As the number of IoT devices continues to grow exponentially, so too do the number of security threats and risks associated with these devices.
This situation presents two significant challenges for OEMs and IoT solution providers: reducing vulnerabilities and increasing trust in IoT devices and the data they transmit.
In response, recent technological developments for securing IoT SIMs and helping solve the complexity of provisioning millions of IoT devices have emerged.
We’ll focus on the combination of two in particular:
- The drive toward embedded cellular connectivity served via Subscriber Identity Module (SIM) form factors, such as a soldered SIM called eSIM (for embedded SIM) and an integrated one called iSIM.
- The GSMA’s IoT SAFE, a standardized mechanism to secure IoT data communications using a trusted SIM (SIM, eSIM or iSIM) as a “crypto-safe”.
In the first part of the document (The IoT Now Guide to IoT Security 2022), Stephane Quetglas, IoT Marketing Director at Thales, explains what IoT SAFE is and how IoT can be secured end-to-end at scale.
In the second section, we detail how OEMs and IoT solutions providers can tackle the challenge of achieving security by design.
In the third part, we deep dive with Jean-Francois Gros, IoT Product Lines Director, and Nicolas Chalvin, VP of marketing, connectivity and embedded solutions at Thales, into security by design and the zero-trust approach to cybersecurity.
We also pinpoint with them some key tech trends shaping the future of IoT cybersecurity.
The last page of the report gives an overview of Thales IoT SAFE benefits.
Here is a summary of the four main parts of the document.
#1. How IoT SAFE improves IoT cybersecurity and simplifies deployments
Security in IoT has frequently been listed as a development priority, only to be postponed or neglected with disastrous consequences.
But there are other reasons companies put functionality and the service itself at the top of the list: a lack of skilled security experts, and cost.
Why is that?
As new threats multiply, traditional approaches to securing devices are too rigid, too expensive or too complex to integrate and meet IoT enterprises’ timescale and volume requirements.
Current security methods address individual security concerns, but they are neither cohesive enough nor able to scale.
The good news?
For cellular connectivity, the GSMA’s IoT SAFE initiative provides an alternative for IoT enterprises that is independent of mobile operators and a standardized method for securing IoT devices.
In other words, with IoT SAFE in your devices’ eSIM, you can select a network operator for connectivity and leverage IoT SAFE to securely connect devices to your IoT cloud.
You can later change the mobile operator for your connectivity without impacting your IoT service.
This flexibility sounds simple, and it is.
Even if the mobile operator changes, all devices administered by IoT SAFE will be able to connect to the same cloud with the same credentials.
Why?
IoT SAFE is not part of the mobile network operator profile; instead, it sits in a dedicated security domain alongside the SIM application on the same tamper-resistant element (SIM/eSIM/iSIM).
IoT SAFE meets the needs of IoT security for all SIM form factors: SIM, eSIM and iSIM.
Why is it important?
Enterprises can secure IoT end-to-end at scale and have fewer constraints when selecting vendors, which is nearly impossible when relying on fragmented systems.
#2. OEMs and IoT solutions providers and the challenge of security by design
Security by design is a concept that aims to embed security as a vital component of the development cycle rather than bolting it onto a device or an application after it has been developed.
It's a known concept, but OEMs and solutions providers feel uncomfortable with it: they believe it is expensive and that they lack the proper expertise.
But the truth?
OEMs and IoT solution providers are well-positioned to leverage IoT SAFE standards and roll out this framework on behalf of customers with the potential to create IoT devices with ‘security inside’.
Their ability to use a security-by-design approach and install an IoT SAFE standard-compliant secure element into an IoT device at the point of manufacture answers the need for a root of trust and flexible connectivity within the device.
With the cost limited to the software for the SIM, eSIM or iSIM, the value proposition is appealing.
#3. IoT security: trends, options and standards
Trust no one, verify everywhere
In the wake of the pandemic, cybersecurity hacks and breaches have multiplied.
Based on what we experienced, we at Thales have improved the zero-trust architecture and maturity model we presented two years ago.
Zero trust is a model of security that assumes no user or device can be trusted, and that every interaction must be authorized.
As such, it is related to security by design because users, devices, and systems have to prove their trustworthiness. It also enforces precise identity-based rules that grant access to applications, data and other assets.
This approach opens up new perspectives for OEMs, service providers and security architects.
Artificial intelligence
Artificial intelligence (AI) will play a key role in helping companies enhance their cybersecurity strategy.
The technology is used to detect and prevent cyberattacks by identifying risk factors, conducting data analysis for vulnerabilities, and even predicting future threats.
Companies can proactively protect themselves from IoT attacks instead of waiting for hackers to strike first.
Encryption
Encryption has been an essential element of information security for decades, and its importance will only continue to grow in the age of the Internet of Things.
One way to have encryption at the heart of your IoT security strategy is by using an HSM (Hardware Security Module) device.
An HSM is a dedicated hardware device for storing cryptographic keys and other sensitive data like passwords, certificates and tokens.
It provides strong physical protection for your cryptographic keys by keeping them locked inside a tamper-resistant chip.
This prevents hackers from accessing them even if they manage to steal your entire computer system or storage system!
For example, SIM cards have cryptographic features.
Root of Trust and SIM security for the IoT
The Root of Trust (RoT) is an important concept in computer security and in IoT cybersecurity in particular. It refers to ensuring a device is safe and trustworthy before it can be used.
An RoT is a part of the hardware that is used to verify that the system has not been tampered with.
- IoT SAFE employs the SIM as the hardware RoT in an IoT device as it has advanced security and cryptographic features. It is a key recommendation of the GSMA IoT Security Guidelines.
- With a similar approach, Intel has announced that it is building security as default into its new platform for IoT device developers: Pathfinder for RISC-V.
- RoT certification is moving forward too. Backed by over fifty ecosystem partners, PSA Certified is a comprehensive response that security experts maintain. This framework is aligned with industry and government standards and best practices.
iSIM at the core
Embedded SIM (eSIM) technology provides a unified solution to global, future-proofed connectivity that can assist organizations in scaling IoT deployments into networks with tens of millions, if not hundreds of millions of devices.
To maximize IoT security, it is desirable to build the RoT directly into the system on a chip (SoC).
That’s exactly what the iSIM does.
IoT SAFE operating on an iSIM enables self-contained processing and encryption elements to manage security-related workloads for network and cloud authentication in a more integrated and tamper-resistant manner.
It enables a vast new range of secure use cases combining smaller device sizes, baked-in connectivity, seamless provisioning, and lifecycle management.
Thales IoT SAFE solution
With the standardized API, the IoT device middleware can use the credentials and security services in the IoT SIM card, namely iSIM, eSIM or SIM, in a seamless manner.
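The following model, added here and not Thales or GSMA code, illustrates two points made above: the middleware only ever calls the element's signing and public-key operations (the credentials stay inside), and, as described in part 1, the IoT SAFE security domain is separate from the operator profile, so swapping the mobile operator leaves cloud authentication unchanged. The type names, the IMSI values and the challenge string are constructed for the example; ECDSA P-256 stands in for whatever credential the real applet holds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// OperatorProfile models the mobile operator part of the eSIM (network credentials);
// IoTSafeDomain models the separate IoT SAFE security domain, whose private key never leaves it.
type OperatorProfile struct{ Name, IMSI string }
type IoTSafeDomain struct{ priv *ecdsa.PrivateKey }

// ESIM pairs a swappable operator profile with the fixed IoT SAFE domain on one element.
type ESIM struct {
	Operator OperatorProfile
	Safe     *IoTSafeDomain
}

// Public exports only the public half, for enrolment with the IoT cloud.
func (d *IoTSafeDomain) Public() *ecdsa.PublicKey { return &d.priv.PublicKey }
// Sign answers a cloud challenge with an ECDSA signature computed inside the element.
func (d *IoTSafeDomain) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}
// Authenticate is one challenge/response round: the element signs, the cloud verifies with only the enrolled public key.
func Authenticate(sim *ESIM, enrolled *ecdsa.PublicKey, challenge []byte) bool {
	sig, err := sim.Safe.Sign(challenge)
	if err != nil {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(enrolled, h[:], sig)
}
// Demo enrols a device, authenticates, swaps the operator profile and authenticates again.
func Demo() (before, after bool, err error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair created at personalisation
	if err != nil {
		return false, false, err
	}
	sim := &ESIM{OperatorProfile{"OperatorA", "001010000000001"}, &IoTSafeDomain{priv: k}} // constructed values
	enrolled := sim.Safe.Public()        // public key registered with the cloud at manufacture
	challenge := []byte("cloud-nonce-1") // constructed server challenge
	before = Authenticate(sim, enrolled, challenge)
	sim.Operator = OperatorProfile{"OperatorB", "001020000000002"} // new MNO; IoT SAFE domain untouched
	after = Authenticate(sim, enrolled, challenge)
	return before, after, nil
}
```

Both authentication rounds succeed against the same enrolled key, which is the operator-independence property the report describes; a real deployment would run this exchange inside TLS client authentication rather than as a bare challenge/response.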
We invite you to discover Thales IoT SAFE.
Happy reading.