How to develop secure IoT products
Security is one of the key requirements to ensure global adoption of IoT services and products. It has, however, mostly been overlooked so far. Acknowledging that the sustainable success of IoT depends on provable security, the industry is now addressing the challenge, notably with the GSMA IoT Security Guidelines.
The usual way to prove the security of a product is to go through a formal security certification process, which presupposes the existence of well-defined technical specifications. While there are many initiatives to propose standards for IoT (e.g. oneM2M, OCF), some of which define their own certification schemes, they unfortunately tend to focus on functional testing.
GSMA IoT Security Guidelines
In order to provide an evidence-based and robust approach to end-to-end security, the GSMA has delivered a set of IoT Security Guidelines, backed by an IoT Security Assessment scheme. Based on the mobile industry’s extensive security expertise, the guidelines and assessment were jointly developed with mobile operators, vendors and infrastructure providers. Orange was one of the most active partners in this project.
The GSMA IoT Security Guidelines include four documents:
The IoT Security Guidelines Overview Document introduces the concepts used in the different documents and describes common security recommendations.
The IoT Security Guidelines for Service Ecosystems: this guide shall be used by service providers and developers to evaluate all components from a service perspective, including infrastructure.
The IoT Security Guidelines for Endpoint Ecosystems: this guide shall be used by IoT device manufacturers and vendors to evaluate the security risks of all the technologies used to build the physical device.
The IoT Security Guidelines for Network Operators are high-level guidelines for Network Operators who intend to provide services to IoT service providers, in order to ensure data security and privacy.
Moreover, Orange has also put together a simplified list of guidelines on secure device development as a starting point for security-minded developers and device-makers.
IoT Security Assessment
To allow IoT companies to demonstrate their security measures, the GSMA has defined the IoT Security Assessment, based on the GSMA IoT Security Guidelines. This assessment ensures a security-by-design approach, and enables companies to highlight the measures they have taken to protect their products, services and components from cybersecurity risks.
The IoT Security Assessment provides the company with a comprehensive checklist to complete and submit to the GSMA. The completed assessment may also be shared with the company’s partners and customers. A solution provider may, for example, receive requests from a customer or prospect to provide a completed GSMA IoT Security Assessment, in order to prove their solution is secure.