Part one covered what the IoT SAFE initiative was, plus the challenging cybersecurity landscape faced by enterprises when it comes to securing IoT devices.
In part two, Stephane and George discuss the importance of security by design, how IoT SAFE specifications are being implemented, and Thales’ approach to IoT Safe.
What is your view of security by design and is this approach being taken by the IoT industry?
It is very important and needs to be considered as an essential part of device or service design. Security by design means that you consider security at the earliest stages of your process when you first think about creating an offering or business. If you do this, you will have the right foundations.
Security by design is for us at the heart of what we do but lack of skills and the complexity of security means companies in IoT are not comfortable with it. This is counter-productive because it is very difficult to fix security issues when products are already in the field, and you face issues that you cannot repair or address.
Security is increasingly put as a high priority by IoT companies, and they are interested in relying on security specialists to try and bring the right approach. This is partly to do with the skills shortage but also because security is evolving all the time. To be effective, you need to know the security ecosystems, learn skills and understand new attacks and ways to counter them.
This continuous process is difficult to implement, especially for small-to-medium enterprises. Don’t forget it is made up of lots of small companies, it’s not just a few big names so for many it’s very difficult to develop in-depth security skills.
How are the IoT SAFE specifications being integrated into hardware tamper resistant elements?
What is key for IoT SAFE is that this is a standardised approach that utilises the eSIM independently from the mobile network operator. If you use IoT SAFE in the eSIM in your connected devices, you can choose a network operator to provide connectivity and use IoT SAFE to connect devices to your IoT cloud and later on, if you want, you can change the mobile operator for your connectivity without impacting your IoT service. Indeed, devices will still be able to connect to the same cloud with the same credentials even after the mobile operator has been changed. IoT SAFE is not included in the mobile network operator profile, but in a dedicated security domain sitting beside the SIM application on the same tamper resistant element. The flexibility this provides is important for IoT enterprises because IoT SAFE can be independent across the connectivity provider and the security provider.
The freedom this provides means there are fewer constraints in terms of vendor selection and the security can scale which is not the case when you have fragmented systems
What is Thales’ approach to IoT SAFE and how does that deliver scalable trust for IoT applications?
We embraced IoT SAFE immediately. We are convinced of the need for improved IoT cybersecurity and the requirement to provide a security solution to IoT players that provides something standard and therefore scalable. Standardisation is the right way to go so the security solution can be deployed everywhere.
IoT SAFE is standard but of course you have some additional value as a vendor that you can provide to your customers. We work with providers of security stacks and middleware vendors to make sure IoT SAFE is already supported and thus the integration made easy for device makers. We also provide a touchless provisioning service which is a way to totally remove the cost impact of adding security into a device when the device is manufactured. When you use Thales’ IoT SAFE in the device, there is not additional activity and no additional charge in the process because our solution will automatically generate and validate credentials when the device is first used on the field.
This is how we provide additional value. Of course, we have connectivity management solutions and we’re a leader in eSIM and remote SIM provisioning (RSP) solutions and this means we are able to provide our customers with complete solutions for connectivity and security.
What are the alternatives?
The most popular alternative is a device based approach where security is implemented as software in the device memory. This solution works from a functionality perspective but is quite bad from a secure path point of view because a general purpose processor in the device is not protected and is very easy to defeat. In addition, device-based solutions are usually proprietary or bespoke to a specific device so you need to repeat the same work for every device or implementation and this approach can’t scale.
Another alternative is Generic Bootstrapping Architecture (GBA) which is a user authentication method based on the SIM application. This is mobile operator-centric and was standardised a long time ago. Adopting this method means you require a security service provided by your mobile operator: as a consequence, you lose the service if you change operator and need to integrate with the security service of the new operator. In addition, this does not provide true end-to-end security up to your cloud platform.
IoT SAFE can be deployed in the same way across all of your devices and it is not linked to your mobile operator. The security provided is end-to end so you are truly protected.
Are IoT enterprises adopting IoT SAFE?
We are seeing strong interest in IoT SAFE today and people that are using cellular technology for it are highly accepting of this solution because secure network connections and data are very important to their business cases. Having said that, awareness needs to be developed further to detail the potential of the technology. We’re working to make sure 1oT players are aware they can use and rely on it to relieve some of their pain points and ensure their it’s operations are secure.
To read the full interview with IOT Now you can visit here.