What is IoT SAFE?
IoT applications involve devices collecting, processing and transmitting data to the enterprise servers or Cloud based applications. For organisations to protect both their devices and their users, there is an obvious need to ensure that data is transmitted securely to/from approved and authentic IoT devices only.
This is where IoT SAFE comes in. Developed by the GSMA (Global System for Mobile Communications) and the SIMAlliance, IoT SAFE is an interoperable, industry-wide security standard. It provides a means to uniquely identify devices, for mutual authentication between devices and applications, and also governs the encryption of data to ensure that large-scale IoT and M2M deployments can be kept secure. The key elements of IoT SAFE are:
SIM-based
With IoT SAFE, the SIM card (or embedded SIM) is used as a kind of ‘crypto safe’ (or ‘Root of Trust’) where security keys are stored and managed.
Your SIM is identical in security capability to your bank card, they are the same thing made in the same factories. A small software programme (the IoT SAFE applet) is installed in the SIM card and manages a new secure communication interface.
Zero-touch security
The network operator can install and configure the IoT SAFE applet completely remotely as soon as the device is commissioned. The applet then creates two cryptographic keys – i.e. a private key stored on the SIM card, and a matching public key that is sent back to the operator server.
The IoT SAFE enabled device can then establish a secure connection to the cloud via a mutually-authenticated TLS session. The customer can administer its own key management policies. They can replace keys, revoke them if it appears security may have been compromised, and even disconnect the device from the network where necessary. All of this can be done without the need to physically access the device.
What are the biggest risks of IoT use?
A larger attack surface
As a company scales up its IoT projects, each new connection increases the attack surface by increasing the number of opportunities for threat actors to discover and exploit vulnerabilities. Such gaps can lead to device spoofing or ransomware attacks. There are a range of good practices such as closing ports and connections where they are not strictly required for the application, private IP addressing, private APNs and VPNs. However IoT SAFE adds a further layer of protection by securely automating the provisioning and distribution of security keys to a tightly controlled group of suppliers.
Access control
Ideally, IoT services and data should only be accessible to authorised users. Both the network and individual devices need to be security hardened to the extent that all devices and individuals accessing it can be trusted.
Data exposure
Transmission of plain text gives rise to the risk of a Man-in-the-Middle attack, whereby data is intercepted during transmission. Data both at-rest and on the move should be suitably encrypted.
Application vulnerabilities
Operators need the ability to implement software patches to stay on top of software vulnerabilities that become apparent post-deployment. Without remote (‘over-the-air’) provisioning and management, keeping devices up to date is a huge challenge.
End-user interaction
For customer-facing IoT projects, the greater the reliance on end-user action for configuring security settings, the higher the likelihood of devices being exposed to security threats. Risks can be reduced by configuring those settings at operator level through remote management.
Why does IoT SAFE matter?
IoT SAFE decouples security from vulnerable device applications in an extremely cost effective manner using the SIM you already need. IoT SAFE provides a fully standardised model for IoT security, promoting interoperability across device manufacturers and service providers. It means that as your IoT strategy evolves, you can add new devices – and even swap between operators and cloud infrastructure – without having to constantly change between different proprietary security systems.
It also fully enables over-the-air provisioning and management, making it logistically possible to keep control over the security settings of vast numbers of devices without the need for physical access to devices.
A best-practice approach to IoT security involves looking closely at your specific applications, the nature of the data processed and transmitted, along with the specific security risks you face. Next, it’s a matter of putting in place suitable controls (e.g. device authentication, encryption and access controls) to meet those risks.
The benefits of IoT security are as follows:
Supporting your
IoT strategy
Robust security ensures that the integrity of data, devices and users is protected, maximising the likelihood of existing IoT projects meeting their goals, as well as providing a solid foundation for scaling up those projects in the future through wider markets and new features.
Maximising
revenue
Security measures reduce the risk of services going offline, resulting in interrupted revenue streams. For customer-facing projects, it ensures you are able to deliver a reliable service, helping to boost loyalty and long-term customer value.
Regulatory
compliance
By adopting industry best-practice, you can demonstrate both to regulators and customers that you are taking reasonable steps to safeguard customer data. This helps to avoid breaching data sovereignty and other privacy regulations.
Support for new
business models
For advanced automation in manufacturing and industrial environments through to new initiatives such as instant billing and pay-per-use in customer facing applications, the right security provides a bedrock to enable ever-more complex (and profitable) IoT initiatives.
Find out more
Wireless Logic enables organisations to make the best possible decisions regarding security for IoT applications, in line with current needs and future goals.
To explore your options, speak to us today. For further education around all things IoT, our IoT glossary is full of definitions and explanations.