How to secure the IoT from the SIM to the Cloud

Head of MVNO

IoT devices connect to mobile networks and exchange data with many, often cloud-based, services. To be secure, devices must be identified and authenticated. This is often achieved through a combination of on-SIM technology, for network authentication, and separate components on the device for housing security keys for cloud service authentication.

This combined approach introduces potential security weaknesses into manufacturing and maintenance processes and adds complexities and costs in both cases. End-to-end on-SIM security, that secures the IoT from the SIM to the Cloud, helps defend against a range of cyberthreats whilst streamlining device provisioning and improving scalability and convenience.

Why a secure IoT is important

In a 2020 PSA Certified survey of decision makers in IoT across seven markets including the UK and US, 90 per cent of respondents said they have seen security increase in importance over the last 12 months.

IoT devices, like all connected devices, exchange data that has a value. Some, an extremely high value, including healthcare and payments taken by retailers.

Those retailers need to trust that their digital transactions are secure. In recent Wireless Logic research over half (58%) of surveyed UK respondents aged 16 to 54 years said they are concerned about the security of their personal details/payment. This was even higher among males (63%). Over a third (37%) believe it is the retailer’s responsibility to ensure the security of their payment.

Therefore retail, and indeed businesses across all sectors, deploying IoT devices must consider how secure those devices are. It helps to understand security at the level of the SIM and beyond that as SIMs embedded in IoT devices connect to Cloud networks.

The importance of identity

We all use online services and connect our smart devices to networks, and we all expect an authentication process through which we prove our identity. If we can identify ourselves through a password, PIN, biometric or hardware key, we are granted access to the services we use.

In the IoT, devices must be authenticated as trusted devices. For network authentication, this happens at the level of the SIM, with an embedded security key that the mobile network uses to authenticate that SIM for that device.

What is IoT SAFE?

IoT SAFE is a common standard for SIMs, developed so that IoT devices can be authenticated and authorised by the mobile networks they connect to. The term stands for IoT SIM Applet For Secure End-to-End Communication. It establishes the SIM as a hardware ‘root of trust’ through a common API.

In a similar way, technology in Chip and PIN bank cards is used to identify and authenticate payment transactions.

Next-stage security

Advanced IoT security solutions extend this root of trust to authenticate IoT devices beyond the network onto the cloud-based services they connect to. These could be Amazon Web Services (AWS), Azure, Google Cloud or others.

This increases security for IoT deployments because it authenticates trusted devices end-to-end, authenticating the SIM with the mobile network and the cloud service provider.

It achieves this through Cloud certificates embedded in the SIM, in a similar way to how a security key resides in the SIM to authenticate it to the mobile network.

What this means in practice

Securing the IoT from the SIM to the Cloud benefits organisations with health or safety requirements and applications which need protecting against revenue and reputation loss. These include cashless payments in sectors such as retail and vending, clinical trials,  electric vehicle charging, micro-mobility including eScooters and last-mile delivery.

This end-to-end security helps defend against:

• Unauthorised device access – to network and cloud services because identity is established at both the network and service level
• IoT device spoofing – the risk of a rogue individual or organisation being able to present as a genuine IoT device, such as a mobile point-of-sale (POS) terminal, is reduced because there are fewer opportunities to get at, and therefore emulate, security key information. It’s all embedded within the SIM, it doesn’t reside in a range of components, some of which may have to be accessed by third parties during the manufacturing process
• Ransomware events – embedding Cloud certificates in the SIM contains security within a single component, avoiding the need to share identifiers to be built into additional components as part of the manufacturing process
• Fraud – a suite of capabilities within advanced IoT security solutions can include fraud detection through an IMEI hardware identifier that is locked into the SIM, so if someone attempts to use the SIM in another device, it can be detected and blocked.

It also improves:

• Device provisioning – a remote provisioning platform and advanced rules engines can authenticate and automate the management and control of SIMs and Cloud access for zero-touch provisioning
• Cost management – leveraging the SIM for end-to-end security removes the need for a separate component within the hardware for authentication beyond the network, reducing the cost of manufacture
• Scalability – advanced on-SIM security automates device authentication and secure Cloud registration for dynamic and scalable deployments
• Convenience – securing the IoT from the SIM to the Cloud through on-SIM security removes the need for additional security components. That simplifies device manufacture and makes IoT data exchange more convenient. It is a form of multi- or two-factor authentication, all embedded within the SIM.

Cloud Secure from Wireless Logic

Conexa, Wireless Logic’s network for things, comes complete with Cloud Secure which uses on-SIM technology for zero-touch onboarding of devices to services built on AWS, Azure or Google Cloud.

With a combination of GSMA standards-based on-SIM technology and mobile core network services, Cloud Secure resolves IoT device identity, enables dynamic scalability and provides defence against spoofing of IoT devices, ransomware events and unauthorised device access to network and cloud services.

Conexa is a GSMA certified carrier-grade mobile network built by Wireless Logic just for the IoT. It provides a suite of connectivity solutions, network control and security services built over an ecosystem of leading MNO radio network partners for resilient and flexible connectivity anywhere in the world via all the cellular bearer types from 2G, 3G to the latest 4G, LPWAN and 5G technologies.

A secure IoT depends on effective IoT device identification and authentication to the networks and services each device needs to access. Securing the IoT from the SIM to the Cloud helps protect deployed solutions that may become prey to cyber-attacks. It also simplifies manufacturing, deployment and management processes, thereby also boosting security while improving efficiency and containing costs.

To find out more about advanced security from a network built for the IoT, take a look at Conexa from Wireless Logic. To find out how we can help, contact us to discuss.