GSMA Releases IoT Security Guidelines

GSMA, an association of mobile operators and related companies working together to support the GSM phone system, has issued new IoT security guidelines.

The guidelines are designed to promote secure development and deployment of IoT services and provide advice on how to handle cyber threats and data security issues.

In their announcement, the GSMA said the guidelines were developed with the help of academics, analysts, and other industry experts to ensure they are as comprehensive and inclusive as possible.

The guidelines have separate reports for service ecosystems, endpoint ecosystems, and network providers. As one example, the GSMA team looked at vehicle sensor networks for connected cars. According to the guidelines, while “systems like these are often well-engineered and take a large amount of effort to attack the ecosystem, subtle flaws in the communications architecture can lead to a compromised environment. In walled gardens, such as some CANbus networks, a single flawed endpoint can cause the entire system to become vulnerable. This, in safety-critical environments, is unacceptable.”

The guidelines also include recommended privacy considerations for IoT providers, who should start by asking themselves what kind of data is needed from the customer for the IoT device to function properly, according to the guidelines.

“As billions of devices become connected to the Internet of Things, offering innovative and interconnected new services, the possibility of potential vulnerabilities increases,” Alex Sinclair, chief technology officer of GSMA, told EGov Innovation. “These can be overcome if the end-to-end security of an IoT service is carefully considered by the service provider when designing their service and an appropriate mitigating technology is deployed.”

The GSMA project has the support of industry players including Verizon, China Telecomm, Orange, AT&T, Ericsson and Etisalat.

RTInsights Take: As we previously covered, IoT device security and privacy remains abysmal. That’s because for many IoT companies, security tends to be an afterthought. Even when alerted to problems, some IoT companies are slow to fix issues—such as thermostat maker Trane, which took two years to fix security flaws in its smart thermostats. GSMA and groups such as The Cloud Security Alliance have released guidelines—but a big question is whether the industry will follow them.

A related issue is privacy. Even for IoT devices that are secure, that doesn’t mean an IoT provider won’t use a customer’s personal data to commercial advantage. See: What’s scary about a set-top box? Privacy.

Want more? Check out our most-read content:

White Paper: How to ‘Future-Proof’ a Streaming Analytics Platform
Research from Gartner: Real-Time Analytics with the Internet of Things
E-Book: How to Move to a Fast Data Architecture
The Value of Bringing Analytics to the Edge
What’s Your Business Intelligence System? How About Your Culture
Video: Rocana Rolls Out 1TB of Free IT Monitoring

Liked this article? Share it with your colleagues!