The GSMA IoT Security Guidelines, jointly developed by the GSMA and the mobile industry, provide detailed recommendations to foster a secure and sustainable IoT.
Security is one of the key requirements to ensure global adoption of IoT services and products. It has, however, mostly been overlooked so far. Acknowledging that the sustainable success of IoT depends on provable security, the industry is now addressing the challenge.
The usual way to prove the security of a product is to go through a formal security certification process, which presupposes the existence of well-defined technical specifications. While there are many initiatives to propose standards for IoT (e.g. oneM2M, OCF), some of which define their own certification schemes, they unfortunately tend to focus on functional testing.
To provide an evidence-based and robust approach to end-to-end security, the GSMA has delivered a set of IoT Security Guidelines, backed by an IoT Security Assessment scheme. Based on the mobile industry’s extensive security expertise, the guidelines and assessment were jointly developed with mobile operators, vendors and infrastructure providers. Orange was one of the most active partners in this project.
The GSMA IoT Security Guidelines include four documents:
Orange has also put together a simplified list of guidelines on secure device development, as a starting point for security-minded developers and device-makers.
To allow IoT companies to demonstrate their security measures, the GSMA has defined the IoT Security Assessment, based on the GSMA IoT Security Guidelines. This assessment ensures a security-by-design approach, and enables companies to highlight the measures they have taken to protect their products, services and components from cybersecurity risks.
The IoT Security Assessment provides the company with a comprehensive checklist to complete and submit to the GSMA. The completed assessment may also be shared with the company’s partners and customers. A solution provider may, for example, receive requests from a customer or prospect to provide a completed GSMA IoT Security Assessment, in order to prove their solution is secure.