IoT Blog

Key Takeaways from Our Webinar on IoT Security Strategies: Implementing Secure Connected Solutions

Written by Chris Barker and Paul Bradley | August 14, 2024

In the fast-evolving IoT landscape, securing connected devices and the IT systems behind them is crucial. During our recent webinar, "IoT Security Strategies: Implementing Secure Connected Solutions," IoT specialists Chris Barker, Senior Director Product Security at Semtech, and Paul Bradley, Vice President Solutions Sales at Kigen, shared insights into the current state of IoT security and practical advice for safeguarding IoT endpoints. This blog collects highlights of the Q&A session, with references and guidance for IT and technical leaders.

What’s the difference between eSIM, IoT SAFE and a TPM? 

An eSIM is a platform that hosts mobile operator profiles, allowing several profiles to coexist on the same physical SIM, or more accurately on the same eUICC. IoT SAFE is an applet that runs inside the eUICC and uses it as a root of trust for device-to-cloud security. Because the same component then provides both connectivity and hardware-protected credentials, it reduces bill of materials (BoM) cost compared with fitting a separate Secure Element or TPM alongside the eUICC.

TPMs, on the other hand, originated in the PC world and are often associated with applications such as BitLocker, which encrypts the contents of the hard disk and relies on the TPM to protect the disk encryption key. In the mobile space, where power efficiency is crucial, secure elements and SIMs have increasingly served as the root of trust for transactions and for in-device security such as biometric authentication. eSIMs with IoT SAFE and TPMs play similar roles, but they have evolved differently to suit their respective environments.

What should companies consider when deploying IoT devices in multiple jurisdictions, particularly regarding compliance with regulations? 

Companies need to examine the specific regulations of each jurisdiction in which they deploy IoT devices. Compliance with local law is essential, and requirements vary significantly between jurisdictions. Even IoT manufacturers find it challenging to navigate the many applicable regulations, and they regularly receive customer inquiries about specific certifications. Some requirements are common to most regimes, such as no hard-coded passwords and a mechanism for regular security updates, but the full set depends on where the device is deployed. To help with this, initiatives such as PSA Certified map local regulations to certification requirements, providing traceability and helping companies demonstrate compliance with IoT security standards.

What are some recommendations for achieving end-to-end security?  

To achieve end-to-end security, start from the use case, especially if the data is sensitive or will be used in a sensitive context. A key recommendation is to keep the credentials that establish data provenance and protect transport from the device to the cloud, that is, the device's private keys and certificates, inside tamper-resistant hardware. This could be a SIM running IoT SAFE or another hardware root of trust. If those credentials can be extracted, an attacker can impersonate the device or forge its data, so protecting them is essential.
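The following Go program is an added illustration of that recommendation and is not code from the webinar, from Semtech or from Kigen. It models the hardware root of trust (an IoT SAFE applet or similar) as a `crypto.Signer` whose private key is generated inside it and never exported; the application only ever hands it a digest to sign. The device signs each telemetry message with that key, and the cloud side establishes provenance by chaining the device certificate to a trusted device-maker CA, binding the claimed device ID to the certificate subject, checking the signature and rejecting replayed sequence numbers. The CA, device name and message layout are assumptions made for the example; in production the CA key would be offline and the device's public key would arrive in a certificate signing request.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// secureElement stands in for an IoT SAFE applet on the eUICC or another
// hardware root of trust (assumption: real hardware would be driven over APDUs).
// The key is generated inside it and is never exported: callers only get
// Public() and Sign(), which is all crypto/tls and crypto/x509 need.
type secureElement struct{ key *ecdsa.PrivateKey }

func newSecureElement() *secureElement {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &secureElement{key: k}
}

func (s *secureElement) Public() crypto.PublicKey { return &s.key.PublicKey }

// Only a 32-byte digest crosses the application/secure-element boundary.
func (s *secureElement) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, s.key, digest)
}

// Telemetry is what the device reports; Envelope is what travels to the cloud.
type Telemetry struct {
	DeviceID string
	Seq      uint64 // monotonic counter so the cloud can drop replays
	Payload  []byte
}

type Envelope struct {
	Msg     Telemetry
	CertDER []byte // CA-issued device certificate (public key from the secure element)
	Sig     []byte // ECDSA P-256 / SHA-256 signature over digest(Msg)
}

// digest canonicalises the message so device and cloud hash identical bytes.
func digest(m Telemetry) []byte {
	h := sha256.New()
	h.Write([]byte(m.DeviceID))
	h.Write([]byte{0}) // separator: prevents ID/seq boundary ambiguity
	binary.Write(h, binary.BigEndian, m.Seq)
	h.Write(m.Payload)
	return h.Sum(nil)
}

// SignTelemetry runs on the device; the private key stays in the secure element.
func SignTelemetry(se crypto.Signer, certDER []byte, m Telemetry) (Envelope, error) {
	sig, err := se.Sign(rand.Reader, digest(m), crypto.SHA256)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Msg: m, CertDER: certDER, Sig: sig}, nil
}

// VerifyTelemetry runs in the cloud: chain the device certificate to the trusted
// CA, bind the claimed DeviceID to the certificate subject, verify the signature
// and reject any sequence number that does not advance past lastSeq.
func VerifyTelemetry(roots *x509.CertPool, env Envelope, lastSeq uint64) error {
	cert, err := x509.ParseCertificate(env.CertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted device certificate: %w", err)
	}
	if cert.Subject.CommonName != env.Msg.DeviceID {
		return errors.New("device ID does not match certificate subject")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest(env.Msg), env.Sig) {
		return errors.New("bad signature: payload altered or not produced by this device")
	}
	if env.Msg.Seq <= lastSeq {
		return errors.New("replayed or stale sequence number")
	}
	return nil
}

// template holds the fields shared by the example's certificates (assumed validity).
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
}

// Provision creates the device-maker CA (in memory here; offline in production)
// and a device whose certificate carries the secure element's public key.
func Provision(deviceID string) (roots *x509.CertPool, se *secureElement, devCertDER []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := template(1, "Example Device CA")
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)

	se = newSecureElement()
	dev := template(2, deviceID)
	dev.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	devCertDER, _ = x509.CreateCertificate(rand.Reader, dev, caCert, se.Public(), caKey)
	return roots, se, devCertDER
}

func main() {
	roots, se, certDER := Provision("device-0001")
	env, _ := SignTelemetry(se, certDER, Telemetry{DeviceID: "device-0001", Seq: 1, Payload: []byte(`{"temp":21.5}`)})
	fmt.Println("genuine :", VerifyTelemetry(roots, env, 0))
	env.Msg.Payload = []byte(`{"temp":99.0}`)
	fmt.Println("tampered:", VerifyTelemetry(roots, env, 0))
}
```

The same `secureElement` value can be placed in `tls.Certificate.PrivateKey`, so the identical hardware-held key also authenticates the device in a mutually authenticated TLS session to the cloud; the TLS stack likewise only asks the signer for a signature over a handshake digest. In production the certificate would be delivered once and cached by the cloud rather than sent with every message, and the device ID binding would normally be checked against a device registry.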

How do you approach end-to-end security from the device to the cloud?  

We look at the entire path, every component from the device to the cloud, and build the security controls and defenses on that complete view. We then test those controls thoroughly, including through third-party assessments, so that security holds end to end rather than at isolated points.

How important is training for customers on IoT security, and what responsibility do manufacturers have in this regard? 

Training customers on IoT security is crucial, and as IoT manufacturers we have a responsibility to educate our users. Hosting webinars and publishing security hardening guides are two of the ways we do this. As an industry, though, we can certainly improve our security awareness efforts for IoT. Our team frequently discusses how to engage customers better and make security a key topic in every conversation, especially during sales discussions, and we keep looking for more effective ways to communicate why security matters and how customers can protect their devices.

Is there any security reference architecture for IoT infrastructures? 

Yes. One well-known option is the Arm Platform Security Architecture (PSA), which you can certify against through PSA Certified. It provides practical guidelines that align with regulations from various governments and institutions. Sites such as the IoT Security Foundation also maintain lists of 30 to 50 links to different resources, some of which contain example security architectures as well as mappings to specific regulations.

What about governmental security standards like GDPR, FIPS, etc.? 

It's crucial to be aware of these requirements when deploying IoT solutions; note that they are of different kinds, GDPR being a data-protection regulation and FIPS 140 a standard for validated cryptographic modules. Work closely with your legal team to understand which regulations apply in your jurisdiction, especially if sensitive data is involved. Compliance and transparency across the board are essential for every use case you implement. There is also a growing expectation that vendors provide compliance as a service, as enterprises look to them for guidance on meeting security and regulatory requirements.


Learn More

We hope you find this blog informative. To learn more, you can watch the webinar replay now. If you have any questions, don't hesitate to contact us and one of our IoT experts will be in touch for a free discussion.