ETSI IoT Workshop: AppID Registry: A Foundation for Trusted Interoperability
There has been an increasing number of cybersecurity attacks that involve IoT devices. In some situations, IoT devices are the target of the attack, but in a growing number of cases, IoT vulnerabilities have been exploited to launch DDoS attacks against other targets. All of these incidents are a consequence of one critical weakness: the techniques available to control and manage IoT devices are extremely limited.
A SIM card can be used to secure the connection to IoT devices, but it has limitations. Many low-cost devices cannot support a SIM card, and even when there is a SIM card, it only authenticates the connection to the device, and only when communication is via the mobile network. Scalable, secure IoT solutions will require additional mechanisms. IoT security will need to prevent spoofing of devices and/or data, while still allowing nomadic devices to connect to the networks and contribute data (e.g., out-of-town connected cars accessing smart city services). A wide range of IoT devices and applications will access data available from ecosystems such as Smart Cities, and will need to be authenticated and secured, and to comply with relevant data privacy and permissible use policies. Automated processes will be needed to connect and manage “uncontrolled” IoT devices after authentication, authorization and verification of the device identity.
Today’s IoT infrastructure falls into two very different categories. Managed IoT networks manually provision devices and restrict access to approved devices. But the majority of IoT applications are deployed with little to no control over IoT devices and the data they produce.
This presentation will demonstrate how enhancements to the current oneM2M AppID Registry, of which ATIS is the Management Authority, can provide the basis for trusted, secure IoT connectivity and communications. It can verify the identity of applications and of unique instances of IoT devices to protect against spoofing and counterfeit devices. The AppID Registry can also ensure consistent application of relevant policies, including licensing controls, access control, acceptable use and data privacy. It allows application providers to more effectively manage and secure services, while also providing a mechanism for service providers to distinguish between secure, trusted devices and untrusted devices. Although this will not “solve” the security vulnerabilities of IoT devices, it will offer service providers an important tool to begin effectively managing an open IoT environment.