GSMA publishes IoT security guidelines – aims to boost growth

09 February 2016 – By Ryan Daws

The GSMA, the trade body that represents mobile network operators, today published guidelines intended to ensure the secure design and deployment of IoT services and devices. Developed in consultation with the mobile industry, ‘The GSMA IoT Security Guidelines’ are meant to help the sector grow on a trusted footing.

“As billions of devices become connected in the Internet of Things, offering innovative and interconnected new services, the possibility of potential vulnerabilities increases,” said Alex Sinclair, Chief Technology Officer, GSMA. “These can be overcome if the end-to-end security of an IoT service is carefully considered by the service provider when designing their service and an appropriate mitigating technology is deployed. A proven and robust approach to security will create trusted, reliable services that scale as the market grows.”

The guidelines are aimed at all players in the IoT ecosystem, including service providers, device manufacturers and developers. For service providers, they describe the relevant technologies and how to deal with potential threats, and they stress the need for a thorough risk assessment of every component of the service.

“Starting points” to consider when conducting a risk assessment, the document says, include:

  • What assets (digital or physical) need to be protected?
  • What groups of people (tangible or intangible) are potential threat actors?
  • What is a threat to the organization?
  • What is a vulnerability?
  • What would the result be if a protected asset were compromised?
  • What is the probability of the asset being compromised?
  • What would the result be when put in context with different groups of attackers?
  • What is the value of the asset to the organization and its partners?
  • What is the safety impact of the asset being compromised?
  • What can be done to remediate or mitigate the potential for vulnerability?
  • How can new or evolving gaps in security be monitored?
  • What risks cannot be resolved and what do they mean to the organization?
  • What budget should be applied toward incident response, monitoring, and risk remediation?

Mike Weston, CEO of data science consultancy Profusion, comments: “Global standards for the IoT will become increasingly important as the role of connected devices increases in our everyday lives. In the space between the advent of this technology and its mass adoption, there is a great opportunity for manufacturers, tech companies, and suppliers to work together to standardise the IoT and avoid ‘specification wars’, rapid obsolescence, security flaws and ethical issues.”

However, he warns: “The GSMA calls for homogenous data protection legislation across the globe to further drive development and uptake of the IoT. Unfortunately, this is very much a pipe dream. The complicated nature of data protection laws across the world mean that a general consensus is highly unlikely and it will take a significant amount of time for different governments to come to an agreement. By this time, IoT technology is likely to have developed to a point where it has adapted to the fractured nature of global data protection standards.”

The GSMA conducted a thorough industry consultation with academics, analysts and other industry experts to make the guidelines as robust as possible. One example the document gives of the problems they address is that “an IoT service may require communications with many IoT service platforms, each of which may require a separate unique identification.”

One solution for network operators, set out in the document, is to use UICC-based mechanisms to securely identify endpoint devices. Network operators can extend the secure storage provided by the UICC to the IoT service provider, allowing it to store additional IoT service-related identities on the UICC. Another solution is a “single sign-on” operated by the network operator, which lets an endpoint device establish and prove its identity once and then connect to several IoT service platforms without further inconvenience. The document warns, however, that the security trade-offs and risks of such a service must be considered across all of the platforms that rely on it, since an identity proven once is trusted everywhere it is accepted.
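To make the single sign-on trade-off concrete, here is an added, illustrative Python sketch of such a flow; it is not code from the GSMA guidelines, which do not prescribe a mechanism, and every key, device identifier and platform name in it is constructed for the example. The endpoint proves its identity once to the operator by answering a challenge with a secret held on its UICC; the operator then issues short-lived assertions, each bound to a single platform (the audience) and MACed with a key derived for that platform alone. The point it demonstrates is the caveat in the text: because the assertions are scoped per platform, a platform that leaks its verification key, or an assertion that leaks in transit to one platform, cannot be replayed or forged against another.

```python
"""Illustrative operator-run single sign-on for IoT endpoints (added example).

All secrets and identifiers are constructed for the example; the key
derivation and token format are a simple illustration, not a standard.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Operator-side master secret (constructed). Platforms never see it.
OPERATOR_MASTER_KEY = b"constructed-operator-master-key-do-not-reuse"

# Credential the operator provisioned onto the endpoint's UICC (constructed).
UICC_SECRETS = {
    "dev-0001": bytes.fromhex("00112233445566778899aabbccddeeff"
                              "00112233445566778899aabbccddeeff"),
}


def derive_platform_key(platform: str) -> bytes:
    """Per-platform verification key: illustrative KDF (HMAC of a label under the master key)."""
    return hmac.new(OPERATOR_MASTER_KEY, b"platform:" + platform.encode(), hashlib.sha256).digest()


def uicc_sign_challenge(device_id: str, challenge: bytes) -> bytes:
    """What the endpoint's UICC returns: a MAC over the operator's fresh challenge."""
    return hmac.new(UICC_SECRETS[device_id], challenge, hashlib.sha256).digest()


def operator_authenticate(device_id: str, challenge: bytes, response: bytes) -> bool:
    """The one-time identity proof; unknown devices and wrong responses fail closed."""
    if device_id not in UICC_SECRETS:
        return False
    expected = hmac.new(UICC_SECRETS[device_id], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_assertion(device_id: str, platform: str, now: int, ttl: int = 300) -> str:
    """Operator issues a short-lived assertion bound to exactly one platform."""
    claims = {"sub": device_id, "aud": platform, "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(derive_platform_key(platform), payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_assertion(token: str, platform: str, platform_key: bytes, now: int) -> Optional[dict]:
    """A platform checks with its own key only; bad MAC, wrong audience or expiry all reject."""
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(platform_key, payload, hashlib.sha256).digest(), sig):
        return None
    claims = json.loads(payload)
    if claims.get("aud") != platform or claims.get("exp", 0) <= now:
        return None
    return claims


def sso_demo(now: int = 1_455_000_000) -> dict:
    """Prove identity once, then show which cross-platform misuse the audience binding stops."""
    device = "dev-0001"
    challenge = secrets.token_bytes(16)
    if not operator_authenticate(device, challenge, uicc_sign_challenge(device, challenge)):
        raise RuntimeError("endpoint failed operator authentication")
    key_a, key_b = derive_platform_key("platform-a"), derive_platform_key("platform-b")
    tok_a = issue_assertion(device, "platform-a", now)
    tok_b = issue_assertion(device, "platform-b", now)
    # Platform B (or someone holding B's key) tries to mint an assertion for platform A.
    forged_payload = json.dumps({"sub": device, "aud": "platform-a", "iat": now, "exp": now + 300},
                                sort_keys=True).encode()
    forged = _b64(forged_payload) + "." + _b64(hmac.new(key_b, forged_payload, hashlib.sha256).digest())
    return {
        "a_accepts_own": verify_assertion(tok_a, "platform-a", key_a, now) is not None,
        "b_accepts_own": verify_assertion(tok_b, "platform-b", key_b, now) is not None,
        "b_rejects_replay_of_a_token": verify_assertion(tok_a, "platform-b", key_b, now) is None,
        "a_rejects_forgery_made_with_b_key": verify_assertion(forged, "platform-a", key_a, now) is None,
        "a_rejects_expired": verify_assertion(tok_a, "platform-a", key_a, now + 301) is None,
    }


if __name__ == "__main__":
    print(sso_demo())
```

The design choice worth noting is the per-platform key rather than one shared verification key: with a single shared key, any platform could mint assertions for every other platform, which is exactly the cross-platform risk the guidelines ask providers to weigh. Short expiry limits the window in which a leaked assertion is useful, but the operator remains a single point of trust for every platform behind it.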

Don A. Bailey, Founder and CEO, Lab Mouse Security, comments on current threats: “There is a significant amount of evidence to suggest that cyberattacks are already happening in the burgeoning IoT space. If not handled appropriately, these attacks are likely to inhibit the growth and stability of the Internet of Things.

“It is imperative that the industry adopts a standard approach for dealing with security risks and mitigations, helping to ensure that the entire IoT ecosystem will not be subject to fraud, exposures of privacy, or attacks that affect human life.”

Mobile operators involved with the project include AT&T, China Telecom, Etisalat, KDDI, NTT DOCOMO, Orange, Telefónica, Verizon, and Telenor.

Infrastructure partners include 7Layers, Ericsson, Gemalto, Morpho, Telit and u-blox.

The IoT Security Guidelines are available to download at: