IoT NOw q3 by Prestige Media

IoT Now: ISSN 2397-2793

Q3 2020 • VOLUME 10 • ISSUE 3

TALKING HEADS Eseye's Nick Earle explains how intelligent connectivity is collapsing and disrupting traditional business models

TRANSPORT

SMART HOMES

UTILITIES

CONNECTIVITY

IoT GLOBAL NETWORK

Telematics for a moving industry. See our Analyst Report at www.iot-now.com

New efficiency for living, working and playing. See our Analyst Report at www.iot-now.com

Smart electricity metering's current state of play. See our Analyst Report at www.iot-now.com

How intelligent connectivity is enabling hyperscale IoT. Read the IoT Now Report inside this issue

Log on at www.iotglobalnetwork.com to discover our new portal for products, services and insight

PLUS: 6-PAGE IoT SECURITY REGULATION REPORT • Why it's time to legislate to accelerate IoT deployments • Inside Blackbaud's ransom attack • 6-PAGE ANALYST REPORT: How eSIMs are providing greater freedom for IoT OEMs • A sense of sensing something greater from IoT sensors • 5-PAGE REPORT ON IoT DEVICE COMPONENTS: Why simpliﬁcation demands solutions, not just components • MachNation report on device management for IoT • Does IoT really need an ecosystem of specialists to succeed? • 5-PAGE REPORT ON SECURING IoT DEVICES: Has the back door been slammed shut yet? • Latest news online at www.iot-now.com

CONTENTS TALKING HEADS

IoT SENSORS

INTELLIGENT CONNECTIVITY

INTERVIEW

IN THIS ISSUE 4 EDITOR’S COMMENT George Malim says simplification of connectivity, components and security are giving IoT a needed boost 5 COMPANY NEWS Inside Google Nest’s US$450m deal with ADT, Mobileum acquires SIGOS 6 SECURITY NEWS The details on Blackbaud ransom attack, SonicWall ransomware research 7 THE CONTRACT HOT LIST A round up of the latest IoT contracts 8 TALKING HEADS Eseye’s Nick Earle tells George Malim how intelligent connectivity is enabling IoT visionaries to collapse traditional business models 12

INTELLIGENT CONNECTIVITY REPORT Our 6-page report on how smarter connections are enabling hyperscale IoT

IoT SECURITY REGULATION REPORT Our 6-page report on why it’s time to regulate to accelerate security adoption in IoT

51 INTERVIEW Slawomir Wolf tells Jeremy Cowan that an ecosystem of specialists is required to enable the efficient delivery of IoT capabilities

30 INTERVIEW Robin Duke-Woolley talks to Truphone executives to break down the IoT connectivity complexities of eSIM

32 eSIM ANALYST REPORT Beecham Research on how eSIM is delivering greater freedom for IoT OEMs

58 DEVICE MANAGEMENT Nick Booth on why IoT device management remains easier said than done

38 CASE STUDY How Fox Sports and MachineMax have utilised eSIMs to underpin IoT-enabled operations 40 INTERVIEW Josh Mickolio explains why new approaches to component specification for IoT devices are being adopted

18 CASE STUDY How ubiquitous IoT connectivity is propelling telehealth and telecare

IoT DEVICE COMPONENTS REPORT Our 5-page report exploring why simplification demands solutions, not just components

20 INTERVIEW Thomas Rosteck explains why the market dynamics do not work for security in IoT – yet

46 IoT SENSORS Robbie Paul explores the proliferation of sensor adoption that is fuelling IoT innovation

DEVICE MANAGEMENT FOR IoT DEPLOYMENT REPORT Machnation’s Josh Taubenheim on how to optimise for success

62 IoT DEVICES AVSystem on why device management is essential for secure and scalable IoT deployments 65 INTERVIEW Tony Savvas talks to Giuseppe Surace about how to map out a wild west response to the threat of IoT security

67 SECURE IoT DEVICES REPORT Our 5-page report on how to secure your IoT devices 72 IoT SECURITY Eurotech advocates an end-to-end approach to IoT security 74 EVENT DIARY Our pick of the mostly-virtual IoTfocused events

Cover sponsor: Eseye empowers businesses to embrace IoT without limits. We help them to visualise the impossible and bring those solutions to life through innovative IoT cellular connectivity solutions that enables our customers to drive up business value, deploy differentiated experiences and disrupt their markets. Our pioneering technology allows businesses to overcome the complexity of IoT deployment and develop, deploy and manage IoT projects without the fear of getting it wrong. We guide them every step of the way. Supported by our unique AnyNet Secure SIM technology, Connectivity Management Platform and a powerful partner ecosystem, we help more than 2,000 customers globally to seamlessly connect devices across 190 countries, agnostic to over 700 available global networks. Find out more at www.eseye.com.

IoT Now - Q3 2020

COMMENT

Connectivity, components and security start to enable simplification of IoT – at last

EDITORIAL ADVISORS

This issue of IoT Now is all about simplification. Our reports detail how connectivity, device development and IoT security all need to be made easier for organisations engaging in IoT. Importantly, none of these are the core businesses of the companies that will create the massive IoT market we’ve all been waiting for It seems the penny has finally dropped. Businesses that are digitally transforming and looking to sell products as services are actually good at what they’ve always been good at. They don’t want to become connectivity experts and, while they might be market leaders at designing their own products, the components and design of IoT devices are a foreign landscape. In addition, their adoption of IT security has taken many years and doesn’t relate to the new business they are building in IoT. This disconnect between the vendors of IoT connectivity, IoT device development and IoT security and the customer organisations has been one of the hindrances that have held back IoT and caused it to miss the well-worn multi-billion dollar projections. Those have now proven to be, in fact, threadbare but this may turn out to be a positive for the IoT industry as the vendor community is waking up to the need to create a simplified ecosystem in which it’s not necessary to become an expert in everything in order to succeed in IoT. In intelligent connectivity, companies are providing eSIMs that enable companies to create devices with a single stock keeping unit (SKU) number for global deployment. Once deployed the device bootstraps onto the best available network. This makes connecting everything from vending machines to medical equipment easy and retailers and hospitals no longer have to become experts in wireless communications or have contracts with multiple providers worldwide.

modems, can be used and the device itself can piggyback on that certification. Finally, in IoT security, it’s now understood that force-fitting IT approaches won’t necessarily work in IoT. Instead specialists are emerging to enable secure IoT from the hardware up. Regulation is coming into place that will simplify understanding of security for companies and users alike and this is addressing one of the largest concerns that hampers larger volumes of IoT deployments. It’s a sign of maturity that initiatives across all these areas are taking place to simplify the process of rolling-out and adopting IoT. The realisation that it’s counter-productive for everyone to re-invent the wheel in isolation from each other is a significant step in the development of any sector and IoT looks to have moved from talking about this strategic shift to actually enabling it. An ecosystem of vendors selling simplified solutions in these essential areas will make it far easier for organisations to deploy IoT and they’ll be able to do so more quickly.

We are always proud to bring you the best writers and commentators in M2M and IoT. In this issue they include:

George Malim

Antony Savvas journalist

Andrew Parker, programme marketing director, IoT, GSMA

Gert Pauwels, head of commercial and marketing IoT and M2M, Orange Belgium

Enjoy the magazine!

Similarly, the IoT device components landscape is simplifying. Companies can now buy pre-integrated functional blocks of components. These are essentially sub-assemblies that can be brought together into an IoT device, accelerating development time but also resulting in faster timeto-market because certified components, such as

Contributors in this issue of IoT Now

Robin Duke-Woolley, CEO, Beecham Research

Robert Brunbäck, director, Connectivity, Lynk & Co

Robin Duke-Woolley chief executive Beecham Research

Josh Taubenheim IoT analyst MachNation Aileen Smith, chief strategy officer, UltraSoC

MANAGING EDITOR George Malim Tel: +44 (0) 1225 319566 g.malim@wkm-global.com

SALES CONSULTANT Cherisse Jameson Tel: +44 (0) 1732 807410 c.jameson@wkm-global.com

EDITORIAL DIRECTOR & PUBLISHER Jeremy Cowan Tel: +44 (0) 1420 588638 j.cowan@wkm-global.com

DESIGN Jason Appleby Ark Design Consultancy Ltd Tel: +44 (0) 1787 881623

DIGITAL SERVICES DIRECTOR Nathalie Millar Tel: +44 (0) 1732 808690 n.millar@wkm-global.com

PUBLISHED BY WeKnow Media Ltd. Suite 138, 80 Churchill Square, Kings Hill, West Malling, Kent ME19 4YU, UK Tel: +44 (0) 1732 807410

DISTRIBUTION UK Postings Ltd Tel: +44 (0) 8456 444137

David Taylor, Board advisor on Digital and IoT innovation

IoT Now magazine covers worldwide developments in the Internet of Things (IoT), machine-to-machine (M2M) communications, connected consumer devices, smart buildings and services. To receive ALL 4 ISSUES per year of the printed magazine you need to subscribe. The price includes delivery to your chosen address worldwide. BUY A 1-YEAR, 2-YEAR, or 3-YEAR SUBSCRIPTION: 1 Year Normal price UK£60.00 NOW UK£51.00 for 4 issues OR 2 Years NOW £102 (8 issues, save £18.00) SUBSCRIBE ONLINE: www.iot-now.com

IoT Now - Q3 2020

Google’s Nest cameras

Google spends US$450m on ADT to integrate Nest-based home security Google’s Nest hardware is to be combined with ADT’s security, professional installation and monitoring service. The goal is to create a fully integrated set of devices, software and services for the secure smart home. Google is to invest US$450 million (€380 million) to acquire 6.6% ownership of ADT, cementing a long-term commitment to partnership and removing a major threat to ADT. Each company will commit $150 million (€126 million) for co-marketing, product development, technology and employee training. The partnership is intended to provide customers with integrated smart home technology to be offered in both do-ityourself (DIY) and professionallyinstalled security offerings.

The partnership will integrate Google’s hardware and services and ADT’s DIY and professionally installed smart home security solutions to innovate the residential and small business security industry. The future ADT + Google helpful home security solution is expected to advance smart home offerings and attract new consumers seeking premium technology, end-to-end smart home service and trusted security.

Boca Raton, Florida-based ADT, a provider of security and smart home solutions, and Google announced they are entering into a long-term partnership to create “the next generation of smart home security offerings”.

“We are thrilled to partner with Google to provide the smart home market with a strong, differentiated product and service offering that integrates the best technology, hardware and smart home security expertise from our two brands,” said Jim DeVries, the president and CEO of ADT. “Google’s partnership and financial investment in ADT underscores the depth of our joint commitment to the smart home and security markets.”

The partnership will combine Nest’s hardware and services, powered by Google’s machine learning technology, with ADT’s installation, service and professional monitoring network. The intention is to create a more helpful smart home and integrated experience for customers, initially across the United States.

Rishi Chandra, the general manager and vice president of Nest, added: “We’re excited to partner with ADT to further our mission of building helpful devices for the home. ADT is a leader in smart home security, and I look forward to working with the team to create innovative smart home security solutions that help everyone feel safe and protected.”

COVID-19 has sped up digital transformation by six years, says study A global survey, by cloud communications platform Twilio, measuring the impact and outlook of the COVID-19 pandemic on businesses’ digital engagement strategies says the pandemic has significantly accelerated transformations. The study found that COVID-19 has accelerated companies’ digital communications strategy by a global average of six years. COVID-19 has propelled some industries further than others. Those accelerating their digital transformation most significantly in response to COVID-19 were tech companies (78%), followed by energy (77%), healthcare (74%), construction (71%) and retail (70%). Notably, however, the greatest acceleration in digital communications has been seen by construction businesses (8.1 years) and energy (7.2 years), while retail and e-commerce organisations report an average acceleration of 6.1 years.

IoT Now - Q3 2020

Twilio surveyed more than 2,500 enterprise decision makers globally, to gauge the effect on their Michele Grover, Twilio company’s digital transformation and communication roadmap. The COVID-19 Digital Engagement Report is a snapshot of how businesses have addressed the complex challenges posed by this crisis and how they will continue to evolve. Twilio has also appointed its first chief information officer, Michele Grover. She will reportedly be responsible for the company’s technology systems and processes. Grover’s previous appointment was as senior vice rpesident of software development at SAP Concur.

COMPANY NEWS Lacroix Group buys IoT and AI firm eSoftThings With the acquisition of eSoftThings, a specialist in the Internet of Things (IoT) and artificial intelligence (AI), based in Cesson-Sevigne, France, Lacroix Group has consolidated its R&D division. This was already present in the Brittany region of France and now strengthens its positioning in the industrial IoT and artificial intelligence sectors, particularly in the field of connected vehicles. eSoftThings is described by Lacroix as a young, innovative company with 50 employees, which has achieved 50% annual growth for the last three years and boasts an impressive client portfolio. Lacroix Group believes the company is now an international benchmark in the design and industrialisation and in the field of AI. Vincent Bedouin, the CEO of Lacroix Group said, “This new acquisition, the sixth in four years, concludes the programme of external growth under our Ambition 2020 plan, and sets us on the strategic path towards our forthcoming 2025 plan. The projects already underway and the connection between the teams herald a bright future.”

SIGOS acquired by Mobileum Mobileum, a global provider of analytics-based roaming, network security, and risk management solutions, is to acquire SIGOS. This is the third acquisition that Mobileum has completed, following the purchase of WeDo Technologies in August 2019, and Evolved Intelligence in October 2018. With global operations and offices, SIGOS has been offering its customers active end-to-end domestic and roaming testing solutions to improve network security and service quality for mobile networks since 1989. The SIGOS portfolio includes the largest roaming and interconnection test system in the cloud, covering almost every country in the world. “SIGOS is a company with over 500 network operators in 156 countries. The company has developed an impressive suite of technology and products that deliver great value to global telecom operators” said Bobby Srinivasan, CEO of Mobileum. “We are excited to partner with SIGOS and support them in the next phase of growth.”

SECURITY NEWS

Cloud software provider Blackbaud pays ransom, hackers’ increasingly favoured global attack vector

IoT continues to serve threats, ransomware is up globally Work-from-home (WFH) employees or remote workforces can introduce new risks, including Internet of Things (IoT) devices like refrigerators, baby cameras, doorbells or gaming consoles. Researchers at SonicWall found a 50% increase in IoT malware attacks, mirroring the number of additional devices connected online. (www.sonicwall.com/ThreatReport) Meanwhile, California-based SonicWall Capture Labs threat research team has published its mid-year update to the 2020 SonicWall Cyber Threat Report. This highlights increases in ransomware, opportunistic use of COVID-19, systemic weaknesses and growing reliance on Microsoft Office files by cybercriminals. During the first half of 2020, global malware attacks fell from 4.8 billion to 3.2 billion (-24%) over 2019’s mid-year total. This drop is the continuation of a downward trend that began last November. Despite this decline, SonicWall’s CEO Bill Conner said: “Ransomware continues to be the most concerning threat to corporations and the preferred tool for cyber criminals, increasing a staggering 20% (121.4 million) globally in the first half of 2020.”

As our sister title, The Evolving Enterprise reported recently (https://bit.ly/2P6q24E) ransomware is behind one in three cyber security attacks on organisations, news was breaking of another major ransom attack. This time, reports Jeremy Cowan, it was Blackbaud, a thirdparty supplier of database services and customer relationship management (CRM) systems for enterprises, that paid hackers a ransom to unlock its own client data.

removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. … We apologise that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident.”

Blackbaud describes itself as “world's leading cloud software company powering social good.” The clients in question reportedly include, homeless charity Crisis, the UK Universities of Aberystwyth and Aberdeen, each of which has issued apologetic notices to its customers and partners. Other customers listed by the company include the American Diabetes Association, the Universities of London and Oxford, and YWCA Chicago.

It is not clear what reassurance was given that the data would not be misused or shared in future, or how Blackbaud could trust the hacker’s assertion it was destroyed.

In a statement (https://www.black baud.com/securityincident), Blackbaud said: “In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team — together with independent forensics experts and law enforcement — successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers.” It went on, “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they

Discovered in May, notified in July In a message to its alumni, Rob Donelson, executive director of Advancement at Aberdeen University wrote: “On 16 July 2020, Blackbaud advised us that it had discovered a ransomware attack in May 2020. According to Blackbaud, the cybercriminal removed data from its backup server at some point between 7 February and 20 May 2020, and we have been informed that data related to our alumni was part of that. We understand that a significant number of organisations around the world have been affected.” One point of immediate concern to clients was Blackbaud’s delay in notifying them of the data breach. Aberdeen University said: “Blackbaud has advised that they did not notify us sooner because they needed to: defend against the attack; conduct the subsequent investigation; take measures to address the issue that led to the incident; and prepare resources for its customers.” If this can happen to an organisation whose raison d’etre is the storage and protection of mission-critical data readers may want to consider the preventative 5 steps outlined in a NordLocker article (https://bit.ly/2P6q24E).

2020 Ransomware Volume / Top 10 Countries COUNTRY 79,985,276

USA UK Malaysia Canada Netherlands Brazil Italy

4,295,721 2,535,693 2,491,377 1,840,836 1,190,836 811,682

France

651,694

Belgium

567,503

Switzerland

545,136 10M

20M

30M

40M

50M

60M

70M

80M

IoT Now - Q3 2020

THE CONTRACT HOT LIST

March – August 2020 It’s free to be included in The Contract Hot List, which shows the companies announcing major contract wins and deployments. Email your contract details to us now, marked “Hot List at <j.cowan@wkm-global.com> Vendor/Partners

Client, Country

Product / Service (Duration & Value)

Awarded

Aeris

AEON Credit Service, India

Multi-year strategic IoT technology partnership agreed for car finance business

3.20

AT&T

XENEX, USA

XENEX LightStrike Robots equipped with AT&T IoT Connectivity to fight infections in hospitals

4.20

QuadReal Property Group, Canada

BehrTech MYTHINGS wireless connectivity infrastructure chosen to enable multiple IoT solutions in buildings

6.20

Eseye, global

Deal to supply virtual connectivity infrastructure in new regions, with complementary management and reporting capabilities

5.20

Deal to ensure farmers anywhere in Australia can use Farmbots solutions to remotely monitor water tanks, dams and reservoirs

8.20

BehrTech

floLIVE

Inmarsat/ Pivotel

Farmbots, Australia

Kerlink

CityTaps, Kenya

French start-up, CityTaps, deploys LoRaWAN in Kenya to bring running water to houses

4.20

Kerlink

Saturas, Israel

Provision of LoRa-based hardware and software for launch of automated stem water measuring system

4.20

Quectel

TVU One, China

Selection of Quectel 5G module for TVU One mobile video transmitter device

5.20

Semtech

Everynet, Italy

Utilisation of Semtech geolocation and asset tracking capabilities to monitor runner safety at 2020 Tor des Géants ultramarathon in Italy

6.20

Samea Innovation, France

Selection of Sequans GM01Q module to provide LTE connectivity to new Sensoriis smart building wireless sensor

4.20

Liveable Cities, Canada

Sierra LPWA system selected to enable smart city applications for division of LED Road Lighting company

3.20

Deployment of Sigfox-connected ByteLab retrofit smart devices by national energy company to digitise gas meters

8.20

Civil Rights Defenders, global

Deal to provide secure, reliable connectivity to Civil Rights Defenders for human rights defenders’ security alarms globally

5.20

Tele2IoT

9Solutions, Finland

Tele2IoT selected by provider of nurse call systems to front line workers

4.20

Telit

Kumpan, Germany

Electric scooter designer and manufacturer selects Telit to provide telematics for ridesharing eScooters

4.20

Selection of Google Cloud to deliver highly secure and scalable activation of embedded SIM (eSIM) capable devices

5.20

UltraSoC embedded analytics chosen for use with Simple Machines’ composable computing platform

5.20

Launch of IoT-enabled heat detection camera that combines thermal imaging with Vodafone IoT connectivity to screen temperature of people as they enter buildings

5.20

Insung Information, South Korea

Business cloud communications provider selected to bring telehealth services to patients, medical professionals and healthcare facilities in South Korea

6.20

NNNCo, Australia

Deal agreed for Belgian applications and solutions provider to bring new IoT solutions, including COVID-19 prevention applications, to Australia

4.20

Sequans

Sierra Wireless

Sigfox

Tele2

Thales

UltraSoC

Vodafone

Vonage

WMW

IoT Now - Q3 2020

HEP-Plin, Croatia

Google Cloud, global

Simple Machines, USA

Digital Barriers, UK

INTERVIEW

Intelligent connectivity enables IoT visionaries to disrupt and collapse traditional business models Intelligent connectivity is set to enable devices to connect to the internet everywhere with minimised complexity. Nick Earle, the chief executive of Eseye, tells George Malim that this is the piece of the disruptive jigsaw that IoT has been missing. Flexible access to different mobile network providers according to location, application and device needs will take the complexity of connectivity away from the business side of IoT, turning it into a simple fact. This will supercharge a new wave of IoT visionaries, and the good news is the intelligent era is already underway Most people think

George Malim: What does the term intelligent connectivity mean to you?

ubiquitous coverage is a given because their mindset is in the consumer mobile phone model, and the industry coverage statistics talk about coverage by percent of population

Nick Earle: For us at Eseye, intelligent connectivity means the ability to provide embedded universal integrated circuit card (eUICC) enabled orchestration via a single application platform interconnected to multiple mobile network operators (MNOs), offering the widest choice between localisation or roaming on a country by country basis. Only by doing this can you provide ubiquitous connectivity as a service to every IoT device with no MNO lock-in. This near 100% global connectivity capability for every device is enabled via an eUICC compliant eSIM that can rotate between embedded international mobile subscriber identity (IMSI) numbers and multiple bootstraps, as well as have new IMSIs pushed into it over-the-air (OTA). The rules sit at the platform level and determine which mobile network operator gets used at what time, under what circumstances. The key here is that the rules are defined by the enterprise, not by each mobile operator individually.

GM: What is enabling the existing model that is dominated by tier one mobile operators to start to break down? NE: Let’s start by examining the deficiencies in the traditional model. Most people think ubiquitous coverage is a given because their mindset is in the consumer mobile phone model, and the industry coverage statistics talk about coverage by percent of population. But IoT devices are often outside the major population centres and so you need to look at coverage by territory. When you do this businesses are often surprised to see the data that shows the average 4G coverage is 60% per operator. Yes, you can roam but often you’ll struggle to get above 80%. IoT needs 100% coverage not 80% to be truly successful. So, you still have to use a combination of regional operators to achieve 100% coverage and that means the enterprise still has the task of stitching fragmented solutions together. They want to focus on their business not on integrating the various carriers. More critically, the commercial model for roaming is broken. If you’re a tier two or tier three operator it's really difficult as there's an unfair share going to the tier one providers who sell the original deal. That’s why it’s often impossible for MNOs to make money from IoT. So, the net effect is that nobody really wants to accept inbound roaming and it’s the

▲

Once you enable out-of-the-box global connectivity through a single platform you achieve device connectivity rates far higher than possible through a single MNO solution, and you open up a huge opportunity for enterprises. Essentially, by having multiple MNOs connecting to the platform, each of which allows localisation of each of their networks via a single eSIM, you enable enterprises to deploy large numbers of devices globally, with a single product stock-keeping unit (SKU). This massively increases manufacturing, supply chain

and deployment process efficiency and saves them a huge amount of money. It is also good for the MNOs as well because they make more money from devices connecting locally.

SPONSORED INTERVIEW 20

IoT Now - Q3 2020

Thomas Rosteck Infineon Technologies However, there will be no IoT without security in the long run. Security is a fundamental feature of connecting devices in order to communicate in privacy, to share sensitive data among companies, or to set up new digital business models. Yet, as the number of attacks is still relatively limited, users don’t necessarily see the risks and device manufacturers do not see the need to act with foresight. GM: Is specific IoT security regulation needed and what will drive it? TR: As security is not a marketed feature today, usual market dynamics don´t work. Regulation can help initiate market dynamics to respond to the very realistic threat of increasing cyberattacks. Government initiatives and standards bodies have started thinking about how to define a common set of standards that facilitate security implementation for device manufacturers, make security features comparable and give orientation to consumers. Because one fundamental problem is that end users have difficulty in understanding what the security level of a device is – or even if any security is there at all. If you go into an electronics store and want to understand the security level of a device it’s hard to get an accurate answer. Security is either not mentioned or it’s simply described as secure or there is a highly technical explanation that is hard to follow. As long as security is not a marketed feature it’s difficult for consumers to make a consistent decision. If this was clarified, people would only buy secure products and therefore there would only be secure products available. To make market mechanisms of supply and demand work, security features must become far more visible and more widely understood. And another important aspect is, that a certain security level is not necessarily the same today as it will be tomorrow. Today, if a car parts maker designs a braking system, the physics of braking will be the same today as they will be in ten years but the ‘physics’ of security will be completely different in ten years as the abilities of attackers will have improved by then. This represents an additional challenge to device manufacturers and calls for regulatory support by standardisation bodies and security agencies.

GM: What would you like to see emerge in terms of IoT security certification and regulation? TS: I would like to see a form of device certification that reflects the evolving character of security and visualises the product’s security level through labelling such as the energy consumption labelling that you see on fridges. If the device has the label, users would see that it fulfils certain requirements and includes a minimum set of features. I think this is a good, clear way to make security transparent to users. But labels like this will only work if they’re mandatory. That triggers everyone to use them. Voluntary codes such as the Security by Design initiative in the UK and similar German regulations remain optional and I don’t think that is very helpful because voluntary codes will not be as effective as we need them to be. Don’t forget, we will have tons of IoT devices and if they’re all insecure we will have a large problem that will hold back IoT. GM: What IoT security solutions does Infineon see being widely adopted? TR: From our perspective, there are common reactions to common threats. Everyone knows that grounding your software in hardware that is not easy to manipulate makes sense. For example, a chip-based trusted platform module (TPM) goes on the circuit board of a device and cannot be easily attacked and manipulated from the outside. Starting with a security hardware base and building on that provides apps with a trust anchor. This also helps to address the five key security threats such as confidentiality, authentication, integrity of the product, integrity of the data and availability of the connection and the data. GM: IoT companies aren't security experts - who can help and abstract the complexity away? TR: Cybersecurity is a very complex topic and IoT companies usually don’t have a lot of knowledge in this area nor do they have the resources to build up security skills. What we recommend is a basic security concept in their devices from when they design them – this is security by design which is a very valid and important term. The good news is that IoT device manufacturers can take a short cut by referring to the knowledge and

experience of the security industry. We’ve developed an understanding of what the threats in the future will look like and we’re investing heavily in developing concepts and architectures that can protect against such attacks. Connected devices are out there for a while and cars, gateways or smart locks need to be secure for the next three, ten,, 15 years and more. The amount of research we do is obviously greater than what an IoT company can do so that’s an important part of our capability. Therefore our strategy is to package what we know into products that are easy to integrate. This helps to eliminate quite a number of common mistakes in the deployment and to always keep security features up-to-date. Finally, we are very actively involved in defining and developing industry standards and certification schemes that are transparent and open to everyone. There’s a risk that if everyone develops security solutions themselves, there will be a lot of implementation problems. Particularly for IoT we need globally harmonised standards for all kind of products from smoke alarms to car factory plants. Ultimately, the market demand will drive cybersecurity, but we have to act now, by increasing consumer awareness of risks and threats, by defining cybersecurity standards that are transparent and internationally accepted and by providing manufacturers with security products that are straightforward to implement. www.infineon.com/security

IoT Now - Q3 2020

IoT SECURITY REGULATION REPORT WHY ITâ&#x20AC;&#x2122;S TIME TO REGULATE TO ACCELERATE

IoT SECURITY REGULATION REPORT

IoT security regulation is needed to underpin market acceleration As volumes of IoT deployments scale-up, the question of security has never been more important, writes George Malim, the managing editor of IoT Now. We've looked on in horror at the well-known breaches such as the Jeep hack by Wired magazine and the Las Vegas Casino aquarium water pump cyberattack but these have been in relatively confined, experimental environments and are not at the hyperscale of IoT. The scale in itself is a security issue and that is compounded because IoT is truly global and therefore is enacted under different regulations in different nations. In addition, IoT relies on different technologies both in the devices and in the networks used to connect them. Some connectivity is fundamentally more secure than others, such as private 5G in comparison to home Wi-Fi, and therefore regulating IoT security is complex and multi-layered. Hunger to get to market first and fast has also weakened prioritisation of security as organisations battle to become market leaders of new sectors To date, securing IoT has relied on wellestablished IT, web and network security but there is an increasing need for IoT-specific solutions and a growing awareness that regulation is required. IT security that works well for protecting servers or PCs in offices only goes some of the way to securing remotely deployed sensors, surveillance cameras or the multitude of endpoints and sensitive data that traverse IoT networks. Systems need to take security more seriously to increase customer confidence in IoT and avoid a wave of breaches that hamper the early phases of the massive IoT market.

IoT Now - Q3 2020

This is well-understood and reflected by predictions of increased spending on IoT security from analyst firms. In Figure 1, IoT Analytics projects a CAGR of 44% in spending on IoT security in the period 2017-2022. Technavio has also been monitoring the IoT security market and predicts it is poised to grow by US$80.94bn during 2020-2024, progressing at a CAGR of almost 37% during the forecast period.

â&#x2013;˛

IoT-specific security regulation is required to establish a framework for IoT security and to clarify what levels of security are needed. This could, ultimately, lead to a certification process in which IoT devices and services could be certified secure. Some are keen to see levels of security defined that reflect the security requirements of different IoT applications, with

certification matched to the business value and security risk profile of the deployment. A sensor that alerts if a bin is empty has a different security priority to a streetlighting system interacting with an autonomous vehicle. Each also will face security constraints in terms of the cost of securing it. The notion of appropriate security that matches and optimises security to the device and its business case needs further exploration and definition to both protect systems adequately and foster user and operator confidence that products are secure.

IoT SECURITY REGULATION REPORT

Internet of Things connections are expected to exceed 23 billion across all major IoT markets by 2026, according to new figures from ABI Research. The analyst firm's ‘Device Authentication in IoT Technology’ report reveals almost all those connections will be faced with incessant and constantly evolving cyberthreats, forcing implementers and IoT vendors to embrace new types of security to protect managed fleets and connected assets. Secure device authentication is among the top-tier investment priorities for key IoT markets, the firm reports. It expects that hardware-focused IoT authentication services will reach US$8.4 billion in revenues by 2026. "There are several key technologies revolving around authentication security that currently transform the IoT device value chain,” said Dimitrios Pavlakis, an industry analyst at ABI Research. “Chief elements among them revolve around IoT identity issuance, provisioning, authentication, encryption key lifecycle management, access management and attestation. These are the prime focus of IoT vendors who capitalise on the emerging threat horizon to better position their services and explore new IoT monetisation models." Figure 1: IoT security is being invested in

The regulations Since the first government-mandated IoTspecific security regulation was made with the introduction of security certification criteria for smart meter gateways to support Germany’s roll-out of smart meters, other jurisdictions have worked to create IoT security regulation. The German Federal Office for Security in Information Technology (BSI) set out common criteria for securing smart meters as part of the country’s Smart Meters Operation Act (MsbG), which came into force in September 2016. The Act stipulated that once three certified smart meter gateways are available, national roll-out could begin. Certification guarantees that the smart meter gateway meets the strict technical and security criteria defined by the BSI, making them suitable for installation in intelligent metering systems first outlined in the legal framework for smart metering laid down by the Bundesministerium für Wirtschaft und Energie (BMWi). Germany has not been alone. Governments in both the UK and United States have been working to enhance consumer protections included in IoT devices. In the US, for example, California became the first state to pass an Internet of Things (IoT) security law, which went into effect in January 2020. The state of Oregon is following closely. The legislation, the California Senate Bill 327 (SB-327), requires “reasonable security feature or features that are appropriate to the nature and function of the device.” SB-327, which was first proposed in 2018 and became law in January 2020, has received criticism from the security community, which has complained that, while the bill is a good first step, it does not go far enough in regulating IoT security.

▲

In the UK, the government has also introduced a new draft law that will require certain cybersecurity features to be built into IoT Source: IoT Analytics Research

Figure 2: Pioneering IoT security regulations

Source: Infineon Technologies, 2020

IoT Now - Q3 2020

IoT SECURITY REGULATION REPORT

Figure 3: Elements of the UK’s optional code of practice

CODE OF PRACTICE FOR CONSUMER IoT SECURITY 2

No default passwords

4 Securely store credentials and securitysensitive data

Implement a vulnerability disclosure policy

Minimise exposed attack surfaces

Communicate securely

8 Ensure software integrity

Make it easy for consumers to delete personal data

Ensure personal data is protected

11 Monitor system telemetry data

Keep software updated

Make system resilient to outages

Make installation and maintenance of devices easy

Validate input data

Source: UK Department for Digital, Culture, Media and Sport

products and clearly labelled on the packaging. Both of these IoT security laws could become templates for other nations. The UK’s draft law, announced in late-January 2020, comprises three main requirements for IoT manufacturers. All consumer IoT device passwords must be unique and not possible to reset to universal factory settings. IoT device manufacturers must provide a public point of contact so that anyone can report a flaw to be “acted on in a timely manner”. Finally, manufacturers must also explicitly state the minimum length of time for which devices will receive security updates at the point of sale. The UK has been early to address the IoT security challenge and previously introduced its Secure by Design Code of Practice for consumer IoT security, which was launched in 2018. However, this was a guidance rather than legislation and had no penalties for manufacturers who did not comply.

IoT Now - Q3 2020

The Singapore Cybersecurity Act is among the most stringent regulation to be applied to IoT and looks to level up digital security and digital resiliency measures across industry sectors that provide essential services in Singapore. KPMG says the Act provides a framework to Critical Information Infrastructure (CII) owners on their obligations to proactively protect their data and networks from cyberattacks. The defined CII sectors in the Act are energy, water, banking and finance, healthcare, transport (land, maritime, and aviation), info-communications, media, security and emergency services, and government. Organisations in the CII sectors are required to take the following measures: • Prevent, manage and respond to cyber security threats and incidents; • Protect Critical Information Infrastructures (CII) • Share CII information with the Cyber Security Agency of Singapore (CSA) in the event of a cyberattack.

▲

Several other attempts at IoT security regulation do exist globally. In the European Union, ENISA (European Union Agency for Network and Information Security) has published its Baseline Security Recommendations for IoT with a particular focus on critical national infrastructure. Other industry initiatives include the IoT Security Foundation’s Code of Practice, which provides a basis for testing and certification of IoT security.

These initiatives are far from the end of the IoT security regulation journey and, in the EU in particular, these practices are not mandatory. Regulators need to work out how effective standards and practices can be enforced pragmatically. The task for IoT device manufacturers is to ensure that products are secure by design and by default.

IoT SECURITY REGULATION REPORT

Figure 4: How current regulations compare programme. It could be as simple as a traffic light system, or a platinum to bronze spectrum of security levels.

Source: Infineon Technologies

From design to default The well-intentioned UK Secure by Design Code of Practice provides an effective framework for securing IoT but its lack of enforcement weakens it to being mere guidance. It’s therefore clear that enforceable legislation like the Singapore Cybersecurity Act are required and these will play an important role of moving security to become a default in IoT as it is in the IT world.

An additional function of this would be that lower security devices may no longer be saleable and therefore the sticker system could provide a generalised uplift to security across all of IoT as users vote with their feet and only buy secure systems. Finland is leading the charge here and has launched a cybersecurity labelling system to inform consumers of IoT products that meet digital safety standards. The labelling initiative, led by the Finnish Transport and Communications Agency, Traficom, began development late last year. It will see a stamp placed on every smart device that adheres to Finland’s cybersecurity safety guidelines.

▲

Along this path, IoT security must become visible and simple to understand for consumers and customer organisations. There will be many different shades of IoT security, as discussed earlier, and an easy means to demonstrate the security credentials of a device or solution is through an independent certification

Some have put forward the concept of an IoT security equivalent to the Energy Star certification for energy efficiency of appliances, electronics, HVAC systems and others. Energy Star is a US government programme, but IoT is global and unlikely to be able to wait for government action. Instead, the IoT industry could develop its own security certification system. This would make it easy for customers to immediately understand the security capabilities of an IoT device and purchase accordingly.

Figure 5: IoT security best practices post COVID-19

Source: IoT Analytics Research 2000

IoT Now - Q3 2020

IoT SECURITY REGULATION REPORT

A website is also available for vendors to become certified with the security badge, and for consumers to make informed purchases. The implementation of the initiative has been led by the National Cyber Security Centre Finland (NCSC-FI) and telecoms operator DNA along with smart device manufacturers Cozify and Polar Electro. The aim is to have stickers on all consumer IoT devices that detail their security status. Such a scheme would be readily extendable to industrial IoT and the businessto-business market.

IoT security in the time of COVID As COVID-19 has led to an increase in

cyberattacks and to changes in hackers’ strategies, companies are taking precautions and revisiting their IoT security setup. In Figure 5, IoT Analytics provides its top five security best practices for COVID-19. The growth in remote working, which is seeing a wide array of devices connecting to corporate networks, is compounded by the rise of IoT devices at home and at work. Most security teams have zero visibility into these and, as consumer IoT devices increasingly share the same – often home Wi-Fi – network as corporate devices, consumer IoT devices effectively expand the organisation’s attack surface.

Conclusion Many IoT devices continue to be released with serious security vulnerabilities which leaves them open to attack. Without a enforced standards governing the security of IoT devices, device manufacturers have been allowed to prioritise time-to-market above security. The lack of regulation has allowed systemic issues such as insecure administrator interfaces, poor authentication schemes and firmware vulnerabilities to persist across brands and types of devices. Once a smart device is hacked, the opportunities for hackers to attack enterprise assets or steal employee credentials greatly increases. Until meaningful legislation is passed, enterprises are, in effect, having to do the job of their IoT device and solution providers. It’s their reputations that are on the line so they are taking responsibility for protecting their assets from the risks of sharing a network with IoT devices. This presents a substantial opportunity for IoT vendors that can provide secure solutions. If they can communicate simply and effectively via a certification that their device meets specific, well-understood criteria the burden of security can shift, at least in part, from the enterprise to the vendor, making procurement decisions easier and ultimately removing insecure systems from the market. As IoT matures, device makers have a responsibility to their customers to ensure their devices are secure. This will also benefit them because customers will prefer to buy secure solutions and if fewer breaches occur, IoT will avoid the bad reputation of being an insecure market. On the upside this will stimulate further growth, foster trust and result in more and more organisations and people engaging in IoT at scale. Ignoring optional codes of practice, seeking out the loopholes and continuing to sell insecure devices may look like a way to save development costs and bring cheaper devices to market but in reality, it’s a way to hamper the development of IoT in its entirety by weakening the reputation of companies, causing mistrust of IoT and enabling the cyber criminals. The new regulations and the direction of travel towards legislation and certification that are outlined in this report show the IoT industry is engaging with the security issues it faces. In future we will see certification schemes such as the Finnish initiative go global and it will be another step towards IoT security completed when devices are sold based on their certified security status. There is, however, a need for speed here. IoT can’t wait for lengthy standards development processes. The industry should take its own lead and find its own way.

IoT Now - Q3 2020

“

IT IS NOT THE STRONGEST SPECIES THAT SURVIVE, NOR THE MOST INTELLIGENT, BUT THE ONES MOST RESPONSIVE TO CHANGE

”

YOUR DIGITAL TRANSFORMATION JOURNEY STARTS HERE SUBSCRIBE

www.TheEE.ai

INTERVIEW

Breaking down complexities in IoT connectivity with eSIM Robin Duke-Woolley, CEO Beecham Research, interviews Steve Alder chief business development officer at Truphone and Michael Moorfield, director of product at Truphone

Robin Duke-Woolley: How do you describe what Truphone does?

Robin Duke-Woolley, Beecham Research

Steve Alder: Truphone is a mobile virtual network operator (MVNO) based in nine countries – UK, US, Germany, France, Spain, Netherlands, Poland, Hong Kong and Australia. We have our own global core network that covers over 200 destinations and connects with many different MNOs, providing global or regional roaming. Truphone was originally one of the first VOIP apps. We still have a large enterprise voice business for international use but recognised that the network is also valuable for Internet of Things (IoT) customers. The heart of our offer is simple connectivity, but we are strong believers in the potential of embedded subscriber identity module (eSIM). As a result, we have invested in eSIM and are one of the biggest providers of eSIM in the market. We’ve also recently launched Truphone for Things, our all-encompassing global connectivity solution which breaks down complexities in IoT connectivity by utilising eSIM technology. Truphone for Things enables users to connect devices anywhere in the world in a few simple clicks. RD-W: For an eSIM solution to be effective, it needs to be able to switch between MNOs and find the lowest cost path for each device out there. How does Truphone cater for that?

A connected device no longer needs to be tied to a network brand, it can connect remotely to any and all of them. Any device shipped around the globe will have out-of-the-box connectivity, on a network of the user's choosing, from the moment they switch it on. All this can be done with the Truphone SIM. In addition, eSIM technology allows a user to swap the SIM to a new MNO remotely. In IoT you never want to go back to the device to swap the SIM, so with eSIM this can be done over-the-air. It means that you aren’t locked into the same operator for the life of the device, it gives more flexibility and choice in the future. Truphone believes in this open policy as it will be good for the growth of IoT. RD-W: What level of granularity can you provide for different requirements? SA: Within the Truphone service we have the ability to access multiple networks whether that is for high bandwidth, low bandwidth, low power or other customer requirements. Michael Moorfield: The SIM that can switch to

▲

SA: The switching between network operators we deal with is invisible to our customers. The Truphone profile attaches to Orange in France,

to Vodafone in Germany and so on. We have multi-international mobile subscriber identity (IMSI) technology on the SIM that allows the SIM to look for different networks and always look for the best quality and price. This is great for IoT manufacturers and distributors as they can create a single stock keeping unit (SKU) that doesn't need to be programmed to a local network on manufacture.

IoT Now - Q3 2020

Michael Moorfield, Truphone

Steve Alder, Truphone

multiple networks is something Truphone has done for eight or nine years as a Multi-IMSI solution. We do that on the back of our MVNO infrastructure and we have 13 IMSIs on our SIM card that allow us to decide the best route given the specific customer use case. One customer might be deploying an LTE-M tracker globally, so we put IMSIs on that SIM that give access to the most LTE-M networks around the world. Another customer with a tablet to roll out globally will need a different set of IMSIs to make sure it has the best and cheapest possible access to LTE service. The eSIM bit then goes on top of that, in that you can then deliver that profile remotely as well.

MM: Yes – we support the GSMA spec. There are two separate points here. The Multi-IMSI technology we’ve developed in our profile is proprietary Truphone intellectual property. It all runs within a GSMA standard eSIM so all of our SIM cards are GSMA-certified and our provisioning platform in London and Amsterdam is GSMA-certified. We’re a big supporter and part of the GSMA working group.

RD-W: The IMSI profiles that you provide, can they be downloaded over the air or are they inserted into the SIM and that’s what gets installed into the device? MM: Both. Each of our SIMs comes preloaded with our IMSIs but we’re adding new ones all the time, so we push those over the air. If you’re in a country where we have a new agreement, we can push that new one. We have patents in this area around our SIM management capability in order to do this. So you don’t necessarily need to select Truphone at the initial deployment and you can swap away from Truphone if you want to. You can do that all through our platform. RD-W: Do you follow the GSMA spec for eSIM? Multi-IMSI solutions are proprietary, so swapping out may not be as easy.

IoT Now - Q3 2020

RD-W: What kind of services are offered from your platform?

Within the Truphone service we have the ability to access multiple networks whether that is for high bandwidth, low bandwidth, low power or other customer requirements

MM: At its core, we provide a platform for all our customers to manage all their connected devices wherever they are. For each device, you can see its IP address, you can optimise or troubleshoot it, see what’s happening in terms of traffic on each device. Alongside that we support our eSIM management of those devices as well with our own remote SIM provisioning platform. RD-W: When did you start offering IoT eSIMs? SA: September 2018, and we are one of the biggest remote eSIM provisioning companies. It’s been helped by our partnership with Apple. We’ve been partnered with Apple for eSIM for a long time. We then also opened up our platform to other operators. We now have 26 operators using our platform to serve their customers, so we are acting there as a service provider for network operators. This is in addition to Truphone’s own end user service, where most of our customers are product manufacturers looking for international coverage.

eSIM DELIVERS GREATER FREEDOM FOR IoT OEMs IoT NOW ANALYST REPORT

SPONSOR

Reproduced from IoT Now Magazine

ANALYST REPORT

Robin Duke-Woolley, Beecham Research

Traditional SIM card restricts IoT growth for OEMs The original SIM card (Subscriber Identity Module) – the plastic card inserted into your mobile phone to determine which network operator (MNO) your phone is assigned to – has essentially not changed much since it first came to the market in 1991. It has been well suited to the sales process in specialist mobile retail stores, where the SIM is inserted into the phone at the point of sale

▼

While it has contributed significantly to the growing success of the mobile handset market for many reasons, it is not ideal for other connected devices which are not purchased through mobile phone retail outlets. For IoT applications, such as those using asset trackers, cars, CCTV cameras, healthcare devices, security alarms and smart meters, matching up a specifically configured SIM card with the device it is configured for is often a logistical nightmare for the product manufacturers (OEMs) involved. This is particularly the case where the devices are manufactured in one country then shipped worldwide, with the SIM cards then often being configured in a different country and also shipped worldwide to be matched up individually with those devices. This all adds cost and when errors are inevitably made, these need to be corrected which adds time as well. It is also highly inflexible to customer service changes and is in any case becoming increasingly untenable as the volumes of manufactured devices requiring to be connected have risen sharply in recent years. In essence, the traditional SIM card has been restricting the growth of cellular IoT device use in global markets.

IoT Now - Q3 2020

ANALYST REPORT

As well as all this, there may be a need to change the mobile operator (MNO) during the life of the device. This could be for coverage issues, or because the tariff is now high compared with other alternatives, or even due to a network shutdown as the network technology is upgraded. Changing the MNO means changing the SIM card and that introduces both the same and new logistical issues. It is usually the case that such devices, once installed, cannot be simply disconnected and sent back to base for the swap. Apart from the loss of service the device is providing, the card may be physically difficult to access. It may be up a lamppost. It may be in a small cabinet out of easy reach. On the other hand, if it is easy to access and in a public location, it may then be open to tampering and even theft if not physically secured in some way. Such issues and more all add cost and further logistical challenges in the use of traditional SIM cards for connected devices.

eSIM to the rescue To address these and other challenges posed by the SIM card in this market, a new type of SIM has been introduced that is provisioned over the air. Somewhat confusingly, this is called an embedded universal integrated circuit card (eUICC). The major advantage for OEMs of this approach is that the SIM can be inserted into a device’s circuit board during manufacture like any other component and then provisioned later with the appropriate network operator proﬁle over the air (OTA) for wherever in the world it happens to be. It converts the SIM into a single stock keeping unit (SKU), thereby helping to streamline production processes and reduce costs. This is particularly important for the OEM market where products may be shipped anywhere in the world and considerably eases the issues for OEMs.

▼

This whole solution, incorporating both the eUICC and the means for updating it remotely over the air, is then called the eSIM solution. The introduction of the eSIM Technical Specification by the GSMA in 2014, and continuously updated since then, provides a technical standard for this type of solution and this has considerably enhanced the prospects for eSIM use in the IoT market. It has dramatically opened up the opportunities for OEMs to use cellular connectivity in their products. It has of course already been widely taken up by the auto industry manufacturers, who have pioneered its use for a variety of telematics and in-car entertainment uses, and is relevant for any application where embedded, wide area connectivity is appropriate. Through the way it works, this solution also changes the ownership of the SIM itself. The traditional SIM card has always been the property of an individual MNO. It is supplied by the MNO and to change to another requires a physical change of SIM. With the eUICC, the SIM is owned by the OEM or service provider and has a bootstrap network profile installed in it. Wherever the product is subsequently shipped to, when the eUICC is switched on the bootstrap profile sets up a wireless connection so the correct network profile for that location can be downloaded over the air, with no physical intervention.

IoT Now - Q3 2020

Majority of new cellular IoT connections to be eSIM-based Projected eUICC shipments vs Cellular IoT Connections (m) 2500

bandwidth – will be eSIM based in the next few years. Further, since growth of eSIM for low bandwidth NB-IoT and LTE-M is behind and catching up, growth of eSIM for high bandwidth connections is well ahead of that. This means that the majority of new cellular IoT connections will use eSIM and its related developments, such as iSIM (integrated SIM), within the next few years. The IoT market is just at the start of exploring the new ways of working and the new operational ﬂexibilities that eSIM now offers for IoT business users.

2000

1000 500 0 2017

2018

Total Cellular

2019

2020

New Cellular

2021

2022

eUICC shipments

Figure 1: eUICC shipments vs new cellular IoT connections (Source: Beecham Research) Projections for use of eSIM for M2M/IoT applications show strong growth with market expectations high that nearly two thirds of all new cellular IoT connections – both high and low

IoT Now - Q3 2020

One of these flexibilities is that if the business user requires a particular experience for their connected devices in a large number of countries, establishing the best rates for that coverage can be complex. It may therefore seem simpler just to opt for a global SIM provided by one MNO that offers coverage using the roaming agreements that the MNO has worldwide. That is then often provided by means of a locked eSIM that cannot be changed for the life of the product. Yet this approach may not in fact provide the optimum geographic coverage for the data rate required within each country and overall may cost more than an alternative that does provide this. If it is locked, it cannot then be changed. The difference is then between a one-size-fits-all global SIM solution that is not designed for the specific requirement and an open and flexible solution tailored to the specific needs of the business user. The former solution cannot adapt to any changes required by the user that come about over time, whereas the latter remains open and flexible to such changes. ▼

1500

ANALYST REPORT

A related issue is permanent roaming. In some countries, a device that is roaming permanently in a country when its home country is elsewhere contravenes local regulations and may be disconnected. This is a changing situation and the number of countries where this is an issue may increase over time. This is easily overcome using an eSIM approach, where a new network proﬁle can be uploaded as required. A further area that may also need to be considered is local country regulations aimed at ensuring that data originating in a country stays in that country. This has implications for choice of carrier in some countries for some applications and this trend is expected to increase over the next few years. There may also be a need for local breakouts, so that data is processed close to where it will be used rather than being sent back to a cloud-based server where latency could be an issue. All of these issues suggest that eSIM solutions will continue to evolve and become more granular and more ﬂexible over time as their use increases.

Truphone for Things As the name suggests, Truphone originally entered the telecoms market with a voice application for enterprise users and has also been partnered with Apple for eSIM for some time. Its entry into the IoT market is more recent, and this has provided the company with the opportunity to utilise its experience of both eSIM and Multi-IMSI to provide a ﬂexible solution for IoT. In doing so, its principle objective is to make life easy for its customers. Although eSIM is intrinsically quite complex to operate, Truphone’s view is that there is no need for its customers – typically not telecoms experts – to be involved in that. Keep it simple.

▼

Figure 2: Remote SIM Provisioning System Architecture (Source: Truphone)

Figure 2 shows Truphone’s version of the GSMA’s Remote SIM Provisioning Architecture, which features the interfaces required (ESxx) for secure transfer of network profiles. As this demonstrates, this is a quite complex process with many interface activities required. It also demonstrates the need for one globally accepted specification or standard to maximise the benefits of eSIM in the IoT market. Proprietary specifications, of which there are a number, effectively lock the customer in to one supplier’s subscription management system.

IoT Now - Q3 2020

Figure 3: Key Elements of Truphone’s eSIM Line-up

Truphone has developed this technology – including the SMDS (Subscription Manager-Delivery Server) and SM-DP (Subscription Manager-Data Preparation) – in their own infrastructure, which provides full control over the feature set and being able to integrate it in different ways. At its core, Truphone provides a platform for all of its customers to manage all of their connected devices. Wherever they are in the world, the device will show up. The customer can see what IP address it has, they can control that device in terms of whether it is activated or troubleshoot it and see what is happening in terms of traffic on that device. Alongside that, Truphone supports its own SIM management of those devices as well with its remote SIM provisioning platform, which can be integrated with the eUICC in each device. That could be pushing new profiles to those devices and switching profiles if needed. Figure 3 shows the main elements of Truphone’s eSIM offering. Among others, this includes Entitlement Management, which offers the ability to securely configure devices with the right settings. For example, this may be particularly useful for wearables applications where there is no effective user interface (UI). It can be challenging to configure voice services on a wearable. The integrated Entitlement platform Truphone has developed provides the facility to configure those wearable devices. Truphone is now nearing six million eSIM enabled connections on their platform. They are downloading about 20,000 per day, although this is a total mix of data traffic – not all IoT. For example, it includes iPad traffic. In addition, this is not just Truphone’s own connectivity. The company has 26 other network operators using its platform to serve their own customers.

IoT Now - Q3 2020

The company has established various partnerships across the ecosystem including eSIM partnership with Synopsys in the US and Murata in Japan, who make LTE-M/NB-IoT multi-mode modules that come linked to Truphone’s platform. What differentiates Truphone? In the company’s own words “we have an end to end solution so if you want to have eSIM we can provide the eUICC, the connectivity and the remote SIM provisioning platform to go with it. There are not many who can provide all of these elements and give a global endto-end solution to an IoT player.” In addition, Truphone maintains an open stance towards eSIM. The whole point of eSIM is to provide the ﬂexibility to change the SIM in the future to somebody else. Truphone is quite open and relaxed if its customers want to move away from Truphone and use another service. It will facilitate that to happen. This is not a usual attitude in the telecoms world but necessary for eSIM and the IoT market to thrive.

CASE STUDY

Fox Sports used Truphone SIM cards to broadcast from the tournament

Truphone for Things gets Fox Sports ahead of the game From providing our services to 10 of the world's 12 largest banks to being a trusted partner of Apple’s for the last five years as the first Apple eSIM provider, Truphone’s roster of clients is as diverse and influential as our product suite. Whether we’re helping MSA Security scale at the touch of a button or keeping Fox Sports close to the action, our customers can rely on us to provide them with seamless connectivity, on the ground, wherever they are. Truphone’s use-cases cover a breadth of IoT needs, such as high-volume data for a smaller number of devices, as we do for Fox Sports, or lower volumes of data for asset and fleet tracking purposes, as we do for MachineMax. Below, we’ll discuss in more detail how Truphone has helped these two particular customers stay ahead of the game

Rising to the challenge for the Women’s World Cup During the Women’s World Cup in France, Fox Sports needed a flexible solution that would enable them to broadcast live footage for its programming, without having to worry about poor connection or breaks in service.

"We were able to replace all of the SIMs with Truphone SIM cards to enable us to be on the Truphone network everywhere we were with the backpacks in France. This allowed us to have one data plan and no surprises at the end of the tournament," says Kevin Callahan, the vice president of Engineering and Operations at Fox Sports

Transforming connectivity with Truphone for Things Using Truphone for Things – Truphone’s cuttingedge IoT technology – Fox Sports replaced all of its regular SIM cards with Truphone SIMs in its LiveU mobile broadcasting packs. These ▼

As one of the largest sports broadcasters in the world, Fox Sports is on-site at every major sporting event, reporting on the biggest stories as they break. These pre-planned large-scale events are the focal point of the year for broadcasters, with multi-millions invested to ensure the best quality coverage.