The oneM2M specifications enable secure IoT data exchange and information interoperability across different vertical sectors, service providers, and use cases.

The ITU Telecommunication Standardization Sector (ITU-T) has approved a set of security specifications for internet of things (IoT) systems. The oneM2M specifications define a common set of IoT service functions to enable secure data exchange and information interoperability across different vertical sectors, service providers, and use cases. The specifications were approved by more than 190 countries and are now available for use by ITU-T member states.

The ITU-T is responsible for coordinating standards for telecommunications and information communication technology for cybersecurity. It is one of the three branches of the International Telecommunication Union (ITU), a specialized agency of the United Nations that oversees matters relating to information and communication technologies.

International standards bodies launched oneM2M in 2012. ARIB (Japan), ATIS (Americas), CCSA (China), ETSI (Europe), TIA (Americas), TTA (S. Korea), and TTC (Japan) came together to form a global partnership initiative to develop an international standard for interoperable and scalable IoT systems.

Authentication, encryption, policies among IoT security specifications

With its approval of oneM2M, the ITU-T has added IoT security capabilities to its recommendations of the M2M common service layer, according to a press release. The oneM2M standards provide an interoperability testing framework and support a global certification program by the Global Certification Forum (GCF) for oneM2M-based products, it added.
The specifications set out in the ITU-T Y.4500.3 oneM2M security solutions document are extensive, encompassing three IoT security architecture layers: security functions, security environment abstraction, and secure environments.

The security functions layer contains a set of security functions that are exposed at reference points Mca and Mcc, the document read. These security functions are classified as identification, authentication, authorization, security association, sensitive data handling, and security administration.

The security environment abstraction layer implements security capabilities such as key derivation, data encryption/decryption, signature generation/verification, and security credential read/write from/to the secure environments. These are invoked to protect the operations in secure environments. In addition, this layer also provides physical access to secure environments.

The secure environments layer contains one or multiple secure environments that provide security services to adequately protect sensitive data storage and sensitive function execution. The sensitive data includes secure environment capability, security and asymmetric private keys, local credentials, security policies, identity information, and subscription information. The sensitive functions include data encryption and data decryption.

“The architecture needs to be adapted to be suitable for implementation in different entities. For example, the architecture can be mapped to different device classes,” the document read.
“Before any M2M common services layer procedure can take place, connectivity has to be established in the underlying network services layer, which may involve independent provisioning and service registration procedures specified by the underlying network.”

The service layer security provisioning (security pre-provisioning or security bootstrapping) and security association establishment procedures specified can take place independently (and generally consecutively) from any required network service layer connectivity establishment procedures, according to the document.

Security capabilities essential components of all IoT systems

“Security-related capabilities are an essential and complementary component in all IoT systems – oneM2M treats security as a common service function that can be applied in the same way across many applications in different verticals,” said Roland Hechwartner, Deutsche Telekom, technical plenary chairman, oneM2M. “It also emphasizes the use of open standards so that service providers can control all entities and services in their deployments without relying on a single company or proprietary set of technologies.”

A close rapport between the ITU-T and oneM2M experts helped to deliver common IoT standards and security that benefit the widest community, added Rana Kamill, British Telecom, ITU-T WP1/20 vice chair. Kamill stated that the oneM2M security solutions document went through the ITU-T’s Typical Approval Process – the default method for international standards with regulatory or policy implications. It has also been translated into the ITU’s six official languages (English, Arabic, Chinese, French, Spanish, and Russian).