Toward secure IoT lifecycle management

By Dr. Antonio Skarmeta, University of Murcia

Dr. Antonio Skarmeta from the University of Murcia participated in the IEEE 9th World Forum on Internet of Things – 2023 IEEE WF-IoT, which took place in Aveiro, Portugal, between October 16 and 20, 2023. He gave a keynote titled TOWARD SECURE IOT LIFECYCLE MANAGEMENT, in which the DOSS project was included as an example of the topic. The presentation described the vision and challenges of IoT security and how DOSS is defining solutions to these challenges. Additionally, Dr. Skarmeta participated in the Topical Track: SECURITY, PRIVACY, AND TRUST, in the session “Security, privacy, and attestation for IoT devices and products”, giving a talk about IoT secure bootstrapping and lifecycle management.

Within these sessions, several aspects related to the work in DOSS were discussed.

The first talk covered how, as DOSS envisages it, security management of IoT infrastructures encompasses the full lifecycle of products, and why continuous certification is a fundamental tool to guarantee high-level security, as emphasized by the Cybersecurity Act.

The DOSS concept foresees the assurance of security compliance throughout the lifetime of the device, along the entire supply chain. The talk described the design and implementation of a cybersecurity lifecycle management framework for IoT devices and its application in different scenarios. The framework is intended to support the design, bootstrapping, commissioning, and upgrading of device security, and the talk showed how it can be integrated into solutions for sharing security information. The talk provided examples of how projects like DOSS aim to generate a flexible solution for controlling the secure onboarding process of new embedded devices and ensuring their runtime integrity. The central topic was the concept of bootstrapping and enrolment.

In the second talk, new challenges and the future direction of secure IoT lifecycle management were presented. The following challenges and requirements were mentioned:

  • Bootstrapping issues:
    • The generation of cryptographic material is necessary to:
      • Run different Security Association Protocols (SAP) (e.g., DTLS, OSCORE);
      • Protect the communications at different layers (e.g., Link layer);
    • Trust relationships to gather additional credentials or tokens to perform the device’s normal operation;
    • Federated scenarios are needed to enhance scalability and interoperability if external authenticators are used.
  • Management of IoT deployments:
    • Scenarios with millions of heterogeneous devices cannot be managed by centralized and out-of-band approaches → self-management techniques should be supported;
    • The application of scalable mechanisms for bootstrapping, configuration, upgrading, and key management is necessary;
    • Multi-home deployments should be considered in IoT.


