DoT Guidelines for M2M, IoT Stakeholders

May 19, 2023 | Corporate & Commercial Law

Recent DoT Guidelines carry several preventive measures to protect M2M & IoT stakeholders from risks & also direct that mobile users using e-SIM need not get a new SIM when switching service providers or buying a new connection.

M2M communications refer to automated applications that involve machines or devices communicating through a network without any human intervention. Sensors and communication modules are embedded within M2M devices, enabling data to be transmitted from one device to another device through wired and wireless communications networks.

The Networks and Technologies (NT) Cell deals with all policy and regulatory aspects related to M2M communications. The following initiatives have been taken by the Department of Telecommunications (DoT):

  • The ‘National Telecom M2M Roadmap’ was released by the Ministry of Communications (MoC) on 12 May 2015. It seeks to assimilate various M2M standards and to outline policy and regulatory approaches and measures for increased M2M proliferation.
  • DoT has issued instructions, permitting the use of e-SIM with both single and multiple profile configurations with Over the Air (OTA) subscription update facility, as per prevailing global specifications and standards (GSMA).
  • Instructions for Know Your Customer (KYC) for SIM embedded M2M Devices were issued addressing identification and traceability of M2M Devices.
  • DoT has implemented a separate 13-digit numbering scheme for SIM based M2M devices.

Notification Dated 16th May 2018


Guidelines for issuing e-SIM

The guidelines issued instructions on restrictive features for SIMs used only for M2M communication services, related Know Your Customer (KYC) instructions for issuing M2M SIMs to entities/organizations providing M2M communication services under the bulk category, and instructions for embedded SIMs (e-SIMs).

The guidelines permitted the use of the ‘Embedded-Subscriber Identity Module (e-SIM)’ with both single and multiple profile configurations with over the air subscription update facility, as the case may be, as per prevailing global specifications and standards, in order to cater to the needs of modern technological developments in M2M and Internet of Things (IoT).

  • Mobile users will not need to buy a new SIM card while changing telecom service provider or buying a new connection if the mobile phone has an e-SIM.
  • The e-SIM will be installed in the device and details of service providers can be updated at the time a customer buys a new connection or changes operator or wants to buy standalone service from a telecom operator like data or calling, etc.
  • DoT has allowed profiles to be updated over the air to facilitate mobile number portability on e-SIMs and to avoid locking of the device by a telecom operator.
  • Telecom operators are required to facilitate services on e-SIMs in a way that meets lawful interception and monitoring requirements and to ensure that the manufacturer of the device does not tamper with the e-SIM.
  • DoT has enhanced the number of connections per user to 18, which includes 9 SIMs that can be used for normal mobile phone communications or in devices that have a slot for them.
  • The other 9 SIMs can be purchased for M2M communications.
  • According to the DoT guidelines, device makers will be responsible to complete subscriber verification where M2M is required to be pre-installed in devices.
  • The person or end user will be responsible for updating subscriber details if they transfer the device to another user.

Notification Dated 8th February 2022


Guidelines for Registration Process of M2M Service Providers – M2MSP and WPAN/WLAN Connectivity Providers for M2M Services

The guidelines were issued to address concerns like interface issues with telecom service providers, know-your-customer (KYC) compliance, security and encryption. It aimed to create a robust digital communication infrastructure, enable next-generation technologies, and ensure a holistic and harmonized approach for harnessing emerging technologies such as M2M and the internet of things.

  • DoT outlined various requirements for registration such as an M2M service provider furnishing the details of the location of their IT setup/core network.
  • The guidelines enable authorized telecom operators to provide M2M services to third parties under their existing license without a separate registration.

The guidelines also mandate technical conditions: M2M service providers and WPAN/WLAN connectivity providers need to obtain telecom resources such as bandwidth, leased lines, etc., from an authorized telecom service provider. In addition, M2M service providers can use WPAN/WLAN technologies in the unlicensed spectrum to provide M2M services.

In the case of WPAN/WLAN technologies in the unlicensed spectrum/frequency band, WPAN/WLAN connectivity providers will have to connect to licensed telecom operators’ networks for backhaul connectivity to provide connectivity for M2M services.

M2M service providers must keep:

  • Updated records related to customer details.
  • Updated details of M2M end devices like IMEI (international mobile equipment identity), ESN (electronic serial number) etc., as well as details such as make, model and registration number of the machines, which should be made available to the authorized telecom licensee and the DoT.

M2M service providers are required to adhere to DoT instructions that permit the use of e-SIMs with both single and multiple profile configurations, with Over the Air (OTA) subscription update facility, as per prevailing global specifications and standards.

  • Among the security conditions outlined, M2M service providers and WPAN/WLAN connectivity providers need to ensure that all data logs, event logs, system logs etc., handled by their system are tamper-proof, and these records must be preserved for at least a year if needed by the DoT for inspection.

The registrants must also only make use of devices or equipment in the network that meet Telecommunications Engineering Centre (TEC) standards and certifications, or those set by national and international standardisation bodies such as the IEEE (Institute of Electrical and Electronics Engineers), ETSI (European Telecommunications Standards Institute), etc.

Notification Dated 2nd March 2023


Guidelines to machine-to-machine (M2M) / internet of things (IoT) stakeholders for securing consumer IoT (Guidelines)

In view of the anticipated growth of M2M/IoT devices, the guidelines ensure that the M2M/IoT end-points comply with the safety and security standards in order to protect the users and the networks that connect these devices.

Hacking of devices/networks being used in daily life would cause significant harm. Therefore, securing the M2M/IoT ecosystem end-to-end, i.e., from devices to the applications, is very important.

The following broad guidelines are hereby issued to all M2M/IoT stakeholders:

  • Keep the Software Updated
The Guidelines shed light on the importance of securely updating software in the devices and the steps to be followed in this regard.

  • Updates should be easy to implement, made available in a timely manner, and should not adversely impact the functioning of the device.
  • M2M/IoT stakeholders must also publish an ‘end-of-life’ policy for end-point devices which expressly sets out the assured duration for which a device will receive software updates. Devices that cannot be physically updated should be isolatable and replaceable.
  • An obligation has been placed on retailers and manufacturers to inform consumers in a timely manner whenever an update is required and to explain the need for the update to such consumers.

  • Implement means to Manage Reports of Vulnerabilities
M2M / IoT stakeholders have also been advised to designate a dedicated public ‘point of contact’ as a part of their vulnerability disclosure policy, through which security researchers and others can report security-related concerns and issues.
M2M / IoT stakeholders have also been recommended to act upon disclosed vulnerabilities in a timely manner to avoid the risk of any significant harm.

In order to facilitate responsible and coordinated disclosure and remedy for vulnerabilities, it has been suggested that the cyber security community must be encouraged and rewarded for identifying and reporting vulnerabilities in the security systems of these devices.

  • No Universal Default Passwords
Many consumer M2M / IoT devices are sold with default pre-set passwords. This has been noted as one of the major reasons for security concerns.

  • Thus, it is advised that all consumer M2M / IoT devices must have unique passwords per device.
  • Users may also be required to choose a password based on the prevailing best practices while obtaining such devices.
  • The passwords must not be resettable to any universal default value.
  • It has also been recommended that for associated web services, multi-factor authentication must be enabled, and any unnecessary user information must not be disclosed prior to authentication.

Best practices on passwords and other authentication methods shall be followed, such as the use of the strongest possible password appropriate to the usage context of the device.

Code of Practice for Securing Consumer Internet of Things (IoT)


TEC, under Department of Telecommunications, Ministry of Communications, has released a report ‘Code of Practice for Securing Consumer Internet of Things (IoT)’ as a baseline requirement aligned with global standards and best practices.

These guidelines will help in securing consumer IoT devices & ecosystem as well as managing vulnerabilities.

What is the Need for these Guidelines?


The global Internet of Things (IoT) security market size is expected to grow from USD 8.2 billion in 2018 to USD 35.2 billion by 2023, at a CAGR of 33.7 percent during the forecast period.

The guidelines seek to protect against the following:

  • Discontinuity and interruption to critical services/infrastructure.
  • Infringement of privacy.
  • Loss of life, money, time, property, health, relationships, etc.
  • Disruptions of national scale including civil unrest.
  • Risk of Attack: IoT devices, services & software, and the communication channels that connect them are at risk of attack by a variety of malicious parties, from novice hackers to professional criminals and even state actors.

Guidelines for Securing Consumer IoT


  • Implement a means to manage reports of vulnerabilities: IoT developers should provide a dedicated public point of contact as part of a vulnerability disclosure policy for security researchers and others to report security issues.
  • No Universal Default Passwords: All IoT device default passwords shall be unique per device and/or require the user to choose a password that follows best practices, during device provisioning.
  • Securely store sensitive security parameters: IoT devices may need to store security parameters such as keys & credentials, certificates, device identity etc. which are critical for the secure operation of the device.
  • Ensure that personal data is secure: In case the device collects or transmits personal data, such data should be securely stored.
  • Make systems resilient to outages: Resilience should be built into IoT devices and services where required by their usage or by other relying systems.
  • Communicate securely: Security-sensitive data, including any remote management and control, should be encrypted in transit, appropriate to the properties of the technology and usage of the device.
  • Minimize exposed attack surfaces: Devices and services should operate on the ‘principle of least privilege’.
  • Keep software updated: Software components in IoT devices should be securely updateable.

Conclusion


Considering the various notifications and DoT guidelines that have been issued for M2M/IoT stakeholders over the years, it is imperative to familiarize yourself with them to avoid any risk or legal complication in the future.
