December 2020 - In this interview, Rana Kamill of BT discusses the topic of IoT security and oneM2M’s collaboration with ITU experts to formalize oneM2M technical specifications at the international level.
Q: Let us begin by talking about your background and roles in BT.
RK: I work as a Security Consultant in BT’s Security Consultancy team. We provide consultancy across all of BT’s Customer Facing Units (CFUs). The Security Consultancy team sits in the Technology unit, which is at the forefront of where new technologies are being developed.
Our role is to provide design assurance and ensure privacy by design. We also identify, document, and help mitigate risks, making sure that security is an integral part of everything we do. We get involved in over a thousand projects per year which gives you some idea of the amount of innovation in our industry. I also lead a few internal standards initiatives and represent BT in oneM2M.
Before joining BT, I worked in academia and research for several years. Prior to that, I had studied Electronics and Telecommunications Engineering and then did postgraduate studies in Mobile and Wireless Networks.
Q: What is your role in oneM2M?
RK: I got involved with oneM2M two years ago, working with my colleague Colin Blanchard, who has now retired after pioneering a lot of the fundamental work on IoT security in 3GPP and oneM2M. Now, I represent BT in oneM2M and get involved in activities to share information about oneM2M.
Having a passion for research, I became fascinated with the amount of knowledge that is shared in oneM2M’s Technical Plenary meetings and the cutting-edge research shared by subject matter experts from both academia and industry. The research we share is not only about creating standards but also about sharing knowledge, enriching areas of expertise and applying new research and concepts, using this knowledge to face new challenges and achieve better security.
Technology is constantly evolving, and change is a constant. I believe that the work we share through oneM2M helps us drive this change to be ready for new challenges. It helps drive security to how it should be. A good example of knowledge sharing is work oneM2M has been doing with the International Telecommunication Union (ITU). We represented oneM2M in joint meetings with the ITU. Our work was well received and established a closer rapport between the two organisations.
Q: Why is it important to collaborate with organisations like the ITU?
RK: ITU standards are referenced by many countries, government states and corporations. This is very important for establishing common standards that benefit the widest community of users across the world, as happened with mobile communications. Collaboration gives us the basis for mutual understanding and helps us develop consistent, transparent, quality standards. By working with subject matter experts across both organizations and pooling our knowledge, we have a much better chance of developing great standards and achieving deployment on a wider scale.
Q: What oneM2M/ITU contributions have you worked on so far?
RK: It is important to understand how the ITU operates. The ITU is a specialized agency of the United Nations responsible for all matters related to information and communication technologies. Standardization takes place under the so-called ITU-T section, through designated Study Groups (SGs) and through ITU-Y Recommendations (standards). In 2015, for example, the ITU published Recommendation ITU-T Y.4412/F.748.5 on requirements and a reference architecture of the M2M service layer, building on basic middleware concepts standardised within oneM2M.
At present, the relevant group for IoT standardization is ITU-T Study Group 20 (ITU-T SG-20). Over the past year, we have been working on a set of 28 responses to the resolution comments on the ITU-T’s transposition of oneM2M’s technical specification for security solutions (TS-0003) into an ITU-Y series Recommendation. The document covered subjects such as authentication, authorization, identity management and protection and handling of sensitive data. It aims to define security solutions for oneM2M related systems and provide specifications for M2M Security and Privacy protection.
The collaboration aims to get TS-0003 Release 2 and Release 3 transposed by the ITU-T SG-20, taking account of feedback from ITU representatives. I am currently finalizing change requests based on previous meetings. These will feed into a security section in oneM2M-TR-0057, on the topic of ‘Getting Started with oneM2M’. There will also be a new technical report specifically for security, with an additional section on Privacy Policy Manager (PPM).
We also aim to create a dedicated oneM2M Security Document addressed to a non-technical audience. Sometimes high-level designs are not the ideal way to introduce security, especially to a non-technical audience. We want to explain as many security principles as we can in a clear way that’s easy to understand and incorporate into various projects.
Q: Coordinating across the world and different time zones must be difficult. What has been your experience of virtual meetings and Technical Plenaries (TPs) because of COVID-19?
RK: The last three TPs had to be held online because of the pandemic, and sessions were spread over four weeks. Even though we did not travel or meet in person, we still managed to have great sessions. The fact that sessions were spread over four weeks allowed us to join more sessions. A lot of research was put into the sessions and a lot of great work was presented. The great thing about the sessions is that there is always a compelling conversation that you can have and something new that you can learn. The social aspect was also present; there was even a drinks event at the end of the TPs where those who joined had a drink together with their cameras on. The spirit was great.
Q: Drawing on your consultancy and oneM2M standardization experience, what advice would you give to corporates on the issue of security?
RK: It is very important to make sure that security is incorporated into the fabric of your projects and products as early as possible. Sometimes, competition or other industry factors put pressure on projects to launch as quickly as possible. Some stakeholders may view intensive security measures as a potential business blocker, so urge them to take time to make sure that all security checks and mandatory security processes are completed.
Security is not a tick-box exercise. It is important to spend the right amount of time and allocate a budget for security in order to discover potential risks and vulnerabilities in a design or an implementation before external sources do. It is much easier to deal with security problems early on, rather than let problems happen and deal with the issue retrospectively. It also avoids the difficulty of dealing with the consequences of security breaches, which may negatively affect a business and its brand. It is best to have security baked in and kept in consideration from the very beginning. Security is no longer a luxury; it is a necessity.
About oneM2M
oneM2M is the global standards initiative that covers requirements, architecture, API specifications, security solutions and interoperability for Machine-to-Machine and IoT technologies. oneM2M was formed in 2012 and consists of eight of the world's preeminent standards development organizations: ARIB (Japan), ATIS (U.S.), CCSA (China), ETSI (Europe), TIA (U.S.), TSDSI (India), TTA (Korea), and TTC (Japan), together with industry fora and consortia (GlobalPlatform) and over 200 member organizations. oneM2M specifications provide a framework to support applications and services such as the smart grid, connected car, home automation, public safety, and health. oneM2M actively encourages industry associations and forums with specific application requirements to participate in oneM2M, in order to ensure that the solutions developed support their specific needs. For more information, including how to join and participate in oneM2M, see: www.onem2m.org.