“As continued deployments of machine to machine (M2M) applications across diverse geographical and vertical markets worldwide give rise to an increasingly fragmented ecosystem, industry players must put security, remote programmability and interoperability at the heart of their plans for development, or risk inhibiting the sector’s prospects for growth,” says Bruno Basquin, Chair of the M2M and eUICC Working Group at SIMalliance.
The potential for cellular connectivity in M2M is vast. Technavio analysts forecast the global M2M market will grow by approximately 26 percent over the period 2012-2016, and GSMA estimates that connected devices will reach the 25 billion mark in 2020. In 2012, SIMalliance members shipped 5 million M2M (MFF2 form factor) SIMs; a number which represents 42% growth on the previous year. Further growth in shipments is expected in the coming years thanks to the combination of two factors: firstly, there is an increasing range of applications across many different verticals, led currently by connected cars and smart metering, and secondly, there is no saturation limit for the M2M market, since it is not restricted by population statistics. While this is clearly positive news for the industry, the reality is that a complex ecosystem which is capable of supporting secure subscription management must be in place before the market can achieve its full potential.
A key challenge is related to the M2M operational model; the process of operating fleets of machines running diverse applications is very different from operating communities of ‘human’ subscribers. Many M2M applications use millions of unattended terminals in various remote, difficult and inaccessible locations. In this scenario, service providers cannot cost-effectively provision the terminals with a new UICC (or SIM card), when updates or replacements are required; in light of this, extended remote provisioning and management capabilities are essential. For this reason, SIMalliance supports the concepts of the embedded UICC (eUICC) and remote subscription management infrastructure as enablers of M2M market growth.
The first benefit of the eUICC is operational: subscription operations can be undertaken remotely. Since the eUICC has a dual role, both carrying a subscription and acting as an application platform, it offers service providers, MNOs and their partners secure remote management capability for their value added services located in the eUICC. As the lifecycle of an application is usually far shorter than that of its host terminal – many of which can last for up to 20 years in the M2M sector – service management capabilities, enabled by remote management, are essential to support the many iterations of applications that may evolve over the terminal’s lifecycle.
The second benefit of the eUICC is that it enables the realisation of complex international business models. In order for an M2M deployment to reach across international borders, an innovative, open and flexible subscription distribution model is required to enable service providers to enter relationships with various MNOs across markets. In this context, the remote subscription management services enabled by the eUICC offer a strong value proposition.
A further advantage of remote subscription management services, beyond provisioning and reprovisioning connectivity of individual terminals, is the flexibility offered to service providers when managing the connectivity of fleets of terminals. Service providers are able to negotiate the best possible terms for commercial relationships with MNOs, and switch suppliers over time to align with business requirements.
The third benefit of the eUICC, which can be realised thanks to its remote subscription management capabilities, is related to industrial product lifecycles. Equipment may sit in warehouses for long periods of time before being shipped to its final location, which is not usually known at the time of manufacture. As such, the need for remote provisioning is heightened by the growing requirement for the late configuration of M2M terminals (when the UICC/eUICC is personalised after it is shipped). This enables devices and terminals to be cost-effectively mass produced even though they may be destined for deployment in different countries. Considering the volumes at stake, this is a very attractive proposition.
The Importance of Security
Aside from presenting a solution to the various operational challenges, the eUICC also plays a significant role in ensuring that optimal security levels are created and maintained in M2M deployments. M2M services may become a prime target for advanced security threats in the future, because of three key factors:
- A large majority of M2M terminals will be unattended during most of their operational lifetime.
- A number of high value M2M applications may be attractive to hackers because they offer lucrative returns or because they provide a means to achieve an unlawful agenda.
- There are likely to be a higher number of connected devices than phones or consumer devices in the future, since the potential scale of the global M2M market is much larger.
Security must therefore be at the heart of the design and implementation process at both the system level and when considering the individual components of the deployment. With security threats constantly evolving, however, it is equally important that the security levels of system components can be upgraded regularly and with ease. All security measures have a limited lifespan, which means that security upgrades must be performed at regular intervals, particularly on terminals and equipment with long lifecycles.
Thanks to the track record established by UICC technologies in the field of security, the eUICC and its associated infrastructure are uniquely positioned to fulfill these advanced security requirements. The result is that M2M subscription data, processes and connectivity can benefit from equal or greater protection than that found in consumer applications.
Like the UICC, the eUICC is an open secure application platform that is able to execute code, process data flows, store data and manage credentials. Service providers can implement their application in a distributed way, among the eUICC, terminal and back end system, for example by locating strong authentication and data protection components in the eUICC. By doing so, they ensure the highest possible levels of security for their application and take full advantage of the secure management channel associated with the eUICC to manage the security of their service over time.
The M2M ecosystem is, by nature, more complex than traditional wireless consumer communication ecosystems. This is due to the increased number of actors involved and the evolution of ownership models. In contrast to the traditional UICC/phone model, the eUICC can potentially be owned by a non-MNO party (e.g. the device owner), who will typically enter into a commercial relationship with one or more MNOs to receive communication services, through the intermediation of subscription management services. In order that all parties can interact seamlessly and with confidence, a high level of interoperability must be ensured. SIMalliance is supporting wider industry efforts to standardise the eUICC with M2M specific initiatives, including collaboration and education on new use cases.
Through its dedicated M2M and eUICC Working Group, SIMalliance actively promotes the creation, deployment and management of innovative secure M2M services based on the use of the eUICC and more generally on secure elements. It is expected that this will boost deployment and usage of the eUICC by all market players, while providing a solution to the key current concerns inhibiting growth in the M2M sector.
Bruno Basquin is Chair of the SIMalliance M2M and eUICC Working Group
About SIMalliance (Security, Identity, Mobility)
SIMalliance is the global, non-profit industry association which simplifies secure element (SE) implementation to drive the creation, deployment and management of secure mobile services. The organisation promotes the essential role of the secure element (SE) in delivering secure mobile applications and services across all devices that can access wireless networks. For more information, visit www.simalliance.org.