IoT

The Software Updates for Internet of Things (SUIT) Working Group is tackling one of the most pressing challenges in IoT security: reliable, secure, and interoperable firmware updates for constrained devices.

Today IoT deployments often depend on proprietary update mechanisms that are fragmented and difficult to audit. As vulnerabilities continue to emerge, security experts, researchers, and regulators agree: every IoT device should have a robust and standardized way to update firmware securely.

The SUIT WG is designing a comprehensive solution, focusing on devices with very limited resources, those with as little as ~10 KiB of RAM and ~100 KiB of flash storage, while also supporting more capable systems.

Key components of the SUIT approach include:

• A manifest, providing metadata about firmware packages, their dependencies, and cryptographic protections.
• Use of CBOR (Concise Binary Object Representation) for compact encoding, along with COSE cryptographic mechanisms to secure manifests.
• Extensions to support encryption, trust domains, update management, and integration with other IoT frameworks like MUD (Manufacturer Usage Description).
• Mechanisms for devices to report update status securely, enabling visibility and compliance across IoT fleets.

The group collaborates closely with the Remote ATtestation Procedures (RATS) WG to define claims that can attest to firmware update status, strengthening supply chain transparency and trust.

The SUIT WG is also committed to working with silicon vendors, OEMs, and the broader IoT ecosystem to drive real-world implementations, including participation in IETF Hackathons to validate and improve specifications.

Link to the WG: https://datatracker.ietf.org/group/suit/about/
Link to the WG Documents: https://datatracker.ietf.org/group/suit/documents/

The IoTops (IoT Operations) WG at the IETF has a document called Terminology for Constrained-Node Networks, whose abstract is as follows:

"The Internet Protocol Suite is increasingly used on small devices with severe constraints on power, memory, and processing resources, creating constrained-node networks. This document provides a number of basic terms that have been useful in the standardization work for constrained-node networks." A new version of this document is dated 7 July 2025.

Link to the document: https://datatracker.ietf.org/doc/draft-ietf-iotops-7228bis/

IoTops WG: https://datatracker.ietf.org/wg/iotops/documents/

The IRTF draft titled "Guidance on RESTful Design for Internet of Things Systems"(https://datatracker.ietf.org/doc/draft-irtf-t2trg-rest-iot/) provides recommendations for applying REST (Representational State Transfer) principles to the design of IoT systems. REST is a well-known architectural style for building scalable and interoperable web services. This draft explores how those same principles can be adapted to the unique constraints and characteristics of the Internet of Things, where devices often have limited resources and operate in constrained networks.

One of the central ideas is that RESTful approaches can help create machine-understandable interfaces that reduce the need for human intervention and make integration between systems easier. To support this, the draft emphasizes the use of lightweight protocols like CoAP (Constrained Application Protocol) and compact data formats suited for constrained environments. It also recommends designing interactions that are resource-based and stateless whenever possible.

The document acknowledges that IoT devices may act both as clients and servers and provides guidance for managing these roles within a RESTful framework. Additionally, because IoT deployments are long-lived and widely distributed, the draft encourages designs that support extensibility and gradual evolution over time, without requiring simultaneous updates to all nodes.

By promoting RESTful design principles tailored for IoT, the draft aims to improve interoperability among devices and systems from different vendors. This reduces integration complexity and fosters a more robust and adaptable IoT ecosystem.

We introduced LoRa mesh networks at in the GAIA WG meeting at IETF 122. Different to LoRaWAN, LoRa mesh networks are not standardized. The current proprietary solutions and open source solutions are not interoperable. The lack of standardization is a difficulty for a quicker adoption of LoRa mesh network technology.

The Internet-Draft titled "Comparison of CoAP Security Protocols" analyzes and compares the message sizes of key exchange processes and per-packet overheads associated with various security protocols used to secure the Constrained Application Protocol (CoAP). Minimizing message sizes is crucial in constrained radio networks, such as Low-Power Wide Area Networks (LPWANs), to reduce energy consumption, latency, and completion times.

The security protocols evaluated in this document include:

• Datagram Transport Layer Security (DTLS) 1.2 and 1.3
• Transport Layer Security (TLS) 1.2 and 1.3
• Compact TLS (cTLS)
• Ephemeral Diffie-Hellman Over COSE (EDHOC)
• Object Security for Constrained RESTful Environments (OSCORE)
• Group OSCORE

The analysis considers the DTLS and TLS record layers with and without 6LoWPAN-GHC compression and examines DTLS both with and without Connection ID.

Find in here https://datatracker.ietf.org/meeting/118/proceedings/ the proceedings of IETF 118, where you can check IoT Working Group work such as ROLL, 6Lo, IoTOps, etc. Minutes, Slides and Video Recording are available.

The IRTF Thing-to-Thing Research Group is working on a document that describes the IoT Edge Challenges and Functions. 

Link: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-edge/

From Charter: "The Supply Chain Integrity, Transparency, and Trust (SCITT) WG will define a set of interoperable building blocks that will allow implementers to build integrity and accountability into software supply chain systems to help assure trustworthy operation. For example, a public computer interface system could report its software composition that can then be compared against known software compositions or certifications for such a device thereby giving confidence that the system is running the software expected and has not been modified, either by attack or accident, in the supply chain." 

Source: https://datatracker.ietf.org/wg/scitt/about/

To Subscribe: 

https://www.ietf.org/mailman/listinfo/scitt

Routing Over Low power and Lossy networks (roll) Working Group has met at IETF 115, please find below the link to the video recording

https://www.youtube.com/watch?v=KwV1ajTdpQM

The IETF has published this month a new version of draft about Reliable and Available Wireless Architecture

Abstract: "Reliable and Available Wireless (RAW) provides for high reliability and availability for IP connectivity across any combination of wired and wireless network segments. The RAW Architecture extends the DetNet Architecture and other standard IETF concepts and mechanisms to adapt to the specific challenges of the wireless medium, in particular intermittently lossy connectivity. This document defines a network control loop that optimizes the use of constrained spectrum and energy while maintaining the expected connectivity properties, typically reliability and latency. The loop involves OAM, PCE, and PREOF extensions, and a new Controller plane Function called the Path Selection Engine, that dynamically selects the DetNet path for the next packets to route around local failures."

Source: https://datatracker.ietf.org/doc/draft-ietf-raw-architecture/

we propose to raise awareness on the one hand of IoT standardization players on the energy impact in defining standards and on the other hand to developers of IoT stacks and applications. For this, we propose an approach consisting firstly of starting from the existing to highlight the energy impact in the choices of the use of a standard and its implementations and then secondly to identify a set of recommendations.

The IETF 114 is presenting several topics in IoT, such as:

• RATS (Remote ATtestation ProcedureS), video recording: https://www.youtube.com/watch?v=Fgy20yeT4Eo
• 6lo (IPv6 over Networks of Resource-constrained Nodes), video recording: https://www.youtube.com/watch?v=bTULdS6iI0E
• ANIMA (Autonomic Networking Integrated Model and Approach), video recording: https://www.youtube.com/watch?v=UIsxhY73QrA
• DTN (Delay/Disruption Tolerant Networking), video recording: https://www.youtube.com/watch?v=VF2vB5QTx9c
• ROLL (Routing Over Low power and Lossy networks), video recording: https://www.youtube.com/watch?v=ChhlXBPgbr4
• COSE (CBOR Object Signing and Encryption), video recording: https://www.youtube.com/watch?v=d0zOUQ26qt0
• CORE (Constrained RESTful Environments), video recording: https://www.youtube.com/watch?v=rr1LXhbrs7Y
• RAW (Reliable and Available Wireless), video recording: https://www.youtube.com/watch?v=gG7fVTd95yM
• LPWAN (IPv6 over Low Power Wide-Area Networks), video recording: https://www.youtube.com/watch?v=UTwGyKOTdlk
• LAKE (Lightweight Authenticated Key Exchange), video recording: https://www.youtube.com/watch?v=Oq7O5-ODfqc
• TEEP (Trusted Execution Environment Provisioning), video recording to be published in here: https://www.youtube.com/playlist?list=PLC86T-6ZTP5iqRy5pg4hScW5zp2-j7TVI
• DETNET (Deterministic Networking), video recording to be published in here: https://www.youtube.com/playlist?list=PLC86T-6ZTP5iqRy5pg4hScW5zp2-j7TVI
• SUIT (Software Updates for Internet of Things), video recording to be published in here: https://www.youtube.com/playlist?list=PLC86T-6ZTP5iqRy5pg4hScW5zp2-j7TVI
• CBOR (Concise Binary Object Representation Maintenance and Extensions), video recording to be published in here: https://www.youtube.com/playlist?list=PLC86T-6ZTP5iqRy5pg4hScW5zp2-j7TVI
• MANET (Mobile Ad-hoc Networks), video recording to be published in here: https://www.youtube.com/playlist?list=PLC86T-6ZTP5iqRy5pg4hScW5zp2-j7TVI
• IOTOPS (IOT Operations), video recording to be published in here: https://www.youtube.com/playlist?list=PLC86T-6ZTP5iqRy5pg4hScW5zp2-j7TVI

More Information: https://datatracker.ietf.org/meeting/114/agenda/

I propose to start discussing cybersecurity standardisation deliverables from the perspective of Common Criteria for Information Technology Security Evaluation (CC v3.1), in particular with respect to the EUCC - the ENISA cybersecurity certification scheme proposed for ICT products, and therefore including IoT, which is currently in preparation.

Problem definition

Given the complexity of the consumer IoT cybersecurity issue, it seems reasonable to expect different approaches that may lead to different solutions. Also considering that no overarching institution / organisation / body has authority when dealing with global IoT ecosystems, a fragmented approach is natural and probably unavoidable under the circumstances.

However, the fragmentation of the cybersecurity processes leads to inefficient use of resources and, very likely, to insufficient coverage of threatened or at risk products.

Proposed examination for a solution

It is therefore useful to analyse and align standardisation deliverables related to cybersecurity, with the aim of reducing fragmentation of the approach to cybersecurity evaluation and certification.

Background information

The EUCC is based on the Common Criteria which is an Information Technology Security evaluation method. The latest revision of the Common Criteria was published in 2017 with supporting contributions from a number of governmental organisations, representing among others EU member states like France, Germany, Netherlands, Spain, and Sweden. According to the Common Criteria Foreword version 3.1 (CC v3.1), it aims to:

• eliminate redundant evaluation activities; reduce/eliminate activities that contribute little to the final assurance of a product;
• clarify CC terminology to reduce misunderstanding;
• restructure and refocus the evaluation activities to those areas where security assurance is gained; and add new CC requirements if needed.

In the EU, ENISA is responsible for the EUCC scheme (Common Criteria based European candidate cybersecurity certification scheme) which looks into the certification of ICT products cybersecurity, based on the Common Criteria, the Common Methodology for Information Technology Security Evaluation, and corresponding standards, respectively, ISO/IEC 15408 and ISO/IEC 18045.

In the document “Council of the European Union conclusions on the cybersecurity of connected devices from 2 December 2020”, it is emphasised that any certification scheme for connected devices and related services should specify how the applicable security requirements at the relevant assurance level should be met on the basis of specific European and internationally recognised standards.

Further explanation of the Common Criteria is given on their website, as follows.

The Common Criteria for Information Technology Security Evaluation (CC), and the companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA), which ensures that:

- Products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance;

- Supporting documents, are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;

- The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation;

- These certificates are recognized by all the signatories of the CCRA.

The CC is the driving force for the widest available mutual recognition of secure IT products.

The Internet Engineering Task Force (IETF) is an international Standards Developing Organization that work in the development and standardization of Internet protocols. The IETF is open to any interested individual. The next IETF meeting is called IETF 113. The IETF 113 starts Saturday 19 March and runs through Friday afternoon, 25 March.

More Information, registration, agenda: https://www.ietf.org/how/meetings/113

Routing Over Low power and Lossy networks (roll) working group at the IETF, is the working group in charge of developing routing standards for constrained environments, oriented to use cases such as smart home, smart cities and industry 4.0. The Working Group focus on routing issues in IPv6 for Low power and Lossy networks, maintaining and improving the protocols already developed, including RPL and MPL. The Participation is open to any individual.
Charter: https://datatracker.ietf.org/wg/roll/about/
To Subscribe: http://www.ietf.org/mailman/listinfo/roll

The Internet Engineering Task Force (IETF) is an international Standards Developing Organization that work in the development and standardization of Internet protocols. The IETF is open to any interested individual. The next IETF meeting is called IETF 112. The IETF 112 will start on Monday, 8 November 2021 and run through Friday afternoon, 12 November 2021. Sessions will from 12:00-18:00 UTC each day.

More Information, registration, agenda: https://www.ietf.org/how/meetings/112/

IETF 112 Newcomers: https://www.ietf.org/how/meetings/112/newcomers/

IoT in the IETF: https://www.ietf.org/topics/iot/

Get to know more about how the M-Sec solution is being implemented in Fujisawa, Japan, by watching this video on our Use Case 4: https://youtu.be/XioYWKcLfhM

Are you a company, university student, researcher, data scientist, entrepreneur or a concerned citizen?

Do you have an innovative earlystage business idea that addresses a smartcity challenge? ?‍? Are you interested in security and privacy issues of iot devices and apps? ??

Then don't miss this chance and apply by 26 August 5pm CET to M-Sec Project Online Contest, that will run between 6-10 September ? 
https://lnkd.in/ecfRk7b

Main perks:
??‍? 1-1 Technical and business support to develop your business idea
✍? Business workshop
? Present the business idea to an international panel of experts

Top 3 winners of each challenge will also have the chance to meet city council representatives of Santander and Fujisawa #smartcities

Guidelines and more info ?‍♀️
https://lnkd.in/eXS85QN

#msecsmarthack

At the end of 2020, the M-Sec Project launched a survey to the European and Japanese IoT community, to better understand their experience when using IoT devices and applications and on their knowledge of EU & Japan’s data protection regulations. 6 months after, and with more than 450 answers, here are the first insights from our community: https://www.msecproject.eu/m-sec-eu-japanese-consultation-preliminary-results/  

Get to know more about how the M-Sec solution is being implemented in Santander, Spain, by watching this video on our Use Case 1: https://youtu.be/9o5QofdWhBs

Dear community, the M-Sec Project is currently implementing 5 pilots to test, validate and showcase the impact of its cybersecurity solution. Learn more about M-Sec’s Use Case 3 to better understand how this Use Case is being implemented in the Japanese city of Fujisawa.

Get to know more about how the M-Sec solution is being implemented in Santander, Spain, by watching this video on our Use Case 2: https://youtu.be/GstjqDWPrUg

Dear community, the M-Sec Project is currently implementing 5 pilots to test, validate and showcase the impact of its cybersecurity solution. Learn more about M-Sec’s Use Case 4 to better understand how this Use Case is being implemented in the Japanese city of Fujisawa.

Dear community, the M-Sec Project is currently implementing 5 pilots to test, validate and showcase the impact of its cybersecurity solution. Learn more about M-Sec’s Use Case 2 to better understand how this Use Case is being implemented in the Spanish city of Santander.

Dear community, the M-Sec Project is currently implementing 5 pilots to test, validate and showcase the impact of its cybersecurity solution. Learn more about M-Sec’s Use Case 1 to better understand how this Use Case is being implemented in the Spanish city of Santander.

Read the blogpost Here

The main focus of M-Sec’s Cookbook is to introduce the M-Sec IoT security framework that has been developed by the European and Japanese consortium researchers for the past two years. Therefore, it presents techniques, methods, and design and operating principles of the M-Sec solution that those researchers believe will help other IoT developers to minimize the risk of suffering critical vulnerabilities in a wide range of IoT devices. In other words, the M-Sec Cookbook is a practical guide for all IoT developers to develop reliable and secure applications for the smart city context.

The Cookbook provides an introduction to the M-Sec components from five different aspects – IoT security, cloud and data level security, P2P level security and blockchain, application-level security, and overall end-to-end security – with their definition and ulterior implementation, thus serving as a practical guide for any IoT developer who wishes to implement the M-Sec solution in order to address security concerns and risks identified in a smart city context.

Want to know more about how to implement the M-Sec solution?
Download the Cookbook: https://www.msecproject.eu/wp-content/uploads/2020/12/M-Sec_Cookbook_final-version.pdf

M-Sec is an EU-Japan collaborative Project with the main goal of developing an innovative solution that ensures a more secure data transfer between stakeholders when using IoT devices and applications in hyper-connected smart cities.

In the scope of this research, the project is now conducting an online survey to all EU and Japanese citizens and stakeholders, to collect feedback on individuals use of IoT devices and applications, and their understanding of data protection regulation.

Your opinion is, thus, very much appreciated and will contribute to a better understanding of the IoT ecosystem in which M-Sec is expected to operate.

Filling in this survey will not take you more than 1 minute.
Access the survey: https://forms.gle/GhhDqGTUPPyfX7Fh6

Thank you so much for your collaboration,
The M-Sec Team

The M-Sec Project, an EU and Japanese collaboration, released a White Paper that acts as a guide to inform readers about the main IoT security issues faced nowadays and proposes concrete solutions to these problems.

Tell us your opinion! Read the Report:
https://www.msecproject.eu/wp-content/uploads/2020/10/M-Sec_WhitePaper_v5_CLEAN.pdf

I am delighted that Sebastian Hallensleben has taken up the role of Chair of Technical Working Group (TWG) on Trusted Information. In a time when fake news can interfere in the political election process, undermine vaccination programs and cause riots in the streets ( or indeed in government buildings), access to trusted information will become a much sought after commodity. What tools, technologies, processes and services can be applied to the "digital information lifecycle" that can help restore "Trust in Information"? We need a standard vocabulary of trust, an ethos of maintaining trust, methodologies that allow trusted services to connect together so that when citizens consume information, that is valid, accurate (if factual), contemporaneous, and informed/qualified (if opinion). There will be business revenue opportunities in dealing with creating, aggregating, checking and presenting  "Trusted Information". Trust me...  #ThisIsReal

The National Standards Authority of Ireland are launching an ISO/IEC JTC1 SC41 Internet of Things and Digital Twin mirror committee with significant interest being displayed from Academia, Research Centres, Government Agencies and Industry. More information to follow when the committee has been established.

The present draft document, elaborated by the ETSI TC CYBER, specifies a conformance assessment methodology for consumer IoT devices, their relation to associated services and corresponding relevant processes against ETSI TS 103 645 [1] / ETSI EN 303 645,  Draft ETSI addressing the mandatory and recommended provisions as well as conditions and complements ETSI TS 103 645 / ETSI EN 303 645 by defining test cases and assessment criteria for each provision.

https://www.standict.eu/standards-repository/cyber-security-consumer-internet-things-conformance-assessment-baseline