
How eSIM standards are evolving for secure IoT


Sitting behind cellular communications infrastructure is a vast library of complex engineering standards and specifications, some common across technologies and some industry-specific. Stakeholder organisations invest extensive effort and engineering resources on an ongoing basis to maintain and progress these. Products and services can thus be improved, creating opportunities to explore new use cases that will enable additional revenue streams. Just looking through the first few pages of one of these publications shows how dependent one specification is on a raft of others, says Said Gharout, head of standards, Kigen.

Some of these documents outline specific protocols in detail. Conversely, others define a technology landscape leveraging multiple technologies to deliver a cohesive architecture or ecosystem. One such example is the GSMA’s standard for Remote SIM Provisioning (RSP) of eSIM & iSIM, which allows cellular carriers’ SIM content to be securely delivered to target SIM ‘containers’ digitally.

Regardless of their scope, the overarching purpose of standards and specifications is to facilitate development, ensure separately delivered components work seamlessly together, and promote widespread interoperability. Additionally, with full industry backing, they reduce market-stifling fragmentation, thereby accelerating adoption.

Progression from SIM to eSIM and iSIM

Since cellular communications’ inception, SIMs have been required so that remote devices can achieve authentication when connecting to a network. Protecting the security credentials stored has been fundamental, yet these must be easily issued to subscribers for placing into their devices. SIM definitions emerged back in the early 1990s, comprising a credit card-sized format, minimal memory capacity (8kB), and a 5V supply voltage. Over the following decades, as cellular technology advanced, SIMs evolved accordingly. They have been compressed to a nano form factor and seen their voltage drop to 1.8V. Increased chip performance and memory capabilities have resulted in greater functionality and stronger security.

With cellular connections now extending beyond consumer handhelds and into IoT devices, etc., the demands being placed on SIMs are changing. Further reductions in size, plus greater electrical and memory endurance, are being mandated.

In response to this, ETSI specified a new class of SIM Form Factor in its TS 102 671 standard (first published in 2010). This set out more robust physical and logical characteristics, including the layout for the permanently fixed (soldered onto the chip) machine-to-machine (M2M) form factors. Moving beyond that, SIM chip suppliers now offer M2M capabilities in a newer form factor, the wafer-level chip scale package (WLCSP), which is even easier to embed and further reduces footprint.

Concurrent advances permitted delivery of discrete, SIM-grade protection within multipurpose cellular chips. A logical secure enclave (tamper-resistant element), hosted on a system-on-chip (SoC), allowed all SIM functions to be carried out—with benefits for footprint, power consumption, and robustness being derived while still maintaining the necessary physical and logical security. The integrated SIM (iSIM) concept was born. However, further work was required to push for wider acceptance through standardisation, as interoperability and partnerships are key to delivering the simplified logistics that accelerate the adoption of Cellular IoT.

GSMA eSIM specifications

While a SIM could, if needed, be permanently fixed in a device, the ability for the owner to choose or switch networks (that swappable SIMs permitted) was lost. This threatened market choice, curtailing competition, and pushed the industry to think about interoperable solutions where customers could dynamically change network operators. In response, the GSMA formulated a solution focused on the M2M market, where the embedded form factor was expected to be most prevalent. Today, as the term eSIM enters wide usage, with OEMs such as Apple now centralising on eSIM-only devices, it is used as a top-level generic descriptor for devices and eUICCs that can support RSP operations.

Specification processes commence with requirements and constraints being drawn up to meet perceived business needs, with the technical solution then outlining how these will be addressed. Sets of documents defining test cases and procedures for accreditation and certification of the various constituent parts are then compiled. In addition, amendments are made to existing publications (where dependencies are recognised) to reflect new/updated approaches.

The GSMA’s RSP specifications for M2M (SGP.01 and SGP.02) were released in 2013. Here the use case was machine-to-machine devices that typically have a limited user interface, are located in hard-to-reach and challenging environments, and are deployed at scale, usually under B2B agreements. At that time, the term “IoT” was not yet used. Due to subscriber/user absence at the device, possible geographical distribution, and expected device numbers, RSP presents a fully remote management solution where devices have out-of-the-box connectivity and profiles, with management events pushed from the server side.

To support the new specification and the introduction of a remote server architecture handling sensitive carrier security credentials, the eSIM group worked in concert with the SAS group. The joint work comprehensively documented the scope, standards (FS.04), and methodology (FS.05), defining the expectations on the operation and security auditing of SIM manufacturing sites handling similar carrier credentials and carrying out UICC (SIM card) production. They extended the existing specifications to include eUICC production, resulting in the creation of the new documents SAS-SM standard (FS.08) and methodology (FS.09) to define the new Security Accreditation Scheme for Subscription Management (SAS-SM) for RSP servers: the SM-SR and the SM-DP.

Early 2016 saw the GSMA publish its specifications addressing the consumer market, initially aimed at issuing SIM profiles into companion devices, such as watches. It was subsequently iterated so that smartphones and tablets could also be addressed. Operating on a pull approach, the subscriber utilises a primary device’s user interface (UI) and connectivity (cellular or Wi-Fi) to initiate and complete the download following a subscribing journey with the carrier. The consumer specification has since been enhanced to incorporate further features, such as support for seamless carrier app sales and download journeys and influence from enterprise device management systems.

Emergence of IoT

The cellular IoT market is forecast to see major growth in the years ahead, offering cost and efficiency benefits to businesses and individuals alike. Resultant device/subscriber volumes will commercially benefit device manufacturers and connectivity providers, despite requiring some upfront investment in new technology support.

IoT devices can be anything from a minute smart sensor or medical wearable to a livestock monitor. Typical IoT connectivity requirements include minimal power consumption, limited up-time, and low data volumes. NB-IoT and LTE-M protocols are optimised to achieve these, and the options are still expanding, with 5G reduced capability (REDCAP) entering the field soon.

Purpose-oriented standardised radio technologies guarantee ubiquitous support, offering consistent, reliable, and mature features. They simplify engineering efforts, promote adoption, and encourage market growth. One key cellular IoT expectation is support for off-grid devices, where battery use is necessary and operating lifespan must be extended as much as possible. Standardised power-efficient radio protocols contribute, but additional tools for minimising power consumption have also been defined (such as eDRX and PSM), so devices can remain dormant, only awakening/connecting when it is imperative.

RSP & cellular IoT

The IoT’s efficient cellular networks address aspects of new use cases; however, other requirements exist, such as effective management of highly distributed and remote devices. Though solving power efficiency issues, IoT radio makes remote management trickier due to increased latency, limited data utilisation, and devices being offline. Rather than having to define an entirely separate third eSIM architecture, IoT-specific specifications have been based on the existing consumer architecture.

The consumer architecture was chosen for its less restricted and more adaptable implementation offering better interoperability between the different components. Let’s recall that the consumer architecture was also an evolution of the M2M architecture. GSMA’s eSIM Working Group Seven (WG7) was tasked with progressing this using SGP.31 (architecture and requirements) and SGP.32 (technical specification) as the core documents. The first version of the IoT specification focuses on two categories of IoT Devices: UI Constrained Devices and Network Constrained Devices.

The IoT eSIM solution will deliver several key device SIM provisioning enablers, including a new core capability within the ecosystem, known as eSIM IoT Manager (eIM). eIM is a carrier and SM-DP+ independent remote management entity that an IoT device’s eUICC can be registered to and via which the device deployer/owner will trigger RSP activities. For scenarios where connectivity restrictions apply, the eIM will also provide a trusted pathway over which an eSIM profile can be delivered during download to the eSIM.

The intent is to support various procedures and protocols suited to latent connectivity, giving implementation options and the flexibility to accommodate the cellular technology of choice. The eIM is also responsible for Profile State Management (e.g. Enable, Disable, Delete). Many eIMs could be associated with the same eUICC, and of course a single eIM can manage many eUICCs. An eIM could be associated with an eUICC at any point in the lifetime of the eUICC. This was not possible in M2M, where the SM-SR must be associated with the eUICC during manufacturing.

The SGP.31 requirements document v1 has already been published, with work on SGP.32’s technical content currently underway. Additional work will be required to document new test cases, create a new protection profile, or amend the existing consumer eUICC protection profile in line with new protocol implementations, and to include IoT RSP into the compliance and accreditation regimes maintained by GSMA.


Access control security and communication integrity and confidentiality are essential to IoT communication. The GSMA has introduced a specification outlining how to deliver the device root of trust within the eSIM, which can be employed as a building block across a wide array of IoT use cases. Recognising the difficulty of securing data at the IoT device stack, IoT SAFE allows IoT data protection at the source, from device to cloud.

To further ease IoT SAFE’s deployment and expedite adoption, Kigen has conceived the Open IoT SAFE initiative. This unites the technologies and principles behind IoT SAFE with the Enrolment over Secure Transport protocol (RFC 7030) set out by the IETF, where the latter allows cloud and/or IoT service providers to deliver their own security credentials to remote IoT endpoints for use in ongoing data security.

The IoT RSP revolution

Via remote SIM provisioning specifications, eSIM/iSIM standards can revolutionise cellular device connectivity, opening new possibilities that will drive IoT roll-out. SIM and device manufacturers, connectivity providers and solution deployers and managers will all benefit.

Carriers no longer need to worry about physically handling SIMs, their complex logistics, and expensive packaging. Instead, they can migrate their subscriber connection activity to a completely digital journey with near instant service enablement, heightened customer satisfaction, plus the potential for serving subscribers in previously unreachable markets.

With GSMA’s IoT eSIM bringing flexible cellular connectivity to a broader selection of devices, coupled with the cost, size, and energy-efficient iSIM, greater uptake will naturally follow. The team at Kigen is fully invested in contributing to standardisation and collaborating on the development of GSMA eSIM specifications. In addition, we contribute to the work of the Trusted Connectivity Alliance (TCA) and support efforts within GlobalPlatform (GP), on whose own standards and specifications GSMA eSIM architectures heavily rely.

IoT devices are increasingly integral to our digital interactions and are changing them. The security of IoT devices must be a priority across both consumer and M2M scenarios. Standardised approaches that allow constrained IoT Devices to benefit from remotely assisted profile and connectivity management options are beneficial for anyone looking to future-proof their digital transformation.

The author is Said Gharout, head of standards, Kigen.

About the author:

Said Gharout is head of standards at Kigen. He is the chair of GSMA eSIM IoT working group and the chair of the TCA IoT Remote SIM Provisioning working group. He has been involved in developing many standards related to IoT, eSIM and iSIM, and security in various organisations.


This UrIoTNews article is syndicated from IoT-Now
