scope:

General

Below are reproduced some of the terms of reference concerning security handling in ETSI TC M2M [i.1].

• "Requirements pertaining to detailed security analysis (such as the analysis of threats, risks and counter-measures) are within the scope of ETSI TC M2M.

• Wherever possible, detailed solution work based on other SDOs' existing mechanisms shall be performed by those SDOs, based on input which TC M2M may provide. Identified solution gaps which are not addressed by other SDOs can be handled in ETSI TC M2M.

• Security aspects which are part of the current architecture document shall remain with the current architecture document for the purpose of Release 1, because of the tight integration needed to provide a solid basis for Release 1. Note: this requirement is intended to avoid the creation of separate security architecture specifications for Release 1".

Specific

Below are the terms of reference in the WI description [i.2].

In the present document, threats against M2M functional architecture, Service layer and interfaces are identified and analysed for impact and for likelihood. The need for countermeasures is determined.

The threat analysis considers only the following two types of threat (with the following order of priority):

1) Type 1 threats: threats that are specific to M2M service layer or interfaces for the service layer.

2) Type 2 threats: threats that may not be specific to M2M service layer but which have a significant impact upon M2M functional requirements.

The level of risk (i.e. combined likelihood and impact) of identified threats is also evaluated. As a result of that, there is a prioritisation of threats and therefore of countermeasures and security requirements.

Concerning countermeasures identified in the present document, the scope includes:

• consideration of merits and demerits (i.e. pros and cons) of identified countermeasures;

• evaluation of countermeasures to determine:

1) the need for a standardised solution/implementation,

2) availability of existing standardised solutions (e.g. from other SDOs),

3) the need for a new standardised solution (either from another SDO or from ETSI M2M).

Additionally:

• Threats against, or originating from, any stakeholders may be considered.

• Countermeasures which are normal practice in IT systems (e.g. maintenance logs, firewalls) are out of scope.

Content in the present document may lead to new requirements in future releases of TS 102 689 [i.5] and normative text in TS 102 690 [i.6].