What is Remote SIM Provisioning?
Remote SIM provisioning (RSP) in IoT is the process of remotely managing SIM profiles saved on eUICC-capable SIM cards. This includes installation, switching, and deactivation of SIM profiles over-the-air. Today, there are two major solutions in RSP – Machine-to-Machine (M2M) and Consumer solutions. Before RSP entered the game, a change of an operator’s profile could only be done by physically changing the whole SIM card or through the Multi-IMSI feature, which required having the SIM profile already loaded onto the SIM before it has been deployed in the field. With remote SIM provisioning, it has become possible to overcome the issues by allowing to add, switch or change a SIM profile remotely over-the-air (OTA). Find more information about how RSP overcomes the challenges in our guideline.
Remote SIM Provisioning relies on the eUICC standard. eUICC SIM cards can be used like standard (non-eUICC) SIM cards. They can be either soldered inside of a device (MFF2) or put into the SIM slot when used in removable form factors (2FF, 3FF, 4FF). Each SIM profile consists of the operator data that is related to subscription as well as the operator’s credentials and further 3rd party SIM-based applications. The eUICC secure element can load multiple IMSI profiles that are either pre-installed or can be downloaded OTA.
Consumer and M2M Remote SIM Provisioning: How Do They Work?
The Global System for Mobile Communications (GSMA) has established distinct technical architectures for the use of eUICC within Consumer and M2M use cases. Consumer eUICC (eSIM) is primarily utilized in devices like smartphones and laptops, where the device "pulls" the profile from the subscription management (SM) backend based on the user interaction, for example via QR scanning. On the contrary, M2M deals with IoT sensors, meters, trackers, and other devices that do not imply much human involvement. Here, the profile is usually pushed towards the device via remote commands from the subscription manager. The diverse GSMA solutions mean different requirements applied to the RSP process. GSMA has recently released a new standard referred to as RSP IoT. This standard is intended to overcome the challenges the M2M and consumer specs bring to scale IoT.
About M2M Remote SIM Provisioning
M2M RSP targets IoT and M2M use cases and is based on GSMA’s M2M specifications SGP.01,.02,11. The major benefit of M2M RSP is that the device normally functions without local physical control in terms of connectivity. It’s managed via the operator’s backend infrastructure, which means profiles are either downloaded, enabled or disabled depending on the device location.
M2M technology utilizes the Bearer Independent Protocol (BIP) to establish a connection between Subscription Manager - Secure Routing (SM-SR) and eUICC, using underlying bearers such as SMS, CAT_TP28, or TCP/IP. The choice of the bearer can affect the download performance. Furthermore, M2M solutions do not require hardware adaptation.
The GSMA M2M solution is straightforward because it does not involve any direct interaction with end users. It follows a server-driven or 'push' model, involving three main components: Subscription Manager - Data Preparation (SM-DP), SM-SR, and eUICC.
SM-DP protects and stores the profiles on the server to allocate, download, and install go to the target eUICC.
SM-SR is in charge of Profiles status management, including enable/disable/delete, as well as secure communication between eUICC and SM-DP for Profiles delivery. It communicates via SMS encrypted with ISD-R keys.
eUICC is a secure element that may contain one or multiple IMSI Profiles. eUICC sets a secure data communication session (HTTPS) back to the SM-SR.
How M2M Differs from Consumer RSP
Consumer RSP is intended for consumer and consumer IoT use cases and is based on SGP. 21, 22, 23. It implies full control carried out by the end user through the consumer device interface, including ‘primary’ devices (e.g., smartphone that can be companioned with smartwatch). While SM-SR is an integral constituent in M2M Remote SIM Provisioning, it’s not necessarily required for consumer RSP, since in this case it is more a client-driven or pull model that comprises the following elements:
SM-DP+ (Subscription Manager - Data Preparation +) deals not only with the data preparation tasks, but also includes the functionality of Secure Routing of the subscription data from the Subscription Manager (SM) to the appropriate eUICC (embedded Universal Integrated Circuit Card).
SM-DS (Discovery Server) is an additional backend component containing a list of ready-to-download profiles on the device.
LPA (Local Profile Assistant) enables local download and status management of the eUICC profiles on the device
eUICC (explained above)
At the same time, both M2M and Consumer solutions entail a SM-DP/SM-DP+ provisioning system. The two ecosystems involve a eUICC secure element for Profile storage and management.
In addition, they both use PSK and PKI cryptography. For M2M, authentication via SM-SR utilizes PSK and enables a single SM-SR to connect with the eUICC. Consumer solution implies PKI authentication, allowing any eUICC and SM-DP+ connection if they share the same root PKI certificate.
A GSMA Certificate Issuer is necessary for both solutions in order to provide simple communication within entities as well as mutual authentication (in Consumer case).
Although architectural similarities have been discussed, it is important to note that the two solutions are fundamentally distinct and cannot be used interchangeably.
What Functionality and Technical Setups Are Needed for RSP?
The full functionality of Remote SIM Provisioning involves several processes and notions that should be considered as part of the whole RSP ecosystem.
Subscription and profile management implies management of SIM profiles, and covers tasks like provisioning, activation, and deactivation of subscriptions. Profiles are remotely updated and changed according to the network requirements, tariffs, or services.
Over-the-Air (OTA) enables remote management of eUICC profiles, including installing SIM profiles from different network operators over a wireless connection.
Lifecycle management covers the management of eUICC-capable SIM cards during their entire lifecycle. This includes the initial deployment, activation and configuring with network credentials, profiles and subscription details, which is basically provisioning. In addition, it entails subscription management discussed above and security, such as encryption and authentication protocols. It includes updating software and firmware remotely and eventually ends with decommissioning.
Within the technical setups one should, of course, consider the eUICC-capable SIM card. The SIM must be enabled to make use of RSP and SM-DP in order to store the profile description from an MNO, to generate and store further profiles and to download and install additional profiles on the eUICC element via SM-SR. The SM-SR then stores all eUICC data and securely delivers the encrypted MNO credentials based on the device identifier. There are also other parts involved such as MNO infrastructure, OTA channels, and security.
What Rules, Compliance, and Safety Aspects Need to Be Considered?
The GSMA acts as a standardization body for Remote SIM Provisioning and has defined several rules and guidelines for consumer, M2M, and IoT RSP specifications. Examples are GSMA SGP.02: "Secure Element Access Control for M2M Devices", GSMA SGP.22: "eUICC Security Assurance Framework," GSMA SGP.24: "Remote Provisioning Architecture for Embedded UICC," GSMA SGP.25: "Remote SIM Provisioning for M2M Devices" and GSMA SGP.32: “Secure Element Protection Profile for Subscription Management".
Furthermore, to ensure that eUICC environments are protected, there are specific compliance aspects. Compliance with the GSMA M2M standards requires the following verifications:
eUICC Security, referring to a Common Criteria Protection Profile 10,11 to the EAL4+ assurance level
Production Environment and Process Security within GSMA’s Security Accreditation
SAS-UP (for eUICC personalization) or SAS-SM (for SMP).
Functional Compliance based on the GSMA’s test specification.
Find out more about eUICC Standards in IoT.
Who Are the Key Players in eUICC Management?
With over 260 MNOs/MNVOs supporting eUICC, the number of GSMA-credible Remote SIM Provisioning platforms is growing as well. Today, there are over 25 RSP providers on the market globally. Below is a highlight of the most prominent players and providers in the field:
Thales is a French company with over 300 subscription management platforms globally. Thales has a strong presence in the consumer and IoT eUICC environments and supports various eUICC-enabled industrial IoT applications. Together with GSMA they constantly work on new specifications and provide various deployment services for eSIM subscription management platforms. Find more information on the provider’s webpage.
G+D (Giesecke+Devrient) is a RSP player based in Germany. G+D launched its eUICC-powered SIM provisioning platform in 2012. It has enabled diverse consumer eUICC-capable devices, including smartphones, smartwatches, and tablets. At the same time, it targets transportation, utilities, agriculture, and smart home solutions. Learn more about AirOn360 by G+D.
IDEMIA provides an RSP service platform with a focus on high security, broad technology contribution, and extensive global reach, also building upon a well-extended partnership framework. The company has deployed over 200 dedicated RSP platforms worldwide. The company is actively involved in the GSMA Working Group 7 which defines new architecture for IoT connectivity. They mostly aim for B2B, and their M2M RSP solutions are highly relevant to private networks, network slicing enhanced IoT security, and subscriber privacy protection. Learn more on the company’s website.
There’s a separate cohort of providers referred to by analysts and researchers often as ‘specialists.’ Players in this group include Kigen, Truphone, WORKZ, and VALID. There are other players such as Eastcompeace, Invigo, RedTea Mobile, and Nordic eSIM, who are catching up with the above due to a reliable pool of partners and innovative technology.
Kigen is one of the fastest-growing players in IoT eUICC technology. The vendor offers three major solution packages: Kigen Operating System (SIM OS, eSIM OS, iSIM OS), RSP Solutions (Remote SIM provisioning solution, OTA server, server hosting, server sandbox), and Connectivity Solution, including integration with partners like AT&T. Remote SIM provisioning by Kigen works both with consumer and M2M solutions. Among the major verticals Kigen works with are the automotive, healthcare, logistics, and smart cities sectors. Learn more about Remote SIM Provisioning by Kigen here.
Buy the 1NCE IoT Lifetime Flat now!
Visit the 1NCE Shop and start connecting your IoT devices easily. Simply order your SIM cards, choose the desired type of SIM card and fill out all required forms. After the payment has been approved you get your cards within two to three business days.