Machine-to-machine (M2M) communication is a critical technology that can be applied across various sectors. Its use cases include vehicle tracking, e-calls, vehicle-to-vehicle applications, traffic control, navigation and infotainment in the automobile sector; smart metering, smart grid, electric and water line monitoring in utilities; telemedicine and wearable health devices in healthcare; and ATMs, kiosks, vending machines and digital signage in the finance sector.
The Department of Telecommunications (DoT) has developed a two-tier regulatory framework governing M2M communication services in the country: M2M communication services using unlicensed spectrum, and those using licensed spectrum. The former is bifurcated into entities holding “M2M authorisation under unified licence (UL)”, which may provide M2M communication services through the low power wide area network, and those holding “registration of wireless personal area network (WPAN)/wireless local area network (WLAN) connectivity provider for M2M services”, which are allowed to use WPAN/WLAN for offering M2M services. Meanwhile, entities with service authorisation under unified a licence or unified access service licence can obtain licensed access spectrum from DoT to provide wireless access services, including M2M communication services.
In 2017, the Telecom Regulatory Authority of India (TRAI) had released its recommendations on “Spectrum, Roaming and QoS Related Requirements in M2M Communications”. This stipulated that the government, through DoT, should identify critical services in the M2M sector, and that these services should be provided only by connectivity providers using licensed spectrum (Recommendation 5.1[g]). In January 2024, DoT wrote a detailed letter to TRAI, mentioning, among other things, that in November 2020 it established an interministerial working group to deliberate on all issues concerning critical M2M services. DoT also stated that there was a need to revisit TRAI’s 2017 recommendations. Subsequently, in June 2024, TRAI issued a consultation paper on “Issues Related to Critical Services in the M2M Sector and Transfer of Ownership of M2M SIMs” to solicit comments from stakeholders on various issues related to the matter.
TRAI’s salient recommendations
TRAI’s latest recommendations cover three broad areas – the need for a guiding framework to define a service as a critical M2M/internet of things (IoT) service and to review Recommendation No. 5.1(g) (of TRAI’s 2017 recommendations on M2M communication); the inclusion of M2M devices under the trusted source/trusted product framework; and the establishment of a regulatory framework for the transfer of ownership of M2M SIMs among M2M service providers (M2MSPs).
Defining a critical M2M/IoT service
Most stakeholders thought that there is a need for a broad guiding framework for defining a service as a critical M2M/IoT service, saying that this would help mitigate risks by ensuring robust security measures and establishing accountability for service providers and device manufacturers. Moreover, considering the increasing IoT adoption in the future, a guiding framework would ensure consistent and uniform criteria for what constitutes a critical M2M/IoT service. Stakeholders further proposed certain guiding principles for defining critical M2M/IoT services: these should support critical business services and infrastructure which are vital to national interests, considering factors such as time sensitivity and latency, safety and human impact; and national security, among others. However, a few other stakeholders contended it citing numerous reasons including the lack of a global precedent for the classification of IoT devices based on criticality of use case and the fact that a universal framework may lead to increased costs, overengineering and delays.
In its recent recommendations, TRAI affirmed that a service (application) should be classified as a “critical IoT service” upon verifying the following – whether the service demands ultra-reliable low-latency M2M connectivity with very high availability; and if any disruption of the M2M connectivity used for delivering the service will have a debilitating impact on national security, economy, public health, or public safety. Moreover, any IoT service should be treated as a non-critical IoT service unless it is identified and notified as a critical IoT service. Also, rather than classifying an entire domain/sector as a critical IoT sector, specific IoT services (applications) within the domain/sector should be classified as critical IoT services.
The regulator added that the classification of services as critical must be undertaken by the ministry/regulatory body concerned in consultation with DoT. Further, DoT should devise an institutional mechanism encompassing the following aspects for the assistance of concerned ministries/regulatory bodies:
The classification of critical IoT services for each domain/sector should be done based on the recommendations of a standing committee consisting of one or more officers nominated by the ministry/regulatory body concerned and an officer nominated by DoT. The standing committees should also recommend service performance benchmarks (such as latency, reliability, availability, etc.) for each critical IoT service.
After considering the standing committee’s recommendations, the concerned ministry/regulatory body should notify the regulatory requirements including the telecommunication service performance benchmarks (such as latency, reliability, availability, etc.) for each critical IoT service separately.
DoT, as the nodal department, must create an online repository of sector-wise critical IoT services and corresponding regulatory requirements including telecommunication service performance benchmarks, as prescribed by the concerned ministries/regulatory bodies. The online repository should be accessible to the general public.
Any wireless M2M communication technology (utilising unlicensed spectrum or licensed spectrum) or wired M2M communication technology should be allowed to be used for the provision of critical IoT services if it meets the prescribed service performance benchmarks. The choice for M2M communication technologies may be exercised by user agencies based on their techno-commercial considerations.
Securing IoT/M2M devices
Stakeholders had three kinds of views on the subject of bringing M2M devices under the trusted source/trusted product framework: those stakeholders who agreed, those who disagreed and those who felt that only M2M devices used for critical IoT/M2M services should be brought under the trusted source/trusted product framework. The ones who argued that all M2M devices should be used in India should be brought under the trusted source/trusted product framework cited various reasons. These included reducing the risk of supply chain attacks where malicious actors could introduce compromised devices, and the need to bring in standardisation and allow interoperability with other countries. The ones who opposed this idea reckoned that security needs for different applications may vary, and the mass application of trusted source/trusted product framework would be a humongous task and could further delay the uptake of M2M services in India.
According to TRAI, security and privacy concerns from IoT devices originate essentially from the M2M communication modules embedded in them. It also noted that the government has already laid down the frameworks for ensuring the security of the telecommunication ecosystem through the National Security Directive on Telecommunication Sector (NSDTS) and Mandatory Testing and Certification of the Telecommunication Equipment (MTCTE). The government is also contemplating the implementation of the National Trust Center (NTC). The authority opined that the trinity of NSDTS, MTCTE and NTC, once fully implemented with respect to IoT/M2M, will provide a comprehensive framework for ensuring a secure IoT ecosystem.
Further, TRAI expressed that the M2M communication modules embedded/plugged in all IoT devices (which are capable of being connected to telecommunication networks) deployed in the critical sectors identified by the National Critical Information Infrastructure Protection Centre should be notified under the framework of MTCTE in a phased manner. IoT devices deployed in the remaining sectors may be notified under MTCTE subsequently.
Transfer of ownership of M2M SIMs
The majority of the stakeholders believe that that there is a need to establish a robust regulatory framework for the transfer of ownership of M2M SIMs among M2MSPs. They remarked that a framework for the change of ownership of SIMs amongst M2MSPs can help to avoid service disruptions and inconvenience to users. This could happen in cases where an M2M service provider (M2MSP) stops its services; or following a merger, demerger or acquisition of an existing M2MSP or simply where customers opt for a new M2MSP for better service, pricing or other reasons. The stakeholders also put forward the salient features of the regulatory framework governing the ownership transfer: a customer-oriented transfer of ownership with minimal disruptions; mutually agreed upon terms regulating the transfer; the new entity meeting the subscriber verification norms and obtaining no-objection certificates (NOCs) for the transfer of ownership from both outgoing and new entities; that transferred M2M SIMs should be allowed to continue with the earlier configuration parameters; and so forth.
TRAI was of the view that DoT must establish a framework for the transfer of M2MSP registration/authorisation to the resultant entity in case of merger, demerger, acquisition, etc. of M2MSP entities. DoT should introduce an enabling provision for the transfer of the ownership of M2M SIMs from one M2MSP registration holder/authorised entity to another if the transferor entity furnishes an NOC for the transfer of M2M SIMs, and the transferee entity furnishes an undertaking for taking over all responsibilities of M2M SIMs to the access service provider(s) concerned. Upon transfer of M2M SIMs, the access service provider(s) concerned should promptly amend the name of the owner of the M2M SIM in its subscriber database. Further, the transferee M2MSP entity should maintain the updated details of physical custodians of machines fitted with M2M SIMs obtained from the transferor entity and provide the same to the concerned access service provider(s).
Summing up
The M2M landscape in India is in its infancy, but as this technology matures, it will require crucial IoT for delivering services of critical importance, making the meticulous demarcation of critical services in the M2M sector vital. This will be a win-win situation, as it is expected to serve as a guiding framework for players in the system, establish accountability among telecom service providers, enhance cybersecurity and improve customer experience.
Nikhaar Gogna
