Best Practices for Device Provisioning

Best Practices for Provisioning LoRaWAN® Devices

Scaling an Internet of Things (IoT) solution to thousands or millions of devices is complex and challenging. A myriad of elements adds to the complexity, and one that centers on something as unassuming as device provisioning and naming conventions can become a significant obstacle in IoT deployments. In this blog, we will focus on IoT deployments using a LoRaWAN® network, review best practices, and uncover some vital information you need for scalable success.  

What is Device Provisioning, and Why is it Necessary?

To begin, we need to identify what device provisioning is. It's the process of registering and configuring a device on a network to enable communication. Provisioning devices ensures that each device is given an identity and authenticated by the IoT application using the identity provided. Once a device is appropriately provisioned, it can begin sending and receiving data over the network and receive commands or updates. Different protocols and nuances to IoT solutions mean there needs to be a standardized process across the board for device provisioning. Therefore, enterprises must look to repeatable, simple, and scalable practices.

While device provisioning may seem straightforward, it’s of paramount importance for two essential reasons:  

• Security: Data security should come as no surprise. LoRaWAN encrypts all broadcasts with industry-standard AES-128 encryption. Plus, two different provisioning methods offer added security measures for enterprises.  
• Network efficiency: LoRaWAN networks use different communication parameters, such as frequency band, data rate, and transmission power, to optimize network performance and battery life.

How Do You Provision Devices?

Different provisioning requirements depend on the activation method and protocol used. When leveraging MachineQ’s network, devices can be provisioned via a graphical user interface or GUI, bulk upload via a CSV file, or API. The flexibility of having multiple provisioning methods to select from means enterprises can connect tens of thousands of devices in an efficient and scalable manner that works for their business – enabling speed to market. When provisioning a LoRa® device, there are two standard methods: Activation by Personalization (ABP) and Over-The-Air Activation (OTAA). The main difference between these two methods is how the device is authenticated and how security keys are managed.

ABP

With ABP, the device is pre-programmed with a set of security keys before deployment. These keys include a unique DevAddr (Device Address), Network Session Key (NwkSKey), and Application Session Key (AppSKey). When the device joins the network, it uses these keys to authenticate with the network server and starts transmitting data.  

The advantage of ABP is that it is a simple and quick provisioning process, as the device does not need to exchange keys with the network server. However, if these keys are exposed, it compromises the network's security as they are static and cannot be easily changed.

OTAA

With OTAA, the device generates new security keys during the activation process. These keys encrypt and decrypt data between the device and the network. When the device joins the network, it sends a "join request" to the network server, which responds with a "join accept" message containing a new DevAddr, NwkSKey, and AppSKey.

The advantage of OTAA is that it provides better security, as the keys are unique to each device and are generated dynamically during activation. Given the join process, the activation takes longer than ABP, as the device must exchange keys with the network server before transmitting data.

In summary, ABP is a simpler and faster way to provision LoRaWAN devices, while OTAA provides better security through the dynamic generation of security keys during activation. The choice between ABP and OTAA will depend on the specific requirements of the IoT application and the desired balance between simplicity and security. We recommend OTAA for the added layer of security and reliability knowing the network has confirmed the device during the activation process.

What are some best practices for device provisioning?

• Choose the appropriate provisioning method: As discussed earlier, there are two standard methods for LoRaWAN device provisioning: ABP and OTAA. Choose the way that best suits your application's security and deployment requirements.
• Generate unique device identifiers: Each LoRaWAN device should have a unique identifier, such as a DevEUI, to prevent conflicts and ensure secure communication. Avoid using default identifiers or easily guessable values if you create your own device and leverage a third-party network.
• Leverage naming conventions: There are many ways users can identify a device – mainly through its DevEUI prefix. However, having a naming convention makes organizing and managing a high volume of devices on a LoRaWAN network easier. Assigning each device a unique and descriptive name (e.g., Building number, device type, and last four of DevEUI) simplifies identifying and locating a specified device for maintenance, troubleshooting, and other tasks. Lastly, a naming convention enables scale by systematically naming new devices added to the network.

• Use strong security keys: The security keys to encrypt and decrypt data between devices and the network should be long, complex, and not shared between devices. Use a secure random number generator to generate keys and avoid hardcoding them in device firmware.
• Securely store security keys: Stow security keys in a safeguarded location, such as a hardware security module or encrypted database, to prevent unauthorized access. Avoid storing keys in plaintext or easily accessible areas.
• Look for security beyond the standard: LoRaWAN utilizes industry-standard AES-128 encryption for data transmission. Enterprise customers on an enterprise-grade network that adds an extra layer of security onto the industry-standard AES-128 encryption ensures that all payloads are sent from the gateway using transport layer security to a VPN in the cloud – the same industry standard for online banking.
• Standardize device configurations - An enterprise-grade network enables enterprises to configure communication parameters based on a specific device profile. Device provisioning allows the network to “turn on” these specifications.
• Perform device authentication: Verify that the device is authorized to join the LoRaWAN network using a secure authentication mechanism.

• Monitor device activity: Proactive device monitoring practices help detect and prevent unauthorized access or suspicious behavior. This practice can include monitoring device communication patterns, data usage, and device health.
• Document provisioning procedures: For consistency and repeatability, document provisioning procedures to enable rapid troubleshooting and resolution of provisioning issues.

It’s All in the Details

Device provisioning is an integral step in IoT deployments and shouldn’t be overlooked. Paying attention to the minutia will remove obstacles down the road. Remember, the devil is in the details, so read the LoRaWAN spec sheet and use repeatable and scalable processes.

‍