An Econocom Group company, Digital Security is the world’s first CERT™ (Computer Emergency Response Team) dedicated to IoT. Security in this field is an increasingly important issue, especially after the massive hacking on Dyn’s servers on 21 October 2016, or with infected cameras and connected thermostats. With its 180 complementary experts, Digital Security offers an end-to-end approach to IoT security: we found out more from Cédric Messeguer, CEO of Digital Security.
IoT security is now a major issue, which you address in an innovative way through the CERT-UBIK. Can you describe the different types of expertise it includes, and each person’s role?
A CERT is a cybersecurity expertise centre, with the best, most advanced players in the sector – the acronym was registered by Carnegie Mellon University in the US. There are several types of CERT: internal CERTs whose role is to protect a perimeter, such as the CERT-FR, and commercial CERTs, which sell services. We belong to this second category.
To provide prevention, awareness and reaction services, we combine various profiles in the CERT, because IoT requires a wide range of expertise. We have electronic engineers, IT engineers, radio transmission specialists, people who can perform reverse engineering, etc.
Our objective is to secure connected objects across the whole chain, from the object itself to the cloud and the gateways linking them together, and the interface used for managing it. To do so, we offer two types of services:
- Beforehand, we guide our customers who wish to integrate connected objects into their project, in a secure way. These people generally have a rather high level of technological maturity, are aware of this wave of connected objects and are concerned about security in this field, which they want to incorporate as early as possible in their project. This involves IoT risk analyses, advice, demos, proofs of concept and ideation approaches to brainstorm directly with the customer.
- When the customer has a clear idea of the ecosystem of connected objects they wish to implement, we help them by providing them with our R&D or various approaches: assessing established protocols, carrying out security audits and penetration tests by acting as potential hackers (black, white or grey box testing).
These two types of approaches help free our customers from the burdens of digital transformation, and control the risks implied by any change. What the two approaches have in common is that they both aim to make things more concrete, and to show by example what the issues, risks, technical evolutions, etc. are.
All this can help explain that there are no good or bad solutions, only decisions to make depending on the customer’s project. Security is not an obstacle, but a growth driver for IoT: that’s what we explain to our customers.
The world’s first IoT CERT, which you created, is European. However, the European Union is refining its General Data Protection Regulation, which will require companies, from 25 May 2018, to be “responsible for their compliance” and “able to prove it”. How are you incorporating these measures into your customer support approach?
This General Regulation comes after several previous regulations on personal data, but is much more repressive with non-compliant companies: those who don’t appoint a Data Protection Officer and don’t comply with personal data restrictions will have to pay a fine of up to 4% of their revenue or €20m.
For us, it means helping our customers make their IT system compliant in terms of governance, implementing procedures, technical solutions, etc. We must also assess all the company’s good intentions through a closer look at the IoT solutions they’ve implemented internally. We analyse the links between connected objects, the way they are managed and the cloud, and we make sure the data exchanged between them is anonymous and not personal.
Thanks to our consulting team, which is made up of some fifty people, we offer support in terms of organisation, either through fixed-price contracts or time-and-materials contracts, with a training/awareness/change management section to explain to our customers how to implement a secure management system for their personal data. As for all the legal compliance, we rely on Digital Security’s partner law firms.
More generally, what cybersecurity advice would you give companies planning on digitalising in terms of IoT? And to IoT manufacturers?
For companies who want to invest in IoT, the answer is simple. To carry out their project, they need to analyse the risks as early as possible, to help clarify things: this consulting service doesn’t take months. Most of the time, these are flash services based on interviews and a few tests, which can be carried out over the course of a few days, within the company.
This helps build the foundations of this sort of project and ensure its development. Everyday innovations are introduced in this sector, which is why solutions must last in the long run. We have specialists who take part in all security conferences, research projects, etc., and we work closely with Econocom’s “Next” business unit, which is dedicated to IoT.
To provide our customers with the solution that’s best-suited to their project, we must be up-to-date: for example, while 5G is very promising, especially in terms of absorbing IoT data flows, 2G can be enough for a customer’s small-scale project.
As for manufacturers of connected objects, they must think beforehand, during the ideation phases. The ideal solution for manufacturers is to quickly create an object in agile mode and test it on the market, to check its response. From this perspective, the main issue is not dismissing security matters as a waste of time and money if the market doesn’t respond positively.
But things must be seen the other way around: without security measures, the market will hardly respond, since security is a requirement that is increasingly featuring in investors’ specifications. That’s why we created the first security label for the Internet of Things in late 2016. Here’s what I would advise manufacturers: do everything you can to get this label!