Qualifying your project, an essential first step
To secure an IoT project properly, one must first analyze it end-to-end and understand its specific challenges. Vigilance will not focus on the same elements from one project to another. Factors influencing security include the industry sector, the criticality of the collected data, and the need for immediate availability of information. These characteristics shape the project. For instance, IoT projects related to video surveillance or payment terminal management can be highly sensitive, both in terms of availability and confidentiality. Conversely, connected solutions for managing offices and meeting rooms (occupancy rates, energy performance, etc.) may be potentially less sensitive.
A single overarching project may include completely opposing characteristics. In a connected building project, some actions will be highly critical (videosurveillance, access management, etc.), and others will have a lesser degree (meeting room management, coffee machines, etc.). Therefore, in the design phase of the project, each issue must be analyzed separately to apply the best security method through a graduated and flexible approach, combining different technologies. All this with the aim of meeting the technical and economic expectations of the enterprise. The technology must adapt to the need, not the other way around.
Multiple technological layers to understand and protect
Sensors
The first technologicalllayer is the sensors, containing a communication module that may include chips and allow sending and receiving information. This makes the object “communicative” and captures the desired data. Several methods exist to quickly identify a possible theft or attack remotely:
- Detection of IMEI change to be alerted if the chip is transposed into another object,
- Control of unexpected movement, allowing an alert if the sensor is out of its authorized and usual zone,
- Monitoring the number of connections to detect an anomaly, etc.
It is also possible to inhibit the dialogue between sensors to prevent a virus from spreading in case one of the sensors is attacked.
Data flows and their transportation
The second technological layer: data flows and their transportation. The various networks used in IoT projects (M2M, LoRa, etc.) already have strong security protocols to provide some peace of mind to companies. However, sometimes a company decides, out of necessity in poorly covered areas or by choice, to create its own private network with a partner. A solid security layer must then be integrated to encrypt the data flows and prevent any diversion. To be more serene, companies can also turn to network suppliers linked to telecom operators, who adhere to very strict rules in terms of security and business continuity, both on their flows and infrastructures.
Data and their supervision
The third layer is related to the data and their supervision. It is important to secure their storage and processing, which involves full visibility and good supervision. For this, computer platforms are available to manage, via the same interface, all the data. It is then more easily possible to detect weak signals that may indicate an attack is underway. But supervision does not stop at the digital world. Attention must also be paid to human and technical interventions: both in the organization itself, where the maintenance of sensors and connected objects or of the business application server must be governed by a policy of strict and controlled access rights; and with partners for all their equipment participating in the overall IoT solution.
The object
The last technological layer to secure: the object itself. Concerns from both companies and individuals often crystallize on this part. The main challenge here is to control who can access and, more importantly, who can command the object. This challenge can be especially significant in the automotive sector, for example, to prevent remote hijacking of connected cars, or in the medical sector. No fraudulent maneuvers should be possible. Therefore, it is strongly recommended not to connect objects directly to the internet, especially with a public IP, to limit the possibilities of attacks. In some projects, however, connection to the internet is inevitable; additional security measures must then be implemented to encrypt end-to-end flows and secure the object.
Choosing your partners according to the expected requirements, a key element of security
The company cannot respond to these issues alone, and all these factors are essential for the smooth running of an IoT project. Technological partners have a major role, both in advice and supervision. That is why the company must pay particular attention to the choice of partners to benefit from strong and complete support.
The rule is simple: the more advice and support there is from the start of the project, the fewer security vulnerabilities there will be. It will also be necessary to remain vigilant over time, as cyber-attack techniques, as well as the use of various connected objects, evolve and give rise to new threats that must be taken into account and eradicated. IoT projects involve a multitude of providers, but the network partner often plays the role of conductor and guarantor of the proper functioning and security of the entire project.
A good partner will participate in the qualification of the project. It can, together with the company, define the criticality of the collected data and flows. It will also seek to understand the whole project, as well as the importance given to each element, to design a tailor-made solution. Its role is to perceive challenges or needs that project leaders were not yet aware of, then help define the list of “abnormal behaviors” that may presage an attack. The solution is created to measure, to adapt to the business, technological, and budgetary constraints of the company, without sacrificing security.