How do you secure the Internet of Things?

Botnets – networks of devices infected by the same malware – are targeting connected objects to perform cyber attacks on a massive scale. How can the risk of piracy be countered and the Internet of Things secured? The answer lies with Aymerick Dumas, who is responsible for defining and implementing the IoT and industrial security strategy for Orange Cyberdefense, the Orange Business Services entity charged with protecting companies and securing their systems.

Is the Internet of Things secure?

Aymerick Dumas: It’s as safe as the Web is for PCs; there are known risks and ways to manage them. However, IoT has four specific features. Firstly, the huge number of connected devices expected in the coming years makes indexing, managing and controlling them more complex. Secondly, we’re just at the beginning of the IoT era, and when new technology first appears, security is not a priority for manufacturers, who are focusing on exploring new uses and upgrading equipment. Thirdly, connected devices are exposed by nature, because of their geographical distribution and accessibility and also because of their limited memory and software capabilities. And finally, the impact of a security breach can be critical. This is why legislation is evolving to compel the market to focus on security (the French Military Programming Law and the General Data Protection Regulation, or GDPR, in particular). Of course, not all connected objects carry an inherent security challenge: some projects are not linked to any major risk.

How does Orange Cyberdefense support companies in ensuring that IoT projects are secure?

A.D.: An IoT project is primarily a business project, which aims to reduce costs, improve productivity… before being a computing project. This implies new risks, which the company doesn’t always think about! Also, the first service offered by Orange Cyberdefense is consultancy, to provide a full risk assessment. This is essential for several reasons. On the one hand, because risks are not always found where the company thinks they’ll be. It’s not just about securing data or IT: connected objects interact with the physical world too, and this increases the potential impacts. For example, an asset-tracking project may present no real security issues outside of data theft. However, some projects that may seem fairly innocuous can actually present dangerous risks to the people involved as well. On the other hand, because identifying risks must be carried out as far upstream as possible. The later the risks are taken into account, the greater the effort required to secure the solution. Finally, there is no ‘zero risk’ sector. Take agricultural equipment for example, which handles harmless data or presents ‘no’ risk. You’re forgetting that it can still be a gateway to the farmer’s computer systems and pose a risk if the PC that it’s connected to is used for accounting or hosting personal data! Every project must be studied on a case-by-case basis.

How do you take security into consideration once a project has launched?

A.D.: Our initial consultancy aims to identify the specific risks to take into account in the project design. Then, the computer component – the communication between the devices and the information system, data collection and storage, processing… – is handled by Orange Cyberdefense the same as for any other IT project. It benefits from the same expertise, resources and infrastructure in terms of intrusion detection, malware, etc. (see the box below). The technologies may change, with new players coming on the market all the time, and stakeholders dealing with specific business cases (Industry 4.0, for example), but the methodology and principles remain the same.

Detect, evaluate and mitigate IoT risks: Orange Cyberdefense’s expertise in key figures

  • 1,200 experts in security professions
  • 21 billion events correlated per day
  • 1 epidemiology lab and Intelligence Signal, monitoring malicious software. Today, over 300,000 pieces of malware, including around 50,000 in the financial industry, are analysed daily by our systems.
  • 7 Security Operation Centers (SOCs) around the world monitoring and responding to events 24/7, 365 days a year
  • 2 CyberSOCs in France and India concentrating threat analysis expertise
  • 1 Computer Emergency Response Team (CERT) in France with relays in Montreal and Singapore to ensure continuous monitoring
  • 3 DDoS Scrubbing Centers in France and the USA and data centers specialised in cleaning traffic

Are manufacturers paying more attention to their assets since the recent cyber attacks?

A.D.: Definitely. The market is young but already IoT developers are using chipsets* that integrate security functionality. The market is maturing, stimulated by business demand but also legislation, in particular the General Data Protection Regulation (GDPR), which will come into force at the European level in May 2018 with the aim of protecting personal data. New data analysis solutions are emerging from Orange R&D labs thanks to artificial intelligence, which enables us to supervise a large number of datasets and events and monitor the security of the entire IoT environment through blockchains. These technologies are very promising for IoT security.

How do companies feel about security when it comes to their IoT projects?

A.D.: Companies are very aware of the security issues. The safety officer is no longer a secondary role: he now has a direct line to the board of directors and sits on the Executive Committee. Another example? Orange Cyberdefense is more and more involved in consulting. Companies and authorities are increasing the number of projects linked to IoT even if they’re not all being delivered for the moment. Decision makers are watching the market. There’s a crossover with what happened in the world of convergence: at the time, telecoms leaders watched what the pioneers did before launching their own services! Nowadays, business leaders and CIOs are closely watching the IoT initiatives that their peers and competitors are involved in.

* chipset – an electronic circuit board responsible for coordinating data exchanges between the various components of the computer (processor, memory…).
