Secure Connected Objects Platform (SCOP) : Life-cycle security analysis for connected objects
Thales security specialists are working on various aspects of the Internet of Things (IoT) to develop Thales's capabilities in life-long security assurance for connected objects. Here, Ludovic tells us about the company's activities in Lille, and particularly the Secure Connected Objects Platform (SCOP) being developed in partnership with the Centre d’Innovation des Technologies sans Contact (CITC).

 

What exactly is Thales doing in this field?

The Thales teams in Lille work in four main areas:

  • design and deployment of secure communications and information systems
  • network infrastructure and related security solutions
  • cybersecurity
  • the Internet of Things (IoT).

In all, we have about sixty people here, working in software development, secure communications solutions, cyber protection and the expanding world of connected objects — the "things" that interact with each other to make up the Internet of Things. The markets we serve are mainly in industry, telecoms, banking and insurance, transportation and retail, with a particular focus on supporting critical infrastructure providers in the security aspects of their digital transformation.
 

Today you are developing the Secure Connected Objects Platform (SCOP) to verify the level of security of IoT endpoints. Why is Thales involved in this project?

In an interconnected world, information systems are part of our way of life at home and at work. Many of the components developed for industrial users, like the smart sensors behind the concept of Industry 4.0, are permanently connected to the Internet. As the frontiers of cyberspace expand, the need to protect these objects from cyber threats has become an issue of major importance and a priority for governments all over the world. By 2020, more than 20 billion connected objects will be communicating to us every day, so there is a clear need for a reliable way of providing security assurance for all these objects. This why we launched the SCOP project.

IoT advocates have a tendency to focus on use cases and often overlook the importance of protecting the underlying data. Governments and enterprises alike need to ask themselves how these billions of devices can be protected from potential intrusions or interference that could compromise data confidentiality and threaten public safety or company security.

This is the basic question we're trying to answer too. As the number of connected objects grows, securing the data flows and measurements they transmit and receive is becoming ever more important — but at this point nobody has a clear vision of who does what.
 

Why are you working with the CITC to develop this new platform?

We wanted a partner with specialised expertise in the Internet of Things. The CITC (Centre d’Information des Technologies sans Contact) is a real expert in connected objects and a perfect fit with Thales's experience as the European leader in cybersecurity and a major force in information systems security.
 

What exactly will the platform do and what are the key challenges you face?

The number one objective is to verify and validate the level of data security throughout the life cycle of these connected objects. We want to help our customers meet a number of challenges related to the types of IoT requirements that already exist:

  • autonomous objects and the need to improve the native security of each object
  • interconnected objects in different configurations and the need for a modular, scalable security architecture that accommodates the different levels of criticity of individual data flows
  • dynamic security maintenance and the need to secure networks of connected objects over time as systems grow and evolve.

Our overarching goal is to guarantee the confidentiality, integrity, availability and auditability of data generated by the connected objects in service today.
 

How are you going to achieve that goal?

To ensure that security is built into the whole life cycle of a connected object, we have adopted two complementary approaches. The first involves basic risk analysis using the EBIOS method developed and maintained by ANSSI[j1] , France’s national agency for information system security. The second is the Mehari method proposed by the CLUSIF, a French association of information security professionals. Mehari is a way of evaluating and managing risks and vulnerabilities in terms of the types of users, but also in relation to the type of use and the operating environment of the connected object being analysed.

After this initial risk analysis, we need to conduct a more targeted, in-depth analysis using an industrial scale platform to determine the level of overall security of an object or set of objects throughout the life cycle.
 

Are your solutions still prototypes or are they fully developed? What are the next milestones for this platform in the near term?

The SCOP platform is still under development. According to the schedule, a V1 will be ready by the end of May and the first operational implementation is planned for June 2016. We have a unique positioning in this market — unlike other players who are focusing on particular use cases or business models without systematically addressing security considerations at every step. We will offer a method of security qualification and assurance for an extremely broad range of applications in three priority sectors:

  • smart homes (B2C products and services)
  • smart factories (Industry 4.0 solutions)
  • smart cities (services to city authorities).

The experience we gain across these three priority sectors will strengthen our cybersecurity consultancy capabilities and position our IoT services at the top end of the value chain.

To find out more, visit https://www.lembarque.com/le-citc-et-thales-lancent-la-plate-forme-scop-de-verification-du-niveau-de-securite-des-objets-connectes_004408

 [j1]a remplacé la DCSSI http://www.ssi.gouv.fr/agence/cybersecurite/lanssi/
All articles