Among the first to achieve the IoT Cyber Assurance Level 2 (audited) certification was Chess with Mymesh, its smart-building wireless technology.
The IoT Cyber schemes certify internet-connected devices against the most important security controls and demonstrate commitment to best-practice security. The Level 2 version of the scheme provides a level of certification above the verified assessment level, adding independent third-party testing and certification.
Jasper Hijink, Director of Chess, spoke to us about their Secure-by-Design approach. With a keen interest in raising the bar within the industry, he found the process of third-party security review and discussion of particular value.
Cyber Security Assessor Gary Wills from Forti5 put Mymesh through its paces from a security standpoint. He tested the Mymesh wireless control system, which consists of the Mymesh Network (actuators, sensors), the Ethernet gateway, the cloud server (Edge42) and the Bluetooth gateway (commissioning device). As part of the audit, Gary checked the documentation, interviewed Chess, and checked and tested the device physically. Gary says, “The mentality at Chess for cyber is the kind of security you might expect in a bank! Every 10 seconds the encryption keys are changing, so there would be no time to hack it. If you try and take a look at what’s on the chip, it automatically wipes itself, so the physical aspects as well as the software aspects have a high level of security.”
Chess Wise is a Dutch company, with headquarters in the Netherlands and a sales office in the UK. Director Jasper Hijink describes the company as a start-up that has been starting for nearly 20 years until the market caught up.
Originally, the founders foresaw the immense potential of wireless infrastructures yet didn’t have the technology available at that time. Today, however, after decades of development, Mymesh offers professional locations from hospitals to warehouses to car parks, secure, reliable, and scalable smart building solutions.
Chess has its background in the banking industry, and that is perhaps where the company’s incredible focus on security comes from. They have used the secure-by-design principle from the very start, with a vision for a secure smart building where everything connects and can be managed together for a reasonable cost. Such a system had to be wireless, of course, and extremely scalable. We started with the lighting, because that is basically the low-hanging fruit from a pay-back perspective and the most common entry point into the building’s network.
In the assessment process, we were asked questions about our security, for example: “Do you provide a simple and clear method for the user to change their password or security credentials (such as keys or identifiers)?”
We answered ‘no’ as we don’t use a password in the network; Mymesh uses secure keys that change 10 times per second, protecting both the communication and the hardware with no user involvement.
Our ‘no’ answer equated to a non-compliance in the assessment, so in the interview, we had to explain that we basically don’t have it because we don’t need it. Our security is on the next level. We deliberately don’t use passwords in our network and users don’t have access on site, so it is impossible to access a Mymesh network just with a commissioning device. If we need to grant access for commissioning, it is given via a remote security server that can give the keys and authentication directly.
Many smart systems can be compared to the way a Bluetooth speaker works in your home, in the sense that if you’ve got a friend visiting and the friend wants to hook up to the speaker to play some of their music, there’s no way that you can get them off the speaker again once they have finished, because the control happens from the phone and not from the speaker. In our systems, we control the speaker, so to speak: we control who retains access to the system.
How did you hear about the scheme? What was the motivation?
We heard about the scheme because we were working with a couple of clients that asked for external certification, most notably for a large transport contract.
We usually do large-scale installations, for example Guy’s and St Thomas’ NHS Foundation Trust, which includes about 36 buildings where every light needs to have Mymesh on board. We also do quite a few large sites; the biggest one is Bluewater shopping centre down in Dartford, where we use Mymesh to make the entire mall smart and adaptive.
The IASME IoT certification and the feedback from our Assessor, Gary, were useful to share with other customers to demonstrate what we are doing. External certification certainly reassures clients that you have a secure system that has been audited by a third party. I hope that more and more customers will start to ask for this, as many don’t have the knowledge to go into a detailed discussion.
We would like to work together to raise the bar in the industry.
The unique network protocol of Mymesh is certified to Assurance Level 2 of the scheme, which means that its security aligns with all 13 of the ETSI security requirements plus the data privacy requirements.
Why would you need such security measures on lights? Is this a bit of overkill?
If someone were to break into the system that the lights are connected to, they could start to communicate with the hub and the cloud and then potentially access other information. These devices need to be both physically secure and electronically secure, to the extent that they could even be installed somewhere high-risk like a prison or a government building in Cheltenham and criminals would not be able to gain unauthorised access.
What would be your advice to other manufacturers of IoT devices?
We need to jointly raise the bar for security in wireless systems. This will give confidence to the market that it is okay to work with wireless systems. I also think that together we need to educate the market about what security is all about. It is not limited to encryption of the communication; I think security is a lot wider. It’s about encryption of the hardware, about authentication, it’s about commissioning, and of course the weakest link is still people: the user.
It would be great if we could have an IoT certification scheme endorsed by the government, so that certification becomes almost a requirement for the public and private sectors. My advice to the private sector is that if they use products with an Assurance Level 2 certification in this IoT scheme, it will cover what they need to have in place to make sure that they are doing the right things.