Return to overview

Pillar 5: Security & Compliance

The 7 Industrial IoT Platform Pillars: 5 Security & Compliance

---

Security has always been at the tip of organisation’s tongues when it comes to Industrial IoT. Even with machine-2-machine communications and 5G capabilities allowing for further IoT and Industrial developments, data breaches and attacks are always an underlying concern. There are multiple cogs working together in the security realm, from the basic 2-factor authentication to VPN concentrators and device authenticators. 

And it doesn’t stop there. Employees need to be trained and educated on a regular basis to ensure they are up to date with password safety and workflows around handling personal and private data and information. Not only does the workforce need regular training in information security and compliance, they now also need to manage a whole new routine of working from home, making organisations even more vulnerable to threats. 

In today’s pillar topic, we’re going to discuss the security steps Davra takes to ensure the platform and any applications developed on the platform remain safe and secure. 

But what exactly is this critical capability? According to Gartner, security encompasses the “software, tools and practices facilitated to audit and ensure compliance, and to establish and execute preventive, detective and corrective controls and actions to ensure the privacy and security of data across the IIoT solution.”

Data Flow Architecture 

On the Davra platform, there are multiple systems with data flowing in and out so it’s imperative that each of these systems is secure and built to detect and prevent both explicit attacks and accidental leaks. 

The application builder framework is hosted on the cloud or else on premise, this is our security parameter. It’s implicit in the role of an IoT platform to make things talk that didn’t talk to each other before, therefore requiring a lot of surfaces such as gateways, sensors, web APIs. 

Davra develop AAA goals across all the various data sources. AAA means authentication, authorisation and auditing. 

The other surfaces that come east or west bound into the operational system that the customer has; to share meta data or receive from those systems, also need to be tightly secured. It is easier to secure the Davra API when they all sit inside the platform, but this might not always be possible.

Southbound security covers the data receiver and involves using HTTPS and encryption. If we have a gateway we do encryption at the network and application level which maintains double encryption. Davra also use a VPN concentrator with an Information Security (ISec) tunnel. For our customers, the device layer and application payload will be encrypted as well. 

A Davra security principle is no native access to the database, because it’s easier to secure. In order to get to this data you have to access our AAA service, which is where all the security checks are carried out. We don’t have to secure each database individually, rather there’s one single place to secure the databases all together. 

On-disk encryption is also an option for all or a segment of your data, especially if you have personal identifiable data.

We have a local encrypted database, LDAP, OAuth, and over 130 optional security strategies at the AAA Service and UI/API level, which are other ways security can be implemented. 

For example, if you want to login to the platform with your Facebook or Google credentials; there are ways about doing this in a secure manner.

Devices & Gateways 

If you have devices in your environment, ensure that the device on the network and on our platform is guided through a dialog that has all the checks in there so that when they are fully provisioned they’re trusted. We enable checks so you can carry out that joining process to identify an anomaly or malicious device. 

In LoRa, we ensure various layers of the stack have the keys to authenticate the device to authorise it to join the network. Our application level feeds the lower levels of the tech stack so they know to authenticate the devices. They have the serial numbers of the devices that need to be provisioned which send those devices down into the layers

The gateways are the shipping gateways to the field. For example, a utilities company worker can climb up a utility pole with the IP device to install it, and they’d wait until the light went green to ensure the gateway works as expected. These processes need to make it simple to provision devices at scale, but also do the underlying checks to make sure they are the devices they say they are. 

Davra can allow a gateway to join in phases, as it joins it has to prove itself in parts. The more trusted the gateway, then you send it more information. The gateway gets its cert from the cert authority, then on the VPN where it can send app data. 

Compliance and Regulatory Lifecycle Management   

We run this process on the apps developed on the Davra platform. 

We look at the design requirements, if it’s for a new feature on our platform or application, we take those requirements and run them through assessments: 

1. 1. Privacy, 
   2. Cyberthreat, 
   3. Risk, 
   4. Data integrity,
   5. GDPR assessments.

The output of these assessments gives us a set of criteria that feeds back into our design phase 

1. We build and conform. 
2. We then test and validate the criteria.
3. License 
4. Release and maintain 
5. QMS: Quality management system, continuous auditability; this ensures security and compliance across all regulatory compliance criteria. 

We have an independent company that advise us and maintains this system over time. This is part of what it takes to bring a high-quality security system and software deliver solution to the market that’s completely secure.

Horizontal & Industry-Specific Approaches to Compliance

At Davra, we follow a whole host of frameworks to ensure we are up to date on the latest compliance outlines in every industry we operate in. 

NIST security framework

Critical infrastructure cybersecurity framework in 2014. It’s the US standard but has been adopted globally. 

• How you identify where the attack occurred?

• Do you have the tech and the processes in place to identify the attack?

• How do you protect against attacks? 

• How do you detect if something goes wrong?

• Incident response.

• How do you recover from the attack?

We have the base framework ISO 27001, which is the international standard that is recognised globally for managing risks to the security of information held.

Regulatory compliance frameworks 

FedRamp: in Davra, our IoT solutions are at FedRamp moderate levels. This allows you to sell to the US Government. There are 325 security controls that you have to implement. We also deliver to other regulated environments, which allows us to inherit security controls in this framework because we’ve already done it with other projects.

There needs to be a process for the organisation that consumes your product also needs to implement controls to ensure maximum security. 

HIPAA compliant: For health staff to consume, they also need to be careful when printing patient records etc. The org that consumes it also needs to implement their own security controls. 

The sec controls are hugely overlappable. We can apply them to the different frameworks.

ISO 27001 is security in the cloud, if you store identifiable information in the cloud.

When you go into specific industries, they’ll all have their own criteria and compliance that you need to abide by. Your application may fall into niche and specific criteria. 

We also look to the HITRUST certification, which enables vendors and covered entities to demonstrate compliance to HIPAA requirements based on a standardized framework.

We also seek advice from NIST 8259 CSF2014 cloud software. They brought out a framework for IoT device manufacturers to follow, this came out in May 2020. This framework aims to clear up confusion in the market about what actually is a safe device. 

83% of IoT devices data are in the clear and it most insecure data is in the home devices industry. 

Use Cases 

• Monitoring patients in hospitals.

• Monitoring patients at home using sensors and giving the information to the carers. 

• First responders: ambulances, police officers, incident response flows.

• Tracking high value shipments: multimodal transport, looking inside containers, vehicles, rail road and sea using satellite tech, high value imperishable goods, bags of money, diamonds and livestock.

• Tracking work safety through using audio communication.

• Contact tracing for the enterprise: bringing staff back to work safely. Developing decision trees and workflows around cleaning protocols. Using tag technology that can help enterprises track close contacts. If you’re informed of a case, there is no personally identifiable information on the tag that Davra can trace, but the line manager would have the information of people using each individual tag with the tag number and it can be set to vibrate the tag to let them know they’re in too close contact with someone.

There are a multitude of areas where security and safety need to be considered, and unfortunately due to the global pandemic we are in, more and more companies are cutting their security budgets or leaving it as an afterthought. If security is a key concern for you, or you would like more information on how Davra consistently lean into security frameworks to ensure our customers’ data is reliable and safe, please contact us today