As an IoT network operator, management platform provider and object distributor, Orange is directly involved in this connected environment and is particularly committed to IoT security. And as long as the IoT remains a prime target for cyberattacks, this will be a necessary prerequisite for user confidence.
The IoT Is Targeted by 10% of All Cyber Threats
According to data published in Security Navigator 2022 from Orange Cyberdefense, 10% of all cyber threats are linked to IoT vulnerabilities. This observation is the focus of Orange’s White Paper on IoT Security. The incorporation of security into connected objects—particularly security by design—is still rare and the results we are seeing are inadequate. “The extreme fragmentation of the IoT ecosystem largely explains this lack of culture around and ownership of security issues,” explain David Armand, Security Expert, and Fabrice Fontaine, Embedded System Security Engineer at Orange. “In most cases, object manufacturers do not have the necessary resources or expertise in this field. They are also in a race to be the one with the best offer, to market their objects at the cheapest price possible, as fast as possible. Even when security is integrated into the development process, this is done precariously, right at the end, leading to fundamental vulnerabilities such as the use of basic passwords.”
Orange Takes a Proactive Approach
The resulting threats include both generic ones common to any digital service, such as malware, and others more specific to the IoT ecosystem. Connected objects are installed everywhere, in both controlled environments and public spaces, and they have the ability to affect their surroundings. A perfect example of this risk is the case of a hacker who seized control of a water treatment plant in Florida in an attempt to multiply the amount of sodium hydroxide.
Manufacturers of connected objects only incorporate security at the end of the process, and to a limited extent at that.
For many years, Orange has been committed to the end-to-end protection of the IoT service chain, from networks, to platforms and objects. In particular, this proactive approach includes a strict set of requirements and an evaluation process for manufacturers who want to be included in the catalog of connected objects distributed by the carrier.
Action Is Required Upstream
But such requirements are far from the norm in the IoT ecosystem. It is necessary to push for best practices to be adopted through standards, or even labeling schemes similar to the Nutri-Score, in order to make consumers more conscious of these issues. The past few years have seen some progress in terms of this awareness. At the European level, Orange is actively contributing to the ENISA initiative to define certification schemes dedicated to the security of connected objects, structured around three criteria levels: basic, substantial and high.
The Group also helped to develop the IoT SAFE standard within the GSMA. This standard suggests using the SIM or eSIM, a proven security asset, as a digital safe for storing data encryption keys. In addition to its clear added value in terms of protection, it also allows the carrier to dynamically update keys in the SIM, generating and renewing them in a flexible way. The IoT SAFE project is part of an open source approach to ensure that as many people as possible can contribute to this emerging ecosystem.
Research on All Fronts of IoT Security
In conjunction with the standardization effort, Orange is mobilizing its research teams around innovative IoT security projects. This expertise is being put to use in major European projects like 5GCAR and 5GCroCo, particularly in the field of connected vehicles. Internally, this expertise is focused on how certain technologies can contribute to solving this security challenge, such as the use of AI mechanisms to monitor and detect abnormal behavior or traffic originating from, or destined for, connected objects.