How to Secure IoT for Public Safety in Smart Cities

Enrico: Basically, the point is that when you go with tenders, they are really long-lasting; they have lots of requirements and they are really complex ones. The point based on our experience in Telit Cinterion is that sometimes you need to provide something more than what is requested. And the best thing to do is to think about the solution and to make sure that it's futureproof.

To make sure that it's futureproof, you need to adopt the proper standards, not going into specific proprietary solutions or applications that can actually block any possibility to update and to improve transition smoothy to different technology or a different application or different security requirements. Because as I said, security is a factor of time and it's going to change. So, the important thing is that we use standards. And an X.509 certificate, as Steve mentioned in his slides, is one of the best ways to guarantee that that device has an identity, just to make a simple example.

Steve: I think it's overlooked. People don't know that that's a question. You might go to great lengths to ensure all your devices are on a private network with private IP addresses so you're safe from any sort of public access, yet of course the benefits of the cloud are there. How do you then access applications in the cloud instead of hosting them on your own data center, for example? And actually, the providers, as most of us know AWS, Google and Microsoft, all have virtual private clouds that even though your application resides in a public cloud, they provide a safe, containerized area. From there you access it via VPN from your facility to that virtual private cloud, and they set you up with their own private address space. So, all your devices stay off the public Internet, and of course the public Internet can't access these systems. So that's a great way to keep your OT system secure.

Steve: As we've talked a bit about certificates, they are the best way for authentication, but you will always wonder: what's in a certificate? Why couldn't someone just create a phony one? And the reason is the cryptographic technology on one hand and the other is also the certificate authorities. These are established companies that provide vetting. When an organization wants a certificate, they ensure that that's a valid organization. They create the certificate. The certificate then is assigned to the company.

It’s very interesting. There's a private key and there's a public key — and that’s a trusted certificate — and if you were to access their website, you authorize that on your laptop, or your IT manager does. And then if there's ever a need to validate that, you can request a certificate validation and what happens is the entity will send you a message that's encrypted with its private key and you can then use the public key which is available to anyone to decrypt it. And immediately you'll see that it is actually that entity. The way the technology works is quite remarkable.

Enrico: I can take this for one reason specifically, because now we just rolled out a device that works with AWS ExpressLink, and this is a perfect example of how you can simplify all the requirements that you need to ensure a secure connection to AWS IoT through a device. Basically, these devices come provisioned with a certificate, with an X.509 certificate, and they have the connection secure through TLS 1.2. The device has a secure vault so the data is stored securely and can be accessed and can't be tampered. So, this is an example of how Telit Cinterion can accelerate the business for customers that are not really into the IoT security requirements and implementation of them.

And so basically, we are opening up a space also for smaller enterprises to come into the smart city business.

Steve: Yeah, good question. Some of you may know that the FIPS object module used by most entities actually came from OpenSSL. And OpenSSL is regularly updated whereas FIPS went through a validation process, and it’s quite difficult to make changes. But why is it important there is because FIPS is validated. You can't change a single letter of code, not even a line of code. What is produced there as far as the hash functions and encryption and authentication is absolutely ensured because those modules are validated and unchangeable.

OpenSSL is as secure and although...what's the challenge there is that you don't know if a developer has made modifications to the OpenSSL library when they implemented it in their device, for example. It's not validated. It's a broader scope of cryptography than FIPS and it's a very good package. Everybody uses that as well, but it's just not validated so you can't be sure.

Enrico: The point is that we haven't touched deeply on this but Telit Cinterion is providing connectivity services, connectivity activation and connectivity lifecycle management. So basically, we provide multi-NC connectivity and we also provide the possibility to manage this connectivity remotely. So, this means that with us, you are really going to have a long-lasting way of managing the data plans and the connectivity by all means. So be sure to contact us to have a wider and deeper description or overview of what we can do for you.

Steve: 5G, as we all know, gives you faster bandwidth but it's much more than that. They've also extended the address space tremendously. And so, there's many, many more devices that can be connected to a 5G network than a 4G network. Also, the latency has significantly reduced from LTE. So, you get a faster time on it. And 5G continues to evolve. What you'll see soon is something called SideLink or point-to-point where a 5G device can actually talk to another 5G device. You don't have to go through the tower. That's going to open up a whole set of new applications in IoT. And we'll take advantage of that of course when the time comes. It'll be a nice, new feature in networking.