The Internet of Things (IoT) is expanding rapidly, with the number of actively connected devices already exceeding the earth’s population. Connected devices not only include computers and smartphones, but also a wide variety of industrial sensors and other process control assets. These come with a cyber threat, because low-security devices may expose previously unavailable attack surfaces, increasing the vulnerability of industrial control systems. Are your devices cyber-proof? A laboratory assessment by ENGIE Laborelec’s Cyberlab can give a decisive answer.
Context and service scope
Testing industrial IoT devices and embedded systems
ENGIE Laborelec’s Cyberlab performs cyber security assessments on all types of IoT devices and embedded systems, with a special focus on devices and systems used in industrial environments. We analyse devices and their gateways in great depth to identify relevant hardware and software vulnerabilities. In addition, we carry out tests using a black- or grey-box approach, deploying relevant use and abuse scenarios to evaluate the impact on system integrity, availability, and confidentiality. Scenarios make use of software hacking procedures as well as relevant physical actions that alter the device hardware or configuration, whether consciously or unconsciously.
Reporting vulnerabilities and areas for improvement
We carry out assessments for both device manufacturers and users. Our report will include an assessment of the likelihood of vulnerabilities being exploited, the impact of potential cyberattacks, and recommendations to improve the asset’s cyber resilience.
Based on industrial best practices
Recognizing the current lack of international IoT cyber security testing methodologies or certification procedures, our tests conform with industry best practices such as OWASP and ENISA. More specifically, the tests cover features such as web, admin and device interfaces, network communications and authentication mechanisms, RF communication, update mechanisms, embedded data storage, and firmware, as well as physical interfaces such as USB, JTAG, and UART.
Validating onsite implementation
In addition to offsite testing in our Cyberlab, we carry out follow-up onsite assessments to validate the implementation of tested assets. Testing the devices in their operational environment allows us to exploit the identified vulnerabilities in real situations, describe discrepancies between the laboratory and the operational environment, and critically review the implementation details.