Presciense Ltd is an innovative end-to-end secure solutions provider working with utilities and service providers aiming to bridge smart energy and smart home automation through their award winning scalable, integrated IoT platform.
To aggregate, monitor and analyse smart home data, Presciense provides a fully-featured Internet-enabled Smart Home gateway that connects smart devices including utility meters, thermostats, smart plugs, appliances, sensors and cameras.
The Challenge
The security of internet connected devices can no longer be considered optional and therefore manufacturers, service providers and consumers are looking for ways to ensure the devices they produce and purchase follow security best practices. Consumers are concerned that hackers will control their IoT devices, steal data or breach their privacy. Service providers need to ensure their network is secured to protect customer data, build trust and maintain reputation. Manufacturers realise the need to remain compliant with legal and regulatory obligations by ensuring their device has considered Security by Design and best practices were followed.
Presciense conducted an internal risk assessment of their Polaris Device that highlighted a need to have an assurance by getting the device assessed by a competent, independent third party to verify the device met the requirements of the DCMS Secure by Design code of practice.
Presciense appointed Gemserv to conduct the assessment due to our significant expertise in Information security, data privacy and the IoT to Understand the devices security posture and its compliance against the DCMS code of practice and other emerging regulations.
Our Approach
To ensure that the Polaris device adhered to best practice principles and could provide a secure and robust service into thousands of consumer homes, we used our expertise within the Information, Device security and Data privacy areas to provide a security assessment of the device and its associated business processes.
To achieve this, we used our comprehensive Device Assessment Framework (Based on industry best practice and the DCMS code of practice). We started by assessing the risks to the confidentiality, integrity of data and availability of the device, through our Device and Impact classification process. This resulted in an Assessment class which helped us draw a detailed set of controls from key security areas such as software updates, encryption, supply chain security, hardware security and Business processes that are relevant for the device type, its function and intended use environment.
To help with information gathering, both Presciense and Gemserv worked collaboratively to identify key information and evidences required. Following this period of collecting information, Gemserv’s expert consultants assessed supporting evidences and information provided about the device and its associated business processes, again collaborating with Presciense were clarifications were needed.
A confidential report was then produced clearly showing the status of each security objective. To supplement this an array of visually comprehensive charts showing status of controls were generated providing a high level overview of their assessment status.
In addition to this, a list of mitigation actions was produced after assessing the Likelihood of the vulnerabilities being exploited and the impact this could have in its current use environment. Putting this through a risk management framework allowed these mitigations to be prioritised and allowed the client to channelize their efforts and resources in a way that is efficient and balance their return on investment.
During the engagement both Presciense and Gemserv worked closely to collaborate on the process through the use of a secure collaboration platform and discussing progress and outcome through calls with the entire team.
As a result, Gemserv and Presciense concluded the whole process engagement in 10 days.
Testimonial
How was Gemserv to work with?
This was Presciense’s first UK security assessment for our Polaris product and Gemserv patiently helped us through the process.
Did our solution accomplish their objective(s)?
Our product is a little different from most products in the market and with Gemserv’s feedback and our explanations we soon came to a comprehensive and credible security assessment.
What benefits did you see or plan to see because of this work immediately?
Our customers, who require this type of assessment to even consider this product, have accepted Gemserv’s findings with few clarifications required.
What benefits should you see because of this work over time?
This in combination with the short time Gemserv took to product the reports have helped us bring our product to a large-scale trial and hopefully into the market.
Gerdjen busker – COO, Presciense