For more than 2 years, CEA, in France, has been a key member of the M-Sec consortium, supporting the development and testing of a technology that intends to support our cities to become smarter and, at the same time, more cyber secure. Meet the team and work behind CEA, their role in the M-Sec Project and where will they go next
We spoke with Mathieu Gallissot, Project Manager, to know more about CEA’s role in the Project.
1. Mathieu, thank you so much for agreeing with this interview. Please briefly present yourself and the institution you work at.
I’m a cybersecurity architect specialized in IoT, having spent 15 years as an ICT expert in the areas of energy systems. My job consists in analysing the cyber-security risks of connected devices in order to specify and implement appropriate technologies to counter these risks. I’m highly interested in ethical hacking and automated pen testing solutions.
CEA-Leti is the largest French research and technology organization specializing in micro- and nanotechnologies. This organization I composed of 1900 researchers dedicated to make our society smarter, healthier, more sustainable and more secure.
Within CEA-Leti, I’m in the cybersecurity division in which we have an accredited ITSEF lab for hardware component evaluations and a second laboratory dedicated to securing embedded systems (i.e. working on security-related micro-processor issues, RNGs, cryptography implementations, embedded software and design-time testings) and technology integration.
2. Why have you and CEA decided to join the M-Sec Project?
We found the M-Sec initiative interesting for developing security technology for legacy devices and systems. The consortium is very representative of the ecosystem with technology providers, device manufacturers and solution integrators. M-Sec also have strong challenges with the use of novel technologies such as blockchain at the scale of smart city, but also have to faces challenged such as potential distrust from citizen against IoT devices. The particular focus on privacy and citizen rights made this initiative very interesting, in particular in a cross-continental perspective.
Achieving cybersecurity in such complex IoT topology as smart cities is a tremendous challenge, which I find highly motivating. The particularity of smart cities is to have heterogeneous interconnected systems with various lifecycles. Having everything working is already a challenge, but what about having everything secured? Having control of a city’s sub-systems can be attractive to an attacker: controlling lighting, watering green spaces, road management systems, etc. One of the major challenges is to make security simple and easy, so that stakeholders understand it, it is in the first point of the pedagogy. A second point is technology; it must not be too out of step and must be easily integrated with the existing in order to be able to ensure its maintenance. Having security technologies understood and mastered by the product managers is essential in order not to create potential breaches by poor integration.
3. What has been the main role of CEA at the M-Sec Project?
CEA roles within M-Sec is to provide cyber-security technologies for different layers. For example, we collaborate with TST for the integration of secured elements compliant to the TPM2 profile on embedded device with examples on measured boot, device monitoring/integrity management and file system encryption on removable medias. We have this kind of collaboration with other technological partners to provide the best level of security for the M-Sec solution. At the end, we also provide a so called “security manager”, which serves as an interoperable backend for security providing a PKI, an user federation module and some other security function with many interfaces for an easier integration.
4. With only a few weeks until the end of the project, on what major developments do you and your team still need to focus? Do you feel confident?
We are continuing the development on the security manager and learning about feedback for this integration in the use case. Some integration looks good and we enjoy seeing all these layers altogether. We are also continuing the integration of secure element in gateways, targeting higher security levels with Trusted Execution Environment dependencies (not available in legacy platforms) in completion of TPMs.
5. Did you find this experience of participating in an EU-JP partnership rewarding?
We have learned from collaborating with Japanese partner, at a human scale of course but also from a technological point of view where some approaches differs and we have found complementary ways of doing things.
What we have been doing in M-SEC is developing tailor-made cybersecurity technologies to address some of the security issues the partners might have to face. From there we have to develop and propose a systematic systemic approach consisting in
- Devising methods and tools to help define security objectives and formalise those requirements
- Continuing to develop solutions and countermeasures to reach those objectives
- Developing methods and tools to validate the efficiency of those solutions and validate the initially identified solutions have been reached.