Equipment manufacturing or instrument engineering companies globally are increasingly required to connect their hardware products to the cloud. However, two of the foremost concerns with such an initiative are “Will the data from the devices / equipment be secure on the cloud?” and “Can someone access / control the device with malicious intent?”. Ensuring data security is therefore a crucial element of data engineering.
The Smart Meter Company manufactures smart energy and water meters. They deliver intelligence as a service, i.e., they don’t simply sell data-emitting hardware but help their customers derive actionable insights from the data. To do so, they have enabled the meters to –
- capture data in real time.
- integrate with Azure cloud
- manage and analyze data for consumption analytics
Their customers are utilities who need to view / analyze massive volumes of data captured from such smart devices.
There are millions of devices generating a lot of data at a high frequency. Additionally, to keep the overheads of updating / maintaining these devices low, manufacturers or utilities can remotely connect to these devices and update their firmware. This essentially means establishing a bidirectional communication channel with the devices via the public cloud.
It is therefore important to protect this channel and the data to prevent any malfeasance. Throughout the channel / pipeline of data from the device to cloud there are 3 areas / conditions of vulnerabilities –
- End Point Access,
- Data at Rest,
- Data in Transit.
End Point Access Vulnerabilities –
- Anonymous access
- SQL Injections to manipulate backend data
- Cross Site Scripting (XSS)
  - injecting client-side scripts into web pages viewed by other users
- Broken Authentication, Authorization & Session Management
  - impersonation of legitimate users
- Insecure Direct Object References
  - attackers can bypass authorization and access resources in the system directly
- Security Misconfiguration
- Cross-Site Request Forgery (CSRF)
  - unauthorized commands are submitted from a user that the application trusts
- Insufficient transport layer protection
- DDoS - a denial-of-service attack
  - cyber-attack in which the perpetrator makes a machine or network resource unavailable to its intended users
Data in Transit Vulnerabilities –
- Insufficient transport layer protection. Attacks in this layer include –
  - TCP sequence prediction –
    - where an attacker can damage the network by asking the victim to run malicious scripts
  - UDP & TCP flooding –
    - blocks legitimate users, reduces network bandwidth / crashes systems of legitimate users
Data at Rest Vulnerabilities –
- Insecure Cryptographic Storage - where sensitive data is not stored securely
Solution – A stepwise approach to enhance Data Security
Saviant partnered with the smart meter manufacturer to modernize the legacy system architecture and make it technology ready for the next decade. A team of experienced technical architects and data engineering specialists designed the new system to have enhanced security, scalability, performance, availability, and maintenance.
To make the system more secure, the team took a stepwise approach where they –
- Identified the tools for security analysis for Azure subscription
- Identified all the security risks for all the resources in the Smart Meter Manufacturer’s subscriptions
- Created an artefact to show all the vulnerabilities.
- Implemented the recommendations to increase data security at various levels like –
  - Application Gateway
  - AKS Cluster
  - App Services
  - Azure Key Vault
- Implemented encryption for data at rest as well as in transit
Data Engineering is incomplete without ensuring Data Security, especially when it comes to connected devices. Saviant helped modernize the system so that TBs of data from millions of devices can now be securely captured, managed, and analyzed.
Modern instruments and equipment cannot be called intelligent unless they are properly protected from hacking and other vulnerabilities, as after all –
“Discretion is a synonym for intelligence” – Eloisa James