“Remote” Vulnerability Assessment and Penetration Testing
Vulnerability assessment (VA) and penetration testing (PT) answer the need to validate and verify how resilient IoT systems are to cyberattacks.
PTs are typically executed at the end of the development process, in most cases very close to the production launch. As a result, the discovery of a vulnerability can delay the launch.
For this reason, it is important to move the search for vulnerabilities into the early phases of the validation and verification process. This can be done by involving cyber researchers at an earlier stage than PT execution, and by using VA during validation, even though a number of issues need to be solved in order to run VA on test/development benches.
How WESETH works
WESETH is a tool that supports a smarter way to execute VA and PT in the embedded systems world. When it comes to testing a component that is not directly connected to the Internet, the only solution is to ship it to a testing facility. This is not only time-consuming, but also reduces the opportunity to test a system at an early stage.
WESETH overcomes all the issues connected to PT and introduces a completely new model for the validation of cybersecurity requirements and of system resilience to attacks.
When a Customer subscribes to the Iotcy platform, they receive the desired number of WESETH boxes, which can be connected to their components, test benches, manufacturing lines or vehicles through the desired test link (e.g. CAN). When powered on, the Box connects autonomously to the Iotcy Server via a secure mobile link (one that does not rely on the Customer’s IT infrastructure).
After this process, the Customer can assign a PT or VA contract (through the WESETH portal) to a Company or an independent cyber researcher. When the contract is accepted, the Researcher receives a Client that allows a secure remote connection to the Box via the server. At that point the Researcher can begin searching for vulnerabilities or testing security requirements.
The WESETH box is a piece of art! It is an embedded (automotive-grade) device that exports a large number of network interfaces that can be used to test remote devices.
This is the heart of the Iotcy platform.
Use cases and features
Drivesec is building an Ecosystem of Companies interested in delivering VA and PT services using Iotcy.
This will enable a completely new model for delivering services and open a new world of opportunities. WESETH can enable a continuous vulnerability assessment model that supports OEMs and Tier1s during the whole product development cycle. Testing security requirements ahead of time can guarantee a robust design of the final products, with higher chances of reaching the targets set by the Technical Service for product certification.
Being part of the Ecosystem will help Partners be reached by VA and PT customers, who can find them in the list of Ecosystem members on the Iotcy Portal.
WESETH will dramatically reduce the lag between Companies and Customers, and will simplify the way in which a service provider is selected and engaged.
Validation of product safety is carried out through “penetration tests” (PT), performed before the product's launch on the market. These tests are carried out by cyber researchers, who need access to the systems.
Drivesec WESETH optimizes PT execution by providing a platform that gives remote access to IoT systems, bringing advantages in logistics, time and costs. Remote testing allows stronger collaboration between cyber researchers and production teams, because PT can be executed alongside the regular product development and validation phases.
The WESETH platform consists of two components: an access Server and one or more HW ECUs (Electronic Control Units) that need to be installed on the development and validation benches of the product teams.
All the ECUs are connected to the central server, which grants access to cyber researchers from their remote locations.
WESETH can be used to execute manual penetration tests remotely. In this scenario, the remote attacker/researcher connects to the on-board ECU via a secured and monitored link that passes through the server. All sessions can be recorded and tracked.