The relatively low number of “violated” charging stations worldwide to date should not lower attention on the issue of cybersecurity of these devices. Like any other device connected to the network, the charging station can also be a gateway for potential attacks and threats. At risk are not only the end user but also all potential actors involved in the process, such as the charging station manufacturer and the electric vehicle manufacturer. Mitigating these risks is one of the main objectives of the design of Dazebox and the collaboration between Daze and Graftholders.
This design process relies on the main cybersecurity standards and frameworks, such as ISA/IEC 62443, ISO 27001, and NIST SP 800-53 (published by the National Institute of Standards and Technology), together with the NIST Cybersecurity Framework and the NISTIR 8228 guidelines that address security for IoT devices.
Beyond mastery of the technology itself, these frameworks require a systematic and structured approach centred on risk management from the very beginning of the design (security by design). Starting there simplifies and optimizes the activities that follow, such as vulnerability management, access management, data protection, and incident detection. Security by design also lets security challenges be addressed with fewer resources, because the product development process is optimized around them from the outset. Designing for security therefore yields a product that also adheres more closely to customer expectations and needs.
To effectively apply these complex standards, Daze also relies on a qualified partner, Graftholders, whose mission is the development of secure embedded/IoT systems.
How did the collaboration between Daze and Graftholders come about?
Federico: About two and a half years ago, Daze was a small startup that was beginning to grow and, in particular, needed to expand its technical team. As the head of the department, I had to start evaluating collaborations that would allow us to increase our speed of development and design. Graftholders came to us precisely for this purpose: to support us in software development activities. We had the pleasure of meeting Vincenzo and starting to collaborate with them. At the time, only one of their resources was sufficient for our collaboration, but today, the members of the Graftholders team working with us on a daily basis have risen to 5. In addition to software development, Graftholders is particularly helping us with cybersecurity, a topic that becomes increasingly important at Daze as the horizon and ambition of our projects and collaborations with large companies grow. In this case, we are not only talking about security protocols for our software but also, and above all, about best practices that must be adopted primarily by our technical department and then by the entire company.
What are the main challenges to be faced/addressed?
Federico: Certainly, the most important challenge for Daze on the horizon is to internalize and implement all security best practices not only in the technical team but in all areas and company processes, including relationships with third parties. Above all, it is important that these processes are implemented without slowing down our speed of development and design, a very delicate operation.
Vincenzo: I confirm: working on cybersecurity is a constant compromise. I believe that perfection is the enemy of good; one must make the best use of the resources available to make processes lightweight and not burdensome. Cybersecurity approached by a startup and by a multinational is different. As the scale of the team, the attack surface of the systems involved, and the availability of economic and human resources change, the adopted strategy must also be customized.
Are there any future projects?
Federico: We will certainly continue to collaborate on software development. Then, numerous cybersecurity courses are planned for the development team and in general for the entire Daze team, as we mentioned before.
Vincenzo: We are committed to paying particular attention to the training of the company’s management, emphasizing the importance of fundamental cybersecurity processes being embraced by management before the operational staff. Cybersecurity is a process of continuous improvement, aimed at keeping the organization always one step ahead of attackers. Just as having qualified technicians and competent management is essential to stay ahead of competitors, the same goes for staying ahead of attackers. “Shift left” represents the anticipation of security, placing it as a priority in the early stages of every process. Just as a successful product is conceived to meet customer needs from its inception, a secure product is directly designed to counter attackers. This is the concept of “security by design”.
Why is it important to educate everyone about cybersecurity?
Vincenzo: Educating every individual within an organization about cybersecurity is essential to protect the entire system from potential threats. This principle is based on the awareness that, just as a chain breaks at its weakest link, the security of an organization can be compromised by a single mistake or distraction.
It is said that a vampire cannot cross a doorway unless invited, and phishing attacks exploit a similar principle in the digital world: they cannot infiltrate our systems without an action, however unwitting, on our part. This can happen when, deceived by fraudulent messages, we unwittingly provide our credentials, thus allowing attackers to gain access.
The Verizon Data Breach Investigations Report (DBIR) for 2023 finds that 74% of breaches involve the human element, highlighting the importance of security training for all levels of the organization, from executives to cleaning staff. Such training aims to strengthen every link in the chain, teaching to recognize and reject attempts by “vampire attackers” to exploit our unwitting digital hospitality.
This collective commitment to education and the adoption of effective security practices builds a robust defense against external threats, turning the organization into a fortress impervious to the assaults of digital predators.
What is the most common mistake made at work in terms of cybersecurity?
Vincenzo: The most common mistake made in terms of cybersecurity is not so much technical as it is strategic: it is the failure, at the managerial level, to understand that skills developed in the field of cybersecurity can be a transversal advantage for the organization. This ability, often mistakenly attributed only to managing cyber threats, actually concerns the company’s ability to respond quickly to external stimuli, whether they are security threats or market opportunities.
Proper implementation of cybersecurity practices contributes to developing a more agile and responsive organization. The ability to quickly identify problems and implement solutions in a short time is a fundamental skill that goes beyond mere protection from cyber attacks. This proactive and dynamic approach to risk and opportunity management not only improves security but also the competitiveness and operational efficiency of the company.

Therefore, the main mistake is underestimating the impact that a well-integrated security culture can have on the entire organization, limiting the perception of cybersecurity to a support function rather than seeing it as an essential strategic component that enables the company to successfully navigate an increasingly complex and interconnected environment.