Thingsee uses standard security technologies on all levels of communication.
Sensor communication is secured using mesh network encryption, which is built in during the manufacturing process. Each customer gets their own network parameters and encryption keys by default, and if required, the customer can get multiple different mesh network configurations to further limit the use and availability of sensor communication.
Thingsee Gateway is connected to the same encrypted mesh network, and it communicates with the Thingsee Operations cloud through encrypted cellular modem communication. The cloud communication is secured by AWS IoT certificates and encrypted communication to the specific AWS IoT instance. An AWS IoT certificate is created for the gateway device during the first communication attempt, and the certificate is stored in the customer-specific Thingsee Operations profile. The certificate can be revoked and renewed.
Thingsee Operations runs on an AWS serverless design within a dedicated instance for the client, and all internal communication, databases and access are handled as AWS internal communication, with specific roles and access rights for each of the services used. For example, the database has different roles that are limited to only those operations and firewall access that are required for APIs, the manufacturing process, diagnostics, etc., where a database user only needs to access certain tables of the data.
All sensor data is sent to the customer cloud using customer-defined authentication methods and API requirements, thus making data transmission fully encrypted end-to-end.
Access control is handled either through AWS Cognito (dashboard) or through AWS IAM access when a client uses Thingsee APIs. All user accounts are created manually based on need, and there is no self-registration available. All API access and integrations are always from service to service, so there is no need for self-registration after the initial setup has been done. The following access rights and roles are used across all the services:
In Wirepas Mesh, every transmitted message is encrypted with a unique AES-128 key in counter mode. Messages are appended with the OMAC1 Message Integrity Code (MIC) to prevent playback and man-in-the-middle attacks. A device without the correct encryption and authentication key pair cannot join the Wirepas Mesh network.
Thingsee has been built to handle data anonymously so that the only identifier is the device ID (TUID). The Thingsee gateway updates its rough location using cellular positioning so that maintenance personnel can identify the device location to city or postal code accuracy. This can be disabled if not required for maintenance operations.
Thingsee Operations Cloud stores a limited amount of raw sensor history values for diagnostic reasons. This data must be made available to Thingsee ToolBox users so that they can diagnose whether the actual sensor values have changed to something abnormal, or whether there has been some sudden impact or other reason for suspected erratic behaviour.
A limited set of history data allows us to identify whether a (static) sensor has been removed from its installation position, thus causing strange readings in the actual measurement values.
The default value for data storage is 60 days to allow enough time for diagnostics in case of a reported error. The data storage can be extended if a longer period for diagnostics is preferred.