Securing the Internet of Things
The current Internet of Things has been described by the critical infrastructure industry as a slow-motion train wreck. As an industry it is therefore critical that we re-evaluate the importance of security in out products, where security needs to be integrated, the value of the services security can deliver, and the consequences of being compromised to our customers and our shareholders.
Anbieter zum Thema
Securing the Internet of Things
The Internet of Things is a huge market for the next generation of connected devices across many markets including Integrated Transport, Industrial Internet, Smart Cities, Smart Home, and Future Medical. In most cases these markets will require significant usage of Big Data, directly and via the Cloud to power real-time decision-making and drive efficiency. Unfortunately all of these applications are predicated on having trustworthy data and hence even the threat of data becoming polluted with incorrect or corrupted information has the potential to inflict significant harm on both real-world applications and future purchasing decisions.
There is much hype in the media about potential threats to the IoT, and it is important to separate fact from fiction. However we know that many weaknesses and attack surfaces do exist in existing systems, and we must work to resolve today’s issues whilst also evolving better protection for tomorrow.
Naturally threats must be measured and protection balanced against likelihood of attack, ease of attack, and the consequences of attack. Some attacks, such as Stuxnet are low-likelihood, difficult to achieve, but have massive consequences. We also know that attacks against critical infrastructure are high-likelihood, relatively easy to attack today, and potentially have catastrophic consequences, with the US power grid recently found to be riddle with compromises. Security must be right-sized to the application, risk of attack, and consequences of attack, but ultimately an argument can be made that security must be present in every IoT design.
Security comes in many flavours but in this paper we will focus on two critical areas of device security – namely securing devices and securing the applications running on these.
The number one threat for most equipment designers today remains the protection of their intellectual property. Having spent million of dollars on research and development too many companies see their valuable creation in cloned devices or cheap copies. Overproduction “grey” trading and counterfeit devices create false markets and reduce revenue, and of course the injection of malware on or before the manufacturing run can have massive consequences for the organization.
It is therefore imperative that the industry develops solutions that protect critical code and intellectual property from the moment of birth, to inhibit theft and prevent device cloning. Naturally issues arise from this, not least the issue of whom you trust within your manufacturing stakeholder chain, and thus we rapidly have to develop a practical zero-trust framework where only two pieces of information are guaranteed – firstly the device is personalized within the fabrication plant, and secondly the OEM is the only party with the key to their application.
To secure devices it is vital to create a robust secure kernel within the device that is implemented at the point of creation in the fabrication plant. This has previously been accomplished for high value chipsets, such as mobile handsets, but today must also be applied to IoT devices ranging from lowly edge devices through to gateways and other compute engines within the system. Only by creating a root of trust, encompassing a secure boot and fundamental key provisioning, can we both ensure that the devices become inviolate and capable of being programmed with validated code.
The delivery of these mechanisms to the embedded space has previously being stymied by cost and complexity issues, however the migration to new process nodes coupled with intense development in the mobile domain is now enabling cutting edge technology to migrate to the lowliest of devices.
Further industry development has been required to enable the deliver of critical key material once the OEM has encrypted applications. In the example we have investigated this has been accomplished through cloud-based HSM solutions and also through the use of tamper resistant devices for high value intellectual property. This type of solution can provide a double-lock solution, ensuring that malware in unable to be injected into devices, even where they have yet to be programmed, and also provide a critical mechanism to manage device production, removing the opportunity for over-production and cloning of applications
Securing Applications in the Internet of Things
Protecting devices from the point of creation is a critical component is providing a robust platform for the Internet of Things, but naturally devices must exist, and continue to operate safely and securely in a harsh world where they will be continuously under attack. Security in the IoT must therefore be more that just protection of data in-flight, although this itself is a critical component forgotten by many current devices.
Many people confuse security with cryptography, and while the latter is critical in everything we need to accomplish in this space it is just a technology we need to learn to apply appropriately.
To achieve confidentiality of data, and privacy in our personal communications, it is critical that we start off by developing the correct fundamental approaches within our devices.
Firstly we need to ensure that we develop architectures for our devices that enable each one to be uniquely addressed through the use of robust asymmetric identifiers. While it is sufficient for a device to have an IPv6 identifier in public, the true identity of the device must hinge on a private key, which has been created with sufficient entropy to be truly unique and mathematically unchallengeable. Too often today devices give up their keys too easily enabling simple attacks to gain leverage within the system.
Beyond the identify of the device it is critical for the industry to move to easy to use authentication mechanisms to enable devices to securely integrate into systems, with either trusted relationships being forged or zero-trust relationships providing a mechanism to verify and validate, but not trust, the other party.
Authentication enables a device to interact with a system, however authorisation is also critical to define both how devices can interoperate, and which users and applications have the correct permission to monitor and interact with the system.
Of course identity, authorisation and authorisation should make use of asymmetric encryption, however the industry has again been limited by the performance of microcontrollers. Nevertheless innovation in this space, led by process shrinkage and new architectures are enabling the delivery of new devices that enable simple implementation of critical capabilities, including speeding up cryptographic functions, wrapping of keys, and the provisioning of short term symmetric sessions and key agility to defeat sustained attacks.
While confidentiality of data is important the reality of many systems is that devices will still become compromised, and utility “trash-in, trash-out” is a truism of cryptography – if the data emanating from the device is incorrect then encryption of the data will not help. Thus it is critical to ensure that devices remain secure throughout their lifecycles.
To ensure integrity we have to think of trust across the life cycle of the device, how we create trust within the device, how we manage it across its lifetime, and ultimately how we destroy trust once we have finished with the device.
As with the secure manufacturing mentioned earlier it is critical that a device is secured from birth with a robust secure kernel combining secure boot mechanism that is inviolate with a robust key generation and management architecture. Only by absolutely guaranteeing the start-up criteria can we then make the attestations and measurements required to ensure we know the device is operating correctly and is uncompromised.
Once a device has been correctly instantiated we can then periodically HASH the device memory to provide levels of confidence that the device is operating within tolerance.
Unfortunately things change. We are all human, and as such errata are a real world component of every system we create.
The IoT is no different from this, and as such we should always design IoT devices in such a way as to enable remote updates of software, to ensure the next Heartbleed bug doesn’t require us to throw away devices or leave applications at risk of compromise within our homes and industry.
The challenge with remote updates is that these mechanisms instantly become the honeypot for aggressive attacks, as these enable the injection of new code into devices. Again these issues are well known in many industries and we have to leverage this knowledge across to ensure that all updates are aggressively protected using cryptographic identifiers linked to the specific keys, signatures or certificates within the devices.
The fundamentals of security for the IoT are not new, however we must be far more aggressive in applying the best practices developed in the automotive, industrial, and mobile applications to the nascent IoT domain. The IoT Security Foundation, in partnership with many leading companies is leading the charge in supporting best practice and creating a Secure Internet of Things.