In a connected ecosystem, the consequences of a cyber-attack often defy our imagination. During the security breach of the Ukrainian power grid in 2015, hundreds of thousands of people lost electricity for hours. The attackers not only tripped the circuit breakers but also remotely accessed the utility's Supervisory Control And Data Acquisition (SCADA) systems, wiped the hard disks of the controlling systems, and even infected the firmware of critical subsystems. Malicious firmware updates are irreversible, so the only option was to replace those subsystems entirely.
Attacks such as these compel us to think beyond the conventional approach to cybersecurity. Because of their network connectivity, Internet of Things (IoT) devices and sensors are highly vulnerable to remotely launched exploits, which pose serious threats to critical infrastructure, healthcare systems, financial systems, and the privacy and safety of individuals. Table 1 summarizes possible threats that span the IoT stack.
Table 1: Threats and Vulnerabilities of IoT Endpoints (Source: Practical Industrial Internet of Things Security, Packt Publishers)
To secure traditional computing, it was probably OK to employ software-based controls. But IoT demands a much stronger security foundation.
In IoT use cases, runtime requirements and threats significantly differ from traditional IT settings.
When “things” communicate, it is crucial, in addition to protecting the privacy and integrity of the data, to correctly identify the source and the recipient of the data. Device identity protection requires the following features, which necessitate hardware-based security design:
Whether security cameras, assembly belts, or industrial robots, embedded systems and industrial equipment are expected to run uninterrupted for years with minimal human intervention. Reliability, safety, efficiency, and productivity are critical expectations of these systems. During maintenance downtimes, operators are extremely cautious about applying software updates that could compromise reliable operation.
The memory and CPU footprints of connected microcontrollers, sensors, and actuators are minuscule. Power availability and connection bandwidth are also limited. Full-stack software security is not an option in such cases. Also, because of direct exposure to physical attacks and harsh environmental conditions, the hardware must be tamper-proof. System on Chip (SoC) design, crypto accelerators, and security coprocessors are more viable options in resource-constrained scenarios.
Embedded devices (e.g., a connected turbine in a hydro-electric dam) are often placed in remote locations where access is challenging. Maintenance windows are infrequent, and machine maintenance is more concerned with reliability than with regular software updates. All of this makes updates difficult to apply, as is evident from the many industrial systems still running Windows XP.
A security strategy for connected devices encompasses:
A hardware-secured OS and runtime environment greatly reduces exposure to generic exploits in Windows and other popular software platforms.
To secure a connected device, the first step is to establish a trust anchor. The root of trust (RoT) determines the highest level of trust attainable by a device; a compromise of the RoT compromises trust for the entire system. Traditional computers mostly rely on a software-based trust anchor, but a tamper-resistant, hardware-based RoT can be demonstrated to behave reliably in a significantly higher percentage of attack scenarios.
A trust zone can be established either in the same microprocessor or in a dedicated security processor. Many new devices include field-programmable gate arrays (FPGAs), which can be reprogrammed in the field; this is a major advantage when upgrading firmware for IoT devices. FPGA units may also include a CPU coprocessor to execute security-related housekeeping functions.
During product development, it is also worthwhile to consider whether security should be applied in an embedded or removable form factor. In the case of mobile handsets, for example, a removable secure element can simplify porting the stored credentials from one device to another. For many IoT applications (e.g., telematics or infotainment modules in a connected vehicle), an embedded secure element is more appropriate.
As millions of connected devices enter the market every year, time-to-market pressures, coupled with pressures to save on space and cost, are huge. Besides, security standards specific to IoT have yet to solidify. These factors often lead to weaker security design. The growing number of reported IoT attacks, vulnerabilities, and exploits by hackers highlights the imperative to harden the secure development lifecycle for IoT.
System designers can leverage hardware security components and platforms from vendors such as Samsung, Infineon, and Microchip, which, in addition to trust-zone technology, offer secure boot, secure key storage, and chip-level tamper resistance.
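The chain of trust described above (an immutable root, each stage verified before it runs, and a device identity that lets a back end tell which device is reporting and what it booted) can be sketched in a few lines. The following is an added example, not code from the original article or from any vendor it names: a hash-chained secure boot plus a measured-boot attestation exchange in Python. The firmware images, the device key and the nonce are constructed sample values, and the symmetric device key is a simplification that stands in for the asymmetric key a secure element would hold.

```python
import hashlib
import hmac

# Constructed sample firmware images: byte strings standing in for the
# bootloader, OS and application binaries a connected device would boot.
BOOTLOADER = b"bootloader v1.2 -- constructed sample image"
KERNEL = b"rtos kernel 4.0 -- constructed sample image"
APP = b"sensor app 0.9 -- constructed sample image"

# Constructed device-unique key, as would be provisioned into a secure
# element at manufacture and enrolled with the back end (hypothetical value).
DEVICE_KEY = bytes.fromhex("11" * 32)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(images):
    """Package images as boot stages. Each stage carries the digest of the
    stage that follows it; the digest of the first stage is the value the
    immutable root of trust (ROM) holds. Returns (rot_digest, stages)."""
    digests = [sha256(img) for img in images]
    stages = []
    for i, img in enumerate(images):
        nxt = digests[i + 1] if i + 1 < len(images) else None
        stages.append({"image": img, "next_digest": nxt})
    return digests[0], stages


def secure_boot(rot_digest, stages):
    """Hash-chained secure boot. A stage may run only if its digest matches
    the value held by the previous trusted stage (or by the RoT for the first
    stage). Returns the indices of the stages that ran; the boot halts at the
    first mismatch or at a stage no earlier stage vouched for."""
    expected = rot_digest
    booted = []
    for idx, stage in enumerate(stages):
        if expected is None or not hmac.compare_digest(sha256(stage["image"]), expected):
            break
        booted.append(idx)
        expected = stage["next_digest"]
    return booted


def measure(stages):
    """Measured boot: fold every stage's digest into one running value, in
    order, using the TPM PCR extend rule PCR = H(PCR || H(image)). The result
    commits to the whole chain, so it can be compared with a golden value
    recorded from a known-good device."""
    pcr = bytes(32)
    for stage in stages:
        pcr = sha256(pcr + sha256(stage["image"]))
    return pcr


def attest(device_key, nonce, stages):
    """Device side of remote attestation: measure the chain and authenticate
    nonce || PCR with the device-unique key. The nonce binds the quote to this
    challenge so an old quote cannot be replayed."""
    pcr = measure(stages)
    tag = hmac.new(device_key, nonce + pcr, hashlib.sha256).digest()
    return pcr, tag


def verify_attestation(device_key, nonce, golden_pcr, pcr, tag):
    """Verifier side: first check that the quote came from the enrolled device
    (source identity), then check what that device booted (integrity)."""
    expected_tag = hmac.new(device_key, nonce + pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return "reject: quote not produced by the enrolled device key"
    if not hmac.compare_digest(pcr, golden_pcr):
        return "reject: boot chain differs from golden measurement"
    return "accept"


def demo():
    """Known-good boot, then the same device after its application image has
    been modified in flash (constructed scenario)."""
    rot, stages = build_chain([BOOTLOADER, KERNEL, APP])
    golden = measure(stages)
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    results = {}
    results["good_boot"] = secure_boot(rot, stages)
    pcr, tag = attest(DEVICE_KEY, nonce, stages)
    results["good_attest"] = verify_attestation(DEVICE_KEY, nonce, golden, pcr, tag)
    tampered = [dict(s) for s in stages]
    tampered[2]["image"] = APP + b"\x90"  # one byte appended to the app image
    results["tampered_boot"] = secure_boot(rot, tampered)
    pcr, tag = attest(DEVICE_KEY, nonce, tampered)
    results["tampered_attest"] = verify_attestation(DEVICE_KEY, nonce, golden, pcr, tag)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two simplifications are worth naming. The digest chain means that updating any stage changes the digest stored in the stage before it, which is why production secure boot usually verifies a signed manifest instead, so that the public key, not the image digest, is what the earlier stage holds. And because the verifier shares the symmetric device key, the quote only proves that one of the two enrolled parties produced it; a secure element that signs the quote with a private key it never exports lets the back end keep only the public key.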
Sravani Bhattacharjee has been a data communications technologist for over 20 years. She is the author of “Practical Industrial IoT Security,” the first released book on Industrial IoT security. As a technology leader at Cisco until 2014, Sravani led the architectural planning and product roadmap of several enterprise cloud/datacenter solutions. As the principal of Irecamedia.com, Sravani currently collaborates with Industrial IoT innovators to drive awareness and business decisions by producing a variety of editorial and technical marketing content. Sravani has a Master's degree in Electronics Engineering. She is a member of the IEEE IoT Chapter, a writer, and a speaker.