Bench Talk

(Source: metamorworks/Shutterstock.com)

According to multiple market research reports, Internet of Things security is a top concern for both industrial and individual consumers. Secure design without driving up price is a delicate balancing act for system designers. Add to that the organizational pressures to accelerate time-to-market.

In the case of IoT products, an additional challenge is the lack of integrated security standards and certification guidelines. Nevertheless, in IoT markets, secure design is no longer only a design imperative but also a competitive differentiator.

The cyber-physical attributes of IoT products expose them to new types of threats unseen in traditional computing systems. Successful exploits of these threats directly affect not just the product lifecycle but also its market longevity. In this blog, we’ll take a look at a full-stack approach to integrate secure design in a way that reduces both complexity and implementation costs.

Because of direct exposure to physical environments, IoT systems are vulnerable to many complex attack scenarios. Software-based security alone cannot safeguard against these threats. A hardware-based, tamper-resistant trust-model has been demonstrated to outperform software in many attack scenarios. By establishing the root-of-trust in silicon and by storing secrets in hardware, vaults can significantly harden the system. Hardware-based security offers power-efficiency. The complexity of firmware updates can be reduced by using IoT-specific security solutions.

Infineon’s OPTIGA Trust family, for example, offers many turnkey trust solutions at the silicon layer. OPTIGA™ Trust X (SLS 32AIA) is a high-end security controller that can be integrated into products across a wide range of industrial automation, consumer, and smart city use cases.

Crypto-accelerators help to embed cryptographic capabilities within small form factors. Hardware security modules (HSMs) and Trusted Platform Module (TPMs) (defined in International Organization for Standardization and Trusted Computing Group standards) can be used for strong tamper resistance, cryptographic key storage, and key generation using hardware random number generators (RNGs), strong authentication, boot integrity protection, and firmware integrity measurements.

Because IoT devices might not be rebooted for long intervals, it is important to ensure boot process integrity through measurement and validation. This prevents a compromised device from exchanging data. Measured boot, verified boot, and secured boot are three options to ensure device integrity during boot. A range of security ICs is available to reduce the complexity of boot protection and that of managing the integrity metrics.

Once booted, the device needs to authenticate itself using identity credentials. For machine-to-machine scenarios, authentication keys and certificates are more suitable than passwords. In addition to device-level Identity and Access Management, it is also important to authenticate and control access for hardware elements, firmware, application programming interface (API) calls, etc. by adhering to the principles of separation of duty, least privilege, and role-based permissions. TPMs allow the secured authentication of devices and systems looking to connect to clouds, servers, and other devices.

Securing the software and firmware updates is also crucial for connected systems to prevent malicious code in the system that could lead to dire consequences. Digital signature verification and hashing are two common mechanisms to secure firmware updates.

In M2M and machine-to-cloud communications, embedded systems need to communicate over heterogeneous networks involving various standard and proprietary protocols. To protect against eavesdropping, message tampering, etc., VPNs, encrypted tunnels can be used. Resourced-constrained systems with small-footprint (sensors, actuators) can rely on gateways for secure communication.  Third-party security ICs can be used to store keys, certificates used in the communication protocols and cryptographic operations.

Data integrity is a critical part of product design because compromised data can sabotage the entire IoT ecosystem. Data includes device-generated raw data, secrets, libraries, binary executable, configuration and log files, etc. These can be classified as:
 

• Stored data – Data-at-Rest (DAR)
• Runtime data – Data-in-Use (DIU)
• Sent/Received Data – Data-in-Motion (DIM)
   

Traditionally, checksum is used to validate data integrity, but the IoT threat landscape requires more advanced integrity controls. Cryptographic signatures can attest to data integrity at any point in the workflow. Hardware trust root or TPM is usually used for the signing. The signing key can also be securely stored there. Some of the common data integrity measures are shown in Table 1.

Table 1: Common Data Integrity Measures (Source: Practical Industrial Internet of Things)

For system developers, complying with a myriad of cybersecurity standards is a major challenge in IoT design. IoT security platforms and products resulting from ecosystem partnerships among security vendors can ease the burden. These integrated security platforms provide robust hardware and software design and toolset that system designers can either replicate or customize to fit their application needs.   

Conclusion

System designers face multiple technical and business challenges in designing adequate security for IoT systems. A full-stack approach for security should be followed to ensure that adequate security at every layer of the system has been considered such as hardware, boot process and firmware update integrity, communication, and data integrity. Designing security also needs to factor in use-case security requirements, as not every use-case or system requires the same level of security.