How To Secure The Network Edge

The risk of breaches is growing, and so is the potential damage.

Microcontrollers, sensors, and other devices that live at the edge of the Internet must be protected against cyberattacks and intrusions just as much as the chips in data centers, network routers, and PCs. But securing those edge devices presents a swath of unique challenges, including the cost and availability of technology resources, as well as varying levels of motivation to solve these problems by both vendors and end users.

Security companies have been sounding the alarm for several years, citing statistics about the rising number of breaches and the increasing value of those attacks. But securing the edge takes on new urgency as safety issues enter the picture. Assisted and autonomous driving essentially transform cars into Internet edge devices, where real-time responsiveness is required for accident avoidance and cloud-based connectivity is needed for such things as traffic and weather alerts. Likewise, embedded systems are being used to monitor and control critical infrastructure, and that data is being read by external monitors or devices at the edge of the network that are directly connected to those systems.

All of this raises the stakes for security. So how exactly do these issues get solved, and by whom?

“That’s a tricky question,” observed Robert Bates, chief safety officer for the Embedded Software Division at Mentor, a Siemens Business. “In some sense, those kinds of smart devices can be as secure as anything else connected to the network. But theory and reality are two different things.”

The compromised home security cameras that led to the 2016 Mirai-based distributed denial-of-service attack on Dyn are an example of just how devastating these breaches can be in a matter of minutes. In that case, the manufacturer shipped Internet-connected cameras with simple default passwords, and most consumers never bothered to change them. Together they worked as an army of bots to bring down some of the largest and most secure sites on the Web.

“The same problems exist across industry,” said Bates. “Industry buys something, and they just kind of want to forget about it. If they’re not updating these devices themselves, or they’re not thinking about updating them, they’re going to be exposed—even if their security was top-notch at the point of the link. That’s one problem. The other problem is bandwidth. The bill-of-materials cost on a lot of these devices is really, really low. Because of that, the amount of memory and the amount of processing power on these devices is really, really low. Unless you build in security, the best possible security, and keep it up to date, you run into the same problems. Are people or companies willing to spend $2 more on the bill of materials to make sure what they have is secure? At the end of the day, something like an automobile is less of a concern in that respect than your robotic vacuum or your industrial sensor, because you’re talking about a higher cost of entry.”

But as the Dyn attack showed, security breaches aren’t always predictable. In point of fact, the basics of security (root-of-trust, Internet security, and key management) can be applied to any edge device, and it still may not be enough.

“Edge devices is a broad category that includes everything from sensors to smart meters and industrial control-type edge devices,” said Dana Neustadter, senior manager of product marketing at Synopsys. “What they have in common, and how they can be made secure, is they need to be protected in all phases of operations—regardless of the category of the device—whether they are offline, during power-up, at runtime, and more importantly, while they communicate with other devices or over the network. Establishing the integrity of a system is essential for creating a trust in the system and to ensure that it behaves as intended.”

Still, even where security does exist, it isn’t always easy to implement.

“Sometimes we forget, as we develop solutions, to make them easy to integrate,” said Marc Canel, vice president of security systems at Arm. “In the case of security, it’s very important to have system architectures and system business models that people can rely upon. And technology companies have to promote good practices, including ecosystems that make it easy for device manufacturers to pull things together.”

It’s much more difficult to manage security with streamlined devices, though. And integration using third-party components and IP adds its own unique twists. Not all open-source software, for example, is created equal. Two different versions of Linux, for example, may be completely different when it comes to security.

“Can edge devices be made secure? They can be made as secure as your phone,” said Bates. “They can be made as secure as your PC. We know how to do it. It takes resources, both in terms of processing power, memory, those kind of things, and it takes a plan. But security is what it is. A device can be made as secure as humanly possible, and then tomorrow we’ll find out the chips themselves are not secure. And so it’s not just a case of are you secure today. It’s a case of do you have some way to maintain that over the lifetime of the device. In the coming world of autonomous cars, that’s 10, 15 or 20 years. Your edge device is different. It’s kind of single-purpose. It may not even have data that anybody cares about. So you don’t have to protect every edge device as completely as the kind of the things we think of needing security.”

Redefining the edge
The emphasis there is on varying levels of protection based upon the devices and use cases. There is a full spectrum of technology that constitutes what is generally grouped under the heading of “edge devices.” The design of these devices has been in an almost constant state of flux as companies try to discern what should be processed locally, which in the case of a car or robot may be at the sensor or sensor hub level, versus what should be processed by a mid-range server such as a home network hub or department-level server, and what should be handled in the cloud.

The main criteria behind these kinds of decisions are response time, latency, and the cost of moving data, both in terms of resources such as memory, I/O throughput, bandwidth and storage, as well as the urgency with which decisions are required. For a car moving at 60 miles per hour that is approaching another car moving at the same speed, even the time it takes to move data back and forth to a central brain in another part of the car might take too long to avoid a collision.

That has significantly changed the definition of what constitutes an edge device and how it is designed. Several years ago, when the IoT was still a rather vague term, most companies thought edge devices would be simple sensors that transmitted all data through a gateway. While chips inside some IoT devices still fit the original concept, a single label for these devices is increasingly misleading.

“Since some edge devices perform edge computing, they typically require chips with stronger CPUs and larger memory,” said Asaf Ashkenazi, vice president for IoT security products for Rambus Security. “While edge computing often is used to reduce the overall data sent to the cloud, edge devices also can aggregate data of multiple devices, which overall increases the data sent by the edge device. In some cases, edge device chips are required to support higher data rate Internet connectivity. [More advanced] edge devices also can shield devices connected to them from remote attacks. Small and resource-limited IoT devices sometimes do not have the capabilities to provide strong security. The [more advanced] edge device can be used to shield these devices from the Internet, making sure they are not exposed to remote attacks. Products that provide strong connectivity security can protect other devices.”

Improving security
By definition, edge devices are connected to something else. As a result, there is no single or simple solution to securing a device because any attack can come from a multitude of sources using a variety of attack vectors. The generally accepted best practices for security involve layers of security, as well as constant diligence in changing passwords and updating software.

Not all security weaknesses are intentional, however. Some are inherent in the initial design, and those open up vulnerabilities that can later be exploited. In industrial settings, for example, wireless communication may be subject to unexpected interference, something that is reflected in the growing demand for Ethernet in the IIoT.

“One of the prime drivers for using Ethernet here is because of timing accuracy,” said Venu Balasubramonian, marketing director for the Connectivity, Storage and Infrastructure business unit at Marvell. “The equipment needs to be synchronized, and when you build a custom device you want to minimize timing variations. Wired devices have much tighter tolerances.”

Where weaknesses are known, they need to be addressed. Where none are obvious, a multi-layered strategy is required.

“Edge devices have a wide range of sizes and compute power and there is no one security solution that fits all,” said Synopsys’ Neustadter. “The optimal security solution will have to be tuned based on the target application that has been chosen for that edge device, a good understanding of the threat environment, certification, regulation requirements, as well as power, performance, cost, and target. Security always needs to be like a toolbox that people need to draw from and choose the right scale of solutions for the appropriate edge device.”

Part of this needs to be addressed at the earliest phases of semiconductor and system design, and carried throughout the design cycle.

“You need to employ a security-oriented mindset at every stage of design, or else you could let things through,” said Jeff Miller, a product strategist at Mentor. “It’s one of those things where you have to have a verification-oriented mindset across the design flow. You need to know your design will function under all possible plausible circumstances. The first thing is this chain of security, where every device and every team that contributes something to these devices needs to be thinking about security. How does my device influence the security of the overall system? IoT is a particularly difficult market to get security right. That means every team has to be thinking about it throughout the design flow. You need the chain, and the weakest link is going to be the downfall of your overall IoT service. There’s no partial credit for security. You’ve got to get it right everywhere. That said, it’s almost impossible to get it right everywhere, all the time.”

Perhaps even more daunting, as chips are developed for markets such as automotive and industrial IoT, they need to last for a decade or more. By that time, what is considered unhackable today may be simple to crack as new techniques emerge and the processing power required to break ciphers and encrypted keys increases by orders of magnitude. The only way to address that is through field upgrades.

“You need ways of securely updating your device,” Miller said. “You need to really make sure your hardware is robust as designed, but you also have to make sure you have the ability to update it securely.”

Rambus’ Ashkenazi agrees. “You need to be reducing the device attack surface by implementing security at the design phase, treating security as a primary design parameter rather than a tertiary afterthought. You also need early detection of compromised devices. Since no system is 100% secure, real-time detection of a compromise in an edge device can invoke patching and recovery of the infected device and other vulnerable devices, as well as device recoverability. Once a software vulnerability is discovered and identified, a quick action is crucial for limiting any damage to the edge device or any other devices connected to it. Fast recoverability can be achieved using over-the-air recoverability mechanisms where security updates are pushed to the device via the Internet.”

But he adds that edge computing devices can be much more difficult to secure than other devices. “Edge devices typically require performing complicated tasks not performed by other standalone IoT devices,” Ashkenazi said. “Edge computing requires more CPU, memory, and flexibility, which typically results in a larger attack surface. In many cases, edge devices also aggregate and process data from multiple devices connected to them. A compromise of an edge device can result in a compromise of the data collected from multiple devices connected to it. The combination of a larger attack surface, and the access to multiple other connected end-devices, elevates even more the need to provide protection, detection, and recoverability. In addition, some edge devices might be required to handle data of two separated users who do not trust each other. This requires the edge device to implement a secure data separation to prevent data leak of one user to the other. The principles and security best practices of edge devices, such as routers, switches, or smartphones, are not different from the ones used in other areas, like the data center or cloud computing.”

Software needs to be part of this security solution as well. Operating systems can provide a secure connection to the cloud, for example. And virtualization, which enables execution separation, can help when multiple users that don’t know or trust each other utilize a shared edge device.

“It is important to periodically check that the code that is being executed has not been modified by various means,” said Synopsys’ Neustadter. “It’s also important to ensure that while the device is running, while it’s communicating with other devices or a network, it’s done in a trusted manner.”
