IoT Security: Technology Is Only One Part Of The Equation

A comprehensive security strategy is necessary to protect against damaging breaches.

popularity

Survey after survey on the adoption of the IoT punctuates that security and data privacy continue to be the top concerns with any new implementation.

It used to be that security was all about protecting data (business, personal ID, etc.), but as more devices are connected to the IoT, security concerns reach far beyond just the value inherent in the data. According to Gartner, nearly 5.5 million “things” are connected to the Internet each day. It’s no surprise then with an ever-expanding universe of connected devices, cyber criminals are having a field day when it comes to threats, breaches, and all out cyber attacks.

Today we have hackers whose sole directive is to gather data to hold as ransom or to incriminate innocent bystanders caught in the crosshairs. The recent hack into HBO to reveal plot lines of the current season of “Game of Thrones” is one example. The WannaCry attack, which held Windows OS machines ransom all over the globe, is yet another type of malicious attack. And who could forget the famous Stuxnet computer worm attack, which acted as a type of cyber weaponry.

And let’s not forgot attacks on American businesses such as Target, Yahoo!, and the most recent, and perhaps most devastating attack of all, Equifax.

Much has been written about IoT security and the various types of attacks that occur these days; whether it’s through the software via a DDoS attack, through a network via an exposed node or hub, or a physical attack that exploits a CAN bus, SCADA, or other pieces of hardware. Side channel attacks are also on the increase, where hackers rely on weak authentication and security layers to enter an IoT system.

A strategy around security
Security is one of the toughest challenges within IIoT system development today. A comprehensive strategy can save businesses from having to pay costs associated with a security breach as well as preventing embarrassment or a damaged public reputation. Quite simply, the more systems connected to enterprise and cloud infrastructures, the more devices are exposed to security risks and vulnerabilities.

What is the process?
A security strategy incorporates the latest technologies and intelligently selects the right products to use within the IoT infrastructure. But it doesn’t stop there. Simply having the technology in place is not enough. You need to know how the products were conceived, developed, validated, and tested. Any reputable vendor should follow a process that not only ensures the products work as promised but also that these products meet current IIoT standards and guidelines. Today, the International Electrotechnical Commission (IEC) publishes a multitude of consensus-based international standards for the electrotechnology sector. For example, the IEC has designated IEC 62443 as a series of standards related to securing Industrial Automation and Control Systems.

For developers, following a defined process from concept through post-deployment is of paramount importance. As devices are defined, security/threat profiles should also be defined. Requirements should reflect those attack vectors and QA should develop a test strategy, test plan, and test cases to ensure those defined vulnerabilities are accounted for. The complexity of this testing can range from simple static code analysis to the extreme case of validation using formal methods.

Once a device is deployed, there is a strong likelihood that latent vulnerabilities will be discovered in your device. These vulnerabilities could be due to newly-discovered software defects, vestiges from development like leaving a debug port open, or it could even be baked into your hardware. Businesses must hope for the best, but plan for the worst; they must plan ahead and define the processes for handling these vulnerabilities.

Security processes must also extend beyond your immediate business, and appropriate considerations should be given to your entire supply chain. Think about a microprocessor being manufactured by a third party and the people who have access to the IP and even the physical product. What if the IP is compromised? What if the actual chips were reverse-engineered or physically modified and replaced back into the supply chain unbeknownst to the end user of the chip? In any event, businesses must develop processes for identifying, isolating, validating, and handling security vulnerabilities.

People and products
As the threat and modes of cyber attacks continue to grow, businesses should consider staffing a cyber security team, a team trained in security whose sole job is to focus on the technologies that secure IoT products. This team might also work closely with IT to ensure that there are company-wide protocols in place to ensure that people in the company or in the supply chain are properly trained to handle even the seemingly simple act of social engineering – not clicking on links delivered via email or social media. There are many security frameworks available that can guide organizations on ways to prevent, detect, and respond to cyber-attacks, such as the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST).

From the software development perspective, at Mentor we have a dedicated team of security professionals who constantly monitor security sites such as US-CERT for security vulnerabilities.

Once a device is deployed, Mentor’s Core Critical Security Team monitors newly discovered vulnerabilities from numerous sources including US-CERT. When a new vulnerability is detected, we quickly identify which of our products are impacted (if any), assess the exposure and severity of the vulnerability, and develop and/or integrate needed fixes as quickly as possible. These updates are then deployed to customers.

The technology itself
When building a device, it should be trustworthy and the software that runs on it needs to be authentic. Establishing a software chain of trust begins at the root level (the hardware) and flows up to the application layer. Within my world of embedded systems, vendors in the supply chain often talk about the technologies of securing data in rest, or secure storage; securing data in use, known as secure processing; and securing data in motion, or secure networking.

Below are a few brief descriptions of these technologies:

Data at Rest:
Data at rest addresses the state of a device from being powered down to fully operational in the “on” mode. Issues to consider in this stage might include:

  • Root of Trust

Is the SoC used in the hardware platform capable of providing root of trust? If not, does the platform include a secure element that would offer similar capabilities? Even if the answer is no to both of these questions, there are security vendors who offer purely software-based root of trust solutions.

  • Chain of Trust

With the root of trust present (Figure 1), the boot process establishes a chain of trust. A few questions to ask when establishing a chain of trust include:

  1. Has the hardware validated and authenticated the bootloader?
  2. Has the bootloader validated and authenticated the operating system or other systems?
  3. Have the operating systems validated and authenticated application code?


Figure 1: The chain of trust model ensures every file downloaded is signed and authenticated from the bootloader up to the application level.

Data in Use:
This stage refers to a device operating normally and the data is being generated and processed. A few technologies to utilize at this stage include:

  • Hardware-enforced isolation

Some software developers physically isolate applications by placing multiple SoCs side by side. Not everyone can afford to do this, so using Arm TrustZone is the next best thing. Arm TrustZone technology implemented in a SoC can be leveraged to address the network, application, and data aspects of the layered security model. The TrustZone architecture provides a solution that carves out or partitions a hardware subset of the full SoC. It does this by defining processors, peripherals, memory addresses, and even areas of L2 cache to run as “secure” or “non-secure” hardware.

  • Software-enforced separation

If the hardware separation is not an option, the next best thing is to use the software to isolate and protect applications. These days, with multicore SoCs supporting virtualization extensions in the silicon, there are more designs utilizing embedded hypervisors.

Hypervisors allow multiple instances of the same or different operating systems to execute on the same SoC as a virtual machine (VM). Each VM can be isolated and through use of a system memory management unit (MMU), other bus masters can be virtualized. This separation can be used to protect and secure resources and assets in one VM from other VMs.

  • User space isolation

Many operating systems today offer some type of MMU enforced isolation of the application code running in the RAM; Linux has user space, and Mentor’s Nucleus RTOS has a process model (Figure 2). The idea here is while the kernel of the operating system runs at a more privileged level such as kernel mode process 1 or 2, applications that run the user mode process utilize various memory isolation techniques to protect code and data on a per application basis.


Figure 2: Nucleus process model is a light-weight approach to space partitioning which creates protected memory regions.

  • Information or data obfuscation

While most developers take care to hide and encrypt the password, care must also be taken to obfuscate variables and text strings stored in the memory or storage. This will make it more difficult for bad actors to modify variables and text strings or even re-engineer the device operation.

In addition to the isolation techniques listed above, realize that these devices are connected to many instances throughout the IoT infrastructure and care needs to be taken to secure all connections. As such, the least a developer could do is enable and configure a firewall and utilize various publicly available tools to perform network stress testing and network penetration analysis. For example, Mentor has achieved Achilles Level 2 security certification from GE Digital for both the Nucleus RTOS and the Yocto Project-based Mentor Embedded Linux. This certification provides our customers with a level of assurance that our platforms are tested for the most recent security configurations and vulnerabilities in the industrial automation device space.

Data in Motion:
Data in motion relates to data entering or leaving a device while the device is “on.” A good design should always address the following two areas:

Prior to sending the data, will the device utilize any mutual attestations? Various tricks and techniques could be deployed to authenticate the receiver of the information prior to sending it.

And how is the data protected in the event the device is hijacked? Encrypting the data while at rest and in motion provides some level of protection. For efficient cryptography operations, SoCs with crypto engines should be considered. The crypto engine is a self-contained module designed to off-load the encryption/decryption work from the core processor. Because the crypto engine is a self-contained IP block, hackers can find it difficult to derive techniques to gain access to the encryption process. The use of crypto engines can have a huge impact on the ability of the application to secure data quickly and efficiently.

With billions of IoT devices in use globally, IIoT security requires strong authentication to ensure communication between known and trusted devices (including the smallest endpoints). In today’s IoT devices and systems, security features need to be designed-in early to address advanced security threats. To further augment security, software security companies and Mentor partners such as Icon Labs and GE Digital provide technologies for enterprise data protection. Icon Labs is a leading embedded security company that offers products to effectively manage, secure, and protect devices and networks. GE Digital offers cross-platform security by subjecting devices that will be connected to an IIoT network through rigorous testing and granting certification that security standards were met.

Conclusion
Security is one of toughest challenges within IIoT system development today. The more systems are connected to enterprise and cloud infrastructures, the more devices are exposed to security risks and vulnerabilities. A sound security strategy incorporates the latest technologies, accounts for quality processes, and encompasses the people involved in both the system design development and deployment of products in use.