Next Wave Of Security For IIoT

New technology, approaches will provide some protection, but gaps still remain.


A rush of new products and services promise to make the famously un-secured Industrial IoT (IIoT) substantially more secure in the near future.

Although the semiconductor industry has been churning out a variety of security-related products and concepts, ranging from root of trust approaches to crypto processors and physically unclonable functions, most IIoT operations have been slow to adopt them. There are a number of reasons for this, including:

  • The uniqueness of industrial operations requires custom security approaches, which are more expensive, more complicated, and relatively unproven.
  • There are few industry standards, and those that do exist are limited in scope.
  • More data, more edge devices and different architectures sometimes make it hard to determine what to secure.
  • Many established operations are skeptical of the value of IIoT in the first place, and security features are not always easy to use.

To make matters worse, even where security is implemented, the return on investment isn’t always obvious. It’s hard to tell if security is working until it is breached, and even the best security is sometimes hacked. This has prompted security providers to look at different ways of solving these problems, ranging from security as a service to building security into hardware.

“The limitation on security was that customers were not willing to pay additional costs,” said Wally Rhines, CEO emeritus at Mentor, a Siemens Business. “Awareness is greater, though, with all of the hacking and phishing. Now we need to apply that awareness when we design chips so that these devices are more threat resistant. PUFs are a lot of work and expense, and for commercial applications they will not pay for that. There is ground in between that and the design tools, which can make it more straightforward.”

There is still a long way to go. Only 6% of big companies participating in the first big rollouts of IIoT projects said they paid for security above and beyond the default level offered by an OEM, while 44% refused due to cost and 50% for a range of other reasons, according to a 2017 survey sponsored by IoT security provider Gemalto. A year later, the company said only 48% can see their own devices well enough to know if there has been a breach.

But change is coming to this market. Aversion, and sometimes antipathy, toward cybersecurity was common among industrial operational technology (OT) staffs until recently, according to Richard Soley, executive director of the Industrial Internet Consortium (IIC) and chairman and CEO of the Object Management Group. Soley estimated the security level of IIoT projects as “zero” in August.

“On security, a year ago I would have said that no one cares,” he said. For IIC members, security revolved around a series of testbeds putting smart-industrial systems through their paces. “Now everyone cares. There is a lot more focus on security in-depth, not just around a perimeter.”

Rethinking security
Behind this change in attitude are some significant shifts in technology. That starts with chip architectures, where exploding complexity is one of the main causes for concern.

“There are plenty of cases where vulnerabilities occur through human error,” said Paul Kocher, security technology advisor at Rambus. “There is no reason to insert something maliciously. If you find something, you can take advantage of it. This is a combination of complexity and complacency.”

That complexity comes in a variety of forms, from architectures to microarchitectures to the software that runs on them.

“Processors may be built in accordance with an ISA (instruction set architecture), but the implementations of that ISA can differ based on microarchitectures,” said Jason Oberg, CEO of Tortuga Logic. “Security is a trust handoff. Any broken links in that chain can create a security problem, whether it’s power or timing side channels or something else.”

This helps account for a flood of new product and services announcements over the past few months. The main emphasis in many cases is to make the basic building blocks of security much more accessible and easier to understand. Most were presented to potential customers at big trade shows in February and March, aimed at security problems stemming from inaction going back more than two years.

Consider Arm’s PSA Certified program, for example, which set out to raise the bar on IIoT security by requiring that devices be tested by outside labs. The idea was that a certification would make them searchable by customers looking for devices that fulfill the requirements of a PSA root-of-trust (PSA-RoT) profile. Arm will add more rigorous 25-day penetration tests for chipmakers and, later this year, tests to verify resistance to side-channel and other physical attacks.

“What we’re doing here is creating a common building block and common security architecture, some high-level APIs, with some sensible security functions also added as default—things like secure storage and trusted boot, the essentials in crypto,” says Chet Babla, vice president of new business development, in Arm’s Emerging Businesses Group. “That makes it super easy to use, and the multilevel scheme means someone can do just the basics if they want. But that is already better than nothing, which is the default today.”

Fig. 1: Types of attacks. Source: Arm

Rambus, meanwhile, introduced a RISC-V crypto core that isolates such functions as secure boot, remote attestation, authentication and runtime integrity, and added a service offering to outsource security management.

“The ability to revoke updates and manage them is critical,” said Martin Scott, CTO of Rambus. “You need to think systematically from the chip to the cloud. How do you know what you’re updating to? How do you know you’re updating the camera on the southwest corner of a building?”
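The questions in that quote have a concrete device-side counterpart: a signed update manifest that is checked for authenticity, target identity, revocation, anti-rollback and payload integrity before anything is written to flash. The following is an added example written for this article, not code from Rambus or from any product mentioned here. The manifest format, the DeviceState fields and the sample device IDs are constructed, and an HMAC stands in for the asymmetric signature a real update server would use, so that the block runs with the Python standard library only.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed stand-in for the update server's signing key. A real deployment
# would sign with an asymmetric key (e.g. ECDSA) so the device holds only a
# public key; HMAC is used here to keep the example standard-library only.
SIGNING_KEY = b"constructed-demo-signing-key-not-for-production"


@dataclass
class DeviceState:
    """What the device itself knows: who it is and what it already runs."""
    device_id: str                 # identity provisioned at manufacture (constructed)
    installed_version: int         # monotonic counter used for anti-rollback
    revoked_versions: set = field(default_factory=set)  # versions withdrawn by the server


def sign_manifest(manifest: dict) -> str:
    """Signature over the canonical (sorted-key) JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def make_update(device_id: str, version: int, payload: bytes) -> dict:
    """Server side: build a manifest bound to one device and sign it."""
    manifest = {
        "device_id": device_id,
        "version": version,
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest), "payload": payload}


def verify_update(state: DeviceState, update: dict) -> tuple:
    """Device side: every check must pass before the payload is trusted.

    Returns (accepted, reason). The order matters: the signature is checked
    first so that none of the later decisions rest on unauthenticated fields.
    """
    manifest = update["manifest"]
    # 1. Authenticity: the manifest must be signed by the update server.
    if not hmac.compare_digest(sign_manifest(manifest), update["signature"]):
        return False, "bad signature"
    # 2. Targeting: a valid update for another device must not be applied here
    #    (the "camera on the southwest corner" question).
    if manifest["device_id"] != state.device_id:
        return False, "wrong device"
    # 3. Revocation: a correctly signed version the server has since withdrawn.
    if manifest["version"] in state.revoked_versions:
        return False, "revoked version"
    # 4. Anti-rollback: never move to an older (or the same) version.
    if manifest["version"] <= state.installed_version:
        return False, "rollback"
    # 5. Integrity: the payload delivered must be the one the manifest names.
    if hashlib.sha256(update["payload"]).hexdigest() != manifest["payload_sha256"]:
        return False, "payload hash mismatch"
    return True, "ok"


def apply_update(state: DeviceState, update: dict) -> tuple:
    """Apply the update only if verify_update accepts it; bump the version."""
    accepted, reason = verify_update(state, update)
    if accepted:
        state.installed_version = update["manifest"]["version"]
    return accepted, reason
```

The revoked-version set is the device-side half of "the ability to revoke updates": the server can withdraw a version after signing it, and the device refuses it even though the signature still verifies. Binding the manifest to a device identity is what turns "an update for a camera" into "an update for this camera".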

The networks to which these chips are connected add another element of uncertainty. Most industrial operations are utilizing more devices and doing more processing locally. The result is more complexity in network communications, and more opportunity for data to be stolen or corrupted.

Take the health care industry, for example. “The problem is that more computing is moving to the edge to bring analytics closer to the patient,” said David Niewolny, director of market development for health care at Real-Time Innovations (RTI), which focuses on IIoT connectivity in a variety of industrial markets. “So now you’re dealing with streaming data, adding more sensors to the patient, and processing all of this locally. And just like in a car, there is no time to send this off to the cloud. The systems have to interact as one. In a hospital room you have electrical waveforms, blood pressure, temperature, respiratory rate and fluid rate. And now you have to add and subtract devices in a system. This is a platform of platforms.”

That also increases the amount of data that needs to be secured and processed. “With the distributed edge, everything that’s done can be recorded and done, which opens the door to the root cause of different scenarios,” said Niewolny. “So now you have new drug trials, new insights, and you can see across the system how everything works.”

That also adds security risks. In the past, the big concern was data in motion. What has changed is that data at rest can be hacked through a variety of means, such as side-channel attacks, and there is more data as a whole and more points of entry into that data. So while some data may be secure, chances are good that much of the data in an industrial operation is not.

And then there is the software stack, from base layer functionality all the way up to the operating system and applications.

“The doors are all open,” said Aart de Geus, chairman and co-CEO of Synopsys. “With the increase of embedded software and increase of systemic complexity, you have an increase of security issues.”

This has been coming for a long time, and hackers have been well ahead of most industries. “Around 2005, I kept asking people what’s their ratio of software versus hardware engineers in semiconductor companies,” de Geus said. “They had all passed the 50% point and they were all complaining about the same thing, ‘Our customers never pay for the software.’ The problem was they were not semiconductor companies. They were functionality companies that wrapped that functionality in a wonderful semiconductor wrapper. But they were already selling functionality. With the software content growing and the complexity growing, a lot of the actual delivered value impact was the intersection of software and hardware.”

When that software is attacked, the functionality suffers.

Tracking data movement
One of the biggest shifts in security, which is just beginning, involves tracking the movement of that data that runs on and between these devices. There are more sensors everywhere, and those sensors are churning out massive amounts of data.

That data can be used and mined, and it can be managed using AI. But AI opens up a whole new can of worms when it comes to security, because by definition AI systems are meant to react to their environment. That means data can be used to affect system behavior, not always with the best intentions.

“It goes well beyond the issue of just hacking chips,” said Michael Schuldenfrei, corporate technology fellow at Optimal Plus. “You’re going to see a lot more geographical firewalls to limit the movement of data. GDPR (General Data Protection Regulation) and other regulations are going to be more significant in controlling the movement of data between different bodies as time goes on. Or can you use data differently, in a way that you’re providing whatever data is needed to solve a problem but you’re not giving out data in detrimental ways you weren’t planning or thinking of.”

Limiting the ability to access data isn’t a new concept, but it’s becoming more important as the amount of data grows—particularly in the semiconductor industry, where IP code is extremely valuable.

“You want to make sure people working on IPs do not see other IPs,” said Ranjit Adhikary, vice president of marketing at ClioSoft. “So basically what you’re doing is translating all of this into a data management system. If you knowingly download something, you need to keep track of IPs and how they are used.”

This is particularly difficult in markets where IP companies are being bought up by larger players. “The problem is that no one is sure where the code is,” said Adhikary. “Most small companies look to get acquired, but how much IP do they have, what is it and what is the valuation of that IP?”

Being able to track that data is one facet in a many-faceted security picture. Another facet involves tracking the movement of data on a chip or between chips.

“We have a customer using our [in-circuit monitoring] technology for malware detection, where they observe transactions and processes,” said Rupert Baines, CEO of UltraSoC. “They will label a process or software task as suspect right down to a very granular level. We’ve created a universal lock-step mechanism. We’re looking at two program streams, and if they diverge we sound an alarm. That’s happening on the fly, in real-time, in situ, while it’s running.”
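The lock-step idea in that quote, two program streams compared as they arrive and an alarm raised on the first divergence, can be sketched in software. This is an added example written for this article, not UltraSoC's monitor or any product's code; the TraceEvent fields, the task names and both traces are constructed. The monitor also reports which software task was running at the divergence point, the granularity the quote mentions, and treats one stream ending early as a divergence.

```python
from dataclasses import dataclass
from itertools import zip_longest
from typing import Iterable, Iterator, Optional


@dataclass(frozen=True)
class TraceEvent:
    """One retired instruction as an on-chip trace port might report it (constructed)."""
    task: str   # software task the core was executing, as labelled by the monitor
    pc: int     # program counter of the instruction
    op: str     # constructed mnemonic standing in for the decoded instruction


@dataclass
class Divergence:
    index: int                       # stream position at which the two disagree
    expected: Optional[TraceEvent]   # event from the reference stream (None if it ended)
    observed: Optional[TraceEvent]   # event from the monitored stream (None if it ended)
    suspect_task: str                # task to flag as suspect


def lockstep_monitor(reference: Iterable[TraceEvent],
                     observed: Iterable[TraceEvent]) -> Optional[Divergence]:
    """Consume both streams one event at a time and stop at the first mismatch.

    Works on generators, so it never needs the whole trace in memory and can
    raise the alarm while execution is still in progress. A stream that ends
    before the other is treated as a divergence too.
    """
    for index, (exp, obs) in enumerate(zip_longest(reference, observed)):
        if exp != obs:
            return Divergence(index, exp, obs, (obs or exp).task)
    return None


# Constructed reference trace: a sensor-polling task followed by a network task.
_REFERENCE = [
    TraceEvent("sensor_poll", 0x1000, "ldr"),
    TraceEvent("sensor_poll", 0x1004, "cmp"),
    TraceEvent("sensor_poll", 0x1008, "beq"),
    TraceEvent("sensor_poll", 0x1010, "str"),   # branch at 0x1008 taken
    TraceEvent("net_tx", 0x2000, "bl"),
]

# Constructed observed trace: identical until the branch, which falls through
# instead of being taken, so execution continues at 0x100c.
_OBSERVED = [
    TraceEvent("sensor_poll", 0x1000, "ldr"),
    TraceEvent("sensor_poll", 0x1004, "cmp"),
    TraceEvent("sensor_poll", 0x1008, "beq"),
    TraceEvent("sensor_poll", 0x100C, "mov"),   # first point of divergence
    TraceEvent("sensor_poll", 0x1010, "str"),
]


def reference_trace() -> Iterator[TraceEvent]:
    """Yield the reference stream event by event, as a trace port would."""
    yield from _REFERENCE


def observed_trace() -> Iterator[TraceEvent]:
    """Yield the monitored stream event by event."""
    yield from _OBSERVED


if __name__ == "__main__":
    alarm = lockstep_monitor(reference_trace(), observed_trace())
    if alarm is None:
        print("streams agree")
    else:
        print(f"ALARM at event {alarm.index}: task {alarm.suspect_task!r} "
              f"expected {alarm.expected}, observed {alarm.observed}")
```

Comparing whole events rather than just program counters is deliberate: two streams can visit the same address with different decoded operations if one side's instruction memory has changed, and the equality check on the dataclass catches that as well as a control-flow split.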

Making it easier to use existing tools
While the most recent wave of security products won’t turn the market from Wild West to suburban lawn party overnight, analysts do expect to see the sale of security products take a quick upturn. Revenue from the sale of Industrial IoT-specific security products will rise more than 25% per year, from $1.7 billion in 2018 to $5.2 billion in 2023, according to a recent report from BCC Research.

One thing that will help is making security functions easier to access and to use.

“In the past, root of trust and secure boot were implemented but in ways semiconductor customers couldn’t necessarily use,” said Pim Tuyls, CEO of Intrinsic ID. “For the IoT, we have to do this in a way that can be securely broached from all levels—not just by the semiconductor manufacturer, but the OEM and some customers, as well.”

Others are responding with their own offerings.

Intel, which introduced its Security Essentials architecture last April, announced a secure onboarding partnership with Mocana under which IoT devices could be activated, provisioned and authenticated, with the installation of customer-specific certificates to test device reliability before they are attached to the corporate network.

Last month Microsoft announced new additions to Windows 10 IoT—the Linux-based Robot Operating System (ROS) it announced in Sept. 2018 for robots and IoT devices—including a split into two versions: Windows 10 IoT Core for small devices running Arm CPUs, and a version of Windows 10 tweaked and licensed specifically for IoT environments, called Windows 10 IoT Enterprise.

And IBM announced research into a Virtual Patch service that could allow for automatic patching of IIoT vulnerabilities as soon as they’re found by Deep Learning software or human analysts—potentially eliminating zero-day flaws before exploits can be developed.

In addition, U.K.-based Secure Thingz announced a partnership with IAR Systems to market Embedded Trust—a secure environment that uses hardware security built into next-generation microcontrollers to provide integrated identity, certificate management and scalable secure boot management, secure deployment and secure updating.

All of these moves are meant to address the low default level of security in the IIoT. There has been a shortage of general-purpose commercial security products relevant to the wide variety of devices that make up the IIoT, according to Michael Chen, design for security director at Mentor.

The IIoT isn’t like the PC business, where a few universal standards can cover most interoperability issues. IIoT devices could be HPC-like industrial units or sensors that simply take the temperature and text it to another device. Storage, memory, power, connectivity, size, physical accessibility and other factors can vary wildly. “An Arm Cortex-M0 doesn’t have the memory or processing to do encryption, but it does still have some TrustZone hooks, if you know how to use them,” Chen said.

Getting what you don’t pay for
The big question for chipmakers is whether IIoT customers are interested enough in security to pay for it.

“Most aren’t asking us about it, which means they don’t want to pay, but I expect this is one of the areas we’ll have to cover regardless,” Chen said.

Still, it’s easier to cost justify tech spending in industrial applications than consumer applications if the spending goes to something that raises productivity, said IIC’s Soley. Not every company with an IIoT project understood the connection perfectly at first, but it’s becoming common wisdom now, he noted.

Chip designers and OEMs have tried to address the lack of security in the IIoT by pushing for common security standards, organizing interoperability groups, creating groups within their own companies to provide security services, and trying to educate OEMs and customers about how to use the security hooks already embedded in the IP of existing devices.

A lot of guidelines from different government sources are available, with some consistency among them, Tuyls says. While most aren’t specific enough to do more than start a discussion, they do outline fundamental principles that should inform development and more specific analysis.

“DHS (the United States Department of Homeland Security) has a set of guidelines out on security that highlights a few key issues,” Tuyls says. “One is that it has to be rooted in hardware and that authentication is important. We need to know where data is coming from and be able to tell that the device is a legitimate entity.”

Whether to store a secret key identifier in a secure spot in software on a chip, or use a physically unclonable function (PUF) or other means, depends as much on interpretation of the method as on how high the priority is for secrecy or security, according to Haydn Povey, CTO of Secure Thingz. “You could use a PUF. It’s a perfectly reasonable approach. But storing a key physically is not the only effective way.”

IoT/IIoT devices tend to be more at risk than some other devices just because they’re out in the real world, where people can get at them and attack them physically. But that doesn’t necessarily imply they can get direct, undetected access to a secret key and decrypt it, so it may not be necessary, according to Mike Demler, analyst at The Linley Group.

Security is a broad subject, and in the IIoT there are few standards and sometimes few commonalities between companies, their internal systems, and their security practices. This makes it hard to develop standards, hard to deploy one solution across multiple companies, and sometimes difficult to use.

But the bottom line for security in any of these organizations is a tolerance for risk, and that may be even more individual than the methods for managing it. For those with a low tolerance, improvements in security at all levels of all systems used by those companies are at least increasingly possible, and much of that security begins at the chip level.

“It’s very hard to spoof hardware, barring a lab attack,” said Michael Shebanow, vice president of R&D for Tensilica at Cadence. “PUF via hardware implementation makes it nearly impossible to spoof an ID, whereas software is never 100% secure, as it is virtually impossible to prove that a complex software system has no back door.”
