Security is recommended for use within every technology that’s connected these days. In the old days, most computers were isolated, protected by a physical “air gap” where only devices that were manually connected to the computer posed a potential risk. The internet has caused an explosion of productivity, creating new business models with operational efficiency gain from billions of sensors connected via the Internet of Things (IoT). However, the same capability for near-instant connectivity and communication has also opened a doorway to risk. As billions of IoT devices connect to the internet, security is now of great concern. IoT devices must be protected with isolated, protected boot code and firmware storage (e.g., Arm’s “TrustZone”), encrypting and authenticating communication transmissions, by detecting anomalies using Artificial Intelligence (AI), protecting the supply chain of custody for authentic hardware components, and more.
Security breaches are increasing with the propagation of IoT devices across multiple markets and industries as connected devices, contributing data from multitudes of sensors, introduce additional portals to vulnerability. Hijacking IoT and other connected devices increased in 2017 for the purpose of bit coin mining. Per Symantec’s 2018 Internet Security threat report, “As malicious coin mining evolves, IoT devices will continue to be ripe targets for exploitation. Symantec already found a 600 percent increase in overall IoT attacks in 2017, which means that cybercriminals could exploit the connected nature of these devices to mine en masse.” IoT devices are gateways to edge computing and cloud services that, when hijacked, can themselves overheat and slow down while increasing the cost of cloud services. Sadly, consumer products are often sparing on security to reduce cost while playing up user convenience.
Security for things connected to the internet include the use of passwords, isolated firmware and boot code, digital certification for verifying legitimate firmware updates, encrypted transmissions, AI for detecting anomalies, and even protecting the hardware supply chain of custody for authentic hardware components.
Arm’s TrustZone is one example of protecting IoT at the root. TrustZone creates two environments that run simultaneously on a single core as a secure area and a not-as-secure area to process software. Such rooted stacks protect both boot code and firmware at the lowest software levels. Firmware or boot code updates can be safeguarded by using a system of authentication for enabling IoT device updates only via systems that produce valid and verified digital certifications.
Encryption and Anomaly Detection
Public and private keys for security and encrypting transmissions of IoT devices to cloud servers are essential to keeping private the data that is collected by the IoT device. So-called “grayware” applications are not malicious but can leak private information including physical location, phone numbers, and copious amounts of sensor data. For example, a smartphone app used by a plant supervisor to manage operations remotely can be categorized as grayware that unintentionally leaks data by sending unencrypted performance reporting, physical IoT device locations, and other information to the plant manager on a piecemeal basis. Energy operations are often victims of intelligence gathering.
Another means of protecting data from large IoT device networks, including sensors, is a real-time inspection of accurate or legitimate data using AI. Anomaly detection algorithms run on IoT data can quickly indicate that either digital or physical tampering might be affecting input. Large amounts of data cannot be monitored by humans. Analyzing hundreds or thousands of individual data points as slightly out of range or as anomalies needing further human analysis can be done using AI. Machine learning systems now coming to market” are beginning to provide simpler interfaces that allow people other than data scientists to work with anomalies, fine tune to minimize false positives and false negatives, and otherwise manage their businesses with improved accuracy,” according to David Teich, Forbes contributor.
The Supply Chain of Custody
Authentic hardware is also key to protecting cybersecurity interests; a backdoor in the supply chain of an IoT device can compromise privacy, trade secrets, and national security. Bloomberg’s explosive article, “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” is still a controversial story, as Apple, Amazon, SuperMicro, and others denied some of the article’s claims. Nevertheless, the possibility of introducing a spy chip on production motherboards (after customers approved a design/prototype without the chip) is just one more means for stealthily compromising security. Applying military-style specifications and checkpoints for PCBs that are stuffed overseas seems draconian. However, hardware that’s accepted only with compliance testing and without close inspection provides insufficient protection. Authentic products from original suppliers must be managed throughout the supply chain using documentation with a chain of custody method. One way to ensure the purchase of original, authentic components, such as smart sensors, is to buy them from authorized distributors. Authorized distributors guarantee that the parts they sell will not be fraudulent or counterfeit.
Figure 2: Security matters throughout all layers essential to, or associated with, connecting to the internet. (Image: Microsoft.com)
Conclusion
Securing IoT is critical. As Symantec's 2018 Internet Security Threat report states, “It goes without saying, but blocking attacks at the point of entry is the most effective way of combatting targeted attacks.” Point-of-entry can be at the physical hardware level in any layer up through the entire stack of the OSI model: physical, data link, networking, transport, session, presentation, and application layers.
To learn more about this and see content live, be sure to sign up for Embedded Technologies Expo & Conference taking place this June 25-27 at the McEnery Convention Center in San Jose, CA. A myriad of sessions and workshops will be taking place during the event covering security, including:
- Pre-Conference Workshop: Security Bootcamp
- Trusted Computing Group Workshop: Let's Build in Security
- AA3: Managed & Secure Programming for the Automotive World: Securing the Connected Car with Hardware Based Security for Flexible & Secure Manufacturing Strategies
- SES4: Designing & Deploying an End-to-End Security Solution for Microcontrollers in a High-Mix, High-Volume Production Environment
You can view the complete schedule of sessions and speakers at www.embeddedtechconf.com/schedule.