Enabling trust in the Internet of Things era
At the end of 2014, Gartner stated that there could be as many as 4.9 billion connected ‘things’ in use this year alone. That’s a lot of devices collecting and sharing data with each other to control the environment around us. And it is a potential security nightmare for consumers, equipment manufacturers and infrastructure owners alike. How can we trust the devices we use, the networks they connect to and other devices that they interact with?
As an individual, we want to be sure our private data stays secure, whether on our own mobile phone, over the internet or when stored in the cloud or a company’s database. And we want our devices to be protected against viruses or hacks that could not only give others access to our information but cause them damage as well. But at the same time, security should be invisible, as we don’t want to have to remember lots of passwords or constantly authenticate transactions using complicated security procedures.
For equipment manufacturers, there are issues around liability. Who is to blame when a product gets hacked? And how much damage could a security breach do to your brand and market share? Infrastructure owners face similar challenges around liability and reputation. Additionally, a security breach could cause significant downtime or damage to the network, connected devices and services.
Addressing all security aspects
How can we best address all these different aspects of security? According to the World Economic Forum’s 2015 Industrial Internet of Things report, “Organisations will need new frameworks that span the entire cyber physical stack, from device-level authentication and application security, to system-wide assurance, resiliency and incidence response models.’’ There are a variety of aspects to security which can be examined to identify the best solution with the smallest investment and cost.
The level and uncertainty of cost is biggest when a security breach actually happens. For companies this is not only the cost of recovery from a breach but also the harm to the brand, impact on market share and the potential legal costs resulting from a breach.
Key management and certification are ongoing processes that pose considerable costs and have some uncertainty. For key management, it is necessary to secure production lines which could have an impact on production flow, manufacturing flexibility and even the project schedule. The certification process can be even more problematic through, for example, delays due to needing to recertify a product as a result of a patch.
Yet all these costs could be easily reduced through investment in a good security design. That does not mean simply downloading a cryptographic software stack. There are too many examples of where software vulnerabilities have resulted in security breaches, with the ‘Heartbleed’ bug being one of the most recent.
Towards a unique and strong device ID
Authentication is a key requirement of a good security design and is critical for building trusted infrastructures. But authentication requires cryptographic techniques to prove identity of devices and high tamper resistance to protect a device or sensitive information stored on it.
Embedding hardware security solutions addresses system and device security by isolating crypto operations and keys in tamper resistant hardware. This is a major step towards raising overall system security and trust in the system.
Also, security modules like these significantly facilitate secure deployment and management of equipment in the field. Only by improving the security design of equipment can we create the levels of trust needed for IoT connected embedded systems. Does that mean spending a little more on security design? Yes it does. But would you rather have a quantifiable additional design cost at the start of your project, or deal with the potentially massive fallout from a major security breach due to a vulnerability in your product or system?
By Denis Noel, Global Segment Marketing Manager and head of Industrial Cyber Security Solutions at NXP Semiconductors.