At the end of 2014, Gartner stated that there could be as many as 4.9 billion
connected ‘things’ in use this year alone. That’s a lot
of devices collecting and sharing data with each other to control the
environment around us. And it is a potential security nightmare for consumers,
equipment manufacturers and infrastructure owners alike. How can we trust the
devices we use, the networks they connect to and other devices that they
interact with?
As an individual, we want to be sure our private data stays secure, whether on
our own cell phone, over the Internet or when stored in the cloud or a
company’s database. And we want our devices to be protected against
viruses or hacks that could not only give others access to our information but
cause them damage as well. But at the same time, security should be invisible,
as we don’t want to have to remember lots of passwords or constantly
authenticate transactions using complicated security procedures.
For equipment manufacturers, there are issues around liability. Who is to
blame when a product gets hacked? And how much damage could a security breach
do to your brand and market share? Infrastructure owners face similar
challenges around liability and reputation. Additionally, a security breach
could cause significant downtime or damage to the network, connected devices
and services.
Addressing all security aspects
How can we best address all these different aspects of security? According to
the
World Economic Forum’s 2015 Industrial Internet of Things report, “Organizations will need new frameworks that span the entire cyber
physical stack, from device-level authentication and application security, to
systemwide assurance, resiliency and incidence response
models.’’ There are a variety of aspects to security which can
be examined to identify the best solution with the smallest investment and
cost.
The level and uncertainty of cost is biggest when a security breach actually
happens. For companies this is not only the cost of recovery from a breach but
also the harm to the brand, impact on market share and the potential legal
costs resulting from a breach.
Key management and certification are ongoing processes that pose considerable
costs and have some uncertainty. For key management, it is necessary to secure
production lines which could have an impact on production flow, manufacturing
flexibility and even the project schedule. The certification process can be
even more problematic through, for example, delays due to needing to recertify
a product as a result of a patch.
Yet all these costs could be easily reduced through investment in a good
security design. That does not mean simply downloading a cryptographic
software stack. There are too many examples of where software vulnerabilities
have resulted in security breaches, with the ‘Heartbleed’ bug
being one of the most recent.
Towards a unique and strong device ID
Authentication is a key requirement of a good security design and is critical
for building trusted infrastructures. But authentication requires
cryptographic techniques to prove identity of devices and high tamper
resistance to protect a device or sensitive information stored on it.
Embedding hardware security solutions like our A70CM turnkey security solution
addresses system and device security by isolating crypto operations and keys
in tamper resistant hardware. This is a major step towards raising overall
system security and trust in the system.
Also, security modules like these significantly facilitate secure deployment
and management of equipment in the field. Only by improving the security
design of equipment can we create the levels of trust needed for IoT connected
embedded systems. Does that mean spending a little more on security design?
Yes it does. But would you rather have a quantifiable additional design cost
at the start of your project, or deal with the potentially massive fallout
from a major security breach due to a vulnerability in your product or system?
