How to Choose the Best Product for Your Security Requirements

The number of IoT devices has steadily outgrown  the number of humans living on this planet and is expected to keep increasing.

This same trend is true for the proliferation of interconnected electronic devices within today's industrial IoT (IIoT) systems. Digitization, ever-growing IIoT and use of operational technology across nearly every sector helps improve efficiencies and reduce costs – but it comes at the expense of increased threat potential. The repercussions of attacks can threaten our environment, risk worker safety and financially impact  organizations.

Modern industrial systems are incredibly complex, and identifying the security requirements for a given product can be daunting, to say the least. To help ease the task of pinpointing security requirements, NXP defined a comprehensive set of security definitions  in a structured, simplified framework. We call these ‘security primitives’ that you can use to find suitable products or related security standards based on use cases or high-level ideas of security requirements.

Here’s a typical example to illustrate how you can use the security primitives. Let’s say you’re designing an access control system for a smart commercial building. It generates, stores and transmits sensitive data about its occupants and their comings and goings and it requires a microcontroller that can protect the data handled at various stages of its use. Moreover, you want it to protect against hacks of the system software.

Using the security primitives, you can quickly identify the first requirement: both the long-term data storage and short-term memory needs to be protected when data on the microcontroller is stored or processed. This is covered by the “secure (encrypted) storage” primitive.

The second requirement of prevention of software hacking corresponds to the integrity and authenticity of the system software and can be linked to the “root of trust” primitive. The root of trust security property relates to the initial root of trust on the platform that is established during the manufacturing process and is the foundation for the device commissioning. This might be achieved, for instance, by manufacturing the IIoT device inside trusted manufacturing facilities, or, if available, by using pre-provisioned secure elements in a zero-trust environment.

Providing the translation from these high-level descriptions of security requirements to the corresponding security primitives is a first step to identify an NXP product that has the necessary security features to meet the requirements of the customer. This security mapping enables NXP to quickly identify which platforms and products are ideally suited for this use-case: for example, the i.MX RT1170 crossover MCU family is selected as a potential solution for this customer. Specifically, for secure storage, the i.MX RT1170 has secure non-volatile storage including tamper protection. Moreover, there is support for secure memory. The root of trust on the i.MX RT1170 is enabled by high assurance boot. With this secure boot process, the boot image is validated and the i.MX RT1170 can attest to a secure authentic state: in other words it can detect any modifications made to the software.

NXP’s security definitions serve as an entry point for gathering security functional requirements and process requirements for a particular use case. Hence, the security primitives  are a good starting point to help you map your security requirements to products in a structured way in order to find the best security solutions for your needs.

Authors

Joppe W. Bos

Joppe W. Bos is a Technical Director and cryptographer at the Competence Center Crypto & Security (CCC&S) in the CTO organization at NXP Semiconductors. Based in Belgium, he is the technical lead of the Post-Quantum Cryptography team, and has authored over 20 patents and 50 academic papers. He is the co-editor of the IACR Cryptology ePrint Archive.

Aylin Buyruk

Sara Aylin Buyruk is a member of the Competence Center Crypto & Security (CCC&S) in the CTO organization at NXP Semiconductors. Based in the Netherlands, she completed a master's degree in cybersecurity at the Eindhoven University of Technology and now works in security for Industrial & Internet of Things.