548,282 active members*
1,995 visitors online*
Register for free
Login Register

Perfection in Protection, Licensing, and Security

Five Steps Towards IoT Device Security

February 2016
Author: Wibu-Systems
Five Steps Towards IoT Device Security

This past summer, the Trusted Computing Group (TCG) published an interesting document entitled,Architect’s Guide: IoT Security. The document outlined 5 critical strategies that developers of connected devices should consider to help gauge security risks and develop appropriate security controls to manage or reduce the risks. Given the heightened awareness of the potential vulnerabilities of connected IoT devices and networks to viruses, malware, industrial espionage, and other types of cyber threats, I thought it would be a good time to review these recommendations.

As noted in the document, the security challenges presented by the IoT are many and formidable and are being widely discussed – for example, consider the unprecedented number and variety of connected devices in the near future; a patchwork of highly heterogeneous networks involving many device manufacturers; legacy equipment and industrial control systems that often co-exist with traditional IT networks; unattended and unmanaged devices that are difficult or impossible to access for physical updating; and many other potential risk areas.

To address these challenges, the TCG outlined a 5-step process to help developers build in security from the initial concept to the final product. Following is a brief summary of these 5 steps. You can download the complete document here.

Step 1: Assess IoT Goals and Risks
Gaining a full understanding of the strategic goals of the IoT deployment is an important first step towards understanding the risks. Once goals are defined, sketch an architecture diagram and show how data and control flows through the system. Add security controls to the diagram to address the salient risks. Finally, document the risks that could threaten the system, focusing on three critical security properties: confidentiality, integrity, and availability.

Step 2: Manage Identity and Integrity
Only authorized parties should be able to gain access to the system to ensure its integrity and components are not compromised. If compromise cannot be prevented, it must be readily detectable and remedied.

Step 3: Encrypt Confidential Data
Data in transit as well as stored data should be protected with encryption. For long lived systems, plan for key updates and changes in cryptographic algorithms. Carefully consider where encryption keys will be safely stored and inaccessible to unauthorized users.

Step 4: For Critical Systems, Use Hardware Security and Standards
Software bugs can be exploited to compromise IoT systems. Critical components should be protected by security hardware as this approach helps protect against malware and attacks that are typical in vulnerable software.

Step 5: Protect Limited Devices with Overlay Networks
Many IoT systems included limited devices that cannot be upgraded to include security capabilities. These systems can be protected by placing them on an “overlay network” that insulates them from attacks and protects the confidentiality of the data traffic.

I highly recommend that IoT architects read this document in more detail as well as many other resources available on the Trusted Computing Group’s website.

Also, if you are attending RSA 2016, please join us in a security session organized by the Trusted Computing Group, on February 29 from 8:30 am – 12:30 pm. During the session, Wibu-Systems and Infineon Technologies will present a live demonstration on “IP Protection and Flexible Licensing Applied to TPM Connected Devices”. In addition to all the security features that safeguard the intellectual property of your applications by binding the protected license to an Infineon OPTIGA™ TPM 2.0 in the target system, CodeMeter will also show its strength on a separate front: the monetization of your software through a lean and flexible licensing system. You’ll find more information about the demonstration here.


Blog Archiv

November 2021
October 2021
September 2021
August 2021
July 2021
June 2021
May 2021
April 2021
March 2021
February 2021
January 2021
November 2020
October 2020
September 2020
August 2020
July 2020
June 2020
May 2020
April 2020
March 2020
February 2020
January 2020
November 2019
October 2019
September 2019
August 2019
July 2019
June 2019
May 2019
April 2019
March 2019
February 2019
January 2019
December 2018
November 2018
October 2018
September 2018
August 2018
July 2018
June 2018
May 2018
April 2018
March 2018
February 2018
January 2018
December 2017
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
April 2017
March 2017
February 2017
January 2017
December 2016
October 2016
September 2016
July 2016
June 2016
May 2016
April 2016
March 2016
February 2016
January 2016