524,329 active members*
2,974 visitors online*
Register for free
Login Register
WIBU-SYSTEMS Blog

Perfection in Protection, Licensing, and Security

Protecting Industrial Internet of Things Endpoints

December 2016
22
Author: Wibu-Systems
Company: WIBU-SYSTEMS AG
Protecting Industrial Internet of Things Endpoints

An attack to an Industrial Internet of Things (IIoT) system typically starts with an attack on one or more endpoints. In many cases, an attacker will try to access the execution code and attack the weakest point in the devices’ security implementation, then modify or replace the execution code with malicious intent.

To better understand the method of attacks, and develop security mechanisms to protect against them, it is important to understand the nature of the endpoint itself. In most simple terms defined by the Industrial Internet Consortium (IIC), an endpoint is a component that has an interface for network communication. Endpoints are everywhere in the IIoT landscape and not restricted to a single location. Endpoints are the only place in an IIoT system where execution code is stored, started and updated and data is stored, modified or applied. A single device can have several endpoints because it can have several communication points. A router, for example, typically has a LAN endpoint and WAN endpoint and code data is frequently shared between multiple endpoints.

There are many security threats and vulnerabilities that can be exploited in an IIoT endpoint and developers must be aware of the possibilities. In hardware components, the processor could be replaced with a fake, memory corrupted and peripheral devices falsified. The boot process is a critical vulnerability point since if tampered with, all processes executed after the boot are in jeopardy. The operating system itself can come under attack and programmed to run improperly. Applications and their APIs are vulnerable and can be programmed to accept illegal parameters. Even code from applications that run outside the OS, like a virus checker, can be tampered with and serve as the entry point for malicious code. Other vulnerabilities can be exploited in the runtime environment, hidden in code used from third parties, and exploited during configuration, deployment and management.

There are several important elements to consider in securing IIoT endpoints.

First, developers must start with a clear design of the security model and policies. They must define endpoint identity, authorization and authentication. A proper data protection model must address integrity and confidentiality for shared data-in-rest as well as data-in-use. Secure hardware, BIOS and roots of trust should include the consideration of the hardware lifecycle, BIOS updates and consistent root of trust. Select a secure OS, hypervisor and programming language and consider Isolation principles that are easy to implement and guarantee security in the most critical areas. Developers should also plan for secure remote code updates and ensure code integrity to prevent malicious remote code hijacking.

Beyond the basic security definitions and considerations, developers should build-in security configuration and management to ensure the appropriate replacement of updating of encryption keys and certificates and assignment of future access rights and authorizations.

Finally, it is imperative that the development team is experienced in security implementations and has the latest version of development tools, OS, Hypervisors, and libraries at their disposal.

The IIC has recently presented an endpoint protection/security model and policy in its Industrial Internet Security Framework (IISF) document. The technical report is an in-depth cross-industry-focused security framework reflecting thousands of hours of knowledge and experiences from security experts, collected, researched and evaluated for the benefit of all IIoT system deployments. The key areas of focus include endpoint data protection, physical security, root of trust, endpoint identity, access control, monitoring and analysis, secure configuration and management, and integrity protection. You can download the complete document for free.

Blog Archiv

July 2020
June 2020
May 2020
April 2020
March 2020
February 2020
January 2020
November 2019
October 2019
September 2019
August 2019
July 2019
June 2019
May 2019
April 2019
March 2019
February 2019
January 2019
December 2018
November 2018
October 2018
September 2018
August 2018
July 2018
June 2018
May 2018
April 2018
March 2018
February 2018
January 2018
December 2017
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
April 2017
March 2017
February 2017
January 2017
December 2016
October 2016
September 2016
July 2016
June 2016
May 2016
April 2016
March 2016
February 2016
January 2016