Securing Embedded Devices in the IoT Era
In this corner, a deeply embedded device with limited resources. In the other, pervasive determination to exploit connectivity for the purpose of getting up to no good.
In a recent study, Spanish security researchers reported that smart meters installed by a utility in Spain to meet government energy efficiency goals lacked basic safeguards, leaving room for hackers to carry out billing fraud or even cause blackouts. Weak encryption used in these smart meters allowed the researchers to get hold of the encryption keys used to scramble all the information that the smart meter shares with “nodes” sitting higher in the power distribution system. Using the keys and the unique identifier associated with each meter, the researchers were able to spoof messages being sent from the power-watching device to a utility company and make the smart meter under-report the energy use. Shared IDs, poor protection against tampering and data formats that would be easy to fake have been identified as problems for smart meters deployed in other countries, such as the US and the UK, too.
Just in 2014, multiple data breaches at JPMorgan Chase, Home Depot, Albertsons and others compromised in excess of 150 million accounts in the US alone. Piracy and reverse engineering of embedded devices and software also remain a big issue that costs embedded device vendors billions in lost revenues. A German Engineering Federation (VDMA) study indicates that 9 in 10 companies with over 500 employees are affected by piracy, which caused €7.9 billion in losses for the German economy in 2013 alone. In 51 percent of the cases, the complete machine was subject to plagiarism.
Clearly, the importance of connected embedded systems being impermeable to cyber-attacks, acts of industrial sabotage and data theft has become paramount. But how can one safeguard deeply embedded endpoint devices that usually have a very specific, defined mission with limited resources available to accomplish it? Embedded devices are designed for low power consumption, with a small silicon form factor, and often have limited connectivity options. They typically have only as much processing capacity and memory as needed for their tasks. And they are often “headless”—that is, there isn’t a human being operating them who can input authentication credentials or decide whether an application should be trusted; they must make their own judgments and decisions about whether to accept a command or execute a task. For example:
- In factory floor automation, deeply embedded programmable logic controllers (PLCs) that operate robotic systems are typically integrated with the enterprise IT infrastructure. How can those PLCs be shielded from human interference while at the same time protecting the investment in the IT infrastructure and leveraging the security controls available?
- Similarly, control systems for nuclear reactors are attached to infrastructure. How can they receive software updates or security patches in a timely manner without impairing functional safety or incurring significant recertification costs every time a patch is rolled out?
- IoT sensor hubs aggregate a representative data set from numerous packets of sensed data. How can these real-time operating system (RTOS)-based devices open those packets, validate their integrity, analyze their contents and verify that these actions have taken place securely without compromising the speed and performance?
The answer is in designing systems for security from the start and incorporating a comprehensive set of security features to efficiently and effectively protect devices and data throughout their lifecycle.
Designing for Security
Security cannot be thought of as an add-on to a device, but rather as integral to the device’s reliable functioning. Software security controls need to be introduced at the operating system level, take advantage of the hardware security capabilities now entering the market, and extend up through the device stack to continuously maintain the trusted computing base.
Building security in at the OS level is critical, since adding it at the user or application level is ineffective, expensive and risky. Enabling security at the OS level can also take the onus off device designers and developers to configure systems to mitigate threats and ensure their platforms are safe.
Protecting Devices at Every Stage
Security must be addressed at every stage—from boot-up to operation to data transmission to powering down (Figure 1). Being able to add hardware-based security to software-only features can help significantly harden device security overall.
Figure 1: Security throughout the embedded device’s lifecycle.
When power is first introduced to the device, the authenticity and integrity of the software on the device must be verified using cryptographically generated digital signatures to prevent the injection and execution of malicious code. In much the same way that a person signs a check or a legal document, a digital signature attached to the software image and verified by the device ensures that only the software that has been authorized to run on that device, and signed by the entity that authorized it, will be loaded. Binaries must be verified at every stage of the boot-up process. If a component fails to pass signature verification, boot must stop.
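The boot-time check described above, written out as an added example that is not code from the original article or from Wind River or Wibu-Systems: each stage image is hashed, the vendor signs the digest at build time with an Ed25519 private key, and the device walks the chain in boot order against the public key it holds in ROM, refusing to load anything after the first stage whose signature does not verify. The stage names, the image bytes and the ErrBootHalt error are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// BootStage is one link in the boot chain: an image plus the vendor's
// signature over that image's SHA-256 digest. Names are illustrative.
type BootStage struct {
	Name      string
	Image     []byte
	Signature []byte
}

// ErrBootHalt is returned when a stage fails verification; a real loader
// stops the boot here rather than falling through to the next image.
var ErrBootHalt = errors.New("secure boot: signature verification failed, boot halted")

// digest is what the vendor actually signs: a fixed-size hash of the image.
func digest(image []byte) []byte {
	h := sha256.Sum256(image)
	return h[:]
}

// SignStage is the vendor-side (build-time) step: sign the image digest with
// the vendor's private key. The device never holds this key.
func SignStage(priv ed25519.PrivateKey, name string, image []byte) BootStage {
	return BootStage{Name: name, Image: image, Signature: ed25519.Sign(priv, digest(image))}
}

// VerifyChain is the device-side step: walk the stages in boot order and
// verify each one against the public key burned into the device (ROM/OTP).
// It returns the names of the stages that were allowed to run; on the first
// failure it returns ErrBootHalt and no later stage is considered.
func VerifyChain(pub ed25519.PublicKey, stages []BootStage) ([]string, error) {
	var loaded []string
	for _, s := range stages {
		if !ed25519.Verify(pub, digest(s.Image), s.Signature) {
			return loaded, fmt.Errorf("%w (stage %q)", ErrBootHalt, s.Name)
		}
		loaded = append(loaded, s.Name)
	}
	return loaded, nil
}

// DemoBoot builds a three-stage chain from constructed images, then runs a
// clean boot and a boot in which the kernel image was altered after signing.
func DemoBoot() (cleanLoaded []string, tamperedLoaded []string, tamperErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	chain := []BootStage{
		SignStage(priv, "bootloader", []byte("constructed bootloader image")),
		SignStage(priv, "kernel", []byte("constructed kernel image")),
		SignStage(priv, "application", []byte("constructed application image")),
	}
	cleanLoaded, _ = VerifyChain(pub, chain)

	// Flip one byte of the kernel image after it was signed: the bootloader
	// still verifies, the kernel does not, and the application is never reached.
	tampered := make([]BootStage, len(chain))
	copy(tampered, chain)
	img := append([]byte(nil), chain[1].Image...)
	img[0] ^= 0x01
	tampered[1].Image = img
	tamperedLoaded, tamperErr = VerifyChain(pub, tampered)
	return
}

func main() {
	clean, tampered, err := DemoBoot()
	fmt.Println("clean boot loaded:", clean)
	fmt.Println("tampered boot loaded:", tampered, "error:", err)
}
```

The signature covers a digest rather than the raw image so that the signed object has a fixed size whatever the image length, and the verifier stops at the first failure: an unverified kernel must never get the chance to "verify" the stages after it.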
With Secure Boot, the foundation of trust has been established, but the device still needs protection from various run-time threats and malicious intentions. Preventing unauthorized execution and other forms of tampering with system code is a critical component for securing devices in operation. A solution that can decrypt (using AES or other encryption) and verify digital signatures (using Elliptic Curve Cryptography (ECC), for example) of downloadable kernel modules and real-time processes can effectively protect the integrity of the system and safeguard intellectual property from piracy and code from reverse engineering.
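The run-time loader sketched above, as an added example that is not the Secure ELF Loader or any other code from the article: a module is stored encrypted with AES-256-GCM and carries an ECDSA (P-256) signature over the ciphertext, and the device verifies the signature before it spends any work decrypting, rejecting both a blob whose bytes were altered and a blob signed with a key other than the vendor's. The module name, the plaintext bytes, the key provisioning and the ErrRejected error are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ProtectedModule is a kernel module or process image as it would sit on
// flash: AES-GCM output with the nonce prepended, plus an ECDSA signature
// over those bytes. Field names are illustrative.
type ProtectedModule struct {
	Name       string
	Ciphertext []byte // nonce || AES-GCM(ciphertext || tag)
	Signature  []byte // ASN.1 ECDSA signature over SHA-256(Ciphertext)
}

var ErrRejected = errors.New("secure loader: module rejected")

// Package is the vendor-side step: encrypt the plaintext module, then sign the
// ciphertext so the device can refuse a tampered blob before decrypting it.
func Package(aesKey []byte, signer *ecdsa.PrivateKey, name string, plain []byte) (ProtectedModule, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return ProtectedModule{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return ProtectedModule{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ProtectedModule{}, err
	}
	// The module name is bound as associated data, so a blob cannot be
	// re-labelled and loaded under a different name.
	ct := gcm.Seal(nonce, nonce, plain, []byte(name))
	h := sha256.Sum256(ct)
	sig, err := ecdsa.SignASN1(rand.Reader, signer, h[:])
	if err != nil {
		return ProtectedModule{}, err
	}
	return ProtectedModule{Name: name, Ciphertext: ct, Signature: sig}, nil
}

// Load is the device-side step: verify the signature first (no work is done
// on unauthenticated bytes), then decrypt. Any failure returns ErrRejected
// and no plaintext, which is where a loader refuses to map the module.
func Load(aesKey []byte, vendorPub *ecdsa.PublicKey, m ProtectedModule) ([]byte, error) {
	h := sha256.Sum256(m.Ciphertext)
	if !ecdsa.VerifyASN1(vendorPub, h[:], m.Signature) {
		return nil, fmt.Errorf("%w: bad signature on %q", ErrRejected, m.Name)
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(m.Ciphertext) < gcm.NonceSize() {
		return nil, fmt.Errorf("%w: truncated %q", ErrRejected, m.Name)
	}
	nonce, ct := m.Ciphertext[:gcm.NonceSize()], m.Ciphertext[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(m.Name))
	if err != nil {
		return nil, fmt.Errorf("%w: decryption failed for %q", ErrRejected, m.Name)
	}
	return plain, nil
}

// DemoLoader packages a constructed module, then loads it as-is, with one
// ciphertext byte altered, and with a signature from a key that is not the vendor's.
func DemoLoader() (okPlain []byte, tamperErr error, forgedErr error) {
	key := make([]byte, 32) // AES-256 key provisioned to the device (constructed)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vendor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	mod, err := Package(key, vendor, "drv_motor", []byte("constructed module bytes"))
	if err != nil {
		panic(err)
	}
	okPlain, _ = Load(key, &vendor.PublicKey, mod)

	tampered := mod
	tampered.Ciphertext = append([]byte(nil), mod.Ciphertext...)
	tampered.Ciphertext[len(tampered.Ciphertext)-1] ^= 0x01
	_, tamperErr = Load(key, &vendor.PublicKey, tampered)

	impostor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	forged, _ := Package(key, impostor, "drv_motor", []byte("constructed module bytes"))
	_, forgedErr = Load(key, &vendor.PublicKey, forged)
	return
}
```

Signing the ciphertext rather than the plaintext means the signature check needs only the vendor's public key and never touches decrypted data, so a device can discard a bad module without ever having the plaintext in memory; GCM's own authentication tag then catches anything that survives with the right signature but the wrong key or associated data.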
User management features are required to safeguard devices from unauthorized access and enable the definition and enforcement of user-based policies and permissions, implementing restrictions and controlling access to the device based on user credentials.
It is critical for a connected device to incorporate features to effectively secure network communications using technologies such as SSL (Secure Sockets Layer protocol), SSH (Secure Shell protocol), IPsec and IKE.
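For the secure-communications point, an added example (not code from the article or from VxWorks) contrasting a permissive TLS configuration with one a headless device should ship with, using Go's standard crypto/tls package, together with a start-up audit that refuses the permissive settings. Certificate material and the CA pool are omitted; the configuration values and finding strings are constructed for the example.

```go
package main

import (
	"crypto/tls"
)

// PermissiveConfig is the kind of configuration that "just works" in the
// lab: old protocol versions allowed, no client authentication, and peer
// certificate checks switched off. Constructed for illustration only.
func PermissiveConfig() *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS10,
		ClientAuth:         tls.NoClientCert,
		InsecureSkipVerify: true,
	}
}

// HardenedConfig pins TLS 1.2 or later, restricts TLS 1.2 to forward-secret
// AEAD suites, and requires every peer to present a certificate that chains
// to the configured CA pool (a deployment loads the vendor CA into
// ClientCAs/RootCAs; that step is omitted here).
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

// Audit returns one finding per weakness; an empty slice means the
// configuration passes. Running it at start-up keeps a debug build from
// silently reaching production with its lab settings.
func Audit(c *tls.Config) []string {
	var findings []string
	switch {
	case c.MinVersion == 0:
		findings = append(findings, "MinVersion unset: relies on the library default instead of pinning TLS 1.2+")
	case c.MinVersion < tls.VersionTLS12:
		findings = append(findings, "MinVersion below TLS 1.2: SSL 3.0, TLS 1.0 and TLS 1.1 have known weaknesses")
	}
	if c.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify set: the peer certificate is not checked, so any host can impersonate the back end")
	}
	if c.ClientAuth != tls.RequireAndVerifyClientCert {
		findings = append(findings, "ClientAuth does not require a verified client certificate: any host on the network may connect")
	}
	return findings
}
```

The audit is deliberately a whitelist of what must be true rather than a search for known-bad values, so a new setting that weakens the configuration still has to pass an explicit check.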
Technologies such as encrypted containers can help safeguard data when the device is powered down, as data in containers remain encrypted even when the device is idle or powered off.
Security and Performance In Balance
In today’s demanding market, a controller must not only deliver maximum performance, but also provide seamlessly integrated security. Strict security policies and potent firewalls prevent unauthorized intrusions. Communications and data exchange are subject to additional scrutiny through separate processes. However, the control of a smart plant needs to go beyond this traditional paradigm and offer new security features well suited to harsh environments, and fully reliable for industrial processes.
Let’s imagine a European power grid vendor that develops its own PPC-based controller running VxWorks. The production of such hardware, including the download and testing of the related firmware, would be carried out in China. It becomes mission critical to transfer the license from the vendor headquarters to the production facility through a secure channel, and maintain full control over the workflow.
The vendor can easily attain protection against know-how piracy, reverse engineering and tampering by introducing Security Profile and CodeMeter Security. In particular, IP protection would be achieved through the combined use of CodeMeter and the Secure ELF Loader from Wind River and Wibu-Systems. Reverse engineering protection would be ensured by CodeMeter’s high encryption standards, which would make it impossible to analyze the encrypted firmware. Copy protection would be the result of CmActLicense, the soft license container bound to a secure element on the embedded system. Tamper protection would be achieved through code signing performed only by authorized team members, secure boot, and signature verification by the Secure ELF Loader in VxWorks. The staff would in fact own CmDongles, in the form of CmStick for USB ports and CmCard for SD slots; the private key would be securely stored in the smart card chip, and the dongles would be configured for use with a password and set to expire after a pre-determined time.
The return on investment stems not just from ensuring optimal security standards, but also from redesigning the licensing blueprint and introducing scalable business models based on logistic efficiency and feature-on-demand dynamics, which could be realized with the Secure ELF Loader and CmActLicense.
A Safe and Secure RTOS for IoT
Powering billions of embedded devices, VxWorks® is the world’s most widely deployed real-time operating system. Enhanced by Security Profile for VxWorks, the RTOS provides a comprehensive set of software-based security features that enable manufacturers of intelligent embedded devices to deliver cutting-edge, rock-solid security in their products. The expandable, upgradable architecture of VxWorks separates the core kernel from middleware, applications, and other packages, enabling bug fixes, upgrades, and new feature additions to be performed as frequently as necessary without disrupting other technologies in an installation.
Security Profile for VxWorks is a readily expandable solution that can be enhanced with Wibu-Systems’ CodeMeter® hardware-based security to enable a comprehensive solution for security-sensitive applications. With software and hardware components as well as activation-based licensing, the joint solution delivers an optimal way to protect devices, data and IP in the Internet of Things.
Daniela Previtali is a Global Marketing Manager at Wibu-Systems, responsible for both corporate and channel marketing strategy and activities.