This page contains a Flash digital edition of a book.
FEATURE IOT SUPPLEMENT DEFENDING A CYBER ATTACK


5. Long life cycle: The life cycle for embedded devices is typically much longer than for PCs or consumer devices. Devices may be in the field for 15 or even 20 years.


6. Deployed outside of enterprise security perimeter: Many embedded devices are mobile or are deployed in the field. As a result, these devices may be directly connected to the Internet with none of the protections found in a corporate environment.


Alan Grau, President and Co-Founder of Icon Labs discusses what is really needed to secure the Internet of Things against cyber attacks


T


here has been a lot of discussion regarding the hacking of devices and systems across


the IoT infrastructure to obtain information and data. However, just as critical are cyber-attacks against the devices themselves - attacks which take over control of the device and cause them to operate in dangerous and insecure ways. As a line of defence it is now time to establish “The Internet of Secure Things”. Unfortunately many of these systems –


thought to be safe – are still vulnerable. For instance, even though Industrial Automation and Critical Infrastructure devices are usually installed inside the secure perimeter of an enterprise network, that perimeter is porous and can be penetrated. On top of that, insider threats, whether malicious or accidental, make up 70% of cyber-attacks, and they usually originate inside that perimeter. Now part of the expanding web connected network, embedded devices are very different from standard PCs or other consumer devices. Many of them use a specialised operating system such as VxWorks, MQX or INTEGRITY, or a stripped down version of Linux. Installing new software on the system in the field either requires a specialised upgrade process or is simply not supported. In most cases, these devices are optimised to minimise processing cycles and memory usage and do not have extra processing resources available to support traditional security mechanisms. As a result, standard PC security solutions


won’t solve the challenges of embedded devices. In fact, given the specialised nature of embedded systems, PC security solutions won’t even run on most embedded devices. Use of multiple layers of protection is the


driving principle for enterprise security. It includes firewalls, authentication/encryption, security protocols and intrusion detection/


S4 Figure 1:


An unmitigated cyber attack possess serious threat to the IoT infrastructure


intrusion prevention systems. These are well established and proven security principles. Despite this, firewalls are virtually absent in


embedded systems, instead relying on simple password authentication and security protocols. This is based on assumptions that embedded devices are not attractive targets to hackers, embedded devices are not vulnerable to attacks, or authentication and encryption provide adequate protection for embedded devices. These assumptions are no longer valid; the number and sophistication of attacks against embedded devices continues to rise and greater security measures are needed. What are the challenges for implementing


the Internet of Secure Things and assuring security of embedded devices? The specialised nature of these devices presents the following challenges: 1. Critical functionality: Embedded devices control the world’s transportation infrastructure, the utility grids, communication systems and many other capabilities relied upon by modern society. A cyber-attack on these systems could have catastrophic consequences.


2. Replication: Once designed and built, embedded devices are mass produced. If a hacker is able to build a successful attack against one of these devices, the attack can be replicated across all devices. 3. Security assumptions: Many embedded engineers have long assumed that embedded devices are not targets for hackers, relying on security by obscurity. As a result, security is often not considered a critical priority for embedded designs.


4. Not easily patched: Most embedded devices are not easily upgraded. Once they are deployed, they will run the software that was installed at the factory.


/ ELECTRONICS


CYBER WARFARE AND THE MOTIVATED HACKER If there is one lesson to be learned from well publicised cyber-attacks like StuxNet, it is that hacking is not just the domain of bored teenagers, hacking drones or even the small groups of motivated hackers. When the stakes are high enough, Cyber-attacks are multi-phased, multi-year efforts carried out by large, well-funded teams of hackers or even by nation states. Hacking organisations invest significant


resources in gathering information on the device or devices they wish to attack. They hack corporate networks to steal design information. If possible, they physically obtain target devices they wish to hack and attempt to reverse engineer the device and use it to test possible attacks. It’s likely that they have attempted to obtain design information on networks and devices using other methods of espionage including attempts to hire engineers involved in designing the devices they wish to hack. A security solution for embedded devices


must ensure the device firmware has not been tampered with, it must secure the data stored by the device, secure communication and it must protect the device from cyber-attacks. This can only be achieved by including security in the early stages of design. Features that need to be considered are: • Building protection into the device itself provides a critical security layer - the devices are no longer dependent on the corporate firewall as their sole layer of security. In addition, the security can be customised to the needs of the device.


• Support for secure boot or device tamper detection requires specific hardware capabilities, so this capability must be considered prior to that decision. Since many embedded devices are deployed


outside of the standard enterprise security perimeter, it is critical that security be included in the device itself.


Icon Labs www.iconlabs.com +1 408 204 0194


Enter 216 ELECTRONICS | DECEMBER/JANUARY 2015


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56