FEATURE Industry 4.0
Defending and protecting IoT
By Stephane di Vito, Senior Principal MTS, Robert Muchsel, Fellow, and Don Loomis, Vice President, all from the Micros, Security & Software division at Analog Devices
Ten billion IoT nodes are connected today – that’s more than ten times as many as just a decade ago – with the trend showing further growth.
However, the growing number of IoT nodes also creates opportunities for attackers; the estimated annual cost of cyberattacks is over a trillion dollars today, and likely to rise. Therefore, security considerations are essential to continue the successful scaling of the IoT. Companies must protect their data and that of their customers. Also, connected devices are subject to government regulations, such as FDA rules for medical devices, US/EU cybersecurity requirements for Industry 4.0 critical infrastructures, and several new emerging standards for the automotive industry. All these push for higher and higher levels of security.
Secure nodes
Creating a secure IoT node begins with a “root of trust”, also known as “Secure Element” – a small affordable integrated circuit (IC) designed to offer security-related services to the node. Its goal is to ensure that the secret keys used for data encryption or digital signatures are protected against disclosure. Examples include data encryption for preserving confidentiality and digital signatures to ensure information integrity and authenticity. The biggest challenge for “root of trust” security ICs is resistance against physical attacks, such as direct probing and so-called side-channel attacks.
Physically unclonable function
Memory technologies like EEPROM or Flash used in general-purpose microcontrollers easily succumb to direct probing of the circuits’ internals. Attackers use something called scanning electron microscopy (SEM) to gain access.
The semiconductor industry has responded with the “physically unclonable function”, or PUF, technology. It derives a unique key from the intrinsic physical properties of the chip, properties that are far more difficult to probe directly. In some instances, the PUF-derived key encrypts the rest of the internal memory of the root of trust and, therefore, protects all other keys and credentials stored on the device.
Side-channel attacks are even cheaper and less intrusive. They leverage the fact that electronic circuits tend to leak a signature of the data they are manipulating, via the power supply, radio or thermal emissions. The subtle correlation between measured signals and the processed data can lead to successfully guessing the value of a secret key after a moderately-complex statistical analysis when the circuit uses that key, say, to decrypt data. A root of trust is explicitly designed to prevent such data leakage using various countermeasures.
20 December/January 2023 | Automation
Security IC example
The benefits of a hardware-based “root of trust” become evident in the type of secure applications shown in the figure above, for a medical application. The protocol is a simple challenge/response authentication:
1. The meter requests a challenge from the pump in preparation for sending a command.
2. The pump challenges the requestor with a random number, R.
3. The meter uses its private key to sign the command, the random number R, and some fixed padding. This operation is deferred to the “root of trust” of the meter.
4. The pump verifies that the signature is correct and that the random number is the same number it sent out earlier to avoid the trivial re-sending of a valid command.
In addition to the fact that every new attempt at sending a command requires a new random number, the security of this protocol relies on the secrecy of the private key used to authorise commands and the integrity of the public key used to verify the authorisations. If these keys were stored inside common microcontrollers, they could be extracted or manipulated, and fake meters or pumps could be manufactured, potentially endangering the patients’ safety. In this case, “root of trust” ICs make it much more difficult to counterfeit meters or pumps, manipulate the credentials, or tamper with the communications protocol.
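
The four-step exchange described above, as an added Go example that is not from the original article, showing why a fresh R defeats re-sending of a captured command. Ed25519 as the signature scheme, the padding string, the `SET_RATE 5` command and the names `Pump`, `Message`, `Challenge` and `Execute` are assumptions; the private key held in software here stands in for the one kept inside the meter's security IC.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

const padding = "PUMP-CMD-AUTH-V1" // fixed padding; constructed value

// Message is what the meter signs in step 3: padding || command || R (padding and R are fixed-length).
func Message(cmd string, r []byte) []byte {
	return append(append([]byte(padding), cmd...), r...)
}

// Pump holds the meter's public key and at most one outstanding challenge.
type Pump struct {
	MeterPub ed25519.PublicKey
	pending  []byte
}

// Challenge is step 2: a fresh 32-byte random number R for each command.
func (p *Pump) Challenge() ([]byte, error) {
	r := make([]byte, 32)
	if _, err := rand.Read(r); err != nil {
		return nil, err
	}
	p.pending = r
	return append([]byte{}, r...), nil
}

// Execute is step 4. R is consumed before the signature is checked, so a
// captured (command, R, signature) triple is never accepted a second time.
func (p *Pump) Execute(cmd string, r, sig []byte) bool {
	if p.pending == nil || !bytes.Equal(r, p.pending) {
		return false
	}
	p.pending = nil
	return ed25519.Verify(p.MeterPub, Message(cmd, r), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // priv belongs in the meter's security IC
	pump := &Pump{MeterPub: pub}
	r, _ := pump.Challenge()
	sig := ed25519.Sign(priv, Message("SET_RATE 5", r))
	fmt.Println(pump.Execute("SET_RATE 5", r, sig), pump.Execute("SET_RATE 5", r, sig)) // true false
}
```
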
Benefits of dedicated security ICs
Overall, a sound node device design will cause the cost of breaking a device to be much higher than the potential rewards for the attacker. The benefits of an architecture relying on a dedicated security IC are many:
• IoT security is an endless battle. Attack techniques keep improving but, at the same time, security IC vendors continue to enhance their countermeasures so that the ICs remain extremely costly to attack. The security of a connected device can be increased by upgrading the security IC with little impact on the overall device design and cost.
• Concentrating the critical functions in a strong, tamper-proof physical environment separated from the application processor allows for an easier “proof of security” when evaluating regulatory compliance. Isolation also makes it harder to leverage weaknesses in the device’s application processor, which are very difficult to detect and remove entirely.
• Ensuring the security of an IoT node across its entire life cycle is easier when the security IC is commissioned early by the security IC vendor. This approach eliminates the need for sharing critical information with contract manufacturers, and a secure personalisation flow and OTA updates are made possible. Overbuilding and cloning become much harder, as well.
CONTACT:
ADI
www.analog.com
automationmagazine.co.uk