Industrial automation will be one of the biggest areas of spending on the internet of things (IoT) in 2019. So, how can the devices connecting the systems to the network be trusted, and what’s the best way to ensure that their industrial IoT (IIoT) systems are secure: software or hardware? In this article, we look at the case for hardware-based security as the preferred choice for IIoT and its benefits beyond just security — such as time to market, scalability, and performance and manufacturing flexibility.
An industry forecast published by International Data Corp. (IDC) highlights manufacturing, transportation, and utilities as the leading sectors expected to spend on IoT solutions in 2019 — these are the sectors typically addressed with IIoT systems. With total global spend this year expected to reach $745 billion, industries that will spend the most are discrete manufacturing ($119 billion), process manufacturing ($78 billion), transportation ($71 billion), and utilities ($61 billion). Among manufacturers, this will largely be focused on solutions that support manufacturing operations and production asset management. In transportation, more than half of IoT spending will go toward freight monitoring, followed by fleet management. IoT spending in the utilities industry will be dominated by smart grids for electricity, gas, and water.
Hardware spending will be about $250 billion, led by more than $200 billion in module/sensor purchases. Given this growth, the potential risk from cyberattacks will also increase significantly. System developers will be looking to rapidly deploy security technology, with both hardware and software solutions available on the market. A key factor determining which route to go is essentially around vulnerability.
Software is arguably much more vulnerable because it can more easily be analyzed by attackers to undermine security. On the other hand, hardware security chips are more likely to be tamper-resistant and have additional features that can efficiently prevent attacks. This includes protected processing and storage of software, code, and data — enabled through encrypted memory and processing, fault and manipulation detection, and secure code and data storage. Hence, the software running on the secured hardware can also then be protected from reading, copying, and cloning and from being analyzed, understood, and sabotaged.
What the standards say
International industry standards like IEC 62443 require hardware security for the highest levels of security, as do the National Institute of Standards and Technology (NIST) and the Industrial Internet Consortium (IIC). The NIST “Platform Firmware Resiliency Guidelines” talk about the functions of the roots of trust (RoTs) and the chains of trust (CoTs) needing to be resistant to tampering attempted by any software running under, or as part of, the operating system on the host processor. It explicitly states that information transferred from the software on the host processor to the platform firmware should be treated as untrusted.
The RoT is the foundation of security and resiliency in an industrial control system and serves as an anchor in a CoT. Generally, successive elements are cooperative in maintaining the chain of trust started by the RoT. Components in a chain of trust have the privileges not available to less trusted software to perform security-critical functions like carrying out device updates. RoTs and CoTs may have mechanisms to relinquish these privileges once the security function is complete or if it is determined that the security function is not required. A CoT may also relinquish privileges before passing control to a non-cooperative element.
Because RoTs are essential to providing critical security functions, they need to be secure by design. Major considerations for determining confidence in RoTs are an analysis of the attack surface of a RoT and an evaluation of the mitigations used to protect that attack surface. The responsibility of ensuring the trustworthiness of an RoT is on the vendor that provides the root of trust. Vendors typically protect RoTs by either making them immutable or by ensuring that the integrity and authenticity of any changes to RoTs are verified prior to performing such updates. Often, RoTs run in isolated environments, at greater privilege level than anything that could modify it, or complete their function before anything can modify it to ensure that devices cannot compromise their behavior during operation.
Offering more than just security
Steve Hanna, senior principal at Infineon Technologies, highlights why hardware-based security is the most secure and how it provides more than just the security aspect. He commented, “Hardware-based security not only implies tamper-resistance, but it also enables benefits in terms of time to market, scalability, and performance. It also plays a part in protecting against theft and counterfeiting through the logistics supply chain. A dedicated security chip, which is evaluated by independent security testing laboratories and certified by international institutions, can be used as a building block to carry out cryptography and reduce the overall complexity of your design. This can reduce time for security implementation to just weeks rather than months.”
Haydn Povey, a board member on the IoT Security Foundation and CEO and founder of Secure Thingz, added, “You need to be able to build a root of trust, and hardware is better placed to enable an immutable boot path. You have more control with the hardware root of trust, and it provides an audit path. Hardware enables the secure enclave, can run fundamental boot services like the secure boot manager, and can bring the device into a known good state should it be required.”
He said that from a “secrets” perspective, a trusted ecosystem is essential. A silicon vendor is well placed to provision the secure elements of a device, or the keys can be injected by an OEM. For volume quantities, the chip company can provision these at wafer-level, but for lower quantities, part of the trusted ecosystem would include distributors such as Arrow, who can then provide the programming of the secure elements.
Infineon’s Hanna is keen to emphasize the time-to-market aspect of utilizing hardware-based security. The argument is that there are building blocks already available from some silicon vendors, and these hardware security chips are often evaluated by independent security testing laboratories and then security-certified. Certification can prove the highest barriers to attackers looking to penetrate a chip’s defenses.
By deploying these independently tested chips, the ready-made solutions can help a designer quickly add functions like hardware protection for device authenticators or protecting supplier keys and data as roots of trust (see chart). This is particularly appropriate because it’s often the case that IIoT security requires a huge learning curve, so by using devices already available, this can take a lot of the pressure and time off of the development work.
Chart: Infineon’s OPTIGA product family provides a range of security chips for authentication and other functions. (Source: Infineon Technologies)
Scalability, performance, and manufacturing flexibility
With the growth in industrial IoT highlighted for 2019 at the beginning of this article, in addition to time to market, scalability is also a key requirement. Hardware-based security devices lend themselves well to scaling for different performance levels, different security levels, and different platforms. In order to protect the integrity, authentication, confidentiality, and availability of products and data being handled by the system, the same discrete security controller could be deployed across an entire product portfolio. This has the benefit of providing assurance of the same level of security implementation across a number of products.
Performance can be a real concern when adding security to a device. This is where the hardware approach can provide significant advantages over software-based solutions for functions such as secure storage and calculations. An example might be in securely hiding the calculation carried out by a cryptographic key: A dedicated tamper-resistant chip will complete the calculation in one pass because it’s happening in a protected environment, but getting the same level of security with a software solution could require multiple “cover-up” operations to hide the key during calculation — thus impacting both performance and power consumption.
Manufacturing supply chain logistics can present a significant challenge for IoT device manufacturers because devices and their private keys could be susceptible to theft and counterfeiting. The security concept in most IoT devices is based on injecting a key pair, one public and one private, providing a unique identity to be assigned to a device that, in turn, enables it to be authenticated within a network and allocated access according to its privileges. But the way that many manufacturing operations are set up as part of global supply chains, it is possible that if private keys are intercepted or stolen along their route, then it’s possible for someone outside the system to manufacture counterfeit devices, resulting in a potential threat to system security. This is where hardware-based security can offer secured tracking on a value chain and offer manufacturing flexibility being that the chip can be interrogated at appropriate points to verify authenticity.
Ultimately, Hanna commented, hardware-based security offers significant benefits for connected devices and systems in IIoT. “Even if an attacker did get in, they can’t easily decipher what’s happening in the chip. Our security technology can make it extremely difficult for an attacker to find or probe those vulnerabilities.”
>> This article was originally published on our sister site, EE Times: “Why Hardware Security is the Preferred Choice for IIoT.”