Securing Edge Devices

Transcription

1 Securing Edge Devices Derrick Lavado Sr. Manager, OSBU

2 What we will cover.. Cybersecurity Risks in a Software Defined World Wind River Security Overview Introduction to Pulsar Linux 2

3 Our software has been deployed in over 2 billion devices; into environments, systems, and applications subject to the highest standards of safety, security, and performance Wind River. All Rights Reserved.

4 For over 30 years, Wind River has helped the world's most recognizable brands power generation after generation of embedded devices. 4 HERITAGE LEADERSHIP 1981: Founded 1993: IPO 2009: Acquired Leading Commercial Operating System Market Share Broadest Portfolio SCALE INVESTMENT 1,200+ Employees Presence in 20 countries 30+% of Annual Spend Is on R&D Rich History of M&A 2016 Wind River. All Rights Reserved.

5 CHEMICAL SECTOR COMMERCIAL BUILDING SECTOR COMMUNCIATIONS SECTOR CRITICAL MANUFACTURING DAMS SECTOR DEFENSE BASE SECTOR EMERGENCY SERVICES SECTOR ENERGY SECTOR FINANCIAL SERVICES SECTOR FOOD & AGRICULTURE SECTOR GOVERNMENT BUILDING SECTOR HEALTH CARE SECTOR IT SECTOR NUCLEAR SECTOR TRANSPORTATION SECTOR WATER & WASTEWATER SECTOR 6

6 Cybersecurity for the Software Defined World Each node in the end-to-end topology represents one or more attack vectors. North-South Consequences of compromise are significant. East-West age/ 6

7 Software Complexity 7

8 Effective embedded cybersecurity requires a comprehensive approach that encompasses: Silicon North-South Software infrastructure Development tools East-West 8

9 Pillars of Device Security Technological Securing a platform via hardware/software security enablement Secure communications Remote attestation Security monitoring 9 Operational Security alert and response process Security product development process Device manageability & OTA Lifecycle Software maintenance Bug fixes Security patches CVE monitoring/reporting Providing software updates over n years of a Linux LTS distribution

10 Device/Service & Communication Security Layers Intrusion Detection Intrusion Prevention SIEM Analytics Deception Security Intelligence Secure Update Mandatory Access Control / Least Privilege Cryptography Secure Boot & Initialization Identity 10 Compliance Auditing Secure Separation Role Based Access Control Key/Certificate Store Public Key Infrastructure HW/SW Identity Root of Trust Protected Networks Measured Boot & Initialization Protected Storage Protected Communications Protected Storage Crypto Acceleration Trusted Execution Environment Trusted Execution Enhanced Security Protected Access Softw are Auditing & Logging Foundational Security Hardware Silico n

11 Wind River Cybersecurity Strategy 2. SECURE COMMUNICATIONS 3. SECURITY MONITORING & MANAGEMENT North-South SECURE DEVICES & SERVICES* SECURE PROCESSES 1. Cloud / Enterprise Fog * Supports Intel consistent security capabilities Trusted Execution Intel Consistent Security HW/SW Identification Capabilities Protected Boot Protected Storage 11 East-West An Intel Company

12 Security Development Process Assessment Select and review process standards Select and review process checklists Architecture Architecture definition Architecture review Design Design definition Design review Static analysis Test execution CVE Checker Test plan preparation Manual code review Establish and review requirements baseline 12 Implement Deploy Process compliance analysis Security validation Final release review PSIRT

13 Communication and Response MITRE CERT Customers windriver.com Product Security Response Team Does Not Affect Product Applicable to Product Consolidated OLS Notification Proactive OLS Notification Defect Filed Patch and OLS Notification 13

14 Continuous Security Monitoring Alerts Fixed Releases CVE CVE CVE CVE CVE aka HeartBleed CVE aka Ghost CVE CVE aka DROWN

15 Wind River Security Solution Portfolio Simics simulation device thru system Wind River Professional Services 15 Helix Device Cloud device management Helix CarSync secure OTA updates Titanium Cloud carrier grade NFV/SDN Titanium Edge carrier grade NFV/SDN Titanium Control embedded xfv/sdx Pulsar ready-to-use embedded Linux VxWorks Portfolio real-time safety & security Wind River Linux secure embedded Linux Pulsar ready-to-use embedded Linux Device Agents connectivity, monitoring, & management Cloud / Enterprise Fog

16 INTRODUCING PULSAR Wind River Pulsar Linux is a small, high-performance, secure, and manageable container o.s. designed to simplify and speed development of IoT devices software. 16

17 Relationship between Pulsar and Wind River Linux Wind River Linux is a Distribution Builder Manufacturers Design and manufacture commercial devices Select Hardware Customize BSP Linux Platform Source code Customize, Configure, Build Board Support Package 17 Applications User-Space Libraries Profiles Wind River Linux $$$ Linux Binary Distribution Wind River Linux is designed to create distribution for any architecture and any board Fine grain control on customization for size, performance and business needs Cross build tools run on Desktop

18 Relationship between Pulsar and Wind River Linux Pulsar Linux takes care of building of binaries End Users Customize installed devices to suit individual requirements Select Hardware Customize BSP Linux Platform Source code Customize, Configure, Build Board Support Package 18 Applications User-Space Libraries Profiles Wind River Linux $$$ Pulsar Binary Distribution Pulsar Linux is customized and certified for a selected hardware Certified boards boot up with default configuration. Users can then add or delete packages

19 Containers A good balance of simplicity & isolation Virtual Machines Containers Applications Applications Applications User Space Libraries Linux Kernel User Space Libraries Virtual board User Space Libraries Linux Kernel Linux Kernel Linux Kernel Hardware Board Hardware Board Hardware Board Self-contained, independent Micro-Services Self-contained, independent Virtual Appliance Containers allow devices to be easily updated in field with very good isolation Containers allow porting of applications from other distros like Red Hat & Ubuntu 19

20 Pulsar Linux Security Binary platform with WR Linux pedigree Open Virtualization Profile Carrier Grade Profile Security Profile Wind River Linux 20 Wind River Linux secure kernel Secure Boot Linux IMA Secure backup/restore SELinux TPM 2.0 and TPM2-TSS IPsec/L2TP/PPTP VPN Rootfs & Storage encryption Package signing Secure update

21 Current Intel Security Support across the Portfolio Intel Solution VxWorks Linux Titanium UEFI Secure Boot TXT (trusted execution) (PS) FSP (fast start) (PS) (PS) (PS) PTT (platform trust/tpm) AES-NI (cryptography instructions) VTx/VTd (separation/virtualization) NX (execution protection) QuickAssist (QAT cryptography accelerators) (PS) DPDK (network acceleration and DPI) (PS) Intel NIC Virtualization (network separation) (PS) Note: Specific 21profiles PS = enabled through

22 Certified distribution, secured and extensible WR 3rd party Software Maintenance Package Repository Device Applications Package Manager agent (SmartPM, Open standard) Integrator s Pulsar Linux Hardware Board Security updates and patches are pulled from Wind River repository Additional packages & applications are easily added directly from Pulsar Linux from various repositories Self hosted builds - ability to build packages from source on the device without cross development tools 22 Provide Solution by integrating commercial hardware & software

23 Wind River Pulsar Linux for Advantech Certified binary distribution for the Advantech UTX Gateway Includes Pulsar Security Framework UTX-3115 & 3117 Gateway Container Container Manager Open JRE Node JS MQTT Modbus Helix Device Cloud Agent Additional Containers Security (secure boot - TPM) Updated with security fixes and patches Minimal Secure Kernel Complete SDK Shim loader / Grub 2.x Providing Export and IP compliance artifacts UTX-3115 Bay Trail Advantech UTX-3117 Gateway (Intel Atom X5-E3930) 23 Extensibility via packages and/or containers

24 24 Advantech UTX-3117 Gateway Intel Atom E3900 Processor Pulsar Linux pre loaded Integrated Pulsar Security Framework Includes software maintenance

25 Build vs. Buy Lower Total Cost of Ownership When considering embedded Linux for a device, it s important to take the long-term view into account. Embedded devices are often in production and in service for many years, sometimes decades. In the long run, commercial offerings that provide a reliable embedded Linux OS with support and maintenance are cheaper than maintaining a roll-your-own Linux solution in-house. Initial Investment Maintenance Hidden costs include upkeep of code base, bandwidth drain, ever-evolving compliance, and safety standards. Try our TCO calculator to see how Wind River Linux can save you up to 53% Get Started with Wind River Linux WIND RIVER. ALL RIGHTS RESERVED WIND RIVER. ALL RIGHTS RESERVED. Stay Current and Productive Long-Term Cost Control

26 Open Source IP Compliance Challenges Different File Formats Different Definitions and Terms Spreadsheets Open Source Software? Word Docs Open Source License? Text Files Public Domain? PDF Source vs. Disclosure Doc Accurate & Complete Different Record Fields License for each file? Governing package license? List of Copyright holders? Attribution notices? Dependencies? 26 XML Hardcopy

27 Useful Links How to get Pulsar Free Linux TCO Calculator Learn more about Linux security CVE Database Tool 27

28 28