IoT: It's All About Security
Colin Walls
colin_walls@mentor.com
Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Fashions in Embedded Software
- C++
- Windows CE
- Java
- Eclipse
- UML
- low power design
- IoT

Home Automation: Introducing IoT
Merry Christmas!

Wearables: Indirect IoT

Defining IoT Devices
- Standalone: For purpose-built device, no network connection
- Connected: Networked device with limited capabilities and one-way access
- Managed: Monitor, Configure, Update

[Figure: network tiers PAN, LAN, WAN and cloud services; example: "Open fridge, remind me to track food eaten"]

Safety vs Security
- Safety: Protecting the world from the device
- Security: Protecting the device from the world
- The two can be related: e.g., a security breach could result in a safety issue

Security Standards
Industrial Automation
- ISA/IEC 62443:EDSA: www.isa.org/isa99/
Federal Mandate
- U.S. Federal Executive Order (EO) 13636: www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
Power Grid/Smart Grid
- NERC CIP: www.nerc.com/pa/stand/pages/cipstandards.aspx
- NIST IR 7628: www.nist.gov/smartgrid/upload/nistir-7628_total.pdf
- NITRD (Tailored Trustworthy Spaces): www.nitrd.gov/pubs/nitrd_tts-smartgrid_workshop_2011.pdf
- OMG Security Fabric: http://sfsig.omg.org/index.htm

Security Building Blocks
Harden the device
- Hypervisor
- TrustZone
- Secure boot, attestation, anti-tamper
- Leverage hardware security features (TPM/TEE, secure device ID, crypto acceleration)
Protect the data
- Data encryption, key and password obfuscation
Secure the communication path
- Security protocols
- Mutual authentication
- Firewall
Enable visibility and management
- Management system integration (policy management, event reporting)
- Secure firmware updates, key management

Security Building Blocks: Virtualization
Embedded hypervisors
- High performance, e.g. runtime and boot time
- Strong isolation
- Highly robust
Security
- Strong isolation and containment of guests
- Secure critical information and software
- Based on hardware such as ARM TrustZone
Consolidation and Widespread use of open source software
- Embedded Linux gaining widespread adoption
- System robustness allowed by separation
- IP protection provided through system partitioning
[Figure: hypervisor hosting three guests: Linux with apps (Mem, vdev, vcpu, vcpu), RTOS with app (Mem, Dev, vcpu), BME with app (Mem, Dev, vcpu); hardware below: CPU, CPU, Memory, Devices]

Additional Virtualization Benefits
- Security and Robustness: Isolation of critical software from the rest of the code, reducing the burden of testing and re-certification
- Licensing and IP Separation: Partitioning of software with incompatible licensing terms, and protection of proprietary IP from open source licensing terms
- Software Reuse: Upgrade path from an RTOS-based device to one that incorporates Linux, leveraging the Linux software ecosystem while preserving legacy investment
- Real Time Performance: Devices that take advantage of the Linux ecosystem and its wealth of existing functionality could benefit from the real-time responsiveness of a BM guest
- Fast Startup: Starting VMs in a particular order would help with a staged boot process

Securing Embedded Device Data
- Data at rest: the device is off; how is the data protected?
  Anti-tampering, encrypted files and databases, trusted boot
- Data in use: while being generated or processed, is it secured?
  Obfuscation, chain of trust, attestation, ADRING, TrustZone, MMU-based protection methods, user privileges and secure file systems
- Data in transit: leaving the device, is it being hijacked?
  Encryption, tunneling protocols, VPN, SSL, IKE/IPSEC, denial of service, firewall

When to address device security?
Securing an IoT device is not just a matter of selecting the right processor and software; one has to be concerned with many aspects of the device lifecycle!
[Figure: device lifecycle and the vulnerability landscape: Design, Production, Deployment, Operation & Maintenance, Destruction or disposal]
Data needs to be protected at rest, in use and in transit at all phases!
Cryptography Security!

Thank you
Colin Walls
colin_walls@mentor.com
http://blogs.mentor.com/colinwalls