The Internet of Things Cybersecurity Improvement Act of 2020 that was signed into law this month appears to be a significant step toward increasing the security requirements for IoT devices. Device makers and OEMs should pay close attention to the activity because it sets both requirements and implementation timetables for all IoT devices used in federal systems.
The bill broadly defines IoT devices to include complex embedded systems at the high end, down to very basic devices with Internet connectivity at the low end. 91大神 and our partner, BG Networks, can be a great information resource as NIST defines the 鈥渕inimum information security requirements.鈥 More information on the bill is available in , which provides a brief overview of the bill, the timetable, and links to other resources.
91大神鈥 hardware platforms easily enable our clients to own and control the Root of Trust (RoT) for their IoT devices. Secure RoT handling can be painful and is often avoided by customers. However, RoT is critical to IoT device security. 91大神 simplifies trust ownership through good design, manufacturing, and provisioning processes. We work with partners to optimize their security solutions, and we鈥檝e been promoting good security processes for manufacturers and OEMs for many years. Most recently, we discussed Trusted Platform Modules in the blog SWAP Enabled Rugged COTS Designs with TPM 2.0 for Embedded Systems and at least four other articles on the different security topics.
Secure from the Start
Developing a secure industrial IoT device requires a security-by-design approach, which means cybersecurity is considered from the beginning of the design process. This includes a plan for secure software development, device identification, configuration after deployment, data protection, restriction of a device鈥檚 access to networks, software updates, and cybersecurity state awareness. These aspects are called out in the NIST document which is expected to be the basis of the minimum security requirements that NIST defines as part of this new federal IoT cybersecurity law.
In addition to considering security from the beginning, it鈥檚 imperative to develop an overall security plan for IoT devices and Edge computing that considers the system鈥檚 full lifecycle. NIST鈥檚 鈥淐ybersecurity Capabilities鈥 support this need since many of the functions listed are put into practice after a device has been deployed.
Managing the Vast Software Development Ecosystem
The software development ecosystem is vast, and it鈥檚 important to select toolchains and software libraries that have been verified and are available for security patches. These may be open source or proprietary solutions, as both can be made secure. However, it would be advisable to use a derivative of a major distribution or have an automated method to monitor for vulnerabilities and security patches. Most component vendors, such as CPUs, GPUs, FPGAs, and other devices, invest heavily in the open-source communities to support their devices. If an OEM isn鈥檛 monitoring for security updates on their chosen components, they put themselves at a greater security risk.
Device deployment, provisioning, and updating also need to be carefully addressed. Product requirements vary widely, and 91大神 supports a broad security-aware software ecosystem to meet our clients鈥 diverse needs. Our hardware platforms can help you meet your required level of security, including the management of unique identifiers, encryption keys, device health, and remote software updates.
91大神鈥 platforms, such as the ITX-P-C444 single-board computer (SBC), offer multiple forms of built-in security by leveraging features of an on-board hardware TPM-2.0 device, Secure Boot, and processors enabled with Arm TrustZone, like the NXP i.MX 8M. These security features can be used independently or collaboratively. For example, the cryptographic hardware accelerators in the i.MX8M can encrypt communications in hardware, reducing latency, and increasing network throughput. Similarly, the TPM-2.0 protects crypto secrets from exposure and tampering. These security features can be layered together with software to chain the root of trust from initial power-on up to the user application and to enable secure operation, communications, and updates.
IoT and Edge devices are deployed in the field and unfortunately, are often accessible to hackers. Hardware TPM-2.0 devices include a high level of protection to safeguard their contents from hacking and side-channel attacks, a form of tampering where power or EMI signatures are observed to steal crypto secret keys and breakthrough security.
TPM-2.0 devices are specifically designed and manufactured to resist side-channel attacks and protect their contents from all attackers. Architecting the security solution to use the TPM in combination with the i.MX8M鈥檚 security features help harden an entire system against side-channel hacking and tampering.
For more information, see the blog by BG Networks. BG Networks specializes in software security and consulting for IoT devices, including WINSYTEMS鈥 platforms.