Connected Industrial Devices – How to Protect them Against CyberAttacks
July 13, 2021
In today’s connected environment, strong data protection for IoT devices and connected machines is no longer a nice-to-have—it is essential.
Cyberattacks are on the rise. Government and industry cybersecurity legislation for IoT devices is becoming increasingly common worldwide, and network operators are beginning to require higher levels of security. To remain competitive, OEMs must address security in all their products, no matter how small or complex.
The new rule is that security must be built into devices from the early stages of product design. Manufacturers can no longer wait for something to go wrong and then scramble to fix the security problem.
Figure 1 - All connected devices and machines, in factories, industrial facilities and on the edge, need to be protected before they even roll off the assembly line. If a device is connected to the internet, it will be found and attacked by cyber criminals.
Industrial IoT solutions continue to grow and expand into almost all market and industrial niches, including manufacturing, warehousing, transportation, and logistics, as well as consumer and home electronics devices.
Most connected devices generate and collect tremendous amounts of data that must be secured against tampering and discovery. Every day throughout the world, new and dramatic cyberattacks are making headlines. It may be a case of infected PLCs ruining industrial equipment, malware that takes over and destroys a business’s system, or ransomware that steals access to a company’s records, data, and networks, forcing it to halt operations or revert to paper processes until the ransom is paid.
In many of these cases, the root causes of successful attacks are devices and machines that were developed, manufactured, shipped out and then installed with weak or non-existent security.
Some manufacturers may claim that their products and systems are immune from attack because they are not connected to the Internet. Instead, they rely on isolation using so-called “air-gapped networks” so there is no way for cyber attackers to find and target their systems. However, one of the world’s most notorious and successful attacks was via infected USB jump drives. The well-known Stuxnet attack ruined much of Iran’s uranium production by a virus that infiltrated the PLCs that controlled the centrifuges. The infected PLCs then ran the centrifuges at an extremely high speed that destroyed them, and this happened despite the PLCs being on a completely isolated or “air-gapped” network.
Other manufacturers may claim that their systems and their businesses are too small and insignificant to attack. This is simply not true. Many types of malware and viruses initiate attacks by searching for susceptible systems. These attacks are not targeting specific companies or systems; they simply search for vulnerable devices to attack.
Companies developing and building any kind of IoT-connected machines must ensure their devices are protected from these attacks. But how do they begin?
How to Design & Build Data Protection into Connected Devices
From day one of design and development, engineers need to be thinking about security. IoT security can only be achieved by integrating cyber protection directly into the device itself. Embedding the security provides a critical security layer as many connected machines are used on the edge and in the field, and cannot be dependent on a corporate firewall as their sole layer of security.
Data Security Requirements
To be truly secure, critical security capabilities must be built into the device. These include:
- Secure communication
- Data at rest protection
- Secure key storage
- Certificates and device identity
Each of these provides a critical component of security, but each is only one facet of securing a device. No one capability alone can ensure a device is protected from attack; rather, these capabilities work together to ensure the security of a device.
Secure Communication
In recent years, many embedded devices have added support for secure communication protocols such as TLS, DTLS, and SSH. These protocols provide a critical first level of defense against cyberattacks.
Security protocols that are designed to protect against packet sniffing, man-in-the-middle attacks, replay attacks, and unauthorized attempts to communicate with the device are essential beginning points for building secure devices.
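Supporting TLS is not enough if the client is configured to skip peer authentication. The following added example (not from the original article) uses Python's standard ssl module as a stand-in for a device's TLS stack and audits a client context for the settings that leave it open to the threats listed above; the function names are hypothetical.

```python
import ssl

# Added example: function names are hypothetical, not from the article.

def weak_client_context() -> ssl.SSLContext:
    """Encrypts traffic but never authenticates the server (the pattern to avoid)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # legacy versions allowed
    return ctx


def hardened_client_context(ca_file=None) -> ssl.SSLContext:
    """Requires a valid, name-matched server certificate and TLS 1.2 or later."""
    # ca_file: PEM bundle of the trusted CA(s); None falls back to the system store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return (setting, consequence) pairs for every weak setting found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(("verify_mode",
                         "server certificate not validated: man-in-the-middle possible"))
    if not ctx.check_hostname:
        findings.append(("check_hostname",
                         "certificate is not bound to the expected server name"))
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(("minimum_version",
                         "obsolete protocol versions can be negotiated"))
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "no findings")
```
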
Data at Rest (DAR) Protection
Unlike enterprise servers, IoT devices are usually not locked away in a data center. Located in the field, they are at risk of physical theft or attack. Any sensitive data stored on these devices should be encrypted to ensure it is protected from attempts to read from the device, either by copying the data from the device, or by physically removing and reading data directly from their internal flash drive.
Many IoT devices do not have the computing power to support full disk encryption, but sensitive data such as credit card numbers or patient information should always be encrypted. To protect the stored data, manufacturers need to take measures to hide the encryption keys in a protected memory space on the device. Data at Rest (DAR) protection works by encrypting sensitive data stored on the device. Even if a bad guy physically accesses the machine, they still cannot see or read the data.
Secure Key Storage
Secure boot, secure communication protocols, data at rest protection, and secure firmware updates all rely on strong encryption and certificate-based authentication.
A device must have the ability to securely store the encryption keys used to encrypt data, authenticate firmware, and support machine-to-machine authentication. If a hacker can find the encryption keys, they can then bypass an otherwise robust security solution. Secure key storage can be provided using a TPM or other Hardware Secure Element. If the device does not have a hardware module available, a software-based secure key storage method can be utilized.
PKI, Certificates and Device Identity
PKI (Public Key Infrastructure) is a set of technologies and services for managing authentication of computer systems. PKI is based on a mechanism called a digital certificate – often referred to as X.509 certificates or simply as certificates. In a way, a certificate is a virtual ID card, like a driver’s license. It provides an identity and a set of permissions and is issued by a trusted entity. For example, my driver’s license identifies me (Alan Grau), provides a picture to show that I am the proper bearer of the license, and defines my permissions as a driver of a motor vehicle. I am authorized to drive any standard passenger motor vehicle, but not certain commercial vehicles. And the license was issued by a trusted entity (the government of the State of Iowa).
Figure 3 – Much like a driver’s license, a digital certificate identifies the holder and must be renewed.
A certificate is very similar. A certificate is issued by a trusted entity (a certificate authority), contains permissions, and is used to identify the holder of the certificate. A driver’s license contains information that allows the holder of the license to be verified, just as a certificate contains the public key allowing it to be used only by the entity that holds the associated private key.
This security technology enables a connected device to verify that the certificate holder is actually the entity specified by the certificate. The result is that a device can verify, with cryptographic certainty, that the holder of the PKI certificate is truly who they claim to be and not a hacker or imposter.
Figure 4 - A security framework, such as Sectigo’s IoT Identity and Integrity platform, provides an integrated set of security building blocks.
Alan Grau has 25 years of experience in telecommunications and the embedded software marketplace. He is VP of IoT, Embedded Solutions at Sectigo, the world’s largest commercial Certificate Authority and provider of purpose-built, automated PKI solutions. Alan joined Sectigo in May 2019 as part of the company’s acquisition of Icon Labs, a leading provider of security software for IoT and embedded devices, where he was CTO and co-founder. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security.
Prior to founding Icon Labs, Alan worked for AT&T Bell Labs and Motorola. He has an MS in computer science from Northwestern University.