trusted computing for iot · 9/26/2017 · security effects of industrial iot › "closed...
TRANSCRIPT
Agenda
• IoT Security
• Industrial Security
• Trusted Computing– IoT Applications– Industrial Applications
• Call to Action
2Copyright 2017 Trusted Computing Group
Definition
Internet of Things (IoT) is:
a world where physical objects are seamlessly integrated into the information network
4Copyright 2017 Trusted Computing Group
Why IoT?Smart Home Automotive Industrial ICT
Greater efficiency2
Increased flexibility and customization3
New capabilities and services1
Source: Infineon Technologies | graphics are courtesy of Infineon
5Copyright 2017 Trusted Computing Group
IoT Trend Affects All Markets
Factory automation› Industrial automation
- Motor & motion controller- Power quality- Power tools
› Industrial robotics
Smart vehicles
Smart cars› ADAS / autonom. driving› Connected car› Car security› (H)EV
Commercial, agriculture & construction vehiclesincl. Trucks & Busses› ADAS / autonom. driving› Secured connectivity› (H)EV
Smart city & energy Smart industry & business
Smartphones, tablets & PCs
Consumer Electronics & wearables› Media players, smart glasses,
smart watches› Well-being (health & fitness,
assisted living› Gaming
Smart home› Home automation incl. home
appliances› Home energy management› Home security & safety› Lighting
Smart home & consumer devices
Other businesses› e. g. Banking & securities,
education, mining, retail and wholesale, transportation and logistics
Other forms of transport › Commercial aircraft› Connected trains› Ships (ferry & container)› Light electric vehicles
Energy & infrastructure› Generation (renewables)› Advanced transmission
& distribution / storage› Utilities (water), traffic (electr.
toll collection), outdoors, government
› Environmental sensors
Building automation› Automation› Access control› Air conditioning› Elevators/escalators
Professional lighting- Building lighting - Street lighting- etc.
Data Center / Server FarmsCommunication Networks
ICT
Medical equipment› Health sensors
Diagnostics› Rehabilitation systems
Source: Infineon Technologies | graphics are courtesy of Infineon
6Copyright 2017 Trusted Computing Group
IoT ArchitectureGather data
AnalyzeSend commands
Reliably convey data and commands
Send and receive data and commands
Source: Infineon Technologies | graphics are courtesy of Infineon
7Copyright 2017 Trusted Computing Group
Each Layer can be Attacked
An Eavesdropper listening in on data or commands can reveal confidential information about the operation of the infrastructure. A Bad Device injecting
fake measurements can disrupt the control processes and cause them to react inappropriately or dangerously, or can be used to mask physical attacks.
A Bad Server sending incorrect commands can be used to trigger unplanned events, to send some physical resource (water, oil, electricity, etc.) to an unplanned destination, and so forth.
Bad Server
Bad Device
Source: Infineon Technologies | graphics are courtesy of Infineon
9Copyright 2017 Trusted Computing Group
IoT Defenses
Source: Infineon Technologies | graphics are courtesy of Infineon
10Copyright 2017 Trusted Computing Group
Industrial IoT Brings Changes
› "Lot size 1": Ability to produce highly individualized products› Cloud analysis: Enabling data mining, deep learning and cost reduction› Predictive maintenance: Based on sensor data gathered and analyzed as big data
Implications
› Greater communication within the plant and beyond› Reconfigurable, smart manufacturing equipment› New business models and opportunities› New security risks
Smart Factories / Industrial IoT / Industry 4.0
13
Security Effects of Industrial IoT
› "Closed shop floor" paradigm not applicable anymore› Security risks touch all machines with greater potential impact› Industrial security is becoming part of corporate strategies
Implications
› Strong protection required› Availability has higher priority than Confidential or Integrity› System-wide security approach required
New security paradigms
14
Industrial IoT Countermeasures
Copyright 2017 Trusted Computing Group 15
Source: Industrial Internet Security Frameworkhttps://www.iiconsortium.org/IISF.htm
graphics are courtesy of Industrial Internet Consortium
A trusted system is…predictable, even under stresstrusted based on experience and/or evidencebased on fundamental properties (identity, integrity)
What is a Trusted System?
Copyright 2017 Trusted Computing Group 17
Principle of Least Privilege Leads toRoot of Trust (RoT) Concept
• RoT = Minimized, strongly protected security function
• RoT used for highly security-sensitive functions– Generate random numbers– Store and use long-term keys– Verify system integrity
• Benefits– Reduce risks
• Compromise of long-term keys• Undetected system compromise
Copyright 2017 Trusted Computing Group 18
Trusted Platform Module (TPM)
• Standard Hardware Root of Trust• TPM = ISO/IEC 11889
• Benefits• Foundation for secure software• Resistant to attacks/hacks• Built-in virtual smart card
• Features• Authentication• Encryption• Attestation
Identity
Integrity
19Copyright 2017 Trusted Computing Group
Why Hardware?
Graph used withpermission ofCapers Jones.
Software Security is Not Enough
20Copyright 2017 Trusted Computing Group
Who Uses TPM?
• Desktops, Laptops, Tablets, Phones• Financial Services
– ATMs– Cash registers– Slot machines
• Industrial Control Systems• Cars• Network routers• Gateways• Printers
21Copyright 2017 Trusted Computing Group
• TCG standards are used in many IoT devices
• Based on this experience, TCG has developed– Common use cases– Framework showing how to use TCG tech– Implementation guidance– Demonstrations of Trusted Computing in IoT
Trusted Computing for IoT
Copyright 2017 Trusted Computing Group 22
• Who are you?
• Can I trust you?
• Can you protect yourself against malware infection?
• Can you protect yourself against hardware tampering?
• Can you protect data at rest?
• Can you prepare a device for resale or decommissioning?
• Can you safely engage in cryptographic protocols?
• Can you support common models of provisioning?
• Can you securely maintain evidence?
• Can you be managed easily?
• Can you secure legacy hardware?
Top Questions in IoT Security
Copyright 2017 Trusted Computing Group 23
TCG IoT Use Cases
• Device Identity• Secure Software and Firmware Updates• Secure Communications• Secure Data Storage• Device Resale and Decommissioning• Device Provisioning• Protecting Against Malware Infection• Maintaining Audit Logs• Remote Device Management• Securing Legacy Hardware
Copyright 2017 Trusted Computing Group 24
TCG Collaborating with IoT Industry• Formal liaison relationship with ETSI, international telecoms
standards body, for work on secure networking protocols• Formal liaison relationship with Mobey Forum to help enable
trusted mobile transactions, etc.• Working with SAE Vehicle Electrical Hardware Security Task
Force, a sub-committee of the SAE Vehicle Electrical System Security Committee re auto security requirements and solutions
• Regular input to NIST, NHTSA and other agencies and government groups
• Relationships with information assurance agencies worldwide
Copyright 2017 Trusted Computing Group 25
IoT Security Resources• TCG IoT Architect’s Guide:
https://trustedcomputinggroup.org/tcg-architects-guides
• TCG Guidance for Securing the IoT: https://trustedcomputinggroup.org/guidance-securing-iot-using-tcg-technology-reference-document
• 6 ways to Boost IoT Security article: http://ubm.io/1LahjI4
• IoT Security Groundswell article: http://ubm.io/1K7MOPW
• Practical Tips to Securing the IoT article: http://bit.ly/1K7WUTH
26Copyright 2017 Trusted Computing Group
Industrial Security Resources• TNC IF-MAP Metadata for ICS Security
https://trustedcomputinggroup.org/tnc-if-map-metadata-ics-security/
• Architects Guide: ICS Security Using TNC Technologyhttps://trustedcomputinggroup.org/architects-guide-ics-security-using-tnc-technology/
• Industrial Internet Security Framework: https://www.iiconsortium.org/IISF.htm
• ISA/IEC 62443https://www.isa.org/isa99/
Copyright 2017 Trusted Computing Group
IISF References TPM
Copyright 2017 Trusted Computing Group 28
Source: Industrial Internet Security Frameworkhttps://www.iiconsortium.org/IISF.htm
graphics are courtesy of Industrial Internet Consortium
Call to Action
1. Use Trusted Computing to Secure IoT and Industrial Systems
2. Join TCG and then Industrial Sub Group– https://trustedcomputinggroup.org/membership
3. Help Create Deliverables– Guidance for Securing Industrial Equipment– Platform Firmware Profile
For more information, [email protected]
Copyright 2017 Trusted Computing Group 31