The Internet of Things Cybersecurity Improvement Act of 2020 that was signed into law this month appears to be a significant step toward increasing the security requirements for IoT devices. Device makers and OEMs should pay close attention to the activity because it sets both requirements and implementation timetables for all IoT devices used in federal systems.
The bill broadly defines IoT devices to include complex embedded systems at the high end, down to very basic devices with Internet connectivity at the low end. WINSYSTEMS and our partner, BG Networks, can be a great information resource as NIST defines the “minimum information security requirements.” More information on the bill is available in What You Need to Know About the Fed’s New Cybersecurity Law, which provides a brief overview of the bill, the timetable, and links to other resources.
WINSYSTEMS’ hardware platforms easily enable our clients to own and control the Root of Trust (RoT) for their IoT devices. Secure RoT handling can be painful and is often avoided by customers. However, RoT is critical to IoT device security. WINSYSTEMS simplifies trust ownership through good design, manufacturing, and provisioning processes. We work with partners to optimize their security solutions, and we’ve been promoting good security processes for manufacturers and OEMs for many years. Most recently, we discussed Trusted Platform Modules in the blog SWAP Enabled Rugged COTS Designs with TPM 2.0 for Embedded Systems and at least four other articles on the different security topics.
Secure from the Start
Developing a secure industrial IoT device requires a security-by-design approach, which means cybersecurity is considered from the beginning of the design process. This includes a plan for secure software development, device identification, configuration after deployment, data protection, restriction of a device’s access to networks, software updates, and cybersecurity state awareness. These aspects are called out in the NIST IoT Device Cybersecurity Capability Core Baseline document which is expected to be the basis of the minimum security requirements that NIST defines as part of this new federal IoT cybersecurity law.
In addition to considering security from the beginning, it’s imperative to develop an overall security plan for IoT devices and Edge computing that considers the system’s full lifecycle. NIST’s “Cybersecurity Capabilities” support this need since many of the functions listed are put into practice after a device has been deployed.
Managing the Vast Software Development Ecosystem
The software development ecosystem is vast, and it’s important to select toolchains and software libraries that have been verified and are available for security patches. These may be open source or proprietary solutions, as both can be made secure. However, it would be advisable to use a derivative of a major distribution or have an automated method to monitor for vulnerabilities and security patches. Most component vendors, such as CPUs, GPUs, FPGAs, and other devices, invest heavily in the open-source communities to support their devices. If an OEM isn’t monitoring for security updates on their chosen components, they put themselves at a greater security risk.
Device deployment, provisioning, and updating also need to be carefully addressed. Product requirements vary widely, and WINSYSTEMS supports a broad security-aware software ecosystem to meet our clients’ diverse needs. Our hardware platforms can help you meet your required level of security, including the management of unique identifiers, encryption keys, device health, and remote software updates.
WINSYSTEMS’ platforms, such as the ITX-P-C444 single-board computer (SBC), offer multiple forms of built-in security by leveraging features of an on-board hardware TPM-2.0 device, Secure Boot, and processors enabled with Arm TrustZone, like the NXP i.MX 8M. These security features can be used independently or collaboratively. For example, the cryptographic hardware accelerators in the i.MX8M can encrypt communications in hardware, reducing latency, and increasing network throughput. Similarly, the TPM-2.0 protects crypto secrets from exposure and tampering. These security features can be layered together with software to chain the root of trust from initial power-on up to the user application and to enable secure operation, communications, and updates.
IoT and Edge devices are deployed in the field and unfortunately, are often accessible to hackers. Hardware TPM-2.0 devices include a high level of protection to safeguard their contents from hacking and side-channel attacks, a form of tampering where power or EMI signatures are observed to steal crypto secret keys and breakthrough security.
TPM-2.0 devices are specifically designed and manufactured to resist side-channel attacks and protect their contents from all attackers. Architecting the security solution to use the TPM in combination with the i.MX8M’s security features help harden an entire system against side-channel hacking and tampering.
For more information, see the blog The IoT Cybersecurity Act of 2020: The 9 Key Points Explained by BG Networks. BG Networks specializes in software security and consulting for IoT devices, including WINSYTEMS’ platforms.