Security breaches at the device operating system level in the Internet of Things (IoT) can have severe consequences, including steep financial losses, damage to credibility and trust, or even endangerment of human life. Several high-profile data compromises illustrate that large-scale breaches typically result from not one but multiple points of failure. Closing any one of these gaps can help mitigate a breach or at least minimize the damage.
Designing security into devices at the operating system level poses different challenges from securing enterprise software or networks. How can developers know how much security is “just enough” to protect a device without hindering performance? This article explores the criteria for determining the security requirements of devices connected to IoT infrastructures. It also presents a flexible and scalable approach for implementing cost-effective security measures.
By Dinyar Dastoor, Wind River VP and GM of Operating Systems
Securing the Point of Interaction
Device security in the Internet of Things is of paramount importance. After all, devices are the “things” in IoT that actually perform the system function and generate the data the system relies on. They are often the points at which humans interact with the system. Securing devices is particularly problematic because they are vulnerable to both physical tampering and network-borne threats.
The consequences of a compromise can be severe. Large-scale consumer identity theft can destroy a commercial enterprise’s reputation and credibility. A breach of a process controller on an industrial shop floor can cause costly downtime and safety hazards. And in the case of networked medical devices, a breach can put lives at risk.
When a large-scale breach of devices occurs, it is typically not the result of a single point of failure but a series of failures at multiple points of vulnerability. Closing the gap at any one of those points can go a long way toward preventing a breach altogether, or at least detecting an attack in progress and limiting the damage.
Developers need to address security at the device design phase, which requires identifying those potential vulnerabilities based on how and where the device will be used. There are a number of security measures device manufacturers can take. The challenge is determining how much or how little security is needed, and which measures will be most effective.
Designing for “Just Enough” Security
Designing security into devices for IoT applications poses different challenges from securing enterprise software or networks. Embedded devices generally have a small footprint, and computing resources are limited. Too much security functionality can hinder the performance of the device or the system and increase the overall cost of development. Yet too little can leave critical points unprotected. The trick is building “just enough” security to mitigate a breach—and the challenge for developers is figuring out how much is “just enough” (see Figure 1).
Figure 1. Three criteria for designing “just enough” security
The answer depends on three key criteria:
- The environment in which the device will be deployed: Is the device in a shopping mall, visible to thousands of people and at risk of tampering? Or is it behind locked doors in a secure facility? These contrasting scenarios raise different types of security considerations.
- How the device will connect and communicate: How is the device connected to a network? Will it communicate over the air via a protocol such as ZigBee or Wi-Fi, which may necessitate some form of encryption? Is it behind a firewall? Is it connected to the public Internet or to a private intranet, where it would be less vulnerable to outside interference?
- The type of data the device is storing: Is the device collecting sensitive data, such as personal financial or medical information? Or is it capturing less-sensitive information such as weather conditions? The latter case would likely require a lower level of security than the former.
Figure 2. The four pillars of device security
The answers to these questions will help you determine the security features you need to integrate into the device’s operating system to ensure the appropriate level of security. To give yourself optimal flexibility, it is helpful to use a real-time operating system that does not lock you into a set of prescribed security functions, but instead gives a menu of security functionality from which you can choose the features you need.
The Four Pillars of Device Security
In addition to addressing these three key criteria for determining the right level of security, developers need to account for security at each phase of the device lifecycle (see Figure 2).
- Design: At inception, it is critical to prevent the introduction of malicious code during the development process. Prevention measures might include signed binary delivery, which assures the authenticity and non-alteration of code, and developing on a software platform that has been certified under industrial security standards such as IEC 62443 and IEC 27034.
- Execute: In the execution phase, the goal is to establish a “root of trust” to prevent untrusted binaries from running, which in turn ensures that the right software is in place on the right hardware and that they trust each other. Establishing a root of trust might entail the use of secure boot technology and cryptographic key signatures to prevent unsigned code from executing.
- Operate: Multiple measures can be deployed to prevent malicious attacks in operation mode, including controls that prevent unauthorized access and encryption that secures network communication.
- Power down: When the device is at rest, measures such as encrypted storage and secure data containers should be in place to prevent onboard data access.
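As an added illustration of the root of trust described under Execute (my own example, not Wind River's or VxWorks code), the following Python models a hash-anchored boot chain: an immutable digest stands in for the root of trust, and each stage verifies the next before handing off, so a tampered stage and everything after it never runs. It uses SHA-256 digests in place of the public-key signatures the text mentions, and the stage names and code bytes are constructed.

```python
import hashlib
from typing import List, Optional, Tuple

HASH_LEN = 32
LAST_STAGE = bytes(HASH_LEN)  # all-zero header marks the final stage


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_image(code: bytes, next_image: Optional[bytes]) -> bytes:
    """Prepend a header holding the digest of the stage this one hands off to.
    The header is part of the image, so the parent's digest covers it and an
    attacker cannot swap in a different 'next' digest without breaking the chain."""
    header = sha256(next_image) if next_image is not None else LAST_STAGE
    return header + code


def build_chain(stages: List[Tuple[str, bytes]]) -> List[Tuple[str, bytes]]:
    """Build images leaf-first so every stage can embed its successor's digest.
    stages is ordered root to leaf, e.g. bootloader, kernel, application."""
    images: List[Tuple[str, bytes]] = []
    next_image: Optional[bytes] = None
    for name, code in reversed(stages):
        next_image = build_image(code, next_image)
        images.insert(0, (name, next_image))
    return images


def boot(root_of_trust: bytes, images: List[Tuple[str, bytes]]) -> List[str]:
    """Return the names of stages allowed to execute. The first expected digest
    comes from immutable storage (the root of trust); each later one comes from
    the header of the stage that was just verified. Verification failure halts."""
    executed: List[str] = []
    expected = root_of_trust
    for name, image in images:
        if sha256(image) != expected:
            break  # refuse to execute an unverified or altered stage
        executed.append(name)
        expected = image[:HASH_LEN]
        if expected == LAST_STAGE:
            break
    return executed


if __name__ == "__main__":
    # Constructed sample chain; in a device the root digest would live in ROM/OTP.
    imgs = build_chain([("bootloader", b"bl-code"), ("kernel", b"k-code"), ("app", b"a-code")])
    root = sha256(imgs[0][1])
    print("intact chain:", boot(root, imgs))
    tampered = imgs[:2] + [("app", imgs[2][1][:HASH_LEN] + b"altered-code")]
    print("tampered app:", boot(root, tampered))
```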
A Scalable Approach to Device Security
Security does not always require preventive measures at every point of vulnerability. Often it makes sense to start with a few measures to secure the device for deployment, then add security functionality as you progress through the device lifecycle. You can achieve this with an operating system that allows you to scale and add features over time as new threats become apparent.
Figure 3. Security Profile for VxWorks addresses the four pillars of device security
Security Profile for VxWorks® is an example of a technology that allows this type of scalable approach. Security Profile provides a set of security capabilities designed for easy integration into the core VxWorks real-time operating system.
As shown in Figure 3, the profile enhances the VxWorks Core Platform with features that address each of the four pillars of security across the device lifecycle typical of any type of networked device (the same vulnerabilities exposed in the retail breach case study).
With Security Profile, developers can select the security features they need based on their design criteria: deployment environment, communication and connectivity, and sensitivity of data stored. It enables them to implement blocking features at various levels to make it more difficult to break through security and breach the device. And it gives them the flexibility to add security functionality over time.
Security of devices has to be a prime concern of IoT system developers and device manufacturers, and needs to be addressed at the design stage. Building security into devices poses unique challenges—devices require “just enough” security to mitigate intrusions without compromising device performance.
Experience shows that attacks on devices typically exploit multiple points of vulnerability. Closing even a few of these gaps can mitigate the damage.
Fortunately, technology such as Security Profile allows developers to take a scalable approach to security, adding as much or as little as the device requires for its purposes, making it possible to control costs and deliver devices on schedule while reducing the risks of security breaches.
Dinyar Dastoor manages the Operating Systems portfolio of products at Wind River. He is actively engaged in the end-to-end elements of the Internet of Things, especially as applied to the industrial, medical, aerospace, and defense markets that require high levels of safety and security. He has nearly 30 years of embedded device industry experience, holding various senior executive positions managing product management, engineering, sales, professional services and customer support. He holds an M.B.A. and Master’s Degree in Control Systems. He is based in Wind River’s Santa Clara, CA office.