THE UNTRUSTED IOT
A Path to Securing Billions of Insecure Devices
Steve Hanna
Senior Principal, Infineon Technologies
Co-Chair, IoT Sub Group, Trusted Computing Group
Growing Trend of IoT Security Problems
Copyright 2015 Trusted Computing Group
We’ve Been Here Before
Photo of Armagh Rail Disaster, June 12, 1889
Untrusted Systems
Source: S E C Railway Narrow Gauge Museum of Nagpur
Trusted Systems
Source: Bruce Fingerhood
License: CC BY 2.0
Link: http://www.flickr.com/photos/springfieldhomer
What is a Trusted System?
A trusted system is…
• designed to be predictable, even under stress
• based on fundamental properties
• therefore trusted
Benefits of Trusted Systems
Source: Evans, A. W. (2003), Estimating Transport Fatality Risk from Past Accident Data, Accident Analysis and Prevention, Vol. 35, Issue 4.
Building Trusted IoT Systems
1. Build in a Hardware Root of Trust
What is a Root of Trust (RoT)?
• RoT = Minimized, strongly protected security function
• RoT used for highly security-sensitive functions
– Generate random numbers
– Store and use long-term keys
– Verify system integrity
• Benefits
– Reduce risk of compromise
• Compromise of long-term keys
• Undetected system compromise
Why Hardware?
Software Security is Not Enough
Graph used with permission of Capers Jones.
Trusted Platform Module: The Standard Hardware Root of Trust
• Hardware Security
– Trusted Platform Module (TPM)
• Benefits
– Foundation for Secure Software
– Hardened against attacks/hacks
– Built-in virtual smart card
• Features
– Authentication
– Encryption
– Attestation
• Provides: Identity, Integrity
Building Trusted IoT Systems
1. Build in a Hardware Root of Trust
2. Employ Hardware Storage Encryption
Hardware Storage Encryption
• Hardware Security
– Self-Encrypting Drive (SED)
• Benefits
– Always-on encryption
– No performance impact
– Protection against physical attacks, loss and theft
– Cryptographic instant erase/wipe
• Features
– Encryption
Building Trusted IoT Systems
1. Build in a Hardware Root of Trust
2. Employ Hardware Storage Encryption
3. Add Security Automation
Security Automation
• Security Automation Standards
– IEEE 802.1AR, TNC, TAXII
• Manage IoT Devices
• Control Network Access
• Connect Security Systems
• Benefits
– Automation for All Phases of Cyber Defense
• Preparation
• Detection
• Analysis
• Response
Building Trusted IoT Systems
1. Build in a Hardware Root of Trust
2. Employ Hardware Storage Encryption
3. Add Security Automation
4. Protect Legacy Systems
Protect Legacy Systems
• Legacy Systems
– ICS/SCADA or Old Systems
– Vulnerable to Disruption or Infection
– Need Protection
• Protection
– Place into Enclaves
– Overlay Secure Communications
– Restrict to Authorized Parties
Building Trusted IoT Systems
1. Build in a Hardware Root of Trust
2. Employ Hardware Storage Encryption
3. Add Security Automation
4. Protect Legacy Systems
TCG = Open Standards for Trusted Computing
• TCG is the only group focused on trusted computing standards
• TPM specification implemented in more than a billion devices
– Chips integrated into PCs, servers, printers, kiosks, industrial systems, and many embedded systems
• Trusted Computing is more than TPM
– Secure storage
– Security automation
– Secure mobile devices
– Secure legacy devices
Why Open Standards?
• Interoperability
• Vendor Neutrality
• Security Certification
• Lower Costs
• Ubiquity
Trusted Computing for IoT
• TCG standards have been used in many IoT devices
– Slot machines, cash registers, network routers, multi-function devices, enterprise printers/copiers, industrial control systems, kiosks, etc.
• Based on this experience, TCG has developed
– TCG Guidance for Securing IoT
– TCG Architect’s Guide for Securing IoT
– Demonstrations of Trusted Computing in IoT
TCG and Auto Security Initiative
• Initial focus on two key areas
– Electronic Control Unit (ECU) integrity
– Secure data communications
• to manufacturer
• to third parties
• to other vehicles
Secure Automotive Architecture
Vehicle
• Works as a heterogeneous cluster with ECUs
• Internal communication: on-chip bus, system bus, Controller Area Network (CAN), Media Oriented Systems Transport (MOST), FlexRay.
• External communication directly or via Gateway
Diagram: every node carries its own TPM alongside its hardware and software stack
• Head Unit / Gateway: HW (4 cores, RAM), OS, Others, Applications, TPM
• Head Unit / Gateway: HW (1~2 cores, RAM), OS, Others, Applications, TPM
• ECU (three shown): HW (1 core, RAM), Others, Application, TPM
Which TCG Technologies for Auto?
• TPM and TNC
– Create, store, and manage cryptographic keys in the ECU
– Measure and report on the integrity of firmware and software used in the ECU
– Provide attestation and assurance of identity of the ECU
– Support secure firmware and software updates in the ECU
– Provide anti-rollback protection and secure configuration memory for the ECU
• TCG TPM 2.0 Automotive Thin Profile
– Addresses unique automotive requirements
• temperature, vibration, acceleration, reliability
• limited processing, power, and memory
• long lifecycle (20 years+)
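The "measure and report on the integrity of firmware and software" and "provide attestation" items above, together with the root-of-trust functions on the earlier slide (verify system integrity, store and use long-term keys), as one added worked example. This is not code from the deck or from TCG: it models a PCR that can only be extended, a device that measures each boot stage into it and returns a nonce-bound quote, and a verifier that checks freshness, the signature, and the golden PCR value. Ed25519 stands in for the TPM's attestation key (a real TPM 2.0 quote is a signed TPMS_ATTEST structure, usually RSA or ECC), and the stage names, the message framing and the "QUOTE" label are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// PCR models one TPM Platform Configuration Register: it cannot be written
// directly, only extended: new = H(old || H(measured_data)).
type PCR [sha256.Size]byte

// Extend folds a measurement of data into the register (TPM2_PCR_Extend
// semantics; the event digest is computed here as a measured-boot log would).
func (p *PCR) Extend(data []byte) {
	digest := sha256.Sum256(data)
	h := sha256.New()
	h.Write(p[:])
	h.Write(digest[:])
	copy(p[:], h.Sum(nil))
}

// Quote is the signed report the device returns: the PCR value bound to a
// verifier-chosen nonce, signed with the device's attestation key.
type Quote struct {
	PCR   PCR
	Nonce []byte
	Sig   []byte
}

// quoteMessage is the byte string the attestation key signs. The "QUOTE"
// label and the length-prefixed nonce are an assumed framing for this example.
func quoteMessage(p PCR, nonce []byte) []byte {
	var b bytes.Buffer
	b.WriteString("QUOTE")
	b.Write(p[:])
	binary.Write(&b, binary.BigEndian, uint32(len(nonce)))
	b.Write(nonce)
	return b.Bytes()
}

// BootAndQuote simulates a device measuring each firmware stage into a PCR
// and then quoting the result. ak stands in for the TPM-resident attestation key.
func BootAndQuote(ak ed25519.PrivateKey, stages [][]byte, nonce []byte) Quote {
	var pcr PCR // PCRs reset to all-zero at power-on
	for _, s := range stages {
		pcr.Extend(s)
	}
	return Quote{PCR: pcr, Nonce: nonce, Sig: ed25519.Sign(ak, quoteMessage(pcr, nonce))}
}

// ExpectedPCR is the golden value the verifier computes offline from the
// images it shipped; the extend order matters, so a swapped stage is detected.
func ExpectedPCR(stages [][]byte) PCR {
	var pcr PCR
	for _, s := range stages {
		pcr.Extend(s)
	}
	return pcr
}

// VerifyQuote checks freshness (nonce), authenticity (signature under the
// enrolled attestation public key) and integrity (PCR equals the golden value).
func VerifyQuote(akPub ed25519.PublicKey, q Quote, nonce []byte, want PCR) error {
	if !bytes.Equal(q.Nonce, nonce) {
		return errors.New("stale or replayed quote: nonce mismatch")
	}
	if !ed25519.Verify(akPub, quoteMessage(q.PCR, q.Nonce), q.Sig) {
		return errors.New("quote signature invalid: not from the enrolled device")
	}
	if q.PCR != want {
		return fmt.Errorf("integrity mismatch: PCR %s..., expected %s...",
			hex.EncodeToString(q.PCR[:8]), hex.EncodeToString(want[:8]))
	}
	return nil
}

func main() {
	akPub, ak, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed stand-ins for the boot stages of an ECU.
	golden := [][]byte{[]byte("bootloader v1.2"), []byte("kernel v4.1"), []byte("app v7")}
	nonce := make([]byte, 16)
	rand.Read(nonce)

	good := BootAndQuote(ak, golden, nonce)
	fmt.Println("good device:", VerifyQuote(akPub, good, nonce, ExpectedPCR(golden)))

	tampered := [][]byte{golden[0], []byte("kernel v4.1 + rootkit"), golden[2]}
	bad := BootAndQuote(ak, tampered, nonce)
	fmt.Println("tampered device:", VerifyQuote(akPub, bad, nonce, ExpectedPCR(golden)))
}
```

The verifier never trusts a PCR value on its own: the nonce defeats replay of an old good quote, the signature ties the value to the enrolled device identity, and only then is the value compared. A tampered stage changes every subsequent PCR value because of the hash chaining, which is why an attacker cannot reset the register to a known-good state from software.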
Secure Update Process
1. Securely verify software configuration
2. Initiate, verify, and perform software updates
3. Gather and securely store audit logs
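The three steps above carried through as one added worked example; it is not code from the deck, from Fujitsu's prototype, or from any TCG reference implementation. An ECU confirms its running image (step 1), accepts only a newer, vendor-signed manifest whose image hash matches (step 2), and records every outcome in a hash-chained audit log (step 3). The manifest layout, its JSON encoding, and Ed25519 for the vendor key are assumptions for the example; on a real ECU the version counter and the log head would be kept in TPM NV storage, which is what gives the anti-rollback and "secure configuration memory" properties listed on the previous slide.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The format is an assumption for this example.
type Manifest struct {
	Version  uint32 `json:"version"`
	ImageSHA string `json:"image_sha256"`
}

// SignedManifest carries the encoded manifest and the vendor's signature over it.
type SignedManifest struct {
	Manifest []byte
	Sig      []byte
}

// ECU models the device side. version and logTip stand in for values that a
// real ECU would keep in TPM NV storage so software cannot roll them back.
type ECU struct {
	vendorPub ed25519.PublicKey
	image     []byte
	version   uint32
	logTip    [sha256.Size]byte // audit-log hash chain head
	Log       []string
}

func NewECU(vendorPub ed25519.PublicKey, image []byte, version uint32) *ECU {
	return &ECU{vendorPub: vendorPub, image: image, version: version}
}

// audit appends a tamper-evident entry: the chain head becomes H(prev || entry),
// so deleting or altering any entry breaks every later head value.
func (e *ECU) audit(entry string) {
	h := sha256.New()
	h.Write(e.logTip[:])
	h.Write([]byte(entry))
	copy(e.logTip[:], h.Sum(nil))
	e.Log = append(e.Log, entry)
}

// VerifyConfig is step 1: confirm the running image matches the recorded hash.
func (e *ECU) VerifyConfig(expectedSHA string) bool {
	sum := sha256.Sum256(e.image)
	return hex.EncodeToString(sum[:]) == expectedSHA
}

// ApplyUpdate is step 2: authenticate the manifest, enforce anti-rollback,
// check the image against the manifest, then commit. Every outcome is logged (step 3).
func (e *ECU) ApplyUpdate(sm SignedManifest, image []byte) error {
	if !ed25519.Verify(e.vendorPub, sm.Manifest, sm.Sig) {
		e.audit("update rejected: bad manifest signature")
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		e.audit("update rejected: malformed manifest")
		return err
	}
	if m.Version <= e.version {
		e.audit(fmt.Sprintf("update rejected: rollback to v%d (have v%d)", m.Version, e.version))
		return fmt.Errorf("anti-rollback: version %d is not newer than %d", m.Version, e.version)
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.ImageSHA {
		e.audit(fmt.Sprintf("update rejected: image hash mismatch for v%d", m.Version))
		return errors.New("image does not match signed manifest")
	}
	e.image, e.version = image, m.Version
	e.audit(fmt.Sprintf("update applied: v%d %s...", m.Version, m.ImageSHA[:16]))
	return nil
}

func (e *ECU) Version() uint32 { return e.version }

// SignManifest is the vendor side: hash the image and sign a manifest for it.
func SignManifest(vendorPriv ed25519.PrivateKey, version uint32, image []byte) SignedManifest {
	sum := sha256.Sum256(image)
	mb, _ := json.Marshal(Manifest{Version: version, ImageSHA: hex.EncodeToString(sum[:])})
	return SignedManifest{Manifest: mb, Sig: ed25519.Sign(vendorPriv, mb)}
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	v1 := []byte("ecu firmware v1") // constructed image contents
	v2 := []byte("ecu firmware v2")
	ecu := NewECU(vendorPub, v1, 1)

	fmt.Println("apply v2:", ecu.ApplyUpdate(SignManifest(vendorPriv, 2, v2), v2))
	fmt.Println("apply v1 (downgrade):", ecu.ApplyUpdate(SignManifest(vendorPriv, 1, v1), v1))
	for _, l := range ecu.Log {
		fmt.Println("  audit:", l)
	}
}
```

The downgrade case is the one that matters: the v1 manifest is genuinely vendor-signed, so signature checking alone would accept it. Only the monotonic version comparison against a counter the attacker cannot decrement stops a known-vulnerable image from being reinstalled.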
TCG IoT Demos
• Industrial control systems (SCADA) network with a TNC interface and TPM (Artec IT Solutions)
• Securing IoT sensors and actuators managed by a cloud application over the public network with TCG TNC standards and the TPM: Cisco, HSR, Infineon, Intel
• Near real-time network security with an IF-MAP-based SIEM to enable various components to monitor, evaluate and visualize the network state: Decoit and the University of Hannover
• Establishing trust in embedded systems in the IoT with a TPM 2.0 and TPM Software Stack 2.0 to determine firmware and software state: Fraunhofer SIT
More TCG IoT Demos
• A remote firmware update with integrity enabled by the TPM for automotive electronic control units: Fujitsu
• Trusted computing in a network device using the TPM for measured boot for detection of tampering of software: Huawei
• Managed IoT security from silicon to cloud with separation of hardware, software and data security capability from operational applications: Intel
• Trusted device lifecycle management for IoT devices, using enterprise key management structures for industrial controllers and vehicles: Integrated Security Services
• A secure overlay network for M2M connectivity and communications, including process control networks: Tempered Networks and PulseSecure
Product Availability
• TPMs available from four chip manufacturers
– SPI, LPC, and I2C interfaces
– Support in Microsoft Windows and Linux
• SEDs available from every drive maker
– HDD, SSD, enterprise, and USB drives
– No need for OS support
– Extensive ISV support for management
• TNC supported by most network vendors
– Switches, routers, wireless access points
– Support in Microsoft Windows and Linux
TCG Collaborating with IoT Industry
• Formal liaison relationship with ETSI, international telecoms standards body, for work on secure networking protocols
• Formal liaison relationship with Mobey Forum to help enable trusted mobile transactions, etc.
• Working with SAE Vehicle Electrical Hardware Security Task Force, a sub-committee of the SAE Vehicle Electrical System Security Committee, regarding auto security requirements and solutions
• Regular input to NIST, NHTSA and other agencies and government groups
• Relationships with information assurance agencies worldwide
IoT Resources
• TCG IoT Architect’s Guide: http://bit.ly/1RzLRa6
• TCG Guidance for Securing IoT: http://bit.ly/1J0SBZ2
• IoT Demos: http://bit.ly/1GmmNrk
• Secure auto update prototype: http://bit.ly/1Hv8On3
• Auto Thin TPM profile: http://bit.ly/1J0SWL9
• 6 ways to Boost IoT Security article: http://ubm.io/1LahjI4
• IoT Security Groundswell article: http://ubm.io/1K7MOPW
• Practical Tips to Securing the IoT article: http://bit.ly/1K7WUTH
Questions?