Unsettled by attacks on embedded devices, such as the point-of-sale terminals used by retailers including Target, and by the potential for hackers to target critical infrastructure, the industry focused squarely on security at this year’s Embedded World in Nürnberg, Germany.
Andrey Nikishin, future technologies projects director for Kaspersky Lab, said: “Through the critical infrastructure, cyber threats become physical. When it comes to the Internet of Things, unfortunately most of the devices are designed without security in mind. They are not designed to keep data private. That’s a huge concern.”
Steve Wainwright, Freescale Semiconductor’s EMEA general manager, said: “Security is something that’s going to be a big derailer. It’s not getting enough attention in end-node applications.”
John Dixon, director of corporate marketing for Freescale, added: “The internet of tomorrow is where security exists at every single node. But there are not a lot of guidelines out there for people to understand what is a secure embedded system.”
Chris Smith, vice president of marketing at Green Hills Software, warned that in the field of embedded systems, “to a large extent, security is an effort yet to be started by many companies”.
As a result, companies such as Freescale and Green Hills have embarked on education efforts. Dixon said Freescale is setting up four centers around the world that it would use to educate customers on security, with two in the US, at Austin and Phoenix, one in Shanghai, China, and the fourth to be located in Bucharest, Romania.
“These locations around the world are where we will bring in customers and show them security at every single node,” Dixon claimed.
Joe Fabbre, director of platform solutions, business development, said the most visible result of Green Hills’ security work is the Integrity separation kernel, which can be used to build a secure core that protects elements of a larger embedded system from each other in case one externally facing part is compromised.
“We often go and talk about the separation kernel. I believe it’s a strong proof point but there is so much beyond just having the secure kernel. There needs to be a secure development process. We’ve had secure development processes for a long time and we are starting to share that with a select group of customers,” Fabbre added.
“We try to take a very holistic approach. We work with customers to determine what is the security architecture, such as how you do componentization and which of those components are critical for security. It’s managing the lifecycle of a device starting from the development process. We run the gamut from design to deployment. We teach customers this is how we manage our code and this is how we test our code. We ask them things such as: what is your keying infrastructure and how are you storing the keys?”
From design to supply chain
A further question, Fabbre said, is “how are you manufacturing these devices?”, pointing to potential issues in the supply chain where manufacturers may deliberately or inadvertently allow access to attackers by revealing supposedly private keys.
To help with their security push in IoT and embedded, companies such as Freescale, Infineon Technologies and NXP Semiconductors have deployed experience gained with security in existing markets such as smartcards and military and aerospace projects. Dixon pointed to the cryptographic engines added to the QorIQ family for telecom systems and anti-tamper technologies developed for military products.
Infineon has developed security devices aimed at IoT devices using the cores the company supplies into the smartcard market, and NXP added to its LPC series a pair of ARM Cortex-M-based microcontrollers with hardware random number generators and crypto-engines.