Are You Including this Essential Part of IoT Security?

Hardware-based security eliminates numerous threats and helps you safeguard devices, networks and data. Explore effective defenses with Infineon.

My name is Stefania Boiocchi. I'm the business development manager for IoT security at Infineon Technologies. And today I want to talk to you about why hardware-based security is essential for IoT.

But let's start with defining IoT. There are many definitions out there. At Infineon we define it as a world where physical objects are seamlessly connected and introduced into the information network. That is to say this is where the physical world and the cyber world merge. Now, why do we care about IoT? Well, we care because of the bottom line, because of increased profits, because of increased business value that IoT promises and is already delivering.

It's affecting market segments, all market segments in different ways. And systems do look, at times, different depending on the market segment. But let's look at what an IoT system typically looks like. Because there's certainly commonalities across these segments. In an IoT system you'll always have devices. These devices are connected via a network to servers or the cloud, what's also known as the cloud. And they're connected in a way that devices send information up to the cloud and the cloud sends information back to the devices.

So these devices can either be sensors or actuators depending on whether they're sending data or responding to data. The business value derives from this interaction, derives from gathering data, analyzing data and creating new business models, new revenue streams for manufacturers, for service providers. If, that is if, the system behaves in an intended way.

Now, unfortunately, devices that were not previously meant to be connected now are, and are unfortunately exposed to significant risk in several of the IoT systems that are deployed. So there are unintended ways that IoT systems can function. And let's look at what these unintended ways and threats are for IoT systems.

So, what could go wrong basically in an IoT system? Well, a device could become infected and therefore send wrong information up to the cloud and maybe disrupt the control process that the system was intended to function with. A bad device can be introduced in the system. A fake device can be introduced in a system and eavesdrop on a network, eavesdrop on confidential information on privacy data. A bad server can also be introduced in the equation.

Servers can be infected and if the cloud or servers get compromised, then basically it can take control over devices, over the edge, the edge devices. And this can obviously cause problems. I mean, we've all read about web cam devices that all of a sudden become spying devices. We've read about attacks on industrial plants, causing significant disruption. These are all real life examples that have happened and have exploited attacks and methodologies similar to the ones that I just described.

Now, why do we care about security and why do we want to prevent this from happening? Because, obviously there's a lot at stake with systems that may be part of a critical infrastructure or part of industrial systems. So we care about the reliability that these systems need to have. We care about privacy and we care about safety. And obviously we care about the revenue opportunities that we want to derive out of IoT.

So, how can we prevent this from happening? Well the good news is that there are countermeasures that can be brought to mitigate these threats and prevent them. There are several of these and depending on systems, some may be more suitable than others for this purpose. Now, let's look at authentication.

Authentication is a common, very common defense that can serve almost every IoT system that's out there. And devices need to be able to authenticate to what they're talking to, they need to be authenticated by devices that are talking to them. Authentication cannot rely on user name and password. User name and password does not work for IoT. We need authentication that's based on cryptography. And cryptographic methods rely on keys that need to be kept secret as long as certificates or - confidential secret material that needs to be guarded. So it's best not to store these in software.

Another method that is often very useful in protecting IoT systems is Boot Process Protection. This method ensures that only certain software configurations get loaded, or intended software configurations get loaded onto devices. And prevents devices from being compromised. Another method is Platform Integrity Verification which is also tied to the Boot Process Protection. And this is the method that allows devices to declare their integrity state to the cloud or to the server. So that the cloud and the server can trust the configuration. Tied to all of this is also another method which is called, Secure Firmware Upgrade. And this is also extremely important for IoT.

IoT devices are increasing in complexity and software is a critical component for the functioning of these systems. Unfortunately, software is affected by bugs and bugs turn into vulnerabilities that can be discovered at some point in time, not always before a device launches or before a device gets deployed in the field. So, manufacturers and service providers have a need to upgrade firmware and software on a constant basis. Upgrading software and firmware unfortunately may also open the door up for attacks.

So, we want to make sure that only authorized sources can in fact upgrade the software of the devices. So, hence the word secure. These countermeasures can be implemented in a variety of ways. Of course one option is to do nothing at all. That's not a good option but it is a possibility. The next best thing is to implement these solutions or these countermeasures in software. And although that's better than doing nothing, it's still not enough. Especially when it comes to storing confidential information such as keys, encryption keys or certificates. So although this is better than doing nothing, it's still not sufficient.

When it comes to, for example, storing encryption keys, encryption keys that are stored in software are vulnerable to discovery because they often, unlike the rest of the software, exhibit a certain randomness that makes them a clear target when software is reverse engineered or observed. So, retrieving an encryption key means breaking possibly the whole security system. And the best way to really store this confidential material is to do it in hardware. And to do it with certified hardware, hardware that's built with this purpose. To really maintain secrets secret. And to keep encryption keys and certificates from being disclosed.

Infineon has developed a family of products specifically with these countermeasures in mind. And I invite you to look at our website, IoT-security on our Infineon website to discover more about the countermeasures, about how they can be implemented, how they can help your product designs, your system designs. And also more about the benefits of hardware based security.

In particular, I want to mention the Optiga product family. The Optiga product family is a family of products which addresses the countermeasures that we talked about and offers the right security for the right application. So customers that look for authentication functions only can, for example, utilize the Optiga Trust, which is the simplest device in the line. And customers that want to introduce additional countermeasures, such as Boot Protection, Platform Integrity Verification and Secure Firmware Upgrade, can look at the other products such as the Optiga Trust P or the TPM, which do include more functionality.

So in summary, IoT shows tremendous promise. There's a lot of business value to be realized but in order to do that, security needs to be part of the equation. And for IoT, it needs to be baked in at the beginning, at the design concept of the systems. So please look for hardware trust anchors to help you with that and I invite you to look at our website for more information.

Thank you.
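
Added example (not part of the talk and not Infineon code): the point made in the talk that software-stored keys stand out by their randomness can be turned into a release check on your own firmware image, flagging high-entropy byte windows for review. The window size, threshold and the sample image are assumptions constructed for this example.

```python
import hashlib
import math
from collections import Counter

WINDOW, STEP = 64, 16   # sliding-window size and stride in bytes (assumed values)
THRESHOLD = 5.2         # bits per byte; a 64-byte window can reach at most 6.0


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_regions(image: bytes):
    """Return merged (start, end) offsets of windows at or above THRESHOLD."""
    regions = []
    for off in range(0, len(image) - WINDOW + 1, STEP):
        if shannon_entropy(image[off:off + WINDOW]) < THRESHOLD:
            continue
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], off + WINDOW)  # extend previous hit
        else:
            regions.append((off, off + WINDOW))
    return regions


def build_sample_image():
    """Constructed firmware-like image: log strings, a 256-byte key blob, padding."""
    strings = b"boot: init uart0 ok\n" * 16   # 320 bytes of low-entropy text
    # Deterministic stand-in for key material (SHA-256 output looks random).
    key = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
    padding = b"\xff" * 192                   # erased flash
    return strings + key + padding, len(strings), len(key)


if __name__ == "__main__":
    image, key_off, key_len = build_sample_image()
    for start, end in high_entropy_regions(image):
        print(f"high-entropy region 0x{start:04x}-0x{end:04x}: review for embedded secrets")
    print(f"key blob actually placed at 0x{key_off:04x}-0x{key_off + key_len:04x}")
```

Compressed or encrypted payloads also score high, so a hit is a prompt for review rather than proof of a key; a clean result on a real image is what you expect once keys live in a hardware trust anchor.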
