A paper has been released detailing an approach to securing the Internet of Things entitled Security Guidance for Critical Areas of Embedded Computing.
The prpl Foundation has announced the availability of a new document entitled Security Guidance for Critical Areas of Embedded Computing that lays out its revolutionary vision for a secure Internet of Things. It describes a fresh hardware-led approach that is easy to implement, scalable and interoperable. The prpl Foundation’s guidance aims to improve security for devices in a rapidly expanding connected world where failure to do so can result in significant harm to individuals, businesses and to nations.
“The Internet of Things is connecting our world in ways not anticipated even a decade ago. This connectivity finds its way into everything from light bulbs and home appliances to critical systems including cars, airlines and even hospitals,” said Art Swift, president of the prpl Foundation. “Security, despite its huge and increasing importance, has so far been addressed in piecemeal and often proprietary ways.
“Given ubiquitous connectivity and the rapid emergence of IoT, the need for a well-designed, structured and comprehensive security architecture has never been greater,” he continued.
Embedded systems and connected devices are already deeply woven into the fabric of our lives, and the footprint is expanding at a staggering rate. Gartner estimates that 4.9 billion connected things were in use by the end of 2015, a 30% increase from 2014. This will rise to 25 billion by 2020 as consumer-facing applications drive volume growth, while enterprise sales account for the majority of revenue.
Security is a core need for manufacturers, developers, service providers and others who produce and use connected devices. Most of these – especially those used on the “Internet of Things” – rely on a complex web of embedded systems. Securing these systems is a major challenge, yet failure to do so can result in catastrophic consequences.
“Under the prpl Foundation, chip, system and service providers can come together on a common platform, architecture, APIs and standards, and benefit from a common and more secure open source approach,” added Cesare Garlati, prpl’s chief security strategist.
The new Security Guidance Document lays out a vision for a new hardware-led approach based on open source and interoperable standards. It proposes to engineer security into connected and embedded devices from the ground up, using three general areas of guidance. These are not the only areas that require attention, but they will help to establish a base of action as developers begin deal with security in earnest.
These areas include:
Addressing fundamental controls for securing devices. The core requirement, according to the document, is a trusted operating environment enabled via a secure boot process that is impervious to attack. This requires a root of trust forged in hardware, which establishes a chain of trust for all subsystems.
Using a Security by Separation approach. Security by Separation is a classic, time-tested approach to protecting computer systems and the data contained therein. The document focuses on embedded systems that can retain their security attributes even when connected to open networks. It is based on the use of logical separation created by hardware-enforced virtualization, and also supports technologies such as para-virtualization, hybrid virtualization and other methods.
Enforcing secure development and testing. Developers must provide an infrastructure that enables secure debug during product development and testing. Rather than allowing users to see an entire system while conducting hardware debug, the document proposes a secure system to maintain the separation of assets.
By embracing these initial areas of focus, stakeholders can take action to create secure operating environments in embedded devices by means of secure application programming interfaces (APIs). The APIs will create the glue to enable secure inter-process communications between disparate system-on-chip processors, software and applications. Open, secure APIs thus are at the centre of securing newer multi-tenant devices. In the document, the prpl Foundation offers guidance defining a framework for creating secure APIs to implement hardware-based security for embedded devices.
David Lingenfelter, Information Security Officer, IBM Security Systems and Co-Chair Mobile Group at Cloud Security Alliance said, “Great paper, very well laid out and easy to read and comprehend. Focus is around constructing the hardware and virtual layers of the endpoints to be designed properly to limit exposure should they come under attack. The four types of IoT systems mentioned in this paper (auto, medical, weapons, and airlines) can all have very personal ramifications to an individual’s health if something should go wrong”