The Right Security for IoT
July 21, 2015
Michael Armentrout, Regional Marketing / Business Development Manager, Infineon Technologies
2015-07-14 Copyright © Infineon Technologies AG 2015. All rights reserved.

Agenda
- Business Drivers for IoT Security
- Real-World Examples
- Finding the Right Solutions
- Into the Future
[Graphic labels: INDUSTRIE 4.0, MOBILITY, LOGISTICS, GRIDS, INTELLIGENT FACTORY, BUILDINGS, DEVICES]

Internet of Things Drives Increased Profits
Smart Home, Connected Car, Industrial, Critical Infrastructure
1. New capabilities and services
2. Greater efficiency
3. Increased flexibility and customization

How can you benefit from the right security in IoT?
- Maximize uptime of services (e.g. production line, smart home service)
- Protect revenue stream
- Enable and create business models
- Differentiation from competition
- Reduce costs
- Increase quality and reliability
[Graphic labels: Data Security Information/IP Communication]

IoT impact on system architecture
Levels: Supervisor Level, Control Level, Field Level
1. Generation, analysis, and usage of data
2. Continuous communication
3. Automated adjustments

Security Threats for IoT
- An Eavesdropper listening in on data or commands can reveal confidential information about the operation of the infrastructure.
- A Fake Device injecting fake measurements can disrupt the control processes and cause them to react inappropriately or dangerously, or can be used to mask physical attacks.
- A Fake Server sending incorrect commands can be used to trigger unplanned events, to send some physical resource (water, oil, electricity, etc.) to an unplanned destination, and so forth.

Security protects your essential values
[Graphic labels, in source order: Get Data; Security Requirements; Passwords/Keys/IDs; Anti-counterfeiting; Espionage; Sensitive information; Manipulate System; Physical access; IP protection and feature activation; Secure SW updates; Infrastructure security; Sabotage; System control; Process know-how protection]

Security Breach Examples

Heartbleed bug in OpenSSL had strong visible and hidden impacts on industry
[Graphic labels: Damage, Time, Cost, Reputation]

Trust Anchors are essential for system security
Key integrity is essential for system security
Trust Anchors: Key store, Crypto operation, Key management
1. Compromised keys = no security
2. Cloning of a key leaves no traces
3. Key handling must be secured through the whole lifecycle, including manufacturing

Bad security is the result of bad processes and weak technology
Root Causes
- Process / Organizational
  - Lack of security processes
  - Lack of structured attack analysis
  - Lack of security evaluation
- Technology
  - Lack of strong isolation of security-critical functions
[Graphic label: Quality of Security]

PROCESS: Security processes determine security quality
[Diagram labels, in source order: Threat and attack scenario analysis; Security objectives and measurement; Security-certified production; Secured personalization; Operation & Maintenance; Security hardware & software architecture expertise; Security Requirements & Architecture; The result of processes; Detailed Design; Secured design and development environments; System Verification & Validation; Large portfolio of security controller products; Integration, Test & Verification; Security Lab for security penetration testing]

QUALITY: Security evaluation addresses attacks with a structured methodology
Security Documents
1. Defined attack scenario
2. Defined countermeasures
3. Evaluation report by independent 3rd party
[Diagram labels: In Specified Operating Modes; Out of Spec Operating Modes; Use case ... Use case; Test; Test coverage for specified operation; Attack 1, Attack 2, ... Attack n; Security Evaluation; Specified Security Measures]

QUALITY: The challenge of complex systems evaluation
[Chart: evaluation effort/time versus complexity. Labels: In Spec Testing; Out of Spec Evaluation/Certification; Security Controller: economically feasible; System on a chip (SOC): economically infeasible]

TECHNOLOGY: Comparing Hardware & Software-based Trust Anchors
[Comparison graphic labels: Main MCU; SW; Main MCU; SE]
Criteria compared:
- Crypto functionality
- Strong isolation
- Security certified
- Tamper proof
- Manufactured using security certified processes
- Personalized using security certified processes

IoT embedded systems require scalable solutions and a great variety of devices
Performance / Footprint:
- ~ 3 GHz CPU, ~ x GByte
- ~ 400 MHz, ~ 1 GByte
- ~ MHz MCU, ~ 50 kByte
Security needs to scale with system footprint and abilities

Scalable Trust Anchors for Manufacturing

Product           Security Level   Design-in complexity
OPTIGA™ Trust     +                low
OPTIGA™ Trust E   +++              low
OPTIGA™ Trust P   CC EAL 5+        medium
OPTIGA™ TPM       CC EAL 4+        medium

Feature set labels, in source order: Personalization (loading of keys and certificates); Authentication; PKI-supported; Programmable; TPM standard; Authentication
[Axis label: System complexity]

Likely Future Developments
- Additional functionality
- Expanded security features
- Expanded cryptographic algorithms
- Tighter integration with IoT systems
- Hardware Root of Trust standard
  - As it is today for IT equipment
- Growing requirements for stronger security
- Regulations, insurance, etc.
- Continuing exploitation and damage

Summary
- IoT requires solid security.
- Security is a result of solid processes, quality, and technology.
- Scalable Hardware Trust Anchors provide the right security for IoT in manufacturing.

IoT Smart Home Demo at Infineon Booth
Smart Home Showcasing
Use cases shown:
- Authentication
- License Management
- System Integrity
- Secure Communication
- Boot process protection
Products shown:
- OPTIGA™ Trust
- OPTIGA™ Trust E
- OPTIGA™ Trust P
- OPTIGA™ TPM