Page 51 - EE|Times Europe Magazine - December 2020

Protecting the Endpoint in IIoT: A Snapshot of Chip-Level Security

to regenerate keys without secure storage and to identify themselves to remote servers without requiring a previous trust relationship or shared key.

Tunneling in semiconductors is inevitable when manufacturing at the nanoscale. Based on the variations in thickness of the tunneling, the chip uses quantum tunneling in nanodevices to generate random numbers. This quantum effect in QDSC means a single chip can generate multiple unique, unforgeable cryptographic keys on demand. The company is focused not only on devices and licensing its intellectual property but on secure key management throughout the life cycle of the devices via its key management service.

Using the same quantum tunneling technique, another company established in 2019, PUFsecurity, also recently introduced its own PUF-based RoT intellectual property called PUFrt. The startup argues that the SRAM PUF typically utilized by some chip manufacturers has a vulnerability every time the power is turned on and turned off: the number on the SRAM PUF will change, which means a lot of pre- and post-processing is required to ensure the stability and reliability of the PUF. SRAM PUF can also be affected by factors like the degree of mismatch between MOSFET pairs on constant power-up and power-down and by variations in ambient conditions such as temperature, noise, voltage, and interference. PUFsecurity says its solution combines quantum tunneling PUF with its one-time-programmable (OTP) solution to build a circuit design, using this as a seed to create random-number generation. Its PUFrt function therefore can provide the ID, the key storage in the OTP, and true random-number generation.

We've illustrated some of the various approaches to device-level security. To protect the industrial cloud from cyberattacks, a key part of the vulnerability that needs to be managed is the connected endpoint device. Protecting this device means having the most appropriate chip-level security and identity management systems. ■

Nitin Dahad is editor-in-chief of Embedded.

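The "pre- and post-processing" that the article says an SRAM PUF needs is what the PUF literature calls a fuzzy extractor: at enrollment the key is combined with the golden power-up pattern into public helper data, and at every later power-up the noisy response is corrected back to the same key. The simulation below is an added example written for this page; it is not PUFsecurity's PUFrt design or any vendor's circuit, and the cell count, repetition factor and flip probability are constructed demonstration values. It contrasts hashing the raw response (which changes on almost every power cycle) with reproducing the key through a code-offset construction using a simple repetition code.

```python
"""Constructed simulation of SRAM-PUF power-up noise and the pre-/post-
processing (a code-offset fuzzy extractor with a repetition code) that turns
the noisy response into a stable key.  Added example for this article; it is
not PUFsecurity's or any other vendor's design, and every constant below is
a constructed demonstration value."""
import hashlib
import random

N_CELLS = 128        # constructed: PUF cells sampled at power-up, one bit each
REPEAT = 7           # constructed: 7-fold repetition code, majority decoded
KEY_BITS = N_CELLS // REPEAT   # 18 key bits survive error correction
FLIP_PROB = 0.05     # constructed: per-cell flip probability between power-ups


def silicon_bias(seed: int) -> list:
    """The device's 'golden' power-up pattern: the bias each SRAM cell was
    manufactured with.  Random here; on real silicon it comes from mismatch."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(N_CELLS)]


def power_up(golden: list, cycle: int, flip_prob: float = FLIP_PROB) -> list:
    """One power-up: cells with marginal mismatch flip, modelled as independent
    flips with probability flip_prob (temperature, noise and voltage in reality)."""
    rng = random.Random(cycle * 1_000_003 + 17)
    return [bit ^ (1 if rng.random() < flip_prob else 0) for bit in golden]


def enroll(golden: list, key_bits: list) -> list:
    """Enrollment (pre-processing): encode the key with the repetition code and
    XOR it with the golden response.  The result is public helper data that can
    live in plain OTP/flash; it does not reveal key_bits without the PUF."""
    codeword = [b for b in key_bits for _ in range(REPEAT)]
    return [g ^ c for g, c in zip(golden, codeword)]


def reproduce(response: list, helper: list) -> list:
    """Reproduction (post-processing): XOR a fresh noisy response with the helper
    data and majority-decode each block, which removes up to 3 flips per block."""
    corrected = [r ^ h for r, h in zip(response, helper)]
    key_bits = []
    for i in range(0, KEY_BITS * REPEAT, REPEAT):
        block = corrected[i:i + REPEAT]
        key_bits.append(1 if sum(block) * 2 > REPEAT else 0)
    return key_bits


def derive_key(bits: list) -> str:
    """Hash the reproduced bits into a fixed-length key; a real design would use
    a KDF such as HKDF with a device-specific label."""
    return hashlib.sha256(b"puf-demo-v1|" + bytes(bits)).hexdigest()


def run_demo(seed: int = 7, cycles: int = 20) -> dict:
    """Compare keying straight from the raw response with keying through the
    fuzzy extractor over a number of simulated power cycles."""
    golden = silicon_bias(seed)
    rng = random.Random(seed + 1)
    key_bits = [rng.randint(0, 1) for _ in range(KEY_BITS)]
    helper = enroll(golden, key_bits)
    expected = derive_key(key_bits)
    naive_expected = derive_key(golden)

    flips_per_cycle, naive_stable, corrected_stable = [], 0, 0
    for cycle in range(cycles):
        response = power_up(golden, cycle)
        flips_per_cycle.append(sum(a != b for a, b in zip(response, golden)))
        naive_stable += derive_key(response) == naive_expected
        corrected_stable += derive_key(reproduce(response, helper)) == expected
    return {
        "cycles": cycles,
        "flips_per_cycle": flips_per_cycle,
        "naive_stable_cycles": naive_stable,
        "corrected_stable_cycles": corrected_stable,
    }


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows a handful of flipped cells on nearly every power-up, zero or near-zero cycles where the raw response hashes to the same key, and the corrected key reproduced on essentially every cycle. The trade-off the article alludes to is visible in the constants: error correction spends 7 raw cells per key bit, and the helper data must be stored (in OTP, say), which is exactly the overhead a PUF that needs less correction avoids.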
OPINION | SECURITY

Data on the Edge: A Common Blind Spot in Industrial Security

By Jason Soroko

Data increasingly is being transmitted across hostile territory or stored at a network edge. Within industrial, operational technology (OT), and IoT settings, this data can be critical operational information or important intellectual property.

Information that used to be stored in silos of proprietary systems "behind the firewall" is much more valuable when it is transmitted and stored where it can be analyzed. Often, that means usage of public cloud systems and content delivery networks (CDNs). A quick scan of news feeds on this topic shows an abundance of evidence that there are common mistakes being made that can be avoided.

IAM: FAR BEYOND PASSWORDS

For several years, incident handling reports have shown that credential harvesting is a tactic often used by adversaries to maliciously gain access to enterprise systems.

Social engineering is a fact of life. Traditional wisdom held that industrial environments had immunity to credential harvesting because of firewalls, air gaps, and proprietary computing environments. That turned out to be far from the truth. In reality, what we often find are weak credentials that are not difficult to harvest.

Commercial off-the-shelf (COTS) computing systems, pervasive in industrial environments, are difficult to update, making them vulnerable to credential harvesting attacks.

Username/password combinations of any strength should not be considered safe without multi-factor authentication (MFA). Unfortunately, not all MFA is created equal. Older forms, such as hard tokens, are difficult to provision to users and cumbersome to use in modern multi-application environments. Many organizations, including banks, have used SMS to text message one-time passcodes, only to discover their weakness for Android users who were tricked into downloading malware that redirected SMS messages to attackers. These are now deprecated as a recommended MFA methodology by the National Institute of Standards and Technology (NIST), which notes in a blog on the guidance, "While SMS is a popular and convenient option today, the security concerns of SMS as a second factor should be part of agencies' decisions."

The Mirai botnet, which still plagues IoT devices with weak authentication mechanisms, led directly to the passing of IoT security legislation in various jurisdictions. The main problems stem from the usage of default (also known as static) username/password authentication. Attackers found easy targets in closed-circuit cameras and other IoT devices and used those vulnerable devices in mass quantities to successfully perform denial-of-service (DoS) attacks against major internet services, such as DYN's DNS service. California passed the original IoT security legislation in a direct response to what was learned from the Mirai botnet.

This has highlighted the importance of strong authentication to defeat attacks on weak, static credentials. At minimum, it should be possible to change weak, static credentials such as default usernames/passwords included with an IoT device at the point of purchase. The latest versions of IoT security legislation, such as the proposed U.K. IoT security legislation and Australia's IoT security legislation, go much further. They propose authentication mechanisms that are more dynamic than usernames/passwords, as well as other important security considerations for IoT device vendors that want to sell devices into those important markets.

From an identity and access management