Companies need a framework for implementing security in IoT systems and embedded devices

Security is foundational to the reliability of IoT systems and devices, writes Arlen Baker, the chief security architect at Wind River. Everyone from the developer to the operator to the end beneficiary needs to have confidence that an IoT solution will perform as promised, without putting anyone’s privacy or safety at risk. Moreover, the ability to demonstrate effective security is increasingly critical for compliance with stringent standards such as the EU’s General Data Privacy Regulation (GDPR), and for obtaining product safety certifications from various regulatory entities.

Given the rapid pace of IoT adoption and the pressure on developers to bring solutions to market quickly, that’s a fairly tall order. How can IoT developers address security efficiently across the solution lifecycle?

IoT developers would benefit from a systematic approach to security, grounded in a clear understanding of security needs and objectives. A prime example of such an approach is the Wind River Helix Security Framework, designed to help developers optimise the security capabilities built into Wind River embedded software solutions.

The Helix Security Framework starts with the industry standard model of Confidentiality, Integrity and Availability – the widely accepted CIA Triad. Then we take it a step further and deconstruct each of these three principles into tangible security implementations. In the context of the Triad, confidentiality encompasses implementations designed to maintain the privacy of an asset. Integrity refers to measures that protect the content of the asset from disruption or corruption. Availability includes implementations that ensure accessibility of the asset. We then apply these implementations specifically to the requirements of the embedded systems our customer needs to secure.

That’s the high-level explanation of the framework, but how does it work in practical terms? To put it more simply, security functionality is built into every product across our portfolio that we offer for embedded system developers. However, that in itself is not enough to ensure that devices built with these solutions will be secure. It takes an additional measure of expertise and analysis in a comprehensive approach to identify and implement the right security capabilities for each system’s requirements. The Helix Security Framework enables users to determine which security features they need for their specific applications and how to activate those features.

Three stages of training

In practice the framework comes to life through a customised embedded security training class. The class is based on the specific Wind River solution the customer is using and the application they’re using it for. Classes typically entail three stages over three days. Day one is focused on understanding the framework, breaking it down into security implementations, and laying the foundation for what is needed to secure an embedded device. Day two involves going through the various security features within the Wind River product that will put those implementations into effect. Importantly, no single security solution by itself will provide complete protection for an IoT device. Rather, it is the proper layering of these defences that will provide a much stronger, multifaceted protection, commonly referred to as defence-in-depth.

On the third day, we conduct a hands-on lab that enables the customer to bring it all together – to use the tools identified on day two to implement the security requirements identified on day one.

That’s the educational component of the framework, essentially teaching our customers how to secure their devices using the tools built into the solutions they’ve acquired from Wind River. Another key component of the framework is a security assessment. It’s similar to the training class in that it starts with laying the foundations, going through the implementations coming out of the CIA Triad, and making sure the customer understands what it means to secure the device. We follow that with a deep dive into the customer’s specific need to define the system assets, the vulnerabilities of those assets, and the security implementations needed to secure them. We put all that in a written report that the customer can execute against.

Versatile deployment

In different scenarios with several customers, the Helix Security Framework has proven effective in empowering development teams to meet their security objectives. It has been applied in securing medical devices, head-up displays for military aircraft, industrial control systems, power plants, wastewater and sewage systems, and other IoT systems for critical infrastructure. We’ve applied it on behalf of customers building new systems from scratch, as well as for industrial and critical infrastructure operators faced with upgrading and connecting brownfield legacy systems and equipment.

The beauty of the framework from the customer’s perspective is that it is repeatable and transferrable. One client with a major defence contractor told us his team was applying our process not just to the initial engagement, but to multiple projects across the corporation. We gave them the framework and taught them how to use it, and they ran with it.

Another customer in the medical device arena was looking for a commercially available operating system (OS) that provided continuous security monitoring and vulnerability protection. In fact, the company had incurred a great deal of negative press about the vulnerabilities in its devices, and was causing them financial impacts. Walking through the Helix Security Framework was a big factor in the company’s decision to go with Wind River Linux, along with our continuous security monitoring and vulnerability protection, and the next release of its device incorporated the recommendations derived through our security assessment.

IoT and embedded system developers need a systematic approach to security that can be integrated into the development process. For users of Wind River technology, the Wind River Helix Security Framework has been proven in the trenches. It’s a way for IoT developers and system operators to gain the upper hand against malicious actors, while enabling them to meet the marketplace and regulatory demand for safe, secure and reliable systems.


SiTime expands addressable market with its new precision timing solution for autonomous vehicles

Posted on: September 30, 2022

Santa Clara, United States. 27 September, 2022 – SiTime Corporation, a provider in precision timing, introduced a new automotive oscillator family, based on SiTime’s advanced MEMS technology. The new differential oscillators are 10x more resilient and ensure reliable operation of ADAS across extreme road conditions and temperatures. The launch of the new automotive oscillator, AEC-Q100 SiT9396/7,

Read more

Semtech’s LoRa devices featured in Kiwi Technology gas metering solution

Posted on: September 30, 2022

Camarillo, United States. 29 September, 2022 – Semtech Corporation, a global supplier of high performance analog and mixed-signal semiconductors and advanced algorithms, announced that Kiwi Technology, an advanced internet of things (IoT) turn-key solutions and data analytics provider, is using Semtech’s LoRa devices for its new third party class B network control unit (NCU) that connects gas meters

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more
IoT Newsletter

Join the IoT Now online community for FREE, to receive: Exclusive offers for entry to all the IoT events that matter, round the world

Free access to a huge selection of the latest IoT analyst reports and industry whitepapers

The latest IoT news, as it breaks, to your inbox