Five pillars of IoT security start with a root of trust
As the number of connected devices that make up IoT proliferates, Robin Duke-Woolley, the chief executive of Beecham Research, interviews Eric Heiser, the head of services and business development at u-blox, to understand the importance of implementing security that addresses five vital pillars.
Robin Duke-Woolley: A couple of years ago, u-blox introduced its Five Pillars of Security. How has that developed since then?
Eric Heiser: The five principles are: Secure Boot, Secure firmware over the air (FOTA), Secure Physical Interfaces and application programme interfaces (APIs), Secure Physical Transport Layer and Robustness. Having introduced those principles, the next step has been to implement them.
That takes time and we have now launched these in our new SARA-R5 series which was announced in June. These are multi-band LTE-M/NB-IoT cellular modules, so aimed at the low power wide area network (LPWAN) market which has some particular constraints that have made this an interesting challenge.
RD-W: Is this something you have developed on your own at u-blox or have you worked with partners?
EH: We have worked extensively with world class partners. Firstly, we have a strategic relationship with Kudelski, also known as Nagra. This company has a security background and it has been doing this for decades. The company provides the security you find in set top boxes, for example, where you download content to your TV. It developed the platform that a lot of the TV content providers use to ensure their content is not hacked or stolen. This means Kudelski protects billions of dollars of content revenue every year, which proves it has a lot of good expertise in security. It also has good experience of doing this at scale, which is very important and very applicable to IoT. Other partners then include Mocana, helping us secure the communications stack.
Take the example of the set top box which goes with your TV into your living room and sits there for ten years. You have to keep the security in that up to date for the entire ten years to prevent people from trying to hack into it. That is very similar to the challenge we have with LPWA and the narrowband world in the IoT market.
RD-W: Can you describe how that works?
EH: This process was very much focused on cellular to start with. We have a secure production process, where our IT system is hooked together with Kudelski’s cloud-based system. Throughout our production process, the secure keys are basically wrapped up inside a layer of encryption, so at no point are the keys ever exposed. They are then inserted into the Root of Trust (RoT) – the secure area of the silicon.
RD-W: How do u-blox’s Five Pillars line up with others in the market?
EH: The Five Pillars were our founding principle, which evolved to line up with what others in the industry are saying. ARM, for example, talks about it with its PSA (Platform Security Architecture). Qualcomm and Intel are also similar in their approaches. Secure Boot – that’s where you start. You have to have some kind of immutable ID in your chipset, your IoT device, that says this is physically who I am, it can’t be spoofed, it can’t be changed, this is my identity so it has to be a unique identity in every device. The Secure Boot process has to be wrapped up around that.
RD-W: How important is the Root of Trust?
EH: The RoT is what guarantees all your security functions. Are you doing a secure communication? Are you doing a random number generation? Whatever you are trying to do, you need a RoT, that mix of hardware and software to do a secure function. Can you detect if you have been hacked? If someone can get into your device, you need to be able to detect it and update it. So that’s a very important part of the u-blox RoT and our partnership with Kudelski. Our RoT is cryptographically tied from our manufacturing process, then to the cloud with Kudelski’s proven architecture. So, we can then say now this device is out there in the world, and it’s doing its normal thing, are things OK? If not, can you detect it? Can you update it? Can you do all the things you want?
RD-W: What are the next steps in the secure process?
EH: After Secure Boot you need secure updates. Typically, you hear about FOTA. You have to make sure a secure process can download that code to your device so you know you’re only running firmware that you made, then you need secure communications and secure interfaces. These are the first four of the Five Pillars.
RD-W: These are the technical terms. Do you find they resonate well with device designers in the market?
EH: I’m seeing more people talk about the convergence of IT and operations technology (OT), the main point being that IoT is the connection to physical things where cyber is just data. But this is controlling physical things which is why the security is so important. It’s a bit different when you start to look at it in terms of what device IoT solution providers are focused on. They look at it from the standpoint of protecting their device security, their data security and then they get into protecting the individual’s privacy. So, where I talk about secure boot, secure updates, with those I can provide integrity, confidentiality and availability and then authenticity is part of availability. Those all come from our security stack, our RoT, but from a customer point of view they think of it in terms of device security, data security and protecting the individual’s privacy. Those three things actually loop back to the things I was talking about, just expressed differently.
RD-W: The fifth pillar is Robustness. Is that not already an integral part of the first four pillars?
EH: It is certainly included in the first four, but there are parts in robustness that we take in that a security expert might not. For example, making sure that incoming data is valid and should be acted on. This is often outside of a security expert’s domain. It may be crucial though, for example in security and safety issues. It has more to do with robustness of the whole solution, the whole design and making sure that data arrives in a manner that says – I can trust this data, I can execute on it, or say: hold on, there’s something suspicious here. The robustness goes outside your normal security domain, because you’re connected to the physical world.