Providing a secure future for billions of IoT devices through cyber resilience

The Internet of Things (IoT) is rapidly increasing in popularity, with Cisco predicting that there will be 27.1 billion devices this year. That makes it imperative that cyber resilience becomes a priority to ensure a safe future for all, says Rob Spiger, vice president of Trusted Computing Group.

With enterprises and people depending on technology now more than ever, it is critical devices remain safeguarded to prevent damage worldwide, as the rollout of 5G networks and gigabit broadband continues.

As demand for technology continues to grow, so too does the rate of innovation, as vendors seek to keep addressing the needs of consumers and businesses. But this has created a greater risk than ever before, with the very nature of security having to shift to meet the changing methods of cyber-attacks.

Enhanced security is vital

Without sufficient protection in place, there is more to lose now than ever as more vulnerable devices such as microphones, sensors and cameras are seeing increasing usage, with the possibility of personal or even commercially sensitive data being intercepted with devastating consequences.

The SolarWinds attack of 2020 demonstrates exactly how damaging attacks can be. Hackers were able to access the infrastructure of the company, which produces a platform called Orion, and used that access to produce trojanised updates for the software's users.

Through this, they were then able to access computer systems belonging to multiple US government departments in a long campaign that spanned most of the year, with other victims including cyber security organisations, telecom businesses, and universities and colleges worldwide.

One lesson learned from the incident suffered by SolarWinds was that the use of supply chain attacks may increase in the future. Manufacturers can better prepare by designing their products so vulnerabilities identified in software components can be corrected reliably and at scale. With attacks causing an average of US $200,000 (€166,133.70) worth of damage, there is now a real urgency for a “security first” approach, where cyber resilience is critically important in the continued protection and recovery of devices.

Building a cyber resilient foundation

To increase resilience for IoT devices, the Trusted Computing Group (TCG) is releasing a new specification entitled “Cyber Resilient Module and Building Block Requirements,” for which a draft version is available now. The specification will help vendors to develop a solid foundation for cyber resilience, giving the security industry a powerful way of tackling the proliferation of cyber threats that now exist.

Resilience not only affords better protection, but it also allows for the detection of security issues and for the recovery of a device after it becomes compromised. With IoT of increasing importance for enterprises and consumers, it is important that there is a way to securely manage devices and be able to regain control without requiring manual steps from a person. IoT devices with built-in cyber resilience will become vitally important as more and more devices, networks, and systems become interconnected.

The TCG Cyber Resilient Technologies work group, which has developed the specification, has designed the concept of a Cyber Resilient Module. The module is a logical unit that consists of two layers. The lower layer, called the Recovery Engine, can recover the upper layer, called the Resilience Target.

Building blocks inside the Cyber Resilient Module provide a safe environment for the engine to run and make updates to the target, even when it has become compromised. The current version of the specification does this by sequencing the engine to always run before the target. Another building block called a Latchable Watchdog Counter prevents the target from running indefinitely.

The counter serves the important purpose of reliably interrupting the target and starting the recovery engine, even if the target has suffered a security compromise or an unanticipated error. A final storage building block helps the engine protect itself, its recovery policy, and data from tampering by the target.

For a complex device with multiple layers or individual subcomponents, the Cyber Resilient Module concept can be applied repeatedly for each layer and for each subcomponent to make the whole device resilient and recoverable.

Cyber resilience in motion

The goal for Cyber Resilient Modules is to support devices in protecting themselves, identifying when they may have been compromised and initiating recovery actions without manual help. As the number of connected devices increases, these resilience features will help manage devices reliably at scale.

Imagine the benefits: if a widespread attack infects the recovery target layer of a device or subcomponent, the owner just needs to wait for the device’s counter to reset a Cyber Resilient Module in the device. After the reset, the recovery engine has a safe environment to run in and it can check online if there is a security issue with the device model.

If there are remediation instructions available from the manufacturer, they can be used to recover the device. If a fix is still being developed, the device could quarantine itself or switch to a more defensive posture until the manufacturer gets a handle on the situation and provides instructions for devices to recover. If there is no security issue with the device model, the device can resume normal operation.
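A simplified C model of the two-layer module and of the three recovery outcomes just described, added here as an illustration; it is not code from TCG or from the specification. All names (`crm_t`, `wdc_set`, `store_write`, `reset_and_recover`, `run_target`) are hypothetical, the manufacturer's online answer is passed in as a parameter, and the model assumes the latch stops the target from reprogramming the counter until the next reset.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not from the TCG specification. */
typedef enum { ADV_NONE, ADV_FIX_PENDING, ADV_FIX_AVAILABLE } advisory_t;
typedef enum { NORMAL, QUARANTINED } posture_t;

typedef struct {
    unsigned ticks;      /* watchdog counter: a reset fires when it reaches 0 */
    bool latched;        /* assumption: once latched, the counter is frozen until reset */
    bool store_locked;   /* engine storage is write-protected until the next reset */
    int policy;          /* recovery policy kept in protected storage */
    int target_version;
    posture_t posture;
} crm_t;

bool wdc_set(crm_t *m, unsigned t) { if (m->latched) return false; m->ticks = t; return true; }
bool store_write(crm_t *m, int v) { if (m->store_locked) return false; m->policy = v; return true; }

/* A reset clears both latches, then the engine always runs before the target. */
void reset_and_recover(crm_t *m, advisory_t adv, int fixed_version) {
    m->latched = m->store_locked = false;
    if (adv == ADV_FIX_AVAILABLE) { m->target_version = fixed_version; m->posture = NORMAL; }
    else if (adv == ADV_FIX_PENDING) m->posture = QUARANTINED;   /* defensive posture */
    else m->posture = NORMAL;                                    /* no known issue */
    wdc_set(m, 3);                          /* bound how long the target may run */
    m->latched = m->store_locked = true;    /* lock before handing over control */
}

/* Runs the target until the watchdog expires; returns the number of successful tampers. */
int run_target(crm_t *m, bool compromised) {
    int tampered = 0;
    while (m->ticks > 0) {
        if (compromised) tampered += wdc_set(m, 1000000) + store_write(m, -1);
        m->ticks--;
    }
    return tampered;
}

int main(void) {
    crm_t m = { .policy = 7, .target_version = 1 };
    reset_and_recover(&m, ADV_NONE, 0);
    int t = run_target(&m, true);           /* compromised target cannot stay resident */
    reset_and_recover(&m, ADV_FIX_PENDING, 0);
    printf("tampered=%d posture=%d\n", t, m.posture);
    run_target(&m, true);
    reset_and_recover(&m, ADV_FIX_AVAILABLE, 2);
    printf("version=%d posture=%d policy=%d\n", m.target_version, m.posture, m.policy);
    return 0;
}
```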

The new specification sets out a minimal set of mechanisms and building blocks that enable cyber resilience systems to be built with limited resources. The building blocks perform simple reusable actions such as protecting storage until the next reset and providing different capabilities for giving the recovery engine a chance to check for updates.

Cyber resilient techniques also allow vendors, end users, or manufacturers to update the system securely and ensure any necessary security measures are incorporated to protect the device throughout its lifecycle. Protection, detection, and recovery also mean any unpatched or misconfigured code can be promptly identified and fixed.

Future security is ensured

With IoT deployments set to soar, it is critical that there is a way for manufacturers to safeguard devices throughout their lifecycle to protect any commercially sensitive or personal data from attack. At a time when human reliance on technology is greater than ever, it is crucial that developers look at incorporating this latest TCG specification to ensure the best protection for the future of IoT devices.

The author is Rob Spiger, vice president of Trusted Computing Group
