As the Internet of Things (IoT) proliferates, billions of cloud-connected devices are expected to be designed, manufactured and deployed over the next decade. However, the challenges are growing, requiring ever-increasing efforts to prevent hacking of connected devices and protect critical data and intellectual property. The industry is rapidly converging on best practices for keeping next-generation IoT devices safe by demanding a robust “chain of trust” across the entire product lifecycle.
At Secure Thingz, we believe there are three critical areas to consider when applying trust across the supply chain to create a chain of trust:
In two previous articles, we addressed how Secure Development is the first step in creating a chain of trust and discussed Secure Mastering. In the final installment of this series, we discuss how to complete the Supply Chain of Trust through Secure Production.
For truly secure products, the only real solution is to develop a "zero trust" approach across the supply chain to minimize vulnerabilities and continually authenticate and individualize deliverables as far as possible. The chain of trust can be thought of as a process flow, where any step in the process depends upon the security of the previous step.
The steps to Secure Production include Secure Provisioning and Secure Programming/Manufacturing.
Given an OEM-centric provisioning model, the programming center needs to implement a model for securely accepting and handling the OEM's keys and certificates and provisioning these into the device, where they establish the device's secure services. To achieve this, a zero-trust secure channel must be implemented so that secrets can be passed from the OEM through a non-secure channel, without delegating any knowledge of the secrets themselves outside of the secure provisioning process.
At a simple level, the secure provisioning of the device is exemplified as a secure IPSec connection between two secure enclaves: the OEM mastering and key appliance held by the OEM, and the Secure Manufacturing appliance integrated within the programmer itself. Via this mechanism, it is possible to reduce the potential attack surface to a minimum, removing liability and risk from the programming center, and limiting the threat surface for the OEM.
Once the OEM’s keys, certificates and SBM have been programmed to the device, the programming center also needs to accept the encrypted image from the OEM. Then the programming center needs to accept the production information for the system, including which devices may be targeted and how many devices are enabled. To enable the exchange and to maintain security, a secure channel is created between the OEM’s mastering system, and the Secure Manufacturing appliance integrated into the programmer itself.
"Zero-trust" secure programming fundamentally requires that the image is protected from all stakeholders through encryption, and that no stakeholder can act upon the image during its deployment to the device. To enable this, the programmer must first identify that the device is valid; it must then download the application image to the memory of the device; the on-chip SBM must then confirm the downloaded image, decrypt it and program it to flash.
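The flow in the two paragraphs above (production information limiting which and how many devices are programmed, then the on-chip SBM confirming and decrypting the image) can be modeled as follows. This is an added illustration, not Secure Thingz code: all names, the device-ID allow-list used to identify a device, the shared symmetric keys, and the SHA-256 keystream standing in for a real AEAD cipher are assumptions.

```python
import hashlib, hmac, os

def _xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 counter keystream) to stay stdlib-only;
    # a real flow would use an AEAD such as AES-GCM.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def oem_master(image, enc_key, mac_key):
    """OEM side: encrypt-then-MAC the image before it leaves the OEM."""
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, image)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

class DeviceSBM:
    """On-chip SBM: holds the keys placed in the device during provisioning."""
    def __init__(self, device_id, enc_key, mac_key):
        self.device_id, self._enc, self._mac = device_id, enc_key, mac_key
        self.flash = None
    def accept(self, blob):
        if len(blob) < 48:          # 16-byte nonce + 32-byte tag minimum
            return False
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        good = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return False            # confirm before decrypting; flash untouched
        self.flash = _xor_stream(self._enc, nonce, ct)
        return True

class Programmer:
    """Programming center: sees only ciphertext plus production information."""
    def __init__(self, blob, allowed_ids, max_units):
        self.blob, self.allowed, self.left = blob, set(allowed_ids), max_units
    def program(self, dev):
        if dev.device_id not in self.allowed:
            return "rejected: device not targeted"
        if self.left <= 0:
            return "rejected: production count reached"
        if not dev.accept(self.blob):
            return "rejected: image failed SBM check"
        self.left -= 1
        return "programmed"

if __name__ == "__main__":
    keys = os.urandom(32), os.urandom(32)   # constructed sample keys
    line = Programmer(oem_master(b"constructed firmware", *keys), {"dev-1"}, 1)
    for dev_id in ("dev-1", "dev-2"): print(dev_id, line.program(DeviceSBM(dev_id, *keys)))
```

The programmer object never holds a key, so a copied or altered image is useless to it, and the production count only decreases when a device's SBM has accepted the image.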
The splitting of the Secure Provisioning and the Secure Programming enables flexibility in how provisioning is accomplished, while enabling forward movement on secure programming. For example, the provisioning of the MCU devices may initially be carried out within the programming center, but may migrate to the silicon vendor foundry over time, increasing security further; however, the OEM programming can be maintained as is, ensuring continuity, minimizing costs and reducing any impacts on delicate manufacturing processes.
Product security is not something that can be just added at the end of the design and production process; rather, it is something that an OEM must architect from the very beginning, starting with the software development process and continuing with the production of the product.
The only solution is to implement a "zero trust" design philosophy across the supply chain to minimize vulnerabilities and continually authenticate and individualize deliverables, from the start of development through to the deployment of millions of devices into our systems. Secure Development, Secure Mastering, and Secure Production are critical parts of ensuring a secure infrastructure and a chain of trust.
For more information, please visit www.securethingz.com.
Secure Thingz is a founder member of the IoT Security Foundation where many "Best Practice" guidelines are currently being deployed.
This article is written by Secure Thingz, a leading provider of advanced security solutions focused on the IoT.