Develop Your IoT Device with a “Security State of Mind”
December 18, 2020
Security breaches are now a regular occurrence. They are so common that the end-user community barely blinks when they hear news of the latest hack—until it happens to them, of course.
Security breaches are now a regular occurrence. They are so common that the end-user community barely blinks when they hear news of the latest hack—until it happens to them, of course. Most experts agree that a 100% secure system is not reality. The general rule is that you need to be secure enough so that the bad guys will go looking elsewhere for easier prey. I’m paraphrasing something I heard from Haydn Povey, the CEO of Secure Thingz and General Manager of Embedded Security Solutions at IAR Systems, in a recent video explaining why is so important to think security first.
If you’re in that camp, and I believe you should be, the effort of staying ahead of the enemy needn’t take you down a painful path. In fact, if you instill a secure design methodology right from the beginning of your design process, which means before you even write one line of code, it may be easier than you think. You just have to have “design securely” in the back of your head at all times. To understand where that “secure path” begins and where it should lead you, check out the webcast The Embedded Developers’ Journey to a Secure IoT Device. Note that there is a whitepaper by that same title that provides some tangible detail.
(Art courtesy of devops.com)
I’d love to tell you that you just need to check off a few boxes on your compiler/debugger and you’re good to go. That’s sounds too good to be true, but in reality, it’s not that far from the truth. But again, having security be top of mind is the best path to a secure device or system. To give you an example, see the recent Embedded Toolbox video, where IAR Systems’ Shawn Prestridge shows developers how to create fully-encrypted, trusted application packages within IAR’s Embedded Workbench.
While these arguments hold true whether you are designing hardware or software, I’ll keep the discussion here focused on the software. Because technology moves so quickly, the security requirements for today may be different than they were in your previous design, and likely will change again in your next generation. As a result, it’s important that your security tool chain evolves as well. Once such tool that continues to keep up with the pace is IAR Systems’ C-Trust security development tool.
IoT systems in particular can be difficult to secure because your network is typically only as secure as the weakest link in the network. In other works, if you plug an insecure device into your network, the hackers may have access to the entire network through that device. C-Trust helps provide that “end to end” security to ensure that there are no gaps.
C-Trust starts working with you right from inception. As such, it’s deemed a security “development” tool that works seamlessly as an extension to IAR’s popular Embedded Workbench. That combination lets the developer protect his application without having to master the deeper complexities of security. The steps are very intuitive and frankly, very simple.
C-Trust employs Security Context Profiles to build the foundation of a secure device. By including the codebase and setting manufacturing limits, you greatly reduce the risk of counterfeiting and cloning during and through production. And existing security configuration profiles can be imported without the risk of being compromised.
The beauty of C-Trust is that there is very little change to your existing design flow, because you’re using the same development tools you’ve been using previously. The integration between C-Trust and Embedded Workbench automatically removes a lot of the external development work, and all of the guesswork. The result is an end device that boots securely, with IP that can’t be compromised, even when system updates are made.
And thanks to secure provisioning, a necessary step from development to production, you have assurances that as much information as possible is protected. This means that the keys are provisioned securely into the device with a cryptographically secured image of the application. This is another example of what is meant by “end-to-end” security.
Remember, security must be a state of mind, not an add-on. But it also has to be easy and not time consuming. With the tools available today, there’s no excuse to not be secure. Security from inception.