Assigning an ID to 'things' with secure SD cards

March 15, 2017

IT security professionals know that identification, authentication and authorization are the three steps to access a "secure channel". Clear identific...

IT security professionals know that identification, authentication and authorization are the three steps a party has to pass before it is granted access over a "secure channel". Unambiguous identification of the individual is the first step towards safeguarding communication; encryption of the channel is the second.

Today these processes are taken for granted for human users within the IT network. For the "things" in the Industrial Internet of Things (IIoT) the situation is quite different: sensors, actuators and their gateways, machines, IT systems and so on still mostly communicate without adequate security measures in place.

A closed system inside a factory with no connection to the internet may get away with this. As soon as a single component is connected to the internet, however, those gaps become exploitable. How does a "thing" know that it is talking to its controller or to another legitimate system component, and not to an attacker or to malware? To prevent sabotage and espionage in industrial environments, Smart Factory communication must be secured. How can this be done, and, above all, how can existing equipment and components be retrofitted so that the customer's investment is protected?

In search of a simple and sustainable solution

A company can introduce a two-step authentication process for all its employees' access to IT systems by replacing the employee ID/photo card with a smart card and simply adding a card reader to the keyboard. Can such an identity card be created for machines as well? How can every communicating party within the IIoT be issued a secure token?

Until now, fitting a device with a secure element has meant either soldering a dedicated, individually identifiable chip (a Trusted Platform Module, TPM) onto the relevant board, or using a processor that can be unambiguously identified through an integrated secure area (a Trusted Execution Environment, TEE). Retrofitting is practically impossible under these circumstances. And what happens if quantum computers suddenly render today's asymmetric cryptography obsolete? Standardized cryptography that resists such attacks does not yet exist, so product planning over the entire life cycle is hard to achieve with soldered-in components. At the same time, IT security legislation demands the current state of the art. What is needed now are future-proof concepts.

At Swissbit I have responsibility for storage solutions that offer security functions – for example, our SD and microSD cards which feature integrated security, encrypted memory or CD-ROM functionality. These products are widely used in tap-proof mobile phones, industrial installations and police body cameras.

The Swissbit concept for the IIoT is simple. Industrial devices already commonly provide SD card or USB interfaces, and many of them need a storage medium anyway. So why not equip that storage medium with a secure element? An SD card with an integrated crypto chip takes over the role of the TPM, but can be replaced if and when necessary. Even legacy systems can be given a forgery-proof identity in this way. One design point follows from the removability: the identity is carried by the card, not by the host, so a deployment has to decide how the card is enrolled for, and paired with, the device it is meant to represent.
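What "assigning an identity" to a thing amounts to in practice is a challenge-response exchange: the controller sends a fresh nonce, the device signs it with a private key that stays inside the secure element, and the controller checks the signature against the public key it recorded when the device was commissioned. The following is an added illustration written for this page, not Swissbit firmware or a card API; it simulates the secure element in memory with an ECDSA P-256 key pair and SHA-256 (my choice of primitives, not something the article specifies), and the device name "sensor-17" is a made-up identifier. It also shows the two failure cases a practitioner wants to see rejected: an impostor that claims the same ID with its own key, and a replay of a previously valid response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecureElement stands in for the card's crypto chip: the private key is generated inside and never leaves it.
type SecureElement struct {
	deviceID string
	priv     *ecdsa.PrivateKey
}

// NewSecureElement personalises a card with a P-256 key pair for one device identity (assumed primitives).
func NewSecureElement(deviceID string) (*SecureElement, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecureElement{deviceID: deviceID, priv: priv}, nil
}

func (se *SecureElement) DeviceID() string            { return se.deviceID }
func (se *SecureElement) PublicKey() *ecdsa.PublicKey { return &se.priv.PublicKey }

// Sign answers a challenge with an ECDSA signature over the identity-bound digest.
func (se *SecureElement) Sign(nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, se.priv, challengeDigest(se.deviceID, nonce))
}

// challengeDigest = SHA-256(deviceID || 0x00 || nonce): a response for one ID cannot be presented under another.
func challengeDigest(deviceID string, nonce []byte) []byte {
	h := sha256.Sum256(append(append([]byte(deviceID), 0), nonce...))
	return h[:]
}

// Controller is the verifying side: enrolled public keys plus the nonce currently outstanding per device.
type Controller struct {
	registry map[string]*ecdsa.PublicKey
	pending  map[string][]byte
}

func NewController() *Controller { return &Controller{map[string]*ecdsa.PublicKey{}, map[string][]byte{}} }

// Enroll records a device's public key once, at commissioning time.
func (c *Controller) Enroll(deviceID string, pub *ecdsa.PublicKey) { c.registry[deviceID] = pub }

// Challenge hands an enrolled device a fresh 32-byte random nonce.
func (c *Controller) Challenge(deviceID string) ([]byte, error) {
	if _, ok := c.registry[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c.pending[deviceID] = nonce
	return nonce, nil
}

// Verify checks the response against the enrolled key; the nonce is consumed first, so a recorded response cannot be replayed.
func (c *Controller) Verify(deviceID string, sig []byte) error {
	pub, nonce := c.registry[deviceID], c.pending[deviceID]
	if pub == nil || nonce == nil {
		return errors.New("unknown device or no outstanding challenge")
	}
	delete(c.pending, deviceID)
	if !ecdsa.VerifyASN1(pub, challengeDigest(deviceID, nonce), sig) {
		return errors.New("signature does not match enrolled key")
	}
	return nil
}

// Authenticate runs one full exchange; a nil error means the device is genuine.
func Authenticate(c *Controller, deviceID string, signer func([]byte) ([]byte, error)) error {
	nonce, err := c.Challenge(deviceID)
	if err != nil {
		return err
	}
	sig, err := signer(nonce)
	if err != nil {
		return err
	}
	return c.Verify(deviceID, sig)
}

func main() {
	ctrl := NewController()
	card, _ := NewSecureElement("sensor-17") // card personalised for a hypothetical sensor
	ctrl.Enroll(card.DeviceID(), card.PublicKey())
	fmt.Println("genuine card:", Authenticate(ctrl, "sensor-17", card.Sign))

	impostor, _ := NewSecureElement("sensor-17") // same claimed ID, its own key
	fmt.Println("impostor:", Authenticate(ctrl, "sensor-17", impostor.Sign))

	nonce, _ := ctrl.Challenge("sensor-17") // replay a previously valid response
	sig, _ := card.Sign(nonce)
	fmt.Println("first use:", ctrl.Verify("sensor-17", sig), "replayed:", ctrl.Verify("sensor-17", sig))
}
```

The point of the design is that the controller never needs the private key: a replacement card is commissioned by enrolling its public key, which is exactly what makes the removable secure element workable for retrofitting. Binding the device ID into the signed digest and consuming the nonce before verification are the two details that turn a bare signature check into an authentication protocol.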

I invite all developers concerned with security in the IIoT to share their thoughts and questions with me. How about at embedded world in Nuremberg, at the Swissbit booth (Hall 1, booth 1-534)?

Hubertus Grobbel is Head of the Security Products Department at Swissbit AG. This business unit is responsible for products combining security and storage. Hubertus holds a master's degree (Dipl.-Ing.) in electrical engineering from RWTH Aachen University, Germany.

Hubertus Grobbel, Swissbit AG