Smart Industry 1/2017

More documents

Info

<strong>Smart</strong> Solutions Avnet supply Chain Supply Chain Security Bridging the Gap As enterprises enter the new world of IoT, they do so at their peril. Traditional methods of securing devices and systems break down when data flows through the global internet and corporate networks, all with different levels of trustworthiness. Personalization is the key – and Avnet Silica has found a way to provide it as a service quickly and efficiently. ■ By Guillaume Crinon S ecurity has become a real IoT buzzword these days. With the Internet of Things, the focus is on being able to correctly identify a certain device, often one embedded within production or logistics systems, and make sure that it only performs the tasks for which it was intended. A recent series of DDoS (distributed denial of service) attacks on large network operators, reportedly, came from Russian hackers. They managed to create a huge global botnet from digital cameras, refrigerators and other consumer electronics devices showing that future threats will seem to come out of the blue. A traditional response would be to use cryptography for proper mutual authentication, signing and encryption to control these threats. While encrypting data before you send it over the network is very well known and deployed, key distribution and renewal is the real problem to solve. Guillaume Crinon Technical marketing manager for EMEA at Avnet Silica In our experience at Avnet Silica, the question most customers ask about is the cost of personalizing devices through unique IDs, MAC addresses, keys and certificates, either on the production line or for field deployments. Personalization is actually a very effective way to enable higher levels of security at hardly any added cost. It is also a good way to bridge the gap between embedded devices and the IT infrastructure. What needs to be solved Regardless of the application and the security scheme associated with it, there is always a point in the life of one device connecting to another, or to a distant server, when someone needs to program unique identifiers and secret keys into memory. This process is called personalization. It can be a hurdle or even a burden and it always impacts the cost of the manufacturing process, resulting in raised prices for end users. One example from the realm of building automation would be the installation of an alarm system. Modern alarms consist of a central unit and several monitoring devices, which may be sold individually or bundled, all communicating locally via a radio frequency (RF) protocol. Someone then needs to ’pair’, or associate, the peripherals with the central unit and register the central unit with the global surveillance service. This can be done by the manufacturer, by the installer, or by end-users with accomplished do-ityourself IT skills. In any case, someone has to pay for the personalization and pairing process, and the complexity of these processes often creates security weaknesses. Be honest: How often do you change your home WiFi passkey? Never, right? That’s because it’s too much of a hassle. How often do administrators renew secret AES encryption keys in their networked systems? Not very often, for the very same reason. In the IoT world, ‘end-to-end’ security needs to be addressed by every single element in the supply chain and over multiple communications and networked systems and at different levels of the protocol stacks, such as IPsec for IP, WPA for 802.11, and local mechanisms for 802.15.4, Bluetooth, and so on. This, however, does not mean you have created end-to-end application security. Indeed, having a WPAsecured WiFi connection to a local router is definitely not enough to ‘HTTP' privately into a distant server, bearing in mind that most local network keys are hardly ever renewed – as explained above. It’s fairly common that data generated by a sensor or a machine will be conveyed through many different networks using various protocols belonging to different service providers before reaching the targeted application server. Each link in the chain is only responsible for its own security, and is completely unaware of what is happening in the links 90
efore and after it. This means the data needs to be decrypted and reencrypted every step of the way. It is often said that the security level of an entire system depends on its weakest link. Since a lot of outside vendors and suppliers are involved, like connectivity providers and gateway manufacturers, the number of possible weak points begins to rise exponentially. So how about adding an extra layer of strong device-to-server security, over a LAN, a WAN and IP? It sounds very interesting but it also sounds rather complex. We need a simple – and cheap – solution. Avnet Silica has devised a way to provide personalization and provisioning services to every single device in the supply chain quickly, efficiently and, above all, at less cost than ever before. Before examining Avnet's solution, let’s ask ourselves what a typical task involves? Let’s say your mission is to deliver a ‘Top Secret’ predictive maintenance message from your device, a robot, securely over the internet to a target server in the robot’s production factory. Connected objects talk to servers through the internet but the problem is that your message is usually decrypted and encrypted a few times on its journey. Remember, the transmission has always to be highly secure. The challenge is to secure this supply chain with HTTPS featuring transport layer security (TLS). This calls for a complex security system. First, you need someone trustworthy to do the certificate management so the objects can encode messages with unique IDs and keys that can only be decrypted with specific certificates. The robot and the target server now each have their own unique, very secret private key. The robot sends its certificate to the server to authenticate itself. The server tells the Key Management System to check the certificate to make sure it really comes from the robot. If the certificate is okay, the server then sends its own certificate to the robot, which checks it in turn. Next, the robot and the server generate a session key from the certificates and their private keys. Finally, the message is encrypted with this unique session key and is sent to the server. As the server has generated the same session key, it can decrypt the message and read it. So far so good! But it’s not quite as easy as it looks because it’s still not really safe. You have first to make sure the key management and certificate are tightly secured and for this we need: • a Hardware Security Module (HSM) to generate keys for access only • servers and firewalls for communication with the outside world • a virtual fortress with thick walls, safety steel doors and armed guards to keep the HSM safe. You’ve guarded your HSM, but the robot still needs to be secured. This means another HSM, a firewall and a personalized secure element, or MCU, containing a certified microcontroller and embedded software. And you still need more! You also have to provision your server with keys and certificates and codes to establish end-to-end security. To build all these elements from scratch and ensure a really secure transaction would probably require a couple of million euros – even for a very small installation. The Avnet initiative Avnet Silica has developed a unique solution to cut time and cost from this complicated process. In May 2016, we introduced a competitive service business model to simplify access to this technology through our advanced logistics facility at our German headquarters in Poing, near Munich. Here, secure microcontrollers are programmed by the Avnet Silica staff using firmware supplied by our partner Trusted Objects – adding a new set of functions and commands tailored to the exact requirements of the customer’s final application and global security architecture. To build this from scratch would cost you many millions even for a small installation Objects you can trust: At Avnet's Advanced Logistics facility in Poing near Munich, engineers routinely program secure microprocessors . The resulting microcontroller is programmed as a secure element to execute cryptographic primitives and complex functions. These comprise AES, ECC encryption, decryption, signature, secure key renewal, onboard key generation, true random number generation, handling of certificates, and much more – while never exposing secret keys to the outside world. This fortified warehouse is capable of personalizing secure elements, in small to large volumes, in order to meet the needs of any customer project. In this way, Avnet Silica and its partners enable customers to benefit from the depth and breadth of their expertise to address personalization and security for IoT projects. We are currently developing our own stacks and APIs which will be able to handle TLS derivatives, and easy-provisioning schemes running on various radio links, a service we will offer together with UbiquiOS Technology and Avnet Services. Finally, Avnet Silica is establishing certification authority services with a trusted partner for customers who wouldn't wish to invest in a full public key infrastructure themselves. Personalization and securely provisioning devices to servers end-to-end are the best, and by far the simplest, way to secure the Internet of Things. And we at Avnet Silica can help you make it happen. 91
Page 1 and 2:
smart powered by industry The IoT B
Page 3 and 4:
Editorial RevErsing the Trend Tim C
Page 5 and 6:
84 How Ants Avoid Traffic Jams Cars
Page 7 and 8:
construction, for example would obv
Page 9 and 10:
9
Page 11 and 12:
Blockchain Internet Unchained Today
Page 13 and 14:
“If you are interacting with Bitc
Page 15 and 16:
Unbanking is the future in Norway
Page 17 and 18:
RENESAS SYNERGY - THE WORLD‘S FI
Page 19 and 20:
micro-devices to monitor the status
Page 21 and 22:
Barcelona has avoided the raucous r
Page 23 and 24:
It’s hard to find a big company a
Page 25 and 26:
factory floor. They are commonly us
Page 27 and 28:
For decades, European and American
Page 29 and 30:
in the reshaping of their work envi
Page 31 and 32:
Näraffär A supermarket minus the
Page 33 and 34:
3D printing is popularly regarded a
Page 35 and 36:
in a hard wax which is then closely
Page 37 and 38:
General functional principle of las
Page 39 and 40: As the Internet of Things (IoT) con
Page 41 and 42: A billion billion operations per se
Page 43 and 44: High-performance, with highavailabi
Page 45 and 46: Equipment-as-a-service is moving ou
Page 47 and 48: There are few companies that can ma
Page 49 and 50: In June 2016, Nokia brought everyth
Page 51 and 52: A disruptive technology like the In
Page 53 and 54: developers who are merely intereste
Page 55 and 56: Hilscher / Pepperl+Fuchs Digital Tw
Page 57 and 58: OnlyGlass Times Square Everywhere M
Page 59 and 60: its footprint by the year-end. AT&T
Page 61 and 62: At the end of 2013, the Smart- Amer
Page 63 and 64: Berlin: A grid that manages itself
Page 65 and 66: Google The Grand Vision of IoT Thro
Page 67 and 68: when one considers that several low
Page 69 and 70: The traffic infrastructure across E
Page 71 and 72: photo ©: Hajo Dietz, Nürnberg Luf
Page 73 and 74: eplacement of a SIM. This can bring
Page 75 and 76: IoT platforms can turn farmers into
Page 77 and 78: other insights in the available inf
Page 79 and 80: technology for employees. Rapid dev
Page 81 and 82: Interview Doctor In the age of IoT,
Page 83 and 84: IQ-ad-2.2017_with_marks.pdf 2 2/10/
Page 85 and 86: of ordinary people. In Minsky and M
Page 87 and 88: y their ability to perform actions
Page 89: 89
Page 93 and 94: TempTraq Track your baby's temperat
Page 95 and 96: Advertorial Technologies, products,
Page 97 and 98: Future Bus Autopilot for public tra
Page 99 and 100: The Internet of Things is fueling d
show all

Smart Industry 1/2017

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?