SlideShare a Scribd company logo

Security framework for connected devices

HCL Technologies
HCL Technologies

The document presents a security framework for connected devices in the Internet of Things (IoT), emphasizing the importance of integrating security measures throughout the product life cycle due to rising cyber threats. It outlines a framework, referred to as FEDS, which identifies security requirements, assesses vulnerabilities, and generates specific security profiles tailored to embedded devices. Key objectives include ensuring device confidentiality, integrity, and availability while providing a modular solution that adheres to NIST's cybersecurity standards.

Business
1 of 15
Downloaded 23 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Security Framework for Connected devices
Abstract Abbreviations Market Trends and Challenges Security Goals Our Solution Core Functions Interactive Interface Threat Detection Module Security Goal Identifier Security Profile Generator Security Engine Security API Abstraction Layer FEDS Use Case Solution Benefits Best Practices Conclusion Reference Author Info Table of Contents
Connectivity is a double edged sword, on one hand it gives a user an opportunity to stay connected and get data anywhere anytime; on the other hand it opens up a gateway for hackers. The hackers can, not only hack the data but they can further use the device as a bot to attack another device. Year 2014 has witnessed many such incidents. Earlier the main focus of embedded systems designer was to minimize the energy consumption while also ensuring maximum output in real time. Security was not a consideration then. With the advent of IoT and connected Devices, security is becoming more and more important. This paper presents a framework that can be used to identify the security requirements of Embedded Devic- es in IoT and suggest a specific security profile for them. The presented approach makes use of the Cyber- Security Framework version 1.0 by NIST. Abstract Abbreviations SI. NO Acronyms Fullform 1 2 3 4 5 IoT NIST DoS M2M OEM Internet of Things Original Equipment Manufacturer Denial of Service National Institute of Standards and Technology Machine to Machine
Today there are some 6 billion subscriptions to mobile networks, mostly people, but the next 6 billion users will mainly be devices (Machine-to-Machine or M2M).This trend will revolutionize and disrupt the operations of many industries beyond telecommunications and make device security increasingly more important. Now security is considered in different domain where the devices need to communicate and authenticate each other thus increasing the risk of cybercrime. According to a survey the likely annual cost to global economy from cybercrime is more than $400 billion. According to Gartner, Risk Based Security/ Self Protec- tion is one of the ten technology trends to be observed in 2015. Main challenges in device security for con- nected devices are - • Connected devices are controlled and operat ed remotely. • Robust authentication and authorization is required to prevent access to malicious users. Market Trends and Challenges UNAUTHORIZED ACCESS • Dos attack exhausts device resources and prevent valid users from accessing device services. • Launching a DoS attack is easier on embedded devices. DOS ATTACK • Untrusted code, such as worms, viruses, spy ware, and other malware installed on a device compromise the device. • Firmware modification attacks can affect entire families of devices. UNTRUSTED CODE EXECUTION • Device contains stored and received Data. Both types of data are sensi tive to the consumer and should not be accessible to any mali cious user. DEVICE DATA SECURITY • Device needs to be updated online, man aging secure firmware upgrade for remotely deployed devices is a prime requirement for OEMs REMOTE FIRMWARE UPGRADE • The data in a public network passes through a number of untrusted intermediate points. Therefore the secure data must be scrambled and sent ensuring the authenticity and authori zation of communcat ing party INSECURE COMMUNICATIONS
Security Goals Connected devices poses a severe security threat. There is an urgent need for a Security Framework that use proven security technology to address the security goals for connected devices, the primary security goals for connected devices are - DEvice security goals 24 Confidentiality Ensure that information is not disclosed unless authorized Non-Repudiation Ensure that communicating parties have authenticated and authorized themselves for the transaction Availability Ensure that the system is always available and the sysytem data is safe Integrity Verify that data sent between the appliance and utility cannot be altered for destroyed
With the security goals identified and considering the embedded nature of the device there is a need to find the optimal security requirements of the device. The optimal security requirement can be identified using the details of system hardware, software, deployment scenario and threats to device. A security mechanism is incomplete without proper analysis of device capabilities, threats and vulnerabilities. An Ideal Security Solution for embedded devices in IoT should focus on security goals, hardware capabilities and threat profile of the device. There should also be a mechanism to identify the right amount of security or the appropriate security level for the device on the basis of processing, memory requirements and the level of security achieved. It should be customizable so that OEMs can pick and choose the desired security profile for their device on the basis of device capability (Processing, memory etc.). We propose a Framework for Embedded Device Security i.e. FEDS. It is a framework that evaluates the Security /Vulnerability of embedded devices and suggests a Security Profile for them. The suggested profile can be applied to the device using the Components and APIs provided by the Framework. It is a comprehen- sive end to end Device Security Framework that Identifies and detects the Security requirements for an Embedded Device and then protects it using its own library of Security Components. FEDS is based on the suggestions of Cybersecurity Framework and supports IDENTIFY, DETECT and PRO- TECT core functions of the framework. It executes these functions in a cyclic manner as shown in the figure 1 Our Solution Core Functions Identify Protect Detect Identify the security goals. List the assets to be protected like device software, hardware, data, interfaces etc. Implement the appropriate safeguards to limit the security risk. This functionality protects the data at rest and data in transit. Discover the occurrence of threats and attacks by malicious code, monitor unauthorized access and perform vulnerability scans.
Interactive Interface Block Diagram of FEDS is shown in the figure 2. The main components of the FEDS architecture are User interface captures device and application inputs. The inputs captured in this layer includes device capa- bility in terms of processing speed, memory, device deployment details, application installed on the the device, OS, version, type of connectivity and Security goals identified by OEMs as primary security requirements. Some of the inputs are taken directly from user interface and others can be automatically detected using system tools. Threat Detection Module This module is responsible for generating the threat profile of the device. It uses device specific data and standard threat database to get device specific threats. These threats are verified by threat assessment tools and collection of attack scripts specific to the threats. The verified threats form the threat profile of the system. Security Goal Identifier This component is used to identify the absolute security goals namely authentication, confidentiality, integrity, availability, non-repudiation for the device on the basis of threats and security requirements as captured in the Input layer. Security Profile Generator This component generates the security profile on the basis of threat profile and security requirement of the device. The generator generates two types of profile one is basic security profile and the other is advanced security profile. The basic security profile consists of the components that are required to provide the bare minimum security to the system considering only the OEMs security requirements. The advanced security profile consists of components that are required to provide the desired security goals and the ones that protect the system from the likely threats detected by threat detection module.
This component is the repository of libraries implementing security protocols and optional modules like access control module, logging module and identity management module. The components are managed in a database containing the list of vulnerabilities that can be averted/minimized using the components. The database also contains the processing and memory requirement for each component and the level of securi- ty achieved in terms of low, medium and high. Security engine comprises of open source and COTS compo- nents. This layer works as an abstraction layer for Open source and COTS components. It enables FEDS to switch between various protocols implementations. The abstraction layer abstracts the implementation and provides a uniform API layer. Security Engine Security API Abstraction Layer FEDs UI Security profile generator Threat detection module Security goal identifier Security Engine Security API Abstraction Layer Custom Vulnerability DB Standard Vulnerability DB Security Management layers (Access Control, Audit Logging, Trust Mechanism) Communication Security Layer (Firewall, SSL, TLS, IPSec, Bluetooth, ZB Security Protocols Device Security Layer (Secure OS, Secure file System, System Boot Secure Chip (Cryptographic Engine, TPM Module, Secure Storage) Update
FEDS Use Case The framework performs a list of sequential operations to evaluate the Security Requirements of an Embedded Device. Let’s consider the case when FEDS is used to generate security profile for an embedded device part of M2M and sends intermittent data over the network to the cloud the user wants to ensure the confidentiality of the data sent.
Identify the security requirement of the device using questionnaire for device assessment. User inputs for this sensor device could be OS – RTOS, Connectivity TCP/IP, Application – Client, Processing – Low, and Memory – Low. Gather User Inputs ISecond step for vulnerability detection and threat profile generation comprising of a set of possible threats considering the common weaknesses of the OS, network protocol, application type etc. Generate Threat Profile Security Profile containing the list of Security Components required for securing the Device. Basic Profile( Based on User Requirements) - Confidentiality Component Advanced Profile (Based on User Requirements and Threats to Device) – Confidentiality and Authentication Component. Generate Security Profile This step provides the list of APIS to be integrated in the device for securing the Device. Generate API List
Solution Benefits Framework identifies the real security risk to device by correlating the device threats and vulnerability information with the device capability. Risk Based Security The framework provides a complete end to end and scalable platform giving holistic view of the security requirment of the device Scalable Framework The security profile generated by FEDS provides just the right type and amount of securi- ty to defend against the real threats Appropriate Security OEMs can pick and choose the desired configuration fro their device and get device spe- cific profile Modular Framework is based on NIST based cybersecurity framework and provides FIPS compli- ant open source components. Standards Based
Best Practices Security processes as part of SDLC Including security planning in the life cycle management of device is critical. Embedded systems designers and developers must adopt the following product life cycle design aspects to include security as an integrated part of product development life cycle. SDLC Phases Security Processes Requirements Design Coding and Unit Testing Integration and System Testing Deployment Support Security analysis for requirements and Security Policy definition to check abuse/misuse cases Architectural Assessment, Security Scenario Identification, Attack Surface Analysis and Threat Modeling Adherence to Secure Coding Standards, introduction of security components, bug fixes for security holes. Penetration Testing, Static and Dynamic Security Testing, Integration and Fuzz Testing Reduce Attack Surface, Update Default Configuration, Configuration management, Access Policy Updation Build Integrated Security Patch Updation, and impact analysis of Patch application.
Conclusion Reference Security attacks underline the need for stronger protective measures in critical embedded systems. Embedding security in an embedded device need to be considered throughout the product life cycle—from- design and inception, through development and testing, to delivery and maintenance and also at every layer of the product from hardware platforms and virtualization technologies to the operating system, the network stack, or other communications middleware, packets of data being sent across the network, and purpose- built applications required to support device functionality. Security has to be an exercise built into the product development process instead of adding as an add-on feature. [1] Srivaths Ravi , Anand Raghunathan , Paul Kocher , Sunil Hattangady, Security in embedded systems: Design challenges, ACM Transactions on Embedded Computing Systems (TECS), v.3 n.3, p.461-491, August 2004 [2] Nachiketh R. Potlapally, Srivaths Ravi, Anand Raghunathan, Niraj K. Jha, "A Study of the Energy Con sumption Characteristics of Cryptographic Algorithms and Security Protocols," IEEE Transactions on Mobile Computing, vol. 5, no. 2, pp. 128-143, February, 2006 [3] Fengyuan Xu; Zhengrui Qin; Tan, C.C.; Baosheng Wang; Qun Li, "IMDGuard: Securing implantable medi cal devices with the external wearable guardian," INFOCOM, 2011 Proceedings IEEE , vol., no., pp.1862,1870, 10-15 April 2011 [4] “Framework for Improving Critical Infrastructure Cybersecurity” Version 1.0 National Institute of Standards and Technology February 12, 2014 [5] Simin Nadjm-Tehrani and Maria Vasilevskaya, “Towards a Security Domain Model for Embedded Sys tems”, 2011, The 13th IEEE International Symposium on High Assurance Systems Engineering (HASE), Boca Raton, November 2011 [6] J. Wan, C. Zou, and J. Liu, "Security in the Internet of Things: A Review," in Computer Science and Elec tronics Engineering (ICCSEE), 2012 International Conference on, vol. 3, 2012, pp. 648-651. [7] L. Khelladi, Y. Challal, A. Bouabdallah, N. Badache, "On Security Issues in Embedded Systems: Challeng es and Solutions", International Journal of Information and Computer Security 2008, Vol. 2, No.2, pp. 140-174.
[8] S. Zhang, X. Ou, and J. Homer. “Effective network vulnerability assessment through model abstraction. In Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment”, DIMVA’11, pages 17–34, Berlin, Heidelberg, 2011. Springer-Verlag [9] http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014[10]http://w ww.techrepublic.com/blog/10-things/gartners-top-10-technology-trends-for-2015-all-about-the-cloud/ Shivani Tomar HCL Engineering and R&D Services Author Info
ABOUT HCL Our propositions include: • Global deployment • Instance consolidation • Fundamental cost reduction • Target operating model transformation • Benefits delivery • Large program management • Applications development • Design, build and run services TRUE GLOBAL DELIVERY HCL operates as a single global organization, allowing us to deploy consulting teams that leverage proven industry and solution best practices from our offices and delivery centres around the world. With revenues of $6.5 billion, employing 100,000 technology experts and operating in 31 countries worldwide, HCL is a leading global technology services provider. HCL helps its clients transform their business and IT assets, deliver complex Digital Systems Integration programs and operate their application and infrastructure estates. HCL’s Digital Systems Integration business works with its clients to drive business outcomes through large IT program delivery. HCL employ 15,000 systems integration experts and are established partners with leading enterprise application providers—SAP, Oracle and Microsoft. Hello there! I am an Ideapreneur. I believe that sustainable business outcomes are driven by relationships nurtured through values like trust, transparency and flexibility. I respect the contract, but believe in going beyond through collaboration, applied innovation and new generation partnership models that put your interest above everything else. Right now 105,000Ideapreneurs are in a Relationship Beyond the Contract™ with 500 customers in 31 countries. How can I help you? TM

More Related Content

What's hot (18)

PPTX
High dependability of the automated systems
Alan Tatourian
 
PDF
Enhanced method for intrusion detection over kdd cup 99 dataset
ijctet
 
PDF
IRJET- A Review on Intrusion Detection System
IRJET Journal
 
PPTX
Threat Modeling - Writing Secure Code
Caleb Jenkins
 
PPTX
Operational Security Intelligence
Splunk
 
PDF
Android Security: A Survey of Security Issues and Defenses
IRJET Journal
 
PPT
Ch09 Performing Vulnerability Assessments
Information Technology
 
PDF
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Symantec
 
PDF
Intrusion Detection in Industrial Automation by Joint Admin Authorization
IJMTST Journal
 
PDF
MBM Security Products Matrix
Charles McNeil
 
PDF
A Collaborative Intrusion Detection System for Cloud Computing
ijsrd.com
 
PPTX
Aca presentation arm_
Mudassar Mehmud
 
PPTX
Teknisen tietoturvan minimivaatimukset
Teemu Tiainen
 
PPT
Security technologies
Dhani Ahmad
 
PDF
50320130403001 2-3
IAEME Publication
 
PPTX
what is security
Dedi Dwianto
 
PPTX
Network Security Risk
Dedi Dwianto
 
PDF
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Shakeel Ali
 
High dependability of the automated systems
Alan Tatourian
 
Enhanced method for intrusion detection over kdd cup 99 dataset
ijctet
 
IRJET- A Review on Intrusion Detection System
IRJET Journal
 
Threat Modeling - Writing Secure Code
Caleb Jenkins
 
Operational Security Intelligence
Splunk
 
Android Security: A Survey of Security Issues and Defenses
IRJET Journal
 
Ch09 Performing Vulnerability Assessments
Information Technology
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Symantec
 
Intrusion Detection in Industrial Automation by Joint Admin Authorization
IJMTST Journal
 
MBM Security Products Matrix
Charles McNeil
 
A Collaborative Intrusion Detection System for Cloud Computing
ijsrd.com
 
Aca presentation arm_
Mudassar Mehmud
 
Teknisen tietoturvan minimivaatimukset
Teemu Tiainen
 
Security technologies
Dhani Ahmad
 
50320130403001 2-3
IAEME Publication
 
what is security
Dedi Dwianto
 
Network Security Risk
Dedi Dwianto
 
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
Shakeel Ali
 

Similar to Security framework for connected devices (20)

PDF
System-level Threats: Dangerous Assumptions in modern Product Security
Cristofaro Mune
 
PDF
Track 5 session 4 - st dev con 2016 - life cycle management for web
ST_World
 
PDF
Secure-by-Design Using Hardware and Software Protection for FDA Compliance
ICS
 
PPT
AMI Security 101 - Smart Grid Security East 2011
dma1965
 
PDF
Track 5 session 1 - st dev con 2016 - need for security for iot
ST_World
 
PPTX
How to create a secure IoT device
Abhijeet Rane
 
PPTX
Pentesting embedded
antitree
 
PPTX
Internet of things security "Hardware Security"
Ahmed Mohamed Mahmoud
 
PPTX
Safe and secure autonomous systems
Alan Tatourian
 
PDF
Securing IoT medical devices
Benjamin Biwer
 
PPTX
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
PPT
Embabded system security for feuture .ppt
gunjansingh2917683
 
PPTX
Security Testing for IoT Systems
Security Innovation
 
PDF
Finding the needle in the hardware haystack - HRES (1)
Tim Wright
 
PPTX
LAS16-300K2: Geoff Thorpe - IoT Zephyr
Shovan Sargunam
 
PPT
3. security architecture and models
7wounders
 
PDF
A method for detecting abnormal program behavior on embedded devices
Raja Ram
 
PPTX
Hugo Fiennes - Security and the IoT - Electric Imp
Business of Software Conference
 
PDF
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
 
PDF
Sfa community of practice a natural way of building
Chuck Speicher
 
System-level Threats: Dangerous Assumptions in modern Product Security
Cristofaro Mune
 
Track 5 session 4 - st dev con 2016 - life cycle management for web
ST_World
 
Secure-by-Design Using Hardware and Software Protection for FDA Compliance
ICS
 
AMI Security 101 - Smart Grid Security East 2011
dma1965
 
Track 5 session 1 - st dev con 2016 - need for security for iot
ST_World
 
How to create a secure IoT device
Abhijeet Rane
 
Pentesting embedded
antitree
 
Internet of things security "Hardware Security"
Ahmed Mohamed Mahmoud
 
Safe and secure autonomous systems
Alan Tatourian
 
Securing IoT medical devices
Benjamin Biwer
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
Embabded system security for feuture .ppt
gunjansingh2917683
 
Security Testing for IoT Systems
Security Innovation
 
Finding the needle in the hardware haystack - HRES (1)
Tim Wright
 
LAS16-300K2: Geoff Thorpe - IoT Zephyr
Shovan Sargunam
 
3. security architecture and models
7wounders
 
A method for detecting abnormal program behavior on embedded devices
Raja Ram
 
Hugo Fiennes - Security and the IoT - Electric Imp
Business of Software Conference
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
 
Sfa community of practice a natural way of building
Chuck Speicher
 
Ad

More from HCL Technologies (20)

PPT
Emergence of ITOA: An Evolution in IT Monitoring and Management
HCL Technologies
 
PDF
USING FACTORY DESIGN PATTERNS IN MAP REDUCE DESIGN FOR BIG DATA ANALYTICS
HCL Technologies
 
PPTX
HCL HELPS A US BASED WIRELINE TELECOM OPERATOR FOR BETTER LEAD-TO-CASH AND TH...
HCL Technologies
 
PPTX
HCL HELPS A LEADING US TELECOM PROTECT ITS MARKET SHARE AND MAINTAIN HIGH LEV...
HCL Technologies
 
PDF
Noise Control of Vacuum Cleaners
HCL Technologies
 
PDF
Comply
HCL Technologies
 
PDF
Cost-effective Video Analytics in Smart Cities
HCL Technologies
 
PDF
A novel approach towards a Smarter DSLR Camera
HCL Technologies
 
PDF
Connected Cars - Use Cases for Indian Scenario
HCL Technologies
 
PDF
A Sigh of Relief for Patients with Chronic Diseases
HCL Technologies
 
PDF
Painting a Social & Mobile Picture in Real Time
HCL Technologies
 
PDF
A Novel Design Approach for Electronic Equipment - FEA Based Methodology
HCL Technologies
 
PDF
Intrusion Detection System (IDS)
HCL Technologies
 
PPT
Manufacturing Automation and Digitization
HCL Technologies
 
PDF
Managing Customer Care in Digital
HCL Technologies
 
PPT
Digital Customer Care Solutions, Smart Customer Care Solutions, Next Gen Cust...
HCL Technologies
 
PPTX
The Internet of Things. Wharton Guest Lecture by Sandeep Kishore – Corporate ...
HCL Technologies
 
PPTX
Be Digital or Be Extinct. Wharton Guest Lecture by Sandeep Kishore – Corporat...
HCL Technologies
 
PPT
Transform and Modernize -UK's leading specialists in Pension and Employee Ben...
HCL Technologies
 
PPT
"Cost Savings Enabled for European Financial Services company "
HCL Technologies
 
Emergence of ITOA: An Evolution in IT Monitoring and Management
HCL Technologies
 
USING FACTORY DESIGN PATTERNS IN MAP REDUCE DESIGN FOR BIG DATA ANALYTICS
HCL Technologies
 
HCL HELPS A US BASED WIRELINE TELECOM OPERATOR FOR BETTER LEAD-TO-CASH AND TH...
HCL Technologies
 
HCL HELPS A LEADING US TELECOM PROTECT ITS MARKET SHARE AND MAINTAIN HIGH LEV...
HCL Technologies
 
Noise Control of Vacuum Cleaners
HCL Technologies
 
Comply
HCL Technologies
 
Cost-effective Video Analytics in Smart Cities
HCL Technologies
 
A novel approach towards a Smarter DSLR Camera
HCL Technologies
 
Connected Cars - Use Cases for Indian Scenario
HCL Technologies
 
A Sigh of Relief for Patients with Chronic Diseases
HCL Technologies
 
Painting a Social & Mobile Picture in Real Time
HCL Technologies
 
A Novel Design Approach for Electronic Equipment - FEA Based Methodology
HCL Technologies
 
Intrusion Detection System (IDS)
HCL Technologies
 
Manufacturing Automation and Digitization
HCL Technologies
 
Managing Customer Care in Digital
HCL Technologies
 
Digital Customer Care Solutions, Smart Customer Care Solutions, Next Gen Cust...
HCL Technologies
 
The Internet of Things. Wharton Guest Lecture by Sandeep Kishore – Corporate ...
HCL Technologies
 
Be Digital or Be Extinct. Wharton Guest Lecture by Sandeep Kishore – Corporat...
HCL Technologies
 
Transform and Modernize -UK's leading specialists in Pension and Employee Ben...
HCL Technologies
 
"Cost Savings Enabled for European Financial Services company "
HCL Technologies
 
Ad

Recently uploaded (20)

PDF
Why Unipac Equipment Leads the Way Among Gantry Crane Manufacturers in Singap...
UnipacEquipment
 
PDF
Kirill Klip GEM Royalty TNR Gold Presentation
Kirill Klip
 
PDF
Keppel Investor Day 2025 Presentation Slides GCAT.pdf
KeppelCorporation
 
PDF
Factors Influencing Demand For Plumbers In Toronto GTA:
Homestars
 
PDF
NJ GST Collection Summary - June2025.pdf
writer28
 
PDF
Top Farewell Gifts for Seniors Under.pdf
ThreadVibe Living
 
PPTX
Build Wealth & Protect Your Legacy with Indexed Universal Life Insurance
iulfinancial6
 
PPTX
Hackathon - Technology - Idea Submission Template -HackerEarth.pptx
nanster236
 
PDF
Jordan Minnesota City Codes and Ordinances
Forklift Trucks in Minnesota
 
PDF
Thane Stenner - An Industry Expert
Thane Stenner
 
PDF
From Legacy to Velocity: how we rebuilt everything in 8 months.
Product-Tech Team
 
PDF
Flexible Metal Hose & Custom Hose Assemblies
McGill Hose & Coupling Inc
 
PDF
SUMMER SAFETY FLYER SPECIAL Q3 - 16 Pages
One Source Industrial Supplies
 
PDF
Buy Boys Long Sleeve T-shirts at Port 213
Port 213
 
PDF
Raman Bhaumik - A Passion For Service
Raman Bhaumik
 
DOCX
TCP Communication Flag Txzczczxcxzzxypes.docx
esso24
 
PPTX
epi editorial commitee meeting presentation
MIPLM
 
PPTX
Why-Your-BPO-Startup-Must-Track-Attrition-from-Day-One.pptx.pptx
Orage technologies
 
PDF
Importance of Timely Renewal of Legal Entity Identifiers.pdf
MNS Credit Management Group Pvt. Ltd.
 
PDF
Securiport - A Global Leader
Securiport
 
Why Unipac Equipment Leads the Way Among Gantry Crane Manufacturers in Singap...
UnipacEquipment
 
Kirill Klip GEM Royalty TNR Gold Presentation
Kirill Klip
 
Keppel Investor Day 2025 Presentation Slides GCAT.pdf
KeppelCorporation
 
Factors Influencing Demand For Plumbers In Toronto GTA:
Homestars
 
NJ GST Collection Summary - June2025.pdf
writer28
 
Top Farewell Gifts for Seniors Under.pdf
ThreadVibe Living
 
Build Wealth & Protect Your Legacy with Indexed Universal Life Insurance
iulfinancial6
 
Hackathon - Technology - Idea Submission Template -HackerEarth.pptx
nanster236
 
Jordan Minnesota City Codes and Ordinances
Forklift Trucks in Minnesota
 
Thane Stenner - An Industry Expert
Thane Stenner
 
From Legacy to Velocity: how we rebuilt everything in 8 months.
Product-Tech Team
 
Flexible Metal Hose & Custom Hose Assemblies
McGill Hose & Coupling Inc
 
SUMMER SAFETY FLYER SPECIAL Q3 - 16 Pages
One Source Industrial Supplies
 
Buy Boys Long Sleeve T-shirts at Port 213
Port 213
 
Raman Bhaumik - A Passion For Service
Raman Bhaumik
 
TCP Communication Flag Txzczczxcxzzxypes.docx
esso24
 
epi editorial commitee meeting presentation
MIPLM
 
Why-Your-BPO-Startup-Must-Track-Attrition-from-Day-One.pptx.pptx
Orage technologies
 
Importance of Timely Renewal of Legal Entity Identifiers.pdf
MNS Credit Management Group Pvt. Ltd.
 
Securiport - A Global Leader
Securiport
 

Security framework for connected devices

  • 2. Abstract Abbreviations Market Trends and Challenges Security Goals Our Solution Core Functions Interactive Interface Threat Detection Module Security Goal Identifier Security Profile Generator Security Engine Security API Abstraction Layer FEDS Use Case Solution Benefits Best Practices Conclusion Reference Author Info Table of Contents
  • 3. Connectivity is a double edged sword, on one hand it gives a user an opportunity to stay connected and get data anywhere anytime; on the other hand it opens up a gateway for hackers. The hackers can, not only hack the data but they can further use the device as a bot to attack another device. Year 2014 has witnessed many such incidents. Earlier the main focus of embedded systems designer was to minimize the energy consumption while also ensuring maximum output in real time. Security was not a consideration then. With the advent of IoT and connected Devices, security is becoming more and more important. This paper presents a framework that can be used to identify the security requirements of Embedded Devic- es in IoT and suggest a specific security profile for them. The presented approach makes use of the Cyber- Security Framework version 1.0 by NIST. Abstract Abbreviations SI. NO Acronyms Fullform 1 2 3 4 5 IoT NIST DoS M2M OEM Internet of Things Original Equipment Manufacturer Denial of Service National Institute of Standards and Technology Machine to Machine
  • 4. Today there are some 6 billion subscriptions to mobile networks, mostly people, but the next 6 billion users will mainly be devices (Machine-to-Machine or M2M).This trend will revolutionize and disrupt the operations of many industries beyond telecommunications and make device security increasingly more important. Now security is considered in different domain where the devices need to communicate and authenticate each other thus increasing the risk of cybercrime. According to a survey the likely annual cost to global economy from cybercrime is more than $400 billion. According to Gartner, Risk Based Security/ Self Protec- tion is one of the ten technology trends to be observed in 2015. Main challenges in device security for con- nected devices are - • Connected devices are controlled and operat ed remotely. • Robust authentication and authorization is required to prevent access to malicious users. Market Trends and Challenges UNAUTHORIZED ACCESS • Dos attack exhausts device resources and prevent valid users from accessing device services. • Launching a DoS attack is easier on embedded devices. DOS ATTACK • Untrusted code, such as worms, viruses, spy ware, and other malware installed on a device compromise the device. • Firmware modification attacks can affect entire families of devices. UNTRUSTED CODE EXECUTION • Device contains stored and received Data. Both types of data are sensi tive to the consumer and should not be accessible to any mali cious user. DEVICE DATA SECURITY • Device needs to be updated online, man aging secure firmware upgrade for remotely deployed devices is a prime requirement for OEMs REMOTE FIRMWARE UPGRADE • The data in a public network passes through a number of untrusted intermediate points. Therefore the secure data must be scrambled and sent ensuring the authenticity and authori zation of communcat ing party INSECURE COMMUNICATIONS
  • 5. Security Goals Connected devices poses a severe security threat. There is an urgent need for a Security Framework that use proven security technology to address the security goals for connected devices, the primary security goals for connected devices are - DEvice security goals 24 Confidentiality Ensure that information is not disclosed unless authorized Non-Repudiation Ensure that communicating parties have authenticated and authorized themselves for the transaction Availability Ensure that the system is always available and the sysytem data is safe Integrity Verify that data sent between the appliance and utility cannot be altered for destroyed
  • 6. With the security goals identified and considering the embedded nature of the device there is a need to find the optimal security requirements of the device. The optimal security requirement can be identified using the details of system hardware, software, deployment scenario and threats to device. A security mechanism is incomplete without proper analysis of device capabilities, threats and vulnerabilities. An Ideal Security Solution for embedded devices in IoT should focus on security goals, hardware capabilities and threat profile of the device. There should also be a mechanism to identify the right amount of security or the appropriate security level for the device on the basis of processing, memory requirements and the level of security achieved. It should be customizable so that OEMs can pick and choose the desired security profile for their device on the basis of device capability (Processing, memory etc.). We propose a Framework for Embedded Device Security i.e. FEDS. It is a framework that evaluates the Security /Vulnerability of embedded devices and suggests a Security Profile for them. The suggested profile can be applied to the device using the Components and APIs provided by the Framework. It is a comprehen- sive end to end Device Security Framework that Identifies and detects the Security requirements for an Embedded Device and then protects it using its own library of Security Components. FEDS is based on the suggestions of Cybersecurity Framework and supports IDENTIFY, DETECT and PRO- TECT core functions of the framework. It executes these functions in a cyclic manner as shown in the figure 1 Our Solution Core Functions Identify Protect Detect Identify the security goals. List the assets to be protected like device software, hardware, data, interfaces etc. Implement the appropriate safeguards to limit the security risk. This functionality protects the data at rest and data in transit. Discover the occurrence of threats and attacks by malicious code, monitor unauthorized access and perform vulnerability scans.
  • 7. Interactive Interface Block Diagram of FEDS is shown in the figure 2. The main components of the FEDS architecture are User interface captures device and application inputs. The inputs captured in this layer includes device capa- bility in terms of processing speed, memory, device deployment details, application installed on the the device, OS, version, type of connectivity and Security goals identified by OEMs as primary security requirements. Some of the inputs are taken directly from user interface and others can be automatically detected using system tools. Threat Detection Module This module is responsible for generating the threat profile of the device. It uses device specific data and standard threat database to get device specific threats. These threats are verified by threat assessment tools and collection of attack scripts specific to the threats. The verified threats form the threat profile of the system. Security Goal Identifier This component is used to identify the absolute security goals namely authentication, confidentiality, integrity, availability, non-repudiation for the device on the basis of threats and security requirements as captured in the Input layer. Security Profile Generator This component generates the security profile on the basis of threat profile and security requirement of the device. The generator generates two types of profile one is basic security profile and the other is advanced security profile. The basic security profile consists of the components that are required to provide the bare minimum security to the system considering only the OEMs security requirements. The advanced security profile consists of components that are required to provide the desired security goals and the ones that protect the system from the likely threats detected by threat detection module.
  • 8. This component is the repository of libraries implementing security protocols and optional modules like access control module, logging module and identity management module. The components are managed in a database containing the list of vulnerabilities that can be averted/minimized using the components. The database also contains the processing and memory requirement for each component and the level of securi- ty achieved in terms of low, medium and high. Security engine comprises of open source and COTS compo- nents. This layer works as an abstraction layer for Open source and COTS components. It enables FEDS to switch between various protocols implementations. The abstraction layer abstracts the implementation and provides a uniform API layer. Security Engine Security API Abstraction Layer FEDs UI Security profile generator Threat detection module Security goal identifier Security Engine Security API Abstraction Layer Custom Vulnerability DB Standard Vulnerability DB Security Management layers (Access Control, Audit Logging, Trust Mechanism) Communication Security Layer (Firewall, SSL, TLS, IPSec, Bluetooth, ZB Security Protocols Device Security Layer (Secure OS, Secure file System, System Boot Secure Chip (Cryptographic Engine, TPM Module, Secure Storage) Update
  • 9. FEDS Use Case The framework performs a list of sequential operations to evaluate the Security Requirements of an Embedded Device. Let’s consider the case when FEDS is used to generate security profile for an embedded device part of M2M and sends intermittent data over the network to the cloud the user wants to ensure the confidentiality of the data sent.
  • 10. Identify the security requirement of the device using questionnaire for device assessment. User inputs for this sensor device could be OS – RTOS, Connectivity TCP/IP, Application – Client, Processing – Low, and Memory – Low. Gather User Inputs ISecond step for vulnerability detection and threat profile generation comprising of a set of possible threats considering the common weaknesses of the OS, network protocol, application type etc. Generate Threat Profile Security Profile containing the list of Security Components required for securing the Device. Basic Profile( Based on User Requirements) - Confidentiality Component Advanced Profile (Based on User Requirements and Threats to Device) – Confidentiality and Authentication Component. Generate Security Profile This step provides the list of APIS to be integrated in the device for securing the Device. Generate API List
  • 11. Solution Benefits Framework identifies the real security risk to device by correlating the device threats and vulnerability information with the device capability. Risk Based Security The framework provides a complete end to end and scalable platform giving holistic view of the security requirment of the device Scalable Framework The security profile generated by FEDS provides just the right type and amount of securi- ty to defend against the real threats Appropriate Security OEMs can pick and choose the desired configuration fro their device and get device spe- cific profile Modular Framework is based on NIST based cybersecurity framework and provides FIPS compli- ant open source components. Standards Based
  • 12. Best Practices Security processes as part of SDLC Including security planning in the life cycle management of device is critical. Embedded systems designers and developers must adopt the following product life cycle design aspects to include security as an integrated part of product development life cycle. SDLC Phases Security Processes Requirements Design Coding and Unit Testing Integration and System Testing Deployment Support Security analysis for requirements and Security Policy definition to check abuse/misuse cases Architectural Assessment, Security Scenario Identification, Attack Surface Analysis and Threat Modeling Adherence to Secure Coding Standards, introduction of security components, bug fixes for security holes. Penetration Testing, Static and Dynamic Security Testing, Integration and Fuzz Testing Reduce Attack Surface, Update Default Configuration, Configuration management, Access Policy Updation Build Integrated Security Patch Updation, and impact analysis of Patch application.
  • 13. Conclusion Reference Security attacks underline the need for stronger protective measures in critical embedded systems. Embedding security in an embedded device need to be considered throughout the product life cycle—from- design and inception, through development and testing, to delivery and maintenance and also at every layer of the product from hardware platforms and virtualization technologies to the operating system, the network stack, or other communications middleware, packets of data being sent across the network, and purpose- built applications required to support device functionality. Security has to be an exercise built into the product development process instead of adding as an add-on feature. [1] Srivaths Ravi , Anand Raghunathan , Paul Kocher , Sunil Hattangady, Security in embedded systems: Design challenges, ACM Transactions on Embedded Computing Systems (TECS), v.3 n.3, p.461-491, August 2004 [2] Nachiketh R. Potlapally, Srivaths Ravi, Anand Raghunathan, Niraj K. Jha, "A Study of the Energy Con sumption Characteristics of Cryptographic Algorithms and Security Protocols," IEEE Transactions on Mobile Computing, vol. 5, no. 2, pp. 128-143, February, 2006 [3] Fengyuan Xu; Zhengrui Qin; Tan, C.C.; Baosheng Wang; Qun Li, "IMDGuard: Securing implantable medi cal devices with the external wearable guardian," INFOCOM, 2011 Proceedings IEEE , vol., no., pp.1862,1870, 10-15 April 2011 [4] “Framework for Improving Critical Infrastructure Cybersecurity” Version 1.0 National Institute of Standards and Technology February 12, 2014 [5] Simin Nadjm-Tehrani and Maria Vasilevskaya, “Towards a Security Domain Model for Embedded Sys tems”, 2011, The 13th IEEE International Symposium on High Assurance Systems Engineering (HASE), Boca Raton, November 2011 [6] J. Wan, C. Zou, and J. Liu, "Security in the Internet of Things: A Review," in Computer Science and Elec tronics Engineering (ICCSEE), 2012 International Conference on, vol. 3, 2012, pp. 648-651. [7] L. Khelladi, Y. Challal, A. Bouabdallah, N. Badache, "On Security Issues in Embedded Systems: Challeng es and Solutions", International Journal of Information and Computer Security 2008, Vol. 2, No.2, pp. 140-174.
  • 14. [8] S. Zhang, X. Ou, and J. Homer. “Effective network vulnerability assessment through model abstraction. In Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment”, DIMVA’11, pages 17–34, Berlin, Heidelberg, 2011. Springer-Verlag [9] http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014[10]http://w ww.techrepublic.com/blog/10-things/gartners-top-10-technology-trends-for-2015-all-about-the-cloud/ Shivani Tomar HCL Engineering and R&D Services Author Info
  • 15. ABOUT HCL Our propositions include: • Global deployment • Instance consolidation • Fundamental cost reduction • Target operating model transformation • Benefits delivery • Large program management • Applications development • Design, build and run services TRUE GLOBAL DELIVERY HCL operates as a single global organization, allowing us to deploy consulting teams that leverage proven industry and solution best practices from our offices and delivery centres around the world. With revenues of $6.5 billion, employing 100,000 technology experts and operating in 31 countries worldwide, HCL is a leading global technology services provider. HCL helps its clients transform their business and IT assets, deliver complex Digital Systems Integration programs and operate their application and infrastructure estates. HCL’s Digital Systems Integration business works with its clients to drive business outcomes through large IT program delivery. HCL employ 15,000 systems integration experts and are established partners with leading enterprise application providers—SAP, Oracle and Microsoft. Hello there! I am an Ideapreneur. I believe that sustainable business outcomes are driven by relationships nurtured through values like trust, transparency and flexibility. I respect the contract, but believe in going beyond through collaboration, applied innovation and new generation partnership models that put your interest above everything else. Right now 105,000Ideapreneurs are in a Relationship Beyond the Contract™ with 500 customers in 31 countries. How can I help you? TM