Enhanced Cybersecurity for the IIoT

Meet at Hannover Messe, April 1–5, 2019, Booth F46, Hall 6: Infineon will be demonstrating secured cloud connectivity in a smart factory with OPTIGA™ TPM in industrial grade. Amazon Web Services (AWS).

Sponsored by

INSIDE

3  10 Steps to IIoT Security. By Steve Hanna, senior principal, Infineon Technologies
8  Why Hardware Security is the Preferred Choice for IIoT. By Nitin Dahad, European correspondent, EE Times
13 Real-Life Industrial IoT Cyberattack Scenarios. By Ann R. Thryft, Industrial Control & Automation Designline Editor, EE Times, and Nitin Dahad, European correspondent, EE Times
22 Designer’s Guide to IIoT Security. By Nitin Dahad, European correspondent, EE Times
29 Embedding Security at the Edge. By Nitin Dahad, European correspondent, EE Times
35 Protecting communication within the smart factory and to the cloud: Infineon presents the world’s first TPM 2.0 for Industry 4.0. Sponsored content
37 Maximizing Security with OPTIGA™ TPM SLM 9670. Sponsored content

10 Steps to IIoT Security
By Steve Hanna, senior principal, Infineon Technologies

The urgency of industrial internet of things (IIoT) security is becoming more and more apparent. It’s clear that security has come to the top of the agenda as a result of many high-profile cyberattacks, such as that on the Ukraine power grid, a German steel mill, and Iran’s nuclear program. Despite the heightened awareness, the hardest part for developers of electronics systems in industrial control systems is how to implement that security. In this article, we present 10 steps to help understand how to design in IIoT security.

Start with an industrial standard

Before we get into the list, it’s worth understanding the foundation for these 10 steps, based on an international standard already available. The IEC 62443 is a series of standards and technical reports providing authoritative guidance on securing industrial automation and control systems (IACS). More details can be found in the breakout box — The Basics of IEC 62443.

The 10 steps

1. Educate yourself on this topic.
Implementing security is the hardest part of developing the technology for an industrial control system using IoT. With the convergence of operational technology (OT) and information technology (IT), new security paradigms need to be understood as the attack surface of an OT system is increased by the connectivity, yet the legacy IT systems that are often at the enterprise management layer of the industrial system may not have safety and security as an integral part of its fabric.

2. Identify the system under consideration.
Consider what it is you are trying to secure. Map out the system from the sensors and controllers at the factory or plant level to the management systems at enterprise level. Ensure that you understand how and where everything is connected in the network.

3. Conduct initial high-level risk analysis.
This should involve clearly spelling out the risks if the systems should be compromised and the level of those risks. For example, in a gas pipeline, the potential for a gas leak and explosion presents a high level of risk.

4. Divide assets into security zones.
All of the assets should be grouped into zones that can then be identified and isolated. In the event of a failure or compromise of one zone, the security policy and process can then be designed to ensure that the breach is restricted to that zone and doesn’t affect the others. In a typical industrial scenario, the zones might be segregated into a control station zone including the device level, a supervisory zone for the SCADA workstation, and an enterprise zone for the business management systems and external internet connection.

5. Assign target security levels to zones.
From the five security level classifications (SL 0 to SL 4, as described earlier), assign the appropriate level of protection required for each zone based on the risk analysis in Step 3. This is defined as the target security level required for that zone based on the risk level for that zone if it is compromised.

6. Determine security requirements for systems and components based on the specified target security level (SL).
This involves deciding which security requirements apply to the systems and components based on the security level targets determined in Step 5. For example, for a target security level of SL 4, a security requirement could be fulfilled in the supervisory zone by implementing multi-factor authentication for humans accessing the system through any network — using both passwords and biometric information. For SL 4, another requirement calls for hardware security for all devices and processes.

7. Evaluate systems and component capabilities in context of countermeasures.
Now that you have an understanding of the risks and the security protection levels needed to address those threats, it is then necessary to evaluate what the capabilities of the systems and components actually are in countering those threats and if there is a shortfall in the capability. Put differently, you know what you want to achieve in terms of security level requirements, but are the components capable of achieving them?

8. If residual risk is too high, improve capabilities or apply countermeasures.
If your target security level is higher than the system components are actually capable of, then appropriate countermeasures need to be taken. For example, if your target security level at a factory floor level is SL 3, but your actual capability based on Step 7 is only SL 1, you need to figure out if you are able to upgrade the system or component to achieve SL 3 or whether something needs to be added (such as a new secure gateway) to enable the security level target to be achieved.

9. Develop a cybersecurity management system (policies and procedures).
Once all of the above steps have been taken, you are now ready to put in place a set of policies and procedures at the system level to enable cybersecurity. For example, this might include things like “network segmentation must not be bypassed” and “users must not share passwords or tokens”; plus, there may be policies on password length.

10. Secure operations according to the policies developed.
It’s one thing to develop policies and procedures, but security is a never-ending process, so these need to be constantly in force and be updated as part of secure operations; otherwise, the security policies become pointless.

What we’ve established in this article is that IEC 62443 is an important industrial security standard, which is organized into four different layers from a general policies and procedures level down to the system and component level, with five security level classifications based on the risk levels of an attack. This helps in developing a 10-step approach to designing security into IIoT or industrial automation and control systems. In these 10 steps, we start with a high level of system mapping and risk-level analysis and then drill down to the capability of the system and components in countering the cyber-threats and what measures need to be taken to improve or update legacy systems to meet those needs. It then continues in operations throughout the life of the system in order to maintain security as long as the system is in commission.

The IEC 62443 standard is organized into four categories: General, Policies & Procedures, System, and Component. (Image: Infineon Technologies)
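Steps 5 through 8 can be carried through as a small gap-analysis script. The following is an added illustration, not Infineon’s tooling or anything from the standard: it assigns target SLs to the three zones named in Step 4, derives each zone’s achieved SL from its weakest component, lists the requirements each component still misses, and shows how a zone-level countermeasure (the secure gateway of Step 8) closes the gap. The requirement labels per SL and the sample inventory are simplifying assumptions drawn from the article’s own examples (SL 3/4: mutual authentication and hardware-protected credentials; SL 4: MFA for human users), not the full IEC 62443 requirement sets.

```python
"""Zone-by-zone security level gap analysis (Steps 5 to 8 of the article).

Assumption for illustration only: each SL is represented by a small,
cumulative set of requirement labels taken from the article's examples.
The real IEC 62443-3-3 / 4-2 requirement sets are considerably larger.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

SL_REQUIREMENTS: Dict[int, FrozenSet[str]] = {
    0: frozenset(),
    1: frozenset({"unique_accounts"}),
    2: frozenset({"unique_accounts", "password_policy"}),
    3: frozenset({"unique_accounts", "password_policy",
                  "mutual_auth", "hw_protected_credentials"}),
    4: frozenset({"unique_accounts", "password_policy",
                  "mutual_auth", "hw_protected_credentials", "mfa_humans"}),
}


def capability_level(caps: FrozenSet[str]) -> int:
    """Highest SL whose complete requirement set is covered by `caps`.
    Levels are cumulative, so stop at the first level that is not met."""
    level = 0
    for sl in range(1, 5):
        if not SL_REQUIREMENTS[sl] <= caps:
            break
        level = sl
    return level


@dataclass
class Component:
    name: str
    capabilities: FrozenSet[str]      # requirement labels the part satisfies


@dataclass
class Zone:
    name: str
    target_sl: int                    # Step 5: chosen from the risk analysis
    components: List[Component]
    # Step 8: zone-level countermeasures (e.g. a secure gateway in front of
    # legacy devices) covering requirements the components lack themselves.
    countermeasures: FrozenSet[str] = frozenset()

    def effective_caps(self, c: Component) -> FrozenSet[str]:
        return c.capabilities | self.countermeasures

    def achieved_sl(self) -> int:
        """Step 7: a zone is only as strong as its weakest component."""
        return min(capability_level(self.effective_caps(c)) for c in self.components)

    def gaps(self) -> Dict[str, FrozenSet[str]]:
        """Step 6/7: target-SL requirements each component still misses."""
        needed = SL_REQUIREMENTS[self.target_sl]
        return {c.name: needed - self.effective_caps(c)
                for c in self.components if needed - self.effective_caps(c)}

    def residual_risk_too_high(self) -> bool:
        return self.achieved_sl() < self.target_sl


def report(zones: List[Zone]) -> List[str]:
    """One status line per zone, followed by the missing requirements."""
    lines = []
    for z in zones:
        status = "GAP" if z.residual_risk_too_high() else "OK"
        lines.append(f"{status} {z.name}: target SL {z.target_sl}, "
                     f"achieved SL {z.achieved_sl()}")
        for comp, missing in z.gaps().items():
            lines.append(f"    {comp} lacks {', '.join(sorted(missing))}")
    return lines


# Constructed sample inventory for the three zones named in Step 4.
LEGACY_PLC = Component("legacy PLC", frozenset({"unique_accounts"}))
HMI = Component("HMI", frozenset({"unique_accounts", "password_policy"}))
SCADA_WS = Component("SCADA workstation", SL_REQUIREMENTS[4])
ERP = Component("ERP server", frozenset({"unique_accounts", "password_policy"}))

CONTROL_ZONE = Zone("control zone", target_sl=3, components=[LEGACY_PLC, HMI])
SUPERVISORY_ZONE = Zone("supervisory zone", target_sl=4, components=[SCADA_WS])
ENTERPRISE_ZONE = Zone("enterprise zone", target_sl=2, components=[ERP])

# Step 8 applied to the control zone: the legacy PLC cannot be upgraded, so a
# secure gateway is placed in front of it that enforces the access policy and
# mutual authentication and keeps the zone's credentials in hardware.
CONTROL_ZONE_WITH_GATEWAY = Zone(
    "control zone + secure gateway", target_sl=3, components=[LEGACY_PLC, HMI],
    countermeasures=frozenset({"password_policy", "mutual_auth",
                               "hw_protected_credentials"}))

if __name__ == "__main__":
    for line in report([CONTROL_ZONE, SUPERVISORY_ZONE,
                        ENTERPRISE_ZONE, CONTROL_ZONE_WITH_GATEWAY]):
        print(line)
```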

For more information, follow these links: Introduction to IEC 62443; ISA Security Compliance Institute (for IEC 62443 conformance guidance on the cybersecurity of industrial automation control systems).

The basics of IEC 62443

IEC 62443 enables a systematic approach to provide a thorough set of recommendations for defending industrial networks against cybersecurity threats, covering every stage and aspect of protecting systems from cyberattack from risk assessment through operations. The standard describes techniques enabling industrial stakeholders to assess the cybersecurity risks to each system and to set out policies and procedures to decide how to address those risks. In order to understand the context for the 10 steps to IIoT security, it’s a good idea to understand how IEC 62443 is organized into four categories and five security levels.

The five security levels defined in IEC 62443. (Image: Infineon Technologies)

• The “general” documents provide an overview of the industrial security process and introduce essential concepts.

• The documents on “policies & procedures” highlight the importance of policies, which are often neglected but are critical to establishing industrial systems security; even the best security is useless if people are not trained and committed to supporting it.

• The “system” documents recognize that even if you have the right parts, the system cannot be secured unless you use them in the right way and treat them as part of an integrated system.

• The “component” documents describe the requirements that must be met for secured industrial components.

In order to classify how much security protection is needed and recognizing that one size of security doesn’t fit all, IEC 62443 defines five security levels, from SL 0 (no security) to SL 4 (resistant against nation-state attacks). Each level is characterized based on what they can protect against.

Why Hardware Security is the Preferred Choice for IIoT
By Nitin Dahad, European correspondent, EE Times

Industrial automation will be one of the biggest areas of spending in the internet of things (IoT) in 2019, according to the latest industry forecast. The questions are, how can the devices connecting the systems to the network be trusted, and what’s the best way to ensure that their industrial IoT (IIoT) systems are secure — software or hardware? In this article, we look at the case for hardware-based security as the preferred choice for IIoT and its benefits beyond just security, such as time to market, scalability, and performance and manufacturing flexibility.

Industrial to drive IoT in 2019

An industry forecast published by the International Data Corporation (IDC) highlights manufacturing, transportation, and utilities as the leading sectors expected to spend on IoT solutions in 2019 — these are the sectors typically addressed with IIoT systems. With total global spend this year expected to reach $745 billion, industries that will spend the most are discrete manufacturing ($119 billion), process manufacturing ($78 billion), transportation ($71 billion), and utilities ($61 billion). Among manufacturers, this will largely be focused on solutions that support manufacturing operations and production asset management. In transportation, more than half of IoT spending will go toward freight monitoring, followed by fleet management. IoT spending in the utilities industry will be dominated by smart grids for electricity, gas, and water. Hardware spending will be about $250 billion, led by more than $200 billion in module/sensor purchases. Given this growth, the potential risk from cyberattacks will also increase significantly. System developers will be looking to rapidly deploy security technology, with both hardware and software solutions available on the market.

A key factor determining which route to go is essentially around vulnerability. Software is arguably much more vulnerable because it can more easily be analyzed by attackers to undermine security. On the other hand, hardware security chips are more likely to be tamper-resistant and have additional features that can efficiently prevent attacks. This includes protected processing and storage of software, code, and data — enabled through encrypted memory and processing, fault and manipulation detection, and secure code and data storage. Hence, the software running on the secured hardware can also then be protected from reading, copying, and cloning and from being analyzed, understood, and sabotaged.

What the standards say

International industry standards like IEC 62443 require hardware security for the highest levels of security, as do the National Institute of Standards and Technology (NIST) and the Industrial Internet Consortium (IIC). The NIST “Platform Firmware Resiliency Guidelines” talk about the functions of the roots of trust (RoTs) and the chains of trust (CoTs) needing to be resistant to tampering attempted by any software running under, or as part of, the operating system on the host processor. It explicitly states that information transferred from the software on the host processor to the platform firmware should be treated as untrusted.

The RoT is the foundation of security and resiliency in an industrial control system and serves as an anchor in a CoT. Generally, successive elements are cooperative in maintaining the chain of trust started by the RoT. Components in a chain of trust have privileges not available to less trusted software to perform security-critical functions like carrying out device updates. RoTs and CoTs may have mechanisms to relinquish these privileges once the security function is complete or if it is determined that the security function is not required. A CoT may also relinquish privileges before passing control to a non-cooperative element.

Because RoTs are essential to providing critical security functions, they need to be secure by design. Major considerations for determining confidence in RoTs are an analysis of the attack surface of an RoT and an evaluation of the mitigations used to protect that attack surface. The responsibility of ensuring the trustworthiness of an RoT is on the vendor that provides the root of trust. Vendors typically protect RoTs by either making them immutable or by ensuring that the integrity and authenticity of any changes to RoTs are verified prior to performing such updates. Often, RoTs run in isolated environments, run at a greater privilege level than anything that could modify it, or complete their function before anything can modify it to ensure that devices cannot compromise their behavior during operation.

Offering more than just security

Steve Hanna, senior principal at Infineon Technologies, highlights why hardware-based security is the most secure and how it provides more than just the security aspect. He commented, “Hardware-based security not only implies tamper-resistance, but it also enables benefits in terms of time to market, scalability, and performance. It also plays a part in protecting against theft and counterfeiting through the logistics supply chain. A dedicated security chip, which is evaluated by independent security testing laboratories and certified by international institutions, can be used as a building block to carry out cryptography and reduce the overall complexity of your design. This can reduce time for security implementation to just weeks rather than months.”

Haydn Povey, a board member on the IoT Security Foundation and CEO and founder of Secure Thingz, added, “You need to be able to build a root of trust, and hardware is better placed to enable an immutable boot path. You have more control with the hardware root of trust, and it provides an audit path. Hardware enables the secure enclave, can run fundamental boot services like the secure boot manager, and can bring the device into a known good state should it be required.”

He said that from a “secrets” perspective, a trusted ecosystem is essential. A silicon vendor is well-placed to provision the secure elements of a device, or the keys can be injected by an OEM. For volume quantities, the chip company can provision these at wafer level, but for lower quantities, part of the trusted ecosystem would include distributors such as Arrow, who can then provide the programming of the secure elements.

Infineon’s Hanna is keen to emphasize the time-to-market aspect of utilizing hardware-based security. The argument is that there are building blocks already available from some silicon vendors, and these hardware security chips are often evaluated by independent security testing laboratories and then security-certified. Certification can prove the highest barriers to attackers looking to penetrate a chip’s defenses. By deploying these independently tested chips, the ready-made solutions can help a designer quickly add functions like hardware protection for device authenticators or protecting supplier keys and data as roots of trust (see chart). This is particularly appropriate because it’s often the case that IIoT security requires a huge learning curve, so by using devices already available, this can take a lot of the pressure and time off of the development work.

IEC 62443 defines many specific security requirements and requirement enhancements. Depending on their scope and applicability, these are known as System Requirements (SR), Component Requirements (CR), Embedded Device Requirements (EDR), Network Device Requirements (NDR), or Host Device Requirements (HDR). As the Security Level (SL) increases, the set of requirements increases also. For example, Security Levels 3 and 4 require that devices and users must authenticate each other and use hardware security to protect their credentials and Root of Trust (ROT).

Infineon’s OPTIGA™ product family provides a range of security chips for authentication and other functions. (Image: Infineon Technologies)

Scalability, performance, and manufacturing flexibility

With the growth in IIoT highlighted for 2019 at the beginning of this article, in addition to time to market, scalability is also a key requirement. Hardware-based security devices lend themselves well to scaling for different performance levels, different security levels, and different platforms. In order to protect the integrity, authentication, confidentiality, and availability of products and data being handled by the system, the same discrete security controller could be deployed across an entire product portfolio. This has the benefit of providing assurance of the same level of security implementation across a number of products.

Performance can be a real concern when adding security to a device. This is where the hardware approach can provide significant advantages over software-based solutions for functions such as secure storage and calculations. An example might be in securely hiding the calculation carried out by a cryptographic key: A dedicated tamper-resistant chip will complete the calculation in one pass because it’s happening in a protected environment, but getting the same level of security with a software solution could require multiple “cover-up” operations to hide the key during calculation — thus impacting both performance and power consumption.

Manufacturing supply chain logistics can present a significant challenge for IoT device manufacturers because devices and their private keys could be susceptible to theft and counterfeiting. The security concept in most IoT devices is based on injecting a key pair, one public and one private, providing a unique identity to be assigned to a device that, in turn, enables it to be authenticated within a network and allocated access according to its privileges. But the way that many manufacturing operations are set up as part of global supply chains, it is possible that if private keys are intercepted or stolen along their route, then it’s possible for someone outside the system to manufacture counterfeit devices, resulting in a potential threat to system security. This is where hardware-based security can offer secured tracking on a value chain and offer manufacturing flexibility being that the chip can be interrogated at appropriate points to verify authenticity.

Ultimately, Hanna commented, hardware-based security offers significant benefits for connected devices and systems in IIoT. “Even if an attacker did get in, they can’t easily decipher what’s happening in the chip. Our security technology can make it extremely difficult for an attacker to find or probe those vulnerabilities.”

Implementing IEC 62443 — How to Meet the Challenges. Learn how to achieve strong industrial security with the IEC 62443 standard. This whitepaper gives a short introduction to this needed standard, which was developed to prevent equipment damage, downtime, and safety issues in industrial environments.

Real-Life Industrial IoT Cyberattack Scenarios
By Ann R. Thryft, Industrial Control & Automation Designline Editor, EE Times, and Nitin Dahad, European correspondent, EE Times

What are the worst-case possibilities if your company gets hacked? Imagine these scenarios:

• The world’s largest pure-play semiconductor company shuts down some of its fabs after a WannaCry variant spreads through the production network.

• After being fired, an engineer who still has access to a water and sewage company’s SCADA system opens up the valves so that the system dumps sewage everywhere.

• Hackers take control of production management software and then the industrial control system at a steel mill, causing massive physical damage.

• Unknown attackers change process parameters in the recipe for a food and beverage product by altering process controller code, increasing the quantity of salt to three times what it should be. The change goes undetected until customers complain.

• Hackers take control of an entire network of wind turbines at a U.S. wind farm using a Raspberry Pi-based card with a cellular module for remote access to programmable automation controllers.

• Competitors of an electronics company rewrite the code on the robots used in its manufacturing process, which begins introducing subtle defects that reduce yields and cause product recalls.

The first four have already happened, and the first one happened to Taiwan Semiconductor Manufacturing Co. (TSMC) last summer. The wind farm hack was an experiment to show just how easy it was to do. The manufacturing robot hack hasn’t happened yet — as far as we know — but the ease of intruders gaining control of industrial robot systems has been demonstrated by several industry groups.

The hacking of the IIoT

What do these all have in common? The systems that got hacked and/or compromised were industrial control systems (ICS), a central part of operational technology (OT) networks that form, along with IT networks, the industrial internet of things (IIoT). As more and more devices get connected to IIoT networks, many of the increasingly sophisticated cyberthreats originally directed at IT environments are now entering OT environments, including ICS. These threats pose very different and potentially larger, more hazardous risks as they migrate to OT environments. Targets may include critical infrastructure such as power grids, dams, oil rigs, chemical processing plants, manufacturing plant equipment, and production lines.

Inside jobs

Although the typical image of a cyberattacker is an outsider (usually wearing a hoodie), note that not all of the attackers in the list above were outsiders: Some of these events were inside jobs, which many companies see as their greatest threat. Potential internal attackers could include disgruntled ex-employees who may still have access to the control system, said Chris Sistrunk, principal consultant for industrial control systems at FireEye’s Mandiant cybersecurity service. Sistrunk told us about the Australian water and sewage company’s attack and, more recently, a Louisiana case wherein an engineer who was let go still had remote access from home and shut down a paper mill.

Although a production shutdown could be very costly, it’s not the biggest concern that could result from your IIoT being hacked, said Joe Slowik, adversary hunter for industrial cybersecurity firm Dragos. “Not counting the money lost by a day or so of a shutdown — at least with that, you know what happened, and things [might be] stopped before something more pernicious could take root.” Slowik told us about the possibility of hackers attacking production robots and affecting quality control, which could be much worse. “This causes a dramatic increase in your defect rate in a way that’s hard to troubleshoot. So then your production doesn’t meet standards and you suffer a reputation loss among your customers and vendors.”

Third-party breaches

Other attacks have been executed by presumably trustworthy third parties. For example, a fake official pretending to do a fire inspection could easily introduce a piece of malware to enable an attack by inserting a USB stick into a computer attached to an internal network, including those located at a remote facility and connected to the internet.

Another example of third-party breaches is one event among the additional Russian hacks of U.S. power grids and other critical infrastructure revealed last year by the U.S. Department of Homeland Security (DHS). Attackers got access via spear-phishing emails sent to equipment maintenance staff, who have legitimate remote access, to steal their login credentials, said Phil Neray, vice president of industrial cybersecurity for OT cybersecurity firm CyberX.

Even with some of the best physical security in place, that’s not enough to protect physical assets in a cyberattack, said Andrea Carcano, chief product officer and co-founder of Nozomi Networks, who told us about the food and beverage product hack. That company still doesn’t know if the change to its process code was introduced by external malware or someone inside the plant. “So you may have physical protection, but changing process parameters could cause a much more dangerous effect than too much salt,” said Carcano. “If altered program code inside a process controller changes the way a product is created, without cybersecurity protection, you won’t know why or even that it’s happened. All of the pharmaceutical and chemical manufacturing companies are concerned about this possibility of changing the recipes and the processes.”

Data breaches & cyberattacks now No. 1 concern

In factories and other industrial settings, the IIoT is often heralded as the answer to many challenges. The connectivity assists in productivity, efficiency, and profitability. For utilities, it also helps manage demand. In public infrastructure, it assists governments to deliver better services more effectively and economically, including public safety.

• But the IIoT and microprocessors are emerging battlegrounds for cyberattacks, according to the global 2018 SonicWall Cyber Threat Report. Both areas are also often overlooked and unsecured.

• In 2017, there were 9.32 billion malware attacks and more than 12,500 new common vulnerabilities and exposures worldwide. Data breaches and cyberattacks overall are seen by executives as the No. 1 business, operations, and financial risk, to the extent that Lloyd’s of London considers them a greater threat than catastrophic natural disasters, says the report.

• That perception is echoed in the 2018 World Economic Forum Global Risks Report (Cyberattacks are the risk of greatest concern to business leaders in advanced economies) as well as the 2018 21st CEO Report from PricewaterhouseCoopers (PwC) (North American executives said that cyberthreats are the chief threat).

• In just the last couple of years, a perfect storm of conditions and trends has led to a huge jump in the number of cybersecurity events targeting the OT side of the IIoT. We detail the elements of that perfect storm in a companion article in this special report, “What Makes IIoT Systems So Vulnerable to Cyberattacks?” This jump includes discoveries of vulnerabilities in industrial control or related hardware and software, cyberattack incidents, and actual breaches.

• As defined by the Verizon 2018 Data Breach Investigation Report, in cybersecurity-speak, an incident is commonly understood as “a security event that compromises the integrity, confidentiality, or availability of an information asset” (Translation: The barn door is open, but the cows haven’t left), while a breach is “an incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party” (Translation: The cows have now gotten out). This report identified more than 53,000 overall cybersecurity incidents and 2,216 breaches around the world in multiple industries during the previous 12 months.

2007 to 2017: ICS cyberevents increase

“Attacks on control systems have been occurring since the late 1990s, but they didn’t become mainstream until 2010, when Stuxnet malware was discovered and reported on — that changed everything,” said Mandiant’s Sistrunk. FireEye’s Mandiant cybersecurity service discovered the TRITON/TRISIS malware designed to attack ICS-connected safety instrumented systems (SIS). “After that, we started seeing a lot of interest in security for control systems. At that time, security features were not being built into industrial control system equipment.”

The increase in ICS-related events can be appreciated by looking at a sampling of events in 2018 contrasted with a sampling of those between 2007 and 2014. Between 2007 and 2014, the first three malware types targeting ICS were developed: the Stuxnet worm, the Havex/Backdoor.Oldrea remote access Trojan (RAT), and the SCADA-targeting version of BlackEnergy. In December 2016, cyberattackers began ratcheting up their efforts against industrial systems with release of the fourth, the Industroyer/Crashoverride malware framework that shut down large parts of the Ukraine energy grid.

During 2017, both industrial and more broadly targeted cyberattacks escalated. While the WannaCry and NotPetya ransomware attacks were capturing world attention by revealing Windows vulnerabilities, DHS warnings to manufacturers and infrastructure owners about ICS vulnerabilities jumped. In October 2017, those warnings became reality when the DHS and the FBI issued a joint technical alert stating that attacks were now targeting the ICS of U.S. manufacturers and the previously known energy, nuclear, and water organizations. The alert also revealed that all of those attacks comprised an ongoing, long-term campaign by unnamed actors targeting small and low-security networks as vectors for gaining access to larger, high-value networks in the energy sector.

In December 2017, a new type of malware targeting industrial processes struck an unnamed foreign critical infrastructure facility. The TRITON/TRISIS malware framework was the first designed to attack an industrial plant’s safety systems connected to ICS, making this a watershed event. It also targeted a specific hardware model.

(Image: EE Times)

2018: ICS cyberevents escalate

Security events multiplied in 2018:

• The Meltdown and Spectre microprocessor vulnerabilities that started out the year

• The DHS/FBI identification of Russia as the source of the years-long attack on U.S. critical infrastructure and manufacturing

• Hacks of oil pipeline EDI systems, causing their temporary shutdown

• Vulnerabilities detected in multiple types of industrial hardware and software, including some PLCs, security cameras, routers, bridges/access points, and network management software

• A revised version of TRITON/TRISIS that now attacks many more brands of safety system hardware and has breached U.S. firms

• Revelations that the China-based “Thrip” group has infiltrated satellite communication, telecom, geospatial imaging, and defense organizations in the U.S. and Southeast Asia

(Image: EE Times)

Cyberthreat activity within the industrial environment is definitely increasing, said Dragos’s Slowik. His firm extensively analyzed the TRITON/TRISIS attack and identified the malware’s inventors. “Is that because we’re looking harder, or is this truly a new trend?” he said. “My answer is that it’s both greater awareness and greater capability to do the analysis versus five years ago, when it was difficult or not even sensible to say, ‘This is definitely a malware event.’ That said, the threat landscape for both commodity non-targeted and professional targeted instances seems to be increasing. By ‘commodity,’ we mean criminal, often publicly available infections such as repurposed WannaCry, and by ‘professional,’ we mean a dedicated, almost exclusively state-sponsored activity without a primary motivation for monetizing events.”

• According to the Pwnie Express 2018 Internet of Evil Things report, 85% of security professionals believe that cybersecurity threats will lead to an attack on major critical infrastructure over the next five years, and that opinion was echoed by many of the cybersecurity experts to whom we spoke in preparing this special report.

• The annual Kaspersky Lab survey of global OT/ICS cybersecurity practitioners at industrial organizations, The State of Industrial Cybersecurity 2018, found that more than half view the increased risks associated with connectivity and integrating IoT ecosystems, in addition to the management of these risks, as a major OT/ICS cybersecurity-related challenge.

• That report also cited new challenges from a growing percentage of organizations that are deploying both IIoT systems and cloud solutions for SCADA systems. More than three-quarters of respondents believe that their company will likely be the target of a cybersecurity incident affecting their industrial control networks.

It’s not only industry executives and cybersecurity professionals who are concerned about cyberattacks and vulnerabilities. More than half of critical infrastructure operators in the energy, utilities, and manufacturing sectors said that they weren’t confident that either their own organizations or other infrastructure companies are protected from security threats to their OT environments, according to a poll released last spring by industrial cybersecurity firm Indegy.

Protection often lacking for ICS/OT networks

As has been noted in previous studies of ICS/OT cybersecurity readiness, both awareness of and budgets for ICS/OT security have been increasing, yet protection levels are low.

• According to a study conducted in 2017 by CyberX, the Global ICS and IIoT Risk Report, one-third of OT networks with ICS-controlled processes are exposed to the public internet. Of more concern is how few are protected against that exposure. More than half use easily hackable plain-text passwords in control networks, and half lack anti-virus protection. More than 75% run obsolete Windows systems like XP and 2000 unsupported with security patches, while 82% run well-known remote access management protocols, making it easier to access and manipulate network equipment. Twenty percent have wireless access points, which can be compromised in multiple ways.

• a cellular or Wi-Fi module for remote access to programmable automation controllers. Staggs and his colleagues would have been able to cause significant damage or loss if they’d been real attackers.

• In a report in Wired on his research, Staggs reportedly said, “They don’t take into consideration that someone can just pick a lock and plug in a Raspberry Pi.” The turbines that his team broke into were protected only by easily picked standard five-pin locks or by padlocks that took seconds to remove with a pair of bolt cutters.

Kinds of threats

In the ICS/OT environment, cyberthreats are potentially larger and much more damaging than threats made to the IT environment. They can include:

• ransom demands backed by shutdown threats

• altering production process code that can change industrial robot safety levels, affect product contents and manufacturing yields, or even cause massive damage, as in the steel mill attack

• industrial espionage

Several cybersecurity experts pointed out the importance of possibly unintentional effects of attacks originating either inside or outside the company. But regardless of how cyberattackers get into an insufficiently protected OT network,
In giving examples • In 2017, information security researcher once they’re in, they can move around the of commodity non-targeted versus profes- Jason Staggs from the University of network and compromise or control indus- sional targeted instances, Dragos’s Slowik Tulsa, Oklahoma, demonstrated how he trial devices relatively easily. The types of identified the recent TSMC fab shutdowns could take control of entire networks of cyberattacks that can be made, and the as an opportunistic, non-targeted event. wind turbines at U.S. wind farms us- types of effects that threat actors are after, “It looks like it was caused ultimately by ing just a Raspberry Pi-based card with vary widely. the WannaCry virus, yet after all that time,

Example scenario of the potential consequences of a wind farm ransomware attack, as demonstrated by information security researcher Jason Staggs at a talk given at Black Hat USA 2017. (Image: Jason Staggs/Black Hat USA 2017)

[the virus] was still effective in spreading by hitting production,” he said. “WannaCry is a ‘dumb weapon’ in that it spreads indiscriminately through infected networks based on what network nodes are vulnerable to the Windows MS17-010 vulnerability. So while the exploit is fairly sophisticated, its implementation is not. Thus, in cases such as TSMC, a relatively unsophisticated, untargeted threat can rapidly spread, causing an impact in the victim environment without any intention on the part of the original author. It’s very possible that such an event was not even foreseen by the MS17-010 author, given the difficulty of monetizing ICS intrusions — at least without attracting significant law enforcement attention.”

Designer’s Guide to IIoT Security
How to fit all the security puzzles together

By Nitin Dahad, European correspondent, EE Times

We’ve all heard of the internet of things (IoT) and the industrial internet of things (IIoT). We know that the two are different because IoT is commonly used for consumer usages and IIoT is used for industrial purposes. But how does a professional group like the Industrial Internet Consortium (IIC) actually define the IIoT? The group sees IIoT as a system that connects and integrates operational technology (OT) environments, including industrial control systems (ICS), with enterprise

systems, business processes, and analytics. These IIoT systems differ from ICS and OT because they are connected extensively to other systems and people. And they differ from IT systems in that they use sensors and actuators that interact with the physical world, where uncontrolled change can lead to hazardous conditions.

The benefits of IIoT are the ability of sensors or connected devices, as part of a closed-loop system, to collect and analyze data and then do something based on what the data reveals. The very connectivity, however, also grows the risk of attack — and increasingly cyberattacks — by those who may want to bring down the system.

One of the many projects under a Department of Energy (DoE) program to reduce cyber-incidents is being driven by Intel, looking at enhanced security for the power system edge. Because grid edge devices communicate with each other directly and through the cloud, the research is developing security enhancements to emphasize interoperability and provide for real-time situational awareness. First this needs to be done in the form of a secure gateway for brownfield, or legacy, power system devices, then as an internal field-programmable gate array (FPGA) upgrade designed as part of greenfield, or present-day, devices. The goal is to reduce the cyberattack surface in a way that doesn’t impede the normal functioning of the critical energy delivery functions.

Sven Schrecker, chief architect of IoT security solutions at and co-chair of the security working group at the IIC, said that security should not be the sole consideration when designing and deploying devices for IIoT systems, but developers should be thinking more broadly about five overall key factors:
• safety
• reliability
• security
• privacy
• resilience

Resources
IEC 62443 — How to achieve strong industrial security: IEC 62443 on-demand webinar
How to Achieve the Highest Levels of Industrial Security: Get your free whitepaper, “Strong industrial security with the IEC 62443 standard”
Smart factories call for robust security: OPTIGA™ TPM in industrial grade: Security for smart factories — learn more

While design engineers might have to implement security elements into a chip, software, or platform, they may not necessarily be aware of how their work fits into their company’s bigger-picture security policies. “The security policy must be authored by both the IT team and the OT team together so that everyone knows what device is allowed to talk to what,” Schrecker said.

Building a chain of trust
A common theme is to establish a security policy and chain of trust from the outset and then ensure that it is maintained through design, development, production, and the entire life cycle of a device. Trust must be built into the device, the network, and the entire supply chain.

Haydn Povey, a board member of the IoT Security Foundation and CEO and founder of Secure Thingz, said that security needs to be addressed at four levels:
• CxO level
• security architect
• development engineer
• operations manager

The development or design engineers are the ones that need to take the company’s security policy. They may also define factors such as how to identify and verify that a product is theirs and how to securely provide software and hardware updates and implement this in chips or software.

The fourth part of the chain is where OEMs are involved in manufacturing products for IIoT networks or in deployment of those products. Here, the production or operations manager needs to ensure that every electronic component has its own unique identity and can be securely authenticated at every point in the supply chain.

In discussing the lack of a chain of trust in hardware and software, Robert Martin, senior principal engineer at the MITRE Corporation and a steering committee member of the IIC, said, “Connected industrial systems have so many different tech stacks.”

In fact, he cautioned, “A small change in a microprocessor can have an unintended impact on the software running on it. If we recompile the software, run it on a different OS, it will work differently, but no one will be accountable for software failures resulting from the changes.”

He added, “Compare this to the building trade, where you would be penalized for making changes that affected safety — there’s regulation, certification. But we just don’t have the same regime in software-based technologies.”

Design considerations for IIoT security
So where does one start with designing security for the IIoT, and what design considerations must be looked at?

Various industry guidelines exist, such as the IIC’s IoT Security Framework, together

with its manufacturing profile providing details for implementing the Framework in the plant, or the National Institute of Standards and Technology Cybersecurity Framework.

The main task for the design engineer is determining how to translate a security policy or security framework into the design and life cycle management of a device that forms all, or part of, an IIoT endpoint. The considerations range from enabling devices with unique identities to being able to protect the device, identify an attack, recover from it, remediate it, and patch the device.

“The process is no different from safeguarding other systems,” said Chet Babla, vice president of solutions for IoT devices at Arm. “We need to think about security from the ground up.”

He explained, “The first part is the analysis — what are the threat vectors and what are you trying to protect?”

Arm introduced its own platform security architecture (PSA) last year to support developers of IoT devices. Babla says that the PSA is device-agnostic, as the company is trying to encourage the industry to think about security.

Analyze, architect, implement
The PSA framework comprises three stages — analyze, architect, and implement. “Analysis is the core part of what we are trying to stress,” said Babla.

This means, for example, conducting a threat model analysis, and Arm has introduced three analysis documents for common use cases in asset trackers, water meters, and network cameras. This analysis is essential and echoed by others.

MITRE Corp.’s Martin commented, “We need to start talking about what the potential weaknesses in the hardware are and be able to emulate attack patterns and make test cases.”

Design engineers need to think about the whole ecosystem, from chip to cloud, in terms of implementing a system that comprises an immutable device or one with a non-changeable identity; enabling trusted boot; and ensuring that over-the-air (OTA) updates and authentication can be carried out securely. “Then you can think about mitigation in silicon, the access points, and the cloud,” said Babla.

Life cycle management
An important consideration that some say differentiates IIoT security from traditional IoT security concerns is the life cycle management (LCM).

Secure Thingz’s Povey said that LCM has an impact on when software updates or configuration changes are deployed to IIoT devices. In IIoT environments, the connected devices, sensors, and control systems will typically not, or should not, be connected to the open internet.

Therefore, some type of device LCM control layer needs to be part of IIoT devices. This can be complex software for the reporting, configuration, and management of devices.

But security needs vary in an IIoT network depending on the endpoints in the system because it may comprise both an offline internal network of non-IP-based smart controllers and some type of protection or isolation from the external internet, and there will also be wireless devices and sensors that may or may not be IP-based.

Arm’s platform security architecture (PSA) framework encourages designers to first consider the threats and then look at design and implementation. (Image: Arm)

All of the endpoint devices need to be managed and controlled in an industrial system as part of the LCM function. This allows the industrial factory to control the introduction, configuration, and management of endpoint devices/products that are added to the internal factory network. Some high-level objectives of a security solution for IIoT are:
• Product endpoint authentication (device, sensor, control system): Is the endpoint product authentic and not a clone? Provides traceability back to product manufacturer, manufacturing date, and any other pertinent information.
• Product endpoint configuration and usage control: secure management and configuration control of the endpoint with various rights and usage models controlled or limited
• Secure control of the endpoint control state

• Maintenance of the endpoint: This includes secure software updates.
• Secure communications between control systems and the endpoints and secure storage of control system data.
• Advanced security protection: intrusion detection and security monitoring

Fundamental to enabling this endpoint product security at a lower level are the following requirements for the endpoint device:
• Immutable device identity: The device has to have a non-changeable/protected identity, which must be verifiable by cryptographic means. This allows a product to identify itself and authenticate who made it, pertinent dates, and other information.
• Immutable root of trust (RoT): Besides the device identity, there also are RoTs provisioned into the product. These include low-level secure boot loaders, certificates, and asymmetric key pairs that allow the device to support bilateral authentication and enable secure software updates. Some parts of the RoT require that keys and other items are protected in some type of secure storage area so that they cannot easily be extracted from the product.
• Immutable secure boot loader: Some type of low-level secure boot manager that verifies all firmware and configuration updates to the device/product before they are applied. Only the secure boot manager can install and apply low-level configuration updates to the endpoint device/product.
• LCM software/services: Some type of low-level LCM control services that enables management of the endpoint product, including software updates and configuration changes

Considerations when designing for security at the device level as well throughout the life cycle of an IoT device. (Image: Secure Thingz)

Security enclaves
Secure Thingz’s Povey said, “Device procurement is influenced by factors like enabling standard mechanisms to push out updates, how the update will be stored on

an edge device, and the device and memory resource impacts.”

He added, “You need to think about the security enclaves, where to hide the secrets and the base keys, how to watermark the device.” Engineers should consider a development environment that allows these factors to be considered independently from silicon vendor and architecture.

The general industry consensus is that the secure elements really need to be in hardware to ensure embedded trust because chip-level encryption can be enforced and protected.

Rich Carpenter, general manager for control and edge platforms for GE Power, Automation, and Controls, said, “We try to establish the root of trust that starts at the hardware level. Our ‘defense-in-depth’ approach requires that if a compromise occurs, it won’t propagate through the system.”

He says that GE u
ses off-the-shelf trusted platform modules (TPMs) and is working with Intel and AMD processors.

Expectedly, Intel is focused on the hardware approach. Schrecker said, “Having a hardware root of trust is vital. Hardware-based identity is burned into the system and having identity at the chip level means it can be tracked. But the key is to be able to ensure that the chips are genuine, to be able to authenticate, and for updateability.” He adds that hardware-based security doesn’t replace software security; it just augments it.

In summary, the key considerations when designing for security in IIoT devices are making the devices immutable, being able to provide trusted and secure boot, and managing device security over the entire life cycle, which includes OTA software updates and patches.

In case of an attack, there needs to be a way of accurately identifying the device, reinstating it to a previous known good state, and then being able to resolve the issue at the point of attack as appropriate. Taking these principles into account is a good start for going to the next step — hardware implementation.
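The endpoint requirements listed above (an immutable root of trust, a secure boot manager that verifies firmware before applying it, and a cryptographically verifiable device identity) fit together in a short model that is easier to reason about than the prose alone. The following is an added example and is not code from Infineon, Arm, Secure Thingz or GE: the boot manager checks each stage’s vendor signature before running it, measures what it actually ran into a TPM-style platform configuration register (PCR), and answers a verifier’s challenge with a quote over that PCR. Asymmetric vendor and attestation signatures are stood in for by HMAC-SHA256 with constructed keys (VENDOR_KEY, ATTEST_KEY) so that the script needs only the Python standard library; a real device would use ECDSA or RSA for both, and the verifier would hold only public keys.

```python
"""Hardware root of trust modelled end to end: verified boot, measured boot
into a PCR, and a nonce-bound attestation quote over that PCR.

Added example; HMAC-SHA256 stands in for the asymmetric signatures a real
device uses, and every key and firmware image below is a constructed value."""
import hashlib
import hmac
import secrets

PCR_RESET = bytes(32)  # a SHA-256 PCR bank reads all-zero bits after reset


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class RootOfTrust:
    """Secure-element stand-in: both keys stay inside this object, and the
    only way to influence the PCR from outside is through extend()."""

    def __init__(self, vendor_key: bytes, attestation_key: bytes):
        self._vendor_key = vendor_key            # verifies vendor-signed firmware
        self._attestation_key = attestation_key  # signs quotes for a verifier
        self.pcr = PCR_RESET

    def verify_firmware(self, image: bytes, signature: bytes) -> bool:
        expected = hmac.new(self._vendor_key, image, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

    def extend(self, measurement: bytes) -> bytes:
        # TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || measurement).
        # The register can only be moved forward, so boot history cannot be rewritten.
        self.pcr = sha256(self.pcr + measurement)
        return self.pcr

    def quote(self, nonce: bytes) -> bytes:
        # Binding the verifier's fresh nonce stops an old quote from being replayed.
        return hmac.new(self._attestation_key, nonce + self.pcr, hashlib.sha256).digest()


def secure_boot(rot: RootOfTrust, stages):
    """Run the boot chain. stages is a list of (name, image, signature).
    Returns (True, None) when every stage verified, else (False, failing_stage).
    A stage is measured only after it verified, so the PCR records exactly
    the code the boot manager allowed to run."""
    for name, image, signature in stages:
        if not rot.verify_firmware(image, signature):
            return False, name  # boot stops here; later stages are never applied
        rot.extend(sha256(image))
    return True, None


def golden_pcr(images) -> bytes:
    """Verifier side: replay the extend sequence over the known-good images."""
    pcr = PCR_RESET
    for image in images:
        pcr = sha256(pcr + sha256(image))
    return pcr


def verify_quote(attestation_key: bytes, nonce: bytes, quote: bytes,
                 expected_pcr: bytes) -> bool:
    expected = hmac.new(attestation_key, nonce + expected_pcr, hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote)


# Constructed sample data: two boot stages and the vendor key that signs them.
VENDOR_KEY = b"constructed-vendor-signing-key"
ATTEST_KEY = b"constructed-attestation-key"
BOOTLOADER = b"bootloader v1.0"
APPLICATION = b"controller app v2.3"


def sign(image: bytes) -> bytes:
    """Vendor-side signing (HMAC stand-in for an ECDSA/RSA signature)."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def boot_and_attest(app_image: bytes, app_signature: bytes):
    """Boot a device with the given application stage, then answer a
    verifier's challenge. Returns (booted, failed_stage, quote_valid)."""
    rot = RootOfTrust(VENDOR_KEY, ATTEST_KEY)
    booted, failed = secure_boot(rot, [("bootloader", BOOTLOADER, sign(BOOTLOADER)),
                                       ("app", app_image, app_signature)])
    nonce = secrets.token_bytes(16)  # fresh per challenge
    valid = verify_quote(ATTEST_KEY, nonce, rot.quote(nonce),
                         golden_pcr([BOOTLOADER, APPLICATION]))
    return booted, failed, valid


if __name__ == "__main__":
    print(boot_and_attest(APPLICATION, sign(APPLICATION)))
    print(boot_and_attest(b"controller app v2.3 + backdoor", sign(APPLICATION)))
    print(boot_and_attest(b"controller app v2.2", sign(b"controller app v2.2")))
```

The three runs in the usage block show the two properties the text keeps apart: a tampered image fails the signature check and never runs (secure boot), while a validly signed but out-of-date image boots yet produces a PCR the verifier does not expect (measured boot plus attestation), which is what lets an operator notice a device that needs to be reinstated to a known good state.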

Embedding Security at the Edge
Lay of the land for IIoT security solutions

By Nitin Dahad, European correspondent, EE Times

As safety and reliability have become critical in IIoT systems, embedding the highest levels of trust is now essential.

So while the PC connected to the network might have traditionally been the point at which security was enabled, the trust anchors now need to be located down at the hardware level, in silicon, and as close to the edge as possible — even in the sensors.

In the following pages, we will offer you the lay of the land for IIoT security solutions. First, we start with the chip level, where there are several options.

Infineon
Infineon provides the OPTIGA™ family of hardware security controllers with software containing the cryptographic keys and certificates, plus the drivers and software libraries. It enables engineers to integrate security into their systems.

For simple authentication, the Trust B product is used for IoT edge devices and “dumb” sensors that simply supply

Infineon OPTIGA™ family of security controllers, positioned by security level (low to high) and feature set (single function, advanced, extensive):
• OPTIGA™ Trust B: turnkey; single function
• OPTIGA™ Trust E: turnkey; advanced feature set
• OPTIGA™ Trust X: high-end security, easy to integrate, turnkey solution for IoT
• OPTIGA™ TPM: Common Criteria certified; extensive feature set (TCG compliant)
(Image: Infineon Technologies)

information; the device supports smaller cryptographic key sizes that might be used for authenticating a spare part or a battery, for example.

Trust E addresses the security requirements of devices that are more feature-rich and need a higher level of security; it is a turnkey solution with OS, Applet, and complete host-side integration support and up to 3-kB memory.

The company’s main solution for high-end security for industrial automation is the OPTIGA™ Trust X. It’s a discrete hardware security module built on elliptic curve cryptography (ECC) with 256-bit, AES128, and secure hash algorithms (SHA)-256 encryption. It enables functions like mutual authentication, secured communication, data store protection, life cycle management, secured updates, and platform integrity protection and has up to 10-kB user memory.

Steve Hanna, senior principal at Infineon, says that Trust X is designed for environments in which the main CPU may not have full-fledged power, and asymmetric and symmetric cryptography must be offloaded from the main CPU.

Two of the world’s largest industrial equipment manufacturers use Infineon’s security chips at the IIoT gateway and the endpoints. “Industrial IoT is very much a complete system, so you need to look at the endpoint, the gateway, and the cloud,” he said.

“Our chips are designed to be easily integrated into the system as well as cloud-based architectures. The gateway is an ideal choke point to implement security without touching the edge, so our customers are integrating security chips into [both] gateways and endpoints.”

NXP
NXP introduced its A71CH secure element embedded solution for IoT devices, edge nodes, and gateways earlier this year. Designed to secure peer-to-peer or cloud connections, the chip comes with the required credentials pre-injected for autonomous cloud onboarding and peer-to-peer authentication.

It provides a root-of-trust (RoT) solution at the silicon level with security functionalities such as encrypted key storage, key generation, and derivation to protect private information and credentials for mutual authentication.

The A71CH is designed for use in industrial applications, including sensor networks, gateways, and IP cameras. Like many solutions on the market, it claims a “plug-and-trust” approach supporting easy integration of security and cloud onboarding — for example, through host libraries and a development kit compatible with different NXP microcontroller and microprocessor (MCU and MPU) platforms such as Kinetis and i.MX.

It also collaborates with Data I/O for high-volume personalization capabilities for any quantities beyond the capacity of NXP’s trust provisioning service.

Sami Nassar, vice president of cybersecurity solutions at NXP, said that the industry has moved on from software-based security and traditional methods of securing an industrial environment, such as isolation of the network.

“In the past, protection was through isolation, private networks rather than public, and an isolated command center,” said Nassar. “That’s not enough anymore — software ends up being on the inside of these networks, so isolating the network is no good. Hardened protection introduced at the chip level enables strong authentication at the gateway, and as time passes, we’ll see more security at the endpoint, too.”

Asked about regional differences in the implementation of IIoT security based on NXP’s experience, Nassar noted, “The smart grid and smart metering market is the most serious about security and embedding security. In public utilities, it depends on government influence and the different political systems.”

He added, “The U.S. was first to think about it, but China has been the first to implement, with millions already using the embedded security functions. However, in Europe, where you have more standards, much of the security aspects are just guidance; therefore, adoption is slower.”

Microsoft TCPS
Most vendors addressing security for the IIoT emphasize the need to take a holistic approach across the development flow and life cycle of a device.

Microsoft added its flavor in this with the announcement earlier this year of its trusted cyber-physical systems (TCPS) solution to protect critical infrastructure. Microsoft says that its TCPS creates a security pattern to process critical data throughout distributed systems.

Data in execution must be protected by trusted execution environments (TEEs) such as Intel SGX, Arm TrustZone, and SecureElements. Components must not only use secure protocols and protect keys and data at rest; they must also perform all critical operations in a TEE that is protected from public cloud hosts and OS vendors.

The overarching security principle for TCPS is that the solution owner/operator must not lose control over their critical systems.

Microsoft likens the TCPS approach of preventing unauthorized access and control of connected devices to the transition in the credit card industry that is embedding a secure element (SE) in the cards instead of magnetic strips. The SE-based solution establishes an end-to-end trusted connection between the content on the credit card and the credit card’s processing center, preventing any other system in the path from accessing confidential information, cloning a card, or replaying messages.

Microsoft’s trusted cyber-physical systems (TCPS) solution to protect critical infrastructure, shown here applied in a typical industrial environment. (Image: Microsoft)

Secure Thingz
Establishing an RoT as the foundation for a secure supply chain is another way of presenting the case for building security into the IIoT environment.

Secure Thingz says that a secure development flow needs to start with the correct security frameworks and a secure boot manager (SBM), which is injected into MCUs at “birth” alongside the provisioning of secure keys and certificates that provide a robust RoT. Its key product is the Secure Deploy Architecture, a high-security framework ensuring simple management of critical intellectual property within the development process. It also offers secure key management targeted for development, manufacturing, and applications.

The architecture can be integrated into Tier 1 programming and manufacturing systems, thus eliminating overproduction and counterfeiting through constrained device programming.

It includes firmware that is integrated with the core cryptographic hardware to ensure that credentials — keys and certificates

32 Sponsored by Mocana’s TrustCenter platform for managing security across the life cycle of IIoT and industrial control devices includes its own TrustPoint endpoint protection software. (Image: Mocana)

Secure Thingz’s secure integrated development environment. (Image: Secure Thingz)

— can be managed and stored correctly across the critical phases of factory provisioning, operational startup, and patching and remediation cycles.

Earlier this year, the company introduced its Embedded Trust security development environment. It integrates security into the workflow by defining identity, thus simplifying security development, streamlining secure manufacturing, and enabling the management of devices across their life cycles. The Embedded Trust solution includes a scalable SBM that leverages secure device hardware to provide low-level secure services and foundation update management.

Mocana
Providing device-level security with over 70 chipsets, Mocana has its own endpoint protection software: TrustPoint. It is part of its TrustCenter platform to manage security across the life cycle of IIoT and industrial control devices.

The company recently announced support for (TPM) 2.0 features on IIoT devices. TPM is an international standard for a secure crypto-processor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. TPM was conceived by the Trusted Computing Group, a computer industry consortium, and was later standardized by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2009 as ISO/IEC 11889.

Some key features of Mocana’s support for TPM 2.0 are support for advanced ciphers, including ECC and 256- and 512-bit SHA 2, and multiple ownership of keys, separating owners for the TPM endorsement key for signing/attestation from the storage root key with support for endorsement hierarchies and storage hierarchies. It also offers better seeding for entropy — seeding and reseeding of a non-deterministic pseudorandom number generator with an entropy source internal to the TPM’s cryptographic boundary to ensure a high degree of randomness for key generation.

GE Automation: a user perspective on IIoT security
One of the prominent companies involved in providing industrial automation systems is GE Power Automation and Controls. So what are the factors that they are focused on with some of their key customers?

Rich Carpenter, general manager for control and edge platforms for GE Power Automation and Controls, said, “We try and establish a root of trust that starts at the hardware. We are working with Intel and AMD to get that at the chip level.”

Earlier this year, the company introduced its PACSystems “outcome-optimizing” RX3i CPx400 series of controllers, which provides near-real-time dynamic adjustment of industrial controls based on the data that they have collected in connected industrial systems. These currently use 1.2-GHz AMD G Series quad-core processors and standard TPMs along with secure, trusted, and measured boot.

Carpenter said that they are looking to move to eight- and then 16-core processors. The controllers are designed to perform in a range of applications including water, metro, industrial steam, and chemical.

For existing installations and for collecting data securely, it uses Mini Field Agent technology based on an 800-MHz Arm Cortex-A8 processor.

GE’s mini field agent for secure industrial internet connectivity. (Image: GE)

Carpenter emphasized the need for a defense-in-depth approach to apply cyber-defense capabilities at every level. The hardware RoT should form the foundation of the security constructs in the control system. Hence, GE features TPM technology in all of its controllers, which stores the private keys for all GE-signed boot firmware, ensuring that only GE-authenticated firmware will run on the hardware.

“We believe a connected device is more secure than a non-connected device because we can easily identify if there is a problem,” he said.

Sponsored content

Protecting communication within the smart factory and to the cloud: Infineon presents the world’s first TPM 2.0 for Industry 4.0

MUNICH, — Infineon Technologies AG (FSE: IFX / OTCQX: IFNNY) presents the world’s first Trusted Platform Module (TPM) specifically for industrial applications at this year’s Hannover Messe (Hannover, Germany, April 1–5, 2019). The OPTIGA™ TPM SLM 9670 protects the integrity and identity of industrial PCs, servers, industrial controllers, or edge gateways. It controls access to sensitive data in key positions in a connected, automated factory as well as at the interface to the cloud. The TPM acts as a vault for sensitive data in connected devices and lowers the risk of data and production losses due to cyberattacks. Users’ benefit is not limited to security only, as TPMs also help to shorten time to market and reduce costs for industrial applications. Through the use of Infineon’s audited and certified TPMs, manufacturers of industrial devices can achieve higher security levels


of the IEC 62443* standard and accelerate their certification processes. Furthermore, they can cut costs for maintenance of the devices through secured remote software updates.

The OPTIGA™ TPM SLM 9670 fully meets the TPM 2.0 standard of the Trusted Computing Group and is certified by an independent test lab in accordance with Common Criteria.** With a service life of 20 years and the ability to update the firmware on the chip, the TPM is able to cope with long-term security risks that may be encountered in an industrial environment. The chip boasts an extended temperature range of –40°C to 105°C and meets the stringent requirements of industry in terms of robustness and quality as it is qualified according to the industrial JEDEC JESD47 standard.

Availability
The OPTIGA™ TPM SLM 9670 is manufactured at Infineon’s security-certified facilities in Germany and will be available in large volumes from the second half of 2019. For more information, please go to www.infineon.com/industrial-tpm.

Infineon at the Hannover Messe
The internet of things is increasing the fields of application for the TPM. With its extensive OPTIGA™ TPM product family, Infineon offers application-specific solutions for business PCs and routers, connected vehicles, or cloud applications. The OPTIGA™ TPM SLM 9670 will be presented for the first time at this year’s Hannover Messe, the world’s leading industrial show. Infineon will show various products and a demonstrator for energy-efficient and secured smart factories at the Amazon Web Services stand (Hall 6, Stand F46). This demo also includes an edge gateway, which is a perfect place for the strong security of the OPTIGA™ TPM SLM 9670 because of the gateway’s central and security-critical function in industrial networks.

*IEC 62443 is an international series of standards that defines the IT security requirements for industrial communication networks.
**Common Criteria is an international standard for computer and security certification.

36 Sponsored by Sponsored content

Maximizing Security with OPTIGATM TPM SLM 9670

• Industrial IoT and Industry 4.0 bring many opportunities and many risks.
• To maximize the opportunities, you must understand how to minimize the risks.
• The following slides explain the most common industrial security use cases, how and when they are used, and how to implement them.


OPTIGA™ TPM SLM 9670 for Industrial Use Cases

www.infineon.com/industrial-TPM


Industrial Use Cases are enabled by hardware-based security in OPTIGA™ family

Industrial use cases … enabled by hardware-based security

Supervisory and Control Levels (e.g. PLC, RTU, HMI, IPC)

Industrial use cases:
› Predictive maintenance
› Remote diagnosis & service (Remote maintenance)
› Counterfeit detection
› Equipment-as-a-service
› Cloud analysis and optimization
› After-market revenues
  – Feature upgrades
  – Services (e.g., security)
› Protecting proprietary IP

Enabled by OPTIGA™ TPM SLM 9670, a tamper-resistant, certified and standardized security chip enabling:
› Digital Device ID, including Mutual authentication
› Device Integrity & Secured Boot
› Remote Software and Firmware updates
› Secured communication
› Secured storage of data and keys

Field Level (e.g. Sensor, Actuator, Controller Board)

Industrial use cases:
› Predictive maintenance
› Remote diagnosis & service (Remote maintenance)
› Counterfeit detection
› Equipment-as-a-service
› Asset tracking & inventory management
› Protecting proprietary IP
› Streamlined offering

Enabled by OPTIGA™ Trust X, a tamper-resistant security chip enabling:
– Mutual authentication
– Secured communications
– Secured storage
– Remote SW & FW updates
– Integrity verification

Copyright © Infineon Technologies AG 2019. All rights reserved.

Secured Communication

Industrial Level

Description
› Protection of communications with the cloud and within the industrial networks
› Mutual authentication and confidential data exchange with integrity & replay protections
› Critical keys securely stored in secured Hardware
› Needed to secure many customer use cases: predictive maintenance, remote maintenance, equipment-as-a-service, cloud analysis and optimization, after-market revenues, feature upgrades, and protecting proprietary IP

Addressed Threats
› Malicious access or control by unauthorized parties
› Loss of keys and ability of authentication (clones, false data, invalid access)
› Extraction of proprietary IP

Customer Benefits
› Increase safety and reliability
› Enable new online business models
› Contribute to company reputation and image

Solution Approach
› Secured communication library adapted to use keys in secured OPTIGA™ Hardware for the first authentication phase
› Subsequent data transfer and bulk encryption use performant session keys derived from the authentication key
› Long-term authentication keys are kept in the secured OPTIGA™ Hardware

Solution Benefits of OPTIGA™
› Tamper resistant key storage
› Turn-key solution
› Security certified (TPM only)
› Industrial temperature range
› Extended lifetime


Remote Software & Firmware Updates

Industrial Level

Description
› Secured update of SW or FW in supervisory, control, and field devices
› Remote feature activation & deactivation
› Enabling safe fixes for bugs and vulnerabilities
› Updates signed by OEM, verified by device
› Detect and recover from improper updates
› Distribute updates via networks, USB, etc.
› Needed to secure many customer use cases: remote maintenance, equipment-as-a-service, after-market revenues, and feature upgrades

Addressed Threats
› Malicious or manipulated updates
› Reverse engineering of updates
› Rollback attacks
› Unauthorized feature access

Customer Benefits
› Reduce update costs
› Enable new business models
› Contribute to company reputation and image
› Ease Software improvements
› Increase safety and reliability

Solution Approach
› Long-term keys are kept in the OPTIGA™ Hardware and used to verify and/or decrypt updates and feature licenses
› Proper installation of updates and feature licenses can be verified locally and remotely via policies and attestation
› Updates and feature licenses are loaded into the device

Solution Benefits of OPTIGA™
› Tamper resistant key storage
› Turn-key solution
› Security certified (TPM only)
› Industrial temperature range
› Extended lifetime
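The update flow this slide describes (update signed by the OEM, verified by the device, rollback refused, an improper update detected and recovered from) as an added, runnable sketch; this is example code, not Infineon's or the OPTIGA™ library's. The firmware images are constructed, an HMAC tag stands in for the OEM's asymmetric signature, and `make_update`, `Device` and `apply_update` are hypothetical names.

```python
import hashlib
import hmac
import json

# Assumption: an HMAC tag stands in for the OEM's asymmetric signature so this runs on
# the standard library alone; a real device holds only the OEM public key and keeps the
# anti-rollback counter in the TPM's NV storage.
OEM_KEY = b"constructed-oem-signing-key"

def oem_sign(manifest: dict) -> bytes:
    """OEM side: sign the canonical manifest (version + image digest)."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(OEM_KEY, payload, hashlib.sha256).digest()

def make_update(version: int, image: bytes):
    """OEM side: build and sign the manifest that binds a version to an image."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, oem_sign(manifest), image

class Device:
    """Field device with an active/backup slot pair and a monotonic version counter."""
    def __init__(self, installed_version: int, installed_image: bytes):
        self.min_version = installed_version  # stand-in for the tamper-resistant counter
        self.slots = {"active": (installed_version, installed_image), "backup": None}

    def apply_update(self, manifest: dict, signature: bytes, image: bytes) -> str:
        # 1. Authenticity: only OEM-signed manifests are considered (constant-time compare).
        if not hmac.compare_digest(oem_sign(manifest), signature):
            return "rejected: bad signature"
        # 2. Integrity: the signed manifest pins the exact image bytes.
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            return "rejected: image digest mismatch"
        # 3. Anti-rollback: a validly signed but older version is still refused.
        if manifest["version"] <= self.min_version:
            return "rejected: rollback"
        # 4. Install into the spare slot and keep the running image as fallback.
        self.slots["backup"] = self.slots["active"]
        self.slots["active"] = (manifest["version"], image)
        # 5. Detect an improper update and recover by switching back to the old slot.
        if not self._self_test(image):
            self.slots["active"], self.slots["backup"] = self.slots["backup"], None
            return "recovered: self-test failed, previous firmware restored"
        # 6. Advance the counter only after success, so a failed attempt can be retried.
        self.min_version = manifest["version"]
        return "installed"

    @staticmethod
    def _self_test(image: bytes) -> bool:
        # Constructed health check: a well-formed image carries the b"FW!" header.
        return image.startswith(b"FW!")
```

Note that step 6 is what makes "recover" and "rollback" coexist: the counter moves only when the new image proves healthy, so a failed install neither locks the device out of a corrected build nor lets an attacker push it back to a version with a known vulnerability.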


Device Identity

Industrial Level

Description
› Providing a strong, unique digital device identity
› Enabling one-way or mutual authentication
› Fundamental Requirement of IEC 62443 for all devices (supervisory, control, field, etc.)
› Basis for most other security use cases such as secured communications
› Needed to secure many customer use cases: remote maintenance, equipment-as-a-service, counterfeit detection, after-market revenues, asset tracking and inventory management

Addressed Threats
› Unauthorized access and control
› Impersonation and forgery
› False data, improper commands
› Cloning and counterfeiting
› Unauthorized access to IP & data

Customer Benefits
› Reduce update costs
› Enable new business models
› Contribute to company reputation and image
› Ease Software improvements
› Increase safety and reliability

Solution Approach
› Device identity keys and certs are loaded into the OPTIGA™ Hardware during Infineon manufacturing
› More keys and certificates may be added securely later
› Device identity keys and certs are used to authenticate the device and establish secured communications

Solution Benefits of OPTIGA™
› Tamper resistant key storage
› Turn-key solution
› Security certified (TPM only)
› Industrial temperature range
› Extended lifetime
› Supports X.509 & other standards
