Securing Factories and Infrastructures in the Age of IoT

With the rise of the Internet of Things (IoT) and "Industry 4.0," factories and critical national infrastructures are becoming connected networks. Processes are remotely monitored through sensing and connectivity solutions, allowing for greater control, powering predictive analytics, and optimizing throughput, which leads to a higher return on investment. But strong security becomes indispensable when processes rely on the integrity of connected sensors and their data. Sensitive data travels over connected networks and must be protected from eavesdropping and alteration. This page discusses how data should be protected on its way from IoT devices to cloud services.

Problem

  • Mission-critical continuity and safety in connected networks depend on accurate transmission of sensor data
  • Data is vulnerable to eavesdropping and alteration when it travels from device to dashboard or cloud
  • Resource and budget constraints impede traditional security measures in IoT
  • Once deployed, Industrial IoT (IIoT) devices cannot easily be upgraded to a stronger security system with traditional, hardware-based methods

Results

  • Secure data transfer from its creation
  • An unclonable, immutable, invisible, and unique identity to authenticate every device
  • Low-cost solution for a scalable market
  • Low resource requirements for IoT devices
  • Flexible integration in hardware or software
  • For software integration, retrofitting of in-field devices is also possible

Solution

  • Start security where the data is created, by deriving a unique and unclonable identity, based on SRAM PUF, for every device
  • Use the identity to authenticate and encrypt all data to protect it from the moment it leaves the device all the way to the cloud system

In all Industrial IoT networks, sensors are where IoT data streams begin. These sensors create the data on which decisions are based and action is taken. If attackers manipulate sensor data, they can bring entire production lines to a halt or endanger people in and around a factory or infrastructure. It is therefore essential that sensor data arrives unaltered at the place where decisions are made, whether that is an on-premises control server or the cloud.

Keeping sensor data safe is not trivial, because it requires end-to-end security: a secure channel from the IoT device into the cloud that ensures data cannot be eavesdropped upon or altered in transit (in practice usually TLS or DTLS). To establish such a channel, the device and the cloud service must hold keys and certificates with which each side authenticates the other. Many methods exist for provisioning these, such as "zero-touch provisioning."

The biggest challenge when applying these methods is to get the required keys and certificates on the IoT device. The traditional method for provisioning keys and certificates uses an additional chip in the device, such as a secure element (SE). However, this comes with significant downsides:

  • Higher BOM cost for the additional chip
  • Dependency on the SE vendor for key injection and key handling
  • Extra integration effort to onboard the SE
  • An SE cannot be added to devices already in the field

Solution: Synopsys Secure Sensors

Synopsys' secure sensor-to-cloud solution addresses these problems. Using Synopsys' patented SRAM PUF technology, the IP derives a unique and unclonable identity for every IoT device from the power-up state of the chip's own SRAM cells, a pattern set by manufacturing variation that cannot be copied from one die to another. The secret is never stored in non-volatile memory: it is reconstructed each time it is needed from the SRAM start-up pattern, with the help of public helper data that by itself reveals nothing about the key. The identity is therefore immutable and cannot be extracted by reading out memory at rest, which makes it a strong anchor of trust for every device (the reconstructed key still exists in RAM while in use, so the firmware handling it must be protected as usual). Keys derived from the SRAM PUF are used to set up the secure channel.
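The following is an added illustration, not Synopsys' own code, of the mechanism described under "Solution" and in the paragraph above: a toy SRAM-PUF key reconstruction using a code-offset fuzzy extractor with a repetition code, followed by HMAC authentication of a sensor record under the reconstructed key. The SRAM fingerprint, its power-up noise, the seeds, the code parameters (128 secret bits, repetition factor 7, at most one flipped cell per block per read) and the sensor record are all constructed assumptions for the simulation; real products use stronger error-correcting codes and many more cells.

```python
# Added illustration (not Synopsys code): a toy SRAM-PUF key reconstruction
# using a code-offset fuzzy extractor with a repetition code, then HMAC
# authentication of a sensor record under the reconstructed key.
# All parameters, seeds and sample data below are constructed assumptions.
import hashlib
import hmac
import random

KEY_BITS = 128            # secret bits recovered from the PUF
REP = 7                   # repetition code: each secret bit is spread over REP SRAM cells
MAX_FLIPS_PER_BLOCK = 1   # simulated power-up noise per block of REP cells (assumption)
# Two reads can then differ in at most 2 cells per block, below the
# floor(REP/2) = 3 errors that majority voting corrects, so reconstruction always succeeds.


def sram_powerup(device_seed: int, noise_seed: int) -> list[int]:
    """Simulate the power-up values of KEY_BITS*REP SRAM cells (constructed data).

    device_seed fixes the per-die fingerprint (manufacturing variation);
    noise_seed models the few cells that flip between power-ups."""
    base = random.Random(device_seed)
    cells = [base.getrandbits(1) for _ in range(KEY_BITS * REP)]
    noise = random.Random(noise_seed)
    for block in range(KEY_BITS):
        for pos in noise.sample(range(REP), noise.randint(0, MAX_FLIPS_PER_BLOCK)):
            cells[block * REP + pos] ^= 1
    return cells


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """RFC 5869 HKDF-Extract plus one Expand block (32-byte output)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive_key(secret_bits: list[int]) -> bytes:
    """Turn the recovered secret bits into a uniform 256-bit key."""
    raw = int("".join(map(str, secret_bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hkdf_sha256(raw, salt=b"puf-demo-salt", info=b"device-channel-key")


def enroll(read: list[int], rng: random.Random) -> tuple[bytes, bytes]:
    """One-time enrollment (code-offset construction).

    A random secret is encoded with the repetition code and XORed onto the
    SRAM read. The result, the helper data, goes into ordinary non-volatile
    memory: with unbiased SRAM cells it reveals nothing about the secret.
    The secret itself is never written anywhere. Returns (helper, key)."""
    secret_bits = [rng.getrandbits(1) for _ in range(KEY_BITS)]
    codeword = [b for b in secret_bits for _ in range(REP)]
    helper = bytes(r ^ c for r, c in zip(read, codeword))  # one byte per cell, for readability
    return helper, derive_key(secret_bits)


def reconstruct(read: list[int], helper: bytes) -> tuple[bytes, int]:
    """Recover the key from a fresh, noisy read plus the stored helper data.

    read XOR helper == codeword XOR (noise between the two reads); majority
    voting over each REP-cell block strips the noise. The second return
    value is the worst per-block disagreement count, a health metric that
    firmware should compare against a threshold before trusting the key."""
    offset = [r ^ h for r, h in zip(read, helper)]
    secret_bits, worst = [], 0
    for block in range(KEY_BITS):
        ones = sum(offset[block * REP:(block + 1) * REP])
        bit = 1 if 2 * ones > REP else 0
        worst = max(worst, REP - ones if bit else ones)
        secret_bits.append(bit)
    return derive_key(secret_bits), worst


def seal_reading(key: bytes, device_id: str, seq: int, reading: str) -> dict:
    """Authenticate one sensor record with HMAC-SHA256 under the PUF-derived key.

    Device ID and a sequence number are bound into the tag so the cloud can
    reject cross-device substitution and replays. Confidentiality would use
    the same key material with an AEAD such as AES-GCM (omitted to keep the
    example standard-library only)."""
    msg = f"{device_id}|{seq}|{reading}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"device_id": device_id, "seq": seq, "reading": reading, "tag": tag}


def verify_reading(key: bytes, record: dict) -> bool:
    msg = f"{record['device_id']}|{record['seq']}|{record['reading']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def run_demo() -> dict:
    """Enrollment, field reconstruction, a cloned device, and a tampered record."""
    helper, enrolled_key = enroll(sram_powerup(device_seed=0xA11CE, noise_seed=1),
                                  random.Random(42))
    field_key, worst = reconstruct(sram_powerup(device_seed=0xA11CE, noise_seed=2), helper)
    # Same helper data copied to a different die: the PUF response differs, so the key does too.
    clone_key, _ = reconstruct(sram_powerup(device_seed=0xB0B, noise_seed=3), helper)
    record = seal_reading(field_key, "pressure-sensor-17", 1042, "bar=6.2")  # constructed sample
    tampered = dict(record, reading="bar=0.2")
    return {
        "field_key_matches": field_key == enrolled_key,
        "worst_block_errors": worst,
        "clone_key_matches": clone_key == enrolled_key,
        "record_verifies": verify_reading(field_key, record),
        "tampered_verifies": verify_reading(field_key, tampered),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two points the simulation makes concrete: the helper data can sit in plain flash and be copied to a second device without leaking the key, because the second device's SRAM pattern decodes it to an unrelated key; and the per-block disagreement count gives firmware a way to refuse a key reconstructed under conditions (temperature, ageing) that push noise toward the code's correction limit.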

Semiconductor manufacturers may license Synopsys solutions as IP. Module and IoT device manufacturers can procure chips with Synopsys PUF IP included, or can license a software version of the IP directly. Synopsys positions the software version as the only software-only solution that anchors a strong root of trust in the device's own silicon rather than in an added security chip.

Since no additional hardware components (such as secure elements) are required, the solution can be integrated flexibly and at an IoT-scale-friendly price point. Devices already deployed can even be upgraded by an over-the-air firmware update, without an expensive redesign of the system, provided the firmware can read a reserved SRAM region at boot before anything else writes to it, since the PUF response is the cells' uninitialized start-up state.

Bottom Line Benefits

  • Unclonable, immutable and invisible ID
  • Authentication and encryption of data
  • Strong security at a low price point
  • Flexible integration in software, allowing for over-the-air updates for existing devices
