Embedded Hardware Security for IoT Applications

Publication Date: December 2016

From connected homes to cities to international industrial applications, the Internet of Things (IoT) can no longer be considered a novelty. The world of IoT crossed the six billion connected endpoints mark in 2016, according to Gartner’s market research. Every day over five million new things are being connected. It has been projected that by 2020, the world will have over 20 billion connected devices – that’s around three smart objects for every single person on the planet.

Healthcare, smart city, consumer electronics, industrial, payments and numerous other verticals are developing services that rely on an IoT infrastructure. Security is a core inherent requirement to deliver safe and reliable IoT services spanning from the cloud to connected devices. Industry security practices, however, differ significantly, leading to a lack of common ground to deploy these services with ease, consistency, and ubiquity.

High-profile cases of IoT device hacking have already been reported. In July 2015, Fiat Chrysler announced a voluntary recall of 1.4 million vehicles to fix security issues after two security researchers hacked into a Jeep. They were able to interfere with the vehicle’s entertainment system, engine, and brakes while it was being driven on the highway, miles away from the hackers. While this received media attention due to a direct and potentially deadly impact on consumers, there have been other incidents that have not received as much mainstream press. In 2014, Germany’s Federal Office for Information Security (BSI) issued a report stating that a steel plant had suffered “massive” damage due to the digital manipulation and disruption of control systems, to such a degree that a blast furnace could not be properly shut down. The attackers gained access to the steel mill through the plant’s business network using a spear-phishing attack.

The Smart Card Alliance IoT Security Council was formed to develop and promote best practices and provide educational resources on implementing secure IoT architectures. This white paper is the first in a series of efforts to provide an overview of considerations for securing IoT ecosystems. IoT security encompasses many different aspects of security such as secure boot, device authentication, encryption, secure communication, authorized transactions and lifecycle management. Multiple software- and/or hardware-based approaches may be employed in the industry to implement security in each of these areas to meet the requirements of the specific market.

This white paper describes basic security principles that are critical for IoT implementations and then reviews the application of these security principles for an example use case – managing the lifecycle of IoT devices. The white paper discusses embedded security – where hardware and/or software security mechanisms are built into the end devices used in an IoT architecture. The white paper then further focuses on embedded hardware security, where end devices include hardware features and functions to ensure that the appropriate security requirements are implemented and maintained.

About the White Paper

This white paper was developed by the Smart Card Alliance IoT Security Council to provide a high-level educational resource on the value of embedded hardware security in end devices used in IoT applications.

Smart Card Alliance members that contributed to the white paper included: Accenture; Allegion; CH2M; Discover Financial Services; Exponent, Inc.; First Data; Gemalto; Giesecke & Devrient; Hewlett Packard Enterprise; Intercede Limited; IQ Devices; Metropolitan Transportation Commission (MTC); NextGen ID, Inc.; NXP Semiconductors; Safran Identity & Security; SigNet Technologies, Inc.; TSYS; Underwriters Laboratories (UL); Verifone.

About the Smart Card Alliance IoT Security Council

The Smart Card Alliance IoT Security Council was formed to develop and promote best practices and provide educational resources on implementing secure IoT architectures using “embedded security and privacy.” The Council focuses on IoT markets where security, safety and privacy are key requirements and will leverage the industry expertise and knowledge gained from implementing embedded security technology for payment, identity, healthcare, transport and telecommunications systems to provide practical guidance for secure IoT implementations. The Council provides a unified voice for the industry to the broader IoT ecosystem.