Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Autonomous SecurityHardware-Based Security Model & Trust Stack
Jay Fallah CTO NXMArm TechCon 2019, Booth #931
Outline
1) About us
2) Securing IoT: OEM responsibility or end user’s dilemma?
3) Autonomous Security’s use of hardware Root of Trust & machine identity
4) Cyber Physical Security vs. Cyber Security
5) Evolution of security: personal computing, to mobile, to IoT & beyond
6) From centralized systems to distributed & decentralized models
7) Questions
© 2019 NXM Labs, Inc. - Propietary & Confidential 2
NXM - Next Generation Machines
Founded in 2016
Developing Autonomous IoT Security platform & Data Integrity trust-stack
‘Chip-to-Cloud’ solution leverages PSA & trusted enclave
Frost & Sullivan 2019 NA Visionary Innovation Leadership Award for IoT Security
© 2019 NXM Labs, Inc. - Propietary & Confidential 3
Catch MEIF
YOU Can
© 2019 NXM Labs, Inc. - Propietary & Confidential 4
About a decade ago an FBI agent explained:“There are 2 types of people”
© 2019 NXM Labs, Inc. - Propietary & Confidential 5
Those who have experienced
a cyber-threat
And Those who have not
A few years later the same FBI agent said:“There are two groups of people”
© 2019 NXM Labs, Inc. - Propietary & Confidential 6
Those who have experienced
a cyber-threat
And Those who do not know
that they have
“Amateurs HACK DevicesProfessionals HACK People”
Criminals chose targets based on least effort for the highest reward
Cybercrime damages has surpassed all illegal drugs crime
Phishing attacks of the past have graduated to whaling
© 2019 NXM Labs, Inc. - Propietary & Confidential 7
Real People NOT Actors
© 2019 NXM Labs, Inc. - Propietary & Confidential 8
Do you feel secure? Are you secure?
Are you a human firewall?
Is feeling secure the same as being secure?
Why do we all need to be vigilant about security?
Isn’t there a better way than username, passwords & settings?
Would it be possible to secure the tsunami of future IoT devices using password?
© 2019 NXM Labs, Inc. - Propietary & Confidential 9
Are we making smart devices more secure?
© 2019 NXM Labs, Inc. - Propietary & Confidential 10
Replace “Smart” with “Hackable”Replace “Connected” with “Exposed”
SMART CITY
SMART DEVICES
CONNECTED DEVICES
SMART CONNECTED VEHICLES
© 2019 NXM Labs, Inc. - Propietary & Confidential 11
HACKABLE CITY
HACKABLE DEVICES
EXPOSED DEVICES
HACKABLE EXPOSED CARS
=
=
=
=
Feeling Secure ≠ Being SecureThey relate to each other by a model
© 2019 NXM Labs, Inc. - Propietary & Confidential 12
Vulnerable: Not secure & not feeling secure
False sense of security: Not secure but feeling secure
Paranoid: Secure but feeling insecure
Secure: Being secure & feeling secure
Model
Feeling Secure
Being Secure
IoT Security ≠ Internet SecurityAutonomous Security ≠ Cyber Security
© 2019 NXM Labs, Inc. - Propietary & Confidential 13
IoT proliferation is based on use of analytics & big data
Autonomous Security is a Cyber Physical Security
Its purpose is securing Edge Computing devices
Utilizing hardware to anchor cybersecurity primitives in TEE
“Innovation”
© 2019 NXM Labs, Inc. - Propietary & Confidential 14
The action or process of innovating. The invention or application of methods, ideas or devices. From Latin, “innovare”, to renew or make new.
Autonomous Security is the modelfor “Edge Cyber Physical” security
© 2019 NXM Labs, Inc. - Propietary & Confidential 15
Value Chain: ARM, Chip, Module, OEM, User (B2B2C)
Life Cycle: Make, Ship, Sell, Provision, Use, Discard
Target User: OEM (integrating security in final design)
Autonomous: Provisioned upon first network connection
Chip Designer
Chip Maker
Module Maker
OEM
User
Money is the currency of transactionsTrust is the currency of interactions
© 2019 NXM Labs, Inc. - Propietary & Confidential 16
Evolution of Trust: Local, Institutional, Distributed
Autonomous Security: Distributed Trust Stack
Securing: Firmware, Software, Data, Communications
Based on: Hardware & Trusted Firmware
Known UnknownTrust
Uncertainty
3. other user
2. platform
1. idea
THE TRUST STACK
Known Unknown
Autonomous SecurityNeighborhood Watch of/for/by Devices
© 2019 NXM Labs, Inc. - Propietary & Confidential 17
Security interactions separated from data interactions
Configurations defining data context & data path
All data signed and encrypted at rest & inflight
Single source of truth in a collaborative digital ledger
Automated Configuration ManagementPre-definition rather than post-learning
© 2019 NXM Labs, Inc. - Propietary & Confidential 18
Data integrity & privacy at the edge
Network segmentation based on device identity
Can you trust Big Data if you can not trust Little Data?
Should IT & the vendor collaborate on device security
Delegating system & data threats to the hardware
© 2019 NXM Labs, Inc. - Propietary & Confidential 19
Trusted Firmware & PSA CertificationSecurity requires friction & delimitation
© 2019 NXM Labs, Inc. - Propietary & Confidential 20
OEM should be responsible as the integrator for security
Security vendors target IT departments as purchasers
Operational technology must have a security component
Chip designers are too far from device security
Evolve security from a commodity to a common good
Security journey of an IoT must start in the field
Manufacture Build
Shipping
Wholesale Retail
Provisioning
Ownership changes
Disposal
Digital ledger tracking security
Warranty
Late
-Bin
ding
Late-binding & life-time Warranty
© 2019 NXM Labs, Inc. - Propietary & Confidential 21
Tracked By Serial number
Autonomous SecurityConfigurationMachine ID
PKI
Ledger as IAM & Key Exchange Management
© 2019 NXM Labs, Inc. - Propietary & Confidential 22
Globally unique device identity (Late-Binding, TRNG).
PKI created & private key stored in the trusted zone.
Identity & public key provisioned on the blockchain.
Identity tracks the device security posture in the ledger.
What is stored on the Ledger? Do we really need a blockchain?Why can’t databases do the same thing?
© 2019 NXM Labs, Inc. - Propietary & Confidential 23
Security needs a distributed & decentralized model
Variables are Identity, public key & a JSON string
Blockchain is not just a database in this implementation
Smart Contracts allow customized device programming
Smart Contracts could be delimited by resources
Who owns the device? And who owns the blockchain?
© 2019 NXM Labs, Inc. - Propietary & Confidential 24
Autonomous devices means no human ownership
One admin device & 0 to ∞ users provisioned in field
4 possible implementation of permissioned blockchain
Ethereum & Hyperledger blockchain microservices
Security & only security is handled by the ledger
Autonomous Security for next generation machines
IOT
Data sent to cloud
High Latency
Not Scalable
High Bandwidth Needs
M2M
Machine to Machine interaction
Realtime
Scalable
Edge processing of data
© 2019 NXM Labs, Inc. - Propietary & Confidential 25
Two views on any IoT infrastructure
SYSTEM VIEW
Things, IoT devices, machines
Gateways, networking hubs, routers
Network services, connection
Cloud services, APIs, IoT Frameworks
Device management, control
BUSINESS VIEW
IoT platform, big data, analysis
Connectivity, device management
Business model, business transactions
Services offered, sectors served
Applications, customer interactions
© 2019 NXM Labs, Inc. - Propietary & Confidential 26
Edge devices & IoT requirements
© 2019 NXM Labs, Inc. - Propietary & Confidential 27
Requirement: Power, Connectivity (IP at the edge)
Abilities: Sensing, actuating or both mostly headless
Trusted: Enclave, Storage, Application, Memory, TRNG
Categories: Automotive, 5G, IoT (Health, Smart City, …)
MACHINES THAT WORK
INDEPENDENTLY
PEERS IN NETWORK
AUTOMATED
RESILIENT
Cyber Physical Root of Trust
© 2019 NXM Labs, Inc. - Propietary & Confidential 28
Trusted Software
Trusted Hardware
CryptoSecureSystem
SecureStorage TRNG
Trusted
Non-trusted
© 2019 NXM Labs, Inc. - Propietary & Confidential 29
CUPSControl
and User Plane
Separation
CUPS in 5G LTE as inspiration
© 2019 NXM Labs, Inc. - Propietary & Confidential 30
Layer 2 Layer 3
FDD
TDD
Layer 1
25.3
21 –
MA
C
25.3
22 –
RLC
BM
CP
DC
P
Physical Layer
RR
C
CP
UP
Control Plane
User PlaneBroadcast
Packet Switched
Circuit Switched
Using blockchain as overlay layer for IoT control
© 2019 NXM Labs, Inc. - Propietary & Confidential 31
Layer 2 Layer 3
RF
Wire
Layer 1
MA
C
IP
Physical Layer
over
lay
CP
UP
Control Plane
User Plane
MQTT Pub-Sub
DLT
Discovery & visibility in the NetworkFunctional edge network segmentation
© 2019 NXM Labs, Inc. - Propietary & Confidential 32
Single security context based on device identity
Multiple data/service context for each physical device
Device mission specification by OEM at configuration
Single admin, multi-user & life time device identity
Trusting the device starts with Root of Trust (RoT)PKI involved in creating as well as extending the RoT
© 2019 NXM Labs, Inc. - Propietary & Confidential 33
Autonomous cyber physical devices must safeguard their RoT
Machine identity is essential to implementing an IoT security framework
Firmware, application, data & communication should all be trustworthy
A trust stack allows devices to trust each other based on rules on engagement
IAM & key management should be event based, auditable & distributed
Mission-based edge devices form the first line of defense against intruders
Summary1: Catch me if you can!
I can only catch the misbehaving physical devices that I can identify
Device should be able to do secure boot & secure update over the air
The evolution of computing (PC, Mobile, IoT) each need their own security journey
We need more than IT people to deal with security issues of a trillion IoTs
Monitoring device behavior makes catching a rogue actor easier
© 2019 NXM Labs, Inc. - Propietary & Confidential 34
Summary2: Human firewall is not working
You only remember the combination of a lock that you open on daily basis
Should OEM be responsible for the security of the device or should the owner
Swimming with the sharks only works when you can keep track of the sharks
Autonomous vehicles need Autonomous Security, humans not required
Security paradigm should include privacy & data integrity
Professionals hack people, let their devices defend them!
© 2019 NXM Labs, Inc. - Propietary & Confidential 35
Summary3: Realtime or near real time remedy
Getting back to state of grace means repairing the damage & replacing RoT
All authorized access recorded in a decentralized & distributed ledger
Ledger providing actionable third party for peer-to-peer interactions
The remedy begins when the numbers are different
Networking as well as computing needs to be controlled & delimited
IoTs are made with predetermined missions in mind & can be configured as such
© 2019 NXM Labs, Inc. - Propietary & Confidential 36
QuestionsJay Fallah, CTO NXM Labs
+1-647-927-9990
Visit us at Booth #931 for a Demo!
© 2019 NXM Labs, Inc. - Propietary & Confidential 37