PECM Issue 22 2016 | Page 9

Don Schleede, Information Security Officer for Digi International, a Minnesota-based manufacturer of embedded systems, as well as routers, gateways and other communications devices for the Industrial Internet of Things. Don manages security operations and security compliance for Digi. Six IoT device tips to check off Authenticate – a manufacturersupplied certificate should be presented by customers when they access the device, authenticating the system every time it starts up or is accessed. Hackers, of course, won’t have access to this certificate Digital signature – a unique digital signature for every legitimate, authorised device, unavailable in firm are and unable to be faked, will prevent hackers from creating counterfeit devices and fooling the system. Only genuine data from confirmed devices ill be accepted Check for updates – the system should regularly check for and automatically download updates. his ill help stop firm are update backlogs and keep the burden off users, while still ensuring the device is as up to date on its protection as possible. Put the key in a box – if you leave your front door key under your doormat or in a convenient plant pot when you’ve locked up and left your house, you’ve really left it vulnerable to a determined criminal. The same applies to decryption keys – these should go in a secured lockbox, to stop hackers from accessing the stored data. This lockbox will require its own code to get access to the key. Get physical – challenge any physical system attackers by making them follow the same authentication process as is used when the device is accessed over a network. This applies to access through any of a device’s physical ports. Have capacity – to future-proof your IoT devices and your system, we’ll begin to see hardened coprocessors with responsibility for security functions. This will aid in providing the maximum security levels and extending device lifespans without overburdening their main processors. There will also be additional security features accessed via the cloud. In summary: make sure you have the capacity to accommodate new levels of protection, because you’re going to need it in future. Leading the Charge Digi TrustFence™, available on a variety of the company’s embedded products, is specifically designed to address these IoT security issues. Digi TrustFence incorporates authenticated boot to check a manufacturer s certificate every time the device is booted. Users are validated every time the device is accessed. This occurs whether access takes place over a network or at any of the device’s physical ports. Through Digi TrustFence, the device, in turn, presents a digital signature when uploading on the network. This signature would not be available to counterfeit devices. TrustFence regularly checks the igi evice loud for firm are updates, securely downloading them to keep systems up-to-date without burdening support staff For users that are prevented by regulation from accessing updates via the cloud, the system supports local update entry. Digi TrustFence encrypts stored data and keeps the decryption key in a lockbox to keep it safe from hackers. To accommodate growing and changing security demands, Digi TrustFence will include a hardened co-processor to store security functions separately from those on the main processor. In addition to providing another layer of security, this will expand the storage capacity for security functions and allow co-processor swap-out in future designs without impacting the device’s main processor. Some security functions will not be device-resident, but accessible via secured Digi Device Cloud, allowing greater sophistication than could be accommodated directly on an IoT device. In conclusion Regular news stories remind us that there is no such thing as ‘perfect security’ – break-ins at highly secured sites and hackers accessing critical systems happens much more often than we would like it to. In reality, the security goal can’t be to make all interference impossible. That would be a futile mission. Rather, the aim is to make interference difficult enough that it puts hackers off o devices are tempting targets, but if the effort required to access them outweighs the rewards, rational hackers will look for an easier life elsewhere. www.digi.com Issue 22 PECM 9