Don Schleede, Information Security Officer for Digi International, a Minnesota-based manufacturer of embedded systems, as well as routers, gateways and other communications devices for the Industrial Internet of Things. Don manages security operations and security compliance for Digi.
Six IoT device tips to check off
Authenticate – a manufacturer-supplied certificate should be presented by customers when they access the device, authenticating the system every time it starts up or is accessed. Hackers, of course, won’t have access to this certificate.
Digital signature – a unique digital signature for every legitimate, authorised device, unavailable in firmware and unable to be faked, will prevent hackers from creating counterfeit devices and fooling the system. Only genuine data from confirmed devices will be accepted.
Check for updates – the system should regularly check for and automatically download updates. This will help stop firmware update backlogs and keep the burden off users, while still ensuring the device is as up to date on its protection as possible.
Put the key in a box – if you leave your front door key under your doormat or in a convenient plant pot when you’ve locked up and left your house, you’ve really left it vulnerable to a determined criminal. The same applies to decryption keys – these should go in a secured lockbox, to stop hackers from accessing the stored data. This lockbox will require its own code to get access to the key.
Get physical – challenge any physical system attackers by making them follow the same authentication process as is used when the device is accessed over a network. This applies to access through any of a device’s physical ports.
Have capacity – to future-proof your IoT devices and your system, we’ll begin to see hardened co-processors with responsibility for security functions. This will aid in providing the maximum security levels and extending device lifespans without overburdening their main processors. There will also be additional security features accessed via the cloud. In summary: make sure you have the capacity to accommodate new levels of protection, because you’re going to need it in future.
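The “digital signature” tip above is easiest to understand with a concrete check in place. The following Go program is an added illustration written for this article; it is not Digi code and does not show how TrustFence implements the feature. It assumes each device was provisioned at the factory with its own Ed25519 key pair (the private half staying on the device) and that the cloud keeps a registry of the public halves. A device signs every upload together with its serial number; the server accepts the data only if the serial is registered and the signature verifies under that serial’s key, so a counterfeit device with a key of its own is rejected even when it claims a genuine serial.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Registry maps a device serial to the public half of the per-device key
// provisioned at the factory. Only serials in here are "confirmed" devices.
// (Hypothetical structure for this example; a real registry would be a
// database behind the device cloud.)
type Registry map[string]ed25519.PublicKey

// Upload is what a device sends: its serial, a payload and a signature
// covering both.
type Upload struct {
	Serial    string
	Payload   []byte
	Signature []byte
}

// signingInput binds the serial to the payload so that a signature made by
// one device cannot be replayed under another device's serial.
func signingInput(serial string, payload []byte) []byte {
	return append([]byte(serial+"\x00"), payload...)
}

// Provision generates a key pair for a new device, registers the public key
// and returns the private key that would be burned into the device.
func Provision(r Registry, serial string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	r[serial] = pub
	return priv
}

// Sign runs on the device side: it signs serial||payload with the device key.
func Sign(serial string, priv ed25519.PrivateKey, payload []byte) Upload {
	sig := ed25519.Sign(priv, signingInput(serial, payload))
	return Upload{Serial: serial, Payload: payload, Signature: sig}
}

// Accept runs on the server side: the serial must be registered and the
// signature must verify under that serial's public key. Anything else is
// treated as counterfeit or tampered and dropped.
func (r Registry) Accept(u Upload) bool {
	pub, ok := r[u.Serial]
	if !ok {
		return false // unknown serial: not a confirmed device
	}
	return ed25519.Verify(pub, signingInput(u.Serial, u.Payload), u.Signature)
}

func main() {
	reg := Registry{}
	priv := Provision(reg, "DEV-0001") // constructed serial

	genuine := Sign("DEV-0001", priv, []byte("temp=21.5"))
	fmt.Println("genuine upload accepted:", reg.Accept(genuine))
	fmt.Println("signature:", hex.EncodeToString(genuine.Signature)[:16]+"...")

	// A counterfeit device has its own key but claims a registered serial.
	fakePriv := Provision(Registry{}, "DEV-0001")
	fake := Sign("DEV-0001", fakePriv, []byte("temp=21.5"))
	fmt.Println("counterfeit upload accepted:", reg.Accept(fake))

	// A genuine signature over a payload that was altered in transit.
	tampered := genuine
	tampered.Payload = []byte("temp=99.9")
	fmt.Println("tampered upload accepted:", reg.Accept(tampered))
}
```

The serial is folded into the signed bytes on purpose: without it, a signature captured from one device could be re-sent with a different serial, and the registry lookup alone would not catch it.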
Leading the Charge
Digi TrustFence™, available on a variety of the company’s embedded products, is specifically designed to address these IoT security issues.
Digi TrustFence incorporates authenticated boot to check a manufacturer’s certificate every time the device is booted.
Users are validated every time the device is accessed. This occurs whether access takes place over a network or at any of the device’s physical ports.
Through Digi TrustFence, the device, in turn, presents a digital signature when uploading on the network. This signature would not be available to counterfeit devices.
TrustFence regularly checks the Digi Device Cloud for firmware updates, securely downloading them to keep systems up to date without burdening support staff. For users that are prevented by regulation from accessing updates via the cloud, the system supports local update entry.
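What “securely downloading” an update has to mean in practice is worth spelling out, because an automatic update channel is only as safe as the checks the device applies before writing to flash. The Go program below is an added example for this article, not Digi’s or TrustFence’s update code. It assumes the manufacturer publishes each release with a small signed manifest (version number plus SHA-256 of the image, signed with an Ed25519 release key) and that the device holds only the public key. The device verifies the manifest signature, refuses anything not newer than what is installed (so an old, signed release cannot be replayed to roll it back), and then checks that the downloaded image matches the signed hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware release as published by the manufacturer.
// (Hypothetical format for this example.)
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte // Ed25519 signature over version || image hash
}

// manifestBytes is the exact byte string the release key signs.
func manifestBytes(version uint32, hash [32]byte) []byte {
	b := make([]byte, 4, 4+len(hash))
	binary.BigEndian.PutUint32(b, version)
	return append(b, hash[:]...)
}

// NewReleaseKey generates the manufacturer's release key pair. In production
// the private half lives in the build/signing infrastructure, never on devices.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish is the manufacturer side: hash the image and sign the manifest.
func Publish(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h,
		Signature: ed25519.Sign(priv, manifestBytes(version, h))}
}

// Device is the updater's view of one unit: the pinned release public key
// and the version currently installed.
type Device struct {
	ReleaseKey ed25519.PublicKey
	Installed  uint32
}

var (
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrRollback      = errors.New("update is not newer than installed firmware")
	ErrImageMismatch = errors.New("downloaded image does not match signed manifest")
)

// CheckUpdate is the device side. Order matters: authenticate the manifest
// before trusting any field in it, reject downgrades, then verify the image.
// Only after all three pass would the image be written to flash.
func (d *Device) CheckUpdate(m Manifest, image []byte) error {
	if !ed25519.Verify(d.ReleaseKey, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= d.Installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch
	}
	d.Installed = m.Version // stand-in for "apply and reboot"
	return nil
}

func main() {
	pub, priv := NewReleaseKey()
	dev := &Device{ReleaseKey: pub, Installed: 3}

	img4 := []byte("firmware image v4 (constructed)")
	fmt.Println("v4 update:", dev.CheckUpdate(Publish(priv, 4, img4), img4))

	img2 := []byte("firmware image v2 (constructed)")
	fmt.Println("replayed v2:", dev.CheckUpdate(Publish(priv, 2, img2), img2))

	img5 := []byte("firmware image v5 (constructed)")
	fmt.Println("v5 with altered image:", dev.CheckUpdate(Publish(priv, 5, img5), []byte("altered")))
}
```

The same check works for the “local update entry” path mentioned above: whether the manifest and image arrive from the cloud or from a USB stick, the device applies identical verification, so the transport does not need to be trusted.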
Digi TrustFence encrypts stored data and keeps the decryption key in a lockbox to keep it safe from hackers.
To accommodate growing and changing security demands, Digi TrustFence will include a hardened co-processor to store security functions separately from those on the main processor. In addition to providing another layer of security, this will expand the storage capacity for security functions and allow co-processor swap-out in future designs without impacting the device’s main processor. Some security functions will not be device-resident, but accessible via the secured Digi Device Cloud, allowing greater sophistication than could be accommodated directly on an IoT device.
In conclusion
Regular news stories remind us that there is no such thing as ‘perfect security’ – break-ins at highly secured sites and hackers accessing critical systems happen much more often than we would like. In reality, the security goal can’t be to make all interference impossible. That would be a futile mission. Rather, the aim is to make interference difficult enough that it puts hackers off. IoT devices are tempting targets, but if the effort required to access them outweighs the rewards, rational hackers will look for an easier life elsewhere.
www.digi.com
Issue 22 PECM