Security | IoT Security | Security as a service | Security Provisioning

Reducing the Complexity of Secure IoT Device Provisioning and Manufacturing

Written by Jennifer Higgins | Nov 20, 2020 10:50:15 PM

IoT devices are increasingly pervasive in our homes, vehicles, hospitals and workplaces, from smart speakers, smart electricity meters, connected medical devices to vehicles that can synchronize with modern traffic management systems to optimize route finding. Yet as these connected devices become ever more intertwined with our daily lives, their basic security (or lack of it) becomes an area of growing concern. That’s because the interconnected and distributed nature of IoT applications, if left unsecured, is very vulnerable to a variety of attacks by hackers and other bad actors.

 

The focus of these attacks may include:

  • Hacking into devices to steal data or firmware
  • Injecting malware into devices or modifying existing firmware to change operations
  • Introducing fake devices into IoT networks by stealing identities
  • Corrupting data exchanged between device and application operations.

Securing IoT applications to protect data and intended functionality from cyber threats should be a primary consideration for OEMs—not an afterthought—and needs to be built into device hardware from the beginning, at the time of manufacturing. Yet for many OEMs, making choices among hardware-based security options is complicated and confusing, due to the myriad IoT security standards groups, device security frameworks, and the cost pressure and complexity of the global electronics supply chain.

 

In the world of device manufacturing, the supply chain is dispersed across different vendors and geographies. It is common practice for an OEM to develop an IoT device at an OEM development lab in one part of the world, procure integrated circuits (ICs) such as microprocessors or microcontrollers and program firmware and data into these ICs at a third-party factory in a different part of the world. These devices then get assembled and tested by yet another, different third-party contract manufacturer (CM) in a different geographic location. Post-manufacturing, devices are typically configured and operated in an altogether different operation and location distinct from all of the pre-manufacturing and manufacturing locations and operational entities.

 

Due to the complexity of this global supply chain, there is no simple way for OEMs to ensure that devices manufactured at a third-party CM premises use authentic ICs and not counterfeits. There is no guarantee that devices are programmed with the OEM-specified firmware and data without modification. There is no guarantee that OEM intellectual property (IP) like PCB board design, firmware or data will not be stolen during the manufacturing process. There is no way for OEMs to manage the manufacturing process so that only an OEM-specified number of devices is produced. Use of counterfeit ICs, cloning of devices, spoofing of devices and overproduction of devices are acute concerns in electronic manufacturing that cost OEMs billions of dollars in lost revenue and brand value. For consumers, these potentially unsecured devices run the risk of malfunctioning, data sniffing and eavesdropping, or placing personal data in the wrong hands.

 

OEMs realize that hardware-based security is required to protect modern connected devices from IP theft, product cloning and system hacking, but deploying security for different use cases is difficult and can impact security robustness, user experience and time to market.

 

The SentriX® security deployment-as-a-Service platform from Data I/O was developed to address the multiple layers of complexity that OEMs encounter during secure device provisioning and manufacturing. Using SentriX, OEMs have the ability to secure their supply chain and manufacture secure devices at scale using a trusted security deployment service. Part of the platform is a deployment tool called SentriX Product Creator™ that OEMs can use to collaborate with silicon vendors and programming partners to define the security features, profiles or definitions to be deployed in their devices.

 

To simplify the security deployment process, Sentrix Product Creator employs pre-configured use cases to help OEMs specify and design their security requirements. The pre-configured model presents the most common IoT use cases to the OEM along with other common choices, policies and settings. The pre-configured use cases are IC-dependent but typically include deployment of:

  • Chip identity
  • Chip authenticity
  • Cloud on-boarding
  • Secure boot
  • Access control
  • Encrypted firmware
  • Secure communication
  • Static data

Pre-configured use cases remove much of the complexity of secure provisioning and manufacturing and offer OEMs greater ease-of-use by abstracting the complications of securing ICs and microcontrollers. Because the pre-configured use cases are offered as automated services, it also means that OEMs are less dependent on finding and retaining highly specialized software, security and operations teams.

To learn more about SentriX IoT Security as-a-Service, download our new e-book Securing the Electronics Supply Chain with SentriX IoT Security as-a-Service or visit our web site at www.dataio.com/SentriX.