This column is available in a weekly newsletter called IT Best Practices.
Picture this scenario. You’re in your car driving on a freeway at 70 miles per hour. Without you doing anything, the air conditioning system starts to blast cold air. The radio changes stations and jacks up the volume. The windshield wipers come on and washer fluid streams across the window. The situation goes from annoying to terrifying when the gas pedal stops responding. You can push it to the floor and the car still slows to a crawl—while you are on a busy freeway.
This isn't some hypothetical scenario. It really happened to Andy Greenberg, a writer with WIRED magazine. Greenberg was part of a demonstration of how hackers can take control of a moving vehicle wirelessly over the Internet through software that is designed to control any number of the car's on-board systems. In this case, white hat hackers Charlie Miller and Chris Valasek wanted to prove a point: that vehicles' electronic systems, which are part of the Internet of Things (IoT), are vulnerable to hacking.
Shortly after this scary demonstration using a Jeep Cherokee made headlines, Fiat Chrysler issued a safety recall for 1.4 million U.S. cars and trucks that involved a software update to patch the vulnerability. Hopefully that's enough.
This episode should serve as a wake-up call to manufacturers and system integrators of all sorts of industrial-level devices that are increasingly part of IoT. As Andrew Hay, Director of Security Research with OpenDNS Security Labs points out, "IoT devices are actively penetrating some of the world's most regulated industries, including healthcare, energy infrastructure, government, financial services and retail."
Can you imagine a malicious hacker taking over the country's energy grid, or a hospital's glucometers and heart rate and blood pressure monitors? It's possible.
This is the environment that Gemalto is stepping into with the recent release of its Cinterion Secure Element for automotive and industrial IoT solutions. Gemalto is bringing the success it has had with secure element (SE) security solutions for the payments industry to industries embracing IoT.
In technology terms, a secure element is a tamper-resistant component that gets embedded into a device to enable advanced digital security and lifecycle management. For example, the latest Apple iPhones have an SE to enable the Apple Pay application. A tokenized version of a consumer's credit card information, along with a cryptogram that is used for every transaction, is stored on the SE. Only authorized applications and people can gain access to the information on the SE. As for lifecycle management in this example, a trusted service manager (such as Gemalto) can enter or update the card information or the payment application on the SE over the air.
Now Gemalto is bringing this technology and its solution integration expertise to industrial aspects of IoT, such as automotive companies and utility companies that utilize smart meters to control energy consumption and costs. Other areas that are ripe for this type of solution include healthcare systems, government services, public infrastructure and manufacturing systems.
Gemalto says it is taking a holistic approach to bringing security to industrial IoT. The vulnerabilities can't be reduced just by embedding a secure element into a device, so the company uses a three-step process that covers an industrial process end to end.
The first step is to help the customer assess the security it already has in its infrastructure and to provide an overall risk assessment of the entire system. For example, Gemalto is working with energy providers in Germany to ensure that smart meters in the consumer market are secure. Gemalto looks beyond the SE-equipped meters themselves to assess the security vulnerabilities and risks in the process that flows from the smart meters to the gateways to the smart grid and the utilities' backend servers. The outcome of this assessment is usually a lengthy report which provides details of all the existing and potential security issues.
The second step of Gemalto's security support is to provide tools to address the needs uncovered in the assessment. The vendor has a suite of security countermeasures that do several things:
- Identify each IoT device and authenticate its entitlement to access the system
- Guarantee the integrity of the data to ensure that what is sent from the device is what is meant to be sent
- Safeguard the confidentiality of the data through encryption
- Provide non-repudiation, which involves digital signatures and incontrovertible proof of the validity and origin of all data transmitted
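As an added illustration (not Gemalto's code or part of the original column), here is a Go sketch of how a signing key held by the device and a shared encryption key deliver the four properties in that list for a smart-meter reading sent to a gateway; the Ed25519 key pair, the pre-shared AES key and the meter ID are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// Reading is one meter message: AES-GCM ciphertext (confidentiality) plus an Ed25519
// signature over ID||nonce||ciphertext (integrity, authentication, non-repudiation).
type Reading struct{ DeviceID, Nonce, CT, Sig []byte }
// Device stands in for a meter whose private key never leaves its (simulated) secure
// element; Gateway trusts only the public keys enrolled per device ID. The pre-shared
// AES-128 key is an assumed provisioning step, used here for illustration only.
type Device struct{ ID []byte; priv ed25519.PrivateKey; aead cipher.AEAD }
type Gateway struct{ enrolled map[string]ed25519.PublicKey; aead cipher.AEAD }
// Enroll generates the device key pair and registers only its public half.
func Enroll(id string, key []byte) (*Device, *Gateway) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	block, _ := aes.NewCipher(key)  // 16-byte key selects AES-128; cannot fail here
	aead, _ := cipher.NewGCM(block) // NewGCM cannot fail for an AES block cipher
	return &Device{[]byte(id), priv, aead}, &Gateway{map[string]ed25519.PublicKey{id: pub}, aead}
}
// signed is the byte string the signature covers (the nonce has a fixed length).
func signed(r Reading) []byte {
	return append(append(append([]byte{}, r.DeviceID...), r.Nonce...), r.CT...)
}
// Send encrypts the reading (ID as associated data), then signs the result.
func (d *Device) Send(plain []byte) Reading {
	r := Reading{DeviceID: d.ID, Nonce: make([]byte, d.aead.NonceSize())}
	rand.Read(r.Nonce)
	r.CT = d.aead.Seal(nil, r.Nonce, plain, d.ID)
	r.Sig = ed25519.Sign(d.priv, signed(r))
	return r
}
// Receive rejects unknown devices and forged or altered messages before decrypting.
func (g *Gateway) Receive(r Reading) ([]byte, error) {
	pub, ok := g.enrolled[string(r.DeviceID)]
	if !ok || !ed25519.Verify(pub, signed(r), r.Sig) {
		return nil, fmt.Errorf("rejected %q (enrolled=%v)", r.DeviceID, ok)
	}
	return g.aead.Open(nil, r.Nonce, r.CT, r.DeviceID) // also fails if nonce or ID is altered
}

func main() {
	dev, gw := Enroll("meter-42", []byte("0123456789abcdef")) // constructed demo key
	fmt.Println(gw.Receive(dev.Send([]byte("kWh=1234.5"))))
}
```

The gateway's error carries whether the device ID was enrolled at all, which is the distinction a monitoring team wants when deciding between a misconfigured meter and a forged message.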
Gemalto offers a suite of both embedded software and a tamper-resistant secure element to address the security vulnerabilities that have been highlighted in the risk evaluation process. In some cases, embedded software is sufficient, but in others, such as metering or the medical field, having a tamper-resistant SE is necessary.
The third step of Gemalto's service is to update the security countermeasures over the lifetime of the system. In something like an automobile, a utility metering system, or an industrial control system, the IoT solution is obviously meant to last for a decade or more. After that time, the original security countermeasures are likely to be obsolete, so an important part of the system design is to include security management for the lifecycle of the system. Gemalto ensures the security credential is renewed annually and provides the means to update the authentication scheme and the security application itself as needed.
Getting back to our car takeover scenario, it's obvious that the programmable components of the vehicle that are accessible via the Internet need a much more secure infrastructure. A solution like Gemalto's Cinterion Secure Element could help ensure that critical applications can't be tampered with and taken over by malicious hackers. When you're cruising down the highway at 70 mph, this level of security can truly be the difference between comfort and chaos.