Secure Hardware and Software

Data and product security are on all engineers’ minds these days. More and more systems are connected to each other and to the web. Whether you are designing consumer products, medical systems, industrial control, or, of course, military communications systems, you care a lot about security.

I first talked to Alan Grau, president and co-founder of Icon Labs, about device security. Alan emphasized that historically most embedded devices have relied on security at the perimeter for defense against cyber threats – an approach that relies on two outdated assumptions. The first assumption is that the embedded device is always deployed within the enterprise security perimeter. The second assumption is that if the device is within the enterprise security perimeter, it is then safe from attack. Alan stated that industrial control, consumer, and DoD devices within an industrial or enterprise network must include security as a core capability, including intrusion detection and prevention software to protect the device-specific attack vectors. Each device is unique, so customizable software that can be tailored to the specific requirements of each device is critical. It is important to provide integration with enterprise security management systems so that attacks can be reported and action taken to mitigate them when they occur.

Infineon Technologies has the SLJ 52ACA, a member of its OPTIGA trust authentication product family. As a fully programmable chip, it provides a flexible solution for a full range of security functions, such as authentication, secure updates, key generation and storage, protected storage, memory integrity, secure boot, and access control management.

As a hardware security 16-bit microcontroller, it provides advanced and efficient protection against side-channel, fault-induction, and physical attacks. It also provides physical separation and options for access controls and memory integrity checks to protect against software attacks. A wide range of cryptographic functions can be used through applications running on the device’s JavaCard operating system. Reference applets and host code enable quick and easy implementation of most common security functions, while the included development tools allow the flexibility for full customization into proprietary security systems.

Colin Geis, product marketing manager for Red Lion Controls, told me that, similar to traditional land-line networks, many cellular devices use VPNs to securely extend a link network to remote locations. Red Lion, for example, allows the use of IPSEC and OpenVPN, each of which offers unique VPN features for different applications. IPSEC uses robust encryption and shared parameters to secure data traffic from the head end to the remote cellular asset. OpenVPN uses shared certificates to ensure data security while providing secure data transmissions between cellular routers.

The next layer of security is a firewall that uses Stateful Packet Inspection (SPI), which scans individual packets of data and approves or denies each packet based on known services that are currently running. For instance, a remote site may only be allowed to transmit Modbus data packets to limit the usage of data required. Any non-Modbus data would be rejected by the firewall in the cellular router. Red Lion has the Sixnet series IndustrialPro cellular routers and RAM cellular RTUs that provide fast, secure, and economical wireless connectivity.

Next I talked to Ben Smith, manager of security software at Maxim Integrated. Ben said, “Traditionally, security is something that happens between systems: We encrypt messages from one party to another, or we authenticate one system attempting to access another. But with the amount of valuable, sensitive data being passed, almost casually, between disparate systems all over the world, it is no longer sufficient to protect the information on the way out. Security is something that must be considered from the time the data is created to the point at which it is consumed, even at the chip level. And that’s what Maxim is doing: making security an integral part of each device that touches the flow of critical data.”

Zilog has ZGATE Embedded Security, which combines multiple technologies for safer, faster, and better deployment of embedded communication applications. Their eZ80F91 MCU has a 10/100-BaseT EMAC, a full-featured TCP/IP stack, an embedded firewall, and tools to design, build, and bring a communication product to market. The firewall provides static filtering, stateful packet inspection, port, protocol, and address limits, and threshold-based filtering.

The high-performance 50-MHz 8-bit MCU also features a power-efficient optimized pipeline architecture, 256 Kbytes of flash plus a 512-byte device configuration flash, and 16 Kbytes of SRAM, and comes in a 144-pin LQFP or BGA package.
