Security in the Industrial IoT (IIoT) has, of late, come to be regarded as an over-rated aspect. Almost every service provider implements security at varying levels. However, experts believe security in the IIoT, and more generally in the Internet of Everything (IoE), should come right from the chip level, rather than via over-the-top solutions.
Rahul R of Electronics For You connected with Ashok Ravula, Solutions Director, Core Platform at Infiswift, and Pawan Dubey, Senior Associate Consultant of Security Solutions at Infosys, during the recent India Electronics Week (IEW 2017) to get their insights on effectively implementing security solutions at the industrial level.
Q. How to take care of security in an IIoT setup right from the chip level? Please speak from an SME point of view.
Ashok: Security is a key aspect in any IIoT setup. It is important that security be engineered from the hardware level itself. To do this, you can make use of a Trusted Platform Module (TPM) that complies with ISO standards.
This TPM can be used in tandem with a Trusted Execution Environment (TEE).
Now, by incorporating the TPM in the hardware, you can write bits to the hardware. After the software development for this hardware, write the appropriate code for the integrated circuit to set values.
What the above system does is prevent cybercriminals from tampering with systems in their bid to access data. Even if hackers try to access this data, they would not be able to make any sense out of it. Additionally, your data is masked by the TPM so that it does not fall into the wrong hands.
The above, in tandem with regular over-the-air updates, should lead to the formulation of a long-term security solution.
Q. Recently there were instances of Russian cyber-criminals hacking into US defense servers and rendering these inoperable. So, being a security researcher, how do you position solutions to mitigate attacks like these?
Pawan: Cyber-attacks like these are today considered another form of terrorism. These attacks take place and affect devices at the hardware level.
Now, as far as solutions are concerned, there is no immediate one at our disposal. However, for long-term safety, we can follow the three-layered approach analysis model that comprises the Hardware layer, Communication layer, and the Cloud layer.
Applications for all these layers need to be designed at the configuration cycle itself. At this point in time, I can think of the above immediate steps.
Q. Out of curiosity, how should an engineer build IoT for a facility associated with the defense sector? Do you have any simple suggestions?
Ashok: The first step is to plan for both hardware and software levels of security using Trusted Platform Module (TPM) and Trusted Execution Environment (TEE) respectively, and implement a fail-proof automation. In case a device goes offline or is stolen, the remaining connected devices in the network should work independently and autonomously.
Also, in case of device failures, a dynamic IoT solution designed using secure protocols (such as HTTP/MQTT) should be set in place. This is vital for to-and-fro external communication as well.
As much as possible, it is advisable to stick to a master-slave topology with an intelligent control station for monitoring and guiding the soldiers/equipment in the field. There should be consideration for drones, robots and autonomous devices controlled from remote stations in modern warfare.
Q. What training can engineers expect with respect to handling issues in an IIoT ecosystem, and in the IoT space overall?
Ashok: The first thing is to educate IoT engineers/developers on the problems plaguing the industry. Even scalability along with latency is an important aspect.
As far as budding engineers are concerned, IIoT is best understood when the overall Cloud infrastructure is grasped. This should help them in developing better scalability.
Focus on AI and Machine Learning is also vital while handling Big Data. Finally, if possible, training modules should include Cloud, Trusted Platform Module (TPM), Trusted Execution Environment (TEE), Zigbee, LoRaWAN, Authorization and Authentication, and implementation.
Q. Any case study that you can think of, and which you have worked on at Infosys?
Pawan: Though not overly world-beating, I have worked on a Smart Home concept wherein the door of a Smart Home scans for people entering the house, and thereby allows only authorised people to gain entry.
This takes place with the owner of the house archiving all his family members, and storing their details in a custom database. A smart camera scans for unauthorised people, and sends this data to the owner over the internet, even if he/she is located remotely.
This model helps in preventing thefts and burglaries. In case of criminals trying to forcibly gain entry, a call is placed to the police station automatically, along with alerting neighbours.