While there is no one-size-fits-all security solution for embedded devices, solutions are available that provide a framework for OEMs. A security framework provides OEMs with the core capabilities required to protect their devices and the flexibility needed to customize the solution to the specific requirements of their device, while ensuring that critical security capabilities are included.
Device security requirements
Before selecting an IoT security framework, it is important to step back and look at the requirements at both the device and system levels. Security requirements for IoT devices must take into consideration the cost of a security failure (economic, environmental, social, etc.), the likelihood of attack, possible attack vectors, and the cost of implementing a security solution.
The security capabilities to consider are:
Secure firmware updates
Data at-rest protection
Embedded firewall and intrusion detection
Key and certificate management
Integration with security management systems
Security policy management
Security event reporting
A security framework, such as the Floodgate Security Framework, provides an integrated suite of security building blocks (Fig. 2).
When most engineers think of security, they typically think of secure communication protocols such as SSL/TLS, SSH, and IPsec. In recent years, support for secure communication has been added to many embedded devices. While these protocols provide a first level of defence against protocol-based cyber attacks, they leave other attack vectors unprotected.
Security protocols are designed to protect against packet sniffing, man-in-the-middle attacks, replay attacks, and unauthorized attempts to communicate with the device, providing a good starting point for building secure devices.
Small IoT edge devices are adopting wireless protocols such as ZigBee, Bluetooth Low Energy (BLE), and other wireless and mesh networking