Smart SD cards simplify security for IIoT

Article By : Hubertus Grobbel

Flash-memory expert Swissbit offers a simple but smart security solution for connected factories: SD cards for system identification.

IIoT and smart factories rely on sensors, actuators and systems that are networked and communicate with each other, but how can that communication and data be safeguarded against espionage and sabotage? Flash-memory specialist Swissbit offers an answer – smart and highly flexible SD cards featuring integrated security for system identification.

Intelligent production that automatically adapts to products or circumstances, providing convenient remote control and remote maintenance are poised to bring manufacturing to a new level in terms of quality, efficiency and flexibility. However, networking industrial installations and the consequent autonomous communication between "things" also bring with it new risks. For instance, what happens if hackers or manipulated systems seize control of robots or industrial installations? In other words, how does a "thing" know that the data or data selections it receives from another "thing" are legitimate and that these system components are "who" they say they are?

3-step security: Identification, authentication, authorisation

IIoT issues can be addressed through the use of modern security solutions in classic IT, along with communication between human users. These solutions require identification, authentication and authorisation here on the example of a user.

• Identification involves users to log-in to reveal identity – in doing so confirms that they are a specific user.
• The next step is authentication, i.e. verifying that users are who they say they are. In order for this to occur, users need to identify themselves by means of a password/PIN and/or additional hardware-specific identification credentials, which can be a token, smart card or the like.For applications where security is mission critical, two-factor identification is needed comprising of elements such as a password/PIN in addition to a non-copyable means of validation such as face recognition or other biometrics tools.
• Once users hasve been successfully identified, access is granted and usage rights provided with approved permissions (authorisation).

The user could also be thought of as a (sub-) system in machine based processes.

Real-life problems

Pure software-based solutions for installations requiring security (including production lines and industrial installations) do not provide adequate protection and can be easily copied and manipulated. Systems that communicate with each other via the Internet or through IIoT gateways must, on one hand, provide an identity that cannot be cloned, and on the other, have the ability to send and receive highly secure encrypted data. Such protection always requires a solution that is integrated into hardware, known as a security anchor.

Selecting the right security anchor for a given application can be done in any of a number of ways:

• by installing SIM cards (as is done with mobile phones);
• by soldering identifiable hardware components (Trusted Platform Module (TPM)) onto the relevant components; or
• through the use of processors that can be unambiguously identified via integrated elements (Trusted Execution Environment (TEE)).

Although all of these solutions provide levels of protection and have a number of pros and cons, under real conditions they are subject to certain limitations which need to be considered. One thing they all have in common is that they limit the flexibility of the solution provider, binding equipment manufacturers to certain producers, components and or processors, and distribution channels in the technological development processes.

Flash memory using a TPM

Switzerland-based Swissbit, suggests a solution: industrial flash memory cards with embedded security that functions as a Trusted Platform Module (TPM). This solution is advantageous for IIoT component and solution developers and can meet safety requirements as well as performing other functions.

 

*Figure 1: Industrial flash memory cards are part of Swissbit's simple but secure soluton.
 

Industrial applications

The advantages kick in during the integration phase, which becomes very simple for developers for a number of reasons:

• the memory interfaces are standardised;
• middleware for cryptographic operations is available;
• flash memories with TPM-functionality are available in various form factors including SD cards, micro SD cards and USB sticks.

This solution is based on flash memory modules, which for many years have been highly rated for use under industrial conditions – such as a much larger temperature range than consumer/commodity cards and a far superior product life-span and availability.

Combinging memory and security

Swissbit’s idea of combining a unique identifier with a standard data storage device is elegant by virtue of the fact that most IIoT components and systems already need memory for their data and operating systems.

Secure memory cards, which are already widely used in big deployments for wiretapping-proof governmental mobile phones and police body cams, are mainly composed of a flash memory chip, a smart card and a controller. Their special firmware with integrated AES encryptor supports other application scenarios.

The fact that Swissbit uses crypto chips as security anchor means not only that communication is secure but also that data can be securely encrypted. This in turn allows for Trusted Boot implementation and license monetarisation. What’s more flash memory with an integrated encryptor can be used to encrypt a system’s data storage devices such as classic hard drives.

 
Next: Retrofit legacy systems »