The Internet of Things (IoT) is changing the way we interact with the world around us. Over the next few years, billions more connected devices will enable us to drive efficiency, boost productivity, and enhance comfort and convenience in our personal and professional lives. And we’re not the only ones to see the potential of this market.
IoT devices are the target of increasingly sophisticated cyberattacks and innovators must protect their assets and their customers from these emerging threats. In a time- and cost-sensitive environment, security can be mistakenly added later as an afterthought. But that approach puts individuals, organizations, and vital infrastructure at risk.
Simplifying security
To meet the challenges of operating in this ever-changing and connected world, security can no longer be considered a separate component. It must be embedded in every element and process, starting with the product development phase. Arm’s Platform Security Architecture (PSA) framework simplifies this activity and makes it quicker and easier to build a secure device.
Arm PSA is divided into three stages: analyze, architect and implement. The first stage, analyze, is discussed in detail in this blog.
Identifying the right level of security for your device
To design-in security, Arm PSA recommends developers and manufacturers start by analyzing the operating environment and understanding and documenting the ways each device could be attacked. It is a process known as Threat Models and Security Analyses (TMSA), or an English Language Protection Profile, and it has been used in the mobile industry for some time but is rarely carried out in the IoT space.
The TMSA will highlight critical issues you need to address and challenge you to consider important questions, such as:
What are your most valuable assets?
What are the potential threats to your device?
What type of attack do you need to protect against?
How severe are the threats?
What counter-measures could you implement?
What are your security requirements?
How does your device meet your security requirements?
This process will help you decide how robust your security needs to be and what, exactly, you need to do to protect your IoT product. Rather than slowing down development, it will help you determine the right level of security for your device, which means you will not be over-spending or exposing your device, your organization or your customers to unnecessary risk.
Who will benefit from Threat Models and Security Analyses (TMSA)?
You can apply the methodology to any device, from simple, low-cost or even disposable applications, through to the most advanced edge and gateway devices.
The TMSA documentation is intended to make threat modeling more accessible to all, so you can secure your device even if you do not have access to dedicated security knowledge or expertise.
5 steps to design security into your next IoT device
Now we will take you through the TMSA process step-by-step to help you determine your security requirements. We are using a smart speaker, such as one you may have in your home, as a basic example, but more detailed analysis of common IoT use cases, including an asset tracker, water meter and network camera, can be downloaded from our website.
1. Analyze use case, define the external entities and the assets to protect
Analyze the use case, or target of evaluation
The first step in designing-in security is understanding the ecosystem your device operates within and identifying your use case, known as the target of evaluation (ToE) in the TMSA documentation. The use case is the product or the system that is the subject of the security evaluation.
In the example of the smart speaker, you can start with the device itself and the application that acts as the user interface. There will be cloud services that enable the device, plus a number of third parties who are creating content for you. If the speaker is being used in a home environment, there may be music, shopping, news, voice assistant or home automation applications. In a business or industrial setting, the applications may be targeted to provide information or services relevant to your sector.
Once you have an understanding of the use case, you can then develop a list of the main components of your device that need to be protected.
Assets
Attackers will be targeting the assets in your device in the same way as a thief who breaks into your home may be searching for jewelry or cash. So, you need to identify the assets or data that will be of most interest to them.
If we return to the smart speaker example, the assets we may need to protect include:
Firmware
Certificates and device-unique keys
Log-in credentials (user or admin)
System configurations (to ensure your IP cannot be compromised or control taken away)
Event logs
Voice recordings
Network communication
Device resources (for example: microphone array and speakers, computing power and battery, network bandwidth, debug interface, storage)
Your list of assets may not be exhaustive, but it will include the assets or data of most value to you and your customers.
External entities
To develop your understanding of the threats to your device you also need to identify users and external entities that would interact with the product. This may include legitimate users, for example, the owner of the device or the virtual system administrator, but it should also extend to potential attackers or adversaries looking to gain access or control of the device.
Step 1 checklist
Analyze the use case, or the target of evaluation (ToE)
Identify your most valuable assets
Identify users and external entities
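The Step 1 checklist can be kept as a small machine-readable worksheet and checked for gaps before moving on to Step 2. The following is an added example, not part of Arm's TMSA documentation: the names `Step1Worksheet`, `step1_gaps` and `smart_speaker_worksheet` are hypothetical, and the placement of each smart speaker asset in a ToE component is an assumption made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Step1Worksheet:
    toe_components: set   # parts of the target of evaluation (ToE)
    assets: dict          # asset name -> set of components that hold or carry it
    entities: dict        # external entity -> "legitimate" or "adversary"

def step1_gaps(ws):
    """Return Step 1 gaps as strings; an empty list means the checklist is met."""
    gaps = []
    placed = set()
    for asset, holders in sorted(ws.assets.items()):
        placed |= holders
        if not holders:
            gaps.append(f"asset '{asset}' is not placed in any ToE component")
        for comp in sorted(holders - ws.toe_components):
            gaps.append(f"asset '{asset}' names unknown component '{comp}'")
    for comp in sorted(ws.toe_components - placed):
        gaps.append(f"component '{comp}' holds no listed asset")
    if "adversary" not in ws.entities.values():
        gaps.append("no adversary listed among external entities")
    return gaps

def smart_speaker_worksheet():
    """Constructed first draft: asset-to-component placement is assumed."""
    dev, app, cloud = "speaker device", "companion app", "cloud services"
    return Step1Worksheet(
        toe_components={dev, app, cloud, "third-party content"},
        assets={
            "Firmware": {dev},
            "Certificates and device-unique keys": {dev},
            "Log-in credentials": {app, cloud},
            "System configurations": {dev, cloud},
            "Event logs": set(),            # not yet placed: reported as a gap
            "Voice recordings": {dev, cloud},
            "Network communication": {dev, app, cloud},
            "Device resources": {dev},
        },
        entities={"device owner": "legitimate",
                  "system administrator": "legitimate"},
    )

if __name__ == "__main__":
    for gap in step1_gaps(smart_speaker_worksheet()):
        print("GAP:", gap)
```

The constructed draft reports three gaps: an asset with no home in the ToE, a ToE component with no asset assigned to it, and an entity list that names only legitimate users.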
2. Identify potential adversaries, the attack surface and threats
Potential adversaries
It helps to know who may be working against you. A generic adversary model groups attackers in five categories and can be used to identify potential adversaries:
Remote software attacker: Most attacks fall into this category.
Network attacker: For example, a man-in-the-middle attack, where communication between two parties is intercepted by an attacker.
Malicious insider attacker: This is often overlooked but has potentially serious consequences. It could be a disgruntled employee inside your organization, or part of an OEM, an ODM supply chain or a silicon vendor.
Simple hardware attacker: This assumes the attacker has physical access to your device and can connect a USB dongle, debug port, voltage/current measurement, port scanner, etc.
Advanced hardware attacker: Advanced hardware attackers have unlimited resources and require physical access to the device. They will often deploy very sophisticated attacks, using specialized equipment, including ion-beam lithography or microscopy probing.
The attack surface
By this stage in the process, you know what you need to protect and who has the potential to attack. Now, it is time to consider your vulnerabilities, which Arm split into four main categories: communication, lifecycle, software and physical (also known as hardware). These categories act as entry points to your device and offer a way-in for attackers. Potent