Trusted Computing Group releases software, firmware guidelines for IoT systems

To safeguard embedded systems, manufacturers need to deliver regular updates and users must immediately install them for effective security mechanisms.

TCG is coming to their assistance by introducing a set of best practices manufacturers can follow to ensure security throughout product lifetime, not just at the time of purchase, and prevent infections. The updated guidelines also attempt to get manufacturers to do more, arguing that a hardware-based approach to device and software update verification that is integrated with trusted software mechanisms will make it much more difficult for bad actors to hijack systems.

“The state-of-the-art in information security is advancing rapidly and this is even more true for embedded systems security,” said in a prepared statement Steve Hanna, Chair of TCG’s Embedded Systems Work Group. “We must constantly raise the bar in the way that we build and maintain these systems so that the defenders can stay ahead of the attackers.”

Network-enabled embedded systems (IoT) have been embedded in an increasingly high number of smart applications and platforms, including automobiles, household appliances, industrial systems, and medical equipment. While network connectivity enabled advanced features and faster security upgrades, it also opens the door for new threats and unknown risks in critical infrastructures.

A malicious computer worm named Stuxnet nearly destroyed Iran’s nuclear program in 2010 by tampering with its Programmable Logic Controllers (PLCs) due to unsecured embedded systems. Years later, in 2015, a similar attack crippled Ukraine’s power grid, leaving some 225,000 people without power.

“As we put greater trust in things like autonomous cars, smart homes, and health care sensors, we need to take steps to make sure connected devices are tightly secured to protect them from data breaches and hackers,” added Hanna. “Over the years TCG has developed a range of technologies to address the challenges faced by the industry, resulting in widely deployed, proven solutions. These open standards are the ideal option for delivering the security needs for embedded systems as we move toward a world where everything is connected.”

In particular, the Trusted Platform Module that emanated from TCG’s work in 2009 adds a dedicated microcontroller designed to secure hardware through integrated cryptographic keys that provide secure storage, random number generation, and other privacy features. TCG’s updated guidance says that “The protections provided by a hardware TPM considerably exceed those that can be provided by a software TPM due to the lack of tamper-resistance and generally late start time for the software TPM.”

The guidelines, as well as TCG’s know-how on the topic will be presented at Embedded World in Germany in February, where a number of IoT security topics will be discussed among industry experts. TCG will be organizing a workshop on IoT where attendees can deep dive into TCG technologies such as Enabling TPM2.0 for Industrial and Automotive Applications with an Open Source Software Stack, Protection Technologies, Increasing Resilience of Connected Systems with Secure Flash and MARS — Trusted Computing for Low-end Devices.

Article Topics

embedded systems  |  IIoT  |  Intel  |  IoT  |  Microsoft  |  security