secure development of connected applications · we are living in the age of cloud computing and the...
TRANSCRIPT
Secure Development of Connected ApplicationsComplete IP Protection “Out of the Box”
Nigel ForresterMarketing Manager
Emerson Network PowerEmbedded Computing
www.emerson.com/[email protected]
Alexander DamischDirector of Industrial Solutions
Wind River
www.windriver.com [email protected]
Your Speakers For Today
Oliver WinzenriedCEO and co-founder
Wibu-Systems
www.wibu.com [email protected]
Agenda• Introduction
• Agenda (Cooperation, Speakers, …)Wind River
• Presentation • Business case for using an off the shelf security
solution• Use cases that demonstrate the necessity of
connected security• Details on the solution including hardware root of
trust, embedded software IP protection, embedded software license and flexible license management
Wind River
Emerson
Wibu-Systems
• Discussion All
• Closing Comments Wind River
The Security Business CaseExample: Critical InfrastructureAlexander Damisch, Wind River
Security in Connected Intelligent Devices
Asset Monetization
and Protection
Control
Packaging
Management
Tracking
o Asset Protectiono IP Protectiono Compliance
o Product Flexibilityo Business Modelo Agility
o Life-Cycle Intelligenceo Supporto Threat Detection
o Automationo Risk Reductiono Availability
INDUSTRIAL CONTROL SYSTEMSCYBER EMERGENCY RESPONSE TEAM HTTP://WWW.US-CERT.GOV/
Incidents by Sector – Fiscal Year 2012
Outdated and non-interoperable infrastructure is at high risk (~80%).
Essential for a functioning society and economy
Security? Connect? Safety? What Now?
Disconnecting is not a viable
option.
Disconnecting is not a viable
option.
Security is amassive threatto connectivity.
Security is amassive threatto connectivity.
It’s 5 past 12—violations
are being fined.
It’s 5 past 12—violations
are being fined.
POSSIBLE FINE1 = $1MIO * NUMBER OF INCIDENTS * DAY * UTILITY1NERC CIP Go to http://www.nerc.com/filez/enforcement/index.html for “Searchable Notice of Penalty Spreadsheet”
Strategic Partnership
Three strong players
Pre-integrated:
Minutes from being productive
Strategic partnership
Connected SecurityUse Case OverviewNigel Forrester, Emerson Network Power
Emerson At-A-GlanceUS $24.4 Billion in 2012 Sales
Diversified global manufacturer and technology provider
2012 Sales by Segment
31%
25%
21%
15%8%
Process Management
NetworkPower
Commercial & Residential Solutions
Industrial Automation
Climate Technologies
Embedded Computing is part of the Emerson Network Power Segment
What’s changed?
We are living in the age of Cloud Computing and The Internet of Things
A lot more of these devices are ‘connected’ rather than islands
Connectivity has driven security to the top of the priority list
Military Use Case
Connected battlefield where intelligence is available to the right people and with a centralised command structure
All devices must have a secure boot mechanism and IP protection
Military directive to make more use of COTS
Industrial Use Case
Just in time manufacturing links supply and factory systems Management and financial data is available in any location
Improved connectivity in Industrial Automation is driving more safety and security requirements
Other Use Cases
Healthcare
Transportation
Energy
Integrated Development Environment
NITX-315-DEVKIT– Long life embedded motherboard– Intel ® Atom processor– 1GB RAM– Power Supply– Documentation– Flash devices with Wind River and WiBu evaluation software
Begin your application
development in minutes, not
weeks
Emerson Network Power, Embedded Computing
ModulesAMCs, PMCs, COM Express
Blades and BoardsATCA, VME, CompactPCI,
Motherboards
Integrated SystemsFully Integrated and Validated
System Platforms
Markets and ApplicationsMarkets and Applications
Easily migrate to an embedded
hardware platform appropriate to your
application
CodeMeter with VxWorksCopy Protection, IP Protection, Business Enabler and Integrity ProtectionOliver Winzenried, CEO of WIBU-SYSTEMS
Piracy Problem
German Engineering Federation (VDMA) 2012:– 7,9 Billion € losses in 2012, about 4% of revenues– 9 of 10 companies affected by piracy (>1000 staff)– 48% affected by piracy of complete machines– Source countries of plagiats:
China decreasing from 79% in 2010 to 72% in 2012 Germany increasing from 19% in 2010 to 26% in 2012
– 28% of companies want to use technical solutions
JMF-Study: Losses in Japan 1,8 times higher BSA-Study: Losses 63 Billion US$, globally 42%
Top 10 Security Threats in ICS
Unauthorized remote service access Online attacks using office IT networks Attacks to commercial off-the-shelf systems,
COTS in ICS, like OS or networks Distributed Denial of Service Attacks
(DDOS) Human mistakes and Sabotage Intrusion of malware using USB sticks or
other hardware Reading and Writing of messages in ICS Unauthorized access to resources Attacks to Networks Failures and external events
Source: https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_downloads/empfehlungen/fabrik/BSI-CS_010E.pdf
EDK - Embedded Development Kit
IP protection & copy protection Secure boot & integrity protection New business models through flexible licensing
EDK - Embedded Development Kit
EDK - Embedded Development Kit
Code Encryption & Code Signing
Licensing:Piracy PreventionIP ProtectionPay-Per-UseFeature-on-Demand
Code SigningIntegrity ProtectionTamper ProtectionSecurity
Protection Process and Use
provides security parameters
AxProtectorIxProtector
encrypt andprotect
End User
Software Vendor
CodeMeterLicenseSecurity creates
license
decryptand run
Licensecontainer
License Central
Embedded System Boot Process
Certificate Chain for Signature Verification
Advantages:Root Certificate only
initially used
Chain of certificates allow different signers
Revocation possible
Level 1Certificate
Signature
Public Key
Level 2Certificate
Signature
Public Key
RootCertificate
Signature
Public Key
IntegrityCertificate
SignatureHash 2
VxWorksBinary
Root Certificate
VIPDKMRTP
ComputesHash 1
ComparesHash 1 with Hash 2
Created byAxProtector Config
self-signing
VxWorks Loader
Certificate Chain sample
Root Certificate
Code Signer Root Config Signer Root
Boot Signer
Code Signer 1
Code Signer 2
Config Signer 1
Config Signer 2
Config Signer 3
Boot certificateSerial 1000-9999
VxWorksSerial 3000-9999
VxWorksSerial 1000-2999
Config certificateSerial 1000-2000
Config certificateSerial 2567
CRLCRL
CRL
EDK – Embedded Development Kit
Ready to use for easy Evaluation: CmStick/M as LiveUSB with 8GB Flash and preinstalled
Fedora Linux with Wind River Workbench and CodeMeter Tools
CmCard/uSD: preinstalled VxWorks image for NITX-315 CmStick/C: enables additional features of target software
Shows the following security and business functions:
IP protection & copy protection with code encryptionSecure boot & integrity protection with code signingNew business models through flexible licensing
Scalable solution: CodeMeter
CF-CardCmCard/CF
SD-CardCmCard/SD
USBCmStick/C Basic
µSD-CardCmCard/µSD
USBCmStick
Link to the data sheets:http://www.wibu.com/en/hardwarebasierter-kopierschutz.html
InternCmCard/I
Express-CardCmCard/E
ActivationCmActLicense
PC-CardCmCard
ChipCmASIC
CmActLicense: Software based activation to target fingerprint or Secure Element
CmDongle: highest security smart card based hardware
Meet us at the following eventsEmbedded WorldFebruary 26-28, 2013Nuremberg, GermanyHall 5-340
CeBIT 2013March 5-9, 2013Hannover, GermanyHall 12D82
Hannover MesseApril 8-12, 2013Hannover, GermanyHall 8D05
How to Order a Development Kit
Call Emerson Network Power North America (800) 759 1107 EMEA 49 089 9608 2430
Model number: NITX-315-DEVKIT
Nigel ForresterMarketing Manager
Emerson Network PowerEmbedded Computing
www.emerson.com/[email protected]
Alexander DamischDirector of Industrial Solutions
Wind River
www.windriver.com [email protected]
For more in-depth information
Oliver WinzenriedCEO and co-founder
Wibu-Systems
www.wibu.com [email protected]
Discussion
Thank You
CodeMeter Benefits
Same Licensing Solution for PC and Embedded Systems Same Solution for Partners and Customers Scalable security: CmActLicense and CmDongle CmDongle with highest security
– SmartCard technology (tamperproof, AES, ECC, RSA)– Optional Flash, industrial environment and interfaces
Individual Licensing of AxProtector Technology Solution for Backend Integration and easy deployment
– Connection to ERP / CRM, i.e. SAP or Salesforce
Solution for upgrading existing systems Consulting and support