Secure Development of Connected Applications: Complete IP Protection “Out of the Box”

Post on 26-May-2020


Page 1: Secure Development of Connected Applications · We are living in the age of Cloud Computing and The Internet of Things A lot more of these devices are ‘connected’ rather than

Secure Development of Connected Applications: Complete IP Protection “Out of the Box”

Page 2

Your Speakers For Today

Nigel Forrester, Marketing Manager
Emerson Network Power Embedded Computing
www.emerson.com/[email protected]

Alexander Damisch, Director of Industrial Solutions
Wind River
www.windriver.com

Oliver Winzenried, CEO and co-founder
Wibu-Systems
www.wibu.com

Page 3

Agenda

• Introduction
• Agenda (Cooperation, Speakers, …): Wind River
• Presentation
  • Business case for using an off the shelf security solution: Wind River
  • Use cases that demonstrate the necessity of connected security: Emerson
  • Details on the solution including hardware root of trust, embedded software IP protection, embedded software license and flexible license management: Wibu-Systems
• Discussion: All
• Closing Comments: Wind River

Page 4

The Security Business Case
Example: Critical Infrastructure
Alexander Damisch, Wind River

Page 5

Security in Connected Intelligent Devices

Asset Monetization and Protection

Control, Packaging, Management, Tracking

o Asset Protection
o IP Protection
o Compliance

o Product Flexibility
o Business Model
o Agility

o Life-Cycle Intelligence
o Support
o Threat Detection

o Automation
o Risk Reduction
o Availability

Page 6

INDUSTRIAL CONTROL SYSTEMS CYBER EMERGENCY RESPONSE TEAM
HTTP://WWW.US-CERT.GOV/

Incidents by Sector – Fiscal Year 2012

Page 7

Outdated and non-interoperable infrastructure is at high risk (~80%).

Page 8

Essential for a functioning society and economy

Page 9

Security? Connect? Safety? What Now?

Disconnecting is not a viable option.

Security is a massive threat to connectivity.

It’s 5 past 12—violations are being fined.

POSSIBLE FINE¹ = $1MIO * NUMBER OF INCIDENTS * DAY * UTILITY

¹ NERC CIP: Go to http://www.nerc.com/filez/enforcement/index.html for “Searchable Notice of Penalty Spreadsheet”

Page 10

Strategic Partnership

Three strong players

Pre-integrated:

Minutes from being productive

Strategic partnership

Page 11

Connected Security
Use Case Overview
Nigel Forrester, Emerson Network Power

Page 12

Emerson At-A-Glance
US $24.4 Billion in 2012 Sales

Diversified global manufacturer and technology provider

[Pie chart: 2012 Sales by Segment. Segments: Process Management, Network Power, Commercial & Residential Solutions, Industrial Automation, Climate Technologies. Shares shown: 31%, 25%, 21%, 15%, 8%.]

Embedded Computing is part of the Emerson Network Power Segment

Page 13

What’s changed?

We are living in the age of Cloud Computing and The Internet of Things

A lot more of these devices are ‘connected’ rather than islands

Connectivity has driven security to the top of the priority list

Page 14

Military Use Case

Connected battlefield where intelligence is available to the right people and with a centralised command structure

All devices must have a secure boot mechanism and IP protection

Military directive to make more use of COTS

Page 15

Industrial Use Case

Just in time manufacturing links supply and factory systems

Management and financial data is available in any location

Improved connectivity in Industrial Automation is driving more safety and security requirements

Page 16

Other Use Cases

Healthcare

Transportation

Energy

Page 17

Integrated Development Environment

NITX-315-DEVKIT
– Long life embedded motherboard
– Intel® Atom processor
– 1GB RAM
– Power Supply
– Documentation
– Flash devices with Wind River and Wibu evaluation software

Begin your application development in minutes, not weeks

Page 18

Emerson Network Power, Embedded Computing

Modules: AMCs, PMCs, COM Express
Blades and Boards: ATCA, VME, CompactPCI, Motherboards
Integrated Systems: Fully Integrated and Validated System Platforms
Markets and Applications

Easily migrate to an embedded hardware platform appropriate to your application

Page 19

CodeMeter with VxWorks
Copy Protection, IP Protection, Business Enabler and Integrity Protection
Oliver Winzenried, CEO of WIBU-SYSTEMS

Page 20

Piracy Problem

German Engineering Federation (VDMA) 2012:
– 7,9 Billion € losses in 2012, about 4% of revenues
– 9 of 10 companies affected by piracy (>1000 staff)
– 48% affected by piracy of complete machines
– Source countries of counterfeits:
   China decreasing from 79% in 2010 to 72% in 2012
   Germany increasing from 19% in 2010 to 26% in 2012
– 28% of companies want to use technical solutions

JMF-Study: Losses in Japan 1,8 times higher
BSA-Study: Losses 63 Billion US$, globally 42%

Page 21

Top 10 Security Threats in ICS

– Unauthorized remote service access
– Online attacks using office IT networks
– Attacks on commercial off-the-shelf systems (COTS) in ICS, like OS or networks
– Distributed Denial of Service Attacks (DDOS)
– Human mistakes and Sabotage
– Intrusion of malware using USB sticks or other hardware
– Reading and Writing of messages in ICS
– Unauthorized access to resources
– Attacks on Networks
– Failures and external events

Source: https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_downloads/empfehlungen/fabrik/BSI-CS_010E.pdf

Page 22

EDK - Embedded Development Kit

– IP protection & copy protection
– Secure boot & integrity protection
– New business models through flexible licensing

Page 23

EDK - Embedded Development Kit

Page 24

EDK - Embedded Development Kit

Page 25

Code Encryption & Code Signing

Licensing:
– Piracy Prevention
– IP Protection
– Pay-Per-Use
– Feature-on-Demand

Code Signing:
– Integrity Protection
– Tamper Protection
– Security

Page 26

Protection Process and Use

[Diagram. Labels recovered from the slide: Software Vendor; End User; AxProtector, IxProtector; encrypt and protect; provides security parameters; CodeMeter License Security; creates license; License Central; License container; decrypt and run]

Page 27

Embedded System Boot Process

Page 28

Certificate Chain for Signature Verification

Advantages:
– Root Certificate only initially used
– Chain of certificates allows different signers
– Revocation possible

[Diagram. Labels recovered from the slide:
– Level 1 Certificate: Signature, Public Key
– Level 2 Certificate: Signature, Public Key
– Root Certificate: Signature, Public Key; self-signing
– Integrity Certificate: Signature, Hash 2
– VxWorks Binary: VIP, DKM, RTP
– Root Certificate
– Created by AxProtector Config
– VxWorks Loader: Computes Hash 1; Compares Hash 1 with Hash 2]

Page 29

Certificate Chain sample

[Diagram. Labels recovered from the slide:
– Root Certificate
– Code Signer Root; Config Signer Root
– Boot Signer
– Code Signer 1; Code Signer 2
– Config Signer 1; Config Signer 2; Config Signer 3
– Boot certificate, Serial 1000-9999
– VxWorks, Serial 3000-9999
– VxWorks, Serial 1000-2999
– Config certificate, Serial 1000-2000
– Config certificate, Serial 2567
– CRL; CRL; CRL]

Page 30

EDK – Embedded Development Kit

Ready to use for easy Evaluation:
– CmStick/M as LiveUSB with 8GB Flash and preinstalled Fedora Linux with Wind River Workbench and CodeMeter Tools
– CmCard/uSD: preinstalled VxWorks image for NITX-315
– CmStick/C: enables additional features of target software

Shows the following security and business functions:
– IP protection & copy protection with code encryption
– Secure boot & integrity protection with code signing
– New business models through flexible licensing

Page 31

Scalable solution: CodeMeter

CF-Card: CmCard/CF
SD-Card: CmCard/SD
USB: CmStick/C Basic
µSD-Card: CmCard/µSD
USB: CmStick
Internal: CmCard/I
Express-Card: CmCard/E
Activation: CmActLicense
PC-Card: CmCard
Chip: CmASIC

Link to the data sheets: http://www.wibu.com/en/hardwarebasierter-kopierschutz.html

CmActLicense: Software based activation to target fingerprint or Secure Element

CmDongle: highest security smart card based hardware

Page 32

Meet us at the following events

Embedded World
February 26-28, 2013
Nuremberg, Germany
Hall 5-340

CeBIT 2013
March 5-9, 2013
Hannover, Germany
Hall 12D82

Hannover Messe
April 8-12, 2013
Hannover, Germany
Hall 8D05

Page 33

How to Order a Development Kit

Call Emerson Network Power
North America: (800) 759 1107
EMEA: 49 089 9608 2430

Model number: NITX-315-DEVKIT

Page 34

For more in-depth information

Nigel Forrester, Marketing Manager
Emerson Network Power Embedded Computing
www.emerson.com/[email protected]

Alexander Damisch, Director of Industrial Solutions
Wind River
www.windriver.com

Oliver Winzenried, CEO and co-founder
Wibu-Systems
www.wibu.com

Page 35

Discussion

Page 36

Thank You

Page 37

CodeMeter Benefits

Same Licensing Solution for PC and Embedded Systems
Same Solution for Partners and Customers
Scalable security: CmActLicense and CmDongle
CmDongle with highest security
– SmartCard technology (tamperproof, AES, ECC, RSA)
– Optional Flash, industrial environment and interfaces
Individual Licensing of AxProtector Technology
Solution for Backend Integration and easy deployment
– Connection to ERP / CRM, i.e. SAP or Salesforce
Solution for upgrading existing systems
Consulting and support