Supply Chain Security IoT: Bridging the gap

As enterprises enter the new world of IoT, they do so at their peril. Traditional methods of securing devices and systems break down when data flows through the global internet and corporate networks, all with different levels of trustworthiness. Personalization is the key to IoT security – and Avnet Silica has found a way to provide it as a service quickly and efficiently.

by Guillaume Crinon

Security has become a real IoT buzzword these days. With the Internet of Things, the focus is on being able to correctly identify a given device, often one embedded in a production or logistics system, and make sure that it performs only the tasks for which it was intended. A recent series of DDoS (distributed denial of service) attacks on large network operators reportedly came from Russian hackers, who managed to build a huge global botnet from digital cameras, refrigerators and other consumer electronics devices, showing that future threats will seem to come out of the blue. A traditional response would be to use cryptography, with proper mutual authentication, signing and encryption, to control these threats. While encrypting data before sending it over the network is well known and widely deployed, key distribution and renewal is the real problem to solve. In our experience at Avnet Silica, the question most customers ask about is the cost of personalizing devices with unique IDs, MAC addresses, keys and certificates, either on the production line or in field deployments. Personalization is actually a very effective way to enable higher levels of security at hardly any added cost. It is also a good way to bridge the gap between embedded devices and the IT infrastructure.

What needs to be solved

Regardless of the application and the security scheme associated with it, there is always a point in the life of a device connecting to another device, or to a distant server, when someone needs to program unique identifiers and secret keys into its memory. This process is called personalization. It can be a hurdle or even a burden, and it always adds to the cost of the manufacturing process, resulting in higher prices for end users. One example from the realm of building automation is the installation of an alarm system. Modern alarms consist of a central unit and several monitoring devices, which may be sold individually or bundled, all communicating locally via a radio frequency (RF) protocol. Someone then needs to ‘pair’, or associate, the peripherals with the central unit and register the central unit with the global surveillance service. This can be done by the manufacturer, by the installer, or by end users with accomplished do-it-yourself IT skills. In any case, someone has to pay for the personalization and pairing process, and the complexity of these processes often creates security weaknesses. Be honest: how often do you change your home WiFi passkey? Never, right? That’s because it’s too much of a hassle. How often do administrators renew the secret AES encryption keys in their networked systems? Not very often, for the very same reason.

Guillaume Crinon – Technical marketing manager for EMEA at Avnet Silica.

In the IoT world, end-to-end security needs to be addressed by every single element in the supply chain, over multiple communications and networked systems and at different levels of the protocol stacks, such as IPsec for IP, WPA for 802.11, and local mechanisms for 802.15.4, Bluetooth, and so on. This, however, does not mean you have created end-to-end application security. Indeed, having a WPA-secured WiFi connection to a local router is definitely not enough to talk privately over HTTP to a distant server, bearing in mind that most local network keys are hardly ever renewed, as explained above. It is fairly common for data generated by a sensor or a machine to be conveyed through many different networks, using various protocols belonging to different service providers, before reaching the target application server. Each link in the chain is responsible only for its own security and is completely unaware of what is happening in the links before and after it. This means the data needs to be decrypted and re-encrypted at every step of the way. It is often said that the security level of an entire system depends on its weakest link. Since a lot of outside vendors and suppliers are involved, such as connectivity providers and gateway manufacturers, the number of possible weak points rises quickly.

So how about adding an extra layer of strong device-to-server security, over the LAN, the WAN and IP? It sounds very interesting, but it also sounds rather complex. We need a simple – and cheap – solution. Avnet Silica has devised a way to provide personalization and provisioning services to every single device in the supply chain quickly, efficiently and, above all, at less cost than ever before.

Before examining Avnet’s solution, let’s ask ourselves what a typical task involves. Let’s say your mission is to deliver a ‘Top Secret’ predictive maintenance message from your device, a robot, securely over the internet to a target server in the robot’s production factory. Connected objects talk to servers through the internet, but the problem is that your message is usually decrypted and re-encrypted several times on its journey. Remember, the transmission always has to be highly secure. The challenge is to secure this supply chain with HTTPS, that is, HTTP over transport layer security (TLS). This calls for a complex security system. First, you need someone trustworthy to do the certificate management, so that the objects can encrypt messages with unique IDs and keys that can only be decrypted by the holder of the matching certificate.

The robot and the target server now each have their own unique, very secret private key. The robot sends its certificate to the server to authenticate itself. The server asks the Key Management System to check the certificate to make sure it really comes from the robot. If the certificate is okay, the server sends its own certificate to the robot, which checks it in turn. Next, the robot and the server each generate a session key from the certificates and their own private keys. Finally, the message is encrypted with this unique session key and sent to the server. As the server has generated the same session key, it can decrypt the message and read it. So far so good! But it is not quite as easy as it looks, because the system is still not really safe. You first have to make sure the key management system and the certificates are tightly secured, and for this you need:

  • a Hardware Security Module (HSM) to generate keys for access only
  • servers and firewalls for communication with the outside world
  • a virtual fortress with thick walls, safety steel doors and armed guards to keep the HSM safe

You’ve guarded your HSM, but the robot still needs to be secured. This means another HSM, a firewall and a personalized secure element, or MCU, containing a certified microcontroller and embedded software. And you still need more: you also have to provision your server with keys, certificates and codes to establish end-to-end security. To build all these elements from scratch and ensure a really secure transaction would probably require a couple of million euros – even for a very small installation.
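The robot-to-server exchange described above (certificate check by the key management system, session key derivation on both sides, one encrypted message) as an added Go example. This is illustration code written for this page, not Avnet Silica’s, Trusted Objects’ or UbiquiOS’s code, and it uses only the Go standard library. Assumptions: the party names `robot-0001` and `factory-server`, a minimal CA-signed certificate (name, public key, signature) in place of X.509, static ECDH over the certified P-256 keys as the session key derivation the text describes, and AES-256-GCM for the message itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must panics on errors that cannot occur in a healthy run (e.g. key generation).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Cert is a minimal certificate (assumed format, standing in for X.509): holder name,
// identity public key and the CA's signature over both.
type Cert struct {
	Name   string
	PubKey []byte // uncompressed P-256 point
	CASig  []byte
}

// digest is what the CA signs: a hash binding the name to the public key.
func (c Cert) digest() []byte {
	h := sha256.Sum256(append([]byte(c.Name+"\x00"), c.PubKey...))
	return h[:]
}

// CA stands in for the HSM-backed Key Management System (the trust root).
type CA struct{ key *ecdsa.PrivateKey }

func NewCA() *CA { return &CA{key: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))} }

// Party is the robot or the server; its identity key never leaves the struct.
type Party struct {
	key  *ecdh.PrivateKey
	Cert Cert
}

// Personalize is the production-line step: a unique identity key is generated
// for the device and the CA certifies it. The private key stays on the device.
func (ca *CA) Personalize(name string) *Party {
	key := must(ecdh.P256().GenerateKey(rand.Reader))
	cert := Cert{Name: name, PubKey: key.PublicKey().Bytes()}
	cert.CASig = must(ecdsa.SignASN1(rand.Reader, ca.key, cert.digest()))
	return &Party{key: key, Cert: cert}
}

// SessionKey is the "check the certificate, then derive the session key" step:
// the peer certificate must carry the CA's signature and name the expected peer;
// only then is static ECDH run and the shared secret hashed into an AES-256 key.
// Both sides obtain the same value. (TLS also mixes in fresh ephemeral keys so a
// later key compromise does not expose recorded traffic; that is left out here.)
func (p *Party) SessionKey(ca *CA, peer Cert, expectedName string) ([]byte, error) {
	if !ecdsa.VerifyASN1(&ca.key.PublicKey, peer.digest(), peer.CASig) {
		return nil, errors.New("certificate not signed by the trusted CA")
	}
	if peer.Name != expectedName {
		return nil, fmt.Errorf("certificate names %q, expected %q", peer.Name, expectedName)
	}
	peerPub := must(ecdh.P256().NewPublicKey(peer.PubKey)) // certified above, so malformed means CA fault
	h := sha256.New()
	h.Write([]byte("iot-session-key-v1"))
	h.Write(must(p.key.ECDH(peerPub)))
	return h.Sum(nil), nil
}

// Seal and Open use AES-256-GCM; the random nonce is prepended to the ciphertext.
func Seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Seal(nonce, nonce, plaintext, nil)
}

func Open(key, msg []byte) ([]byte, error) {
	if len(msg) < 12 {
		return nil, errors.New("message too short")
	}
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, msg[:12], msg[12:], nil)
}

// RunExchange is the whole flow: mutual certificate checks, matching session keys,
// and one encrypted message from robot to server. Open only succeeds if both
// sides derived the same key.
func RunExchange(message string) (string, error) {
	ca := NewCA()
	robot, server := ca.Personalize("robot-0001"), ca.Personalize("factory-server")
	kRobot, errR := robot.SessionKey(ca, server.Cert, "factory-server")
	kServer, errS := server.SessionKey(ca, robot.Cert, "robot-0001")
	if err := errors.Join(errR, errS); err != nil {
		return "", err
	}
	pt, err := Open(kServer, Seal(kRobot, []byte(message)))
	return string(pt), err
}

func main() {
	fmt.Println(RunExchange("Top Secret: bearing 3 vibration trending high"))
}
```

The two checks in `SessionKey` are the ones the text assigns to the key management system: a certificate issued by a different (untrusted) CA fails the signature check, and a valid certificate for a different device fails the name check, so no session key is ever derived for either. The code also shows why the CA key and the device identity keys are the assets to guard with an HSM or secure element: everything else in the exchange is public.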

The Avnet initiative

Avnet Silica has developed a unique solution to cut time and cost from this complicated process. In May 2016, we introduced a competitive service business model to simplify access to this technology through our advanced logistics facility at our German headquarters in Poing, near Munich.

Objects you can trust: At Avnet’s Advanced Logistics facility in Poing near Munich, engineers routinely program secure microprocessors.

Here, secure microcontrollers are programmed by Avnet Silica staff using firmware supplied by our partner Trusted Objects, adding a new set of functions and commands tailored to the exact requirements of the customer’s final application and global security architecture. The resulting microcontroller is programmed as a secure element that executes cryptographic primitives and more complex functions: AES and ECC encryption and decryption, signatures, secure key renewal, onboard key generation, true random number generation, certificate handling and much more, while never exposing secret keys to the outside world. This fortified warehouse is capable of personalizing secure elements in small to large volumes, to meet the needs of any customer project. In this way, Avnet Silica and its partners enable customers to benefit from the depth and breadth of their expertise to address personalization and security for IoT projects. We are currently developing our own stacks and APIs, which will be able to handle TLS derivatives and easy-provisioning schemes running over various radio links, a service we will offer together with UbiquiOS Technology and Avnet Services. Finally, Avnet Silica is establishing certification authority services with a trusted partner for customers who do not wish to invest in a full public key infrastructure themselves. Personalization and securely provisioning devices to servers end-to-end are the best, and by far the simplest, way to secure the Internet of Things. And we at Avnet Silica can help you make it happen.
