Wibu-Systems Blog

Terry Gaul

Recent Posts

Securing Industrial Systems by Design

Posted by Terry Gaul on Aug 19, 2015 4:38:01 AM


The Industrial Internet Consortium (IIC) recently released the first version of a document entitled “Industrial Internet Reference Architecture Technical Report.” The document serves to initiate a process of evaluation and industrial transformation to create broad industry understanding about technical requirements, methodologies and roadblocks and to drive product interoperability and simplify the development of Industrial Internet systems (IISs). Because the Industrial Internet is being driven by participants in an array of diverse fields, the IIC is committed to building early consensus among stakeholders on major architecture questions.

As a member of the IIC and an active participant in the Security Working Group, we are very pleased to see that the IIC has emphasized the importance of security for IISs. The IIC points out that because IISs are connected and distributed, they continue to evolve over time and consequently offer an “attack surface that is significantly larger than isolated industrial control systems”. The IIC Reference Architecture calls for integrated security policies for physical plant, hardware, software and communication as core to system design. It is also important to note that the IIC recognizes that attacks can come from a variety of sources, whether it be employees or other insiders, casual hackers or terrorists.

The specific security issues addressed by the IIC report include:

  • End-to-end security: requires building in security by design rather than the often-tried and often-failed paradigm of bringing it in as an afterthought.
  • Securing legacy systems: most IISs incorporate legacy systems that offer limited or no security protocols and are not modifiable. Security of the overall system requires securing the endpoints of these legacy systems.
  • Security for architectural patterns: every architecture pattern has its own specific security requirements and challenges and must be addressed individually.
  • Endpoint security: many IISs need to embed security capabilities and policy enforcement directly in endpoint devices. The embedded security measures should include mitigating controls, countermeasures and/or remediation actions defined by security policies to minimize the risk of being compromised and the impact when being compromised.
  • Information exchange security: communication and data exchanges within an IIS must be protected for authenticity, confidentiality, integrity and non-repudiation.

Over the years, Wibu-Systems, in conjunction with several technology partners, has accumulated a wealth of knowledge in embedded system protection and is collaborating closely with the IIC Security Working Group to map out a security strategy for IISs. There are many technologies we can bring to the table, such as encryption, protection against software piracy and reverse engineering, tamper-proofing and integrity protection, authenticity and authentication, as well as license lifecycle management, feature on demand activation, and other embedded software monetization strategies.

Many of these security technologies and techniques were discussed in a recent Webinar, Embedded Security and the Internet of Things – Challenges, Trends, and Solutions. I invite you to view the recorded e-cast and contact us if you have questions or would like more information.

Topics: cybersecurity

Monetizing IoT Devices

Posted by Terry Gaul on Jul 31, 2015 7:59:31 AM

Aside from the widespread attention and hype surrounding the prolific growth expectations of the Internet of Things (IoT), industry focus has been on potential IoT device vulnerabilities and cybersecurity. The recent well-publicized cyberattack demonstration on an automobile adds more fuel to the fire. However, industry analyst firm Gartner adds another interesting topic to the IoT discussion. They point out that with software at the core of embedded systems, manufacturers of IoT devices will soon be consumed with understanding the importance of software monetization.

In a recent news release, Laurie Wurster, research director at Gartner, said: "By monetizing the software on their devices, these (IoT) vendors will be able to increase and drive recurring revenue streams, creating billions of dollars of additional value. For example, with an estimated 25-plus billion 'things' in the marketplace, and if manufacturers are able to collect an average of $5 for software from each of these installed units, that translates to additional revenue estimated at $130 billion."

While software monetization strategies were an ongoing focus for successful ISVs of conventional PC applications for the past decade or more, it is a novel concept for this new breed of embedded system manufacturers. But once they have a full understanding of the financial benefits of a solid software monetization strategy, these IoT “software vendors” will be heading down the same path to maximize revenues.

What can IoT device manufacturers learn from the past experiences of ISVs about monetizing their IoT devices? I see three key areas of note:

  1. license lifecycle management
  2. software protection for the ISV and security for the user of the IoT device
  3. security implementation

Let’s take a closer look:

License Lifecycle Management

Device manufacturers will need to learn how embedded software can be leveraged to create product differentiation and provide competitive advantages. An agile licensing schema will facilitate software monetization techniques that will enable them to quickly adjust product functionalities, pricing and compliance needs and enable new business models – such as Pay-Per-Use or Features on Demand - to adapt to the ever changing market requirements. A comprehensive license lifecycle management strategy will not only provide a flexible licensing component, but also help to increase revenue growth through operational and logistical cost reductions and efficiency optimization.

Software Protection and Security

Flexible licensing models paint only half of the license lifecycle management picture. The other half relates to the protection and security of the device and the software itself. Without fool-proof protection, it is all too easy for unscrupulous hackers to attack embedded devices by tampering with unprotected software code, disabling insecure license management systems, or extracting proprietary code to reverse engineer and build counterfeit products. ISVs have learned the hard way how this rampant criminal activity adversely affects bottom line revenues. And, this is just as true for IoT device manufacturers. But it’s not all about ISVs. Users of IoT devices also benefit from these security mechanisms.

Security Implementation

Finally, many ISVs learned over the years that licensing and security are complex and not necessarily a core strength of their developers. Some of those ISVs who struggled to build their own licensing systems often overburdened their development resources and took them away from their strength – developing application code. Other ISVs turned to commercial licensing solutions and security experts, and partnered with them. This is an important lesson for IoT device manufacturers as well. I’ve already seen many solutions where the access to a device or the activation of a feature was protected by a simple password. Once hacked over the Internet these features became available to anyone. Cryptographic methods are only one part of the equation; their implementation is as important as the technology itself. With the growing concerns over connected device vulnerabilities and cyberattacks, security is one area that needs to be considered as early as possible in the device development process together with security professionals.

I hope I have conveyed the importance of license lifecycle management. If you would like to learn more about license lifecycle management, I invite you to review our white paper Integrity Protection for more information.

Topics: License Management, secure licensing, software monetization, embedded security, Internet of Things, cybersecurity

The Role of Security in the Macroeconomy

Posted by Terry Gaul on Jul 2, 2015 3:45:59 AM

A recent report released by the Economist Intelligence Unit entitled Long-term Macroeconomic Forecasts: Key trends to 2050 highlighted some of the emerging economic issues expected to shape global business in the coming decades. Some of the key findings of interest were:

  • China is anticipated to overtake the United States in 2026 in nominal Gross Domestic Product (GDP) and maintain its position as the largest economy by 2050 while India will likely move to third place with the US in second.
  • By 2050 Asia is predicted to account for 53% of global GDP.
  • Climate change, international security and global economic governance are key issues that will be addressed by the leading economies.

Also noteworthy was the projection that “economic growth will be driven by countries moving from less technologically intensive production to capital-intensive manufacturing production.” For more advanced economies, the report went on to predict that “gains from the more efficient usage of capital through increased technological progress as a result of investment in research and development (R&D) will boost growth.”

Undoubtedly, much of this technology investment and growth will be fueled by the Internet of Things and the efficiencies to be gained by the networking of machines, people and business in the so-called smart factory or Industry 4.0. In his article, Internet of Things – Security is a prerequisite for success, in the May 2015 issue of The Vault, Dr. Stefan Hofschen, Infineon Technologies AG, wrote:

“Especially in the context of Industry 4.0 and the automotive industry, the increasing connectivity provides a great number of opportunities for the economy. Yet, it also presents great challenges for businesses, foremost in questions of data security. How can business secrets and intellectual property be protected on the open Internet? How is data protection and confidentiality ensured? How secure is the communication between the different devices or components? And how can attacks be recognized and potential damage prevented? In short, data security and system integrity are essential for the success of new business models, because they protect the availability and reliability of products and services.”

And while many divergent issues will impact the macroeconomy of the future as reported by the EIU, cybersecurity, or the lack thereof, will undeniably be a key factor as the financial damages caused by security breaches can far exceed the upfront technology investments. For example, manipulation of the firmware during an update of a single production machine can cause damage to the entire production process.

Well planned and technologically superior security measures are vital to provide protection against manipulation and tampering of connected machines and devices, loss of Intellectual property and know-how, and theft of proprietary business or personal data. Fortunately, companies like Wibu-Systems have developed cryptographic technologies and other modern security mechanisms to protect the integrity of these smart systems and prevent such malicious activities.

At the IT Summit 2014 in Hamburg Germany, Infineon, Deutsche Telekom, Fraunhofer SIT, TRUMPF, Wibu-Systems and Hirschmann demonstrated such a security solution for an industrial manufacturing process. I invite you to read more about the technology solution and how it was implemented and visit our new Web site to learn more about all of our proven security solutions for PC applications and embedded systems.

Topics: CodeMeter, embedded security, Internet of Things, cybersecurity

A Collaborative Approach to Cybersecurity

Posted by Terry Gaul on Jun 17, 2015 12:00:00 AM

“Attackers — in ever greater numbers and with increasing sophistication — see, in the growing promise of our tech-connected world, opportunities to steal or cause major disruption or destruction by exploiting vulnerabilities. Unfortunately, as technology’s benefits expand and evolve, so too will the threats. Countering those threats and ensuring the resilience of our cyber-enabled systems will require flexibility and an ability to evolve as well.”

So states the BSA Software Alliance in their recently released report, EU Cybersecurity Dashboard: A Path to a Secure European Cyberspace. The purpose of the report was to lay the groundwork for governments to develop the necessary policies, legal frameworks and implementation infrastructure to protect their connected systems and prevent, mitigate and respond to cyberattacks. And while the report was focused on members of the EU, the same policies and framework can be and should be considered globally. 

The report examined five key areas of cybersecurity policy:

  • Legal foundations
  • Operational capabilities
  • Public-private partnerships
  • Sector-specific cybersecurity plans, and
  • Education

I found the discussion around the importance of public-private partnerships of particular interest. The report concluded that since most infrastructure is owned by the private sector, effective public-private cooperation is essential. Cooperation between stakeholders by sharing information, experience and perspective will greatly improve the effectiveness of risk management. I couldn’t agree more. This is the main reason why Wibu-Systems is involved with so many industry associations, such as the Allianz for Cyber Security, which consists of a community of enterprises, government bodies, municipalities and private users, dedicated to strengthening security protocols.

Just as collaborations between the public and private sectors are important, so are collaborations between technology companies. For example, as an active member in the Silicon Trust, we are working side by side with companies like Infineon, Deutsche Telekom and others to develop security solutions in support of the success of Industry 4.0. In partnership with Wind River, our technology is also helping to provide greater security for their VxWorks platform, the most widely used real-time operating system for embedded systems.

With Industry 4.0 and the Internet of Things, the vision of a world characterized by a myriad of interconnected embedded devices is rapidly emerging. So too is a wave of new cyberthreats to people, processes and technology. Intellectual property protection, tamper-proofing, and cybersecurity are becoming essential for the business of machine producers and operators alike. Our goal, in conjunction with our partners, is to make a significant contribution to this new interconnected world by continuing to develop and improve cybersecurity technology to protect against cyberattacks and make the world a safer place.

Read more about Wibu-Systems protection suite for embedded systems.

Topics: embedded security, Internet of Things, cybersecurity

Integrity Protection for Embedded Systems

Posted by Terry Gaul on Jun 9, 2015 11:00:00 PM

Software for embedded systems is based more and more on open system platforms – Linux Embedded, VxWorks, Windows Embedded, QNX and many others. In addition to powerful core functionality, one of the main reasons to use open platforms is their implementation of standardized interfaces for loading code or calling system functions (APIs). Such standards simplify software development between several teams within a large enterprise or even between different software companies. And similar to the success of software for traditional desktop systems or smart phones, developers can find more solutions that can be purchased from third parties instead of developed in-house.

However, this new open world also makes embedded systems vulnerable to attacks from two main challenge points. First, the embedded system can be attacked directly from the Internet. Execution codes can be replaced or modified by malicious code during code updates. Weaknesses in the code itself can also be exploited. Secondly, hackers have access to the same open source information as the developer. With knowledge of the execution code binary structure, hackers can use powerful development/analytical tools to directly modify the code in a static attack. Furthermore, with knowledge of the memory and process architecture, the hacker can initiate a dynamic attack by inserting malicious code into the boot process.

Recent examples of such exploitation include successful attacks on POS systems to steal credit card numbers or on ATMs to steal cash. The Internet of Things (IoT) now brings embedded systems with such open platforms into a globally connected environment that is highly vulnerable to all types of attacks from hard-to-identify hackers who can be located anywhere in the world.

One solution to prevent such attacks is the installation of security barriers between the code and the open internet, such as firewalls or strict access control to the critical code. But the structure of such barriers in larger installations of embedded systems – an automobile assembly plant for example – is quickly becoming very complex with a high risk of security leaks. And if a hacker can find one such leak, he or she is now “inside”, and knows the details of the platform in use, and can modify the existing code or even upload and start new code to perform malicious attacks beyond simply analyzing, copying or deleting data.

A more effective solution is to protect the running program code itself against any modifications and also prevent the loader of the operating system from starting any unauthorized code. This also includes protecting the open system platform itself to prevent hackers from installing their own loader. And finally the BIOS of the embedded system should prevent any loading of an unauthorized operating system.

There are two advantages to this approach. First, the execution code is authenticated by a private key accessible by the developer or owner of the key; no other source is possible and the code cannot be modified during delivery or on the embedded system. Second, the execution code is encrypted and cannot be easily reverse engineered by a hacker or a competitor.

Our CodeMeter technology provides this type of code protection at all levels of an embedded system where software components are running. The authentication process begins in the BIOS, which will only start an authorized operating system; it continues through the loader in this operating system, which only accepts execution files of authorized programs; and it extends to these programs, which can load only applets or dynamic libraries with authorized dynamic extensions. This code integrity protection is based on sealed code, which cannot be modified at the file level, and which is verified by a private/public key schema. All components (BIOS, operating system, optional loader, application and applets) can come from different development departments or companies. Dynamic updates of any component are possible as long as the updated code is authorized as well. It is also possible to remotely update, extend or remove the required keys in a secure manner.
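The stage-by-stage check described above, sketched in Go as an added example; it is not CodeMeter code or Wibu-Systems' implementation. It assumes Ed25519 signatures, a three-stage chain (operating system, application, applet) and the hypothetical names `Seal`, `VerifyChain` and `ApplyUpdate`; all keys and images are constructed sample values.

```go
// Added example: a signed boot chain with update checks (assumed design, sample data).
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrUnauthorized = errors.New("signature not valid under the key trusted by the previous stage")

// Component is one sealed stage: code, the key it uses to check the stage it loads, signature.
type Component struct {
	Name    string
	Image   []byte
	NextKey ed25519.PublicKey // nil for the last stage
	Sig     []byte
}

// sealedDigest hashes every field with a length prefix, so the signature
// covers the code and the embedded next-stage key without ambiguity.
func sealedDigest(c Component) []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(c.Name), c.NextKey, c.Image} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		h.Write(n[:])
		h.Write(f)
	}
	return h.Sum(nil)
}

// Seal is the vendor-side step: sign the component with the vendor's private key.
func Seal(priv ed25519.PrivateKey, name string, image []byte, next ed25519.PublicKey) Component {
	c := Component{Name: name, Image: image, NextKey: next}
	c.Sig = ed25519.Sign(priv, sealedDigest(c))
	return c
}

// VerifyChain starts from the key held in the BIOS; each stage must verify
// under the key sealed into the stage before it.
func VerifyChain(root ed25519.PublicKey, chain []Component) error {
	trusted := root
	for _, c := range chain {
		if len(trusted) != ed25519.PublicKeySize {
			return fmt.Errorf("%s: previous stage authorizes no further code", c.Name)
		}
		if !ed25519.Verify(trusted, sealedDigest(c), c.Sig) {
			return fmt.Errorf("%s: %w", c.Name, ErrUnauthorized)
		}
		trusted = c.NextKey
	}
	return nil
}

// ApplyUpdate swaps in a candidate for stage i only if the whole chain still
// verifies; otherwise the installed chain is returned unchanged.
func ApplyUpdate(root ed25519.PublicKey, chain []Component, i int, cand Component) ([]Component, error) {
	if i < 0 || i >= len(chain) {
		return chain, errors.New("no such stage")
	}
	next := append([]Component(nil), chain...)
	next[i] = cand
	if err := VerifyChain(root, next); err != nil {
		return chain, err
	}
	return next, nil
}

// NewDemo builds a constructed device. Keys come from fixed seeds so the run is
// reproducible; real signing keys are random and never stored on the device.
func NewDemo() (ed25519.PublicKey, map[string]ed25519.PrivateKey, []Component) {
	key := func(b byte) ed25519.PrivateKey {
		return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	}
	pub := func(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
	osK, appK, appletK := key(1), key(2), key(3)
	signers := map[string]ed25519.PrivateKey{"os": osK, "app": appK, "applet": appletK}
	chain := []Component{
		Seal(osK, "os", []byte("kernel+loader v1"), pub(appK)),
		Seal(appK, "app", []byte("controller v1"), pub(appletK)),
		Seal(appletK, "applet", []byte("plugin v1"), nil),
	}
	return pub(osK), signers, chain
}

func main() {
	root, _, chain := NewDemo()
	fmt.Println("boot:", VerifyChain(root, chain))
	tampered := chain[1]
	tampered.Image = []byte("controller v1 + implant") // modified after sealing
	_, err := ApplyUpdate(root, chain, 1, tampered)
	fmt.Println("tampered update:", err)
}
```

Because each signature also covers the next-stage key, replacing that key requires a valid signature from the stage above, and a key change that leaves later stages signed under the old key is rejected when the chain is re-verified.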

I invite you to view a pre-recorded Webinar to see how CodeMeter enables the flexibility of secure code upgrades, which will be required in the ever evolving world of connected embedded systems, with the security of the closed, non-changeable, unconnected systems of today.

Access the recording now.

Topics: CodeMeter, Code Integrity, embedded security

Enhance the End User Experience with an Efficient and Flexible License Portal

Posted by Terry Gaul on May 18, 2015 3:00:00 AM

Streamlining the process of creating, delivering, and managing licenses will boost the level of satisfaction for your customers and ultimately lower your support calls and costs. Conversely, a cumbersome workflow that involves several steps, including multiple clicks from an email to your Website, the ecommerce portal, and/or the merchant page, can be irritating, time consuming, and totally unnecessary.

There are three important areas that your portal should address to make your licensing process most efficient for both you and your customers:

  1. All activities concerning licensing should be actionable from one dashboard – including activation, deactivation, and reactivation of licenses, registration of users and tickets, and creation and management of licenses.
  2. The user portal should offer the utmost flexibility so that not only are you in full control of the complete set of actions performed by the user, but you can also grant rights for the actions they can execute autonomously as well as those that require your prior approval.
  3. The user portal should integrate seamlessly with your backoffice systems via connectors to all leading ERP, CRM and e-commerce platforms to automate the transfer of data from one database to another, instantly and without failure.

Our CodeMeter license portal has been designed around these important attributes, all geared towards increasing your efficiency. We will demonstrate how straightforward and efficient we make licensing at an upcoming Webinar, Bending and Stretching Capabilities of the License Portal. The one-hour Webinar will be held Wednesday, May 27 at the following times:

- 9:00 am PST
- 9:00 am CET and 6:00 pm CET
- The German language session will be held 2:00 pm CET.

You can find the full agenda for this Webinar and register here.

Please join us and learn how to take full advantage of your user license portal.

Certificates for Authenticity, Authentication or both?

Posted by Terry Gaul on Apr 23, 2015 10:50:21 AM

Live Event:

Certificates for Authenticity, Authentication or Both?
April 28, 2015
9 - 10 am PST

Register

Software developers have an affinity for encryption methods, but not all have quite mastered certificate management. Digital certificates are often seen in relation to authentication practices such as single sign-on, email signature, and file encryption, but they are also a key pillar in software protection.

This crash course will navigate you from theory to practice, illustrating basic principles and best application uses. Whether your goal is protecting a computer or embedded software, there are techniques that you can implement and requirements you should follow to achieve greater effectiveness in shielding your application from piracy and tampering.

Through the integrated use of certificates, CodeMeter serves a dual scope: authenticity and authentication. While mechanisms like Authenticode offer authenticity for the software user, CodeMeter offers authenticity for the software developer. If an application consists of more than one executable, small and easy to use proprietary certificates are used by CodeMeter to check the integrity of the whole application. In case of an embedded system such as VxWorks, the integrity of the entire embedded device can also be verified: the authenticity of each module from the bootloader and the operating system, up to each software running on this system is validated.

Additionally, with authentication, you can make sure only users with entitled credentials can use or maintain your software or can log in to cloud-based solutions.

Get familiar with the terminology and become a proficient user of certificates. Register Here

Topics: CodeMeter, software copy protection, Anti-piracy, Copy Protection

Webinar: Embedded Security and the IoT

Posted by Terry Gaul on Apr 6, 2015 6:24:28 AM

Live Event:

Embedded Security and the IoT - Challenges, Trends and Solutions
April 9, 2015
11:00 am PST

Cisco forecasts that by 2020 there will be 50 billion connected devices on the planet spanning everything from entertainment and information to the industrial and medical markets. The benefits are obvious. The risks are significant with catastrophic consequences. Internet of Things (IoT) security is a broad issue with many dimensions.

Security experts from RTI, Texas Instruments, Thingworx, and Wibu-Systems will describe risks and solutions for securing IoT devices during this one-hour Webinar hosted by OpenSystems Media.

Topics for discussion include:

  • Secure software updates via integrity protection
  • Data centric security for the IoT
  • Protecting Internet communications in IoT devices
  • Secure IoT deployments

Register for the Webinar

Speakers:

Dr. Stan Schneider
CEO
RTI

Gil Relter
Strategic Marketing Manager,
Wireless and IoT
Texas Instruments

Rob Black
Sr. Dir. Product Manager
Thingworx, PTC

Marcellus Buchheit
President and CEO
Wibu-Systems USA

Register for the Webinar

Topics: embedded security

Important Considerations in Choosing a 3rd Party Licensing Platform

Posted by Terry Gaul on Mar 26, 2015 5:42:57 AM

If you have decided to integrate a 3rd party licensing solution for your software application, you’ve made the right choice. By doing so, you’ve freed up your developers to do what they do best — write code; you’ve given your marketing team the ability to deliver the software in a manner that is most desirable for the customers in discrete market segments; and, you’ve protected and monetized your software so that you generate the revenues that you deserve from your development and commercialization efforts.

But now the question is which 3rd party solution should you choose? There are several options out there and each solution offers a different approach to licensing. In making your decision, there are several key factors to consider:

Licensing Flexibility — the licensing platform of choice should enable you to create, deliver, activate, update and manage licenses using the business model that’s optimum for your customers without compromise, whether it is single user licenses, network licenses, feature on-demand licenses, demo/trial licenses, pay-per-use licenses, or whatever license model you dream up. This licensing flexibility gives your marketing team the tools they need to define and deliver the product in the optimal manner for each unique market segment and generate the most revenue.

License Security — the licensing platform should provide mechanisms to securely store and deliver licenses, whether it is via a hardware device (Dongle) or PC-bound soft license file. Dongles offer the highest security and portability from PC to PC while soft licenses offer the fastest delivery and activation. Either way, the licensing system should ensure that only authenticated, licensed users can activate and utilize the software.

Easy Integration into Your Business Processes — for ease-of-use and to reduce costs, the licensing solution should integrate seamlessly into your existing ERP, CRM, eCommerce or other business processes using industry standard tools such as SOAP. It should also be capable of accessing your existing databases, such as Oracle, MySQL, and MS-SQL. And, it should have a customer facing portal that can be branded and customized to support your end-users.

License Activation Options — the solution should provide activation options that are best suited for your business model. You should have the flexibility to activate licenses online from within the software application or via an internet web portal; or offline via file transfer from the computer with the software application to another computer with access to the portal.

Hosting Flexibility — the solution should provide you with the option to host your license server on a local web server or host and manage in the cloud of the provider of the licensing system.

Software Monetization — in addition to licensing flexibility, the solution should provide data mining, analytics and reporting capabilities to give you the ability to make sound business decisions and the agility to shift your marketing strategy as market requirements change.

Vendor Reliability — choose a 3rd party licensing partner that you can trust. How long have they been in business? What is their business strategy — are they dedicated to licensing or do they have other interests? Who are their key customers? How good is their support?

At Wibu-Systems, we have focused solely on software protection and secure licensing for more than 25 years and we remain committed to innovation and continuity for the future. Our ongoing mission is to accompany the growth of your business with stability, expertise, and long-term vision. Learn more about CodeMeter License Central, our comprehensive solution that enables you to easily create, manage and distribute your licenses.  I invite you to contact us to discuss your licensing needs, or try our licensing solution with the CodeMeter Evaluation System.

Request a CodeMeter Evaluation System

Topics: License Management, secure licensing, Wibu-Systems news, CodeMeter License Central, software monetization

Considering an Automated License Management System Hosted in the Cloud?

Posted by Terry Gaul on Mar 23, 2015 4:00:00 AM

With today’s cloud or virtual solutions, there are many available license management options to evaluate and even more questions to consider – what about security? Service levels? Architecture? Server location? Support? Cost and fees?

If you are considering an automated license management system hosted in the cloud, you won't want to miss this upcoming Webinar:

High Availability for License Creation - Technical and Human Factors
March 31, 2015
12:00 pm - 1 pm EDT
Register

Wibu-Systems Support and Cloud Consulting Experts will review the key factors involved in selecting a reliable hosted license management platform and present several options available for hosting CodeMeter License Central with our Wibu Operating Services (WOPS), from the cost-effective Datacenter Edition to high performance and high availability services.

During this one-hour event we will present:

  • Overview of available license management packages
    • Datacenter Edition
    • Dedicated Server
    • High Performance Edition
    • High Availability Package
  • Security requirements:
    • DMZ and security area in the Wibu-Systems datacenter
    • Security monitoring
    • Available access options and access protection measures
  • Hosting or operation, what is the difference?
    • Hardware components and overall infrastructure
    • System updates
    • Application updates
    • Application maintenance
    • Availability monitoring
  • Service Levels
    • Basic availability

Let us help you pick the optimum solution and protect your business profitability.

Register for the Webinar

Topics: License Management, CodeMeter, secure licensing, Virtualization, Cloud License Management