Wibu-Systems Blog

Stay secure

Posted by Terry Gaul on Dec 22, 2015 5:21:21 AM


The close of a year and the anticipation of what’s to come in the New Year always bring about some interesting reviews of the past 12 months and predictions for the future by industry analysts, company executives and the trade press. Two articles recently caught my attention.

The first was an article on healthcareanalytics.com that noted Healthcare IoT topics dominated their top 10 stories of 2015. In fact, three IoT-related stories made their top ten, including the year’s most popular story, Why Healthcare Big Data Analytics Needs the Internet of Things.

I found this quote from writer Jennifer Bresnick in particular to be a very clear indicator of the power of the IoT for healthcare: “While some may view the IoT as the perfect set-up for a post-apocalyptic novel, it has real power for healthcare. Analytics systems that integrate medical devices like imaging machines and bedside monitors can reduce unnecessary spending, improve diagnostic accuracy, and slash repeated tests. Monitoring hand hygiene through internet-connected sanitizer stations can cut infection rates and save lives. Increasing patient engagement through smartphones and patient-generated health data doesn’t just improve satisfaction and overall health, but it also helps providers get paid.”

Secondly, Jahangir Mohammed, a member of the World Economic Forum, published his 5 Predictions for the Internet of Things in 2016. His first prediction caught my eye and I couldn’t agree more:

1. “The ‘security of things’ will take centre stage. In 2015, the market saw tremendous growth in the number of connected devices, and that proliferation gave rise to concerns about the security of IoT. Next year will be the one where IoT security takes centre stage – and the winners will be the solution providers who can help enterprises not only deliver connected services, but secure them, too.”

These two thoughts go hand in hand. There is great potential for the IoT to dramatically change the healthcare delivery landscape, from improving patient safety and outcomes to enhancing the way care is delivered. But, success will be predicated upon the ability to integrate these connected systems, devices and data in a secure manner while ensuring patient privacy and protecting against cyberattacks. And this applies to all industries where IoT solutions are being developed and deployed, and that’s just about everywhere.

Fortunately, technology exists today that enables device developers to incorporate security into their designs and provide that safety assurance. Wibu-Systems co-founder and CEO Oliver Winzenried recently wrote an interesting article in Medical Device Developments magazine, entitled Stay Secure, where he addressed both the challenges and the security solutions for the medical device industry.

He wrote: “Manufacturers of IoT devices in the medical space must implement security mechanisms by design to safeguard patients’ safety and privacy, and device availability and robustness against cyberattacks and product piracy.”

The article goes into great depth about technologies that will help developers effectively meet these challenges.

Topics: embedded security, Internet of Things, cybersecurity

Security by Design for connected devices

Posted by Terry Gaul on Dec 4, 2015 7:52:53 AM


There were some interesting findings released in a global study this past June conducted by Harbor Research (in conjunction with Progress Software) on the State of IoT: 2015 Global Developer Study. Not surprisingly, inexperience, interoperability and security were at the top of the list of challenges mentioned by 678 developers polled in the study. Here are a few of the key findings: 

  • Only 50% of developers say they have the skills, resources and technological tools to deliver on IoT expectations.
  • Interoperability, integration, security and privacy are among the top concerns of IoT developers
  • Low levels of monetization reflect business models that have not kept pace with technology advances
  • Current activity to address these issues is scattered among government organizations, various company alliances and other disparate groups
  • Security must be factored in from the beginning of development of any IoT product or application
  • Developers believe commercial vendors and the open source community have the greatest power to help them overcome these challenges

Certainly security and software monetization are on the top of our list and the main focus of our business. In our ongoing discussions with customers, we’re finding that more and more developers are looking to vendors like Wibu-Systems to help them address security from the start rather than later in the development process. And this is a growing sentiment with embedded system developers of connected IoT devices, in particular.

To put it all into perspective, I invite you to read our latest white paper, Licensing and Security for the Internet of Things. This document delves into the current trends in IoT device development, strategies for success, and standards for protection and licensing systems in the IoT. It also presents a detailed explanation of our extensive CodeMeter toolkit that provides protection that can be easily and securely integrated into the software. The technology protects against reverse engineering and software replication and provides integrity protection of the application, licensing options, and flexible management of access rights.

Download the white paper and learn about the benefits of security by design.

Topics: CodeMeter, embedded security, Internet of Things

Endpoint Security for a Rail System: Another Industrial Internet System Success Story

Posted by Terry Gaul on Nov 18, 2015 10:45:11 AM

When AT&T, Cisco, GE, IBM and Intel founded the Industrial Internet Consortium in March 2014, I wonder if they had envisioned how quickly the international technology community would embrace their mission to catalyze and coordinate the priorities and enabling technologies of the Industrial Internet. Many amazing collaborative solutions have already emerged – for example, RTI and Siemens teamed up on a solution to network and control hundreds of wind turbines for better control and optimization, and National Instruments and Airbus have developed tools for smarter factories. Just take a look at the many case studies published by IIC members in a variety of fields – communications, energy, healthcare, manufacturing, transportation and logistics, and security – and you will gain a sense of the enormous potential for the connected world.

Industry collaborations and technology partnerships are the foundation upon which these innovative Industrial Internet systems will be created. Wibu-Systems’ main focus is to provide the protection platform for our partners to secure these next generation systems. For example, as a member of the Infineon Security Partner Network (ISPN), we have worked closely with Infineon and other leading security vendors to secure devices and systems in various applications. In a recent collaboration, we employed Infineon’s SLE 97 security controller and our CodeMeter Embedded Protection to deliver an endpoint security solution to safeguard railway control systems.


In this use case, the safety of the application was paramount. Hardware components had to comply with an extended operating temperature range, moisture challenges, and vibrational conditions. The software security elements were tasked to guarantee the highest level of security against cyber threats while protecting IP against reverse engineering and piracy. And, the solution needed to be compatible with the real-time VxWorks operating system already in use. The multiplicity of potential attack vectors called for an endpoint security solution. The CodeMeter-based solution met all these criteria and was then integrated into the existing power-controlling infrastructure.

You can read more specific details about the cryptographic elements of the solution, secure boot mechanism and other innovative development and implementation details in this case study.

 

Topics: CodeMeter, Code Integrity, embedded security, Internet of Things, cybersecurity

Protecting the Healthcare Landscape of 2020

Posted by Terry Gaul on Sep 8, 2015 1:00:00 AM

The Deloitte Centre for Health Solutions paints an interesting picture of the healthcare and life science sectors in their report, Healthcare and Life Sciences Predictions 2020 – a bold future? The landscape they envision is being shaped by the many scientific and technology innovations emerging today.

By 2020, they foresee an era of digitized medicine where patients manage their own electronic health records and providers and patients share crowd-sourced data via social media and other electronic communities. Today, wearable technologies have been embraced mainly by fitness buffs. But by 2020, Deloitte points to the development of new biosensors that will enable broad adoption of wearables for remote monitoring, disease management and early detection. And in the age of fully digitized medicine, Big Data will have found a way to leverage the healthcare data exposition and deliver information to patients and providers to make better and more informed decisions.

Deloitte imagines that “the convergence of biomedicine, IT, health data, wireless, and mobile will have transformed medicine from an art to a data driven science providing the right care, in the right place, at the right time and at affordable cost.”

The report presents quite an optimistic outlook, but quite plausible from Deloitte’s standpoint, based on the evidence presented. However, Deloitte also points out the many hurdles that will have to be addressed along the way. The two most prominent issues involve patient privacy and safety. While an abundance of patient data will help develop better treatments and improve outcomes, the protection of patient privacy and confidentiality is still paramount. Much more progress needs to be made in cybersecurity to provide the assurances that patient information is protected.

One area that was not addressed in detail in this particular report is the importance of protecting not only patient data, but also the connected devices and embedded software themselves from malicious tampering. I like to use the example of former U.S. Vice President Dick Cheney, who acknowledged that he once feared that terrorists could use the electrical device implanted near his heart to kill him. The device in question was a defibrillator that could detect irregular heartbeats and control them with electrical jolts. Cheney had his doctor turn off the device’s wireless function in case a terrorist tried to send his heart a fatal shock.

Deloitte delved further into these types of issues in a brief entitled Networked medical device cybersecurity and patient safety: Perspectives of health care information cybersecurity executives. The brief notes that while connected medical devices have the potential to play a transformational role in healthcare, they also may be a vehicle that exposes patients and providers to safety and cybersecurity risks such as being hacked, being infected with malware and being vulnerable to unauthorized access.

With the rapid proliferation of electronic patient data, wearables and other connected medical devices in the healthcare landscape, cybersecurity will be more important than ever. Fortunately, proven technologies exist today for protecting embedded software and connected devices from tampering and execution of malicious code.

Read how custo med, a leading medical diagnostic company in Germany, employs Wibu-Systems’ technology to keep patient data private and protect their diagnostic cardio-respiratory acquisition and reporting system from tampering. Download the case study.

Topics: CodeMeter, embedded security, Internet of Things, cybersecurity

Monetizing IoT Devices

Posted by Terry Gaul on Jul 31, 2015 7:59:31 AM

Aside from the widespread attention and hype surrounding the prolific growth expectations of the Internet of Things (IoT), industry focus has been on potential IoT device vulnerabilities and cybersecurity. The recent well publicized cyberattack demonstration on an automobile adds more fuel to the fire. However, industry analyst firm Gartner adds another interesting topic to the IoT discussion. They point out that with software at the core of embedded systems, manufacturers of IoT devices will soon be consumed with understanding the importance of software monetization.

In a recent news release, Laurie Wurster, research director at Gartner, said: "By monetizing the software on their devices, these (IoT) vendors will be able to increase and drive recurring revenue streams, creating billions of dollars of additional value. For example, with an estimated 25-plus billion 'things' in the marketplace, and if manufacturers are able to collect an average of $5 for software from each of these installed units, that translates to additional revenue estimated at $130 billion."

While software monetization strategies were an ongoing focus for successful ISVs of conventional PC applications for the past decade or more, it is a novel concept for this new breed of embedded system manufacturers. But once they have a full understanding of the financial benefits of a solid software monetization strategy, these IoT “software vendors” will be heading down the same path to maximize revenues.

What can IoT device manufacturers learn from the past experiences of ISVs about monetizing their IoT devices? I see three key areas of note:

  1. license lifecycle management
  2. software protection for the ISV and security for the user of the IoT device
  3. security implementation

Let’s take a closer look:

License Lifecycle Management

Device manufacturers will need to learn how embedded software can be leveraged to create product differentiation and provide competitive advantages. An agile licensing schema will facilitate software monetization techniques that will enable them to quickly adjust product functionalities, pricing and compliance needs and enable new business models – such as Pay-Per-Use or Features on Demand - to adapt to the ever changing market requirements. A comprehensive license lifecycle management strategy will not only provide a flexible licensing component, but also help to increase revenue growth through operational and logistical cost reductions and efficiency optimization.

Software Protection and Security

Flexible licensing models paint only half of the license lifecycle management picture. The other half relates to the protection and security of the device and the software itself. Without fool-proof protection, it is all too easy for unscrupulous hackers to attack embedded devices by tampering with unprotected software code, disabling insecure license management systems, or extracting proprietary code to reverse engineer and build counterfeit products. ISVs have learned the hard way how this rampant criminal activity adversely affects bottom line revenues. And, this is just as true for IoT device manufacturers. But it’s not all about ISVs. Users of IoT devices also benefit from these security mechanisms.

Security Implementation

Finally, many ISVs learned over the years that licensing and security are complex and not necessarily a core strength of their developers. Some of those ISVs who struggled to build their own licensing systems often overburdened their development resources and took them away from their strength – developing application code. Other ISVs turned to commercial licensing solutions and security experts, and partnered with them. This is an important lesson for IoT device manufacturers as well. I’ve already seen many solutions where the access to a device or the activation of a feature was protected by a simple password. Once hacked over the Internet these features became available to anyone. Cryptographic methods are only one part of the equation; their implementation is as important as the technology itself. With the growing concerns over connected device vulnerabilities and cyberattacks, security is one area that needs to be considered as early as possible in the device development process together with security professionals.

I hope I have conveyed the importance of license lifecycle management. If you would like to learn more about license lifecycle management, I invite you to review our white paper Integrity Protection for more information.

Topics: License Management, secure licensing, software monetization, embedded security, Internet of Things, cybersecurity

The Role of Security in the Macroeconomy

Posted by Terry Gaul on Jul 2, 2015 3:45:59 AM

A recent report released by the Economist Intelligence Unit entitled Long-term Macroeconomic Forecasts: Key trends to 2050 highlighted some of the emerging economic issues expected to shape global business in the coming decades. Some of the key findings of interest were:

  • China is anticipated to overtake the United States in 2026 in nominal Gross Domestic Product (GDP) and maintain its position as the largest economy by 2050 while India will likely move to third place with the US in second.
  • By 2050 Asia is predicted to account for 53% of global GDP.
  • Climate change, international security and global economic governance are key issues that will be addressed by the leading economies.

Also noteworthy was the projection that “economic growth will be driven by countries moving from less technologically intensive production to capital-intensive manufacturing production.” For more advanced economies, the report went on to predict that “gains from the more efficient usage of capital through increased technological progress as a result of investment in research and development (R&D) will boost growth.”

Undoubtedly, much of this technology investment and growth will be fueled by the Internet of Things and the efficiencies to be gained by the networking of machines, people and business in the so-called smart factory or Industry 4.0. In his article, Internet of Things – Security is a prerequisite for success, in the May 2015 issue of The Vault, Dr. Stefan Hofschen, Infineon Technologies AG, wrote:

“Especially in the context of Industry 4.0 and the automotive industry, the increasing connectivity provides a great number of opportunities for the economy. Yet, it also presents great challenges for businesses, foremost in questions of data security. How can business secrets and intellectual property be protected on the open Internet? How is data protection and confidentiality ensured? How secure is the communication between the different devices or components? And how can attacks be recognized and potential damage prevented? In short, data security and system integrity are essential for the success of new business models, because they protect the availability and reliability of products and services.”

And while many divergent issues will impact the macroeconomy of the future as reported by the EIU, cybersecurity, or the lack thereof, will undeniably be a key factor as the financial damages caused by security breaches can far exceed the upfront technology investments. For example, manipulation of the firmware during an update of a single production machine can cause damage to the entire production process.

Well planned and technologically superior security measures are vital to provide protection against manipulation and tampering of connected machines and devices, loss of intellectual property and know-how, and theft of proprietary business or personal data. Fortunately, companies like Wibu-Systems have developed cryptographic technologies and other modern security mechanisms to protect the integrity of these smart systems and prevent such malicious activities.

At the IT Summit 2014 in Hamburg, Germany, Infineon, Deutsche Telekom, Fraunhofer SIT, TRUMPF, Wibu-Systems and Hirschmann demonstrated such a security solution for an industrial manufacturing process. I invite you to read more about the technology solution and how it was implemented and visit our new Web site to learn more about all of our proven security solutions for PC applications and embedded systems.

Topics: CodeMeter, embedded security, Internet of Things, cybersecurity

A Collaborative Approach to Cybersecurity

Posted by Terry Gaul on Jun 17, 2015 12:00:00 AM

“Attackers — in ever greater numbers and with increasing sophistication — see, in the growing promise of our tech-connected world, opportunities to steal or cause major disruption or destruction by exploiting vulnerabilities. Unfortunately, as technology’s benefits expand and evolve, so too will the threats. Countering those threats and ensuring the resilience of our cyber-enabled systems will require flexibility and an ability to evolve as well.”

So states the BSA Software Alliance in their recently released report, EU Cybersecurity Dashboard: A Path to a Secure European Cyberspace. The purpose of the report was to lay the groundwork for governments to develop the necessary policies, legal frameworks and implementation infrastructure to protect their connected systems and prevent, mitigate and respond to cyberattacks. And while the report was focused on members of the EU, the same policies and framework can be and should be considered globally. 

The report examined five key areas of cybersecurity policy:

  • Legal foundations

  • Operational capabilities

  • Public-private partnerships

  • Sector-specific cybersecurity plans, and

  • Education

I found the discussion around the importance of public-private partnerships of particular interest. The report concluded that since most infrastructure is owned by the private sector, effective public-private cooperation is essential. Cooperation between stakeholders by sharing information, experience and perspective will greatly improve the effectiveness of risk management. I couldn’t agree more. This is the main reason why Wibu-Systems is involved with so many industry associations, such as the Allianz for Cyber Security, which consists of a community of enterprises, government bodies, municipalities and private users, dedicated to strengthening security protocols.

Just as collaborations between the public and private sectors are important, so are collaborations between technology companies. For example, as an active member in the Silicon Trust, we are working side by side with companies like Infineon, Deutsche Telekom and others to develop security solutions in support of the success of Industry 4.0. In partnership with Wind River, our technology is also helping to provide greater security for their VxWorks platform, the most widely used real-time operating system for embedded systems.

With Industry 4.0 and the Internet of Things, the vision of a world characterized by a myriad of interconnected embedded devices is rapidly emerging. So too is a wave of new cyberthreats to people, processes and technology. Intellectual property protection, tamper-proofing, and cybersecurity are becoming essential for the business of machine producers and operators alike. Our goal, in conjunction with our partners, is to make a significant contribution to this new interconnected world by continuing to develop and improve cybersecurity technology to protect against cyberattacks and make the world a safer place.

Read more about Wibu-Systems protection suite for embedded systems.

Topics: embedded security, Internet of Things, cybersecurity

Integrity Protection for Embedded Systems

Posted by Terry Gaul on Jun 9, 2015 11:00:00 PM

Software for embedded systems is based more and more on open system platforms – Linux Embedded, VxWorks, Windows Embedded, QNX and many others. In addition to powerful core functionality, one of the main reasons to use open platforms is their implementation of standardized interfaces for loading code or calling system functions (APIs). Such standards simplify software development between several teams within a large enterprise or even between different software companies. And similar to the success of software for traditional desktop systems or smart phones, developers can find more solutions that can be purchased from third parties instead of developed in-house.

However, this new open world also makes embedded systems vulnerable to attack in two main ways. First, the embedded system can be attacked directly from the Internet: executable code can be replaced or modified by malicious code during code updates, and weaknesses in the code itself can be exploited. Second, hackers have access to the same open source information as the developer. With knowledge of the binary structure of the executable code, hackers can use powerful development and analysis tools to modify the code directly in a static attack. Furthermore, with knowledge of the memory and process architecture, a hacker can mount a dynamic attack by inserting malicious code into the boot process.

Recent examples of such exploitation include successful attacks on POS systems to steal credit card numbers and on ATMs to steal cash. The Internet of Things (IoT) now brings embedded systems with such open platforms into a globally connected environment that is highly vulnerable to all types of attacks from hard-to-identify hackers who can be located anywhere in the world.

One solution to prevent such attacks is the installation of security barriers between the code and the open internet, such as firewalls or strict access control to the critical code. But the structure of such barriers in larger installations of embedded systems – an automobile assembly plant for example – is quickly becoming very complex with a high risk of security leaks. And if a hacker can find one such leak, he or she is now “inside”, and knows the details of the platform in use, and can modify the existing code or even upload and start new code to perform malicious attacks beyond simply analyzing, copying or deleting data.

A more effective solution is to protect the running program code itself against any modification and also prevent the loader of the operating system from starting any unauthorized code. This also includes protecting the open system platform itself to prevent hackers from installing their own loader. And finally, the BIOS of the embedded system should prevent the loading of an unauthorized operating system.

There are two advantages to this approach. First, the executable code is signed with a private key held by the developer or owner of the key, so no other source is possible and the code cannot be modified during delivery or on the embedded system. Second, the executable code is encrypted and cannot be easily reverse engineered by a hacker or a competitor.

Our CodeMeter technology provides this type of code protection at all levels of an embedded system where software components are running. The authentication chain begins in the BIOS, which will only start an authorized operating system; continues through the loader in that operating system, which only accepts executable files of authorized programs; and extends to the programs themselves, which can load only applets or dynamic libraries that are themselves authorized. This code integrity protection is based on sealed code, which cannot be modified at the file level and which is verified by a private/public key scheme. All components (BIOS, operating system, optional loader, application and applets) can come from different development departments or companies. Dynamic updates of any component are possible as long as the updated code is authorized as well. It is also possible to remotely update, extend or remove the required keys in a secure manner.
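
The staged verification described above, sketched as an added example that is not Wibu-Systems or CodeMeter code: each stage checks the next component's signer and signature before starting it, and each signed image also seals the list of signers it will accept for the stage after it. Lamport one-time hash signatures stand in for the private/public key scheme, which the post does not specify, so the sketch needs only the Python standard library; all component names, seeds and images are constructed.

```python
import hashlib
from dataclasses import dataclass


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(seed: bytes):
    """Derive a Lamport key pair from a seed (constructed demo; real keys come from a CSPRNG)."""
    sk = [[_h(seed + bytes([i, b])) for b in (0, 1)] for i in range(256)]
    pk = [[_h(secret) for secret in pair] for pair in sk]
    return sk, pk


def _bits(message: bytes):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, message: bytes):
    # Reveal one secret per bit of the message digest. A key must sign only one image.
    return [sk[i][bit] for i, bit in enumerate(_bits(message))]


def verify(pk, message: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(message)))


def fingerprint(pk) -> bytes:
    return _h(b"".join(a + b for a, b in pk))


@dataclass
class Component:
    name: str
    code: bytes
    next_signers: tuple  # fingerprints of keys allowed to sign the next stage
    signer_pk: list
    sig: list

    def signed_bytes(self) -> bytes:
        # Name, code and the trust list are sealed together, so editing any of them
        # invalidates the signature.
        return _h(self.name.encode()) + _h(self.code) + _h(b"".join(self.next_signers))


def make(name: str, code: bytes, seed: bytes, next_signers=()):
    """Build and sign a component with the key derived from `seed` (hypothetical helper)."""
    sk, pk = keygen(seed)
    comp = Component(name, code, tuple(next_signers), pk, [])
    comp.sig = sign(sk, comp.signed_bytes())
    return comp


def boot(rom_trusted, chain):
    """Start components in order; stop at the first one that is not authorized.

    Returns (names started, error message or None).
    """
    trusted, started = set(rom_trusted), []
    for comp in chain:
        if fingerprint(comp.signer_pk) not in trusted:
            return started, f"{comp.name}: signer not authorized"
        if not verify(comp.signer_pk, comp.signed_bytes(), comp.sig):
            return started, f"{comp.name}: signature mismatch"
        started.append(comp.name)
        trusted = set(comp.next_signers)  # this stage decides who may sign the next
    return started, None


def build_chain():
    """Constructed three-stage chain; each vendor has its own key."""
    def fp(seed):
        return fingerprint(keygen(seed)[1])

    applet = make("applet", b"plugin v1", b"applet-vendor")
    app = make("application", b"control app v1", b"app-vendor", [fp(b"applet-vendor")])
    os_image = make("os", b"rtos kernel v1", b"os-vendor", [fp(b"app-vendor")])
    rom = {fp(b"os-vendor")}  # the only trust anchor held in the BIOS/ROM
    return rom, [os_image, app, applet]


if __name__ == "__main__":
    rom, chain = build_chain()
    print(boot(rom, chain))
    chain[1].code = b"control app v1 + implant"  # file modified after signing
    print(boot(rom, chain))
```

Because a Lamport key signs a single image, an update in this sketch needs a fresh signing key whose fingerprint the previous stage already lists; a reusable scheme such as RSA or ECDSA removes that constraint.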

I invite you to view a pre-recorded Webinar to see how CodeMeter enables the flexibility of secure code upgrades, which will be required in the ever evolving world of connected embedded systems, with the security of the closed, non-changeable, unconnected systems of today.

Access the recording now.

Topics: CodeMeter, Code Integrity, embedded security

Webinar: Embedded Security and the IoT

Posted by Terry Gaul on Apr 6, 2015 6:24:28 AM

Live Event:

Embedded Security and the IoT - Challenges, Trends and Solutions
April 9, 2015
11:00 am PST

Cisco forecasts that by 2020 there will be 50 billion connected devices on the planet spanning everything from entertainment and information to the industrial and medical markets. The benefits are obvious. The risks are significant with catastrophic consequences. Internet of Things (IoT) security is a broad issue with many dimensions.

Security experts from RTI, Texas Instruments, Thingworx, and Wibu-Systems will describe risks and solutions for securing IoT devices during this one hour Webinar hosted by OpenSystems Media.

Topics for discussion include:

  • Secure software updates via integrity protection
  • Data centric security for the IoT
  • Protecting Internet communications in IoT devices
  • Secure IoT deployments
Register for the Webinar

Speakers:

Dr. Stan Schneider
CEO
RTI

Gil Relter
Strategic Marketing Manager,
Wireless and IoT
Texas Instruments

Rob Black
Sr. Dir. Product Manager
Thingworx, PTC

Marcellus Buchheit
President and CEO
Wibu-Systems USA


Topics: embedded security

Is security an afterthought in the cyber world?

Posted by Terry Gaul on Mar 16, 2015 5:09:19 AM


I recently read an interesting article in Engineering and Technology Magazine, entitled ‘Immature’ Internet of Things Hackable with Primitive Methods. What caught my eye was the opening paragraph that stated: “The emerging Internet of Things lags massively behind conventional computers in terms of cyber security with manufacturers failing to implement basic security practices, one researcher has demonstrated.”

That researcher was James Lyne, Global Head of Security at Sophos, who spoke at the Mobile World Congress in Barcelona. During his talk, he demonstrated how to gain access to Internet-connected CCTV cameras using a simple brute force attack. The article went on to summarize many additional examples of the insecure nature of IoT devices.

Part of the problem, Lyne said, “is the fact the market is driven by innovation and focused on marketable features instead of security and privacy concerns.” And this point, I believe, hits the nail right on the head. Our customers are very bright software engineers who are focused on developing innovative desktop applications, mobile apps, or the embedded systems that are at the core of IoT devices. While they understand the need to protect their software and IP against piracy and reverse engineering, implement a secure licensing strategy, and protect embedded systems against malicious tampering, they also recognize that they are not experienced in these areas. This is why they turn to security experts like Wibu-Systems for help. Jay Grenier of Faceware Technologies, one of our customers using our CodeMeter software protection and secure licensing platform, put it this way:

“With CodeMeter, I rest easy knowing that our technology is completely secure from hackers and reverse-engineering. With this weight lifted off my team, it allows us to focus on what’s most important in software development: creating great products.” (read the case study)

With all of the highly publicized security breaches occurring in the past few years as well as the rapid evolution of the IoT, it’s time to elevate the importance of software security. A sound security strategy should be designed into the product from the start, not as an afterthought.

View our customer case studies and see how easy it is to protect software and IP, secure embedded systems and connected devices, and securely manage licensing.

Topics: CodeMeter, embedded security, Internet of Things