Wibu-Systems Blog

Stay secure

Posted by Terry Gaul on Dec 22, 2015 5:21:21 AM

The close of a year and the anticipation of what’s to come in the New Year always bring about some interesting reviews of the past 12 months and predictions for the future by industry analysts, company executives and the trade press. Two articles recently caught my attention.

The first was an article on healthcareanalytics.com that noted Healthcare IoT topics dominated their top 10 stories of 2015. In fact, three IoT related stories made their top ten, including the year’s most popular story, Why Healthcare Big Data Analytics Needs the Internet of Things.

I found this quote from writer Jennifer Bresnick in particular to be a very clear indicator of the power of the IoT for healthcare: “While some may view the IoT as the perfect set-up for a post-apocalyptic novel, it has real power for healthcare. Analytics systems that integrate medical devices like imaging machines and bedside monitors can reduce unnecessary spending, improve diagnostic accuracy, and slash repeated tests. Monitoring hand hygiene through internet-connected sanitizer stations can cut infection rates and save lives. Increasing patient engagement through smartphones and patient-generated health data doesn’t just improve satisfaction and overall health, but it also helps providers get paid.”

Secondly, Jahangir Mohammed, a member of the World Economic Forum, published his 5 Predictions for the Internet of Things in 2016. His first prediction caught my eye and I couldn’t agree more:

1. “The ‘security of things’ will take centre stage. In 2015, the market saw tremendous growth in the number of connected devices, and that proliferation gave rise to concerns about the security of IoT. Next year will be the one where IoT security takes centre stage – and the winners will be the solution providers who can help enterprises not only deliver connected services, but secure them, too.”

These two thoughts go hand in hand. There is great potential for the IoT to dramatically change the healthcare delivery landscape, from improving patient safety and outcomes to enhancing the way care is delivered. But, success will be predicated upon the ability to integrate these connected systems, devices and data in a secure manner while ensuring patient privacy and protecting against cyberattacks. And this applies to all industries where IoT solutions are being developed and deployed, and that’s just about everywhere.

Fortunately, technology exists today that enables device developers to incorporate security into their designs and provide that safety assurance. Wibu-Systems co-founder and CEO Oliver Winzenried recently wrote an interesting article that appeared in Medical Device Developments magazine, entitled Stay Secure, where he addressed both the challenges and the security solutions for the medical device industry.

He wrote: “Manufacturers of IoT devices in the medical space must implement security mechanisms by design to safeguard patients’ safety and privacy, and device availability and robustness against cyberattacks and product piracy.”

The article goes into great depth about technologies that will help developers effectively meet these challenges.

Topics: embedded security, Internet of Things, cybersecurity

Security by Design for connected devices

Posted by Terry Gaul on Dec 4, 2015 7:52:53 AM

There were some interesting findings released in a global study this past June conducted by Harbor Research (in conjunction with Progress Software) on the State of IoT: 2015 Global Developer Study. Not surprisingly, inexperience, interoperability and security were at the top of the list of challenges mentioned by 678 developers polled in the study. Here are a few of the key findings: 

  • Only 50% of developers say they have the skills, resources and technological tools to deliver on IoT expectations.
  • Interoperability, integration, security and privacy are among the top concerns of IoT developers
  • Low levels of monetization reflect business models that have not kept pace with technology advances
  • Current activity to address these issues is scattered among government organizations, various company alliances and other disparate groups
  • Security must be factored in from the beginning of development of any IoT product or application
  • Developers believe commercial vendors and the open source community have the greatest power to help them overcome these challenges

Certainly security and software monetization are on the top of our list and the main focus of our business. In our ongoing discussions with customers, we’re finding that more and more developers are looking to vendors like Wibu-Systems to help them address security from the start rather than later in the development process. And this is a growing sentiment with embedded system developers of connected IoT devices, in particular.

To put it all into perspective, I invite you to read our latest white paper, Licensing and Security for the Internet of Things. This document delves into the current trends in IoT device development, strategies for success, and standards for protection and licensing systems in the IoT. It also presents a detailed explanation of our extensive CodeMeter toolkit that provides protection that can be easily and securely integrated into the software. The technology protects against reverse engineering and software replication and provides integrity protection of the application, licensing options, and flexible management of access rights.

Download the white paper and learn about the benefits of security by design.

Topics: CodeMeter, embedded security, Internet of Things

Endpoint Security for a Rail System: Another Industrial Internet System Success Story

Posted by Terry Gaul on Nov 18, 2015 10:45:11 AM

When AT&T, Cisco, GE, IBM and Intel founded the Industrial Internet Consortium in March 2014, I wonder if they had envisioned how quickly the international technology community would embrace their mission to catalyze and coordinate the priorities and enabling technologies of the Industrial Internet. Many amazing collaborative solutions have already emerged – for example, RTI and Siemens teamed up on a solution to network and control hundreds of wind turbines for better control and optimization, and National Instruments and Airbus have developed tools for smarter factories. Just take a look at the many case studies published by IIC members in a variety of fields – communications, energy, healthcare, manufacturing, transportation and logistics, and security – and you will gain a sense of the enormous potential for the connected world.

Industry collaborations and technology partnerships are the foundation upon which these innovative Industrial Internet systems will be created. Wibu-Systems’ main focus is to provide the protection platform for our partners to secure these next generation systems. For example, as a member of the Infineon Security Partner Network (ISPN), we have worked closely with Infineon and other leading security vendors to secure devices and systems in various applications. In a recent collaboration, we employed Infineon’s SLE 97 security controller and our CodeMeter Embedded Protection to deliver an endpoint security solution to safeguard railway control systems.

In this use case, the safety of the application was paramount. Hardware components had to comply with an extended operating temperature range, moisture challenges, and vibrational conditions. The software security elements were tasked to guarantee the highest level of security against cyber threats while protecting IP against reverse engineering and piracy. And, the solution needed to be compatible with the real-time VxWorks operating system already in use. The multiplicity of potential attack vectors called for an endpoint security solution. The CodeMeter-based solution met all these criteria and was then integrated into the existing power-controlling infrastructure.

You can read more specific details about the cryptographic elements of the solution, secure boot mechanism and other innovative development and implementation details in this case study.

 

Topics: CodeMeter, Code Integrity, embedded security, Internet of Things, cybersecurity

Industrial Internet System Security: several good questions and many good answers

Posted by Terry Gaul on Nov 4, 2015 1:32:29 PM

The Industrial Internet Consortium held an interesting TweetChat last week in preparation for their Security event held on Tuesday, November 4 in NYC. The IIC-led chat posed 6 questions and received enthusiastic responses in a lively chat by the many security experts who participated. I’ll attempt to summarize answers to the questions in this post, but you can view the TweetChat in its entirety here.

Q1: What are some examples of solutions you have already seen securing Industrial Internet Systems?

This question solicited pointers to many current security solutions, from wastewater facility control networks to anomaly detection and machine-learning-based approaches to uncover malicious activities. Others mentioned security solutions for embedded devices for protecting product know-how and software IP from theft and piracy, and of course, Wibu-Systems mentioned our solutions for railway control systems, data validation and reconciliation systems, and manufacturing. Case studies of many of these solutions can be found on the IIC website.

Q2: Intentional vs unintentional threats: are there different approaches to protecting Industrial Internet systems?

There seemed to be general agreement that both types of threats will need to be addressed during the design phase, while intentional threats would require strong encryption measures and comprehensive security, and “unintentional threats require easy but strong user authentication”. The IIC unveiled an interesting security infographic of their own to add content to the conversation. 

Q3: Do the benefits of deploying Industrial Internet solutions outweigh the security risks?

This question was answered with a resounding "yes" by the group and several noted that “the greater the risk the greater the reward, and the IIoT is no exception.” Wibu-Systems cautioned that a single incident can disrupt production, compromise safety, and reveal confidential data, with financial and legal consequences.

Q4: Open standards or proprietary solutions for IIoT security? Why?

Most participants agreed that Open International Standards would “allow for greater participation, ease of adoption and accessibility for security researchers.” Transparency, industry cooperation, and interoperability are key. However, a few thought that there was still room for proprietary solutions or a mixture of both. 

Q5: What new security functions will future industrial devices need to support?

User authentication, encryption, signing, access control, and measures against tampering and reverse engineering are all key security features for Industrial Internet systems. Being secure, vigilant and resilient in the connected age seemed to be the consensus for this question.

Q6: What are some measures an organization can take to ensure their system is secure?

It seemed here that the common sentiments were to adopt a security-by-design mentality, get management buy-in early, educate, take great care in the amount and manner in which data is collected, and hire experts as necessary to help design and check device security.

I’m sure this TweetChat was one of many more collaborative events focused on developing innovative solutions for securing Industrial Internet systems. Wibu-Systems is an active participant in the IIC Security Working Group and we will continue to report progress in the coming weeks.

Topics: Internet of Things, cybersecurity

Protecting the Healthcare Landscape of 2020

Posted by Terry Gaul on Sep 8, 2015 1:00:00 AM

The Deloitte Centre for Health Solutions paints an interesting picture of the healthcare and life science sectors in their report, Healthcare and Life Sciences Predictions 2020 – a bold future? The landscape they envision is being shaped by the many scientific and technology innovations emerging today.

By 2020, they foresee an era of digitized medicine where patients manage their own electronic health records and providers and patients share crowd-sourced data via social media and other electronic communities. Today, wearable technologies have been embraced mainly by fitness buffs. But by 2020, Deloitte points to the development of new biosensors that will enable broad adoption of wearables for remote monitoring, disease management and early detection. And in the age of fully digitized medicine, Big Data will have found a way to leverage the healthcare data explosion and deliver information to patients and providers to make better and more informed decisions.

Deloitte imagines that “the convergence of biomedicine, IT, health data, wireless, and mobile will have transformed medicine from an art to a data driven science providing the right care, in the right place, at the right time and at affordable cost.”

The report presents quite an optimistic outlook, but quite plausible from Deloitte’s standpoint, based on the evidence presented. However, Deloitte also points out the many hurdles that will have to be addressed along the way. The two most prominent issues involve patient privacy and safety. While an abundance of patient data will help develop better treatments and improve outcomes, the protection of patient privacy and confidentiality is still paramount. Much more progress needs to be made in cybersecurity to provide the assurances that patient information is protected.

One area that was not addressed in detail in this particular report is the importance of protecting not only patient data, but the connected devices and embedded software themselves from malicious tampering. I like to use the example of former U.S. Vice President Dick Cheney when he acknowledged that he once feared that terrorists could use the electrical device that had been implanted near his heart to kill him and had his doctor disable its wireless function. The device in question was a defibrillator that could detect irregular heartbeats and control them with electrical jolts. Cheney had his doctor turn off the device’s wireless function in case a terrorist tried to send his heart a fatal shock.

Deloitte delved further into these types of issues in a brief entitled Networked medical device cybersecurity and patient safety: Perspectives of health care information cybersecurity executives. The brief notes that while connected medical devices have the potential to play a transformational role in healthcare, they also may be a vehicle that exposes patients and providers to safety and cybersecurity risks such as being hacked, being infected with malware and being vulnerable to unauthorized access.

With the rapid proliferation of electronic patient data, wearables and other connected medical devices in the healthcare landscape, cybersecurity will be more important than ever. Fortunately, proven technologies exist today for protecting embedded software and connected devices from tampering and execution of malicious code.

Read how custo med, a leading medical diagnostic company in Germany, employs Wibu-Systems’ technology to keep patient data private and protect their diagnostic cardio-respiratory acquisition and reporting system from tampering. Download the case study.

Topics: CodeMeter, embedded security, Internet of Things, cybersecurity

Let’s Get the IoT Buzz Straight

Posted by Terry Gaul on Aug 31, 2015 1:00:00 AM

It has been several years since Kevin Ashton introduced the concept of the Internet of Things, based on RFID and sensor technology that enable computers to observe, identify and understand the world—without the limitations of human-entered data. That early concept of enabling objects to make decisions and function without human interaction has given rise to an incredible wave of new ideas, technologies and applications that could not have been conceptualized just a few years ago. And now the IoT is ubiquitous, a buzzword representing enormous change that can affect nearly every aspect of our life.

As new IoT applications begin to take shape, we can start to envision the future. When Mr. Ashton dreamed up the IoT, one has to wonder whether he had considered smart clothing – a dress, for example, that changes colors in response to sensors that interpret human emotions by reading brainwaves. Or wearable devices that can monitor our heart rate or other physiological factors for health safety purposes. We’ll also not only have smart appliances, but completely smart homes that will monitor energy usage and keep things running at optimal efficiency. We’ll have smart cars that can run without human drivers and intelligent factories that will operate with fewer workers.

The IoT is truly a revolution and we humans will need time to adapt to this rapidly evolving world. So to start the process, let’s get our buzzwords and catchphrases straight:

Industry 4.0 is the European movement that originated in Germany (born under the name of Industrie 4.0) and has been described as the Internet of Things of Industry. Industry 4.0 facilitates the vision of the Smart Factory where cyber-physical systems (CPS) monitor physical processes, create a virtual copy of the physical world and make decentralized decisions. Via the IoT, cyber-physical systems communicate and cooperate with each other and humans in real time. In the U.S., terms like “connected systems” or “connected devices” are popularly used to describe these capabilities. Cyber-physical systems are engineered systems that are built from, and depend upon, the seamless integration of computational algorithms and physical components. According to the US National Science Foundation, advances in CPS are expected to enable capability, adaptability, scalability, resiliency, safety, security, and usability that will far exceed the simple embedded systems of today.

The Industrial Internet Consortium (IIC) is using the terms Industrial Internet and the Industrial Internet of Things (IIoT) to express their mission to accelerate the development, adoption and widespread use of interconnected machines and devices, intelligent analytics, and people at work.

At the end of the day, pick your buzzword or catchphrase and begin to prepare and re-educate yourself for adapting to a whole new connected world. www.wibu.com is a good place to start.

Topics: Internet of Things

Monetizing IoT Devices

Posted by Terry Gaul on Jul 31, 2015 7:59:31 AM

Aside from the widespread attention and hype surrounding the prolific growth expectations of the Internet of Things (IoT), industry focus has been on potential IoT device vulnerabilities and cybersecurity. The recent well-publicized cyberattack demonstration on an automobile adds more fuel to the fire. However, industry analyst firm Gartner adds another interesting topic to the IoT discussion. They point out that with software at the core of embedded systems, manufacturers of IoT devices will soon be consumed with understanding the importance of software monetization.

In a recent news release, Laurie Wurster, research director at Gartner, said: "By monetizing the software on their devices, these (IoT) vendors will be able to increase and drive recurring revenue streams, creating billions of dollars of additional value. For example, with an estimated 25-plus billion 'things' in the marketplace, and if manufacturers are able to collect an average of $5 for software from each of these installed units, that translates to additional revenue estimated at $130 billion."

While software monetization strategies were an ongoing focus for successful ISVs of conventional PC applications for the past decade or more, it is a novel concept for this new breed of embedded system manufacturers. But once they have a full understanding of the financial benefits of a solid software monetization strategy, these IoT “software vendors” will be heading down the same path to maximize revenues.

What can IoT device manufacturers learn from the past experiences of ISVs about monetizing their IoT devices? I see three key areas of note:

  1. license lifecycle management
  2. software protection for the ISV and security for the user of the IoT device
  3. security implementation

Let’s take a closer look:

License Lifecycle Management

Device manufacturers will need to learn how embedded software can be leveraged to create product differentiation and provide competitive advantages. An agile licensing schema will facilitate software monetization techniques that will enable them to quickly adjust product functionalities, pricing and compliance needs and enable new business models – such as Pay-Per-Use or Features on Demand – to adapt to the ever-changing market requirements. A comprehensive license lifecycle management strategy will not only provide a flexible licensing component, but also help to increase revenue growth through operational and logistical cost reductions and efficiency optimization.

Software Protection and Security

Flexible licensing models paint only half of the license lifecycle management picture. The other half relates to the protection and security of the device and the software itself. Without fool-proof protection, it is all too easy for unscrupulous hackers to attack embedded devices by tampering with unprotected software code, disabling insecure license management systems, or extracting proprietary code to reverse engineer and build counterfeit products. ISVs have learned the hard way how this rampant criminal activity adversely affects bottom line revenues. And, this is just as true for IoT device manufacturers. But it’s not all about ISVs. Users of IoT devices also benefit from these security mechanisms.

Security Implementation

Finally, many ISVs learned over the years that licensing and security are complex and not necessarily a core strength of their developers. Some of those ISVs who struggled to build their own licensing systems often overburdened their development resources and took them away from their strength – developing application code. Other ISVs turned to commercial licensing solutions and security experts, and partnered with them. This is an important lesson for IoT device manufacturers as well. I’ve already seen many solutions where the access to a device or the activation of a feature was protected by a simple password. Once hacked over the Internet, these features became available to anyone. Cryptographic methods are only one part of the equation; their implementation is as important as the technology itself. With the growing concerns over connected device vulnerabilities and cyberattacks, security is one area that needs to be considered as early as possible in the device development process, together with security professionals.

I hope I have conveyed the importance of license lifecycle management. If you would like to learn more about license lifecycle management, I invite you to review our white paper Integrity Protection for more information.

Topics: License Management, secure licensing, software monetization, embedded security, Internet of Things, cybersecurity

The Role of Security in the Macroeconomy

Posted by Terry Gaul on Jul 2, 2015 3:45:59 AM

A recent report released by the Economist Intelligence Unit entitled Long-term Macroeconomic Forecasts: Key trends to 2050 highlighted some of the emerging economic issues expected to shape global business in the coming decades. Some of the key findings of interest were:

  • China is anticipated to overtake the United States in 2026 in nominal Gross Domestic Product (GDP) and maintain its position as the largest economy by 2050 while India will likely move to third place with the US in second.
  • By 2050 Asia is predicted to account for 53% of global GDP.
  • Climate change, international security and global economic governance are key issues that will be addressed by the leading economies.

Also noteworthy was the projection that “economic growth will be driven by countries moving from less technologically intensive production to capital-intensive manufacturing production.” For more advanced economies, the report went on to predict that “gains from the more efficient usage of capital through increased technological progress as a result of investment in research and development (R&D) will boost growth.”

Undoubtedly, much of this technology investment and growth will be fueled by the Internet of Things and the efficiencies to be gained by the networking of machines, people and business in the so-called smart factory or Industry 4.0. In his article, Internet of Things – Security is a prerequisite for success, in the May 2015 issue of The Vault, Dr. Stefan Hofschen, Infineon Technologies AG, wrote:

“Especially in the context of Industry 4.0 and the automotive industry, the increasing connectivity provides a great number of opportunities for the economy. Yet, it also presents great challenges for businesses, foremost in questions of data security. How can business secrets and intellectual property be protected on the open Internet? How is data protection and confidentiality ensured? How secure is the communication between the different devices or components? And how can attacks be recognized and potential damage prevented? In short, data security and system integrity are essential for the success of new business models, because they protect the availability and reliability of products and services.”

And while many divergent issues will impact the macroeconomy of the future as reported by the EIU, cybersecurity, or the lack thereof, will undeniably be a key factor as the financial damages caused by security breaches can far exceed the upfront technology investments. For example, manipulation of the firmware during an update of a single production machine can cause damage to the entire production process.

Well-planned and technologically superior security measures are vital to provide protection against manipulation and tampering of connected machines and devices, loss of intellectual property and know-how, and theft of proprietary business or personal data. Fortunately, companies like Wibu-Systems have developed cryptographic technologies and other modern security mechanisms to protect the integrity of these smart systems and prevent such malicious activities.

At the IT Summit 2014 in Hamburg, Germany, Infineon, Deutsche Telekom, Fraunhofer SIT, TRUMPF, Wibu-Systems and Hirschmann demonstrated such a security solution for an industrial manufacturing process. I invite you to read more about the technology solution and how it was implemented and visit our new Web site to learn more about all of our proven security solutions for PC applications and embedded systems.

Topics: CodeMeter, embedded security, Internet of Things, cybersecurity

A Collaborative Approach to Cybersecurity

Posted by Terry Gaul on Jun 17, 2015 12:00:00 AM

“Attackers — in ever greater numbers and with increasing sophistication — see, in the growing promise of our tech-connected world, opportunities to steal or cause major disruption or destruction by exploiting vulnerabilities. Unfortunately, as technology’s benefits expand and evolve, so too will the threats. Countering those threats and ensuring the resilience of our cyber-enabled systems will require flexibility and an ability to evolve as well.”

So states the BSA Software Alliance in their recently released report, EU Cybersecurity Dashboard: A Path to a Secure European Cyberspace. The purpose of the report was to lay the groundwork for governments to develop the necessary policies, legal frameworks and implementation infrastructure to protect their connected systems and prevent, mitigate and respond to cyberattacks. And while the report was focused on members of the EU, the same policies and framework can be and should be considered globally. 

The report examined five key areas of cybersecurity policy:

  • Legal foundations

  • Operational capabilities

  • Public-private partnerships

  • Sector-specific cybersecurity plans, and

  • Education

I found the discussion around the importance of public-private partnerships of particular interest. The report concluded that since most infrastructure is owned by the private sector, effective public-private cooperation is essential. Cooperation between stakeholders by sharing information, experience and perspective will greatly improve the effectiveness of risk management. I couldn’t agree more. This is the main reason why Wibu-Systems is involved with so many industry associations, such as the Allianz for Cyber Security, which consists of a community of enterprises, government bodies, municipalities and private users, dedicated to strengthening security protocols.

Just as collaborations between the public and private sectors are important, so are collaborations between technology companies. For example, as an active member in the Silicon Trust, we are working side by side with companies like Infineon, Deutsche Telekom and others to develop security solutions in support of the success of Industry 4.0. In partnership with Wind River, our technology is also helping to provide greater security for their VxWorks platform, the most widely used real-time operating system for embedded systems.

With Industry 4.0 and the Internet of Things, the vision of a world characterized by a myriad of interconnected embedded devices is rapidly emerging. So too is a wave of new cyberthreats to people, processes and technology. Intellectual property protection, tamper-proofing, and cybersecurity are becoming essential for the business of machine producers and operators alike. Our goal, in conjunction with our partners, is to make a significant contribution to this new interconnected world by continuing to develop and improve cybersecurity technology to protect against cyberattacks and make the world a safer place.

Read more about Wibu-Systems’ protection suite for embedded systems.

Topics: embedded security, Internet of Things, cybersecurity

Is security an afterthought in the cyber world?

Posted by Terry Gaul on Mar 16, 2015 5:09:19 AM

I recently read an interesting article in Engineering and Technology Magazine, entitled ‘Immature’ Internet of Things Hackable with Primitive Methods. What caught my eye was the opening paragraph that stated: “The emerging Internet of Things lags massively behind conventional computers in terms of cyber security with manufacturers failing to implement basic security practices, one researcher has demonstrated.”

That researcher was James Lyne, Global Head of Security at Sophos, who spoke at the Mobile World Congress in Barcelona. During his talk, he demonstrated how to gain access to Internet-connected CCTV cameras using a simple brute force attack. The article went on to summarize many additional examples about the unsecure nature of IoT devices.

Part of the problem, Lyne said, “is the fact the market is driven by innovation and focused on marketable features instead of security and privacy concerns.” And this point, I believe, hits the nail right on the head. Our customers are very bright software engineers who are focused on developing innovative desktop applications, mobile apps, or the embedded systems that are at the core of IoT devices. While they understand the need to protect their software and IP against piracy and reverse engineering, implement a secure licensing strategy, and protect embedded systems against malicious tampering, they also recognize that they are not experienced in these areas. This is why they turn to security experts like Wibu-Systems for help. Jay Grenier of Faceware Technologies, one of our customers using our CodeMeter software protection and secure licensing platform, put it this way:

“With CodeMeter, I rest easy knowing that our technology is completely secure from hackers and reverse-engineering. With this weight lifted off my team, it allows us to focus on what’s most important in software development: creating great products.” (read the case study)

With all of the highly publicized security breaches occurring in the past few years as well as the rapid evolution of the IoT, it’s time to elevate the importance of software security. A sound security strategy should be designed into the product from the start, not as an afterthought.

View our customer case studies and see how easy it is to protect software and IP, secure embedded systems and connected devices, and securely manage licensing.

Topics: CodeMeter, embedded security, Internet of Things