By 2025, there will be more than 21 billion devices deployed in our Internet of Things (IoT) ecosystem, driving the digital transformation responsible for every industry’s innovation and growth. Just one year later, in 2026, the IoT is estimated to provide over $1 trillion of revenue across markets worldwide. With such a promising projection and no signs of the IoT market slowing down as our economies increasingly rely on connectivity to survive and thrive, the success of many industries relies on the mitigation of risks with effective security measures.
The ever-expanding threat landscape
The explosion of intelligent connected devices presents a massive expansion of the “attack surface” hackers can target. Many of these devices are vulnerable to attacks, and the level of risk continues to rise. Each new device that connects to a network is potentially exposed at once to viruses, malware, and other attacks that could result in industrial espionage or safety and security issues.
Machines and devices in virtually every industry can be connected and configured to send data over cellular networks to cloud applications and backends. Many IoT devices perform mission-critical functions in medical, industrial, infrastructure and military environments. Any unauthorized action affecting the confidentiality, integrity and availability (CIA) of an IoT system could result in irreversible damage to a company’s operations or reputation, or cause a catastrophic event with life-threatening consequences.
A failure to secure IoT systems has already led to several costly or dangerous incidents. For example, four years ago 1,700 commercial websites such as Amazon, PayPal and Netflix were brought down by a Mirai botnet which leveraged millions of IoT connected devices such as webcams and DVRs through an attack on an internet service provider. This cost millions of dollars in damages and loss of business with some of the world’s leading sites.
Increasing importance of security
As the market for IoT devices grows, the competition between manufacturers to offer the best capabilities at the cheapest price increases, carrying the dangerous risk of security being overlooked. This creates a threat climate like never before, as these devices become an increasingly enticing prospect for hackers. However, not acting now may cost a lot more in the future if damage occurs.
To create a trusted computing ecosystem comprised of billions of IoT devices, security measures must be considered during the design and manufacturing process. With an unprecedented number of IoT devices which all vary in size, functionality, data type and computing power, there is no ‘one size fits all’ approach that protects every IoT deployment. Several factors must be considered to ensure the most stringent security measures are taken to lower the risk of potential attacks.
Trusted computing is the answer
Firstly, data must be protected with encryption. To protect data in transit from eavesdroppers, end-to-end encryption must be used so that unauthorized parties cannot decrypt it. The self-encrypting drive (SED) standards from TCG enable stored data to be protected with encryption built into the drive. The SED standard is available in a wide variety of interoperable products, including hard drives, solid state drives, hybrid drives and enterprise storage systems, from a variety of vendors. These drives are already in use in a number of devices, including printers, edge gateways and multi-function devices.
Many devices will likely be in operation for decades and might be manufactured by vendors who provide infrequent or no updates. The latest Trusted Computing innovations in hardware security are essential to providing a simpler Root of Trust (RoT) foundation to build an anchor of cybersecurity protection. The RoT is a concept that starts a chain of trust, which is needed to ensure devices boot with legitimate code. If the first piece of code executed has been verified as legitimate, that trust is passed on through the execution of each subsequent piece of code.
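The chain of trust described above can be sketched as an added example (not code from TCG or from any product named in this article). It assumes a simple scheme in which each stage image begins with the SHA-256 digest of the next stage and an immutable ROM pins the digest of the first; the function names and stage contents are constructed for illustration.

```python
import hashlib
import hmac

DIGEST_LEN = 32  # SHA-256 output size


def digest(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


def build_chain(payloads):
    """Package stages last to first so each image starts with the digest
    of its successor. Returns (images, digest the immutable ROM must pin)."""
    images = []
    next_digest = bytes(DIGEST_LEN)  # the last stage has no successor
    for payload in reversed(payloads):
        image = next_digest + payload
        images.insert(0, image)
        next_digest = digest(image)
    return images, next_digest


def boot(rom_pinned_digest, images):
    """Verify each stage before 'running' it; halt at the first mismatch.
    Returns (indexes of the stages that ran, status string)."""
    expected = rom_pinned_digest
    ran = []
    for index, image in enumerate(images):
        if not hmac.compare_digest(digest(image), expected):
            return ran, f"stage {index} rejected"
        ran.append(index)
        expected = image[:DIGEST_LEN]  # trust moves on to the next stage
    return ran, "ok"


# Constructed sample stages, not real firmware.
STAGES = [b"bootloader v1", b"kernel v1", b"application v1"]
IMAGES, ROM_DIGEST = build_chain(STAGES)

if __name__ == "__main__":
    print(boot(ROM_DIGEST, IMAGES))
    # A modified kernel no longer matches the digest held by the bootloader.
    tampered = list(IMAGES)
    tampered[1] = tampered[1][:DIGEST_LEN] + b"kernel v1 + implant"
    print(boot(ROM_DIGEST, tampered))
```

Because every digest is covered by the stage before it, changing any stage forces a change in all earlier stages, and the first of those is rejected by the value fixed in ROM.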
For demanding and high-risk real-time applications, such as in manufacturing, automobiles and other transportation systems, Trusted Platform Module (TPM) hardware can be built in, not just into the plant’s firewall but also into the control system. This will enable real-time monitoring and allow sophisticated attacks to be identified and prevented at the time when it matters most. The TPM is a standard microcontroller that combines robust cryptographic identity with remote security management features such as remote attestation. Because the TPM is defined by open standards, designers can choose from a variety of TPM products from different vendors supported by common software.
Many IoT devices lack the computing power or memory capacity to support even basic security authentication and authorization. This is often the case with extremely small connected devices such as thermal sensors or small switches, which must run security functions in very little space. Although small, these devices, if left without security measures in place, will create a weak access point for a cyberattack. However, due to very minimal space, power and cost limitations, even a tiny TPM chip would be impractical. Instead, TPM firmware can be created that has the same set of commands but sits just above the hardware, and is therefore more cost-effective.
Firmware and configuration data are also security-critical components in any IoT device and must remain available and trustworthy in the face of an attack. These mechanisms must be resilient to tampering or corruption by destructive malware and built upon trust in the platform recovery support. In the event of a device being compromised, it needs a safe place to fall back to in order to recover. To do this, a trusted hardware environment is needed, whether it is a Device Identifier Composition Engine (DICE) or a TPM.
DICE provides an alternative for devices where inclusion of a TPM is impractical or infeasible. DICE creates a platform for data integrity, device recovery, and system updates. It does so with a layered boot architecture, leveraging Unique Device Secrets and individual fingerprints with each layer and configuration. It allows silicon vendors to leverage existing hardware security functionality to enable foundational security scenarios that rely on device identity and attestation.
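The layered derivation described above can be modelled in a few lines. This is an added example, not TCG reference code: it is a simplified model in which each layer's secret is an HMAC-SHA-256 of the next layer's measurement keyed with the current secret, starting from the Unique Device Secret. The choice of HMAC-SHA-256, the function names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac


def measure(image: bytes) -> bytes:
    """Fingerprint of a layer: a hash over its code and configuration."""
    return hashlib.sha256(image).digest()


def derive_next_secret(current_secret: bytes, next_layer: bytes) -> bytes:
    """One-way step: the secret handed to the next layer depends on the
    current secret and on what the next layer actually is."""
    return hmac.new(current_secret, measure(next_layer), hashlib.sha256).digest()


def layer_secrets(uds: bytes, layers):
    """Walk the boot layers in order and return the secret each one receives.
    The UDS itself is consumed by the first step and is never returned."""
    secrets = []
    secret = uds
    for image in layers:
        secret = derive_next_secret(secret, image)
        secrets.append(secret)
    return secrets


# Constructed sample values, not real device secrets or firmware.
UDS_DEVICE_A = bytes.fromhex("11" * 32)
UDS_DEVICE_B = bytes.fromhex("22" * 32)
LAYERS = [b"layer0: first mutable code", b"layer1: rtos + config", b"layer2: app"]

if __name__ == "__main__":
    baseline = layer_secrets(UDS_DEVICE_A, LAYERS)
    patched = layer_secrets(
        UDS_DEVICE_A, [LAYERS[0], b"layer1: rtos + altered config", LAYERS[2]]
    )
    for index, (before, after) in enumerate(zip(baseline, patched)):
        state = "unchanged" if before == after else "changed"
        print(f"layer {index} secret {state}")
```

A change to one layer alters the secret of that layer and of every layer above it, so keys derived from those secrets stop matching what a verifier expects, while two devices running identical firmware still hold different secrets because their Unique Device Secrets differ.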
A secure future for all
As the threat landscape becomes more complex, device manufacturers should leverage Trusted Computing technologies to provide more agility and speed of deployment—to be safe in the knowledge that all layers of security are implemented to protect against the growing sophistication of threats of the future.
Along with other industry specifications and standards including NIST 800-193, TCG is ensuring trusted computing and security are within reach across the broadest range of devices, from high-end servers and storage to the smallest IoT devices. As deployment of IoT and connected devices grows, it is imperative these specifications and standards are followed to ensure a safe, secure ecosystem for all.