Thursday, October 22, 2015

Internet of Things (IoT) Security Measures Insights from Patents

Centralized Security Architecture

Security is one of the most important concerns in IoT deployment. Traditional security architectures regulate access to resources and services through authorization rights granted by a centralized authenticator (e.g., a "trustee"). The centralized authenticator is a device, such as an authorization, authentication, and accounting (AAA) server, that can unilaterally establish a trust relationship between other devices in a federated trust domain. Current authentication schemes include public key infrastructure (PKI) based digital signature techniques. A digital signature, produced with a cryptographic algorithm, marks an electronic document (digital certificate) to signify its association with an entity. The digital certificate is issued by a trusted third party that certifies the digital signature. Irrespective of the authentication mechanism used, a successful authentication process assigns a static (fixed) role to the requesting entity (e.g., the trustee). Authorization processes then determine access privileges based on that fixed role assignment.

US20150106616 illustrates a system that provides secure and efficient communications between IoT devices and back-end systems (e.g., cloud servers) over Internet Protocol networks, using established PKI techniques and algorithms such as public and private keys. The secure communication system uses a security server to communicate with the IoT devices and the application servers. The security server receives data from the IoT devices and forwards it to the application servers using a set of cryptographic algorithms. These can include asymmetric ciphering algorithms, symmetric ciphering algorithms, secure hash algorithms, digital signature algorithms, key pair generation algorithms, a key derivation function, and/or a random number generator. The IoT devices use a pre-shared secret key to authenticate with the security server, and they derive their private/public key pairs internally using cryptographic algorithms. The security server authenticates the submission of the derived public keys using established PKI standards and the associated IoT device identity. The security server then establishes a secure connection with the application servers to send an application message that includes the server identity, an encrypted update instruction, the data from the IoT devices, and the IoT device identity. The application server stores the data for subsequent processing and analysis.


Distributed Security Architecture

Centralized security architectures are sometimes ill-suited for IoT networks. For example, centralized authenticators may lack the flexibility, granularity, and extensibility to make efficient and informed security decisions in highly distributed and/or heterogeneous IoT networks. Accordingly, security architectures capable of providing efficient trust mechanisms in highly distributed open network environments are desired. US20150135277 illustrates a trust management framework that would be invaluable for addressing the needs of current as well as future IoT environments.

The distributed security system provides various trust management schemes and blueprints for a framework in which interested parties can determine the trustworthiness of disparate and heterogeneous IoT entities. The distributed security system uses a point-to-point (P2P) trust management topology in which each peer node stores trust information about its immediate neighboring peer nodes. Trust-based authorization mechanisms use the dynamic trust value assigned to the "trustee" entity and make access control decisions in a highly dynamic manner. The truster decides permissions based on the principal's set of attributes instead of the principal's identity. Trust attributes may include evidence-based as well as reputation-based attributes.
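The trust-based authorization described above can be sketched as follows. This is an added example, not code from US20150135277: the beta-reputation formula for evidence, the 0.7 evidence weight, and all class, method and peer names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NeighborRecord:
    good: int = 0   # evidence: interactions that behaved as expected
    bad: int = 0    # evidence: interactions that violated policy
    recommendations: dict = field(default_factory=dict)  # recommender -> score in [0, 1]

    def evidence_score(self):
        # Beta-reputation expectation (assumed model): 0.5 with no history.
        return (self.good + 1) / (self.good + self.bad + 2)

class PeerNode:
    """Holds trust state only for immediate neighbors, as in a P2P topology."""

    def __init__(self, evidence_weight=0.7):  # constructed weight
        self.neighbors = {}
        self.evidence_weight = evidence_weight

    def add_neighbor(self, peer):
        self.neighbors.setdefault(peer, NeighborRecord())

    def observe(self, peer, ok):
        rec = self.neighbors[peer]
        if ok:
            rec.good += 1
        else:
            rec.bad += 1

    def recommend(self, recommender, about, score):
        # Ignore self-recommendations and opinions from or about non-neighbors.
        known = recommender in self.neighbors and about in self.neighbors
        if known and recommender != about:
            self.neighbors[about].recommendations[recommender] = min(max(score, 0.0), 1.0)

    def trust(self, peer):
        rec = self.neighbors.get(peer)
        if rec is None:
            return 0.0  # unknown principals get no trust
        evidence = rec.evidence_score()
        # Weight each opinion by our own evidence about the recommender.
        weights = {r: self.neighbors[r].evidence_score() for r in rec.recommendations}
        total = sum(weights.values())
        if total == 0:
            return evidence
        reputation = sum(w * rec.recommendations[r] for r, w in weights.items()) / total
        return self.evidence_weight * evidence + (1 - self.evidence_weight) * reputation

    def authorize(self, peer, required_trust):
        # The decision follows the current trust value, not a fixed role.
        return self.trust(peer) >= required_trust
```

Because `authorize` recomputes trust on every call, a neighbor that starts misbehaving loses access without any role being reassigned.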


Smart Grid Security

With the development of smart grid technologies to modernize the electric grid, vulnerabilities were inherently introduced by the use of advanced, networked technologies in connection with electric grid operations. The electric industry has generally avoided the use of modern cyber security and routable protocols, instead relying on obscure protocols and serial communications to comply with critical infrastructure regulations and requirements. Recognizing the need for a smarter and more secure grid, the electric industry and federal government have been working on security standards for the smart grid. US20150281278 illustrates a system for securing electric power grid operations from cyber-attack that meets Federal Information Processing Standards for the electric grid.

The system comprises a collection of security services distributed throughout the smart grid in two main categories: central security services and edge security services. The central security services integrate security controls and enforcement of security policies through service components deployed centrally at a grid control center and at or near the perimeters of an electric power grid. The central security services are physically located at the grid control center and comprise security management services, cyber security infrastructure services, and automated security services. The edge security services are used for security configuration services and automated security services that perform distributed enforcement of security policies at or near the perimeters of an electric grid system.


Connected Car Security

Automobiles are becoming more sophisticated and increasingly use computerized technology, in the form of electronic control units (ECUs), to control critical functions and components such as brake and airbag functionality. While the computerized technology enhances the performance of the vehicle, compromising the operation of the safety-critical ECUs may cause severe damage to the vehicle, its passengers and potentially even the surroundings if the vehicle is involved in an accident with other vehicle(s) or pedestrians. These ECUs are usually connected in a non-secure manner, such as through the CAN bus. Taking control of the vehicle's communication bus can result in compromising the safety-critical ECUs. Some of the ECUs connected to the vehicle's communication bus have external connections, such as the telematics computer and the infotainment system. It is possible to compromise one of these ECUs using a cyber-attack. The compromised ECU then serves as an entry point for the aforementioned attack.


US20150020152 illustrates a security system that protects a vehicle's electronic system by selectively intervening in the communications path to prevent malicious messages from reaching ECUs. The security system includes a filter that prevents illegal messages, sent by any system or device communicating over the vehicle communications bus, from reaching their destination. At its discretion and according to preconfigured rules, the filter may send messages as is, block them, change their content, request authentication, or limit the rate at which they are delivered by buffering them and sending them only at preconfigured intervals.
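The rule-driven filter described above can be sketched as follows. This is an added example, not code from US20150020152: the port names, CAN IDs, mask, interval and buffer depth are constructed values, and the "request authentication" action is left out.

```python
from collections import deque
from dataclasses import dataclass, field

PASS, BLOCK, REWRITE, RATE_LIMIT = "pass", "block", "rewrite", "rate_limit"

@dataclass
class Rule:
    action: str
    mask: bytes = b""       # REWRITE: per-byte AND mask, same length as the payload
    interval: float = 0.0   # RATE_LIMIT: minimum seconds between deliveries
    last_sent: float = float("-inf")
    queue: deque = field(default_factory=lambda: deque(maxlen=8))  # bounded buffer

class BusFilter:
    # Sits between an externally connected segment and the safety-critical bus.
    def __init__(self, rules):
        self.rules = rules  # {(source_port, can_id): Rule}

    def on_frame(self, now, port, can_id, data):
        """Return the frames forwarded to the protected bus at time `now`."""
        rule = self.rules.get((port, can_id))
        if rule is None or rule.action == BLOCK:
            return []  # default deny: no rule means the frame is illegal
        if rule.action == PASS:
            return [(can_id, data)]
        if rule.action == REWRITE:
            if len(rule.mask) != len(data):
                return []  # unexpected length: block instead of guessing
            return [(can_id, bytes(b & m for b, m in zip(data, rule.mask)))]
        if rule.action == RATE_LIMIT:
            rule.queue.append((can_id, data))
            return self._release(rule, now)
        return []  # unknown action in the rule table: fail closed

    def tick(self, now):
        # Periodic call: release buffered frames whose interval has elapsed.
        limited = (r for r in self.rules.values() if r.action == RATE_LIMIT)
        return [f for r in limited for f in self._release(r, now)]

    @staticmethod
    def _release(rule, now):
        if rule.queue and now - rule.last_sent >= rule.interval:
            rule.last_sent = now
            return [rule.queue.popleft()]
        return []

# Constructed rule table; port names and CAN IDs are illustrative only.
RULES = {("telematics", 0x120): Rule(PASS),
         ("telematics", 0x200): Rule(REWRITE, mask=b"\xff\x0f"),
         ("telematics", 0x300): Rule(RATE_LIMIT, interval=0.1)}
```

Frames with no matching rule are dropped, so a compromised externally connected ECU can reach the protected bus only through the message types the table explicitly allows.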

©2015 TechIPm, LLC All Rights Reserved http://www.techipm.com/
