According to a research report by Strategy Analytics, the number of connected IoT devices worldwide will reach 38.6 billion by 2025, and this number will grow rapidly to 50 billion by 2030. TIRIAS Research also predicts that by 2025, 98% of IoT edge devices will use some form of machine learning/artificial intelligence... These market analysis data show that in the foreseeable future, edge computing services will evolve at a very fast pace in terms of scale and user experience.
However, with the rise of IoT edge computing, there has always been a "shadow" that we cannot get rid of, and that is the security issue of edge devices.
Imagine that these tens of billions of edge devices are huge in number and scattered in distribution, and most of them are unattended, which will obviously give network hackers an opportunity to take advantage of; even more fatally, once these edge devices are lost, hackers will invade the entire IoT system through this attack interface, thereby threatening the security of the entire network. Studies have shown that among security attacks on the IoT, about 83% are initiated through edge terminal devices. No wonder some people say that edge devices are inherently "toxic."
Edge device security challenges
There are several main reasons why edge devices are so popular.
First of all, it is common sense that the security level that a device can achieve must be proportional to its performance and cost. However, many edge nodes of the Internet of Things are extremely sensitive to power consumption and cost, and often do not reserve sufficient resources for the deployment and implementation of security functions, which is also an inherent deficiency in edge device security.
Secondly, although the term "Internet of Things" contains the Internet, some security technologies and standards in the traditional Internet of Things (such as encryption technology, TSL protocol, etc.) cannot be directly "taken over" due to the particularity of edge application scenarios of the Internet of Things, such as limited device performance. Instead, they need to be specially optimized before they can be used. This lag in technology and standards will inevitably leave shortcomings in the overall security protection of the network.
Then there is the human factor. From the perspective of product development, secure edge devices require developers to have the corresponding network security knowledge and skills, which is not an area that traditional embedded engineers are good at and concerned about; from the perspective of device operation and maintenance, cloud data centers usually have dedicated security teams on duty, and such security expert support is of course a luxury for massive edge devices. The lack of professional talents is also a key factor restricting the security of edge devices.
The above-mentioned technical and resource bottlenecks, together with the rapidly growing demand for edge computing, will undoubtedly form a prominent contradiction. No wonder people lament that edge device security is "too difficult". Therefore, people naturally call for an edge security solution that can simplify and make things easier. Considering the particularity of edge devices, this solution should have three characteristics:
-
Simpler: It can be implemented without significantly increasing the complexity of the software and hardware systems;
-
Easier: Even developers without cybersecurity expertise can get started;
-
Cheaper: This is a rigid demand of many edge devices and must be taken into account.
Are there any solutions that can meet the above requirements?
Who can we rely on to simplify the deployment and implementation of edge device security?
Let's sort it out here.
Embedded processor with safety features
To add a security umbrella to edge devices, the work that needs to be done can be summarized into three aspects:
-
Confidentiality: Encrypting stored or transmitted data to prevent unauthorized persons from stealing information;
-
Integrity: through anti-tampering mechanisms, ensure that the message is not maliciously modified before reaching the destination;
-
Authenticity: Authenticate devices joining the network to ensure their authenticity and prevent impersonation.
This series of work is usually completed in accordance with a set of rigorous communication security protocols and using a series of security technologies (such as encryption and decryption), which also consumes some system resources accordingly.
Using pure software solutions to implement security functions is certainly more flexible and fast, but the software is easier to crack, and running software often consumes more processor computing resources, and power consumption will also increase accordingly, which is obviously unacceptable for edge devices.
Therefore, using hardware solutions to implement it has become the main technical path for implementing edge security.
For this reason, embedded security processors were born. The reason why the word "security" is added to the name of embedded processors is that they have built-in a variety of security modules (such as encryption and decryption engines, random number generators, etc.) on the general processor architecture, solidifying the computing functions of security software into hardware circuits. Compared with software solutions, this can achieve higher efficiency in security task processing on the one hand, and on the other hand, it is also conducive to more effective protection of sensitive data - currently many security processors use chip fingerprints with physical unclonable function (PUF) for key protection, which is an example.
There are also some security processors that separate security-related computing and processing work from the main processor in their architectural design and have it performed by an independent network protocol processor. This not only reduces the burden on the main controller, but also reduces the burden on developers - they do not need to have advanced network security experience and can get started quickly.
Figure 1: TI’s CC3200 WiFi wireless MCU integrates the TLS protocol stack on-chip, with a network processor dedicated to security protocol processing (Image source: TI)
In recent years, there has been an exciting change in embedded security processors. Technologies that were previously only seen on high-end processors can now be used by lower-end MCUs. For example, Arm has ported its TrustZone security technology to MCU-oriented IP cores based on the ARMv8-M architecture (Cortex-M23 and Cortex-M33). General-purpose MCUs with enhanced security features are now available on the market. This also means that in the future, when people consider security protection for low-cost, low-power edge devices based on MCUs, there will be more powerful "tools" to support them.
Figure 2: NXP’s LPC55S6x secure MCU features an Arm Cortex-M33 core with TrustZone security technology (Image source: NXP)
Plug and Play safety element
However, despite the increasing power and product portfolio of embedded security processors, they still cannot cover all needs in the fragmented IoT market. Some application scenarios may want to add security functions to the entire system in a "plug-and-play" manner without replacing the main control processor, so as to achieve more flexible and quick security deployment of edge devices. This is when the security element (SE) comes into play.
Security element
It is an independent chip responsible for security-related computing tasks, which can realize key encryption and decryption, signature authentication and sensitive information storage functions. It is connected to the main processor through
interfaces such as
I2C
and SPI, and can easily build a secure IoT edge node. Due to the use of the main controller + security element discrete system architecture, although there is one more material in the BOM, the flexibility brought to design development and supply chain management is also a very impressive factor in technical decision-making.
Many people have a clear understanding of the above-mentioned advantages of security elements. Today, the focus of the development of security elements is more on the four words "plug and play", that is, by improving and optimizing the functions of security elements themselves, the threshold for users to implement security functions on edge devices can be significantly lowered.
NXP's EdgeLock SE050
is a good example
in this regard
. Based on the security of Common Criteria EAL 6+, the device has built-in various functions required for secure connection between edge devices and the cloud: EdgeLock SE050 is pre-configured with credentials at the time of production, and these credentials are always saved in the IC; in IoT devices, SE050 is connected to the host processor through the I
2
C interface, and then uses middleware to connect to the cloud and establish a TLS connection (supporting TLS 1.3) using pre-set credentials; the entire end-to-end communication is encrypted to ensure the confidentiality and integrity of all exchanged data. For developers, the biggest advantage of using EdgeLock SE050 is that the entire security implementation process can be completed without writing any security code.
To further accelerate the development process, NXP also provides a complete support toolkit, provides libraries for different MCUs and MPUs, supports multiple operating systems (Linux, Windows, Android, and mainstream RTOS), and provides development resources such as sample codes and application notes. All these efforts are in the hope that the "plug and play" edge security development experience can be more perfect.
Figure 3: NXP’s EdgeLock SE050 secure element strives to provide a “plug and play” development experience (Image source: NXP)
End-to-end systematic security solution
So far, we have introduced two technologies that can make edge devices more secure: embedded security processors and security elements. If you think that edge device security is only a concern of chip manufacturers, you are wrong. In fact, cloud computing vendors are also very active in this regard, and the reason is easy to understand - the more secure edge devices connected to the cloud, the more value of cloud services can be realized.
In this regard, Microsoft can be regarded as the most active one. According to Microsoft's description, Azure Sphere, as a cloud computing-based security service platform, supports the maintenance, update and control of Azure Sphere-certified chips. These services include: establishing connections between devices and the Internet and various auxiliary cloud services, ensuring secure boot, authenticating device identity, integrity and trust root; ensuring that devices run audited code bases; providing a channel to automatically download and install Azure Sphere system updates and application updates on deployed devices.
It is worth mentioning that Azure Sphere is not a simple IoT cloud service. It is actually composed of a complete IoT security system covering from edge to cloud, including three parts:
-
Azure Sphere security service based on cloud platform: It mediates trust in device-to-cloud communications, detects threats, and updates device security to provide continuous security protection for devices.
-
Azure Sphere OS, a custom Linux-based operating system, is designed to create a trustworthy platform and provide a new IoT experience.
-
Azure Sphere-certified silicon with built-in Microsoft security technologies: providing connectivity and a reliable hardware root of trust.
Figure 4: Azure Sphere security service platform architecture (Image source: Microsoft)
In the construction of the entire system, Microsoft personally completed the first two software development tasks, while the third "hard" task was handed over to professional chip manufacturers through ecological chain cooperation. Chip manufacturers will pre-install Microsoft's Pluton security subsystem in their own chips, which includes an Arm Cortex-M4F core as the root of trust for Azure Sphere, and is also responsible for handling matters such as secure boot and secure operation. In fact, this can be regarded as a security processor built specifically for Azure Sphere. At present, chip manufacturers such as MediaTek, NXP, STMicroelectronics, Qualcomm, Nordic, Nuvoton, Silicon Labs, and Toshiba have joined this plan, and corresponding chip products are also being developed and launched one after another.
Backed by Microsoft's strong technical strength, for users, choosing Azure Sphere-certified chips to develop edge devices means placing themselves in a systematic IoT security protection, which is undoubtedly a very worry-free choice.
In addition, Microsoft has proposed a more worry-free solution for existing devices that do not have IoT security capabilities or are not even connected to the IoT. They can access the Azure Sphere security platform and obtain comprehensive protection through a device based on an Azure Sphere certified chip called
the Guardian
Module.
Figure 5: Existing devices are connected to the Azure Sphere security cloud service through the Guardian module (Image source: Microsoft)
This shows that cloud platform vendors are also relying on their own influence to integrate the resources of the ecological chain to provide an end-to-end solution for edge device security protection.
In the era of the Internet of Things, unless you are completely "off the Internet", you will definitely face security threats. Therefore, security must become the foundation of the Internet of Things and become the consensus of IoT technology and service providers. Protecting the security of tens of billions of edge devices is not an easy task, but through the joint efforts of people, I believe it will become easier and easier.
This article is an exclusive original article. Please indicate the source when reprinting it. We reserve the right to pursue legal liability for unauthorized copying and non-compliant reprinting.
Mouser Electronics is a global authorized distributor of semiconductors and electronic components, serving the global electronic design community. Mouser Electronics is an authorized distributor of more than 800 well-known brands, with more than 5 million online products available for order, providing a one-stop purchasing platform for customers. Welcome to follow us to get first-hand design and industry information!
京公网安备 11010802033920号