prpl Foundation Reveals Vision for a Secure Internet of Things

Report Describes Hardware-Enforced Approach to Enabling High-Grade, Scalable, Interoperable Security for IoT Devices

SANTA CLARA, CA--(Marketwired - January 07, 2016) - The prpl Foundation[1] today announces availability of a new document describing a scalable, interoperable and high quality approach to improved security for devices and information in a rapidly connecting world. The new publication, Security Guidance for Critical Areas of Embedded Computing[2], outlines an easy-to-implement approach and is available at http://prpl.works/security-guidance/[3].

"The Internet of Things is rapidly connecting our world in ways not anticipated even a decade ago. This connectivity finds its way into everything from light bulbs and home appliances to critical systems including cars, airlines and even hospitals. Security, despite its huge and increasing importance, has so far been addressed in piecemeal and often proprietary ways. Given ubiquitous connectivity and the rapid emergence of IoT, the need for a well-designed, structured and comprehensive security architecture has never been greater," said Art Swift, president of the prpl Foundation.

Embedded systems and connected devices are already deeply woven into the fabric of our lives, and their footprint is expanding at a staggering rate. Gartner estimates that 4.9 billion connected things were in use by the end of 2015, a 30% increase from 2014.(1) This will rise to 25 billion by 2020 as consumer-facing applications drive volume growth, while enterprise sales account for the majority of revenue.

Security is a core need for manufacturers, developers, service providers and other stakeholders who produce and use connected devices. Most of these -- especially those used on the "Internet of Things" -- rely on a complex web of embedded systems. Securing these systems is a major challenge, and failure to do so can result in significant harm to individuals, businesses and to nations.

"Under the prpl Foundation, chip, system and service providers can come together on a common platform, architecture, APIs and standards, and benefit from a common and more secure open source approach," added Cesare Garlati, prpl's chief security strategist.

The new Security Guidance Document lays out a vision for a new hardware-led approach based on open source and interoperable standards. It proposes to engineer security into connected and embedded devices from the ground up, using three general areas of guidance. These are not the only areas that require attention, but they will help to establish a base of action as stakeholders begin addressing security in earnest.

These areas include:

Addressing fundamental controls for securing devices. The core requirement, according to the document, is a trusted operating environment enabled via a secure boot process that is impervious to attack. This requires a root of trust forged in hardware, which establishes a chain of trust for all subsystems.

Using a Security by Separation approach. Security by Separation is a classic, time-tested approach to protecting computer systems and the data contained therein. The document focuses on embedded systems that can retain their security attributes even when connected to open networks. It is based on the use of logical separation created by hardware-enforced virtualization, and also supports technologies such as paravirtualization, hybrid virtualization and other methods.

Enforcing secure development and testing. Developers must provide an infrastructure that enables secure debug during product development and testing. Rather than allowing users to see an entire system while conducting hardware debug, the document proposes a secure system to maintain the separation of assets.

By embracing these initial areas of focus, stakeholders can take action to create secure operating environments in embedded devices by means of secure application programming interfaces (APIs). The APIs will create the glue to enable secure inter-process communications between disparate system-on-chip processors, software and applications. Open, secure APIs thus are at the center of securing newer multi-tenant devices. In the document, the prpl Foundation offers guidance defining a framework for creating secure APIs to implement hardware-based security for embedded devices.

Supporting Quotes:

"Great paper, very well laid out and easy to read and comprehend. Focus is around constructing the hardware and virtual layers of the endpoints to be designed properly to limit exposure should they come under attack. The four types of IoT systems mentioned in this paper (auto, medical, weapons, and airlines) can all have very personal ramifications to an individual's health if something should go wrong."

-- David Lingenfelter, Information Security Officer, IBM Security Systems and Co-Chair Mobile Group at Cloud Security Alliance

"Imagination welcomes prpl's efforts in addressing the critical security needs in embedded devices with a well-designed, open and standards-based approach. We agree that a structured solution starting with a clear root-of-trust and building comprehensive hardware separation and a robust development and test infrastructure is critical. In fact, we developed OmniShield-ready hardware and software IP driven by the same fundamental considerations, providing root-of-trust and hardware virtualization across all the processors in an SoC including CPUs and GPUs to build a truly secure and reliable system."

-- Majid Bemanian, Director of Marketing, Imagination Technologies

"I read the document with great interest. It is a very good and comprehensive report which we do support. Our security expertise is mainly on network security and user authentication: device security is new to us but I see a lot common approaches with the network security."

-- Rahim Tafazolli, Director of Institute for Communication Systems and 5G Innovation Centre at University of Surrey

"I like the [document] approach as well as the flow of information. The security topics covered are appropriate

Read more