One of the main problems facing industrial internet of things deployments is that perennial issue: security. When you’re deploying and managing hundreds or thousands of devices around an organization, how can you ensure that your devices are running the right firmware, are running the right software, or even that they’re communicating with the right servers? You have only to browse Shodan, a search engine for unsecured IoT hardware endpoints, to see how insecure the devices used to build our future on have become.
It’s no surprise then that Microsoft is talking about its latest updates to Azure’s IoT tools, focusing on securing and managing devices. More important, it’s testing a novel approach to IoT security that could change the game enough to remove the brakes from IoT deployments.
As we’ve seen with a rise in attacks on IoT devices via easy-to-build botnets like Mirai, there are still very basic questions to be answered: How can you ensure the integrity of IoT devices, and how can you keep them up to date?
IoT microcontroller vendors need to build identity and security into their silicon. If they do, devices can automatically be identified and added to a network via tools like Microsoft’s Azure IoT Hub Device Provisioning Service. Azure IoT’s support for hardware security modules and the emerging Device Identity Composition Engine standard should help reduce the risk of device compromise.
Project Sopris tries a novel approach to IoT security
Microsoft Research is also thinking about this problem, with its Project Sopris hardware. Project Sopris aims to deliver both secure hardware and a secure communication channel, with a focus on microcontrollers such as the maker-focused Arduino or the programmable logic controllers (PLCs) that control much industrial machinery. Project Sopris’ intended result is a mix of secure hardware and software that brings many of the trusted computing models used in Windows to IoT devices.
Project Sopris has a sensibly secure IoT stack. It starts with a hardware root of trust, similar to the one developed by the Trusted Computing Group for its Trusted Platform Module. A separate, secured computing environment, this layer creates and manages the keys needed to cryptographically secure connections between devices and servers. It also stores and manages device firmware and software.
Building software for Project Sopris devices is much like building code anywhere: What’s important is how the code is stored and managed. Compartmentalizing code so that a failure in one section doesn’t compromise the rest of your software helps prevent exploits from escalating, while building security tools in every layer can reduce the risk of attacks spreading throughout the device stack. Similarly, by mandating code and device signatures, you are operating devices that can be identified and managed without having to resort to hard-coded passwords that can easily be breached (that’s what Mirai took advantage of).
Perhaps most interesting about Microsoft Research’s device philosophy is the concept of “renewable security.” If a device built using these principles has been breached, it can be refreshed automatically, revoking all the cryptographic keys employed by the device and its software. Once refreshed, a device can be automatically updated with the latest software, with new keys and a new trusted connection to your IoT network.
Giving IoT a bug bounty
Of course, Project Sopris is a new way of thinking about IoT, so it needs to be validated. To do that, Microsoft Research has challenged the security community to disprove the Project Sopris approach. It distributed custom hardware to 150 security professionals, assigning specific bug bounties to secrets hidden in the Project Sopris software. Penetrating the secure silicon at the heart of the device getting the highest reward.
If Project Sopris proves to be as promising as the initial papers suggest, it would be an excellent fit for the Azure IoT device management model and its new SaaS-based IoT Central.
Microsoft already has a cryptographically secured update channel in the shape of Windows Update, one that’s regularly stress-tested by Patch Tuesdays and managed by Microsoft’s own security teams. Using it to deliver updates to secured IoT devices via Azure’s tools could be key to simplifying device management at scale. After all, what’s an extra few thousand devices to a system that’s already working with hundreds of millions?