Heartbleed challenges the Internet of Things

Interviews |
By eeNews Europe

“The Heartbleed SSL hack is a prime example; it’s almost a daily occurrence,” said Chris Smith, vice president of marketing for Europe for Green Hills Software. “The challenge is, what are we going to do about it? How do we secure all these internet-connected devices, and do all these companies developing products understand how they will be interacting with other products, making sure they are not inadvertently building in insecurities?”

Green Hills Software last week launched a programme of IoT security consultants to tackle embedded security and the Internet of Things. The IoT Security Advisors group draws on security experts from all of Green Hills Software’s business units to provide security services.

“In Europe we have technical people that go in and do a high-level assessment, and depending on the areas of specialisation we would bring in the right resources,” said Smith. “The technical people looking at the opportunities in this sector, it’s most of them. It’s a focus across the whole company as we are engaging with regular customers and new opportunities.”

“It’s more than software,” he said. “You can’t talk about security by saying you can fix it with this product or that product. It’s a combination of the right products and how you design your software to be secure. If you are looking to connect devices you need to secure each and every one of those and every network point; otherwise there is a weakness that someone will exploit. Target in the US is a prime example of how things can go badly wrong when there is a weakness in the security; that’s been a big story. They didn’t go after the well-protected datacenters, they went after the weak connections in the network.”

“With the rapid increase of connected devices, it’s getting massive. Someone can break into the home network through a router or even a refrigerator and set up botnets of connected devices. It’s all part of a growing problem that Green Hills has been addressing for a number of years. There are customers that get it – government, avionics or automotive – there’s a lot in common between safety and security.”

“As an area IoT has expanded and for us it’s a logical next step. For years we’ve had INTEGRITY and have been doing the Common Criteria security certification at the highest level,” he said. “If you really want to solve these types of problems, everything from desktops and servers to mobile phones and smart meters, then we see ourselves as very well positioned to come in and look at the overall system and provide advice, consulting and whatever would be needed to solve those security challenges. It’s a lot more than just a product. It’s about people skills, it’s about the way you architect the product and following the right procedures.”

The move brings together several themes in the company. “We’ve got the INTEGRITY-178 team, which is the avionics team, then INTEGRITY Global Security in desktop and servers following the Joint Strike Fighter development, and then there’s the mobile team solving these problems in tablets and smart phones. Then we have the INTEGRITY Security Solutions team that really looks at encryption and other solutions that are operating system and processor agnostic.”

“It’s a big education process that’s needed and componentization is key,” he said. “For example, we have the µ-velOSity microkernel for the devices that don’t support MMUs, and that has an upward-compatible API with INTEGRITY. Also, why put a full TCP/IP stack in something when you don’t need all of that? You just need a number of services. Often people pull a whole lot of middleware into a project, and it often goes in for the right reasons but can provide a vulnerability.”

The IoT Security Advisors group has experts that have successfully achieved certification to IEC 15408 (Common Criteria) Evaluation Assurance Level 6+, High Robustness for “high-valued information” against “sophisticated threat agents.” The group has supported certification for NIST FIPS 140-2 (cryptography), DIA DCID 6/3 (classified intelligence information systems), NSA Type-1 (crypto devices), FAA/EASA DO-178B/C (avionics), FDA Class II/III (medical), IEC 61508 (industrial), ISO 26262 (automotive), EN 50128 (railway), and others.
