Industrial Internet Security Framework v 1.0 | Page 65

Security Framework 8: Protecting Endpoints

Often, hardware implementations are not upgradable, so the performance and battery-life gains may come at the cost of a rigid and static implementation of the security functionality. If a vulnerability in the algorithm is found, it is more difficult to make the needed changes to the device. Architects must weigh these conflicting requirements when determining the balance between hardware- and software-enabled solutions. Field-programmable gate array (FPGA) chips provide both accelerated hardware benefits and reprogrammability.

Hardware security modules (HSM) offer hardened and isolated hardware components for security operations. Common functions include strong tamper resistance, cryptographic key storage and lifecycle management, such as key generation and strong authentication. An HSM may also be leveraged to provide security during the upgrade process. Other applications of an HSM include establishing secured remote communication with a remote device and executing firmware image flashing using cryptographic keys.

A common implementation of an HSM is the Trusted Platform Module (TPM).[1] The TPM is sometimes difficult to qualify because it is simultaneously a standard, an implementation and, in some cases, a discrete hardware chip on the endpoint. The standard describes a hardware container that performs cryptographic operations separate from the CPU. This container is generally used for key generation, key storage, signing and sealing of data and similar operations. The implementation takes place in a separate discrete hardware chip, or in a dedicated hardware container that may be co-located on the same physical die as the CPU, but in an isolated region.

Often working in conjunction with an HSM is another element, which may be hardware- or software-based: the Trusted Execution Environment (TEE). The TEE is an isolated area on the device platform providing security functionality for integrity and confidentiality.
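As an added illustration of the "sealing of data" operation attributed to the TPM above (a constructed Python model written for this page, not the framework's or any TPM vendor's code; `SimulatedTpm`, `pcr_extend` and the HMAC-based cipher are assumptions standing in for the real TPM primitives), the following shows why data sealed to a measured platform state only unseals on that same state, and only on the device holding the root key:

```python
import hashlib
import hmac
import os
# Simulated TPM (not a TPM driver): models PCR extend and "seal to platform
# state" so the behaviour can be observed offline. All values are constructed.
def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || H(measurement)); one-way and order-dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components) -> bytes:
    """Measure each boot component into one PCR, starting from the reset value (zeros)."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; stands in for the TPM's symmetric cipher.
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

class SimulatedTpm:
    """The isolated container: the storage root key never leaves this object."""
    def __init__(self):
        self._srk = os.urandom(32)  # would sit in tamper-resistant storage
    def _policy_key(self, pcr: bytes) -> bytes:
        # Key is bound to the measured state: a different PCR yields a different key.
        return hmac.new(self._srk, b"seal|" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes) -> bytes:
        key, nonce = self._policy_key(pcr), os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return nonce + ct + tag

    def unseal(self, blob: bytes, pcr: bytes) -> bytes:
        key = self._policy_key(pcr)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            raise PermissionError("PCR policy not satisfied: platform state differs")
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def unseal_ok(tpm: SimulatedTpm, blob: bytes, pcr: bytes) -> bool:
    try:
        return tpm.unseal(blob, pcr) is not None
    except PermissionError:
        return False
```

A changed firmware measurement, or a blob moved to another device, yields a different policy key and the unseal is refused rather than returning wrong plaintext.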
The TEE offers a higher level of security by separating the security functionality from the operational functionality on the main CPU. Common security functions include isolated execution of security operations, integrity of code loaded and data stored, and confidentiality for data stored in the TEE. It protects data-at-rest and data-in-use within the TEE. A software-based TEE could be a virtual gateway running on a hypervisor, isolating the security functionality from the operational applications running in a separate virtual instance. Other examples of software TEEs include Docker containers and Trusty TEE for Android OS.[2] Examples of hardware TEEs include the GlobalPlatform TEE, Intel Converged Security and Manageability Engine (CSME) and ARM TrustZone.[3] There are also hybrid hardware-backed, software-defined TEE implementations such as Intel Software Guard Extensions (SGX).[4]

8.2.3 BROWNFIELD ENDPOINT CONSIDERATIONS

In brownfield deployments, the endpoints are deployed for long periods of time, sometimes for decades, but they should be upgraded to safe levels. The primary consideration is not to disrupt

[1] See [TCG-TPM]
[2] See [Docker] and [Andr-Trusty]
[3] See [GloP-TEE], [Intel-AMT], [Ruan2014] and [ARM-TrustZ]
[4] See [Intel-SGX]

IIC:PUB:G4:V1.0:PB:20160926 - 65 -