IoT Zombie Apocalypse and Post-Quantum Crypto: A Q&A with Infineon's Steve Hanna

He’s been in high tech for about 35 years, so you might say that Steve Hanna has seen it all. But one thing Infineon’s senior principal has not seen – and doesn’t want to see – is the IoT zombie apocalypse.

So he did a presentation at the IoT Security 4.0 Conference in January to help the Internet of Things industry, and its customers, avoid that kind of thing.

In addition to his work at Infineon, Hanna was formerly a distinguished engineer at Juniper Networks, a senior consulting engineer at Funk Software, a senior staff engineer at Sun Microsystems, an architect at On Technology, and has contributed his talents to many other tech businesses.

Here’s our recent interview with him.

You recently told me that IoT security mechanisms have now been monetized. And you said that Stuxnet helped make that happen. Explain.
Stuxnet showed that previously established cyber attack techniques could be used to compromise IoT systems and achieve impacts in the physical world. Further research efforts demonstrated that most IoT systems are in fact much more vulnerable to cyber attacks than IT systems. Effectively, Stuxnet opened an entire field of cyber attacks that had previously been largely unexplored.

Attackers are always looking for ways to monetize their work – how to make money by attacking systems. Established monetization techniques include selling newly discovered vulnerabilities, building and selling attack toolkits, renting time on botnets, launching attacks for hire, stealing data that can be resold (e.g. credit card numbers), and holding systems and data for ransom. These techniques are typically considered criminal under European and U.S.A. law, so attackers must hide themselves from law enforcement.

In recent years, attackers have learned how to monetize attacks on IoT systems. One major example of this trend was the Mirai toolkit, which was used to compromise thousands of IoT systems and merge them into large botnets. The botnets were then used to stage the largest DDoS attacks ever seen. The controller of one of the Mirai botnets recently pled guilty to charges stemming from this attack and indicated that he performed these attacks as work for hire.

Thus we can see that Stuxnet was a groundbreaking event that really launched the field of IoT cyber attacks.

What are the three primary security approaches IoT device suppliers and their customers use today?
Authentication, secured communication, and secured updates.

The three most popular IoT security approaches today are endpoint security, network security, and cloud security. Some customers choose only one of these approaches but many customers use two or all three.

Endpoint security builds security into IoT devices so that they can operate securely in today’s hostile environment. With this approach, each endpoint has its own secured identity that can be used to communicate securely with other endpoints and with the cloud.

Network security uses a security gateway to add security to the IoT system. The security gateway generally includes at least a firewall to block attacks and a secured communications function to tunnel traffic over untrusted networks.

Cloud security uses cloud-based software to prevent, detect, and respond to attacks. Over time, this software learns which patterns are normal and which are malicious. Cloud software can also be used to manage endpoint security or gateway security features, including the ability to push down secured software updates.

Please provide an example of an application that might be a match for each of these three IoT security approaches.
Connected cars today primarily use a network security approach. Communications within the car take place over a trusted network made up of trusted devices. The primary cyber security risk comes from outside connections. Therefore, a security gateway is placed at the external connection point, such as a radio. External communications are terminated at this gateway, which is designed to block attacks and only permit authorized communications.

Smart cities need a strong cloud security component. Endpoints such as trash cans and street lights are placed in a hostile world where they are subject to constant vandalism and tampering. Generally, they are connected over a wireless network that can be tapped and jammed. While there is some benefit to including security measures in the endpoint and networks, the cloud must be constantly on the lookout for signs of attack.

Industrial IoT requires strong endpoint security due to safety concerns. The safety of workers and of the community depends on the proper operation of industrial endpoints and of the system as a whole. No single component such as a security gateway can be counted on to protect the system as attackers have shown repeatedly their ability to bypass such controls. Therefore, a defense in depth approach must be used.

What are companies like Google doing to educate and assure consumers about IoT security?
Google and other companies that are leaders in IoT know that surveys have shown repeatedly that security is the No. 1 concern for consumers and businesses alike with respect to adopting IoT technologies. Therefore, these companies include on their websites plenty of consumer education regarding IoT security.

Equally important, leading IoT companies are working in consortia like the IoT Security Foundation and Trusted Computing Group to develop guidance for consumers and businesses on how to secure their IoT systems.

How have government entities in the U.S. and abroad attempted to address IoT security? With what results?
The U.S.A. and other governments are addressing IoT security in several ways. Technical experts in agencies are providing guidance on how to build secure IoT systems and convening public-private partnerships in this area. The U.S. National Institute of Standards and Technology has a whole program on IoT cybersecurity with activities that range from fundamental research (e.g., lightweight cryptography) through applied research and technology transfer to standards development (e.g., SCAP). The European Union Agency for Network and Information Security has published a set of Baseline Security Recommendations for IoT in the Context of Critical Information Infrastructures that aims to address some of the many challenges in this area. So we can see that governments are engaged at both a practical and a theoretical level in helping to secure IoT systems.

Securing IoT devices entails added cost. How can device makers justify that added cost, and how can they discern what the marketplace will bear in terms of these costs?
While there is a cost to including IoT security, there is also a cost to leaving it out. Except when there are regulations requiring that security be included, each manufacturer must weigh the costs on both sides to determine how much security to include in their products. The costs of including IoT security are easy to quantify: R&D costs and product costs. The costs of omitting IoT security are less certain. When an attack takes place, costs may include damage to brand and reputation as well as costs to repair the problem.

Savvy device makers are now making IoT security a product feature to be promoted, thus elevating their product above their competitors and increasing their customers' perceived value.

What is quantum computing, and what are its implications for IoT security?
Quantum computing is the study of computing systems that employ quantum mechanics to increase the power of computers astronomically, especially for solving certain problems such as simulation of complex biochemical processes. Unfortunately these computers are also able to completely break many public-key cryptosystems such as RSA and ECC. While there are many challenges involved, quantum computing researchers have made tremendous progress in the last few years. Based on the current trajectory of progress, it seems likely that quantum computers will render the RSA and ECC cryptographic algorithms unusable within 15 to 20 years. This would be a serious problem as these algorithms are used for many purposes in IoT security as well as in many other applications.

To address this problem, NIST has issued a call for proposals of PQC algorithms as a successor of traditional asymmetric algorithms. If all goes as planned, standards for replacement algorithms should be issued in 5 to 7 years with products available shortly thereafter. This timeline is tight but should permit IoT systems to be upgraded to use the new algorithms before the old ones become obsolete.

In May Infineon announced that it has successfully demonstrated post-quantum cryptography. How does that work, and what is the status/timeline of commercial products based on PQC?
As a security leader, Infineon is constantly pushing the boundaries of security technology. For years, we have been working with other experts on developing PQC capabilities. In May 2017, our research team was able to demonstrate PQC running on a commercially available contactless smart card chip without requiring any expanded memory. Infineon is actively participating in the development and standardization process in order to enable a smooth transition to PQC and to address security challenges that may arise with the advent of quantum computers.

Tell us about Infineon.
Infineon Technologies AG was founded in 1999, when the semiconductor operations of the parent company Siemens AG were spun off. Today, we are a world leader in semiconductor solutions with about 37,500 employees worldwide. Our products are found in almost every electronic device from cars and trucks to computers or satellites. For nearly 30 years, we have been offering the industry’s broadest portfolio of security solutions including hardware, software, and services. We design, develop, manufacture, and market security solutions serving applications ranging from smartcards to new, emerging use cases in the IoT.

What does the company provide in the way of IoT security solutions today?
Infineon offers a full line of IoT security products under the OPTIGA brand. Because IoT products vary in size, cost, and function, no single security product can match their needs. For simple sensors, one-way authentication products like the OPTIGA Trust E may suffice. More sophisticated components like actuators and gateways will need advanced features like secured communications and secured updates, as supported by the OPTIGA TPM.
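Two of the answers above lean on the same mechanism: the endpoint-security answer says each endpoint has its own secured identity it uses to talk to the cloud, and the product answer says simple sensors may only need one-way authentication. The following is an added example, not code from the article or from Infineon, showing what one-way device authentication looks like from the cloud's side: a challenge-response exchange in which a device proves possession of its own per-device credential, the verifier consumes each nonce so a captured response cannot be replayed, and a device holding a different unit's credential is refused. It assumes an HMAC-based credential as a stand-in for the key a secure element would hold on-chip (a real deployment would typically use an asymmetric key pair and a certificate); the device IDs and keys are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample registry: each endpoint receives its own credential at
# provisioning. A secure element would keep this secret on-chip; here it is a
# plain bytes value so the example runs offline. (Assumption: HMAC key as a
# simplified stand-in for a per-device asymmetric identity.)
DEVICE_KEYS = {
    "sensor-0001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "sensor-0002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


class Device:
    """An IoT endpoint that can prove its identity without revealing its key."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key  # never leaves the device

    def respond(self, nonce: bytes) -> bytes:
        # Bind the response to both the claimed identity and the fresh nonce,
        # so a response for one device or one session cannot be reused.
        return hmac.new(self._key, self.device_id.encode() + nonce,
                        hashlib.sha256).digest()


class CloudVerifier:
    """Cloud-side verifier holding the provisioned credential registry."""

    def __init__(self, registry: dict[str, bytes]) -> None:
        self._registry = dict(registry)
        self._outstanding: dict[str, bytes] = {}  # device_id -> issued nonce

    def challenge(self, device_id: str) -> bytes:
        # A fresh random nonce per attempt is what defeats replay.
        nonce = secrets.token_bytes(16)
        self._outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        # pop() consumes the nonce: a second submission for the same
        # challenge has nothing to be checked against and fails.
        nonce = self._outstanding.pop(device_id, None)
        key = self._registry.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, device_id.encode() + nonce,
                            hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_scenarios() -> dict[str, bool]:
    """Exercise the exchange: legitimate device, replayed response, wrong key."""
    cloud = CloudVerifier(DEVICE_KEYS)
    genuine = Device("sensor-0001", DEVICE_KEYS["sensor-0001"])

    # 1. The provisioned device answers a fresh challenge correctly.
    nonce = cloud.challenge("sensor-0001")
    first = genuine.respond(nonce)
    legitimate = cloud.verify("sensor-0001", first)

    # 2. The same response submitted again is rejected: the nonce was consumed.
    replay = cloud.verify("sensor-0001", first)

    # 3. A unit claiming sensor-0001's identity but holding sensor-0002's
    #    credential fails, which is the point of per-device rather than
    #    fleet-wide keys: one compromised credential does not vouch for others.
    mismatched = Device("sensor-0001", DEVICE_KEYS["sensor-0002"])
    nonce2 = cloud.challenge("sensor-0001")
    wrong_key = cloud.verify("sensor-0001", mismatched.respond(nonce2))

    return {"legitimate": legitimate, "replay": replay, "wrong_key": wrong_key}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

This is the one-way form: the cloud learns who the device is, but the device has not checked who it is talking to. Mutual authentication, which the article associates with gateways and actuators, would run the same exchange in the other direction as well, with the cloud proving its identity to the device before the device accepts commands or update payloads.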

Edited by Ken Briodagh

Executive Editor, TMC
