Despite popular belief, it is possible to secure legacy embedded systems properly, even if they lack today’s iron-clad cryptographic capabilities, the latest protections, or expansive computational units. In a nutshell, that’s what Veridify Security, a member of the ST Partner Program, promises with its Device Ownership Management and Enrollment (DOME™) solution. The technology provides secure device-to-device communication without needing hands-on onboarding procedures, powerful microcontrollers, or access to a cloud. The video below demonstrates DOME’s capabilities in the context of ST control units for cars. Today, we’ll see how Veridify Security is tackling a new challenge: operational technology (OT) and building automation.
OT security and building automation
What is OT?
The Gartner Glossary defines operational technology as the “hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.” While, as the name implies, information technology (IT) focuses on data manipulation and dissemination, OT concerns the tracking and the governance of systems with physical impacts, such as grids, manufacturing plants, transportation systems, and more. Consequently, as Adam Hahn of Washington State University explains [1], “OT security focuses almost exclusively on availability and safety.” According to Hahn, while protecting the integrity, confidentiality, and availability of data is still critical, just as in IT, OT must also guard physical processes with regard to their safety, environment, dependencies, and regulation.
Failure to properly secure OT can lead to catastrophic effects. Hahn gives the example of the explosion of a gasoline pipeline that took place in Bellingham, Washington, USA, in 1999. The supervisory control and data acquisition (SCADA) system regulating the infrastructure suddenly became unavailable, which caused the gasoline inside the pipeline to ignite, leading to a massive explosion that took the lives of three people and was responsible for massive physical and environmental damage. Moreover, there are countless attacks that receive a lot less coverage but still have catastrophic effects. For instance, in 2016, a hack took down the central heating system in two apartment buildings in Finland for more than a week in the middle of winter.
Indeed, while most in the industry understand the importance of securing major infrastructures, like pipelines, many vastly overlook residential buildings. However, attacking such infrastructure could compromise lighting, heating, cooling, security controls, and more. Put simply, the case studies above demonstrate the critical nature of OT security, which is why Veridify Security is now turning to building automation, a domain vastly overlooked due to inherently complex challenges.
What are the inherent challenges to securing building automation?
One of the biggest challenges when bringing security to building automation is to overcome ignorance by educating owners and managers. For instance, the 2020 pandemic revealed significant security flaws in many buildings’ operational technologies that had been historically ignored. Consequently, it is critical to provide solutions that help change mindsets. There are also technical challenges inherent to building automation, such as a lack of encryption. In many instances, data is transmitted in plain text. Consequently, anyone with a basic network sniffer could intercept the information and use it to hack the system, creating massive disruptions. Additionally, the lack of common certifications worldwide further complicates the creation of a standard security solution.
Veridify Security: DOME on STM32
How to protect legacy solutions?
Veridify Security explained that it created a DOME library for STM32 microcontrollers to solve this challenge. For instance, recent demos showed a DOME Sentry. In a nutshell, the product from Veridify serves as an intermediary between the network and an unsecured legacy smart thermostat to protect it from attacks. As the ST Authorized Partner explained, the large memory and development ecosystem of the STM32 microcontroller greatly helped development. The company used ST’s low-level libraries to create firmware that’s as close to the bare metal as possible. Moreover, to ensure DOME runs on the broadest gamut of STM32 devices, Veridify Security doesn’t rely on cryptographic accelerators or other hardware IPs.
How to create new solutions?
The same demo also showed a smart thermostat using the DOME library. The configuration is far more unusual and demonstrates how new products can adopt the technology immediately. In this instance, the thermostat application and the security system ran on an STM32H7. Traditionally, smart home systems don’t integrate extensive security mechanisms because they would require more powerful processors that would significantly increase the bill of materials. However, in this instance, Veridify is showing how an STM32 MCU can easily run the control system and the DOME library for far greater security. Additionally, developers don’t have to worry about cloud access or onboarding mechanisms since DOME doesn’t require any of them, thus reducing overall costs.
[1] Hahn, A. (2016). Operational Technology and Information Technology in Industrial Control Systems. In: Colbert, E., Kott, A. (eds) Cyber-security of SCADA and Other Industrial Control Systems. Advances in Information Security, vol 66. Springer, Cham. https://doi.org/10.1007/978-3-319-32125-7_4