Description of the Workshop

Be prepared for upcoming cybersecurity regulatory requirements.

Learn what it takes to secure connected embedded devices. Starting with the big picture, you will be introduced into security best practices as well as technical challenges like managing secrets or the integrity on an embedded platform on a productive scale.

Concepts like security by design, as well as security aspects for all phases of the product’s lifecycle (design, develop, production, maintenance, decommissioning) are explained using lot’s of examples and best practices. You will learn the essentials about commonly used cryptography – Why do you need which crypto primitives to reach your security goals.

We specially will focus on aspects of embedded devices and derive answers for many questions like:

• Where should I start with security in my project?
• What are current regulations demanding in respect of cybersecurity?
• What standards can be taken as reference?
• How to protect keys, IP or firmware on an embedded device?
• What are attackers capable of?
• Why should anyone hack my YouNameIt®?
• How is key provisioning and onboarding done in practice?
• How to deal with post quantum cryptography issues?
• What are good ways to keep embedded systems updated?
• And many more

There is room for questions throughout the training. Contents and focus may be tailored on customer request.

Many aspects will be discussed and explained using an embedded linux device that sends data to an IoT Backend.

If requested, a focus on certain branches like Automotive, Agriculture, Industrial Automation, Energy (Solar Inverters, Batteries, Energy Management Systems) can be achieved.

Target Group

The main target groups are written below. If you are not a part of one of these groups and anyway interested in this topic you are still welcome.

• Product Managers
• Embedded Developers
• System Architects
• Connectivity Architects
• IoT System Administrators

Prerequisites

There are no special tools or programming skills needed for this workshop. A background of embedded systems or security topics would be helpful. A notebook with network card can be used to interact with our demonstrators, but is not essential (this can be agreed upfront).

Training Content

Here are shown the main topics and in the following sections are more details to every point.

• How to secure any Thing?
• Standards and Regulations
• Cryptographic Toolbox
• Trust and Crypto in Embedded Hardware
• Safe and Secure Software Update Concepts for Embedded devices
• Key and Device Provisioning and Onboarding

How to secure any Thing?

1. Security Introduction, Assets, Security Goals:
   This section introduces fundamental security concepts, identifies assets, and establishes security goals to protect those assets.
2. Hacker: Motivation, Classification, Tools, Real Life Examples:
   Explore the realm of hackers, from their motivations and classifications to the tools they employ. Real-life examples illustrate the diverse threats they pose.
3. Security Engineering – Security in the Product Lifecycle:
   This segment sheds light on incorporating security into the product lifecycle. From conception to decommissioning, security aspects are considered.
4. Introduction to Risk Assessment:
   An introduction to risk assessment provides insight into identifying and evaluating potential threats and selecting appropriate countermeasures.
5. Security Best Practices:
   This part presents proven security practices that can be applied across various domains to mitigate risks and ensure protection.

Also watch our video about this specific topic. Note here that it is in German.

Standards and Regulations

1. Ongoing regulatory activities in the EU:
   This section covers the continuous regulatory initiatives within the European Union, addressing evolving legal frameworks and requirements.
2. Overview of available standards and regulations with a focus on embedded systems and IoT:
   Gain an understanding of the existing standards and regulations, particularly centered around embedded systems and the Internet of Things (IoT).
3. Practical deep dive into EN 303645 Cybersecurity for Consumer IoT:
   Delve into practical details of the EN 303645 standard, specifically focusing on cybersecurity aspects for consumer IoT devices.
4. Deriving and explaining security requirements:
   This segment involves the process of deducing and elucidating the security requirements that are essential for creating robust and secure systems.

Cryptographic Toolbox

1. WHY we need crypto, not how it works:
   In this module, we delve into the reasons behind the necessity of cryptography, focusing on its purpose rather than its technical details.
2. Learn why we need which cryptographic functions:
   Explore the specific cryptographic functions we require and understand the rationale behind their utilization.
3. Security Hash Functions:
   Study the significance of security hash functions, gaining insight into their role in ensuring data integrity and authentication.
4. Symmetric cryptography:
   Delve into the realm of symmetric cryptography, comprehending how it enables secure communication through shared keys.
5. Asymmetric cryptography:
   Gain an understanding of asymmetric cryptography and how it facilitates secure key exchange and digital signatures.
6. Attack Options:
   Explore the various attack options that malicious actors might employ to compromise cryptographic systems and the methods to counteract them.
7. Certificates and PKIs:
   Dive into the world of certificates and Public Key Infrastructures (PKIs), discovering how they enable secure communication and digital identity verification.

Trust and Crypto in Embedded Hardware

1. Crypto Accelerators:
   Explore the concept of crypto accelerators, specialized hardware designed to enhance the efficiency and performance of cryptographic operations.
2. Trusted Execution Environment:
   Delve into the notion of a trusted execution environment, an isolated and secure environment within a system that ensures the confidentiality and integrity of critical operations.
3. Secure Key Storage (SE, HSM, TPM, …):
   Understand the significance of secure key storage methods such as Secure Elements (SE), Hardware Security Modules (HSM), and Trusted Platform Modules (TPM), which safeguard cryptographic keys from unauthorized access.
4. Secure Boot:
   Discover the importance of secure boot mechanisms, which guarantee the integrity of a system’s software during startup by verifying its authenticity and preventing unauthorized code execution.

Safe and Secure Software Update Concepts for Embedded devices

1. Local and OTA:
   Explore the concepts of local (on-premises) and Over-The-Air (OTA) updates, highlighting how these methods enable efficient and secure software updates for devices.
2. Update System Requirements:
   Understand the essential requirements that an effective update system must meet to ensure seamless and secure software updates.
3. Update types for embedded Linux devices:
   Dive into the various types of updates available for embedded Linux devices, from security patches to feature enhancements, and how they contribute to device performance and security.
4. Software Signing and Validation:
   Learn about the practice of software signing and validation, which ensures the authenticity and integrity of updates, preventing unauthorized modifications.
5. Open Source Update System examples:
   Discover examples of open-source update systems, exploring how these systems provide reliable and customizable solutions for managing software updates in embedded environments.

Also watch our webinar about this topic.

Key and Device Provisioning and Onboarding

1. Key Provisioning Challenges:
   Examine the complex challenges associated with secure key provisioning, addressing the hurdles of generating, distributing, and managing cryptographic keys within a secure ecosystem.
2. Provisioning Options (JITR, JITP, Batch Provisioning):
   Explore various provisioning options, including Just-In-Time Registration (JITR), Just-In-Time Provisioning (JITP), and Batch Provisioning, each offering unique approaches to efficiently and securely onboarding devices.
3. Zero Touch – Automated Device Registration and Onboarding:
   Learn about the concept of zero-touch provisioning, a streamlined process that automates device registration and onboarding, reducing manual intervention and enhancing security during initial setup.

Also watch our webinar about this topic.

Duration of the workshop

2 days

Price

4.000 € + Traveltime and expenses

Contact

If you want to know more about this workshop “Embedded & IoT Security Training – Full Lifecycle“ get in contact with our Senior Security Expert and Trainer Roland Marx roland.marx@osb-connagtive.com.

Or if you are already sure about it send a request to sales@osb-connagtive.com.

If you want more interesting videos about IoT and Embedded Security, subscribe to our YouTube channel.

And also follow us on LinkedIn to be up to date.