Wibu-Systems Blog (https://www.wibu.com/jp/blog.html)

Security by Default for the Global Economy

by Daniela Previtali, 13-11-19 (https://www.wibu.com/jp/blog/article/security-by-default-for-the-global-economy.html)

Encouraging manufacturers to ensure they ship their devices in a secure state is the key objective of the UK government.

The UK government recently launched an initiative to make “Secure by Default and Design” a key element for technological innovation, announcing its intent to make the UK a world leader in eliminating cyber threats to businesses and consumers by developing more resilient IT hardware. The initiative was boosted by the Secure by Default standard that was introduced by the UK Surveillance Camera Commissioner.

The goal of “Secure by Default” standards, in this case, is to provide a guarantee for users that network video security products are as secure as possible in their default settings out of the box. The result of the initiative is a standard that has been written by manufacturers for manufacturers. It includes requirements such as ensuring that passwords must be changed from the manufacturer default at start-up and have sufficient complexity, and it defines controls for how and when remote access should be given.

Encouraging manufacturers to ensure they ship their devices in a secure state is the key objective for the minimum requirements set forth in the standard. There is much to applaud about the hardware initiative and hopefully similar efforts will catch on globally.

In the software engineering world, Secure by Design is increasingly becoming the mainstream development approach to ensure security and privacy of software systems. In this concept, security is built into the system from the ground up and addresses the cyber protection considerations throughout a system’s lifecycle. This includes security design for the identification, protection, detection, response and recovery capabilities to strengthen the cyber resiliency of the system.

A number of global industry associations and security vendors, like Wibu-Systems, have proposed security standards and software development frameworks, all based on the core security by design foundation. Here are three examples of recent reference security frameworks:

Wibu-Systems will continue to work closely with organizations like the IIC and others to share our expertise and develop best security practices for protecting connected devices around the globe. You can read more about our collaborations with several organizations to develop innovative security solutions in this brochure, Security 4.0 By Default and Growth 4.0 By Design.

Daniela Previtali

Global Marketing Director

Daniela is a marketing veteran who has dedicated more than twenty years of her career to the service of world-leading IT security vendors. Throughout her journey in this field, she has covered executive positions in international sales, product marketing, and product management and acquired comprehensive knowledge of both digital rights management solutions and authentication technologies. Working from the German headquarters of Wibu-Systems, she is currently leading both corporate and channel marketing activities, innovating penetration strategies, and infusing her multinational team with a holistic mindset.

Cybersecurity and Trustworthiness in IT/OT

by Marcellus Buchheit, 30-10-19 (https://www.wibu.com/jp/blog/article/cybersecurity-trustworthiness-and-itot-convergence.html)

Nearly 80% of industry professionals regard the growing interconnectedness of OT and IT as a cybersecurity challenge.

Earlier this year, ARC Advisory Group, in conjunction with Kaspersky Labs, conducted a survey on the State of Cybersecurity of Industrial Control Systems (ICS) as well as the priorities, concerns, and challenges it brings for industrial organizations. Survey participants were split nearly equally between Operational Technology (OT) and Information Technology (IT) professionals.

Not surprisingly, nearly 80% of the companies surveyed stated that OT/ICS cybersecurity was a high priority and felt the need to invest in more resources, in both systems and ICS staff experts, to adequately address the necessary protection mechanisms. When asked to rank their concerns around an ICS cybersecurity incident, respondents primarily cited the health and safety of their employees (78%), as well as possible damage to the quality of their products or services (77%) as major worries, should the worst happen. The loss of customer confidence (63%) and possible damage to equipment (52%) were also rated as significant concerns.

While there was much data to absorb in the report, one particular point of interest for me was the relationship between OT and IT. Nearly 80% of companies surveyed regarded the growing interconnectedness of OT and IT as a challenge, mainly as a result of the digitalization of OT (industrial networks in particular), which can expose industrial systems and devices that might not be adequately protected to cyberthreats. IT and OT teams often have different security priorities and different goals for maintenance and improvement of their systems. In addition, cultural differences and the lack of communication between departments can exacerbate the problem.

In just the past few years, the convergence of IT and OT has become a well-worn topic of discussion, as there have been a few bumps in the road along the way. Let’s take a brief historical perspective and introduce the notion of “trustworthiness” and how it can serve to smooth the path towards convergence.

OT has been used for many years to implement complex technical processes in industries such as energy generation and delivery, oil/gas, production, transportation and others. OT systems were rarely connected to the Internet as their security capabilities were unable to withstand hacker attacks. As a result, OT systems were unable to take advantage of the benefits of cyber connected systems, such as remote access and administration, centralized data collection and analysis, or cloud-based access to information for process automation, e.g., automatic access to weather forecasts to optimize commercial energy usage.

In the past 20 years, IT learned how to safely connect to the Internet, but only after experiencing increasingly frequent security issues and cyber-attacks. Today, we have IT systems capable of remotely accessing all types of private or public information and executing complex operations, such as Software as a Service (SaaS). However, IT systems are still not ready to handle the high security demands of OT systems.

The convergence of IT and OT is required to successfully implement Industrial IoT systems, but the challenges for such a confluence are high, as noted in the ARC survey: Both sides have significantly different priorities, system models, and terminology.

Let’s look at the term Trustworthiness – a paradigm put forth by the National Institute of Standards and Technology (NIST) and the Industrial Internet Consortium (IIC) to address the key system characteristics of cyber-connected IIoT systems. The IIC defines trustworthiness as the degree of confidence one has that a system performs as expected, characterized by 5 key elements: the degree of safety, security, privacy, reliability, and resilience in the face of environmental disruptions, human errors, system faults and attacks.

Trustworthiness is a trait used for years to define the characteristics of both IT and OT systems. For IT, trustworthiness mainly addresses security, reliability, privacy and resiliency, while safety is a lower priority. On the other hand, trustworthiness for OT mainly addresses safety, reliability and resilience. Security is only marginally addressed and privacy is out of any OT scope. Addressing the missing key system characteristics in both IT and OT systems and focusing on the five key characteristics of the IIoT trustworthiness paradigm will solve many IT/OT convergence problems, especially concerning security, safety, and privacy.

If you are interested in taking a more in-depth look at the characteristics of Trustworthiness with regard to the IIoT, the September 2018 edition of the IIC’s Journal of Innovation features nine articles highlighting different aspects of Trustworthiness, including a short introduction and an article on Trustworthiness in Industrial System Design by me.

Marcellus Buchheit

Co-founder of WIBU-SYSTEMS AG, President and CEO of WIBU-SYSTEMS USA

Marcellus Buchheit earned his Master of Science degree in computing science at the University of Karlsruhe, Germany in 1989, the same year in which he co-founded Wibu-Systems. He is well known for designing innovative techniques to protect software against reverse-engineering, tampering, and debugging. He speaks frequently at industry events and is an active member of the Industrial Internet Consortium. He currently serves as the President and CEO of Wibu-Systems USA Inc.

Twice the Growth, 2 Times the Protection

by Daniela Previtali, 15-10-19 (https://www.wibu.com/jp/blog/article/twice-the-growth-2-times-the-protection.html)

The U.S. software market grew twice as fast as the overall economy supporting 1 in every 10 jobs and will rise even further.

“U.S. Software Jobs Grow Twice as Fast as Overall U.S. Jobs.”

That’s a key takeaway from the latest report, Software: Growing US Jobs and the GDP, released in September 2019 by Software.org: the BSA Foundation. The growth number is startling, particularly given the strength of the U.S. economy in the past two years.

In addition to job growth in the software industry, the U.S. software industry economy expanded by 19 percent since 2016, contributing $1.6 trillion to the total U.S. value-added GDP in 2018.

Key findings reported by BSA in the report are:

  • Software supports one in every 10 jobs in the United States. The software industry supports 14.4 million total US jobs across every economic sector, and the software industry directly employs 3.1 million people.
  • Software’s impact on jobs grew twice as fast as the overall economy. Jobs supported by the software industry increased 7.3 percent from 2016 to 2018. By contrast, US jobs grew by three percent over the same period.
  • Software’s economic impact grew by double digits in most US states. In 2018, 39 of the 50 states (plus Washington, DC) experienced double-digit growth. Additionally, software’s economic impact in four states—Nevada, South Dakota, Washington and Wyoming—grew by more than 30 percent from 2016 to 2018.
  • Software jobs are growing quickly beyond traditional tech hubs. The ten states that experienced the fastest software job growth from 2016 to 2018 include Nevada, South Dakota, Wyoming, New Hampshire, South Carolina, and Montana.
  • New innovations are around the corner. The software industry invested more than $82 billion in research and development (R&D) in 2018, accounting for more than 22 percent of all domestic business R&D in the country.

The double-digit growth in the U.S. software industry is great news and we expect similar trends to be realized around the globe as software strengthens its relevance as a key enabling technology across all economic sectors.

For a software security company like Wibu-Systems, the reported industry growth is exciting, but it also means we have to work twice as hard to protect the industry from software piracy and continue to innovate secure licensing technologies that ensure ISVs fully gain the software revenues to which they are entitled.

You can see our latest software security technology innovations and how we protect global software publishers from revenue losses caused by illegal software copying, both intentional and unintentional.

Main Prio: Improving Customer Relationships

by Marcel Hartgerink, 24-09-19 (https://www.wibu.com/jp/blog/article/main-prio-improving-customer-relationships.html)

Embracing the shift in customer preferences led by Industry 4.0 and radically transforming the entire business strategy.

Digital transformation is disrupting industry on a global scale and drastically changing existing business processes, company culture, and customer experiences. Under this impetus, companies are reimagining their business practices to excel in the digital age.

For manufacturers, digital transformation is critical for success. New technologies like artificial intelligence, machine learning, and cloud computing are driving the Industry 4.0 digital revolution (Forbes). According to a 2018 study, Industry 4.0: Global Digital Operations, conducted by global consultancy PWC, “out of 2,000 manufacturers, 86% expected to see cost reductions and revenue gains from their digitization efforts over the next five years.”

The integration of these new technologies via Industry 4.0 is enabling manufacturers to deliver a unique product to their consumers vs. the traditional mass-produced clones, causing a dramatic shift in consumer expectations towards personalized goods and services. Automotive manufacturers, in particular, have leveraged digital transformation to offer their customers a truly customized purchasing experience beyond simply being satisfied with a vehicle available on the dealer’s lot. Now, auto buyers can customize their vehicle with a seemingly endless number of options, from interior and exterior colors, Bluetooth connections, cameras, sensors and the like.

A good example of a company that reinvented its business processes to better serve its customers is Desoutter Industrial Tools, a French manufacturer of advanced electric and pneumatic assembly tools for the aerospace and automotive industries. Recognizing the shift in customer preferences in the context of Industry 4.0, Desoutter engaged in what they called a “radical transformation”, incorporating a high level of flexibility in the way their customers could deploy and repurpose their tools as their needs changed.

One important element of the transformation involved the introduction of more software-driven functions into their product portfolio. This move allowed Desoutter to implement a novel solution that would enable their customers to quickly repurpose their tools as needed without having to discard unused equipment or incur additional costs to acquire new capabilities. At the core of the new process is the concept of Unit Values (UVs). With the purchase of UVs, customers can dynamically draw from their UVs to access only the products’ features and services they need at any time. If they no longer require certain services, they can recover the UVs and convert them into a different service or even redeploy them on another tool. The approach gives their customers a way to immediately reconfigure a workstation, for instance, for another purpose using their available UVs.

One critical aspect of the process was license security. It was essential that UVs could be purchased electronically and protected against hacking or counterfeiting to ensure the appropriate monetization of their software. Integration of Wibu-Systems’ CodeMeter security and licensing technology provided protection for the UVs and the management flexibility necessary to efficiently create and deliver the UVs. As a result, Desoutter’s customers can use an online configurator to select the features they want on a specific tool and then order the UVs they need via an e-wallet in the form of a CodeMeter USB dongle. The customer can activate the service by simply connecting the dongle to a controller.

For Desoutter, the concept was not just about selling as many licenses as possible, but rather providing a solution that met the versatility required by their customers. By embracing digital transformation and re-engineering their business practices, Desoutter has strengthened their customer relationships and given themselves a significant edge over their competition.

I invite you to read the complete case study here.

Rüdiger Kügler

VP Sales | Security Expert

After completing his physics degree course in 1995, he was head of project management for software protection, software distribution, internet banking, and multimedia projects. In 2003, he joined Wibu-Systems and, as part of his role, contributed substantially to the development of Blurry Box® technology.

The Complex Software Licensing Landscape

by Rüdiger Kügler, 03-09-19 (https://www.wibu.com/jp/blog/article/the-complex-software-licensing-landscape.html)

The software licensing tools must be readily adaptable to the new purchasing and delivery models of the connected age.

The digital transformations occurring across all segments of society are unfolding at breakneck speed. From autonomous vehicles and smart cities to digitized healthcare delivery, all facets of our connected world are evolving in ways seemingly unimaginable just a few years ago. With smart technologies built into phones, wearables, home appliances, and just about any other device, consumers are assimilating new technologies into their daily lives as fast as they are introduced.

Digital transformations are also driving cultural change. Consumer preferences are evolving dramatically, particularly in the way products are purchased, delivered, and updated. As a result, tried and true business models are no longer the norm and only those companies who possess the foresight and ability to alter their business practices to cater to the digitized consumer will succeed.

Let’s take a look at the effects these changes are having on the software industry and software licensing in particular. For an ISV, the days of the traditional perpetual license with maintenance contracts are long gone. Software users now expect to pay only for what they use and for how often they use it, and payment might take the form of a monthly subscription vs. a one-time upfront payment. Software updates and feature upgrades can be delivered via the Internet, and in some cases, users may want to try the software prior to purchasing. Some consumers may be more comfortable with on-premises software applications, while others may prefer cloud application deployments.

The scene is just as complex, or perhaps more, for embedded software developers who need to be capable of delivering their software across multiple development platforms, architectures, and operating systems. They also need to be able to deliver updates in a secure fashion, particularly in the IoT and Industry 4.0 world where cybersecurity is paramount.

The bottom line for ISVs and embedded system developers is that the software licensing tools they use must be readily adaptable to the new purchasing and delivery models that are required to address the expectations of the next generation consumers.

Take, for example, the case of Vector, a German developer of advanced software tools and embedded components across a wide range of industries. They sell thousands of product licenses annually for products such as electric car charging, automotive safety and security concepts, Advanced Driver-Assistance Systems (ADAS), autonomous vehicles, AUTOSAR adaptive platform, and an array of other electronic systems. With such a diverse customer base, the company was facing several challenges in managing their license entitlements. First, they wanted to protect their invaluable Intellectual Property from piracy with a secure license delivery mechanism. Secondly, each of the industries that they served had unique licensing preferences and requirements and they were using disparate tools to address their needs. Ultimately, they wanted one integrated solution that would fit into their existing SAP back-office environment.

While their requirements for a modern licensing management system are not uncommon in today’s connected landscape, their array of such highly complex products for so many diverse use cases represented an interesting challenge. Wibu-Systems, in conjunction with our SAP integration partner, Informatics Holdings, provided a flexible license and entitlement solution that met all their requirements.

At the heart of the solution was CodeMeter License Central for the creation, delivery, and management of licenses. With the integration of CodeMeter License Central into Vector’s SAP system, Vector is now able to manage all its licenses centrally with ease, making for leaner support and more efficient sales processes. Depending upon customer requirements, licenses can be delivered securely via software-based binding technology or hardware-based dongles. It is an interesting story with an innovative solution and I invite you to read the entire case study.

What Might MedTech Look Like in 2030?

by Daniela Previtali, 20-08-19 (https://www.wibu.com/jp/blog/article/what-might-medtech-look-like-in-2030.html)

AI, IoT, and predictive analytics are transforming the healthcare sector and shifting the focus from products to services.

Digital transformation is changing the healthcare landscape as more and more medical devices come online, both next generation systems and legacy equipment, with many allowing remote access. Digital patient data continues to proliferate beyond the confines of the medical facility as well.

Deloitte recently published a report that took a predictive “Glimpse into the future of connected care with MedTechs”. In particular, the report took a holistic view of what they believe to be the key trends and drivers that will shape the connected care landscape and the uncertainties that will have an impact on the industry by 2030.

There was general consensus that medical device technology is a vital component of the healthcare sector, while the market transforms itself from a focus on products towards a focus on connectivity and integration, based on evolving technologies like AI, IoT, and predictive analytics.

Deloitte envisioned 4 different scenarios where connected care could create and sustain value through 2030.

  • Scenario 1 – Ahead of Diseases: In a world where both MedTech players and the tech players find their niche within the healthcare ecosystem, society will benefit from predictive diagnoses and position itself ahead of diseases.
  • Scenario 2 – Trust vs. Convenience: In the Trust vs. Convenience scenario, MedTech and tech players offer fragmented product and service portfolios that are fighting for every inch of market share.
  • Scenario 3 – Everyone Doing Everything: In the Everyone Doing Everything scenario, newcomers have given up on entering the healthcare market. MedTech players are now trying to build up their own data platforms fed by their various medical devices.
  • Scenario 4 – All About the Patient: In the All about the Patient world, health-related data is regarded as a commodity, but exclusively for MedTech companies. Attempts by outsiders to gain access fail due to high regulatory requirements. Patients benefit from user-friendly devices and advanced predictive diagnosis.

Within these potential scenarios, Deloitte laid out some of the uncertainties that will play a role in how these predictions take shape. One of those uncertainties pertained to the competitive landscape, with question marks as to how far tech giants will be able to enter the MedTech market, whether smaller startups with novel technologies will be able to gain entry, and at what success rate. The second uncertainty is the accessibility of standard healthcare data, as restrictive data privacy standards, issues with cybersecurity and the lack of standards for interoperability may limit the potential to utilize artificial intelligence and therefore prohibit predictive diagnosis.

While cybersecurity was not an emphasis in the report, at Wibu-Systems, we believe that security of patient data, healthcare software, and connected medical devices in what is becoming known as the Medical Internet of Things will have a huge impact on the MedTech industry between now and 2030 and beyond. Will manufacturers adopt a security by design approach for product development? How stringent will government regulators be in forcing manufacturers to adopt security best practices? How will interoperability, or lack thereof, impact the integration of legacy medical systems? These are just a few of the security-related uncertainties that can be added to the list.

A few years ago, we published an article on Protecting End Point Security of Medical Systems which highlighted many of the vulnerabilities inherent in connected medical systems and how several of our medical device customers are addressing these threats to their systems, software and data with advanced protection, licensing and security mechanisms. The points covered in the article ring as true today as they will in 2030.

Advice for IoT Device Manufacturers

by Terry Gaul, 08-08-19 (https://www.wibu.com/jp/blog/article/advice-for-iot-device-manufacturers.html)

In its latest publication, the NIST addresses the many cybersecurity risks inherent in IoT device manufacturing.

With its many promises and great prospects, the Internet of Things (IoT) warrants much stronger protection than the closed systems of the past. IoT systems rely on public networks, which, by definition, are unsafe environments. Hackers are always looking for backdoors and exploits while trying to tamper with data to cause untold damage.

The U.S. National Institute of Standards and Technology (NIST) recently released a draft of security recommendations for IoT devices. Titled Core Cybersecurity Feature Baseline for Securable IoT Devices:  A Starting Point for IoT Device Manufacturers (NISTIR 8259), the draft defines a core baseline of cybersecurity features that manufacturers may voluntarily adopt for IoT devices they produce.

The publication is intended to help IoT device manufacturers understand the many cybersecurity risks inherent in IoT devices and help them provide cybersecurity features that make them at least minimally securable by the individuals and organizations who acquire and use them. The publication also provides information on how manufacturers can identify features beyond the core baseline most appropriate for their customers and implement those features to further improve device security. NIST says this approach can help lessen the cybersecurity-related efforts needed by IoT device customers, which in turn should reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised IoT devices.

The Core Baseline provides a list of six recommended security features that manufacturers can build into IoT devices:

  • Device Identification: The IoT device should have a way to identify itself, such as a serial number and/or a unique address used when connecting to networks.
  • Device Configuration: Similarly, an authorized user should be able to change the device’s software and firmware configuration. For example, many IoT devices have a way to change their functionality or manage security features.
  • Data Protection: It should be clear how the IoT device protects the data that it stores and sends over the network from unauthorized access and modification. For example, some devices use encryption to obscure the data held on the internal storage of the device.
  • Logical Access to Interfaces: The device should limit access to its local and network interfaces. For example, the IoT device and its supporting software should gather and authenticate the identity of users attempting to access the device, such as through a username and password.
  • Software and Firmware Update: A device’s software and firmware should be updatable using a secure and configurable mechanism. For example, some IoT devices receive automatic updates from the manufacturer, requiring little to no work from the user.
  • Cybersecurity Event Logging: IoT devices should log cybersecurity events and make the logs accessible to the owner or manufacturer. These logs can help users and developers identify vulnerabilities in devices to secure or fix them.

For a more in-depth analysis of the nature of IoT security threats and the technical measures designed to protect these connected devices from malicious hackers, you can download our white paper, Licensing and Security for the Internet of Things.

This whitepaper explores the various trends emerging in the IoT and the key strategies for success, which depends not only on superior products, creative marketing, and aggressive sales activities, but security, integrity and reliable licensing as well.

It also outlines the standards that must be addressed and long-term considerations that will impact security, like integration in devices and software, upgrades and updates, secure boot, licensing models tailored to the IoT, license management, access rights and certificates, scalable safeguards and data integrity protection.

Terry Gaul

Vice President Sales USA

Terry Gaul is a sales and business development professional with extensive experience in the software and technology sectors. He has been involved with software protection and licensing technologies for more than 20 years and currently serves as Vice President of Sales at Wibu-Systems USA. When he is not helping customers with software licensing, Terry typically can be found coaching his daughters' soccer teams or camping with his family on the Maine coast.

AI in the IIoT is a Matter of Trust
by Marcellus Buchheit, Tue, 02 Jul 2019 16:47:00 +0200
https://www.wibu.com/jp/blog/article/ai-in-the-iiot-is-a-matter-of-trust.html

What are the challenges, risks, and benefits of AI as it enhances efficiency, reliability, and effectiveness of IIoT processes?

Artificial Intelligence is a hot commodity in the technology world these days. But what does it mean in the context of the Industrial IoT?

An early definition of artificial intelligence was one of “thinking machines” that could make decisions like humans, and in some people it elicited a fear that these thinking machines could actually replace humans in the manufacturing world. Today’s perception of AI, however, is geared more towards machines that exhibit human reasoning as a “guide to provide better services or create better products rather than trying to achieve a perfect replica of the human mind”, as noted in a Forbes article by Bernard Marr. He added that “It’s no longer a primary objective for most to get to AI that operates just like a human brain, but to use its unique capabilities to enhance our world.”

When applied to Industrial Internet of Things (IIoT) systems, AI has been demonstrated to offer business and technology advancements, such as cost reduction and better performance. Examples include the benefits of predictive maintenance leading to reduced outages, better resource management and scheduling and enhanced insights into system usage. AI has also been used to design physical structures, electronic components, and to perform quality assurance testing of complex systems.

Of course, with disruptive technology advancements like AI comes an entirely new set of challenges and risks for the users of such technology, including IIoT systems. Some of those risks were presented in an article published by the Industrial Internet Consortium (IIC) in their Journal of Innovation (JOI), entitled AI Trustworthiness Challenges and Opportunities Related to IIoT.

At the crux of the JOI article was the notion of trust – trust that systems operate correctly, based on evidence that can be understood. IoT Trustworthiness is defined in the IIC Vocabulary as the “degree of confidence one has that the system performs as expected with characteristics including safety, security, privacy, reliability and resilience in the face of environmental disturbances, human errors, system faults and attacks.”

If the AI system makes it hard or impossible to understand how a decision was made, trust in the system is reduced. The article goes on to describe the various risks and challenges AI can pose to the trustworthiness of an IIoT system.

One example illustrated how AI can be used to probe a system for vulnerabilities by attempting to attack the system itself. The AI system was connected to a video game and subsequently learned how to defeat the game in novel ways. A benign example, for sure, but imagine if the system were not a harmless video game but rather an air traffic control system, a city traffic light system or a nuclear power plant. The dire implications of uncontrolled AI are clear.

While the technology might expose vulnerabilities to malicious manipulation in IoT systems, AI can also be used to enhance the trustworthiness of a system. The JOI article points out two categories in particular where AI in IIoT is emerging:

  • The use of AI to improve the efficiency, reliability, and effectiveness of processes and tasks that can be fully automated with little risk. These are processes and tasks that are generally mundane, repeatable, static with few variations, or tasks that are very specific and/or localized to specific components in the system.
  • The use of AI in processes that are critical, consequential and non-mundane. When the level of risk is high enough, humans must maintain the ultimate decision-making capacity – this is referred to as the “human-in-the-loop” approach or HIL.

The article discusses the challenges, risks, and benefits of AI in IIoT environments in much more detail. You can read the full article here.

Marcellus Buchheit

Co-founder of WIBU-SYSTEMS AG, President and CEO of WIBU-SYSTEMS USA

Marcellus Buchheit earned his Master of Science degree in computing science at the University of Karlsruhe, Germany in 1989, the same year in which he co-founded Wibu-Systems. He is well known for designing innovative techniques to protect software against reverse-engineering, tampering, and debugging. He speaks frequently at industry events and is an active member of the Industrial Internet Consortium. He currently serves as the President and CEO of Wibu-Systems USA Inc.

Security by Obscurity and the Right to Repair
by Terry Gaul, Tue, 25 Jun 2019 14:35:00 +0200
https://www.wibu.com/jp/blog/article/security-by-obscurity-and-the-right-to-repair.html

Is the "right-to-repair" concept an essential service for customers or a violation of manufacturers' intellectual property?

The right-to-repair movement is gaining traction in the U.S. as many states are considering legislation that would allow consumers and third parties to repair electronic equipment without voiding manufacturers’ warranties. The issue has even crept into presidential politics, as several candidates are taking up the cause, and organizations like securepairs.org are gaining grassroots followers.

The right-to-repair idea itself is pretty simple. Legislation under consideration would require manufacturers to make repair resources — that is, the same manuals and components that authorized service and maintenance partners receive — available to consumers. This would in turn give them the ability to fix their property – be it through parts, software or a network of third-party resources, not just designated manufacturer partners.

Opponents, on the other hand, argue that opening up this proprietary information to the public is an attack on the manufacturers’ Intellectual Property rights and makes them vulnerable to counterfeiting and reverse engineering. They also argue that third-party repairs could be unsafe for consumers and technicians—for example, with respect to repairing electronics that use lithium-ion batteries.

The right to repair legislation "would force all electronics manufacturers to reveal sensitive technical information about thousands of Internet-connected products including security cameras, computers, smart home devices, video game platforms, smartphones and more -- putting consumers and their data at risk," wrote Earl Crane, a senior cybersecurity fellow at the University of Texas, Austin. He added that manufacturers "would have to share codes, tools, and supply chain access to anyone who purchases a product."

Opponents also argue that giving the “keys to the kingdom” to the public opens the door for malicious actors who would then have the ability to tamper with these devices for any number of nefarious purposes.

Securepairs.org refutes that argument by dismissing the notion of security through obscurity, the assumption that obscurity equates to or enhances security. A robust system, they say, will still be secure even if people know how it works. Releasing repair manuals and spare parts shouldn’t undermine an already sound smartphone. The group further argues that right-to-repair laws would make devices safer by allowing consumers to quickly replace failing parts or update buggy software.

Their argument against security by obscurity, of course, is based on the core principle of modern information security, first articulated by the Dutch cryptographer Auguste Kerckhoffs. He stated that a “cryptosystem should be secure even if everything about the system, except the key, is public knowledge” (Kerckhoffs’ Principle). Verifiable security is the product of secure design and thorough testing and improvement, not secrecy. Systems that rely on secrecy rather than provable security are destined to fail.

Kerckhoffs’ Principle is well known to Wibu-Systems, as it is the foundation upon which our award-winning Blurry Box cryptography was built to protect software from hackers. The basic principles of Blurry Box cryptography are the use of one or more secure keys in a dongle and the fact that software is typically complex. Its goal is to make the effort required to illicitly copy software higher than the effort needed to completely rewrite the same software. Blurry Box cryptography uses seven published methods that greatly increase the complexity and time required for an attack to be successful. In the end, it would be easier and less expensive for the would-be attacker to develop similar software from scratch.

We don’t know how the Right to Repair movement will progress, but if you would like to know more about Kerckhoffs’ Principle and how it is used to protect software, visit our website or download a white paper, Blurry Box Encryption Scheme and why it Matters to Industrial IoT.

Terry Gaul

Vice President Sales USA


Cybersecurity enables Industry 4.0
by Daniela Previtali, Wed, 12 Jun 2019 14:03:00 +0200
https://www.wibu.com/jp/blog/article/industry-40-cybersecurity.html

Only the enhancement of Industry 4.0 cybersecurity will lay a solid foundation for future security technology developments.

Governments, industry organizations, and industrial leaders keep focusing their attention on cybersecurity in light of the advances driven by Industry 4.0 and Smart Manufacturing that continue to shape our future. 

The European Union Agency for Network and Information Security (ENISA), a center of network and information security expertise for the EU, its member states, the private sector and EU citizens, recently published a high-level summary report on the state of cybersecurity, Industry 4.0 Cybersecurity: Challenges and Recommendations.

ENISA hopes that the adoption of the high-level recommendations will contribute to the enhancement of Industry 4.0 cybersecurity across the European Union and lay a solid foundation for future security technology developments.

The challenges identified in the report tackle issues around people, processes, and technology while the recommendations are addressed to different key stakeholder groups, namely regulators, Industry 4.0 security experts, Industry 4.0 operators, standardization community, academia and research, and development bodies.

Following is a brief summary of the key challenges and recommendations outlined in the report:

People

Challenge: Need to Foster and Align IT/OT Security Expertise and Awareness – People involved in deployments of new solutions usually have knowledge of only IT security or only OT security, while Industry 4.0 and Smart Manufacturing require expertise over several areas.
Recommendation: Promote Cross-Functional Knowledge on IT and OT Security – People responsible for security within Industry 4.0 organizations should invest in state-of-the-art dedicated cybersecurity training that covers all necessary aspects specific to IT/OT convergence and Smart Manufacturing.

Challenge: Incomplete Organizational Policies and Reluctance to Fund Security – Traditionally, cybersecurity was not perceived as a Board-level topic, since its impact on increasing revenue or optimizing costs remains generally unclear.
Recommendation: Foster Economic and Administrative Incentives for Industry 4.0 Security – Economic and administrative stimuli are required to incentivize investments in Industry 4.0 security, given that the maturity and mentality of organizations and businesses need to grow further when it comes to identifying the role and importance of security.

Processes

Challenge: Liability Over Industry 4.0 Products’ Lifecycle is Poorly Defined – Liability for Industry 4.0 cybersecurity is an open issue (a gap also identified for most emerging technologies), as accountability for Industry 4.0 cybersecurity incidents remains unclear.
Recommendation: Clarify Liability Among Industry 4.0 Actors – Address liability concerns not only to protect end-users and consumers of such products and services, but also to stimulate corresponding investments through a comprehensive and stable legal framework.

Challenge: Fragmentation of Industry 4.0 Security Technical Standards – The lack of uniform standardization efforts at a global level results in a situation in which sites that belong to one organization cannot collaborate and share security expertise and solutions with each other, as they are subject to different schemes.
Recommendation: Harmonize Efforts on Industry 4.0 Security Standards – It is beneficial to explore initiatives and guidelines that map security standards from many different sources to provide a complete point of reference and thus ensure all necessary security controls are considered.

Challenge: Supply Chain Management Complexity – The situation has become even more complicated as Smart Manufacturing introduced new capabilities (end-to-end visibility, predictive analysis, automation and data-driven decision-making) that have an additional impact on the supply chain.
Recommendation: Secure Supply Chain Management Processes – Trust is the root of a secure supply chain, since the amount of trust that an organization places on another will eventually feed into the risk assessment process and the introduction of appropriate security controls.

Technology

Challenge: Interoperability of Industry 4.0 Devices, Platforms and Frameworks – With the introduction and integration of Industry 4.0 devices, platforms, and frameworks to existing systems comes the issue of interoperability. In industrial environments, securing interconnectivity between diverse devices is often challenging, especially when considering devices that are long out of support.
Recommendation: Establish Industry 4.0 Baselines for Security Interoperability – Encourage the use of interoperability frameworks that promote a common security language and use of protocols for Industry 4.0 components.

Challenge: Technical Constraints Hampering Security in Industry 4.0 and Smart Manufacturing – Difficulties in ensuring security in Industry 4.0 also result from a lack of technical capabilities in connected industrial devices and systems, especially considering integration with legacy infrastructures.
Recommendation: Apply Technical Measures to Ensure Industry 4.0 Security – Identifying baseline security recommendations for Industry 4.0 components, services, and processes based on risk analysis is a first step to approach a solution to the challenging technical constraints of this domain.

You can download the complete report here.

Daniela Previtali

Global Marketing Director

Daniela is a marketing veteran who has dedicated more than twenty years of her career to the service of world-leading IT security vendors. Throughout her journey in this field, she has covered executive positions in international sales, product marketing, and product management and acquired comprehensive knowledge of both digital rights management solutions and authentication technologies. Working from the German headquarters of Wibu-Systems, she is currently leading both corporate and channel marketing activities, innovating penetration strategies, and infusing her multinational team with a holistic mindset.
