Wibu-Systems Blog
https://www.wibu.com/za/blog.html
Wed, 24 Jan 2018 12:48:14 +0100

Monetizing the Medical Device Industry
by Terry Gaul, Fri, 19 Jan 2018
https://www.wibu.com/za/blog/article/monetizing-the-medical-device-industry.html
Medical device manufacturers can leverage software licensing to unlock unique business models that generate new revenue streams.

Modern day medicine is increasingly dependent upon sophisticated technology that is rapidly changing the landscape of healthcare delivery and demonstrating that its use can make a dramatic improvement in patient outcomes. However, the new generation of medical instrumentation is expensive and a major contributing factor to the upward spiraling cost of healthcare. The Hastings Center, a not-for-profit organization geared towards addressing fundamental ethics issues in healthcare, life sciences, and other areas, estimates that “new or increased use of medical technology contributes 40 – 50% to annual cost increases.”

Medical technology is advancing rapidly as manufacturers develop new and improved software based models with more features and functionality. As a result, product life cycles are much shorter, meaning that equipment purchased 3 or 4 years ago can be outdated in a hurry. To keep abreast of the rapidly evolving technologies, providers need to replace equipment much more frequently than in the past. With such a rapid turnover of equipment, providers are hard pressed to gain an adequate return on their purchase investment and justify the expense. The problem is even more acute for smaller hospitals and medical centers who simply can’t afford the high-priced capital expenditures for new equipment with short life cycles.

With the global spotlight on the high cost of healthcare, pressure is mounting for healthcare organizations to keep capital expenditures low while maintaining and continuing their mission to deliver high quality patient care. This of course is the conundrum: how can healthcare providers utilize and pass on the benefits of advanced medical technology to their patients while maintaining an acute eye towards cost containment?

Software monetization is a key area of focus for medical device manufacturers. Much can be learned from the new software licensing models being successfully deployed in many other markets. The days of the conventional perpetual license, with the large upfront cost, are gone and being replaced by more creative monetization models, such as subscription licensing, that make it more affordable and accessible to larger target groups.

For medical device manufacturers, software is key because many of the rapid advances in equipment features and functionality occur because software is relatively easy to develop (vs. hardware modifications), deploy, and update in the field. Software not only controls the equipment, acquires data, and monitors events, but it can be programmed to simply turn features and functionality on and off as requested or as needed.

Medical device manufacturers can leverage software licensing to not only reduce the upfront costs for healthcare providers, but also to unlock unique business models that generate new revenue streams and open up markets that were previously unreachable. Let’s take a closer look at modern licensing models that can be adapted to medical devices:

Subscription Licensing: The software is licensed for a limited time (Expiration Time), a limited period (Usage Period) or on an annual basis (Subscription). To minimize the upfront capital cost for providers, the equipment can be leased and software licensed only for the specified time requested. For manufacturers, this provides a predictable, recurring revenue stream.

Pay-Per-Use Licensing: Use of the product is metered and providers are charged only when they use the equipment. In this case, users are charged on the basis of the real consumption of licenses per period. This model is similar to “Pay-per-view TV” or online journals that charge on a per-use basis. Pay-per-use presents significant cost-saving benefits and allows manufacturers to penetrate untapped markets with an affordable offering.

Feature on demand: The medical device is delivered with the most important basic functionalities at an entry level cost. The system can be upgraded by additional licenses that are used to activate specific product features and models and charged accordingly. Features can be turned on and off as needed, giving customers greater control over their expenditure and allowing them to more readily address the unique needs of individual patients.

Trial: The user can access and try additional features of the software for a limited time, so that customers can test additional features while using the device in real-world conditions. This removes financial risk for the customers and allows them great flexibility.
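The four models above all reduce to a device-side entitlement check against a license that the customer cannot alter. The following is an added example, not code from the original post and not the CodeMeter API: the field names, feature names, key and clock values are constructed, and an HMAC with a shared secret stands in for the vendor's signature.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: an HMAC with a shared secret stands in for
# the vendor's signature; a fielded device would verify an asymmetric
# signature or keep the key in protected hardware.
VENDOR_KEY = b"constructed-demo-key"


def _canonical(body):
    """Serialize the license body deterministically so the tag is stable."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_license(body, key=VENDOR_KEY):
    """Vendor side: bind the entitlements to an integrity tag."""
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_license(lic, key=VENDOR_KEY):
    """Device side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, _canonical(lic["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), str(lic.get("tag", "")).encode())


class LicenseGate:
    """Evaluates feature requests against one license.

    State (first use, meter, last clock value) lives in memory here; a real
    device has to persist it where the user cannot reset it.
    """

    def __init__(self, lic, key=VENDOR_KEY):
        self.valid = verify_license(lic, key)
        self.features = lic["body"].get("features", {}) if self.valid else {}
        self.first_use = {}    # feature -> time of first use (Usage Period)
        self.meter = {}        # feature -> billable uses (Pay-Per-Use)
        self.last_seen = None  # highest clock value observed so far

    def check(self, feature, now):
        """Return (allowed, reason) for one use of `feature` at time `now`."""
        if not self.valid:
            return False, "tampered"
        # Setting the clock back would extend every time-based license.
        if self.last_seen is not None and now < self.last_seen:
            return False, "clock-rollback"
        self.last_seen = now
        ent = self.features.get(feature)
        if ent is None:
            # Feature on demand: absent until a new license adds it.
            return False, "not-licensed"
        # Subscription and trial: absolute Expiration Time.
        if "expires_at" in ent and now >= ent["expires_at"]:
            return False, "expired"
        # Usage Period: the window opens at first use, not at issue time.
        if "usage_period" in ent:
            start = self.first_use.setdefault(feature, now)
            if now - start >= ent["usage_period"]:
                return False, "usage-period-over"
        # Pay-Per-Use: count each permitted use for later billing.
        if ent.get("metered"):
            self.meter[feature] = self.meter.get(feature, 0) + 1
        return True, "ok"

    def usage_report(self):
        return dict(self.meter)


# Constructed sample license; times are seconds on an abstract clock.
SAMPLE_BODY = {
    "device": "DEMO-0001",
    "features": {
        "base_imaging": {"expires_at": 2000},                 # subscription
        "report_export": {"usage_period": 100},               # usage period
        "scan": {"metered": True},                            # pay-per-use
        "advanced_mode": {"expires_at": 500, "trial": True},  # trial
    },
}


def demo():
    gate = LicenseGate(issue_license(SAMPLE_BODY))
    results = [
        gate.check("base_imaging", 100),
        gate.check("scan", 110),
        gate.check("scan", 120),
        gate.check("report_export", 150),
        gate.check("report_export", 250),
        gate.check("advanced_mode", 600),
        gate.check("volume_render", 610),
        gate.check("base_imaging", 90),
    ]
    return results, gate.usage_report()


def demo_tamper():
    """Extend the trial by editing the license body without re-signing it."""
    forged = json.loads(json.dumps(issue_license(SAMPLE_BODY)))
    forged["body"]["features"]["advanced_mode"]["expires_at"] = 10**9
    return LicenseGate(forged).check("advanced_mode", 600)


if __name__ == "__main__":
    print(demo())
    print(demo_tamper())
```

The integrity tag and the rollback check are what make the models enforceable: without them, editing `expires_at` or resetting the device clock turns a trial into a perpetual license.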

Let’s take a look at a few real-world use cases.

Agfa HealthCare
Agfa HealthCare is a leading provider of diagnostic imaging and healthcare IT solutions for hospitals and care centers around the world. In the digital healthcare market, computed radiography is an important driver in making medical imaging more accessible, especially for smaller healthcare facilities in emerging countries. However, the upfront capital investment in equipment and software remains an important hurdle for healthcare providers with a relatively modest need for medical imaging.

To address this issue, Agfa HealthCare developed a computed radiography solution that offered a complete digital imaging package, including equipment and software, without upfront investment. They implemented a solution for time-based licensing that allows the healthcare providers to use the computed radiography package in a pay-per-use scenario. Their customers pay as they go, with a fixed down-payment followed by equal and regular installments, thus keeping upfront capital investment low and cost management easy. In turn, the flexible business model made new markets accessible to the company.

Fritz Stephan
Fritz Stephan is a developer of highly specialized technical solutions in ventilation, anesthesiology and oxygen supply. Fritz Stephan’s EVE ventilation systems were developed for a very sensitive group of patients that require gentle and non-invasive ventilation therapy. The ventilation family consists of three models: EVETR is mainly used in emergencies and during transport; EVEIN is a fully-fledged intensive care respirator for patients in the hospital environment; and EVENEO is an intensive care ventilator for the neonatal unit.

The company was looking for a modular licensing solution that would allow them to implement feature-based licensing and enable easy online updates. A scalable licensing model would also allow them to upsell new licenses to their global customer base and conveniently modify the set of features of their devices over the Internet.

To address their need, they structured a scalable licensing model where they can remotely activate features on-demand. This allows them to create new post-sales revenues and deliver responsive pricing models for their customers. Essentially, the device that was initially purchased by the customer stays the same, but it can be upgraded in the field, no matter where it was sold. With EVENEO, the adult features can be easily enabled at a later stage, or the neonatal mode can be activated for EVEIN at any time.

If you plan to attend MD&M West on Feb. 6-8 in Anaheim, stop by Wibu-Systems booth #976 and we can continue the discussion on medical software monetization strategies.

Protecting Medical Devices
by Terry Gaul, Fri, 12 Jan 2018
https://www.wibu.com/za/blog/article/protecting-medical-devices.html
Since the IP of most of today’s medical equipment is encapsulated in embedded software, the industry is ripe for attack.

Intellectual property theft is rampant around the globe. In a 2016 study, VDMA, the German Mechanical Engineering Industry Association, reported that nine out of ten manufacturers were victims of piracy, and that in 70% of all cases, reverse engineering was the main trigger. Components, industrial designs, and even entire systems are being counterfeited across all sectors of industry.

The medical device manufacturing community is a prime target for counterfeiting. Take for example the case of an Irvine, CA engineer who in 2016 was charged with stealing and possessing trade secrets from his two former employers, both of whom manufactured medical devices used to treat cardiac and vascular ailments. During his employment, the engineer was found to have travelled to the People’s Republic of China (PRC) multiple times – sometimes soon after allegedly downloading trade secrets from the employer’s computer and emailing information to his personal email account. According to the FBI, the engineer appeared to be in the process of setting up a company with other individuals in the PRC to manufacture medical devices.

In many cases, counterfeiting of the equipment starts with the theft of the intellectual property contained in the software and embedded in the equipment. That was the case when a leading global manufacturer of gambling slot machines found out that their proprietary gaming software was being used on counterfeit slot machines across Europe and Asia. Once the software was stolen, the perpetrator was able to reverse engineer the machine itself and build a functioning slot machine that closely mimicked the original equipment.

Because the intellectual property of today’s surgery robots, X-ray machines, MRI scanners, dental devices, infusion pumps, patient monitors and most other medical equipment is encapsulated in embedded software, the industry is ripe for attack.

Modern encryption technology, however, is a strong antidote that software developers can use to protect medical device software from theft. Encryption is the process of encoding data in such a way that only authorized parties can access it. Encryption denies the intelligible data to a would-be interceptor. In an encryption scheme, the intended data is encrypted using a special algorithm–a cipher–generating ciphertext that can only be read if decrypted. An encryption scheme usually uses a random encryption key, generated by the algorithm. It is theoretically possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. The data can only be decrypted with the key provided by the originator and the key is kept in a secure location.

During the encryption process, the software developer can encrypt the entire executable code, just specific tagged functions, or a combination of both. The encrypted code is then decrypted at runtime with the appropriate key.

Medical device manufacturing companies like Dentsply Sirona, Fritz Stephan GmbH, Agfa HealthCare, and custo med are prime examples of companies who have taken necessary steps to protect their intellectual property with modern embedded software protection mechanisms.


If you would like to learn more about encryption mechanisms and IP protection for medical device IP, stop by our booth #976 at MD&M West on February 6 – 8 in Anaheim.

What Meltdown and Spectre Mean
by Andreas Schaad, Wed, 10 Jan 2018
https://www.wibu.com/za/blog/article/what-meltdown-and-spectre-mean.html
CodeMeter products are not affected by Meltdown and Spectre, even if a would-be attacker should manage to access the application memory.

The recent news about security vulnerabilities in common microprocessors and, by implication, popular operating systems and applications has left many users rightly concerned about their IT security.

What we can say at this point in time is that there are three new vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754), which have become known under the monikers “Meltdown” and “Spectre”.

The possible attacks exploit common performance boosting technology, such as the speculative execution of instructions, combined with side channel attacks to access data in volatile memory. As far as we can tell, this can be done in user mode, making it possible for external attackers to combine this with other common strategies (e.g. phishing). The exact details and proofs of concept were released simultaneously by Google’s Project Zero.

The vulnerabilities have, so far, only been demonstrated under “sanitized” laboratory conditions, and no real-life attacks are known. Despite this, the potential implications seem disastrous: Memory could be accessed at will by processes without the privileges to do so. This could be particularly catastrophic in cases where multiple users share the same hardware (multi-tenancy).

The affected makers of microprocessors and software developers are aware of the issue and have begun to release first patches. There are suggestions that certain trends in chip design will have to be reconsidered in the medium term.

It is not yet known whether code can be manipulated by exploiting these vulnerabilities. We will continue to monitor and proactively evaluate the patches provided in response by the industry (using CVE databases). Where required, we will notify our clients about updates they should install.

To our current knowledge, the functions and capabilities of Wibu-Systems’ CodeMeter products are not affected by the threat and will continue to offer optimum protection for applications against manipulation and illicit use.

As the keys used for software protection never need to leave the CmDongle, our CodeMeter products will not be affected by Meltdown and Spectre, even if a would-be attacker should manage to access the entire application memory. Our IxProtector technology also supports highly granular encryption, making data available in unencrypted form only when and where it is genuinely needed. This will reduce the potential effects of an attack using Meltdown or Spectre to a minimum. Combined with our Blurry Box technology, this gives us good reason to consider Wibu-Systems the unbeaten leader in the field of software protection and licensing.

Crossing the Licensing Migration Chasm
by Terry Gaul, Mon, 04 Dec 2017
https://www.wibu.com/za/blog/article/crossing-the-licensing-migration-chasm.html
Established due diligence best practices provide a roadmap to ensure a successful migration to a modern, flexible and robust licensing system.

Cloud initiatives, SaaS, subscriptions, pay-per-use, and a bevy of new, customer-centric licensing models are wreaking havoc with some ISVs who are struggling to keep up with their own antiquated licensing engine or are unsure as to how to adapt one of these new models and best satisfy their customers. One thing is for sure - when the dust settles, the most competitive ISVs will be those who have employed a flexible license management system that enables them to easily evaluate, implement, and tweak their licensing model to keep pace with ever changing consumer preferences, while at the same time, profiting from creative software monetization strategies that are optimal for their business.

What’s holding back some ISVs is the perception that the migration process from their existing “build your own” licensing system or legacy 3rd party system entails a prolific, resource-intensive and costly effort. And the most efficient migration path is not always crystal clear. Hence, the chasm. Among the many challenges ISVs face is the migration of existing data, especially if they still have to support an existing customer base while undertaking the migration. In most cases, there will be two licensing systems running in parallel for a defined period during the transition.

It has been our experience that the most important factor in a successful migration is for the ISV to be most diligent upfront to gain a thorough understanding of the short term migration issues and the market dynamics and associated licensing requirements that will support long term business objectives.

There are many questions that need to be considered during the due diligence phase of the migration effort: 

  • Make vs. buy: What are the pros and cons of implementing a home-grown solution vs. buying an off-the-shelf licensing system? Are there enough resources and internal expertise to perform the transition most efficiently?
  • Migration scenarios: Patch an existing system or convert to an entirely new system? Run the old and new systems in parallel for a transitory period? For how long?
  • Protection: How should license protection be built into the process to protect against IP theft, reverse engineering, and software piracy?
  • Licensing: Are different licensing models required? Are the licensing process and activations the same for all products? Will there be hardware or software activations, or both? Is there a need to create new licenses for older versions of your products? Is there a long term strategic product development plan that includes a roadmap for entering new markets?

As confusing and daunting as the migration process may seem, it should be comforting to know that there are established best practices available that provide a roadmap to efficiently cross the chasm and ensure a successful migration to a modern, flexible and robust licensing system.

For starters, you can read an article that appeared in our KEYnote magazine that describes in detail several different paths that have proven successful in real-world migrations to our CodeMeter protection and licensing platform, or spend an hour in our upcoming Webinar, Streamlining Licensing Migration from 3rd Party Systems, to be held on December 13, 2017 at 6:00 pm CET/9:00 am PST, and see a live demonstration.

Pay-Per-Use licensing: its time has come
by Terry Gaul, Tue, 07 Nov 2017
https://www.wibu.com/za/blog/article/pay-per-use-licensing-its-time-has-come.html
The pay-per-use model is widely embraced by consumers, has tangible benefits for ISVs and embedded system developers, and is industry-agnostic.

Pay-per-use software licensing is not a new concept. In fact, as discovered in a recent Google search, the business model was under consideration as far back as 1993 (Host Users Seek License Details, Computerworld, May 24, 1993), when visionaries at companies like IBM perceived potential value in the novel concept. The idea was well before its time, perhaps, particularly given that the commercialization of the Internet and the realization of its powerful impact was just underway and the build out of enterprise IP networks was still in its infancy.

Today, however, the rise in cloud-based computing is driving market demand away from conventional perpetual licensing and toward next generation consumption based services in the form of software-as-a-service, infrastructure-as-a-service, and other subscription models that base pricing on actual service usage. The pay-per-use model has come of age and is being widely embraced by consumers, particularly those with low volume needs or those whose usage fluctuates in and out of peak periods.

The pay-per-use model is relatively straightforward: use of the product is metered and customers pay only for service they use, much like pay-per-view TV or publishers and research firms who sell access to high value content on per-use or per-download basis.

The pay-per-use model has tangible benefits for ISVs and embedded system developers as well as end users.

Benefits to customers include low start-up costs, month-to-month affordability, and convenience. In low usage scenarios, the model makes expensive, specialized software more affordable and accessible to smaller businesses. It is also beneficial to customers in environments where usage fluctuates over time, so when the software is not being used, the customer is not paying for it.

Software vendors, on the other hand, benefit from enhanced customer relationships. The pay-per-use model also provides valuable market information, as vendors gain greater feedback as to product usage and can retool and refine their pricing models and packaging to better serve their customer demands and improve revenues.

As consumers become more sophisticated and selective in their licensing preferences, it is incumbent upon the ISV to be capable of deploying new business models that satisfy their customers, particularly in a highly competitive market. Software licensing now is a mechanism by which vendors can differentiate themselves in the marketplace while enriching their customer relationships and building trust and loyalty for the future.

In the industrial realm, pay-per-use licensing has become more relevant as well, driven by recent developments in machine connectivity, the globalization of manufacturing processes, and the interest in customized manufacturing for production runs of maybe even only single pieces. Pay-per-use allows customers to pay on the go for the machine lease, the consumables, the raw material, or the software package they specifically requested, at the time they really need it.

The most successful ISVs will be those who have the tools to roll out a pay-per-use licensing model as easily as they would for conventional permanent or subscription licenses, with automated billing and integration of the process into ERP, CRM, e-commerce and other back office business platforms.

If you are considering adopting pay-per-use licensing, you will be interested in attending our upcoming webinar, Monetizing Software, Machines, and Materials with New Business Models, on Thursday, November 16, 2017 at 9:00 am PST / 6:00 pm CET. The webinar will review different application scenarios for pay-per-use licensing and demonstrate the technical implementation using our CodeMeter License Central platform. You can view the agenda and register here.

Cybersecurity for Government and Industry
by Terry Gaul, Thu, 19 Oct 2017
https://www.wibu.com/za/blog/article/cybersecurity-for-government-and-industry.html
Cybercrime will cost up to $6 trillion by 2021 - nearly half of today’s US GDP and more profitable than the global trade of all major illegal drugs combined.

Cybercrime will cost up to $6 trillion by 2021, according to a report recently released by Cybersecurity Ventures. This colossal number is equivalent to nearly half of today’s US Gross Domestic Product (GDP) and more profitable than the global trade of all major illegal drugs combined.

The report links cybercrime costs to damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.

Beyond the financial consequences, cybercrimes jeopardize the trustworthiness of the connected economy, disrupt global commerce, and threaten critical infrastructure, ultimately putting lives at risk.

BSA | The Software Alliance, a leading advocate for the global software industry, has been an ongoing industry champion of software innovation, anti-piracy, and security and recently released their cybersecurity agenda, Security in the Connected Age. The agenda defines elements of cybersecurity that government policymakers can evaluate and helps them prioritize legislation that will most effectively strengthen policies to protect citizens from cyber threats. The agenda urges the US government to expand its role in improving cybersecurity, both domestically and abroad, and to work closely with industry to:

  • Promote a secure software ecosystem by creating industry benchmarks, developing tools to understand critical information, and strengthening security research and vulnerability disclosure;
  • Strengthen government’s approach to cybersecurity by modernizing government IT, harmonizing federal cybersecurity regulations, and incentivizing adoption of the National Institute of Standards and Technology’s framework;
  • Pursue international consensus for cybersecurity action by supporting international standards development, as well as adopting and streamlining international security laws;
  • Develop a 21st century cybersecurity workforce by increasing access to computer science education and opening new paths to cybersecurity careers; and
  • Advance cybersecurity by embracing digital transformation, leveraging the potential of emerging technologies and forging innovative partnerships to combat emerging risks.

One key area of emphasis in the agenda is the need to drive IoT cybersecurity through adoption of proven software security best practices. Organizations are encouraged to integrate security-by-design principles into IoT standards and guidance, and develop frameworks for assessing risk and identifying security measures. This is where industry can play a major role through participating in global organizations like the Industrial Internet Consortium, Trusted Computing Group, and the Silicon Trust whose members are working diligently towards developing standards and best practices that address cybersecurity among other important industrial initiatives.

A good example of such an initiative is the IIC Industrial Internet Security Framework (IISF), a technical report developed by members from 25 different organizations. The IISF is the most in-depth cross-industry-focused security framework comprising expert vision, experience and security best practices. It reflects thousands of hours of knowledge and experiences from security experts, collected, researched and evaluated for the benefit of all IIoT system deployments.

Creative Software Monetization Strategies
by Terry Gaul, Wed, 13 Sep 2017
https://www.wibu.com/za/blog/article/creative-software-monetization-strategies.html
The next generation of software monetization is about enabling business models that provide additional opportunity for monetization to drive growth.

“The next generation of software monetization is not just about IP protection nor limited to licensing alternatives (perpetual versus term), but rather about enabling business models that provide additional opportunity for monetization to drive growth.”

I found this statement to be a key takeaway from a recent Gartner report, Disruption in Software Business Models Creates New Opportunities for Monetization. This notion is based on several recent trends in the industry:

  • The transformation of software licensing models from upfront cost with an add-on maintenance contract to more recurring revenue models, like time-based or feature-based subscriptions.
  • The enablement of new pricing scenarios that are more end-user friendly and easier for the publisher to manage entitlements.
  • The granular ability to track application usage, which paves the way for attractive consumption-based pricing models and provides developers with valuable analytics and insights for next generation products.

Gartner highlighted several assumptions that will drive these future transformations:

  • By 2018, 50% of independent software vendors (ISVs) will use concurrent licensing (based on users) as the primary licensing strategy compared with the majority using node-lock models today.
  • By 2019, 80% of ISVs will use multiple licensing models (such as consumption/metered services, capacity, node lock and concurrent) for software monetization.

It’s interesting to note that similar dynamics are driving transformations in the embedded system market segment as well. According to Gartner, embedded developers should consider that: 

  • By 2019, 20% of intelligent device manufacturers (IDMs) will move from no protection for embedded software to a node-lock model as the primary software licensing strategy for monetization beyond the hardware.
  • By 2020, 15% of Intelligent Device Manufacturers will be exploring/piloting concurrent (based on users) and consumption (metered services) software licensing strategies in order to further monetize on embedded software.

With these industry shifts occurring, embedded device developers are realizing the potential benefits of recurring revenue models for themselves as well. Gartner points out that, for example, a medical device manufacturer can offer hospitals and medical centers flexible pricing options that alleviate the high upfront capital equipment cost with a subscription-based model that is more manageable. As a result, more customers can access the medical equipment they otherwise could not afford.

Agfa HealthCare, a leading provider of diagnostic imaging and healthcare IT solutions, is a good case in point. The company’s digital computed radiography system encompasses the most cutting-edge technology in clinical research, but many small laboratories, orthopedic doctors, and other facilities were hard pressed to afford the upfront investment for hardware and software. To accommodate the needs of the vast low-end market, the company rolled out a time-based licensing model that allows the user to only pay according to the imaging volume they needed, which made the solution more affordable for providers and their patients who could benefit from the state-of-the-art technology while opening up new markets for the company.

As these transformations continue to alter the software licensing and monetization landscape, the next question is what tools are needed and how best to implement these new business models. Do the software publishers and embedded device manufacturers develop and rely upon their own expertise to manage the process or partner with an expert in the field to help them commercialize these models? In the case of Agfa Healthcare, they chose to utilize CodeMeter, Wibu-Systems’ proven software security and licensing solution, to help them fulfill their business vision. You can read the full story here.

Time to Speak a Common Language in the IIoT
by Marcellus Buchheit, Thu, 31 Aug 2017
https://www.wibu.com/za/blog/article/time-to-speak-a-common-language-in-the-iiot.html
Do we all share a common understanding of IIoT terms? Most likely not, and that’s why the IIC continues to update its IIoT Vocabulary Report.

In our daily lives, how frequently have we heard someone say “let’s make sure we are on the same page”, whether it be during a personal interaction or a business communication? Pretty often I would say, because it is very easy to get caught up in our comfortable jargon and buzzwords that are prevalent in our particular environments, but not be so readily understandable by people outside of our close circles.

With the rapid growth of the Industrial IoT (IIoT) and the wide diversity of stakeholders and industries involved, “getting on the same page” has become more difficult, yet more important than ever. For example, do we all share a common understanding of terms and concepts like authentication, operational technology, root of trust, vulnerability and other similar terms that are frequently mentioned in articles, technical documents, and other presentations and publications? Most likely not, and that’s why the Industrial Internet Consortium (IIC) continues to update its IIoT Vocabulary Report.

The second version of the report (v2.0), released on July 24, was developed by members of the IIC Vocabulary Task Group, which is made up of software architects, business experts, and security experts. The report contains vocabulary terms and definitions considered relevant to the IIoT. The goal of the document is to enable all stakeholders in the IIoT ecosystem – system architects, IT managers, plant managers, and business decision makers – to communicate with each other effectively. Many of the terms were updated from the first report, originally released in 2016, and new terms were introduced to keep pace with the rapidly evolving IIoT nomenclature.

Anish Karmarkar, IIC Vocabulary Task Group Chair, and Director, Standards Strategy & Architecture at Oracle, said in an IIC news release: “The Industrial Internet comprises a diverse set of industries and people with various skill sets and expertise. Often, concepts and terminology in one field will have different meanings in another, leading to confusion. Industrial Internet projects succeed when participants can communicate using common vocabulary terms and definitions. The IIC Industrial Internet Vocabulary Technical Report v2.0 ensures all IIoT stakeholders are speaking the same language, avoiding what would otherwise be an IIoT ‘Tower of Babel.’”

Many people think that working on a vocabulary document would be quite boring. In actuality, the opposite is true. The weekly meetings are more emotionally driven than any other industrial internet meetings that I have attended. By contrast, other meetings may have 20 attendees, but the moderator is content to generate just a few responses from the attendees. At a vocabulary meeting, however, we may sometimes have just five attendees but the moderator needs to queue the speakers because people get excited and respond to a comment at the same time! As a result, the meeting requires one’s full attention (unwise to attempt to read your unrelated emails during the discussion, for example). And the content is intellectually challenging. Sometimes people will spend a long time discussing a simple phrase or even a single word, but in the end most decisions are agreed upon unanimously.

Working on the industrial internet vocabulary report is also quite stimulating. IoT continues to be overhyped in the information and industrial world and many words and phrases are “misused”. Presenting a modern vocabulary with a strong logical model behind different words and combinations of words gives the Industrial Internet Consortium a more structured approach to leading the IoT world down the proper path, at least in the communication about IoT.

In all, the report provides a standard definition for more than 140 terms commonly used in IIC reference and architectural documents. The full report, including terms, definitions and sources, can be downloaded here on the IIC website.

U.S. Introduces New Cybersecurity Legislation Tue, 15 Aug 2017 11:57:00 +0200 https://www.wibu.com/za/blog/article/us-introduces-new-cybersecurity-legislation.html post-73 https://www.wibu.com/za/blog/article/us-introduces-new-cybersecurity-legislation.html Terry Gaul Will this legislation remedy the market failure that has occurred and encourage device manufacturers to compete on the security of their IoT products? U.S. Introduces New Cybersecurity Legislation by Terry Gaul 15-08-17

U.S. Senators recently introduced legislation intended to improve the cybersecurity of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require that devices purchased by the U.S. government meet certain minimum security requirements. The main points of the bill are aimed at vendors who supply the U.S. government with IoT devices: they would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities.

Senator Mark Warner, a co-author of the bill, stated: “My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”

The recent spate of malware attacks and the public exposure of IoT device vulnerabilities in so many sectors have elevated the visibility of cybersecurity, and it is encouraging to see that these issues are being addressed at the highest levels. And while this legislation is a positive step forward, the effort raises the question: is it enough? If the answer is no, then the responsibility is on the device developers (where it should be) to step up their efforts to use technologies that are available today to ensure that the devices that are proliferating in the commercial markets are safe, ensure privacy, and maintain data security.

The many facets of security that need to be addressed with Internet-connected devices go well beyond the security requirements put forth in the IoT Cybersecurity bill. For example, developers need to consider authentication or licensing of components based on their unique identity, monitoring and securing system integrity, protection of data and communication, and secure updates and upgrades, and that’s just to name a few.

Oliver Winzenried, CEO and Founder of Wibu-Systems AG, outlined key areas that should be addressed in developing a security framework to protect against IoT vulnerabilities. In each of these areas, mechanisms exist that can be implemented today:

  • IP Protection: the actual assets – the IP in the code – can be encrypted with lightweight symmetric encryption and only decrypted on the fly.
  • Product Protection: protect against counterfeiting products by encrypting data and decrypting only on licensed machines.
  • Flexible Licensing: provide variable licensing options like pay-per-use, renting, subscription, etc. for software features. Vendors decide how licenses are deployed, either in app stores or user license portals.
  • Tamper Protection: application code is digitally signed using asymmetric cryptography, with root public keys as securely stored anchors of trust. The devices validate authenticity and integrity themselves.
  • Device Identity: connected devices authenticate themselves with tamper-proof private keys, for example. Open standards like OPC UA are excellent solutions for trusted devices of different manufacturers to operate together.

You can read Oliver’s full comments in his article, Security Frameworks to Set the IoT and IIoT in Motion.

Strengthening Encryption Protections Wed, 19 Jul 2017 15:09:00 +0200 https://www.wibu.com/za/blog/article/strengthening-encryption-protections.html post-71 https://www.wibu.com/za/blog/article/strengthening-encryption-protections.html Terry Gaul Unlike the often used obfuscation approach, Blurry Box cryptography offers software protection that is completely based on publicly available methods. Strengthening Encryption Protections by Terry Gaul 19-07-17

It seems like every day we hear about damaging and costly cyberattacks resulting from pirated software, theft of digital Intellectual Property, stolen personal, financial and medical data, or malicious tampering of consumer IoT devices and connected industrial machine systems in the IIoT. What’s most alarming about these attacks is that many times hackers were able to exploit a vulnerability in the very protection mechanisms designed to secure them.

For centuries now, encryption schemes, from simple ciphers to complex symmetric and asymmetric cryptography, have been used as a formidable defense against hackers to protect data, communications, devices and systems. But just as encryption techniques have evolved and become more sophisticated, so have the abilities of cyber criminals to identify and attack vulnerabilities in code, cryptographic protocols or key management in even the most clever protection schemes. Encryption alone is not the end-all solution. For example, use of a weak algorithm for encryption and decryption may be insufficient to prevent a brute force attack. On the other hand, use of a strong encryption algorithm, but with an insecure implementation that may expose the decryption key, can render the application vulnerable to attack.

The fact is that there is no 100% secure solution in software protection. That’s why companies like Wibu-Systems are dedicated to the continuing development of novel technology-driven security solutions – staying steps ahead of the would-be hackers. Oftentimes it is a collaboration that results in a breakthrough technology, as is the case with Wibu-Systems’ Blurry Box encryption, which was developed in conjunction with the Karlsruhe Institute of Technology and the research center FZI. Blurry Box encryption technology was recently proven unbreakable in a global hacking contest.

Blurry Box is built upon the axiom known as Kerckhoffs’ Principle, which states that the strength of the encryption system should depend upon the key being used, not the secrecy of the system. This approach is contrary to the often used obfuscation approach, otherwise known as “security by obscurity”. Blurry Box cryptography offers software protection that is completely based on publicly available methods. The basic principle of Blurry Box cryptography is the use of one or more secure keys in a dongle and the fact that software is typically complex. Blurry Box cryptography uses seven published methods that greatly increase the complexity and time required for an attack to be successful.

As described in a recent article by Silicon Trust, Blurry Box splits each function block into several variants, which return the correct output of the original unencrypted function only for a specific input set. A wrapper function maps these inputs to the variants, which are encrypted with separate keys stored on a dongle. When the software is executed, the system only decrypts those variants that match the given input. Hackers will only ever see that part of the code that matches the previous input.

In traditional encryption, hackers could work their way through the function blocks in what is called a “copy-and-paste” attack. However, even if a hacker captures individual variants, the protected program is so complex that no hacker can derive additional variants from a specific subset that may become known to him. In essence, Blurry Box does not depend on making copy-and-paste attacks on individual variants impossible, but on making the attack strategy as a whole unfeasible.
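The variant scheme described above can be modelled in a few lines of Python. This is an added illustration, not Wibu-Systems' implementation: the `Dongle` class, the toy SHA-256 stream cipher standing in for a real cipher, and the sample pricing function are all assumptions made for the example. It shows that running the protected function on a set of inputs only ever decrypts the variants those inputs select.

```python
import hashlib
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher, a stand-in for a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class Dongle:
    """Simulated dongle: one key per variant, and a record of what was opened."""
    def __init__(self):
        self._keys = {}
        self.opened = set()
    def seal(self, variant_id: str, plaintext: bytes) -> bytes:
        self._keys[variant_id] = os.urandom(32)
        return keystream_xor(self._keys[variant_id], plaintext)
    def open(self, variant_id: str, ciphertext: bytes) -> bytes:
        self.opened.add(variant_id)
        return keystream_xor(self._keys[variant_id], ciphertext)

# Constructed sample: one pricing function split into three variants, each
# correct only for its own input range. Only the sealed form would be shipped.
VARIANTS = {
    "small": "lambda qty: qty * 5",
    "medium": "lambda qty: qty * 4 + 10",
    "bulk": "lambda qty: qty * 3 + 110",
}

def select_variant(qty: int) -> str:
    """Wrapper step: map an input to the one variant that is valid for it."""
    return "small" if qty < 10 else "medium" if qty < 100 else "bulk"

class ProtectedPrice:
    def __init__(self, dongle: Dongle):
        self.dongle = dongle
        self.sealed = {v: dongle.seal(v, s.encode()) for v, s in VARIANTS.items()}
    def __call__(self, qty: int) -> int:
        vid = select_variant(qty)
        source = self.dongle.open(vid, self.sealed[vid]).decode()
        return eval(source)(qty)  # only this variant is ever in the clear

def variants_exposed(inputs) -> set:
    """Run the protected function on inputs; return the variants decrypted."""
    price = ProtectedPrice(Dongle())
    for qty in inputs:
        price(qty)
    return price.dongle.opened
```

An observer who only sees runs with quantities below 10 learns the `small` variant and nothing about the other two, which stay sealed under keys that never left the simulated dongle.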

The bottom line is that it would be easier and less expensive for a would-be attacker to develop similar software from scratch vs. attempting to crack an application protected by Blurry Box encryption.

Blurry Box can be employed to protect any software however it is deployed. In today’s smart factories, for example, Blurry Box can provide dramatic benefits, particularly in protecting sensitive information such as the technology or configuration data used in manufacturing processes. This invaluable data needs to be safeguarded against know-how theft, counterfeiting, and tampering. Applying Kerckhoffs’ Principle provides encryption methods associated with hardware anchors of trust to ensure IP confidentiality and the integrity and authenticity of digital signatures. You can read more technical details about Blurry Box, including use cases, in an article, Blurry Box Encryption Scheme and Why It Matters to Industrial IoT, published in the Industrial Internet Consortium’s Journal of Innovation.

You can also watch a brief animated description of Blurry Box and how it is integrated into Wibu-Systems’ CodeMeter Protection Suite.