Strategies for comprehensive cyber resilience and recovery are quickly becoming a requirement. Modern, embedded connected devices are an attractive target for cyber attacks, which can open opportunities for ransom demands and result in the shutdown of entire factories. Recovery of compromised devices is challenging because malware can override the original software and often requires manual intervention. Furthermore, many embedded devices do not implement remote recovery procedures.
Cyber Resilience
Cyber Resilience
Evolution of Embedded Security
Multi-Layered Defense Strategy
In order to achieve good system and device security, it is of utmost importance to have a multi-layered defense strategy. As a guideline for cyber-resilient systems, the National Institute of Standards and Technology (NIST) defines three key layers (NIST SP800-193 ).
While today's systems commonly rely mostly on prevention, cyber-resilient devices of the future require integration of all layers to survive in an ever-changing hostile environment.
Prevention
Preventing the attacker from entering a system
Detection
Monitoring and detecting that an attacker has entered a system
Recovery
Expelling the attacker and automatically recovering to a trusted state
Detection
Detection mechanisms can be built in the hardware root of trust of a system-on-chip (SoC). The SoC detects anomalies (such as malware) during the runtime execution of the application, but does not interfere with its normal behavior. This enables the system to trigger recovery actions before the attack can spread to a considerable number of connected devices.
Local
A local detection module relies on the data collected inside the SoC; this data represents the state of the device. This state is analyzed at regular intervals to infer if it corresponds to a normal state. The local analytics module runs on the device without interfering with its main application and can send a warning message to the recovery module if an anomaly is detected. Optionally, it can send its results to the cloud for further analysis. This process is depicted in the corresponding figure.
Global
Cloud-based inference is used for attack detection.
Data of an entire fleet can be used to perform clustering analysis outlier detection.
Recovery
Recovery mechanisms can be built in the hardware root of trust of a system-on-chip (SoC). An SoC recovery module can remotely manage devices even when their OS is unresponsive or completely erased. This enables the remote administrator to quickly and reliably recover all devices back to a trusted working state without requiring any local human intervention.
Enforced Connections
Watchdog timers, which are regularly deferred by the cloud, allow the owner to always regain control over corrupted devices by rebooting.
In the figure, the numbers indicate the order of exchanged messages:
- #1 and #2: watchdog timer deferral ticket request
- #3 and #4: wigned ticket reply
- #5: Recovery action: reset
Recovery States
The write-latch protected recovery image allows it to return to a trusted state after a reboot. The recovery image is write-latched in an early boot phase before the network is enabled by a trusted entity. Write-latches are software-enabled hardware write protection mechanisms. They can only be disabled through a reset of the whole SoC. The recovery image allows to boot into the recovery mode which contains only basic functionality allowing connection to the trusted services. From the recovery mode, it is possible to bootstrap the device and restore a persistently corrupted device to a functional state.
NXP Showroom: Anomaly Detection and Cyber-Resilence for SoCs
A hypervisor-based demo can be found at our technology showroom. Other possible instantiations, including hardware-based isolation, are described in the full paper "Cyber Resilience for Self-Monitoring IoT Devices".
Standardization
The Trusted Computing Group (TCG) drives the definition of new cyber resilience specifications in their Cyber Resilient Technologies (CyRes) workgroup NXP is a member of this workgroup to ensure that the specification mirrors our own high standards for security and resilience. Learn more
Additional Documents
Cyber Resilience for Self-Monitoring IoT Devices
Read up on cyber resilience systems in this IEEE-CSR award-winning paper that was published at the 2021 IEEE International Conference on Cyber Security and Resilience (CSR).
Sign in to read the whitepaperContact Us
For more information about cyber resilience, contact us at cyres@nxp.com.