SecureG, Fujitsu and others partner to Develop Supply Chain Traceability for Open Radio Units (O-RU); Device Identity and Centralized Registry
VIENNA, VA, UNITED STATES, January 10, 2025 /EINPresswire.com/ — SecureG, the world’s most secure root of trust provider, today announced it has been selected by the National Telecommunications and Information Administration (NTIA) to receive a $6M grant from the Public Wireless Supply Chain Innovation Fund’s second Notice of Funding Opportunity. SecureG is partnering with Fujitsu, Rhythmic Technologies, and other industry leaders to research and develop a novel architecture that promises to reduce implementation costs and integration hurdles for O-RU suppliers and enhance the overall security posture of the entire O-RAN ecosystem.
“Open Radio Access Networks offer greater efficiency and innovation; however, the individual implementations of the O-RAN systems can lead to interoperability issues and security risks when vendors take contrasting approaches,” said Todd Warble, CTO of SecureG. “Together, SecureG and its partners will unlock interoperability and expedite onboarding of new vendors to benefit the larger O-RAN ecosystem.”
3GPP, the Open RAN Alliance, and government entities such as the National Institute of Standards and Technology (NIST) have published extensive guidelines, standards and frameworks, but rely on each O-RAN ecosystem participant to interpret and implement them individually. Individual interpretations can become a source of security risks, as well as hindering scalability and interoperability.
SecureG and its partners are researching and analyzing existing standards, protocols, and best practices to document how digital identities can be assigned, documented, and made available to partners to produce a trustworthy network built upon a validated supply chain.
SecureG is developing a Supply Chain Traceability (SCT) Registry platform that provides these key components:
• Reliance on “Zero Touch Provisioning.”
• Ability to integrate device identities with credentials.
• A high-trust key management infrastructure to provide an objective “authority” for secure credentialing and validation.
• The necessary security operations to create a commercially viable and practical solution for chipset manufacturers, vendors, and MNOs.
“This registry will provide O-RU component providers and manufacturers with a simple approach to build credentials directly into their chipsets without requiring extensive and costly security implementations each time,” said Mr. Warble. “At the same time, network operators can be assured that their providers are providing trusted components compliant with security standards that can be easily integrated into their networks.”
About SecureG
SecureG was conceived by MITRE Engenuity™ and CTIA™ to establish and maintain trust for 5G networks, machine-to-machine communication, and Zero Trust Architecture. SecureG’s Public Key Infrastructure (PKI) services can be customized to meet the security posture and scaling requirements of any network, device manufacturer, or software service.
For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.
The Internet of Things (IoT) has revolutionized industries and transformed the way we interact with technology. From smart homes to industrial automation, IoT devices have become ubiquitous, collecting and transmitting valuable data. However, this connectivity also exposes them to security risks. For IoT device makers, it is crucial to prioritize security and build trust among users.
Recent events have highlighted the importance of digital certificates in securing IoT communication. The Starlink outage caused by an expired digital certificate is a prime example of how a single weakness can severely compromise an entire system. This incident showcased the need for constant vigilance and monitoring of every component’s “key” and related certificate to prevent unauthorized access and data breaches.
Digital certificates, also known as “machine identities,” enable devices to trust each other and recognize their authenticity. They play a pivotal role in establishing and maintaining trust in IoT communication channels. By leveraging asymmetric encryption, digital certificates, and strong authentication mechanisms, Public Key Infrastructure (PKI) provides a robust framework for securing IoT communication channels.
Secure bootstrapping and device provisioning are critical challenges for IoT device makers. With unique device identities and verified credentials, the devices can securely connect to IoT networks, preventing unauthorized access and tampering.
Maintaining the security of IoT devices over their lifespan is a significant concern. PKI allows for secure over-the-air (OTA) updates, ensuring that devices receive necessary patches and firmware upgrades. By utilizing digital signatures and certificate-based authentication, IoT device makers can verify the integrity and authenticity of updates, mitigating the risk of unauthorized modifications or malware injection.
Secure IoT systems need certificates, and they also need a reliable system for managing their lifecycles. Designers need to carefully think through how they design, deploy and enable customers to maintain their certificate systems. By leveraging the power of PKI, IoT device makers can establish trust, enhance security, and protect user privacy.
Contact us at SecureG to learn more about how our innovative PKI solutions can help secure your IoT devices and drive the success of your IoT deployments.
The Internet of Things (IoT) is rapidly expanding, with billions of devices connected to the internet. While this connectivity has the potential to revolutionize industries, it also presents significant security challenges. The use of Silicon Root of Trust (RoT) and Public Key Infrastructure (PKI) can help address these challenges and provide a secure environment for IoT devices and networks.
Introduction to IoT and Its Security Challenges
IoT refers to the connection of everyday devices to the internet, such as smart home appliances, wearables, and industrial sensors. These devices often collect sensitive data and perform critical functions, making them a target for cyber attacks. The sheer number of devices and the lack of standardized security protocols make securing IoT a significant challenge.
Definition of Silicon RoT and PKI in the Context of IoT
Silicon RoT is a hardware-based security mechanism that provides a trusted foundation for the device’s security. It ensures the integrity of the device’s firmware and software and provides a tamper-proof, isolated environment. PKI is a system that uses public and private keys to secure communications over the internet. It consists of a certificate authority (CA), a registration authority (RA), and a certificate repository.
How These Technologies Can Help Secure IoT Devices and Networks
Silicon RoT and PKI can help secure IoT devices and networks by providing end-to-end security. Silicon RoT ensures the integrity of the device’s firmware and software, while PKI provides secure communication between devices. Together, they can authenticate devices, protect data, and prevent unauthorized access to the network.
Use Cases and Examples of IoT Applications that Rely on Silicon RoT and PKI
Industries that rely on IoT, such as healthcare and transportation, use Silicon RoT and PKI to secure their systems and protect sensitive information. For example, in healthcare, IoT devices, such as wearables and medical sensors, collect patient data and transmit it to healthcare providers. Silicon RoT and PKI ensure the authenticity, confidentiality, and integrity of this data.
Challenges and Limitations of Using These Technologies in IoT
One of the main challenges is the lack of standardization in IoT security protocols. This can make it difficult to implement security measures across different devices and networks. Another challenge is the cost of implementing and maintaining these technologies, which can be significant for organizations with large IoT deployments.
Future Developments and Trends in IoT Security
As IoT continues to expand, we can expect to see further developments in IoT security. One trend is the use of blockchain technology to secure IoT devices and networks. Blockchain provides a decentralized and tamper-proof ledger that can be used to authenticate devices and secure data. Another trend is the use of artificial intelligence and machine learning to detect and respond to security threats in real-time.
Conclusion and Recommendations for Securing IoT Devices and Networks
Silicon RoT and PKI are essential technologies for securing IoT devices and networks. They provide end-to-end security and ensure the authenticity, confidentiality, and integrity of data and communications. To effectively secure IoT, organizations should prioritize security, implement standardized security protocols, and invest in technologies such as Silicon RoT and PKI. As IoT continues to evolve, organizations should stay up-to-date with the latest security developments and trends to ensure the security of their devices and networks. Contact SecureG for more information on adding PKI to your IoT solutions.
Silicon Root of Trust (RoT) and Public Key Infrastructure (PKI) are essential technologies for ensuring the security of devices and networks. When building PKI technology into a semiconductor hardware RoT device, several important considerations should be taken into account. Here are some of the key ones:
- Secure Key Management: Since the RoT device is responsible for generating and storing private keys for the PKI, it is important to ensure that the key management is secure. The design must account for the entire device lifecycle and plan appropriately for certificate renewal and decommissioning events.
- Physical Security: The RoT device should be designed with physical security in mind. This includes measures such as tamper-resistant packaging, secure boot, and secure storage of sensitive data. These devices will likely be subject to physical control by adversaries at some point, so the physical security architecture must be designed to account for this risk.
- Compliance: The PKI technology should be designed to comply with relevant standards and regulations, such as FIPS 140-2, Common Criteria, and GDPR.
- Interoperability: The PKI technology should be designed to work with other PKI systems and applications, to ensure interoperability across different environments. PKI is a well-established technology and many standards exist for it. Choose the standards appropriate for your industry segment.
- Scalability: The PKI technology should be designed to scale as the number of devices and users grows. This includes ensuring that the RoT device can handle large volumes of requests for certificate issuance, validation, and revocation.
- Ease of Use: The PKI technology should be designed with ease of use in mind, to ensure that it is easy for developers and users to integrate and use the PKI system. In embedded, remote, and IoT implementations, direct human interaction with devices is rarely feasible, so a machine-to-machine management approach should be used.
- Resilience: The PKI technology should be designed to be resilient to attacks and failures, to ensure that the RoT device can continue to function even in the face of adversity. Consider the impact of a breach involving your trusted root keys, and plan appropriately to balance cost and risk.
Building a PKI technology into a semiconductor hardware RoT device requires careful consideration of security, compliance, interoperability, scalability, ease of use, and resilience. SecureG can help you build a PKI system that is secure, trustworthy, and scalable for your semiconductor devices. Contact us today to discuss how SecureG’s PKI solution can secure your products.
Open-source software has become an integral part of many organizations’ software development processes due to its cost-effectiveness and flexibility. However, a reliance on open-source can lead to security risks. In this blog post, we will explore the dangers of using outdated open-source software and ways to mitigate these risks.
One of the biggest benefits of open-source software is the ability to leverage the work of others for your own projects. This can save time and money, while also providing the flexibility to customize the software to meet your specific needs. However, the use of open-source software also brings with it the potential risk of using software components that may contain vulnerabilities. For instance, a vulnerability in the commonly used Java logging library, Log4j, forced thousands of developers to patch affected code after it was found that hackers had been actively exploiting it.
Repeat Offenders
Component exploits help attackers gain access to sensitive data and systems, which can have devastating consequences. For instance, the 2017 Equifax data breach was caused by an unpatched vulnerability in the open-source Apache Struts framework, which allowed attackers to gain access to the personal information of over 143 million people. In 2020, SolarWinds suffered a near-fatal setback when it was discovered that attackers had inserted the so-called Sunburst malware into the software build, giving attackers broad access to thousands of customers’ entire networks.
It is not uncommon for malicious actors to subtly manipulate code packages. One effective attack is to change the stated version in the header while leaving known prior vulnerabilities in the package. Unfortunately, the use of a simple Software Bill of Materials (SBOM) would not be sufficient to catch this technique.
What is needed is a ‘suspicious’ SBOM solution that scans the actual packages and categorizes them according to their true contents.
A ‘suspicious’ SBOM solution needs advanced scanning tools and machine learning algorithms that can detect anomalies in the software’s components. This way, it can identify components that have been modified, substituted or tampered with, providing a more accurate representation of the software’s reality. Also, this process can help in identifying any hidden dependencies that might not be listed in the software manifest or any potential vulnerabilities that might have been introduced through the use of outdated components. By doing so, we can ensure that software developers and users alike can trust the integrity of the SBOM, making it a valuable tool in promoting trustworthy software applications.
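One way to implement the content-based check described above (an added example, not SecureG's code): it fingerprints a package's code files while ignoring the self-declared header, so a release whose header was bumped but whose code was left unchanged is matched to its true version. The `METADATA` header layout, the library name `logfmt`, and the reference index are constructed assumptions.

```python
import hashlib

def parse_declared(files):
    """Read the self-declared name and version from the METADATA header."""
    fields = dict(line.split(": ", 1)
                  for line in files["METADATA"].decode().splitlines() if ": " in line)
    return fields["Name"], fields["Version"]

def content_digest(files):
    """Digest of the code files only; the self-declared header is excluded
    so that editing it cannot change the fingerprint."""
    h = hashlib.sha256()
    for path in sorted(p for p in files if p != "METADATA"):
        h.update(path.encode() + b"\0" + hashlib.sha256(files[path]).digest())
    return h.hexdigest()

def build_index(trusted_releases):
    """Map content digest -> (name, version) for releases from a trusted source."""
    return {content_digest(f): parse_declared(f) for f in trusted_releases}

def audit(files, index, vulnerable):
    """Compare what a package claims to be with what its contents match."""
    declared = parse_declared(files)
    actual = index.get(content_digest(files))
    if actual is None:
        status = "unknown-contents"    # modified or never-seen code
    elif actual != declared:
        status = "version-mismatch"    # header says one thing, code is another
    else:
        status = "ok"
    return {"declared": declared, "actual": actual, "status": status,
            "known_vulnerable": actual in vulnerable}

# Constructed sample packages for a hypothetical library "logfmt".
def pkg(version, code):
    return {"METADATA": f"Name: logfmt\nVersion: {version}\n".encode(),
            "logfmt/core.py": code}

OLD_CODE = b"# code as shipped in release 1.0.0\n"   # stands in for the flawed release
NEW_CODE = b"# code as shipped in release 1.0.1\n"   # stands in for the fixed release
INDEX = build_index([pkg("1.0.0", OLD_CODE), pkg("1.0.1", NEW_CODE)])
VULNERABLE = {("logfmt", "1.0.0")}

if __name__ == "__main__":
    relabeled = pkg("1.0.1", OLD_CODE)   # header bumped, old code left in place
    print(audit(relabeled, INDEX, VULNERABLE))
```

A manifest-only SBOM would record the relabeled package as `logfmt 1.0.1`; the digest lookup reports it as 1.0.0 and flags it as known vulnerable.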
A ‘suspicious’ SBOM also needs a strong and trustworthy PKI to sign and validate its outputs. If you’re developing solutions for IoT devices for critical infrastructure, talk to us at SecureG about how you can have your own hosted PKI for certificates.