Sequitur Labs’ IoT security checklist

Philip Attfield of Sequitur Labs Inc. wrote an article for IoT Agenda on IoT Security; excerpting a checklist from the article:

* Devices must implement a “root of trust” as a trustworthy measure of integrity and authenticity. A root of trust, once established, is unchangeable and is therefore always reliable and trustworthy.
* Secure interaction between devices on a network is necessary. Implement mechanisms enabling mutual device authentication.
* Isolation and separation are well-accepted principles of security. Isolating sensitive information such as encryption keys, proprietary algorithms or other information raises the difficulty level for an attacker and minimizes the impact of a breach.
* Separate application functions critical to security. Execute such functions in isolated and secured memory regions to prevent compromise.
* Choose hardware platforms that include tamper resistance features. Such features protect against physical device tampering by destroying critical information such as encryption keys before hackers are able to access them.

http://internetofthingsagenda.techtarget.com/blog/IoT-Agenda/IoT-security-is-not-a-check-box

Open Trust Protocol (OTrP) created

There’s a new IoT security-centric informational IETF Internet Draft out, called OTrP, Open Trust Protocol. Their spec is released as an informational IETF Internet Draft, the companies of the 5 authors are from: Symantec, Interce, Solacia, and ARM. One of the news sites mentions the full list of companies backing this protocol are: Intercede, Solacia, Symantec, Beanpod, Sequitur Labs, Sprint, Thundersoft, Trustkernel, Verimatrix and ARM. I can’t find any web site for this group.

“This document specifies the Open Trust Protocol (OTrP), a protocol to install, update, and delete applications and to manage security configuration in a Trusted Execution Environment (TEE).TEEs are used in environments where security services should be isolated from a regular operating system (often called rich OS). This form of compartmentlization grants a smaller codebase access to security sensitive services and restricts communication from the rich OS to those security services via mediated access. […]”

https://www.ietf.org/id/draft-pei-opentrustprotocol-01.txt
https://tools.ietf.org/html/draft-pei-opentrustprotocol-01
https://www.arm.com/about/newsroom/connected-devices-need-e-commerce-standard-security-say-cyber-security-experts.php

PS: A bit off-topic, but IETF- and IoT- related, found when looking for above URLs:
https://www.internetsociety.org/publications/ietf-journal-april-2016/internet-things-standards-and-guidance-ietf