Wibu-Systems Blog (feed updated Mon, 16 Sep 2019 03:44:47 +0200)
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A.html

The Complex Software Licensing Landscape
by Rüdiger Kügler, Tue, 03 Sep 2019 09:43:00 +0200
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/the-complex-software-licensing-landscape.html
The software licensing tools must be readily adaptable to the new purchasing and delivery models of the connected age.

The digital transformations occurring across all segments of society are unfolding at breakneck speed. From autonomous vehicles and smart cities to digitized healthcare delivery, all facets of our connected world are evolving in ways seemingly unimaginable just a few years ago. With smart technologies built into phones, wearables, home appliances, and just about any other device, consumers are assimilating new technologies into their daily lives as fast as they are introduced.

Digital transformations are also driving cultural change. Consumer preferences are evolving dramatically, particularly in the way products are purchased, delivered, and updated. As a result, tried and true business models are no longer the norm and only those companies who possess the foresight and ability to alter their business practices to cater to the digitized consumer will succeed.

Let’s take a look at the effects these changes are having on the software industry and software licensing in particular. For an ISV, the days of the traditional perpetual license with maintenance contracts are long gone. Software users now expect to pay only for what they use and for how often they use it, and payment might take the form of a monthly subscription rather than a one-time upfront payment. Software updates and feature upgrades can be delivered via the Internet, and in some cases, users may want to try the software prior to purchasing. And some consumers may be more comfortable with on-premise software applications while others may prefer cloud application deployments.

The scene is just as complex, or perhaps more, for embedded software developers who need to be capable of delivering their software across multiple development platforms, architectures, and operating systems. They also need to be able to deliver updates in a secure fashion, particularly in the IoT and Industry 4.0 world where cybersecurity is paramount.

The bottom line for ISVs and embedded system developers is that the software licensing tools they use must be readily adaptable to the new purchasing and delivery models that are required to address the expectations of the next generation consumers.

Take, for example, the case of Vector, a German developer of advanced software tools and embedded components across a wide range of industries. They sell thousands of product licenses annually for products such as electric car charging, automotive safety and security concepts, Advanced Driver-Assistance Systems (ADAS), autonomous vehicles, AUTOSAR adaptive platform, and an array of other electronic systems. With such a diverse customer base, the company was facing several challenges in managing their license entitlements. First, they wanted to protect their invaluable Intellectual Property from piracy with a secure license delivery mechanism. Secondly, each of the industries that they served had unique licensing preferences and requirements and they were using disparate tools to address their needs. Ultimately, they wanted one integrated solution that would fit into their existing SAP back-office environment.

While their requirements for a modern licensing management system are not uncommon in today’s connected landscape, their array of such highly complex products for so many diverse use cases represented an interesting challenge. Wibu-Systems, in conjunction with our SAP integration partner, Informatics Holdings, provided a flexible license and entitlement solution that met all their requirements.

At the heart of the solution was CodeMeter License Central for the creation, delivery, and management of licenses. With the integration of CodeMeter License Central into Vector’s SAP system, Vector is now able to manage all its licenses centrally with ease, making for leaner support and more efficient sales processes. Depending upon customer requirements, licenses can be delivered securely via software-based binding technology or hardware-based dongles. It is an interesting story with an innovative solution and I invite you to read the entire case study.

Rüdiger Kügler

VP Sales | Security Expert

After completing his physics degree course in 1995, he was head of project management for software protection, software distribution, internet banking, and multimedia projects. In 2003, he joined Wibu-Systems and, as part of his role, contributed substantially to the development of Blurry Box® technology.

What Might MedTech Look Like in 2030?
by Daniela Previtali, Tue, 20 Aug 2019 12:14:00 +0200
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/what-might-medtech-look-like-in-2030.html
AI, IoT, and predictive analytics are transforming the healthcare sector and shifting the focus from products to services.

Digital transformation is changing the healthcare landscape as more and more medical devices come online, both next generation systems and legacy equipment, with many allowing remote access. Digital patient data continues to proliferate beyond the confines of the medical facility as well.

Deloitte recently published a report that took a predictive “Glimpse into the future of connected care with MedTechs”. In particular, the report took a holistic view of what they believe to be the key trends and drivers that will shape the connected care landscape and the uncertainties that will have an impact on the industry by 2030.

There was general consensus that medical device technology is a vital component of the healthcare sector, while the market transforms itself from a focus on products towards a focus on connectivity and integration, based on evolving technologies like AI, IoT, and predictive analytics.

Deloitte envisioned four different scenarios in which connected care could create and sustain value through 2030.

  • Scenario 1 – Ahead of Diseases: In a world where both MedTech players and the tech players find their niche within the healthcare ecosystem, society will benefit from predictive diagnoses and position itself ahead of diseases.
  • Scenario 2 – Trust vs. Convenience: In the Trust vs. Convenience scenario, MedTech and tech players offer fragmented product and service portfolios that are fighting for every inch of market share.
  • Scenario 3 – Everyone Doing Everything: In the Everyone Doing Everything scenario, newcomers have given up on entering the healthcare market. MedTech players are now trying to build up their own data platforms fed by their various medical devices.
  • Scenario 4 – All About the Patient: In the All About the Patient world, health-related data is regarded as a commodity, but exclusively for MedTech companies. Attempts by outsiders to gain access fail due to high regulatory requirements. Patients benefit from user-friendly devices and advanced predictive diagnosis.

Within these potential scenarios, Deloitte laid out some of the uncertainties that will play a role in how these predictions take shape. One of those uncertainties pertained to the competitive landscape: how far will tech giants be able to enter the MedTech market, and will smaller startups with novel technologies be able to gain entry, and at what success rate? The second uncertainty is the accessibility of standard healthcare data, as restrictive data privacy standards, cybersecurity issues, and the lack of interoperability standards may limit the potential to utilize artificial intelligence and therefore prevent predictive diagnosis.

While cybersecurity was not an emphasis in the report, at Wibu-Systems, we believe that security of patient data, healthcare software, and connected medical devices in what is becoming known as the Medical Internet of Things will have a huge impact on the MedTech industry between now and 2030 and beyond. Will manufacturers adopt a security by design approach for product development? How stringent will government regulators be in forcing manufacturers to adopt security best practices? How will interoperability, or lack thereof, impact the integration of legacy medical systems? These are just a few of the security-related uncertainties that can be added to the list.

A few years ago, we published an article on Protecting End Point Security of Medical Systems which highlighted many of the vulnerabilities inherent in connected medical systems and how several of our medical device customers are addressing these threats to their systems, software and data with advanced protection, licensing and security mechanisms. The points covered in the article ring as true today as they will in 2030.

Daniela Previtali

Global Marketing Director

Daniela is a marketing veteran who has dedicated more than twenty years of her career to the service of world-leading IT security vendors. Throughout her journey in this field, she has covered executive positions in international sales, product marketing, and product management and acquired comprehensive knowledge of both digital rights management solutions and authentication technologies. Working from the German headquarters of Wibu-Systems, she is currently leading both corporate and channel marketing activities, innovating penetration strategies, and infusing her multinational team with a holistic mindset.

Advice for IoT Device Manufacturers
by Terry Gaul, Thu, 08 Aug 2019 16:48:00 +0200
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/advice-for-iot-device-manufacturers.html
In its latest publication, the NIST addresses the many cybersecurity risks inherent in IoT device manufacturing.

With its many promises and great prospects, the Internet of Things (IoT) warrants much stronger protection than the closed systems of the past. IoT systems rely on public networks, which, by definition, are unsafe environments. Hackers are always looking for backdoors and exploits while trying to tamper with data to cause untold damage.

The U.S. National Institute of Standards and Technology (NIST) recently released a draft of security recommendations for IoT devices. Titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers (NISTIR 8259), the draft defines a core baseline of cybersecurity features that manufacturers may voluntarily adopt for IoT devices they produce.

The publication is intended to help IoT device manufacturers understand the many cybersecurity risks inherent in IoT devices and help them provide cybersecurity features that make them at least minimally securable by the individuals and organizations who acquire and use them. The publication also provides information on how manufacturers can identify features beyond the core baseline most appropriate for their customers and implement those features to further improve device security. NIST says this approach can help lessen the cybersecurity-related efforts needed by IoT device customers, which in turn should reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised IoT devices.

The Core Baseline provides a list of six recommended security features that manufacturers can build into IoT devices:

  • Device Identification: The IoT device should have a way to identify itself, such as a serial number and/or a unique address used when connecting to networks.
  • Device Configuration: Similarly, an authorized user should be able to change the device’s software and firmware configuration. For example, many IoT devices have a way to change their functionality or manage security features.
  • Data Protection: It should be clear how the IoT device protects the data that it stores and sends over the network from unauthorized access and modification. For example, some devices use encryption to obscure the data held on the internal storage of the device.
  • Logical Access to Interfaces: The device should limit access to its local and network interfaces. For example, the IoT device and its supporting software should gather and authenticate the identity of users attempting to access the device, such as through a username and password.
  • Software and Firmware Update: A device’s software and firmware should be updatable using a secure and configurable mechanism. For example, some IoT devices receive automatic updates from the manufacturer, requiring little to no work from the user.
  • Cybersecurity Event Logging: IoT devices should log cybersecurity events and make the logs accessible to the owner or manufacturer. These logs can help users and developers identify vulnerabilities in devices to secure or fix them.

For a more in-depth analysis of the nature of IoT security threats and the technical measures designed to protect these connected devices from malicious hackers, you can download our white paper, Licensing and Security for the Internet of Things.

This white paper explores the various trends emerging in the IoT and the key strategies for success, which depends not only on superior products, creative marketing, and aggressive sales activities, but also on security, integrity, and reliable licensing.

It also outlines the standards that must be addressed and the long-term considerations that will impact security, such as integration in devices and software, upgrades and updates, secure boot, licensing models tailored to the IoT, license management, access rights and certificates, scalable safeguards, and data integrity protection.

Terry Gaul

Vice President Sales USA

Terry Gaul is a sales and business development professional with extensive experience in the software and technology sectors. He has been involved with software protection and licensing technologies for more than 20 years and currently serves as Vice President of Sales at Wibu-Systems USA. When he is not helping customers with software licensing, Terry typically can be found coaching his daughters' soccer teams or camping with his family on the Maine coast.

AI in the IIoT is a Matter of Trust
by Marcellus Buchheit, Tue, 02 Jul 2019 16:47:00 +0200
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/ai-in-the-iiot-is-a-matter-of-trust.html
What are the challenges, risks, and benefits of AI as it enhances efficiency, reliability, and effectiveness of IIoT processes?

Artificial Intelligence is a hot commodity in the technology world these days. But what does it mean in the context of the Industrial IoT?

An early definition of artificial intelligence was one of “thinking machines” that could make decisions like humans, and with some people, elicited a fear that these thinking machines could actually replace humans in the manufacturing world. Today’s perception of AI, however, is geared more towards machines that exhibit human reasoning as a “guide to provide better services or create better products rather than trying to achieve a perfect replica of the human mind”, as noted in a Forbes article by Bernard Marr. He added that “It’s no longer a primary objective for most to get to AI that operates just like a human brain, but to use its unique capabilities to enhance our world.”

When applied to Industrial Internet of Things (IIoT) systems, AI has been demonstrated to offer business and technology advancements, such as cost reduction and better performance. Examples include the benefits of predictive maintenance leading to reduced outages, better resource management and scheduling, and enhanced insights into system usage. AI has also been used to design physical structures and electronic components, and to perform quality assurance testing of complex systems.

Of course, with disruptive technology advancements like AI comes an entirely new set of challenges and risks for the users of such technology, including IIoT systems. Some of those risks were presented in an article published by the Industrial Internet Consortium (IIC) in their Journal of Innovation (JOI), entitled AI Trustworthiness Challenges and Opportunities Related to IIoT.

At the crux of the JOI article was the notion of trust – trust that systems operate correctly, based on evidence that can be understood. IoT Trustworthiness is defined in the IIC Vocabulary as the “degree of confidence one has that the system performs as expected with characteristics including safety, security, privacy, reliability and resilience in the face of environmental disturbances, human errors, system faults and attacks.”

If the AI system makes it hard or impossible to understand how a decision was made, trust in the system is reduced. The article goes on to describe the various risks and challenges AI can pose to the trustworthiness of an IIoT system.

One example illustrated how AI can be used to probe a system for vulnerabilities by attempting to attack the system itself. The AI system was connected to a video game and subsequently learned how to defeat the game in novel ways. A benign example, for sure, but imagine if the system were not a harmless video game but rather an air traffic control system, a city traffic light system, or a nuclear power plant. The dire implications of uncontrolled AI are clear.

While the technology might expose vulnerabilities to malicious manipulation in IoT systems, AI can also be used to enhance the trustworthiness of a system. The JOI article points out two categories in particular where AI in IIoT is emerging:

  • The use of AI to improve the efficiency, reliability, and effectiveness of processes and tasks that can be fully automated with little risk. These are processes and tasks that are generally mundane, repeatable, and static with few variations, or tasks that are very specific and/or localized to specific components in a system.
  • The use of AI in processes that are critical, consequential and non-mundane. When the level of risk is high enough, humans must maintain the ultimate decision-making capacity – this is referred to as the “human-in-the-loop” approach or HIL.

The article discusses the challenges, risks, and benefits of AI in IIoT environments in much more detail. You can read the full article here.

Marcellus Buchheit

Co-founder of WIBU-SYSTEMS AG, President and CEO of WIBU-SYSTEMS USA

Marcellus Buchheit earned his Master of Science degree in computing science at the University of Karlsruhe, Germany in 1989, the same year in which he co-founded Wibu-Systems. He is well known for designing innovative techniques to protect software against reverse-engineering, tampering, and debugging. He speaks frequently at industry events and is an active member of the Industrial Internet Consortium. He currently serves as the President and CEO of Wibu-Systems USA Inc.

Security by Obscurity and the Right to Repair
by Terry Gaul, Tue, 25 Jun 2019 14:35:00 +0200
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/security-by-obscurity-and-the-right-to-repair.html
Is the "right-to-repair" concept an essential service for customers or a violation of manufacturers' intellectual property?

The right-to-repair movement is gaining traction in the U.S. as many states are considering legislation that would allow consumers and third parties to repair electronic equipment without voiding manufacturers’ warranties. The issue has even crept into presidential politics, as several candidates are taking up the cause, and organizations like securepairs.org are gaining grassroots followers.

The right-to-repair idea itself is pretty simple. Legislation under consideration would require manufacturers to make repair resources (that is, the same manuals and components that authorized service and maintenance partners receive) available to consumers. This would in turn give them the ability to fix their property, be it through parts, software, or a network of third-party resources, not just designated manufacturer partners.

Opponents, on the other hand, argue that opening up this proprietary information to the public is an attack on the manufacturers’ Intellectual Property rights and makes them vulnerable to counterfeiting and reverse engineering. They also argue that third-party repairs could be unsafe for consumers and technicians—for example, with respect to repairing electronics that use lithium-ion batteries.

The right to repair legislation "would force all electronics manufacturers to reveal sensitive technical information about thousands of Internet-connected products including security cameras, computers, smart home devices, video game platforms, smartphones and more -- putting consumers and their data at risk," wrote Earl Crane, a senior cybersecurity fellow at the University of Texas, Austin. He added that manufacturers "would have to share codes, tools, and supply chain access to anyone who purchases a product."

Opponents also argue that giving the “keys to the kingdom” to the public opens the door for malicious actors who would then have the ability to tamper with these devices for any number of nefarious purposes.

Securepairs.org refutes that argument by dismissing the notion of security through obscurity, the assumption that obscurity equates to or enhances security. A robust system, they say, will still be secure even if people know how it works. Releasing repair manuals and spare parts shouldn’t undermine an already sound smartphone. The group further argues that right-to-repair laws would make devices safer by allowing consumers to quickly replace failing parts or update buggy software.

Their argument against security by obscurity, of course, is based on the core principle of modern information security, first articulated by the Dutch cryptographer Auguste Kerckhoffs. He stated that a “cryptosystem should be secure even if everything about the system, except the key, is public knowledge” (Kerckhoffs’ Principle). Verifiable security is the product of secure design and thorough testing and improvement, not secrecy. Systems that rely on secrecy rather than provable security are destined to fail.

Kerckhoffs’ Principle is well known to Wibu-Systems, as it is the foundation upon which our award-winning Blurry Box cryptography was built to protect software from hackers. The basic principles of Blurry Box cryptography are the use of one or more secure keys in a dongle and the fact that software is typically complex. Its goal is to make the effort required to illicitly copy software higher than the effort needed to completely rewrite the same software. Blurry Box cryptography uses seven published methods that greatly increase the complexity and time required for an attack to be successful. In the end, it would be easier and less expensive for the would-be attacker to develop similar software from scratch.

We don’t know how the Right to Repair movement will progress, but if you would like to know more about Kerckhoffs’ Principle and how it is used to protect software, visit our website or download a white paper, Blurry Box Encryption Scheme and why it Matters to Industrial IoT.


Cybersecurity enables Industry 4.0
by Daniela Previtali, Wed, 12 Jun 2019 14:03:00 +0200
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/cybersecurity-enables-industry-40.html
Only the enhancement of Industry 4.0 cybersecurity will lay a solid foundation for future security technology developments.

Governments, industry organizations, and industrial leaders keep focusing their attention on cybersecurity in light of the advances driven by Industry 4.0 and Smart Manufacturing that continue to shape our future.

The European Union Agency for Network and Information Security (ENISA), a center of network and information security expertise for the EU, its member states, the private sector and EU citizens, recently published a high-level summary report on the state of cybersecurity, Industry 4.0 Cybersecurity: Challenges and Recommendations.

ENISA hopes that the adoption of the high-level recommendations will contribute to the enhancement of Industry 4.0 cybersecurity across the European Union and lay a solid foundation for future security technology developments.

The challenges identified in the report tackle issues around people, processes, and technology, while the recommendations are addressed to different key stakeholder groups, namely regulators, Industry 4.0 security experts, Industry 4.0 operators, the standardization community, academia and research, and development bodies.

Following is a brief summary of the key challenges and recommendations outlined in the report:

Challenge: Need to Foster and Align IT/OT Security Expertise and Awareness – People involved in deployments of new solutions usually have only knowledge of either IT or OT security, while Industry 4.0 and Smart Manufacturing require expertise over several areas.
Recommendation: Promote Cross-Functional Knowledge on IT and OT Security – People responsible for security within Industry 4.0 organizations should invest in state-of-the-art dedicated cybersecurity trainings that cover all necessary aspects specific to IT/OT convergence and Smart Manufacturing.

Challenge: Incomplete Organizational Policies and Reluctance to Fund Security – Traditionally, cybersecurity was not perceived as a Board-level topic, since its impact on increasing revenue or optimizing costs remains generally unclear.
Recommendation: Foster Economic and Administrative Incentives for Industry 4.0 Security – Economic and administrative stimuli are required to incentivize investments in Industry 4.0 security, given that maturity and mentality of organizations and businesses needs to grow further when it comes to identifying the role and importance of security.

Challenge: Liability Over Industry 4.0 Products’ Lifecycle is Poorly Defined – Liability for Industry 4.0 cybersecurity is an open issue (a gap also identified for most of emerging technologies) as accountability for Industry 4.0 cybersecurity incidents remains unclear.
Recommendation: Clarify Liability Among Industry 4.0 Actors – Address liability concerns not only to protect end-users and consumers of such products and services, but also to stimulate corresponding investments through a comprehensive and stable legal framework.

Challenge: Fragmentation of Industry 4.0 Security Technical Standards – The lack of uniform standardization efforts at a global level results in a situation where sites that belong to one organization cannot collaborate and share security expertise and solutions with each other, as they are subject to different schemes.
Recommendation: Harmonize Efforts on Industry 4.0 Security Standards – It is beneficial to explore initiatives and guidelines that map security standards from many different sources to provide a complete point of reference and thus ensure all necessary security controls are considered.

Challenge: Supply Chain Management Complexity – The situation has become even more complicated as Smart Manufacturing introduced new capabilities (end-to-end visibility, predictive analysis, automation and data-driven decision-making) that have an additional impact on the supply chain.
Recommendation: Secure Supply Chain Management Processes – Trust is the root of a secure supply chain, since the amount of trust that an organization places on another will eventually feed into the risk assessment process and the introduction of appropriate security controls.

Challenge: Interoperability of Industry 4.0 Devices, Platforms and Frameworks – With the introduction and integration of Industry 4.0 devices, platforms, and frameworks to existing systems comes the issue of interoperability. In industrial environments, securing interconnectivity between diverse devices is often challenging, especially when considering devices that are long out of support.
Recommendation: Establish Industry 4.0 Baselines for Security Interoperability – Encourage the use of interoperability frameworks that promote a common security language and use of protocols for Industry 4.0 components.

Challenge: Technical Constraints Hampering Security in Industry 4.0 and Smart Manufacturing – Difficulties in ensuring security in Industry 4.0 also result from a lack of technical capabilities of connected industrial devices and systems, especially considering integration with legacy infrastructures.
Recommendation: Apply Technical Measures to Ensure Industry 4.0 Security – Identifying baseline security recommendations for Industry 4.0 components, services, and processes based on risk analysis is a first step to approach a solution to the challenging technical constraints of this domain.

You can download the complete report here.


Defense in Depth Security
by Daniela Previtali, Tue, 04 Jun 2019 08:54:00 +0200
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/defense-in-depth-security.html
A novel license-based protection solution that far surpasses the password authentication still typical of modern PACs.

As has been written in this space many times before, the risks to modern, connected industrial control systems are quite real, from loss of system control and destruction to stealing machine designs and intellectual property (IP).

Vulnerabilities exist in both development software and Programmable Logic Controller (PLC) hardware. Rockwell Automation pointed out some of those vulnerabilities in a recently published white paper, License-based Protection Versus a Software Solution.

In development software, Rockwell noted that legacy Operating Systems and software packages typically included few embedded security features, and if the OS or software vendor stopped updating their products, existing security vulnerabilities would eventually compromise the system. More recently, password authentication was introduced to protect IP, but as we know now, password protection alone does not guarantee security.

With PLC hardware, Rockwell noted that legacy controllers were typically built with default backdoor passwords for emergency access to the PLC, but that in itself posed security risks. More modern Programmable Automation Controllers (PACs) have eliminated the backdoor threat, but continue to maintain password authentication capabilities.

What the software and hardware vulnerabilities had in common was the reliance on password authentication and the difficulty of maintaining that process, particularly in today's social engineering environment, where unscrupulous hackers have many ways to obtain passwords – e.g. social media, phishing email schemes, etc.

In their white paper, Rockwell offered a novel license-based protection solution that they believe far surpasses the password authentication of the past. The solution is based on the concept of Root of Trust espoused by the Trusted Computing Group (TCG). As defined by the National Institute of Standards and Technology (NIST), roots of trust “are highly reliable hardware, firmware, and software components that perform specific, critical security functions. Because roots of trust are inherently trusted, they must be secure by design. As such, many roots of trust are implemented in hardware so that malware cannot tamper with the functions they provide. Roots of trust provide a firm foundation from which to build security and trust.”

Rockwell’s license-based protection solution, which is part of the Rockwell Software Studio 5000 Logix Designer v30 software, was developed in collaboration with Wibu-Systems and based on our CodeMeter technology. Several years ago, we joined the Trusted Computing Group and expanded our hardware compatibility family of secure hardware elements to include support for TCG’s Trusted Platform Modules (TPMs).

The comprehensive Rockwell protection solution includes elements of CodeMeter encryption, access control, and secure hardware elements, all working together to protect source and execution code without the use of passwords and the vulnerabilities that come with them. Rockwell refers to it as a Defense in Depth strategy.

The new License-based Protection feature is available for the Rockwell ControlLogix 5580 and CompactLogix 5380, 5380S and 5480 PAC controllers.

You can read a more detailed description of CodeMeter and License-based Protection in Rockwell’s white paper.

Daniela Previtali

Global Marketing Director


Should You Protect Your Embedded Code? Tue, 21 May 2019 14:12:00 +0200 https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/should-you-protect-your-embedded-code.html post-119 https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/should-you-protect-your-embedded-code.html Daniela Previtali Preventing embedded systems vulnerabilities related to physical access, lack of monitoring, and software updates. Should You Protect Your Embedded Code? by Daniela Previtali 21-05-19

Embedded device hacking is the exploitation of vulnerabilities in embedded software to gain control of the device. Why does it happen? Some hackers attack embedded systems to spy on the devices, take control of them, or simply disable them and render them dysfunctional. As more and more embedded systems are exposed to the Internet via the IoT, remotely-controlled industrial systems, and other connected applications, the embedded system attack surface is expanding.

One blogger pointed out the sources of inherent vulnerabilities in the embedded systems environment:

Physical access – Physical attacks are likely because the embedded devices are typically built in mass, making it easy for potential attackers to obtain the device, take time to study it, and ultimately break or repurpose the device for malicious intent.

Lack of monitoring – Embedded environments generally have no means of monitoring for tampering or illegitimate access. They reside and operate on their own in the field, whether it be in an industrial or consumer environment, with no ongoing or periodic monitoring of operational status.

Software updates – The majority of legacy embedded devices will never be updated, so whatever security holes or bugs exist in the first release live on throughout the lifecycle of the device. Allowing access to the device for remote updates can address the issue, yet it exposes the device to another vulnerability – a malicious actor replacing the code on the device with nefarious code.

Consider these potential simple scenarios where a hacker can infiltrate an embedded system:

  • Attackers develop a “fake device” that closely resembles the original but whose functions have been altered for malicious purposes and could be installed, for example, as a replacement part during equipment service.
  • Attackers develop their own software and run it by replacing the memory card in the embedded system.
  • Attackers extract the memory card out of the embedded system, manipulate the software, and plug the card back into the system.
  • Attackers modify the software on the embedded system by controlling the communication interfaces from the outside.
  • Attackers monitor an embedded system while in use by the application in order to analyze it and to develop avenues of attack.

Recent attacks have become more sophisticated and more viral in the number of devices that can be impacted in a single attack. Just look at the damage caused by the Stuxnet computer worm, the WannaCry and NotPetya ransomware and malware attacks, and the Misfortune Cookie exploit affecting medical devices.

How to Protect Your Code

The question today is not whether you should take steps to protect your embedded software code, but rather how best to protect your code. There are many approaches. Wibu-Systems’ CodeMeter technology encrypts and digitally signs the executable code, protects the booting and loading process of the embedded device, and ensures the integrity of the complete system. Download our whitepaper, Software Integrity Protection for Embedded Systems, and learn about the most modern technologies available to protect embedded systems from cyberattacks.
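
As an added example (not CodeMeter's, Rockwell's, or the article's own code), the following Go program models the two properties just named, encrypted and digitally signed executable code and a loading process that refuses anything unverified, and also shows the answer to the update risk raised under "Software updates" above: a replaced image fails the signature check and is never executed. The image layout, the Ed25519 and AES keys, the version numbers, and the code bytes are all constructed for the example; a real product stores the vendor public key and device key in a hardware root of trust rather than in source.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (not CodeMeter's format):
//   version(4) | nonce(12) | AES-GCM ciphertext+tag | Ed25519 signature(64)
// The signature covers everything before it, so tampering with the header or the
// encrypted code is detected before any decryption or execution is attempted.
const hdrLen = 4 + 12

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// buildImage models the vendor's release step: encrypt the code under the device
// key (header bound as associated data), then sign the whole image.
func buildImage(code []byte, version uint32, devKey []byte, signKey ed25519.PrivateKey) ([]byte, error) {
	gcm, err := newGCM(devKey)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[:4], version)
	if _, err := rand.Read(hdr[4:]); err != nil { // fresh nonce for every image
		return nil, err
	}
	img := append(hdr, gcm.Seal(nil, hdr[4:], code, hdr)...)
	return append(img, ed25519.Sign(signKey, img)...), nil
}

// loadImage models the bootloader: verify the signature with the vendor public key
// anchored in the root of trust, refuse rollback, and only then decrypt. Nothing
// from an unverified image is ever interpreted as code.
func loadImage(img []byte, pub ed25519.PublicKey, devKey []byte, minVersion uint32) ([]byte, uint32, error) {
	if len(img) < hdrLen+16+ed25519.SignatureSize {
		return nil, 0, errors.New("image too short")
	}
	body, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, errors.New("signature invalid: image not loaded")
	}
	version := binary.BigEndian.Uint32(body[:4])
	if version < minVersion {
		return nil, 0, fmt.Errorf("rollback refused: version %d < %d", version, minVersion)
	}
	gcm, err := newGCM(devKey)
	if err != nil {
		return nil, 0, err
	}
	code, err := gcm.Open(nil, body[4:hdrLen], body[hdrLen:], body[:hdrLen])
	if err != nil {
		return nil, 0, errors.New("decryption failed: image not loaded")
	}
	return code, version, nil
}

// Demo runs the checks on constructed keys and code and reports which guard fired.
func Demo() (validLoads, tamperRejected, rollbackRejected, wrongKeyRejected, codeHidden bool) {
	signKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // constructed vendor key
	otherKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x24}, ed25519.SeedSize)) // unrelated signer
	devKey := bytes.Repeat([]byte{0x11}, 16)                                        // constructed device key
	code := []byte("MOV R0, #1 ; constructed stand-in for embedded code")
	pub := signKey.Public().(ed25519.PublicKey)
	img, err := buildImage(code, 2, devKey, signKey)
	if err != nil {
		return
	}
	got, _, err := loadImage(img, pub, devKey, 2)
	validLoads = err == nil && bytes.Equal(got, code)
	codeHidden = !bytes.Contains(img, code) // the code never appears in clear
	tampered := append([]byte(nil), img...)
	tampered[hdrLen+3] ^= 0xff // one byte changed inside the encrypted code
	_, _, err = loadImage(tampered, pub, devKey, 2)
	tamperRejected = err != nil
	_, _, err = loadImage(img, pub, devKey, 3) // device already requires version 3
	rollbackRejected = err != nil
	_, _, err = loadImage(img, otherKey.Public().(ed25519.PublicKey), devKey, 2)
	wrongKeyRejected = err != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

The order of the checks matters: the signature is verified over the still-encrypted bytes, so the bootloader never parses or decrypts data from an unauthenticated source, and the minimum-version check stops an attacker from reinstalling an older, signed image that carries a known bug.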

Daniela Previtali

Global Marketing Director


A Fresh Look at Secure Software Development Thu, 09 May 2019 17:01:00 +0200 https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/a-fresh-look-at-secure-software-development.html post-118 https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/a-fresh-look-at-secure-software-development.html Daniela Previtali The approach to software security should be flexible, adaptable, outcome-focused, risk-based, cost-effective, and repeatable. A Fresh Look at Secure Software Development by Daniela Previtali 09-05-19

Software-driven innovations are being fueled by the emergence of smart things - devices, automobiles, factories, cities - all of which impact nearly every aspect of our personal lives and businesses. The connected economy offers tremendous economic and social benefits. However, it also introduces an unprecedented level of security risk, from theft of personal data to threats to human lives. While software itself is becoming increasingly complex, the onus is on software developers to build secure applications that can withstand ubiquitous hacking attempts and to ensure that they can be securely maintained throughout their lifecycle.

The dangers that lurk within the realm of software security have received global attention, yet it has been difficult for the industry to agree upon a set of best practices and common development standards. Several organizations, including BSIMM, OWASP, and the National Institute of Standards and Technology, have put forth documents outlining their proposals for development standards. On the industrial side, the Industrial Internet Consortium published the Industrial Internet Security Framework, a common security outline and an approach to assessing cybersecurity in Industrial Internet of Things systems.

Just recently, BSA | The Software Alliance published their own viewpoint with The BSA Framework for Secure Software: A New Approach to Securing the Software Lifecycle. Before diving into the report, it is helpful to understand their definition of software security:

Software security encompasses what a software development organization does to protect a software product and the associated critical data from vulnerabilities, internal and external threats, critical errors, or misconfigurations that can affect performance or expose data.

The organization says that the Framework is intended to establish an approach to software security that is flexible, adaptable, outcome-focused, risk-based, cost-effective, and repeatable. The document provides a common organization and structure to capture multiple approaches to software security by identifying standards, guidelines, and practices that can help software development organizations achieve desired security outcomes while accounting for the wide spectrum of intended uses, risk profiles, and technological solutions among software products.

The guidelines are applicable to the entire spectrum of (1) software development organizations and vendors, from the individual entrepreneur to large-scale, multi-national businesses; (2) software development methods, from traditional to DevOps; and (3) software products, from simple IoT sensors to complex Artificial Intelligence algorithms.

Specifically, the BSA states that the goals of the Framework are to help software development organizations:

  1. Describe the current state of software security in individual software products.
  2. Describe the target state of software security in individual software products.
  3. Identify and prioritize opportunities for improvement in development and lifecycle management processes.
  4. Assess progress toward the target state.
  5. Communicate among internal and external stakeholders about software security and security risks.

The Framework identifies best practices relating to both organizational processes and product capabilities across the entire software lifecycle. It is organized into six columns: Functions, Categories, Subcategories, Diagnostic Statements, Implementation Notes, and Informative References.

If you are a software developer, you will find the 40-page document to be a good read and a mechanism for assessing your own software security practices.

You might also be interested in our upcoming Webinar on May 15, The Fastest Way to Protect Your Know-How, which will provide an overview of our complete family of IP protection tools that you can integrate easily into your software.

Daniela Previtali

Global Marketing Director


Digital Security in Connected Healthcare Fri, 03 May 2019 12:06:00 +0200 https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/digital-security-in-connected-healthcare.html post-117 https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/digital-security-in-connected-healthcare.html Oliver Winzenried A critical shift in focus onto digital security solutions is required for the expanding digital footprint of the healthcare landscape. Digital Security in Connected Healthcare by Oliver Winzenried 03-05-19

The digital footprint of the healthcare landscape continues to expand as more and more medical devices come online, both next generation systems and legacy equipment, with many allowing remote access. Digital patient data continues to proliferate beyond the confines of the medical facility as well. This evolution necessitates a critical shift in focus onto digital security solutions that involve collaboration between device manufacturers and healthcare CIOs.

A recent report published by Gartner, Focus Now on Digital Security Opportunities Within Connected Medical Devices, shines a spotlight on three critical areas of impact on the digitalized healthcare industry:

  • Impact of healthcare data breaches on bottom line and brand equity is now creating the need for dedicated digital security services
  • Fuzzy regulations on digital security as a “Shared Responsibility” necessitate targeting medical device firms and healthcare providers
  • Connecting “Legacy” medical devices designed for the siloed IT age is creating a need for dedicated digital security solutions

Much recent attention has been focused on the vulnerabilities and security threats that have been exposed in medical device endpoints. From the standpoint of Wibu-Systems, we consider medical device endpoints to present the greatest vulnerabilities to hackers. These endpoints can include any type of connected medical system, such as surgery robots, X-ray machines, MRI scanners, dental devices, infusion pumps, and patient monitors.

Attacks on these endpoints can result in compromised device functionality, loss of availability or integrity of (medical or personal) data, or exposure of other connected devices or networks to security threats. These security breaches have the potential for catastrophic consequences, resulting in patient illness, injury or even death.

We’ve worked with many companies on various aspects of medical device security, particularly on protecting medical device endpoints. Areas of focus include:

  • physical security to prevent uncontrolled changes to, or removal of, the endpoint root of trust, providing confidence in the endpoint identity
  • integrity protection to ensure that the endpoint is in the configuration that enables it to perform its functions predictably
  • access control to ensure that proper identification, authentication and authorization protocols are performed
  • secure configuration and management to control updates of security policies and settings
  • monitoring and analysis for integrity checking, detecting malicious usage patterns or denial of service activities, and enforcing security policies and analytics
  • data protection to control data integrity, confidentiality and availability
  • security model and policy for governing the implementation of security functions

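As an added example, and not Wibu-Systems' own code, here is a small Go integrity monitor for the "integrity protection" and "monitoring and analysis for integrity checking" items above. It records a baseline of an endpoint's protected regions, seals that baseline with an HMAC so it cannot be silently rewritten to match tampered contents, and on each pass reports regions that were modified, removed, or added. Region names, their contents, and the sealing key are constructed; the key stands in for one held in the endpoint's hardware root of trust.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Region is one protected part of an endpoint (firmware slice, config file, calibration
// table). Names must not contain whitespace: they key the serialized baseline.
type Region struct {
	Name string
	Data []byte
}

type Baseline map[string][32]byte // region name -> SHA-256 digest

// Measure records the known-good state at provisioning or after an authorized update.
func Measure(regions []Region) Baseline {
	b := Baseline{}
	for _, r := range regions {
		b[r.Name] = sha256.Sum256(r.Data)
	}
	return b
}

func tag(body, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return mac.Sum(nil)
}

// Seal serializes the baseline and appends an HMAC-SHA256 tag. Without the tag,
// whoever can rewrite a region can rewrite the stored baseline to match it.
func Seal(b Baseline, key []byte) []byte {
	var lines []string
	for n, d := range b {
		lines = append(lines, n+" "+hex.EncodeToString(d[:]))
	}
	sort.Strings(lines) // fixed order keeps the tag deterministic
	body := []byte(strings.Join(lines, "\n") + "\n")
	return append(body, tag(body, key)...)
}

// Open verifies the tag before trusting a single entry of the stored baseline.
func Open(blob, key []byte) (Baseline, error) {
	n := len(blob) - sha256.Size
	if n < 0 || !hmac.Equal(tag(blob[:n], key), blob[n:]) {
		return nil, errors.New("baseline tag mismatch: stored baseline altered or truncated")
	}
	toks := strings.Fields(string(blob[:n])) // name, hex, name, hex, ...
	if len(toks)%2 != 0 {
		return nil, errors.New("malformed baseline")
	}
	b := Baseline{}
	for i := 0; i < len(toks); i += 2 {
		raw, err := hex.DecodeString(toks[i+1])
		if err != nil || len(raw) != sha256.Size {
			return nil, errors.New("malformed baseline entry")
		}
		b[toks[i]] = *(*[32]byte)(raw)
	}
	return b, nil
}

type Event struct{ Region, Kind string } // Kind: "modified", "missing" or "unexpected"

// Check compares the endpoint's current regions with the baseline; an empty result
// means it is still in the configuration it was provisioned with.
func Check(b Baseline, regions []Region) []Event {
	var events []Event
	seen := map[string]bool{}
	for _, r := range regions {
		seen[r.Name] = true
		if want, ok := b[r.Name]; !ok {
			events = append(events, Event{r.Name, "unexpected"})
		} else if sha256.Sum256(r.Data) != want {
			events = append(events, Event{r.Name, "modified"})
		}
	}
	for n := range b {
		if !seen[n] {
			events = append(events, Event{n, "missing"})
		}
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Region < events[j].Region })
	return events
}

func main() {
	key := []byte("constructed-root-of-trust-key") // stands in for a key held in hardware
	good := []Region{{"app.bin", []byte("pump firmware v1")}, {"limits.cfg", []byte("max_rate=120")}}
	b, err := Open(Seal(Measure(good), key), key)
	if err != nil {
		panic(err)
	}
	fmt.Println(Check(b, []Region{good[0], {"limits.cfg", []byte("max_rate=999")}})) // [{limits.cfg modified}]
}
```

Events from Check are what a monitoring pipeline would forward to the operator; an "unexpected" region is as important as a "modified" one, since code an attacker adds never appears in the baseline at all.
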
If you are planning to attend the T4M Medical Technology Meeting in Stuttgart, Germany, May 7 – 9, 2019, I will present a talk on how the increasing network of connected medical devices makes security critical to prevent tampering with configuration data and secure the confidentiality and integrity of patients’ records. I will also discuss the potential for new business models that will benefit device manufacturers, operators, and patients.

You can also learn more about medical device security mechanisms and monetization opportunities in our customer case studies from Agfa HealthCare, CUSTO MED, Dentsply Sirona, and Fritz Stephan.

Oliver Winzenried

Co-founder and CEO

Oliver Winzenried began his entrepreneurial career immediately after completing his electrical engineering degree and, in 1989, he founded Wibu-Systems together with Marcellus Buchheit. His passion for software protection has resulted in a wide range of patents covering areas from secure license management and anti-tampering solutions to dongle feature innovations. He is also a director of the VDMA regional association in the state of Baden-Wuerttemberg, Germany, and serves on the board of directors of the Medical Technology working group of VDMA, the board of directors of bitkom, and the managing board of FZI.