Wibu-Systems Blog
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A.html

AI in the IIoT is a Matter of Trust
by Marcellus Buchheit, 02-07-19 (Tue, 02 Jul 2019 16:47:00 +0200)
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/ai-in-the-iiot-is-a-matter-of-trust.html

What are the challenges, risks, and benefits of AI as it enhances efficiency, reliability, and effectiveness of IIoT processes?

Artificial Intelligence is a hot commodity in the technology world these days. But what does it mean in the context of the Industrial IoT?

An early definition of artificial intelligence was one of “thinking machines” that could make decisions like humans, which elicited in some people a fear that these thinking machines could actually replace humans in the manufacturing world. Today’s perception of AI, however, is geared more towards machines that exhibit human reasoning as a “guide to provide better services or create better products rather than trying to achieve a perfect replica of the human mind”, as noted in a Forbes article by Bernard Marr. He added that “It’s no longer a primary objective for most to get to AI that operates just like a human brain, but to use its unique capabilities to enhance our world.”

When applied to Industrial Internet of Things (IIoT) systems, AI has been demonstrated to offer business and technology advancements, such as cost reduction and better performance. Examples include the benefits of predictive maintenance leading to reduced outages, better resource management and scheduling and enhanced insights into system usage. AI has also been used to design physical structures, electronic components, and to perform quality assurance testing of complex systems.

Of course, with disruptive technology advancements like AI comes an entirely new set of challenges and risks for the users of such technology, including IIoT systems. Some of those risks were presented in an article published by the Industrial Internet Consortium (IIC) in their Journal of Innovation (JOI), entitled AI Trustworthiness Challenges and Opportunities Related to IIoT.

At the crux of the JOI article was the notion of trust – trust that systems operate correctly, based on evidence that can be understood. IoT Trustworthiness is defined in the IIC Vocabulary as the “degree of confidence one has that the system performs as expected with characteristics including safety, security, privacy, reliability and resilience in the face of environmental disturbances, human errors, system faults and attacks.”

If the AI system makes it hard or impossible to understand how a decision was made, trust in the system is reduced. The article goes on to describe the various risks and challenges AI can pose to the trustworthiness of an IIoT system.

One example illustrated how AI can be used to probe a system for vulnerabilities by attempting to attack the system itself. The AI system was connected to a video game and subsequently learned how to defeat the game in novel ways. A benign example for sure, but imagine if the system were not a harmless video game but rather an air traffic control system, city traffic light system, or nuclear power plant. The dire implications of uncontrolled AI are clear.

While the technology might expose vulnerabilities to malicious manipulation in IoT systems, AI can also be used to enhance the trustworthiness of a system. The JOI article points out two categories in particular where AI in IIoT is emerging:

  • The use of AI to improve the efficiency, reliability, and effectiveness of processes and tasks that can be fully automated with little risk. These are processes and tasks that are generally mundane, repeatable, static with few variations, or tasks that are very specific and/or localized to specific components in the system.
  • The use of AI in processes that are critical, consequential and non-mundane. When the level of risk is high enough, humans must maintain the ultimate decision-making capacity – this is referred to as the “human-in-the-loop” approach or HIL.

The article discusses the challenges, risks, and benefits of AI in IIoT environments in much more detail. You can read the full article here.

Marcellus Buchheit

Co-founder of WIBU-SYSTEMS AG, President and CEO of WIBU-SYSTEMS USA

Marcellus Buchheit earned his Master of Science degree in computing science at the University of Karlsruhe, Germany in 1989, the same year in which he co-founded Wibu-Systems. He is well known for designing innovative techniques to protect software against reverse-engineering, tampering, and debugging. He speaks frequently at industry events and is an active member of the Industrial Internet Consortium. He currently serves as the President and CEO of Wibu-Systems USA Inc.

Security by Obscurity and the Right to Repair
by Terry Gaul, 25-06-19 (Tue, 25 Jun 2019 14:35:00 +0200)
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/security-by-obscurity-and-the-right-to-repair.html

Is the "right-to-repair" concept an essential service for customers or a violation of manufacturers' intellectual property?

The right-to-repair movement is gaining traction in the U.S. as many states are considering legislation that would allow consumers and third parties to repair electronic equipment without voiding manufacturers’ warranties. The issue has even crept into presidential politics, as several candidates are taking up the cause, and organizations like securepairs.org are gaining grassroots followers.

The right-to-repair idea itself is pretty simple. Legislation under consideration would require manufacturers to make repair resources — that is, the same manuals and components that authorized service and maintenance partners receive — available to consumers. This would in turn give them the ability to fix their property – be it through parts, software or a network of third-party resources, not just designated manufacturer partners.

Opponents, on the other hand, argue that opening up this proprietary information to the public is an attack on the manufacturers’ Intellectual Property rights and makes them vulnerable to counterfeiting and reverse engineering. They also argue that third-party repairs could be unsafe for consumers and technicians—for example, with respect to repairing electronics that use lithium-ion batteries.

The right to repair legislation "would force all electronics manufacturers to reveal sensitive technical information about thousands of Internet-connected products including security cameras, computers, smart home devices, video game platforms, smartphones and more -- putting consumers and their data at risk," wrote Earl Crane, a senior cybersecurity fellow at the University of Texas, Austin. He added that manufacturers "would have to share codes, tools, and supply chain access to anyone who purchases a product."

Opponents also argue that giving the “keys to the kingdom” to the public opens the door for malicious actors who would then have the ability to tamper with these devices for any number of nefarious purposes.

Securepairs.org refutes that argument by dismissing the notion of security through obscurity, the assumption that obscurity equals or enhances security. A robust system, they say, will still be secure even if people know how it works. Releasing repair manuals and spare parts shouldn’t undermine an already sound smartphone. The group further argues that right-to-repair laws would make devices safer by allowing consumers to quickly replace failing parts or update buggy software.

Their argument against security by obscurity, of course, is based on the core principle of modern information security, first articulated by the Dutch cryptographer Auguste Kerckhoffs. He stated that a “cryptosystem should be secure even if everything about the system, except the key, is public knowledge” (Kerckhoffs’ Principle). Verifiable security is the product of secure design and thorough testing and improvement, not secrecy. Systems that rely on secrecy rather than provable security are destined to fail.

Kerckhoffs’ Principle is well known to Wibu-Systems, as it is the foundation upon which our award-winning Blurry Box cryptography was built to protect software from hackers. The basic principles of Blurry Box cryptography are the use of one or more secure keys in a dongle and the fact that software is typically complex. Its goal is to make the effort required to illicitly copy software higher than the effort needed to completely rewrite the same software. Blurry Box cryptography uses seven published methods that greatly increase the complexity and time required for an attack to be successful. In the end, it would be easier and less expensive for the would-be attacker to develop similar software from scratch.

We don’t know how the Right to Repair movement will progress, but if you would like to know more about Kerckhoffs’ Principle and how it is used to protect software, visit our website or download a white paper, Blurry Box Encryption Scheme and why it Matters to Industrial IoT.

Terry Gaul

Vice President Sales USA

Terry Gaul is a sales and business development professional with extensive experience in the software and technology sectors. He has been involved with software protection and licensing technologies for more than 20 years and currently serves as Vice President of Sales at Wibu-Systems USA. When he is not helping customers with software licensing, Terry typically can be found coaching his daughters' soccer teams or camping with his family on the Maine coast.

Cybersecurity enables Industry 4.0
by Daniela Previtali, 12-06-19 (Wed, 12 Jun 2019 14:03:00 +0200)
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/cybersecurity-enables-industry-40.html

Only the enhancement of Industry 4.0 cybersecurity will lay a solid foundation for future security technology developments.

Governments, industry organizations, and industrial leaders keep focusing their attention on cybersecurity in light of the advances driven by Industry 4.0 and Smart Manufacturing that continue to shape our future. 

The European Union Agency for Network and Information Security (ENISA), a center of network and information security expertise for the EU, its member states, the private sector and EU citizens, recently published a high-level summary report on the state of cybersecurity, Industry 4.0 Cybersecurity: Challenges and Recommendations.

ENISA hopes that the adoption of the high-level recommendations will contribute to the enhancement of Industry 4.0 cybersecurity across the European Union and lay a solid foundation for future security technology developments.

The challenges identified in the report tackle issues around people, processes, and technology while the recommendations are addressed to different key stakeholder groups, namely regulators, Industry 4.0 security experts, Industry 4.0 operators, standardization community, academia and research, and development bodies.

Following is a brief summary of the key challenges and recommendations outlined in the report:

People

Challenge: Need to Foster and Align IT/OT Security Expertise and Awareness – People involved in deployments of new solutions usually have only knowledge of either IT or OT security, while Industry 4.0 and Smart Manufacturing require expertise over several areas.
Recommendation: Promote Cross-Functional Knowledge on IT and OT Security – People responsible for security within Industry 4.0 organizations should invest in state-of-the-art dedicated cybersecurity trainings that cover all necessary aspects specific to IT/OT convergence and Smart Manufacturing.

Challenge: Incomplete Organizational Policies and Reluctance to Fund Security – Traditionally, cybersecurity was not perceived as a Board-level topic, since its impact on increasing revenue or optimizing costs remains generally unclear.
Recommendation: Foster Economic and Administrative Incentives for Industry 4.0 Security – Economic and administrative stimuli are required to incentivize investments in Industry 4.0 security, given that the maturity and mentality of organizations and businesses need to grow further when it comes to identifying the role and importance of security.

Processes

Challenge: Liability Over Industry 4.0 Products’ Lifecycle is Poorly Defined – Liability for Industry 4.0 cybersecurity is an open issue (a gap also identified for most emerging technologies), as accountability for Industry 4.0 cybersecurity incidents remains unclear.
Recommendation: Clarify Liability Among Industry 4.0 Actors – Address liability concerns not only to protect end-users and consumers of such products and services, but also to stimulate corresponding investments through a comprehensive and stable legal framework.

Challenge: Fragmentation of Industry 4.0 Security Technical Standards – The lack of uniform standardization efforts at a global level results in a situation in which sites that belong to one organization cannot collaborate and share security expertise and solutions with each other, as they are subject to different schemes.
Recommendation: Harmonize Efforts on Industry 4.0 Security Standards – It is beneficial to explore initiatives and guidelines that map security standards from many different sources to provide a complete point of reference and thus ensure all necessary security controls are considered.

Challenge: Supply Chain Management Complexity – The situation has become even more complicated as Smart Manufacturing introduced new capabilities (end-to-end visibility, predictive analysis, automation and data-driven decision-making) that have an additional impact on the supply chain.
Recommendation: Secure Supply Chain Management Processes – Trust is the root of a secure supply chain, since the amount of trust that an organization places on another will eventually feed into the risk assessment process and the introduction of appropriate security controls.

Technology

Challenge: Interoperability of Industry 4.0 Devices, Platforms and Frameworks – With the introduction and integration of Industry 4.0 devices, platforms, and frameworks to existing systems comes the issue of interoperability. In industrial environments, securing interconnectivity between diverse devices is often challenging, especially when considering devices that are long out of support.
Recommendation: Establish Industry 4.0 Baselines for Security Interoperability – Encourage the use of interoperability frameworks that promote a common security language and use of protocols for Industry 4.0 components.

Challenge: Technical Constraints Hampering Security in Industry 4.0 and Smart Manufacturing – Difficulties in ensuring security in Industry 4.0 result also from lack of technical capabilities of connected industrial devices and systems, especially considering integration with legacy infrastructures.
Recommendation: Apply Technical Measures to Ensure Industry 4.0 Security – Identifying baseline security recommendations for Industry 4.0 components, services, and processes based on risk analysis is a first step to approach a solution to the challenging technical constraints of this domain.

You can download the complete report here.

Daniela Previtali

Global Marketing Director

Daniela is a marketing veteran who has dedicated more than twenty years of her career to the service of world-leading IT security vendors. Throughout her journey in this field, she has covered executive positions in international sales, product marketing, and product management and acquired comprehensive knowledge of both digital rights management solutions and authentication technologies. Working from the German headquarters of Wibu-Systems, she is currently leading both corporate and channel marketing activities, innovating penetration strategies, and infusing her multinational team with a holistic mindset.

Defense in Depth Security
by Daniela Previtali, 04-06-19 (Tue, 04 Jun 2019 08:54:00 +0200)
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/defense-in-depth-security.html

A novel license-based protection solution that far surpasses the password authentication still typical of modern PACs.

As has been written in this space many times before, the risks to modern, connected industrial control systems are quite real, from loss of system control and destruction to stealing machine designs and intellectual property (IP).

Vulnerabilities exist in both development software and Programmable Logic Controller (PLC) hardware. Rockwell Automation pointed out some of those vulnerabilities in a recently published white paper, License-based Protection Versus a Software Solution.

In development software, Rockwell noted that legacy Operating Systems and software packages typically included few embedded security features, and if the OS or software vendor stopped updating their products, existing security vulnerabilities would eventually compromise the system. More recently, password authentication was introduced to protect IP, but as we know now, password protection alone does not guarantee security.

With PLC hardware, Rockwell noted that legacy controllers were typically built with default backdoor passwords for emergency access to the PLC, but that in itself posed security risks. More modern Programmable Automation Controllers (PACs) have eliminated the backdoor threat, but continue to maintain password authentication capabilities.

The commonality in both software and hardware vulnerabilities was the use of password authentication, and the difficulty in maintaining the process, particularly in the modern social engineering environment where there are many ways unscrupulous hackers can get access to the passwords – e.g. social media, phishing email schemes, etc.

In their white paper, Rockwell offered a novel license-based protection solution that they believe far surpasses the password authentication of the past. The solution is based on the concept of Root of Trust espoused by the Trusted Computing Group (TCG). As defined by the National Institute of Standards and Technology (NIST), roots of trust “are highly reliable hardware, firmware, and software components that perform specific, critical security functions. Because roots of trust are inherently trusted, they must be secure by design. As such, many roots of trust are implemented in hardware so that malware cannot tamper with the functions they provide. Roots of trust provide a firm foundation from which to build security and trust.”

Rockwell’s license-based protection solution, which is part of the Rockwell Software Studio 5000 Logix Designer v30 software, was developed in collaboration with Wibu-Systems and based on our CodeMeter technology. Several years ago, we joined the Trusted Computing Group and expanded our family of compatible secure hardware elements to include support for TCG’s Trusted Platform Modules (TPMs).

The comprehensive Rockwell protection solution includes elements of CodeMeter encryption, access control, and secure hardware elements, all working together to protect source and execution code without the use of passwords and the vulnerabilities that come with them. Rockwell refers to it as a Defense in Depth strategy.

The new License-based Protection feature is available for the Rockwell ControlLogix 5580 and CompactLogix 5380, 5380S and 5480 PAC controllers.

You can read a more detailed description of CodeMeter and License-based Protection in Rockwell’s white paper.


Should You Protect Your Embedded Code?
by Daniela Previtali, 21-05-19 (Tue, 21 May 2019 14:12:00 +0200)
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/should-you-protect-your-embedded-code.html

Preventing embedded systems vulnerabilities related to physical access, lack of monitoring, and software updates.

Embedded device hacking is the exploitation of vulnerabilities in embedded software to gain control of the device. Why does it happen? Some hackers attack embedded systems to spy on the devices, take control of them, or simply disable them and render them dysfunctional. As more and more embedded systems are exposed to the Internet via the IoT, remotely-controlled industrial systems, and other connected applications, the embedded system attack surface is expanding.

One blogger pointed out the sources of inherent vulnerabilities in the embedded systems environment:

Physical access – Physical attacks are likely because embedded devices are typically mass-produced, making it easy for potential attackers to obtain the device, take time to study it, and ultimately break or repurpose the device for malicious intent.

Lack of monitoring – Embedded environments generally have no means of monitoring for tampering or illegitimate access. They reside and operate on their own in the field, whether it be in an industrial or consumer environment, with no ongoing or periodic monitoring of operational status.

Software updates – The majority of legacy embedded devices will never be updated, so whatever security holes or bugs exist in the first release live on throughout the lifecycle of the device. Allowing access to the device for remote updates can address the issue, yet exposes the device to another vulnerability – a malicious actor replacing the code on the device with nefarious code.

Consider these potential simple scenarios where a hacker can infiltrate an embedded system:

  • Attackers develop a “fake device” that closely resembles the original but whose functions have been altered for malicious purposes and could be installed, for example, as a replacement part during equipment service.
  • Attackers develop their own software and run it by replacing the memory card in the embedded system.
  • Attackers extract the memory card out of the embedded system, manipulate the software, and plug the card back into the system.
  • Attackers modify the software on the embedded system by controlling the communication interfaces from the outside.
  • Attackers monitor an embedded system while in use by the application in order to analyze it and to develop avenues of attack.

Recent attacks have become more sophisticated and viral in the number of devices that can be impacted in a single attack. Just look at the damage caused by the STUXNET computer worm, the WannaCry and NotPetya ransomware and malware attacks, and the Misfortune Cookie exploit to medical devices.

How to Protect Your Code

The question today is not whether you should take steps to protect your embedded software code, but rather how best to protect your code. There are many approaches. Wibu-Systems’ CodeMeter technology encrypts and digitally signs the executable code, protects the booting and loading process of the embedded device, and ensures the integrity of the complete system. Download our whitepaper, Software Integrity Protection for Embedded Systems, and learn about the most modern technologies available to protect embedded systems from cyberattacks.


A Fresh Look at Secure Software Development
by Daniela Previtali, 09-05-19 (Thu, 09 May 2019 17:01:00 +0200)
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/a-fresh-look-at-secure-software-development.html

The approach to software security should be flexible, adaptable, outcome-focused, risk-based, cost-effective, and repeatable.

Software-driven innovations are being fueled by the emergence of smart things - devices, automobiles, factories, cities - all of which impact nearly every aspect of our personal lives and businesses. The connected economy offers tremendous economic and social benefits. However, it also introduces an unprecedented level of security risks, from theft of personal data to threats to human lives. While software itself is becoming increasingly complex, the onus is on software developers to build secure applications that can withstand ubiquitous hacking attempts and to ensure that they can be securely maintained throughout their lifecycle.

The dangers that lurk within the realm of software security have received global attention, yet it has been difficult for the industry to agree upon a set of best practices and common development standards. Several organizations, including BSIMM, OWASP, and the National Institute of Standards and Technology, have put forth documents outlining their proposals for development standards. On the industrial side, the Industrial Internet Consortium published the Industrial Internet Security Framework, a common security outline and an approach to assess cybersecurity in Industrial Internet of Things systems.

Just recently, BSA | The Software Alliance published their own viewpoint with The BSA Framework for Secure Software: A New Approach to Securing the Software Lifecycle. Before diving into the report, it is helpful to understand their definition of software security:

Software security encompasses what a software development organization does to protect a software product and the associated critical data from vulnerabilities, internal and external threats, critical errors, or misconfigurations that can affect performance or expose data.

The organization says that the Framework is intended to establish an approach to software security that is flexible, adaptable, outcome-focused, risk-based, cost-effective, and repeatable. The document provides a common organization and structure to capture multiple approaches to software security by identifying standards, guidelines, and practices that can help software development organizations achieve desired security outcomes while accounting for the wide spectrum of intended uses, risk profiles, and technological solutions among software products.

The guidelines are applicable to the entire spectrum of (1) software development organizations and vendors, from the individual entrepreneur to large-scale, multi-national businesses; (2) software development methods, from traditional to DevOps; and (3) software products, from simple IoT sensors to complex Artificial Intelligence algorithms.

Specifically, the BSA states that the goals of the Framework are to help software development organizations:

  1. Describe the current state of software security in individual software products.
  2. Describe the target state of software security in individual software products.
  3. Identify and prioritize opportunities for improvement in development and lifecycle management processes.
  4. Assess progress toward the target state.
  5. Communicate among internal and external stakeholders about software security and security risks.

The Framework identifies best practices relating to both organizational processes and product capabilities across the entire software lifecycle. It is organized into six columns: Functions, Categories, Subcategories, Diagnostic Statements, Implementation Notes, and Informative References.

If you are a software developer, you will find the 40-page document to be a good read and a mechanism for assessing your own software security practices.

You might also be interested in our upcoming Webinar on May 15, The Fastest Way to Protect Your Know-How, which will provide an overview of our complete family of IP protection tools that you can integrate easily into your software.


Digital Security in Connected Healthcare
by Oliver Winzenried, 03-05-19 (Fri, 03 May 2019 12:06:00 +0200)
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/digital-security-in-connected-healthcare.html

A critical shift in focus onto digital security solutions is required for the expanding digital footprint of the healthcare landscape.

The digital footprint of the healthcare landscape continues to expand as more and more medical devices come online, both next generation systems and legacy equipment, with many allowing remote access. Digital patient data continues to proliferate beyond the confines of the medical facility as well. This evolution necessitates a critical shift in focus onto digital security solutions that involve collaboration between device manufacturers and healthcare CIOs.

A recent report published by Gartner, Focus Now on Digital Security Opportunities Within Connected Medical Devices, shines a spotlight on three critical areas of impact on the digitalized healthcare industry:

  • Impact of healthcare data breaches on bottom line and brand equity is now creating the need for dedicated digital security services
  • Fuzzy regulations on digital security as a “Shared Responsibility” necessitate targeting medical device firms and healthcare providers
  • Connecting “Legacy” medical devices designed for the siloed IT age is creating a need for dedicated digital security solutions

Much recent attention has been focused on the vulnerabilities and security threats that have been exposed in medical device endpoints. From the standpoint of Wibu-Systems, we consider medical device endpoints to represent the greatest vulnerabilities for hackers to exploit. These endpoints can include any type of connected medical system, such as surgery robots, X-ray machines, MRI scanners, dental devices, infusion pumps, and patient monitors.

Attacks on these endpoints can result in compromised device functionality, loss of availability or integrity of data (medical or personal), or exposure of other connected devices or networks to security threats. These security breaches have the potential for catastrophic consequences resulting in patient illness, injury or even death.

We’ve worked with many companies on various aspects of medical device security, particularly on protecting medical device endpoints. Areas of focus include:

  • physical security to prevent uncontrolled changes to or the removal of the endpoint
  • root of trust to provide confidence in the endpoint identity
  • integrity protection to ensure that the endpoint is in the configuration that enables it to perform its functions predictably
  • access control to ensure that proper identification, authentication and authorization protocols are performed
  • secure configuration and management to control updates of security policies and settings
  • monitoring and analysis for integrity checking, detecting malicious usage patterns or denial of service activities, and enforcing security policies and analytics
  • data protection to control data integrity, confidentiality and availability
  • security model and policy for governing the implementation of security functions

If you are planning to attend the T4M Medical Technology Meeting in Stuttgart, Germany, May 7 – 9, 2019, I will present a talk on how the increasing network of connected medical devices makes security critical to prevent tampering with configuration data and secure the confidentiality and integrity of patients’ records. I will also discuss the potential for new business models that will benefit device manufacturers, operators, and patients.

You can also learn more about medical device security mechanisms and monetization opportunities in our customer case studies from Agfa HealthCare, CUSTO MED, Dentsply Sirona, and Fritz Stephan.

Oliver Winzenried

Co-founder and CEO

Oliver Winzenried began his entrepreneurial career immediately after completing his electrical engineering degree and, in 1989, he founded Wibu-Systems together with Marcellus Buchheit. His passion for software protection has resulted in a wide range of patents covering areas from secure license management and anti-tampering solutions to dongle feature innovations. He is also a director of the VDMA regional association in the state of Baden-Wuerttemberg, Germany, and serves on the board of directors of the Medical Technology working group of VDMA, the board of directors of bitkom, and the managing board of FZI.

Added Value by Software

by Daniela Previtali, Wed, 24 Apr 2019 13:38:00 +0200

https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/added-value-by-software.html

Digitalization places high demands on security technology and leads to far-reaching changes in production facilities.

Software solutions and services will continue to become increasingly significant in 2019 as digitalization makes further inroads into the engineering sector, while opening the door for new innovations and business practices. So says the Software and Digitalization Association of the VDMA, Germany’s leading mechanical and plant engineering industry advocacy, in the 20th anniversary edition of its annual industry directory, Added Value by Software.

Digitalization touches nearly all aspects of the industrial economy and has created an entirely new vocabulary in the process – terms like smart factories, neural networks, augmented reality, pull-oriented supply chains, machine learning, platform economy and the like have become commonplace. At the core of the digitalization movement and Industrie 4.0 is the availability of massive amounts of relevant information in real time that enable highly flexible, customer-specific manufacturing processes with high resource efficiency and short lead times.

In production facilities, for example, digitalization means that companies interconnect their machines, logistics systems and products. In doing so, they can reduce costs, become more competitive and shorten their lead times. Data collected by a myriad of sensors throughout the production process enable companies to identify and prevent disruptions in production at a very early point while providing valuable information for process optimization. Data analytics is an invaluable source for insights into important questions such as: What condition are the machines in? When would be the best time for maintenance? Which workflows need further improvement? Digitalization and the data handling that goes with it, however, also place high demands on security technology and lead to far-reaching changes in the company and its processes.

VDMA points out that companies must not lose sight of data security. That everything is interconnected is both a benefit and a threat. The more devices and plants are connected, the more important the topic of security becomes. Vulnerabilities can be readily exploited and hackers may gain access to important production data or upload malware, thus causing production downtimes and machine failure.

To make use of the benefits for production, security aspects must be considered in the planning and operation of production facilities. Especially relevant is the security of data in a company and the way the company handles it.

In the context of Industrie 4.0, IT security is essential for the safe operation of cross-company production processes. It must be possible to design an automated data exchange of interconnected production systems in a secure, reliable and sustainable manner. Controlling the identification of process actors and protecting the know-how of products, machines and plants is crucial. The earlier that companies integrate knowledge about potential threats, necessary measures and useful sources of information into the product life cycle, the more reproducible and reliable the implementation measures will be. To reap the full advantages of Industrie 4.0, organizations will need to make substantial investments in IT security to protect the excessive amounts of data and IP that will be stored in the cloud and block potential nefarious infiltrators. Following security-by-design principles for systems and processes will be critical as well to ensure that industry can operate safely and reliably.

VDMA offers a wealth of resources and documentation to advise industry on ways to address the emerging challenges brought on by Industrie 4.0 and a digitalized society. The Added Value by Software Directory provides an overview of the various solutions by members of the VDMA Software and Digitalization Association along with company profiles. Other relevant studies and papers are available that address Product Piracy, Product and Know-how Protection, and Industrie 4.0 in Practice. All can be downloaded here.

Daniela Previtali

Global Marketing Director


A Security Policy Agenda for the Global Economy

by Daniela Previtali, Tue, 09 Apr 2019 10:00:00 +0200

https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/a-security-policy-agenda-for-the-global-economy.html

Given the significant impact of the software industry, it is critical to create new policies that generate economic opportunity.

BSA | The Software Alliance released its 2019 Policy Agenda in early February to facilitate discussion and debate around what they believe to be some of the most pressing issues impacting the global economy. As a leading advocate for the global software industry, BSA points out that the software industry supports 10.5 million jobs and adds over $1 trillion to the U.S. economy alone, and because of its significant impact, it is critical to modernize outdated laws and create new policies that generate economic opportunity.

In their Policy Agenda, BSA emphasized 7 core policy areas where their organization was ready to collaborate with the U.S. Congress and Administration:

  • Consumer Data Privacy
  • Smart and Strong Cybersecurity
  • International Data Agreements and Digital Trade
  • Law Enforcement Access to Data
  • Realizing the Potential of Artificial Intelligence
  • Modern Workforce for the Digital Economy
  • Intellectual Property Protection

While we support all of these important policy areas, Wibu-Systems is, of course, particularly interested in intellectual property protection where we have focused our technology efforts for 30 years, and more recently, on industrial cybersecurity in the connected environment of the IoT and Industry 4.0. 

IP protections enable the research and development that drives innovation. As noted by BSA, software accounts for nearly 20% of all business R&D, and strict policies geared to protecting IP are critical to maintaining this investment. However, BSA’s 2018 Global Software Survey study found that the use of unlicensed software is still widespread, estimating that 37% of software installed on personal computers worldwide is unlicensed. Furthermore, use of unlicensed software greatly increases the opportunities for malware infections, making the cost impact of unlicensed software even greater. Thus, a global awareness and effort to address the issue continues to be of the utmost importance.

The evolution of connected IoT devices is creating a world of smart homes, smart factories, and smart cities. While this connectivity is serving to fuel our economy and improve our quality of life, it has broadened the attack surface for cybersecurity threats to our connected industries, workplaces, and homes. BSA’s cybersecurity recommendations to protect against these threats include:

  • Establishing risk-based standards for the IoT
  • Ensuring effective and secure supply chain management
  • Strengthening smart cities cybersecurity

For our part, we are actively working with organizations like the Industrial Internet Consortium (IIC) to make our security technologies and expertise available for the greater good. We have played an active role in creating the IIC’s Industrial Internet Security Framework and contributed to the fundamental tenets of Trustworthiness in Industrial System Design.

We are also involved in industry collaborations with companies like Wind River, Infineon, and the Trusted Computing Group to integrate our security technologies into their industry-wide solutions. We demonstrated several of these cooperative efforts and use cases at the recent Embedded World and Hannover Messe trade shows in Germany, and will do so again at the upcoming Embedded Technologies Expo & Conference in the USA in June.

Daniela Previtali

Global Marketing Director


Aligning the Technology with Customer’s Needs

by Daniela Previtali, Thu, 04 Apr 2019 13:46:00 +0200

https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/is-your-license-technology-aligned-with-your-customers-needs.html

Whether your decision is driven by technology or market reasons, the migration to CodeMeter is smoother than you may think.

Over the past 30 years, we’ve helped hundreds of companies migrate from their homegrown or vendor-supplied licensing solution to our CodeMeter licensing and protection platform. While there are many reasons why ISVs and embedded systems engineers have evaluated CodeMeter and chosen to migrate, a common thread has emerged: Their current technology is lacking and does not enable them to keep up with the changing business complexities and the protection and licensing needs of their customers. In turn, this struggle has harmed their competitiveness in the market and potentially damaged their long-term customer relationships.

Here is a sampling of conversations we’ve had with our customers that led them to consider migrating their licensing solution to CodeMeter:

“We acquired a couple of companies in the last few years and now we find ourselves with three different licensing solutions in place. Can you please help us run an analysis of which features are crucial to us and consolidate the whole ecosystem?”

“When we started our business, we went for a simple copy protection solution. Now that we have a stable stream of income and even more ambitious plans for the future, we would like to use a more sophisticated license management system. Can you assist us?”

“Our current protection solution focused mostly on code obfuscation. However, we have come to realize that an approach which includes scrambled encryption algorithms and cutting-edge encryption methods is the way to go. What can Wibu-Systems offer in this direction?”

“The IoT is such an exciting opportunity that we decided to extend our portfolio. We would like a single technology for IP protection and license lifecycle management that works with computers, mobile devices, embedded systems, and PLCs. Is CodeMeter the right choice?”

“We are using a world leading IDE for PLCs to develop our IEC 61131 applications, but we feel like more stringent security policies could safeguard our know-how even better. Do you have a module that fully integrates and adds secure key storage, associated with a secure hardware element?”

“If the future is the cloud, we don’t want to miss it. So far, we have been using software and hardware-based license containers, but being able to move our applications as SaaS to the cloud would represent a pivotal business advantage. Is your cloud solution mature enough?”

“With our current licensing system, deploying licenses takes up too much of our valuable time. We want to be able to streamline the complete process in a way that our ERP system automatically does the heavy lifting for us. Which back office platforms do you support?”

“The VARs buying our CodeMeter-secured PLCs have expressed a strong interest in a similar solution that may protect and license the software they sell along with our units. Does your technology provide multivendor capabilities? How can you serve the entire supply chain with the lowest impact possible for all parties involved?”

Beyond these technology and market discussions, we’ve had customers contact us more recently with concerns about their chosen DRM vendor’s commitment to their investment in new technology and ongoing support. Amidst the confusion of mergers and acquisitions and other varied business interests of their suppliers, some ISVs have questioned whether their vendor is truly focused on their licensing technology needs.

If you are thinking about upgrading your current licensing solution, or perhaps you might be considering a new licensing vendor, you have a great opportunity to evaluate CodeMeter and learn more about Wibu-Systems at our upcoming Webinar, Your Migration Map to a Comprehensive Protection and Licensing System, to be held on Wednesday, April 10. You can learn more and register here.

Daniela Previtali

Global Marketing Director

