scispace - formally typeset
Search or ask a question
Author

Christian Lesjak

Bio: Christian Lesjak is an academic researcher from Infineon Technologies. The author has contributed to research in topics: Authentication & Hardware security module. The author has an hindex of 8, co-authored 13 publications receiving 180 citations.

Papers
More filters
Proceedings ArticleDOI
01 Nov 2015
TL;DR: This work investigates and compares two security technologies that provide isolation and a secured execution environment: ARM TrustZone and a Security Controller and proposes a hybrid approach that maximizes security for high-security industrial applications.
Abstract: The transition from product-centric to service-centric business models presents a major challenge to industrial automation and manufacturing systems. This transition increases Machine-to-Machine connectivity among industrial devices, industrial controls systems, and factory floor devices. While initiatives like Industry 4.0 or the Industrial Internet Consortium motivate this transition, the emergence of the Internet of Things and Cyber Physical Systems are key enablers. However, automated and autonomous processes require trust in the communication entities and transferred data. Therefore, we study how to secure a smart service use case for industrial maintenance scenarios. In this use case, equipment needs to securely transmit its status information to local and remote recipients. We investigate and compare two security technologies that provide isolation and a secured execution environment: ARM TrustZone and a Security Controller. To compare these technologies we design and implement a device snapshot authentication system. Our results indicate that the TrustZone based approach promises greater flexibility and performance, but only the Security Controller strongly protects against physical attacks. We argue that the best technology actually depends on the use case and propose a hybrid approach that maximizes security for high-security industrial applications. We believe that the insights we gained will help introducing advanced security mechanisms into the future Industrial Internet of Things.

51 citations

Proceedings ArticleDOI
22 Jul 2015
TL;DR: This paper proposes a system architecture incorporating a hardware security controller that processes the Transport Layer Security (TLS) client authentication step and proves the feasibility of the concept by means of a prototype implementation, and confirms the advanced security of the system.
Abstract: Increasing the efficiency of production and manufacturing processes is a key goal of initiatives like Industry 4.0. Within the context of the European research project ARROWHEAD, we enable and secure smart maintenance services. An overall goal is to proactively predict and optimize the Maintenance, Repair and Operations (MRO) processes carried out by a device maintainer, for industrial devices deployed at the customer. Therefore it is necessary to centrally acquire maintenance relevant equipment status data from remotely located devices over the Internet. Consequently, security and privacy issues arise from connecting devices to the Internet, and sending data from customer sites to the maintainer's back-end. In this paper we consider an exemplary automotive use case with an AVL Particle Counter (APC) as device. The APC transmits its status information by means of a fingerprint via the publish-subscribe protocol Message Queue Telemetry Transport (MQTT) to an MQTT Information Broker in the remotely located AVL back-end. In a threat analysis we focus on the MQTT routing information asset and identify two elementary security goals in regard to client authentication. Consequently we propose a system architecture incorporating a hardware security controller that processes the Transport Layer Security (TLS) client authentication step. We validate the feasibility of the concept by means of a prototype implementation. Experimental results indicate that no significant performance impact is imposed by the hardware security element. The security evaluation confirms the advanced security of our system, which we believe lays the foundation for security and privacy in future smart service infrastructures.

45 citations

Proceedings ArticleDOI
16 Sep 2014
TL;DR: A comprehensive overview of security issues and features in existing WLAN, NFC and ZigBee standards is presented, investigating the usage characteristics of these standards in industrial environments and applying standard risk assessment methods to identify vulnerabilities with the highest risk across multiple technologies.
Abstract: Due to its availability and low cost, the use of wireless communication technologies increases in domains beyond the originally intended usage areas, e.g. M2M communication in industrial applications. Such industrial applications often have specific security requirements. Hence, it is important to understand the characteristics of such applications and evaluate the vulnerabilities bearing the highest risk in this context. We present a comprehensive overview of security issues and features in existing WLAN, NFC and ZigBee standards, investigating the usage characteristics of these standards in industrial environments. We apply standard risk assessment methods to identify vulnerabilities with the highest risk across multiple technologies. We present a threat catalogue, conclude in which direction new mitigation methods should progress and how security analysis methods should be extended to meet requirements in the M2M domain.

25 citations

Proceedings ArticleDOI
01 Sep 2014
TL;DR: A secure NFC-enabled hardware module for industrial embedded systems with a secure identity is presented, enabling local identification by means of the proximity based contact-less technology Near Field Communication (NFC), and remote identification via a contact-based interface, thus helping to prevent device impersonation attacks, device clones and human errors on device identification.
Abstract: Smart maintenance constitutes an essential concept in Industry 40, where industrial devices report their maintenance status to remote back end systems and thus predictive maintenance can be intelligently scheduled and carried out locally at the affected device This status data must be securely assignable to the claimed device identities when transmitted remotely Furthermore, during the actual maintenance task, the service technician must be able to trustworthily identify the correct target device Unfortunately, current systems typically lack cryptographic authentication and a secure storage for the required credentials, causing identity impersonation as a major threat In this paper we present a secure NFC-enabled hardware module for industrial embedded systems with a secure identity, enabling local identification by means of the proximity based contact-less technology Near Field Communication (NFC), and remote identification via a contact-based interface, thus helping to prevent device impersonation attacks, device clones and human errors on device identification A proof of concept utilizing an Infineon security controller capable of elliptic curve cryptography demonstrates the concepts feasibility

18 citations

Proceedings ArticleDOI
01 Jul 2016
TL;DR: This work shows a hardware-rooted snapshot protection system that utilizes a Broker-based messaging infrastructure, hybrid encryption and a single-pass Elliptic Curve Menezes-Qu-Vanstone (ECMQV) scheme that can serve as a template for a multitude of Industrial Internet of Things applications, which by their very nature call for strong security.
Abstract: Authentic and confidential, but at the same time traceable and transparent, data exchange among multiple stakeholders is a key challenge in Industrial Internet of Things (IIoT) applications. Specifically, smart service connectivity requires the secure and transparent acquisition of equipment status information, which we call snapshots, from globally distributed equipment instances at customer sites by the equipment vendor. Related work has proposed to use a Message Queue Telemetry Transport (MQTT) Broker and hardware-secured Transport Layer Security (TLS) with client authentication. However, this approach lacks strong cryptographic end-to-end protection of snapshots. Here we show a hardware-rooted snapshot protection system that utilizes a Broker-based messaging infrastructure, hybrid encryption and a single-pass Elliptic Curve Menezes-Qu-Vanstone (ECMQV) scheme. We evaluate our concept by means of a prototype implementation and discuss security and performance implications. Our approach provides strong end-to-end data protection, while at the same time enabling customers to trace what data has been transferred off their equipment. We believe that our concept can serve as a template for a multitude of Industrial Internet of Things applications, which by their very nature call for strong security.

16 citations


Cited by
More filters
Journal ArticleDOI
TL;DR: This paper focuses on security considerations for IoT from the perspectives of cloud tenants, end-users, and cloud providers, in the context of wide-scale IoT proliferation, working across the range of IoT technologies.
Abstract: To realize the broad vision of pervasive computing, underpinned by the “Internet of Things” (IoT), it is essential to break down application and technology-based silos and support broad connectivity and data sharing; the cloud being a natural enabler. Work in IoT tends toward the subsystem, often focusing on particular technical concerns or application domains, before offloading data to the cloud. As such, there has been little regard given to the security, privacy, and personal safety risks that arise beyond these subsystems; i.e., from the wide-scale, cross-platform openness that cloud services bring to IoT. In this paper, we focus on security considerations for IoT from the perspectives of cloud tenants, end-users, and cloud providers, in the context of wide-scale IoT proliferation, working across the range of IoT technologies (be they things or entire IoT subsystems). Our contribution is to analyze the current state of cloud-supported IoT to make explicit the security considerations that require further work.

264 citations

Journal ArticleDOI
TL;DR: In this article, a survey of application layer communication protocols to fulfill the IoT communication requirements, and their potential for implementation in fog-and cloud-based IoT systems is presented, including request-reply and publish-subscribe protocols.
Abstract: The fast increment in the number of IoT (Internet of Things) devices is accelerating the research on new solutions to make cloud services scalable. In this context, the novel concept of fog computing as well as the combined fog-to-cloud computing paradigm is becoming essential to decentralize the cloud, while bringing the services closer to the end-system. This article surveys e application layer communication protocols to fulfill the IoT communication requirements, and their potential for implementation in fog- and cloud-based IoT systems. To this end, the article first briefly presents potential protocol candidates, including request-reply and publish-subscribe protocols. After that, the article surveys these protocols based on their main characteristics, as well as the main performance issues, including latency, energy consumption, and network throughput. These findings are thereafter used to place the protocols in each segment of the system (IoT, fog, cloud), and thus opens up the discussion on their choice, interoperability, and wider system integration. The survey is expected to be useful to system architects and protocol designers when choosing the communication protocols in an integrated IoT-to-fog-to-cloud system architecture.

256 citations

Journal ArticleDOI
TL;DR: This paper consists of two contributions: the primary contribution is a systematic review of the literature over the period 2011–2019 on IIoT Security, focusing on how the relatively new paradigm of Fog computing can be leveraged to address these requirements, and thus improve the security of the IIeT.
Abstract: A key application of the Internet of Things (IoT) paradigm lies within industrial contexts. Indeed, the emerging Industrial Internet of Things (IIoT), commonly referred to as Industry 4.0, promises to revolutionize production and manufacturing through the use of large numbers of networked embedded sensing devices, and the combination of emerging computing technologies, such as Fog/Cloud Computing and Artificial Intelligence. The IIoT is characterized by an increased degree of inter-connectivity, which not only creates opportunities for the industries that adopt it, but also for cyber-criminals. Indeed, IoT security currently represents one of the major obstacles that prevent the widespread adoption of IIoT technology. Unsurprisingly, such concerns led to an exponential growth of published research over the last few years. To get an overview of the field, we deem it important to systematically survey the academic literature so far, and distill from it various security requirements as well as their popularity. This paper consists of two contributions: our primary contribution is a systematic review of the literature over the period 2011–2019 on IIoT Security, focusing in particular on the security requirements of the IIoT. Our secondary contribution is a reflection on how the relatively new paradigm of Fog computing can be leveraged to address these requirements, and thus improve the security of the IIoT.

173 citations

Journal ArticleDOI
TL;DR: In this article, the authors present a comparative analysis of the main characteristics of IoT communication protocols, including request-reply and publish-subscribe protocols, and review the main performance issues, including latency, energy consumption and network throughput.
Abstract: The fast increment in the number of IoT (Internet of Things) devices is accelerating the research on new solutions to make cloud services scalable. In this context, the novel concept of fog computing as well as the combined fog-to-cloud computing paradigm is becoming essential to decentralize the cloud, while bringing the services closer to the end-system. This paper surveys on the application layer communication protocols to fulfil the IoT communication requirements, and their potential for implementation in fog- and cloud-based IoT systems. To this end, the paper first presents a comparative analysis of the main characteristics of IoT communication protocols, including request-reply and publish-subscribe protocols. After that, the paper surveys the protocols that are widely adopted and implemented in each segment of the system (IoT, fog, cloud), and thus opens up the discussion on their interoperability and wider system integration. Finally, the paper reviews the main performance issues, including latency, energy consumption and network throughput. The survey is expected to be useful to system architects and protocol designers when choosing the communication protocols in an integrated IoT-to-fog-to-cloud system architecture.

168 citations