 Hello everybody, so during this session welcome and during a session I will try to introduce that some basic concept of the security and How is it really simple to implement some security in IoT system? so So before to enter in the security I suggest that you get a nice around you and in your life That's today. We are in the connecting world and even I'm absolutely sure that in your home You have some gateway. You are probably on gateway. This is really deployed in the US Where do you can manage in a remote control your display your display your solar panel? Your appliance and a lot of things the second area which else use the connected thing The deployment of the smart grid by using the smart meters But you have also that's a lot of connected things in the core and even in your body with the deployment of no Wherever and the lots environment that we could have some Connected things is The city with the management of the traffic light or even the management of the camera then we are now in the connected And then we have some vulnerability and then we have to protect our data and we have to put in place some security This is the basement We have a lot of Example on the press and on the field on the attacks one really simple examples is Yes, is an example done in December 2003 2013 where some people receive a lot of spam coming from a client's Home appliance coming from the fridge coming from the machine. This is really funny for the hacker But not really funny for the user a second example is really well known list thermostat attacks where the behavior of the thermostat has been completely locked The third one has been done in a last summer in the Smith smart metering system where the Smart meter has been a hack and the bill has been completely locked and the last one is a really simple By a scientific in Atlanta We have really simply used a radio and the laptop to have the traffic light you can imagine the disturbance in the City then the really simple attacks and we can have this one in your home and around you and Today, there are no security implement in a test system and it will be a really Really a problem for your life in the future Then Before to enter in the solution we have to understand what is really the security and The most thing and the most important thing is to understand what is the security is the degree of importance or protection from harm and it supplies to all your asset and this asset could be your person Or be your data could be anything or you would like to protect and you have at least two main reasons To implement the security the first one is to protect your privacy data And the second one that you have a social responsibility is a video network when you connect anything on a network To design a secure system You are forced to think about you cannot start telling that I will use such component of such component It's not a right way The best way is to first define who is the owner and this owner has to define the asset He would like to protect and he has to evaluate the risk and based on the risk is We know the level of security. He would like to implement. This is the first step to do the second step The second step is to evaluate the straight the stress the objective of the stress is to attack your assets based on that the assets will exploit the attacks to Recover your data and based on these three elements Define your assets evaluate the risk and the level of security you would like to put Evaluate the straights and define the right attack. You are able to define the right content measure If you start to implement content measure without this analysis You are absolutely sure that your system will be not secure at all Whatever the system, whatever the IoT system, whatever the smart grid system, whatever what you would like to implement That way I will detail more in detail on each stage The first one that's the owner protect the assets and there are four words to keep in mind It's really simple and first the sender and the receiver of the asset has to be authenticated That's the first words that you have to keep in mind in authentication Then afterwards the information has to stay As to stay trusted it means that you have to ensure the integrity of your data the second one is Your data has to keep privates. You have to ensure the confidentiality of your data And the last one is your data has to be available Anywhere and at any time that you have to ensure that the service perform to protect your data and to give your data Are running well and are not corrected then only four words Four step to define four words to keep in mind authentication confidentiality integrity and availability This is the first step the second step you have you evaluate the straights a typical example is a smart metering system You have several Several steps that you have a data center which administrates the complete system. You have the cloud You have a gateway or a concentrator with managing a graph of meter for example And you have at the end and end point which could be a meter It could be an appliance if it could be anything else and at each step of the system You have to provide some security to prevent such traits like Like a fixie room that one of the middle for example an eversdropper and data collection that are corruption the fake devices the denier services or Maybe any corruption of data during the transit. It's always the same straights whatever the system Is the second step to have to analyze? Then you have to identify the attacks The attacks is the friends of the straights. What is the kind of attacks? You have three kind of attacks The first one is the non-invasive attacks. What it is is the attack performed by computer That's I think that anybody here on this room can perform this attack using a computer or Earring in the signal to decrypt in fact the key and the only well known is the whole blood attack performance is cell That's it's the experience is not sure you to do that You don't need to have your device in front of you that you care from that through the network Is the month commands attack done on the system? The second one a bit more complex because you need to have the device in front of you. You have to unpack the The the chip and you have to perform maybe some attack like laser or UV or Any fault injection and you have to correct the services on the software running on the system You need a bit more experience on how the chip run and the software which is embedded in this chip The last one is the invasive attack and this is performed only by experienced experience By laboratory external laboratory with machine which is costs This is really expensive like probing and rivers and generic This is typically the attack which is the pair formed by common criteria during common criteria certification penetration testing With these three kind of attack you can Define the level of security you would like to apply to your devices and the cost you would like to apply to perform this attack This is the Steps now you have all the elements to define your system and your security in your system When you speak about security, you don't speak on not only a trusted component It's a global environment. You cannot define a trusted component and put on the table your Components and say, okay, you can't open it and play with it. No, it's not like that You have to define a complete infrastructure and trusted infrastructure by Implemented some rules some process for the development to the supply chain The second safe for sure is to develop trusted components at the device properly at the network and in data center and The last step is to be sure that the people involved in the security play their own role and Knows exactly what they have to do If you protect the key that the people keep the key and put it on the website the security is lost That is the something that All the people working on the security have to keep in mind Then we will focus next in the trusted component as the rest is the rules The solution in trusted component is what is the cryptography? All the data will be Protected with cryptography You are absolutely you remember you remind the forwards needed to do some security Do you remind that just forwards? No You don't tell me you sleep you are sleeping now just forward You don't remember authentication Availability integrity confidentiality Don't forget that This is the basement of the security That's to implement that That's the solution a cryptography and what is the cryptography? Algorithm and the algorithm is performed with key then to apply some authentication What it is its implementation of mutual authentication Mutual authentication is just a get challenge or in the TLS authentication which authentication is really simple The second one is to perform the confidentiality is using data encryption using symmetric or isometric Algorithm I will not in doing the detail of all that have a really crypto Colleagues on the boost and I engage you to visit our booth here is a training detail of the process how to use Prevac key secret key public key out to generate and to verify the signature and so on I don't spend a time like that the third one to perform The integrity is to generate a signature and verify the signature Mainly this is performed with a public key and a private key You generate the signature with a private key and you verify the signature with a public key And the last one is the data availability And this is performed by implementing the secure boot and the secure firmware upgrade All these four functions and the attacks are demonstrated in our booths with a small demo by combining STM32 and a secure element And you can play with it and you can shake the balls and you can see that we are either in the good Else it is working well or always in the baddler's if you correct the system This is funny, but in the real life. It's not funny at all Now after these four words, I don't like you to repeat the four words because okay the cryptography Algorithm of the key Yes ECC RSA and so on but which is key is the security level Depends on the crypto key protection level That today we see we heard that security is implemented by software by memory By standard MCU by anything else and so on and we don't know what we have to use To implement in our system But in fact, it's really simple is dependent of your analysis of the risk level all this chip provide the same crypto algorithm but This chip does not Provide the same protection for the keys and the force and the strength of your system will depend of the strengths of the protection of your kids It's really simple to attack a trick crypto memory is really difficult to attack a secure MCU And the cost you will invest to attack a secure MCU with semi-invasive invasive and non-invasive attack is different Between all this chip That's why when you have defined your security level you have also defined the solution will implement in your system ST is since a Long time ago involved in the deployment of the security that we are developing since at least 20 20 years ago Secure chip for mobile is implementation of NFC and two MN cores, but also Developing traditional market of the smart card for your banking cards your SIM cards or your identity And also now implementing the turnkey solution for it's not emerging market This is the market that is coming really fast This is for IoT for smart metering for automation for brand prediction and for TPM for the computer With this market are over by ST chip ST secure chip As different of STM 32 and the difference of both products is the level of protection We have implemented by hardware and software on the chip then We have a long experience on the security and we have sat in At least 20 years ago by implementing security function and to prove that we have every year's obliged to Certified our product by SNR laboratory and to have certificate. There are plenty of certificate The most constraints is the common criteria security Certification the common criteria assure the robustness of our chip and assure that you Methods to develop your chip are well and it's the only certificate you protect You complete process and your chip There are also a plenty of other certificate dedicated for banking for ID and so on and this year the France has Defined a new certificate dedicated for the severe security and we are received these awards Begin of January Lighting that the ST secure product ST so T3 and ST so T1 products are Dedicated for the security for the computer and for the network and for the IOT Then we have the change to have it generally enough our company Some experts dedicated on a crypto algorithm then for example, you and them and has defined it in the 2000s the AES Algorithm and that has provided last year the K check is the shift dash 3 new algorithm and with this experience and the Security expert we have in the company. We are able to provide to you That's all the state and all the advice to build your system then The complete portfolio allows to ST to be engaged in all the markets We haven't just for your example the Kierke product which has been introduced one year ago to meet The expectation to reach the expectation of the smart mentoring system This is now deployed in France and in Germany for the smart grid system and the rollout is coming We have also the opportunity to address now the high OT system is the same scheme We we will put the same rules and we will define a new product for this new market I will engage to see and to visit our booth and to discuss with my colleague We will demonstrate to you our similarities to embed security in such system But keep in mind the first step before implementing anything and keep in mind the four words Needed to secure your system