SPRACO8 – October 2019
Devices: AM3351, AM3352, AM3354, AM3356, AM3357, AM3358, AM3358-EP, AM3359, AM4372, AM4376, AM4377, AM4378, AM4379, AM5746, AM5748, AM5749, AM6546, AM6548


Programmable Logic Controllers — Security Threats and Solutions
  Trademarks
  1 Introduction
  2 Reinventing the PLC for Industry 4.0
  3 Security implications
    3.1 Threat descriptions and risk assessment
  4 TI security frameworks
  5 TI devices with security enablers
  6 Conclusion
  7 References

TI security frameworks

Texas Instruments (TI) has defined its security framework in Building your application with security in mind to provide an overview of why security matters, how to evaluate which security measures you need and how to implement these measures to protect against threats. The TI security framework also includes the main security enablers that TI offers to assist you in furthering your security objectives.

Table 2 maps the customer asset to TI security enablers.

Table 2. Customer asset to TI security enablers
(Columns: Threat; Customer asset; Counter measures; Device asset; Exposure point; TI security enabler(s); TI security enabler usage)

Threat: PLC takeover
Customer asset: Customer booting software images
Counter measures:
• Trusted booting images and trusted over-the-air updates.
• Closed debugging ports.
Device asset: Code, identity and keys
Exposure point: Storage, run time
TI security enabler(s):
• Secure boot
• Secure firmware updates
• Debugging security
TI security enabler usage:
• The device validates the image digital signature on every boot and rejects the image if the authentication fails.
• Secure over-the-air update of images using device-stored keys.
• Before updating software, the device checks the authenticity of the images through the digital certificates attached to them, using keys stored in the device. The updated images are accepted only if this authentication succeeds.

Threat: Spoofing
Customer asset: Data sent to the host for further action
Counter measures: Encrypt and sign the messages to the host.
Device asset: Data, identity and keys
Exposure point: Run time, transfer
TI security enabler(s):
• Cryptographic acceleration
• Secure storage
• Networking security
TI security enabler usage:
• Use negotiated or pre-shared keys held in secure storage to encrypt and sign messages meant for the host.
• Offer cryptographic cores such as Advanced Encryption Standard (AES), Secure Hash Algorithm (SHA) and Public Key Algorithms (PKA) to encrypt/sign messages, thereby achieving the required performance.

Threat: Man-in-the-middle attacks
Customer asset: Data as received by the PLC
Counter measures: Check the authenticity of messages before acting on them.
Device asset: Data, identity and keys
Exposure point: Run time, transfer
TI security enabler(s):
• Cryptographic acceleration
• Secure storage
• Networking security
TI security enabler usage:
• Use negotiated or pre-shared keys held in secure storage to verify and decrypt messages meant for the host.
• Offer cryptographic cores (AES/SHA/PKA) to decrypt/verify messages, thereby achieving the required performance.

Threat: Rogue PLC joining the network
Customer asset: Device identity
Counter measures: Secure onboarding procedure to install new devices on factory networks.
Device asset: Device identity and keys
Exposure point: Storage
TI security enabler(s):
• Device identity/keys
• Initial secure programming
TI security enabler usage:
• The device identity and keys used to authenticate the device are part of the factory-floor onboarding procedure.
• In this scenario, the PLC must prove its authenticity cryptographically to the host before it becomes part of the factory network.

Threat: Denial-of-service attacks
Customer asset:
• The PLC is unable to respond to legitimate requests.
• The PLC starts flooding the network, targeting a victim (a remote I/O node or another PLC).
Counter measures: Software running on the PLC must be trusted. Attempts to override the device through the debugging ports must be countered.
Device asset: Code
Exposure point: Storage, run time
TI security enabler(s):
• Secure boot
• Device identity
• Debugging security
TI security enabler usage:
• The device enforces authentication of software images during secure boot and during secure over-the-air updates.
• Debugging ports are closed by default and can only be opened by signed certificates/software.

Threat: Remote device management service exploits
Customer asset: PLC configuration change or illegal software update
Counter measures: Remote device management is allowed only after authentication.
Device asset: Code
Exposure point: Run time
TI security enabler(s):
• Secure boot
• Device identity
• Keys
• Debugging security
• Secure storage
TI security enabler usage:
• The device uses secure boot to allow only trusted software, which restricts use of the remote device management port to authorized users after checking their credentials.
• Device software uses keys from secure storage to authenticate requests for device management services.
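The "PLC takeover" and "Denial-of-service" rows both rest on the same mechanism: the device checks a digital signature over the software image on every boot and before accepting an over-the-air update, and rejects the image if the check fails. The following Go program is an added example written for this page, not TI code and not a TI image format: it uses a constructed image layout (magic, version, payload length, payload, Ed25519 signature over the SHA-256 digest of the rest) and Go's standard crypto library in place of the device's SHA/PKA cores. The OEM public key is assumed to have been placed in device secure storage; here it is simply passed in.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not a TI image format):
//   magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | signature(64)
// The Ed25519 signature covers the SHA-256 digest of everything before it,
// so a change to any header field or payload byte invalidates it.
const magic = "IMG1"
const hdrLen = 4 + 4 + 4

var (
	ErrFormat = errors.New("malformed image")
	ErrAuth   = errors.New("image authentication failed")
)

// BuildImage models the OEM signing station: it assembles header and
// payload and signs their digest with the OEM private key, which never
// leaves the signing station.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	digest := sha256.Sum256(buf.Bytes())
	buf.Write(ed25519.Sign(priv, digest[:]))
	return buf.Bytes()
}

// VerifyImage models the boot ROM or updater on the device: it holds only
// the OEM public key (assumed to come from device secure storage) and
// releases the payload only if the signature verifies. The same check runs
// on every boot and before an over-the-air update is accepted.
func VerifyImage(pub ed25519.PublicKey, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+ed25519.SignatureSize || string(img[:4]) != magic {
		return 0, nil, ErrFormat
	}
	body := img[:len(img)-ed25519.SignatureSize]
	sig := img[len(img)-ed25519.SignatureSize:]
	version := binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:12])
	if int(plen) != len(body)-hdrLen {
		return 0, nil, ErrFormat
	}
	digest := sha256.Sum256(body)
	if !ed25519.Verify(pub, digest[:], sig) {
		return 0, nil, ErrAuth // reject: do not boot or install
	}
	return version, body[hdrLen:], nil
}

func main() {
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed OEM key pair
	img := BuildImage(oemPriv, 3, []byte("constructed firmware payload"))

	if v, _, err := VerifyImage(oemPub, img); err == nil {
		fmt.Println("genuine image accepted, version", v)
	}
	tampered := append([]byte(nil), img...)
	tampered[hdrLen] ^= 0x01 // flip one payload bit
	_, _, err := VerifyImage(oemPub, tampered)
	fmt.Println("tampered image:", err)
}
```

The header is covered by the signature as well as the payload, so an attacker who can write flash cannot change the version or length fields without also breaking the signature; malformed images are distinguished from authentic-but-rejected ones only so that diagnostics are clearer, and neither case boots.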
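The "Spoofing" and "Man-in-the-middle" rows describe the two directions of one channel: encrypt and sign messages sent to the host, and verify and decrypt messages before acting on them, using negotiated or pre-shared keys held in secure storage. The following Go program is an added example for this page, not TI code; it uses a constructed wire format and AES-GCM from Go's standard library (the device's AES core would do the same work in hardware). The pre-shared key is assumed to have come from secure storage and is passed in as a byte slice. An authenticated header carrying the sender ID and a message counter lets the receiver reject forged, modified, reflected and replayed messages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed wire format for this example (not a TI protocol):
//   senderID(4) | counter(8) | nonce(12) | ciphertext || GCM tag(16)
// The 24-byte header is passed to AES-GCM as associated data, so sender
// identity and counter are authenticated even though they travel in clear,
// and the counter lets the receiver reject replayed messages.
const hdrLen = 4 + 8 + 12

var ErrReject = errors.New("message rejected")

// Endpoint is one party (PLC or host) holding the pre-shared key. The key
// is assumed to come from device secure storage; here it is passed in.
type Endpoint struct {
	id   uint32
	aead cipher.AEAD
	ctr  uint64            // our own send counter
	seen map[uint32]uint64 // highest counter accepted from each peer
}

func NewEndpoint(id uint32, psk []byte) (*Endpoint, error) {
	block, err := aes.NewCipher(psk) // AES-128 or AES-256 depending on key length
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Endpoint{id: id, aead: aead, seen: map[uint32]uint64{}}, nil
}

// Seal encrypts and authenticates one message ("encrypt and sign" in the
// table) under a fresh random nonce and the next counter value.
func (e *Endpoint) Seal(plaintext []byte) ([]byte, error) {
	e.ctr++
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[0:4], e.id)
	binary.BigEndian.PutUint64(hdr[4:12], e.ctr)
	if _, err := rand.Read(hdr[12:]); err != nil {
		return nil, err
	}
	out := make([]byte, hdrLen, hdrLen+len(plaintext)+e.aead.Overhead())
	copy(out, hdr)
	return e.aead.Seal(out, hdr[12:], plaintext, hdr), nil
}

// Open verifies, then decrypts ("verify and decrypt" in the table). No
// header field is trusted until the tag has been checked, and the replay
// window is advanced only after a successful check.
func (e *Endpoint) Open(msg []byte) (uint32, []byte, error) {
	if len(msg) < hdrLen+e.aead.Overhead() {
		return 0, nil, ErrReject
	}
	hdr, body := msg[:hdrLen], msg[hdrLen:]
	plaintext, err := e.aead.Open(nil, hdr[12:], body, hdr)
	if err != nil {
		return 0, nil, ErrReject // forged, modified, or sealed under another key
	}
	sender := binary.BigEndian.Uint32(hdr[0:4])
	ctr := binary.BigEndian.Uint64(hdr[4:12])
	if sender == e.id || ctr <= e.seen[sender] {
		return 0, nil, ErrReject // reflected back to us, or replayed
	}
	e.seen[sender] = ctr
	return sender, plaintext, nil
}

func main() {
	psk := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte pre-shared key
	plc, _ := NewEndpoint(2, psk)
	host, _ := NewEndpoint(1, psk)

	msg, _ := plc.Seal([]byte("valve=open"))
	from, pt, err := host.Open(msg)
	fmt.Println("from", from, string(pt), err)
	_, _, err = host.Open(msg) // the same bytes again
	fmt.Println("replay:", err)
}
```

Checking the tag before looking at the counter matters: if the counter were consulted first, an attacker could advance the receiver's replay window with unauthenticated headers and cause genuine messages to be dropped.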
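The "Rogue PLC joining the network" row says the PLC must prove its authenticity cryptographically to the host as part of onboarding, using the identity keys provisioned during initial secure programming. The following Go program is an added example, not TI code: it shows one challenge-response exchange with both sides' messages. The host keeps a registry of serial numbers to identity public keys (assumed to be filled during factory provisioning), issues a random nonce, and admits the device only if the response is a valid Ed25519 signature over the claimed serial and that nonce. The serial, nonce size and message framing are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Host holds the identity public keys provisioned at the factory
// ("initial secure programming") and the challenges it has issued.
type Host struct {
	registry map[string]ed25519.PublicKey // serial -> identity public key
	pending  map[[16]byte]bool            // issued but not yet answered nonces
}

func NewHost() *Host {
	return &Host{registry: map[string]ed25519.PublicKey{}, pending: map[[16]byte]bool{}}
}

// Provision records a device's identity public key; in practice this is
// done out of band, not over the network being protected.
func (h *Host) Provision(serial string, pub ed25519.PublicKey) {
	h.registry[serial] = pub
}

// Challenge issues a fresh random nonce (host -> PLC message).
func (h *Host) Challenge() ([16]byte, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	h.pending[n] = true
	return n, nil
}

// challengeMessage binds the claimed serial to the nonce so that a
// signature cannot be reused under a different identity.
func challengeMessage(serial string, nonce [16]byte) []byte {
	return append([]byte("onboard:"+serial+":"), nonce[:]...)
}

// Admit checks the PLC's response (PLC -> host message): the nonce must be
// one the host issued and not yet consumed, the serial must be provisioned,
// and the signature must verify under that serial's registered key.
func (h *Host) Admit(serial string, nonce [16]byte, sig []byte) bool {
	if !h.pending[nonce] {
		return false // unknown or already-used challenge (replay)
	}
	pub, ok := h.registry[serial]
	if !ok {
		return false // serial never provisioned: rogue device
	}
	if !ed25519.Verify(pub, challengeMessage(serial, nonce), sig) {
		return false // claims a known serial but lacks its private key
	}
	delete(h.pending, nonce) // each challenge is answered at most once
	return true
}

// PLC holds its serial and the identity private key kept in device secure storage.
type PLC struct {
	serial string
	priv   ed25519.PrivateKey
}

// Respond signs the challenge; the private key never leaves the device.
func (p *PLC) Respond(nonce [16]byte) (string, []byte) {
	return p.serial, ed25519.Sign(p.priv, challengeMessage(p.serial, nonce))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed identity key pair
	host := NewHost()
	host.Provision("PLC-0001", pub)
	plc := &PLC{serial: "PLC-0001", priv: priv}

	nonce, _ := host.Challenge()
	serial, sig := plc.Respond(nonce)
	fmt.Println("genuine PLC admitted:", host.Admit(serial, nonce, sig))
	fmt.Println("same response replayed:", host.Admit(serial, nonce, sig))
}
```

A device that copies a provisioned serial but holds a different key fails the signature check, and an unprovisioned serial is refused before any signature is examined; consuming the nonce on success means a captured response cannot be replayed to rejoin later.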