At a press and analyst event in San Francisco on December 9, Intel announced its “IoT Platform” reference model. The model is horizontal in scope, encompassing numerous technologies applicable to everything from edge devices to gateways to the cloud. In addition, it is intended to be a modular approach, such that Intel’s hardware and software components (including those from subsidiaries Wind River and McAfee) can be mixed with those of other vendors. For example, a customer could deploy its preferred gateway devices not limited to those based on Intel’s Moon Island design, while remaining compatible with Intel’s reference model. We won’t attempt to describe the entire Intel IoT Platform in this blog post, but we’ll focus on a couple of security aspects announced. (Readers can find the full Intel press release here.)
Intel executives discuss IoT Platform security: (left to right) Lorie Wigle, VP of IoT Security Solutions; Steve Grobman, Intel Fellow and CTO for Security Platforms and Solutions; and Luis Blando, SVP of Intel Security Group [McAfee].
As part of the latest announcement, McAfee’s ePolicy Orchestrator (ePO) is being extended into IoT gateways. ePO is software for security management, enabling centralized deployment and control of security policies, as well as monitoring of endpoint security status. Previously, ePO was intended for enterprise IT networks, but the announcement means that it can now encompass a much wider range of industrial and commercial IoT networks. In VDC’s opinion, this could help ease integration between IT and OT (operational technology) departments when transitioning standalone OT systems into IoT systems. OT could maintain functional control over the gateways and edge devices, while IT institutes improved access control between the gateways and enterprise network assets.
A second notable security announcement was that Intel Security will now license its Enhanced Privacy Identity (EPID) technology to other silicon vendors. EPID is a form of remote anonymous attestation using asymmetric (public key and private key) cryptography, through which central systems can confirm the integrity and authentication credentials of remote devices, without those devices having to reveal their identities or those of their owners. (One common use for anonymous attestation is digital rights management for content protection.) Anonymous attestation requires security hardware, such as a CPU with a Trusted Platform Module (TPM) or Trusted Execution Environment (TEE), for which Intel of course is a prime supplier.
EPID can create groups of devices, where a single public key can work with multiple private keys, i.e. one assigned to each device within the group. The mathematics behind EPID is complex, but for those interested, we suggest checking out the article, “Enhanced Privacy ID: A Remote Anonymous Attestation Scheme for Hardware Devices,” by Intel’s Ernie Brickell and Jiangtao Li (Intel Technology Journal, Volume 13, Issue 2, 2009, pp. 96-111). The chart below from that article summarizes how EPID differs from other attestation technologies, including Direct Anonymous Attestation (DAA).
Chart source: Intel Technology Journal
Intel has not yet disclosed licensing terms for other chip makers to use EPID, and onerous or expensive terms could limit its acceptance. However, VDC believes that EPID could be applicable to many IoT scenarios where a central system needs to trust remote devices owned or operated by others. This type of function will become increasingly important as interested parties seek to extract shared or publicly provided data from private IoT devices.
Although numerous security technologies from many vendors are taking hold in the IoT, Intel is uniquely positioned in this market by virtue of its presence at both the network/system level (McAfee, Intel Server Systems) and the device level (Intel CPU hardware, Wind River software). Intel says, for example, that its existing McAfee Embedded Control software for application whitelisting is used by about 200 device manufacturers. Intel’s IoT Platform is the latest evidence that the company will remain a force to be reckoned with in IoT security.