This year’s #ManuSec USA summit explores solutions to the widening array of cyber threats jeopardising American manufactures as they increasingly embrace technological innovations. A senior delegation, comprising of 100’s of manufacturing security leaders from across the country, explore policy frameworks, best practice guides, and enterprise-wide engagement strategies to establish the practical steps needed to protect their assets from cyber threats.
Cybersecurity has always been an element of concern but with the increasing dependence on technology for society and the growing sophistication of cyber attacks, the industry faces greater risk than ever before – pushing cybersecurity to the forefront. Every product put into service has the potential to be attacked throughout its product lifecycle, especially from remote threats.
As newer threats advance and emerge, global stakeholders need affordable solutions they can trust to provide security benefits while maintaining privacy protections. Driven by market requirements, and with implementation in billions of devices already, the use of the Trusted Platform Module (TPM) on Trusted Computing platforms is increasing, as security scenarios gain more prominence within the information and communications technology industry. But where did it all begin?
Introducing the first TPM
Businesses of all sizes, institutions, government agencies and consumers rely on millions of digital transactions every day and the volume and importance of these transactions are rapidly increasing. Being able to trust the identities of the participants, the authenticity of the contents and the integrity of systems involved in digital events is crucial. Before the TPM, security was generally based in software and whichever software ran first on a system was the one in control of it. With this in mind, the Trusted Computing Group (TCG) developed the TPM, to provide a hardware root of trust for software which is essentially a foundational bridge between hardware and software that helps software protect secrets from attackers and provide evidence about the integrity of a system. The TPM is a dedicated component designed to be built into a variety of platforms, to enable strong user authentication and machine attestation – essential to prevent unwarranted access to confidential and sensitive information and to protect against compromised networks.
Following the version published by the TCG in 2003 – the TPM Main Specification Version 1.2 – was widely implemented and successfully deployed in the global marketplace. Recognizing the worldwide significance of the TPM 1.2 specification, the TCG established several relationships underneath Joint Technical Committee 1 (JTC 1) of the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC). The first was a liaison relationship with the security evaluation, testing and specification subcommittee (better known as ISO/IEC JTC 1/SC 27/WG 3) in 2007 and then later as a publicly available specification (PAS) submitter in 2008. As a PAS submitter, TCG succeeded in publishing its TPM 1.2 specification in four parts through ISO/IEC JTC 1 in May 2009 as the International Standard ISO/IEC 11889:2009 Information Technology – TPM Library (ISO/IEC 11889:2009-x).
As a PAS Submitter, TCG retains the responsibility to maintain ISO/IEC 11889. Over subsequent years, research and investments have been made to apply the standard to numerous use cases across a variety of platform types, such as personal computers, mobile and embedded devices, with important scenarios spanning traditional applications such as critical infrastructure to rapidly changing areas like consumer products.
The work and feedback from participants in ISO/IEC (including JTC 1 and SC 27) and in TCG helped identify the strengths and shortcomings of ISO/IEC 11889:2009-x and a revised edition, in the format of the TPM 2.0 Library specification, was submitted and eventually published by ISO/IEC in December 2015 as ISO/IEC 11889:2015-x. This revised specification retained the key benefits of its predecessor alongside additional enhancements to meet current and future market requirements.
The TPM today
The TPM that exists today is different to that which was submitted to ISO in 2015, simply because times have moved on and we now live in a more connected world which in turn opens up more potential vulnerabilities.
This latest version of the TPM 2.0 specification takes into consideration feedback received from the previous editions and introduces additional features to the TPM family. For example, the TPM 2.0 structure and interface defines support for a wide range of hash and asymmetric algorithms, including the elliptic curve (ECC) family, along with limited support for use of various block, symmetric ciphers.
It also provides a uniform framework for using authorization capabilities, so they can be combined in unique ways to provide more flexibility. It allows authorization with a clear-text password or a Hash Message Authentication Code (HMAC), plus the construction of a complex authorization policies using multiple authorization qualifiers.
With dedicated BIOS support, the TPM 2.0 specification has a platform storage hierarchy controlled by platform firmware, letting manufacturers benefit from the cryptographic capabilities of the TPM, regardless of the support provided by the operating system. No special provisioning process is required with the latest version. Although objects on which the TPM operates may have limitations, all implemented commands are available the whole time – allowing application developers to rely on TPM capabilities being available whenever a TPM is present.
Addressing feedback received during the ISO/IEC 11889:2015-x publication process and a solution based on a proposal from TCG Greater China regional forum members, the latest TPM 2.0 draft version 1.62 (which just completed a public review period through July 7, 2020) also implements support for SM2 encryption and decryption functions. TCG intends to use the most current draft as the basis to start the PAS Submission process near the end of 2020 to again revise ISO/IEC 11889.
By publishing the specification in a library format, manufacturers and designers can pick and choose the applications and functionalities that are most relevant to them, ensuring the specification addresses their own individual needs.
Collaboration is key for the future of cybersecurity
When it comes to ensuring that developers and manufacturers have the necessary tools in their fight against cyber attacks, to safeguard devices not just from conception of the product but throughout their lifecycle, collaboration is critical.
Over the years, TCG has gained a wealth of experience from the marketplace and experts around the globe. This has helped to identify the strengths and shortcomings of the TPM specification and allowed for enhancements to be made in order to meet current and future market demands. The TCG is grateful for its relationship with ISO/IEC as a PAS submitter because the process gives TCG a much wider array of feedback on its standards from international experts than from inside TCG alone. In turn, this will ensure for a more secure future in an ever-connected world.
For any other information please contact me.