More than 25 billion connected devices were in active use around the world in 2019 and that number is expected to reach 75 billion in the next five years. But the cost of our workplaces and homes becoming smarter and more connected is a larger attack surface: every additional device is another potential entry point, so these environments are more exposed to cyber attacks than ever before.
Gone are the days when we only had to worry about protecting our computers and smartphones. Nowadays we have to be aware of the risks that refrigerators, thermostats, industrial machines and other systems pose to network security.
The ISO/IEC 11889 standard, commonly referred to as Trusted Platform Module (TPM), specifies a hardware-level security component that can play an important part in protecting connected devices. A TPM is a dedicated cryptographic processor that generates and stores keys inside the chip itself, so that private keys are used by the hardware but are never exposed to the software running on the device.
A TPM relies on public-key cryptography. Each key pair consists of a public key, which can be shared with everyone, and a private key, which in a TPM is created inside the chip and never leaves it. Each TPM also contains a unique key pair, installed during manufacture, that identifies that particular chip.
The keys are large numbers linked by a mathematical relationship (in algorithms such as RSA or elliptic-curve cryptography) that allows a sender to encrypt a message with the receiver's public key so that only the holder of the matching private key can decrypt it.
Even though the public key is freely available, the numbers involved are large enough that deriving the private key from the public key is computationally infeasible, which is what makes it safe to publish the public key.
In IACS (industrial automation and control systems) environments, TPM chips can be built into network firewalls as well as into control systems. For lower-risk devices, a firmware TPM (fTPM) is available: it runs the same TPM functions inside the main processor's protected execution environment rather than in a discrete chip, at the cost of weaker resistance to physical attack.
The chips protect the keys that in turn protect data: a key can be bound to the TPM so that it can only be used on that specific device, and only by software that presents the correct authorization value, which keeps data unreadable if a storage medium is removed or the device is cloned. This makes them especially important in industrial, medical and business environments, which store highly sensitive information.
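The following Python script is an added illustration and not code from the original article or from the TPM specification. It models, in software, the two points made above: the public-key exchange (encrypt with the public key, decrypt with a private key that never leaves the module) and the authorization value that gates use of a TPM-resident key. The `SimulatedTpm` class and the textbook, unpadded RSA it uses are simplifications chosen for illustration; a real TPM 2.0 exposes a command interface rather than Python methods, and real deployments use padded schemes such as RSA-OAEP. The operator secret and message are constructed sample values.

```python
"""Software model of a TPM-resident RSA key (illustration only).

The private exponent is generated inside SimulatedTpm and is never
returned by any method; callers only get the public key and the result
of operations performed with the private key, after proving they know
the key's authorization value. Textbook RSA without padding is used to
keep the example short; it is NOT a secure encryption scheme.
"""
import hashlib
import hmac
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime with exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


class SimulatedTpm:
    """Hypothetical stand-in for a TPM: holds a key pair and an authValue."""

    def __init__(self, auth_value: bytes, bits: int = 1024):
        e = 65537
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % e != 0:
                break
        self._n = p * q
        self._e = e
        self._d = pow(e, -1, phi)  # private exponent; stays inside the object
        # Store only a digest of the authorization value, as a TPM would not
        # hand the plain authValue back either.
        self._auth = hashlib.sha256(auth_value).digest()

    def public_key(self) -> tuple:
        """The only key material that ever leaves the module."""
        return (self._n, self._e)

    def decrypt(self, ciphertext: int, auth_value: bytes) -> int:
        """Use the private key, but only for a caller who knows the authValue."""
        presented = hashlib.sha256(auth_value).digest()
        if not hmac.compare_digest(self._auth, presented):
            raise PermissionError("authorization failed")
        return pow(ciphertext, self._d, self._n)


def encrypt(public_key: tuple, message: bytes) -> int:
    """Sender side: anyone with the public key can encrypt for the module."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key (no padding in this model)")
    return pow(m, e, n)


def decrypt_to_bytes(tpm: SimulatedTpm, ciphertext: int, auth_value: bytes) -> bytes:
    """Receiver side: ask the module to decrypt, get plaintext bytes back."""
    m = tpm.decrypt(ciphertext, auth_value)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo() -> bytes:
    """Round trip with constructed sample values."""
    tpm = SimulatedTpm(b"operator-secret")
    ciphertext = encrypt(tpm.public_key(), b"setpoint=42")
    return decrypt_to_bytes(tpm, ciphertext, b"operator-secret")


if __name__ == "__main__":
    print(demo())
```

Two properties worth noticing when running it: no method returns `_d`, so the only way to get plaintext is to ask the module and pass its authorization check, and a ciphertext produced for one module decrypts to garbage on another, which is the "bound to this device" behaviour described above.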
Although ISO/IEC 11889 is a very important and highly effective tool, technology can only ever be part of the solution. TPMs work best in the framework of a holistic cyber security strategy that also covers people and processes.
Implementing international standards such as IEC 62443 and the ISO/IEC 27000 family is the best way to create a successful cyber security programme, especially when combined with testing and certification (conformity assessment). Such an approach increases the confidence of stakeholders by demonstrating not only the use of security measures based on best practices, but also that an organization has implemented the measures efficiently and effectively.