Securing Over-the-Air Firmware Updates (FOTA) for Industrial Internet of Things (IIOT) Devices

Industrial Internet of Things (IIOT) is increasingly relying on over-the-air firmware updates (FOTA) to deliver tailored analytics to control systems for critical infrastructure. Connected IIOT with FOTA can deliver significant value by decreasing capital investments, enabling customizable functionalities, or improving operational efficiencies. FOTA also increases exposure to threats targeting critical infrastructure, which could lead to safety or mission damage (i.e., failures could result in loss of life or loss of critical functions). This paper presents a security baseline for FOTA by creating a secure "pipeline" for IIOT firmware. It first provides a generic reference architecture that defines connections between the IIOT device, a gateway for communication outside the control network, cloud storage and configuration logic, and the device- vendor's development environment. It describes attacks against various aspects of the reference architecture and explains the security controls that the device-vendor should implement to ensure that the benefits of FOTA for continuous upgradable security and efficiency outweigh the risks from additional exposure. It also provides some follow-on recommendations that utilities should consider before installing IIOT with FOTA capabilities, including: securing the device with secure boot and chain of trust, securing all communication channels with unique endpoint identification and encryption, taking the human out of the build and update processes, and hardening components involved in FOTA for continuous monitoring. This paper emphasizes that these types of connected devices promote a need for a shared responsibility model of cybersecurity.