Securing Your Products and Profits: Counterfeits, Knockoffs and Grey Markets
Presenters • Peter DiToro, Vice President, Advanced Solutions Group, Thales. Peter has extensive experience developing solutions, sales and delivery vehicles for complex security problems. At Thales, he is responsible for custom cryptographic applications development, security reviews, training, and post-sales support for global Fortune 1000 customers. He joined Thales in 2008 as part of the nCipher acquisition, where he served as vice president, North American Sales. • Sebastian Knoop-Troullier, IT Security Manager, Polycom. Sebastian is an IT Network and Security specialist with more than 20 years of experience in Information Technology. Currently the IT Security Manager for Polycom, Inc., Sebastian is responsible for a globally distributed security infrastructure including firewalls, VPN and PKI. Prior to joining Polycom, Sebastian held positions at Fujitsu Consulting and POB, now a division of Lufthansa. Over the years, Sebastian has acquired a wealth of network and security experience and actively shares his knowledge via blogs and security forums.
Topics • The problem • Who has it • The solution • Technology • Process • Case study: Polycom • Conclusions
Counterfeiting – Theft of IP “Illicit phones comprise a staggering 40% of Chinese firms’ production, and 13% of the world’s, according to iSuppli, a research firm. It reckons China will produce $145M of them this year, up by almost half since 2008. Some fake iPhones in China, for example, can take two SIM cards, and thus handle two different numbers through the same handset. Chinese grey marketers have secured half the Ghanaian market …” The Economist, November 21, 2009
Challenges facing manufacturers: Grey markets. Source: KPMG, Grey Market Study Update, 2008
IP Theft Threatens Customers Too “Operation Cisco Raider uncovered 3,500 counterfeit Cisco network components, with an estimated value of $3.5 million. According to the FBI’s briefing of the Office of Management and Budget, the counterfeit equipment could allow the remote jamming of networks thought to be secure and possibly could allow access to networks remotely.” The FBI is understandably concerned that counterfeit components would allow unwanted users to access secure networks. http://hothardware.com/News/3500_Fake_Cisco_Products_In_US_Gov_Networks/
The High Tech Manufacturer • Produces a product that executes firmware or an embedded operating system • Products that can be “chipped” – modified to carry a simple chip as in ePassports, EMV credit cards • Incorporates high levels of brand equity • Derives substantial ROI from intellectual property (artificial hearts versus hammers) • Global manufacturing and distribution • Consumable components a core part of the product and business model • Derives revenue and competitive advantage from upgrades and feature enablement
Intellectual Property is Vulnerable • Design and business models reside in First World, manufacturing shifting to developing countries • Remote manufacturing centers are not trusted by senior executives • Vietnam, China, and Ukraine all had piracy rates in excess of 90% in 2005 (The Economist) • Savings in manufacturing costs can be lost to piracy, brand erosion, loss of channel control, loss of after market sales
Taking Action • Work with the government of China (and others) to institute the rule of law • In the interim, you can deploy a “manufacturer’s survival kit” • Technology – the Public Key Infrastructure (PKI), a technology based on public key cryptography • Process – use the PKI to support a process characterized by separation of duties, compartmentalization of information, strong post manufacture audit • You have a technology advantage, use it to protect your IP and your customers
Technology and process Technology • Stand up a Public Key Infrastructure • Digital certificates – embed unique identity in each product • Utilize Thales Secure Execution Engine (SEE) technology to securely “project” control to untrusted sites Process • Generate manufacturing command and control data at a trusted site • Use crypto to communicate IP via secure pipe to untrusted sites, enforce separation of duties • SEE secured end points execute manufacturing instructions
A quick tech review Digital certificates and the PKI • Uniquely identify person or device • X.509 standards for using RSA (or other) encryption key pairs • The PKI is the collection of software and hardware necessary to generate, track, and validate digital certificates • Issued to • Issuer • Valid from/to • Attributes • Public key • Digital signature
Hardware security modules (HSM) • HSM is a “best practices” sales argument in a basic PKI • There is nothing in God’s law that says every PKI MUST have one • In the High Tech Manufacturing application, all that changes • Secure Execution Engine – the HSM becomes a trusted computing platform • The HSM is a delivery vehicle for the application logic, the thing that makes the solution possible [Pictured: direct attached and network attached HSMs]
The Secure Execution Engine [Diagram: a standard FIPS 140-2 HSM without CodeSafe compared with a CodeSafe FIPS 140-2 HSM. Without CodeSafe: the host computer runs both the application code (not security sensitive) and the security-sensitive code, which is where an attack lands (“Attack here!”); the security device handles crypto and key management only. With CodeSafe: the host computer runs only the application code (not security sensitive); the security-sensitive code runs inside the HSM as tamper-proof signed code, protected from malware and internal attacks, alongside crypto and key management.]
A Typical Architecture • “Permission to manufacture” generated in USA • Machine device certificates (MDC) • MFG content delivered to contract manufacturer (CM) • SEE anchored secure “pipe” • SEE enables secure repository • If the CM system is stolen, or the chassis compromised, they get nothing • Instructions and keys in HSM, all data encrypted • Multi factor required to activate • CM system resets to 0 if not activated
Use Case: Polycom Voice over IP Telephones Polycom, Inc. is the global leader in telepresence, video, and voice solutions and a visionary in unified communications (UC) solutions that empower people to connect and collaborate everywhere. In today’s economy, Polycom solutions offer a rapid ROI and help customers reduce costs, increase productivity and lower their carbon footprint. To learn more about Polycom UC solutions, visit http://www.polycom.com. “Our VoIP devices can authenticate themselves on a network using digital certificates,” says Marek Dutkiewicz, director of product management for Polycom. “Because the certificates are issued as part of the manufacturing process, it’s easy for our customers and partners to authenticate themselves while also stopping potential counterfeiters or ‘spoofers.’ Our success is built on Thales HSMs deployed by Thales Professional Services.”
The Polycom Solution • Device MAC address list comprises production run • Machine device certificates (MDC) for each phone MAC address • MFG content delivered to contract manufacturer (CM) • SEE anchored secure “pipe” • System at CM also SEE protected • Permit and counter “flags” never accessible to local sysadmin • Separation of duties at contract manufacturer implemented via smart cards • SEE protected software decrypts each certificate and injects it into phone • Phones come off the line with a standard X.509 “ID Card”
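The permit-and-counter control described on this slide, as an added Python sketch (not Polycom's or Thales's code): a trusted site authenticates the MAC list for a production run, and the injection endpoint issues at most one identity per listed MAC while keeping a hash-chained audit log. An HMAC with a constructed key stands in for the PKI signature and HSM-held keys, certificate decryption is not modelled, and all names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key; in the deck's design the key material stays inside the HSM.
PERMIT_KEY = b"constructed-demo-key"


def sign_run(macs, key=PERMIT_KEY):
    """Trusted site: authenticate the MAC list that defines one production run."""
    body = json.dumps(sorted(m.lower() for m in macs)).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}


class Injector:
    """Contract-manufacturer endpoint: one identity per permitted MAC, no more."""

    def __init__(self, permit, key=PERMIT_KEY):
        expected = hmac.new(key, permit["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, permit["tag"]):
            raise ValueError("permit failed authentication")
        self.remaining = set(json.loads(permit["body"]))
        self.audit = []              # hash-chained log for post-manufacture audit
        self._head = b"\x00" * 32

    def _log(self, mac, outcome):
        entry = f"{mac}|{outcome}".encode()
        self._head = hashlib.sha256(self._head + entry).digest()
        self.audit.append((mac, outcome, self._head.hex()))

    def inject(self, mac):
        mac = mac.lower()
        if mac not in self.remaining:
            self._log(mac, "refused")    # not in the run, or already issued
            return False
        self.remaining.remove(mac)       # counter: each permit is spent once
        self._log(mac, "issued")
        return True


def verify_audit(audit):
    """Auditor: recompute the chain; an edited or reordered entry breaks it."""
    head = b"\x00" * 32
    for mac, outcome, digest in audit:
        head = hashlib.sha256(head + f"{mac}|{outcome}".encode()).digest()
        if head.hex() != digest:
            return False
    return True
```

Refused requests are logged as well as issued ones, so an attempted overrun on the line shows up in the audit trail rather than disappearing.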
Solution Review • Could be any “smart” device or any device that can be “chipped” • Laptops, cell phones, VOIP phones, printers, routers, automotive parts, etc. • For each device, create a unique ID, a “permission slip” • Use the PKI to secure it, do this in the first world • Place a trusted device in your CM operations to decrypt and inject these “permission to manufacture” slips • Encrypt transmissions so that the “man in the middle” is eliminated • Tune your process to require separation of duties in support of your crypto “survival tool kit” • Results: greater control over manufacturing process, post manufacturing audit trail, all encrypted
Architecture and process • Where do I need to protect my product/process? • Manufacturing, distribution, channel, in-use? • What capabilities are in products? Can be added? • What capabilities are in manufacturing? Can be added? • How could the system be compromised? From process analysis through solution design and deployment, Thales offers products and services appropriate to your specific requirements.
Summary • Consumer and B2B products are increasingly “intelligent” • As China becomes the world’s manufacturer, the risk of piracy, brand erosion, and loss of after market sales will only increase • The PKI and HSMs are enabling technologies within the most commonly deployed mitigation strategies • Microsoft, Apple, Polycom, Scientific Atlanta, Sirius Satellite radio, Guidant and lots more do it this way • The SEE is the key technology advantage for our HSM as a delivery platform • The experience of our deployment team is a key enabler for customers who want to focus on their core business, not on crypto
Afterword - Progress in China “But in China, where 80% of the world’s fake goods are thought to be produced, officials are loth to crack down on a thriving local business. China is not expected to sign ACTA (Anti-Counterfeiting Trade Agreement) — undermining it before it has even been unveiled. Perhaps China could make a just-as-good fake treaty instead.” The Economist, March 16, 2010
Questions: please e-mail manufacturing@thalesesec.com Thank You