As industry experts project a continued explosion in the number of IoT devices connected globally, security remains a hot topic — at least partly because of the significant challenges it brings. Despite IoT being a relatively new industry, there have already been many high-profile security breaches. Perhaps the biggest example to date is the Mirai botnet in 2016, where thousands of devices, such as cameras and DVR players, were infected and a massive denial-of-service attack was launched. The attack affected major services on the internet, including many leading brands like Twitter, The Guardian, Netflix, Reddit and CNN.
Given the severity of this and other breaches, it is unsurprising that security remains one of the top technical barriers to IoT implementation success, according to a survey published by Gartner in 2018. Undoubtedly, insecure devices and related breaches can result in lost revenue, brand impact and liability for manufacturers and distributors. And, for some IoT applications in areas like healthcare, critical infrastructure and automotive, even human safety can be at risk.
Identity is key to security
IoT brings a new and intricate scale to securing devices as deployments can be large and distributed, and often include mobile devices. Although security remains at the forefront, the industry is still largely grappling with how best to secure IoT deployments. Deployments often undergo a complex manufacturing process with multiple steps and potentially many production lines. Because of these complexities, security is perceived to be difficult, often falling low on the agenda. And as manufacturers are driven to get products to market quickly to maintain a competitive edge, security is often deprioritized instead of ideally being built in from the start.
As a result, the IoT security discussion takes many forms, involves many possible components and still includes a fair amount of confusion. However, underpinning all IoT security schemes is one fundamental requirement: the essential ability to identify devices and services and ensure that they are, in fact, who or what they say they are. This seems simple, but overlooking it can be detrimental to the protection and governance of an IoT ecosystem.
A device identity can take a number of forms; sometimes developers use a piece of information that already resides in one of the existing components, for example, a network MAC address or serial number burned into a microprocessor, or even worse, a hardcoded password compiled into the firmware. These sorts of identities aren’t very secure, are easy to spoof and can’t be used to either guarantee the identity of a device or to secure communications between the device and a service.
Managing IoT complexity with a PKI
To enable a truly trusted ecosystem, each device must be authenticated with an embedded and cryptographically provable identity. If you can’t trust the identity of the device, then you can’t trust the data you receive from the device. This is where public key infrastructure (PKI) comes in. The main purpose of a PKI is to manage keys and certificates that are used to enable trusted infrastructures by enabling parties to mutually authenticate, to transmit data securely between each other and to prove that specific data genuinely came from the party that it claims to have come from. The same elements of trust are required to secure IoT. We need to trust that each device is the one it claims to be and that the device is talking to the appropriate service — both components want to know the communications between them are secure and that there has been no data tampering.
Once a device has a trusted identity, then all the other services and communications from it can be protected. For example, on a medical device, the personal health data being transmitted is sensitive, so it is important to encrypt the communications such that only the authorized healthcare provider can decrypt it. Those encryption keys can be delivered as part of the device’s identity.
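The contrast drawn above, between an identifier that can be copied and an identity that can be proven, can be shown with the `openssl` command line. This is an added example, not part of the original article: the CA name, the device name `sensor-0001` and the file layout are constructed, and keys sit in a temporary directory only for the demonstration.

```shell
#!/bin/sh
# Added example; CA name, device names and file layout are constructed.
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Device CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

new_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }

# Operator CA. In production this key is held in an HSM, not on disk.
make_ca() {
  new_key "$W/ca.key" &&
  openssl req -x509 -new -config "$W/ca.cnf" -key "$W/ca.key" -days 30 -out "$W/ca.crt"
}

# Manufacturing step: a device key pair plus a CA-issued certificate naming it.
provision() {  # $1 = device name
  new_key "$W/$1.key" &&
  openssl req -new -config "$W/ca.cnf" -key "$W/$1.key" -subj "/CN=$1" -out "$W/$1.csr" &&
  openssl x509 -req -in "$W/$1.csr" -CA "$W/ca.crt" -CAkey "$W/ca.key" \
    -CAcreateserial -days 30 -out "$W/$1.crt" 2>/dev/null
}

# Device side: prove possession of the private key by signing a fresh nonce.
respond() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }  # key, nonce, sig-out

# Service side: the certificate must chain to the CA, and the nonce signature
# must verify under the public key inside that certificate.
verify_device() {  # $1 = presented cert, $2 = nonce file, $3 = signature
  openssl verify -CAfile "$W/ca.crt" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -pubkey > "$W/presented.pub" || return 1
  openssl dgst -sha256 -verify "$W/presented.pub" -signature "$3" "$2" >/dev/null 2>&1
}

make_ca && provision sensor-0001
openssl rand -hex 32 > "$W/nonce"   # fresh challenge for every session
respond "$W/sensor-0001.key" "$W/nonce" "$W/good.sig"
verify_device "$W/sensor-0001.crt" "$W/nonce" "$W/good.sig" && echo "genuine device: accepted"
# A certificate is public and can be copied like a MAC or serial; the key cannot.
new_key "$W/impostor.key"
respond "$W/impostor.key" "$W/nonce" "$W/bad.sig"
verify_device "$W/sensor-0001.crt" "$W/nonce" "$W/bad.sig" || echo "copied certificate, no key: rejected"
```

The check that matters is the last line of `verify_device`: a party that only knows the public identity cannot answer a fresh nonce.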
Options for implementing a PKI
Fortunately, there are several options for including this critical element of the IoT security puzzle. Many traditional PKI services are available or you may decide to build your own.
Many traditional PKIs were designed to deliver certificates for websites to secure SSL, to deliver employee credentials enabling access to certain services (for example, only managers can access payroll data), to enable VPNs providing secured communications, or to manage building access control. PKI providers typically haven’t needed to design their infrastructure to scale to the levels required for delivery into IoT. IoT deployments can scale to tens or hundreds of thousands of devices at a time, such as CCTV cameras covering a large metropolitan area. Traditional PKIs also may not support the delivery of custom secured payloads, like secure applications, XML files or other data structures that your security model requires. To be sure you choose the right provider, look for one that specializes in delivering device identities.
What about running it yourself? It’s possible, but it’s hard to get right and you are better off leaving it to the experts. There are complexities around running a PKI that require careful consideration. It not only requires a lot of infrastructure, including servers and hardware security modules, but also physically secure data centers with access control and policies. People need to be vetted and processes need to be put in place to ensure no single person can gain access to the keys.
So, now that you know the secret, the most important aspect of any IoT security scheme is that it’s built on the concept of a trusted identity. As identity underpins everything else, it needs to be included in the design from the start, and it should be built on proven trusted technology.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.