
Owner-controlled PKI: The next step in securing the future of IoT

Mark Weiser, known to many as the father of ubiquitous computing, stated in an article he wrote for Scientific American in 1991 that, “The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it.” The internet of things is quickly achieving this status as we barely recognize all the devices that are both connected to the internet and part of our lives.

But securing these IoT devices is not an easy task, and it is a topic of discussion that must remain prominent because the ramifications of a security breach could be severe. Connected devices need strong identity attestation, must authenticate all connections, and must encrypt data to protect system integrity.

Public key infrastructure (PKI) is an established technology and one solution to the challenge of securing IoT devices. Through thoughtful security design, manufacturers can embed PKI security onto IoT devices during development, and should monitor the security of those devices after deployment. But with the influx of connected devices in recent years, and the projected growth to come, manufacturer-based PKI is no longer enough, as security management for connected devices has become even more complicated. Security teams need to take ownership of their PKI to ensure their devices are properly secured.

PKI in IoT

The versatility of PKI enables trust in IoT through identity authentication, data encryption, and data and system integrity. This allows device users to trust how they are receiving information and which source that information is coming from. The question, then, is one of control: who controls the PKI behind this trifecta of authentication, encryption and integrity?

The FDA addressed this question of control in the release of its “Postmarket Management of Cybersecurity in Medical Devices” last August (and while the document was written specifically for medical device manufacturers and owners, the guidance can be applied to the rest of IoT). The FDA addresses the idea of adopting a proactive approach to post-market cybersecurity, and includes manufacturers as part of the extended security plan for the connected devices they put to market by stating, “Manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their post-market management of medical devices.” This implies the beginnings of device security implementations during design and development. It also means that manufacturers need to provide methods for updating devices after deployment, including secure updates and patch management.

Manufacturers play a crucial role in provisioning IoT device security from design, and maintaining security protocols throughout device lifetimes. We saw this role in action last October, when Johnson & Johnson warned patients of a cyberbug infecting one of its insulin pumps. According to Reuters, experts “believe it was the first time a manufacturer had issued such a warning to patients about a cybervulnerability.” The warning may indicate progress from past security glitches in IoT devices, like when vulnerabilities were exposed in connected cardiac devices from St. Jude Medical earlier in 2016. However, if a connected device relying on manufacturer-based PKI security were to fall victim to a breach, device owners need to at least have some control over their PKI to fend off hackers. In the case of Johnson & Johnson, the breach of one insulin pump could have caused physical harm to diabetic patients if a hacker had chosen to tamper with their insulin levels.

In 2015, the SEC presented a “House of Keys” report stating that, across 3.2 million internet-connected devices, device manufacturers were using only 580 unique private keys to secure their traffic. There are a number of reasons for this problem, but ultimately it exposes device users to potential man-in-the-middle attacks, passive decryption attacks or impersonation, and it is directly attributable to the design and manufacturing processes used to create these devices. Over time, this issue has only gotten worse as the number of IoT devices connected to the web has continued to grow substantially, making it hard for manufacturers to keep up.

Manufacturer-based PKI infrastructure often lacks control over credential quality and remediation processes in the event of breach. Because of this, organizations need to advance their PKI security deployments by adopting an owner-controlled security posture instead of depending upon their IoT device manufacturers.

Owner-controlled PKI security

IoT requires an owner-controlled PKI security posture to provide independent security control over connected devices. Independent security control allows for a stronger framework of trust built upon better identity authentication, data encryption, and data and system integrity. Owner-controlled PKI security is centered around five principles:

  1. Secure device registration
  2. Reducing common or macro-level threat surfaces through policy-driven authorization
  3. Combining device authentication with policy-driven authorization to control when and where devices come online and the rules that guide that process
  4. Eliminating static credentials to turn IoT devices into moving targets for hackers
  5. Addressing IoT scale through automation

These five principles establish trust anchors for connected devices and promote stronger PKI infrastructures for IoT.
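
The following is an added example, not code from the article or from any vendor's product. It is a toy owner-run enrollment gate that applies the five principles above to certificate requests and refuses the shared-key pattern behind the “House of Keys” numbers. The class name, device names, sites, enrollment window and 24-hour lifetime are assumptions, and the key bytes are constructed stand-ins for real public keys.

```python
import hashlib
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(hours=24)   # assumed policy value: credentials expire daily

class EnrollmentGate:
    """Hypothetical owner-run gate placed in front of the certificate authority."""

    def __init__(self, registry, window_utc):
        self.registry = registry      # device_id -> site where it may come online
        self.window_utc = window_utc  # hours (UTC) in which enrollment is allowed
        self.key_owner = {}           # SHA-256 of public key -> device that used it

    def decide(self, device_id, site, public_key, now):
        """Return (granted, reason, not_after) for one certificate request."""
        if device_id not in self.registry:
            return False, "unregistered device", None
        if self.registry[device_id] != site:
            return False, "site not authorized", None
        if now.hour not in self.window_utc:
            return False, "outside enrollment window", None
        fp = hashlib.sha256(public_key).hexdigest()
        if fp in self.key_owner:
            # Same key on a second device is the shared-key failure; the same
            # key from the same device is a static credential. Refuse both.
            prior = self.key_owner[fp]
            kind = "static key" if prior == device_id else f"key shared with {prior}"
            return False, kind, None
        self.key_owner[fp] = device_id
        return True, "issued", now + MAX_LIFETIME

def demo():
    """Replay constructed requests; key bytes stand in for DER public keys."""
    gate = EnrollmentGate({"pump-01": "ward-a", "pump-02": "ward-a"}, range(6, 20))
    t = datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc)
    requests = [
        ("pump-01", "ward-a", b"constructed-key-A", t),
        ("pump-02", "ward-a", b"constructed-key-A", t),   # factory-shared key
        ("pump-02", "ward-a", b"constructed-key-B", t),
        ("pump-01", "ward-a", b"constructed-key-A", t + MAX_LIFETIME),  # no rotation
        ("pump-01", "lobby", b"constructed-key-C", t),    # wrong site
        ("cam-99", "ward-a", b"constructed-key-D", t),    # never registered
        ("pump-01", "ward-a", b"constructed-key-E", t.replace(hour=23)),
    ]
    return [gate.decide(*r) for r in requests]

if __name__ == "__main__":
    for granted, reason, not_after in demo():
        print(granted, reason, not_after)
```

Because every decision is a pure function of the registry, the policy and the key history, the same gate can run unattended for each renewal, which is what makes daily rotation practical at fleet scale.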

However, this does not take device manufacturers out of the security equation.

The FDA’s post-market guidance details the shared responsibility for better security in connected devices between device manufacturers and device owners. So while organizations should enforce an owner-controlled security posture, device manufacturers are still responsible for implementing security during the design and development of IoT devices, and must also monitor, identify and address cybersecurity vulnerabilities and exploits as part of their post-market management plan.

Further, companies can take part in this shared responsibility by asserting owner-controlled PKI, giving them control over their security posture and releasing their dependency on device manufacturer practices.

Talk to an expert for PKI done right

Manufacturers cannot always be relied upon to implement PKI onto IoT devices, or to do it correctly. PKI done wrong may even be worse than not having any PKI at all, and gives owners a false sense of security. To ensure that connected devices are adequately secured with PKI, companies can turn to an expert third party, like a trusted TLS/SSL certificate solution provider, who has experience with implementing PKI onto connected devices and may even offer options for cloud-based PKI hosting.

The sheer scale of IoT — projected by IDC to reach 200 billion objects by 2020 — requires the scalability of a PKI infrastructure to meet the needs of connected devices. But as the number of these devices on the market continues to grow, so do the risks for breach. Organizations can look to experts for help with evolving their PKI infrastructures from manufacturer-based PKI to owner-controlled PKI while maintaining a shared responsibility with device manufacturers for better security control and maintenance over their IoT devices.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.