
'Secure by default' should be the motto for all IoT device manufacturers

By 2020, over 25 billion devices, by conservative estimates, will be connected to the internet, and each one of those connections must be secure to mitigate risks and protect organizations and individuals from malicious attacks.

To give you an idea of the challenge this presents, consider that 10 years ago, DigiCert and other certificate authorities issued approximately 10 million certificates that verify a digital entity’s identity on the internet worldwide. Today, just one of our customers may request 10 million certificates for its realm of devices and services. The ability to authenticate hundreds of millions of IoT devices requires device manufacturers to consider security during the design stage. Yet, too often, security is an afterthought, and that forces manufacturers to retrofit their devices — creating additional complexity and cost. That is why security built into design is the superior approach.

Connected devices include smart heart monitoring devices, wireless insulin pumps, biochip implants for plants and animals, built-in sensors for automobiles and smart home appliances. As the number of networked devices continues to grow, the capabilities of IoT systems will diversify the type of networked devices, requiring better security as more smart transportation systems, energy infrastructure grids and healthcare monitors come online. Despite the various specifications and capabilities of these systems and devices, the underlying need for critical security and authentication is shared.

Consider the mundane, everyday experience of commuting to work. When you leave the house, you may use your phone to arm the security system and trigger smart locks on the doors. You get into your car and connect the phone to the car’s infotainment system to listen to music, take phone calls and send text messages hands-free. When you get to work, your chip-embedded key card lets you open the front door, operate the elevator and even enter the restroom.

You don’t have time to manage all of these connections individually, but you should expect with 100% certainty that the devices you’re using, and the networks they’re connecting to, are all secure. A hacker who is able to connect a rogue device has access to all of your devices and confidential information as it moves across the network. That risk multiplies as you adopt more IoT devices.

Correctly implemented, secure IoT deployments ensure that the basic security requirements for data confidentiality, data integrity and data accessibility are properly configured. This is where the incorporation of public key infrastructure (PKI) certificates plays such an important role in the development of a secure IoT device.

PKI supports the distribution and identification of public encryption keys, enabling users and computers to both securely exchange data over networks, such as the internet, and verify the identity of the other party. PKI is not required to encrypt sensitive information, but without it there can be no assurance of the identity of the other party. That is why, despite common misconceptions, PKI is a perfect match for the exploding IoT sector, providing trust and control. PKIs enable authentication at scale as more devices come online by encrypting confidential data and maintaining data and system integrity.

Some of our early IoT customers were producers of commercial hardware, like routers and switches, and they built those devices with security as a default component. That let users simply turn on their devices knowing that they could interact with them securely. All IoT device manufacturers should adopt this “secure by default” model.

That can be easier said than done, as equipment and chip makers typically work on a two-year (or longer) lifecycle. That can make anticipating security requirements challenging. Yet, manufacturers would prefer to act responsibly themselves rather than be subject to government regulations or legal actions that force them to retrofit devices to meet laws and regulatory requirements.

Fortunately, they do not have to work alone on an island. Government agencies, certificate authorities and technology vendors are creating coalitions and alliances to establish device security standards that are industry-specific.

For example, infusion pumps are medical devices that were once standalone instruments that interacted only with the patient or medical provider. They were stationed next to a patient’s bed or chair to control the delivery of fluids such as insulin or other hormones, antibiotics, chemotherapy drugs and pain relievers. But today, technology has advanced to enable patients to wear tiny infusion pumps wherever they go, and transmit data over the internet to their healthcare providers and caretakers in real time.

This raises the quality of patient care and reduces healthcare costs. Yet, it also increases the security risk. According to the Association for the Advancement of Medical Instrumentation, the wireless infusion pump ecosystem (i.e., the pump, the network and the data the pump collects, stores and transmits) opens the patient to a range of threats, including unauthorized access to protected health information, changes to prescribed drug doses and interference with a pump’s function.

To help manufacturers mitigate these security risks, the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence convened a coalition of technology companies to establish standards to help manufacturers and healthcare providers strengthen the security of the wireless infusion pump ecosystem. The resulting document, “Special Publication 1800-8: Securing Wireless Infusion Pumps In Healthcare Delivery Organizations,” provides guidance on how to incorporate technology considerations, including cybersecurity controls, during the device design and FDA review processes.

This guidance enables infusion pump manufacturers and healthcare professionals that deploy the devices to provide patients with the treatments they require without being tethered to a hospital bed. This scenario perfectly illustrates the point that scaling the authentication of IoT devices should not come at the expense of a good user experience. In fact, just the opposite — security can actually enhance the user experience.

Consider how you add a new device to your home Wi-Fi network. You likely have to dig out the Wi-Fi password and enter it into your device. What if you simply had to answer a challenge question on that device? Not only is that easier, but it’s more secure than managing and updating your long list of passwords.

PKI enables safe authentication of users, systems and devices without the need for tokens, password policies or other cumbersome user-initiated factors. This protects all of your devices and networks from malicious actors, even if a data stream or data source were captured or compromised. Modern-day PKI provides strong assurances when using modern-day cryptography, and should serve as the foundation for security providers’ efforts to scale the authentication of the ever-growing ecosystem of IoT devices.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.