As connected devices become common throughout a wide range of industries, it should come as no surprise that we are reading about the increasing frequency of attacks targeting IoT devices and systems. Particularly alarming is the fact that many of these attacks now target devices linked to safety rather than to fraud, which has typically been the case against traditional IT systems. And while the headlines might suggest that the attacks are random, employing complex and varied techniques, what is often overlooked is the fact that these attacks nearly always exploit weak or nonexistent security measures.
Upon close examination, it becomes clear that these attacks have something in common. If the connected IoT device had been able to verify the origin of the instructions it executed, and had also been able to protect the code which executed those instructions, the attacker’s path to success would have been severely limited. Identity-based security is the key to solving this problem. Public key infrastructure (PKI) has been around a long time, and is able to establish identity-based security measures in the most effective way possible.
A connected computer does not automatically know the origin of the instructions it will enact. The Stuxnet attack, which famously targeted an Iranian nuclear enrichment plant, took advantage of the fact that, when asked, the industrial controllers in the plant would change their control logic without question. This is a weakness exploited by almost all attacks against industrial systems. The research attacks against Tesla took advantage of the fact that the electronic control units allowed their firmware to be changed.
When the Mirai botnet first appeared, infecting cameras, televisions, routers and any other connected devices, the headlines did not make it clear that these connected devices allowed authentication through very weak controls. An attacker able to find or guess the static credential values — username/password or token value — was able to control millions of these devices, highlighting the danger posed by these ineffective security measures.
The shortcomings of overreliance on attack detection
For many cybersecurity teams, the answer to this problem is to protect their devices by detecting and rooting out anomalies that might indicate that the device has been compromised by a hostile botnet or other intruder. Putting code on these devices to help identify potential warning signs is one way to address the issue, but many enterprise IT providers have found that blacklisting anomalies in this manner is extremely difficult and often ineffective.
The fact remains that if someone can authenticate into a device due to weak authentication controls, it is hard to discern that a root-level user might actually be an intruder. Any activity that occurs after an attacker is already within the system will be nearly impossible to identify as anything other than legitimate.
Regulation is coming — but slowly
A recently tabled federal regulation calls for NIST to provide guidance on IoT security, including secure identity management, firmware patching and configuration management. The fact that the federal government seems to agree with us, recognizing the importance of securing device identities and firmware, is a very positive sign — though NIST’s guidance will likely not be prescriptive in nature.
California is currently the state with the strongest IoT protections, and those regulations put much of the onus on device manufacturers, requiring them to assign unique credentials to each device they produce. Unfortunately, many still do not, and less-discerning buyers may be unaware of the vulnerabilities that these unsecured devices create.
Other regulations are coming, but the rollouts will be slow, and it is important for organizations to independently take the steps necessary to protect themselves.
Securing connected devices with PKI
So, what are organizations to do? The truth is that we have known PKI is the answer to this question for a long time. PKI is a set of roles and policies for creating, managing and distributing (or revoking) digital certificates and public key encryption. Its procedures extend far beyond simple username and password credentials. The digital certificates are issued and validated by a separate certificate authority and incoming requests are verified by a registration authority, creating a chain of trust that is extremely difficult to compromise.
In order to provide effective communications security, these certificates are used with TLS cryptographic protocols, which are capable of supporting many different methods for encrypting data and authenticating the integrity of a message. PKI is the only authentication approach that can deliver a single strong digital identity for the person or device for every use case and all platforms.
IoT is an area in which PKI particularly thrives. While botnets like Mirai are often able to infiltrate devices secured by simple username and password combinations, PKI presents an identity-based security mechanism that cannot be easily compromised. By turning to a trusted PKI provider, organizations can also enjoy interoperability with other verified third parties. Enabling interoperability without compromising information security is a major benefit for those who choose PKI — particularly as emerging and highly interactive frontiers like IoT continue to grow at an exponential rate.
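The device-side check that this section and the opening paragraphs describe (accept new firmware or instructions only when their origin verifies against a certificate authority the device trusts), as an added Go example that is not from the original article. The certificate names, the `issue` and `acceptUpdate` helpers, the Ed25519 keys and the firmware bytes are all constructed for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
var codeSigning = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
// issue (hypothetical helper) makes a key pair and certificate; a nil parent means a self-signed root CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: parent == nil,
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true, ExtKeyUsage: codeSigning,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above
	return cert, key
}

// acceptUpdate is the device-side gate: signer must chain to the pinned root and sig must cover fw.
func acceptUpdate(root, signer *x509.Certificate, fw, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: codeSigning}); err != nil {
		return fmt.Errorf("untrusted signer: %w", err)
	}
	if pub, ok := signer.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, fw, sig) {
		return fmt.Errorf("signature does not match firmware")
	}
	return nil
}

func main() {
	root, rootKey := issue("Constructed Vendor Root", nil, nil)
	signer, key := issue("Constructed Firmware Signer", root, rootKey)
	rogue, rogueKey := issue("Constructed Rogue Signer", nil, nil)
	fw := []byte("constructed firmware image")
	fmt.Println("vendor-signed:", acceptUpdate(root, signer, fw, ed25519.Sign(key, fw)))
	fmt.Println("rogue-signed: ", acceptUpdate(root, rogue, fw, ed25519.Sign(rogueKey, fw)))
	fmt.Println("tampered:     ", acceptUpdate(root, signer, append(fw, 0), ed25519.Sign(key, fw)))
}
```

Only the first update is accepted: the rogue signer does not chain to the root the device pins, and the tampered image no longer matches the signature.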
This is not your grandfather’s PKI
If that all sounds great — and it should — why aren’t more companies adopting PKI? At a time when insufficient authentication is a frequent cause of breaches and botnet takeovers, you might expect organizations to be rushing to adopt PKI as quickly as possible.
Unfortunately, the term PKI carries baggage. As surprising as it sounds, the technology’s origins date all the way back to the 1970s, and while the basic idea behind PKI has remained consistent, its implementation was not always so simple. Years ago, PKI took too long to implement. It was risky. It was costly. It required a high level of expertise to operate. Even though PKI has long been the best available mechanism from a security standpoint, the term itself carries negative connotations that have proven difficult to exorcise.
Some industries have been quicker to recognize the improvements in PKI than others. The automotive industry began to recognize that hacked devices posed a particular danger to them as far back as 2009. If a phone or a router becomes infected, nobody dies — but if a vehicle on the road is infiltrated with malware, real human lives may be in danger. As a result, many automotive companies now use PKI to ensure communications between vehicles, phones, servers and other connected devices are as secure as possible. The industry serves as an excellent proof point for the changing face of PKI.
Today’s PKI is not your grandfather’s PKI. Purpose-built certificate authorities and PKI management systems have driven costs down, and implementation has been massively streamlined. User friendliness and programmatic capability, including the use of protocols such as EST and REST, are now in place. But one thing remains the same: PKI is simply the best technology available for authenticating communication between devices. In today’s increasingly interconnected world, there has never been a better time to stop focusing on detection and start emphasizing prevention.