As we look at the evolving IoT space, one bet I’m willing to make is that privacy and security of IoT products will continue to become more distinguished in its features and differentiators. IoT developers and architects are under more pressure to keep device security a top priority before a product reaches the market.
I want to go deeper and talk about:
- How products can be built to achieve these goals through ‘security by design’
- Leveraging past successes
- The nuances and requirements of implementing within the manufacturing process
The Current State of IoT Security
IoT is still at its infancy. We're just starting to see a bit of phase transition from strategy to implementation, but regardless the field of IoT is still at peak hype.
Widespread implementations haven't fully deployed into the market environment and as such there is a lack of quality use cases.
We've also yet to see winning architectures for ecosystems. However, we do observe and recognize a bit of standardization within specific verticals like automotive and energy. There's also no lack of industry and technology consortiums and standards bodies working to drive technology standards.
Traditionally physical product production is a very distinct skill set from software development and in this context, we observe that in numerous cases new entrants in the smart connected product space do lack information security expertise.
Why Should You Invest in Security for Your Product or Ecosystem?
Of course I would be remiss if I didn’t cover some of the benefits of investing in security for your IoT/IoE Ecosystem.
Evolving from reducing risks toward value added drivers
I think many can appreciate the existing drivers of risk reduction from traditional InfoSec, including protecting the corporate network from attacks. But in addition to the traditional drivers, some important considerations extend into fraud prevention needs of connected products to combat counterfeiting and piracy.
When you reduce risk you are also inadvertently adding value and helping products to differentiate amongst competition, so that they might gain certifications that help their positioning.
All these components definitely have their nuances in priorities across separate vertical and horizontal perspectives of the ecosystem. For example, the consumer side may be more focused on the privacy supporting security features, whereas the industrial segment is more concerned with reducing the safety risk of the implementation. When implementing strong security elements in your IoT ecosystem you will be expected to understand your market’s need and manage this within your security framework.
How Organizations Can Successfully Build Secure and Safe Connected Products
‘Security by design’ thinking affords organizations much greater return on their security investments, as changes are much easier and cost effective to make early in the product lifecycle, especially as appropriate security and privacy features are rarely ever bolt on.
The “how” of this approach is much more variable and is generally based on the organization and operating environment. First you must think like a bad actor and identify the core targets in the system. From there, assess the probability and magnitude of a breach in that asset area and then finally you can move to an evaluation of technology to mitigate the risk.
One of the core takeaways here is also the dimension that security is never going to be a single person's responsibility since no one person will truly understand the full scope of the environment. It's a team game and must be played as such to succeed.
The next tactical point we'd like to address for achieving security in your products is as we call here to "stand on the shoulders of giants". By this I mean, use the tools and information that already exists and you already know work.
- InfoSec principles and best practices have matured over the years. We should not ignore the internet success we've had to date and recognize that information security principles and best practices have matured.
- It’s not just about the “things”. While the hype is around the “things” in the solution, they're only one component of the ecosystem and we still will have users, services and organizations that will be core and essential actors.
- Solutions already exists which have been tried and tested. While there are undeniably new considerations that devices bring to the table, there are existing solutions and standards that succeed and can be applied into device environments which enable distributed and trusted identity assurance. And these solutions have the benefit of being battle tested and improved over the past decade in the existing internet.
As a recap, some of the core information security concepts that we'll talk about for building into your IoT product include authentication, in the sense of authenticating devices to cloud services, between users and devices and from thing to thing. Next is encryption which affords privacy and secrecy of communications between two entities. And finally we are also going to want to address the integrity of data and communications so that messages can be trusted not altered in transit.
How Does an IoT Product Architect or Developer Address These Concerns?
One of the proven technology solutions we have today for device identity is Public Key Infrastructure (PKI). As well as its application in a variety of protocols and standards like TLS, PKI is really an InfoSec Swiss army knife and allows you to enable a whole range of information security principles, including those three we just mentioned.
PKI is perfect for beefing up the assurance around the integrity and uniqueness of device identity. This is because of security focused crypto-processors, like TPMs, which provide strong hardware based protection of the device's private keys from compromise and unauthorized export. But also PKI can reduce the threat of overproduction or counterfeiting with mechanisms to enable auditable history and tracking.
There are technologies and solutions you can deploy that allow you to limit the amount of trust you put in the manufacturing environment, while still building trustable products and reducing risks of overproduction. The approach I'm covering combines TPM hardware with PKI enrolment techniques during the device and platform build process.
Leveraging these technologies can help you arrive at a built product situation where you have assurance about the integrity of the hardware protection, assurance that credentials you issue to the device are protected by the hardware and that the enrollment process has verified these components and assumptions prior to the issuance of an identity from a trusted hierarchy.
Generalized Architecture
We can imagine devices proceeding through a manufacturing line, at some point, usually in the final stage of the build process where the devices enter a configuration and initialization stage. In this case, this is where we prescribe for the device identity provisioning to occur. A provisioning system on the manufacturing line interfaces with the device, potentially over probes or network connections and will facilitate the device to create keys, the extraction of a device ID number and proxy an identity issuance request to GlobalSign's High Volume Certificate services.
The High Volume Certificate services will issue a credential and install it back on the device. After this stage, you have a provisioned device with an identity credential from a trusted issuance process, protected from compromise by secure hardware. The credential can be used in the operational phase of the device lifecycle for authentication and other security needs.
These technologies have a very vertical agnostic range of applications and use cases. However, there are some that we have been involved with in the near term, which are particularly suited toward the application of PKI and IoT for strong device identity.
These include:
- Network or server appliances for feature licensing.
- Device identity for home appliances to authenticate and encrypt communications providing privacy.
- Connected diagnostic equipment running embedded servers which need to provide a trusted SSL connection for administrators.
- Connected car use case leveraging strong device identity for secure communications, as well as for trusted and secure firmware updates.
Benefits of Leveraging the Cloud for Your Identity
Many of these concepts are familiar to consumers of SaaS solutions, but are sometimes newer concepts to operational technology experts who may not have as broad or deep experience consuming cloud services in their solutions.
First by looking toward the cloud, it really enables simplified infrastructure requirements and costs for on-premise hardware setup and configuration, as well as the ability to bring additional manufacturing sites online with marginal incremental cost. Echoing this is the elasticity that SaaS models provide, allowing OEMs (Original Equipment Manufacturers) to better tie expenses and revenues in operational expenditures, as well as with the ability to scale the system dynamically meeting the needs of the business growth. And finally there's the added functionality that a platform can provide for auditability, access control and reporting that often are more difficult to maintain across a multi-site on-premise deployment. Combining lightweight cloud service APIs with modern network fail-over hardware solutions provides mitigation of risks of manufacturing downtime due to network connectivity.
New Considerations for IoT Security
As with any assessment of the IoT, the number of devices, users and systems we expect to operate in each ecosystem is magnifying and you truly need to understand the impact. The nature of IoT devices are much more diverse than the existing internet environment, which will cause and drive new approaches as to how the solutions are architected and built.
Trust models are evolving as well, where the public trust model that traditional web PKI is built upon might not be required for all solutions. And finally there is a time dimension of solutions where you must consider the products and devices from build, provisioning, operation, through sun setting.
What is the answer to enabling robust identity and security in your IoT solution?
- Consider security throughout the lifecycle of the product, starting as early as possible.
- When working with 3rd party service and solution providers, ensure that they are capable of maintaining the integrity of the services.
- Look and leverage existing proven solutions where possible, especially as far as security is concerned, rather than novel or proprietary standards and approaches.
- Recognize the diversity of these ecosystems is massive and each will have its own key needs, therefore leveraging solutions that are flexible are also key.
GlobalSign has been focused on understanding IoT security considerations and have invested in a flexible, scalable and purpose built PKI platform which addresses these needs of the IoT. First is the scalability to address a massive number of identities and endpoints in each customer ecosystem, along with the dynamic and fast operational requirements. Then we enable support for the complexities and nuances of the variety of device environments, as well affording variations in usage and lifecycle models. GlobalSign is also able to provide all these in a customizable and business focused deployment models to enable success in the solution.
