The number of IoT connected devices is growing exponentially. Statista estimates roughly 35.82 billion devices will be installed this year alone. And while most of those devices will eventually connect to the cloud, only a portion of them will be secure. A 2020 Palo Alto Unit 42 IoT Threat Report indicates that 57% of IoT devices are vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers.” Another 2020 study by Ponemon Research study reports that “known data breaches caused by unsecure devices have doubled since 2017”. Quite simply, unsecure devices introduce undue risk into IoT ecosystems.
IoT device manufacturers face many challenges in securely launching their products in the market. First and foremost is the ability to provision device identities, protect those identities and do it all at scale. That’s why GlobalSign and Eurotech, an internationally recognized and prominent manufacturer of IIoT devices and IoT software, are joining forces to deliver secure options to Eurotech customers and partners.
Best Practices for Secure IoT Device Identity
Eurotech realized that the concern about IIoT device security was best addressed at device inception, when they manufactured their intelligent, multi-service gateways for industrial, light rail automotive, and rolling stock industries. They introduced embedded device identities on their ReliaGATE, DynaGATE and BoltGATE gateway devices. By embedding a device identity during manufacturing, the device identity would then move with the device throughout its entire lifecycle, providing trustworthy authentication as it went. It is a textbook example of incorporating security-by-design best practices into their IoT gateway device production.
Eurotech and GlobalSign collaborated to integrate GlobalSign’s IoT Edge Enroll device identity provisioning service as part of the Eurotech manufacturing process. IoT Edge Enroll provisions device certificates through our PKI-based, IoT Identity Platform, powered by GlobalSign’s Atlas infrastructure.
Because Eurotech gateways are often used in high-value asset settings, it was also important to consider advanced protection of the device identity credentials themselves. Due to their cryptographic and secure storage capabilities, TPMs offer the best hardware-based protection of identity credentials. Eurotech elected to integrate the Infineon OPTIGA Trusted Platform Module (TPM) to protect GlobalSign issued certificate-based credentials in their IoT gateways. The choice was a wise one since Infineon and GlobalSign share a long history of collaboration including a previously proven integration of Infineon’s OPTIGA TPMs and GlobalSign’s IoT Edge Enroll certificate enrollment service.
Strong, unique, and protected device identities enable smooth enrollment to cloud services, which are the go-to platform for large scale device deployment. Eurotech and GlobalSign implemented a secure Device Identifier (DevID) certificate architecture based on the 802.1AR standard. Initial device identities (IDevIDs) represent the identities that were provisioned during manufacturing. Those can then be used as authentication when the device requires a local, more operational identity (LDevID). Either IDevIDs or LDevIDs can be used for authentication during cloud enrollment, paving the way for secure device enrollment to the cloud at scale.
Eurotech addresses many of the challenges associated with a solid security approach at the edge by creating an offering that consists of proven, application optimised TPM equipped hardware (Boards, Gateways, Edge Servers) and a software stack, that includes a managed Linux operating system and a powerful IoT device software, Everyware Software Framework (ESF). This modular but highly integrated set of building blocks reduces the complexities and efforts for developing an edge solution significantly. It is this hardware & software integrated approach and the close partnership with GlobaSign that is the basis for encapsulating the complexities and reducing the efforts for implementing a solid IoT security solution based on X.509 Certificates, that extends form the world of IT to the far edge of the OT infrastructure.
Eurotech Customers and Partners Gain a New Roadmap
The Eurotech and GlobalSign collaboration has resulted in key gains for Eurotech customers and partners. Previously, incorporating device identities during manufacturing was problematic with no accepted or proven industry-wide roadmap to get it done. Now, there is a clear plan – a proven methodology that addresses top concerns, while easing implementation challenges. Industrial IoT businesses can now deploy their IoT instances, knowing that all the critical boxes are checked:
- Standards-based
- Interoperable
- Secure hardware
- Trusted PKI
- Cloud compatible
- Scalable
- Low touch & low friction
Eurotech can now offer customers a device that is innately secure and cloud enabled without the usual costly and time-intensive integrations. Based on industry standards and principals of interoperability, it incorporates cost-effective, discrete hardware protection of certificate-based PKI identities for Industrial IoT deployment. It is cloud compatible and scalable, delivering frictionless, zero-touch cloud onboarding, while maintaining best-in-class IoT security.
Any and All IoT Device Manufacturers Can Benefit
The advantage of this collaborative solution is that it is adoptable. Any IoT device manufacturer can benefit from incorporating this roadmap into their own manufacturing processes. It provides the IoT device identity blueprint which removes design and operational overhead, saving time and cost, while also achieving best-in-class security. Whether your business is leveraging Microsoft Azure IoT, AWS IoT, or a custom IoT cloud, this solution is natively compatible with a wide range of infrastructures.
We’re honored to be partnering with Eurotech to deliver the best IoT device security possible. Connect with a member of the GlobalSign IoT Solutions Group to learn how you can incorporate Eurotech’s security enabled, industrial IoT gateway devices or how to take advantage of the architectural certificate model they are based on.
