We’ve all heard of consumer IoT device breaches leading to unnerving situations and events. But when breaches happen to industrially connected IoT devices and systems, the consequences are magnified. A breach has the potential to impact more than one individual, family or home. It can have long-term and far-reaching consequences for businesses serving large customer bases or even entire communities, as in the case of a potentially hacked utility.
Securing the identity, integrity, and privacy of all IoT devices/endpoints, data, and communication is vital to the continued safety of consumer and industrial connected devices alike. So when GlobalSign and Carnegie Technologies met to discuss how to best secure their in-development Longview IoT Platform for Industrial Asset Management, we knew it would be a progressive collaboration.
Longview, as a Carnegie Technologies company, shares GlobalSign’s position on the need to secure IIoT assets. They’re a newly launched industrial IoT asset management solution that addresses this very issue. Longview IoT packaged together the right IoT technologies to provide their customers with a single, secure, and optimized solution to monitor and manage industrial assets. It delivers end-to-end IoT solutions, pre-configured for various industries and designed to work right out-of-the-box.
Their IoT Platform development team took a very considered approach that included four key areas: security by design, multiple layers of security, securing the supply chain and partnering for success.
Security by Design
There is a growing awareness among IoT software developers of the need for security by design – to include security measures from the outset of their projects as a core functional component.
The development of the Longview IoT Platform was a textbook case of security by design. As a startup employing Long Range Wide Area Network (LoRaWAN) network architecture on Amazon Web Services (AWS) cloud services, Longview was uniquely positioned to employ best practices when it came to incorporating security into their software development process. Longview considered security issues for the new platform from the beginning to ensure they were baked into the solution, not bolted on as an afterthought. The framework was built from the ground up with security as an integral and integrated component.
Multiple Layers of Security
One layer of security is a good start, but more is better. Longview’s triple-layer security framework, a key selling feature for the company, consists of LoRaWAN’s native 128-bit encryption, Static Random-Access Memory Physical Unclonable Function (SRAM PUF) technology for device-specific key generation, and GlobalSign Certificate Authority (CA)-backed certificate provisioning to protect each device identity in the supply chain as well as the data transmitted on the network.
LoRa technology secures the low-power wide-area network (LPWAN) and provides the first layer of encryption for their system, securing the communication of the sensors within their mesh network.
Each sensor needed a unique identity. GlobalSign collaborated with our partner, Intrinsic ID, to identify each constrained sensor in the Longview IoT platform using SRAM PUF technology. Intrinsic ID’s PUF technology allows the generation of device-specific keys based on minuscule anomalies of each semiconductor, similar to a human fingerprint, to uniquely identify each of Longview’s sensors. This provided the second layer of protection, allowing each sensor to be uniquely identified and produce a distinctive key pair that could be used to generate a digital certificate.
As a third layer of protection for their system, Longview integrated GlobalSign’s IoT Identity Platform, delivering public and custom private Certificate Authority capability through a full-featured Registration Authority (GlobalSign IoT Edge Enroll). The GlobalSign IoT Identity Platform, built on a secure Public Key Infrastructure (PKI) foundation, secures individual device identities, as well as the integrity and privacy of data (and data transmission), through encryption, authentication, and authorization.
The GlobalSign IoT solution unified all three layers of Longview’s security architecture under one security platform.
Securing the Supply Chain
Because Longview is keenly aware of the critical role security plays in their IIoT Asset Platform, they wanted the ability to secure each gateway device along its supply chain, not just at any one point during its lifecycle. To secure the supply chain of the gateway devices during manufacturing, through deployment, and during their deployed life, digital certificates were needed.
IoT Edge Enroll delivered full device identity lifecycle management, enabling Longview to:
- Provision initial device identities during manufacturing of the gateway devices (IDevID certificates)
- Provision local device identities at gateway deployment (LDevID certificates)
- Manage device identities throughout their lifecycle (certificate lifecycle management)
Longview gateway devices are manufactured by an electronics manufacturing service (EMS). The Longview Private CA set up by GlobalSign allows Longview IoT to issue initial certificates (aka Birth certificates/shelf certificates/IDevIDs) for each IoT gateway device at the EMS manufacturer’s facility.
They also use IoT Edge Enroll to provision local, operational device identities (LDevIDs) at device deployment and can automate operational certificate provisioning at that time. IoT Edge Enroll also allows them to manage/renew device identities (aka digital certificates) for full device identity lifecycle management.
Longview uses GlobalSign’s IoT Edge Enroll integration on our IoT Identity Platform to provision digital certificates, manage their Private CA, and secure connectivity to their Amazon Web Services (AWS) cloud.
Partnering for Success
Carnegie/Longview’s challenge was finding the right partner with a suitable IoT security platform to build out their three-layer security framework and secure their device supply chain. They sought a scalable, automated platform that would minimize manual management of CA and RA services. They were looking for an easy-to-use API that would lessen the integration burden on their development team. They wanted in-field sensor identification agility and they needed a flexible company that could collaborate to deliver a comprehensive solution. They found all those components in the GlobalSign IoT Solution and our partners.
Carnegie and their spinoff Longview followed best development practices, and their success is a direct reflection of that. They have best-in-class security protecting a best-in-class industrial IoT asset management platform, and are now working with key verticals and companies to safely connect industrial assets to the Internet of Things.