March 21, 2019
Public Key Infrastructure Security supporting the full IoT eco system
In typical IoT solutions, devices collect and send data to the IoT platform and back-end applications for analysis, in some cases after local processing. The data is used for both real time decisions/actions and long-term business development. This is the basic drive and DNA of most IoT solutions. This DNA is then supplemented with the need for agility and speed, both considered to be very important aspects of many IoT initiatives. In real life, that means that most IoT initiatives start small, tries the concept and then grows fast with the success of the use case. Infrastructure investments are added step by step and there is no time to restart or pause to rethink. Continuous feedback drives the evolution of the solution and refinement is an on-going process built into the development process. Small pilots can in just a few months grow from just a few to millions of devices.
The fast-growing world of IoT devices is unfortunately not only positive, having a large number of devices connected over open networks will inevitably also be followed by a number of cyber security issues. Data breaches including lost/compromised personal or business information are obvious risks that most recognize. These can, and have in many cases, lead to significant financial and reputational damage. Another unfortunate scenario, that too many are exposed to, is that their solution and devices are being recruited to botnets and used to launch DDoS attacks. The evolutionary development of IoT devices combined with the severe threat that they face makes Trust a central component for any IoT solution. Trust in IoT solutions means that you can have confidence in that your IoT solution will behave as you expect over time. Although there can be many tempting business opportunities in connecting your devices, it is important to understand how to protect your business before embracing the technological advantages. So what is my recommendation for you who’s looking in to IoT? Security in IoT should be deployed from the start and not applied afterwards, especially as adding security at a later stage often means higher costs and a less flexible security solution. Do not reinvent the wheel - there are already standards, industry regulations and legal frameworks available that will support you in applying a security framework for your IoT solution.
IoT security frameworks and PKI
Some action you can take to greatly reduce the risks in IoT are:
- Apply security frameworks that mandates regular software and firmware updates
- Secure authentication for devices, applications and administrators managing the solution
- Protect the integrity of the data and the device
- Encrypt the data
As I said, you don’t have to reinvent the wheel to do this. Public Key Infrastructure (PKI), certificates and electronic signing are already de-facto standards for authentication, integrity and confidentiality on the Internet. PKI has proven to be scalable and flexible and it is now being specified and proven also in IoT.
End-to-End security for all stakeholders in the IoT solution
Some IoT eco systems are more complex than others and there can be multiple stakeholders. Maintaining security over time can be challenging. Each stakeholder has its interest in the data being generated by the solution and end-to-end encryption and data integrity is a pre-requisite to assure that business assets are secured not only from external attackers but also between the stakeholders within the eco system. With the scalability and flexibility of PKI it is the most cost-efficient and secure solution to manage electronic certificates and electronic signing in more complex and larger IoT eco systems.
As you can see, a PKI solution for IoT must support a multi-layer infrastructure as well as external sources for certificates and identities that allows each stakeholder to communicate securely and manage secure updates in the solution over time. For each device, one or several identities and their lifecycles need to be managed. These identity lifecycles start during manufacturing and software development, continues during deployment and operation and finally ends when the identities are revoked, and the device is discontinued or reset. The corresponding lifecycle management applies for users, software as well as for the devices themselves. Examples of users are administrators, business analysts and maintenance personnel. They are all a part of the trust chain. Finally, trust cannot be established by technology alone. It requires policies and procedures and that the roles and responsibilities of the different stakeholders in the IoT eco system solution is set. Again, there is no need to re-invent the wheel as there are already widely adopted policies and procedure frameworks for different business cases and markets. And if there is not, an experienced PKI vendor such as PrimeKey or our partners can advise on existing frameworks that can be reused to cater for the management and agreements that need to be established to enable a trusted IoT solution over time.
Determining the best security software deployment options is an important decision that must be researched, reviewed, and resolved during the software evaluation process. Each organization has unique business challenges, including security requirements, budgets and the availability of internal resources. The PKI deployment choices are of course affected by this and therefore PrimeKey gives you the choice of, and the choice to combine, software, hardware Appliance and cloud deployments for your PKI solution. This means the PKI infrastructure can be deployed in the manner best suited to your business needs and that it can grow flexibly and expand over time.
In conclusion: If you are looking into IoT, remember to think about security from the start and consider all the stakeholders in the eco systems. And if you need any help, don’t hesitate to contact us. We’ve done this before and know how to help.