IoT Security Best Practices in the Digital Transformation Age
January 31, 2020
The digital transformation is a powerful business that improves productivity, enhances customer experience, and increases global revenue. It is revolutionizing how we do business in the global world.
The digital transformation is a powerful business construct that improves productivity, enhances customer experience, and increases global revenue. It is revolutionizing how we do business in the global world. Unfortunately, it’s not always safe.
Malware, viruses, data breaches, and other nefarious attacks on all types of IoT devices from equipment sensors and video cameras to critical controls for power grids are exposed to online assaults that can compromise personal, and more impactfully, vital manufacturing and infrastructure. There is much at stake. What has become clear is that responsibility for protecting IoT devices has fallen mainly to device manufacturers. Standards, guidelines and regulations target manufacturers, which seem to be best positioned to address security issues in the earliest stages of production in order to protect data, devices, communication and entire IoT ecosystems.
So how do IoT device manufacturers and even operators secure their devices so they are protected when put into service? Let’s take a look at some of the best and most common ways all types of IoT devices can embrace IoT security to protect our connected future (Editor's note: Embedded Computing Design is hosting the third-annual IoT Device Security Conference on March 26 in Santa Clara, CA).
IoT Security Starts with PKI
Some time ago there was concern as to whether or not Public Key Infrastructure (PKI) was the best option for IoT security. That concern has long been resolved, and PKI has become the de facto credential for IoT devices.
PKI adds real value. Built as a closed, secure system, its core function is to identify and authenticate, encrypt and decode, and safely communicate to those who are part of its trust network. The backbone of a PKI system is digital certificates, which provide authenticated identity to each device. Supported by X.509 certificates that authenticate identity across platforms and networks, it can be used to managed trusted identities from the point of manufacture, through the supply chain to deployment in the field.
Leveraging the proven technology of PKI to identify devices, encrypt communications and ensure data integrity ensures the issuance of strong, unique device identities that become the key to securing data, devices, networks and entire ecosystems.
Security by Design
Security as an integral part of product design solves security issues before they become troublesome in the field. Addressing how IoT devices will be identified, how they’ll connect, what type of communication will be used and what type of data needs to be protected are serious considerations. Bolting-on security after the product has shipped inevitably leaves unforeseen gaps in protection. Including security as part of the design phase of IoT product design and development addresses issues head-on where they can be adequately considered.
Have a Strategy
A Ponemon Institute study sponsored by Shared Assessments recently reported that only 43% of companies take comprehensive steps to protect IoT data and assets. 43%! And with estimates of up to 77.5 billion connected devices by 2025, that means upwards of 43 billion devices will have insufficient protection. Further research by Bain & Company revealed that inevitably, ad hoc cybersecurity results in measurable protection gaps. The best recommendation then is to draft and apply an inclusive cybersecurity plan, make it comprehensive, and assign responsibility for its implementation. This ensures there is advance consideration of protection methods, a means of measurement and accountability for implementation and follow through. Reacting to data breaches after the fact will cost far more than the money spent on preventative planning and management.
Get Professional Assistance
Not every IoT device manufacturer or operator has the in-house resources necessary to successfully implement PKI and device identity protocols. It can be a complicated topic. Not surprisingly, improper implementation can be as compromising as not having it at all. Poorly defined, commissioned, and managed PKIs offer little in the way of reliable security. Shortages of qualified PKI experts can also make on-premise implementations a challenge. Commercial grade device identity platforms and the assistance of PKI professionals can ease set up and management, reduce implementation costs and facilitate integration, accelerating your time to market, which could give you a competitive advantage. Be sure however, that the company you work with is specifically focused on IoT device identity and are knowledgeable in all aspect of IoT specific digital certificates, Certificate Authorities, device enrollment (Registration Authorities), device identity lifecycle management, and certificate revocation (Validation Authorities).
Policy Definition and Enforcement
The security impact of Registration Authorities (RAs) shouldn’t be overlooked. One key success factor of PKI for IoT security is the ability to establish device authentication policies that are enforced through an RA upon device enrollment. By setting stringent enrollment policies, the network is protected from attacks, enrolling only authenticated devices with strong, unique identities. Forward looking IoT identity providers and Certificate Authorities are starting to offer Registration Authority as a service as part of their identity platforms. These RAs feature administration rich functionality enabling users to custom configure certificate profiles, define, set, manage, and store device verification rules and otherwise manage the device identity throughout its lifecycle. Managed RA services can simplify, optimize and further harden how companies enroll, secure and manage their PKI-based device identities.
A Layered Approach to IoT Security
IoT security is all about protecting identities, data and communication at multiple touch points; Setting device authentication polices and enforcing those policies during enrollment; Creating strong unique digital identities and managing those identities throughout their lifecycle; Protecting data integrity and communication with secure encryption. It means incorporating security in the initial design of the device, using the proper tools to secure it, having a cohesive cybersecurity strategy, and tapping into professional expertise when needed.
In the end, it’s not one specific tip, tool, or technology that will ensure IoT security during each company’s respective digital transformation. Rather, IoT security success lies in the approach we adopt at every step, every point of connection, integration and communication. It lives in our product planning, our cybersecurity strategies and our adherence to them, and our meticulous attention to integration detail. It is the responsibility of all IoT related developers, designers, manufacturers, operators, integrators and technology platforms to understand the unique challenges IoT brings and find ways to protect all participants so we all can thrive in a connected world.