If an IoT device can be trusted, it can be used for critical applications, its data is more valuable and its users and owners can be assured of a safe experience. Trust relies on device certification to assure the device’s identity and to enable security approaches such as public key infrastructure (PKI). Martin Lowry, IoT product manager at GlobalSign, tells Jim Morrish, a founding partner of Transforma Insights, how, as IoT becomes more critical to business operations, device certification is providing the foundation for trusted identity in IoT.
Jim Morrish: It has been a difficult few years and the world has changed a lot. What do you think are the most significant challenges that we now face?
Ofer Yatziv-Green: We face continuing headwinds with the unstable global economy and supply chain challenges. From a technology standpoint there are continuing chip shortages that impact both consumer and business products. Many electronic products use the same chips and components, so everything from a dishwasher to an industrial IoT gateway is affected. Experts predict that the global economy will continue to be unstable and is greatly affected by regional conflict and the trickle-down negative effect this has on manufacturing resources and transportation.
JM: Many of these dynamics seem to result in IoT-enabled solutions becoming more critical than they have been in the past. Would you agree?
OY-G: IoT is likely the fastest growing market today. Some say that it’s the fourth Industrial Revolution and is forecast to surpass the most recent technology revolution, the smartphone. The global pandemic drastically changed how companies operate. Many organisations now operate with employees working remotely, which increases the requirement for stronger device and infrastructure security. For many years security for IoT solutions was somewhat of an afterthought; securing devices with a username and password was likely the most commonly used approach. In today’s world, manufacturers of IoT solutions are now focusing their efforts to employ best-of-breed security for their devices. Many governments have established, or are developing, laws to govern security for IoT devices, and it is now becoming imperative that solution builders use these security practices to remain competitive and relevant.
JM: As IoT becomes more critical to business operations, so it becomes more important to know that data received from devices can be trusted. How can this be done?
OY-G: For many IoT device manufacturers public key infrastructure (PKI) is or has become the de facto standard for securing devices. However, PKI has traditionally been used for user, browser and server security and was not envisioned to secure IoT device identities and data. In recent years GlobalSign has developed an IoT Identity Platform that specifically addresses PKI for devices using X.509 certificates. An X.509 certificate binds an identity to a public key using a digital signature.
A certificate contains an identity (a hostname, an organisation or an individual) and a public key (RSA, DSA, ECDSA or Ed25519), and is either signed by a certificate authority or is self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can use the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key. With the use of device-based PKI and X.509 certificates, fleets of devices can be securely enrolled and issued certificates, which enables these devices to securely authenticate and transmit encrypted data to their host systems.
JM: How can you ensure that a security solution is to some extent homogenous across all device types, including legacy devices and technologies?
OY-G: In many IoT use cases, devices include a software stack and processing capabilities which may allow them to participate in a PKI-based security solution. If the device can send a certificate signing request (CSR) to our Certificate Authority URL then, based on the information passed in the CSR, we can issue a certificate to the device. There are many ways that a device could include information in the CSR to attest to its identity; some examples are a device common name such as a model name or number, a serial number, a shared secret and so on. This flexibility allows devices designed for varying use cases to participate in a PKI-based security solution.
JM: Is trusted identity the key to all of this?
OY-G: Trusted identity is key to securing IoT devices and use cases. As discussed, devices must be able to attest to their identity before allowing them to participate in a customer’s use case. Many device manufacturers are now implementing PKI early in the manufacturing process, allowing devices to be secured through the supply chain and when deployed in the field. Managing the device certificate lifecycle after deployment is also a critical capability, allowing devices to automatically re-enroll and be issued with a new certificate when their current certificates expire, thus ensuring the device is as secure as possible.
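The enrollment flow described in the interview (a device sends a CSR carrying its model name and serial number, the CA checks it and issues an X.509 certificate, the host system verifies that certificate, and the device re-enrolls before expiry) is shown end to end below as an added example written for this page. It is not GlobalSign's code and does not model the IoT Identity Platform; it uses only Go's standard `crypto/x509` package. The fleet CA, the `GW-4000` model name, the `SN-000123` serial number and the allow-list check in `Issue` are all constructed for the example; a production CA would keep its key in an HSM and would check the CSR against whatever identity data the manufacturer registered at production time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// FleetCA is a hypothetical issuing CA for a device fleet. In a real deployment
// the CA private key lives in an HSM behind the issuing service, never on devices.
type FleetCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewFleetCA creates a self-signed CA certificate that may sign device certificates.
func NewFleetCA() (*FleetCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Fleet Issuing CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &FleetCA{cert: cert, key: key}, nil
}

// DeviceCSR is the device side of enrollment: a key pair generated on the device
// and a CSR that carries its identity attributes (model as common name, serial number).
// The private key never leaves the device; only the CSR is sent to the CA.
func DeviceCSR(model, serial string) (csrDER []byte, key *ecdsa.PrivateKey, err error) {
	key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: model, SerialNumber: serial},
	}
	csrDER, err = x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return csrDER, key, err
}

// Issue is the CA side: it checks the CSR's self-signature (proof that the requester
// holds the private key), checks the claimed identity against what the manufacturer
// registered (here a single expected serial, standing in for an allow-list or shared
// secret), and issues a device certificate bound to the CSR's public key.
func (ca *FleetCA) Issue(csrDER []byte, expectedSerial string, lifetime time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if csr.Subject.SerialNumber != expectedSerial {
		return nil, errors.New("serial number not registered for enrollment")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      csr.Subject, // the CA decides the final name; here it accepts the CSR's
		NotBefore:    time.Now().Add(-5 * time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// VerifyDevice is what a host system does when a device presents its certificate:
// build a chain to the fleet CA and check validity at the given time.
func (ca *FleetCA) VerifyDevice(certDER []byte, now time.Time) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return cert, err
}

// NeedsRenewal is the lifecycle rule: re-enroll once expiry falls inside the window,
// so the device never runs with an expired certificate.
func NeedsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return now.Add(window).After(cert.NotAfter)
}

func main() {
	ca, err := NewFleetCA()
	if err != nil {
		panic(err)
	}
	csr, _, err := DeviceCSR("GW-4000", "SN-000123") // constructed sample identity
	if err != nil {
		panic(err)
	}
	certDER, err := ca.Issue(csr, "SN-000123", 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	cert, err := ca.VerifyDevice(certDER, time.Now())
	fmt.Println("device", cert.Subject.CommonName, cert.Subject.SerialNumber, "verified:", err == nil)
	fmt.Println("renewal due 75 days in:", NeedsRenewal(cert, time.Now().Add(75*24*time.Hour), 30*24*time.Hour))
	_, err = ca.VerifyDevice(certDER, time.Now().Add(100*24*time.Hour))
	fmt.Println("after expiry:", err)
	_, err = ca.Issue(csr, "SN-999999", time.Hour)
	fmt.Println("unregistered serial:", err)
}
```

The two checks in `Issue` are the ones that matter for trust: `CheckSignature` proves possession of the key the certificate will be bound to, and the serial comparison is the point where out-of-band knowledge from manufacturing (allow-list, shared secret, pre-provisioned birth certificate) turns a self-asserted identity into an attested one. Without the second check any party that can generate a key pair could enroll as any device.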
Comment on this article below or via Twitter: @IoTNow_