The Internet of Things (IoT) is rapidly growing and expected to affect all industry verticals as well as our private lives. It is no secret that security plays a very important part in the successful deployment and management of this technology, and its applications are set to transform the way we live and do business. In this blog, we reached out to our technology partner Nexus to better understand the challenges that the industry faces to ensure safe deployment and management of IoT technologies.
What is the biggest security challenge facing the growing IoT?
Weak authentication. For Secure IoT, all connected devices and services must have trusted identities. To get reliable security for devices and services, it is a must to provide a ”transport identity” at production stage and then when deploying solutions on the field, update the identities securely, e.g. OTA (over the air). To do this at scale, a public key infrastructure (PKI) is required. A PKI provides cryptographically secure, unforgeable, theft-safe identities, and is the best available security technology for large-scale distributed systems.
With IoT PKI, Secure IoT can be accomplished by enabling strong authentication and encryption of communication to ensure the integrity of transactions and data.
We often hear IoT devices (things) as being “resource constrained.” Can you elaborate on what is meant by this?
IoT devices typically have a small memory and a rudimentary operating system with no real user interface, and that presents a challenge as they have limited power, communication, and computing capabilities. These characteristics have led to the development of new concepts and standards to provide these devices with well-functioning and reliable identities, and the capability to automatically enroll when deployed. An example of some of the protocols that cover this are Enrollment over Secure Transport (EST) and Certificate Enrollment for Billions of Things (CEBOT).
What are the main challenges in giving things trusted identities?
This is not really a technical issue. It is more a challenge in connecting how IoT projects are started and driven. Thinking about it from the project workbench, devices are designed to manage certificates, implementing a straightforward process where an initial transport certificate is issued in the production line. But that is only the first step. When devices are deployed, that transport certificate has to be updated, managed and maintained. IoT projects need to allocate a budget for this. I actually wrote a separate blog about this here.
Can you differentiate between the process of factory bootstrapping and enrollment of things into a trusted ecosystem?
An important and challenging part of the product lifecycle is to maintain a device’ trusted identity. Take for example the supply chain involving the production of a piece of electronic circuitry, embedding it in an elevator, installing it in a smart building, and subsequently commissioning it to the facility operator.
Factory bootstrapping takes place in the trusted factory environment by injecting firmware, generating keys, and issuing initial "factory certificate" with a factory Certificate Authority (CA). Commissioning of devices in the trusted ecosystem may require issuing a new digital identity in the form of an operator certificate to the device, which is already "in the field," (i.e., located in a potentially insecure environment). When requesting the operator certificate from the operator’s CA, the device in the field can authenticate with the help of the factory certificate. The authentication of the device is based on the operator CA trusting the factory CA. In this way, the trusted identity of the device can be maintained along a supply chain and in a complex ecosystem’s multiple products, services and operators.
How is Nexus involved in ensuring a more secure credentialing and enrollment process?
We have been in the identity and security market for a long time and have been creating products and services to meet changing and challenging market needs, as well as, respective requirements and industry standards. Solutions need to be secure but also a well-integrated part of an ecosystem. They need to protect the central system, as well as the mobile identities of individuals interacting with the system. Nexus has a unique proven experience and position within the market. Many of our customers, for example, in the automotive industry, put great demands on us when it comes to both capacity, security, and compliance. Nexus provide IoT PKI on site and as a cloud service is engaged in new standards projects like ECSEL SECREDAS, Secure IoT, and V2X to ensure that our customers and partners can get access to the latest services for IoT devices for seamless credentialing and enrollment processes.
For secure IoT, a root of trust is required to underpin the issuance and management of certificates used to establish device IDs. Cryptographic keys used to sign these certificates must be given the utmost protection. Hardware security modules (HSMs) act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device. To cover new protocols and new crypto algorithms for Secure IoT, and to ensure a high transaction rate, Nexus relies on our HSMs to empower its CM for Secure IoT. For any IoT application, it is crucial to protect data, user privacy and safety. Breaches can harm production continuity and business processes, customers’ trust, and – worst of all – human health and life. Nexus provides the solutions to secure your IoT.
Nexus is a leading provider of identity and access management security solutions. Its solutions focus on securing society by enabling trusted identities. Nexus offers a flexible and scalable CA software, which enables customers to register, issue and manage electronic identities for devices and services in any type of IoT use case. Combined with nShield, Nexus delivers solutions and services to help secure IoT.
It is all about Identity of Things (IDoT); all connected devices and services must have trusted identities and a PKI with an HSM root of trust delivers the best security technology for large-scale distributed IoT systems. To learn more visit https://www.nexusgroup.com/solutions/public-key-infrastructure-pki/internet-of-things-iot-security https://www.nexusgroup.com/solutions/public-key-infrastructure-pki/internet-of-things-iot-security/ and our website, and be sure to view webinar “Identity and Access Management in IoT Manufacturing.”