Resolving the issue of Internet of Things (IoT) security has been a complex problem to address. The reason the problem remains is that people have been trying to address it within the limited scope of their own market position and place in the value chain.
The importance of IoT security spans multiple interrelated but very different market constituents. Before we can understand how to solve the overall problem, we need to understand each part of the IoT value chain and the respective concerns and issues surrounding cybersecurity implementation.
IoT device makers need a security solution that is inexpensive on a per-unit basis, uses minimal computational resources in the device and doesn’t require a cybersecurity specialist to implement. Most of the IoT devices hitting the market are small embedded systems (e.g., temperature sensors, light switches, cameras) that have microcontroller-class processors with very limited compute power and resources available to them.
Device manufacturers face some significant challenges when it comes to securing their IoT devices, including securing access to the networks and ecosystems those devices connect to, maintaining access to cybersecurity specialists, and installing IoT devices at scale. Also, device authentication to services needs to move beyond the username-and-password paradigm. In addition to being a weak form of security, usernames and passwords are not scalable. They work adequately for 10 devices, but they do not work for a company that requires stronger cybersecurity and will ship 10 million devices to a global sales and installation channel.
The use of secure element chips is becoming more prevalent in the market. These application-optimized cryptographic chips provide a pre-packaged solution for securely storing private keys and they also provide crypto-math acceleration. However, an issue arises when promoting these chips to the embedded systems companies that design and manufacture the devices. When the time comes to complete the sale, the companies face the issue of setting up Public Key Infrastructure (PKI), which can add complexity and friction to the sales and design processes for a secure chip manufacturer.
Chip manufacturers need a security infrastructure that is well integrated into their production flow and abstracts from their customers all of the technical complexities behind establishing a certificate chain. Their customers need something that is as simple as adding a component to their bill of materials (BOM).
Cloud Service Providers
Due to the massive scale of device management for IoT product lines, most device vendors will use some form of IoT cloud-based management service (e.g., Microsoft Azure, Google Cloud, Amazon Web Services IoT). However, cloud service providers need a scalable provisioning process so that devices authenticate with the cloud provider’s servers and so that devices are automatically assigned to the proper company accounts.
Cloud service providers have a problem similar to that of chip manufacturers because their customers are device manufacturers that need a simple, scalable way to strongly authenticate devices from many different manufacturers to their online services.
Security Infrastructure Providers
PKI is the cornerstone of most enterprise cybersecurity plans, but for IoT, security infrastructure providers need to repackage PKI so that it fits seamlessly into the IoT hardware supply chain. The packaging needs to make PKI simple enough for implementation by device manufacturers who may have limited cryptography knowledge. For all of its benefits, PKI’s main weakness is the cost and complexity of its deployment.
Also, in most web browser applications of the past, there was no need to authenticate the computer/device itself; users needed only to authenticate the server. As a result, most network sessions were only authenticated one way because the device didn’t matter. It was the user that mattered. So, users authenticated themselves in the web application using their username and password to verify their identity. For IoT, the identity of the device matters and the deployment model needs to adapt to that.
Internet of Things Device Security Requires a Practical, Economical Solution
The challenge is that for IoT, typically no active user is behind the device, unlike with PCs and mobile phones. The device logs in on its own and sends data on its own. For all intents and purposes, today an IoT device is a user on the network and now the task of authenticating the device itself becomes a concern.
The situation demands a practical and economical way to deliver private keys and certificates that belong to hundreds of PKI domains and thousands of manufacturers making billions of devices.