IoT Day serves as an international opportunity to foster discussions about the implications of the internet of things in everyday life. With several recent breaches and new legislation, the issue of IoT security has gained more attention. This IoT Day, we are sharing a few tips on IoT security from our decades of experience in the industry.
Just recently, hackers gained access to 150,000 live surveillance cameras at Verkada Inc. Reportedly, the hackers targeted user credentials to move through the network, even bypassing Verkada’s two-factor authentication. And not long ago SolarWinds was targeted in what Microsoft’s president called “the largest and most sophisticated attack the world has ever seen.”
These attacks show that two-factor authentication is a minimum requirement and should preferably be accompanied by a digital certificate. Connected security cameras have also long been a target in IoT, and many of them contain vulnerabilities that stem from a lack of security planning during design and development. Manufacturers need to do better, and consumers need more education about the security implications of the devices they purchase.
Understanding this, the U.S. government set out to create more requirements for device manufacturers. In December 2020, the Internet of Things (IoT) Cybersecurity Improvement Act was signed into law to develop federal government standards for private IoT device manufacturers. With the act, Congress intended to push IoT manufacturers to incorporate security during the development and manufacturing of IoT devices. Under the act, NIST is responsible for developing guidelines with minimum security requirements for all devices used by the U.S. federal government. The hope is that as manufacturers strive to meet these standards in order to sell to the U.S. government, devices sold to the private sector will also contain these security best practices, so the act should promote greater security in all IoT devices manufactured.
In this environment, manufacturers need to prepare by looking at how to incorporate security, from product development to device manufacturing. Public key infrastructure (PKI) can help maintain integrity, authenticity and confidentiality through a device lifecycle.
Authentication, encryption, integrity and identity should be considered as a part of every IoT security standard or guideline that exists. As manufacturers begin to think about their approach to addressing the NIST requirements, a good starting point is to find a solution that addresses multiple requirements within the standard guidelines. Public key infrastructure (PKI) and the use of digital certificates are a proven security approach that addresses the common security challenges of authentication and access, confidentiality of data, and the integrity of data and device operations.
PKI can enable the following security approaches:
Since PKI addresses multiple security requirements, it's a good place to start.
IoT manufacturers adopting PKI gain security along with greater flexibility when deploying, provisioning and creating certificates. Manufacturers have different environments and needs when deploying PKI. Some manufacturers may need an on-premises solution if there is no network available during manufacturing. Others may want a cloud solution for lower cost and easier setup. Provisioning flexibility means that manufacturers can provision components or devices pre-manufacturing, in the supply chain or during manufacturing, or can even provision devices in the field.
Lastly, manufacturers may require varying certificate profiles, templates or protocol requirements for their specific solutions or environments. Since every IoT device is unique, with different computational power, communication protocols and shelf life, manufacturers will need a flexible, secure PKI solution. With the right platform, manufacturers can create custom certificate profiles to meet the needs of any type of IoT device.
One way PKI can help IoT manufacturers is by identifying their own genuine products through the identity built into the device. IoT manufacturers will periodically need to update software on these devices, ensuring that the latest security software or proprietary configuration changes are applied only to their own genuinely manufactured devices. Once the device has been identified to the system, PKI is used again to encrypt the software update targeted for the device so that only the manufacturer’s device can decrypt it, ensuring secure and tamper-free communication between the network and the IoT device.
Another use of PKI is the authentication of a device to cloud services, where IoT manufacturers can monitor the state of its security. It is important for the manufacturer to be able to verify that a genuine device is connected to their cloud service, ruling out a malicious actor masquerading as the device or infiltrating the service. Once the device’s identity is established, the manufacturer can safely continue to maintain the device through their service.
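The two uses just described, device identity plus protected updates and device-to-cloud authentication, along with the narrow certificate profile mentioned earlier, are shown below in an added example written for this page using only the Go standard library; it is not DigiCert's code or part of any DigiCert product. It assumes a hypothetical manufacturer root CA ("Example IoT Manufacturer Root CA"), a constructed device serial and nonce, and models the cloud-side check as certificate chain validation plus a signed nonce (proof of key possession), and the update check as signature verification against a firmware-signing public key provisioned at the factory. The encryption of the update image that the text mentions is a separate step not shown here; what the example demonstrates is the tamper-evidence and authenticity side of that exchange.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Manufacturer is a constructed stand-in for a manufacturer's PKI (in production the private keys live in an HSM).
type Manufacturer struct {
	caKey, fwKey *ecdsa.PrivateKey // CA key signs device identities; a separate key signs firmware updates
	CACert       *x509.Certificate // handed to the cloud service as its trust anchor
	FwPub        *ecdsa.PublicKey  // burned into every device at the factory to check updates
}

// NewManufacturer creates a self-signed root CA and a firmware-signing key.
func NewManufacturer() (*Manufacturer, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fwKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err, err2)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example IoT Manufacturer Root CA"}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(der)
	return &Manufacturer{caKey: caKey, fwKey: fwKey, CACert: caCert, FwPub: &fwKey.PublicKey}, err
}

// IssueDeviceCert provisions one device identity with a narrow profile: signature key usage and a client-auth EKU.
func (m *Manufacturer) IssueDeviceCert(deviceSerial string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // on real hardware: inside a secure element
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceSerial},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, m.CACert, &devKey.PublicKey, m.caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return devKey, cert, err
}

// SignMessage hashes and signs msg with an ECDSA key (used for both the device nonce and firmware images).
func SignMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifySignature is the matching check; on the device it gates every firmware update before installation.
func VerifySignature(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// VerifyDevice is the cloud side: chain to the manufacturer root with a client-auth EKU, plus proof of key possession.
func VerifyDevice(root, devCert *x509.Certificate, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := devCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("device certificate rejected: %w", err)
	}
	if pub, ok := devCert.PublicKey.(*ecdsa.PublicKey); !ok || !VerifySignature(pub, nonce, sig) {
		return fmt.Errorf("device failed proof of key possession")
	}
	return nil
}

func main() {
	m, _ := NewManufacturer()
	devKey, devCert, _ := m.IssueDeviceCert("SN-000001") // constructed serial
	sig, _ := SignMessage(devKey, []byte("nonce"))
	fmt.Println("device accepted:", VerifyDevice(m.CACert, devCert, []byte("nonce"), sig) == nil)
}
```

Two design points worth noticing: the cloud service never trusts a certificate alone, it also demands a fresh signature over its own nonce, so a certificate copied off one device is useless without that device's private key; and the firmware-signing key is deliberately not the CA key, so compromise of the update pipeline cannot mint device identities, and the device only needs the firmware public key on board to reject a tampered image.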
DigiCert offers PKI solutions to help manufacturers conform to the IoT Cybersecurity Improvement Act. DigiCert® IoT Device Manager and DigiCert® Secure Software Manager help manufacturers meet these guidelines developed by NIST through device identity and authentication, confidentiality and integrity.
Both managers reside on DigiCert ONE™, a PKI platform built on a modern, cloud-native, container-based architecture, which is easy to stand up and highly scalable, with multiple deployment options, such as in cloud, on-prem, hybrid or air-gapped.