Using PKI to Secure the IoT

DigiCert hosted a webinar on the importance of PKI for securing the Internet of Things (IoT). The discussion, led by DigiCert's Chief Security Officer, Jason Sabin, and Leidos Chief Engineer, Brian Russell, and moderated by DigiCert's Jeff Chandler, covered why connected devices need to be secured and how smart companies are using PKI for large-scale identity and data-protection needs.

Why PKI?

The rapid growth of the IoT is exciting because nearly all systems, devices and objects are being connected to the Internet to automate tasks, provide convenience, and collect and share data. However, this growth leaves many companies struggling to find large-scale, reliable security that protects their IP and investments and earns consumer trust in their connected products. PKI is the strongest and most proven solution to this challenge.

Simply put, PKI is a proven technology that enables large-scale authentication and reliable encryption, yet companies and customers still assume that PKI is too complex or too difficult and try to "invent something themselves to protect their IoT infrastructure" instead. The scalable and flexible attributes of a PKI solution make it the right choice for securing connected devices. PKI protects data and devices through three mechanisms:

Encryption: protecting the confidentiality of data in transit between devices and services.

Authentication: proving the identity of devices, services and users to one another before they exchange information, so that trust is established rather than assumed.

Signing: verifying at startup that configuration settings, software, firmware and similar artifacts have not been tampered with, and verifying that device updates come from a trusted source before they are applied.
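As an added illustration of the signing mechanism above (example code written for this page, not DigiCert's or Leidos's code and not taken from the webinar), the following Go program shows what a device does with a pinned vendor public key before it boots an image or applies an update: it recomputes a digest over the version label and the payload and checks the vendor's ECDSA signature against it. The image layout, the version strings and the payload bytes are constructed for the example; in a real deployment the vendor signing key would live in an HSM and the pinned public key in the device's protected storage.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is what a device receives from an update server: a version label, the image
// bytes, and a detached ECDSA signature covering both. The layout is constructed for this example.
type FirmwareImage struct {
	Version   string
	Payload   []byte
	Signature []byte // ASN.1 DER-encoded (r, s), as produced by ecdsa.SignASN1
}

// digest binds the version label to the payload so that a genuine image cannot simply be
// relabelled (for example to pass an old, vulnerable build off as the latest release).
func digest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // field separator; a real manifest format would length-prefix each field
	h.Write(payload)
	return h.Sum(nil)
}

// SignFirmware is the build-server side. Only the holder of the vendor signing key can produce
// a signature that devices pinned to the matching public key will accept.
func SignFirmware(signer *ecdsa.PrivateKey, version string, payload []byte) (FirmwareImage, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest(version, payload))
	return FirmwareImage{Version: version, Payload: payload, Signature: sig}, err
}

// VerifyFirmware is the device side, run at boot over the installed image and again before an
// update is applied. The vendor public key is pinned in the device (passed in here).
func VerifyFirmware(pinned *ecdsa.PublicKey, img FirmwareImage) error {
	if !ecdsa.VerifyASN1(pinned, digest(img.Version, img.Payload), img.Signature) {
		return errors.New("firmware rejected: signature does not verify under the pinned vendor key")
	}
	return nil
}

// Outcomes signs a constructed image with a vendor key and reports which variants a device
// pinned to that vendor's public key accepts.
func Outcomes() (map[string]bool, error) {
	vendor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	attacker, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // any key that is not the vendor's
	if err != nil {
		return nil, err
	}
	payload := []byte("constructed firmware payload: thermostat build 2.1.0")
	genuine, err := SignFirmware(vendor, "2.1.0", payload)
	if err != nil {
		return nil, err
	}
	forged, err := SignFirmware(attacker, "2.1.0", payload)
	if err != nil {
		return nil, err
	}
	tampered := genuine // genuine signature, one payload byte flipped in transit
	tampered.Payload = append([]byte(nil), genuine.Payload...)
	tampered.Payload[0] ^= 0xff
	relabelled := genuine // genuine payload and signature, version label changed
	relabelled.Version = "9.9.9"
	pinned := &vendor.PublicKey
	return map[string]bool{
		"genuine image":         VerifyFirmware(pinned, genuine) == nil,
		"tampered payload":      VerifyFirmware(pinned, tampered) == nil,
		"signed by another key": VerifyFirmware(pinned, forged) == nil,
		"relabelled version":    VerifyFirmware(pinned, relabelled) == nil,
	}, nil
}

func main() {
	res, err := Outcomes()
	if err != nil {
		panic(err)
	}
	fmt.Println(res)
}
```

Only the genuine image passes; a flipped payload byte, a signature from any other key, and a relabelled version are all refused, which is the property a device relies on when it decides whether to boot or update. Note that this check says nothing about freshness: an attacker who replays an old, genuinely signed image is only stopped if the device also refuses versions lower than the one it is running.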

As companies begin to think about securing their IoT ecosystems with PKI, Sabin and Russell discuss a few primary considerations, such as CA functions, provisioning, and deployment for building a PKI infrastructure to match their specific use-case.

Security Advantages in Certificate-Based Methods

PKI, using digital certificates, is being used on a number of interesting devices, like window blinds, air fresheners, and garbage cans. Experts recommend certificate-based methods to secure IoT devices because a certificate gives each device a strong, unshared credential that can serve as one factor in multi-factor authentication. More specifically, TLS supports mutual (two-way) certificate-based authentication, so both ends of a device-to-server or device-to-device connection prove their identity before any data flows.

Those familiar with the IoT space will recognize the messaging protocols in use: MQTT, CoAP, XMPP, DDS, and HTTP/REST. Some organizations, like Amazon (whose IoT service uses MQTT and REST), may require TLS certificates as an added layer of protection. For MQTT specifically, a TLS layer is critical: the protocol's own authentication is a username and password carried in the CONNECT packet, which crosses the network in the clear unless the session is wrapped in TLS. Overall, Russell makes it clear that, whether through "native protocols or a wrap-around approach," certificate-based methods are recommended for security in the IoT. These methods avoid the weaknesses of a typical symmetric-key approach, where every device and service must share a secret and a leak on either side compromises both, by offering greater scalability and methodical management of the certificates and the key pairs associated with them.
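To make the mutual-authentication point concrete, here is an added Go example (written for this page; it is not code from DigiCert, Leidos, Amazon or the webinar) that stands in for the TLS front end of an MQTT broker or IoT gateway configured to require client certificates. It provisions a toy in-memory fleet CA, issues a gateway certificate and three device certificates, then runs a real TLS handshake over loopback for each device and for a client that presents no certificate at all. The CA, gateway and device names are assumptions made for the example; a production CA would keep its key in an HSM and publish revocation information, which this example omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a fresh P-256 key pair and a certificate for tmpl signed by parent (self-signed
// when parent is nil). It panics on failure, which for this in-memory example means a broken RNG.
func newCert(tmpl *x509.Certificate, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		panic(err)
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail on DER we just produced
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// caTemplate describes a fleet root that may sign other certificates, valid over [nb, na].
func caTemplate(name string, nb, na time.Time) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: name}, NotBefore: nb, NotAfter: na, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
}

// leafTemplate describes a device (clientAuth) or gateway (serverAuth) identity valid over [nb, na].
func leafTemplate(cn string, nb, na time.Time, eku x509.ExtKeyUsage, dns []string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na, DNSNames: dns,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
}

// admit runs one mutual-TLS handshake between a gateway listening on loopback and a device, and
// returns nil only if the gateway admitted the device. A nil device models a client with no identity.
func admit(gateway tls.Certificate, trust *x509.CertPool, device *tls.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{gateway},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust, MinVersion: tls.VersionTLS12})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			if c.(*tls.Conn).Handshake() == nil { // fails unless the device cert chains to trust
				fmt.Fprintln(c, "welcome")
			}
		}
	}()
	cfg := &tls.Config{RootCAs: trust, ServerName: "gateway"}
	if device != nil {
		cfg.Certificates = []tls.Certificate{*device}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	if n, err := conn.Read(make([]byte, 16)); n == 0 { // under TLS 1.3 a rejected client cert surfaces here
		return err
	}
	return nil // greeting received: the gateway completed the handshake with this device
}

// Scenarios provisions a fleet CA, a gateway and three devices (names constructed for the example).
func Scenarios() map[string]bool {
	now, h, client := time.Now(), time.Hour, x509.ExtKeyUsageClientAuth
	fleetCA := newCert(caTemplate("Fleet Root CA", now.Add(-h), now.Add(24*h)), nil)
	rogueCA := newCert(caTemplate("Rogue CA", now.Add(-h), now.Add(24*h)), nil) // not in the gateway's trust store
	trust := x509.NewCertPool()
	trust.AddCert(fleetCA.Leaf)
	gateway := newCert(leafTemplate("gateway", now.Add(-h), now.Add(h), x509.ExtKeyUsageServerAuth, []string{"gateway"}), &fleetCA)
	valid := newCert(leafTemplate("device-0001", now.Add(-h), now.Add(h), client, nil), &fleetCA)
	expired := newCert(leafTemplate("device-0002", now.Add(-48*h), now.Add(-24*h), client, nil), &fleetCA)
	rogue := newCert(leafTemplate("device-0003", now.Add(-h), now.Add(h), client, nil), &rogueCA)
	return map[string]bool{
		"valid device":        admit(gateway, trust, &valid) == nil,
		"no certificate":      admit(gateway, trust, nil) == nil,
		"expired certificate": admit(gateway, trust, &expired) == nil,
		"unknown CA":          admit(gateway, trust, &rogue) == nil,
	}
}

func main() { fmt.Println(Scenarios()) }
```

The single setting doing the work is `ClientAuth: tls.RequireAndVerifyClientCert` together with a `ClientCAs` pool that contains only the fleet root: a device with no certificate, a device whose certificate has lapsed, and a device certified by a CA the gateway was never told to trust are all turned away at the handshake, before a single MQTT CONNECT packet (and the username and password inside it) is ever read. The expired-device case is also why the lifecycle management discussed in the next section matters: once a certificate passes its NotAfter date the device is refused exactly like a rogue one, so rotation has to be scheduled ahead of expiry rather than after an outage. One practical note on the client side: under TLS 1.3 the device's handshake completes before the gateway has finished checking its certificate, so a rejection only shows up on the first read, which is why `admit` reads the greeting instead of trusting a successful `tls.Dial`.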

Advantages in Certificate Lifecycle Management

Digital certificates within a PKI are flexible and fit many use-cases. Generally, certificates pass through a lifecycle that includes discovery, analysis, procurement, provisioning, management, monitoring, and remediation. But because devices and certificate use-cases in the IoT are so diverse, certificate lifecycles in the IoT may differ greatly from traditional enterprise uses.

To customize PKI to meet specific use-case(s), many companies choose to work with commercial Certificate Authorities, like DigiCert, who can lend expertise and provide platforms to manage certificate lifecycles. Provisioning, revocation, and proper configuration of certificates require smart automation and maintenance, tasks that a trusted CA can provide for you.

Utilizing Security Best Practices

It is critical that organizations take responsibility for their own systems and understand where their keys and certificates are deployed. Five best practices (among several that Sabin and Russell discussed) for key and certificate management are as follows:

  1. Enterprise-level control and monitoring: A central monitoring platform allows meticulous tracking of keys and certificates and drives rotation before certificates expire.
  2. Discovery: Allows quick identification of any rogue or unmanaged certificates and keys in company infrastructure.
  3. Reporting: Industry-specific compliance reports need to satisfy regulatory and legislative requirements.
  4. Auditing: Integrate standardized audit records into security information and event management (SIEM) systems. Auditing is crucial for managing and monitoring such a large number of devices in one enterprise.
  5. Access Control: Strict access control features allow fine-grained privileges to be assigned to objects within the system.

Takeaways

Sabin and Russell conclude the webinar by discussing a few deployment use cases for IoT PKI, using PKI with a cloud IoT service, and outlining a few privacy considerations. The overall takeaways from the discussion for using PKI in the IoT are as follows:

  • Prioritize authentication for your IoT deployments
  • Consult with PKI experts to assess your specific needs
  • Do not wait for standardization; act today to protect your investments
  • Educate your executive team and board, including updating policies if needed
  • Find a partner to guide you in your IoT security efforts
  • Join an industry collaboration, such as the Cloud Security Alliance IoT Working Group (CSA IoT WG)

Watch the webinar, Using PKI to Secure the IoT, to learn more about the flexible and scalable nature of PKI. IoT providers and manufacturers must take steps today to protect their IoT investments.