How to Future-Proof IoT Security

“[A] connected device has the ability to cause more disruption, which could cause actual physical injury or even death,” warns Merritt Maxim, an analyst with Forester. We are surrounded by Internet of Things (IoT) in our everyday work and lives: temperature sensors, implantable insulin pumps, industrial water pumps, navigation systems, security cameras, commercial airliners. The problem is, most IoT devices have poor security in place. Twenty-five percent of cyber attacks will target IoT devices, according to Aberdeen. Attackers see IoT as a soft entry point whereby they can destroy or wipe a device to steal credentials and data. With 20.6 billion connected devices by 2020 and 5.8 billion IoT endpoints, projects Gartner, the situation is dire. Companies need to manage and amplify their IoT security now, to prepare for the future.

Many organizations are using Public Key Infrastructure (PKI), but doing so without thinking beyond the next couple of years. The rise of the IoT is driving the deployment of applications using PKI, with 43 percent of IoT devices expected to rely primarily on digital certificates in the next two years, according to the 2018 Global PKI Trends Study. A well-designed PKI combines roles, policies, software, and hardware elements to enable secure electronic transfer of information — far more securely than what is possible with simple password authentication.

IoT Security is Not a One-Size-Fits-All Approach

Security needs for devices are different. Devices have lifespan issues as iterative and evolutionary changes are made to the product line. When factoring in security, developers of IoT devices need to consider the longevity of the key exchange and consider the lifetime of the device. For example, if a device has a 10-year lifecycle (thermostat) or a 100-year lifecycle (water pump), etc. The longevity of the information and privacy both need to be considered and addressed by the PKI in its design, operations, and management. This includes the longevity of the identity keys, ensuring that the product is useful and supported, device end of life stated, and cross-generational support and interoperability. Manufacturers have to think years down the road and forecast how their devices today will interoperate with their device security for things they haven’t even developed yet. Securing devices over their lifetimes is critical to the safety and use of these devices.

A single approach to security and device lifetime can’t work for all devices. Many commercial solutions and cloud providers that provide cloud-based identities consider 40 years to be “long enough.” Certificate Authorities (CAs) that issue certificates will renew and be replaced. Devices need to have the ability to upgrade and roll identities from one PKI to the next as keys are replaced at the CAs.

Devices need to be built to interoperate with each other. A device sold today that is expected to be used for 10 years is likely to encounter a newer release from the manufacturer and that old and new model may need to interoperate cohesively during the supported lifetime. Devices must accommodate rolling and renewing identities and identities and keys must be cryptographically useful for the intended lifetime.

Future-proofing is a must. I will present “How to Future-Proof IoT Security” on November 14, 2019 at Nordic IT Security 2019 in Stockholm, Sweden — as well as participate on two panels: Information Systems and Smart Grid Security and Critical Infrastructure Security.