IoT devices continue to expand in utility and reach, with a projected 75 billion of them around the world by 2025. Whether it’s healthcare, home assistants, or cars, the potential for IoT devices to improve our lives is immense.
One major issue threatening to stifle that potential, however, is IoT device security. For many in the field, it is precisely those security concerns that are preventing them from moving forward with IoT device-based initiatives. CISOs are concerned, too: 80% of them believe that their organizations will suffer a cyber attack or data breach in the future due to insecure IoT devices.
Creating a secure IoT device environment is a complex task that involves continuous oversight and vigilance over key storage and usage once provisioned. Unfortunately, much IoT device security seems to be focused on talking a good game rather than playing one.
Hackers only need one breach to get what they need, so the best IoT device security isn’t flashy, it’s rigorous and relentless. It’s built into process and informs choices so that IoT device security becomes the norm rather than an afterthought.
How IoT device security can “be secure” rather than just “sound secure”
1. Keep private keys protected at all times
For asymmetric cryptography, such as RSA, the private part of the key pair is extremely sensitive and must be protected carefully. Ideally, a private key would never appear in the clear in ANY system. For small-scale deployments, having a simple password-protected private key is usually fine. But for enterprise applications, hardware security modules (HSMs) should be used to protect private keys at all times. HSMs are specialized appliances or peripheral cards and can do all of the necessary cryptographic operations in hardware without the key ever having to be exposed in the clear.
2. Use HSMs and a secured room
Hardware security modules (HSMs) are typically used on servers. As such an essential element of key protection, they need to be kept secure, both physically and logically. This means creating an environment that is as physically secure as possible, and putting policies and processes in place so that no one person alone has full access to perform sensitive operations. The physical security may entail having a security presence for checking entries and exits, biometric authentication to ascertain identities and levels of clearance for authorized individuals, and video surveillance to monitor activity within the facility. The logical security includes processes that require a number of specified people to be present to perform sensitive keying operations.
3. Test your disaster recovery plan
As the saying goes: those who fail to plan, plan to fail, and this is especially evident in IoT device security. Risk assessment, penetration testing, and a disaster recovery plan are all vital for strong key security.
When an attack or breach happens, there won’t be time to think—only to execute a plan that has already been created. Make sure your plan addresses these key protection issues:
- Are your keys being backed up, off premise?
- How are those off premise sites secured?
- How do you protect the keys that protect the keys?
- How do you restore service in case of downtime?
4. Protect against internal attacks, not only outside threats
The keys that protect your data, identify devices and servers, and create the environment necessary to ensure revenue security for your company are valuable to you, but also to others. For corporate competitors, they can give insight into intellectual property and a vital edge on the market. For state actors, they can be used for international manipulation or attacks. Finally, for unscrupulous employees, they can be a source of easy money by stealing and selling them.
Guarding against internal theft of keys requires vigilance in terms of both physical and personnel security. Conduct periodic background checks on the employees who manage keys, and train them in operational processes and security awareness. For really sensitive operations, institute multiple-custody protocols, such as those employed during the Seacert private key generation process, which require two or more people using individually authenticated smart cards to authorize a multiple-step process inside a secure room.
5. Revoke compromised keys and certificates
Ensuring a secure PKI is not just about issuing certificates and provisioning keys and identities. It is also necessary to maintain the integrity of this infrastructure. This involves revoking keys and certificates when they have been compromised or their users are found to be breaching terms. This can be accomplished using various key revocation mechanisms including Certificate Revocation Lists (CRLs) or protocols such as Online Certificate Status Protocol (OCSP). Certificate Authorities then share these lists with other list users.
For example, an IoT device using a certificate that is no longer authorized will not be able to gain access to a server. These reactive measures must be taken if a key is compromised.
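The server-side decision described above can be sketched as follows. This is an added example, not Intertrust or Seacert code: it uses the Python `cryptography` package, a constructed CA named "Demo Device CA", constructed serials 1001 and 1002 and a fixed demo clock, and it denies access when the CRL is forged or out of date as well as when the device is listed.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed clock for the demo
WEEK = timedelta(days=7)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
CA_NAME = name("Demo Device CA")                   # hypothetical issuer name

def issue(cn, ca_key, serial):
    """Constructed device certificate; stands in for a real provisioning CA."""
    pub = ec.generate_private_key(ec.SECP256R1()).public_key()
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(CA_NAME)
            .public_key(pub).serial_number(serial).not_valid_before(NOW - WEEK)
            .not_valid_after(NOW + 52 * WEEK).sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, revoked_serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
         .last_update(NOW).next_update(NOW + WEEK))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def device_allowed(cert, crl, ca_pub, now):
    """Fail closed on CRL problems; chain/expiry checks on `cert` are assumed done elsewhere."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_pub):
        return "crl-untrusted"      # wrong issuer or not signed by our CA
    # Older cryptography releases expose only the naive (UTC) next_update attribute.
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=timezone.utc)
    if now > nxt:
        return "crl-stale"          # an old list may predate the revocation
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"

def demo():
    ca, rogue = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    good, bad = issue("sensor-0001", ca, 1001), issue("sensor-0002", ca, 1002)
    crl, forged = make_crl(ca, [1002]), make_crl(rogue, [])
    pub = ca.public_key()
    return {"good": device_allowed(good, crl, pub, NOW),
            "revoked": device_allowed(bad, crl, pub, NOW),
            "stale-crl": device_allowed(good, crl, pub, NOW + 2 * WEEK),
            "forged-crl": device_allowed(good, forged, pub, NOW)}
```

Treating a stale or unverifiable CRL as a denial is what keeps the check effective: a server that accepts any list it is handed can be fed one from before the revocation.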
Trust the experts
As can be seen, keeping IoT devices secure requires care, attention, and expertise in multiple areas, and the bigger the operation, the more complicated it is to secure it. For device manufacturers and related software developers, this can create a huge burden, not only during the development phase but throughout the lifecycle of the device.
Intertrust specializes in partnering with device manufacturers to create trusted environments for IoT devices through PKI infrastructures. This can be done right from the beginning through factory floor provisioning, or later, through updates from cloud-based servers.
Intertrust is an industry leader in IoT device security, and our Seacert solution has already provisioned more than 1.5 billion device identities around the world. To find out more about securing IoT devices and how Intertrust can help, download a free white paper on the subject.
About Paul Butterworth
Paul Butterworth is an experienced payment and security professional, having spent almost 30 years in the card, payments and IT security industries. Paul is responsible for global product marketing for the Intertrust Secure Systems’ and device identity solutions.