By Nils Gerhardt, Chief Technology Officer for Utimaco
The ‘Internet of Things’ (or IoT) is far more than smart speakers and app-connected lightbulbs: in less than a decade it has gone from a buzzword to a vital part of tens of thousands of businesses, and by 2030 the industry could be worth $12.6 globally.
Its value proposition is clear: ‘data’ is being created everywhere, whether it is traffic and footfall flows or CO2 emissions, and a vast network of sensors can capture that data. Once collected it can be analysed – something that is much easier now that cloud computing gives anyone access to the capabilities of a supercomputer. Devices can then make changes as needed.
This is already powering ‘smart cities’, though we are only just beginning to utilise its full potential, and is a key component in Industry 4.0, a term for the ‘fourth industrial revolution’ in manufacturing in which every component in a production line exists as much in the digital as the physical world, with 5G networks constantly exchanging data to make factories more efficient and proactively address maintenance problems. Combined with robotics, autonomous systems and 3D printing, a factory or warehouse could potentially run without the need for humans.
Of course, anywhere that data is being exchanged through internet-connected components is a potential vector for attack. We have already seen how ransomware can have devastating consequences in industrial settings, but imagine what could be done if bad actors gained access to a factory, oil refinery or energy production facility’s IoT network. By just increasing the amount of torque a robotic screwdriver uses they could ruin whole batches of products, or by turning off heatsinks they could start a fire. More worryingly, IoT systems have already been hijacked and turned into huge botnets. This could mean that tens of thousands of smart devices could be turned into spam email servers, or they could flood targets with traffic in Distributed Denial of Service (DDoS) attacks.
Does network always mean vulnerability?
In a business ‘campus’ in which everything is connected to everything else, one wireless thermostat with an unpatched vulnerability could theoretically provide access to an entire network, but because of cryptographic keys this is rarely so simple. Imagine this in terms of physical security: if a thief wanted to enter a high-security building they might find an unlocked door or window, but they could quickly be identified by the lack of a unique security pass. ‘Unique’ is an important term here: if everyone in the building carried the same ID badge our thief could just take one, but if they are unique to each person, by having a photograph for instance, this becomes much harder. A similar principle applies in IoT security.
There may be 38.6 billion IoT devices in the world by 2025, and every single one needs a unique ID in the form of a serial number from its manufacturer. Returning to our analogy of a thief in a building, if they knew that somebody authorised to be in the building was named John Smith, they could easily claim to be him if confronted, unless there was another way to verify who is and isn’t John Smith. Clearly, serial numbers could be counterfeited in much the same way, so, much as with logging into sensitive accounts, there needs to be a second form of identification that is much more difficult to counterfeit, in order to guarantee that each IoT device is unique.
Public Key Infrastructure (PKI) is already used across the internet to create a ‘root of trust’ between devices, applications and people, and it can be used to secure IoT. Key injection is a technique used to place a private key known only to the manufacturer into each device and generate a public key that everyone in the supply chain can use to check the identity, and therefore the authenticity, of each device.
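The two ideas above, that a serial number alone can be copied and that the injected key pair is the second, uncopyable form of identification, can be shown end to end in code. The following is an added example written for this article, not Utimaco's or any product's code. It assumes ECDSA on P-256 from the Go standard library, a constructed serial number "SN-0001", a manufacturer root key that stands in for the key an HSM would hold, and a second, unrelated root key that stands in for a counterfeiter's own key material. Provisioning plays the role of key injection; authentication first checks the manufacturer's signature over (serial, public key) and then asks the device to sign a fresh nonce, so that a copied serial number or a copied certificate is rejected in one of the two steps.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// DeviceCert binds a serial number to the public half of the injected key; Sig is the root key's signature over both.
type DeviceCert struct {
	Serial string
	Pub    *ecdsa.PublicKey
	Sig    []byte
}

// Device models one IoT component: the injected private key never leaves it.
type Device struct {
	priv *ecdsa.PrivateKey
	Cert DeviceCert
}

// NewRootKey creates the manufacturer's signing key (held in an HSM in production).
func NewRootKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// certDigest is what the root key signs: SHA-256(serial || DER-encoded public key).
func certDigest(serial string, pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte(serial))
	h.Write(der)
	return h.Sum(nil), nil
}

// Provision is the key-injection step: generate a device key pair and have the root key certify its public half with the serial.
func Provision(root *ecdsa.PrivateKey, serial string) (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	d, err := certDigest(serial, &k.PublicKey)
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, root, d)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k, Cert: DeviceCert{Serial: serial, Pub: &k.PublicKey, Sig: sig}}, nil
}

// SignChallenge is the only use the device makes of its private key: proving possession by signing a verifier-chosen nonce.
func (dev *Device) SignChallenge(nonce []byte) ([]byte, error) {
	sum := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, dev.priv, sum[:])
}

// Authenticate is the check a peer runs. Step 1: did the manufacturer vouch for this (serial, public key) pair?
// Step 2: can the presenter sign a fresh nonce with the matching private key? A copied serial or certificate fails one of them.
func Authenticate(rootPub *ecdsa.PublicKey, cert DeviceCert, sign func([]byte) ([]byte, error)) (bool, error) {
	d, err := certDigest(cert.Serial, cert.Pub)
	if err != nil {
		return false, err
	}
	if !ecdsa.VerifyASN1(rootPub, d, cert.Sig) {
		return false, nil
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	sig, err := sign(nonce)
	if err != nil {
		return false, nil
	}
	sum := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(cert.Pub, sum[:], sig), nil
}

func main() {
	root, _ := NewRootKey()
	genuine, _ := Provision(root, "SN-0001") // constructed serial number
	other, _ := NewRootKey()                 // stands in for a counterfeiter's own key material
	clone, _ := Provision(other, "SN-0001")
	ok, _ := Authenticate(&root.PublicKey, genuine.Cert, genuine.SignChallenge)
	fmt.Println("genuine device:", ok) // true
	ok, _ = Authenticate(&root.PublicKey, clone.Cert, clone.SignChallenge)
	fmt.Println("same serial, uncertified key:", ok) // false
	ok, _ = Authenticate(&root.PublicKey, genuine.Cert, clone.SignChallenge)
	fmt.Println("copied certificate, wrong private key:", ok) // false
}
```

The design choice worth noting is that the verifier never needs the device's private key and never sees it: the certificate carries only the public half, and the nonce changes on every run, so a recorded response cannot be replayed. In a real deployment the root key and the signing in Provision would run inside the HSM, and the device would keep its private key in a secure element, but the checks in Authenticate stay the same.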
Public keys in the supply chain
The IoT devices that companies use are made up of dozens of components, and given problems in supply chains and global shortages of microchip components, it can be difficult to confirm the authenticity of products. Potentially, a counterfeit component could expose an entire network to hacking, and this could be a major problem in applications like networked vehicles. Therefore, components need to be constantly exchanging, checking and re-checking private keys, and manufacturers need to have the hardware in place to make this possible. Hardware security modules (HSMs) are where key injection, and thereby supply chain security, starts: these are secured, hardened and certified components that protect the most valuable data – the keys. They are also far more efficient than software solutions when it comes to creating random numbers – true randomness in computing is a more difficult process than you might realise.
With these keys in place IoT security becomes much less fraught. These same principles can help to secure data in transit between devices, preventing ‘eavesdropping’, and secure cloud-based systems that are increasingly part of IoT solutions. Each component can identify itself as authentic and unique, and as PKI encryption is extremely difficult to crack, particularly when it is secured by HSMs, it becomes much harder for bad actors to establish a foothold in an IoT network.
Creating a holistic security infrastructure for IoT isn’t just business critical – in a world where everything is communicating with everything else it is vital that everything from smart city networks down to individual smart devices is secure.
To learn more, visit: https://utimaco.com/solutions/industries/manufacturing-iot
About the Author
Nils Gerhardt is the Chief Technology Officer for Utimaco, a leading provider of cyber security solutions, and board member of the IoT M2M Council. Before joining Utimaco, Nils worked at Giesecke + Devrient in various executive management roles with regional and global responsibilities in Germany, Canada and the USA. As Chairman of the Board of GlobalPlatform, a global industry organization, Nils brought major companies together to define the standards for secure digital services and devices.
Nils can be reached online at @Nils Gerhardt on LinkedIn and at our company website https://utimaco.com/