Rising Above Complexity to Secure IoT Devices

The internet of things (IoT) has truly come of age, and innovative new use cases are emerging all around us. Each day, we’re seeing the IoT in businesses and factories, cities, vehicles and transportation systems—and in our daily lives. Studies show that in consumer markets like fitness, healthcare, automobiles, and the home, the IoT market is expected to register a CAGR of 17.52% during the forecast period of 2021-2026.

For commercial environments, 40% of participants in an Eclipse Foundation survey said that their organizations are using IoT solutions today, and 22% more plan to deploy IoT in the next two years.

However, if we take a closer look at the internet of things, some hidden threats emerge. It’s evident that many manufacturers rushing to get their products to market are bypassing the important step of security. Many are often taking shortcuts that are putting their devices at risk when they go into the field to support real-world use cases.

To complicate the issue, almost every IoT device has three key inherent vulnerabilities. The first is authentication. The IoT is all about connecting to other things, so authenticating the right users and anything the device connects to is essential. 

Confidentiality is the second common vulnerability in IoT devices. The IoT is also based on generating new data that becomes actionable. If that data is not protected, it’s useless, so ensuring confidentiality is a must.

Finally, it is important to know that the data that’s being generated and collected by these devices can be trusted. Additionally, knowing the device is operating in a state of integrity and configuration settings haven’t been manipulated is also important. Data integrity becomes the third common vulnerability amongst these devices. 

Complexity Introduces Unique Challenges

For security professionals that work with these issues all the time, authentication, encryption and data integrity may not seem particularly challenging. What makes securing the IoT different? The answer lies in its complexity. 

Although every IoT device is connected and transmitting data, each has unique attributes that require distinct approaches when solving for cybersecurity.

The first one is communication protocol. IoT devices leverage Bluetooth, Wi-Fi, cellular and short-range communication protocols to communicate in many different ways. Each protocol has unique attributes and each requires a unique security approach.

The second complexity is the environment in which these devices are deployed. For example, a satellite hovering in the atmosphere is obviously a very different environment from a smart home, and each has distinct security needs. A hospital, with its specific medical regulatory requirements, will have security needs that are extremely different from those of a small business. The variation in environments needs to be thought through when addressing cybersecurity.

The third complexity that has to be considered is the computation and battery power requirements of devices, which can vary wildly. IoT devices designed to monitor soil moisture in a farmer’s field may have extremely low power requirements for their limited, focused functions. Devices for more complex use cases may be connected to power sources to support sophisticated operating systems or robust computations on site. These considerations all contribute to the complexity of solving the cybersecurity challenge. 

Flexibility is Essential for IoT Cybersecurity

How can a security professional solve for these common vulnerabilities and the complexity in IoT? The answer is not about simplification, but about flexibility. 

Fortunately, there is a proven security solution that delivers this flexibility. Public key infrastructure (PKI) has been widely used for decades and has been shown to deliver the robust security that IoT needs—in a way that aligns to specific use cases. 

PKI is a dynamic solution that works well today and continues to evolve to make the encryption algorithms and the infrastructure around it secure. It uses digital certificates to facilitate security across a variety of areas in the IoT value chain. 

For example, authentication certificates can be placed on an endpoint device, as well as anything that is connecting to it, to facilitate mutual authentication. Encryption certificates can also be used to make sure that the data that’s being transmitted from the device to wherever it’s going is handled in a secure way. 

Finally, PKI can support signing certificates that can be used when data packages are sent. They could protect the integrity of a piece of firmware or any data that’s being generated from the device. The digital signature ensures that the integrity of that data is intact and that the data can be trusted. 
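The firmware-signing check described above, as an added Go example that is not from the original article: a signing certificate chained to a pinned root CA, an ECDSA P-256 signature over the image, and the device-side verification. The function names, certificate subjects and the choice of P-256 with SHA-256 are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue builds a constructed certificate for a fresh ECC P-256 key; a nil parent yields a self-signed root CA.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 0, 1), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil { // root CA: key usage is certificate signing only, no code-signing EKU
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = t, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)))), key
}
// signFirmware is the manufacturer side: an ECDSA signature over the SHA-256 digest of the image.
func signFirmware(key *ecdsa.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}
// verifyFirmware is the device side: chain to the pinned root, require code-signing usage, then check the image.
func verifyFirmware(root, signer *x509.Certificate, image, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("untrusted signer certificate: %w", err)
	}
	return signer.CheckSignature(x509.ECDSAWithSHA256, image, sig)
}
func main() {
	root, rootKey := issue("Constructed Root CA", nil, nil)
	signer, signKey := issue("Constructed Firmware Signer", root, rootKey)
	fmt.Println("genuine image:", verifyFirmware(root, signer, []byte("constructed image"), signFirmware(signKey, []byte("constructed image"))))
}
```

Go's `Certificate.Verify` does no revocation checking, so retiring a compromised signing certificate needs a separate mechanism on the device.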

The flexibility of PKI extends to how and where it is used. It can work smoothly with any type of communications protocol and can also be deployed in many types of environments. Traditionally, PKI has been deployed in the cloud, but more recent use cases have pushed manufacturers to implement a zero-trust environment for greater security, and PKI can also work smoothly in these on-premises situations.

Public key infrastructure is also flexible enough to work with any type of IoT device, using unique encryption algorithms like ECC and RSA. The certificates can be scaled up or scaled down to meet the specific demands of IoT devices. 

As IoT continues to mature, its complexity, use cases and security challenges will only continue to grow. The good news is that PKI provides security professionals with a versatile, scalable foundation for security that will enable them to keep pace with new challenges for years to come. 

Mike Nelson

Mike Nelson is the VP of IoT Security at DigiCert, a global leader in digital security. In this role, Nelson oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Nelson frequently consults with organizations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them. Nelson has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Nelson’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.