IoT ECOSYSTEMS ARE NOW AN INTEGRAL PART OF CORPORATE INFORMATION SYSTEMS AND BUSINESS AREAS. REQUIREMENTS relating to their environment COUPLED WITH A LACK OF STANDARDIZATION IMPACT THE INTRODUCTION OF CONTROLLED SECURITY FOR THESE ECOSYSTEMS.
In the face of these challenges, deploying a PKI (Public Key Infrastructure) – a reliable and recognized technology – to establish a trust platform and guarantee the digital identity of people, devices and things is widely considered to be the best solution.
But how do we adapt PKIs to these new forms of communication? How do we manage the risks to ensure a successful transition to the world of IoT? Who will assist users as they implement their projects?
Answers below from Guillaume Richard, Manager of IDnomic’s newly created Consulting Department.
How do you think it’s possible to secure IoT ecosystems?
Connected objects collect, record and share data from the physical world. They establish a link with the digital world, and this link must be protected. With IoT infrastructures, the stakes are made even higher by the fact that an attack can have a real impact on the physical world.
Cybersecurity is therefore one of the main challenges of any IoT project and must form the foundation of trust in this new phase of digital transformation. To create this virtuous cycle, innovation, trust and cooperation are key. Innovation that reinforces trust reassures users while structuring the market at the same time. In this context, PKIs offer an appropriate and proven solution to many issues ranging from user and object authentication to data integrity and personal data protection.
How does an IoT PKI differ from a PKI designed for companies with more “traditional” trust needs?
Some of our customers already have a PKI which fulfills a specific purpose, but have not considered its other potential uses. Others, still in the “thinking” phase, seek to benefit from personalized support in choosing the best scenarios (functional, rollout methods, etc.).
This is precisely when it makes sense to call on a specialized PKI provider like IDnomic.
For an IoT project, implementing a PKI comes with special needs which may require assistance. For instance, specific use cases, integrating the trust point into the object and automating the certificate lifecycle are aspects that must be taken into account.
IDnomic has solid expertise is this field, acquired in particular over the past four years through its work on ITS (Intelligent Transport Systems).
What are the advantages of the PKI that you developed for ITS, the vehicles of the future?
In the near future, all our vehicles will communicate not only with each other but also with the roadside, sharing data in order to regulate traffic, increase safety and lessen the environmental impact of transportation.
Identifying each device and securing data exchange without invading users’ privacy are the challenges that these intelligent transport systems must meet.
PKIs perfectly meet these needs, offering a trust domain to an ecosystem carrying strict requirements in terms of the number of users, message volumes and personal data protection. They offer the benefit of a flexible, secure environment which allows any intelligent transport entity to verify the integrity of messages received, prevent tampering and malicious activity during data exchange and reinforce access while ensuring the “pseudonymization” of personal data.
Does the Industrial Internet of Things face the same challenge?
Absolutely. If altered, data integrity and industrial object identification in the IoT infrastructure can directly impact critical decision-making.
The Industrial IoT (IIoT) has matured with regard to value-added use cases such as predictive maintenance and intelligent diagnostics. The issues have been clearly identified, especially in terms of broad-scale project implementation: increased attack surface, updating a fleet of connected objects, organizational impact, and so on.
Yet connected objects are not included in traditional industrial security models, standardization is relatively inexistent and certain technological aspects such as object authentication and end-to-end data protection are still not fully developed today. As a result, companies are unsure of how to best manage connected object security.
Convergence with company IT is crucial, because it allows objects to benefit from increasingly mature standards and tools (mobile device security, SIEM, etc.). PKIs are no exception, and will be one of the major technologies of this industrial security.
How can we increase the role attributed to cybersecurity in IoT projects?
Companies initially needed to determine the value that connected objects would generate for their different business areas. They did this by answering preliminary technical questions – Which objects and communication technologies should we use? – in order to provide initial data.
Cybersecurity was sometimes placed on the back burner because at first it was perceived as non-essential. This can be harmful for at least two reasons:
- Planning cybersecurity in the early stages of a project is not necessarily complex. Involving a person from the security team or analyzing the macro risks is a way to identify initial requirements and move forward on this topic simultaneously.
- Addressing cybersecurity later in the project can be extremely difficult, especially given the limitations of the objects and their communication infrastructure (e.g. cryptographic capacity, processing performance level, data storage, communication protocol).
For cases involving General Data Protection Regulation (GDPR) compliance or the management of ongoing compliance with security requirements, the chosen solution is adapted after the fact. But an approach known as “privacy by design” takes account of cybersecurity requirements from the outset so solutions don’t have to be adapted at a later stage.
The role of IDnomic’s Consulting Department is precisely to help our customers clarify their needs and determine whether they can be met by a PKI. Of course, a PKI is not systematically proposed. Our analysis, potentially combined with a Proof of Concept (PoC) phase, makes it easy to gain an initial understanding of existing needs.
We also work with players involved in the IoT, including industry stakeholders who use the objects as well as object manufacturers who play a key role in rolling out security solutions. Lastly, we aim to work in close collaboration with our partner integrators, who are involved from start to finish in projects in which a PKI has been deployed.
What approach would you recommend to customers seeking to secure their IoT infrastructure?
We recommend a pragmatic approach that consists in choosing a sub-set of the IoT infrastructure to assess the PKI’s ability to enhance security.
This allows customers to determine whether the solution meets their IoT need, to measure the complexity of integrating the solution into their environment for industrial purposes, and to analyze the requirements stemming from their ecosystem as well as the effort needed for successful deployment.
This type of assessment, which is simple and reassuring, makes it possible to quickly make choices that are necessary for the implementation of connected system security in compliance with industry standards.
In fact, this is the reason we set up a PoC program dedicated to IoT markets. We adapt our program to use cases, addressing both the manufacturers and users of connected objects. This attractive, exclusive offer is managed by the Consulting Department and Project Team at IDnomic.