The Internet of Things (IoT) is pushing full steam ahead through 2018, and it is already understood that the IoT is transforming businesses through Smart innovation and operational efficiencies, which extend far into our daily lives. Large organizations such as Microsoft, Amazon and PTC have already invested billions in the IoT and continue to do so with their IoT platform offerings. However, there are still a few challenges affecting project deployments, particularly in the area of security and risk. Implementing a credible IoT security approach is one thing, but of equal importance is the ongoing operational management of security credentials and operations, especially for large IoT device roll outs that may consist of hundreds of thousands of devices.
It is critical to protect the IoT application platform from malicious devices that could potentially supply polluted data, render datasets useless and compromise entire systems. Enabling security on a handful of devices is one thing but enabling security on thousands of devices can be quite another, let alone the on-going management of the security on tens of thousands of devices. An operational nightmare and a big headache for anyone if that’s in your job description!
Simply put, traditional IT security cannot be applied to IoT. For example, with HTTP/S and traditional web browsing, the server determines the authenticity of the user through incoming username and password (in simple terms), and the user (e.g. browser) determines the authenticity of the server through CA signed certificates. This is a scalable model in the sense that the server does not need to provision credentials (e.g. usernames and password) to the millions of users. Users take care of this themselves, e.g. when signing up to a service.
However, for IoT it is different as IoT devices are not humans. For example, how does an IoT platform verify the authenticity of 10,000 headless IoT devices, when the device has no associated user to enter a user name and a password?
All of a sudden, we have a provisioning challenge. The 10,000 devices must have credentials that they can present to the IoT platform to authenticate themselves, similarly to how a user signs into a webpage with username and password. The device credentials could for example be in the form of a tokens, certificates, app keys etc.
If the IoT platform (e.g. Azure IoT Hub) demands token authentication, each of the 10,000 devices need a token to authenticate to the platform. This potentially means that not only do you need a provisioning solution in place to generate and provision tokens, but also a way to rotate such tokens before they expire. If the tokens are not renewed, thousands of devices that feed critical data to the system, will simply fail to authenticate and will be denied access to the platform.
Similar provisioning challenges also apply to data confidentiality, where large system deployments or regulations demand rotation of crypto keys to keep sensitive data encrypted in motion and at rest.
The Industrial Internet of Things (IIoT), and smart factories in particular is one vertical where security becomes an increasingly important issue over traditional factories which are not smart/connected. Secure device management at IoT scale is critical to prevent system failure that results in physical damage to property or human injury/fatality.
See a real example at the European 4.0 Transformation Center (E4TC) located in Aachen University Industry Campus. PTC’s Energy Monitoring IoT Devices from different machinery on the shop floor transfer data (Details of Power, Voltage & Current) to the analytics platform over Internet.
Data confidentiality and encryption at rest is also critical to protect against industrial espionage, for example, rouge nations could read data from work cells, copying data sourced from machining centers, essentially recreating entire machining operations (Reference AMRC Milling Machine Demo).
Check out the Advanced Manufacturing Research Centre which hosts Factory 2050, the UK’s first fully reconfigurable assembly and component manufacturing facility for collaborative research. PTC leverages the AMRC to build demonstrators to showcase industrial IoT applications, with a view to shorten sales cycles. A continuous collaborative effort is being made to integrate Device Authority’s KeyScaler platform into new and existing demonstrators.
If the IoT platform demands mutual TLS (e.g. AWS IoT) for two-way authentication, there is another challenge because 10,000 unique certificates need to be generated and provisioned, not only to the device, but also to the IoT Platform. Certificate expiry, rotation, revocation are all security operations that needs to be managed, and for such a large number of devices, this is complex, time consuming and expensive.
A software-based solution that can automate security operations at scale in a secure manner will be critical to the success of IoT implementations. The sooner it is integrated/built in, the better the experience for the customer / end user.
Learn more about how Device Authority’s KeyScaler platform can solve key security challenges for IoT platforms and their customers. See how we’re already working with PTC ThingWorx to deliver robust IoT security to Enterprises.
Back in May 2017 the EU, through its Medical Device Coordination Group (MDCG) published the Medical Device Regulation (MDR) (EU) 2017/745, which came into effect on 25th May 2017. The regulation was put together to ensure high standards of quality and safety for medical devices being produced in or supplied into the EU. Manufacturers of currently approved medical devices have until May 26th, 2021 to meet the requirements of the regulations. Even if a product is Medical Devices Directive (MDD) compliant, they still need to meet these new regulations.
The Open Web Application Security Project (OWASP) recently updated its 2018 Top 10 IoT vulnerabilities list. As can be expected there are a number of lists compiled at the end of the year to capture and summarize trends, events and activities. The following updated list from OWASP of IoT vulnerabilities that caught our attention as it very nicely keeps it to a limit of 10 and more importantly, we can help do something about it!
