The massive footprint of today’s internet of things (IoT) connected devices are delivering data fidelity like never before, leading to new levels of intelligence, automation, and efficiency. Yet with this proliferation of devices, now totaling more than 14 billion, the number of endpoints they encompass is incredible. It presents a vast attack surface for hackers and has led to some disastrous IoT exploits, as a result. The DDoS, ransomware and crypto-mining capabilities of iot botnet Mirai and the IoT and Linux server exploits of Muhstik, are two recent examples.

What PKI approach and security measures should you consider for protecting these assets and defending against these and future exploits? It is probably most helpful to work backwards and examine the five key security challenges IoT devices face, then look at what approach can be used to best meet these challenges.

Five key IOT security challenges

1. Insecure authentication protocols

Insecure protocols is the number one threat Iot devices face. Field area networks and especially mesh networks often have insecure protocols that are either not up to date or the protocols themselves are not poorly designed.

2. Man-in-the-middle attacks

With man-in-the-middle attacks, the hacker can intercept traffic, change traffic, and completely change your view into your operations and become an advanced persistent threat.

3. Device hijacking

Device hijacking happens when your IoT network or ecosystem is accessed and devices are attacked and compromised. Hijacked devices represent a serious security risk and bot-based attacks, such as the Mirai botnet, have compromised hundreds of thousands of devices, now at the command and control of the botnet manager.

4. Weak encryption

Weak encryption can lead to significant security vulnerabilities and breaches. Insufficient key links and key types and compromised encryption key storage are contributing factors. But even if encryption is done properly on the server side, your level of protection is only as good as how well your devices are being protected.

5. Poor coordination between IT and OT

How well IT functions with operational technology (OT) is key in maintaining proper device protection. Attack surfaces will appear to hackers if these systems fail to work in concert. Bad or missing authentication and insecure communications are just two of the symptoms.

PKI protection best practices

So how can you best defend against these challenges and what best practices should you follow in deploying a robust public key infrastructure? Here are some considerations for building effective PKI protection.

Scope and threat models

First, you need to examine what are the types of devices you are protecting, what use cases do they represent. Knowing this upfront will help you decide the specifics around what type of keys to create, what key links to use, and what protocols to develop to ensure secure IoT. Also, you should understand the type of risks your devices will face so you can create proper counter measures to face down these potential attacks.

Knowing the attack probabilities, and what the scope of an attack will bring is also essential for your plans. What will be the result If a device or collection of devices gets attacked and compromised? What gets exposed or lost in that event? Answering these questions will help you create a portfolio of controlling mitigations and protections.

PKI operations

You need to define how to operate your public key infrastructure, its policies, and procedures, and how you document it all within a certificate practice statement.

Developing proper key creation and management is essential, such as building the route CA, the route signing ceremony to create the initial root key, and putting these into a high-security module disconnected from the internet in a secure room, with high assurance.

Next, you need sufficient availability in face of denial of service attacks as well as a full chain of custody for your keys and how they interact with other trusted systems. This means building and configuring all the infrastructure behind the scenes to support the uptime and failover requirements. Management systems and infrastructure systems need to be in place to support business continuity and disaster recovery.

Auditing

You must audit on a regular basis to provide adequate device protection. IoT security standards have to be up to date, meeting the IoT device cybersecurity capability core baseline. Developed by the National Institute of Standards Technology, their NIST cybersecurity framework is an effective way of analyzing and understanding risk.

Device configuration

One of the reasons why the Mirai botnet has been so successful is because many default configurations within IoT networks and devices are weak, with insufficient protocols or password requirements that don’t lead to strong passwords. Of course, this is an outdated authentication approach in the first place, compared to certificate-based authentication.

Data protection

Once a device is compromised, the data within it can give attackers deep insight into how a manufacturing plant operates or a smart grid operates so that they can step up an attack.
Today’s IoT devices are used more and more to automate operations with machine learning and AI capabilities, so the risk is even greater. In the hands of an attacker, the very command and control of mission critical operations are now at risk.

Software updates

Software update management is another important consideration. Software must be signed and the PKI infrastructure should be in place to check the authenticity of the software, where it came from, and its integrity–so the contents and meaning haven’t changed and they are cleared for the device software update.

How Intertrust can help

Fortunately, you can leave the difficulty and complexity of proper PKI protection to a trusted partner. Intertrust has managed enterprise-grade PKI for more than 12 years with some of the biggest chipset providers in the world. We’ve issued well over 20 billion keys to 2 billion devices and issued tens of millions of keys every month.

Our PKI service has never had a security breach or concern, and we offer a deep bench of capabilities and flexible provisioning, whether on the factory floor or as is more common today with IoT devices being deployed at scale, in the field. Our solution is WebTrust-certified with device protection that extends to secure highly vulnerable legacy devices using app shielding and secure key box technologies.

Learn more at www.intertrust.com