
Understanding Cybersecurity in IoT: The Power of Small Steps


In today’s digital world, the Internet of Things (IoT) is everywhere. From smart watches and televisions to connected vehicles and medical devices, it’s hard to find an aspect of our lives that’s not impacted by the IoT.

And as the IoT becomes increasingly intertwined in our day-to-day, security becomes even more important. We need to trust these devices, and the key building block to trust in the digital world is cybersecurity.

Of course, we all know that finding scalable solutions to strengthen cybersecurity and establish digital trust is quite complex. That’s why taking small steps that divide the work into more manageable parts is the best approach to building a scalable solution for cybersecurity in IoT.

This was the premise behind a recent Keyfactor webinar on understanding cybersecurity in IoT. Here are the top highlights from the discussion.

Establishing digital identities as the foundation for IoT security

Identities are the foundation of IoT security. Identities underpin everything from digital certificates that help establish a TLS connection to device authentication.

But once again, designing and applying a digital identity infrastructure is complex. This complexity often leads organizations to take shortcuts or, unknowingly, to implement solutions incorrectly. For example, it’s all too common to find organizations using self-signed, unmanaged TLS certificates. The fact that these certificates are both self-signed (meaning there’s no trustworthy authority behind them) and unmanaged (meaning there’s no expiration or revocation when issues arise) makes them inherently insecure.

Consider how identities work for people in the real world: You likely have a passport, a driver’s license, and a social security card that all verify your identity for different purposes (traveling, driving, access to services, etc.). These are each issued by a trusted government body and, in the case of a passport and driver’s license, have expiration dates. In turn, various groups can use these forms of identification to confirm that you are who you say you are and there are no outstanding warrants against you.

Device identities work similarly, with identification methods like MAC addresses, SIM cards, and certificates all in use today. The strongest ID document for a device is a short-lived certificate issued by a well-controlled and hosted public key infrastructure (PKI). These certificates are the strongest form of ID because they provide the most detail, require regular updating, and trace back to multiple roots of trust. Additionally, they allow for mutual authentication, meaning that when a device is trying to connect to a server, not only can the server confirm the device’s identity, but the device can confirm it’s connecting to the appropriate server.

Building on the digital identity foundation with a zero-trust environment

While strong device identities and management create the foundation for scalable cybersecurity in IoT, they’re only the beginning. The next layer of security comes from establishing a zero-trust environment, or one in which you don’t trust any device by default and only grant access with the minimum required privileges after regular ID checks and constant monitoring.

This type of zero-trust approach stands in contrast to the more traditional perimeter approach to security, in which devices within a defined perimeter guarded by a firewall are generally trusted. In an IoT-driven world, however, this perimeter approach no longer provides sufficient security.

A zero-trust approach provides tighter cybersecurity by:

  • Focusing on authenticating devices based on identities, rather than location
  • Regularly checking (and re-checking) IDs to authenticate on an ongoing basis, rather than trusting long-term based on an initial check
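
The checks described above, as an added example that is not part of the original article or of any Keyfactor product: a Python TLS server context that requires a device certificate from a private CA, plus an admission policy that rejects self-signed, long-lived, revoked or stale identities. The 30-day lifetime, the 15-minute re-check interval, the function names and the sample certificates are assumptions made for the illustration.

```python
import ssl
from datetime import timedelta

MAX_LIFETIME = timedelta(days=30).total_seconds()      # assumed policy value
RECHECK_AFTER = timedelta(minutes=15).total_seconds()  # assumed policy value

def server_context(ca_file, cert_file, key_file):
    """Server side of mutual TLS: demand a device cert chained to our own CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED        # handshake fails without a client cert
    ctx.load_verify_locations(cafile=ca_file)  # trust only the device PKI root
    ctx.load_cert_chain(cert_file, key_file)   # server's own identity, checked by the device
    return ctx

def admit(cert, now, revoked_serials, last_checked=None):
    """Policy applied after chain validation; cert has the SSLSocket.getpeercert() shape."""
    if not cert:
        return False, "no client certificate"
    if cert["subject"] == cert["issuer"]:      # defense in depth on top of chain checks
        return False, "self-signed"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False, "outside validity period"
    if not_after - not_before > MAX_LIFETIME:  # identity is not short-lived
        return False, "lifetime exceeds policy"
    if cert["serialNumber"] in revoked_serials:
        return False, "revoked"
    if last_checked is not None and now - last_checked > RECHECK_AFTER:
        return False, "re-authentication required"  # do not trust an old check
    return True, "ok"

def sample_cert(cn, issuer_cn, not_before, not_after, serial):
    """Constructed test input in the getpeercert() dict layout."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "notBefore": not_before, "notAfter": not_after, "serialNumber": serial}

# Constructed sample data (not real devices, CAs or serial numbers).
NOW = ssl.cert_time_to_seconds("Mar  8 12:00:00 2024 GMT")
CA, START, END = "Example Device CA", "Mar  1 00:00:00 2024 GMT", "Mar 15 00:00:00 2024 GMT"
GOOD = sample_cert("sensor-0001", CA, START, END, "0A1B")
SELF_SIGNED = sample_cert("sensor-0002", "sensor-0002", START, END, "0A1C")
LONG_LIVED = sample_cert("sensor-0003", CA, START, "Mar  1 00:00:00 2034 GMT", "0A1D")
REVOKED = {"0A1E"}
```

In a server, `admit()` would be called with the dict from `getpeercert()` on each accepted connection and again on a timer for long-running sessions, with `last_checked` set to the time of the previous successful check.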

However, it’s important to note that certain IoT devices might not have the bandwidth to handle frequent identity checks. In these cases, it’s still possible to maintain a zero-trust approach with TLS connections, which offer a longer-term option while still maintaining a higher level of security.

Additionally, servers in a zero-trust environment are typically capable of filtering out connection requests from non-authorized devices, which can help resist certain attacks like DDoS. They can also detect abnormal device behavior and take immediate action to disconnect or quarantine the device.

And of course, it’s critical for the zero-trust approach to work both ways, as IoT applications should have TLS connection points that only grant permission or access to upload certain data from a limited database. They should also check all software updates for a code signature to ensure each update comes from the correct source, periodically send reports on their health, and include remote admin capabilities as a failsafe.

Creating long-term scalability with cryptoagility

Finally, building IoT devices and establishing cybersecurity with cryptoagility in mind is essential for long-term scalability. This has recently become a big topic of discussion following Google’s announcement about shutting down its core IoT service – a move that has many companies that built around the service scrambling to plan for established devices.

In general, this situation shines a light on the fact that architecting around a single vendor without the use of open standards, especially one for whom cryptography is not core to its existence, can be risky. The most stable programs will instead rely on open standards – which many vendors follow – because using these standardized protocols makes it much easier to switch vendors as needed.

Using open standards not only allows for more vendor independence (both by choice and by necessity, in the case where vendors discontinue offerings like Google is doing), but it also supports greater cryptoagility as algorithms evolve and strengthen over time.

Maintaining high cryptoagility, so that you can evolve alongside algorithms and update the certificates used within devices accordingly, is extremely important to building cybersecurity for your IoT program that can stand the test of time. And with some devices living in the field for decades, this longevity is essential.

Getting started with cybersecurity in IoT

Getting started with cybersecurity in IoT can be daunting: It’s a complex topic that requires serious, ongoing attention. Fortunately, breaking up what needs to be done into smaller steps can help make it easier to achieve the necessary level of security.

For more on what’s involved, click here to watch the full webinar on understanding cybersecurity in IoT.