How can Device certificates secure IoT communications?

by Anastasios Arampatzis

The proliferation of IoT in industrial settings adds value, transforming manufacturing, transportation, power generation and a variety of other industries with greater automation, new services, and more efficient allocation of resources. However, Industrial IoT (IIoT) has increased the threat surface, with many industries falling victim to some of the largest cyber-attacks seen to date, including the infamous Mirai botnet. These persistent and sophisticated attacks are enabled by a lack of consistent, reliable security in IoT devices.

In an unstable and changing global environment, enterprises are facing new types of security challenges every day. Remote working requirements forced industries to implement overnight solutions to secure remote access for a larger number of employees and devices, increasing the need for reliable, seamless and consistent authentication and authorization approaches.

To address this new normal, security teams have relied on the use of Public Key Infrastructure (PKI)-based authentication using digital certificates. The TLS cryptographic protocol is a critical technology that enables security in both IoT and remote-work environments.

Certificate-based authentication

PKI enables the secure electronic transfer of information for almost all digital systems. The basic mechanism that enables this security is the TLS/SSL certificate. We may define PKI as a set of roles, policies, hardware, software and procedures required to create, manage, distribute, use, store and revoke digital certificates and other public keys and to manage public key encryption.

SSL certificates are used to verify the identities of both sides of the communication, enabling encryption for people, machines, applications, websites and any internet-facing endpoint needing proof of identity. They ensure the integrity of transactions between people, machines and even different software programs.

A digital certificate is issued by a trusted entity (known as a Certificate Authority), like DigiCert, contains permissions, and is used to identify the holder of the certificate. It contains a public key, which is only useful in conjunction with the associated private key, which is held by the certificate holder.

An IoT device can verify that the certificate holder is the entity specified by the certificate. These services are enabled using public/private key cryptography. The device can verify that the holder of the certificate is really who it claims to be and not an imposter. 

Digital certificates can be used in various use cases to secure critical communications between ICS components.

Replace passwords with user identity certificates

Offering secure remote access to critical industrial assets starts with ensuring the identity of the individual. Passwords have long been a vulnerability, since attackers have become adept at tricking employees and stealing passwords. In addition, botnets have exploited weak and default passwords in attacks against IoT devices. Certificate-based digital identities are the strongest form of identity, offering a superb user experience, reducing the burden of remembering, updating, and managing passwords, and enabling higher levels of security for IoT devices.

Seamless authentication of industrial IoT devices

Phone- or token-based multi-factor authentication provides an extra layer of security beyond the use of simple passwords. While this two-step approach reduces the chance that credentials are compromised, it introduces more complexity. Multi-factor authentication is also not an option for authenticating IoT devices, as they must perform authentication without human assistance.

For remote employees and IoT devices, SSL certificates not only offer the strongest form of identity authentication, but also simplify the connection process. The keys associated with the certificate are stored directly in these devices, providing automatic authentication without requiring any human interaction.

Automate issuance of IoT identity certificates

While it is increasingly feasible to authenticate and secure industrial IoT devices without having to use passwords or enter additional authentication codes, managing and maintaining the many digital certificates across an entire enterprise can become a challenging task. Using manual processes to manage certificates can be labor-intensive, technically demanding, and error-prone. For effective identity management, the issuance and lifecycle management of digital certificates must be automated. Automation empowers security teams to issue, revoke, and replace certificates quickly, reliably and at scale, while alleviating the management burden.

Automated certificate issuance is critical for industrial IoT devices. Sound security policies require periodic key changes. This process becomes more difficult as the geographic size of the ICS increases, with extensive SCADA systems being the most severe example. Because site visits to change keys can be costly and slow, it is useful to be able to change keys remotely. The vast numbers of devices alone make manual certificate-renewal impractical. In addition, many IoT devices don’t support a user interface, or are located in remote locations, making automated management imperative.
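
An added example (not from the original article or from any vendor's tooling) of the renewal decision an automated certificate manager makes across a device fleet. The inventory, device names, action labels and the two-thirds renewal threshold are constructed assumptions.

```python
import ssl

# Constructed inventory: validity dates use the text format that
# ssl.SSLSocket.getpeercert() reports for notBefore / notAfter.
INVENTORY = [
    {"device": "plc-01", "not_before": "Jan  1 00:00:00 2024 GMT",
     "not_after": "Dec 31 00:00:00 2024 GMT"},
    {"device": "rtu-17", "not_before": "Jan  1 00:00:00 2024 GMT",
     "not_after": "Mar 31 00:00:00 2024 GMT"},
    {"device": "sensor-42", "not_before": "Jun  1 00:00:00 2023 GMT",
     "not_after": "Feb  1 00:00:00 2024 GMT"},
    {"device": "hmi-03", "not_before": "Apr  1 00:00:00 2024 GMT",
     "not_after": "Apr  1 00:00:00 2025 GMT"},
]


def classify(record, now, renew_fraction=2 / 3):
    """Return the lifecycle action for one certificate at `now` (epoch seconds)."""
    start = ssl.cert_time_to_seconds(record["not_before"])
    end = ssl.cert_time_to_seconds(record["not_after"])
    if end <= start:
        return "invalid"        # malformed validity window: never trust it
    if now < start:
        return "not_yet_valid"  # pre-issued certificate or clock skew
    if now >= end:
        # Assumption: an expired certificate can no longer authenticate its
        # own renewal request, so the device needs out-of-band re-enrollment.
        return "re_enroll"
    used = (now - start) / (end - start)
    return "renew" if used >= renew_fraction else "ok"


def plan_renewals(inventory, now, renew_fraction=2 / 3):
    """Map each device name to its action, ready to feed an issuance queue."""
    return {r["device"]: classify(r, now, renew_fraction) for r in inventory}


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Mar  5 00:00:00 2024 GMT")
    for device, action in plan_renewals(INVENTORY, now).items():
        print(f"{device:10s} {action}")
```

Renewing at a fraction of the lifetime rather than at a fixed number of days keeps short-lived and long-lived certificates on the same policy, and leaves time to retry before a remote device drops off the network.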

Considerations

Before deploying any encryption and authentication mechanism, industries should first determine the applicability of the solution due to the constrained nature of IIoT. The use of encryption within an ICS environment could introduce communications latency due to the additional time and computing resources required to encrypt, decrypt, and authenticate each message.

For ICS, any latency induced from the use of encryption, or any other security technique, must not degrade the operational performance of the end device or system. Before deploying encryption within an ICS environment, solutions should go through extensive performance testing. NIST SP 800-82 Revision 2 recommends that encryption at OSI Layer 2 should be considered, rather than at Layer 3, to reduce encryption latency.

For an ICS, encryption and authentication should be deployed as part of a comprehensive, enforced security policy. Organizations should select protection based on a risk assessment and the identified value of the information being protected and ICS operating constraints. Specifically, the cryptographic key should be long enough so that guessing it or determining it through analysis takes more effort, time, and cost than the value of the protected asset.

The encryption hardware should be protected from physical tampering and uncontrolled electronic connections. Assuming cryptography is the appropriate solution, organizations should select cryptographic protection with remote key management if the units being protected are so numerous or geographically dispersed that changing keys is difficult or expensive.

How ADACOM can help

Certificates issued and managed using PKI enable devices and systems to perform strong mutual authentication and encryption. Manufacturers building IoT devices and enterprises managing remote workers must be proactive by ensuring the proper security capabilities. PKI-based authentication is a method for ensuring strong security for both devices and users.

ADACOM has more than 20 years of experience in providing different types of certificates, successfully delivering complex Managed PKI and on-premise PKI projects all over Europe. In addition, ADACOM, in cooperation with DIGICERT, is issuing large volumes of device certificates securing different sectors of the ICS market. Industrial organizations may either contact ADACOM’s PKI experts to seek advice on how to secure their IoT connected devices or buy the required TLS/SSL or Device certificates from ADACOM’s e-shop.

 
