IoT security hinges on effective device enrollment with public key infrastructure


The number of internet of things (IoT) devices has reached critical mass. Today, roughly 27 billion connected devices inhabit our world, and Statista estimates that there will be 38.6 billion by 2025 and around 50 billion by 2030. That is a lot of devices. But connecting devices is only the first challenge IoT has had to overcome. Securing them is the next hurdle that must be cleared if IoT's rapid rise is to turn into sustainable long-term adoption.

The importance of IoT security can't be overstated. As IoT devices connect to the internet, they share information. Protecting the integrity of the data they share and the privacy of whom they share it with can mean the difference between operating with confidence and suffering a device, data or system compromise. This is especially true for high-value devices and networks such as medical devices, automotive systems and critical IoT infrastructure like smart utilities.

IoT security starts with Public Key Infrastructure (PKI)

Usernames and passwords are obsolete and insecure, and dependency on them has declined, according to the 2019 Ponemon Institute Global PKI and IoT Trends Study. The same study reported that PKI provides important core authentication technologies for the IoT, a view many companies in the IoT industry share.

Figure 1. PKI, as a certificate-based device authentication process, allows IoT endpoints/devices to request certificates from a Certificate Authority via an enrollment server/service to create unique, strong and secure device identities. (Source: GlobalSign)

PKI Challenges

But knowing the right technology to use doesn't always mean it is easy to implement. Even with a seemingly clear and defined path to IoT security, some find PKI a challenge, especially the device enrollment functions that are key to provisioning unique, strong and secure device identities. PKI is a system that binds a unique digital certificate, issued by a Certificate Authority, to each individual device so that the device can be securely authenticated. With a unique, strong device identity, IoT devices (or things) can authenticate when they come online, secure their communication with other devices, services and users, and prove their integrity.

GlobalSign provides IoT device identity enrollment, which is one part of the broader IoT device enrollment scope. Device identity enrollment is where devices are onboarded to the PKI, typically through an enrollment server or service, sometimes referred to as a registration authority. The enrollment service is configured with policies and verification protocols that review each device, confirm it is eligible to join the PKI and allowed to request a digital certificate, and verify that it is the device it claims to be.

In-house development of the hardware and software systems and protocols necessary to establish secure enrollment is tricky. A number of factors contribute to this.

There is currently a shortage of trained PKI and enrollment specialists, which makes on-premises setup and management problematic. Enrollment needs to be precise. And while it may be fiscally attractive to assign PKI responsibility to a junior manager, that person may not be dedicated solely to PKI management, so security nuances can be overlooked, rendering IoT security ineffective altogether. The lack of uniform IoT security guidelines, standards or regulations compounds the uncertainty, leaving even more room for error. Finally, spinning up a PKI is no easy task. It can be cumbersome and expensive, especially when the digital identities need to be globally recognized and trusted. In many instances on-premises or free PKIs do not offer the level of assurance necessary to properly secure device identities in a global environment.

Figure 2. Professionally developed, globally recognized commercial enrollment services adhere to the latest security standards to ensure proper PKI device enrollment, eliminate staffing issues, overcome cap-ex development challenges, and deliver management capabilities. (Source: GlobalSign)

Fortunately, many companies are finding PKI success by working with Certificate Authorities that provide PKI platforms along with full-featured IoT device identity enrollment services. These managed services eliminate the need for on-premises teams by offering proven technology as well as the proficiency of experienced PKI experts fluent in the most current security best practices and standards. They also convert the costly capital expenditure of an on-premises PKI setup into a predictable monthly operating expense that is more favorable to operating budgets.

Simplified, Optimized and Hardened Device Enrollment

We’ve found that both IoT device manufacturers and critical infrastructure operators alike want three main results from their identity enrollment services. They want simplified configuration, set up and device identity enrollment; optimized operation of and enrollment to a PKI; and hardened enrollment protocols and device security. Let’s take a look at each.

Simplified configuration, setup and device identity enrollment. As mentioned above, PKI and the device identity enrollment function can be challenging. Electing to use a managed PKI and an identity enrollment service eliminates costly in-house development, implementation risk and management concerns, freeing up valuable resources to focus on a company's core competencies. And while many companies are still stitching together multiple vendors to address the various steps of PKI and device enrollment, a consolidated platform built on an integrated framework closes the gaps between those steps and ensures proper setup.

Optimized operation of and identity enrollment to a PKI. A cloud-based, packaged identity enrollment solution offers the reliability, availability and scalability of a well-designed commercial registration authority at a fraction of on-premises costs. It delivers a secure, commercial-grade device identity management service at your fingertips, easing operational responsibilities and concerns. Since certificate management is becoming an increasingly important function, an identity enrollment service that also manages certificates across their lifecycle is becoming a requirement. When a PKI-based IoT identity platform is also backed by a WebTrust-audited Certificate Authority, it offers the most secure and direct certificate issuance.

Hardened identity enrollment protocols and device security. Every IoT ecosystem establishes its level of assurance based on its own criteria and acceptable level of risk. The higher the value of the IoT device, gateway, network or ecosystem, the more stringent the identity enrollment protocol must be to maintain security assurance. A PKI and identity enrollment service that takes a layered approach to security, with multiple options for identity enrollment policies and protocols, and that can accommodate various levels of assurance is a plus. Customizable identity verification policies let an operator define, set and manage security levels based on its own criteria, from simple whitelists of pre-registered devices up through Trusted Platform Module (TPM) attestation to maximize identity enrollment security. IoT security is an individualized decision, so the level of security assurance should be customizable, not cookie-cutter or preset.
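The enrollment flow described in the PKI Challenges section (device requests a certificate through a registration authority that checks eligibility and identity) and the whitelist policy tier described above, as an added example that is not from the article or from GlobalSign. It uses only Go's standard crypto/x509 package: the device generates its own key pair and signs a certificate signing request (CSR) carrying its serial number; the registration authority verifies proof of possession, applies an allowlist, and has the CA issue a client-authentication certificate; a relying party then validates the chain against the CA root. The names NewCA, DeviceCSR, Enroll and Authenticate, the allowedSerials table and the sample serials are all assumptions for illustration, and the CA private key is held in memory only for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// allowedSerials is a constructed sample of pre-registered device serials; it
// stands in for the enrollment service's policy store (the "whitelist" tier).
var allowedSerials = map[string]bool{"SN-000123": true, "SN-000124": true}

// CA is a hypothetical issuing CA. Its key is in memory here; in production it
// would sit in an HSM behind the registration authority.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue signs tmpl with priv under parent and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root that is trusted only inside this example.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// DeviceCSR runs on the device: the key pair is generated there, the private key
// never leaves it, and only the signed CSR carrying the serial is sent to the RA.
func DeviceCSR(serial string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: serial}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// Enroll is the registration-authority step: verify proof of possession (the CSR
// signature), apply the allowlist policy, then issue a client-auth certificate
// bound to the device key. A stricter assurance tier would also verify TPM
// attestation evidence before issuing; that check is not implemented here.
func (ca *CA) Enroll(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	serial := csr.Subject.CommonName
	if !allowedSerials[serial] {
		return nil, fmt.Errorf("policy: serial %q is not registered", serial)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for the example
		Subject:      pkix.Name{CommonName: serial},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// Authenticate is the relying party (gateway or platform): it trusts only this
// CA's root, so a certificate from any other issuer fails chain validation.
func (ca *CA) Authenticate(cert *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```

Two points the code makes that the prose only implies: the RA never sees the device's private key, only a CSR it can verify was signed by the holder of that key, and a well-formed CSR from an unregistered serial is refused at the policy step before the CA is ever asked to sign. In a real deployment the CSR travels over an enrollment protocol such as EST or SCEP or a vendor API rather than a function call, the device key is generated inside a secure element or TPM, and the KeyUsages option in Authenticate matters: Go's Verify defaults to server authentication, so a client-only certificate would otherwise be rejected.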

Although IoT device and semiconductor manufacturers as well as critical infrastructure operators want many of the same results from their PKI and device identity enrollment services, they also each have their own needs uniquely tied to their function and place in the supply chain.

IoT Manufacturers

IoT manufacturers may sit at the start or in the middle of the supply chain. They are original equipment manufacturers (OEMs), original design manufacturers (ODMs) or electronics manufacturing services (EMS). They may be semiconductor manufacturers producing smart chips or TPMs that get built into device components, makers of those components that in turn get built into devices, or makers of the IoT device itself that gets programmed for sale. At the beginning of the supply chain they are concerned with the downstream impact of device identity. Including chip, component or device identity at this stage is the best example of security-by-design: identity is built in during design and production so it can be relied on later in the device's lifecycle. This becomes a significant competitive advantage for manufacturers looking to provide value downstream to their distributors, sellers or even end users.

Not surprisingly, manufacturers are most concerned with provisioning identities, the very first steps of PKI device identity enrollment. A big concern for manufacturers is PKI and identity enrollment setup, which must be uniquely configured for each individual use case or production run. Automating that function, or auto-enrollment, is also an important consideration. IoT manufacturers need a faster way to do it, as well as proper guidance on how to do it, all while maintaining their fast-paced production schedules, or they risk delaying a product's market launch. This is where expert guidance on certificate profile and template configuration from a managed identity enrollment service provider can add immeasurable value. IoT device identity enrollment is also where certificate-based device authentication protocols are defined to establish appropriate levels of security assurance.

Critical IoT Infrastructure Operators

Critical IoT infrastructure operators are a bit further down the supply chain. They include any organization managing fleets of devices, offering an IoT service, or running an IoT platform or application: network operators, governments (municipalities), smart grid operators, smart building operators or transportation organizations. While IoT manufacturers provision device identities with PKI and identity enrollment, critical infrastructure operators are the power users of those identities. For them, interoperability is critical. They need assurance that any device, regardless of manufacturer, can be connected, and that disparate devices can be properly identified, authenticated and safely brought online. They are concerned with data integrity, privacy and secure communications, so that their networks remain locked down against outside intruders looking to capture data for corporate espionage, launch an attack to take control of devices, or find back doors into a network. For them, securing the connected supply chain means ensuring that the products they receive from OEMs, ODMs and EMS providers are genuine and have never been tampered with. Managing device identities that were provisioned by manufacturers is where they gain the most value from a PKI.

IoT Device Identity is the First Step in PKI and Identity enrollment

PKI is the de facto credentialing platform for IoT security, supported by most leading IoT platforms. Semiconductor manufacturers, OEMs, ODMs, EMS providers and critical IoT infrastructure operators rely on IoT device identities and PKI to secure their devices, networks and ecosystems.

PKI experts delivering a secure, scalable and interoperable device identity service built on a single, high-performance identity cloud platform offer a proven path to device identity provisioning and management. Such a service enables certificate identity lifecycle management and overcomes operational PKI and identity enrollment challenges, removing the impediments to device identity success.

Lancen LaChance is vice president of product management, IoT solutions, and is responsible for driving overall IoT product strategy, partnerships and roadmap at GlobalSign. He joined the company in 2010 as a senior systems engineer. Prior to GlobalSign, he was an IT systems analyst for BAE Systems. He is actively involved in several IoT industry groups including the Industrial Internet Consortium.
