Public key infrastructure for the IIoT - Embedded.com

Public key infrastructure for the IIoT

The Industrial Internet of Things (IIoT) may just be the next great industrial revolution. Some analysts predict it to drive 14 trillion dollars in economic gains over the next decade. It’s not surprising companies are rushing to harness the potential of the IIoT by developing new products, services, and business systems.

An important area in which the IIoT creates value is the creation of a network of device endpoints: smart, connected sensors and controllers talking not only to each other, but also monitoring and managing a wide range of machines and industrial systems. By combining connectivity and functionality with analytics, information technologies and operational technologies, owners of industrial plants will obtain major benefits. For example, factories can be designed to adapt in real time to changes during production, and anticipate operation-degrading events. Additionally, predictive maintenance programs can be implemented to eliminate downtime or catastrophic consequences caused by unanticipated failures of critical system components. By achieving even small percentage gains in plant operations or reductions in unplanned downtimes, these upgrades will dramatically improve the profitability of manufacturing operations.

To take full advantage of the opportunities offered by the IIoT, an entire system—from sensors, actuators and motors, up through the controllers—should be connected to information and operational technology systems and beyond into the cloud. Expanded connectivity boosts efficiencies in operations and integrates the supply chain more tightly and in innovative ways. It also enables entirely new business models and revenue streams.

Unfortunately, cyber-attacks against these very same systems will continue to grow as the number of devices grows. The bottom line is that we now have a growing number of both targets and attacks, so we must put cyber-security solutions in place to protect these devices.

Just as cyber-attacks take many forms and exploit a wide range of vulnerabilities in the target device, so too is cybersecurity multi-faceted. A fundamental, but often ignored, aspect of cybersecurity for IIoT devices is strong authentication.

Authentication for the IIoT

Authentication, for machine-to-machine communication within the IIoT, is the process of one IIoT device determining the legitimacy of another device (IIoT or not). Older common authentication methods fall short of modern security requirements.

  • Many embedded devices use a simple username/password-based method for machine-to-machine based authentication. This obsolete method allows communication with any other machine providing the proper username and password.

  • Other systems utilize pre-shared security keys. Pre-shared keys are little more than long, complex passwords.

Both methods are problematic for many reasons. First, usernames and passwords can be stolen, sniffed, or otherwise discovered. Second, they are susceptible to brute-force attacks, in which all possible passwords are systematically attempted, and to dictionary attacks, in which commonly used passwords are attempted. Once a password is discovered, they can easily be used, allowing unauthorized access and providing the ability to perform operations that should not be permitted.

In simple terms, if a device sends over the correct credentials, it is granted access. There is no mechanism verifying the machine should have the password or verifying if the password has been lost or stolen. Password-based authentication is also difficult to manage. If you need to change a username or password, all devices in the network must be updated–a significant management challenge. As the number of deployed IIoT devices grows into the millions or even billions, managing passwords becomes unworkable and unlikely.

Strong authentication for IIoT devices

To be effective, any machine-to-machine authentication scheme for the IIoT must overcome the weaknesses of password-based authentication. The solution must tie credentials to an identity. Not only must it require the right information (password and username, authentication key, etc.), it must also be able to verify the information is associated with the device using the information. It must also do so in a secure fashion. The credentials must not be easy to steal or clone, and the distribution, verification, and revocation of credentials must be automated and easy to manage.

PKI for IIoT authentication

PKI (Public Key Infrastructure) is a set of technologies and services for managing authentication of computer systems. PKI is based on a digital certificate mechanism. Digital certificates are sometimes also referred to as X.509 certificates or simply as certificates. Think of a certificate as a virtual ID card.

In the real world, people use ID cards such as a driver's license, passport, or an employee ID badge to prove their identity. A certificate does the same basic thing in the electronic world, but with one big difference. Certificates are not just issued to people (users, administrators, etc.). Certificates can also be issued to computers, software packages, or just about anything else requiring verification of identity.

Certificates are extremely useful in high security situations. For example, suppose you needed to securely transmit data between two networked devices. How do you really know you are transmitting the data to the intended device and not an imposter? One way of ensuring the integrity of the transaction is to use digital certificates verifying the identities of both machines.

PKI provides the tools and methodology required to issue certificates to all IIoT devices on a network and manage those certificates throughout the device’s lifetime. A certificate is comparable to a driver’s license. It provides an identity and a set of permissions, and was issued by a trusted entity. My driver’s license identifies me, provides a picture to show I am the proper bearer of the license, and defines my permissions as a driver of a motor vehicle. I am authorized to drive any standard passenger motor vehicle, but not certain commercial vehicles. And the license was issued by a trusted entity (the government of the State of Iowa).

In many ways, a certificate is similar to the driver’s license. A certificate issued by a trusted entity (a Certificate Authority), contains permissions, and is used to identify the holder of the certificate. A driver’s license contains information allowing the holder of the license to be verified, just as a certificate contains the public key allowing it to be used only by the entity holding the associated private key.

Without deeply getting into the details of the public/private key cryptography technology making this possible, an IIoT device verifies the certificate holder is the entity specified in the certificate. These services are enabled using public/private key cryptography providing the technical underpinnings of PKI. The result, which is what really matters, is a device able to verify, with cryptographic certainty, that the holder of the PKI certificate is really who it claims to be and not an imposter.

Certificate compared to driver’s license

Building on the driver’s license analogy, PKI also provides the technology and systems to issue, renew, revoke, and manage certificates.

Limitations of existing PKI solutions

PKI is widely used within the broader Internet and as part of many IT security solutions. But PKI as a technology has drawn criticism, largely due to implementation failures and security breaches with some of the Certificate Authorities involved in the management of the system. Many legacy implementations have not properly implemented certification revocation checking, resulting in expired or revoked certificates being used. Some systems have failed to properly implement certificate chain validation, allowing usage of forged certificates.

Additionally, existing PKI solutions are designed for use with public Internet and Enterprise IT networks and not suited to meet the needs of IIoT networks. In IT networks, certificates are issued to a small number of servers, generally via a manual process. This works because these systems implement expensive “server authentication” using certificates and don’t implement “mutual authentication.” With mutual authentication both the client and server device need a certificate, requiring a much greater number of certificates.

With server authentication, a server is authenticated using a certificate. For example, if I log onto an e-commerce website, my web browser will validate the website is authentic using the digital certificate provided by the website server. The website, however, does not validate my browser using a certificate. It relies on a user name and password to validate who I claim to be. In some cases, second factor authentication or other method will be used to provide a higher level of security.

PKI Solutions for IIoT

For the IIoT, mutual authentication is mandatory, but IT’s methodology is unusable. When devices communicate, they must each validate each other using certificates. Implemented correctly, no human interaction is required and using certificates eliminates the inherent problems of password-based authentication and other weak authentication mechanisms. Digital certificates, used in this fashion, provide strong authentication. Devices reliably authenticate other legitimate devices, preventing unauthorized communication with rogue devices or other unauthorized systems.

Mutual authentication, as the name implies, requires every device to have a certificate. The manual processes of legacy PKI (IT) solutions cannot scale to the needs of the IIoT and its massive numbers.

To overcome the weaknesses of legacy PKI solutions, new approaches are emerging such as the Icon Labs PKI solution for the IIoT, which includes a compact Certificate Authority server and device-side SCEP/EST clients. This type of solution supports a fully automated process allows devices to securely request new certificates, validate certificates, and recognize when certificates are revoked. It also implements certificate chaining support to ensure all certificates are properly validated. Furthermore, this approach manages certificates over the entire lifecycle of the device. It starts with provisioning certificates into the device during manufacturing to prevent counterfeiting and cloning. When devices are purchased and installed on a network, they go through a process of provisioning. During provisioning, they are first automatically validated using the certificate installed during manufacturing, then issued a new certificate for use on the network. The certificate can later be revoked if or when the device is decommissioned.

Keys vs. Passwords vs. Certificates

Conclusion

OEMs building IIoT devices and enterprises deploying IIoT networks must be proactive by ensuring robust, hack-resistant security capabilities are built into both the devices and the networks where they operate. Certificates issued and managed using PKI allow devices to perform strong mutual authentication. Ensuring the devices involved in communication are authentic and authorized is critical for securing IIoT networks. It provides the foundation for ensuring the integrity of data used for creating new business models, increasing operational efficiencies, and truly unleashing the value of the IIoT.


David West is the Director of Engineering at Icon Labs, a leading provider of security solutions for embedded devices. You can reach him at .

1 thought on “Public key infrastructure for the IIoT

  1. “At Saturam http://www.saturam.com/, we know that greatness in a connected-era requires audacious re-interpretation of status-quo, best-in-class talent and a culture that believes in conquering together. We approach every device, data and AI challenge h

    Log in to Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.