Why we need to secure IoT connections sooner than later
By Mike Nelson
IoT products offer many conveniences but there are massive amounts of data being transferred to and from these services vulnerable to attack if left unsecured. In this podcast, Mike Nelson, Vice President of IoT Security at DigiCert, talks about the growing insecurity of IoT devices and what we should do about it. Hey everyone, it’s Mike Nelson. I’m the vice president of IoT security at DigiCert. DigiCert is the world’s leading provider of PKI products and services. And we’re here today to talk about an interesting topic and a topic of growing importance.
Here’s a transcript of the podcast for your convenience.
As most of us are aware, connectivity is growing all around us. Businesses are becoming more connected. In recent days, more and more employees of businesses are working from home and needing secure connectivity. The number of IoT devices continues to grow in mass amounts globally. Those devices are creating a lot of connectivity around us, but that connectivity also creates a lot of security risk and exposure that a lot of consumers who are going about their normal lives are not aware of.
What I’d like to talk about today is the growing need to secure that connection, whether that be within a business, whether that be with a connected device in a consumer’s home, or whether that be a consumer browsing the internet. All of that connectivity needs to be done in a way that is secure, and the importance of that is so critical. My expertise of course is in the IoT space. I’ll be focusing the majority of the discussion today around IoT. But we’ll also talk a little bit about businesses and the importance of securing the internet.
In the IoT space, it’s projected that billions and billions of devices, up to 43 billion devices will be in the market in the coming years. Those devices are collecting sensitive data, they’re providing critical business functions, they’re providing healthcare monitoring, and even performing healthcare procedures. Those devices are critical to the function of our society and they will grow in their importance. A lot of those devices are, as I mentioned, insecure, and the risk of those devices being attacked is very real and provides some scary consequences. If we think just about the volume of data that these devices are collecting, it’s estimated that nearly 80 zettabytes of data will be generated in IoT over the coming years. That’s equivalent to about 90% of the data that has been generated globally to this point. So, mass amounts of data is being generated. A lot of that data should be handled in a confidential way. Some of it is proprietary information for businesses, it’s patient health information, it’s the secret sauces of business that they want to keep confidential. And so, as that data grows, it’s incredibly important that we keep it secure.
As we look at IoT exploits that have happened up to this point, there are some common vulnerabilities that we see over and over in these attacks. And those common vulnerabilities are really a good starting point for implementing security practices. The first common vulnerability that we see with IoT is lack of proper authentication. We read a lot about bad password practices, and hard-coded credentials, and hackers being able to gain access because they go in and they are able to discover the password and the user manuals of IoT – IoT instruction manuals. Bad authentication is one of the greatest risks right now with IoT. And there’s a lot going on in that regards to improve that.
In addition to bad practice of passwords, the backend connections and making sure that anything the devices are connecting to is properly authenticated. If your device connects to a server or a piece of middleware, you want to make sure that that connection is authentic so that it doesn’t trust connections of parties that you don’t want gaining access to your device. And so authentication of both the user, but also the backend connections need to be of utmost importance. The second common vulnerability that we see is around protection of the data. Palo Alto Networks recently released a report that said 98% of IoT data traffic is unencrypted. That’s a terrifying statistic, especially considering the volume of data that I mentioned earlier and the sensitivity of that data. And we see data compromise very frequently when it comes to IoT attacks. That’s another very common vulnerability – the data not being handled in a confidential way.
The third and final one is around integrity. How do you know that the packages being sent to the device are coming from a trusted source, and that a man in the middle attack has not occurred, modifying the value or embedding malware in the package and then sending it onto your device. Integrity is so critical, especially when businesses are making decisions related to that data, or when doctors are using the data to make treatment decisions for patients. And so integrity, the importance of making sure that the values of that data have integrity associated with them, is very critical. And so what do you do? The starting point, I’m asked all the time: “So where do we start? What do we need to do as we venture down the path of IoT security?” I think public key infrastructure and the use of digital certificates is really the right starting point for good IoT security.
Public key infrastructure infrastructure facilitates security solutions around those three vulnerabilities. Through the use of digital certificates, you can authenticate connections. Through the use of a certificate, you can place one on an endpoint device and you can place one on a server that it connects to. And when that connection occurs, that session is authenticated through the use of certificates. And then, the second thing that it can do is it can then encrypt the data that’s being passed from point A to point B. Public key infrastructure and those digital certificates are what can help facilitate that for manufacturers.
The third one is public key infrastructure through the use of digital signatures and certificates. Code signing, digital signature checks are very important to ensure that there is integrity, and public key infrastructure can facilitate that as well. We’re asked all the time where do we start? What do we do? I really think that public key infrastructure is a great place. In addition to that, security by design is critical. Penetration testing is a very important element of secure IoT development. And all of those things, there’s really no silver bullet, but I think that as you’re starting down the path, those are things that are good starting points.
The current state of IoT security really is, I think, scary. I don’t think enough is being done. I’m asked frequently also who’s responsible for IoT security. I’d say that there’s three pillars of responsibility. There’s regulatory responsibility. We see governments, the US, the UK, Japan are moving to put in place regulations that will require manufacturers to act responsibly in the development of their products. The second pillar I would say would be industries. We see a lot of industries coming together to create security standards, and then holding the manufacturers in that industry accountable to those standards to make sure that they’re operating at a higher level of security.
We’ve seen that DigiCert participated in the handful of industry groups like CableLabs who represents all cable manufacturers, set-top boxes, and they created a security standard for all of their manufacturers to follow. OCF is an industry group, the Open Connectivity Foundation, that is responsible for consumer electronics and they’re building standards for that ecosystem. Industries also have a responsibility to come and try to improve the overall state of security for their industry. And then the final pillar would be manufacturers, and manufacturers doing the right thing in the product development, in the deployment, in the lifecycle management of their devices is very, very important.
As we look at public key infrastructure and the challenges, public key infrastructure is the technical solution that a lot of people know a little bit about, but they don’t know a lot about. As we have seen manufacturers approaching public key infrastructure, we’ve seen them fall into a handful of common pitfalls and challenges. I’ve had hundreds and hundreds of conversations over the last few years with manufacturers as they have looked to implement public key infrastructure, and we’ve really heard some common challenges that they run into as they’re looking to stand up a public key infrastructure. The first one is the flexibility of their platform and being able to solve the variety of challenges that are needed. And I say laughingly that every IoT deployment is just another unique IoT deployment. Every device is different, the communication protocol’s different, the computation power is different and a unique lens needs to be looked at every instance. And so having a platform that’s flexible, that allows them to solve all of their challenges instead of just particular ones, is important.
Deployment ease. We see a lot of them run into challenges in deployment configuration. We see challenges with them and complying with country requirements. Having third-party integrations with applications that they want to use as a business is another common challenge. And then finally, degradation of performance is another challenge that we see manufacturers run into. I encourage people all the time when they’re looking for a solution, to look for a solution that has that flexibility, that has the scalability, that can help them meet the in-country requirements that they’re struggling to do. And I think that if manufacturers get off to a good starting point in those areas, it sets them on a path for success.
At DigiCert we have built a custom platform that’s responsive in those areas. We just released a platform called DigiCert ONE, and it really is the most modern architecture for PKI, but it addresses those really complex challenges of flexibility and scalability, reliability. The flexibility, not just of the certificate profiles, but also in the way you deploy it. Do you need an on-premise instance of a PKI? Do you need it based on the cloud or do you need a hybrid solution? You need to be able to be flexible in the way that you deliver and stand up your public key infrastructure. I think that touches on a lot of the points that I wanted to cover today. I hope that this discussion has been helpful and insightful.
Public key infrastructure is a technology that works. It’s proven, it’s standardized and it’s been around for a long time. It still needs to be innovative, and it’s important to make sure that the solutions that you’re putting in place are modern, will meet the requirements for your team today, but also will meet the requirements for your team when you have many, many more connections that you’re trying to secure.