Strong security can unleash the promise of the industrial internet of things
Scan the headlines and you’d think IoT is all about Bluetooth toasters and refrigerators that text you when your toast is going to burn or you’re out of milk. Analysts and investors know better. The serious money in IoT is flowing to the industrial sector, for good reason. Connected consumer products may make nice Christmas presents, but using IoT connectivity to optimize oil rigs, power grids, factory floors and a thousand other industrial applications add up to trillions of dollars in economic impact.
McKinsey estimated that industrial IoT could generate more than $6 trillion in economic value by 2025. “Could” being the operative word, as there remains a significant hurdle IIoT must clear: security. According to a recent DigiCert survey of global IT leaders, 82% said security was their number one IoT concern. Ask only executives in the industrial sector, and the number is likely closer to 100%.
When consumer devices are compromised, companies can face embarrassing headlines and frustrated customers. If your installation of $10-million turbines gets hijacked, however, the stakes are much higher. As everything from transit systems to nuclear power plants get connected, security breaches can translate to massive financial losses and even physical harm to human beings.
Companies that don’t take IoT security seriously enough already face stiff consequences. Among the companies DigiCert surveyed that were struggling to master IoT security, every one of them had experienced an IoT-based security mishap in the past two years. Those companies were:
- More than 6 times more likely than companies with more mature IoT security to suffer an IoT-based denial-of-service attack
- More than 6 times more likely to see unauthorized access of their IoT devices
- Nearly 6 times as likely to have an IoT-related data breach
- About 4.5 times as likely to get hit with IoT-based malware or ransomware attacks
Those are not inexpensive mishaps. One in four of those struggling companies incurred costs of $34 million or more dealing with them.
The IoT revolution will ultimately sweep the industrial sector; the benefits are simply too great. But first, those producing IIoT systems will need to ensure the authentication, data and system integrity, and confidentiality of industrial connectivity. Fortunately, they can turn to a proven, powerful model for secure IIoT connectivity: public key infrastructure (PKI) and digital certificates.
Inside PKI
The moment a device comes online, it becomes vulnerable to a wide range of cyberthreats, from botnets to data breaches to malware that can exploit firmware and take control of devices themselves. Given the higher risk profile of industrial assets and systems, proactive security is essential. Companies that wait until after a vulnerability is discovered will find retrofitting security after the fact to be extremely expensive and time-consuming — assuming their customers are willing to continue doing business with them at all.
Building security into the basic design of IIoT devices and systems is the smarter approach, and PKI provides a scalable, user-friendly way to do it. PKI frameworks support the distribution and identification of public encryption keys that enable the secure exchange of information over networks, as well as digital certificates that authenticate the identity of each party. Millions of websites and web users rely on PKI every day for secure communication, and it’s a natural fit for IIoT.
Evaluating alternatives
PKI provides trust and control at scale and in a user-friendly way that alternative authentication methods like tokens and passwords can’t. For example, some IoT devices use symmetric privacy alternatives that don’t support bidirectional encryption. Many still rely on basic username and password mechanisms.
For instance, older IoT protocols still transmit usernames and passwords unencrypted. Additionally, the human effort required to log into a workstation with a password is inconvenient and using this method to authenticate tens of thousands of autonomous devices in the field is another matter entirely. The shortcut some companies take — using a single username and password combination for all devices in a deployment — means that a successful hack won’t just compromise a single device, but the entire industrial system. Some look to set up a PKI ecosystem, but, lacking the resources and know-how, end up doing more harm by sharing one key across all devices or using weak keys and no revocation mechanisms.
PKI done right, on the other hand, uses digital certificates alongside secure key management to enable safe authentication in the background, without requiring user interaction. It can efficiently protect every individual connected device from malicious actors and, using bidirectional encryption, ensures that even if attackers somehow intercept data, they can’t do anything with it.
Weighing tradeoffs
Like any other security mechanism, PKI does entail some tradeoffs. The most commonly cited, however — that IIoT devices don’t have enough storage or processing power for PKI encryption — can be managed. Organizations need not attempt to port web PKI to IIoT devices exactly as it’s used on the internet. For example, sensors don’t need to validate all the same certificate fields that websites do. Sensors also have plenty of memory for encryption algorithms, especially if they’re using small-footprint nano-crypto libraries designed for IoT. PKI also typically has very low computational requirements.
The more significant — and justified — concerns about PKI revolve around the costs and complexity of standing up and maintaining a PKI framework and certificate authority (CA). Deploying a trustworthy and reliable system is not a simple undertaking. It entails adhering to industry standards, establishing trusted roles, maintaining compliance and continually monitoring industry groups for changing standards and cryptographic properties, among many other requirements.
For these reasons, many organizations choose to work with a hosted PKI provider that can handle all ongoing operations and maintenance of the infrastructure — at scale. Cloud providers also offer scale and flexibility, as well as the trust that comes with a ubiquitous, publicly trusted CA. Typically, organizations building private PKI frameworks operate in heavily regulated industries that require a higher degree of local control. Even in these segments, however, organizations may be able to employ hybrid PKI models that combine on-premises appliances with cloud-scale through a trusted gateway.
Start the security conversation now
Few emerging technologies hold the potential of IIoT; it’s not every day that analysts forecast economic impact on the scale of many countries’ gross national product. But those benefits can’t be realized until industrial companies are confident the sensors and assets they’re connecting are secure. That process starts at the device manufacturer’s drawing board.
By embracing a security-by-design approach and using PKI to support secure authentication, IIoT device manufacturers can deliver the proactive protection that industry demands. And, they can begin to unleash the full transformative power of industrial connectivity.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.