The number of connected objects is expected to reach 6.4 billion this year alone. However, as we have already seen through a number of data breaches, many of these devices are improperly secured, leaving them vulnerable to attack. Many groups are now working on ways to establish security standards for the Internet of Things, and several of them were on display last week at the RSA Conference.
Infineon, GlobalSign and the UNH InterOperability Lab (UNH-IOL) have recently partnered to embed security into new IoT hardware. The proof of concept that the group demonstrated at RSA involves embedding PKI and cloud security services into IoT devices at the device manufacturing stage rather than attempting to add on security services after a sensor network or other device array has already been established.
PKI is a proven security technology that provides key information security capabilities, including authentication, encryption, and data integrity. According to GlobalSign, which offers a range of PKI-enabled services, the most reliable way to integrate PKI into an IoT platform is to use a hardware security module to securely store the private key and execute cryptographic functions such as authentication and encryption.
Infineon already provides hardware security modules that are capable of using PKI, and it implements the Trusted Platform Module (TPM) standard from the Trusted Computing Group (TCG), which makes the modules usable in a range of IoT environments. “The partnership addresses manufacturer concerns about provisioning strong identities within an IoT environment, which is becoming a bigger issue now that IoT is moving out of the pilot stage for many industries,” explains Lancen LaChance, Vice President of IoT Solutions at GlobalSign, in an interview with CivSource.
Enabling strong identities at the hardware level will allow network managers to mitigate concerns like identity spoofing and key compromise, which can endanger whole chains of devices. “The integration of security at the hardware level creates a trust model for a whole system,” LaChance says. “So, if a change occurs the entire ecosystem will know and administrators will be able to respond accordingly.”
Following the proof-of-concept demonstrations at RSA, the technologies will be brought together for a testbed at the UNH-IOL, an independent, third-party laboratory dedicated to broad-based testing and standards conformance services for networking industries.
The two companies consider this integration to be a foundational approach to IoT security, but adopting this technology may be a little tricky for system administrators who already have IoT projects deployed. Because the technology requires implementation at the hardware manufacturing level, it does little to help sensors or other connected devices that are already online. While adding secure hardware into a broader system will help to harden the environment, administrators and planners will need to understand the variability that comes from not replacing earlier devices and secure their environments accordingly.