In today’s Internet of Things (IoT) world, every device can communicate and be connected to the Internet – from your refrigerator to your lights and cars. IoT’s glitter is often dimmed by legitimate security concerns.
Just as the power of this new technology can make our lives easier and immensely more delightful, IoT put into the wrong hands could lead to very undesirable results. Fortunately, there are principles to be applied that can mitigate risk in our highly connected world.
It seems the security spotlight has been solely focused on data breaches and the resultant loss of privacy and risk of identity theft, but what about the physical and in some cases life-threatening risks at play?
Let’s consider car break-ins in the past and in the future. For a car that isn’t connected to the Internet, its physical security is at risk and customers may bear the loss of an expensive music system or personal valuables. With a connected car, we risk a systemic cybersecurity threat with results potentially as severe as a remote car hijacking with you still in the driver’s seat.
This is just one example of where a lack of security poses life-threatening dangers. As more and more devices around us are connected to the Internet, we become more susceptible to these types of threats.
The risk goes beyond the personal. Recent incidents, such as the Chrysler Jeep Cherokee hack, threaten customer confidence in a brand and cause financial loss. Chrysler had to physically recall 1.4 million vehicles, and the substantial impact was felt by the IoT industry as a whole.
Although very real and potentially life-threatening, these problems can be solved and the sector should take action and prove this to skeptical consumers in order for the industry to continue advancing.
Securing the realm of IoT requires applying two basic principles of information security: strong authentication and secure communication. The current leading solution for applying these principles has existed for decades in the form of Public Key Infrastructure (PKI). PKI is a foundation of trust that enables security by providing strong authentication and encryption services.
Let’s go back to the connected car example. Communication between the car and its connected services requires strong authentication. The car system must not accept commands from a third party without properly ensuring the commands actually came from an authorized user of the car. One way to mitigate this risk is to perform mutual authentication where the car authenticates the service and the service authenticates the car.
In addition to strong mutual authentication, devices need a secure channel to communicate with the service to ensure confidentiality and data integrity. This can be implemented using high-strength encryption protocols between the device and connected services.
Digital certificates and asymmetric encryption enable such strong encryption when devices and services are configured to use them appropriately. PKI is the common technology behind both strong authentication and secure communications.
When you use a computer or phone to connect to an Internet service, such as your email, you normally input a username, password, and in some cases, a token for authentication. Because most IoT devices have a small form factor, they do not possess interfaces such as a keyboard. This is where PKI becomes the solution. With PKI, a device can have a digital certificate installed and managed by a secure service that allows the device to mutually authenticate without further human interaction.
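The mutual authentication and secure channel described above map directly onto mutual TLS. The following is an added example, not code from the original article: it uses Python's standard `ssl` module to contrast a one-way service context with contexts that require a certificate from both sides, and audits each one. The function names and the optional certificate file parameters are hypothetical.

```python
import ssl

def audit(ctx, role):
    """Return findings for an ssl.SSLContext; role is 'service' or 'device'."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        peer = "device" if role == "service" else "service"
        findings.append(f"{role} does not authenticate the {peer}")
    if role == "device" and not ctx.check_hostname:
        findings.append("device does not check the service name in the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings

def one_way_service():
    # Weak: a default server context presents its own certificate but asks
    # the device for none, so the service never learns who is connecting.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

def mutual_context(role, ca_file=None, cert_file=None, key_file=None):
    """Context for either side of a mutually authenticated channel.

    ca_file   : CA certificate used to verify the peer (hypothetical path)
    cert_file : this side's own certificate, issued by the PKI
    key_file  : the matching private key, kept on the device or service
    """
    proto = ssl.PROTOCOL_TLS_SERVER if role == "service" else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # the peer must present a valid certificate
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

if __name__ == "__main__":
    print("one-way service:", audit(one_way_service(), "service"))
    print("mutual service: ", audit(mutual_context("service"), "service"))
    print("mutual device:  ", audit(mutual_context("device"), "device"))
```

In a deployment, each side passes its own certificate and key plus the CA certificate of the peer's issuer, so the handshake fails unless both certificates chain to the expected CA.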
PKI has a number of use cases beyond IoT, including mutual authentication for APIs, endpoint authentication, and secure remote access to production systems. Although PKI has the potential to solve all of the above considerations, it brings about its own unique set of challenges.
The Internet of Things is a constantly evolving and growing field. The potential volume of devices presents scaling challenges never before encountered, from digital certificate provisioning to validation.
It’s clear that cyber security must join physical safety at the top of every IoT company’s list of considerations. The Jeep Cherokee hack wasn’t just a wake-up call for the automobile industry – it was a lesson for all companies with devices that connect to the Internet.