Only a few years ago - the IoT would have felt like something out of science fiction. The collision of the digital and ‘real’ worlds will leave computing technology woven throughout our homes, cars and perhaps most significantly, our businesses too.
The Industrial Internet of Things (IIoT) offers perhaps the greatest possibilities in an already possibility laden space. With all that excitement, it's quite easy to miss the profound security considerations we’ll need to make if we want to keep moving forward safely.
DigiCert’s new 2018 State of IoT Security revealed that not taking IoT security seriously is sure to result in security mishaps - as 100% of our low tier respondents found - and millions in lost revenue every year. And when talking about the IIoT, those failures could be so much worse.
The “things” boom
The number of global IoT devices on earth is set to go over 11 billion this year and IIoT is moving in step with it.
The IIoT is set to transform business in its own way. With connected devices in industrial spaces, enterprises will be able to collect more information, from more places, faster. It’s that seemingly simple benefit that will transform business in a whole range of areas: plants will be safer and better managed, the supply chain will be more secure and efficient, costs will be saved and intelligence will be richer and better distributed. That’s only the tip of the iceberg.
Still, it would be foolish to think that cyber criminals aren’t just as excited about this technological revolution as we are. After all, the IoT boom has also meant a boom in the opportunities available to the ill-intentioned.
When data vulnerability become public safety
Data is one thing but the stakes increase somewhat when we think about safety critical infrastructure, like the IIoT.
Suddenly, we’re no longer talking about weak Wi-Fi kettles and fitbits, which will probably leave owners largely safe from physical harm. Securing the IIoT could literally mean the difference between life and death.
From Stuxnet’s assault on the Iranian nuclear project to disgruntled employees wreaking havoc on their erstwhile employers’ paper factories there are plenty of examples of what this kind of abuse might look like, especially when combined with the power of nation states or the access of an insider. Fortunately, most of these examples have stopped short of harming human life.
Furthermore, IIoT adoption will partly mean retrofitting - sometimes decades old - legacy systems. The air gap that existed in the pre IoT age is soon to be filled in and those systems - saddled with misconfigured software and outdated hardware - were never designed to withstand a cyberattack. Retrofitting security into these systems will not necessarily fix all those problems and completely replacing them will be a long, costly and unpopular path to take.
To top that, there are as yet few security standards to govern this booming new field, potentially saddling the IIoT with the same problems as the IoT - that manufacturers rush these products to market with little thought for the notion that they might be the target of a dangerous attack.
Taking the insecurity out of innovation
Given that safety critical nature, PKIs using digital certificates are providing a way to securely innovate everywhere that stands to gain from the IIoT. Particularly, manufacturers of connected devices coming onto the market can add PKI on the factory floor before devices hit the market, as a form of a security by design approach. This can assure better security and fewer costs from retrofitting after the fact.
In fact, Public Key Infrastructures (PKIs) using certificates allow users to circumvent some of the baked-in vulnerabilities of the IIoT.
First and foremost, a strong PKI ecosystem can police the connections over vast IoT networks, filled with endpoints all talking to each other and sending data back and forth. It provides safe mutual authentication between those devices, systems and users, making sure that both ends of the transaction are trusted parties and ensuring the secure exchange of data.
A PKI infrastructure also encrypts the data between those sources, using the latest cryptography - so even if attackers do manage to steal data between connections - they’ll have a hard time actually benefiting from it.
Using code signing certificates, an infrastructure like this can ensure the integrity of data over those large networks, and with secure boot, can make sure that none of the code on those devices has been tampered with.
All of this allows for unparalleled trust within that network and makes a cyber-criminal’s job that much harder, forcing them to do better than a simple brute force, Man in the Middle, or social engineering attack on a gullible user or weak device.
Built on interoperable and standardised protocols open to all, and meant to encompass the grand worldwide web, PKI’s scalability makes it a good fit for Industrial environments that are often tasked with overseeing heaps of endpoints which are increasingly hard to monitor
Certificate-based PKI has already proved that it can operate at scale across web connected systems. It provides an authoritative security standard, which has been earnt over decades in and out of WebPKI. New technologies might always come with risk, but time-tested and always-evolving solutions like PKI will allow you to trust the IIoT all the more.
Every potential reward comes with a risk and in few places is that clearer than in the IIoT. There is so much to be gained, but a lot to be lost too. In only the last few years we’ve seen attacks take down power in the dead of a Ukrainian winter, destroy a German steel mill, and obliterate the Iranian nuclear programme. Those examples are rare but they remind us how connected systems can exploited in profound ways.
For the moment, as device manufacturers improve their practices and governments consider regulations, IoT users will need to take the initiative themselves to seize these developments in a safe manner. Companies deploying IoT implementations do not need to be alone. They should talk to experts with experience running certificate-based security at a large and global scale to help them architect the right solution. We would do well to remind ourselves how easy it is to confuse riding the train of history with lying down in front of it.