Smart internet-connected devices give us unprecedented levels of convenience, but that convenience comes at a price.
By Andreas Philipp, Business Development Manager at PrimeKey
These connected devices collect and share data, and so there needs to be a level of security in place to protect that data from falling into malicious hands. This creates a challenge: IoT and Industrial IoT solutions require digital components that know each other and trust each other. This can only be achieved if each system is given a digital identity, ideally during the production stage of individual components — hardware-based PKI security, or, essentially, birth certificates.
These digital birth certificates are necessary today to securely manage and allow for secure communication throughout the entire lifecycle of a product, from manufacturing, deployment and use, to disposal and recycling. This allows manufacturers to provide products with new software versions and patches throughout their entire life cycle. Customers can trust the data that is generated by the connected device, and this key information is used for business decision making.
The role of digital Identities
In this modern era, we’re used to identity playing a key role when it comes to protecting users, applications or services. With the rise of IoT and IIoT, this notion is now applied to smart devices, as well as the systems or frameworks where they interact.
That wasn’t always the case. Early IoT devices didn’t count security as a priority, and in some cases, these devices were breached. In one famous case, hackers stole data from a casino’s database using a vulnerability found in a fish tank. The aquarium used a smart thermometer to maintain temperature levels, and that thermometer was connected to the casino’s wi-fi network. The hackers took advantage of this and stole 10 gigabytes of data and sent it to a remote server in Finland.
That’s an extreme case, but it illustrates the importance of proper security measures in today’s smart devices. A digital identity — certificate — includes attributes such as serial numbers and more, secured with a cryptographic lock and used to identify control units of a machine tool, a smart meter, and so on. The certificate enables trusted secure communication, such as the authentication of devices and servers, confidentiality for data, and protection from malicious or unintentional manipulation of data.
Merging Information Technology (IT) and Operational Technology (OT)
Smart manufacturing is forcing the boundaries between IT and OT to become transparent, merging the two areas. Applications such as predictive maintenance require external partners to be able to read and analyze data from machines. And only then are they able to carry out maintenance work proactively.
In the past, these two separate worlds hardly communicated with each other because there was no need to provide components in manufacturing environments with a digital identity. All this has changed with the advent of things such as the Internet of Things and Industry 4.0.
Complex legacy processes have traditionally plagued the production of smart devices, but we’re now entering a new era in which new industrial PC-based modules implement PKI security and digital signing, making issuing digital identities a seamless part of device manufacturing. By implementing the required hardware and software at the production level, manufacturers can communicate with the device, pull the necessary parameters out of the device chassis and then validate the information against a manufacturing execution system, enterprise resource planning systems or something similar. If the correct rules are validated, a certificate request is generated through a centralized trust center and a birth certificate is securely transferred into the device.
Of course, different types of devices may have different requirements, meaning smart manufacturers need a level of agility that supports multiple variables. They need the ability to configure and reconfigure the validation process in an efficient manner, based on both the given workflow and the production process. To address this, modern manufacturing hardware can employ a rule-change engine that designs the entire validation process, connects to the backend, leverages crypto-graphical functions, or adds individual log-in capabilities as needed.
Security and trust are now fundamental for the new opportunities and business models being explored with today’s smart factories and IoT solutions. On-demand upgrades for temporary activation of higher speeds or consumption-based billing of machine output are just two examples. For success, the basis of these business models needs to be a unique identity of the smart machine and the sensor, combined with the end user’s confidence that no manipulation has taken place.
Andreas Philipp is Business Development Manager at PrimeKey, one of the world’s leading companies for PKI solutions. With over 10 years of experience in security software & hardware development, Andreas has become a well-known industry expert and a frequent conference speaker. Contact: PrimeKey@bocacommunications.com.