Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
PKI and Code Signing Will Make IoT Device Security a Priority in 2023 & Beyond
By Ellen Boehm, SVP of IoT Strategy and Operations, Keyfactor
In the years ahead, IoT devices will
only grow more and more popular. In fact, a forecast from the International
Data Corporation (IDC) estimates there will be 27
billion IoT devices by the year 2025. With 13.4 billion IoT devices
today, that is a projected 101.49% increase.
While the rise of IoT devices has
introduced countless opportunities for innovation, the security of those
devices poses serious challenges across sectors, from automotive and medical
devices to manufacturing, retail, and finance. Why? Because the capabilities
these devices possess to generate positive change in the world are actually
what make them more susceptible to security risks.
IoT devices extend internet connectivity
beyond standard devices like laptops and smart phones to everyday devices like
watches, thermostats, and home security cameras so that they can share
information and perform actions in response to that shared data. This means
that every point of connection that exists carries the risk of being hacked.
Beyond the many points of connection that inherently create risk, for many
companies who jumped on the IoT bandwagon, security was an afterthought to
innovation.
As IoT devices continue to become more
commonplace, IoT device security will be a top priority for both developers and
security professionals. If we fail to prioritize IoT security, these security
risks could interfere with the projected growth and adoption of IoT devices.
Industries with the Most Prevalent Challenges
Industries that will continue to have a
particularly hard time securing IoT devices include automotive, medtech, and
telecommunications. These industries are complex, involve multiple vendors to
orchestrate a robust solution, and oftentimes have extremely high volumes of
devices and applications distributed globally. This complexity requires
operators and implementers to have robust security strategies in place to
establish trust and ensure data integrity. Let's examine these industries a bit
more to understand why.
Automotives:
With the rise of vehicle-to-everything
(V2X) technology, it will soon become possible for vehicles to communicate with
other vehicles, and with parts of the infrastructure such as road signs and
traffic signals, to create a clear picture of what is happening around the car -
ultimately enabling safer or more efficient driving. With this technology, it
will be possible for a vehicle to deliver real-time traffic information,
preemptively respond to changing road conditions, take evasive actions to avoid
a car crash, and recognize road signs and other warnings, to name a few
potentialities.
Automotives require many features and
functionality to be secured, including firmware or software updates over the
air, infotainment app updates, diagnostic and maintenance tools, and
components in the supply chain. All these features and functionalities must be
validated and trusted to build a robust and secure in-vehicle operating system.
These use cases are complex and oftentimes involve multiple vendors
collaborating to put the pieces together with high reliability and security in
mind.
Medical Technology
According to Straits Research, IoT
medical technology is expected to grow to a $486.34 billion market by 2031.
This projected growth stems from wearables such as Apple Watches measuring
heart rate, to teletherapy options heightened by the pandemic. While IoT
medical technology brings many health benefits, IoT medical technology will be
challenging to secure in 2023 for a few reasons. For one, medical devices are a
huge target: because of the amount of sensitive data that medical technology
collects, it is a prime target for cyber criminals. Additionally, many
hospitals and clinics are adopting intelligent equipment and applications to
bring efficiency and insights into their operations. It is known that these
facilities can be targets for ransomware, where systems are compromised and the
victims have no choice but to pay up in order to continue operations. It's
critical that everything from high-value robotic surgical equipment to
connected bedside sensors is secured and isn't left open to attacks that can
spread inside a facility.
Telecommunication
When it comes to telecommunication, IoT
mostly plays a role in moving beyond internet cables and mobile phone towers to
enable 5G technology. Further, IoT telecommunications makes smart home devices
possible, and that is just the beginning. In the next century or so,
telecommunications will be used to enable applications from smart cities, to waste
management, traffic management, and everything in between. IoT
telecommunications is particularly challenging to secure because of the volume
of endpoints that exist within a network and the complexity of the hardware
that needs to interoperate securely in order to provide robust infrastructure.
Wireless connectivity provides many benefits, including the ability to stand up
solutions where wired or physical architecture once imposed limitations.
With all three industry applications,
it's crucial to have the proper security infrastructure in place to ensure the
trustworthiness of communication of every message. Without it, it's impossible
to determine whether the source of the message is legitimate and whether it has
been impacted by outside interference or modification. This can have
devastating consequences. In the case of connected vehicles, tampering with V2X
communications might result in fatal accidents. Or, when it comes to medical
devices, it could lead to the failure of a device that is critical to an
individual's health. Then there is telecommunications. Once smart cities
emerge, another country could infiltrate their systems, taking over critical
infrastructure that impacts our everyday lives.
What We Can Learn from Matter
Thankfully, the wider IoT industry is starting
to pay more attention to this. The Connectivity Standards Alliance (CSA)
introduced the Matter standard, breaking new ground with security policies and
processes. Companies that pledge to the Matter standard will be required to use
public key infrastructure (PKI) to validate device certification and provenance
within smart homes. Today, there are over 550 tech companies that have agreed
to participate in the Matter standard. This includes big names like Google
Home, Amazon Alexa, and Apple HomeKit.
PKI & Code Signing will be Key in Securing IoT Devices
While the Matter standard only pertains
to the smart home, it will serve as a great example of the security benefits
associated with requiring PKI in all IoT applications. As a trust framework composed
of hardware, software, policies, and procedures, PKI enables IoT device
manufacturers to embed a cryptographically verifiable identity through a
digital certificate into each device, ensuring that all access and data
communication remains secure.
In the year 2023, we will also see more
businesses relying on code signing for IoT device security. Code signing is a
cryptographic method used by developers to prove that device software is
authentic. By digitally signing IoT device software and firmware with a private
key, developers give end users proof that the code originates from a trusted
and legitimate source. This also ensures that the device's software hasn't been
tampered with since it was published.
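The sign-then-verify flow described above, as an added Go example (not code from the author or Keyfactor) using Ed25519 from the standard library. The `SignedFirmware` layout, the function names, and the device trusting a raw pinned public key instead of a certificate chain are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedFirmware is a constructed, minimal update package: image plus detached signature.
type SignedFirmware struct {
	Image     []byte
	Signature []byte
}

var ErrUntrusted = fmt.Errorf("firmware rejected: signature does not verify against trusted key")

// NewVendorKey makes a throwaway demo key pair; production keys are not created ad hoc like this.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignFirmware runs on the vendor's build system, the only place the private key exists.
func SignFirmware(priv ed25519.PrivateKey, image []byte) SignedFirmware {
	digest := sha256.Sum256(image)
	return SignedFirmware{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyFirmware runs on the device, which holds only the public key, and fails closed.
func VerifyFirmware(trusted ed25519.PublicKey, fw SignedFirmware) error {
	digest := sha256.Sum256(fw.Image)
	if !ed25519.Verify(trusted, digest[:], fw.Signature) {
		return ErrUntrusted
	}
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	fw := SignFirmware(priv, []byte("constructed firmware image v1"))
	fmt.Println("as published:", VerifyFirmware(pub, fw))
	fw.Image[0] ^= 0xff // one byte changed after publication
	fmt.Println("tampered:   ", VerifyFirmware(pub, fw))
}
```

The same check rejects an image signed by any key other than the one the device trusts, which is the "trusted and legitimate source" half of the guarantee.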
Implementing a PKI program will allow
manufacturers to bring innovative new devices to the market while maintaining
high-security levels, which will prove a competitive advantage going forward as
it will quell consumer concerns around security.
ABOUT THE AUTHOR
Ellen leads the product strategy and go-to-market approach for the Keyfactor Control platform, focusing on digital identity security solutions for the IoT device manufacturer market. Ellen is passionate about IoT and helping customers establish strong security implementations for the lifecycle of their overall IoT systems.
Ellen has 15+ years of experience leading new product development with a focus on IoT and connected products in lighting controls, smart cities, connected buildings and smart home technology. Ellen has held leadership roles in Product & Engineering at General Electric and Sky Technologies over her career.
Personal Highlights: Ellen lives in Cleveland, OH along with her husband Rich and children Edward & Emma. Ellen has a Bachelor of Science degree in Electrical Engineering from Rochester Institute of Technology, and a Master of Science degree in Electrical Engineering and Master of Business Administration from Case Western Reserve University. Ellen enjoys fitness, yoga, swimming, and outdoor activities around Cleveland with her family and friends.