In this podcast recorded at RSA Conference 2017, Jeremy Rowley, Executive VP of Emerging Markets at DigiCert, talks about automating PKI for IoT platform and building scalable solutions for the IoT platform.
Here’s a transcript of the podcast for your convenience.
Hi, my name is Jeremy Rowley and I’m the Executive Vice President of Emerging Markets at DigiCert. Today I’m going to be talking about automating PKI for IoT platform and building scalable solutions for the IoT platform. So we have a lot of IoT devices that are being employed throughout the Internet. You have various connected vehicles, you have connected homes, you have connected cities – heck, you have even connected watches and everything else, right? But a lot of these devices don’t deploy security, meaning they’re subject to attacks. In 2015, for example, we saw attacks on various devices that include cars and medical devices and things like that. And in 2016 we even saw insulin pump taken over through a man in the middle attack where you could actually change the dosage and thus cause harm to the patient who’s wearing that insulin pump.
The question becomes: how do we secure these devices at scale when they’ve already been deployed or are being deployed as well as in an effective manner that can support manufacturers? We figured out a way to automate provision of digital certificates and other credentials to devices in a way that is cost-effective and can be scaled to the billions of devices that need the security. And we do this by using standard protocols such as SCEP or EST as well as some software we’ve created called our DigiCert Auto-Provisioning Platform. The Auto-Provisioning Platform actually manages the entire life cycle of your certificates for you so you don’t have to have any human intervention. We’ll inject the keys for you, rollover keys as necessary, deploy digital certificate credentials, renew them, reissue them, etc. You can provision devices to your network and remove them from the network as needed.
One of the challenges in doing was just the sheer number of it. So what we’ve done is built a robust system that can scale to the billions. Companies that are using this now include healthcare companies, automotive companies, industrial companies, smart home initiatives and these are companies that are looking to secure their critical infrastructure against the attacks that are going on. At the same time we’re helping look at legacy devices and how to secure those. A lot of these devices are already deployed, but most of them end up having a secure computing environment where we can inject a credential unto that.
There are some devices out there that may not have it and we’re still working with them to develop ways to secure those devices. But with new devices, we strongly encourage manufacturers to develop at the time of design security into that framework.
One of the obstacles we’ve encountered in securing the IoT devices that are out there is that people tend to think of PKI in the traditional web sense, right? When you’ve got this digital X509 certificate that’s somewhat bulky and kind of larger that you want to deploy on the low-powered device. We’ve really been working to innovate on how we accommodate that and we’ve come up with certificate profiles that can be super small like 80 bytes and be actually used with low to no power devices. This lets us provide scale on devices that may not normally see security in a cost-effective manner. Really, we try to put security in any budget because one of our goals at DigiCert is to really see the Internet secure. We want to provision certificates everywhere as necessary to provide protection to aligned parties and end users when they’re doing transactions with their home or with their fridge or with their medical devices.
One of the areas that we’re really looking at are vehicles and the transportation departments. And in vehicles you have sensors that are deployed to monitor your oil and to monitor your tire pressure and the deployment of your air bags. And all of those communicate back to a central system, and so each of those sensors are providing information that is necessary for that car to function. Malware and attackers are now starting to target those systems and change the information that’s coming to them to actually give the car directions. So if your auto collision mechanism now has a pack expecting to say there’s something in front of me but there’s nothing to the side, you can get the car to steer. Or you can get the car to break by modifying the sensitivity of the breaking information.
What we’re doing is providing certificates to the sensors and to the control panels to provide authentication from the sensors to the control panel so that it knows that it’s a sensor that’s part of that car. We’re looking at it as encrypting that communication so that the information can’t be man in the middle then read by an attacker. And then we’re signing that information so you can’t do kind of a packet injection to modify that information and trick the car into thinking that something is happening that’s not. And it’s a pretty exciting opportunity because it’s a real-world threat and it’s potentially saving lives.
We’re happy to help with that process, we have people come to us all the time, asking us to review their designs and be part of that design process so that they’ve got security built from the ground-up.
We’re happy to help provide services related to getting board members on board and CISOs on board and things like that. So using our products, we find that people can build strong IoT platforms that will stand the test of time using strong crypto to provide authentication services, so you know where the device is connecting, who’s connecting to the device to encrypt the communication that comes to and from the device and provide integrity for that communication. The last thing you want is somebody manipulating a healthcare device’s communications and causing incorrect dosage or incorrect treatment of a patient.
Automated security is one thing we strongly believe in – it’s something that we really think people need to concentrate on and that’s what we’re concentrating on as well. And this includes both the web PKI as well as the IoT PKI. We’ve been working on various tools that will fully encrypt sites as well as provide authentication services and identity services. I know a lot of people have been ignoring lately the role of identity in security. However, what we’ve seen is that a lot of these devices are subject to duplicate attacks where they’ve got a substitute device that was duplicated at manufacturing time that is then being deployed to the network.
We’ve been working with manufacturers to find a way and we actually developed a way to provide IP protection so that when you go to China and you hand the manufacturer a set of digital cameras or a set of video cameras that are going to be on your home security network, they don’t manufacture another 2000 that are identical and sell them on the black market. If they do that, they’ll also have the same credentials as the previously manufactured devices, which then in turn can be used to compromise the home devices. So what we’ve found is that we can actually deploy a credential in a way that ensure that those duplicate devices are not being manufactured and not being deployed in networks.
We find that companies like this lobby because it provides additional revenue for them because they aren’t being undermined by the black market. Two: it’s providing and protecting their IP from being stolen in China and other places and duplicate devices being made, and three: they’re also providing their customers with security so that they know that their systems are safe and trustworthy.
I think automation is coming into all facets of security. We’re happy to be part of it and we like to be there. I think for companies looking to improve their security with their IoT devices, the first step is to perform a vulnerability scan or vulnerability assessment and ensure that they know what data is coming to and from the device, what devices are communicating with other devices, where that data is going and how it’s being encrypted. Once they can do that, they can in an economic way device how to secure it and what level of encryption or technology they need to protect their users. The third thing that they should do is definitely engage security professionals from the start, like DigiCert to talk about security needs, to talk about how we encrypt and protect devices, talk about authentication and integrity and engage us through the entire process cause we’re happy to help and you can’t do everything about security. Security is such a huge, broad, subject that you can’t do everything yourself. And we’re an important part of that and we’re happy to be a part of that.