How to manage your digital certificates in IIoT environments securely
The growth of the Internet of Things (IoT) will far outpace that of other connected devices. It is currently estimated that there are around 6 billion tablets, smartphones and PCs, compared with around 26 billion IoT devices, each of which is a potential entry point for an attack. As a reference, the American consultancy Gartner predicts that by 2025 there will be around 75 billion connected devices, and that more than a quarter of all attacks on businesses will be carried out through them.
Against this background, a key pillar of IoT network security is device-to-device authentication, which can be achieved in a secure and scalable way through digital certificates. A certificate binds a public key to the identity of its holder and is signed by an authority that both parties trust. It relies on public key (asymmetric) cryptography: the private key, which never leaves the device, is used to sign and to decrypt, while the matching public key, published in the certificate, is used to verify those signatures and to encrypt data for that device. A device therefore proves its identity by demonstrating possession of its private key, and only the legitimate recipient can read information encrypted to its public key, ensuring confidentiality.
PKI platforms as a solution to IIoT device management
The management of digital certificates has two key points. The first is to ensure their legitimacy, which must be done by entities in which trust has been placed (certification authorities). The second is to manage the certificates and their keys over their whole lifecycle: request, generation, delivery, installation, renewal and, when necessary, revocation. To achieve both objectives, public key infrastructures (PKIs) are generally the best option. A PKI provides a digital identity for devices, services or other entities and so enables the secure transmission of information over the network. This is especially critical for actions that are very common today, such as e-commerce, internet banking and confidential email. This being the case, a PKI is the natural solution for securing device deployments in IIoT (Industrial IoT) environments. Different solutions are currently available:
- Traditional PKI solutions: they generally have a very high cost and are not oriented towards IIoT environments, i.e., they do not take into account the characteristics of this type of environment, such as the limited connectivity of the devices, their computational limitations, their life cycle, etc.
- Solutions as a Service: these offer advantages over the previous approach, as they allow for greater system scalability. However, their cost is calculated from the number of certificates issued, so in environments where certificate rotation is frequent they are not economically viable.
- Solutions based on free software: they start with the advantage of a low entry cost; however, since these solutions are generally not oriented towards IIoT environments, the investment required to adapt them may be high.
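The lifecycle described above (key generation on the device, certificate request, issuance by a trusted authority, renewal and revocation) and the device-to-device authentication it enables, as an added example that is not part of the original article and is not LAMASSU's code: a small in-memory certification authority written in Go with only the standard library. The type name DeviceCA and the identities "Plant-Root-CA" and "sensor-0001" are constructed for the example; it assumes ECDSA P-256 keys, a 24-hour certificate lifetime as the rotation period, and revocation published through a CA-signed CRL. The transport between device and CA (EST, SCEP or a vendor API) is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceCA is a hypothetical in-memory CA for one plant (illustration only, not LAMASSU code).
type DeviceCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}
// NewDeviceCA creates a self-signed root allowed to sign device certificates and CRLs.
func NewDeviceCA(name string) (*DeviceCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &DeviceCA{cert: cert, key: key}, nil
}
// DeviceCSR runs on the device: the key pair is generated locally, the private key never leaves it, and only the DER-encoded CSR is sent to the CA.
func DeviceCSR(deviceID string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}
	return x509.CreateCertificateRequest(rand.Reader, req, key)
}
// Issue checks the CSR's proof of possession, then signs a short-lived client-auth certificate (validity = rotation period).
func (ca *DeviceCA) Issue(csrDER []byte, validity time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, fmt.Errorf("CSR proof of possession failed: %w", err) }
	der, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; a real CA uses random serials of 64+ bits
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.cert, csr.PublicKey, ca.key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
// NeedsRenewal reports whether the certificate expires inside the renewal window, i.e. the device must re-enroll now.
func NeedsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return now.Add(window).After(cert.NotAfter)
}
// CRL publishes a CA-signed revocation list for the given certificates (RevokedCertificates is the pre-Go 1.21 field name, kept for older toolchains).
func (ca *DeviceCA) CRL(revoked ...*x509.Certificate) (*x509.RevocationList, error) {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		RevokedCertificates: entries,
		Number:              big.NewInt(time.Now().UnixNano()), // must increase on every publication
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour),
	}, ca.cert, ca.key)
	if err != nil { return nil, err }
	return x509.ParseRevocationList(der)
}
// Verify is what a peer does before trusting a device: CRL signature, chain to the plant root, validity dates, intended usage, revocation status.
func (ca *DeviceCA) Verify(cert *x509.Certificate, crl *x509.RevocationList) error {
	if err := crl.CheckSignatureFrom(ca.cert); err != nil { return fmt.Errorf("untrusted CRL: %w", err) }
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil { return err }
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 { return fmt.Errorf("serial %s is revoked", cert.SerialNumber) }
	}
	return nil
}
func main() {
	ca, _ := NewDeviceCA("Plant-Root-CA")
	csr, _ := DeviceCSR("sensor-0001") // constructed device identity
	cert, _ := ca.Issue(csr, 24*time.Hour)
	crl, _ := ca.CRL(cert) // publish a CRL that already revokes this certificate
	fmt.Println("renew within 48h:", NeedsRenewal(cert, time.Now(), 48*time.Hour), "| verify:", ca.Verify(cert, crl))
}
```

The points to notice are that the device keeps its private key and only the CSR travels to the CA, which checks the CSR signature as proof of possession before issuing; that a peer verifies the chain, the client-authentication usage and a signed CRL before trusting the device; and that short lifetimes make re-enrolment the normal state of the fleet, which is exactly the cost driver for per-certificate pricing mentioned above. In a production deployment the CA key would live in an HSM rather than in process memory.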
Responding to the challenges of industrial IoT environments
IKERLAN is advancing IoT identity management research within the framework of ÉGIDA, the first and only national network of security and privacy technologies, formed by technology centres of excellence such as Gradiant, Fidesol, Vicomtech and IKERLAN (the last two belonging to the BRTA – Basque Research and Technology Alliance). Within the framework of the Cervera Programme for Technology Centres, and promoted by the Ministry of Science and Innovation and the Centre for Industrial Technological Development (CDTI), ÉGIDA is the national commitment to developing market-oriented research in security and privacy technologies.
An example of the industrial application of these technologies is the LAMASSU platform. LKS Next and IKERLAN committed to creating a new solution for identity management in IoT devices, and LAMASSU was born of that effort, designed to respond to the challenges posed by industrial IoT environments. LAMASSU focuses on managing the lifecycle of a device's certificates, providing the control needed to integrate it into any Industry 4.0 device environment, thanks to the architecture on which it is based.
In addition, to cope with the heterogeneity of devices found in an IoT environment, LAMASSU supports a range of cryptographic algorithms, from the strongest and most computationally demanding to the lightest, so that it can cover a large number of device types, from those with high computational power to those with limited computational capacity.