MY TAKE: Why IoT systems won’t be secure until each and every microservice is reliably authenticated

By Byron V. Acohido

Wider use of Internet of Things systems that can make daily living safer, healthier and more convenient is on the immediate horizon. However, to fully capture the benefits of an IoT-centric economy, a cauldron of privacy and security concerns must first be quelled.


At the technology level, two fundamental things must be accomplished. First, the identities of any two digital entities (a sensor and a control server, for instance, or even a microservice and a container) must be authenticated. Second, the data exchanged between any two such digital instances must be encrypted.

The good news is that the technology to do this, on the fly and at the massive scale required, exists and is being reinforced. I’m referring to the Public Key Infrastructure, or PKI, and the underlying TLS/SSL authentication and encryption protocols.

The PKI framework revolves around distributing and continually managing digital certificates, issued by Certificate Authorities (CAs). PKI today appears to be in very good shape and is on track to become even more robust, which it will have to be in order to function seamlessly at the massive scale required.

Consider this: just five years ago, a large enterprise was typically responsible for managing, at most, a few million digital certificates. But as IoT systems gain more and more traction, that number will climb into the hundreds of millions, per company.

Setting priorities

The core IoT challenge, going forward, is not about technology; it’s about corporate priorities. It is incumbent upon enterprises plunging forward with digital transformation to embed security and emphasize cyber hygiene, much more so than they generally do today. IoT device manufacturers must embed basic security protocols at a granular level, and corporate captains must instill a security-first culture, to a level much deeper than is common today.

“If you’re not authenticating connections and you’re not encrypting your data, you’ll be exposed,” says Mike Nelson, vice president of IoT security at DigiCert, a Lehi, Utah-based CA. “And if you’re not doing integrity checks, you’ll be exposed.”

I had the chance to sit down with Nelson at DigiCert Security Summit 2020 in San Diego last month. We discussed how a confluence of external drivers is likely to play out. One driver, regulation, is already in motion. Political leaders in the U.K., Japan and California have commenced imposing security benchmarks for IoT devices and systems.

More IoT standards are sure to come, but regulation will raise the bar only so high. Unfortunately it very likely also will take a few high-profile IoT attacks to incentivize the corporate sector to elevate cyber hygiene to a core operational tenet. For a full drill down on my interview with Mike Nelson, please give the accompanying podcast a listen. Here are excerpts, edited for clarity and length:

LW: No doubt there are many benefits to wider use of IoT systems, but the flip side is security and privacy. Can you frame where things stand?


Nelson: We’re already seeing rapid adoption of IoT systems, but most people don’t understand the risks associated with that growth. Consumers are installing security cameras, smart doorbells, smart locks, smart speakers, and they don’t realize that people with the right skill sets can now spy on them, unlock doors, open garages. It’s already happening.

Outside of the home environment, as traffic grids and traffic lights connect, and as hospitals increase their use of automated drug infusion systems, and rely more on surgeries done by robotic arms, there’s potential for mass disruption; a lot of really bad things can happen if these systems aren’t secure.

LW: Regulators are paying attention; what’s going on there?

Nelson: The Japanese government, the U.K., even regulators in the US, are creating security standards for connected devices. What we’re seeing is pretty basic things around authentication.

A lot of them are encouraging multifactor authentication, for instance. The U.K. is going live with their new rules in 2020, and the state of California has just passed IoT security regulation that talks about password management and labelling.

LW: What role does PKI play in all of this?

Nelson: IoT at its core means connectivity. So PKI can be used to secure connections. It already does this for the Internet. When a user goes to a browser and accesses a web server, PKI authenticates both the user and the web server; then it encrypts the data that’s being transmitted over the Internet.

With IoT, devices are connecting to servers, to other devices and to an array of services — and all of those connections need to be authenticated. With IoT, it is critical that all of those connections are properly authenticated and trusted, so you know that when your device connects to something, it’s not going to get a package of malware or get exposed to other nefarious activities. The public key infrastructure, through the use of certificates, can authenticate those connections.

LW: You’ve got an understanding of this at a very personal level; do you mind sharing?

Nelson: I’m a Type 1 diabetic. So every five minutes I get a reading on my phone transmitted from a device that I wear on my leg that monitors my blood sugar level. If a man-in-the-middle attack occurred on that data package, a hacker could modify the value and send a false value to my phone that tells me my blood sugar level is 400, instead of 100, and if I dosed myself for that level, it would be devastating for my health; it could put me in a diabetic coma.

IoT generates massive amounts of data, some of it sensitive. Businesses are using IoT to make really important, high dollar-value decisions. So the integrity of that data, knowing that the data is authentic, and hasn’t been modified, is so important. You can imagine the ramifications if that data can’t be trusted.

PKI facilitates data integrity by using digital signatures to sign those data packages. If there’s a signature associated with it, and that signature is still there when it arrives at the server, or on my mobile phone, I know that the data package is authentic and has not been manipulated.

LW: How well equipped is PKI to handle such a fundamental role, going forward?

Nelson: It’s important to note that in the PKI space there is public trust, which is all the stuff that happens when you browse the Internet, and then there’s private trust, which is more what’s happening in the IoT space.

Public trust is covered by a lot of industry standards that need to be complied with, such as two-year validity periods for certificates. Private trust uses private hierarchies that have a lot more flexibility – certificate validity periods can be much longer, like 10 years, or very short, less than a minute, for instance.

PKI is a perfect solution for IoT because it’s flexible and it’s scalable. We now have customers managing 500 million-plus certificates, the volume is so high and heading higher. The cool thing is we’re continuing to innovate and evolve our products around IoT device management . . . and we’re continually bringing forward the tools our customers say they need to manage so many IoT devices.

LW: What is DigiCert doing to ensure PKI is modern enough to handle today’s requirements?

Nelson: We’ve been speaking to large enterprises and the world’s leading device manufacturers to determine what they need to deploy PKI at scale and with efficiency. We’ve introduced the DigiCert Enterprise PKI Manager and DigiCert IoT Device Manager, new offerings in our DigiCert® ONE platform, to help them with fast and flexible deployment of PKI.

Using containerized technology, we can give them a highly scalable instance of our PKI managers for hosted, on-prem, private or public cloud, or in-country use. They can run our PKI wherever they need to be. It’s paying dividends. Customers like British Telecom have already been using it. They are taking what used to require weeks of setup time and reducing it to under an hour to be up and operational, able to issue certificates. This is a major breakthrough and is set to change PKI use in the IoT and enterprise (secure email, DevOps, digital signing, secure remote access, etc.) in a big way.
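The signed-reading scenario and the private-trust validity periods described in the interview above, as an added example that is not part of the original article and is not DigiCert code: a constructed private root issues a one-minute device certificate, and the verifier rejects a reading altered from 100 to 400 as well as a reading presented after that certificate has expired. The certificate names, the JSON reading format and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair and certificate; a nil parent yields the self-signed private root.
func issue(cn string, serial int64, ttl time.Duration, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, signer = true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyReading accepts a reading only if, at time now, dev chains to root and sig covers these exact bytes.
func VerifyReading(root, dev *x509.Certificate, reading, sig []byte, now time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := dev.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now}); err != nil {
		return false // unknown issuer, or certificate outside its validity period
	}
	pub, ok := dev.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, reading, sig)
}

// Demo signs a constructed reading and returns the genuine, tampered and expired-certificate outcomes.
func Demo() (genuine, tampered, expired bool) {
	root, caKey := issue("Private Root (constructed)", 1, 24*time.Hour, nil, nil)
	dev, devKey := issue("glucose-sensor-01 (constructed)", 2, time.Minute, root, caKey)
	reading := []byte(`{"mg_dl":100}`)
	sig := ed25519.Sign(devKey, reading)
	return VerifyReading(root, dev, reading, sig, time.Now()),
		VerifyReading(root, dev, []byte(`{"mg_dl":400}`), sig, time.Now()),
		VerifyReading(root, dev, reading, sig, time.Now().Add(time.Hour))
}
func main() { fmt.Println(Demo()) }
```

The signature alone only proves that some key signed the bytes; the chain check against the private root is what ties that key to an enrolled device.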


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


