How using a PKI could save you from starting a fire

The growth of the Internet of Things (IoT) will far outstrip that of other connected devices. It is currently estimated that the number of tablets, smartphones, and PCs is around 6 billion, while the number of IoT devices is around 26 billion, and each of them is a potential entry point for an attack. For reference, the US consulting firm Gartner forecasts that by 2025 the number of connected devices will be around 75 billion and that more than a quarter of attacks on companies will be carried out through these devices.

 

But what are PKI platforms, and why are they so important?

Let’s start reading the headline of this newspaper published not so long ago: “This is how you can leave an entire neighborhood without electricity.” The news describes how, due to some insecure certificates, a group of Spanish researchers managed to turn off the electricity meters to which they had been connected. The consequences can be even worse: “We can make the electricity meter turn on and off constantly. Every time it does, the switch creates a spark, so if you do it too many times you can start a fire”.

If you don’t want to cause a fire or something worse, let’s see how using a PKI (Public Key Infrastructures) can help us. PKI revolves around the creation, distribution, and management of digital certificates, it is a way of authentication between devices.

In the authentication process, two different cryptographic keys are issued, a public key and a private key. The combination of both keys allows the information to be encrypted. Thus, only the legitimate receiver of the information can read its content, ensuring its confidentiality.

PKI platforms as a solution to IoT device management

The management of digital certificates has two key points.  The first is to ensure their legitimacy, something that must be carried out by those entities in which trust has been placed. The second point is to manage the keys: their request, creation, sending, installation, renewal, and, if necessary, revocation. Public Key Infrastructures (PKIs) are generally the best option to achieve both objectives. PKIs enable the digital identity of devices, services, or other entities, facilitating the secure transmission of information over the network. This is especially critical for certain actions that are very common today, such as e-commerce, internet banking, and confidential email. This being the case, a PKI seems a natural solution for securing device deployments in IIoT (Industrial IoT) environments. Different solutions are currently available:

  • Traditional PKI solutions: they generally have a very high cost and are not oriented toward IIoT environments, i.e., they do not consider the characteristics of this type of environment, such as the limited connectivity of the devices, their computational limitations, their life cycle, etc.
  • Solutions as a Service: these offer advantages over the previous approach, as they allow for greater system scalability. However, in these cases, their cost is calculated taking into account the number of certificates issued, which means that, in environments where certificate rotation is frequent, it is not economically viable.
  • Solutions based on free software: they start with the advantage that the entry cost is low; however, given that the focus of these solutions is not generally oriented toward IIoT environments, the economic investment required to adapt these systems may be high.

An Open Source PKI for industrial IoT

LKS Next and IKERLAN have decided to commit to creating a new solution for identity management in IoT devices: Lamassu IoT (https://www.lamassu.io/). Lamassu is an Open Source IoT-first PKI designed for industrial scenarios.

The new PKI is intended to be modular and scalable to be able to handle the requirements of high loads of devices with heterogenous characteristics and constrains. At its core, the Lamassu supports a set of standards to perform some of its key functionalities. Though at the moment there are only two fully supported and integrated standards, Lamassu envisions a wide variety of standards and protocols to be able to fulfil virtually all requirements of Industrial IoT devices.

As mentioned, the two already supported protocols are:

  • Enrolment over Secure Transport (EST): This protocol is built on top of the HTTP stack, and it is used to register new devices on the PKI and obtain a valid digital certificate as well as renewing existing one.
  • Online Certificate Status Protocol (OCSP): This protocol is also built on top of the HTTP protocol and is used to validate the status of any given certificate to determine if the certificate is Active or Revoked.

There are plans to analyse and extend to even more protocols:

  • Lightweight Certificate Management Protocol (CMP) Profile: This protocol is not yet finalized, and it is currently just a proposal, but the aim is to reduce the complexity of an already existing protocol named CMP and use any communications transfer mechanisms such as HTTP, MQTT or even in an offline environment.

Another key point for adopting Lamassu is its extension capabilities. For instance, Lamassu offers full support to integrate the digital identities managed by the PKI with both AWS IoT Core platform as well as Azure IoT Hub. This way, devices that have been provisioned with Lamassu can connect to those platforms using their already generated certificates.

There is another first-class extension component named as the Alert Service that can be enabled to obtain real-time notifications and have full control and overview of everything related with the PKI and the IoT fleet being managed and Identify connectivity problems with such devices among other things.

Managing IoT devices in the wild is no easy task. The “One certificate to rule them all” is not a valid nor cybersecure approach for any IoT deployment. By leveraging the functionalities provided by Lamassu, business can build IoT solutions that are one step closer to be resilient and secure by design.

Stay up to date with the Lamassu project by visiting our site: https://www.lamassu.io as well as the GitHub repository: https://github.com/lamassuiot where you can deploy your own IoT-first Open Source PKI.

For any inquiries, kindly contact us at hsaiz@ikerlan.es