Public key infrastructure for the IIoT
The Industrial Internet of Things (IIoT) may just be the next great industrial revolution. Some analysts predict it to drive 14 trillion dollars in economic gains over the next decade. It’s not surprising companies are rushing to harness the potential of the IIoT by developing new products, services, and business systems.
An important area in which the IIoT creates value is the creation of a network of device endpoints: smart, connected sensors and controllers talking not only to each other, but also monitoring and managing a wide range of machines and industrial systems. By combining connectivity and functionality with analytics, information technologies and operational technologies, owners of industrial plants will obtain major benefits. For example, factories can be designed to adapt in real time to changes during production, and anticipate operation-degrading events. Additionally, predictive maintenance programs can be implemented to eliminate downtime or catastrophic consequences caused by unanticipated failures of critical system components. By achieving even small percentage gains in plant operations or reductions in unplanned downtimes, these upgrades will dramatically improve the profitability of manufacturing operations.
To take full advantage of the opportunities offered by the IIoT, an entire system—from sensors, actuators and motors, up through the controllers—should be connected to information and operational technology systems and beyond into the cloud. Expanded connectivity boosts efficiencies in operations and integrates the supply chain more tightly and in innovative ways. It also enables entirely new business models and revenue streams.
Unfortunately, cyber-attacks against these same systems will keep growing along with the number of devices. The bottom line is that we now have a growing number of both targets and attacks, so we must put cybersecurity solutions in place to protect these devices.
Just as cyber-attacks take many forms and exploit a wide range of vulnerabilities in the target device, so too is cybersecurity multi-faceted. A fundamental, but often ignored, aspect of cybersecurity for IIoT devices is strong authentication.
Authentication for the IIoT
Authentication, for machine-to-machine communication within the IIoT, is the process by which one IIoT device determines the legitimacy of another device (IIoT or not). Older, still common authentication methods fall short of modern security requirements.
Many embedded devices use a simple username/password scheme for machine-to-machine authentication. This obsolete method grants access to any other machine that presents the correct username and password.
Other systems use pre-shared security keys. Pre-shared keys are little more than long, complex passwords.
Both methods are problematic for several reasons. First, usernames and passwords can be stolen, sniffed, or otherwise discovered. Second, they are susceptible to brute-force attacks, in which all possible passwords are systematically attempted, and to dictionary attacks, in which commonly used passwords are attempted. Once a password is discovered, it can easily be used, allowing unauthorized access and providing the ability to perform operations that should not be permitted.
In simple terms, if a device sends the correct credentials, it is granted access. There is no mechanism to verify that the machine should have the password, or to detect that the password has been lost or stolen. Password-based authentication is also difficult to manage: if you need to change a username or password, every device in the network must be updated, a significant management challenge. As the number of deployed IIoT devices grows into the millions or even billions, managing passwords becomes unworkable.
Strong authentication for IIoT devices
To be effective, any machine-to-machine authentication scheme for the IIoT must overcome the weaknesses of password-based authentication. The solution must tie credentials to an identity: not only must it require the right information (username and password, authentication key, etc.), it must also be able to verify that the information is associated with the device presenting it, and it must do so securely. The credentials must not be easy to steal or clone, and the distribution, verification, and revocation of credentials must be automated and easy to manage.
PKI for IIoT authentication
PKI (Public Key Infrastructure) is a set of technologies and services for managing the authentication of computer systems. PKI is built on digital certificates, sometimes also referred to as X.509 certificates or simply as certificates. Think of a certificate as a virtual ID card.
In the real world, people use ID cards such as a driver's license, passport, or an employee ID badge to prove their identity. A certificate does the same basic thing in the electronic world, but with one big difference: certificates are not just issued to people (users, administrators, etc.). They can also be issued to computers, software packages, or just about anything else requiring verification of identity.
Certificates are extremely useful in high-security situations. For example, suppose you needed to securely transmit data between two networked devices. How do you really know you are transmitting the data to the intended device and not an imposter? One way of ensuring the integrity of the transaction is to use digital certificates to verify the identities of both machines.
PKI provides the tools and methodology required to issue certificates to all IIoT devices on a network and manage those certificates throughout the device’s lifetime. A certificate is comparable to a driver’s license. It provides an identity and a set of permissions, and was issued by a trusted entity. My driver’s license identifies me, provides a picture to show I am the proper bearer of the license, and defines my permissions as a driver of a motor vehicle. I am authorized to drive any standard passenger motor vehicle, but not certain commercial vehicles. And the license was issued by a trusted entity (the government of the State of Iowa).
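The following Go program is an added example, not code from the article or any product it describes; it uses only the standard library's crypto/x509 package to show, in miniature, how certificate-based authentication meets the requirements listed under "Strong authentication for IIoT devices": a root CA (the trusted entity) issues a certificate that binds a device identity to that device's public key, and the verifier checks the issuer chain, the validity period, a revocation list, and finally makes the device prove it holds the private key by signing a fresh nonce. All names (Example Plant Root CA, sensor-0042, the serial numbers) are hypothetical, and the in-memory `Revoked` map stands in for a real CRL or OCSP responder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy issuing authority, the "trusted entity" of the driver's license analogy.
type CA struct {
	Key     *ecdsa.PrivateKey
	Cert    *x509.Certificate
	Revoked map[string]bool // revoked serial numbers, a stand-in for a CRL
}
// signCert has the issuer sign tmpl (self-signed when parent == tmpl).
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// NewCA creates a self-signed root certificate plus the key that signs device certificates.
func NewCA(name string) (*CA, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	return &CA{Key: key, Cert: cert, Revoked: map[string]bool{}}, err
}
// IssueDeviceCert binds a device identity to its public key; the certificate alone, without the key, proves nothing.
func (ca *CA) IssueDeviceCert(deviceID string, pub *ecdsa.PublicKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: deviceID},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return signCert(tmpl, ca.Cert, pub, ca.Key)
}
// Signer is the device side of the challenge: sign the verifier's nonce with the device key.
func Signer(key *ecdsa.PrivateKey) func([]byte) []byte {
	return func(nonce []byte) []byte {
		d := sha256.Sum256(nonce)
		sig, _ := ecdsa.SignASN1(rand.Reader, key, d[:])
		return sig
	}
}
// Authenticate is the verifier side; on success it returns the device identity.
func Authenticate(root *x509.Certificate, revoked map[string]bool, devCert *x509.Certificate, sign func([]byte) []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := devCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil { // chain, validity, key usage
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	if revoked[devCert.SerialNumber.String()] {
		return "", fmt.Errorf("certificate %s revoked", devCert.SerialNumber)
	}
	nonce := make([]byte, 32) // fresh per attempt, so a recorded answer cannot be replayed
	rand.Read(nonce)
	d := sha256.Sum256(nonce)
	if pub, ok := devCert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, d[:], sign(nonce)) {
		return "", fmt.Errorf("proof of possession failed")
	}
	return devCert.Subject.CommonName, nil
}

// Demo reports which constructed devices the verifier accepts; only "genuine" should be, and only until revocation.
func Demo() (map[string]bool, error) {
	ca, err := NewCA("Example Plant Root CA") // hypothetical names throughout
	if err != nil {
		return nil, err
	}
	rogueCA, _ := NewCA("Unknown CA") // an issuer the verifier does not trust
	sensorKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // an imposter's own key
	sensorCert, _ := ca.IssueDeviceCert("sensor-0042", &sensorKey.PublicKey, 1001)
	rogueCert, _ := rogueCA.IssueDeviceCert("sensor-0042", &otherKey.PublicKey, 2002)
	accepted := func(c *x509.Certificate, k *ecdsa.PrivateKey) bool {
		_, err := Authenticate(ca.Cert, ca.Revoked, c, Signer(k))
		return err == nil
	}
	out := map[string]bool{
		"genuine":          accepted(sensorCert, sensorKey),
		"stolen cert only": accepted(sensorCert, otherKey), // copied the certificate, not the key
		"untrusted issuer": accepted(rogueCert, otherKey),  // same claimed identity, wrong CA
	}
	ca.Revoked[sensorCert.SerialNumber.String()] = true // device reported lost: withdraw this one credential
	out["revoked"] = accepted(sensorCert, sensorKey)
	return out, nil
}
```

`Demo()` returns `true` only for the genuine sensor: an imposter that has copied the public certificate cannot answer the nonce challenge, a certificate for the same name from an issuer the verifier does not trust fails chain verification, and after the CA revokes the sensor's serial number the device is refused without any other device's credentials being touched, which is exactly the management property password schemes lack. On real hardware the device key would sit in a secure element, and the revocation check would consult a CRL or OCSP response signed by the CA rather than a map.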