You can’t just walk into a secure building and start tampering with the air conditioning or access control systems without proper authorization, such as a pre-registered ID from a trusted company. On the cyber side of our smart buildings, however, security failings mean that hackers can virtually stroll into the building and access whichever system they choose. As in the human world, every connected device needs a digital certificate proving it is what it claims to be. Public key infrastructure (PKI) is emerging as the leading technology for device identity management in smart buildings.
PKI is a series of roles, policies, and procedures required to create, manage, distribute, use, store, and revoke digital certificates, thereby managing public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for activities where simple passwords are inadequate for authentication and more rigorous proof is needed to confirm the identity of the people or devices involved in the communication, thereby validating the information being transferred. There have already been numerous examples of what happens when we do not secure our Internet of Things (IoT) devices.
The clearest example was in October 2016, when hackers used IoT-enabled devices such as video surveillance cameras and printers to take Twitter, Spotify, Reddit, and other major websites offline. The Mirai Botnet used a synchronized barrage of requests from devices to overwhelm the popular DNS service Dyn, used by all the affected sites. “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters,” tweeted Jeff Jarmoc, head of security for global business service Salesforce, shortly after the incident.
The IoT adds a new level of vulnerability, and security needs to catch up before adoption is so widespread that malicious attackers could cause a major catastrophe, which may already be the case. The right technologies are maturing to create a reasonably secure information transfer system with fail-safes and so on, but the critical identity management issue is still not settled and too many stakeholders have no experience with cyber security. This is in part because of the rapid development of the IoT but also due to a fragmented technology sector that is not prioritizing security enough.
The IoT is putting connected technology into the hands of people who have no idea how vulnerable it makes them or how to protect against it. There needs to be a cultural shift in the cyber security mindset of all those involved with connected devices. You wouldn’t open your front door to a suspicious-looking person, so don’t open a link in a suspicious-looking email. You wouldn’t let someone into your home to fix something until they first proved who they are with an ID, uniform, or information only they would know.
“Many people entering the IoT realm, however, may not have considered some of the security issues they open themselves up to when they connect a device, and they quickly discover that IoT identity management is a complex topic,” said Nisarg Desai, head of IoT product management at GlobalSign, a certificate authority and provider of identity and security technologies for IoT. "Right now, we're at the stage where people are accepting that things need unique identities, and their management will become very important within the near future."
PKI is emerging strongly as the identity management technology to protect data in the IoT age. "We're seeing PKI emerge as the de facto credential for IoT devices, and now, we're on the path toward more complex identity management and provisioning systems," suggested Desai. It is still early days; however, the surrounding technology is starting to come together into a much more reliable system with advanced device identity management, as we have seen with smartphones for human identity using biometrics.
"IoT identity management is still nascent, in no small part, because emerging technologies are all dramatically impacting what IoT looks like and how data and interactions are processed," said Jessica Groopman, industry analyst and founding partner of Kaleido Insights in San Francisco. AI-enabled interfaces, she added, "have already gone mainstream. Millions of smartphones with facial and fingerprint recognition have shipped already, and an estimated 89% of phones will ship by 2020. We also see blockchain and related technologies playing an important role in the IoT device identity narrative."
Companies like Filament (backed by Intel), for example, "are developing blockchain-enabled chips so that devices can come preconfigured for specific use cases, such as provenance tracking," Groopman said. "Not only will identity solutions need to take these interactions into account, but such chips could become important enablers for authenticating device identities. Identities that capture every human, device, data, security interaction -- truly a 'digital twin' -- are much more unique and difficult to counterfeit than the current solutions," she continued.
IoT growth and cyber security defense are tied together: each holds the other back while also facilitating the other's advancement. Until the security issues of the IoT are resolved, the sector will not grow at its full potential, so continued development of the IoT is fuelling cyber security development. As the security level increases, more IoT growth is facilitated, which in turn raises vulnerability, holding back the IoT until security can catch up.
A recent report published by Memoori pegged global revenues for smart building cyber security at an estimated $4.26 billion in 2016, reaching $8.65 billion by 2021, representing a CAGR of over 15% across the 5-year period.
Utilizing the power of PKI is a fantastic step for this growing sector. In many ways, it futureproofs the IoT against a range of popular cyber attack methods used today. However, despite developments in identity and other security elements, the digital world will always make us vulnerable, as attackers will also continue to develop different approaches. The IoT will only get ahead in this security race if we change the security culture of all stakeholders involved in this new cyber-physical world.
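To make the device-certificate idea above concrete, here is an added example (not from the original article or from any company quoted in it) using Go's standard library: a CA issues a certificate to a device, and a gateway admits the device only if the certificate chains to that CA and the device signs a fresh nonce with the matching private key. The helper names `issue` and `admit`, the names `building-root-ca` and `hvac-controller-01`, and the choice of Ed25519 keys are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (hypothetical helper) signs a certificate for cn; a nil parent yields a self-signed root CA.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // root: the only key allowed to sign device certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// admit is the gateway check: chain to the building CA, then proof of key possession.
func admit(ca, dev *x509.Certificate, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := dev.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("not issued by the building CA: %w", err)
	}
	if pub, ok := dev.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) {
		return fmt.Errorf("device does not hold the certificate's private key")
	}
	return nil
}

func main() {
	ca, caKey := issue("building-root-ca", nil, nil) // constructed names
	dev, devKey := issue("hvac-controller-01", ca, caKey)
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh per connection so a recorded signature cannot be replayed
	fmt.Println("admit:", admit(ca, dev, nonce, ed25519.Sign(devKey, nonce)))
}
```

The certificate itself is public, so the signed nonce is what ties the connection to the device holding the private key; mutual TLS performs both checks during its handshake.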