Public Key Infrastructure (PKI) is an essential tool in securing devices, especially within IoT networks. PKI works because of how it uses digital certificates to verify the private keys end-to-end. This authentication model backed by digital certificates ensures security for your device and a verifiable identity.
Most commonly, IoT devices secured using PKI utilize X.509 certificates, which has a track record of protecting TLS, the basis of https and other applications like digital signatures, code signing, and timestamping. The X.509 certificate sees such prolific use because of its reliability, being secure and flexible and allowing for certificate profile and template customization that can adapt to a variety of IoT use cases – and is a core component of IoT management platforms and automation solutions.
However, even with the use of X.509 certificates, IoT devices are a frequent target for cybercrime – and it’s easy to see why. The sheer volume of devices in the market means that a potential breach could hold immense value for bad actors, and as such, IoT devices need to be more secure than ever.
Secure Supply Chains with Device Identity
Using digital identities keeps IoT secure and offers a solid line of defense, especially when they’re included during production by an Electronic Manufacturing Service (EMS). Without assured digital identities, IoT devices could be subject to unauthorized network access. It also means that if IoT devices are stolen, for example a shipment during transport, the certificates can be revoked – meaning the device would be useless to any illegitimate resellers or users.
This also benefits the EMS firms themselves. When manufacturing the same devices for multiple customers, having provisioned identities for each customer - in a way that is trackable and authenticatable – gives them a competitive advantage. It assures customers that their IoT devices are secure from the moment it leaves production, all the way to their door, while providing a low-friction option for devices to onboard to a platform further down the supply chain.
New Device Identity Models Enhance Security and Flexibility
As the digital landscape evolves, so do the threats to our IoT devices and supply chains. To stay ahead, we need advanced security measures that are both robust and flexible. One such approach is the use of Device Identity (DevID) architectures, which enhance crypto-agility and protect against supply chain threats.
Understanding DevID Certificates
Besides using X.509 certificates, we also leverage the IEEE 802.1AR standard, which includes two types of secure device identifiers (DevIDs): Initial Device Identifier (IDevID) and Locally Significant Device Identifier (LDevID).
- IDevID: Think of this as the device’s birth certificate. It’s a non-expiring certificate, ideally protected by secure hardware, that represents the device’s core identity.
- LDevID: This is more like a driver’s license. It’s a short-term, access-level certificate that allows the device to operate within a specific environment.
This dual-certificate system is particularly effective for securely onboarding IoT devices. The flexibility of LDevIDs allows operators to adapt to network threats and new cryptographic challenges, such as those posed by quantum computing.
Benefits of DevID Architecture
DevID architecture brings with it several benefits to enterprises looking to secure their IoT supply chains, such as:
- Enhanced Security: By using IDevIDs and LDevIDs, you can ensure that your devices have a robust identity framework. This makes it harder for malicious actors to compromise your devices and supply chain.
- Flexibility and Agility: The ability to frequently rotate LDevIDs means you can quickly respond to new threats. This is crucial in a landscape where threats are constantly evolving.
- Simplified Onboarding: DevID architectures streamline the process of securely onboarding new devices, reducing the complexity and time required to integrate new devices into your ecosystem.
- Futureproofing: With the rise of quantum computing, traditional cryptographic methods may become obsolete. DevID models provide the flexibility needed to adapt to these future challenges.
Implementing DevID in IoT Ecosystems
The 802.1AR specification is becoming popular in IoT environments that require secure and flexible responses to threats. This identity pattern can be used across different industries and has been successful with many enterprises in the past. It’s implementation, however, requires careful planning of the supply chain.
First, we consider where and how the IDevIDs are securely provisioned into that device, component, or chipset as well as at what stage of the manufacturing process.
Next, we consider how to potentially leverage some of those IDevID trust attributes that were ideally provisioned securely during the manufacturing into a locally significant, operational LDevID that can be used for allowing the device to connect and operate into the IoT ecosystem. These LDevIDs are generally rotated more frequently through the device lifecycle, enabling adjustable access policies throughout the device’s operation.
Utilising DevID infrastructure to safeguard your supply chains
The IDevID/LDevID architecture allows organizations to adapt to new threats by changing algorithms, trust chains, and security assumptions throughout the device lifecycle. This automated response ensures that devices remain secure even as threats evolve.
By adopting this flexible and secure identity architecture, businesses can protect their IoT devices and supply chains from emerging threats, ensuring a safer and more resilient digital environment. Implementing DevID models not only enhances security but also provides the agility needed to stay ahead in a rapidly changing technological landscape.
