Speaking to Infosecurity at the DigiCert Security Summit in San Diego, DigiCert CEO John Merrill and VP of IoT security Mike Nelson discussed the company’s vision around enabling better IoT security using PKI.
Merrill said that the company is in the process of rolling out a new platform named DigiCert One. “In security, we have an attitude of ‘if it is not broken, I don’t want to change it,’ and we’ve been talking containers, Docker and Kubernetes and how to deploy things faster as most PKI software is three generations [out of date].”
This led DigiCert to roll out the new platform “as most security was built in a way that it is not easily moveable,” but the new platform, which will include a PKI manager and device manager, will be deployable to on premise, in cloud, in AWS and hosted environments.
“We’re not forcing the customer to accept our software and platform as we designed it, we put it where it meets them,” he said.
The first implementation is called Enterprise PKI Manager, which is a PKI application and is being rolled out now, while an IoT Device Manager has also been added. “The part we are adding is we put certs on, and manage them out in the field, and all of that will be in the IoT Device Manager,” Merrill explained.
Leading the IoT division of DigiCert, Nelson came from a healthcare technology background before leading the company into the various factors of IoT. “We’ve been selling a high-provisioning API to help manufacturers with the challenges of authenticating their transactions and encrypting their data, adding digital signatures for integrity, but we now have a device manager that is going to allow us to do a lot more,” he said.
Now everything is connected, and Nelson said that “anything that is connected needs to be secured, as eventually someone will try to hack it.” Also, IoT relies on a lot of over the air updates and these need to be encrypted, while integrity is so important “and the way you do that is through digital signatures and you sign the data packet so it is received.”
Nelson admitted that things are moving in the right direction when it comes to IoT regulations, but we still have a long way to go.
Merrill added that the whole issue is not around how secure a device is, but that it is another endpoint into the system, and PKI has now effectively become a protocol and it is safe for now – until quantum computers come along, at least. “We’re not trying to re-invent the wheel here, but use something that is proven.”
He said that if you get the footprint right and if the key length is not too long, PKI can be perfect and the key with IOT is to design security up front, and IoT use cases are different from servers as you want them to be on premise and air gapped.
Concluding, Nelson said that the future of IoT is appearing to be positive as governments are taking this seriously, and industries are collaborating to create standards, and he predicted that we will see more movement in that direction. However, we will see more attacks, and he considered if this will lead to the level of security being advertised by the manufacturer. We may be some way from a totally secure IoT, but the right steps are being taken by many.