Industrial Internet of Things: common cyber security standards hold the key
11 December 2018
Roderick Hodgson Director of Secure Chorus highlights the limitations of the most common currently adopted approach to securing networks in which specific Industrial Internet of Things (IIoT) devices operate. He discusses the requirement for a more comprehensive network-agnostic approach that secures the data itself. We see how the capabilities of identity-based public key (IDPK) cryptography – and MIKEY-SAKKE in particular – are well adapted to a range of applications in the IIoT. Mr Hodgson explains how combining the MIKEY-SAKKE cryptography standard with industry-developed interoperability standards will help solve critical security challenges found in the IIoT.
The IIoT is the application of Internet of Things technologies to enhance manufacturing and industrial processes. While the IIoT is not a new phenomenon, in recent years there has been a sharp rise in the number of interconnected devices exchanging increasing amounts of valuable information. This trend is occurring in several industries, with the result that cyberattacks on the IIoT have now become a leading concern to governments and enterprises alike. Top-level areas of risk include major state-sponsored attacks on critical national infrastructure (CNI) as well as industrial espionage aimed at gathering information about an organisation.
Attackers’ motivation may include the acquisition of intellectual property, sequestration of proprietary or operational information, or the pursuit of criminal activities such as theft of trade secrets, bribery, blackmail and surveillance.
Existing approaches to securing the IIoT network are valuable as they prevent a range of network-based attacks. Network security provides the first line of defence against attempts to flood the network, or against rogue devices joining the network in an attempt to analyse communication patterns and trends. But it is only valuable to a point: while network security can also be used to protect data from eavesdropping, this protection is limited by the boundary of the network.
Innovation brought about by the IIoT goes beyond specific networks. The IIoT takes the data collection and real-time analysis capabilities of new computing technologies (such as cloud computing, analytics engines and Big Data solutions) beyond the perimeter of a given network. The ability to connect devices directly to these technologies provides potential opportunities to all who interact with complex ecosystems. But to make the vision of all these interconnected systems a reality, confidentiality of the data exchanged and authentication of the interacting devices are required. This can be provided by end-to-end data security approaches.
Today, public key cryptography plays a critical role in many IoT environments, as it ensures confidentiality, integrity, authenticity and non-repudiation in data transmission and data storage. End-to-end encryption can be achieved using a range of public key cryptography approaches. However, the IIoT has four specific characteristics that introduce a new set of challenges:
1. the number of devices that need to be secured with the IIoT is greater than in traditional industry environments;
2. devices and systems found in the IIoT are highly varied. While some solutions rely on low-power and low data bandwidth, others are dedicated to performing far more computation over high-speed networks;
3. IIoT devices are being used in a wider range of scenarios, each presenting challenges caused by differences in processing capabilities, use cases, network capabilities and physical locations; and
4. a network of IIoT devices may be comprised of devices and systems sitting both within and outside the security perimeter of an industrial plant.
Identity-based public key cryptography is a development in the field of public key cryptography. It allows the public key to be an arbitrary and known unique identifier, such as a phone number, email address or vehicle registration number.
MIKEY-SAKKE is one such identity-based public key cryptography approach. MIKEY-SAKKE was developed by the UK government’s National Technical Authority for Information Assurance (CESG), which is now part of the National Cyber Security Centre (NCSC) and a government member of Secure Chorus. MIKEY-SAKKE was standardised by the Internet Engineering Task Force (IETF). It has also recently been approved by the 3rd Generation Partnership Project (3GPP), the body responsible for standardising mobile communications for use in critical applications, receiving endorsement at a global level for its approach to public key cryptography.
MIKEY-SAKKE ensures that any encryption key material is directly tied to the identity of an industrial device or sensor. The added use of Key Management Servers (KMS) simplifies key management, providing scalability to large numbers of devices and compatibility with a wide variety of devices and sensors, while Secure Chorus interoperability standards ensure that trust can be established between parties for the devices they control, beyond the perimeter of a single system or organisation.
Secure Chorus serves as a platform for multi-stakeholder cooperation on the development and adoption of common interoperability standards and has selected MIKEY-SAKKE as its cryptography standard of choice. Mr Hodgson will conclude his presentation by saying that when used in conjunction with the new Secure Chorus interoperability standards, MIKEY-SAKKE presents a strong set of standards for solving several security challenges found in the IIoT.
For more information, please visit: www.securechorus.org