In the first of a series of interviews with member companies, Wi-SUN Alliance President and CEO Phil Beecher talks with Gweltas Radenac, IoT Business Line Director at member company WISeKey Semiconductors, branded SEALSQ, a subsidiary of the WISeKey Group, about IoT security and the potential role IoT security-as-a-service could play in securing IoT organizations.
Hi Gweltas and welcome to our new Wi-SUN member interview series. First of all, please tell us a bit more about SEALSQ and your role in the business?
SEALSQ is a wholly owned subsidiary of the WISeKey Group that focuses on developing and selling Secure Semiconductors and Device Identities. As a Wi-SUN member, we simplify the implementation of device identities by Wi-SUN device manufacturers and their customers by offering a managed PKI Service called INeS, which has been designed specifically for the needs of the IoT industry. INeS PKI offers both factory provisioning and cloud-based field provisioning. In factory provisioning, the device identities are bound to the device during the manufacturing process, with private keys inserted into the hardware through, for instance, VaultIC Secure Elements.
My role as IoT Business Line Director is divided into two areas: First, explaining to the customer the hidden risks and complexities in developing and deploying their own CA (Certificate Authority) and PKI, with operational requirements like ensuring 24x7x365 operation with 99.9% availability, but also ensuring the device identity is securely stored and protected inside the hardware. Second, building and delivering scalable solutions that are easy to use, with the right time to market.
Looking at the idea of IoT security-as-a-service, do you think it will help organizations mitigate IoT security risks?
It’s an interesting concept. But from our perspective as a global cybersecurity company, I think IoT security-as-a-service is unlikely to be used across entire projects, but more likely to address specific challenges within an IoT infrastructure. It is a very fragmented market and will only become more so as IoT projects evolve and grow, and more devices are added to the network. Trying to apply a ‘service-led’ approach across that type of environment will be challenging. The focus right now needs to be on securing IoT devices, for which you need to include at least the following three security properties:
- To know that the software you are running is not tampered with (“integrity”)
- To be sure that you can trust who you are communicating with (“authenticity”)
- To be able to communicate privately (“confidentiality”).
What about the role of cryptography in IoT security?
For modern communications, cryptography is necessary. Unfortunately, cryptography and IoT are not always a good fit. To address this, it’s better to move cryptographic operations from software running on insecure platforms to secure hardware and add cryptographic accelerators into IoT devices. We all assume hardware to be secure, don’t we? But unfortunately, that’s not necessarily the case. This is why secure elements may help. Getting keys onto devices is also a difficult problem, as you need to protect their privacy from the point at which you generate them to the point where they are actually stored on the devices. This normally requires secure key generation facilities, secure transport of key material to manufacturing sites, and a secure facility on the manufacturing line to allow the keys to be safely programmed.
With recent IoT security legislation, do you think this has helped focus organizations’ minds on just how important it is?
The day-to-day impact of the recent EU Cybersecurity Act will be seen when device manufacturers and service providers must be certified for cybersecurity compliance to sell their products. Like the GDPR, the Cybersecurity Act provides a model that other non-EU countries follow when crafting legislation, so getting prepared will be a competitive advantage for the future. In addition, the UK’s proposed IoT cybersecurity law is moving ahead and shifting the responsibility for securing devices away from consumers by ensuring strong cybersecurity is built into these products by design.
You said that IoT is fragmented, operating across endpoints and networks, increasing the threat surface. Innovations are often seen as the solution to IoT security, but is a portfolio of solutions needed to deliver secure connectivity, trusted device identity, and so on?
The industry is still grappling with how to secure IoT deployments. A comprehensive security approach takes into consideration different technologies, policies and processes. Any organization interested in exploring security standards for IoT can refer to NISTIR 8228, the Industrial IoT Consortium, and the IoT Security Foundation, among others. These specify security frameworks for the IoT and explain how organizations can assess and improve their capabilities to prevent, detect, and respond to security incidents. So yes, it’s fair to say that a portfolio of solutions is required to cover those security frameworks.
Finally, is it realistic to really push all of the above solutions as-a-service? Is there a risk?
For most IoT deployments, a trusted ecosystem of authorized devices and authorized services is the recommended approach. In a trusted ecosystem, unauthorized devices or services are not allowed to interact with authorized devices or services. This prevents unauthorized access to the critical services and data of an IoT device. Without a physical Root of Trust with the right certifications (FIPS or Common Criteria) implemented on the device during design stage, the security-as-a-service concept cannot ensure it remains secure during the entire lifecycle of the device.
Thank you Gweltas.