Securing the manufacturing process of IoT devices
In the manufacturing and industrial sectors, the worlds of IT and OT are converging, mostly due to the introduction of IoT devices. IoT devices are designed to communicate across networks, allowing them to exchange OT data with IT resources. Given the high-risk profile of industrial assets and systems, it’s important to have a defined security strategy, and it’s critical to ensure secure machine-to-machine communication is in place.
Original equipment manufacturers (OEMs) need to be proactive by ensuring the proper security capabilities are built into both the devices and the networks in which they operate. Not doing so can lead to attacks throughout the entire manufacturing process.
At Nexus, we encourage a zero trust security approach to ensure that every device has a trusted identity and is authenticated when entering your secure network. This also protects the integrity of each device and keeps the data collected by the devices secure and trustworthy. To keep your manufacturing process secure, we recommend these three steps:
Controlling Production Runs
Controlling the production of IoT devices during their manufacturing is imperative to ensure that only legitimate devices populate the market and make it to customers deploying them in their ecosystems. The unauthorized production of devices that purport to be what they are not, and which may have malicious intent, can be prevented with digital counters that limit production runs. In addition to protecting subsequent deployments, these mechanisms protect the intellectual property and bottom lines of both licensors and manufacturers. But how can we ensure that each device produced has an individual identity? This leads us to the second step.
Injecting Digital Birth Certificates
The injection of a digital birth certificate enables a “transport identity”. This means that each device can be individually identified, and later enrolled when deployed within an IoT ecosystem. A simple analogy is how we as individuals are given a certificate issued by a trusted government department at birth, and how we later use this same certificate when we enroll, for example, in school. Because it is issued by a trusted government source, that piece of paper certifies to those running the educational ecosystem that in that context we are indeed who we say we are. As a result of that certification, the ecosystem knows it should accept us. But what happens to devices during their lifecycle after they become part of an IoT ecosystem? That is where the third step comes into play.
Digital Code Signing
Digitally signing all software and firmware affirms its integrity, protects against malware, and ensures the ongoing safe lifecycle management of IoT devices. We all know that software and firmware updates are an everyday occurrence. Many times, these happen in the middle of the night, so there is little or no disruption to operations. While these updates ensure optimum operation and are frequently used to patch security vulnerabilities that may have been discovered, they also present an opportunity for attacks and a vector through which malware and viruses could be introduced into an otherwise closed and trusted ecosystem. Code signing enables devices to automatically validate whether code updates are authentic and whether they come from trusted sources, thus ensuring the continued integrity of the system.
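Steps one and two above can be sketched with the Go standard library, as an added example that is not Nexus code: a factory CA whose issuing function stops once the licensed production run is used up, and the check an enrolling network runs on the resulting birth certificate. The CA name, device IDs, run size, 24-hour validity and sequential serial numbers are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// sign issues a certificate for pub; a nil parent yields a self-signed CA certificate.
func sign(cn string, serial int64, pub ed25519.PublicKey, parent *x509.Certificate, key ed25519.PrivateKey) (*x509.Certificate, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // CA certificate: allowed to sign certificates and nothing else
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage, parent = true, true, x509.KeyUsageCertSign, nil, t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// NewFactoryCA returns the CA certificate and an issue function that signs at most `remaining` devices.
func NewFactoryCA(key ed25519.PrivateKey, remaining int64) (*x509.Certificate, func(string, ed25519.PublicKey) (*x509.Certificate, error), error) {
	root, err := sign("Example Factory CA", 1, key.Public().(ed25519.PublicKey), nil, key)
	return root, func(id string, devPub ed25519.PublicKey) (*x509.Certificate, error) {
		if root == nil || remaining <= 0 { // digital counter: the licensed run is used up
			return nil, fmt.Errorf("no CA or production run used up, refusing %q", id)
		}
		remaining-- // not goroutine-safe in this sketch
		return sign(id, remaining+2, devPub, root, key) // serials stay above the CA's serial 1
	}, err
}
// VerifyAtEnrollment accepts a device only if its certificate chains to the factory CA.
func VerifyAtEnrollment(root, dev *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := dev.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
func main() { // demo run; errors are ignored here for brevity
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	root, issue, _ := NewFactoryCA(caKey, 1)
	devPub, _, _ := ed25519.GenerateKey(rand.Reader)
	dev, _ := issue("device-0001", devPub)
	fmt.Println("enrollment error:", VerifyAtEnrollment(root, dev))
}
```

A certificate for the same device ID issued by a different key fails `VerifyAtEnrollment`, which is what keeps devices from an unauthorized production run out of the ecosystem.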
Nexus' Manufacturing PKI
Nexus offers flexible and scalable certificate authority (CA) software, which enables customers to register, issue, and manage electronic identities for devices and services in any type of IoT use case. Nexus enables:
- IoT device certificates
- Factory certificates
- IoT certificates as a service
Nexus Smart ID IoT provides a factory CA where security requirements mandate an on-premises CA. Nexus GO IoT service, based on Nexus Smart ID IoT, can also provide PKI certificate lifecycle management throughout the devices’ lifetime. A “lifecycle CA” can augment the factory CA and provide revocation status service and renewal of certificates. Nexus Smart ID and the GO IoT service are based on mature, scalable, highly reliable, continuously tested, and maintained products. The multi-CA solution helps you adapt to the PKI hierarchy and request certificates via standard protocols. Nexus' solution offers administration, reporting, and automation features and has a solid track record.
Published
11/05 2022