To make the Internet of Things safe, start with manufacturing

Vincent Van Gogh is believed to have said “Great things are done by a series of small things brought together.” This aptly describes the Internet of Things (IoT), where many small things are coming together to shape what we all hope will deliver a great leap in the way we live and do business. In this blog, and in an accompanying interview on the Thales Blog with our colleague Daniel Hjort from Nexus Group, we discuss the challenges that industry faces to ensure safe deployment and management of IoT technologies.

Achieving the IoT’s bold objective requires not only bringing many small things together and carefully orchestrating their interconnections, but also the assurance that their integrity and the data they collect remains secure and trustworthy. This sentiment is shared by industry leaders. According to Maciej Kranz, Cisco VP for strategic innovation, writing for, “[In 2018] IoT security will become the No. 1 priority in the enterprise.” For the IoT to deliver on its promise, organizations that deploy the technology must be able to trust their connected devices, trust that the data they collect is real and unaltered, and ensure that once collected, the data itself is protected for privacy and security.

Watch the recorded Thales-Nexus joint webinar: ”Enabling Trusted Identities for the Internet of Things.”

As an increasing number of connected devices are deployed within IoT ecosystems, enterprises need to identify and authenticate them. Typically, when they are manufactured, IoT devices receive their initial identity in the form of a “digital birth certificate.” Therefore, manufacturing is the first critical link in the chain to establish trust across the IoT. Securing the manufacturing process of IoT devices includes three steps:

  1. Controlling production runs to ensure product legitimacy and prevent counterfeiting
  2. Injecting digital birth certificates to enable device identification and authentication
  3. Digitally signing software and firmware to ensure integrity and protect from malware

Controlling Production Runs

The first step, controlling the production of IoT devices during their manufacturing, is imperative to ensure that only legitimate devices populate the market and make it to customers deploying them in their ecosystems. The unauthorized production of devices that purport to be what they are not, and which may have malicious intent, can be prevented with digital counters that limit production runs. In addition to protecting subsequent deployments, these mechanisms protect the intellectual property and bottom lines of both licensors and manufacturers. But, how can we ensure that each device produced has an individual identity? This leads us to the second step.

Injecting Digital Birth Certificates

The injection of a digital birth certificate enables what Daniel at Nexus (read interview) calls a “transport identity.” This means that each device can be individually identified, and later enrolled when deployed within an IoT ecosystem. A simple analogy is how we as individuals are given a certificate issued by a trusted government department at birth, and how we later use this same certificate when we enroll, for example, in school. Because it is issued by a trusted government source, that piece of paper certifies to those running the educational ecosystem that in that context we are indeed who we say we are. As a result of that certification, the ecosystem knows it should accept us. But, what happens to devices during their lifecycle after they become part of an IoT ecosystem? That is where the third step comes into play.

Digital Code Signing

Digitally signing all software and firmware to affirm integrity and protect from malware, ensures the ongoing safe lifecycle management of IoT devices. We all know that software and firmware updates are an everyday occurrence. Many times these happen in the middle of the night, so there is little or no disruption to operations. While these updates ensure optimum operation, and frequently are used to patch security vulnerabilities that may have been discovered, they also present an opportunity for attacks and a vector through which malware and viruses could be introduced into an otherwise closed and trusted ecosystem.

Code signing enables devices to automatically validate if code updates are authentic and if they come from trusted sources, thus ensuring the continued integrity of the system.

Securing the IoT from the Ground Up

Thales eSecurity and our technology partner Nexus Group are helping secure the IoT from the ground up, starting with the manufacturing of IoT devices. As a leading provider of identity and access management security solutions, Nexus offers flexible and scalable certificate of authority (CA) software, which enables customers to register, issue, and manage electronic identities for devices and services in any type of IoT use case. Combined with Thales eSecurity hardware security modules (HSMs), which protect and manage the underpinning cryptographic keys, Nexus delivers solutions and services to help secure IoT. To learn more visit Thales and Nexus.

Van Gogh could have never imagined the wonders that we can achieve with the IoT, but he understood that many brush strokes could deliver the wonders of a Starry Night. To get the complete picture of our blog series, be sure to read the interview with Daniel Hjort: “Understanding IoT Security Challenges – An Interview with an Industry Expert”. He is Thales’ guest blogger this month.

Watch the recorded Thales-Nexus joint webinar: ”Enabling Trusted Identities for the Internet of Things.”

If you want to reach me for further discussion, contact me on Twitter @asenjoJuan

How to make your IT architecture ready for 2020