How government can secure the Internet of Things
The Internet of Things (IoT) offers possibilities to state and local governments that were previously unfathomable. Examples of IoT “things” include the Internet Protocol television (IPTV) cameras in major metropolitan areas and smart transportation systems that adapt to traffic conditions. Yet, as the IoT grows, the need for security becomes even more critical.
Public Key Infrastructure (PKI) has been playing a “quiet” security role for two decades, but the IoT is causing a resurgence of interest in PKI. However, PKI faces new challenges in securing the IoT.
With some forecasts for the number of IoT devices going well beyond 20 billion by the end of this decade, it is clear that the sheer scale of some IoT projects will be the main challenge compared to traditional enterprise PKI. Most PKI today is user-driven and therefore limited by the size of organizations and the speed that we do things. Some examples include logging on to networks once or twice a day, signing e-mails etc.
The IoT, on the other hand, is driven by machine-to-machine (M2M) or machine-to-server connections. These provide real-time measurements and can raise alerts. The connections can react thousands of times a second across populations of millions of devices. This dramatically elevates the stakes and brings PKI to the center of security architecture planning. Failure of the PKI in an IoT setting will have a profound impact, compounding the effects of a breach or operational error. This means that the PKI of the future will need to be more trusted and more capable than the PKI of the past.
The digital certificates issued by a PKI are well situated to serve as the online identity for IoT’s “things.” Although traditional PKI deployments exist that have the ability to manage millions of certificates, most operate at smaller levels. The magnitude of many IoT deployments will make systems with millions of credentials commonplace. Fortunately, many of these devices, once deployed, will be relatively static. Furthermore, their credentials will have relatively long lifecycles and changes are likely to be rare.
Using hardware security modules and prudent security practices, PKI has long demonstrated its ability to solve high-assurance problems. Going forward in the era of IoT, digital certificates and the PKIs that manage them seem set to be the most effective method for securing this unprecedented volume of connected “things” in local and state government environments.
Richard Moulds is vice president of product management and strategy at Thales e-Security. The firm has a U.S. office in Plantation, Fla.