How to secure IoT devices


French company Legrand, which owns U.S.-based Wattstopper, a commercial lighting controls and building systems company, has been working with CableLabs subsidiary Kyrio and security design partner Microchip on Internet of Things (IoT) security. Manufacturing is underway, and products utilizing the embedded Kyrio/Microchip digital PKI certificates are expected to roll out later this summer.

The three companies released a white paper last week, both to explain the technology used and to further the idea that IoT issues need to be dealt with not as security problems, but as logistical problems.

"There have been tons of articles (about) needing IoT security, but no one talks about how," said Ronald Ih, Kyrio director of business development. "With Microchip and Legrand, we are getting to the how …. The how is the logistics."

The white paper spells out the challenges of IoT security, including the fact that there typically is not an active user behind each device. Instead, the devices are rather autonomous and log on and send data on their own. In other words, the IoT device becomes a user on the network and needs to be authenticated.

"The situation demands a practical and economical way to deliver private keys and certificates that belong to hundreds of PKI domains and thousands of manufacturers making billions of devices. This is something PKI can do in theory but is not something that has been done scalably in practice," the white paper said.

While enterprises have used "Cadillac" versions of PKI, these highly customized and costly solutions are not economically or technically feasible for small IoT devices.

"Small devices are highly cost-sensitive and require any security solution to fit into their manufacturing flow - not vice versa," the white paper said.

The Kyrio/Microchip offering embeds the digital certificates in the secure hardware of IoT devices as an integrated step in the manufacturing process flow, so that device manufacturers do not have to be security experts. The cryptographic functions are prebaked into the chip, which eliminates the need to implement code in the firmware.

Cloud service providers and network providers want to know devices belong on the network. For example, a commercial lighting company, like Legrand, might have a management system for thousands of lights. They need to know that everything that shows up on the network is a correct, authorized device and not an interloper with a laptop in the parking lot, Ih said.

While Kyrio is working with Legrand on lighting control, Legrand is a global company with other business units that deal with HVAC, motorized shades, etc. Since the security infrastructure will already be in place, all these other groups have to do is drop the chip in, Ih said.

"They don't have to do the other development work," Ih said.

The white paper explains that PKI implementation in a small device has been reduced to a line item in a bill of materials. The cryptographic math, securely stored keys, and digital certificate have been baked in. The secure element with its digital certificate is added to the I2C bus next to the host microcontroller, and a small library/SDK is added to the firmware.
