In this Spotlight Edition of the Security Ledger Podcast: identity is at the root of many of the security problems facing the Internet of Things, from vulnerable and “chatty” endpoints to a lack of robust update and lifecycle management features. To figure out how we might start to build a more secure IoT ecosystem, we invited Judah Aspler, the Vice President of IoT Strategy at Certified Security Solutions, or CSS Security, in to talk about how more agile PKI infrastructure is one element in scaling the Internet of Things without creating a giant security mess.
Most of the information technology field embraced public key infrastructure (or PKI) technology decades ago, recognizing it as the best way to manage identity and secure sensitive software updates and transactions over distributed networks. But in the world of Operational Technology, or OT, the embrace of PKI and cryptographically strong, immutable digital identities is still a work in progress.
We see this truth borne out in the news almost daily. Read a story about independent security researchers uncovering evidence of sensitive and even safety-critical systems that are vulnerable to man-in-the-middle attacks or malicious software updates, and absent, weak or brittle digital identities are probably to blame. Even worse: that sad state of affairs is the norm on the burgeoning Internet of Things as well, where lax management of identities is more the rule than the exception.
How is it that our most sensitive systems and IT environments are so woefully behind? To find out, we invited Judah Aspler into the Security Ledger studios. Judah is Vice President of IoT Strategy at CSS Security, which works as a PKI enabler for companies of all sizes and across industries.
Judah says that operational technologies and Internet of Things technologies lag behind traditional enterprise IT in a number of areas, from software signing to secure update and lifecycle management. Often, difficulties creating and managing digital identities lie at the root of those shortcomings. For example, many legacy OT applications emphasized continuity and simplicity over security, using shared PKI keys across their whole installation base and/or relying on signing keys with expiration dates set decades or more into the future.
While those decisions made sense at the time, they’re no longer suitable for a fast-moving technology and threat environment in which Certificate Authorities, themselves, may fall victim to cyber criminals or encryption algorithms might fall to powerful super- or quantum computing systems.
In the years ahead, what Aspler calls “crypto agility” will be paramount, as changing technology and new threats put pressure on connected device makers and infrastructure owners to rely on strong but replaceable digital identities.
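The anti-patterns described above (one key shared across an installation base, certificates that expire decades out, and algorithms that can no longer be trusted) are all visible in a fleet inventory before any attacker shows up. The following is an added example, not tooling from CSS Security or the podcast, of a defender-side audit over such an inventory. The policy ceiling of 825 days, the deprecated-algorithm list and the device records are all constructed assumptions chosen for illustration; a real audit would pull the same fields out of each device's X.509 certificate.

```python
"""
Fleet certificate-hygiene audit (added example; not CSS Security's tooling).

Each device is reduced to the fields an auditor cares about: device id,
SHA-256 fingerprint of its public key, signature algorithm, and validity
window. The audit flags the identity problems the text describes:
  * the same public key reused across many devices,
  * validity periods far longer than policy allows,
  * signature algorithms the organisation has retired,
  * certificates that have already expired (lifecycle drift).
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy knobs: assumed values for this example, not an industry standard.
MAX_VALIDITY = timedelta(days=825)
DEPRECATED_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}


@dataclass(frozen=True)
class DeviceCert:
    device_id: str
    spki_fingerprint: str   # hex SHA-256 over the DER public key
    sig_alg: str
    not_before: datetime
    not_after: datetime


def fingerprint(public_key_der: bytes) -> str:
    """Stable identifier for a public key; equal keys => equal fingerprints."""
    return hashlib.sha256(public_key_der).hexdigest()


def audit(fleet: list[DeviceCert], now: datetime) -> dict[str, list[str]]:
    """Return device ids grouped by finding type (sorted for determinism)."""
    findings: dict[str, list[str]] = {
        "shared_key": [], "overlong_validity": [], "deprecated_alg": [], "expired": [],
    }
    by_key: dict[str, list[str]] = defaultdict(list)
    for cert in fleet:
        by_key[cert.spki_fingerprint].append(cert.device_id)
        if cert.not_after - cert.not_before > MAX_VALIDITY:
            findings["overlong_validity"].append(cert.device_id)
        if cert.sig_alg in DEPRECATED_ALGS:
            findings["deprecated_alg"].append(cert.device_id)
        if cert.not_after < now:
            findings["expired"].append(cert.device_id)
    # A key seen on more than one device is a shared key: compromise of any
    # one unit exposes every unit that shares it.
    for ids in by_key.values():
        if len(ids) > 1:
            findings["shared_key"].extend(ids)
    return {k: sorted(v) for k, v in findings.items()}


def needs_reissue(findings: dict[str, list[str]]) -> list[str]:
    """Every device with any finding needs a fresh, unique, short-lived identity."""
    return sorted({dev for ids in findings.values() for dev in ids})


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory (not real devices or keys).
SHARED_KEY = fingerprint(b"constructed-legacy-shared-key")
SAMPLE_FLEET = [
    DeviceCert("plc-001", SHARED_KEY, "sha256WithRSAEncryption", _utc(2010, 1, 1), _utc(2040, 1, 1)),
    DeviceCert("plc-002", SHARED_KEY, "sha256WithRSAEncryption", _utc(2010, 1, 1), _utc(2040, 1, 1)),
    DeviceCert("gw-010", fingerprint(b"constructed-key-gw-010"), "sha1WithRSAEncryption",
               _utc(2022, 6, 1), _utc(2023, 6, 1)),
    DeviceCert("sensor-7", fingerprint(b"constructed-key-sensor-7"), "sha256WithRSAEncryption",
               _utc(2023, 7, 1), _utc(2024, 7, 1)),
]
SAMPLE_NOW = _utc(2024, 1, 1)


def sample_audit() -> dict[str, list[str]]:
    return audit(SAMPLE_FLEET, SAMPLE_NOW)


if __name__ == "__main__":
    result = sample_audit()
    for kind, ids in result.items():
        print(f"{kind:18s} {ids}")
    print("re-issue:", needs_reissue(result))
```

The output of `needs_reissue` is the crypto-agility list: the devices that cannot simply wait for their current certificate to age out but need a new identity issued, which is only practical when the fleet already has a working re-enrolment path.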
In this podcast, Judah and I talk about the need for what he terms “crypto agility” and how the advent of quantum computing and changes in the risk environment are raising the bar for PKI technology providers.