Securing the IoT with a Purpose-Built IoT Certificates

August 27, 2019 Alix Paultre

One of the biggest issues involving our growing data ecosystem is turning out to be security. It shouldn’t be surprising, however, that this is the case. Ensuring that our belongings, our loved ones, and ourselves are safe is a concept as old as property. Our data identity and our device security are critical aspects of the Cloud and IoT that must be properly and thoroughly addressed in order for further development and adoption to continue.

One of the companies creating solutions for the space, Sectigo, has recently acquired Icon Labs, a maker of cross-platform security solutions for embedded OEMs and IoT device manufacturers. With this acquisition, Sectigo plans to provide device manufacturers, systems integrators and enterprises using connected IoT, with the ability to use purpose-built IoT security certificates from a trusted third-party certificate authority (CA).

Hardening devices with embedded tools manage certificates on the device and protect the integrity of data in transit and at rest; the solution will ensure the integrity of all executed code by leveraging multi-phase secure boot. We were able to reach out to Alan Grau, the VP of IoT and Embedded Systems at Sectigo, to talk about the acquisition and the company’s plans.

ECD: We’re really glad to talk to you because of all the things going on in the security space. So you were at Icon, what's the story with Icon and Sectigo?

Alan: In early May, Icon Labs was acquired by Sectigo, so now we are continuing with the same mission, but doing so within the context of Sectigo. Now Icon has a broader organization supporting us, and Sectigo is a certificate authority company, so issuing certificates for both public PKIU spaces and private PKI, and part of that business was issuing device certificates to IoT device manufacturers. Those companies were saying, "Great, we need certificates, but we also need things like secure boot and a better firewall," you know, all the in-point security solutions for these embedded devices. So they approached me and acquired Icon Labs to provide that broader solution to IoT device manufacturers.

 

ECD: When you say IoT device, you're literally talking about almost every powered device on the planet, because in my humble opinion, one day, if it's got any functionality and it's drawing electricity, there's going to be some level of the Cloud in it.

Alan: We've been able to address security needs across a broad set of markets, and we really are excited about where the IoT is going. But in all the news that we're reading lately, people still haven't addressed security issues in a strong way in many IoT devices, so we're seeing some exciting things and we see some pretty scary stories of people hacking devices and doing some fairly nefarious things.

 

ECD: Well I think that's also part and parcel of a maturing marketplace, because we are finally seeing the industry taking some serious, fundamental steps, like now you can get microcontrollers and SOCs with secure blocks in them for authentication purposes and the like.

Alan: No, we're making progress. I mean there are companies, there are major multinational companies that have hired a product security officer, so they now have not just the chief information security officer worried about the business operations and their network security, but somebody at that same level who's got board mandates to build security into their products, which need legislative initiatives mandating additional levels of security in products. So things are changing, the market is responding.

As you said, there are semiconductor companies that are building low-cost secure elements that can be built into even very low-cost devices to add some of the fundamental hardware-level security elements that are needed. And companies like what we're doing with Icon Labs, now as part of Sectigo, offer the broad software-based components needed to complement and fill out the security solution for using embedded devices.

 

ECD: Can you give me an example of one of the application spaces that you see a lot of potential in where you can do your best value add?

Alan: Absolutely. It's a pretty broad set of capabilities that we're able to provide and a broad set of markets that we're able to address. Industrial control systems, medical devices, smart homes, smart cities, but one of the ones that's really interesting is the transportation market, and the automotive market in particular. Now we're seeing a large number of connected cars and really seeing some interesting security opportunities and implementations in that space.

 

ECD: Much of the current debate is on the nature of what's under the hood, whether it's gasoline or electric, but regardless of what's motivating the vehicle, every vehicle in the future is going to be smart and connected, regardless of whether it's gasoline or a battery driving it down the street.

Alan: Yeah, what's under the hood is hundreds of ECUs, or electric control units. In the industrial world we call them MCUs usually, but in the vehicle world they typically call them ECUs. And some of these are simple little microprocessors that are controlling simple functions like rolling windows up and down, others are controlling the automatic brake systems, controlling engine functions, and then others are the infotainment systems or the vehicle-to-vehicle communication or V2V as it's called, or vehicle-to-infrastructure or V2X.

But all of them are connected, so you now have a world where the microcontroller, which is operating in the vehicle that's controlling the brake system, steering, all those components, is either directly or indirectly connected to a broader vehicle network. This is then connected to the internet and really accessible to anyone anywhere in the world if they try to target it. So the need for security is really fundamental for success and for safety in this market space.

 

ECD: In the case of vehicle systems, it’s a two-pronged fork because on the one hand, we want humans to be safe, but on the other hand, vehicles are also incredibly expensive systems.

Alan: Oh, absolutely. And one of the trends in the IT world is ransomware attacks, right? When cities have been hacked and there have been public reports of cities paying hundreds of thousands of dollars in ransom to ransomware attackers. There's actually an initiative that was announced, of some number of city mayors from large municipalities coming together and basically signing a covenant to not pay ransomware attackers if their systems are infected. But when somebody comes in and they've hacked your 911 system, it's not operational, that really is an untenable situation and has to be addressed.

So the ransomware problem is a very big problem in smart cities, in hospitals, and in traditional IT systems. The reason I bring that up is if somebody is able to extract a ransom of several hundred thousand dollars from a city after they've hacked a 911 system, what sort of a ransom could you extract from an automotive company if you're able to place malicious code on thousands of vehicles and remotely disable them? Now suddenly you've got a car company PR problem…

ECD: Basically a nightmare.

Alan: Oh yeah. And these are realistic scenarios that could happen if security isn't adequately addressed in these vehicles, and I think the scale of the potential for ransomware in the automotive market is really, really high.

 

ECD: So you're pointing out that the vehicle ransomware could also be a systemic issue and just as in a factory situation where I'm targeting a smart facility, I could target a company's fleet even though they're separate vehicles because they're tied together electronically.

Alan: Follow the money, right? If you can infect computer systems in the city of Chicago, you can extract a much larger ransom than if it's a small town. If you can infect enough vehicles that GM or Ford has to be paying the ransom to avoid this PR and service nightmare, you're going to be able to extract a larger ransom, so it's really just about “follow the money” in my view.

 

ECD: Got it. So where does Sectigo put their value to help address this issue?

Alan: Sectigo's core business has been in issuing certificates, so they're providing the certificates for strong authentication. So whenever there's communication, you have certificates that are needed so that you can know who you're talking to. That's the core business Sectigo has been in and is actively doing in the IoT space. With the acquisition of Icon Labs, we're now able to build all those security elements into the vehicle to additionally harden things like secure boot on all the MCUs or ECUs in the car so that you know that you're always running your own firmware in the vehicle, this way hackers can't replace the firmware.

It’s ensuring that updates to the vehicle are also secure, handling data at rest and data in motion. One of the things that's different is that these aren't traditional computing systems, so you need special-purpose security solutions that will work in that environment, and that's what we provide.

 

ECD: That also lends me to think that it requires some sophisticated support; you don't just drop these certificates off on a chip on their desk and say, "Here you go, buddy," there's some implementation assistance I believe you almost certainly provide.

Alan: Yeah, we've got a team of experts that really understand both security and the embedded computing environment and are able to bring that knowledge and expertise to our customers to help them to succeed.

 

ECD: Thank you, Alan. Anything else you'd like to add about the company or the technology?

Alan: As I look at this market, one of the things that I find really exciting from a product point of view is the ability to take what is maybe a traditional set of technologies, TLS for secure communication, PKI for authentication. These are technologies that have been around for years, and now we're taking and seeing them deployed inside of a vehicle network and in these new environments. So, that's where I see some exciting things happening in the industry.

Previous Article
Distributing B2B Apps using the App Store and Private Distribution

For the purposes of this post, we’re going to focus on distributing an app using private distribution with ...

Next Article
Essentials for Integration Testing – Bluetooth Low Energy

BLE is marketed by Bluetooth Special Interest Group (SIG). Bluetooth SIG manages the certification process,...