by Ambuj Kumar
IoT device manufacturers face a growing threat from counterfeit devices built using their intellectual property, which has led to a gray market. This has the potential for severe financial impact and damage to brand reputation. Economies of scale often demand that these devices be manufactured at remote sites over which the company headquarters can exert only limited control. These remote factories are generally not owned by the device manufacturer, are not connected directly with the company headquarters, and may have business interests that are not aligned with those of the device manufacturing company.
Organizations can address these security risks by creating a unique cryptographic identity for every device that gets manufactured. This identity is injected into the device at the time of manufacturing and is later used by the company’s SaaS services to authenticate the device and provide access to its services. It is critical for the manufacturer to be able to ensure that these cryptographic identities are not stolen, misused or reused at the remote manufacturing site.
Challenges With Existing Solutions
Manufacturers typically use hardware security modules (HSMs) to ensure that the device keys are not stolen or misused. The keys are typically generated at the company headquarters and exported securely using a wrapping key. These wrapped keys are then transmitted to another HSM at the remote manufacturing site, which unwraps them so they can be injected into the devices during the manufacturing process. This HSM-based process must satisfy the following requirements:
- Keys should not be leaked at any time during the manufacturing process. This requires that the keys remain secured in the HSM and are not available on the network or the disk outside the HSM in the clear at any time.
- The key management system responsible for managing device keys should be able to manage millions of keys and perform crypto operations at a very high rate. For context, a typical home smart device manufacturer may manufacture more than a million devices per month.
- The HSM on the remote manufacturing site should be highly reliable and resilient. Any critical failure in the HSM can disrupt the manufacturing process, causing significant losses to the manufacturer company.
- The manufacturer company should maintain full control over key generation and usage policies through the HSM on the remote manufacturing site. The policies may cover the number of devices that can be manufactured in a day or the use of keys provided by the manufacturer company.
- The HSM on the remote manufacturing site must be able to provide proof of how it used the keys provided by the manufacturer company and whether it was able to enforce the specified policies. This typically requires providing secure and tamper-proof logs to the manufacturer company.
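The last two requirements (policy enforcement and provable key usage) can be sketched in a few lines. This is an added example, not code from the article or from any HSM product: `FactoryInjector`, `audit`, the shared `log_key` and all sample values are assumptions, and the HMAC hash chain shown gives tamper evidence in software rather than a hardware guarantee.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # chain anchor for the first log entry

def _mac(key: bytes, prev: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True)
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()

class FactoryInjector:
    """Stand-in for the remote-site HSM: enforces policy, logs every request."""
    def __init__(self, log_key: bytes, daily_quota: int):
        self.log_key, self.daily_quota = log_key, daily_quota
        self.used_key_ids, self.per_day, self.log = set(), {}, []

    def inject(self, day: str, serial: str, key_id: str) -> bool:
        if key_id in self.used_key_ids:
            result = "key_reuse"          # one key, one device
        elif self.per_day.get(day, 0) >= self.daily_quota:
            result = "quota_exceeded"     # headquarters' daily build limit
        else:
            result = "ok"
            self.used_key_ids.add(key_id)
            self.per_day[day] = self.per_day.get(day, 0) + 1
        record = {"day": day, "serial": serial, "key_id": key_id, "result": result}
        prev = self.log[-1]["mac"] if self.log else GENESIS
        self.log.append({"record": record, "mac": _mac(self.log_key, prev, record)})
        return result == "ok"

def audit(log: list, log_key: bytes, daily_quota: int) -> str:
    """Headquarters side: verify the chain, then re-check policy from the log."""
    prev, seen, per_day = GENESIS, set(), {}
    for i, entry in enumerate(log):
        if not hmac.compare_digest(_mac(log_key, prev, entry["record"]), entry["mac"]):
            return f"tampered at entry {i}"
        prev = entry["mac"]
        r = entry["record"]
        if r["result"] != "ok":
            continue                      # refused requests are logged, not counted
        per_day[r["day"]] = per_day.get(r["day"], 0) + 1
        if r["key_id"] in seen or per_day[r["day"]] > daily_quota:
            return f"policy violation at entry {i}"
        seen.add(r["key_id"])
    return "ok"
```

Removing entries from the tail of the chain is not detected by this check alone; headquarters would also need the expected entry count or the latest MAC through a separate channel.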
Device manufacturers have struggled to find an HSM-based solution that can satisfy all the above requirements. While some HSMs allow custom business processes through the execution of custom code, this is typically done using a limited SDK, which is complex enough to require expensive professional services. Securing the execution of this custom code and securing access and authorization to HSMs has been another cause of concern, especially because HSMs on the remote manufacturing site typically operate in an untrusted environment and are operated by untrusted personnel. The reliability of HSMs and their ability to keep up with accelerating business demand has been another area of concern.
Next-Generation Hardware Security Modules for Modern IoT Devices
Thankfully, with all the progress the security industry has made, especially in the area of encryption, organizations have a new approach that can work for them. There are new solutions in the market that offer Next-Generation Hardware Security Module (NGHSM) functionalities. Unlike traditional HSMs, NGHSMs are built to meet the requirements of today’s modern distributed manufacturing, online services and billions of devices.
NGHSMs provide remote management of the devices, even when network connectivity between the main site and the remote manufacturing sites is unreliable or unstable.
The two ends of communication verify each other using TLS (the same technology that powers the padlock in your browser) and maintain the privacy and integrity of communication over days and months without requiring sustained connectivity. Think of securely moving inventory across the two sites, except that the inventory consists of digital cryptographic assets and they are transmitted over the network!
The intuitive consumer-grade user interface of NGHSMs is built for the cloud era requirements and thus allows multiple people from multiple organizations to control which keys get injected into which devices.
Since IoT devices often have unique requirements, NGHSMs come with rapid scripting capabilities that allow even regular users to customize the security code running on NGHSMs. Thus, organizations are able to get a personalized NGHSM that’s cloud ready and built for remote operation while benefiting from mass-produced products.
Ambuj Kumar is the co-founder and CEO of Fortanix.