Digital security plays a dual role in the world of original equipment manufacturers (OEMs), who must take security into account in order to optimize operations, reduce the chance for breaches and limit liability issues. They must also embed security within the product that they’re selling in order to drive safe deployments and customer loyalty. In short, the need for innovation and agility in digital-security programs is evolving from a secondary concern to an immediate priority.
IoT security hinges on a solid foundation of checks and balances across the entire ecosystem. Achieving device security rests in the decision makers’ willingness to apply the lessons we’ve learned along the way to the unique requirements of such complex supply chains. The leading method and the evolving standard is the use of digital certificates and keys: securely tagging a device with a unique identity, enabling authentication, authorization, data encryption and verification of secure code.
The most important takeaway from recent cybersecurity horror stories is that really bad things happen when digital security is an afterthought. From the Mirai botnet DDoS attack that was a result of weak authentication methods on devices, to the Equifax breach that went undetected for 76 days due to an expired certificate, to the massive outage that impacted nearly every O2 and Softbank customer as a result of a certificate expiring…these incidents prove that millions of people are impacted when devices are left unprotected and certificates are not properly managed.
The dissemination of digital certificates across enterprises enforces data and device integrity through encryption and authentication. This practice secures data exchanges, validates and asserts with high assurance that messages are genuine, and establishes trust along the way for every user across the ecosystem.
It’s no small feat.
A recent study conducted by Keyfactor and the Ponemon Institute highlights how challenging it is to manage this process—and for the first time, it ties the impact of ineffective certificate and key management back to organizational KPIs and organizational budgets that keeps both IT managers and executives up at night. For example:
- The average economic loss from an expired certificate is $11.1 million.
- Failed audits due to a lack of clear certificate and key management/policies have an annual impact of $14.4 million.
- The economic impact of code-signing-certificate and key misuse topped $15 million in 2018.
Mismanagement of digital certificates can lead to disaster—for starters, manually securing keys and certificates from generation to revocation is a massive task. And for large enterprises, the number of certs needing management can be in the millions.
The Ponemon Report data additionally reveals that manufacturers use an average of 144,000 keys and certificates, yet 79% of respondents don’t even know how many keys and certificates they have. And of respondents in industry and manufacturing, 90% say that certs continuously cause unanticipated interruptions to operations as a result of downtime. Clearly, the inability to manage digital certificates can mean the difference between hitting or missing the bottom line for manufacturers.
The ability to discover, inventory and automate is one of the greatest challenges security and audit teams face across the entire industry. 71% of respondents reported that the lack of visibility into what certificates and keys are actually deployed across the enterprise is a major concern.
Despite all of these challenges, IT departments can begin remediation if they prioritize two strategies for minimizing risk:
- Knowing the expiration date of certificates
- Authenticating and controlling IoT devices
This includes increasing the number of keys and digital certificates being deployed, as well as adding layers of encryption technologies to secure IoT devices.
In order to elevate digital security in the IoT, manufacturers must commit to building an agile and comprehensive digital certificate program. Through digital transformation and investment in areas of impact, OEMs can build a unified ecosystem that secures devices, applications and people throughout the manufacturing process.
Chris Hickman is the chief security officer at Keyfactor.