The rapidly growing IoT, Industry 4.0 and Smart Contracts markets are creating new challenges for cybersecurity vendors and experts. Many "classical" security solutions do not work for these industries at all, or cover only a few cases. Identification and authentication is a good example. Practically everybody knows that passwords are obsolete and dangerous, yet we still use them to authenticate to our favourite online and corporate resources. In the best case we switch on whatever multi-factor authentication our service providers support, usually a one-time password or a code sent by SMS or generated by a mobile app. This approach is useless for IoT and Smart Contracts projects: a very large number of objects and components, very different in nature, connect and communicate with each other. A typical IoT project consists of many controllers, sensors, gateways, devices, management platforms and cloud services, plus, of course, different users, operators and administrators. At the same time, each party involved must be sure that it is connecting only to genuine counterparts, that all communication channels are strongly protected, and that received data was not modified in transit.
It is therefore necessary to implement strong, mutual, password-free authentication between machines, people and cloud services, together with encryption of communication channels, data signing and integrity checking. The most popular approaches are based on various PKI implementations and digital certificate management solutions. However, the time-proven solutions from the web world are heavy, resource-hungry and too complicated to be used here, and they do not solve many tasks that are critical for IoT or Smart Contracts. It is not enough just to encrypt a channel or sign data with OpenSSL! A genuinely secure and robust solution for IoT must be lightweight, easy to integrate and fully automated. Moreover, it must have the right answers to at least the following questions:
- Where are the secret keys generated?
- What kind of random number generator was used to generate them?
- Where is a secret key stored? Who can access it, and how?
- How well are keys and algorithms protected against invasive and non-invasive attacks?
- What does the certificate generation and enrollment process look like? How well is it secured and automated?
- How are access control and certificate revocation implemented?
- How is protection against MITM (man-in-the-middle) attacks implemented?
AccessHub effectively solves the following main issues:
- Fully automated and secure certificate lifecycle management, including truly random secret key generation, CSR processing, certificate enrollment and revocation, and support for the EST and OCSP protocols.
- Hardware-based protection of secret keys, key ladders, system software and applications against a range of attack techniques, including sophisticated ones such as side-channel attacks, invasive scanning, glitching, malware and reverse engineering.
- Effective protection of digital assets such as embedded firmware, stored credentials and collected data sets against unauthorized use, cloning or modification.
- Access control and strong mutual authentication of system components, devices and users based on digital certificates.
- Automated VPN connections and protection of communication channels.
- Encryption/decryption and signing of high-speed data streams (for example, video and audio in real time).
- Encryption and signing of data directly at its source: sensors, cameras, equipment, etc.
- Secure remote access to and control of system components and devices from anywhere.
- Easy integration of system components with various control and monitoring platforms (including Smart Contracts and blockchains).
A possible AccessHub integration with an industrial IoT or SCADA system looks like this:
This example demonstrates the most typical use case: real-time processing of data received from sources such as GPS receivers, water and electricity meters, and gas and radiation sensors. The data sources are geographically distributed and use untrusted Internet connections such as public WiFi and LTE. The AccessHub system protects both the communication channels and the data itself. It uses digital certificates for mutual authentication between all components, data encryption and signing, strong access control, and a guarantee of data integrity.
The AccessHub solution consists of:
AccessHub BackEnd Appliance implements the functions of a local CA server, the EST and OCSP services, and Secure Access Management. It can be deployed as a hardware appliance, a virtual machine or a cloud service.
AccessHub secure clients implement all the functions needed for channel and data protection as well as strong mutual authentication. They are delivered to customers as middleware to be integrated with third-party devices, controllers or chipsets; we can also provide our own single-board computers / IoT controllers and ASICs with the AccessHub middleware pre-integrated.