The lack of visibility and control of operational technology (OT) devices to traditional information technology (IT) network and security operations center (NOC/SOC) operators poses major risks to digital transformation initiatives and IT-OT convergence.
The solution provides a cost-effective, automated, and scalable symmetric pre-shared key distribution service for private (Enterprise, Tactical) and public (Internet) networks; permissioned group membership for devices with DNS domain or Mobile Service Provider (MSP) validation; simplifies key generation, distribution, and management; and eliminates complicated certificate provisioning, key renewal, and key/certificate lifecycle management workflows. The agent-less solution protects devices in IoT, IIoT, and OT environments with application security by design to authenticate and communicate securely with data integrity and confidentiality, without requiring expensive PKI based digital certificates for every device, and/or complicated key and certificate lifecycle management services from certificate authorities.
Distributed Intelligent Network (DIN) is defined as critical application, data, and infrastructure elements that reside outside of the traditional Data Center or Enterprise premise location. This would include Intelligent Edge for Analytics/AI applications, Autonomous Machines (robotics, drones, vehicles), 5G mobile network & applications, Smart buildings and energy, Distributed Energy systems (grid, solar, utilities, pipelines), Industrial controls, and the Internet of Things (IoT). As intelligence continues to move outside of traditional Data Centers, it becomes exponentially more vulnerable to attacks. The security paradigm needs to shift from connectivity to provenance and trust in data.
The DIN orchestration platform provides a secure, highly available, and scalable suite of services for key distribution, device discovery and onboarding, key lifecycle management and quantum-safe distribution, and content distribution with supply chain tamper resistance.
IoT solutions are a synergistic confluence of three distinctive platforms: Cloud, Orchestration, and Application (Edge, AI/ML). The IoT reference architecture for connected cyber physical systems comprises of the device layer, edge layer, network layer, orchestration layer, and the (edge, AI/ML) application layer. The orchestration layer is the core component to simplify east-west APIs for lateral integration with collaboration services, north-bound APIs for trusted connect to applications, and south-bound APIs for device orchestration. Choosing a cloud platform is a decision to opt for vendor lock-in or factor in multi-cloud agility. The selection of a proprietary or cloud agnostic middleware APIs is consequential for long-lived devices and/or applications and future cloud platform migration considerations.
Data is the new oil. This is the information technology era paradigm of “data to data lake”, “data to policy”, or “data to process”. In operational technologies (IoT/IIoT) the emerging new paradigm is “data to AI/ML”. Further, in air-gapped and controlled environments (e.g., Purdue models in industrial control systems) on-premises platforms are preferred over on-cloud SaaS platforms.
Certificate Based Security for Lightweight PKI (Simplified)
Symmera’s certificate broker service supports certificate-based authentication with:
- Quantum proof cryptography on existing infrastructures with two-factor device authentication and group permissions based secure channel for certificate and private key distribution
- Automated high velocity or on-demand key rotation with dynamic retrieval of keys and certificates (without requiring local secure element on device) or secure export to local persistent store (with device unique key)
- Simplified and lightweight PKI with a broker service for trusted CA certificates, and automated key and certificate lifecycle management
- Zero PKI with fully managed self-signed local certificates with security extensions (host address or network subnet) for runtime verification, authentication, and authorization in controlled (closed, air-gapped) environments
- High availability with service level failover
- Flexibility with an on-premise virtual appliance or on-cloud hosted service and on-premise proxy option
The solution reference architecture for device orchestration varies based on the building blocks to implement a zero-trust model. Symmera’s DIN services support use of public key infrastructure for device certificates with highly simplified APIs (in any programming language) without requiring implementation of complex key and certificate management protocols and authentication methods on autonomous device platforms.
- A factory default configuration based on device type is generated by the service tenant (or end-user) and installed on devices during manufacture or in the field. The field operator authenticates with SSO and scans the device label using the Symmera Device Onboarder Mobile App for credentialing. A device license and certificate based on the discovered IEEE 802.1ar compliant device identifiers is automatically assigned to the device. At first-time power-on the device is registered and onboarded, using an API or command line utility. This zero-touch provisioning method provides scalability to onboard devices at scale without human errors. All service requests to the orchestration platform require device two-factor authentication, with a configurable option for single-factor authentication based on the operational network environment.
- Applications on the device can retrieve an OEM issued license using a single API or command line utility.
- Applications can retrieve trusted certificates, and device or application certificates with the associated private key by subject name, dynamically on-demand over a secure channel and verify certificate status using APIs in any modern programming language. The private key can optionally be stored on a local secure element – such as a TPM or SIM, or encrypted using a software based PUF. In the absence of a local secure element or writable file system on the device, the certificate and private key can be retrieved on-demand and not stored locally.
- The device can now authenticate using a certificate for peer-to-peer communications with other devices or services hosted on-premises or on-cloud over any secure transport protocol stack such as TLS, SSH, IPsec/IKE, or EAP, and with any cryptographic engine such as a third-party FIPS compliant or quantum-safe library.
- Applications can send trusted data streams such as telematics, device attributes, or operational measurements for visibility and remote monitoring, using a single API to cloud services for AI/ML based data analytics.
- Devices can retrieve updates published by OEMs and after-market application vendors with supply chain provenance and apply updates without modifications to platform specific update methods for control and remote remediation.
- Device metadata can also be ingested using authenticated REST APIs by collaboration services such as SIEM and AI/ML engines for risk monitoring, data analytics, and training models.
