Whitepapers

In 1988, the X.509 standard was first published and introduced the concept of digital certificates. Certificates are extensively used
and essential for server authentication. In 2001, the US Department of Defense (DoD) started issuing the common access card
(CAC) for user authentication. The use of certificates for client (mutual) authentication is rare because of administrative challenges,
non-technical users, and tedious workflows with device and application management. The most common use of certificates for
supply chain provenance is for document and code signing. The advent of post quantum computing introduces potential risks and
vulnerabilities to cryptographic algorithms used for signing, encryption, and key encapsulation mechanisms. This may necessitate
migration of trusted certificate chains (e.g., root and intermediate certificates), revoking certificates, and renewing keys and
certificates. Reengineering line of business applications commissioned on field devices with a service life longevity of 10-30 years
should be a major consideration for product security architects and compliance stakeholders…

Over the past two years, top cloud IoT platform vendors have shutdown key planks of their IoT platform leaving developers high and dry. What are the reasons for failures in IoT/IIoT over the past five years? Let’s dive deeper. With hundreds of different chipsets, and hundreds of thousands of device platforms with limited resources, there is a hyper-scale management problem with high quantum risk-impact. A major simplification required to enable digital transformation at scale is a IoT platform that provides high assurance in the trustworthiness of data and devices. The dichotomy between information technology (IT) and operational technology (OT) workflows, the heterogeneous nature of device platforms, and cloud-platform lock-in (i.e., lack of multi-cloud APIs) were the primary causes for these failures. With massive investments in AI/ML, these cloud IoT platform vendors require a ubiquitous client interface for autonomous devices, analogous to web browsers that serve as universal user agents for web services.

The status quo in converged Enterprise information technology (IT) and operational technology (OT) networks is physical connectivity with network level segmentation, network-based intrusion detection/prevention (IDS/IDP) predicated on insecure plaintext over-the-wire communications, or a bump-in-the-wire broker-based blockchain fabric overlay. Achieving logical trusted connectivity to implement a cost-effective and highly efficient zero-trust architecture over existing network infrastructures and in-field devices requires a paradigm shift from “cyber threats” to “cyber risks” and from “multi-layer peripheral defense” to “operational resilience at the core” for long-term desirable outcomes with application security by design.

The problems have not changed because the solutions have not. The solutions have not changed because the thinking has not. Reanalyze the trajectory of problems. Rethink the directionality of solutions. The future belongs to solutions designed with better insights and anticipation of problems coming down the road. Today’s customers are tech-savvy and understand the value and applicability of innovation to be competitive and profitable within their industry.

The problems have not changed because the solutions have not. The solutions have not changed because the thinking has not. At Symmera, we are boiling it down to first principles and reasoning upwards. Since the Internet big-bang 40 years ago, the fabric of cyberspace has constantly evolved with the shifting of tectonic plates. With open connectivity, security problems arose from malicious websites to malware and social engineering. The industry confronted these problems as an afterthought rather than forethought with digital certificates, antivirus, intrusion detection and prevention, reputation lists, allow/deny signatures, anomaly detection, and sophisticated post-breach forensics.

Billions of devices across major industry and consumer market segments require connectivity to cloud services to securely transmit data for real-time analytics and long-term storage. The application and data silos in the cloud are no longer the fodder for users alone – devices are becoming the prominent, and unquestionably larger, consumers in the cloud economy. The proof is in the estimated numbers – 29 billion connected devices by 2030, with a data volume of 80 zettabytes by 2025. Current methods and solutions are insecure, fragmented, and require heavy engineering by device manufacturers and operators to build and integrate. Cloud based device management and data driven AI/ML initiatives for operational and cost efficiencies need a simpler solution. Undeniably, process automation and conditional based health monitoring of devices can improve productivity and reduce service outages. While digital transformation is a wave in the devices industry, device manufacturers and operators face challenges in adopting technologies that can enable passage to cloud-based ecosystems and services.

Over the past decades it became evident that compromise of user and service accounts could play a major factor in high profile cyberattacks, ransomware and data breaches. Through compromise of user credentials, unauthorized access could be obtained to infiltrate networks, install malware (from exploits to viruses, worms, trojans, spyware, ransomware, rootkits, and bootkits), and infect computer systems for nefarious purposes. That led to server and data enclaves within Enterprise data centers under the surveillance of network and service operations center (NOC/SOC) administrators and operators. Later massive migration to the cloud-based platforms and microservices ushered in the need for single sign-on (SSO), multi factor authentication (MFA), and tokenization for authorization and access controls. In the years ahead, advanced Artificial Intelligence (AI) powered malware will possess immense potential to unleash sophisticated cyberattacks. The staging surface for future cyber-attacks will shift to insecure legacy, brownfield, and greenfield devices. Insecure devices are the soft targets for hackers to infiltrate networks and services. The time has come to cyber proof devices.