On this episode of the IoT For All Podcast, Ryan Chacon is joined by WISeKey’s Security Technologist, Steve Clark, to discuss IoT security and the IoT security landscape. Steve kicks things off by giving a high-level overview of the evolution of IoT security he’s witnessed in his 15 years of working in the field. He then moves into a discussion about what companies should consider and the advice he would provide for adopters. Steve also touches on challenges in the industry and what it means to treat identity as the basis for security.
For 15 years, Steve has been influencing the design of secure semiconductors for secure applications at WISeKey, Lynx Corporation, and Atmel/Microchip. He is an innovator with expertise in IoT Architecture, Blockchain, PKI, Anti-Counterfeit, and Privacy. As a Security Technologist at WISeKey, Steve has written patents and been involved in shaping the semiconductor features to conform to the changing security landscape. In the IoT industry, he has been involved with setting security standards as a member of the Security Working Groups, including Wi-SUN FAN, Open Connectivity Foundation (OCF), and Industrial Internet Consortium (IIC). Most recently, he worked with NIST’s National Cybersecurity Center of Excellence on the Trusted IoT Network Layer Onboarding project.
Interested in connecting with Steve? Reach out on LinkedIn!
WISeKey (NASDAQ: WKEY; SIX Swiss Exchange: WIHN) is a leading global cybersecurity company currently deploying large-scale digital identity ecosystems for people and objects using Blockchain, AI, and IoT, respecting the Human as the Fulcrum of the Internet. WISeKey microprocessors secure the pervasive computing shaping today’s Internet of Everything. WISeKey IoT has an installed base of over 1.6 billion microchips in virtually all IoT sectors (connected cars, smart cities, drones, agricultural sensors, anti-counterfeiting, smart lighting, servers, computers, mobile phones, crypto tokens, etc.). Their technology is Trusted by the OISTE/WISeKey’s Swiss-based cryptographic Root of Trust (“RoT”). It provides secure authentication and identification for the Internet of Things and Blockchain in both physical and virtual environments. The WISeKey RoT serves as a common trust anchor to ensure the integrity of online transactions among objects and between objects and people.
Key Questions and Topics from this Episode:
(1:22) Introduction to Steve and WISeKey
(4:23) Evolution of IoT security
(6:39) Top Considerations for IoT security
(9:37) Identity as a basis for security
(12:34) Current security challenges
(18:25) Advice for people starting on their IoT journey
– [Ryan] Hello everyone and welcome to another episode of the IoT For All Podcast, the number one publication and resource for the Internet of Things. I’m your host, Ryan Chacon. If you are watching this on YouTube, we would truly appreciate it if you give this video a thumbs up and subscribe to the channel, if you have not done so already. If you’re listening to us on a podcast directory like Apple Podcast, please subscribe to get the latest episodes as soon as they’re out, and it helps other people find the content. Alright, on today’s episode, we have Steve Clark, security technologist at WISeKey. They are a global cybersecurity company currently deploying large scale digital identity ecosystems for people and objects using blockchain, AI and IoT. So we’re gonna talk about security for a bit here, about the landscape, top considerations for IoT security in general, how to think about security when it comes to IoT solutions, how to identify, or I guess what identity is, at the basis of security. What does it really mean, what use cases are out there, challenges we’re seeing in the space, and just general advice for how to better prepare when it comes to deploying IoT solutions. All in all, fantastic episode. I think we’ll get a lot of value out of it, but before we get into it- if any of you out there are looking to enter the fast growing and profitable IoT market but don’t know where to start, check out our sponsor, Leverege. Leverege’s IoT solutions development platform provides everything you need to create turnkey IoT products that you can white label and resell under your own brand. To learn more, go to iotchangeseverything.com. That’s iotchangeseverything.com. And without further ado, please enjoy this episode of the IoT For All Podcast. Welcome Steve to the IoT For All Podcast, thanks for being here this week.
– [Steve] Well, it’s good to be here, Ryan, thanks.
– [Ryan] Absolutely. Let’s kick this off by having you give a quick introduction about yourself to our audience, if you wouldn’t mind.
– [Steve] Okay, yeah. I’ve been working with security and secure semiconductors for approximately 15 years. And over that time, I’ve been able to influence the design of semiconductors and look at the architectures in the IoT industry in general. I’m currently working as a security technologist for WISeKey. And over the years, I’ve been involved in the industry’s security standards organization, National Cybersecurity Center of Excellence, to look at IoT onboarding security in general. And basically what that project will result then, is kind of guidelines for IoT onboarding and IoT security in general. So, that’s a little background on me, thanks.
– [Ryan] Fantastic, so for the company that you’re with now, WISeKey, what is it that the company focuses on? Tell us a little bit more about the organization, the role in IoT, that kind of thing.
– [Steve] Sure. Actually, WISeKey Semiconductors has been around for about 25 years. It hasn’t always been WISeKey Semiconductors. We’ve had acquisitions over the years that have changed our names, we started as Atmel. And WISeKey Semiconductors basically make secure elements that provide the secure identities for IoT devices. And we also make those semiconductors to provide, you know, make a secure MCU, we have smart card capabilities as well. They’re all centered around security and trustworthiness of the devices themselves. In addition to that, with WISeKey, we actually have a certificate authority and a PKI Infrastructure Certificate management system that pairs very nicely with our secure semiconductors. And so we basically cover the root of trust of the platform, of the IoT device, as well as the infrastructure, PKI root of trust and certificate authorities. So that’s a little bit about-
– [Ryan] Fantastic.
– [Steve] We’re based in Geneva, Switzerland and we’re kind of an international company.
– [Ryan] Awesome, awesome. Well, yeah, I appreciate the overview. That’s good context for the audience. So, given that you have a decent amount of experience over like the course of your career in the security space, tell us about kind of how the security landscape potentially or I guess not potentially, how the security has kind of evolved through kind of your eyes over the years as it relates to IoT, like where it kind of has been earlier in your career and kind of how it’s evolved into where it is now and just kind of the overall kind of state that we’re in now with security.
– [Steve] Yeah, so early in IoT there was a white paper, I think a Cisco white paper, that said something like, 20 billion devices by the year 2020. So everyone got all excited. And basically, you would get an impression that would be a uniform, kind of an IoT is a uniform thing, but actually what it’s played out like, is IoT is fragmented, and there are very many different aspects of IoT that have come into play. And so there’s been a kind of silos of organizations and protocols and things like that. And over the years, people have attacked the problem of security in a myriad of different ways. And what I see happening now, especially with this National Cybersecurity Center of Excellence project is that there’s a consolidation of okay, what kinds of architectures are going to be secure, and what kinds of protocols are gonna be supported. And there have been a lot of, you know, false starts in both of those areas that I think will be consolidated into a more uniform kind of a security landscape.
– [Ryan] Yeah, it’s been an interesting space to kind of follow and track. I’ve had a number of experts come on and talk about kind of not only the focus of their own organization, but kind of things they’ve seen as important when it comes to IoT security. So that kind of brings up another question that I think would be good to get your thoughts on, is when it comes to IoT security, what are the top considerations that organizations should be thinking about? Whether they’re on the implementation side of the security, or they’re a company adopting a solution that obviously needs a security element to it. What should people really be thinking about when it comes to kind of the foundation of a solid IoT security solution?
– [Steve] Yeah, that’s a great question, Ryan. I think fundamentally, foundationally, the identity of the IoT device is really at the core of it. If you think of it in terms of human identity or people identity. We have birth certificates, and based on an assurance of our identity, you can do things like open bank accounts, you can get passports, you know, have various bank loans and those sorts of things. So once you’ve established the identity, you next ask the question of, okay, what are you authorized to do? Or what do I want to give you permissions to do? So I think, that for both of those circumstances, excuse me. For IoT identity, it’s no different. And in IoT there is a similar kind of a birth credential that you would be assigning to each IoT device. And it is similar because it has information about, just like a birth certificate for a human, it has information about the device itself, where it was manufactured, similar to parents, and it is certified by a trusted authority just like a birth certificate would be certified by a government organization. And if you wanted to check on that birth certificate you can go back to that authority and say, okay, this is the identity of the device that I think I’m dealing with. And then you can ask the question for all of the other security, which is how do I communicate securely with it? How do I update its firmware securely, right? What kinds of firmware does it need? Is it gonna have a secure boot? So I can ask all of those additional questions, once I understand the identity. And that is the foundation, and it has applications in many, many different IoT use cases, so.
– [Ryan] So yeah, can you elaborate a little bit more on, when you talk about and mention identity as the basis for security, what does that exactly mean for somebody who maybe is not very familiar with security and just understanding the importance there?
– [Steve] Yeah, so, imagine an attack that is based on impersonation. So you’ve got a device that is pretending to be some device that is trusted, and with that identity, whatever permissions and authorities that were granted to that other device are now yours to exploit. And the way to protect that identity, just to get back to the secure semiconductors, the way to protect that identity, is with some kind of hardware security that is tamper proof. And with secure semiconductors, secure elements that is a possible way, that is one way to protect them. There are others with the, you know, trust zones and PUFs and those kinds of things. But the secure identity of a secure element becomes the identity of that IoT device. And you can wrap a certificate around that, and as I was describing earlier, get a certificate authority to verify that in a third party, independent kind of a way.
– [Ryan] Gotcha, gotcha, okay. That helps a ton. I think, yeah, it’s very fascinating, kind of interesting stuff to just understand, not just the value, but kind of just the whole scope of what needs to be done, why it’s so important kind of what it helped protect against. So I think it’s something that is often overlooked by a lot of organizations, unfortunately, is when they should be thinking about security and how early they should be implementing it. I don’t think it’s ever too early to kind of be thinking about that, it sounds like, from most discussions I’ve had in our conversation here.
– [Steve] Yeah, yeah. And in fact coming back to your earlier question about what the IoTs looked like in the early days, people weren’t thinking about security. It was a free for all, and the need for security was recognized, but the implementation of it was lacking in many cases.
– [Ryan] Right, yeah. Yeah, we’ve come a long way, it feels like, even I’ve only been in this space for a number of years, and it seems like we’ve come a pretty far distance on the security side. And just understanding security when it comes to IoT, and the vulnerabilities and how to protect against it. Let me ask you this, in the kind of current landscape that we’re in now, what are some of the biggest challenges that you’ve seen on the security front for organizations as they deploy and scale different IoT solutions? Is there any kind of maybe commonalities across use cases or verticals that you’ve seen, consistent kind of challenges? And if so, like how are companies overcoming them?
– [Steve] Yeah, I think one of them would be the counterfeiting, the anti-counterfeiting of the IoT devices, and the ability to impersonate IoT devices. And again, the secure elements are a good protection against that. As far as other deployment, there are still many different protocols to choose from, and many different approaches to IoT security. And I think choosing what solution is best for your use case may be one of the major issues here. And we work with companies that are manufacturers and so they use our chips in their end products. And choosing the right security approach, that fits into your overall infrastructure and your corporate strategies. I think those are some major questions to answer. And like I said before, the consolidation of the industry is ongoing, and which security protocols and approaches and architectures are appropriate is a big question.
– [Ryan] Definitely, yeah, I know, and this is not just on the manufacturing side as kind of to your comment a second ago, but across a lot of different industries, the level of security that they consider important or necessary for their solution, depends a lot of times on cost, and is sometimes viewed as, maybe their use case is low risk, right? Like, oh, why would somebody ever hack us? Why would this be, you know, so. How do you handle those kind of barriers in conversations with companies or in just general kind of daily conversations? How do you advise maybe those companies, or how do you kind of handle when they bring up like, you know, we don’t wanna spend a lot on cost because of our budget, and we don’t really think our solution is very vulnerable, or it’s lower risk, I guess.
– [Steve] Yeah, so basically what I would do, is look at their use case and try to identify the threats that would be coming against their products and services. And I mean there are situations where the secure element is absolutely needed, but in other circumstances, that level of security may not be needed, depending on their use case and what they’re trying to protect. So I think a thorough analysis of the architectures and the use case would be where I would start. And as you get, and I think that in many, many circumstances, the customer that’s asking that question wouldn’t necessarily see the things the same way that I would see them. Based on the threat models and the attack vectors that are available to the adversaries. And so depending on what they’re trying to protect and depending on various other things, whether or not they need a secure element is up for debate. But in other scenarios like secure smart cities, like smart street lights and city facilities that would use say, a Wi-SUN Alliance kind of an IoT device. Those kinds of devices absolutely, you stop and think about it for a second, and you’ve got an IoT device that’s sitting in a public place somewhere. That’s accessible to adversaries, that has an identity. How do you protect that identity? How do you get the in person, I mean, if someone was going to attack it, they would get the identity out of it and then impersonate it in an adversarial way. So boy, wow, that, really does need a secure element in those kinds of applications. Smart metering and smart cities. Those are all applications that you absolutely need a secure immutable identity.
– [Ryan] Absolutely. So before we wrap up here, I wanna ask you one last kind of general thing that I think our audience would find a ton of value out of. For those listening who are starting kind of on their IoT journey, or maybe kind of in the pilot stage, early on, basically is what I’m getting at. What advice would you have for those organizations when it comes to the security piece of their solution? How should they be thinking about it? What advice on how to kind of go about getting started ensuring they have the right information to engage with a security organization or a security company? Just generally speaking, what advice would you have for them to make sure they kind of do it the right way?
– [Steve] Yeah, so what we have done in the past, is we have security assessment reports, and we’ve done those for several companies, that helps them to align themselves with the actual threats in the threat model and the attack vectors and all those kinds of things. So getting an evaluation from someone who has experience in the industry would be, I think a good first step.
– [Ryan] Okay, fantastic. And is there anything that they need to be thinking about or maybe come prepared with from their side? Or is it more just as long as they understand kind of what they’re trying to do and accomplish then the company they reach out to and engage with will be able to ask the right questions and bring necessary information to the table to help?
– [Steve] Yeah, I think, try to put your requirements, not so much in what you believe to be the end result, but more at a higher level of looking at your requirements from a what are you trying to accomplish. And what objectives does this project have? And then we can, because a lot of times what people will do is they will get an idea in their head and say okay, we need this piece of security. And they really don’t. But what they really need is to reach back and look at what their objectives are in the project, and then it may turn out that they do need what they believe they needed, but it may turn out that it would be a variation on that, or some other thing. So I think looking at your overall objectives is a good starting place.
– [Ryan] Absolutely. Fantastic, well thanks so much Steve. This has been a really good conversation. I appreciate you kind of taking time to do this. I wanted to have, at the end of this, you just kind of share with our audience where they may be able to reach out, follow up with questions, learn more if they’re interested, what’s the best way they can do that?
– [Steve] Yeah, so WISeKey has a website, and it’s www.WISeKey.com. I think that would be a good place to start. We also have LinkedIn and Twitter feeds that you can follow, and I look forward to working with people going forward. Thanks.
– [Ryan] Fantastic. Well thanks again for taking the time. Look forward to getting this out to our audience, and love to find a way to continue to do more content on the security front, and we’ll be in touch.
– [Steve] Okay, well thank you Ryan. Have a great day.
– [Ryan] You too. All right everyone, thanks again for watching that episode of the IoT for All Podcast. If you enjoyed the episode, please click the thumbs up button, subscribe to our channel, and be sure to hit the bell notifications so you get the latest episodes as soon as they become available. Other than that, thanks again for watching, and we’ll see you next time.