New security approaches need to be developed for new technologies like those aimed at enabling the internet of things (IoT), according to PTC senior system specialist Sebastian Bergner.
“One of the most important building blocks of the digital transformation and smart connected products is security,” he told attendees of PTC LiveWorx Europe 2015 in Stuttgart, Germany.
For this reason, Bergner said, PTC’s ThingWorx IoT software platform complies with most IT security standards and includes security features such as encryption, and user and device authentication.
Other features include rights management and permissions management, but he said the security of the system alone is not enough.
“In the future, we will go to systems of systems, which means we will need a secure and trusted ecosystem from the sensor to the user,” said Bergner.
For this reason, PTC is working with security firm Exceet to create the basis for a trusted ecosystem that is open to all industry players.
“We want to address the next level of security which we feel is needed for a future where we expect billions of machines and devices to be talking to each other automatically,” said Björn Peters, lead for IoT at Exceet Secure Solutions.
“In this scenario, in which even machines from competitors may be talking to each other to enable certain services, there has to be assurance that all communications are allowed and can be revoked easily if necessary,” he said.
According to Peters, there is a need for something to secure a whole ecosystem that goes beyond technical things such as connectivity security and virtual private networks.
“Security is not optional, but it is something that you need from the start. It is something you need to be prepared for,” he said.
Peters added that he is also seeing security as a barrier for every IoT project, especially in Europe where there are increasingly stringent rules around data protection.
“Exceet and PTC believe there is a need for a platform to meet the need for a secure device identity lifecycle, which could encourage even more companies to enter the field of IoT,” he said.
Together, the companies are creating such a platform, starting with secure hardware and using secure elements to provide tamper-proof hardware storage for the private key, fully integrated into the ThingWorx platform to enable a trusted infrastructure.
“This trusted infrastructure is the foundation of what we call the trusted management that enables unique device identification, mutual authentication, end-to-end encryption in an object-based way, secure configuration management, and secure rules and rights management,” said Peters.
“We believe we are creating a new security standard, but it is not intended to be a closed shop. We want to have other secure element providers in the game to provide a choice and as many device suppliers as possible.”
Although security is important, said Peters, it is just as important to have security that is appropriate to any particular use case to ensure that security does not unnecessarily become a “show-stopper”.
“Everyone planning an IoT deployment should do an IoT risk assessment, especially if they have high-risk data, to find the right security approach for them,” he said.
In a typical implementation, added Peters, a secure element is used to create a “sphere of trust” around the IoT-enabled device, which connects through a trusted platform to a trusted ecosystem where each player has different access rights to the data according to their role.
“PTC and Exceet want to make the next step in terms of platform security and ID management,” he said.
“The goal is to provide all the basic requirements for IoT security out of the box, but for highest levels of security, consultation will probably be needed to tailor the security system to the particular data protection needs of the project.”