Zero Trust Manufacturing

  /  Industrial IoT   /  Connected Industry   /  Zero Trust Manufacturing
cybersecurity

Zero Trust Manufacturing

The rapid adoption of cloud computing and the Internet of Things (IoT) is ushering in billions of connected devices that, left unsecured, represent a significant risk to businesses and consumers. Connected things include a variety of IoT endpoint devices across several critical infrastructure segments, including utilities, automotive, healthcare, retail, and building automation.

Complex manufacturing supply chains make it difficult to build electronic devices that can be trusted by both the manufacturer and device owner. A dizzying ecosystem of contract manufacturers, component suppliers, software developers, logistics companies, and systems integrators makes for an environment in which multiple security vulnerabilities can mushroom.

This complex ecosystem means that attackers have many avenues to compromise a device’s security as it is being designed, manufactured, tested, and delivered. The original equipment manufacturer (OEM), the company usually respon­sible for bringing the product to market, is often focused on building products that meet its custom­ers’ specifications while minimizing manufacturing and delivery costs. Frequently an afterthought, security is too often bolted on as a feature rather than being a critical element designed at the start of a product’s lifecycle.

With many supply chain partners, the reality is that you cannot trust the manufacturing process’s security to ensure that the hardware, firmware, or credentials of the device have not been altered. To ensure the trustworthiness and safety of devices, manufacturers need to take a “zero trust” approach and design security into the devices while maintaining effective security controls throughout the manufacturing process and product lifecycle. A zero trust manufacturing approach gives manufacturers flexibility when moving production to a different location with little downtime.

Why zero trust manufacturing matters in the IoT world

The more supply chain partners involved in the manufacturing process, the less you can trust that elements like hardware, firmware, and credentials haven’t been altered. As a result, all manufacturers must take a “zero trust” approach to security, especially those that produce IoT devices given the ultra complexity of their supply chains.

What is zero trust manufacturing?

Zero trust manufacturing is an approach to manufacturing trustworthy devices along a supply chain that inherently can’t be trusted. It’s not achieved by any single technology; rather, it describes an approach to designing, manufacturing, testing, and delivering products that can be trusted by the owner.

Importantly, zero trust manufacturing embodies numerous concepts, including hardware-based security, embedded security, public key infrastructure (PKI), key and certificate lifecycle management, device trustworthiness, code signing, and authentication.

Why does zero trust manufacturing matter?

According to Global Market Insights, the market for electronic manufacturing services (EMS) is expected to grow from $500 billion in 2019 to $650 billion by 2026. The EMS market comprises global companies that design, manufacture, test, distribute and provide return/repair services for electronic components and assemblies for original equipment manufacturers (OEMs). This means even more parties will be involved in the manufacturing process, which creates even more opportunities for security gaps.

Zero trust manufacturing also enables OEMs to more rapidly shift contract manufacturing to companies throughout the EMS market, providing a meaningful competitive advantage that helps accelerate time-to-market, minimize production risks, and maintain cost competitiveness.

Common security challenges only further the need zero trust manufacturing

Diving deeper, several common security challenges further the need for zero trust manufacturing – especially among IoT manufacturers.

Manufacturers are subject to a range of debilitating cyber attacks and security breaches, and many of these attacks use sophisticated means to steal security credentials. According to the Verizon 2020 Data Breach Investigation Report, 45 percent of breaches involved hacking, and of those breaches, 80 percent involved brute force or the use of stolen credentials.

Stolen user and device credentials, including private keys and digital certificates, are typically the basis for these attacks and directly affect businesses. In a study by the Ponemon Institute, sponsored by Keyfactor, 92% of organizations experienced at least one certificate-related outage in the past 24 months and 81% of organizations experienced multiple disruptive outages due to expired certificates.

As a result, protecting and managing private keys and digital certificates with a zero trust approach is critical to shielding devices and applications from sophisticated attacks across the supply chain.

IoT threats and vulnerabilities against which a zero trust approach can help protect

Some of the most common IoT threats and vulnerabilities against which a zero trust approach can help protect include:

  • Root CA impersonation: An attack in which hackers authenticate rogue devices and users on a network by compromising the root Certificate Authority (CA).
  • Unauthorized firmware updates: An attack in which hackers compromise code signing credentials to modify firmware.
  • IP theft and counterfeiting: An attack in which hackers use compromised credentials to steal intellectual property and bring counterfeit products to market.

Best practices for zero trust manufacturing

Fortunately, implementing zero trust manufacturing and appropriately managing all of the components that fall within it, such as PKI, certificate lifecycle management, and embedded security, can help avoid attacks like those noted above. Along the way, manufacturers can benefit from following several best practices:

  • Hardware-based security: Introducing device-based, tamper-resistant hardware secure elements creates a trustworthy root of trust.
  • On-device key generation: Generating and storing private keys securely on a device means it can attest to its own identity.
  • PKI management: Automating PKI and certificate lifecycle management can ensure standardized operations and avoid outages.
  • Secure communication with end-to-end encryption: Implementing encrypted SSL/TLS or IP VPN communications ensures data privacy.
  • Secure bootstrap certificate: Replacing the initial bootstrap certificate with an updated certificate ensures the device boots up with the intended firmware.
  • Enable mutual M2M authentication: Implementing strong user access controls and machine-to-machine (M2M) mutual authentication provides two-way verification.
  • Centralized code signing: Ensuring firmware updates are signed by the developer and authenticated by the device avoids compromising situations.

How manufacturers across industries are already benefiting from zero trust manufacturing

Given the value zero trust manufacturing can deliver, what does the practice actually look like in action? Consider these use cases from manufacturers across three different industries:

Healthcare

The rise of network-connected medical devices has demanded stronger authentication since tampering can create serious issues, not the least of which is patient harm. As a result, medical device manufacturers must be able to positively authenticate and authorize everyone who can access, manage, and operate any point in the manufacturing line. Once delivered, security must be managed just as strictly, as the device owner must be able to ensure the operator cannot compromise the integrity of the device or access secret keys that would enable counterfeits.

Utilities

As power utility networks merge their operational technology (OT) control systems and IT networks for more effective communication, better remote access, and more efficient management, they’ve had to remove the traditional firewalls around their networks. This situation has created the need to uniquely identify and authenticate both users and devices on the network since many of the systems and devices used are mission-critical and their misuse can lead to massive economic effects or even death.

Transportation

Advancements in manufacturing have turned vehicles into connected, electronic devices. These vehicles must communicate with an extended network of sensors as well as directly with humans, which requires the ability to positively authenticate at key points of the lifecycle. For instance, when connecting to an electronic charging network, the network must be able to authenticate the vehicle, the user, and the payment method used for purchasing the charge.

The time to get started with zero trust manufacturing is now

The manufacturing supply chain has become increasingly complex, and with the continued explosion of IoT devices, this shift will only continue. To successfully navigate this complexity, manufacturers must ensure security at every step of the way. And the only way to do so effectively is to take a zero-trust approach.

Originally this article was published here.

Download this white paper from Keyfactor to discover the best practices, use cases, and applications for Zero Trust manufacturing.

The internet of things (IoT) has arrived, and so have a host of security challenges along with it.

Despite the fact that complex manufacturing supply chains mean attackers have many avenues to compromise a device, security is often bolted on as a feature rather than being a critical element designed at the start of a product’s lifecycle.

More about The Importance of Security by Design for IoT Devices

It’s time to change this approach. And it all starts with zero trust manufacturing.

Sponsored by KeyFactor