
You're reading from Practical Industrial Internet of Things Security

Product type: Book
Published in: Jul 2018
Publisher: Packt
ISBN-13: 9781788832687
Edition: 1st Edition
Author: Sravani Bhattacharjee

Sravani Bhattacharjee was a technology leader at Cisco until 2014, where she led the architectural planning and security evaluations of several enterprise cloud/datacenter solutions. She is currently the Principal of Irecamedia, where she collaborates with Industrial IoT innovators (incl. IBM, AT&T, Microsoft, and Intel) to strategize and create compelling whitepapers and a wide variety of editorial and technical marketing content that drives awareness and business decisions. She is a member of the IEEE IoT chapter, a writer, and a speaker. She is the Managing Editor of “The IoT Review”, a podcast and blogging platform on Industrial and Enterprise IoT (iot.irecamedia.com).

Chapter 3. IIoT Identity and Access Management

"In spite of the size, power, and storage challenges in IIoT environments, it is critical that we build strong identities and the means to convey them."
- Dean Weber, Chief Technology Officer, Mocana

Designing a robust identity and access management framework has always been a top challenge for security professionals. In the electronic world, multiple technologies have evolved over the decades for access control, using both wired and wireless infrastructure. Access control in the industrial internet introduces a tougher set of challenges.

In the cyber-physical world, due to the direct impact on the environment, ensuring device integrity through mutual authentication is critical. It is important to ensure that the sensor or the field device is indeed what it claims to be. It is also important to ensure that the control commands to actuate downstream systems are generated by an authorized controller. Absence of human...

A primer on identity and access control


One of the fundamental tenets of security is to ensure that only authorized entities gain access to the information, systems, networks, and other protected assets. Identification and access control have been practiced since the early days of civilization; in the Arabian Nights, we come across interesting stories woven around passcodes and message encoding schemes to protect hidden treasures. We have come a long way since then.

Access cards, biometrics, passwords, physical security keys, and so on are widely used to control access in the human world. With the advent of web and e-commerce, several new protocols and trust models have emerged. These trust models heavily rely on applied cryptography to secure transactions in the cyber world. In the last decade, we have seen wireless authentication and authorization techniques developing at a fast pace to secure enterprise mobility, particularly BYOD practices. In this chapter, we will focus on trustworthy identity...

Distinguishing features of IAM in IIoT


In Chapter 1, An Unprecedented Opportunity at Stake, we analyzed the divergent nature of IT and OT security priorities. While designing and implementing identity and access control mechanisms for IIoT systems, the unique characteristics of cyber-physical systems need to be factored in.

The protocols developed in the early days of IT—such as Telnet and TFTP—had very few security and cryptographic controls built in, as security was not a top concern back then. Besides, for IT software developers, getting "something to work" has historically been more important than integrating adequate security. So, in the IT world cybersecurity ended up being an incessant cat-and-mouse game where security is bolted on after compromises have already happened. This "patchwork" is not practical in OT domains. In fact, to satisfy the safety, reliability, and resilience standards of cyber-physical systems, bolting on security is simply not going to work.

In this section, the...

Identity management across the device lifecycle


In IIoT identity management, the two important challenges are:

  1. How to ensure digital uniqueness of devices
  2. How to maintain digital uniqueness at the scale of millions (or forecasted billions) of deployed devices

In IT domains, the most common way to get an identity is to assign a unique username to an account, usually associated with a human user. Even in BYOD, the identity of mobile devices, such as tablets and smartphones, is tied to the owner's account, and they must be an authorized user of the corporate resources. The scale here is about two or three mobile devices per user. In a highly scaled IIoT use case involving millions of devices, to provision individual usernames would be anything but practical. Besides, IIoT devices typically don't have "users".

This requires the use of other forms of unique device identifiers. In addition to uniqueness, the more intrinsically the identifier correlates to the device, the better the scalability and...

Authentication and authorization frameworks for IIoT


While evaluating the practical applicability of IT-based authentication and authorization techniques for IIoT use cases, it is important that we keep in perspective the unique demands of the cyber-physical world (discussed in the Distinguishing features of IAM in IIoT section).

Note: This section and all subsequent sections of this chapter assume that the reader has a basic familiarity with modern cryptography.

Figure 3.2 summarizes the three main authentication factors (something you know, something you have, and something you are):

Figure 3.2: Examples of authentication factors

Password-based authentication

Password-based authentication is the most widely used proof of identity for people interacting with a device or a system. It belongs to the "something I know" bucket shown in Figure 3.2, and allows multiple levels of account privilege to be managed. In addition to client-server applications, passwords are also used as secrets to secure access to operating system resources.

Many consumer...

Trust models – public key infrastructures and digital certificates


Public key infrastructures (PKI) are designed to provision public key certificates to devices and applications. PKI works exclusively with asymmetric cryptography, and relies upon the trust that participants place in highly trusted centralized service providers. These providers, known as certificate authorities (CAs), serve as the root of trust: they verify the identity of participants and issue digital certificates that bind each verified identity to a public key.

In the web-based economy, PKI has been providing verifiable roots of trust while conforming to a wide variety of architectures, and it is finding applicability in IIoT architectures as well. In some architectures, the end entity, which can be an IoT device, interfaces directly with the CA. In others, there are deep trust chains, with several intermediate CAs between the end entity and the root CA; a verifier must then validate every signature along the chain back to a root it already trusts.

In the case of endpoints in an IIoT architecture, the devices are not inherently trustworthy. Besides, the main value proposition...

PKI certificate standards for IIoT


PKI-based access control has traditionally relied on ITU-T X.509 certificate standards. In this section, we shall evaluate X.509 and also the emerging IEEE 1609.2 standard, specifically in the context of IIoT use cases.

ITU-T X.509

ITU-T X.509 (also published as ISO/IEC 9594-8) is the digital certificate standard most widely used in PKI. In 2008, the IETF profiled X.509 version 3 for Internet use in RFC 5280 (RFC2); certificates following that profile are also referred to as PKIX certificates. Today, many IIoT trust implementations use the X.509 digital certificate format (see Figure 3.8). It is a highly organized, hierarchical format that binds together the identity of the entity the certificate has been issued to, a validity period, and the associated public key, all under the issuer's signature. In many next-generation IIoT devices, the device manufacturer provisions a public/private key pair at production time and issues a certificate for the public key, signed by the manufacturer's CA; the private key should be generated on, and never leave, the device.

The following figure shows the various fields of X.509 certificates:

Figure 3.8: X.509 Certificate layout

Although X.509...
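The following Go program is an added example, not code from the book, that ties together three points made above: a device identity that is intrinsic to the device (here, the SHA-256 fingerprint of its own public key, rather than a serial number or MAC address that anyone can claim), a manufacturer-installed X.509 chain (root CA to factory CA to device certificate), and validation of that chain against a trusted root. The organization and CA names, the device serial PLC-0001, and the use of in-memory P-256 keys are assumptions made for illustration; a real factory keeps the CA keys in an HSM and generates the device key inside the device's secure element. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a manufacturer-installed identity: root CA -> factory CA -> device.
type Chain struct {
	Root, Intermediate, Device *x509.Certificate
	DeviceKey                  *ecdsa.PrivateKey
}

// DeviceID is the SHA-256 fingerprint of the device's DER-encoded public key:
// unlike a serial number or MAC address, it cannot be claimed without the key.
func DeviceID(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(der)), nil
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only possible if the system RNG is unavailable
	}
	return k
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Example Industrial Co"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// issue signs tmpl for pub with signer, which must be parent's private key.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain generates every key in memory (assumption: a real factory keeps
// CA keys in an HSM and generates the device key inside a secure element).
func BuildChain(deviceSerial string) (*Chain, error) {
	rootKey, interKey, devKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate("Example Industrial Root CA", 1)
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	inter, err := issue(caTemplate("Example Industrial Factory CA", 2), root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	devTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{Organization: []string{"Example Industrial Co"}, CommonName: deviceSerial},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(20, 0, 0), // tied to the device's service life
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	dev, err := issue(devTmpl, inter, &devKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Device: dev, DeviceKey: devKey}, nil
}

// Verify walks from the device certificate up to root. Only root is trusted
// a priori; the intermediate is whatever the device presented.
func Verify(dev, inter, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	plant, _ := BuildChain("PLC-0001")
	rogue, _ := BuildChain("PLC-0001") // identical names, but signed by an untrusted root
	fmt.Println(DeviceID(&plant.DeviceKey.PublicKey))
	fmt.Println(Verify(plant.Device, plant.Intermediate, plant.Root), Verify(rogue.Device, rogue.Intermediate, plant.Root))
}
```

Run it and note that the rogue chain, which carries exactly the same subject names as the genuine one, fails with an unknown-authority error: the verifier trusts the root's key, not the names printed in the certificates. The KeyUsages option is not decoration: Go's Verify assumes server authentication when the list is empty, so a device certificate issued only for client authentication would be rejected without it.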

Extending the OAuth 2.0 authorization framework for IoT access control


OAuth 2.0 is a token-based open standard framework for delegated authorization. OAuth in conjunction with the OpenID Connect protocol, which layers authentication on top of it, provides a federated single sign-on experience on the web. We see this used extensively by social media sites such as LinkedIn, Facebook, and Twitter. Federated access control holds a lot of promise in IoT applications, and extensions to the OAuth protocol itself to support IoT use cases are being worked on by IEEE and IETF. At the time of writing, many IoT protocol extensions are also being worked on to fit into the OAuth authorization framework.

OAuth provides delegated access to resources using Resource Owner (the entity that controls the data being exposed), Authorization Server (issues, controls, and revokes OAuth tokens), Client (the application, website, or other system that requests data on behalf of the resource owner), and a Resource Server (typically an API that exposes/stores...
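As an added illustration of those four roles (example code, not from the book, and not an OAuth-compliant implementation), the following Go program lets an authorization server issue a scoped, expiring token to a client acting on behalf of the resource owner, and has the resource server, the device's API, enforce it. The token format, the shared HMAC key, the names hmi-dashboard and valve-controller-12, and the scopes valve:read and valve:write are assumptions for the example; real deployments use a standard token format such as JWT or CWT and, typically, asymmetric signatures so that the resource server holds no signing secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Token is the claim set the authorization server signs: which resource server
// it is for, which client holds it, what it permits and when it expires.
type Token struct {
	Audience string   `json:"aud"`
	Client   string   `json:"client_id"`
	Scope    []string `json:"scope"`
	Expires  int64    `json:"exp"`
}

func sign(key []byte, body string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// AuthorizationServer issues tokens after the resource owner has consented
// (the consent step is omitted). It shares Key with the resource server.
type AuthorizationServer struct{ Key []byte }

func (as AuthorizationServer) Issue(client, audience string, scope []string, ttl time.Duration, now time.Time) string {
	claims, _ := json.Marshal(Token{Audience: audience, Client: client, Scope: scope, Expires: now.Add(ttl).Unix()})
	body := base64.RawURLEncoding.EncodeToString(claims)
	return body + "." + sign(as.Key, body) // "<base64url claims>.<base64url HMAC-SHA256>"
}

// ResourceServer is the device-side API, or the gateway that fronts it.
type ResourceServer struct {
	Name string
	Key  []byte
}

// Authorize accepts a request only if tok is genuine, unexpired, meant for
// this server and grants the scope the requested action needs.
func (rs ResourceServer) Authorize(tok, needed string, now time.Time) error {
	parts := strings.Split(tok, ".")
	if len(parts) != 2 {
		return errors.New("malformed token")
	}
	if !hmac.Equal([]byte(parts[1]), []byte(sign(rs.Key, parts[0]))) {
		return errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return err
	}
	var t Token
	if err := json.Unmarshal(raw, &t); err != nil {
		return err
	}
	if t.Audience != rs.Name {
		return fmt.Errorf("token issued for %q, not %q", t.Audience, rs.Name)
	}
	if now.Unix() >= t.Expires {
		return errors.New("token expired")
	}
	for _, s := range t.Scope {
		if s == needed {
			return nil
		}
	}
	return fmt.Errorf("scope %q not granted", needed)
}

// TamperScope rewrites the claims with a different scope while keeping the
// original signature, which is all an attacker without the key can do.
func TamperScope(tok string, scope []string) string {
	parts := strings.Split(tok, ".")
	raw, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var t Token
	_ = json.Unmarshal(raw, &t)
	t.Scope = scope
	claims, _ := json.Marshal(t)
	return base64.RawURLEncoding.EncodeToString(claims) + "." + parts[1]
}

func main() {
	key := []byte("shared-secret-provisioned-out-of-band") // constructed for the example
	as := AuthorizationServer{Key: key}
	rs := ResourceServer{Name: "valve-controller-12", Key: key}
	now := time.Now()
	tok := as.Issue("hmi-dashboard", "valve-controller-12", []string{"valve:read"}, 10*time.Minute, now)
	fmt.Println("read:   ", rs.Authorize(tok, "valve:read", now))
	fmt.Println("write:  ", rs.Authorize(tok, "valve:write", now))
	fmt.Println("expired:", rs.Authorize(tok, "valve:read", now.Add(time.Hour)))
	fmt.Println("forged: ", rs.Authorize(TamperScope(tok, []string{"valve:write"}), "valve:write", now))
}
```

Four outcomes are printed: the read is allowed, the write is refused because that scope was never granted, the same token is refused after expiry, and a token whose scope was rewritten without the key fails the signature check before any claim is read. The audience check is what stops a token issued for one device's API from being replayed against another.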

IEEE 802.1x


The edge layer of an IIoT architecture may need to support a variety of wired and wireless protocols such as Zigbee, IEEE 802.11, 3/4/5G, and so on. For devices that connect over Ethernet or Wi-Fi, the port-based network access control defined by IEEE 802.1X can be leveraged to manage trust.

IEEE 802.1X provides strong authentication by carrying the Extensible Authentication Protocol (EAP) over the link. A variety of EAP methods can be used: EAP-TLS authenticates both the device and the network with certificates, while EAP-TTLS and PEAP authenticate the server with a certificate and then tunnel a password-based inner method through an encrypted channel, which protects the credentials from man-in-the-middle attacks. LEAP, an older proprietary method, has well-known weaknesses and should not be deployed.

Enabling 802.1X requires three parties: a supplicant on the device, an authenticator (the Ethernet switch port or the Wi-Fi access point), and an authentication server, in practice a RADIUS server, since the authenticator relays EAP to the server over RADIUS. TACACS+ is also an authentication, authorization, and accounting (AAA) protocol, but it is used for administrative access to network devices rather than for 802.1X port authentication.

Devices participating in 802.1X need enough CPU to run the chosen EAP method (a TLS handshake, in the case of EAP-TLS) and enough protected memory to store strong credentials. 802.1X operates at the link layer (EAP over LAN, or EAPOL) and completes before the device obtains an IP address, but it requires an Ethernet or 802.11 link and a supplicant that supports it. As not all...

Identity support in messaging protocols


To implement end-to-end trust, it is important that IoT messaging protocols support identity and access controls. In this section, identity controls in the most commonly used IoT messaging protocols are briefly described. Chapter 5, Securing Connectivity and Communications, provides a more in-depth assessment of the security capabilities of the protocols at various layers of the IIoT connectivity stack.

MQTT

MQTT allows the client to send a username and password in the CONNECT message. Until recently, the specification recommended that passwords be no longer than 12 characters. Both fields are sent in the clear, so anyone who can observe the TCP connection can read them. It is therefore critical that TLS be employed when using MQTT, to prevent eavesdropping on or tampering with the credentials. TLS should be enabled on every hop between the endpoints (client-to-broker, or gateway-to-gateway), with certificates to mutually authenticate each TLS connection rather than relying on the password alone. Note that TLS terminates at the broker, which therefore sees the credentials and the message payloads in the clear; the broker must be trusted and hardened accordingly.

Note that there is an open source variant...
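To make the cleartext exposure concrete, here is an added Go example (not from the book) that constructs an MQTT 3.1.1 CONNECT packet for a hypothetical field gateway and then parses the raw bytes back the way a passive observer on an unencrypted link would. The client ID pump-station-07, user name pump07 and password s3cret! are made up for the example; the packet layout follows the CONNECT definition in the MQTT 3.1.1 specification (fixed header, variable header with protocol name, level, connect flags and keep-alive, then the payload). Only the Go standard library is used.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Connect holds the identity fields carried by an MQTT 3.1.1 CONNECT packet.
type Connect struct {
	ClientID string
	Username string
	Password []byte
}

// mqttStr encodes an MQTT string: 2-byte big-endian length, then the bytes.
func mqttStr(s string) []byte { return append([]byte{byte(len(s) >> 8), byte(len(s))}, s...) }

// SampleConnect is a constructed CONNECT packet as a field gateway would send it
// (sample values are made up): fixed header, variable header, then the payload.
func SampleConnect() []byte {
	body := append(mqttStr("MQTT"), 4, 0xC2, 0, 60) // level 4; flags = user name | password | clean session; keep-alive 60 s
	body = append(body, mqttStr("pump-station-07")...) // client identifier
	body = append(body, mqttStr("pump07")...)          // user name, in the clear
	body = append(body, mqttStr("s3cret!")...)         // password, in the clear
	return append([]byte{0x10, byte(len(body))}, body...) // type 1 (CONNECT) << 4, then remaining length (< 128: one byte)
}

func getString(r *bytes.Reader) ([]byte, error) {
	var l [2]byte
	if _, err := io.ReadFull(r, l[:]); err != nil {
		return nil, err
	}
	buf := make([]byte, int(l[0])<<8|int(l[1]))
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// ParseConnect recovers the credentials from raw packet bytes, as a passive observer could.
func ParseConnect(pkt []byte) (Connect, error) {
	var c Connect
	r := bytes.NewReader(pkt)
	if t, err := r.ReadByte(); err != nil || t>>4 != 1 {
		return c, errors.New("not a CONNECT packet")
	}
	rem, mult := 0, 1 // remaining length: variable-byte integer, 1 to 4 bytes
	for {
		b, err := r.ReadByte()
		if err != nil || mult > 128*128*128 {
			return c, errors.New("malformed remaining length")
		}
		rem += int(b&0x7F) * mult
		if b&0x80 == 0 {
			break
		}
		mult *= 128
	}
	if rem != r.Len() {
		return c, errors.New("remaining length does not match packet size")
	}
	var vh [10]byte // protocol name (00 04 "MQTT"), level, connect flags, keep-alive
	if _, err := io.ReadFull(r, vh[:]); err != nil || string(vh[:6]) != "\x00\x04MQTT" || vh[6] != 4 {
		return c, errors.New("not an MQTT 3.1.1 CONNECT variable header")
	}
	flags := vh[7]
	id, err := getString(r)
	if err != nil {
		return c, err
	}
	c.ClientID = string(id)
	if flags&0x04 != 0 { // will flag: will topic and will message precede the credentials
		for i := 0; i < 2; i++ {
			if _, err := getString(r); err != nil {
				return c, err
			}
		}
	}
	if flags&0x80 != 0 { // user name flag
		u, err := getString(r)
		if err != nil {
			return c, err
		}
		c.Username = string(u)
	}
	if flags&0x40 != 0 { // password flag
		if c.Password, err = getString(r); err != nil {
			return c, err
		}
	}
	return c, nil
}

func main() {
	pkt := SampleConnect()
	fmt.Println("password visible in a capture:", bytes.Contains(pkt, []byte("s3cret!")))
	fmt.Println(ParseConnect(pkt))
}
```

bytes.Contains finds the password verbatim in the packet, which is the whole point: without TLS, the credential is recoverable from a single captured TCP segment, and a rogue broker could harvest credentials from every device that connects to it.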

Monitoring and management capabilities


An IAM strategy is incomplete unless it includes controls to support the entire identity lifecycle. The identity lifecycle begins with a device bootstrapping to join a trust relationship with other elements of the infrastructure. It ends with device decommissioning and the associated account deactivation and deletion. Along this lifecycle, there are many events and activities that demand adequate visibility and control from a security standpoint. Two important device management capabilities are discussed in this section.

Activity logging support

In industrial OT, network log histories are maintained to track control operations and commands. Events and access control-related logs are important to have sufficient visibility on the dynamics of an IoT deployment.

Some IIoT platforms generate event and activity logs. Any anomaly or rogue activity detected is forwarded upstream for further analytics and reporting. But the logs are vulnerable to unintended...

Building an IAM strategy for IIoT deployment


So far in this chapter, we have discussed the various concepts related to IIoT identity and access management. To put these concepts into practice, this section presents certain key considerations and tools that can be used to define an IAM strategy for a specific use case.

Risk-based policy management

Managing identity and access control is costly and resource-intensive. Due to the heterogeneity and complexity of the associated technologies and platforms, an efficient and cost-effective IAM strategy must always be risk-based. In this section, the reader will find a few actionable steps to define IAM approaches for their IIoT use case:

  • Identify the identity and access-related threats specific to the use case. The threat modeling and risk analysis methods described in Chapter 2, Industrial IoT Dataflow and Security Architecture, can be used for this purpose. The risk analysis needs to factor in threat scenarios in both OT and enterprise IT...

Summary


In this chapter, we discussed the fundamental tenets of an IAM strategy and evaluated the various distinguishing aspects of an IIoT deployment in terms of IAM requirements. The reader was introduced to the relevant concepts and technologies associated with IAM, and their corresponding benefits and limitations.

This chapter was designed to provide the reader with a holistic baseline and actionable steps to develop a risk-based and cost-effective IAM strategy for a specific IIoT deployment use case.

Chapter 4, Endpoint Security and Trustworthiness, takes the discussion of IIoT device security to the next level by providing a comprehensive analysis of IIoT endpoint security and trustworthiness.
