What would you do if your digital assets stopped talking to each other? Are you confident that you could find them all if they vanished from a network map, from large machines to tiny remote sensors? Ellen Boehm is VP of IoT strategy and operations at Keyfactor, which along with the Ponemon Institute recently released the first-ever State of Machine Identity Management report. Ellen spoke recently with Plant Services Chief Editor Thomas Wilk about how this new dimension of asset management is expanding traditional maintenance responsibilities.
PS: Can you explain what machine identity management is, as well as which plant team members are taking responsibility for it?
EB: Think about how, as humans, we have identities that give us access to apps or devices. Think about a password that you have to log into something, or multi-factor authentication, the type of stuff we’re all used to and comfortable with as people.
But similarly, when it shifts to machines and equipment and assets and applications, there are identities that those things need to leverage to give them proper authentication and access to other devices or servers or systems. Those identities are digital identities that come in many forms, and common forms are keys, public and private keys, symmetric keys, certificates, or other secrets.
So then, what’s machine identity management? It’s really the broader concept around how you have all of those individual pieces that are very important, because it’s what gives somebody authentication and access to something: How do you issue it securely? How do you maintain it? How do you rotate it, refresh it, or revoke it? These are terms that we talk about in certificate and key management all the time. So that’s what the concept is: first, understand where and how you need to use these secret pieces; and then second, how to manage them in a very secure way.
The last part of your question is really around who is responsible for this. There are a couple of different pieces, I think, when it comes to this. If you are new to this as an OEM, as a plant operator, as someone who has been charged with trying to manage these types of things, know that you’re not alone! Know that there are partners and people who can help you figure this out, and there are best practices out there. That’s partially why we released this report: so that others can read it and learn it and understand what the risks are, and how you can help to mitigate them. That’s really the bottom line.
This article is part of our monthly Big Picture Interview column.
PS: What are some of the things that can go wrong without effective machine identity management?
EB: Let’s start with the first thing, which is this: if any of these secure machine identities has an expiration date on it, if you’re using a certificate and it expires, your line could go down. We have had people come to us and say, “this has happened,” and “when a line goes down, every minute it’s dollars, and we’re not making product and we’re not delivering to our customers,” and that kind of thing. You have to make sure that you don’t let those keys and certificates get out of date, because then your operations and your applications won’t work, so that’s one directly tied to business.
There could be a misconfiguration, where you expect something to be able to authenticate and connect, and it can’t, and that also becomes a reliability issue. And then lastly, I would say, if there is a lack of knowledge about where and how all of these identities are used. It’s almost an impossible nightmare, this web of identities that you’re trying to (1) discover, (2) get under control, and (3) manage at scale. As we have more and more devices and things that need to connect, especially when it comes to using IoT in the factory, we have to start to be able to use a more automated process for issuing and provisioning, and then re-enrolling, and then eventually revoking.
PS: That’s fascinating. I mean, I’ve heard anecdotally here and there about lost asset issues, when someone forgets where the sensor was placed if it’s not networked up.
EB: Yeah, how do you find it? It’s just like looking for a needle in a haystack, walking around the factory. And I can imagine that for global companies with hundreds of factories around the world, if you’re an operations leader and you want visibility into that, and you want to streamline things, you’ve got to have more visibility into it, for sure.
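The two failure modes Ellen describes, an expired certificate taking a line down and an identity nobody can locate on the plant floor, are what an inventory-driven lifecycle check is meant to catch before they bite. The following is an added example, not code from Keyfactor or from the interview: it runs a renew-early policy over a constructed inventory of machine identities (asset names, dates and the `location` field are all made up for illustration) and reports which ones are expired, due for re-enrollment, or undiscovered.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class MachineIdentity:
    asset: str              # constructed asset name, not a real device
    kind: str               # "x509", "symmetric", "ssh-key", ...
    issued: date
    expires: date
    location: Optional[str]  # None models the "where is that sensor?" gap


# Constructed sample inventory for the example; every value is made up.
INVENTORY: List[MachineIdentity] = [
    MachineIdentity("plc-line1", "x509", date(2020, 5, 1), date(2021, 5, 1), "Plant A / Line 1"),
    MachineIdentity("hmi-line2", "x509", date(2020, 11, 1), date(2021, 11, 1), "Plant A / Line 2"),
    MachineIdentity("vib-sensor-17", "symmetric", date(2019, 6, 1), date(2022, 6, 1), None),
    MachineIdentity("gateway-b", "x509", date(2021, 1, 1), date(2021, 7, 1), "Plant B"),
]


def renewal_lead(ident: MachineIdentity, min_lead_days: int = 30) -> timedelta:
    """Renew once a third of the lifetime remains, but never with less than
    min_lead_days of warning, so long-lived keys are flagged early and
    short-lived ones are not flagged the day they are issued."""
    lifetime = ident.expires - ident.issued
    return max(timedelta(days=min_lead_days), lifetime / 3)


def classify(ident: MachineIdentity, today: date) -> str:
    """expired -> already causing an outage risk; renew-now -> inside the
    re-enrollment window; ok -> nothing to do yet."""
    if ident.expires <= today:
        return "expired"
    if today >= ident.expires - renewal_lead(ident):
        return "renew-now"
    return "ok"


def lifecycle_report(inventory: List[MachineIdentity], today: date) -> Dict[str, str]:
    """Map each asset to its status. Identities with no known location are
    prefixed 'undiscovered/' because you cannot rotate what you cannot find,
    whatever their date status says."""
    report = {}
    for ident in inventory:
        status = classify(ident, today)
        if ident.location is None:
            status = "undiscovered/" + status
        report[ident.asset] = status
    return report
```

Run against the sample inventory on 2021-05-15, the PLC certificate is already expired, the gateway is inside its renewal window, and the vibration sensor's key is fine on dates but flagged because its location is unknown.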
This story originally appeared in the May 2021 issue of Plant Services.