What would you do if your digital assets stopped talking to each other? Are you confident that you could find them all if they vanished from a network map, from large machines to tiny remote sensors? Ellen Boehm is VP of IoT strategy and operations at Keyfactor, which along with the Ponemon Institute recently released the first-ever State of Machine Identity Management report. Ellen spoke recently with Plant Services Chief Editor Thomas Wilk about how this new dimension of asset management is expanding traditional maintenance responsibilities.
PS: We're excited to talk with you today because there's an issue out there for maintenance and reliability folks to get more familiar with: “machine identity management.” For those readers and listeners for Plant Services who are new to the discipline of machine identity management, especially as it relates to more general asset management and asset care strategies, could you take a little bit of time and explain to our listeners, number one, what it is? And then number two, in your experience, which plant team members are taking on the responsibility for effective identity management?
EB: Yeah, so let's break that down a little bit. We can start firstly with machine identities, and then we can get into the management part, right? So think about how, as humans, we have identities that give us access to apps or devices. Think about a password that you have to log into something, or multi-factor authentication, the type of stuff we're all used to and comfortable with as people. But similarly, when it shifts to machines and equipment and assets and applications, there are identities that those things need to leverage to give them proper authentication and access to other devices or servers or systems. Those identities are digital identities that come in many forms, and common forms are keys, public and private keys, symmetric keys, certificates, or other secrets.
These are pieces that those of us that have been in the industry of digital identities and public key infrastructure, certificates and all, we're very familiar with that. I think what we're seeing is that we've got a lot of knowledge and use of this in the enterprise, in IT, organizations, right? But as we're shifting and starting to leverage those types of identities into IoT, into OT, in factories, that we have a bit of learning, everybody does, about how we can implement this and what's the best way to do it. These machine identities are really keys and certs and secrets. You can think of it that way.
So then, what's machine identity management? It’s really the broader concept around how you have all of those individual pieces that are very important, because it's what gives somebody authentication and access to something: How do you issue it securely? How do you maintain it? How do you rotate it, refresh it, or revoke it? These are terms that we talk about in certificate and key management all the time. So that's what the concept is: first, understand where and how you need to use these secret pieces; and then second, how to manage them in a very secure way.
The last part of your question is really around who is responsible for this. There are a couple of different pieces, I think, when it comes to this. If you are new to this as an OEM, as a plant operator, as someone who has been charged with trying to manage these types of things, know that you're not alone! Know that there are partners and people that can help you figure this out, and there are best practices out there. That's partially why we released this report: so that others can read it and learn it and understand what the risks are, and how you can help to mitigate them. That's really the bottom line.
So the people, then, who need to be thinking about this are generally operations leaders in the factories, maybe factory controls engineers, those who are responsible for perhaps this remote monitoring equipment that goes at the end of the line (I think control systems these days are starting to have more connectivity into them). Just people who are generally responsible for that type of edge point that has been placed in a plant where you need to make sure it's secure; that's likely where I'm starting to see this piece fall. I don't know if you agree with that.
PS: I do. I mean, a lot of our readers are going to have responsibility for that. Our operations readers, our maintenance and especially reliability readers and listeners are getting a lot more familiar with the digital side. I was going to ask you since these teams are normally tasked with seeing around corners, and mitigating and preventing problems before they start with the assets that they're in charge of, what are some of the things that can go wrong without effective machine identity management?
EB: Yes. So when you're doing risk management, you always like to think and brainstorm of what can all possibly go wrong. There are a couple different things that are probably not all going to happen at the same time – it's not going to be this perfect storm. To list them out, let's start with the first thing, which is, if any of these identities, these secure machine identities have an expiration date on them, if you're using a certificate and it expires, your line could go down. We have had people come to us and say, “this has happened,” and “when a line goes down every minute it's dollars and we're not making product and we're not delivering to our customers,” and that kind of thing. You have to make sure that you don't let those keys and certificates get out of date because then your operations and your applications won't work, so that's one directly tied to business.
There could be misconfiguration, where you expect something to be able to authenticate and connect, and it can't, and that also becomes a reliability issue, like you were saying. And then lastly, I would say, if there is a lack of knowledge about where and how all of these identities are used. It's almost an impossible nightmare of this web of identities that you're trying to (1) discover, (2) get under control, and (3) manage at scale. As we have more and more devices and things that are needing to connect, especially when it comes to using IoT in the factory, we have to start to be able to use a more automated process for issuing and provisioning, and then re-enrolling and then eventually revoking. And that, again, is the whole management thing. Those are the three things that we typically see going wrong, and how that can contribute to your business.
PS: That's fascinating. I mean, I've heard anecdotally here and there about lost asset issues, when someone forgets where the sensor was placed if it's not networked up.
EB: Yeah, how do you find it? It's just like a needle in the haystack, walking around the factory. And I can imagine, obviously, for global companies with hundreds of factories around the world, if you're an operations leader and you want visibility into that, and you want to streamline things, you've got to have more visibility into it, for sure.
PS: Well, you mentioned there's a new report out from Ponemon Institute and Keyfactor that covers these issues, and we'll put the link to that report for those listening in the podcast notes. That report, I took a look at it before we talked today, Ellen, and identified some of the top challenges that are related to machine identity management. I know you've pointed out one or two challenges here. Can you talk about some of the other challenges, and about which ones specifically are emerging as the top priorities that factories are starting to tackle?
EB: Yeah. So I think the first one is around staffing and expertise because this topic that we're talking about, again, it's cryptography, it's certificates, it's key management, right? It's oftentimes not a core competency that people have developed, just because maybe a factory was completely self-sufficient, or maybe there was no need to have networked equipment within the factory just because of the nature and the history of things (at that site). But now, as that's changing, you have to be able to have either a partner or an integrator, or maybe even build in-house expertise, depending on what's important to you as you're trying to operate. So having people who have familiarity, or at least someone that you can work with that knows digital identities and certificates and crypto, and then how to manage that, to give you advice and help you through this, that's the first of these priorities I think you have to focus on.
The next challenge, I think, would be then this lack of automation, without which...well, firstly, you need the visibility, and then secondly, you need automation to be able to do updates and renewals of these identities. We've talked to many people who have started doing this via spreadsheets or Excel, or some way of saying, "Okay, I put this identity on this control system or this asset management device and it's on line five. And I know that in January of 2022 it's going to expire." But that's in a spreadsheet and so then it relies on a person to go back and check that spreadsheet and then be able to go update. That's just a small example of how if you're doing things manually, and this just goes across the board for anything, there's chances for mistakes. And so having a tool or a platform or just a more automated way to do it will help reduce errors.
PS: Interesting. Yeah. And especially that first one, that's going to resonate with our listeners is what I'm trying to say, the issue of staffing expertise. I'm sorry. I think I cut you off. Were you going to continue on that one?
EB: No. I think maybe the only other thing, and it's maybe not directly related to manufacturing lines, but I do want to mention it – there's this concept of code signing or firmware signing. For devices that are running an application, there's likely firmware on that device, and in order to send updates in the field, you want to make sure that the code that's being sent has been signed and comes from the original developer of that code. That's another thing where there's a digital identity to help manage the firmware and the firmware lifecycle. One other thing that can be slightly related to this, when it comes to factories that are developing their own networked IoT system, is to be able to use proper code signing of applications that are used there. That also is another layer of security that you can employ, to make sure that you don't have hackers getting in and installing malware into your factory operations.
PS: It's telling that the OEMs that we've spoken with, as their assets get more complex – especially things like compressor systems that get networked up and then data gets sent back to the OEM's home server – OEMs have been helping plant engineers and plant managers understand better about issues like machine identity management. You mentioned the skills gap or potential knowledge gaps, so can you tell us where plant teams could expect this knowledge to reside if they needed to seek it out? Would it be the OEMs, or is it, as you said, also the system integrator community?
EB: Yeah, I think it can land in both of those places. I think other times I'm seeing plants going to their IT organizations even and saying, "Okay, how have you solved this problem of identity management within our enterprise?" You know, obviously, we have identities when people have laptops and they have cell phones that are issued by the company, and we've got VPN connections and all that; those types of things are very well known in the IT organization. I think people from the plants and the factories, on the product side of the business, are going and trying to learn from what's been done within the enterprise. So I think there's a bit of that sort of sharing.
The other is looking to partners in the industry such as Keyfactor. And again, this is something that we partner with our customers to help provide this service and become an integrated part of their business, because we know that we focus really on this. This is our core competency. This is our expertise. This is what we do all day long. And it allows you to then focus on running your business, running your factories, producing your products and focusing where your domain expertise lies. So I think that's a bit of it. So it could lie in partners, public key infrastructure partners and certificate crypto expert partners. But then also certain integrators are building up a competency more around security and embedded security that can be leveraged. So I think there are a couple of different places where it can be found. It really depends on what fits for your business model.