Certification org moves to keep IoT safe from quantum threat

The IoT community does not have a great track record when it comes to proactively embracing security capabilities, but as potential new threats loom with the dawning of the quantum computing age, IoT firms have another chance to take the bull by the horns.

Cybertrust Japan Co., Ltd., Japan’s leading security certification authority, is doing just that, having integrated quantum-computing-hardened private keys from quantum computing hardware, software, and security company Quantinuum into a new certificate issuance and distribution platform for IoT devices. 

The new platform relies on Quantinuum’s Quantum Origin security offering for the quantum computing-hardened keys (meaning they were created with the help of an actual quantum computer, the company’s own H-1 system), and incorporates post-quantum cryptography (PQC) algorithms that have been chosen for standardization by the U.S.-based National Institute of Standards and Technology. (Finalized standards are expected by 2024.)

This will add a new level of protection to the certificate exchanges that are used to prove device trust and that usually govern the authentication of IoT devices and their connections to other devices or networks. Providing and managing certificates across these devices is complex because of the volume of devices trying to connect to networks and the need to provide fast access to data, according to Quantinuum. Security measures need to be robust while also enabling real-time communications.

While security and privacy traditionally have not been strengths for IoT, governments and industry bodies around the world recently have become more aggressive in trying to change that. The Biden Administration, for example, issued an order in 2021 that called for more stringent IoT security, including the creation of a program to encourage the placement of security trust labels on IoT devices. That labeling program, modeled on the Energy Star labeling program, is supposed to roll out this spring. The ioXt Alliance also has been campaigning for a more cohesive approach to IoT security.

“Standards are only just emerging for IoT and connected OT device security overall,” said Duncan Jones, Head of Cybersecurity at Quantinuum. “Some European countries have implemented security standard labeling of IoT devices and the United States is expected to implement something similar in 2023. General regulations such as the US government’s guidance for cyber resilience in critical infrastructure also touch on this as part of a wider strategy.”

As the global community takes some initial steps to make IoT devices and connections more secure, preparing for quantum threats to IoT security may seem like a less urgent issue. Though quantum computers are widely understood to be advancing to a point where they will be capable of breaking current RSA encryption, that could require systems with thousands of qubits and several more years of work. (Quantinuum’s H-1 quantum computer, for example, is currently a 20-qubit system.)

However, as many people in the quantum technology sector have pointed out, when an organization finally has a quantum computer capable of cracking RSA encryption, it is possible we will not find out about it until it is too late. That creates urgency in the minds of some, but not all, Jones acknowledged.

“There are cases where forward-thinking organizations within industries that have a lower risk tolerance are looking to build resilience by combining PQC algorithms with quantum computing-hardened cryptographic keys,” he said. “It is not a universal recognition, but many companies are picking up on the risk. We are in conversation with customers across critical infrastructure, finance and cyber security industries that realize the importance of a holistic approach to PQC and the need to start building that capability now.” 

Cybertrust Japan is the first international IoT security certification agency in the world to jump on board with the notion of adding both PQC algorithms and quantum computing-hardened keys to its IoT security platform via Quantum Origin.

Yasutoshi Magara, President & CEO of Cybertrust Japan, said, “Integrating Quantum Origin assures our customers that they can build innovative IoT-based solutions on a platform they can trust to deliver speed and higher security, including post-quantum algorithms support. As a result, customers and partners can use and sell our certification services securely for the long term.” 

Jones argued that leveraging a holistic approach using both PQC and quantum computing-hardened keys is important as companies take stock of how critical their IoT/OT assets and their strategies to connect and integrate these once-separate systems are to their businesses.

“Many organizations are rolling out IoT and connected OT projects as an essential part of their digital transformation, and these connected assets are an essential part of their business model,” he said. “We seek to help those manufacturing and using IoT devices to understand that a holistic strategy for building the necessary resilience is a combination of PQC algorithms and quantum-computing-hardened keys. This holistic approach ensures that IoT manufacturers and users protect the connected devices on which their business models and business operations are increasingly dependent.”
