Building owners and tenants are rapidly transforming workplaces into energy-efficient smart spaces. This has amplified a problem that has long faced the building controls market: How do you onboard IP-based EnOcean controllers, displays, and protocol converters onto a building’s secure IT network? A rash of high-profile security breaches that originated in IoT devices has put Chief Information Security Officers on high alert, and restrictions against adding an IoT device to an IT network without first passing a cybersecurity review are intensifying.
Even if a device passes a cybersecurity review, getting it onto the IT network can be tedious. If a device’s user interface wasn’t designed with IT networks in mind, then configuration options might be missing. Security certificate management can become a Catch-22: A device has to be on the network to receive a security credential, but it can’t be on the network without a credential installed. Some companies solve the latter problem by sending secret credentials over an unprotected open network, but that obviously poses its own risks.
Device Provisioning Protocol for secure onboarding
The Device Provisioning Protocol (DPP), certified under the Wi-Fi Alliance as “Easy Connect,” is a standard that allows devices to be easily provisioned onto a secure network using simple, modern techniques such as QR code scanning. This solution replaces Wi-Fi Protected Setup (WPS), a hugely popular onboarding solution that unfortunately had significant security gaps due, in part, to its reliance on inadequate and outdated Wi-Fi encryption services such as Wi-Fi Protected Access (WPA).
DPP addresses this gap by leveraging WPA3 and enhancing certificate handling to provide robust, secure, and scalable provisioning of IoT devices in any commercial, industrial, government, or consumer application. DPP also supports legacy WPA2 connections.
DPP is designed to accommodate devices with or without a user interface: each DPP-enabled device is manufactured with an elliptic curve public/private key pair. The device can be brought onto a network via many paths, but the most common is by scanning a QR code on the device using a smartphone. The QR code contains the public key and, optionally, the device’s MAC address and serial number.
There are four steps to onboarding an IoT device onto an IT network using DPP, and the entire process can be completed in seconds:
- Bootstrapping: The device shares a public key that is bound to a unique private key;
- Discovery: Unprovisioned devices are identified by the DPP-enabled network infrastructure;
- Authentication and configuration: A request-response process authenticates the device and the configuration service, following which a security role and group are assigned to the device;
- Network access: An Aruba Wi-Fi access point or wired controller advertises the availability of a DPP network. The device and the network exchange keys and separately derive an authenticated Pairwise Master Key (PMK). If each side generates the same PMK, the device is allowed on the network.
Problem solved
DPP can run via Wi-Fi and Ethernet, addressing the vast majority of smart building applications. Cellular-enabled devices can also obtain Wi-Fi credentials via DPP, which allows mobile devices to move between cellular and Wi-Fi networks. DPP QR codes can be scanned individually or batched. Individual scanning is ideal for smaller sites and when a device is being replaced. Batched scanning is perfect for a large upgrade and when commissioning a new site. Finally, DPP eliminates the need to configure security credentials over an open network, thus closing a significant security gap. Once manual steps are eliminated, installation can proceed more quickly and without IT-skilled labor.
Summary
If you need to deploy IP-based EnOcean controllers, displays, or protocol converters on a secure IT network, DPP is the answer. DPP speeds up installation time, closes the security gaps of earlier provisioning systems, and meets the high standards set by CISOs by using WPA3 and other security mechanisms.