Using PKI to Secure IoT Devices
Scalable, Cost-Effective Protection — From Smart Speakers to Smoke Alarms
The Internet of Things (IoT) has made the world more responsive, efficient and accessible. It’s also turned millions of devices into easy security targets. In fact, the first half of 2021 saw 1.5 billion attacks on smart devices — an uptick of more than 100% year-over-year. Infected devices have been used to steal personal and corporate data, mine cryptocurrencies and build botnets that carry out DDoS attacks.
In this landscape, public key infrastructure (PKI) has emerged as a powerful — and much-needed — solution. PKI technology has helped secure enterprise networks for decades. Increasingly, it’s being deployed as a cost-effective and scalable solution for securing IoT devices, from pacemakers to power grids. Here’s why.
The Basics of PKI for IoT
IoT manufacturers must ensure that devices are authentic before they connect to the cloud. They must also be able to verify the integrity of any data that devices collect, store or transmit.
PKI presents a flexible, low-impact way to accomplish both tasks at once. It works by establishing a set of roles, policies and procedures that govern centrally issued digital certificates. Each certificate binds a device's identity to its public key; the matching private key is generated for that device and should never leave it. The device presents its certificate to prove who it is (typically during a TLS handshake with the cloud service or with another device), and the key pair anchors the session keys that encrypt the data it exchanges and lets it sign the data it produces.
The benefits of using PKI for IoT include:
- A unique, verifiable identity for each device in an IoT ecosystem
- Secure, passwordless authentication between devices and systems
- Strong encryption for data in transit, and device-held keys that can protect data at rest
- Scalable certificate provisioning and updating throughout the device’s lifecycle
Designing Scalable PKI for IoT Solutions
Deploying PKI can seem dauntingly complex, and running it well requires expertise; according to the Ponemon Institute's 2020 Global PKI and IoT Trends Study, the average organization manages more than 56,000 digital certificates. Cloud-based PKI-as-a-Service (PKIaaS) solutions remove much of this burden, letting organizations outsource the operational complexity of PKI while retaining visibility and control over policy and issuance.
The IoT ecosystem presents additional nuances for PKI deployment. IoT device manufacturers rely on tightly orchestrated production processes. Often, the risks of including a step that requires Internet connectivity — like issuing a digital certificate — are too steep.
Fortunately, experienced PKI solutions providers have found a way to overcome this challenge. First, the provider issues certificates in large daily or weekly batches and delivers them to the factory in a Hardware Security Module (HSM). The manufacturer then installs them on the production line without any Internet connection, so neither a network outage nor a compromise of the factory network can halt production or expose the issuing CA, while every device still leaves the line with a trusted identity. The one caveat a practitioner will insist on: the device's private key must be generated inside the HSM or on the device itself and must never cross the factory network in the clear, since a certificate is only as trustworthy as the secrecy of the key it vouches for.
Just as important as certificate installation is ongoing lifecycle management. Devices — and their digital certificates — must be monitored, updated and, eventually, decommissioned. Policy-based device identity lifecycle management tools make this process easier, powering the automatic renewal, reissuance and revocation of digital certificates and simplifying the ongoing task of managing device access.
PKI hierarchies can be customized to fit each organization's manufacturing and distribution model, whether devices reach customers through OEM partners or ship directly to consumers. One connected-car device manufacturer, for example, maintains a separate root of trust and certificate chain for each of its corporate partners, so that if a partnership changes or ends, the affected chain can be retired without touching the others. To ensure IoT device integrity, manufacturers must protect digital identities and credentials throughout the entire supply chain.
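To make the ideas in the preceding paragraphs concrete (a device certificate that proves identity, a validity window that lifecycle management must renew before it lapses, and a separate trust chain per partner so that one partner's verifier never accepts another partner's devices), here is an added example in Go using only the standard crypto/x509 package. It is not code from HID Global or from the eBook; the partner names, the two-tier hierarchy (root and device issuing CA), the curve, the validity periods and the in-memory key generation are assumptions made for illustration. In production the CA keys would sit in an HSM and each device key would be generated on the device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Partner is one OEM partner's independent trust chain: a root, a device
// issuing CA beneath it, and the issuing key (in memory here; in production in an HSM).
type Partner struct {
	Root, Issuing *x509.Certificate
	issuerKey     *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign assigns a fresh serial and issues tmpl for pub, signed with parentKey.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

func caTemplate(cn string, years int) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewPartner builds an isolated two-tier hierarchy (root -> device issuing CA).
func NewPartner(name string) *Partner {
	rootKey, issKey := newKey(), newKey()
	rootTmpl := caTemplate(name+" Root CA", 20)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	issuing := sign(caTemplate(name+" Device Issuing CA", 10), root, &issKey.PublicKey, rootKey)
	return &Partner{Root: root, Issuing: issuing, issuerKey: issKey}
}

// IssueDevice returns a client-auth certificate for one device, valid until notAfter,
// plus its private key (on a real line the key is generated on the device and never leaves it).
func (p *Partner) IssueDevice(serialID string, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: serialID},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, p.Issuing, &key.PublicKey, p.issuerKey), key
}

// VerifyDevice is the check a partner's cloud runs at connection time: the certificate
// must chain to this partner's root via its issuing CA, be valid at time at, and permit client auth.
func (p *Partner) VerifyDevice(cert *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Issuing)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Outcome names the trust or lifecycle condition behind a verification result.
func Outcome(err error) string {
	switch e := err.(type) {
	case nil:
		return "trusted"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	case x509.UnknownAuthorityError:
		return "untrusted-chain"
	}
	return "rejected: " + err.Error()
}

func main() {
	a, b := NewPartner("Partner A"), NewPartner("Partner B")
	dev, _ := a.IssueDevice("SN-000123", time.Now().AddDate(2, 0, 0))
	fmt.Println(Outcome(a.VerifyDevice(dev, time.Now())))                   // trusted
	fmt.Println(Outcome(b.VerifyDevice(dev, time.Now())))                   // untrusted-chain
	fmt.Println(Outcome(a.VerifyDevice(dev, time.Now().AddDate(3, 0, 0)))) // expired
}
```

Run it with `go run .` in a module directory. The three results are the three properties the text describes: Partner A's service accepts its own device, Partner B's service rejects the very same device because it trusts a different root, and the same certificate fails once its validity window has passed, which is the point at which a lifecycle tool must already have renewed it. Revocation, the other lifecycle event the text mentions, is deliberately outside this example: crypto/x509 does not consult CRLs or OCSP during Verify, so a deployment adds that check separately.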
By 2023, there will be three times more networked devices on Earth than human beings. Robustly designed PKI provides critical protection, powering a trusted ecosystem that’s both scalable and secure.
PKI brings IoT manufacturers simple, cost-efficient security. To learn more, read our eBook, How to Secure IoT Devices With PKI-as-a-Service.
Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).