Jun 8, 2020 9:38:58 AM

Your Questions Answered: The State of PKI & IoT Security

The world of IoT has continued to rapidly expand, and as product innovators bring connected devices to market, the risk of device hacks and data theft continue to rise. Faster product development and feature delivery often take priority, leading to increased IoT security risks.

Check out the top questions from our recent Q&A session with PKI experts to learn why and how public key infrastructure (PKI) has emerged as an efficient and cost-effective way to secure embedded devices at scale. Or watch the full session on demand:



What is the current state of PKI and IoT security?

IoT in an interesting position in today’s times.  An emerging cloud computing trend is toward edge computing.  And the combination of all three of those needs (IoT, cloud and edge computing) is making the need to secure devices, applications and micro-services running in containers more important.

There’s been an explosion of new of devices, applications and components trying to securely communicate with each other, and it’s only going to get more complex. Many of these systems—especially in industrial systems—are legacy devices that are old and difficult to upgrade or patch.

At the end of the day, IoT essentially is putting a network stack on something that didn’t have one before, naturally introducing greater security challenges. Pair that with the need to keep up with current and future security practices and the growing number of IoT devices, and you have a state of IoT security that is on a path to become more complex and more important than ever.


How can IoT manufacturers address the current and future regulatory IoT compliance landscape?

There’s a lot of black and white in compliance. For example, when it comes to undergoing an audit, you’re either going to pass it, or fail it.

And while there is that very clear line in the sand for general guidance on what to do, it is also critical to understand that security and compliance are not one in the same.

Compliance should be considered the minimum bar when it comes to security. However,  starting with a proper security assessment during initial device design will help ensure proper security is weaved into IoT systems from the very beginning.


Why has PKI emerged as the top technology to secure IoT devices? How is using PKI on traditional enterprise environments different from IoT deployment?

If you’re going to authenticate something, you must somehow bind an identity to a key, and that’s PKI in a nutshell.

In the past few years, the need for what is now termed, “privately rooted PKI,” has exploded. Most organizations want to be able to draw a very tight box around who gets credentials and control over device identities. They essentially are looking for PKIs that operate this way,whether it’s their team or a third party managing it all.

This introduces a lot more fragmentation of roots of trust based on device lines. If you’re an IoT manufacturer, you don’t want to have your devices authenticating on the same roots of trust that your users and their laptops do, and vice-versa. For example, you don’t want a laptop to be able to authenticate as a pacemaker.   

Despite the fragmentation, though, one big rule still applies when it comes to PKI and IoT—things still need to be updatable, even though it’s harder due to constantly changing guidelines.

You can’t just throw a key on something and think it will be static forever. Algorithms and keys age, and manufacturers need to figure out a way to make things updatable and secure.


How do you migrate from a simpler solution to a more complex and robust solution?

First, and foremost: don’t try to build it yourself.

There was a time when companies building IoT devices or implementing into their network would simply get an in-house CA like Microsoft. They try  to implement some set of identities on the devices, build systems manually, and manage those identities, keys and certificates.

Unfortunately, and most of the time without realizing it, in simply trying to make those devices more secure, you're likely building in more insecurities.

The next step would be to think through everything from the beginning. Ask the following questions:

  • How are the identities being issued to the device?
  • How are you going to enroll those devices?
  • How do you on-board the first set of identities once they leave the manufacturing floor?
  • How do you manage PKI, which is going to be different than simply integrating with a CA?

Make sure you have a nice plan of where you see the gaps, and know that there are solutions to help automate that. Like, for example, Keyfactor.

A lot of companies, large manufacturers in particular, will say, "Hey, we've been producing this product for years and it's not very secure. And now we want to build in stronger authentication into the product." But, they simply don't know how to put all of the pieces together because it's not as simple as just having an identity and having a certificate authority.

All the processes and automation between has to do with PKI management and it can be very complex to build yourself.