The countdown is on to Keyfactor Tech Days     | Secure your spot today!

Why the Internet of Things Needs PKI

Internet of Things (IoT)

Securing machine identities is a rising concern for enterprises and cybersecurity leaders venturing into the relatively new terrain of the Internet of Things. Security-conscious IT leaders have put a great deal of time and resources into securing user identities by restricting access to sensitive assets and controlling privileges based on users’ roles in the organization. But many otherwise forward-thinking companies lack a strategy for locking down machine identities. 

The number of machines and the types of machine identities have exploded in the last decade. These identities include not only devices used by employees but also algorithms, APIs, servers, cloud systems, containers, and other digital or synthetic actors. There are also IoT devices like environmental sensors, connected industrial equipment, medical devices, and smart appliances. Machine identities outnumber user identities 10 to 1 in the average enterprise, yet they don’t receive the same level of scrutiny by IT as human identities. 

Many enterprises secure machine identities through public keys and certificates. These certificates act like a passport used by people, devices, and apps to interact with each other securely. If a certificate expires or gets hijacked, the results can be catastrophic, making frequent updates to these certs of utmost importance.

Unfortunately, 74% of organizations don’t even know how many keys and certs they have, let alone where they are or when they expire. This leaves a massive potential entry point for malware and ransomware. Without transparency into what certs are even in use, any data breach carried out via machine identity is likely to remain undiscovered until it has already done a great deal of damage.

Public key infrastructure (PKI) is a set of processes and tools used to manage certificates, providing a solution to this lack of transparency. It gives IT leaders a comprehensive view of what certificates are expiring or compromised and streamlines the process of issuing a new certificate. PKI platforms and service models can automate many of the processes required to manage machine identities, which allows security teams to focus on higher-level objectives.

PKI is key for scaling IoT production

Public keys and certificates are much more efficient than establishing trust through usernames, passwords, and tokens. These methods of authentication aren’t scalable for IoT companies that manufacture devices in the hundreds of thousands, if not millions.

Every device that comes off the assembly line needs its own identity and certificate, and often multiple: one identity from the manufacturer, one from the device owner, and others to access various services like external cloud providers. Each identity is a potential vector of attack if not secured effectively.  

It’s impossible to keep track of all of these identities manually when you’re producing a thousand units per hour. And after an IoT device is deployed into the end user’s environment, how can you inventory, manage, and monitor all its certificates? In 2011, a certificate could last for 10 years. In 2012, that lifespan was cut in half. As of 2020, the lifecycle for certificates has become just one year, and some organizations are moving to lifecycles of one week or even one hour.

There is no way to manage these lifecycles without automation, but plenty of organizations still try, with over 40% of enterprises still attempting to manage keys and certs manually through spreadsheets. This creates a massive bottleneck in the software development lifecycle. 

A PKI solution can help manage certs across development, production, and usage lifecycles, opening the door to the adoption of methodologies like Agile and DevOps, which facilitate scale and allow for faster innovation. PKI reflects and enables these iterative agile approaches.

PKI provides the flexibility to adapt

The Internet of Things is a rapidly developing industry. Regulations can be spotty, new use cases pop up every day, and new technologies like OTA and DevOps toolchains are influencing the industry landscape. There aren’t many agreed-upon best practices and frameworks, but PKI is flexible enough to implement in a wide range of contexts. 

Some enterprises attempt to build their own in-house PKI platform, but the potential cost advantages rarely outweigh the risks and use of resources. A PKI initiative carried out by an inexperienced team may end up costing more than outsourcing the project, and the results may not fully solve the problem. PKI is a very specific field with many potential hazards, and IoT organizations need a whole team of highly-skilled specialists strictly devoted to PKI. It can’t simply be thrust on the same IT team tasked with keeping core-business operations up and running. 

While care should be taken when outsourcing such a crucial security function, experienced PKI as-a-service vendors can often automate, secure, deploy, and scale PKI for a fraction of the cost of developing and running an internal PKI system.

Managing device identity during manufacturing

IoT devices may contain sensitive corporate info like manufacturing or personal health data, which needs to be protected. But even if unsecured devices don’t hold sensitive data by themselves, they can be an access point for threat actors to gain entry into the organization. 

Manufacturers have no way of knowing where a device will end up, and end-user certificates cannot be issued at the manufacturing stage. PKI can smooth the transition of ownership between the manufacturer and the end user.

In many cases, the customer may have to take over the PKI and replace the factory certs with their own. An effective PKI platform will help the end user manage the installation and configuration of IoT devices, establishing ownership and assessing the new environment automatically. When the device turns on for the first time, PKI enables it to communicate with company servers and connect with internal resources. Most importantly, PKI tells the device who its new owner is. 

This clear pass-off of ownership improves the end-user experience because it automates a large portion of the initial setup and configuration. It also allows the IoT device to integrate widely in any environment while mitigating the risk created by sharing its data with adjacent systems. IoT end users don’t want to be burdened with the process of securing the system, they just want it to get up and running with a minimum amount of hassle and to work well once it is set up.

The use cases of IoT devices vary widely, from medical devices to consumer products to military equipment. However, most PKI technology can cover the vast majority of device issuance scenarios, often via industry-specific or configurable workflows. 

Not all publicity is good publicity

IoT, as an industry, will continue to evolve and scale at a rapid rate. We already have self-driving cars and pacemakers that can be monitored from across the globe. But this rapid expansion creates a great deal of risk along with opportunity, and enterprises that neglect IoT security will make headlines, incurring reputational damage and massive financial losses. 

The ability to scale security and manage proliferating machine identities while minimizing cost, effort, and risk is key to the success of IoT manufacturers, and PKI enables organizations to focus on developing effective products rather than managing certs.

Learn more

If you want to dive deeper into the principles of how to secure the Internet of Things, check out our white paper Five Guiding Tenets for IoT Security.