
Trends and Predictions for PKI and IoT in 2025

Industry Trends

In last year’s trends and predictions blog, we predicted an increase in IoT devices. Sure enough, 2024 saw a large increase, reaching a groundbreaking 18 billion connected devices. For 2025, we predict that this upward trend will continue.

However, this increase will lead to an expanded attack surface, an increased number of IoT devices with inadequate security features (due to the rush of manufacturers to meet demand), more vertical cyberattacks, and increased machine identity compromise.

Those are the obvious consequences. What about the less obvious ones, the trends that will follow from this growth? And what security solutions are available?

Here are five of our hottest predictions for PKI and IoT in 2025.

# 1 PQC in IoT

Prediction

PQC will be adopted more in high-value (industrial) IoT devices than in high-volume (consumer) ones. 

Over the past 30+ years, RSA and ECC have been the primary asymmetric encryption algorithms, but quantum computing’s ability to break them has led to the creation of four new algorithms. In the PQC era, encryption will rely on multiple algorithms, so that one algorithm still protects the data if the other is broken.

Unfortunately, this multi-algorithm structure can only be implemented on crypto-agile devices, something only high-value IoT devices have. Plus, PQC algorithms require significant processing power, making them incompatible with consumer devices like cameras and doorbells, which have smaller chips and limited resources.

Until smaller PQC algorithms are developed, expect to see them primarily in high-value (industrial) IoT devices like turbines, satellites, and military IoT devices.

Security Takeaway

Even without suitable PQC algorithms for smaller IoT devices, there are several ways you can keep your consumer IoT devices quantum-resistant.

One way to do this is through layered security. First, keep the consumer IoT devices themselves on their existing encryption; then consider embedding PQC encryption in the surrounding security layers that have enough resources and processing power, such as the gateway layer, application layer, and server layer. That way, your IoT devices are surrounded by infrastructure that protects against quantum attacks.

 – Ellen Boehm, SVP IoT Strategy & Operations at Keyfactor

 

# 2 Machine Identity Management & PKI

Prediction

Critical sectors will increasingly rely on PKI to manage machine identities due to the expanding IoT attack surface. 

Just like 2024, the number of machine identities will continue to grow in 2025, particularly in critical sectors like finance and energy, driven by the surge in connected IoT devices.

Given the sensitive data and services these sectors handle, their machine identities must be secured with the highest standards. The challenge? Many IoT devices in these sectors lack support for advanced protocols to automate identity management.

Security Takeaway

To address this, implement “secure by design” practices. Embedding security into the device’s architecture ensures support for secure machine identities. These “secure by design” features include secure booting, encrypted communications, identity verification protocols, etc. 

Additionally, you can use code-signing PKI tools to ensure that only trusted and authenticated software is executed on your IoT devices, further safeguarding machine identities and preventing unauthorized tampering.

SignServer is an example of a PKI tool that you can use for code signing. It is a flexible and secure digital signing solution that makes signing effortless for developers and easy to manage for security teams. It allows teams to digitally sign any code from anywhere while keeping the sensitive code-signing keys protected. That way, security teams can centralize signing tools and workflows, and developers and DevOps engineers can focus on code instead of handling secrets.

 – Tomas Gustavsson, Chief PKI Officer at Keyfactor
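To make the code-signing takeaway concrete, here is an added example (not SignServer's or any Keyfactor code) of the two halves of a signed-firmware check: the signing service produces an Ed25519 signature over a small manifest, and the device verifies the signature, the image digest and the version before accepting the image, refusing tampered or rolled-back firmware. The manifest layout and the use of Go's standard-library Ed25519 are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what gets signed: the image digest plus a monotonic version for anti-rollback (constructed format).
type Manifest struct {
	Version uint32
	Digest  [32]byte
}
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4+len(m.Digest))
	binary.BigEndian.PutUint32(b, m.Version)
	copy(b[4:], m.Digest[:])
	return b
}

// SignFirmware runs on the central signing service; the private key never leaves it.
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.Bytes())
}

// VerifyFirmware runs on the device with only the vendor public key embedded. It refuses an
// invalid signature, an image that does not match the signed digest, and a rollback below the installed version.
func VerifyFirmware(pub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return errors.New("manifest signature invalid: untrusted software")
	}
	if sha256.Sum256(image) != m.Digest {
		return errors.New("image does not match signed manifest: tampered")
	}
	if m.Version < installed {
		return errors.New("rollback to older firmware refused")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed for the demo)
	image := []byte("constructed firmware image, version 2")
	m, sig := SignFirmware(priv, 2, image)
	tampered := append([]byte("x"), image[1:]...) // one changed byte, as in a modified image
	fmt.Println("genuine:", VerifyFirmware(pub, m, sig, image, 1), "| tampered:", VerifyFirmware(pub, m, sig, tampered, 1))
}
```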

 

# 3 IoT Hygiene & Compliance

Prediction

IoT manufacturers in Europe will prioritize IoT device environment hygiene, setting a standard that will influence manufacturers globally.

Europe’s Cyber Resilience Act (CRA) took effect in the second half of 2024, and although compliance won’t be required until 2027, chip manufacturers and retailers are already making moves to meet its mandatory requirements.

The primary aim of the CRA is to ensure only secure products reach the market, prompting device manufacturers across all sectors, including medical and industrial, to adopt more stringent security standards.

Similarly, Embedded World North America’s first U.S. event spotlighted strategies for ensuring that major chip vendors like STMicro, NXP, Infineon, and Silicon Labs secure IoT devices at the hardware level.

Security Takeaway

IoT developers will be required to have an in-depth understanding of the code and libraries used in their devices. This is because security vulnerabilities can exist in the software components included in an IoT product, which might later become potential entry points for attackers.

Also, they’ll be required to maintain detailed records of all code, including third-party and open-source components, to ensure traceability and proactively identify and address vulnerabilities that attackers could exploit.

Additionally, chip manufacturers will extend the “root of trust” from software to hardware, using PKI-powered certificates to secure chips before market release. This ensures outsourced hardware components are secured against unauthorized access and vertical attacks.

 – Ellen Boehm, SVP IoT Strategy & Operations at Keyfactor

 

# 4 High-Volume, High-Value Attack Targets

Prediction

DDoS attacks targeting IoT-rich environments, including municipal and energy networks, will become more sophisticated.

High-volume (consumer) IoT devices are prime targets for DDoS attackers. The larger the number of devices an attacker can control, the more devastating the effects of their attack. For example, compromising smart home devices like cameras, doorbells, or Wi-Fi routers can provide access to thousands or even millions of devices that could be leveraged in a downstream attack.

IoT devices used in critical sectors like water, electricity, and transportation are also susceptible to direct DoS attacks. The impact of these attacks on critical devices can be severe, as they control essential systems critical to daily life.

There’s also the concern of the impact of DDoS attacks on wireless infrastructure. This extends far beyond just the towers themselves: a lot of supporting hardware and other network components are required for these systems to operate effectively. The complexity and scale of this infrastructure make it a potential target for attackers, and a compromise could have a significant impact. The global network of wireless carriers adds another layer of complexity and risk, with potential vulnerabilities that can span different regions and providers.

Security Takeaway

To reduce the risk of high-volume DDoS attacks, implement network segmentation to isolate IoT devices from critical systems, limiting attackers’ impact. Pair this strategy with IoT-specific monitoring tools to detect unusual traffic patterns and behaviours, enabling early detection and mitigation of attacks before they cause widespread disruption.

 – Chris Hickman, Chief Security Officer at Keyfactor
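An added example of the monitoring half of this takeaway, constructed for this page rather than taken from any Keyfactor tool: flow records from a segmented IoT network are checked for a device that crossed into the critical-systems subnet and for a device whose fan-out to distinct destinations exceeds k times the fleet median, the pattern of a camera recruited for scanning or DDoS. The line format, the subnet and the sample device names are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Detect reads flow records (constructed "device dst_ip" lines) from an IoT segment and
// reports a device that reached the critical-systems subnet (segmentation violation) and a
// device whose distinct-destination count exceeds k times the fleet median (DDoS/scan fan-out).
func Detect(flowLog string, critical *net.IPNet, k float64) []string {
	dests, findings := map[string]map[string]bool{}, []string{} // device -> destination set
	for _, line := range strings.Split(flowLog, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || dests[f[0]][f[1]] {
			continue // malformed line, or a flow already counted
		}
		if dests[f[0]] == nil {
			dests[f[0]] = map[string]bool{}
		}
		dests[f[0]][f[1]] = true
		if critical.Contains(net.ParseIP(f[1])) {
			findings = append(findings, f[0]+": reached critical subnet via "+f[1])
		}
	}
	if len(dests) == 0 {
		return nil
	}
	var counts []int
	for _, m := range dests {
		counts = append(counts, len(m))
	}
	sort.Ints(counts)
	median := float64(counts[len(counts)/2]) // fleet baseline, robust to a few outliers
	for d, m := range dests {
		if float64(len(m)) > k*median {
			findings = append(findings, fmt.Sprintf("%s: %d destinations, fleet median %.0f", d, len(m), median))
		}
	}
	sort.Strings(findings) // map iteration order is random; sort for a stable report
	return findings
}

func main() {
	log := "cam-01 203.0.113.10\ncam-02 203.0.113.10\ncam-03 203.0.113.10\ncam-03 10.50.0.7\ncam-04 198.51.100.1\ncam-04 198.51.100.2\ncam-04 198.51.100.3\ncam-04 198.51.100.4\ncam-04 198.51.100.5\n"
	_, critical, _ := net.ParseCIDR("10.50.0.0/16") // the control network IoT devices must never reach
	fmt.Println(strings.Join(Detect(log, critical, 2), "\n"))
}
```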

 

# 5 Automation

Prediction

IoT security automation will advance to manage the growing diversity of IoT environments, especially in segmented and cloud-native setups.

Manual processes can’t keep up with the scale of IoT devices, from certificate management to detecting anomalies. A critical sector company manually managing millions of IoT devices risks missing key updates, like a zero-day patch or a certificate renewal, which could lead to potentially catastrophic consequences.


The solution lies in automating processes using PKI SaaS tools.

Security Takeaway

Invest in automated security solutions that support real-time management of IoT devices. An example is the EJBCA PKI for IoT tool. It lets you secure the machine identity of your IoT devices, whether for manufacturing, for your customers, or for devices used in your company’s own operations. You can deploy it as a turnkey software appliance, as a hardware appliance, in the cloud, as a service (SaaS PKI), or in a hybrid model.

Once your automation plan is in place, you can start deploying PQC algorithms and other necessary security best practices to ensure a secure machine identity.

 – Ted Shorter, Chief Technology Officer at Keyfactor

Conclusion

As IoT devices continue to grow in number and complexity, security is non-negotiable. High-value devices will lead the way in adopting advanced protections like PQC, while global regulations push manufacturers to prioritize security from the start.

Automation and PKI solutions will be essential for safeguarding machine identities and ensuring resilience as more devices connect to corporate networks and the internet.