Securing the IoT at Scale: How PKI Can Help

The Internet of Things (IoT) is everywhere. These connected devices now work in medical settings, automotive vehicles, industrial and manufacturing control systems, and more.

Unfortunately, security in IoT devices has lagged behind their production, and the time has come for manufacturers to face this challenge head-on. Specifically, manufacturers need a scalable solution to address concerns like authentication, data encryption, and the integrity of firmware on connected devices. Together, these efforts will help ensure manufacturers not only deliver secure products to market but that those devices stay secure throughout their lifetime.

Realizing these security goals requires introducing a public key infrastructure (PKI) strategy for strong authentication in a cost-effective, lightweight, and scalable way.

IoT security has not matched the pace of innovation for these connected devices. For example, manufacturers often ship devices with default passwords or shared cryptographic keys, which puts every single device at risk based on a single hacking event.

The most common security risks in the IoT today center around weak identity and authentication. These risks include:

• Weak authentication: The use of weak default credentials allows hackers to access devices at scale and deploy malware.

• Hard-coded credentials: Hardcoding passwords or keys into software or firmware and then embedding those credentials in plain text into source code simplifies access for developers, but it does the same for everyone else.

• Shared and unprotected keys: Instances of symmetric (rather than asymmetric) encryption, as well as issues properly storing and provisioning encryption keys (even asymmetric ones), makes it easy to compromise devices. Secure storage becomes especially challenging at scale.

• Weak encryption: The use of weak algorithms results in encryption that’s easily penetrated. This challenge stems from the fact that lightweight IoT devices with limited power struggle to generate enough entropy for random number generation.

• Unsigned firmware: Code signing verifies the authenticity and integrity of code, but many IoT devices don’t check for a signature, making them vulnerable to malicious firmware updates.

Despite all these challenges, achieving security in the IoT is well within reach. It all starts with a sound strategy centered around PKI. Digging deeper, PKI can support IoT device security in six critical ways:

• Unique identities: Using certificates introduces a cryptographically verifiable identity into each device for secure network access and code execution. Importantly, these certificates can be updated or revoked at the individual level.

• Open and flexible standard: PKI is an open standard with flexible options for roots of trust, certificate enrollment, and certificate revocation, supporting a variety of use cases.

• High scalability: Issuing unique certificates from a single trusted Certificate Authority (CA) makes it easy for devices to authenticate one another without a centralized server.

• Robust security: A well-managed PKI program offers the strongest authentication, as cryptographic keys are far more secure than methods like passwords and tokens.

• Minimal footprint: Asymmetric keys have a small footprint that makes them ideal for IoT devices with low computational power and memory.

• Proven and tested: PKI is a proven and time-tested approach that experts recognize as a practical and scalable solution for strong security against a variety of attacks.

Importantly, while the fundamentals of PKI remain consistent, the approach required to fit within complex hardware supply chains and IoT device lifecycles is far different from the enterprise PKI companies have used for years. These differences include:

• Scalability and availability: The volume and velocity of certificate issuance is much higher in the IoT than it is in enterprise deployments (think thousands per minute). As a result, PKI components like issuing CAs and revocation infrastructure must meet high availability and performance levels, and the entire program requires a PKI hierarchy with appropriate policies and strong algorithms. 

• Private key generation and storage: Since IoT devices typically live in places that are publicly accessible (unlike enterprise web servers), manufacturers need a way to protect the private keys stored on these devices for authentication. This typically requires generating private keys within a secure hardware component so that they never get exposed outside the device. This approach requires defining security requirements upfront for all vendors throughout the design process.

• Certificate policy: Certificate policy is always important, but adhering to the policy becomes more critical in the IoT given the disparate ecosystem. Each certificate requires clear documentation that confirms the policy to which it adheres so that partners within the IoT supply chain can establish trust with one another.

• Lifecycle management: Lifecycle planning is far different in the IoT than it is in the enterprise given how long devices will live in the field. Manufacturers must understand how identities will be provisioned and updated over time as devices live in the world, and they need response plans for algorithm degradation or a compromised root of trust.

Despite all these challenges, achieving security in the IoT is well within reach. It all starts with a sound strategy centered around PKI. Digging deeper, PKI can support IoT device security in six critical ways:

Ultimately, the manufacturers that can provide strong, unique identities for their IoT devices – and do so at scale – will deliver better protected, differentiated products to market. Achieving that goal starts with these top recommendations for IoT device security:

• Incorporate trusted device identities and provisioning: Use unique digital certificates for every device for more granular management and tracking. Importantly, each of these certificates should tie to an established root of trust with a strong CA hierarchy.

• Manage on-device key generation: Document use cases for on-device key generation to define Certificate Policy and Certificate Practice Statements (CP/CPS). Drafting CP/CPS is optional, but it offers high assurance through greater policy enforcement.

• Consider offline/limited connectivity devices: Enable devices within the same trust chain to authenticate even without an internet connection so that they can continue to receive regular maintenance and updates.

• Support mutual authentication: Require authentication to restrict access to trusted users and systems. Digital certificates allow for mutual authentication between two entities that share a root of trust for more secure data exchanges on open networks.

• Ensure secure boot and code signing: Program devices to only permit execution of code with a verified signature. Adding a secure boot also protects devices by ensuring they only start or install updates once they’ve been signed by a known, trusted authority.

• Incorporate crypto-agility and lifecycle management: Introduce the ability to quickly re-issue or revoke certificates from active devices, as static systems are inherently insecure. Consider cases like certificate expiration, ownership changes, and algorithm degradation, all of which require devices to receive cryptographic updates to remain secure.

If you’re ready to face the IoT security challenge head-on, you’ve come to the right place. Download the complete white paper on the value of PKI for IoT to discover what it takes and learn how Keyfactor Control and EJBCA  Enterprise can help manufacturers bring secure IoT devices to market at scale.