Internet of Things (IoT)

The Internet of Things Needs Crypto-Agility and PKI to Survive Quantum Computing Attacks — Here’s Why

The Internet of Things (IoT) has been growing exponentially. More products are being launched every year. More devices are coming online. More data is being transmitted to the cloud, and more service providers are using that data to deliver new forms of value to consumers and organizations across the world. 

Basically, more critical systems and infrastructure are connected to the internet than ever before. If the importance of security in this scenario is not obvious, consider a few scenarios: 

  • In the world of connected medical devices, imagine if a remote hacker could upload an unsigned, custom firmware to your pacemaker to take control of your heartbeat. 
  • In the connected automotive world, imagine a hacker penetrating the digital defenses of a vehicle’s entertainment system to gain a foothold into the internal network and leapfrog into critical systems like door locks or engine controls, where compromise can lead to human safety concerns. 
  • If you care about the Industrial Internet of Things (IIoT) because you are running a connected factory, then imagine sensors, cameras, or even HVAC equipment in your manufacturing facility being used to exfiltrate sensitive production data to sell to your competitors.  

Unfortunately, IoT cybersecurity is not a solved problem, and here are two of the biggest reasons: security is tricky, and security is evolving. The impending quantum computing revolution only makes these problems more challenging. 

PKI takes (much of) the trickiness out of security

In some places, cybersecurity is still an afterthought, with plenty of hair-raising practices still in place, from undocumented and unprotected backdoors, to shared credentials, to hard-coded passwords, or even unsecured plain-text transmission of secrets and telemetry. 

Each of these practices addresses part of the IoT security problem, but each has critical limitations that increase cybersecurity risk. The problem with doing things yourself is that it takes years of experience to learn the ins and outs of what's possible, and extensive design and testing to cover all the edge cases. 

What’s needed is a set of systems and processes that have been properly designed with security principles in mind from the get-go. This is Public Key Infrastructure (PKI), and if you’re already using it, I’m preaching to the choir. 

When you adopt PKI to secure your devices, your systems, their connections to each other and to the cloud, you’re leveraging a proven technology that has evolved over years under the scrutiny of security experts. 

Crypto-agility gives connected devices and systems a way to adapt to change

Nobody is naïve enough to believe that security is static, that the protocols and cyphers and technologies in use today will be feasible in the next generation of products. But future-proofing designs is difficult and costly. As a result, companies are tempted to make the decision to hard-code certain aspects of their design, like cryptographic cyphers and roots of trust. 

The problem with this is that the world of cybersecurity is evolving, and it’s evolving faster than anyone who knows how long it takes to iterate a hardware design or production process would like to hear. A cypher can be proved vulnerable at any moment, and hardware devices may remain in the field for years while only connecting intermittently. 

Crypto-agility is the answer to this: it’s the ability of a system to update its core cryptographic elements in the field, followed by the ability to update its certificates, firmware, and other internal systems in a secure way. Flexibility to update credentials and the root of trust becomes increasingly important as the post-quantum era is upon us. Any connected product or system you are designing today needs crypto-agility baked in.  
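
The Python example below is added here to illustrate the paragraph above; it is not code from the article or from any vendor product. Instead of hard-coding one algorithm and one root of trust, the device keeps both in a versioned policy that can be replaced in the field. Assumptions: HMAC stands in for real signature schemes so the code runs on the standard library alone, and the names Device, update_policy and the policy fields are hypothetical.

```python
import hashlib, hmac, json

# Stand-in primitives: HMAC replaces real signature schemes so this runs on the
# standard library alone. A real device would register e.g. ECDSA and a
# post-quantum signature verifier under their own identifiers.
DIGESTS = {"hmac-sha256": hashlib.sha256, "hmac-sha3-256": hashlib.sha3_256}

def sign(alg, key, msg):
    return hmac.new(key, msg, DIGESTS[alg]).digest()

class Device:
    def __init__(self, policy_blob):
        self.policy = json.loads(policy_blob)  # version, allowed algs, anchors

    def verify(self, alg, msg, tag):
        """Check msg under the anchor for alg, only if policy still allows alg."""
        anchor = self.policy["anchors"].get(alg)
        if alg not in self.policy["allowed"] or alg not in DIGESTS or anchor is None:
            return False
        return hmac.compare_digest(sign(alg, bytes.fromhex(anchor), msg), tag)

    def update_policy(self, blob, alg, tag):
        """Swap algorithms and anchors in the field; the update is authenticated
        under the CURRENT policy and must carry a higher version (anti-rollback)."""
        if not self.verify(alg, blob, tag):
            return False
        new = json.loads(blob)
        usable = [a for a in new["allowed"] if a in DIGESTS and a in new["anchors"]]
        if new["version"] <= self.policy["version"] or not usable:
            return False  # replayed old policy, or one that would lock the device out
        self.policy = new
        return True

def policy(version, alg, key):
    return json.dumps({"version": version, "allowed": [alg],
                       "anchors": {alg: key.hex()}}).encode()

def demo():
    old_key, new_key = b"A" * 32, b"B" * 32            # constructed keys
    fw = b"firmware image (constructed sample)"
    v1, v2 = policy(1, "hmac-sha256", old_key), policy(2, "hmac-sha3-256", new_key)
    dev, out = Device(v1), {}
    out["old_alg_before"] = dev.verify("hmac-sha256", fw, sign("hmac-sha256", old_key, fw))
    out["update"] = dev.update_policy(v2, "hmac-sha256", sign("hmac-sha256", old_key, v2))
    out["old_alg_after"] = dev.verify("hmac-sha256", fw, sign("hmac-sha256", old_key, fw))
    out["new_alg_after"] = dev.verify("hmac-sha3-256", fw, sign("hmac-sha3-256", new_key, fw))
    out["rollback"] = dev.update_policy(v1, "hmac-sha3-256", sign("hmac-sha3-256", new_key, v1))
    return out
```

After the update the retired algorithm is rejected even with a valid tag, and replaying the older policy fails the version check, which is what keeps an intermittently connected device from being pushed back onto a broken cipher.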

The post-quantum future will be here before you know it

The problems of complexity and rapid change come together with the advent of quantum computing. 

Quantum computers do not operate on the basic digital principles of ones and zeros that we are all used to. As a result, even relatively modest quantum computers will be able to trivialize some of the most secure cryptographic algorithms in use today. This sounds like science fiction, but quantum computers are making headway every year. Their arrival is a matter of when, not if. 

Fortunately, forward-thinking organizations like NIST are working with the cryptographic community to establish post-quantum standards that will survive the arrival of quantum computing. In fact, new algorithms have already been announced. This means updating libraries and services to support the new NIST post-quantum cryptographic standards. 

Any connected product or system you are designing today needs to be ready for a post-quantum future. PQShield is a Keyfactor partner and a world leader in the development of new cryptographic standards. To learn more about how organizations can prepare for post-quantum cryptography, read their white paper series on the quantum threat. 

Preparing for change

This is changing, and change will be necessary for any company that wants to produce or use connected devices. 

First, IoT devices need well-thought-out systems and processes for security functions like identity management and cloud communication. This comes from PKI. 

Second, IoT devices need to be prepared for change—while they are in the field. They will need to be ready to implement the new post-quantum standards announced by NIST in July 2022. This can be handled by designing devices and systems with crypto-agility in mind so that the classical cryptography in use today can be seamlessly transitioned to the new standards. 

With these components in play, organizations producing devices for the Internet of Things—as well as those using them—can minimize risk and focus on the products, services, and business models that will create the future, securely. 

Tom Holz

Director of IoT Solutions
