Over the past few months, I’ve had more conversations than ever with product teams, engineers, and security leaders who are all facing the same pressure: how to keep up with the pace of change in IoT security without slowing down innovation required to launch new products.
From new IoT regulations and rising consumer security expectations to increasingly sophisticated cyberattacks on smart devices, the challenges are real, and they’re growing. That’s exactly why we updated our 10 Steps to IoT Security eBook. Not just to refresh the content, but to give OEMs actionable guidance, grounded in today’s reality.
🔍 What’s New
This recently updated edition is your guide for building secure, compliant, and future-ready products. The updated edition:
- Reflects new threat models: Firmware, software supply chains, and device identities are now prime targets.
- Covers evolving standards and expectations: What was acceptable 3 years ago isn’t today.
- Addresses engineering challenges: From crypto-agility to OTA updates in resource-constrained environments.
- Adds deeper guidance on scaling securely: Because what works for 10 devices won’t cut it for 10,000.
So, with that in mind, I’ve pulled together five core priorities every OEM should focus on to start embedding security by design – today. Let’s get into it.
🛠️ Security by Design
1. Build a Zero-Trust Architecture with PKI for IoT
The foundation of digital trust is rooted in Public Key Infrastructure (PKI), and it’s so critical to establish your Root of Trust (RoT) early on in the development process. There are a few considerations to consider, such as hardware, software, or hybrid RoT, as well as design elements, including key and algorithm types, for example.
In short, it’s essential to think through design choices upfront because it is the starting point for establishing a product security platform for the devices you are developing now and in the future.
2. Implement Secure Provisioning and Lifecycle Management
Once the RoT has been established, a secure initial device provisioning process can be set. Typically a birth certificate is issued to each edge device, in the form of an X.509 certificate that is the device’s immutable identity. It lives for the full lifetime of the device to prove origin and authenticity.
Operational certificates can also be issued to devices that are used by an end customer to ensure runtime trust and establish secure TLS connections over time. It’s also critical to have a robust certificate lifecycle management process in place to manage identities over time.
3. Protect Firmware and OTA Updates
Firmware over the air updates are common, but it’s essential to make sure that you have implemented a process for secure code development, including initial signing, auditing, and remote updatings. This prevents malware from being installed on the devices you have sold to customers, and ensures that you have a proper record of all signing operations in the case of an audit.
4. Build in Crypto-Agility and Future-Proofing
NIST has announced that RSA and ECC algorithms will be deprecated by the year 2030, and therefore product OEMs need to think about how to update cryptography that is inside field devices, especially if the devices are still under warranty, or will need to be operational past this impending deadline.
There is an opportunity for connected products to also adopt quantum-safe algorithms. Although integration depends on hardware and software constraints, it’s crucial – especially in certain industries – to factor this into the development of current product lines to ensure long-term security and resilience.
5. Assign Security Ownership Across the Product Lifecycle
Product security is not just one person or company’s responsibility. It is a combination of several stakeholders coming together with a cohesive plan, from the component manufacturer, to the product or solution integrator, to the operator or end customer.
Ensuring strong IoT device security across the product lifecycle requires clear accountability at every stage. Industry or regional regulators also play a role in providing guidance to help raise the standard for connected devices, especially those that protect our critical infrastructure and our quality of life.
IoT Security Is Moving Fast – Don’t Get Left Behind
Security by design isn’t just a best practice anymore – it’s foundational to strong IoT device security. Start with these five priorities and use the updated eBook as a hands-on guide to strengthen your security posture across connected products.
👉 Download the newly revised 10 Steps to IoT Security eBook and take your first step toward building more secure, resilient devices.
