The Internet of Things (IOT) has been one of the major technology drivers of Digital Transformation in the world over the last few years, across industry sectors. The number of connected devices already exceeds the number of human beings on the planet, and research indicates that we are likely to see around 50 billion connected devices over the next five years making up the smart, connected planet. The applications of IOT range from smart homes, smart buildings, smart cities, connected vehicles, smart manufacturing, smart retail, medical devices in healthcare, fitness/wellness trackers, wearable devices, and more. With the rollout of related technologies such as 5G and Internet Protocol (IP) version 6, which are designed to support billions of connected devices, IOT as a technology is all set to play a pivotal role in our digital future.
The need for IOT security
As worldwide IOT adoption goes up, the risk of security breaches also goes up – since each of those billions of connected devices could be vulnerable to an attack. Also, considering the scale of IOT deployments, the economic impact of IOT security breaches will also be felt at a proportionately massive scale.
Likewise, one worrying trend is that vast numbers of connected devices do not have adequate security safeguards and are vulnerable to breaches. Some of the key security risks in IOT deployments include attackers using a connected device as an entry point into the network, introducing malware to alter the function of the device, controlling the device remotely, or tapping into data from the device.
Apart from the economic impact, the nature of IOT technology is such that physical security of individuals as well as organizations can be at risk. For example, altering the function of a device could have physical security implications: a CCTV camera that appears to be working fine, but is showing a “dummy image” instead of the real view, resulting in a threat of a physical intrusion into a home or company premises.
How and why PKI is becoming essential for IOT security
We have seen in earlier articles how Public Key Infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. Recent research from Ponemon Institute indicates that over the last few years, IOT is becoming a major driver for PKI adoption. The percentage of respondents who believe that IOT is the most important technology trend driving PKI adoption has nearly doubled to around 41%. The research also predicts that more than 40% of IOT devices in use by 2021 will primarily rely on digital certificates for identification and authentication.
The primary reason why IOT security is becoming synonymous with PKI is scale. As mentioned earlier in this article, most predictions indicate more than 50 billion connected devices on the planet over the next few years. Even a single compromised device can have an enormous security impact – it is difficult to comprehend the scale of impact if many devices are compromised. Connected devices interact with each other through machine to machine (M2M) communication. Each of these billions of interactions will require authentication of device credentials for the endpoints to prove the device’s digital identity. In such scenarios, an identity management approach based on passwords or passcodes is not practical, and PKI digital certificates are by far the best option for IOT credential management today.
IOT devices will also need regular patches and upgrades to their firmware, with code signing being critical to ensure the security of the downloaded firmware – another example of the close linkage between the IOT world and the PKI world.
Certificate management for connected devices, including revocation of expired certificates, is another example where PKI can help to secure IOT devices.
In some sectors such as healthcare and wellness, IOT devices might collect personally identifiable information (PII). With government regulations worldwide mandating secure transit (and storage) of PII data, PKI can help ensure compliance with the regulations by securing the communication channel between the IOT device and the gateway.
The proliferation of connected devices today, projections for billions of devices in the next few years and the continued growth in the number of applications across industry sectors is an indicator of the enormous promise of the Internet of Things (IOT). This promise however could be undermined by the lack of adequate security safeguards with IOT devices. PKI provides some of the best options for IOT security including device identity management, code signing for device firmware, and encrypted communication between devices and other endpoints such as IOT gateways.