Last updated: September 2022

Why PKI as a service can simplify IoT security

The Internet of Things (IoT) is transforming the world we live in. Experts estimate there will be 75 billion connected devices online by 2025. But, as the IoT grows, so does the necessity of securing connected devices in the IoT. Smart companies are using PKI for large-scale identity and data protection needs. Public Key Infrastructure (PKI) is the foundation of securing (IoT) devices, and the most common solution for securing the IoT. As an accepted and well-established standard, PKI is a core component of data confidentiality, information integrity, authentication, and data access control. PKI is the foundation required to secure communication between IoT devices and platforms.

Why PKI?

The rapid growth in the IoT is exciting because nearly all systems, devices and objects are being connected to the internet to automate, provide convenience, and collect and share data. However, this growth is leading many companies to struggle as they look for large-scale, reliable security to protect their IP and investments, as well as earn consumer trust using the IoT. To solve this challenge, PKI is the strongest and best solution for securing the IoT.

Simply put, PKI is a proven technology that enables large-scale authorization and reliable encryption for ultimate trust — yet companies and customers still assume that PKI is too complex or too difficult and try to invent something themselves to protect their IoT infrastructure instead. The scalable and flexible attributes of a PKI solution make it the right choice for securing connected devices. PKI ensures the integrity of data through the following:

• Encryption: Coding of data in transit.
• Authentication: Identifying trust amongst users in network information exchanges. 
• Signing: The verification of untampered configuration settings, software, firmware, etc. during startup, and verification that device updates come from a trusted source.

As companies begin to think about securing their IoT ecosystems with PKI, there are a few primary considerations, such as CA functions, provisioning, and deployment for building a PKI infrastructure to match their specific use-case.

Security advantages in certificate-based methods

Authentication: Identifying trust amongst users in network information exchanges. 

PKI, using digital certificates, is being used on a number of interesting devices, like electric vehicles, medical devices, smart cities and most recently, to securely connect smart home devices of various manufacturers with Matter. Experts recommend certificate-based methods to secure IoT devices because certificates support proper security measures like the implementation of multi-factor authentication. More specifically, TLS/SSL supports two-way certificate-based authentication (e.g., device-to-server, or device-to-device authentication).

Those familiar with the IoT space will recognize messaging protocols: MQTT, CoAP, XMPP, DDS, and HTTP/REST. Some organizations, like Amazon (which uses MQTT and REST protocols for their IoT service), may require TLS certificates as an added layer of protection. For MQTT protocols specifically, an added TLS layer is critical because MQTT machine-to-machine authentication options are sent in the clear using username/password methods. Overall, whether it be through native protocols or a wrap-around approach, certificate-based methods are recommended for security in the IoT. These methods avoid the weaknesses of a typical symmetric key management approach by offering greater scalability and methodical management of these certificates and the key pairs associated with them.

Advantages in certificate lifecycle management

Digital certificates within a PKI infrastructure are flexible and fit many use-cases. Generally, certificates pass through a lifecycle that includes discovery, analysis, procurement, provisioning, management, monitoring, and remediation. But because there is diversity amongst devices and certificate use-cases in the IoT, certificate management lifecycles in the IoT may differ greatly from traditional uses.

To customize PKI to meet specific use-case(s), many companies choose to work with commercial certificate authorities (CAs), like DigiCert, who can lend expertise and provide platforms, like DigiCert® IoT Trust Manager, to manage certificate lifecycles. Provisioning, revocation, and proper configuration of certificates requires smart automation and maintenance — tasks that a PKI as a service can provide for you.

DigiCert IoT Trust Manager provides a comprehensive, automated workflow for companies to manage their IoT devices with certificate-based security, during manufacturing and at the edge. It offers the scalability, flexibility, control and efficiency required for a network of connected devices. Administrators can monitor the entire certificate lifecycle, facilitate secure updates, customize metadata about the device within certificates and remain compliant. Rather than building and maintaining a self-managed PKI, IoT Trust Manager automates PKI deployment, making it easy to manage a large network of devices. Admins can customize permissions and access control to segment administration for different user groups. Because DigiCert IoT Trust Manager is part of DigiCert ONE™, it has the flexibility to be deployed on-premises, in-country or in the cloud to meet stringent requirements, custom integrations and airgap needs.

Utilizing security best practices

It is critical organizations take responsibility for their own systems and understand where their keys and certificates are being deployed.

Here are six best practices for key and certificate management:

1. Unified management and control: Bringing management under a single platform for a comprehensive view of your certificate landscape and simpler reporting, traceability and visibility.
2. Enterprise-level control and monitoring: Monitoring platforms allows meticulous tracking for keys and certificates and rotations based on certificate expirations.
3. Discovery: Allows for quick identification of any rogue implementations in company infrastructure.
4. Reporting: Industry-specific compliance reports need to be conducive to regulatory and legislative requirements.
5. Auditing: Integrate standardized audit recording and output into standard security information event management systems (SIEMS). Auditing is crucial for managing and monitoring such a large number of devices in one enterprise.
6. Access control: Strict access control features allow specification of flexible privileges to objects within the system.

Takeaways

Overall, takeaways for using PKI in the IoT are:

• Prioritize authentication for your IoT deployments.
• Consult with PKI experts to assess your specific needs.
• Do not wait for standardization; act today to protect your investments.
• Educate your executive team and board, including updating policies if needed.
• Find a partner to guide you in your IoT security efforts.
• Join an industry collaboration (CSA IoT WG).
• Use PKI as a service to simplify and automate IoT security.

IoT providers and manufacturers must take steps today to protect IoT investments. Learn more at https://www.digicert.com/iot/iot-trust-manager.

To discover how PKI unlocks a connected world of possibilities; read our PKI eBook.