Cybersecurity challenges for IoT PKI and how to solve them
By Mike Hathaway, Chief Product Officer at Ascertia
Every aspect of our lives has become connected through the Internet of Things (IoT) – from our cars to our kettles. This increase in connectivity comes with new threats to our cybersecurity and the need for secure, scalable solutions to protect us. A key deterrent against these cybersecurity challenges is Public Key Infrastructure (PKI) securing communication between IoT devices through digital certification and data encryption.
What is IoT PKI?
The main threat of IoT is the sheer scale of devices, and therefore entry points, on a network. There have been concerns raised since the introduction of IoT around securing each device, avoiding a weak access point to a wider network.
At a high level, PKI enables users to securely exchange their digital information using cryptographic keys to authenticate user and device identities, thus lowering the risk of cyber-attacks from malicious users. PKI has many use cases, including securing telecoms networks, which has similar security issues to the Internet of Things.
IoT PKI is an extension of current practices, developed as a specialised form of PKI to tackle the specific security challenges of the Internet of Things. IoT PKI works by assigning each IoT device with a unique digital certificate including information about its identification, such as its public key and device ID.
Digital certificates are a core component of IoT security, working in tandem with private and public keys to validate user and device identities and meet the standards set by Certificate Authorities (CAs). CAs act as a trusted third-party to confirm the valid identity of an IoT device, authenticating the digital certificates used as part of the PKI.
In practice, once an IoT device attempts to connect with other devices or servers via the network, its digital certificates are required to validate its authenticity. Detecting and renewing invalid or out-of-date certificates will prevent network outages and weaknesses.
The biggest challenges for IoT PKI
Challenges for PKI in an IoT environment can be divided into two groups. On the one hand there is the technical challenge of cloud security presented by specific devices. The other element for IoT PKI that can be difficult is the logistics of scalability, data protection and compliance with regulatory factors.
Device security
The base level of IoT cybersecurity is the massive variety of devices that can provide new points for threat actors to gain access to the network. Each device is an infiltration target for the network, so it’s important to ensure endpoints are secure.
Of those IoT devices, some present more significant security issues than others.
Wearable devices
Smartwatches, fitness trackers, glasses in the near future. People are now wearing IoT devices that collect biometric and location data. This is incredibly sensitive data that, if accessed by a malicious entity, can compromise PKI credentials and more.
Medical devices, such as pacemakers, can fall into this category if they have weak security and can be used to cause potential harm to the wearer and access their data.
Smart locks
Smart locks remove the need for physical keys and can be remotely controlled through IoT devices, allowing access through Bluetooth or Wi-Fi to unlock them.
Whilst these are more likely to be found in a home environment, they can certainly present a threat to remote work and general building access as hybrid work patterns continue to grow in popularity. These devices rely heavily on PKI authentication to verify users, meaning it is critical for smart locks to be kept secure from IoT threats.
Vehicles
More IoT technology is becoming present in cars and bikes. There are vulnerabilities in vehicle software that can be utilised for gaining network access, and more measures need to be implemented to prevent inauthentic PKI certification for automobiles.
Drones also present a similar challenge as the applications of these devices expand into delivery and military use. Compromised drones can be used to steal PKI credentials if they gain access to network systems.
Operational challenges
Beyond the threat of specific IoT devices, managing the effectiveness of PKI in an IoT environment presents logistical challenges.
Scaling cybersecurity systems to protect against an ever-increasing wave of IoT threats can be difficult, putting strain on resources for the PKI infrastructure. Provisioning and managing certificates for more and more devices means that PKI deployments must be equipped to handle the increased load.
There are multiple technologies and standards to help with network security and managing enrolment of multiple device certificates. These include:
- Secure Certificate Enrolment Protocols (SCEP) – a standards for network device enrolment
- Enrolment over Secure Transport (EST) – a standard to improve issuance and lifecycle management of Digital Certificates for secure communications
- Certificate Management Protocol version 2 (CMPv2) – a protocol automating certificate enrolment and lifecycle management
- Automatic Certificate Management Environment (ACME) – a protocol for automating certificate lifecycle management between Cas and ACME clients
Regulatory compliance
Protecting the data and privacy in an IoT environment is critical – PKI plays a pivotal role in ensuring that information is encrypted and transmitted securely.
As IoT ecosystems are incredibly complex, there is a high level of compliance that PKI systems must adhere to in accordance with several regulatory bodies. The regulations that businesses must adapt to depend on location and industry, but all typically require well-maintained audit trails and routine security checks.
The Common Criteria is an example of an international computer security standard and framework that organisations in the digital trust industry follow, providing independent certification for IT products, including PKI and other digital trust solutions.
Best practice
To implement IoT PKI in a safe and scalable way, organisations need to adhere to the standards set by regulatory bodies.
Selecting the appropriate PKI architecture, maintaining certificates, and guaranteeing CA availability are vital for securing the network in an IoT ecosystem. By frequently assessing the effectiveness of cybersecurity and ensuring certificate management is operating correctly, IoT PKI should keep user data secure.
Cyber threat intelligence can also be a deterrent for IoT threats. Educate users on the risks of IoT devices and the security measures they can take. This will help protect the PKI infrastructure from attacks.
