By: Tony Pugielli on March 5th, 2019

Print

What Is Public Key Infrastructure and How Could It Help Secure the IoT?

IoT

Code superimposed over row of serversIT professionals looking to secure their IoT devices are turning to public key infrastructure. What is PKI, and can it help secure your IoT network?

The Internet of Things (IoT) is bringing more and more devices online every day. With an estimated 26.6 billion IoT devices expected to be active by the end of 2019, cybersecurity presents a growing concern. In search of a solution, IT professionals are considering turning to public key infrastructure (PKI) to help avoid costly cybersecurity breaches and better protect both data and physical assets alike.

 

What Is Public Key Infrastructure?

Public key infrastructure, or PKI, is the combination of hardware, software, processes, and procedures used to manage digital certificates and public keys. It is the infrastructure that supports a secure and trusted environment for e-commerce transactions and, now, for the Internet of Things.

PKI authenticates users and devices using a particular set of digital certificates that create a secure connection for both public websites and private networks. There are four main components (or organizations) that form the PKI.

  1. Certificate authorities — third-party organizations that issue certificates for user or device authentication.
  2. Registration authorities — third-party organizations tasked with verifying and validating certificates issued by certificate authorities.
  3. Certificate databases — databases that store certificate requests.
  4. Certificate stores — storage locations that store certificates.

In essence, PKIs are used for user and device authentication — to help establish and validate the identities of people, devices, and services on the internet. This process is designed to help protect user data and ensure accountability and security throughout the transaction process.

 

How Are Companies Using Public Key Infrastructure to Secure IoT Networks?

There are a few common use cases for PKI, which include:

  • Securing web pages
  • Encrypting files and email messages
  • Authenticating email, VPN connections, and wireless nodes
  • Authenticating connections to cloud-hosted data stores

 

The Advantages of Using Public Key Infrastructure for IoT Cybersecurity

There are a number of advantages to using PKI, especially when it comes to authenticating and securing IoT devices. First, PKI offers a unique, verifiable identity that you can use to determine which level of access a device should be granted. PKI basically guarantees an entity’s identity and attributes — it tells you which devices are on your network and/or who the users are. This helps organizations protect their network against costly cybersecurity breaches.

IoT cybersecurity is especially important when it comes to devices. IoT devices need to be authenticated, but they must also authenticate the server to which they are connecting. PKI digital certificates make this possible with something called mutual authentication. And, when it comes to installing software updates, PKI will verify that the update comes from a trusted server. In the IoT, it’s crucially important that devices be capable of identifying and rejecting phishing attacks and malware — mutual authentication promotes this capability.

 

The Drawbacks of PKI

There are, however, a number of drawbacks that come with PKI. The encryption function hosted by the infrastructure involves complex and bandwidth-intensive algorithms. For some IoT devices, this requires substantial power and bandwidth capacity to both encrypt and decrypt data. Encryption can slow down a device — especially when using applications that work with large quantities of data on a regular basis.

In addition to the potential performance issues PKI can incur, experts have questioned whether PKI is really all that safe. PKI’s encryption keys only protect what they are designed to protect — if there are vulnerabilities elsewhere in your network, the PKI will not keep sensitive data from being exfiltrated through separate attack vectors. And given that the certification authority is a third party (albeit a “trusted” one), organizations using PKI won’t be able to recognize or respond to the possibility of cybercriminals issuing false certificates.

PKI can be used to validate authorized users on a secure device or server, encrypt information to be sent privately, and maintain data integrity as it is transferred between devices and servers. Despite a number of potential security and performance drawbacks, however, PKI is playing an increasingly important role in cybersecurity for the IoT.

 

PKI and IoT Security

The IoT is on track to encompass up to a trillion devices, according to some analysts. Besides generating vast amounts of data, these devices are increasingly responsible for powering and running homes, hospitals, factories, electrical grids, cars, and more — and many of these devices are protected only by a simple password or PIN.

The potential cybersecurity implications here are significant. And while the IoT market continues to grow rapidly, the speed of its progress will ultimately be limited by the extent to which it can be reliably secured. Because PKI moves authentication off of IoT devices and onto encrypted gateways, it’s been gaining increasing popularity among cybersecurity experts.

For enterprises considering how best to secure their IoT networks, a prudent first step should be a thorough network assessment. Initiatives like PKI can’t simply be implemented as standalone solutions — to ensure comprehensive cybersecurity for your IoT devices, you’ll need to evaluate your network as a whole. A strong IoT cybersecurity strategy starts with evaluating the most fundamental network components — PKI represents just one potential solution for a single aspect of your overall cybersecurity strategy.

At Turn-key Technologies, we have over thirty years of experience managing cutting-edge networks designed to deliver comprehensive cybersecurity. Our experts bring the knowledge and expertise required to tackle the emerging threats posed by the IoT.

New call-to-action