IoT and PKI – difficulties in sight

Sheila Zabeu -

November 18, 2021

The Internet of Things (IoT) continues to drive the use of Public Key Infrastructure (PKI) and digital certificates: 47% of respondents to the Ponemon Institute's 2021 Global PKI and IoT Trends study, which surveyed more than 2,500 cybersecurity professionals in 17 countries, cited it as a key driver of growth in this segment. In the 2017 edition of the study that figure was 40%. For comparison, in 2017 cloud-based services stood out as the main driver of PKI growth, cited by 54% of respondents; today that share has fallen to 44%.

There is growing recognition that PKI is becoming an important authentication system for IoT technologies. That is hardly surprising: there are now more things (equipment and sensors, for example) connected to the Internet than people, and each of these IoT devices needs a digital identity if it is to operate securely.

For this reason, demand is growing for Internet of Things public key infrastructures, or IoT PKI, that provide digital certificates in order to:

  • Enable mutual authentication between devices and the applications they connect to over the Internet;
  • Maintain the integrity and confidentiality of the data collected by IoT devices;
  • Ensure the legitimacy and integrity of software transferred to IoT devices (firmware updates, for example);
  • Preserve the privacy of confidential data, as required by cybersecurity regulations.
Source: Ponemon Institute

Worryingly, however, respondents also said that IoT is the area expected to see the most change and uncertainty. The study highlights some major challenges in the PKI and digital certificate universe. The biggest hurdle is a lack of clarity about who is responsible for PKI within the organization: it was named the top challenge for the fifth consecutive year, and the share of respondents citing it rose sharply, from 63% in 2020 to 71% in 2021. Scarcity of resources (51%) and of skills (46%), which has never been greater, rounded out the top three challenges. More than half of respondents (55%) also said that their organization's existing PKI is unable to support new applications.

General PKI scenario

Year on year, the number of certificates issued and managed has been growing slowly and steadily across a range of sectors, not just in the IoT universe. In recent years, however, the volume has jumped: it is up around 50% since 2019, from 39,197 to 58,639, mainly on account of increased demand for machine identities and for securing hybrid work.

Source: Ponemon Institute

When it comes to certificate revocation, the most frequently used technique remains the Online Certificate Status Protocol (OCSP), cited by 57% of respondents, followed by Certificate Revocation Lists (CRLs), used by 42%. The two are not mutually exclusive, and the trade-off matters for IoT: OCSP asks a responder about one certificate at check time, so the device or backend needs that responder to be reachable, while a CRL is a signed list that can be downloaded and cached, at the cost of growing with every revocation.

As in recent years, 32% of respondents said they have not implemented any certificate revocation technique. Possible explanations for this relatively high share are the use of other means to remove users or devices, the use of short-lived certificates that simply expire instead of being revoked, and the adoption of closed systems.
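The bullet list above describes what an IoT PKI does, and the two paragraphs above describe how revoked devices are kept out. As an added example, not part of the article or of the Ponemon study, here is a small Go program using only the standard library (crypto/x509, no external dependencies) that puts both together: a private IoT root CA that enrolls devices with client-authentication certificates and publishes a CRL, and the backend admission check that combines chain validation, the certificate lifetime (the "short-lived certificate" alternative to revocation) and the CRL lookup. The CA name, device identifiers, serial numbers and lifetimes are invented for the demo; the in-memory CA key stands in for what would be an HSM or a managed private CA in production.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a hypothetical in-memory private IoT root; a real one keeps its key in an HSM or a managed private-CA service.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign generates a P-256 key and certifies it under parent; with parent nil it self-signs.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// NewCA self-signs a root permitted to sign both certificates and CRLs.
func NewCA() *CA {
	cert, key := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example IoT Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	return &CA{Cert: cert, Key: key}
}

// Issue enrolls a device with a client-auth leaf that lives for ttl; short-lived-certificate
// deployments keep ttl small and let expiry do the work of revocation.
func (c *CA) Issue(serial int64, deviceID string, ttl time.Duration) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{ // the private key stays on the device, ideally in a secure element
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: deviceID},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, c.Cert, c.Key)
	return cert
}

// CRL publishes a CA-signed revocation list naming the given serial numbers.
func (c *CA) CRL(revoked ...int64) *x509.RevocationList {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: entries,
	}, c.Cert, c.Key)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return crl
}

// AcceptDevice is the backend's admission check at time now. Chain building and the validity period
// are what a TLS server verifies in the handshake; the CRL lookup is the part Go's crypto/tls leaves
// to the application. A CRL the CA did not sign is rejected outright (fail closed).
func AcceptDevice(ca *CA, leaf *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca.Cert); err != nil {
		return fmt.Errorf("untrusted CRL: %w", err)
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("device %q (serial %v) is revoked", leaf.Subject.CommonName, leaf.SerialNumber)
		}
	}
	return nil
}

func main() {
	ca := NewCA()
	crl := ca.CRL(201) // sensor-0002's key was reported compromised
	fmt.Println(AcceptDevice(ca, ca.Issue(200, "sensor-0001", 24*time.Hour), crl, time.Now()))
	fmt.Println(AcceptDevice(ca, ca.Issue(201, "sensor-0002", 24*time.Hour), crl, time.Now()))
}
```

Passing a later `now` to AcceptDevice is how a one-hour certificate gets rejected without any CRL entry, which is the short-lived-certificate strategy the survey's "no revocation technique" respondents may be relying on. In a real mutual-TLS backend the same CRL check belongs in `tls.Config.VerifyPeerCertificate`, since Go's crypto/tls validates the chain and validity period but performs no revocation checking of its own; an OCSP lookup would slot into the same place.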

Hardware security modules (HSMs) continue to be widely used to protect and manage the private keys behind these certificates.

The most commonly cited ways of deploying PKI are an internal Certificate Authority (CA), used by 62% of respondents, and a managed service based on an externally hosted private CA, used by 44%. The externally hosted option has grown over four years, from 38% of respondents in 2017 to 44% in 2021.