IoT is one of the fastest growing trends in technology today, yet enterprises are leaving themselves vulnerable to dangerous cyberattacks by failing to prioritize PKI security, according to new research from nCipher Security.
The Respondents cited concerns about several IoT security threats, including altering the function of IoT devices through malware or other attacks (68%) and remote control of a device by an unauthorized user (54%). However, respondents rated delivering patches and updates to IoT devices, the capability that protects against that top threat, last on a list of the five most important IoT security capabilities.
The study also found that in the next two years an average of 42% of IoT devices will rely primarily on digital certificates for identification and authentication. But encryption for IoT devices, and for IoT platforms and IoT data repositories, is at just 28% and 25% respectively. PKI is at the core of the IT infrastructure for many organizations, enabling security for critical digital initiatives such as cloud, mobile device deployment, and IoT.
Most respondents use PKI extensively in their organizations, for SSL/TLS certificates (79%), private networks and VPNs (69%), and public cloud-based applications and services (55%). Yet more than half (56%) believe PKI is incapable of supporting new applications. In addition, many respondents see significant technical and organizational barriers to PKI usage, including an inability to change legacy applications (46%), insufficient skills (45%) and resources (38%).
Nearly a third (30%) of organizations - an especially jarring share considering the implications - are not using any certificate revocation techniques. More than two-thirds (68%) cite "no clear ownership" as their top PKI challenge.
But, some enterprises are applying more rigor to PKI security in certain areas. The share of respondents using "password only" for Certificate Authority administrators has dropped 6% from 2018 to 24% this year. And 42% of respondents said that they are using hardware security modules (HSMs) to manage private keys. HSM use as an IoT root of trust jumped significantly over 2018 (from 10% to 22%).
Despite a growing number of options for PKI deployment (cloud, managed and hosted), internal corporate Certificate Authorities (CAs) remain the most popular and have grown 19% over the past five years to 63% - with 80% of financial services organizations favoring this option.
Forty-four percent of respondents believe PKI deployments for IoT devices will consist of a combination of cloud-based and enterprise-based implementations. The most important PKI capabilities for IoT in 2019 are scalability to millions of certificates (46%) and online certificate revocation (37%).
"PKI use is evolving as organizations address digital transformation across their enterprises. In addition to IoT, more than 40% of our respondents also cited cloud and mobile initiatives as driving PKI use," said Dr Larry Ponemon, chairman and founder of the Ponemon Institute. "Clearly, the rapid growth of the IoT is having a huge impact on the use of PKI, as organizations realize that PKI provides core authentication technology for connected devices. For organizations to gain full advantage of their digital initiatives, they must continue to improve the security maturity of their PKIs."