How to Secure IOT Devices: IOT Security Requirements

The key requirements for any IoT security solution are:

• IoT Device and data security, including authentication of devices and confidentiality and integrity of data
• Implementing and running security operations at IoT scale
• Meeting compliance requirements and requests
• Meeting performance requirements as per the use case

IoT security solutions need to implement the functional blocks listed below as interconnected modules, not in isolation, to meet the IoT scale, data security, device trust and compliance requirements.

• IoT Device Trust: Establishing and managing Device Identity and Integrity
• IoT Data Trust: Policy driven end-to-end data security, privacy from creation to consumption
• Operationalizing the Trust: Automating and interfacing to the standards based, proven technologies/products. E.g. PKI products.

To securely participate in the IoT, each connected device needs a unique identity, even before it has an IP address. This digital credential establishes the root of trust for the device’s entire lifecycle, from initial design and manufacturing to deployment, operation, and retirement.

As IoT deployments scale to thousands or millions of devices, these identities become a critical control point for maintaining security, uptime, and compliance. Managing these credentials across their lifecycle is essential.

Entrust uses nShield hardware security modules (HSMs), combined with supporting security applications from Entrust technology partners, to enable manufacturers to provision each device with a unique identity using strong cryptographic processing, key protection, and secure key management. A digital certificate is embedded into each device to enable:

• Authentication of each device introduced to the organization’s architecture
• Verification of the integrity of the operating system and applications on the device
• Secure communications between devices, gateway, and cloud
• Authorized software and firmware updates, based on approved code

A number of organizations have developed security guidelines for the IoT. These include:

• The IoT Security Foundation’s “Best Practice Guidelines”
• The Open Web Application Security Project’s (OWASP) “Security Guidance”
• Groupe Spéciale Mobile Association’s (GSMA) “GSMA IoT Security Guidelines & Assessment”
• The U.S. Department of Commerce National Institute of Standards and Technology’s (NIST) Special Publication 800-160 (the “Guidance”) on implementing security in Internet-of-Things (“IoT”) devices
• The Cloud Security Alliance’s (CSA) “Future Proofing the Connected World: 13 Step to Developing Secure IoT Products”

Strong IoT device authentication is required to ensure connected devices on the IoT can be trusted to be what they purport to be. Consequently, each IoT device needs a unique identity that can be authenticated when the device attempts to connect to a gateway or central server. With this unique ID in place, IT system administrators can track each device throughout its lifecycle, communicate securely with it, and prevent it from executing harmful processes. If a device exhibits unexpected behavior, administrators can simply revoke its privileges.

IoT devices produced through unsecured manufacturing processes provide criminals opportunities to change production runs to introduce unauthorized code or produce additional units that are subsequently sold on the black market.

One way to secure manufacturing processes is to use hardware security modules (HSMs) and supporting security software to inject cryptographic keys and digital certificates and to control the number of units built and the code incorporated into each.

To protect businesses, brands, partners, and users from software that has been infected by malware, software developers have adopted code signing. In the IoT, code signing in the software release process ensures the integrity of IoT device software and firmware updates, and defends against the risks associated with IoT software code tampering or code that deviates from organizational policies.

In public key cryptography, code signing is a specific use of certificate-based digital signatures that enables an organization to verify the identity of the software publisher and certify the software has not been changed since it was published.

Today there are more devices online than people on the planet, and each one requires a trusted digital identity to operate securely. As enterprises transform their business models, rapid adoption of IoT technologies is driving increased demand for Internet of Things public key infrastructure (IoT PKI). PKI enables the issuance of digital certificates for devices, applications, and the software and firmware they run.

As IoT ecosystems scale, PKI has become a critical control point for securing device identities. With millions of connected devices and growing machine identity volumes, organizations must manage certificates at scale, especially as lifecycles shorten to 47 days and environments become more complex.

Safe IoT deployments require not only trusting the devices to be authentic and to be who they say they are, but also trusting that the data they collect is real and not altered. If one cannot trust the IoT devices and the data, there is no point in collecting, running analytics, and executing decisions based on the information collected.

Secure adoption of IoT requires:

• Enabling mutual authentication between connected devices and applications
• Maintaining the integrity and confidentiality of the data collected by devices
• Ensuring the legitimacy and integrity of the software downloaded to devices
• Preserving the privacy of sensitive data in light of stricter security regulations

As IoT deployments expand, these capabilities must be enforced consistently across large, sometimes fragmented infrastructures. Without centralized visibility, automation, and governance, organizations risk certificate-related outages, security gaps, and compliance challenges. This makes modern IoT PKI management essential for secure and scalable operations.