Technology Record - Issue 40: Spring 2026

INTERVIEW

Securing IoT in the age of AI

GlobalSign’s Martin Lowry explains how firms can manage identity, risk and regulation

BY ALICE CHAMBERS

The rapid growth of internet of things (IoT) devices is transforming industries, from manufacturing and healthcare to energy and transportation. But as organisations connect more assets to their networks, they are also expanding their attack surface. “There are approximately 18 billion endpoints deployed today and this number will grow to greater than 40 billion in 2035,” says Martin Lowry, product manager for IoT at GlobalSign.

Managing security at that scale is no small task. “Each device represents a potential entry point for attackers, and overseeing public key infrastructure (PKI) across vast fleets of machine identities can quickly become complex. Organisations must adopt a zero-trust, automated approach to device authentication, certificate issuance and renewal to remain in control.”

AI adds another layer of both opportunity and risk. While AI can enhance IoT deployments through improved monitoring and trend analysis, it can also be weaponised. “Bad actors are now using AI to infiltrate and hijack IoT networks and the results could be devastating if the networks are supporting critical infrastructure or other sensitive environments,” says Lowry. “For sectors such as utilities, healthcare and transport, the consequences of a breach could extend far beyond financial loss.”

Regulation is evolving in response. In the European Union, the Cyber Resilience Act sets out requirements for cryptographic identity, trust and lifecycle control across devices, software and updates, and will become mandatory for manufacturers by the end of 2027. In the United States, the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency have issued guidance for securely procuring IoT devices. Although primarily aimed at federal agencies, the recommendations are influencing commercial markets. Many of these frameworks require the use of PKI to underpin device identity and secure communications.

“To strengthen security and maintain compliance, organisations need a device-centric identity strategy,” says Lowry. “This includes establishing a manufacturer-owned root certification authority as a trust anchor; injecting a unique digital identity into each device at production and storing it securely in hardware such as a trusted platform module, secure element or eSIM; enforcing authenticated enrolment; and treating every device as untrusted until it proves its identity. Automated lifecycle management, including certificate renewal and revocation, is also critical.”

As IoT deployments continue to expand and AI becomes more deeply embedded in operational environments, the scale and sophistication of threats will only increase. “Securing billions of connected devices is no longer just an IT consideration but a strategic imperative,” concludes Lowry. “In an era where IoT and AI are reshaping industries, organisations must ensure that innovation is matched with robust identity, trust and lifecycle controls from the outset.”
