Pillar 1

Define your needs

Since IoT includes all use cases that involve things connected to the internet, the associated risks vary a lot. You must find out what your biggest threats are, and where you have possible loopholes that hackers can take advantage of.

Be aware of the risks

Do a risk assessment to find out where your biggest risks are. Use any relevant common standards, such as ISO 27001, to assess and counteract cyberthreats. Revise the assessment regularly, as new threats may arise. Since Internet connectivity is part of the definition of IoT, there is an inherent interface with the outside world. You must assess what type of information is captured, processed and transferred by your IoT devices and your IoT cloud applications, and what the consequences of eavesdropping, data manipulation or loss are. What happens if an unauthorized person accesses your device or if manipulated software is executed by it? What happens if hacked devices or malicious software deliver manipulated or forged data to your cloud services?

The risks and their consequences must be balanced against the added value of collecting data, as well as any specific requirements on how accessible your service needs to be and how simple it must be to use.

What do you need to protect and for how long?

Depending on what you need to protect – storing or transferring data, activating a physical function of a device, or accessing a function of a cloud service – different security mechanisms are needed. If the purpose is to keep data secret, it can be encrypted, whereas digital signatures can be used to prove the origin of data and guarantee its integrity. Depending on the lifecycle of your product or data, different measures may be suitable.

Make sure to secure all parts of the IoT solution

The European Union Agency for Network and Information Security (ENISA) has defined four layers of an IoT infrastructure [5]:

  • Devices – such as sensors and actuators.
  • Communications – such as PAN, LAN, gateways.
  • Cloud platform, backend, and services – such as databases, process automation, and decision systems.
  • Use cases – such as transport, healthcare, and smart homes.

Consider all the included parts of your solution, to make sure you don’t leave any security holes.

Pillar 2

Team up

IoT security is a complex area. It takes expertise and experience to get an overview of risks and consequences, and to define how to mitigate them. The environment is constantly changing, as new types of operating systems, communication protocols, and cyberattacks are developed. For these reasons, it is crucial to find an established partner to advise you.

Find an experienced advisor

A security expert with a solid background is likely to have encountered issues that are relevant to your use cases; for example, they may have experience providing security for large IT deployments or for organizations in the same industry. Many issues can be addressed the same way, even across industries.

Trusting the vendor is key

If you don’t have in-house competence in securing your IoT application, it may also seem hard to evaluate and choose a partner. The lack of standards in the IoT area makes it even harder.

Focus on your core business

Taking advantage of the competence and experience of your security advisors lets you focus on your core business and develop innovative and highly usable services for your customers. Look for a security vendor that offers a solution that is easy to use, deploy, and operate. Preferably, you get a choice between operating a solution on-premises or consuming it as a cloud service, whichever fits you best.

Pillar 3

Take advantage of available technologies

All connected IoT devices and services must have trusted digital identities to be able to distinguish them from each other and from unauthorized or malicious parties trying to intrude on or disrupt your devices and services. Digital identities are the basis for security services; they enable encrypted communication, verification of the origin of data, and guaranteed integrity of data and software being stored, transferred, or executed.

Public-key infrastructure (PKI) certificates provide cryptographically secure, unforgeable, theft-safe identities, which enable devices and services to be empowered with:

  • Authentication: Strong authentication ensures that only approved users and devices can connect to the network.
  • Encryption: Certificates enable encrypted communication between devices and services.
  • Integrity protection: Digital signatures prove the origin and integrity of data and software.

PKI is a mature and well-standardized technology, so you can choose from a large pool of software vendors, open source implementations, service providers, and system integrators [3]. All of these can provide you with the same core technology, so you are safe from being locked into a solution.

Strong authentication

Since IoT means that services and devices are connected to the internet, it is especially important to prevent unauthorized persons from accessing the systems, devices, and cloud services. Passwords are proven to be insecure. According to the Data Breach Investigations Report by Verizon, 81% of hacking-related breaches leveraged stolen or weak passwords. With strong, cryptography-based authentication, you make it much harder for the attackers. For people who need to access devices or services, apply two-factor authentication (2FA). In addition to the strength of the method, consider how the keys are created, distributed, and stored. Insecure key management spoils the security of even the strongest cryptographic method. Also, look for simplicity in your authentication solutions. For example, a mobile app using biometric factors is both user-friendly and secure. If the security solutions are hard to use, then people find ways around them.

Use industry standards and open source

Other technologies and protocols that fit well into IoT applications include Automated Certificate Management Environment (ACME), Constrained Application Protocol (CoAP), Message Queuing Telemetry Transport (MQTT), Transport Layer Security (TLS), Datagram Transport Layer Security (DTLS) and Enrolment over Secure Transport (EST).

Pillar 4

Ensure scalability and flexibility

IoT has only just begun, and the number of connected devices is constantly increasing. It must be possible to manage devices efficiently, whether there are a thousand of them or hundreds of millions. Scalability is a prerequisite for IoT. So, you need to make sure that your security solution also scales.

IoT devices are often limited in resources, such as processing power and communication bandwidth. For end-to-end security, these devices must also be secured, using suitable lightweight cryptographic functions and security protocols.

PKI is scalable

Symmetric cryptography is typically used to secure point-to-point communication. Here the same secret key is used by both communicating parties, for example to encrypt and decrypt information. Keys must be pre-shared for every single connection between devices or services. This works fine for small-scale IoT applications, but key management in this form is clearly not scalable to millions of devices.

Asymmetric cryptography, which is employed in PKI, uses a private and a public key. Only the public key needs to be known by the other (relying) party. Key distribution is easier, because the public key can be transferred via an unencrypted, public channel. This works better for large systems. PKI adds a twist to asymmetric cryptography: it works with digital certificates, containing the public key, the identity of the key owner – a device, service, or user – and the digital signature of the issuing certificate authority (CA), which lets anyone verify the integrity of the certificate content. Using a hierarchy of CAs, PKI allows a relying party that trusts only the root CA to trust the certificates of all other parties.

For scalability, the processes of issuing and distributing certificates must be automated. A CA solution must provide such automated processes and corresponding interfaces.
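The certificate mechanics described above, together with the authentication and integrity-protection bullets under Pillar 3, as an added example that is not part of the original guide or of any vendor product: using only Go's standard crypto/x509 package, it builds a root CA and an issuing CA, issues a device certificate (public key + owner identity + CA signature), verifies the device's chain against nothing but the root, and signs a telemetry message so that a relying party can check origin and integrity. All names (Example Root CA, sensor-0001, the telemetry strings) are constructed for the example, and keys live in memory, whereas a real device would keep its private key in a secure element.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a private key with its certificate (in-memory only; assumption).
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

var serial int64 // constructed serial counter; a real CA uses random serials

// issue generates a P-256 key pair for cn and has issuer sign a certificate for it.
// With issuer == nil the certificate is self-signed (used for the root CA).
func issue(cn string, isCA bool, issuer *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // identity of the key owner
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Key: key, Cert: cert}, nil
}

// buildHierarchy issues root CA -> device-issuing CA -> device; a relying
// party only needs to hold the root certificate to trust the device.
func buildHierarchy() (root, inter, device *Identity, err error) {
	if root, err = issue("Example Root CA", true, nil); err != nil {
		return
	}
	if inter, err = issue("Example Device Issuing CA", true, root); err != nil {
		return
	}
	device, err = issue("sensor-0001", false, inter)
	return
}

// verifyChain accepts cert only if a chain of valid CA signatures leads from it
// to the trusted root through the supplied intermediates.
func verifyChain(cert, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// sign creates an ECDSA signature over data: proof of origin and integrity.
func sign(id *Identity, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
}

// verifySignature checks sig over data against the public key in cert.
func verifySignature(cert *x509.Certificate, data, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, data, sig) == nil
}

func main() {
	root, inter, dev, err := buildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Println("device chain valid:", verifyChain(dev.Cert, root.Cert, inter.Cert) == nil)
	msg := []byte("temp=21.5") // constructed sample telemetry
	sig, _ := sign(dev, msg)
	fmt.Println("signature valid:", verifySignature(dev.Cert, msg, sig))
	fmt.Println("tampered valid:", verifySignature(dev.Cert, []byte("temp=99.9"), sig))
}
```

Two failure modes are worth trying by hand: drop the intermediate from verifyChain and the device is rejected even though the root is trusted, because the chain of signatures cannot be built; and issue a self-signed certificate with the same CommonName "sensor-0001" and it is rejected too, because no trusted CA vouches for it. That second case is exactly why the identity in a certificate cannot be forged by simply claiming a name.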

Pillar 5

Take account of industry demands

The IoT area has for a long time been unregulated and without common standards or common security, safety, and privacy policies. Recently, however, a number of IoT and IIoT security standards have emerged. These include IEC 62443 and ETSI EN 303 645, as well as IEEE 802.1AR, which specifies an initial device identity (IDevID) [5, 6].

Example: Security in connected cars

The V2X use case raises many specific requirements. As shown, a high-performing PKI platform is one of them. Other requirements are more efficient ways to generate keys using butterfly elliptic curve cryptography, a redundant setup of two certificate authorities (CAs) to guarantee drivers’ privacy, and high availability to function reliably at all times. There are technical standards that describe these requirements, such as IEEE 1609.2 in the US [6], and ETSI TS 102 941 and TS 103 097 in the EU [7].

Consider data privacy

In general, consider all international and national regulations that might apply to the privacy of data. Although the General Data Protection Regulation (GDPR) went into effect in May 2018, it is still not clear how it applies to IoT. Besides personal data, insecure IoT devices may expose behavioral patterns such as the movement profile or home absence of the owners, or deliver audio and video streams from the private environment.

Stay aware of legal issues

There are many legal issues that are still uncertain, for example who owns the data collected by an IoT device. Another question is who is responsible and liable when something goes wrong. Imagine someone hacking an IoT-enabled lawn mower, taking control of it and mowing the neighbour’s rose garden – who can be held responsible? Since there are no easy answers to these questions today, the best you can do is to try to stay aware.


The benefits of IoT cannot be denied and it is unlikely that businesses not taking advantage of IoT will survive, but IoT comes with apparent safety, privacy and business risks. Therefore, security considerations and a suitable implementation are crucial for IoT applications.

Stay aware of the risks and define what you need to protect and for how long. Design your IoT infrastructure for security and privacy from the start. Rely on trusted and experienced IT security professionals to help you. Use available technologies such as PKI and strong authentication to ensure security, as well as efficiency, scalability, standardization, and usability. Make sure to follow any specific requirements on performance, protocols and policies for your industry, while being aware of general privacy and legal demands.

As complex as it may appear, if you build on the pillars in this guide, you get a good start to defining your specific needs and your way of securing your IoT application.

[1] A Patient Dies After a Ransomware Attack Hits a Hospital: https://www.wired.com/story/a-patient-dies-after-a-ransomware-attack-hits-a-hospital

[2] Mirai (malware) article on wikipedia: https://en.wikipedia.org/wiki/Mirai_(malware)

[3] PKI Is Gearing Up for the Internet of Things, Gartner: https://www.gartner.com/doc/3426421/pki-gearing-internet-things

[4] Cybersecurity IoT program, National Institute of Standards and Technology (NIST): https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program

[5] IoT and smart infrastructures, European Union Agency for Network and Information Security (ENISA): https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures

[6] Standard for Wireless Access in Vehicular Environments (WAVE), Institute of Electrical and Electronics Engineers (IEEE): https://standards.ieee.org/findstds/standard/1609.2-2016.html

[7] Intelligent transport system security, European Telecommunications Standards Institute (ETSI): https://portal.etsi.org/services/centrefortestinginteroperability/activities/intelligenttransportsystem/security.aspx
