Critical Infrastructure Attacks Drive HSMs in IoT, ABM Research Finds

By Chad Cox

Associate Editor

Embedded Computing Design

November 24, 2021


Critical Infrastructure Attacks Drive HSMs in IoT, ABM Research Finds
(Image Courtesy of Reuters)

The hacker group DarkSide secured a $4.4 million ransom earlier this year when they locked the Colonial Pipeline Co. out of their own electronic systems.

The hackers gained access to the IT environment for one of the largest oil pipelines in the U.S. using a password that was later found on the dark web. Colonial Pipeline Co.’s infrastructure didn’t even require multi-factor authentication, much less include advanced security measures or hardware-based encryption.

An increase in cyber threats targeting critical infrastructure systems is one reason ABI Research forecasts the value of the global OT cybersecurity market at $18.1 billion by 2023. ABI’s “The Use of Hardware Security Modules in IoT Applications” report predicts hardware security modules (HSMs) will be at the center of this growth as they expand beyond enterprise, government, and payment markets into IoT ecosystems.

ABI estimates that IoT-centric HSM solutions already represent just under half of total HSM revenues and shipments worldwide. Now, in addition to traditional players like Entrust, Thales, and Ultimaco, vendors like Infineon, NXP, ST Microelectronics, Thirdway, and others are offering IoT HSMs.

Generally speaking, IoT HSMs are built for root of trust and key management functions that protect IP, prevent key injection, and enable secure programming. Many are being integrated directly into TPMs, secure hardware extension (SHE) processors to deliver “flexibility without exponentially increasing costs or requiring additional hardware,” says Michela Menting, Digital Security Research Director at ABI Research explains.

“By and large, there are three primary drivers for the use of HSMs in these new markets: a growing body of standards and regulatory compliance for the protection of IoT data and devices; functional and physical safety requirements for critical devices such as cyber-physical systems; and finally intellectual property protection,” Menting explains.

Standardizing Cybersecurity

As Menting notes, a growing body of standards are also emerging that help streamline the development and deployment of IoT security technologies like HSMs. For instance, the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) recently launched the Cybersecurity for the Operational Technology Environment (CyOTE) initiative to improve threat detection on sensitive OT networks in the energy sector.

For critical infrastructure providers, implementing robust security measures may not be an option much longer.

For more information on CESER and the CyOTE standard, visit

For more on the ABI Research report, “The Use of Hardware Security Modules in IoT Applications,” go to