PKI · Provisioning · EdgeHSM · Key Management

Device Security Has Become OEM Infrastructure.

Traditional PKI Was Built for a Different Problem. The three current approaches to OEM device provisioning are all the same architecture in different locations. Here's what an architecture designed for the problem actually looks like.

Product Line: IoT Security
Industry: Transit
Pages: 30
Published: 2026-05-11

Summary

Four forces — regulation, industry standards, universal connectivity, and AI-assisted vulnerability discovery — have converged on a single irreversible shift: device security has crossed from being a product feature the OEM ships into long-term infrastructure the OEM operates. Every defensive mechanism a connected device has rests on the same load-bearing assumption: that each private key is, at every moment of its existence, only in the place it should be, and only used in the way it should be used.

Of all the places key security has to live, factory provisioning is where the difficulty concentrates — universal across OEMs shipping connected devices, structurally outside the OEM's perimeter, geographically distributed across multiple ODMs and countries. Three approaches exist today (cloud PKI, factory-deployed PKI+HSM, chip-vendor pre-provisioning); from a procurement perspective, three quite different conversations. From an architectural perspective, three variations on a single underlying pattern. This paper develops the case for a fourth answer — not another deployment location, but an architecture designed for factory provisioning from the ground up.

~30 pages
4 Architectural Elements
8 Diagnostic Questions

What You'll Learn

10 Takeaways

  • Why device security is now infrastructure, not a feature
  • The four forces driving long-term operational obligation
  • The four faces of key security: storage, management, use, monitoring
  • Why factory provisioning concentrates structural difficulty
  • Why three current approaches are variations on traditional PKI
  • The four functional gaps: KDF, secure channel, CSR attestation, SE management
  • The architectural gap: decision and execution must decouple
  • The four architectural elements of an alternative
  • Lifecycle governance: from factory moment to day 1825
  • Eight diagnostic questions to ask of your supply chain

Table of Contents

§1 Executive Summary (p. 02)
§2 Four Drivers Are Making Device Security Long-Term and Mandatory (p. 04)
§3 Device Security Rests on Keys, and Keys Are Hardest at the Factory (p. 09)
§4 The Three Current Approaches Are All Traditional PKI (p. 13)
§5 Functionally, Traditional PKI Wasn't Built for Provisioning (p. 17)
§6 Architecturally, Traditional PKI Binds What Provisioning Needs Apart (p. 20)
§7 An Architecture Designed for Provisioning (p. 23)
§8 Across the Lifecycle, Traditional PKI Cannot See the Device (p. 26)
§9 Eight Questions to Ask of Your Own Supply Chain (p. 29)
Appendix A: Glossary (p. 31)
Appendix B: About the Author (p. 32)

Why This Matters Now

Regulation has turned device cybersecurity from a one-time check at launch into a continuous obligation OEMs operate against for years. Industry standards — Matter at the front — have moved attestation from optional to gating. Universal connectivity has put every device into the same adversarial environment. And AI-assisted vulnerability discovery has collapsed the cost of finding exploitable bugs on a timescale most shipped devices were not designed against.

Each force on its own is sufficient to move device security from a one-time product property to a multi-year operational obligation. Acting together, they remove any remaining path on which the older posture could have continued to work.

The architectural decisions an OEM makes about device identity in the next eighteen months will determine what they can ship — credibly, auditably, at scale — for the ten years that follow. This is not a procurement timeline. It is an infrastructure timeline.

Who this paper is for

OEM security architects and decision-makers facing factory provisioning at multi-ODM, multi-silicon, multi-country production scale. It develops an architectural argument grounded in operational reality, not a vendor comparison.


Bob Jiang
Co-Founder & President
Co-founded Snowball Technology to give IoT OEMs something the industry has been missing: a single platform to govern the digital assets a connected device depends on — keys, certificates, firmware, secure configs, SBOMs — across its entire lifecycle.