Critical infrastructures (CIs) include the vital resources for a country's economic and health systems and should be kept secure. Improvements in the Internet of Things bring benefits to CIs and, at the same time, create dependency. The Internet of Medical Things (IoMT) is among the CI sectors that gather health-related information from patients via sensors and provide healthcare services accordingly. However, research has highlighted that this large-scale system opens the door to the disclosure of patients' private data. Recent work has concentrated on proposing authentication schemes to address this challenge. Motivated by this, in this paper we introduce a secure and lightweight authentication and key agreement model named Slight. We prove Slight's security and robustness against attacks both informally and formally, the latter by using the Scyther tool. We analyze Slight's performance to show that it causes minimal computational overhead (0.0076 ms) and comparable communication overhead (1632 bits), making it suitable for IoMT.