Building Resilience to Evolving Threats with PKI - Industry Today - Leader in Manufacturing & Industry News


August 11, 2023 Building Resilience to Evolving Threats with PKI

Industrial and manufacturing IT leaders can ensure trust and security in their smart factories with public key infrastructure (PKI).

By Andreas Philipp, Senior Business Development Manager, IoT at Keyfactor

The industrial sector is rapidly evolving, and organizations are accelerating their digitalization efforts with automation, AI, and connected sensors and machines. But while these efforts improve efficiency and enable new business models, they also introduce cybersecurity threats such as IoT attacks and ransomware vulnerabilities that threaten to disrupt industrial infrastructure and supply chains.

Even though manufacturers know the importance of cybersecurity, some struggle to navigate its complexity in industrial environments and stay up to speed with emerging industry standard requirements, protocols, and concepts. Below, we’ll dive into how manufacturers can start automating their industrial identity lifecycle, how cybersecurity legislation impacts the industrial sector, and why X.509 certificates are a must for the industrial cybersecurity market.


Automating the industrial identity lifecycle

The proliferation of smart factories has resulted in an explosion of connected machines in manufacturing operations, including devices like environmental sensors and connected industrial equipment. Each of these connected machines has an associated machine identity, a unique descriptor of the device used to authenticate communication and system access, which is secured through public keys and certificates. These certificates act like a passport that people, devices, and apps use to interact with each other securely.

Unfortunately, nearly two-thirds of IT leaders, including those in the industrial and manufacturing sectors, don’t know exactly how many keys and certificates they have – not to mention where they are or when they expire. This leaves a massive potential entry point for malware and ransomware.

Many industrial organizations are starting to protect their operations with public key infrastructure (PKI), a set of processes and tools used to manage certificates. With PKI, manufacturing IT leaders get a comprehensive view of which certificates are expiring and can automate many of the processes required to manage machine identities. This includes issuing new certificates across the development, production, and usage lifecycles, which eliminates many of the visibility issues industrial organizations experience with connected sensors and machines.

PKI is central to industrial cybersecurity standards and regulations

The increasing need for industrial cybersecurity has led to new standards and regulations that provide operators with a clear roadmap to fulfill the requirements for securing their smart factory environment. Not only is PKI technology a huge contributor to automating the industrial identity lifecycle, but it is also an integral building block in the industrial cybersecurity standards that are on the horizon. These standards have shifted from best practices to precise guidelines and implementation directives that will evolve in the upcoming years.

There are three levels to the cybersecurity standards and regulations as they pertain to the industrial sector: overall framework, regulation and directive, and industry standards. A snapshot of each follows; all are at various stages of release:

1. Overall framework

  • IEC 62443: This is the basic framework for defining the security levels and the functions for operators, product developers, and service providers.

2. Regulation and directive

  • EU Cyber Resilience Act: Mandatory requirements for products with digital elements.
  • EU NIS2 (Network and Information Security): An expansion of the NIS directive to enhance cybersecurity in the European Union.
  • EU Machinery Directive: The core European legislation regulating products of the mechanical engineering industries to increase trust in digital technologies.

3. Industry standards (an extract)

As these standards and directives continue to be developed, it will be up to industrial vendors to implement the functionality required for infrastructure components like PKI. Manufacturers can then adapt these to their technology and protocol stacks.

Device identity: Where the trusted lifecycle begins

But industry standards and regulations may fall apart if they do not have one common goal – trust. Trust must be established from device manufacturer to integrator to operator. The industrial sector will continue to struggle to thread trust throughout the supply chain fabric unless it starts the journey with device identity. If you’re unable to provision, provide, or imprint a digital device identity in your physical device, then all of the scenarios that follow are useless.

So, how do industrial enterprises issue trusted devices? The answer is IEEE 802.1AR. The IEEE 802.1AR standard specifies a standard device identity and is the foundation for all future functions and features, including secure device provisioning, secure boot, secure software update, and trusted communication.

IEEE 802.1X supports multiple authentication methods, including public key authentication and X.509 certificates. Obtained through a PKI, X.509 certificates are digitally signed documents that are used to validate the identity of any connected device, sensor, or piece of equipment – helping manufacturers ensure trust in their machines and, ultimately, develop effective products.

Proper validation of X.509 certificates relies heavily on certificate authorities. As part of the X.509 verification process, each certificate must be signed by the issuing certificate authority named in that certificate. While this can be a complicated process, there are resources that make it easier for industrial enterprises to access PKI infrastructure. One such resource is Open Industrial PKI, which offers a free service for issuing and managing X.509 certificates.
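The verification rule above and the expiry visibility discussed earlier can be shown together in a short Go program. This is an added example, not code from the article or from Keyfactor; the CA and sensor names, the Ed25519 keys (chosen only for brevity) and all function names are assumptions, and every certificate is constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed certificate; a nil parent yields a self-signed CA.
func issue(cn string, serial int64, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA: mark it as allowed to sign certificates
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Check reports whether cert chains to root at time `at`, and the whole days left before it expires.
func Check(cert, root *x509.Certificate, at time.Time) (bool, int) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil, int(cert.NotAfter.Sub(at).Hours() / 24)
}

// Scenario runs three constructed cases against the trusted plant root.
func Scenario() (ok [3]bool, days [3]int) {
	now := time.Now().UTC().Truncate(time.Second) // X.509 times have one-second precision
	root, rootKey := issue("Constructed Plant Root CA", 1, now.AddDate(10, 0, 0), nil, nil)
	rogue, rogueKey := issue("Constructed Plant Root CA", 2, now.AddDate(10, 0, 0), nil, nil)
	good, _ := issue("sensor-01", 3, now.AddDate(0, 0, 20), root, rootKey)
	forged, _ := issue("sensor-02", 4, now.AddDate(0, 0, 20), rogue, rogueKey)
	ok[0], days[0] = Check(good, root, now)                   // signed by the trusted root
	ok[1], days[1] = Check(forged, root, now)                 // issuer name matches, signature does not
	ok[2], days[2] = Check(good, root, now.AddDate(0, 0, 30)) // same certificate, 10 days past expiry
	return
}

func main() { fmt.Println(Scenario()) }
```

The second case is the one to note: the certificate names the trusted CA as its issuer, but the name alone is not enough, because the signature was made with a different key.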

With the continued explosion of connected devices, industrial environments will only become more complex. To successfully navigate this complexity, manufacturers must establish trust and security across their production line. PKI technology makes it possible for manufacturers to enable authentication, encryption, and system integrity for connected sensors, applications, and machines across even the most complex environments.


About the Author:
Andreas Philipp is a Senior IoT Business Development Manager at Keyfactor, where he is focused on the integration and customization of cyber security solutions in the industrial IoT area. With a degree in communications engineering, he started his career more than 30 years ago as a developer in the area of applied cryptography within the area of POS Terminals and hardware security modules. In the course of his career, he managed the sales and marketing department of a medium-sized hardware security module provider for more than 10 years.
