The industrial sector is rapidly evolving, and organizations are accelerating their digitalization efforts with automation, AI, and connected sensors and machines. But while these efforts improve efficiency and enable new business models, they also widen the attack surface: every connected device becomes a target, and attacks on IoT equipment and ransomware threaten to disrupt industrial infrastructure and supply chains.
Many industrial organizations are protecting their operations with public key infrastructure (PKI). The results of Keyfactor’s State of Machine Identity 2023 report reveal that the main drivers furthering the use of PKI, keys, and digital certificates in the enterprise are zero-trust strategies (50%), IoT devices (49%), and cloud-based services (48%). The report covers respondents from more than 12 industries, including a high percentage from the industrial and manufacturing sectors.
Yet even though manufacturers know the importance of cybersecurity, some struggle to navigate its complexity in industrial environments and stay up to speed with emerging industry standard requirements, protocols, and concepts. Here we share how to start automating your industrial identity lifecycle, how EU cybersecurity legislation impacts the industrial sector, and why X.509 certificates are a must for the industrial cybersecurity market.
PKI is central to cybersecurity standards and regulations
The proliferation of smart factories and the convergence of OT and IT into one infrastructure have made digitalization a necessity in the industrial world. The resulting need for industrial cybersecurity has produced new standards and regulations that give vendors and operators a clear roadmap of the requirements they must meet to secure a smart-factory environment.
“Cybersecurity is absolutely essential, and we find that PKI technology is an integral building block in the cybersecurity industrial standards that are coming up,” said Andreas Philipp, Senior Business Development Manager, IoT at Keyfactor. “These standards have shifted from best practices to precise guidelines and implementation directives that will evolve in the upcoming years.”
There are three levels to the cybersecurity standards and regulations as they pertain to the industrial sector:
- Overall framework
  - IEC 62443: The basic framework defining security levels and the functions required of operators, product developers, and service providers.
- Regulation and directive
  - EU Cyber Resilience Act: Mandatory cybersecurity requirements for products with digital elements.
  - EU NIS2 (Network and Information Security Directive 2): Raises the level of cybersecurity across the European Union.
  - EU Machinery Directive: To increase trust in digital technologies.
- Industry standards (an extract)
  - IEEE 802.1AR: Secure Device Identity (the IDevID and LDevID certificates)
  - OPC 10000-12: UA Part 12: Discovery and global services
  - OPC 10000-21: UA Part 21: Device onboarding
  - BRSKI (RFC 8995): Bootstrapping Remote Secure Key Infrastructure
“These standards and regulations are at various stages of release, and then it will be up to the vendors like Keyfactor to implement the functionality and shape the infrastructure components like PKI to adapt with the industrial technology and protocol stack,” said Philipp.
Device identity: Where the trusted lifecycle begins
But these standards and regulations fall apart without one common goal: trust. Trust must be established from device manufacturer to integrator to operator, and the industrial sector will keep struggling to thread trust through the supply chain unless the journey starts with device identity.
“If you’re unable to provision, provide, or imprint a digital device identity in your physical device, then the whole afterward scenarios are useless,” cautions Philipp.
So how do industrial enterprises give a device a trustworthy identity? The answer is IEEE 802.1AR. The standard specifies a Secure Device Identity (DevID): an X.509 certificate and its private key, bound to the device and held in tamper-resistant storage, either installed by the manufacturer (IDevID) or issued later by the operator (LDevID). That identity is the foundation for all future functions and features, including:
- Secure device provisioning
- Secure boot
- Secure software update
- Trusted communication
Keyfactor will provide a solution that lets industrial organizations implement IEEE 802.1AR, provisioning IDevIDs and LDevIDs with the keys held on a low-cost USB HSM from our partner Swissbit, a leader in storing and protecting data. Keyfactor will publish the source code in a GitHub repository later this year and share more information at upcoming events and webinars.
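To make the manufacturer-to-operator handoff described above concrete, here is an added example in Go using only the standard library; it is not Keyfactor's code, not the forthcoming GitHub release, and not tied to any product. A constructed manufacturer CA issues an IDevID to a device key; the operator accepts the device only if the IDevID chains to a manufacturer root it trusts and carries a hardware serial on its own inventory, and then issues a short-lived LDevID for the same key. All CA names, the model "PLC-4000" and the serials are made up for the example, and the keys are generated in software here, where a real device would keep them in a secure element or an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IEEE 802.1AR permits an IDevID to carry notAfter = 99991231235959Z (GeneralizedTime), meaning
// "no well-defined expiry": the manufacturer-installed identity outlives any operator policy.
var devidNoExpiry = time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC)

// must panics on setup failures; the constructed scenario has no sensible recovery for them.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed CA. The CA names used below are made up for this example.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueDevID signs a DevID certificate for pub. The subject serialNumber attribute carries the
// hardware serial; that is the field the operator later matches against its device inventory.
func issueDevID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub any,
	model, hwSerial string, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:      pkix.Name{CommonName: model, SerialNumber: hwSerial},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// onboard is the operator's half of the handoff: accept the device only if its IDevID chains to a
// trusted manufacturer root AND names a serial the operator actually procured, then issue a
// short-lived LDevID for the same device key (which never leaves the device's secure element).
func onboard(idevid *x509.Certificate, mfrRoots *x509.CertPool, inventory map[string]bool,
	opCA *x509.Certificate, opKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: mfrRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := idevid.Verify(opts); err != nil {
		return nil, fmt.Errorf("IDevID rejected: %w", err)
	}
	hwSerial := idevid.Subject.SerialNumber
	if !inventory[hwSerial] {
		return nil, fmt.Errorf("IDevID rejected: serial %q not in operator inventory", hwSerial)
	}
	ldevidName := "plant-a/" + idevid.Subject.CommonName // operator-chosen, locally significant name
	return issueDevID(opCA, opKey, idevid.PublicKey, ldevidName, hwSerial, time.Now().AddDate(0, 3, 0))
}

// runScenario walks manufacturer -> operator with constructed identities and returns the LDevID of
// a genuine device plus the rejection errors for two devices that must be refused.
func runScenario() (ldevid *x509.Certificate, errUnknownCA, errUnknownSerial error) {
	mfrCA, mfrKey := newCA("Example Manufacturer IDevID CA")
	opCA, opKey := newCA("Example Operator LDevID CA")
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // on a real device: in the secure element
	idevid := must(issueDevID(mfrCA, mfrKey, &devKey.PublicKey, "PLC-4000", "SN-0001", devidNoExpiry))
	roots := x509.NewCertPool()
	roots.AddCert(mfrCA)
	inventory := map[string]bool{"SN-0001": true}
	ldevid = must(onboard(idevid, roots, inventory, opCA, opKey))
	// Counterfeit: same model and serial, but the IDevID is signed by a CA the operator never trusted.
	rogueCA, rogueKey := newCA("Rogue CA")
	rogue := must(issueDevID(rogueCA, rogueKey, &devKey.PublicKey, "PLC-4000", "SN-0001", devidNoExpiry))
	_, errUnknownCA = onboard(rogue, roots, inventory, opCA, opKey)
	// Genuine IDevID, but the operator never ordered this serial: chain validation alone would accept it.
	_, errUnknownSerial = onboard(idevid, roots, map[string]bool{"SN-9999": true}, opCA, opKey)
	return ldevid, errUnknownCA, errUnknownSerial
}

func main() {
	ldevid, errCA, errSerial := runScenario()
	fmt.Printf("LDevID for %s issued by %q\n%v\n%v\n", ldevid.Subject.SerialNumber, ldevid.Issuer.CommonName, errCA, errSerial)
}
```

Run it with `go run`. The two rejections show what the inventory check adds over chain validation alone: the counterfeit device fails because its IDevID does not chain to a trusted manufacturer root, while the unordered device fails the inventory check even though its IDevID is perfectly valid. The 99991231235959Z expiry is the value 802.1AR permits for an IDevID, which must last the life of the hardware; the LDevID, being operator-issued, can be short-lived and rotated through the operator's own PKI.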
The launch of Open Industrial PKI and the EJBCA Ready Program
Many machine builders and component manufacturers know that PKI is the enabler of trust in their network, but they grapple with how to put PKI technology to use. That is why Keyfactor partnered with Campus Schwarzwald, a German center for teaching, research, and technology in the mechanical engineering and manufacturing industry. Together, we have founded the open innovation network called Open Industrial PKI.
The non-profit offers a free service for issuing and managing X.509 certificates, making it easier for industrial enterprises to get started with PKI. Open Industrial PKI supports the industry with best practices and implementation examples for integrated PKI.
Keyfactor is also working with Campus Schwarzwald on the EJBCA Ready Program, an independent and free-of-charge PKI interoperability testing service, in which an industrial organization's device components are tested for compliance with standard PKI interfaces.
“We are excited about our partnerships with Campus Schwarzwald as we continue to help manufacturers and industrial operators with the expertise, technology, and resources to scale with digital trust and digital identity,” concluded Philipp.
To learn more about Keyfactor’s initiatives to support industrial cybersecurity and how PKI can protect your organization, watch the on-demand webinar The Role of PKI in Industrial Cybersecurity.