2020-04-14

PKI in manufacturing – Creating an industrial PKI Registration Authority

The industrial Registration Authority (RA) requires extended flexibility and robustness compared to classic Public Key Infrastructure RAs. It needs to be able to model and re-model the production processes while maintaining the security level required to create trusted device identities directly on the production floor.

In a classic Public Key Infrastructure (PKI) concept, the Registration Authority (RA) is responsible for the certificate issuance process, including the authenticity of the identity information that is included in the certificate that is signed by the Certification Authority.

It is often desirable to physically separate the Certificate Authority and the RA, allowing the Certificate Authority to reside in a secure environment with only minimal access, while the RA can reside “closer” to the actual issuing process and enables for an additional layer of security around the Certificate Authority. The Certificate Authority service is often managed in the company’s data center (IT) or by a service provider. This is also the case for industrial or smart manufacturing PKIs. However, what is new is that, the Registration Authority has to be located directly at the production line and carry out the identity verification and certificate issuance during production. This requires a new security approach for the Registration Authority concerning hardware requirements, separation of network interfaces, administrative functions to support the lifecycle of a production line and maintenance services.

The RA as it is defined in a traditional PKI becomes the new industrial RA

The industrial RA has to support all the capabilities of a RA in a classical PKI and more, including:

  • Key generation by the device
  • Key generation by the RA using a built-in random number generator
  • Creation of certificate requests according to the defined protocols and certificate specifications
  • Support for relevant cryptographic algorithms
  • Support the processes of establishing identity.

The process of establishing the identity is one area where the industrial RA typically differs.
Especially when matching the information. The process-related procedures must be considered and individually adapted and readapted as new products are being produced on the production line. Here, a wide range of variants must be considered: Which MES system must be queried; how is the existing data structured; is there a PLM or ERP system that must be queried, what happens in the event of a failure or error, which log information must be written to where and when? The final result for each new product is always to use defined unique identity information such as serial numbers, MAC addresses, motor identification numbers, etc. process it together with available information from relevant systems and, after successful validation, create the corresponding certificate signing request.

In addition, there are sometimes no standardized interfaces in the production networks to communicate with devices during the manufacturing process. For example, some modules can only be accessed via serial interfaces and proprietary protocols. Other systems, such as industrial PCs (IPCs), have Ethernet interfaces, while others have industrial bus interfaces.

Becoming the new industrial RA

The industrial RA requires extended flexibility and robustness compared to the classical PKI RA. It needs to be able to model and re-model the production processes while maintaining the security level required to create trusted device identities directly on the production floor. An industrial RA has to have a flexible and robust:

  • Device interface for communication with different devices in the production. The interface will change as the production line is updated to produce a new product
  • Trust service (PKI Service) interface for communication with the certificate-issuing services. The CA should change, but the Certificate Authority service might also change as the production line is updated to produce a new product
  • Process modeling tool for creating, managing and adapting the identity verification processes. The process for identity verification will change as the production line is updated to produce a new product.
  • IPC-based hardware, that connects to the production facilities and the trust service via separate, physically separated Gigabit Ethernet interfaces and support the defined security policy.
  • Security module, the trust anchor, where all necessary cryptographic keys and data can be stored, a hardware (and in some cases software) protected area.
  • Maintenance/update process that can be performed during operation and by personnel available at the production floor. This is important because an interruption of production processes is unacceptable in the majority of companies.

Two webinars provide deep practical insights

On the 21st of April, PrimeKey is launching its new, first-of-its-kind, Registration Authority product for the manufacturing industry, PrimeKey Identity Authority Manager.

We will accompany the launch with two webinars:

Securing Industry 4.0 – Introducing the first industrial PKI solution to secure smart supply chains

Industry executives will learn, among other things, how to model unique publishing processes for identity discovery, how to put them into operation and how to redesign them as soon as the production process needs to be updated.

Date and time: April 28, 2020, 4:00 p.m
Duration: 45 minutes
Cost: Free

Register here

What’s inside the PrimeKey Identity Authority Manager – a techie’s dream

The focus lies on typical product identities as well as the functions of the Identity Authority Manager and its connection to PKI. In addition, the focus will be on formulating a modern IIoT product strategy and implementing the security functions with the Identity Authority Manager.

Date and time: May 12, 2020, 4:00 p.m.
Duration: 45 minutes
Cost: Free

Register here


 

Author: Andreas Philipp

Andreas Philipp has more than 20 years of extensive experience in several roles and positions within the Security Module Business. He joined PrimeKey in 2017 and is now Business Development Manager with his base in Aachen, Germany.

Contact Andreas:
andreas.philipp@primekey.com

 

 

 


 

 

How can we help?

    I accept that PrimeKey stores my information, and I accept cookies for analysis and business identification. Read more about cookies and privacy policy here.
Contact us