Development and Implementation of a Public Key Infrastructure for Industrial Environments

Supervisor(s): Michael Heinl, Alexander Giehl
Status: finished
Topic: Others
Author: Maximilian Pursche
Submission: 2022-05-16
Type of Thesis: Bachelorthesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

In the course of Industry 4.0, industrial OT systems are becoming more and more interconnected with traditional IT systems. Previously isolated environments are thus exposed to an increased risk of cyber attacks. This development has also been recognized by the International Society of Automation (ISA) and has led to the joint development of the ISA/IEC 62443 standards in cooperation with the International Electrotechnical Commission (IEC). The series of standards aims to adapt IT security concepts to the requirements of Industrial Automation and Control Systems (IACS). In this regard, particular attention must be paid to the strong availability constraints and the support of essential functions. Over the last few years, Public Key Infrastructure (PKI) based on X.509 certificates has emerged as an important component of IT security on the internet. ISA/IEC 62443 recognizes that PKI can also provide a wide range of security mechanisms with respect to IACS. However, the way in which the PKI paradigm should be applied to an IACS is hardly addressed by the standard.
This thesis analyzes the ISA/IEC 62443 series of standards for security requirements that may impact PKI deployment in order to subsequently provide a guideline on developing a PKI concept for such an environment. For this purpose, the requirements from ISA/IEC 62443 are combined with guidance from other sources. Best practices with regard to PKI are taken from international associations, including the CA/Browser Forum, the European Telecommunications Standards Institute (ETSI), and the Internet Engineering Task Force (IETF). It is apparent that within an IACS environment, PKI features, such as certificate validity periods, have to be evaluated differently than in the internet PKI. In order to assess the viability of the developed guideline, TLS is implemented as a tangible PKI use case in a representative test environment. The actual evaluation of the use case shows that modern IACS components are capable of supporting PKI, but that some important features are still missing for a fully standard-compliant employment. In addition, the handling of PKI in IACS turns out to be time-consuming and involves many manual operations, which may render large-scale operations impractical at this point in time.