PKI-based Security for the IACS Supply Chain

Supervisor(s): Michael Heinl, Sebastian Peters
Status: finished
Topic: Others
Author: Adrian Reuter
Submission: 2022-10-17
Type of Thesis: Master's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching


As a consequence of the tremendous increase in interconnected devices
deployed in the context of Industrial Automation and Control Systems
(IACS) and the industrial Internet of Things, the need for scalable and
yet secure on-boarding procedures increases. A trust relationship
between a new device and its operator domain can be seen as an essential
prerequisite for secure deployment, even before a device receives a
particular network or application layer configuration. Cryptographic
device identities and trust anchors imprinted on devices form the basis
for such a trust relationship.

This thesis analyses the IEEE 802.1AR standard for secure device
identifiers and the Bootstrapping Remote Secure Key Infrastructure
(BRSKI) protocol developed by the IETF ANIMA working group, and explores
their suitability for providing a PKI-based security mechanism for the
IACS supply chain. This thesis critically discusses central design
choices for mapping the BRSKI architecture to the architecture of IACS
and evaluates its conformity with the recommendations given by ISA/IEC
62443. Subsequently, this thesis designs, implements, and evaluates a
testbed which leverages BRSKI to establish locally significant
identities on new devices and demonstrates the integration of BRSKI with
the external domain PKI of an example industrial operator.

Our findings show that the BRSKI architecture can be successfully mapped
to the architecture of IACS and allows for great scalability due to the
high degree of automation of the secure bootstrapping process, without
requiring human interaction. Moreover, our evaluation shows that BRSKI
does not interfere with the strict availability requirement of
industrial environments and can be operated in conformance with the
security requirements defined in ISA/IEC 62443. This thesis concludes by
discussing the process of device ownership verification and highlights
the potential for outsourcing manufacturer-based authentication as a
cloud service.