
From Standard to Practice: Towards ISA/IEC 62443-Conform Public Key Infrastructures

  • Conference paper
Computer Safety, Reliability, and Security (SAFECOMP 2023)

Abstract

Public key infrastructures (PKIs) are a cornerstone for the security of modern information systems. They also offer a wide range of security mechanisms to industrial automation and control systems (IACS) and can represent an important building block for concepts like zero trust architectures and defense in depth. Hence, the ISA/IEC 62443 series of standards addresses the PKI paradigm, but there is little practical guidance on how to actually apply it to an IACS. This paper analyzes ISA/IEC 62443 for explicit and implicit requirements regarding PKI deployment to provide a guideline for developing and operating a standard-conform PKI. For this purpose, the analyzed requirements and IACS-specific constraints are combined with current research and best practices. To assess its viability, a tangible PKI use case is implemented in a test environment. The evaluation of this use case shows that common IACS components are capable of supporting PKI, but that important features are missing. For instance, the handling of PKI turns out to be time-consuming and involves many manual operations, a factor that could render large-scale operations impractical at this point in time.



Acknowledgment

This work was supported by the German Federal Ministry for Economic Affairs and Climate Action (BMWK) under grant no. 13I40V010A.


Corresponding author

Correspondence to Michael P. Heinl.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Heinl, M.P., Pursche, M., Puch, N., Peters, S.N., Giehl, A. (2023). From Standard to Practice: Towards ISA/IEC 62443-Conform Public Key Infrastructures. In: Guiochet, J., Tonetta, S., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2023. Lecture Notes in Computer Science, vol 14181. Springer, Cham. https://doi.org/10.1007/978-3-031-40923-3_15


  • DOI: https://doi.org/10.1007/978-3-031-40923-3_15


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-40922-6

  • Online ISBN: 978-3-031-40923-3

  • eBook Packages: Computer Science, Computer Science (R0)
