Skip to main content

From Standard to Practice: Towards ISA/IEC 62443-Conform Public Key Infrastructures

  • Conference paper
  • First Online:
Computer Safety, Reliability, and Security (SAFECOMP 2023)

Abstract

Public key infrastructures (PKIs) are a cornerstone for the security of modern information systems. They also offer a wide range of security mechanisms to industrial automation and control systems (IACS) and can represent an important building block for concepts like zero trust architectures and defense in depth. Hence, the ISA/IEC 62443 series of standards addresses the PKI paradigm, but there is little practical guidance on how to actually apply it to an IACS. This paper analyzes ISA/IEC 62443 for explicit and implicit requirements regarding PKI deployment to provide a guideline for developing and operating a standard-conform PKI. For this purpose, the analyzed requirements and IACS-specific constraints are combined with current research and best practices. To assess its viability, a tangible PKI use case is implemented in a test environment. The evaluation of this use case shows that common IACS components are capable of supporting PKI, but that important features are missing. For instance, the handling of PKI turns out to be time-consuming and involves many manual operations, a potential factor to render large-scale operations impractical at this point in time.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 49.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 64.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. BSI: Kryptographische Verfahren: Empfehlungen und Schlüssellangen (2022)

    Google Scholar 

  2. BSI: Kryptographische Verfahren: Empfehlungen und Schlüssellangen Teil 2 - Verwendung von Transport Layer Security (TLS) (2022)

    Google Scholar 

  3. BSI: Kryptographische Vorgaben für Projekte der Bundesregierung Teil 4: Kommunikationsverfahren in Anwendungen (2022)

    Google Scholar 

  4. CA/Browser Forum: Network & Certificate System Security Requirements (2021)

    Google Scholar 

  5. CA/Browser Forum: Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (2022)

    Google Scholar 

  6. CODESYS GmbH: Features and Improvements CODESYS V3.5 SP16 (2020)

    Google Scholar 

  7. ETSI EN 319 401 V2.3.1: Electronic Signatures and Infrastructures; General Policy Requirements for Trust Service Providers (2021)

    Google Scholar 

  8. ETSI EN 319 411-1 V1.3.1: Electronic Signatures and Infrastructures; Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements (2021)

    Google Scholar 

  9. Fockel, M., et al.: Designing and integrating IEC 62443 compliant threat analysis. In: EuroSPI 2019 (2019)

    Google Scholar 

  10. Hagen, B.: Security analysis of an interconnected industrial automation testbed (production line). Master’s thesis, Hochschule Augsburg (2022)

    Google Scholar 

  11. Hanke, M.: Embedded PKI in industrial facilities. In: ISSE/SECURE 2007 (2007)

    Google Scholar 

  12. Heinl, M.P., et al.: MERCAT: a metric for the evaluation and reconsideration of certificate authority trustworthiness. In: CCSW 2019 (2019)

    Google Scholar 

  13. Hughes, L.E.: Issue and manage windows logon certificates. In: Pro AD Certificate Services: Creating & Managing Digital Certificates for Use in MS Networks. Apress (2022)

    Google Scholar 

  14. IEC 61131-3:2013: Programming languages (2013)

    Google Scholar 

  15. IEC 62443-2-1:2010: Establishing an IACS security program (2010)

    Google Scholar 

  16. IEC 62443-2-4:2015: Sec. program requirements for IACS service providers (2015)

    Google Scholar 

  17. IEC 62443-3-2:2020: Security risk assessment for system design (2020)

    Google Scholar 

  18. IEC 62443-3-3:2013: System security requirements and security levels (2013)

    Google Scholar 

  19. IEC 62443-4-2:2019: Technical security requirements for IACS components (2019)

    Google Scholar 

  20. IEC TR 62443-2-3:2015: Patch management in the IACS environment (2015)

    Google Scholar 

  21. IEC TS 62443-1-1:2009: Terminology, concepts and models (2009)

    Google Scholar 

  22. Khan, S., et al.: Survey on issues and recent advances in vehicular public-key infrastructure (VPKI). IEEE COMST 24(3) (2022)

    Google Scholar 

  23. Leander, B., et al.: Applicability of the IEC 62443 standard in Industry 4.0/IIoT. In: ARES 2019 (2019)

    Google Scholar 

  24. Maidl, M., et al.: A comprehensive framework for security in engineering projects - based on IEC 62443. In: IEEE ISSREW 2018 (2018)

    Google Scholar 

  25. Maletsky, K.: RSA vs. ECC Comparison for Embedded Systems (Microchip) (2020)

    Google Scholar 

  26. NIST: FIPS 140-3: Security Requirements for Cryptographic Modules (2019)

    Google Scholar 

  27. NIST: SP 800-57 Part 2 Rev. 1 - Recom. for Key Management: Part 2 - Best Practices for Key Management Organizations (2019)

    Google Scholar 

  28. NIST: SP 800-57 Part 1 Rev. 5 - Recom. for Key Management: Part 1 - General (2020)

    Google Scholar 

  29. OPC UA Foundation: Practical Security Recommendations for building OPC UA Applications. Whitepaper Security Working Group (2018)

    Google Scholar 

  30. Paul, S., et al.: Towards post-quantum security for cyber-physical systems: integrating PQC into industrial M2M communication. In: ESORICS 2020 (2020)

    Google Scholar 

  31. Paul, S., et al.: Mixed certificate chains for the transition to post-quantum authentication in TLS 1.3. In: ASIA CCS 2022 (2022)

    Google Scholar 

  32. RFC 3647: Internet X.509 PKI Certificate Policy & Certification Pract. Framew. (2003)

    Google Scholar 

  33. RFC 5280: Internet X.509 PKI Certificate and CRL Profile (2008)

    Google Scholar 

  34. RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions (2011)

    Google Scholar 

  35. RFC 6960: X.509 Internet PKI Online Certificate Status Protocol (2013)

    Google Scholar 

  36. RFC 7030: Enrollment over Secure Transport (2013)

    Google Scholar 

  37. RFC 8894: Simple Certificate Enrolment Protocol (2020)

    Google Scholar 

  38. Siemens AG: SIMATIC S7-1200 Programmable controller (2015). https://cache.industry.siemens.com/dl/files/121/109478121/att_851433/v1/s71200_system_manual_en-US_en-US.pdf

  39. Siemens AG: Using Certificates with TIA Portal (2019). https://support.industry.siemens.com/cs/attachments/109769068/109769068_CertificateHandlingTIAPortal_V1_0_en.pdf

  40. Siemens AG: Config. of TLS-based PG/HMI Com. and the Protection of Confidential PLC Config. Data (2021). https://support.industry.siemens.com/cs/attachments/109772940/s71200_system_manual_en-US_en-US.pdf

  41. Siemens AG: SIMATIC S7–1500, ET 200MP, ET 200SP, ET 200AL, ET 200pro Communication (2021). https://cache.industry.siemens.com/dl/files/942/84133942/att_1098064/v1/et200sp_manual_collection_en-US.pdf

  42. U.S. Department of Transportation: Security Credential Management System (SCMS). https://www.its.dot.gov/factsheets/pdf/CV_SCMS.pdf

  43. Vahdati, Z., et al.: Comparison of ECC and RSA algorithms in IoT devices. JATIT (2019)

    Google Scholar 

  44. Yunakovsky, S.E., et al.: Towards sec. recommendations for PKIs for production environments in the post-quantum era. EPJ Quantum Technol. 8(1) (2021)

    Google Scholar 

Download references

Acknowledgment

This work was supported by the German Federal Ministry for Economic Affairs and Climate Action (BMWK) under grant no. 13I40V010A.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Michael P. Heinl .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Heinl, M.P., Pursche, M., Puch, N., Peters, S.N., Giehl, A. (2023). From Standard to Practice: Towards ISA/IEC 62443-Conform Public Key Infrastructures. In: Guiochet, J., Tonetta, S., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2023. Lecture Notes in Computer Science, vol 14181. Springer, Cham. https://doi.org/10.1007/978-3-031-40923-3_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-40923-3_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-40922-6

  • Online ISBN: 978-3-031-40923-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics