PKI’s critical role in industrial cybersecurity

Dec. 7, 2023
Industrial environments are becoming more complex with automated systems and smart devices being implemented to increase efficiencies

In industrial and manufacturing plants these days, finding an IoT device is like spotting a nut on the factory floor – they're everywhere. From environmental sensors and automated machinery to smart meters and, in some places, robot palletizers, IoT devices abound in factories, distribution centers, and utility plants.

The presence of these devices in industry reflects their ongoing explosion throughout society. According to IoT Analytics’ latest report, the number of connected IoT devices will hit 16.7 billion worldwide this year—more than twice the human population of the Earth—and grow to 30 billion in 2027. The IoT in industry and manufacturing will grow similarly.

IoT devices, however, aren’t just digital tools to improve efficiency, productivity, and safety. They are also machine identities on the network that represent potential vulnerabilities to an organization, its data, and its ability to operate. And machine identities can be just as vulnerable to attack as human users on the network.

Cyberattacks, particularly ransomware, continue to target manufacturing and industry, with manufacturing being the most targeted sector for ransomware in 2022. Stolen user and device credentials are at the heart of most of these attacks.

Leaders in industry and manufacturing are aware of the need to secure and authenticate IoT devices. The problem is that many of them are struggling with how to do it in a complex environment while keeping abreast of new industry standards and requirements.

Bringing Visibility and Control to IoT Devices with PKI

Tools that can help organizations get control of their machine identities are already firmly established and widely used: public-key infrastructures (PKI) and digital certificates.

PKI, the most used form of encryption today, employs public and private keys to encrypt communications between people, devices, and applications. It combines the use of a public key, which anyone can use to encrypt information, and a private key, which only one person can use to decrypt a message. The infrastructure portion of PKI governs the use of digital certificates, which verify the identities of the people, devices, or applications that own private keys and have access to the corresponding public keys.

Digital certificates are the electronic equivalent of passports, containing information that confirms the identities of users or entities. Specifically, X.509 certificates are most used for SSL/TLS connections to ensure that the client (e.g., a web browser) is not fooled by a malicious impersonator pretending to be a known, trustworthy website. 

However, digital certificates have an expiration date that is progressively being reduced. Over the last decade, the lifespan of certificates has been shortened from five years to 398 days, and Google is now shortening the life of Transport Layer Security (TLS) certificates used to authenticate web servers to 90 days.

And the number of devices and certificates to keep track of is continually growing. In the most recent State of Machine Identity Management report, the volume of digital certificates in use within organizations grew by 11% to 255,738 certificates in 2022, many of which they didn’t even know about. Sixty-two percent of respondents said they didn’t know how many certificates they had—in many cases, organizations can have five or 10 times as many as they thought they did.

The Need for Automated Management

Shorter lifespans, combined with the vast number of certificates an organization needs to manage, underscore the importance of automating certificate management. PKI can give organizations a clear visibility into the certificates they have and when those certificates will expire. It allows them to automate the management of the certificates, including the issuance of new certificates across the enterprise.

Automation can help prevent service outages caused by expired certificates, which is a frequent problem. In the same study, 77% of organizations experienced at least two significant certificate-related outages in the previous 24 months and 55% experienced multiple disruptive outages due to expired certificates.

PKI also can be an important piece of implementing zero trust, a critical goal for manufacturing companies that need to ensure the security of their supply chains as well as the integrity of their products. By providing unique digital identities and ensuring the security of end-to-end communications, PKI supports a zero-trust approach, along with other steps such as hardware-based and embedded security, digital certificate management, and continuous authentication.

Enabling Compliance with Industry Standards

In addition to providing unique, secure digital identities to users and devices on industrial networks, PKI also helps operators comply with industry standards for securing their environments, which have gone from recommended best practices to an evolving set of guidelines and mandates.

They include the ISA/IEC 62443 standards, which provide a framework for security levels and set cybersecurity benchmarks for all industry sectors for securing industrial automation and control systems. Several European Union directives can also apply, such as the EU Cyber Resilience Act, which establishes mandatory requirements for products with digital elements.

Several industry standards are also being developed, including IEEE 802.1. AR: Secure Device Identity, which sets a standard for secure device authentication credentials; OPC 10000-21: UA Part 21: Device onboarding, an open-source standard for securing and configuring devices; and ODVA CIP (Common Industrial Protocol) for industrial automation applications. As the standards fully develop and get implemented into components such as PKI by industrial vendors, manufacturers can adapt them to their operations.

Establishing Complete Trust Across Operations

Industrial environments are becoming more complex, as operators implement automated systems and smart devices to increase efficiencies. However the explosive growth of IoT devices—and their associated machine identities on the network—have greatly expanded the attack surface for industrial and manufacturing operations, making them prime targets for ransomware and other attacks.

The need to secure IoT devices as part of an enterprise’s overall security strategy is urgent. PKI can help by providing comprehensive visibility into an organization’s devices using encryption and authentication, and by enabling automated management of their digital certificates. When fully employed across an enterprise, it can also help manufacturers establish complete trust in their operations.

Andreas Philipp is a Senior IoT Business Development Manager at Keyfactor. With a degree in communications engineering, he started his career more than 30 years ago as a developer in applied cryptography within the area of POS Terminals and hardware security modules. During his career, he managed the sales and marketing department of a medium-sized hardware security module provider for more than 10 years. Currently, as Business Development Manager by Keyfactor, Andreas is focused on the integration and customization of cyber security solutions in the industrial IoT area.