AIS – ISA SUMMIT 2108 MID PKI – Add Trust in the OT and IoT Space Fabrizio Leoni– Head of Product Innovation Belgioioso (PV) - July 5th, 2018

1 05 | 07 | 2018

INTERNET OF THINGS THREATS

THREATS AND CONCERNS 1/2

Insecure web

interface

Week

authentication

Insecure

network services

Lack of

encryption

Privacy

concerns

Insecure cloud

interface

Insecure mobile

interface

Insufficient

security configurability

Insecure

software

Poor physical

security

05 | 07 | 2018

INTERNET OF THINGS THREATS

THREATS AND CONCERNS 2/2

2009 2013 2015 2016 2017

Puerto Rico smart

meter hacked

Foscam IP baby-

cam hijacked

Demonstration of

BMW’s connected drive vulnerability

VTech toymaker

data breach

Mirai – DDOS on

Deutsche Telekom Network

Source: Enisa

05 | 07 | 2018

INDUSTRIAL INTERNET OF THINGS

CONVERGENCE OF IT AND OT TRUSTWORTHINESS

Source: IIoT Consortium

Safety Privacy Security Reliability Resilience

Information technology (IT) Operation technology (OT)

IoT

Typical life of an IT HW/SW

component is three/five years

A survey (NIST) revealed that the average life of an industrial system

is 19 years.

05 | 07 | 2018

SCADA

COMMUNICATION CHANNELS

Scada

Level 0 Production scheduling

Level 1 Production

control

Level 2 Plant

supervisory

Level 3 Direct control

Level 4 Field level

Computer centre

Coordinating computer

Supervisory computer

Programmable logic

controller

Sensors

PLC

PLC

PLC

PLC

PLC

PLC

PLC

PLC

05 | 07 | 2018

IEC 62351

GUAARANTING INTEROPERABILITY

IEC 62351 specifies cryptographic key management, namely how to generate, distribute, revoke, and handle

public-key certificates and cryptographic keys to protect digital data and its communication.

The purpose of part No 9 of IEC 62351 is to guarantee interoperability among different vendors by specifying or

limiting key management options to be used.

Certification authority

Machine No.1 Machine No.2

05 | 07 | 2018

PKI INFRASTRUCTURE

ENROLLMENT AND ACCESS PROCESS

Certification authority

Certificate issued to an

entity

Access procedure

PKI-enabled system

Certificate verification

Access granted

05 | 07 | 2018

ATTRIBUTES CERTIFICATES

ROLE BASED ACCESS CONTROL

Attribute certificates provide an effective way to separate the management of identity from the management of

authorizations associated with an identity. Attribute certificates can be used to extend the information in a

public key certificate. They allow for instance for temporary enhancement of the permissions of the public

key certificate holder by specific role-based access information.

Predefined Roles

Attribute name Value

Viewer <0>

Operator <1>

Engineer <2>

Installer <3>

Secadm <4>

Secaud <5>

Rbacmnt <6>

05 | 07 | 2018

INFOCERT CASE HISTORY

HYDROPOWER GENERATION PLANT National power production network • 5 telecontrol centers • 100 RTU for node

2017 Perimeter • 1 telecontrol test center

05 | 07 | 2018

N Control Centersredundant

M Generation Plants

OCSP

responder

OCSP

Client

SCEP

Client

CA

RACert

CRL

repository

SCEP

server

PKI

Admin

PKI in redundant

USE CASES

FOCUS ON INDUSTRY 4.0, SMART CITY AND IOT INITIATIVES Power system

Power distribution

Gas/water distribution

Industrial manufacturing

Power supply

Water network

Charging stations

Living and buildings

Smart meter

Wearables

Car infotainments

Security

INFOCERT AS A TRUSTED THIRD PARTY

THE ROLE

Identity Authentication willingness

Signature Time stamp Geolocation Preservation Encryption

05 | 07 | 2018

MID PKI It’s not only a matter of Technology

ORGANIZATIONAL STRUCTURE • Accountability

• ADMIN’s Authentication

• Physical Access

TECHNOLOGICAL STRUCTURE • Certification Authority (CA)

• Registration Authority (RA)

• Automated Enrollment Protocols (SCEP/EST)

• Online Certificate Status Protocol (OCSP)

• Certificate Revocation List (CRL)

LEGAL STRUCTURE • Compliance Professional Services

• Log & Audit Trail

• Policy Enforcement

05 | 07 | 2018

THE SOLUTION

MDI PKI

Generated and exchanged information within a trusted IoT system are traced,

monitored and attributed with certainty

The issuance of digital certificates for devices and humans allows to certainly assign

responsibilities to actions undertaken by machines and people

High flexibility and market interoperability respectively due to adaptability to different

operating systems and compliance with common standards/protocol

Digital certificates are issued for both machines/devices and for the personnel who interact with them

Out of the box processes for secure secret sharing and automated machine certification

The PKI infrastructure protects the dialogue between operators and devices of the same production network

Benefits

05 | 07 | 2018

CERTIFICATE EMISSION

Certificate emission are managed for:

• Qualified Person

• Operative Person

• Machine

05 | 07 | 2018

QUALIFIED PERSON IDENTIFICATION AND ROLE ASSIGNMENT

05 | 07 | 2018

CHALLENGE PASSWORD PRE-ENROLLMENT

Security process, based on

Enrcypted information share, to

prepare devices for automatic

enrolment

Available with user front-end or rest

api interfaces

05 | 07 | 2018

CRL AND OCSP MANAGEMENT

Multiple revocation control

interfaces on separate modules,

console for OCSP and CRL

management, distributed OCSP

deployment available.

05 | 07 | 2018

MID DATASHEET (1)

Deployment models

On premises virtual (VMware v 6.0.0) fully

equipped or with external data base ORACLE

Cloud solution ready to run for quick POC

deployment, including SCEP and EST clients

Solution components are Nginx or Apache, Oracle or MySQL**, jboss, Linux (Centos/Red Hat 6) and Windows for CA client.

Supported Standards

Certificate compliance with ITU-T X.509v3 and RFC 5280

Certificate enrolment protocol: SCEP, CMP RFC 4210,

EST** RFC 7030

Certificate TLS compliance with CA/Browser Forum v.1.5.1

Revocation compliance with OCSP RFC 6960, CRL RFC

5280

Certification request format: PKCS#10

Key exchange format: PKCS#12

Connectivity protocols: LDAP, HTTPS

HSM interface: PKCS#11, optimized for Thales nShield

Compliance with IEC 62351-9

05 | 07 | 2018

MID DATASHEET (2)

Main Functionalities

Certificate templates for specific policy

Issuing certificate for natural persons

Issuing certificate for TLS server

Issuing certificate for IED or Things devices

Issuing** attribute certificate

Data confidentiality in communication and storage

UI for certificate life cycle management

Trust Anchor** RFC 7030

Certificate status in real time using OCSP

Cryptographic capabilities

Signature algorithm SHA256withRSAEncryption

Signature algorithm with Elliptic Curve ECDSA support**

Hash functions SHA256, SHA512

Certificate Key length 2048

Certificate Root Key length 4096

05 | 07 | 2018

RBAC role draft ISO/IEC TS 62351-8 OID 1.2.840.10070.8 profile A and profile B**

PKI console for Certificate Authority and Registration Authority

PMI** console for Attribute Certificate Authority

Thank you fabrizio.leoni@infocert.it

05 | 07 | 2018