AIS ISA SUMMIT 2108 · control Level 4 Field level Computer centre Coordinating computer...
Transcript of AIS ISA SUMMIT 2108 · control Level 4 Field level Computer centre Coordinating computer...
AIS – ISA SUMMIT 2108 MID PKI – Add Trust in the OT and IoT Space Fabrizio Leoni– Head of Product Innovation Belgioioso (PV) - July 5th, 2018
1 05 | 07 | 2018
INTERNET OF THINGS THREATS
THREATS AND CONCERNS 1/2
Insecure web
interface
Week
authentication
Insecure
network services
Lack of
encryption
Privacy
concerns
Insecure cloud
interface
Insecure mobile
interface
Insufficient
security configurability
Insecure
software
Poor physical
security
05 | 07 | 2018
INTERNET OF THINGS THREATS
THREATS AND CONCERNS 2/2
2009 2013 2015 2016 2017
Puerto Rico smart
meter hacked
Foscam IP baby-
cam hijacked
Demonstration of
BMW’s connected drive vulnerability
VTech toymaker
data breach
Mirai – DDOS on
Deutsche Telekom Network
Source: Enisa
05 | 07 | 2018
INDUSTRIAL INTERNET OF THINGS
CONVERGENCE OF IT AND OT TRUSTWORTHINESS
Source: IIoT Consortium
Safety Privacy Security Reliability Resilience
Information technology (IT) Operation technology (OT)
IoT
Typical life of an IT HW/SW
component is three/five years
A survey (NIST) revealed that the average life of an industrial system
is 19 years.
05 | 07 | 2018
SCADA
COMMUNICATION CHANNELS
Scada
Level 0 Production scheduling
Level 1 Production
control
Level 2 Plant
supervisory
Level 3 Direct control
Level 4 Field level
Computer centre
Coordinating computer
Supervisory computer
Programmable logic
controller
Sensors
PLC
PLC
PLC
PLC
PLC
PLC
PLC
PLC
05 | 07 | 2018
IEC 62351
GUAARANTING INTEROPERABILITY
IEC 62351 specifies cryptographic key management, namely how to generate, distribute, revoke, and handle
public-key certificates and cryptographic keys to protect digital data and its communication.
The purpose of part No 9 of IEC 62351 is to guarantee interoperability among different vendors by specifying or
limiting key management options to be used.
Certification authority
Machine No.1 Machine No.2
05 | 07 | 2018
PKI INFRASTRUCTURE
ENROLLMENT AND ACCESS PROCESS
Certification authority
Certificate issued to an
entity
Access procedure
PKI-enabled system
Certificate verification
Access granted
05 | 07 | 2018
ATTRIBUTES CERTIFICATES
ROLE BASED ACCESS CONTROL
Attribute certificates provide an effective way to separate the management of identity from the management of
authorizations associated with an identity. Attribute certificates can be used to extend the information in a
public key certificate. They allow for instance for temporary enhancement of the permissions of the public
key certificate holder by specific role-based access information.
Predefined Roles
Attribute name Value
Viewer <0>
Operator <1>
Engineer <2>
Installer <3>
Secadm <4>
Secaud <5>
Rbacmnt <6>
05 | 07 | 2018
INFOCERT CASE HISTORY
HYDROPOWER GENERATION PLANT National power production network • 5 telecontrol centers • 100 RTU for node
2017 Perimeter • 1 telecontrol test center
05 | 07 | 2018
N Control Centersredundant
M Generation Plants
OCSP
responder
OCSP
Client
SCEP
Client
CA
RACert
CRL
repository
SCEP
server
PKI
Admin
PKI in redundant
USE CASES
FOCUS ON INDUSTRY 4.0, SMART CITY AND IOT INITIATIVES Power system
Power distribution
Gas/water distribution
Industrial manufacturing
Power supply
Water network
Charging stations
Living and buildings
Smart meter
Wearables
Car infotainments
Security
INFOCERT AS A TRUSTED THIRD PARTY
THE ROLE
Identity Authentication willingness
Signature Time stamp Geolocation Preservation Encryption
05 | 07 | 2018
MID PKI It’s not only a matter of Technology
ORGANIZATIONAL STRUCTURE • Accountability
• ADMIN’s Authentication
• Physical Access
TECHNOLOGICAL STRUCTURE • Certification Authority (CA)
• Registration Authority (RA)
• Automated Enrollment Protocols (SCEP/EST)
• Online Certificate Status Protocol (OCSP)
• Certificate Revocation List (CRL)
LEGAL STRUCTURE • Compliance Professional Services
• Log & Audit Trail
• Policy Enforcement
05 | 07 | 2018
THE SOLUTION
MDI PKI
Generated and exchanged information within a trusted IoT system are traced,
monitored and attributed with certainty
The issuance of digital certificates for devices and humans allows to certainly assign
responsibilities to actions undertaken by machines and people
High flexibility and market interoperability respectively due to adaptability to different
operating systems and compliance with common standards/protocol
Digital certificates are issued for both machines/devices and for the personnel who interact with them
Out of the box processes for secure secret sharing and automated machine certification
The PKI infrastructure protects the dialogue between operators and devices of the same production network
Benefits
05 | 07 | 2018
CERTIFICATE EMISSION
Certificate emission are managed for:
• Qualified Person
• Operative Person
• Machine
05 | 07 | 2018
QUALIFIED PERSON IDENTIFICATION AND ROLE ASSIGNMENT
05 | 07 | 2018
CHALLENGE PASSWORD PRE-ENROLLMENT
Security process, based on
Enrcypted information share, to
prepare devices for automatic
enrolment
Available with user front-end or rest
api interfaces
05 | 07 | 2018
CRL AND OCSP MANAGEMENT
Multiple revocation control
interfaces on separate modules,
console for OCSP and CRL
management, distributed OCSP
deployment available.
05 | 07 | 2018
MID DATASHEET (1)
Deployment models
On premises virtual (VMware v 6.0.0) fully
equipped or with external data base ORACLE
Cloud solution ready to run for quick POC
deployment, including SCEP and EST clients
Solution components are Nginx or Apache, Oracle or MySQL**, jboss, Linux (Centos/Red Hat 6) and Windows for CA client.
Supported Standards
Certificate compliance with ITU-T X.509v3 and RFC 5280
Certificate enrolment protocol: SCEP, CMP RFC 4210,
EST** RFC 7030
Certificate TLS compliance with CA/Browser Forum v.1.5.1
Revocation compliance with OCSP RFC 6960, CRL RFC
5280
Certification request format: PKCS#10
Key exchange format: PKCS#12
Connectivity protocols: LDAP, HTTPS
HSM interface: PKCS#11, optimized for Thales nShield
Compliance with IEC 62351-9
05 | 07 | 2018
MID DATASHEET (2)
Main Functionalities
Certificate templates for specific policy
Issuing certificate for natural persons
Issuing certificate for TLS server
Issuing certificate for IED or Things devices
Issuing** attribute certificate
Data confidentiality in communication and storage
UI for certificate life cycle management
Trust Anchor** RFC 7030
Certificate status in real time using OCSP
Cryptographic capabilities
Signature algorithm SHA256withRSAEncryption
Signature algorithm with Elliptic Curve ECDSA support**
Hash functions SHA256, SHA512
Certificate Key length 2048
Certificate Root Key length 4096
05 | 07 | 2018
RBAC role draft ISO/IEC TS 62351-8 OID 1.2.840.10070.8 profile A and profile B**
PKI console for Certificate Authority and Registration Authority
PMI** console for Attribute Certificate Authority
Thank you [email protected]
05 | 07 | 2018