Requirements from the relevant standards and norms

Figure 1: Authenticity check of supplied components using the device certificates issued by the manufacturer PKI.

© Profinet Protocol Security v1.05. s.l.: PNO, 2019

Various standards and norms explicitly require the secure handling of device identities in order to enable secure operation in the automation solution. In addition to the aforementioned IEEE 802.1AR (1), which describes certificates for device identities, IEC 62443 "Security for industrial automation and control systems", for example, specifies that identities based on secure keys must be used in secure keystores if a security level of greater than or equal to "3" is to be achieved (requirement CR 1.9).

Requirements and concepts for secure commissioning and secure operation are set out in various places, for example in the "Security Extensions for Profinet" [3] or for OPC UA in the "Device Provisioning" section [4]. The procedure always follows the same pattern. As a prerequisite for secure identification, the components must have manufacturer certificates that can be used to check the authenticity of the supplied device(Figure 1). The component is then assigned an identity in the operator network(Fig. 2). This operator certificate is now used for the actual data transmission in the automation system. The manufacturer certificate would only be needed again if the component is to be resold, for example.

Figure 2: Manufacturer and operator certificate: After taking possession, the operator certificate used during operation is also uploaded.

© Profinet Protocol Security v1.05. s.l.: PNO, 2019

Checking the device certificate

The realization of secure device identities begins with the use of secure key memories - such as TPMs - in the relevant products. The key pairs must be generated securely during production. A certificate signing request is then sent to the PKI in order to obtain a device certificate. As this process can only take place at predetermined checkpoints, only authorized devices receive an x.509 certificate that can be traced back to a trust anchor (root certificate) of the device PKI. The certificate is now stored in the device and can be used for authentication in the context of the supported protocols. The component manufacturer provides the trust anchors (root certificates) if they are not already integrated into the applications. For example, the engineering software used to program a controller (PLC) already includes the trust anchors for the respective controllers so that the user does not have to take any further steps.

Figure 3: Typical contents of a device certificate: Manufacturer name, device type and serial number.

© Phoenix Contact

The verification of the device certificate consists of two elements. In the first step, the certificate chain up to the trust anchor must be correct. This means that each certificate has been duly signed by the next higher instance up to the trust anchor - the root certificate. The trust anchor itself must have been obtained from the device manufacturer and stored in the appropriate certificate store. As a rule, software libraries analyze the digital signatures. It is then necessary to check whether the device certificate also matches the component. In accordance with IEEE 802.1AR, the following properties are stored for this purpose:

Figure 4: Digital rating plate with QR code for identification and reference to further information.

© Phoenix Contact

• organizationName (O): Name of the manufacturer,
• commonName (CN): Device type,
• serialNumber (SN): Serial number of the device(Fig. 3).

Additional entries can also be stored. In the context of the development of the digital type plate, in which a URI is specified via a QR code applied to the device, this URI can also be stored in the certificate(Figure 4).