Secure device identity in Industrial Cybersecurity

IEEE 802.1AR provides frameworks for issuing and managing birth identities for industrial infrastructure and IoT devices. Testing and prototyping with EJBCA today will put you well on your way to building a scalable and robust supply chain security infrastructure.

Challenge

Establishing trust on the factory floor

Modern factories are made of complex assembly lines, and the machines themselves are built from elementary computerized bricks: Programmable Logic Controllers, Human-Machine Interfaces, sensors, Real-Time Units, and gateways. These machines interconnect with one another and with on-site and off-site systems such as Manufacturing Execution Systems (MES), Supervisory Control and Data Acquisition (SCADA), Enterprise Resource Planning (ERP), databases, digital twins, edge and cloud services, and SaaS. As Ethernet makes more and more progress into field buses, so do IP addressing and protocols such as TCP, UDP, HTTP, and MQTT. With these protocols comes the possibility for any machine or subsystem to mutually authenticate with remote peers and secure end-to-end channels by using Transport Layer Security (TLS), X.509 certificates, and private Public Key Infrastructures (PKI).

How can a factory operator enroll a new machine into their own IT and then provision connections to cloud services or SaaS with a simple process?

What can a machine builder do to ease this process?

What should the OEMs manufacturing the PLCs, HMIs, RTUs, and gateways do to make this possible?

For a developer of industrial equipment and machines, or a cybersecurity expert supervising the deployment and operational security of a connected factory, implementing such technology is essential to safeguard against potential cyber threats. Modern industry standards and recommendations call for PKI and X.509 certificates to secure and authenticate communication, software, and supply chains for Industry 4.0. Examples of such standards and recommendations are:

  • IEEE 802.1AR - defines IDevIDs and LDevIDs: respectively, the initial device certificate issued/injected by the OEM PKI and the operational certificates issued and renewed by the operator PKI.
  • HTTPS, MQTTS - secure HTTP and MQTT with the mutual (D)TLS protocol, using X.509 certificates provisioned on both sides by their respective PKI.
  • OPC-UA Part 21 (device onboarding) - a model that allows the security configuration of a device to be managed over the complete lifecycle of the device, from manufacture to decommissioning.
  • RFC 8995 (Bootstrapping Remote Secure Key Infrastructure – BRSKI) - enables secure and automated provisioning of X.509 certificates to IoT devices during the bootstrapping process.

Solution

Get your project off to a good start by adding the appropriate security

By leveraging EJBCA for your testing and prototyping today, you will be well on your way to creating a trusted supply chain based on a solution that is both scalable and robust.

Using our best practices, how-tos, and videos, you can set up a PKI to issue certificates for your industrial infrastructure and IoT devices. Once you're up and running, you can start tailoring your PKI, and you'll have a fully functional PKI, including roles, certificate profiles, a configured use case/issuing protocol, revocation support, and system documentation.

Get started with our video tutorials and how-tos:

  • Get started with Birth Identities based on IEEE 802.1AR
  • Issuing of TLS certificates via EJBCA RA Web or REST

Tutorials

REST
2023-06-18

Automated certificate issuing via EJBCA REST

PYTHON / POSTMAN
Birth Identities
IoT
2023-05-30

Get started with birth identities based on IEEE 802.1AR

IEEE 802.1AR
DevOps
Get started
TLS & mTLS
2023-05-11

Certificate management in Kubernetes with cert-manager and EJBCA

CERT MANAGER
DevOps
IoT
TLS & mTLS
2023-02-06

Client TLS certificates for mTLS, manual issuance

mTLS
DevOps
IoT
TLS & mTLS
2023-02-06

Server TLS certificates, manual issuance

mTLS
