PKI’s critical role in industrial cybersecurity | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

Bringing Visibility and Control to IoT Devices with PKI

Tools that can help organizations get control of their machine identities are already firmly established and widely used: public-key infrastructures (PKI) and digital certificates.

PKI, the most used form of encryption today, employs public and private keys to encrypt communications between people, devices, and applications. It combines the use of a public key, which anyone can use to encrypt information, and a private key, which only one person can use to decrypt a message. The infrastructure portion of PKI governs the use of digital certificates, which verify the identities of the people, devices, or applications that own private keys and have access to the corresponding public keys.

Digital certificates are the electronic equivalent of passports, containing information that confirms the identities of users or entities. Specifically, X.509 certificates are most used for SSL/TLS connections to ensure that the client (e.g., a web browser) is not fooled by a malicious impersonator pretending to be a known, trustworthy website. 

However, digital certificates have an expiration date that is progressively being reduced. Over the last decade, the lifespan of certificates has been shortened from five years to 398 days, and Google is nowshortening the life of Transport Layer Security (TLS) certificates used to authenticate web servers to 90 days.

And the number of devices and certificates to keep track of is continually growing. In the most recentState of Machine Identity Management report, the volume of digital certificates in use within organizations grew by 11% to 255,738 certificates in 2022, many of which they didn’t even know about. Sixty-two percent of respondents said they didn’t know how many certificates they had—in many cases, organizations can have five or 10 times as many as they thought they did.

The Need for Automated Management

Shorter lifespans, combined with the vast number of certificates an organization needs to manage, underscore the importance of automating certificate management. PKI can give organizations a clear visibility into the certificates they have and when those certificates will expire. It allows them to automate the management of the certificates, including the issuance of new certificates across the enterprise.

Automation can help prevent service outages caused by expired certificates, which is a frequent problem. In the same study, 77% of organizations experienced at least two significant certificate-related outages in the previous 24 months and 55% experienced multiple disruptive outages due to expired certificates.

PKI also can be an important piece of implementing zero trust, a critical goal for manufacturing companies that need to ensure the security of their supply chains as well as the integrity of their products. By providing unique digital identities and ensuring the security of end-to-end communications, PKI supports a zero-trust approach, along with other steps such as hardware-based and embedded security, digital certificate management, and continuous authentication.

Enabling Compliance with Industry Standards

In addition to providing unique, secure digital identities to users and devices on industrial networks, PKI also helps operators comply with industry standards for securing their environments, which have gone from recommended best practices to an evolving set of guidelines and mandates.

They include theISA/IEC 62443 standards, which provide a framework for security levels and set cybersecurity benchmarks for all industry sectors for securing industrial automation and control systems. Several European Union directives can also apply, such as theEU Cyber Resilience Act, which establishes mandatory requirements for products with digital elements.

Several industry standards are also being developed, includingIEEE 802.1. AR: Secure Device Identity, which sets a standard for secure device authentication credentials;OPC 10000-21: UA Part 21: Device onboarding, an open-source standard for securing and configuring devices; andODVA CIP (Common Industrial Protocol) for industrial automation applications. As the standards fully develop and get implemented into components such as PKI by industrial vendors, manufacturers can adapt them to their operations.

Establishing Complete Trust Across Operations

Industrial environments are becoming more complex, as operators implement automated systems and smart devices to increase efficiencies. However the explosive growth of IoT devices—and their associated machine identities on the network—have greatly expanded the attack surface for industrial and manufacturing operations, making them prime targets for ransomware and other attacks.

The need to secure IoT devices as part of an enterprise’s overall security strategy is urgent. PKI can help by providing comprehensive visibility into an organization’s devices using encryption and authentication, and by enabling automated management of their digital certificates. When fully employed across an enterprise, it can also help manufacturers establish complete trust in their operations.


Click Here For The Original Source.

National Cyber Security