Gone are the days when manufacturers only had to worry about security within their physical location. Modern manufacturers are managing cyber-physical systems, comprised of connected OT devices that interface and exchange information with IT systems and other participants in the value chain.
Last week at Hannover Messe, the world’s leading industrial event, we took part in a joint demo from the Industrial Internet Consortium (IIC) and Plattform Industrie 4.0 (I4.0) that mimics this heterogeneous security environment by bringing together more than 24 companies. The demo showed how these disparate systems exchange data using existing products and technologies.
Using security event monitoring as a proof point, the demonstrated solution showed how these events can be collected and shared across the value chain, allowing members to see all events relevant to them from heterogeneous sources and systems. In the demo, data from remote and local OT devices (sensors) was sent to a redirector gateway, which then forwarded the information to cloud or local SIEMs (event monitors), where it was available for consumption and for triggering additional workflows.
Note: I’ve embedded a video overview of our role in the demo below.
What Does the Demo Show?
Shared security event monitoring:
- Security events from disparate value chain systems are collected and shared for consumption by all members of the chain.
- The demo uses existing products and technologies, showing how this type of solution can be implemented today without disrupting operations.
How PKI secures communications and adds trust:
- Authenticating sources of data.
- Ensuring integrity of generated data.
- Encrypting transmission of data and other communications.
- Authorizing access to or from a device.
GlobalSign's Role in the Demo: Establishing Trusted Identity and Securing Communications
Much of the transformative value of these connected value chains is dependent on the generation and consumption of data, but that value is lost if the data cannot be trusted. What is the value in sharing security event monitoring if you can’t trust the source of the data or that the information hasn’t been compromised?
We solve this problem with Public Key Infrastructure (PKI). Providing PKI-based identities (in the form of X.509 certificates) to the various components in the value chain means you can:
- Trust the source of the data – you know the data came from an authorized source.
- Protect data from being altered in transit – you know the data is accurate.
- Protect data from being read if intercepted – you know the data, your intellectual property, is encrypted in transit.
How It Works
We issued certificates to each of the components in the demo – the devices, the gateways, and the SIEMs. The certificates are from two different issuing CAs – one for the IIC and one for I4.0 – with GlobalSign providing an emulated Bridge CA so that components in either domain can communicate and trust each other’s certificates. This setup demonstrates how different manufacturers that are part of a supply chain can keep their existing PKI setup while still trusting another member’s PKI-based identity.
The certificates are used to identify and authenticate each component of the system, ensuring that only authorized devices and SIEMs generate and consume the data. Providing certificates to each component also enables the data transmissions to be encrypted and protected from tampering. Servers, gateways or control systems can then use these certificates to enforce access management policies and so control authorization of devices based on their PKI credentials.
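The bridge arrangement described above, as an added example that is not the demo's own code, written in Go with only the standard library: two independent roots, a bridge whose key the IIC root certifies, and a cross-certificate the bridge issues for the I4.0 root's key, so a verifier that trusts only the IIC root can validate an I4.0 device certificate. All CA names, the device name and the serials are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
var serial int64 // constructed demo serials; a production CA uses large random serials
// issue signs a certificate for pub with subject cn; parent == nil makes it a self-signed root.
func issue(cn string, ca bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // a device authenticating to a gateway/SIEM
	}
	if ca { // CA certificates sign other certificates and carry no client EKU
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil { parent = tmpl } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// BridgeDemo builds the two-PKI topology and reports whether an I4.0 device certificate
// validates against the IIC trust anchor with and without the bridge cross-certificates.
func BridgeDemo() (withBridge, withoutBridge bool) {
	gen := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	iicKey, i40Key, bridgeKey, devKey := gen(), gen(), gen(), gen()
	iicRoot := issue("IIC Root CA", true, &iicKey.PublicKey, nil, iicKey)
	i40Root := issue("I4.0 Root CA", true, &i40Key.PublicKey, nil, i40Key)
	device := issue("i40-sensor-01", false, &devKey.PublicKey, i40Root, i40Key)
	// Cross-certificates: IIC root vouches for the bridge key; bridge vouches for the I4.0 root key.
	bridgeByIIC := issue("Bridge CA", true, &bridgeKey.PublicKey, iicRoot, iicKey)
	i40ByBridge := issue("I4.0 Root CA", true, &i40Key.PublicKey, bridgeByIIC, bridgeKey)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(iicRoot) // the IIC-side SIEM trusts only its own root
	inter.AddCert(bridgeByIIC); inter.AddCert(i40ByBridge)
	eku := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	_, err := device.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: eku})
	withBridge = err == nil
	_, err = device.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: eku}) // cross-certs withheld
	withoutBridge = err == nil
	return withBridge, withoutBridge
}
```

The path that succeeds is device → I4.0 Root CA (as cross-certified by the bridge) → Bridge CA (as certified by the IIC root) → IIC root; remove either cross-certificate and the IIC-side verifier has no route to the device.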
Scaling to Meet IIoT Needs
Our Managed PKI platform, which provisioned the certificates used in the demo, is capable of delivering over 3,000 certificates per second. This high-volume, high-velocity capacity meets the elastic needs of device manufacturers and OEMs supporting industrial systems, such as the OT devices, gateways and SIEMs included in the demo.
We’ll be back with more insights from the Hannover Messe show, so stay tuned! For more information about GlobalSign's solutions for securing the IoT, visit our website.