Automated Certificate Management for Industry 4.0 & Industrial Internet

IP.com Disclosure Number: IPCOM000242200D
Publication Date: 2015-Jun-25
Document File: 9 page(s) / 172K

Publishing Venue

The IP.com Prior Art Database

Related People

Thomas Locher: INVENTOR [+2]

Abstract

Industry 4.0 is a term used to describe the next generation of production systems. Its core is the computerization and the trend towards an industrial Internet of Things (IoT), which rely on networked systems. We also assume that production processes will be set up in a much more dynamic way across company borders, and thus involve production devices of a multitude of companies.

Cyber security in the Industry 4.0 (industrial IoT) context is becoming more and more important, and secure device-to-device authentication is a crucial part of it, especially for production processes across company borders. Currently, the most prevalent method for user authentication on a device is to use usernames and passwords; however, this method is less suitable for device-to-device authentication.

Device-to-device authentication across the borders of production companies can be better achieved using public key cryptography and digital certificates, where a Certificate Authority (CA) verifies that the claimed public key is indeed tied to the device and comes from a legitimate source. The certificate is issued by a trusted CA whose public key is typically preinstalled in the devices. While this is a standard approach in classic enterprise IT, it is not yet widely employed in industrial environments. One of the reasons is discussed in the following.

In the industrial IoT scenario, a device may be involved in several production processes of several companies. In a production process, however, the owner of the process needs to make sure only authenticated and authorized devices are involved.

In the traditional IT domain for user authentication, before issuing a digital certificate to a user or a server in the IT infrastructure, the CA verifies the identity of the requesting party, e.g. by passport, phone, domain validation (by sending an email to the person responsible for the domain) etc. Thus, manual steps verifying the human user's identity are involved. However, in contrast to the IT world, for devices in the IoT domain this process is rather labor intensive, as we foresee the administrator of the devices having to deal manually with the registration and validation of a high number of devices, which makes the whole process expensive. In addition, as the selection of a trusted CA often depends on the customer, it is not possible for the devices to come with a preinstalled legitimate digital certificate, as the certificate issuing process is performed by the trusted CA at the customer's site.

Therefore, the focus of this invention is to answer the question of how the devices can automatically request and obtain a certificate from a CA in a secure yet efficient manner:

a) How can the CA determine which devices are allowed to request a certificate?
b) How can the CA perform basic authentication steps for the device that claims to be entitled to a certificate?

Note that there may be a registration authority (RA) that has detailed information about the network and that cooperates with a CA to certify devices. For the sake of a simple exposition we assume that the CA and RA are one entity in the following.

In contrast to the IT world, in the industrial IoT scenario, the production process itself knows which devices and systems will be used for the productization of a good. We use this knowledge to ensure that all involved components in a production process are trustworthy, i.e., by automatically validating the public keys and the chain(s) of trust. Whenever devices are encountered that have not been used before, the system automatically verifies the device's identity based on device-specific information and issues production-process-related certificates on the fly.

Therefore, the invented approach has the following features:

a) The devices that are used for a production process are identified based on the formal process description, which includes information about the devices in the system, the network topology, the data flows, etc. This information is then extracted and transferred to the CA. In this scenario, this will enable the CA to gain detailed knowledge of the devices that will issue requests. Moreover, since the CA knows about the expiration dates of current certificates, it could even shut down and only wake up at times when certificates are about to expire or when the configuration of the system changes, e.g., when new devices are added.
b) Since the CA (which, as mentioned before, we also consider to be the RA) has detailed knowledge about each authorized device, such as its serial number, MAC address, firmware information, manufacturer, type of node, the hops necessary to reach it, at which switch the device is connected etc., it can use this information to perform a basic authentication of the device and verify that the device is allowed to request a certificate.
c) The invention comprises a mechanism or process that leverages information about the devices in an industrial control system to securely issue certificates for these devices.

For an easier description of the functionality, we use a modularized description. However, the invention is not tied to these modules, i.e., the modules can also be combined or further split.

1) An authentication module running on the CA to verify the authenticity of the requesting device.
2) An extractor module that extracts specific information about a device such as the serial number, MAC address, manufacturer etc. from the devices.
3) A measurement module that measures some of the characteristics of the communication between a device and the CA, such as the path through the network, the sub-network where it is located, number of hops from the device to the CA etc.
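
The check in feature b), written out as an added example that is not part of the disclosure: the CA compares the attributes reported by the extractor module and the network observations from the measurement module against the inventory derived from the process description. The record layout, the function name and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Expected:
    mac: str
    manufacturer: str
    firmware: str
    subnet: str  # sub-network the device should be located in
    switch: str  # switch the device should be connected to
    hops: int    # expected number of hops between device and CA

# Constructed inventory keyed by serial number (all values are made up).
INVENTORY = {
    "SN-1001": Expected("02:00:00:00:10:01", "ExampleCorp", "2.4.1",
                        "10.20.0.0/24", "sw-cell-3", 2),
    "SN-1002": Expected("02:00:00:00:10:02", "ExampleCorp", "2.4.1",
                        "10.20.1.0/24", "sw-cell-4", 3),
}

def check_request(extracted, measured, inventory=INVENTORY):
    """Return mismatching attributes (empty list: request matches the inventory)."""
    # extracted: reported by the device itself (extractor module)
    # measured:  observed on the network path (measurement module)
    rec = inventory.get(extracted.get("serial"))
    if rec is None:
        return ["serial not in process description"]
    problems = []
    if str(extracted.get("mac", "")).lower() != rec.mac.lower():
        problems.append("mac")
    for field in ("manufacturer", "firmware"):
        if extracted.get(field) != getattr(rec, field):
            problems.append(field)
    try:
        in_subnet = ip_address(measured.get("source_ip", "")) in ip_network(rec.subnet)
    except ValueError:
        in_subnet = False
    if not in_subnet:
        problems.append("subnet")
    for field in ("switch", "hops"):
        if measured.get(field) != getattr(rec, field):
            problems.append(field)
    return problems

# Constructed requests: a matching one, then the same claimed identity from another location.
GOOD = ({"serial": "SN-1001", "mac": "02:00:00:00:10:01",
         "manufacturer": "ExampleCorp", "firmware": "2.4.1"},
        {"source_ip": "10.20.0.17", "switch": "sw-cell-3", "hops": 2})
RELOCATED = (GOOD[0], {"source_ip": "10.20.1.9", "switch": "sw-cell-4", "hops": 3})
```

The second request carries a correct serial number and MAC address but is flagged on sub-network, switch and hop count, which are the values the CA side measures rather than the ones the device reports about itself.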

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 15% of the total text.

Type of document

Invention Disclosure

Automated Certificate Management for Industry 4.0 & Industrial Internet

1. Background

Industry 4.0 is a term used to describe the next generation of production systems. Its core is the computerization and the trend towards an industrial Internet of Things (IoT), which rely on networked systems. We also assume that production processes will be set up in a much more dynamic way across company borders, and thus involve production devices of a multitude of companies.

Cyber security in the Industry 4.0 (industrial IoT) context is becoming more and more important, and secure device-to-device authentication is a crucial part of it, especially for production processes across company borders. Currently, the most prevalent method for user authentication on a device is to use usernames and passwords; however, this method is less suitable for device-to-device authentication.

Device-to-device authentication across the borders of production companies can be better achieved using public key cryptography and the use of digital certificates, where a Certificate Authority (CA) verifies that the claimed public key is indeed tied to the device and comes from a legitimate source. The certificate is issued by a trusted CA whose public key is typically preinstalled in the devices. While this is a standard approach in classic enterprise IT, it is not yet widely employed in industrial environments. One of the reasons is discussed in the following.


2. Problem Description

In the industrial IoT scenario, a device may be involved in several production processes of several companies. In a production process, however, the owner of the process needs to make sure only authenticated and authorized devices are involved.

In the traditional IT domain for user authentication, before issuing a digital certificate to a user or a server in the IT infrastructure, the CA verifies the identity of the requesting party, e.g. by passport, phone, domain validation (by sending an email to the person responsible for the domain) etc. Thus, manual steps verifying the human user's identity are involved. However, in contrast to the IT world, for devices in the IoT domain this process is rather labor intensive as we foresee the administrator of the devices to manually deal with the registration and validation of a high number of devices, which makes the whole process expensive. In addition, as the selection of a trusted CA often depends on the customer, it is not possible that the devices come with a preinstalled legitimate digital certificate as the certificate issuing process is performed by the trusted CA at the customer's site.

Classification / Information for filing: CH-1429301
Created by: Thomas Locher, Sebastian Obermeier
Date: 2014-11-28
Pages: 9

Therefore, the focus of this invention is to answer the question on how the devices can automatically request and obtain a certificate from a CA in...