Key management for OT and IoT - ETSI · 2018-10-25 (transcript of the slides)
Key management for OT and IoT
Sophia Antipolis – 2018 October 25th
OT and IoT vs IT environment
The Authentication issue:
The very first problem: how can each device trust that the other party really is who it declares to be? Is this guy/machine really entitled to perform this action?
The answer is identity/role management and related reliable techniques:
The Authentication process and Role Based Access Control
Two main scenarios are to be considered:
• Human to Machine: the classical User and Password auth method is widely used (e.g. MS AD)
• Machine to Machine (OT and IoT stuff): User and Password are not really suitable.
[Figure: security priorities compared. Corporate IT System: Confidentiality, Integrity, Availability. EPES OT System: Availability, Integrity, Confidentiality]
Some key issues remain:
• When the parties are not able to exchange public keys personally, who guarantees the authenticity of the keys themselves?
• How do we share and distribute public keys while private keys are protected?
• How can we handle expiration, revocation and renewal of key pairs?
Public Key Infrastructure
Who can give us the trust then?
A Public Key Infrastructure (PKI) that releases X.509 certificates managed by Certificate Authorities (CAs).
Ok, Certificate Authorities are nothing new today:
Certificates are already widely used all over the web to protect web site server communication.
Many public CAs are operated on the public Internet
So … why are we talking once again about new PKI systems for OT and IoT?
IEC TC57 / WG15 - IEC 62351 series overview
• Security means defined for authentication and authorization (RBAC)
• Secure IP-based and serial communication
• Secure application level exchanges
• Security monitoring and event logging
• Test case definition
• Guidelines for applying specific security measures by utilizing or profiling existing standards and recommendations
IEC 62351-9
The lifecycle of any key can be seen from the perspective of several phases.
Each of these phases requires a specific process and a standard approach in order to provide interoperability.
Each phase of the lifecycle also implies precautions, because keys must of course always be secure.
Public Key Infrastructures are a widely adopted mechanism for managing the key lifecycle…
[Figure: Key Management Systems – key lifecycle phases: Generation, Certification, Distribution, Update, Destruction, Archiving, Storage, Registration, Deregistration, Installation, Derivation, Revocation]
Categorization: IEC 62351-8 profiles to transmit role information
Current IEC 62351-8:
• Profile A: X.509v3 public key certificate with included role information as certificate extension
• Profile B: X.509v3 attribute certificate bound to a public key certificate, which uses the same certificate extension
• Profile C: Software token (HMAC-protected structure, Kerberos-like), which encapsulates the same information contained in the certificate extension
Upcoming:
• JSON web token
• RADIUS
OT and IoT systems Key Management PKI requirements
OT and IoT environments are not comfortable with traditional monolithic PKI systems based on centralized architectures.
OT and IoT require PKI systems:
• Able to run on public SaaS/IaaS cloud infrastructure (private and public) but also on segregated networks in on-premises environments. The concept is to have a «quickly inflatable meta-PKI»
• Flexible creation and management of Subordinate CAs in order to support multiple environments
• State of the art enrollment procedures using automated protocols and tools
• Easy (and sustainable) scalability in terms of certificate numbers and service deployment
• e-API management interface (e.g. for easy integration with AWS platforms) for certificate lifecycle management
• Both ID and Attribute Certificate support to completely enable Role Based Access Control profiles
• Full state of the art PKI standard support, compliant with IEC 62351-9 and IEC 62351-8
TECNOINVESTIMENTI GROUP
Pillars of the PKI
[Figure: PKI pillars – CA, RA, AA, TA, OCSP, EST, SCEP]
RA: Registration Authority
CA: Certification Authority
TA: Trust Anchor
OCSP: Online Certificate Status Protocol
EST: Enrollment over Secure Transport
SCEP: Simple Certificate Enrolment Protocol
AA: Attribute Authority
How PKI creates trust
[Figure: PKI pillars – CA, AA, TA, RA, OCSP]
It is the conjunction of processes and technologies:
1. CA and RA cover the certificate enrolment process
2. OCSP and TA cover certificates' daily usage
3. AA covers privilege granting to certificate holders
RA: 1. Identification of claimant 2. Data registration 3. Certificate requests
AA: 1. Attribute certificate issuing 2. Certificate status management
TA: 1. Publishing CA roots
OCSP: 1. Publishing certificate status
CA: 1. Certificate issuing 2. Certificate status management
PKI infrastructure – enrolment and access process
[Figure: enrolment and access flow – the Certification Authority issues a certificate to an entity; the entity runs the access procedure against a PKI-enabled system; the system performs certificate verification; access is granted]
PKI structure
[Figure: CA hierarchy]
Root CA: Enel Hydro Root CA
SubCAs and end-user certificates:
• Enel Hydro Natural Person CA – Natural Person certificates
• Enel Hydro TLS CA – Server certificates
• Enel Hydro IED CA – IED certificates
PMI – attribute certificate
Attribute certificates provide an effective way to separate the management of identity from the management of authorizations associated with an identity. Attribute certificates can be used to extend the information in a public key certificate. They allow, for instance, a temporary enhancement of the permissions of the public key certificate holder by specific role-based access information.
Advantages:
› one password or PIN or other secret to access the private key;
› fewer administrators;
› lower cost of admin;
› overall security policy.
Predefined Roles
Attribute name   Value
Viewer           <0>
Operator         <1>
Engineer         <2>
Installer        <3>
Secadm           <4>
Secaud           <5>
Rbacmnt          <6>
RBAC based on draft ISO/IEC TS 62351-8
PMI entities
[Figure: PMI entities – Source of Authority, Attribute Authority, Privilege Holder, Privilege Verifier; relations shown: assigns privilege, delegates privilege, trusts, asserts privilege]
Discretionary Access Control, Role based PM
The user (holder) is given an AC that binds his/her/its identity (certificate) to the privileges being given to him/her/it.
The holder is given a role and inherits the privileges assigned to the role.
The holder can be identified by a hash value that the relying party will directly re-calculate in order to authenticate the holder itself.
Implemented as Role Based Access Controls.
The role membership and role privileges can be administered separately if needed.
No revocation extension for short-lived privileges that will not be revoked during their validity.
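The Profile C idea from the IEC 62351-8 categorization (an HMAC-protected software token carrying the same role information as the certificate extension) combined with the holder binding described above (the holder identified by a hash the relying party recomputes, short-lived privileges with no revocation check), as an added example that is not part of the slides or of any InfoCert product. It assumes a JSON token layout, a key shared with the Attribute Authority, and a role-to-operation map; only the role numbers come from the predefined roles table.

```python
import hashlib
import hmac
import json
import time

# Predefined role numbers from the slide (draft IEC 62351-8 table).
ROLES = {"Viewer": 0, "Operator": 1, "Engineer": 2, "Installer": 3,
         "Secadm": 4, "Secaud": 5, "Rbacmnt": 6}
# Assumed role-to-operation map (not from the page), used by the verifier.
PERMISSIONS = {0: {"view"}, 1: {"view", "control"}, 2: {"view", "config"},
               3: {"view", "config", "install"}, 4: {"view", "security-admin"},
               5: {"view", "security-audit"}, 6: {"view", "rbac-admin"}}

def holder_id(cert_der: bytes) -> str:
    """Holder reference: hash of the public key certificate, recomputed by the verifier."""
    return hashlib.sha256(cert_der).hexdigest()

def issue_token(aa_key: bytes, cert_der: bytes, role: str, lifetime_s: int, now=None) -> bytes:
    """Attribute Authority side: bind a role to a holder certificate for a short lifetime."""
    now = int(time.time()) if now is None else now
    body = {"holder": holder_id(cert_der), "role": ROLES[role],
            "nbf": now, "exp": now + lifetime_s}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(aa_key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag      # assumed token layout: payload.hmac

def verify_token(aa_key: bytes, token: bytes, presented_cert_der: bytes, now=None):
    """Privilege Verifier side: return the role number, or None if the token is not acceptable."""
    now = int(time.time()) if now is None else now
    payload, _, tag = token.rpartition(b".")
    expected = hmac.new(aa_key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None                  # tampered, or not issued by our AA
    body = json.loads(payload)
    if body["holder"] != holder_id(presented_cert_der):
        return None                  # token is bound to another certificate
    if not body["nbf"] <= now < body["exp"]:
        return None                  # outside validity: short-lived, so no revocation lookup
    return body["role"]

def is_allowed(aa_key: bytes, token: bytes, cert_der: bytes, operation: str, now=None) -> bool:
    """Role-based decision: the holder inherits the operations of the role in the token."""
    role = verify_token(aa_key, token, cert_der, now)
    return role is not None and operation in PERMISSIONS[role]
```

The verifier never consults a revocation service: as the slide states, the short validity window replaces revocation for these privileges, so the `exp` check is what bounds the damage of a lost token.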
Relationship between certificates of the same subject
Main certificates usage: TLS mutual authentication
• Two parties authenticate each other by verifying the provided digital certificates issued by CAs; both parties are thus assured of the other's identity
• OCSP and Trust Anchor are a very important part of mutual authentication process
• InfoCert provides client API for implementing SCEP and EST protocols
• InfoCert provides client API for implementing TLS mutual authentication protocol
Telecontrol system and PKI
[Figure: telecontrol architecture – Redundant Control Centers, Redundant Network and System Management Center, Generation Plants; Redundant PKI with CA, RA, Cert/CRL repository, SCEP server, EST server, OCSP responder, PKI Admin; field side with OCSP client, SCEP client, EST client, RDPs, 104s]
POC in large hydro power production