BxC's Approach
1. Define Business Use Cases
Digital certificates shall support the secure implementation and operation of business processes. For a beneficial use of PKI in the business environment, management and use of digital certificates must follow business requirements and constraints and not vice versa.
Define business use cases where digital certificates play a vital role, as they give business stakeholders a good understanding of how PKI supports their demands. Such use cases should follow non-technical language to ensure that all stakeholders can follow the demand description and may contribute to the use cases. The more detailed the use case specification and demand description are defined, the better the later design can address them.
2. Assess the OT Environment
The first important step is to create transparency about which capabilities and limitations are in place for cryptographic support of devices and software. For example, legacy assets may lack support for modern hash algorithms, while the use of SHA-1 has not recommended by NIST since 2011.
When planning the implementation of a security solution, requirements and recommendations of international standardization bodies should be followed to ensure that PKI implementation is a sustainable investment.
Modern PKI solutions still support that hash algorithm, although building support for SHA-1 into a PKI hierarchy requires a specific design and increases complexity. Knowing the constraints of the existing OT environment is highly beneficial and saves a lot of time and money during the design and implementation phases.
3. Research and select the Solution
Once the business requirements and constraints are known, finding a solution provider and partner is next, someone who commits to the target picture.
Expertise in PKI and OT constraints is not widely available. Many providers can implement and partly run a PKI, but only a few have experience in OT and its specific boundaries and brownfield challenges. Organizations should not just look for a provider, who can technically implement the solution, but one that understands the business requirements and consults actively during the design and implementation phase from the business and operations viewpoint.
Finding a real partner, not just a delivery person for a hardware or software solution, is an important target to meet. Running a PoC with the envisioned solution and very few use cases should give an impression of how much the provider is able and willing to understand the organization’s business challenges. With the right solution and partner, the risk of further extensions and developments of the PKI and the beneficial business processes is significantly lower.
4. Contain Obsolescence Management
Brownfield environments often operate legacy solutions unable to comply with current cybersecurity and cryptographic requirements. The solution and integration provider should provide the organization with a proactive approach to integrating components into the certificate-based communication.
There may not always be a technical solution to enabling legacy assets for modern cryptographic algorithms’ support and handle digital certificates’ lifecycle. However, a solution partner should provide expertise and integration ideas on such legacy areas of the OT environment. With business requirements, we can integrate legacy solutions into modern IIoT use cases.
5. Plan Operations
Before starting the implementation of a PKI, organizations should have a basic understanding of operating the solution and all lifecycle processes. We have seen a lot of organizations that started the implementation and procrastinated the question of the operations to the operationalization phase. But, if there are no resources for operating the PKI, a managed service provider should be involved in the implementation to ensure a smooth transition into the operational phase. If resources are available, training and upskilling should be targeted during the implementation phase to ensure the staff is prepared for operations once the rollout starts.
The operationalization is often delayed or shows significant problems if operations have not been discussed and planned from the very beginning. A managed service partner can support organizations to bridge the gap if ramping up resources and upskilling needs more time. Ensuring a secure and stable operation of PKI requires a solid operationalization phase is paramount.
BxC Takeaway
The approach described in this article enables brownfield environments to migrate to modern PKI solutions for OT, ensuring security, compatibility, and improved functionality.
We at BxC support organizations during the research, design, implementation, and operation of secure public key infrastructures. At BxC, with our profound skills in PKI and OT cybersecurity, we are dedicated to supporting companies throughout this journey and ensuring sustainable management and further development of organizations’ PKI.