In the course of Industry 4.0, industrial OT systems are becoming more and more interconnected with traditional IT systems.
Previously isolated environments are thus exposed to an increased risk of cyber attacks. This development has also been recognized
by the International Society of Automation (ISA) and has led to the joint development of the ISA/IEC 62443 standards in
cooperation with the International Electrotechnical Commission (IEC). The series of standards aims to adapt IT security concepts to the
requirements of Industrial Automation and Control Systems (IACS). In this regard, particular attention must be paid to the strong availability
constraints and the support of essential functions. Over the last few years, Public Key Infrastructure (PKI) based on X.509 certificates has
emerged as an important component of IT security on the internet. ISA/IEC 62443 recognizes that PKI can also provide a wide range of security
mechanisms with respect to IACS. However, the way in which the PKI paradigm should be applied to an IACS is hardly addressed by the standard.
This thesis analyzes the ISA/IEC 62443 series of standards for security requirements that may impact PKI deployment in order to subsequently
provide a guideline on developing a PKI concept for such an environment. For this purpose, the requirements from ISA/IEC 62443 are combined with
guidance from other sources. Best practices with regard to PKI are taken from international associations, including the CA/Browser Forum, the European
Telecommunications Standards Institute (ETSI), and the Internet Engineering Task Force (IETF). It is apparent that within an IACS environment, PKI features,
such as certificate validity periods, have to be evaluated differently than in the internet PKI. In order to assess the viability of the developed guideline,
TLS is implemented as a tangible PKI use case in a representative test environment. The actual evaluation of the use case shows that modern IACS
components are capable of supporting PKI, but that some important features are still missing for a fully standard-compliant deployment. In addition, the
handling of PKI in IACS turns out to be time-consuming and involves many manual operations, which may render large-scale operations impractical at this
point in time.