Yes. Hello. My name is Andreas Philip. I'm from Keyfactor, and I'm working in the IoT, industrial IoT and OT department of Keyfactor as a senior business developer. And today I want to share with you, yeah, our view, our key vertical view from a company that is developing products for issuing and managing digital identities based on X.509 certificates.
And I want to share with you our findings and how we see the OT world, the industrial OT world, in terms of digital identities, and what the status is today when it comes to standards and regulations. Later on I will talk a little bit about the outlook itself. So Keyfactor itself is coming from a typical IT company. We started in 2000, also with our open source project in the PKI world, the EJBCA CA.
So we developed the market, we went into banks and all that.
And I think it was 10 years ago when we also started our journey in the industrial environment, in the OT environment. Yeah. During that time the industrial space and landscape was a completely wild west environment, where every BU was integrating something on security itself.
But over the years, and that is also my experience from helping our customers to implement stuff, working with technology partners, working with component manufacturers, with the machinery engineers, I had this experience: first of all, we must also understand the whole value chain. Yeah. That is established in this market. So it starts from the component manufacturers, the guys who are producing the PLCs, the guys who are producing the routers, the control computers.
And they are shipped to the mechanical engineering guys who are building up the machine.
It's maybe a CNC center, it's a woodworking machine system.
Or up to a complete production line for IKEA. So that's machine engineering. They are using all the components, they are building and assembling the machines themselves. And then when it comes to shipping the machine to the operators, where the machines are used directly on the shop floor, they have to be integrated into the existing environment, the OT environment and the SCADA environment. And that is a huge challenge.
And when we are looking at that from a security perspective, that means that over the whole value chain we have to establish a secure communication channel. We have to establish the authenticity, yeah, of other components, of parts, of services that we are enabling. And last but not least, and that's very important:
We also have to issue, and we have to maintain and manage, digital identities. Yeah.
For the component itself. A component could be a PLC, an HMI, but it could also be a sensor or an actuator that has an identity, up to the whole machinery or part of a machinery or segments. And that, I think, is something that was essential for me, coming from the IT world. So to understand this value chain, and then you understand the problems there and how to solve those problems. But let's have a look at digital identities along this value chain. What are the requirements?
So looking at the first point, when it comes to the component manufacturers, digital identities are used first of all for device identification. We are not talking about machine identities. That's completely another way.
It's a device identifier that proves the origin of the component, of the controller, of the sensor, of the PLC itself. Sometimes we call it issuing a birth certificate when this product is produced on the line. That is essential there.
These identities are also used for secure boot, for firmware updates and everything. On the mechanical engineering side, the guys who are building all these centers, machineries and everything, yeah, they are talking about what we also heard here: remote access, server software updates, SBOM, and up to the digital twin, and how to mirror physical device identities that are bound to components up to a digital twin. That's also a challenge. And there we are also now talking, from the Keyfactor side, to the Digital Twin Consortium to solve this problem.
Yeah, we cannot copy an X.509 certificate into the virtualization.
That's not possible today. And last but not least, we're coming to the operator side, where all the machinery is operated on the shop floor itself. We have network authentication, the integration into the existing MES systems, cloud services, and we have Ethernet-based communications that we have to adapt, that we have to integrate, like OPC UA, MQTT and all the others based on Ethernet itself. That is, at the end of the day, in a nutshell, digital identities along the value chain of the industry itself.
All of these use cases are now more and more covered by standards and guidelines. And that's important. As I mentioned when I started, it was a completely wild west in this area. Everybody was talking about some things and some standards were blowing up. But nowadays I think it has changed. So this is an older slide, I think it's two or three months old.
No, I think it's from the end of last year. So therefore I put the overall framework on the top level.
But today, when we are looking into the industry itself, the regulations are moving up to a high priority now, with the machinery regulation, with NIS2, with the Cyber Resilience Act that is coming out. These are now drivers in the market to establish and to make use of security and digital identities, and to enable or to implement these regulations. They are pointing to IEC 62443, for example, as a framework where we have a framework in place that we can use, that we can adapt.
ENISA has, I think in April, released a very good map or mapping guide on how the Cyber Resilience Act is mapped onto the different specific industry standards.
I can recommend downloading this. And all of these frameworks and regulations are now also underpinned from the industrial side and from the industrial organizations. Here we see the industry standards coming up, where security, digital identities and their usage are built in, like OPC UA. OPC is a very traditional protocol that has been in the field for ages.
But with the Unified Architecture extension they are also introducing digital identities now. For example, part 12 of this specification has a global discovery service built in, where all the functionality to manage the digital identities in an OT OPC UA based network is built in: issuing certificates, issuing IDs, renewing IDs, updating IDs, proving IDs. That's built into the standards. Another part that's also very prominent now, that's coming up now, is part 21, or the BRSKI standard, the RFC standard here.
That's the onboarding stuff. That's also a big problem: how to onboard a component into a machinery, how can the component be trusted in an OT network. And that is what these standards are addressing. So part 21 from OPC is focusing on this device onboarding stuff. So how can I securely onboard a device automatically in this OT environment? BRSKI, the last point here, that's also an onboarding standard.
It goes a bit further. It's also looking at the point of how a device could be onboarded into an OT network, but the next point is also how the network could trust the device and how the device could trust the network. So mutual onboarding procedures. These are now the standards that are coming up. They are establishing more and more, and they are also underpinning this overall framework like 62443. And I think a very prominent standard that is used heavily in the industry is now the good old 802.1AR standard. It's from 2008.
It's for issuing secure device IDs into this environment.
Okay. So a little bit more precise, getting a little bit more specific into this space, when we are talking about the usage of certificates in this environment and digital identities. But what is it actually that we are doing today? Yeah.
And we also heard here from Vex: it's the remote access, the secure authentication and remote authentication into a network that is sometimes essential, because this is an enabler, yeah, for all the digitalization activities that are going on, from remote maintenance down to on-demand services that I could enable in the new strategy of my business when I'm issuing a new device generation for this Industry 4.0 stuff.
Then we have the certificate-based authentication.
That means also mutual authentication: who is communicating with whom, which PLC is communicating with which control computer, and doing this for authentication purposes. I come to that later on, on the next, yeah.
And the second slide here to this point. And as you see, there are also some weaknesses in the implementation right now today. But that brings me to the point: why is it so difficult to use these certificates and to use these digital identities in the OT environment today, and to adapt this functionality that we all know from our IT world, how to use and how to manage certificates, how to manage identities? Now why is it so difficult?
So first of all, what we are facing today, and that's really what I hear when I'm talking to operators and also to mechanical engineering companies, are outages due to unidentified and expired certificates.
That's a huge problem today.
It's not that the machine, the machinery or the production line is completely out and shut down. It's only maybe that an HMI is black, or it's showing that it cannot connect to a server. But that is something that has to be fixed. And fixing such a problem means identifying who is the point where I have to go and where I have to change the identity, sometimes, very often, manually today.
So the initial setup, as I mentioned: how to initially set up a trusted, yeah, a trusted channel, so that I can trust the device that is entering my OT network, and how could the device, yeah, also be validated, that it's entering securely into a trusted network itself. Yeah.
And of course I think it's a self-signed certificate problem. That is something that we see also very often in this industry. And that reminds me also of the past, when we started our journey with identities based on X.509. We very often see self-signed certificates.
I'll talk a little bit later, on the next slide, on this topic itself. But in the end, when I'm talking to machine builders and industries and all our customers, it's stated to me, and the rest: it's too complex to implement the technology. And we tried to lay out a metro map of all this stuff going on in the OT, Industry 4.0 industry here itself.
So you see the green line? The green line is the standardization and regulation line. Yeah. It's a typical ring line. And then in the metro network we have all the different kinds of regulations, standards, new standards coming into place.
Maybe if you're looking into your industry, you also have specific standards that are coming up. That is something that has to be fulfilled. Then you also have these typical ones here.
The CS line, that's the crypto line with all the topics that are flying around, from tokens, from PKCS#11, code signing, OPC UA, all the standards that are going up. That has to be taken into account. Yeah. And then from the industrial point of view, we have the smart factory, where we have all these typical, yeah, requirements and also functionalities that we want to enable, like zero trust strategies. We want to bridge the IT with the OT. We want to enable IT to cloud. We want to, yeah, we need remote services and so on.
Now up to the performance of the operational environment to use this. And last but not least, we also have the products, the smart product lines.
So new products are introduced that are following this strategy for Industry 4.0.
And they are also coming up with security by design, talking about built-in security anchors like TPM, secure communication, whatever. So in the end it is very complex and, yeah, it's very difficult. But to be honest, I think it's also like when you are looking at a metro line here in Berlin, yeah. It's very complex. Yeah. But at the end of the day, what you want is to go from one point to another, and then you have to navigate yourself through this jungle. And in the end, that is the job of good consultancy companies who are guiding these customers.
Yeah. To fulfill the different kinds of regulations and standards that they need. But the last point here, let's talk a little bit about one point: SSL outages.
That's very prominent in this industry. And it's due to the, yeah, the behavior that these guys are generating self-signed certificates to enable secure communication, like between a PLC and the control computer. And that solves the problem in the first step perfectly. So you want to set up an infrastructure, you want to set up your control network in your OT space, and you want to enable an OPC UA server with a certificate.
And then you're looking into the manual from the manufacturer. And there you see: okay, if you want to do that, you have to generate a self-signed certificate, and here are the command lines. And this is how you are doing it, how you are, you know, operating, how you are generating your self-signed certificate. One problem here is, I think in 10 years, in five years, you're facing an outage.
Why? Because the certificate has a validity inside, and you have an expired certificate in place because nobody knows exactly. And that is what you're doing when you're generating the self-signed certificate.
You have to enter a validity date during this generation process. And that is done normally by an operator, by a maintenance guy. And so you have no proper thing. And that's real life. So many of them are facing these outages today. That is something very critical. It's also being picked up by the industrial organizations. They are seeing that there's a huge demand for changing this. And my last slide, talking a little bit about the outlook, where we are going, where we are moving on.
And my prediction is, when I'm talking to the VDMA and ZVEI, to all these organizations and standards here, that the topic is that security will be a part of the new safety that's coming up. The slide from Vex before also showed that safety is in parallel with security on this layer in the OT environment.
And that's my prediction, that we will see, step by step, that security is added to the safety regulations in the industrial world, especially with the CRA that's coming up now.
That's a huge driver in combination with the machinery directive, that they are moving together and they are following one way and one path. And of course we will also see that. And that's my prediction itself.
I'm working along the lines that, especially in the OT world, we will see advanced solutions that are developed to meet the application and the operational requirements. So, looking at this year's Hannover exhibition, yeah.
So we are looking, and you can see several implementations of security from traditional machine builder companies, and they have a completely other view and point of view and usage view on the environment itself. Siemens introduced the so-called registration authority on the shop floor in their SINEC line. So it seems that the PKI is now moving onto the DIN rail.
So that's my prediction, that we will see it step by step now, over the next year. So that brings me to the end. If you're interested in the presentation, contact me. Please feel free. Thank you.
And thank you also for walking us through this. I'll make a quick check in the audience. Any questions for Andreas? You know where to find him. His contact information is here. Thank you very much. Thank you.
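The outage the talk describes, a self-signed certificate generated from the manufacturer's manual whose validity date nobody tracks, is something an operator can catch with a routine expiry check over a certificate inventory. The following is an added example, not code from the talk or from Keyfactor: it parses notBefore/notAfter straight out of the DER with nothing but the Python standard library and lists devices whose certificates are expired or inside a renewal window. The device names, dates and the unsigned sample certificate are constructed for the demo.

```python
import base64
from datetime import datetime, timezone

def _der(tag, body):  # DER TLV encoder (short/long length form); only used to build the sample
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(buf, pos):  # decode one DER TLV at pos -> (tag, value, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(value):  # split a SEQUENCE/SET body into its (tag, value) elements
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _time(tag, val):  # RFC 5280 Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity(pem):  # (notBefore, notAfter) of a PEM certificate, standard library only
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    fields = _children(_children(_tlv(der, 0)[1])[0][1])  # tbsCertificate is the first child
    if fields[0][0] == 0xA0:  # optional explicit [0] version comes first in a v3 certificate
        fields = fields[1:]
    nb, na = _children(fields[3][1])  # then serialNumber, signature, issuer, validity
    return _time(*nb), _time(*na)

def expiring(inventory, today=None, within_days=90):  # device -> days left if expired or in window
    now = datetime.now(timezone.utc) if today is None else datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return {dev: d for dev, pem in inventory.items()
            if (d := (validity(pem)[1] - now).days) <= within_days}

def sample_cert(not_before, not_after):  # constructed, unsigned sample; times as UTCTime "YYMMDDHHMMSSZ"
    t = lambda s: _der(0x17, s.encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"PLC-01"))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + _der(0x30, t(not_before) + t(not_after)) + name + _der(0x30, alg + _der(0x03, b"\x00" * 129)))
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))
```

Run `expiring({"plc-01": open("plc-01.pem").read()})` on the real exported certificates and a negative number of days is a certificate that has already expired.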