Lecture

PKI in infrastructures for industrial automation technology with 5G

  • ICM Saal 4
  • Language: English
  • Type: Lecture

Lecture description

According to the latest studies by TÜV, the number of cyber attacks on industrial companies is growing continuously. 
At the same time, the number of 5G campus networks in industrial environments is increasing. New use cases are combining 5G communication with traditional production technology. 
In the past, physical isolation of the OT (especially when using wired communication) and network segmentation protected unsecured end devices from unauthorized access. 
When using the air interface of wireless communications technologies, such as 5G or WLAN, access to connected networks can no longer be protected by physical access controls alone.
This paper presents a PKI-based security framework meant to protect the point of connection between the 5G network, company-internal IT networks and OT networks. It aims to support companies in securely integrating their IT and OT networks and realizing their Industry 4.0 use cases by offering automated certificate management for the OT domain. The presented security framework assumes three distinct security domains: the 5G network itself, an OT domain, and an IT domain. The 5G core offers a range of built-in security functionality that can potentially support certificate management over the entire operating cycle of an automation component. The IT domain is expected to employ commonly used measures for ensuring IT security within an internal network, e.g. firewalls, network access control, and user authentication and authorization services. While IT networks traditionally focus on confidentiality, availability, and integrity, OT components focus on reliability, authenticity, and compliance with latency limits. The OT domain may feature a variety of end devices that may support only very specific, sometimes outdated, security features, or possibly no security features at all. Our framework aims to bridge the gap between the high level of security already present in the 5G and IT domains and the differing levels of security found in existing OT installations.
The implemented security framework is integrated into a multi-access edge computing (MEC) environment and has direct access to the 5G core network. It provides certificate-based authentication of devices and users in differing domains, enabling secure communication between domains, e.g. between IT and OT. It also supports secure communication between end devices and the MEC, and among OT devices. Selected use cases will be presented to demonstrate how this framework can be used in practice. Typical industrial use cases such as localization and communication between production systems will be showcased.

[The presented use cases and security architecture are developed within the research project “PKI in infrastructures for industrial automation technology” (PIA5) funded by the Federal Office for Information Security (BSI).]