



























Michael P. Heinl, Technical University of Munich, Munich University of Applied Sciences HM
Maximilian Pursche, Technical University of Munich, Fraunhofer AISEC
To address the expanding attack surface caused by increasing digitization and interconnection, operators of Industrial Automation and Control Systems (IACS) adopt security measures already established in information technology, such as Public Key Infrastructure (PKI), to Operational Technology (OT). However, operating a PKI proves to be challenging in complex and heterogeneous IACS landscapes. Hence, operators might rely on external PKI service providers, resulting in new trust dependencies and a loss of direct control over critical security components. In the WebPKI, Certificate Transparency (CT) is leveraged to monitor the certificate issuance of publicly trusted certificate authorities. Since CT's original WebPKI-centric design and trust assumptions do not align with the isolated and constrained nature of IACS environments, we investigate the adaptation of CT to a private IACS-specific PKI infrastructure operated by a service provider. We propose amendments to CT processes and roles, an IACS operator-controlled CT infrastructure, and a layered approach to align with ISA/IEC 62443. Despite the lack of CT support by crypto libraries intended for OT devices, we demonstrate the feasibility of our approach by a proof-of-concept implementation.
BibTeX
@misc{cryptoeprint:2026/963,
author = {Adrian Reuter and Michael P. Heinl and Maximilian Pursche},
title = {Multi-leveled and {ISA}/{IEC} 62443-aware Certificate Transparency to Protect the {PKI} Service Supply Chain of Operational Technology},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/963},
year = {2026},
url = {https://eprint.iacr.org/2026/963}
}
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。