Modern ICS protocols—OPC UA, TLS, DNP3 Secure Authentication—rely on digital certificates for authentication and encryption. But certificates are not "set and forget." They expire, are compromised, must be rotated, and require a supporting infrastructure to manage. Many organizations deploying modern protocols underestimate the operational complexity of certificate management, leading to outages when certificates expire or authentication failures when certificates are revoked.
A mature certificate management program for ICS environments requires infrastructure (PKI), policy (certificate lifecycle), and operational discipline (monitoring, renewal, revocation). This is achievable but requires planning and investment.
ICS PKI Architecture
At the core is a Certificate Authority (CA)—a system that issues and signs digital certificates. Many organizations use an internal PKI, often based on Windows Certificate Authority or open-source tools (OpenSSL, Vault, Sectigo). The CA is responsible for generating and signing certificates, managing the certificate revocation list (CRL), and maintaining the root certificate that all other certificates trust.
ICS PKI should be offline, air-gapped from production networks. The root CA generates subordinate CAs that issue operational certificates. This segregation limits the blast radius if a subordinate CA is compromised; the root CA remains secure and can issue new subordinate CAs if needed. For distributed facilities, regional CAs can issue certificates locally, reducing dependency on a centralized authority.
Certificate Lifecycle Management
- Issuance and Deployment: Establish a process for requesting, approving, and issuing certificates. Each ICS application (OPC UA server, SCADA master, historian) needs a certificate. Document the certificate inventory: which certificate is deployed on which device, issued by which CA, expiring when.
- Renewal and Rotation: Certificates expire, typically annually or more frequently. Establish renewal procedures at 60-90 days before expiration. Rotate certificates on a schedule, even if they haven't expired, to limit exposure from compromised keys. Automate renewal where possible (many CA systems support automated renewal requests).
- Revocation and Recovery: If a certificate is compromised or a device is decommissioned, revoke the certificate immediately. Update the CRL and ensure all applications check the CRL before accepting certificates. For critical ICS systems, implement OCSP (Online Certificate Status Protocol) for real-time revocation checking.
- Audit and Compliance: Maintain audit logs of all certificate operations: issuance, renewal, revocation, and deployment. This is essential for compliance audits and incident investigation. Many regulatory frameworks require certificate management documentation.
Operational Practices for OT Environments
ICS certificate management must be operationally robust. Expired certificates cause outages: if a SCADA historian certificate expires, data flow stops until it is renewed. Plan ahead: implement alerts 90 days before certificate expiration, validate renewal procedures in testing, and schedule renewal during maintenance windows.
Many ICS environments are highly distributed: data centers, remote substations, field devices spread across wide geographic areas. Managing certificates across these devices requires centralized tracking and automated deployment mechanisms. Some organizations use configuration management tools (Ansible, Puppet) to deploy renewed certificates automatically to all devices.
Certificate management is not glamorous, but it is foundational to modern ICS security. We help organizations design and operate PKI systems appropriate for their ICS environment, with particular focus on operational reliability and compliance. Let's discuss your certificate management strategy.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.