Cyber security requirements for utilities and for the so-called “Smart Grid” are becoming increasingly important. For example, the IEC (International Electrotechnical Commission) standard 62351-9 describes how keys, certificate enrollment, generation and revocation shall be managed in automation industries.
A digital (X.509) certificate is a form of digital identity. Digital certificates are used for several purposes including authentication of users, processes and devices. It is therefore important that the distribution of certificates is done securely. The challenge is to provide an efficient distribution process while also ensuring that malicious intelligent electronic devices do not receive a valid certificate.
To ensure that only valid intelligent electronic devices obtain a valid certificate, the devices may need to hold and present some form of valid credentials. One-time passwords are typically the credentials devices use when performing their initial certificate signing request. The registration data is usually passed to the intelligent electronic devices manually and individually via configuration tools, through an out-of-band mechanism in which an authorized engineer or cyber security administrator pushes the registration data from a storage medium (e.g. a USB stick) into each intelligent electronic device as part of the device configuration.
For example, US 2013 0 145 449 A1 and US 2013 0 132 721 A1 relate to a solution using a USB stick or CD to distribute one-time passwords to intelligent electronic devices. A one-time password is used in a proprietary way to add tamper protection to the certificate signing request data.
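As an added illustration (not from the original text or the cited patents), the following sketch shows a registration authority that only accepts a device's certificate signing request when it carries a tag computed with an out-of-band provisioned one-time password, and consumes that password on success so it cannot be reused. The class, function names and the HMAC-based tagging are assumptions; the CSR bytes are a constructed placeholder, not a real PKCS#10 structure.

```python
"""Hypothetical registration authority (RA) for intelligent electronic
devices (IEDs). The one-time password (OTP) is provisioned out of band
and doubles as an HMAC key that tamper-protects the CSR data."""
import hashlib
import hmac
import secrets


class RegistrationAuthority:
    def __init__(self) -> None:
        # device_id -> OTP that the engineer pushes into the device out of band
        self._pending: dict[str, str] = {}
        self._issued: set[str] = set()

    def provision(self, device_id: str) -> str:
        """Generate the registration data (OTP) for one device."""
        otp = secrets.token_hex(16)
        self._pending[device_id] = otp
        return otp

    def enroll(self, device_id: str, csr: bytes, tag: bytes) -> bool:
        """Accept the CSR only if the tag proves knowledge of the OTP and
        the CSR bytes were not modified in transit. The OTP is consumed on
        success, so a second request with the same OTP is rejected."""
        otp = self._pending.get(device_id)
        if otp is None:
            return False  # unknown device, or OTP already used
        expected = hmac.new(otp.encode(), csr, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # wrong OTP or tampered CSR data
        del self._pending[device_id]  # one-time: consumed
        self._issued.add(device_id)
        return True


def device_tag_csr(otp: str, csr: bytes) -> bytes:
    """What the IED does with the out-of-band OTP: bind it to its CSR bytes."""
    return hmac.new(otp.encode(), csr, hashlib.sha256).digest()


def demo() -> tuple[bool, bool, bool]:
    """Returns (tampered CSR rejected, genuine CSR accepted, replay rejected)."""
    ra = RegistrationAuthority()
    otp = ra.provision("IED-01")            # pushed into the device via USB stick
    csr = b"constructed-csr-for-IED-01"     # placeholder for PKCS#10 bytes
    tag = device_tag_csr(otp, csr)
    tampered = ra.enroll("IED-01", csr + b"-modified", tag)  # data altered in transit
    genuine = ra.enroll("IED-01", csr, tag)
    replay = ra.enroll("IED-01", csr, tag)  # OTP already consumed
    return tampered, genuine, replay
```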
However, installing the registration data in every single device may be very labour-intensive and error-prone.