Setting up company-wide PKI for Phoenix Contact

Phoenix Contact is a global market leader for components, systems and solutions in the field of electrical engineering, electronics and automation. The family-owned company currently employs around 20,300 people worldwide and generated 2.97 billion euros sales in 2021. Its headquarters are located in Blomberg, Westphalia. The Phoenix Contact Group includes 14 German and four international companies as well as 55 sales companies around the world. Internationally, Phoenix Contact is present in more than 100 countries.
www.phoenixcontact.com

Problem definition

Phoenix Contact aims to provide standardised cybersecurity in products and industrial solutions to enable future-proof operation of machines, plants and infrastructures. In order to ensure that products and solutions are protected against professional cyber attackers, the requirements of the IEC 62443 standard, which is essential for the manufacturing industry, must be met.

To prove the authenticity of hardware and software products Phoenix Contact relies on the use of high-quality electronic certificates and digital signatures. These certificates are used technically for secure device identity in accordance with IEEE802.1AR and secure firmware updates. To generate the electronic certificates, Phoenix Contact therefore planned to set up a company-wide public key infrastructure that could permanently fulfil the required high level of protection. One of the most important requirements in this project was to seamlessly integrate device registration into an industrial production process.

"Building a scalable and secure PKI for device identities and infrastructure for signatures of software and firmware is a challenging task. This made it all the more important to find suitable technical products and a suitable partner for the implementation project and ongoing support." Dr.-Ing. Lutz Jänicke, Corporate Product & Solution Security Officer, Phoenix Contact

Results

Phoenix Contact chose products from PrimeKey, now Keyfactor, to procure the public key infrastructure. EJBCA Appliance and SignServer Appliances were selected because of their product maturity, global deployment, and extensive PKI features and integration capabilities. The security certified HSMs used and the certified EJBCA software provided the perfect match for implementing the high level of security and ensuring highly available operation.

The company achelos, which also supplied the systems as a certified Keyfactor partner, was assigned with the IT and security planning, configuration and installation, and commissioning. Phoenix Contact thus had a central point of contact for the entire duration of the project, who had both the necessary knowledge of cyber security and the Keyfactor products. achelos will also be looking after the PKI, which has now been put into operation, during the operational phase by providing further support services.