
Automated PKI certificate management for secure energy infrastructures

Solution example: ECOS energy supplier
Reading time: 7 minutes

Energy utilities operate many distributed systems that exchange sensitive data over encrypted connections. Self-signed certificates and heterogeneous OT environments make secure management of digital identities difficult. One energy utility was able to automate its certificate management using the Trust Management Appliance (TMA) from ECOS Technology.

The challenge: Complex infrastructures and insecure certificate management

Energy utilities run complex infrastructures comprising numerous systems. In substations, stations, operational buildings, and outdoor facilities, switches, control devices, metering systems, and uninterruptible power supplies (UPS) are in operation. They continuously exchange data and use encrypted connections based on digital certificates. In networked infrastructures, certificates play a central role: they act as digital IDs for devices and enable reliable identity verification. A certificate contains cryptographically verifiable details about the issuer, the holder, and the validity period. Each device checks this information before allowing a connection. This creates a secure foundation for encrypted, verifiable communication.

Challenges with self-signed certificates

In practice, however, a weak point becomes apparent. Utilities often use self-signed certificates because they consider their installations to be isolated. As a result, each device generates local certificates and uses them for encrypted connections. In this setup, the identity of the communicating parties cannot be verified reliably. This increases the risk that attackers manipulate connections and intercept or alter data traffic.

Another hurdle is the lack of a standard for certificate management in OT systems. While these systems often provide a web interface, they typically lack an integrated option for automated certificate exchange. Responsible teams deploy certificates manually via SSH on the device's command line or using proprietary vendor tools. With hundreds or thousands of devices, this effort frequently leads to errors and delays.

Regulatory obligations under NIS2

In addition to technical issues, regulatory requirements also play a major role. The EU’s NIS2 Directive will be mandatory for every affected company no later than 2027. It requires organizations in critical sectors such as energy to implement effective technical and organizational cybersecurity measures.

These include encrypted connections, validated certificates, incident-response processes, risk management, business-continuity concepts, regular security assessments, and documentation of all relevant processes. The Directive also specifies reporting deadlines for incidents and requires evidence that the measures have been implemented.

The challenges at a glance

  • Distributed systems with inconsistent certificates
  • High error rates due to manual certificate management
  • Lack of standards for OT automation
  • Stringent requirements under NIS2

The solution: Centralized and automated certificate management

The wide variety of devices used by the energy utility requires a holistic solution that secures and encrypts communications across IT, OT, and IoT. It must also integrate both modern and legacy systems in an automated way. With the Trust Management Appliance (TMA), software vendor ECOS Technology has developed a system designed for this use case: it provides digital keys and certificates for confidentiality, integrity, and authenticity in networked systems.

Functionality and deployment options

The TMA protects digital devices by providing secure identities and handling certificate management. To do so, it issues each system with a certificate. This acts like an ID card, confirming that a device is genuine and has not been tampered with. The appliance creates these certificates—or renews them when needed—and distributes them automatically.

ECOS Technology’s TMA is used in factories with networked machines as well as in office environments. It can run as on-premises hardware, on a server, or in the cloud. For production facilities, a dedicated gateway is available so the solution remains operational even without an internet connection. This creates a central point for certificate management.

Legacy devices in particular often lack features for automated certificate management. That is why the ECOS TMA includes an “Enrollment Agent.” It supports devices that are not designed for automated certificate management by replicating the manual procedures specified by the manufacturer for installing certificates. This significantly reduces workload—especially in the large infrastructures of energy utilities—and helps prevent staff overload.

PKI fundamentals: key pairs and certificates

Certificates are based on a Public Key Infrastructure (PKI). At the core of a PKI is a key pair consisting of a public key and a secret private key. The public key is available to anyone and is used to encrypt messages or verify authenticity. When sending a message, the sender (“Bob”) encrypts it using the recipient’s (“Alice’s”) public key. The message (ciphertext) can only be decrypted with the recipient’s private key.

Figure: Asymmetric encryption with public/private key

For signing, the process works in reverse. A digital signature is derived from a message digest (“hash”), a fixed-length value computed from the message that is unique to its content. If the text is changed, the hash value changes as well. The hash is then encrypted using the sender’s private key, serving as proof of authenticity. Any recipient can verify the signature using the sender’s public key: they recompute the hash and compare it with the decrypted value from the signature. If the values match, the message originates from the sender and has not been altered.

Figure: Signature and signature verification

Certificates additionally provide clarity about who a given public key belongs to. Without this mapping, an attacker could distribute forged key information. This is the role of a trusted Certificate Authority (CA). The CA attests to the identity of the certificate holder by signing the certificate with its own private key. The interaction of key pairs, certificates, and trusted CAs within a PKI ensures that data can be transmitted in encrypted form and that digital signatures can be verified. Any tampering is detectable, because any change to a message or key becomes evident immediately.

Overview of certificate management capabilities

The ECOS Trust Management Appliance manages the PKI and ensures that all devices have valid certificates. Key capabilities include:

  • Lifecycle management for certificates and symmetric keys within the PKI, including generation, import, renewal, revocation, and archiving.
  • Automated certificate distribution and renewal via multiple protocols (e.g., SCEP, EST, ACME) and through client systems (Windows, Linux, mobile devices).
  • Support for OPC UA–based architectures, which play a major role in energy supply networks. The appliance provides devices with identities and revocation information (e.g., certificate revocation lists).
  • Integration via open interfaces, including REST APIs, LDAP synchronization with directory services (e.g., Active Directory), and integration into existing IT/OT environments.
  • Authentication of mobile devices and networks in accordance with standards such as IEEE 802.1X.
  • Secure storage of private keys in a PKI hardware security module (HSM) and protection of the CA structure through a hierarchical root/sub-CA organization.
  • Support for multiple algorithms, key lengths, and certificate profiles, designed to address future requirements such as post-quantum (quantum-resistant) algorithms.

The result: security, verifiability, and sustainability

Certificate management with ECOS Technology’s Trust Management Appliance improves security across energy utility infrastructures. The appliance assigns each device a unique identity. Connections between devices, control centers, metering systems, and cloud services are based on validated certificates. In this way, the TMA replaces fragmented point solutions with the trusted structure of a PKI.

Internal processes benefit as well. Audits and assessments can rely on clear evidence. The appliance generates logs and reports that responsible teams can use for internal controls. This helps organizations meet regulatory requirements and pass inspections by public authorities more easily.

The appliance’s scalability also creates room for future developments. OT/IT teams can gradually integrate new device types, additional sites, or IoT systems. The PKI’s crypto-agile architecture makes later transitions to new algorithms and key lengths easier. A key advantage is that acting early prevents complex, time-critical migrations later on.

Summary of results

  • Centralized identities for all device types
  • Automated certificate management across IT and OT
  • Auditable processes for audits and assessments
  • Scalable, crypto-agile security architecture based on PKI
