CUSTOMER STORY

Phoenix Contact Secures IoT Devices with Modern PKI Platform

Interview with Lutz Jänicke, Corporate Product & Solution Security Officer at Phoenix Contact

THE CHALLENGES

Facing increasing cybersecurity threats and new European regulations like NIS 2 and CRA, Phoenix Contact partnered with Keyfactor to revamp its approach to Public Key Infrastructure (PKI) and strengthen its security posture. This collaboration focused on extending existing security processes across the entire company and product portfolio, ensuring product integrity through secure software and firmware signing managed by Keyfactor’s solutions, enabling customers to verify product authenticity, and meeting the IEC 62443 standard for industrial automation, which mandates secure digital signatures and identities. This transformation, enabled by Keyfactor’s expertise, addresses the growing need for cybersecurity in industrial automation and demonstrates Phoenix Contact’s commitment to compliance excellence.

Company Overview

Phoenix Contact is a global leader in automation technology, developing innovative solutions in connection technology, electronics, and automation for over 100 years. Headquartered in Germany, the company serves diverse sectors, including industrial production, renewable energy, and infrastructure.

Challenges

Compliance in automation manufacturing is tough, especially when it comes to securing IoT devices. Regulations are constantly changing. But Phoenix Contact saw an opportunity where others saw a challenge. By rethinking their approach to Public Key Infrastructure (PKI), they transformed their entire operation.

“Cybersecurity is a very difficult thing to do, and until recently, nobody really paid too close attention to cybersecurity for devices on the shop floor. Now, that’s all changing thanks to the increasing threat landscape and new European regulations,” explains Lutz Jänicke, Corporate Product & Solution Security Officer at Phoenix Contact. This was an opportunity to strengthen their security posture and protect their customers.

Two recent regulations, in particular, have forced a new level of scrutiny around cybersecurity among European companies like Phoenix Contact. The first, NIS 2, targets operators by introducing security standards within companies and on the shop floor itself, while the second, CRA, focuses on consumer and industrial products and the level of protection offered within them.

In response, Phoenix Contact is strengthening cybersecurity management for its operations and building secure processes for device identities as part of IoT product development. Many of these processes already exist throughout different areas of the company, but they now need to be extended end-to-end across the entire company and product portfolio.

“One of the most important things is the integrity of our products. So we need to ensure that all of our software and firmware is correctly signed, which requires a strong PKI program to manage those signatures and certificates. At the same time, we want to enable our customers to verify whether they buy genuine Phoenix Contact products. That means we also need to support secure device identities,” Jänicke shares.

Specifically, Jänicke cites IEC 62443, a standard for industrial automation that requires the use of secure digital signatures and secure digital identities. He notes that the Phoenix Contact security team is currently working to make sure they can fully meet that standard across all of their processes. Meeting this standard was a significant milestone on Phoenix Contact’s path to compliance excellence.

Solution

The Phoenix Contact team knew they would need a PKI solution to help meet their compliance goals in a standardized and streamlined way. Market research on potential solutions led Jänicke to Keyfactor EJBCA.

“I immediately liked that Keyfactor had a community edition product that allowed us to evaluate it without a lot of discussion and see the quality of the offering for ourselves. And after using that product and comparing it with other offerings, we chose to work with Keyfactor long term,” he says.

Jänicke notes that one of the biggest selling points for Keyfactor was the flexibility it offered, with options for PKI as a Service and more. With Keyfactor, Phoenix Contact found a partner who could help them cut through the complexity and take control of their PKI.

Additionally, Keyfactor checked all the boxes for Phoenix Contact’s requirements, including a fully automated process for issuing device identities and supporting secure digital signatures across a variety of use cases.

On the flip side, Jänicke shares that most of the other offerings the team evaluated were not as robust as Keyfactor and required more manual processes, which made it difficult to verify the quality of those solutions overall.

“Keyfactor is stable and mature. And in this market where PKI has to operate for years or even decades, it’s important to have a partner with staying power. So far, working with Keyfactor has delivered that strength.”

Lutz Jänicke, Corporate Product & Solution Security Officer at Phoenix Contact

Business Impact

After more than four years of working with Keyfactor, Phoenix Contact has successfully standardized and streamlined cybersecurity across the organization. Specifically, Jänicke cites three key areas of impact since introducing Keyfactor EJBCA:

Ability to evolve alongside use cases

Phoenix Contact has a variety of use cases, and this requires the security team to support numerous different types of signatures. Although Jänicke found that Keyfactor did not natively support all of these use cases, he was able to work with the Keyfactor team to develop additional signature formats as needed. This flexibility and responsiveness proved valuable in ensuring Keyfactor could work for all of the company’s ongoing needs.

Building on this, Jänicke notes that he continues to find new ways to use Keyfactor for different PKI needs. He explains: “We are currently evaluating how we can expand our use of Keyfactor for device identity management, as the approach we’re taking to secure our products is evolving all the time. Additionally, we are looking at how we can use a product like Keyfactor Command to improve our certificate lifecycle management.”
