Leveraging BRSKI to Protect the Hardware Supply Chain of Operational Technology: Opportunities and Challenges

The increase of interconnected Operational Technology (OT) devices leads to a need for scalable, yet secure onboarding to establish a trust relationship between a new device and its operator domain. The protocol Bootstrapping Remote Secure Key Infrastructure (BRSKI) is a promising candidate to automatically establish such trust relationships and secure the OT hardware supply chain, especially when used in combination with hardware-based cryptographic device identities. Although there is a reference implementation, BRSKI has not seen many real-world applications yet. We develop a testbed to investigate possible causes by analyzing the capabilities of the BRSKI reference implementation, optimizing specific aspects, and extending its functionality to utilize trusted platform modules protecting the device's identity. Subsequently, we assess if BRSKI can be used in conformity with IEC 62443. Our findings suggest that BRSKI provides promising opportunities to secure the OT hardware supply chain but also potential for improvement.