Objective

Public Key Infrastructure (PKI) security is not possible in air-gapped networks isolated from PKI servers, and as air-gapped systems and networks increase in size and complexity, additional protections are necessary to secure them. End-to-end encryption and device-to-device authentication are lacking in many Department of Defense (DoD) Facility-Related Control Systems (FRCS). The objective of this project was to demonstrate an automated certificate management solution to bring the enhanced security of a PKI Certificate Authority (CA) to a control system commonly operating in Closed Restricted Networks (CRN) in the DoD – a “CRN CA.”

The project met its objectives, demonstrating a low-cost solution to add “internal PKI” security capabilities within closed environments where interconnections with external PKI resources are not feasible or would unduly increase the attack surface of the FRCS. The demonstrated solution supported objectives for simple, quick, low-cost implementation, enhanced security, and extension of the encryption footprint to unsecured endpoints (e.g., Distributed Energy Resources [DER]).

Technology Description

The demonstrated CRN CA solution integrates PrimeKey’s Enterprise Java Bean Certificate Authority (EJBCA) PKI Software and S&C Electric’s GridMaster® Microgrid Control System as the representative FRCS. EJBCA provided certificates to end-devices and validation services. S&C provided a network of equipment common in microgrid CRNs: two microgrid controllers, a Human Machine Interface for interfacing with the controllers, a Linux syslog server, a Woodward LS-5 to represent a typical DER, and S&C’s GridSim™ to generate microgrid traffic. To demonstrate a method of authenticating and securing communications to a PKI-incapable DER (i.e., the LS-5), “Secure Endpoints” with Enrollment over Secure Transport (EST) clients were added to the CRN CA solution’s architecture.

Demonstration Results

Project objectives were met, proving the utility and feasibility of adding an internal PKI to a closed network to secure communications between a diverse group of equipment administered by personnel unfamiliar with PKI concepts. The minimal cost of setting up a CRN CA will need to be scaled based on cost drivers, including the number of PKI client devices, the implementation methods per device type, and the targeted level of PKI implementation and automation.

Implementation Issues

Integration of PKI is facilitated by commercially available EJBCA software, so most implementation considerations fall to the PKI capabilities of the client endpoints, including operational impacts from increased bandwidth and processing power usage, auditing configuration and monitoring for PKI activities, key storage, accurate time sources, and certificate validation and revocation options.