Signing Service Established for GSD files

  • Post category:PI NEWS
  • Reading time:3 mins read

PI (PROFIBUS & PROFINET International) now offers a signing service for GSD files for the improved security protection of machines and systems. This is a component of a comprehensive security concept. On the one hand, a signed GSD file ensures its authenticity. On the other, it guarantees the integrity of the functional description of a device from the manufacturer.

The PI Security working groups are currently highly committed to working on implementing details of the relevant security requirements of IEC 62443. The coordinated security concept now includes three PROFINET security classes. One aspect of security class 1 is a concept for signing GSD files for PROFINET. Expansion of the GSDML specification to include signing in a shared container in the OPC (OpenPackageContainer) format was required for implementation here.

To implement the signing of GSD files of PROFINET products, a process was defined for which the PI Certification Office is responsible. This enables all manufacturers of PROFINET devices to deliver the associated GSD file in signed form as a GSDX file. This process envisions two scenarios. In both cases, the PI Certification Office first creates a manufacturer-specific certificate valid for three years. Following this, each interested manufacturer has the choice to sign the GSDs of their own products themselves or to make use of the signing service of the PI Certification Office. In the former case (self-signing), the created certificate is delivered to the manufacturer together with a license for the tools. In the latter (PI signing service), the certificate remains at the PI Certification Office. The manufacturer can upload the GSD files to be signed using a web portal and will then receive the signed file in the GSDX container format shortly thereafter.

To make signing possible, the establishment of a corresponding tool environment has been necessary. To handle provision, PI commissioned recognized service providers in the security field. The tool used for signing GSDs is adapted to the special marginal conditions and signs GSD files using a local private key and generates GSDX files. The associated public validation key is provided in the form of a public key certificate issued by PI. The file format of this so-called GSDX container is standardized and publicly available.

Provision of the signing service occurs through a service portal on PI website (www.profibus.com). The ordering process is fully digital – only the sending of signature cards required with the self-signing service occurs by conventional mail with letter tracking. The personal customer area is secured through two-factor authentication.

An overview of the relationships between IEC 62443 and the specifications for PROFINET security can be found in the white paper entitled “OT security for production plants with PROFINET – A Classification of IEC 62443 for operators, integrators and manufacturers.”