The Digital Computer Passport (DCP): An Evolving Response to Cybersecurity Challenges in OT Infrastructures
Description
ABSTRACT. Deploying OT infrastructures at the scale of an industry sector (Defense, Transport) involves a complex supply chain, with numerous actors intervening at each level of integration across a multitude of applications and devices. This depth is conducive to vulnerabilities exploitable by cyberattacks. Close coordination is necessary to prevent these risks and ensure operational security. The approach through regulations and standards is necessary but far too slow, limited by cycle times and sector diversity.
An Effective Action Point: The Embedded Computer
The common point in this multitude of situations: the embedded computer. It is the mandatory passage between the digital worlds (where decisions are made) and the physical world (where damages are real). These computers are successively modified by actors throughout their history. Having a global solution to measure and control their integrity seems nevertheless within our reach through a generic and comprehensive approach.
The DCP: A Tracking and Control Solution
The Digital Computer Passport (DCP) is created simultaneously with the computer in the form of an immutable chain of data nodes protected by a public blockchain. It contains: • Proof of existence and the unique identity of the platform (via an embedded PUF - Physical Unclonable Function). • An open data package from the manufacturer (information and photos). • An initial signature of the hardware and software and their settings (Manufacturer). • The initial unlock key of the computer (protection of HW ‘in transit’). • A succession of integrity measurement data (measurement definition and results) • Digital signature of private actor data (from integrators, installers, operators). • The service withdrawal report, at the end of its operation. The implementation of the DCP relies on a secure cloud. Access to information is limited to identified users. The data being immutable, it is only possible to add new data nodes to the computer history. To be added, this data must also be signed by the computer's security element. This greatly limits additions by malicious external actors.
The DEDICACE Prototype
Designed by Kontron and Keeex, it implements the DCP concepts on a small scale. Kontron offers you a dedicated session at COB2025 to present the principles and discuss the creation of a DCP working group within the COB community.
Conclusion
We need a coordinated approach to cybersecurity. The DCP offers a promising solution to improve the security of embedded computers. The cyberonboard community is the ideal group to refine the concept through the multiple use cases of their logistical and security practices and to participate in its deployment.
.png)
