#KEYMASTER: Why Certificates Matter in OT Security
2026-02-03
In this episode of #KEYMASTER, Sven Rajala, International PKI Man of Mystery, is joined by Guillaume Crinon, Director of IoT Business Strategy, to explore how certificates and PKI are used in Operational Technology (OT) environments, and why this world looks very different from traditional IT.
OT security is not about patching fast or deploying the latest tools. It is about keeping critical processes running safely, reliably, and continuously, often for decades.
What Makes OT Different from IT?
Operational Technology environments prioritize availability and safety above all else. These systems control physical processes, manufacturing lines, robotics, energy infrastructure, where downtime or malfunction can cause real-world damage or safety risks.
As a result:
- Systems are designed to run unchanged for many years
- Patching is rare and carefully controlled
- “If it isn’t broken, don’t fix it” is often the rule
- Security decisions must never disrupt operations
This mindset shapes how certificates and PKI are adopted in OT.
From Air-Gapped Factories to Industry 4.0
Historically, OT environments relied heavily on physical isolation. Machines were enclosed inside factories, disconnected from external networks, and protected by physical access controls.
That model no longer holds. With Industry 4.0, machines now routinely communicate with:
- Cloud platforms
- Corporate IT systems
- Vendor-operated monitoring services
- Predictive maintenance and analytics tools
As soon as machines communicate outside the factory floor, they need:
- Secure communication
- Authentication
- Identity
And that is where certificates come in.
Certificates as Machine Identity
Today, many industrial components and machines are manufactured with X.509 certificates embedded at production time. These certificates often serve as:
- A long-lived, manufacturer-issued identity
- Proof of authenticity
- A foundation for secure onboarding into customer networks
This initial certificate allows a machine or component to be enrolled into a factory environment and to establish secure connections using TLS.
Protocols in the OT World
Modern OT protocols increasingly support certificate-based security, including:
The tooling exists. Manufacturers are embedding certificates. The expectation is clear: customers should be using them.
Read more:
Beyond Identity: More OT Certificate Use Cases
Certificates in OT are not limited to authentication. They are also used to:
- Secure network communication (TLS)
- Authenticate applications and services
- Verify firmware and software signatures
- Ensure updates are genuine and untampered
- Protect intellectual property and prevent counterfeiting
Code and firmware signing, in particular, is critical. When an update is delivered to a machine, the device must be able to verify that it came from the legitimate manufacturer.
The Reality: Self-Signed Certificate Sprawl
Despite good intentions, many OT environments struggle with PKI best practices. A common pattern looks like this:
- A component arrives with certificate support
- Documentation suggests using a self-signed certificate
- OT teams lack PKI expertise
- Self-signed certificates are deployed “just to make it work.”
- Trust is manually configured on the other end
The result is an environment filled with self-signed certificates that impersonate as real security instead of enforcing it, creating operational complexity and hidden risk.
Regulation and Standards Are Pushing Change
Two major forces are driving better practices:
- Cyber Resilience Act (CRA)
Applies to component manufacturers in Europe and makes them responsible for the cybersecurity of their products. This explains why certificates are now embedded by default. - IEC 62443-4-2
Requires strong authentication of users and equipment in industrial automation and control systems. Today, certificate-based authentication issued by a proper PKI is considered state-of-the-art.
The direction is clear, but adoption may take time.
Read more:
- EU Cyber Resilience Act (CRA): Security and Compliance Across the Product Lifecycle
- PKI’s role in IEC 62443
- Mastering IEC 62443: A Guide to Securing Industrial Automation and Control Systems
Where Certificate Lifecycle Management Fits In
For many OT engineers, PKI itself is not the goal. What they need is:
- Certificates provisioned reliably
- Minimal manual work
- No disruption to operations
- No violation of equipment warranties
This is where Certificate Lifecycle Management (CLM) becomes critical.
CLM tools can:
- Automate certificate provisioning and renewal
- Abstract PKI complexity from OT teams
- Monitor certificate health and expiry
- Support segmented networks and proxy-based access
- Enforce consistent OT security policies across sites
By scripting and automating tasks that would otherwise be manual and error-prone, CLM acts as a bridge between IT security practices and OT operational realities.
Key Takeaways
- OT environments prioritize availability and safety over rapid change
- Industry 4.0 has made secure connectivity unavoidable
- Certificates provide identity, secure communication, and update integrity
- Many OT systems still rely on self-signed certificates, creating risk
- Regulations and standards are pushing the industry toward PKI
- Certificate Lifecycle Management is essential to make PKI usable in OT
OT security is evolving, not by copying IT practices, but by adapting them to a world where systems must run safely for decades. Certificates and PKI are becoming foundational, and CLM is what makes them practical.
Learn more
- Keyfactor for Operational Technology
- Protect critical OT and IIoT infrastructure in industry 4.0
- EU Cyber Resilience Act (CRA): Security and Compliance Across the Product Lifecycle
- PKI’s role in IEC 62443
- Mastering IEC 62443: A Guide to Securing Industrial Automation and Control Systems
- Keyfactor IoT Solution areas
- Keyfactor IoT How-to guides
Related resources
#KEYMASTER: PKI-Powered Code Signing for the CI/CD Era