What is Code Signing?
Code signing is the process of cryptographically signing software, firmware or scripts with the key behind a digital certificate. The aim is to safeguard the authenticity, integrity and origin of code, so that systems run only trusted, unmodified software.
In OT environments, code signing is essential for firmware updates, PLC programming and software distribution in production networks, where reliability and continuity are critical.
Why code signing matters
- Protection against tampering: prevents adversaries from modifying software undetected
- Source verification: only code from trusted vendors is accepted
- Supports Secure Boot: only signed firmware is executed at startup
- Prevents malware installation: avoids supply-chain or internal-update infections
- Compliance with standards such as IEC 62443, NIS2 and the Cyber Resilience Act
How does code signing work?
- The manufacturer (developer) generates a hash of the code
- The hash is signed with the private key of a code-signing certificate (often described as encrypting the hash with the private key)
- The signed hash and certificate are added to the distribution files
- At installation time, the device uses the public key to verify the signature
- Only valid, unaltered and trusted code is executed
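The five steps above, carried through end to end as an added example (not code from the original page): the vendor side hashes and signs the image and bundles the signature with its public key, and the device side verifies the signature only against the key provisioned in it, so a tampered image or a bundle signed with a substituted key is rejected. It assumes a hypothetical `Bundle` format and ECDSA P-256 as the signing algorithm; a real deployment would carry a certificate chain and keep the private key in an HSM.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Bundle is the hypothetical distribution format: image, detached signature over its SHA-256, signer key (DER).
type Bundle struct {
	Firmware, Signature, PubKeyDER []byte
}

// Sign is the vendor-side step; in production the private key stays in an HSM.
func Sign(priv *ecdsa.PrivateKey, firmware []byte) (Bundle, error) {
	digest := sha256.Sum256(firmware)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil { return Bundle{}, err }
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil { return Bundle{}, err }
	return Bundle{Firmware: firmware, Signature: sig, PubKeyDER: der}, nil
}

// Verify is the device-side step. trustedDER is the key provisioned at manufacture;
// the key inside the bundle counts only if it matches it, so a swapped key is rejected.
func Verify(trustedDER []byte, b Bundle) bool {
	if !bytes.Equal(trustedDER, b.PubKeyDER) {
		return false
	}
	key, err := x509.ParsePKIXPublicKey(trustedDER)
	pub, ok := key.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return false
	}
	digest := sha256.Sum256(b.Firmware)
	return ecdsa.VerifyASN1(pub, digest[:], b.Signature)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bundle, _ := Sign(priv, []byte("constructed PLC firmware image v1.2")) // constructed sample
	fmt.Println("genuine update accepted:", Verify(bundle.PubKeyDER, bundle))
	tampered := Bundle{append([]byte{}, bundle.Firmware...), bundle.Signature, bundle.PubKeyDER}
	tampered.Firmware[0] ^= 0x01 // one flipped bit in the image, same signature
	fmt.Println("tampered update accepted:", Verify(bundle.PubKeyDER, tampered))
}
```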
Applications in OT
| Use case | Example |
|---|---|
| Firmware updates | PLCs, drives and I/O cards loaded only with verified firmware |
| Script deployment | Only signed scripts permitted via the OT management system |
| SCADA/HMI software | Protection against tampered visuals or logic |
| BIOS/bootloader verification | Secure Boot in industrial IPCs or gateways |
| Edge/IoT devices | Cloud or OTA updates only via signed distribution |
Best practices
| Measure | Explanation |
|---|---|
| Use of HSM or TPM | Securing the private signing key (in hardware) |
| Certificate management | Regular rotation, revocation on compromise, logging |
| Sign configuration files too | E.g. when deploying settings to OT applications |
| RBAC | Only authorised personnel may sign and distribute code |
| CI/CD integration | Automatic signing of builds in the DevOps pipeline |
Risks without code signing
- Installation of malicious firmware via supply-chain attack
- Use of invalid or outdated software in critical installations
- No detection when OTA updates or backups are tampered with
- Issues during audits, compliance or forensic investigations
- Breaches of IEC 62443 and future EU obligations (such as the Cyber Resilience Act)
In summary
Code signing is an indispensable security layer in OT environments for trusting software and firmware. Without a digital signature, there is no guarantee that the code is safe, original and unmodified.
