What is a Trusted Platform Module (TPM)?
A Trusted Platform Module (TPM) is a hardware-based security chip used to securely store and manage cryptographic keys, certificates and other security data. TPMs are designed to safeguard the integrity and confidentiality of systems — even if the operating system is compromised.
In OT environments, TPM is used to provide devices such as Engineering Stations, HMIs, SCADA servers and Firewalls with trusted identity and secure key storage.
🧠 How does TPM work?
- Hardware-based security
- The TPM is physically soldered onto the motherboard or integrated into a module
- Cryptographic functions
- Generates, encrypts and stores keys in a secure environment
- Integrity verification
- Measures critical components during boot (BIOS, bootloader, OS)
- Verifies that nothing has been altered (Secure Boot / Measured Boot)
- Secure storage
- Keys are never exposed unencrypted outside the TPM
TPM provides security at the lowest level of the system — the hardware itself.
🏭 TPM in industrial networks
- Authentication of OT devices on a network
- Disk encryption for HMIs and Engineering Stations with TPM-based key storage
- Secure Boot or Measured Boot in industrial PCs
- Trusted identity for certificate-based authentication
- Integration with Remote Attestation for remote management
Applied in, among others:
- Industrial Windows/Embedded systems with TPM 2.0
- Secure storage for VPN or SSH keys
- Manufacturer-installed TPMs in industrial gateways and edge devices
🔍 TPM vs. HSM vs. software key storage
| Characteristic | TPM | HSM | Software (soft keys) |
|---|---|---|---|
| Storage form | Hardware, on the motherboard | External hardware module | In a file on disk |
| Application | Endpoint security | Enterprise key management | Basic use or legacy applications |
| Physical security | Yes | Very strong | None |
| Use in OT | Embedded devices, PCs | Central key servers | Not recommended |
🔐 Security aspects
- TPMs are resistant to physical attacks and tampering
- Keys can only be used on the original device
- Used in combination with BitLocker, Secure Boot, HTTPS
- TPM 2.0 is required for modern OS security functions
- Meets requirements from IEC 62443 and ISO 27001 for secure key storage
TPM provides trusted baseline security, independent of software integrity.
📌 In summary
Trusted Platform Modules provide a fundamental hardware basis for confidentiality, integrity and authentication in OT and IT systems. TPMs strengthen system security from the moment of startup through to key management and device identity.