ZF Friedrichshafen AG Secures Wireless Manufacturing with Thales HSMs
Leading Manufacturer Uses Thales HSMs To Protect Mission-critical Processes and Meet Regulatory Requirements
With more than 130,000 employees, ZF is one of the world’s leading manufacturers of automotive chassis and driveline technology. The company’s network of 230 manufacturing facilities stretches across 40 countries, producing the innovative transmissions, steering systems, axles, and chassis components that the world’s top vehicle makers need. ZF’s primary focus is on continuing its tradition of quality and innovation, but it realizes that success today requires reliance on advanced technology systems to power manufacturing and core business processes. To secure its systems from internal and external threats, ZF relies on Microsoft Windows Server PKI (public key infrastructure) technology and Thales nShield hardware security modules (HSMs).
“Thales HSMs give us auditable key protection for the computers that conduct our office-based processes, and they enable more cost-effective and scalable security for the technology that drives our production lines,” says Jürgen Paulmichl, information technology security manager for ZF.
Benefits With Thales:
- Reducing IT costs with enterprise-class eSecurity
- Meeting the expectations of auditors and regulators
- Managing HSMs remotely and cost-effectively
- Protecting manufacturing processes from unauthorized access
Decentralized Security Expensive To Maintain
For several years ZF used PKIs to protect individual processes. Within the company’s PKIs, various certificate authorities (CAs) issued digital certificates to machines, such as servers and desktop computers, in the company’s network. Using digital certificates, systems could be uniquely identified and authorized to access business systems, such as ZF’s SAP accounting applications.
As ZF operated these PKIs, the company realized that they presented two challenges. Managing thousands of certificates without a centralized process was time-consuming and inefficient, especially when it came to tracking and updating expiring certificates. And importantly from a security perspective, its PKIs were not completely secure or recoverable because the private keys underlying the certificate issuing process were not protected in a scalable, hardware-based environment.
ZF subsequently decided to establish an enterprise-wide PKI. Paulmichl says, “With an enterprise PKI, we can manage certificates more efficiently. We chose to use Thales HSMs to secure our PKI and to enable a more reliable CA key storage environment. Implementing Thales HSMs has proven to be a smart move, as they have allowed us to easily meet the escalating security expectations of auditors, governments, and company leaders.”
To issue certificates and manage its PKI, ZF decided to implement the PKI provided with Microsoft Windows Server. ZF undertook an extensive evaluation process for the HSMs securing the PKI, and it solicited proposals from four leading HSM vendors. The company was looking for seamless integration with Microsoft Windows Server, FIPS certification, and support for 64-bit Windows. Of the HSMs that met those basic requirements, Thales nShield stood out thanks to its remote management capabilities and proven ability to integrate with Microsoft Windows Server.
“Only Thales HSMs had reference customers available to confirm ease of integration with Microsoft Windows Server,” explains Paulmichl. “We were also impressed with the fact that we could manage Thales HSMs remotely. It’s a capability that fit well with ZF’s global reach, allowing us to place HSMs as far away as Brazil while managing them from Germany. Being able to manage HSMs remotely cuts travel and management costs.”
After receiving training from Thales Advanced Services Group, ZF was able to integrate its Thales nShield HSMs into its PKI environment using in-house resources. “Thales provided all the insight we needed to manage our HSMs securely and remotely,” says Paulmichl. “When we do need to administer the HSMs, we do so using smartcards, which enforce separation of duties for added security and compliance validation.”
Today, ZF manages tens of thousands of machine certificates with its PKI, and it secures the CA issuing keys protecting each certificate with Thales HSMs. Perhaps most crucially, the certificates serve to authenticate all of the machines involved in producing its products. Its machines are connected to each other over wireless networks, and the certificates ensure that no unauthorized machine can interfere with or eavesdrop on ZF’s manufacturing processes.
“Thanks to our Thales HSMs, no one can issue, forge, or duplicate a certificate with our PKI. That is important to us from a business perspective and to our auditors who must sign off on our processes,” explains Paulmichl.
Headquartered in Friedrichshafen, Germany, ZF develops and manufactures driveline and chassis components for the global automotive industry. The company is best known for its innovative transmissions, including the world’s first 8-speed transmission.
Ready For Changing Regulations
In an effort to fight tax evasion and smuggling, the government of Brazil implemented regulations—called nota fiscal electronica—requiring that manufacturers produce electronic bills of lading “stamped” with a digital signature. The regulations mandate the use of HSMs to store and protect the time stamping certificates. While many manufacturers scrambled to implement compliant systems, ZF was ready. The company simply integrated its PKI with the SAP system it used to generate bills of lading.
“Brazil’s nota fiscal electronica is a good example of how regulations can require HSMs,” says Paulmichl. “Because our processes were already protected by HSMs, it was easy for us to comply. We are able to easily manage our HSMs in Brazil from Germany.”
Performance, Scalability, And Reliability Delivered By Thales
When a process reengineering effort required that ZF update certificates for tens of thousands of machines in a 24-hour period, its IT security staff was pleased that the company’s Thales nShields were more than up to the task. Paulmichl explains, “We rolled out certificates to all clients all over the world in one day. No location reported any errors. Our HSMs performed perfectly. You expect security from HSMs. Thales HSMs also provide the superior performance, scalability, and reliability needed to protect our global manufacturing processes.”