Industrial Control Systems, (also known as Industrial Automation and Control Systems, IACS) are used for managing the automated industrial process and capturing data logged from the flow of the processes. ICS supports network connectivity to improve operational tasks, including remote supervisory and monitoring. Operational technology (OT) relates to the hardware and software which is used to control the equipment within the ICS itself. Traditional OT & Information Technology (IT) environments were separate, meaning OT owners relied on the ‘air gap’ that separated OT from IT systems in order to protect them. Cloud Computing & IoT (Internet of Things) aims to connect OT & ICT (Information and Communication Technology) infrastructure to various devices using different network connectivity technologies, but this bridging of the traditional ‘air gap’ has resulted in widened endpoints to the industrial network, leaving ICSs exposed to ever-increasing security risks and vulnerabilities.
Programmable Logic Controllers (PLC) serve as key component of ICS and OT systems and are equally susceptible to cyber-attacks, with inadequate access control and authentication within these systems posing a major challenge. As a result, 93% of all organizations with OT environments experienced hacking in the past twelve months by June 2022 with over 78% confronted with three or more security incidents. The result is increased demand for enhanced authentication for ICS/IACS and ICS component manufacturers are now actively reviewing the design architecture in building robust password-based credentials.
Key challenges related to OT & PLCs
Weak authentication in current PLC systems
Because ICSs are often limited in adapting higher security stacks due to their low computing output, the password-based credential is commonplace and still being used as an authentication mechanism for human users and processes. However, passwords bring with them significant challenges.
- Password sharing (where users not uniquely defined - not recommended)
- Password management between ID/PW specified for each PLC device
- Difficulty managing user changes (leavers/contractors)
- Inherent password weaknesses (static information vulnerable to brute forcing, phishing, credential stuffing etc)
Exploitation of these vulnerabilities were made clear via the Stuxnet case which directly targeted weakly configured password and continues to pose a risk today.
24/7 operation limits OT security upgrades
Many PLCs power mission critical operations, which often need to operate continuously. This means updates to PLCs including applying security patches and enhancing the security stacks are difficult to manage. In many instances, once an ICS facility begins to operate, the inherent vulnerabilities within these systems remain. This is common knowledge amongst threat actors resulting in these systems being a constant target.
Reluctance to upgrade existing OT/PLC systems
In addition, security upgrades to existing OT systems often require significant time, manpower and resources, which in turn pose considerable cost implications for ICS and OT organisations and manufacturers. As a result, many PLCs continue to operate despite inherent vulnerabilities, leaving PLCs and the systems they operate at considerable risk.
swIDch’s Programmable Logic Controller OTAC provides a highly optimised and highly secure authentication solution specifically for PLC devices. It utilises our dynamic 'one-time authentication code' (OTAC) technology to resolve typical ICS/OT security challenges.
- Password sharing in password-only authentication systems
- Difficulty managing ID/PW specified for each PLC device
- Difficulty managing user changes (leavers / contractors etc)
- Hacking attempts using password cracking software
OTAC ensures only known and authorised users/devices can access PLC using dynamic, non-reusable, constantly changing code guaranteed with 0% duplicates (defeats packet sniffing attacks)
Current PLC certification: Password-based
Issues with current PLC certification using just passwords
- Password sharing between engineers
- Access is granted to users who are indistinguishable (un-identified)
- If a password is stolen (from any user) it can be later used to gain access without any further challenge
Optimal PLC authentication method: OTAC-based authentication
Issues resolved by using OTAC-based authentication
- No password sharing – users enter dynamic codes (OTAC) which are generated differently each time
- Access is only granted to authorised users – who are also fully identifiable
- If the OTAC is stolen and later used it will be denied access by the OTAC verification module
- All of this is possible without any need to modify the existing password interface (8-digit example above)
OTAC resolves Common Vulnerabilities and Exposures (CVE) including:
CVE-2022-32143, CVE-2022-2003, CVE-2022-1794, CVE-2021-37172, CVE-2021-32982, CVE-2021-32978, CVE-2021-20827, CVE-2020-15791, CVE-2020-10628, CVE-2020-10276, CVE-2022-2758
* Example PoC success case from current client utilising swIDch's OTAC technology
Unique features of swIDch’s OTAC technology in PLCs include:
- Uni-directional authentication (no network environment required)
- Lower CPU overhead (ie faster) compared to other authentication/encryption methods
- Can be deployed on existing infrastructure (no large, expensive infrastructure changes required)
- Unique dynamic code for each individual user - no more indistinguishable user access
- Highly configurable code parameters enabling deployment with minimal UI changes if required
- Lightweight SDK/applet available to implement code generator in multiple forms (eg users smartphone or NFC card)
- Low CPU overhead for code verifier which can be implemented on a central backend server or in lightweight module on the PLC itself
- Efficient user and device authentication management reducing time and manpower requirements
- Significant cost saving when compared to alternative solutions
- Faster and lower cost compared to authentication methods using PKI certificates
swIDch’s Programmable Logic Controller OTAC allows manufacturers and operators to significantly increase security with minimal disruption and minimal computing requirements whilst at the same time removing password associated vulnerabilities, and thus greatly simplifying the authentication process. Resolving PLC challenges opens the door to faster time-to-market for new products and solutions and therefore increased productivity and ultimately efficiency, a critical component of all ICS and OT systems.
To understand more how swIDch’s Programmable Logic Controller OTAC can revolutionise ICS and OT systems, contact us below.
Contact us today
that provides all of the following features, tested and substantiated
by the University of Surrey technical report
sufficient to IDENTIFY user