Pain points

Industrial Control Systems (ICS, also known as Industrial Automation and Control Systems, IACS) are used to manage automated industrial processes and to capture the data logged from those processes. ICS support network connectivity to improve operational tasks, including remote supervision and monitoring. Operational technology (OT) refers to the hardware and software used to control the equipment within the ICS itself. Traditional OT and Information Technology (IT) environments were separate, meaning OT owners relied on the ‘air gap’ between OT and IT systems to protect them. Cloud computing and IoT (Internet of Things) aim to connect OT and ICT (Information and Communication Technology) infrastructure to a variety of devices over different network technologies, but bridging the traditional ‘air gap’ has multiplied the endpoints on the industrial network, leaving ICS exposed to ever-increasing security risks and vulnerabilities.


Programmable Logic Controllers (PLCs) serve as a key component of ICS and OT systems and are equally susceptible to cyber-attacks, with inadequate access control and authentication within these systems posing a major challenge. As a result, by June 2022, 93% of all organisations with OT environments had experienced hacking in the past twelve months, and over 78% had faced three or more security incidents. The result is increased demand for enhanced authentication for ICS/IACS, and ICS component manufacturers are now actively reviewing their design architectures to build more robust password-based credentials.


Key challenges related to OT & PLCs


Weak authentication in current PLC systems

Because ICS are often limited in adopting heavier security stacks by their limited computing capacity, the password-based credential is commonplace and is still used as the authentication mechanism for both human users and processes. However, passwords bring significant challenges with them.

Typical challenges
  • Password sharing (users are not uniquely identified; not recommended)
  • Managing the separate ID/password pair specified for each PLC device
  • Difficulty managing user changes (leavers, contractors)
  • Inherent password weaknesses (static information is vulnerable to brute forcing, phishing, credential stuffing, etc.)

Exploitation of these vulnerabilities was made clear by the Stuxnet case, which directly targeted weakly configured passwords, and it continues to pose a risk today.

24/7 operation limits OT security upgrades

Many PLCs power mission-critical operations that need to run continuously. This makes updates to PLCs, including applying security patches and strengthening the security stack, difficult to schedule. In many instances, once an ICS facility begins operating, the inherent vulnerabilities within its systems remain for the life of the deployment. This is common knowledge amongst threat actors, and it keeps these systems a constant target.

Reluctance to upgrade existing OT/PLC systems

In addition, security upgrades to existing OT systems often require significant time, manpower and resources, which in turn carry considerable cost implications for ICS and OT organisations and manufacturers. As a result, many PLCs continue to operate despite known vulnerabilities, leaving the PLCs and the systems they control at considerable risk.


The Solution

swIDch’s Programmable Logic Controller OTAC provides a highly optimised and highly secure authentication solution specifically for PLC devices. It utilises our dynamic 'one-time authentication code' (OTAC) technology to resolve typical IACS/OT security challenges.

OTAC resolves:
  • Password sharing in password-only authentication systems
  • Difficulty managing the ID/password pair specified for each PLC device
  • Difficulty managing user changes (leavers, contractors, etc.)
  • Hacking attempts using password-cracking software

OTAC ensures that only known and authorised users/devices can access the PLC, using a dynamic, non-reusable, constantly changing code guaranteed to have 0% duplicates (which defeats packet-sniffing attacks).

Current PLC certification: Password-based


Issues with current PLC certification using just passwords

  1. Password sharing between engineers
  2. Access is granted to users who are indistinguishable (unidentified)
  3. If a password is stolen (from any user), it can later be used to gain access without any further challenge

Optimal PLC authentication method: OTAC-based authentication


Issues resolved by using OTAC-based authentication

  1. No password sharing: users enter dynamic codes (OTAC) that are generated differently each time
  2. Access is only granted to authorised users, who are also fully identifiable
  3. If an OTAC is stolen and later replayed, the OTAC verification module denies access
  4. All of this is possible without any need to modify the existing password interface (8-digit example above)

* Example PoC success case from current client utilising swIDch's OTAC technology
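To make the four properties in the list above concrete, here is an added example that is not part of this page and not swIDch's OTAC algorithm (whose internals the page does not describe). It uses a generic HMAC-over-counter construction in the spirit of RFC 4226 (HOTP), truncated to an 8-digit decimal code so that it fits an unchanged 8-digit password field, with a per-user secret so the verifier can tell users apart, and a verifier that accepts each counter value at most once so a sniffed or stolen code is useless once used. The generator needs no network; only the verifier, which could sit on the PLC or on a backend, keeps state. The assumed parameters (8 digits, a look-ahead window of 5 for a desynchronised token, the hypothetical `CodeGenerator`/`CodeVerifier` names) are illustrative; unlike the page's claim for OTAC, this toy scheme gives no guarantee that two users never produce the same 8-digit code at the same moment.

```python
"""Illustrative per-user one-time code scheme for a fixed-width PLC login field.

Generic HMAC/counter construction (HOTP-style, RFC 4226) with an 8-digit output.
This is NOT swIDch's OTAC algorithm; it only demonstrates the properties listed
on the page: dynamic code, per-user identification, replay rejection, and a
generator that works offline.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

DIGITS = 8        # assumption: the existing PLC password field accepts 8 digits
LOOK_AHEAD = 5    # assumption: how far the verifier tolerates a desynchronised counter


def one_time_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive a decimal code of fixed width from a per-user secret and a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation, as in HOTP
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)


class CodeGenerator:
    """Runs on the user's token (phone app, NFC card). Needs no network connection."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        self.counter += 1                      # every code uses a fresh counter value
        return one_time_code(self.secret, self.counter)


class CodeVerifier:
    """Runs on the PLC or a backend. Accepts each counter value at most once per user."""

    def __init__(self, look_ahead: int = LOOK_AHEAD) -> None:
        self.look_ahead = look_ahead
        self.secrets: Dict[str, bytes] = {}
        self.last_counter: Dict[str, int] = {}

    def enroll(self, user_id: str, secret: bytes) -> None:
        self.secrets[user_id] = secret
        self.last_counter[user_id] = 0

    def verify(self, user_id: str, code: str) -> bool:
        """True iff `code` matches an unused counter within the look-ahead window."""
        secret = self.secrets.get(user_id)
        if secret is None:
            return False                       # unknown user: no secret, no access
        last = self.last_counter[user_id]
        for counter in range(last + 1, last + 1 + self.look_ahead):
            if hmac.compare_digest(one_time_code(secret, counter), code):
                # Advance the high-water mark: this counter and every earlier one
                # are now burnt, so a replayed (or skipped-then-replayed) code fails.
                self.last_counter[user_id] = counter
                return True
        return False

    def identify(self, code: str) -> Optional[str]:
        """Return the enrolled user the code belongs to (consuming it), or None."""
        for user_id in self.secrets:
            if self.verify(user_id, code):
                return user_id
        return None


if __name__ == "__main__":
    # Constructed demo: one enrolled engineer, one replay attempt.
    secret = b"alice-token-secret"             # constructed sample secret
    token = CodeGenerator(secret)
    plc = CodeVerifier()
    plc.enroll("alice", secret)
    code = token.next_code()
    print("first use :", plc.verify("alice", code))   # True
    print("replay    :", plc.verify("alice", code))   # False
```

The look-ahead window is what keeps a token usable after the user generated a few codes without submitting them; the cost is that, per user, an attacker who sniffed a code has a window of only the codes that were never submitted, and none of them once a later code has been accepted.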

Benefits

 

Unique features of swIDch’s OTAC technology in PLCs include:

  • Uni-directional authentication (no network environment required)
  • Lower CPU overhead (i.e. faster) compared to other authentication/encryption methods
  • Can be deployed on existing infrastructure (no large, expensive infrastructure changes required)
  • Unique dynamic code for each individual user, so no more indistinguishable user access
  • Highly configurable code parameters, enabling deployment with minimal UI changes where required
  • Lightweight SDK/applet available to implement the code generator in multiple forms (e.g. the user's smartphone or an NFC card)
  • Low CPU overhead for the code verifier, which can be implemented on a central backend server or as a lightweight module on the PLC itself
  • Efficient user and device authentication management, reducing time and manpower requirements
  • Significant cost saving when compared to alternative solutions
  • Faster and lower cost compared to authentication methods using PKI certificates

swIDch’s Programmable Logic Controller OTAC allows manufacturers and operators to significantly increase security with minimal disruption and minimal computing requirements, while at the same time removing password-associated vulnerabilities and greatly simplifying the authentication process. Resolving these PLC challenges opens the door to faster time-to-market for new products and solutions, and therefore to increased productivity and, ultimately, efficiency, a critical component of all ICS and OT systems.

 

To understand more how swIDch’s Programmable Logic Controller OTAC can revolutionise ICS and OT systems, contact us below.   

Why swIDch

OTAC, developed by swIDch, is the original technology that provides all of the following features, tested and substantiated by the University of Surrey technical report:

  • A dynamic code that is sufficient to identify the user
  • A dynamic authentication code that does not duplicate
  • Uni-directional authentication in an off-the-network environment

OTAC is a dynamic code, which means the code keeps changing. As a result, you don’t need to worry about any leak of your personal information, such as your card details, because the codes will already have changed by the time others try to use them.

A network connection is not necessary at all for generating OTAC. Removing an authentication stage that requires a network connection directly means there are fewer gateways for hackers to reach our personal information. Moreover, this feature enables users to authenticate even in networkless environments, such as on a plane, underground, or in rural or foreign areas.

swIDch can guarantee that the code never duplicates with anyone at any given moment. There is no chance of someone else having the same code.

Users or their devices can be identified with the code alone. Once an OTAC has been generated, providing the OTAC by itself is already fully sufficient to identify the user, as the code is unique. This means you can forget about the bundles of static information, including IDs and passwords.