Solution Deployment Examples in OT
Explore how swIDch's adaptable Endpoint OTAC solution
seamlessly integrates into diverse OT environments,
offering flexible deployment options tailored to your unique operational needs.
In operational technology (OT), environments vary widely, each with unique characteristics. A solution must be highly configurable to integrate across multiple OT endpoints. Endpoint OTAC is designed to flexibly fit different environments and devices, whether deployed directly on individual OT endpoint devices such as PLCs, HMIs, or RTUs, on a central server, or in a hybrid configuration combining both approaches.

Deployment Model
Standalone
In standalone mode, Endpoint OTAC is deployed directly onto a PLC. This offers the most robust solution as everything is running on the PLC and does not require any network connection. Since the OTAC auth MFA is running locally on the PLC, all authentication requests are handled locally.
Server
In server mode, the solution is deployed centrally on an OT network server. This is ideal for protecting multiple OT endpoint devices and systems simultaneously, with each device forwarding authentication requests to the central server for verification.
Hybrid
Hybrid deployment combines standalone and server modes. Each OT endpoint device can authenticate locally if the server or network fails, while normal operations still leverage centralised management for large-scale deployments.
Software Components
Endpoint OTAC can be installed as a complete software package with an Admin Portal for user management and onboarding, along with the accompanying mobile app (where the OTAC is generated), available on Android and iOS.
REST API
Hosted on a web server, it offers the core functions: Verify OTAC, Register a new user, and De-Register an existing user.
Admin Portal
Web portal to manage users, roles, policies, and licences.
User Database
Stores user information and integrates with existing databases (MS SQL, Oracle, MariaDB, etc.).
Mobile App
Available on Android and iOS; generates OTAC codes and enforces an additional authentication factor such as a PIN or biometric verification (fingerprint/FaceID).
SDK
For customers who want more flexibility and integration, Endpoint OTAC also provides SDKs.
Application SDK
We provide an Application SDK in C++ that will allow customers to integrate user management and onboarding into their existing application.
Mobile SDK
We also provide a mobile SDK for Android and iOS to integrate the OTAC generation into their native mobile app.
Customer Deployment Examples
Customer A
One of the top-tier PLC manufacturers made a strategic decision to safeguard their PLCs using OTAC authentication with MFA. Now, every newly manufactured PLC comes equipped with OTAC auth MFA right out of the box—a smart move to enhance security for their customers. To seamlessly blend with their existing services, they opted for the Standalone deployment approach, integrating OTAC auth MFA as an embedded SDK.
Understanding Customer A’s Deployment and Installation Model:
1. User Interaction:
● When a user needs to log in to the engineering application, they are prompted for an entry code—the OTAC.
2. OTAC Generation:
● Within their mobile app, we’ve embedded our mobile SDK.
● The user generates an OTAC using our mobile SDK. This OTAC serves as a secure token.
3. Connecting to the Engineering Application:
● Armed with the OTAC, the user then provides it to the engineering application.
● The engineering application establishes a connection via Modbus—a communication protocol—directly to the Security Service residing inside the PLC.
4. Security Service Handling:
● Inside the PLC, the Security Service extracts the OTAC.
● To ensure the user’s authenticity, the Security Service employs our Application SDK.
5. Validation and Authentication:
● Finally, the Application SDK validates and authenticates the user, granting access to the engineering application.
Customer B
Customer B wanted to fortify the security of existing PLCs for their valued customers. They opted for OTAC auth MFA in server deployment mode. Here’s the breakdown:
- Centralized Management: Customer B appreciated the centralized approach of OTAC auth MFA. It’s like having a vigilant guardian overseeing multiple PLCs simultaneously.
- Deployment Strategy: For this setup, they chose the server deployment route, and to complete the picture, they went all-in with a full software install.
Customer B’s PLCs come with their very own Web Management Portal (WMP)—a web portal to control and oversee the PLC. Here’s how it all unfolds:
1. User Interaction: When a user wants to access the WMP they are prompted for an entry code—the OTAC.
2. OTAC Generation: Our trusty standard mobile app (available on both Android and iOS) generates the OTAC.
3. Forwarding the Request: The user hands over the OTAC to the WMP. The WMP forwards the request to the Verification API running on the central server via a secure HTTPS channel.
4. The Verification: Once the OTAC has been verified, the Verification API returns the result to the PLC and to the WMP.
Customer C
Customer C, another leading PLC manufacturer, wanted to give their customers flexibility and a choice on whether to have OTAC auth MFA deployed in standalone mode running on each individual PLC or on a central server.

- Standalone Mode:
○ For customers with a small number of PLCs, they offered standalone mode.
○ Everything—OTAC auth MFA and all—runs directly on each individual PLC.
- Server Deployment:
○ Customers with larger deployments could choose server deployment.
○ In this setup, everything runs on a central server, and each PLC forwards authentication requests there.
Why swIDch
that provides all of the following features, tested and substantiated
by the University of Surrey technical report

sufficient to IDENTIFY user
and AUTHENTICATION
off-the-network environment
Single-step identification and authentication with the code alone. Include our biometric option and get single-step MFA. Vastly improved UX by removing steps.
OTAC is a dynamic code, which means the code is constantly changing. Eliminates all use of static information. Forget usernames and passwords forever. Vastly reduced workload for IT helpdesks.
No network connection required for generating OTAC, enabling uninterrupted use no matter where you are. No more waiting for additional tokens/OTPs and no need for heavy public key infrastructure (PKI).
Highly configurable code parameters and a lightweight SDK/applet mean a wide range of deployment options on many devices across multiple sectors.