OPC 60000-3 IESHG - Authentication in the OT-Environment

Description

Scope

The scope of this paper is to describe, at a high level, human user authentication and authorization within the OT environment. Workflows are described along with the technologies that enable them. However, there will necessarily be aspects of authentication that are specific to the various OT protocols, equipment, and installations and that cannot be covered by a whitepaper such as this. The provisioning and bootstrapping of the equipment and software is also outside the scope of this whitepaper.

Challenges and constraints

Deploying and using authentication in the OT environment presents some challenges beyond those found in a typical information technology (IT) use case. A few of these challenges are:

  • Equipment as well as users may be connected to or disconnected from the network that provides authentication
  • Time synchronization may not be available or supported
  • Administrators often want to manage users centrally
  • Authentication and authorization should work independently of the interface used (e.g. wired, wireless, Bluetooth, etc.)
  • It is not desirable to transmit confidential credentials such as passwords to every OT device
  • For highly constrained (non-Ethernet) field devices, no public key infrastructure (PKI) solution exists today
  • For connected environments, integration with existing IT tools is desirable
  • Multifactor authentication is desired, but it is challenging for OT devices to support it directly
  • The environment is highly heterogeneous, with products from various vendors that do not necessarily interoperate
  • Some devices operate on highly constrained platforms with little memory or other computing resources (e.g. temperature sensors with HART and Bluetooth Low Energy), but still need to support authentication and authorization
  • Emergency access to equipment can be necessary even when a central Identity Provider is not available
  • Authentication is also needed during on-site and off-site repairs and during initial commissioning
  • As a secondary concern, in many situations traceability of events such as authentication is important
  • Many devices do not have a user interface

Working Group: IESHG - Industrial Ethernet Security Harmonization Group
Document Type: Whitepapers
License: Free
Access Level: Registered
Status: Release
Date: 2025-08-12