Research article (open access)

Towards Availability of Strong Authentication in Remote and Disruption-Prone Operational Technology Environments

Published: 30 July 2024

Abstract

Implementing strong authentication in a network requires stable connectivity between the service providers deployed within it (the applications that users need to access) and the Identity and Access Management (IAM) server located in the core segment of the network. This is challenging for Operational Technology (OT) systems deployed in remote areas, which are frequently cut off from the core segment by unavoidable network disruptions. As a result, weak authentication methods and shared credentials are still common in these OT environments, leaving them exposed to increasingly sophisticated cyber threats. In this work, we propose a solution that provides highly available multi-factor authentication (MFA) for OT environments. The solution is based on Proof-of-Possession (PoP) tokens generated by the IAM server for registered users. Each token is securely bound to user-specific factors (e.g., a physical security key, a biometric, or a PIN), so that a service provider can strongly authenticate the user by validating the token even while disconnected from the IAM server. We used the Tamarin Prover to verify the security of the proposed authentication scheme, and we implemented the solution in a real-world setting to evaluate its performance. The results of our analysis and experiments confirm the efficacy of the proposed solution.
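The offline token-validation flow the abstract describes, worked through as an added example. This is illustration code written for this page, not the authors' implementation or their exact protocol: it assumes RFC 7800-style key binding (a `cnf` claim carrying the user's authenticator public key), uses an Ed25519 key pair as a stand-in for the security-key credential, and uses a simplified `payload.signature` encoding rather than a full JWS. The IAM server signs the token while the site is connected; a service provider that has cached the IAM public key later validates the token and demands a signature over a fresh nonce with the bound key, with no round trip to the IAM server. Names such as `iam.core`, `hmi-substation-4` and `operator-17` are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims in the IAM-issued token. The cnf (confirmation) claim binds the token to
// the user's authenticator public key, RFC 7800 style. The field set and the
// "payload.signature" encoding are assumptions made for this example.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
	Cnf string `json:"cnf"` // base64url ed25519 public key of the user's security key
}

// IssueToken runs on the IAM server while the site is connected to the core segment.
func IssueToken(iamPriv ed25519.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c)
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(iamPriv, payload))
}

// ServiceProvider is an OT-side application that keeps authenticating users after
// the IAM link drops, using only the cached IAM public key and a used-nonce store.
type ServiceProvider struct {
	ID     string
	IAMPub ed25519.PublicKey
	Used   map[string]bool
}

// ValidateToken checks the IAM signature and expiry with no network round trip.
// It proves the token is genuine, not that the presenter is the enrolled user.
func (sp *ServiceProvider) ValidateToken(token string, now time.Time) (*Claims, error) {
	head, tail, ok := strings.Cut(token, ".")
	payload, err1 := b64.DecodeString(head)
	sig, err2 := b64.DecodeString(tail)
	if !ok || err1 != nil || err2 != nil || !ed25519.Verify(sp.IAMPub, payload, sig) {
		return nil, errors.New("malformed token or invalid IAM signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Challenge returns a fresh random nonce the user must sign with the bound key.
func (sp *ServiceProvider) Challenge() string {
	n := make([]byte, 16)
	rand.Read(n)
	return b64.EncodeToString(n)
}

// Authenticate is the proof-of-possession step: a genuine token is not enough, the
// presenter must also sign (nonce | sp.ID) with the key matching cnf. Binding sp.ID
// stops cross-application replay; single-use nonces stop replay at the same one.
func (sp *ServiceProvider) Authenticate(token, nonce string, proof []byte, now time.Time) (string, error) {
	c, err := sp.ValidateToken(token, now)
	if err != nil {
		return "", err
	}
	if sp.Used[nonce] {
		return "", errors.New("nonce already used")
	}
	userPub, err := b64.DecodeString(c.Cnf)
	if err != nil || len(userPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(userPub), []byte(nonce+"|"+sp.ID), proof) {
		return "", errors.New("proof of possession failed")
	}
	sp.Used[nonce] = true
	return c.Sub, nil
}

// ProvePossession is the client side; a hardware security key would sign internally
// after its PIN or biometric user-verification gesture.
func ProvePossession(userPriv ed25519.PrivateKey, nonce, spID string) []byte {
	return ed25519.Sign(userPriv, []byte(nonce+"|"+spID))
}

func main() {
	iamPub, iamPriv, _ := ed25519.GenerateKey(rand.Reader)   // IAM server key pair
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader) // user's security key
	now := time.Now()
	tok := IssueToken(iamPriv, Claims{Sub: "operator-17",
		Exp: now.Add(8 * time.Hour).Unix(), Cnf: b64.EncodeToString(userPub)})
	sp := &ServiceProvider{ID: "hmi-substation-4", IAMPub: iamPub, Used: map[string]bool{}}
	nonce := sp.Challenge()
	fmt.Println(sp.Authenticate(tok, nonce, ProvePossession(userPriv, nonce, sp.ID), now))
}
```

Two properties of the flow are worth noting. The token alone never grants access, so a token copied off a compromised HMI is useless without the security key, and a proof signed for one service provider is rejected at another because the provider's ID is part of the signed message. One caveat the example makes visible: a token stays valid until its `exp` even if the IAM server revokes the user during the outage, so the token lifetime has to be chosen against the expected disruption window.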

    Published In

    ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security
    July 2024
    2032 pages
    ISBN: 9798400717185
    DOI: 10.1145/3664476
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. availability
    2. industrial control systems
    3. multi-factor authentication
    4. operational technology
    5. security

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Funding Sources

    • Cyber Security Cooperative Research Centre (CSCRC), Australia

    Conference

    ARES 2024

    Acceptance Rates

    Overall Acceptance Rate 228 of 451 submissions, 51%
