News & Information(eng)

SSenStone cooperates with LS Electric for localization of PLC with next-generation authentication technology

Written by SSenStone | Feb 26, 2023 4:16:00 PM

SSenStone announced that the company has successfully completed a proof-of-concept (PoC) with LS Electric on preventing external threats toward programmable logic controllers (PLC), a key device for integrated operation and control in automatic operational processes. The two companies plan to work together to resolve global common vulnerabilities of PLCs, which are spreading from manufacturing production fields to advanced system operation and various internet of things (IoT) environments.    

PLCs are regarded as a key device for industry automation, comparable to the 'human brain'. The global PLC market, which was worth $14.6 billion in 2022, expects to reach $20.2 billion by 2028 with a compound annual growth rate (CAGR) of 5.38%.

However, as IoT environments based on network connection increase in industries that apply PLCs, inappropriate access and authentication challenges as a result of cyber attacks are expanding. Thus rectifying the user authentication process based on one password for one device (often within a private network) is a key focus. PLC hacking attempts continue to increase, targeting weaknesses inherent in passwords that use fixed values, as well as password sharing, poor password management, and loopholes in user change management. In addition, many of the current PLC access control security solutions are accompanied by system upgrades that require a lot of time, manpower, and resources, so the administrative burden is by no means small.

SSenStone and LS Electric are focused on solving the inherent weakness of passwords, while simplifying the authentication process by focusing on convenience and scalability of PLC operation and carrying out a POC to make the most of the existing infrastructure. 

First, SSenStone applied its one-time authentication code (OTAC) to PLC user authentication, with a focus on minimising changes from the existing PLC interface instead of creating a new authentication interface. Second, access control list (ACL) management was provided as a post-PLC authentication process. 

As a result, it was confirmed that access through password sharing, as well as access by unauthorized users through password theft, was fundamentally blocked. In particular, it was proven that attacks such as packet sniffing can be neutralized by allowing only authorized users to access the PLC. PLC managers were also satisfied with the new authentication process as it can was performed in the same way as with the existing interface.

Kwon Daehyun, team Leader at Ls Electric and member of IEC SMB, expressed the intention to deepen collaboration between the two companies to implement security enhancements at actual industrial sites.

Yoo Chang-hun, CEO of SSenStone, said, "We were able to prove the solution tackles vulnerabilities inherent in PLC systems through this PoC. We will actively cooperate with LS Electric, who are making strides towards the global automation market, to solve the vulnerabilities of not only PLCs, but also industrial control systems (ICS) and operational technology (OT).

Together with LS Electric, the most prominent industrial automation company in Korea, it has been possible to prove the solution works on PLC systems at home and abroad through this PoC.” 

The LS Electric PoC clearly demonstrated a reduction in manpower and cost, in addition to increased productivity and efficiency, were possible whilst maintaining strong and safe user & device authentication, via a simple, seamless deployment process. SSenStone and LS Electric plan to promote full-scale commercialization in the future, with two companies actively discussing the joint launch of a solution that combines SSenStone's OTAC technology with LS Electric's PLC product family.

 

---------------------------------

More about SSenStone's PoC with LS Electric

Background/Challenge
LS Electric's PLC goes through a user authentication process in which an 8-digit fixed value is entered. Access is granted as soon as a real user enters their password on the login screen. If a colleague other than the actual user enters the same password, they can access the PLC if the password is correct, meaning anyone can access PLC devices. 

PoC on LS Electric PLC device
OTAC-applied PLC performs user authentication with a one-time dynamic code rather than a fixed value. The process of registering real users in the PC server is the same as the existing method. When the user registered on the PC server registers his/her smartphone to be used to generate the PLC login code, all preparations are complete.

  1. Generate an authentication code with a smartphone already registered for PLC login. Even if the network connection is restricted for internal safety, an authentication code can be generated at any time (not network dependent).
  2. If you enter the just-generated code on the PLC login screen, the server verifies whether you are a real user. If you are a registered user, the access is granted
  3. Since all authentication codes can be used only once, you cannot access PLC with illegitimately acquired codes. Even if the user is already registered, access will be denied if the authentication code that has already been used is used.
  4. If you access with an authentication code generated with an unregistered smartphone or enter the authentication code later than the valid time that you can set - (e.g., valid within 30 seconds) - the access will be denied (time settings are also flexible).
  5. OTAC-applied PLC allows access only when the registered user enters the authentication code generated through the registered device, combining multiple steps into one.