With the recent spate of cybersecurity events and associated calls to action among politicians, security of the operations technology (OT) realm is certainly in the spotlight. Though preliminary reports on recent events indicate the fault lay primarily in human error and housekeeping, increased requirements in OT cybersecurity are a certainty for us all.
Multi-factor authentication (MFA) is relatively seldom used in an OT context, but will likely see greater use. It provides an added degree of security that we’ve all become familiar with in our personal lives. The four types of factors used to establish identity are: what the user knows, what the user has, who the user is, and where (or when) the user is. These MFA identification options can take the form of two-factor identification (2FA), which uses two factors; multi-factor identification (MFA), which uses two or more factors; and four-factor identification (4FA), which uses all four factors.
Increasingly, users are not just individuals in the OT and IIoT environment, but devices and services, for which some of the factor identifications options are not feasible. MFA contrasts with the expected ease-of-use, but fortunately supports “single sign-on” once identity is authenticated. Let’s look at examples for each of the four types of authentications and how they might be used in an OT environment.