Evaluating PKI and OTAC for Secure Operational Technology
The ubiquity of Public Key Infrastructure (PKI) in securing our digital world is undeniable. From the padlock icon in our web browsers to the secure connections underpinning e-commerce, PKI's robustness has made it a cornerstone of modern cybersecurity.
Its ability to provide strong authentication, encryption, digital signing, and establish trust has led to its widespread adoption across diverse industries. While many associate PKI primarily with user authentication, its capabilities extend far beyond this, enabling secure communication, data integrity, and verifiable identities in a multitude of applications. However, implementing and managing PKI, particularly in specialized environments like Operational Technology (OT), presents significant complexities and potential pitfalls.
This article will delve into the challenges of leveraging PKI in OT, exploring how its inherent complexities, combined with the unique demands of industrial control systems, can lead to vulnerabilities if not carefully addressed. We will examine the gap between PKI's perceived robustness and the practical difficulties of its deployment in the critical infrastructure sector, highlighting the crucial need for a nuanced understanding of its limitations and the importance of tailored security strategies.
Where is PKI used?
Public Key Infrastructure (PKI) primarily provides a framework for establishing trust in digital communications. The broad categories of what PKI does are summarized below:
Authentication
PKI plays a crucial role in various authentication scenarios, providing strong verification of identities. Here are some key examples:
- Device Authentication (IoT): In the Internet of Things (IoT), PKI authenticates devices connecting to networks. This ensures that only authorized devices can communicate, preventing unauthorized access and potential security breaches.
- Passwordless Authentication: PKI underpins many passwordless authentication systems, such as smart-card and certificate-based logon. Authenticating with a certificate and its private key instead of a password removes the shared secret an attacker could phish, guess, or replay.
Trust
When discussing "trust" in the context of PKI, we're essentially talking about establishing and verifying the legitimacy of digital identities and communications. Here are some key use cases that highlight how PKI builds trust:
- Secure Web Browsing (HTTPS): When you see the padlock icon in your browser, it's a result of PKI. SSL/TLS certificates, issued through PKI, verify that the website you're visiting is authentic. This instills trust that your data will be transmitted securely and to the intended recipient.
- Secure Email (S/MIME): Digital signatures in emails, facilitated by PKI, provide assurance that the email originated from the claimed sender and that its content has not been altered. This builds trust in electronic communication.
Encryption
PKI is fundamental to enabling encryption in a wide range of applications. Here are some key examples of encryption use cases within a PKI framework:
- Secure Web Communication (HTTPS/TLS): This is perhaps the most visible use case. PKI underpins the TLS/SSL protocols that secure web traffic. When you access a website with "HTTPS," PKI certificates are used to establish an encrypted connection between your browser and the web server. This protects sensitive data like login credentials, credit card numbers, and personal information from interception.
- Email Encryption (S/MIME): S/MIME (Secure/Multipurpose Internet Mail Extensions) uses PKI to encrypt email messages, ensuring that only the intended recipient can read them. This provides confidentiality for sensitive email communications.
Signing
PKI is essential for digital signing, providing assurance of authenticity and integrity. Here are some key use cases:
- Code Signing: Software developers use PKI to digitally sign their applications. This verifies that the software comes from a trusted source and hasn't been tampered with. When you download signed software, your operating system can verify the signature, enhancing security.
- Firmware and Software Updates: Manufacturers use PKI to sign firmware and software updates for devices. This ensures that only authorized updates are installed, preventing malicious software from being injected into devices. This is very important for IoT devices.
Complexity in PKI Infrastructure
PKI complexity arises from the interdependence and specialized functions of its components. The Certificate Authority (CA) necessitates secure key management within Hardware Security Modules (HSMs) and strict access control policies. Registration Authorities (RAs) introduce additional identity verification procedures, requiring integration with the CA.
Certificate lifecycle management, encompassing issuance, renewal, and revocation, relies on Certificate Management Systems (CMS) and databases. Certificate distribution and validation, via Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP), demand efficient infrastructure. Cryptographic key generation and storage require adherence to cryptographic standards. The integration of these components, each with specific technical requirements, creates a complex system demanding specialized expertise for effective deployment and maintenance.
Infrastructure Requirements:
- Network Infrastructure:
- High bandwidth and low latency for CRL/OCSP distribution.
- Secure communication channels for certificate issuance and revocation.
- Server Infrastructure:
- High-availability servers for CA, RA, and OCSP responders.
- Secure storage for certificate databases and logs.
- Security Infrastructure:
- HSMs for secure key storage.
- Firewalls and intrusion detection/prevention systems.
- Physical security for CA and RA facilities.
- Database Infrastructure:
- Robust and highly available database systems to store certificate and revocation related information.
- Time Synchronization:
- Highly accurate and synchronized time sources are required across all PKI infrastructure.
Overall Complexity
- The interdependence of these components creates a complex system.
- The need for high security and availability adds to the complexity.
- Managing the lifecycle of certificates across diverse environments is challenging.
- Compliance with various standards and regulations must be demonstrated and maintained.
Pitfalls of Implementing PKI in OT
Implementing PKI in Operational Technology (OT) environments presents unique challenges and potential pitfalls, stemming from the distinct characteristics of these systems.
- Legacy Systems and Protocol Limitations:
- Many OT systems rely on legacy equipment with limited processing power and memory.
- Implementing complex cryptographic algorithms and certificate validation processes can strain these resources, causing performance issues or system instability.
- Older OT protocols might not support modern PKI standards; classic Modbus/TCP, for instance, carries no authentication at all, so certificates can only be introduced by wrapping the session in TLS at a gateway.
- Real-Time Performance Requirements:
- OT systems often operate with strict real-time constraints.
- Certificate validation and key management operations can introduce latency, potentially disrupting critical processes.
- Revocation only takes effect once the device has fetched a fresh CRL or queried OCSP; until then a compromised certificate is still accepted.
- Patching and Update Challenges:
- OT systems often have long lifecycles, and updates are infrequent due to production uptime requirements.
- Certificates expire, and algorithms and key sizes age out (SHA-1 signatures, 1024-bit RSA) well within a ten- to twenty-year device lifecycle, so a device whose certificate cannot be renewed eventually fails validation or has to be accepted insecurely.
- Updating firmware on embedded devices can be a logistical nightmare.
- Complexity and Management Overhead:
- PKI introduces significant complexity to OT environments, requiring specialized expertise for deployment and management.
- Managing certificate lifecycles, key distribution, and revocation processes can be challenging in distributed OT networks.
- Integration with existing OT management systems can also be difficult.
- Interoperability Issues:
- OT environments often consist of diverse devices and systems from different vendors.
- Ensuring interoperability between these systems and the PKI infrastructure can be a major challenge.
- Proprietary protocols and formats can hinder integration.
- Security of Private Keys:
- Protecting private keys in distributed OT environments is crucial.
- Compromised keys can lead to unauthorized access and control of critical systems.
- Physical security of devices becomes very important.
- Lack of Standardization:
- While PKI itself is standardized (X.509 and RFC 5280), the way it is profiled for OT is not: vendors differ in which key types, certificate extensions, and revocation mechanisms their devices support.
- This lack of standardization can lead to inconsistencies and vulnerabilities.
- Downtime risk:
- In an OT environment, downtime can have huge financial and even safety implications. Implementing PKI incorrectly, or having a PKI system fail, can cause significant downtime.
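The validation and revocation steps behind the pitfalls above, as an added example that is not code from this article or from any vendor: a Go program using only the standard library builds an in-memory root CA, issues a certificate to a hypothetical PLC, verifies the chain as of a given clock, then issues a CRL and checks it. The CA name, device name, serial numbers and lifetimes are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is an in-memory root CA plus one device certificate it issued.
// Every name and lifetime below is an assumption made for this example.
type DemoPKI struct {
	Root    *x509.Certificate
	RootKey *ecdsa.PrivateKey
	Device  *x509.Certificate
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildDemoPKI creates the root CA (key in memory here; in an HSM for real)
// and issues a one-year certificate to a hypothetical PLC.
func BuildDemoPKI(now time.Time) *DemoPKI {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Plant Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	must(err)
	root, err := x509.ParseCertificate(rootDER) // parsed copy carries the SubjectKeyId the CRL needs
	must(err)
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	devTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "plc-01.plant.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
	}
	devDER, err := x509.CreateCertificate(rand.Reader, devTmpl, root, &devKey.PublicKey, rootKey)
	must(err)
	device, err := x509.ParseCertificate(devDER)
	must(err)
	return &DemoPKI{Root: root, RootKey: rootKey, Device: device}
}

// VerifyAt checks the chain device -> root as seen by a verifier whose clock
// reads clock. No network is needed, only the trust anchor and a sane clock:
// a skewed device clock fails here exactly as an expired certificate would.
func (p *DemoPKI) VerifyAt(clock time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	_, err := p.Device.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: clock})
	return err
}

// IssueCRL signs a CRL, good for seven days, that revokes the device cert.
func (p *DemoPKI) IssueCRL(now time.Time) []byte {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: p.Device.SerialNumber, RevocationTime: now}},
	}, p.Root, p.RootKey)
	must(err)
	return der
}

// CheckRevocation validates a CRL against the root and looks the device serial
// up in it. The CRL bytes may arrive by any channel (removable media, a
// maintenance laptop, a signed update bundle); the check that must not be
// skipped is NextUpdate, which is where stale revocation data bites.
func (p *DemoPKI) CheckRevocation(crlDER []byte, clock time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(p.Root); err != nil {
		return false, fmt.Errorf("CRL signature: %w", err)
	}
	if clock.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL stale: NextUpdate %s has passed", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.Device.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now()
	p := BuildDemoPKI(now)
	revoked, err := p.CheckRevocation(p.IssueCRL(now), now)
	fmt.Println("chain valid:", p.VerifyAt(now) == nil, "| revoked:", revoked, err)
}
```

Three of the pitfalls listed above appear directly in the code: VerifyAt fails for an expired certificate and equally for a device whose clock is wrong, CheckRevocation needs nothing but the CRL bytes and the root (so revocation data can be carried into an isolated network by hand), and its NextUpdate check is the part that quietly stops working once a CRL is older than the maintenance window on a device that cannot fetch a new one.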
Is there an Alternative?
swIDch's One-Time Authentication Code (OTAC) technology offers several potential advantages over traditional PKI, particularly within the challenging landscape of Operational Technology (OT) environments. Here's a breakdown of key areas where OTAC can provide improvements:
- Reduced Complexity:
- PKI: Involves complex infrastructure, including CAs, RAs, CRLs, and HSMs. This complexity can be overwhelming for OT environments with limited resources and expertise.
- OTAC: Simplifies authentication by using dynamic, one-time codes, eliminating the need for complex certificate management. This reduces the infrastructure footprint and management overhead.
- Enhanced Suitability for Legacy Systems:
- PKI: Can strain legacy OT devices with limited processing power and memory due to complex cryptographic operations.
- OTAC: Requires minimal processing power, making it suitable for legacy systems and resource-constrained devices common in OT.
- Improved Real-Time Performance:
- PKI: Certificate chain validation and online revocation checks add latency to every session establishment, which can be unacceptable in time-sensitive OT processes.
- OTAC: Provides fast authentication with minimal latency, ensuring uninterrupted real-time operations.
- Enhanced Security in Offline Environments:
- PKI: Verifying a certificate's signature and validity period works offline, but learning whether it has been revoked does not: a CRL must be fetched or carried to the device, and OCSP needs a reachable responder. Both are problematic in air-gapped or isolated OT networks.
- OTAC: Can generate and validate codes offline, since both sides derive the code from a shared secret with no certificate chain or revocation data to fetch, making it suitable for environments with limited or no network connectivity.
- Simplified Patching and Updates:
- PKI: Certificate updates and revocations can be challenging in OT environments with infrequent maintenance cycles.
- OTAC: Eliminates the need for certificate management, simplifying updates and reducing vulnerability windows.
- Mitigation of Private Key Risks:
- PKI: The security of private keys is paramount, and their compromise can have severe consequences.
- OTAC: Replaces per-device private keys and certificates with a shared secret that is never transmitted, so a captured code is worthless after use. That secret is itself long-lived, however, so protecting the seed on the device and in the verifier's store remains the critical control.
Key Advantages of OTAC:
- Dynamic, one-time codes: Each code is valid once, so a captured code cannot be replayed.
- Offline functionality: Enables authentication in air-gapped or isolated environments.
- Simplified management: Reduces the complexity and overhead associated with PKI.
- Lightweight implementation: Suitable for resource-constrained OT devices.
In essence, OTAC offers a more streamlined and adaptable authentication solution for the unique challenges of OT environments, addressing many of the limitations associated with traditional PKI deployments.
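This page does not describe swIDch's OTAC algorithm, so the following is not OTAC. It is an added example of the generic building block that "symmetric cryptography, dynamic one-time codes" and "offline functionality" refer to: the HMAC-based one-time code of RFC 4226 (HOTP), with a device side that needs neither a network nor a clock and a verifier that rejects replays by tracking the counter. The seed is the RFC's published reference value, used here as constructed test data; the look-ahead window of 3 is an assumed policy.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Digits is the code length; six, as in the RFC 4226 reference vectors.
const Digits = 6

// HOTP computes the RFC 4226 code: HMAC-SHA-1 over the big-endian counter,
// dynamic truncation to a 31-bit integer, then reduction modulo 10^Digits.
func HOTP(secret []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := uint32(h[off]&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return bin % mod
}

// Token is the device side. It holds the shared seed and its own counter and
// needs neither a network nor a clock to produce the next code.
type Token struct {
	secret  []byte
	counter uint64
}

func NewToken(secret []byte) *Token { return &Token{secret: secret} }

// Next returns the current code and advances the counter.
func (t *Token) Next() uint32 {
	code := HOTP(t.secret, t.counter)
	t.counter++
	return code
}

// Verifier is the server side for one device. It holds the same seed (the
// long-lived secret this scheme still depends on) and the next counter it is
// willing to accept; window bounds how far ahead it searches for codes the
// device generated but never delivered.
type Verifier struct {
	secret []byte
	next   uint64
	window uint64
}

func NewVerifier(secret []byte, window uint64) *Verifier {
	return &Verifier{secret: secret, window: window}
}

// Accept validates one submitted code. On a match it moves next past the
// matched counter, so a captured code can never be replayed and any codes
// the device skipped are burned rather than left usable.
func (v *Verifier) Accept(code uint32) error {
	for i := uint64(0); i <= v.window; i++ {
		c := v.next + i
		if subtle.ConstantTimeEq(int32(HOTP(v.secret, c)), int32(code)) == 1 {
			v.next = c + 1
			return nil
		}
	}
	return errors.New("code rejected: invalid, replayed, or outside the look-ahead window")
}

func main() {
	// Constructed seed: the RFC 4226 reference value. A real seed is
	// provisioned per device and protected at both ends.
	seed := []byte("12345678901234567890")
	dev, srv := NewToken(seed), NewVerifier(seed, 3)
	first := dev.Next()
	fmt.Println("first code:", first, "| accepted:", srv.Accept(first))
	fmt.Println("replay of first code:", srv.Accept(first))
	dev.Next() // generated but never submitted, e.g. a dropped packet
	fmt.Println("next code after one skipped:", srv.Accept(dev.Next()))
}
```

Two things the prose above glosses over show up in the code. The verifier holds the same seed as the device, so the long-lived secret has not gone away; it has moved from a per-device private key to a per-device symmetric seed that both the token and the authentication server must protect, and the look-ahead window has to stay small or an attacker who captures a burst of codes gets a wider target. And the scheme authenticates only: there is nothing here to encrypt a session or sign a firmware image, which is why the comparison table lists a single core function for OTAC.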
PKI vs OTAC
| Feature | PKI (Public Key Infrastructure) | OTAC (One-Time Authentication Code) |
| --- | --- | --- |
| Core Functionality | Authentication, encryption, digital signing, trust establishment | Authentication |
| Infrastructure Complexity | High (CA, RA, CRL, OCSP, HSMs, etc.) | Low (code generation and validation) |
| Resource Requirements | High (processing power, memory) | Low (minimal processing power) |
| Real-Time Performance | Potential latency from certificate validation and revocation checks | Low latency, fast authentication |
| Offline Functionality | Partial (signature checks work offline; fresh CRL/OCSP revocation data needs a distribution path) | Strong (code generation and validation can be offline) |
| Legacy System Compatibility | Can strain legacy systems | Highly compatible with legacy systems |
| Certificate Management | Complex (issuance, renewal, revocation) | None required |
| Security Mechanism | Asymmetric cryptography | Symmetric cryptography, dynamic one-time codes |
| Scalability | Can be complex to scale | Highly scalable |
| Deployment Complexity | High, requires specialized expertise | Low, simpler implementation |
| Cost | High (infrastructure, personnel) | Lower (reduced infrastructure and management) |
| Use Cases in OT | Device identity, secure communication, software updates | Device and user authentication, access control, securing legacy systems, offline environments |
Choosing the Right Authentication for OT
Our exploration has revealed the inherent complexities of PKI, its robust capabilities, and the significant challenges it faces when deployed in Operational Technology (OT) environments. While PKI offers essential security functions like authentication, encryption, and digital signing, its infrastructure demands, legacy system incompatibilities, and real-time performance limitations pose considerable hurdles in OT.
Alternative authentication technologies, such as swIDch's OTAC, address many of PKI's shortcomings in OT. OTAC's simplified architecture, offline functionality, and reduced resource requirements offer a more streamlined and secure approach for protecting critical industrial systems.
As OT environments continue to evolve and face increasing cyber threats, a careful evaluation of authentication solutions, considering both PKI's established strengths and OTAC's innovative approach, is crucial for ensuring robust and resilient security.
--------------------
Author: Vinny Sagar, Solution Architect, swIDch
With over 15 years of experience in pre-sales, consulting, and software development in the Identity and Cyber Security space, Vinny has helped many clients across various industries and regions to design and deploy Zero Trust solutions that meet their specific needs and challenges.
--------------------
swIDch will continue its quest to innovate and pioneer next-generation authentication solutions. To stay up-to-date with the latest trends sign up to our newsletter and check out our latest solutions.