Read our latest whitepaper on the Pitfalls of Adapting Security Solutions for OT to learn about our experience with the challenges of IT/OT Convergence.
P3KI is similar to a mandate for accessing functionality of your devices and services.
Instead of managing accounts and keeping track of credentials, you carry personalized authorizations you present to the device or service to access individual functions.
P3KI is extremely powerful and flexible. Make sure to check out our showcase projects and scenarios further down to get a better idea of what we make possible.
For our customer BASF we've successfully built a proof of concept enabling the self-service provisioning of personalized Active Directory accounts for SCADA control systems across air-gaps.
The system enables employees and contractors to receive work orders and use these to create temporary accounts in the production network environment which is not connected to the office network or internet.
To formalize requirements and ensure interoperability, a special NAMUR working group, headed by BASF, has been established.
It's possible for contractors to self-manage which of their employees actually fulfills the work order, while maintaining identifiability and traceablility of the actual worker in accordance with regulations like ISO/IEC 63443 and Good Manufacturing Practice.
Key aspect of the system is the secure use of mobile phones to transport personalized permission proofs and worker identities.
The system is currently being expanded by a component to enable physical access control capabilites as well as the possibility to directly log into operator workstations natively without having to handle any credentials.
With our partners at the Maritime Connectivity Platform Consortium (MCP) we've been developing a trust system for the global shipping industry.
The system can be used to verify not just documents and interactions between ship and shore services but also enables the efficient authorization of aids-to-navigation messages (AtoN).
A key factor that makes P3KI especially suitable to the task is it's flexible policy language, enabling precise, location and context dependent permission models. This is relevant, because there is no single player or country in the global shipping industry trusted fully by everyone.
With P3KI it's possible to precicelsy limit what a party is trusted with (e.g., "I trust Denmark to handle everything within Danish waters and ports" and "I trust IALA to certify operators of AtoNs"). These precise expressions of trust can then be flexibly combined to allow verification in scenarios like "A bouy located in Danish waters is only allowed to send data falling within a known geo-fence area and needs to be operated by an IALA accredited entity."
With an undisclosed industry partner we're currently working on a system to securely and efficiently handle customer-centric device bootstrap and maintenance processes.
We are modeling both full and partial ownership handovers that ensure a wide range of customer requirements.
P3KI's flexible policy and delegation semantics allow our customer to build a system capable of seamlessly working with a wide range of requirements and different handling processes defined by their own customer base.
With P3KI our customer does not need to worry about how their customers structure their operations and work processes and neither do their customers have to adjust to a specific way of permissioning handling because it's entirely up to them.