You don't need accounts!

... if you have personalized permissions you carry and manage yourself

What's P3KI?

P3KI is similar to a mandate for accessing functionality of your devices and services.

Instead of managing accounts and keeping track of credentials, you carry personalized authorizations you present to the device or service to access individual functions.

The best parts:

  • You can delegate some or all of these permissions in a fully personalized fashion that complies with common regulations such as ISO/IEC 62443 and Good Manufacturing Practice.
  • Everything works fully offline and across air-gapped systems, resulting in unmatched system resiliency.

P3KI is extremely powerful and flexible. Make sure to check out our showcase projects and scenarios further down to get a better idea of what we make possible.

Key Benefits

  • Cost reduction
    by optimizing authorization and authentication processes using edge-managed workflows.
  • Easier risk-management
    based on a precise and auditable permission delegation model.
  • Quicker incident response & forensics
    based on traceable permission chains.
  • Improved business continuity
    through decentralization and offline capabilities.
  • Hardening of distributed systems
    based on end-to-end implementation of Zero Trust principles.

Showcase Projects and Scenarios

Cross-Airgap Self-Service Account Provisioning

Keywords: SCADA, ICS, air-gap, self-service accounts, login, physical access control

What we solve

For our customer BASF we've successfully built a proof of concept enabling the self-service provisioning of personalized Active Directory accounts for SCADA control systems across air-gaps.

The system enables employees and contractors to receive work orders and use these to create temporary accounts in the production network environment, which is not connected to the office network or the internet.

To formalize requirements and ensure interoperability, a special NAMUR working group, headed by BASF, has been established.

Why P3KI is the perfect fit

Contractors can self-manage which of their employees actually fulfills a work order, while the identifiability and traceability of the actual worker is maintained in accordance with regulations such as ISO/IEC 62443 and Good Manufacturing Practice.

A key aspect of the system is the secure use of mobile phones to transport personalized permission proofs and worker identities.

The system is currently being expanded with a component that enables physical access control as well as the ability to log into operator workstations natively without having to handle any credentials.


Global Trust System for Maritime Shipping

Keywords: maritime, shipping, global trust, aids-to-navigation (AtoN)

What we solve

With our partners at the Maritime Connectivity Platform Consortium (MCP) we've been developing a trust system for the global shipping industry.

The system can be used to verify not just documents and interactions between ship and shore services but also enables the efficient authorization of aids-to-navigation messages (AtoN).

Why P3KI is the perfect fit

A key factor that makes P3KI especially suitable for this task is its flexible policy language, which enables precise, location- and context-dependent permission models. This matters because no single player or country in the global shipping industry is fully trusted by everyone.

With P3KI it's possible to precisely limit what a party is trusted with (e.g., "I trust Denmark to handle everything within Danish waters and ports" and "I trust IALA to certify operators of AtoNs"). These precise expressions of trust can then be flexibly combined to allow verification in scenarios like "A buoy located in Danish waters is only allowed to send data falling within a known geo-fence area and needs to be operated by an IALA accredited entity."
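The combination of scoped trust statements described above, as an added illustration in Python that is not P3KI's own policy language or code: each delegation hop may only narrow the geographic scope of the grant it was derived from, and a buoy message is accepted only when both a geo-fenced "send" chain and an accreditation chain lead back to the verifier's own trust roots. All party names, actions and bounding boxes are constructed for the example.

```python
from dataclasses import dataclass
def bbox_within(inner, outer):
    """Boxes are (min_lat, min_lon, max_lat, max_lon), None = unrestricted; a delegate may only narrow."""
    if outer is None:
        return True
    if inner is None:
        return False
    return (outer[0] <= inner[0] and outer[1] <= inner[1]
            and inner[2] <= outer[2] and inner[3] <= outer[3])

def point_in(bbox, lat, lon):
    return bbox is None or (bbox[0] <= lat <= bbox[2] and bbox[1] <= lon <= bbox[3])

@dataclass(frozen=True)
class Grant:
    issuer: str   # who delegates
    subject: str  # who receives the (narrowed) permission
    action: str   # "send_aton" (position-bound) or "operate_aton" (accreditation)
    area: object  # geo-fence bounding box, or None

def find_chain(grants, root, subject, action, lat, lon, area=None, depth=4):
    """Chain root -> ... -> subject: same action, each hop only narrows area, last contains the point."""
    if depth == 0:
        return None
    for g in grants:
        if g.issuer != root or g.action != action or not bbox_within(g.area, area):
            continue  # wrong issuer/action, or an attempt to widen scope
        if g.subject == subject:
            if point_in(g.area, lat, lon):
                return [g]
            continue
        tail = find_chain(grants, g.subject, subject, action, lat, lon, g.area, depth - 1)
        if tail:
            return [g] + tail
    return None

def verify_aton_message(grants, root, operator, lat, lon):
    """Accept only with a geo-fenced send_aton chain covering the position AND an accreditation chain."""
    return (find_chain(grants, root, operator, "send_aton", lat, lon) is not None
            and find_chain(grants, root, operator, "operate_aton", lat, lon) is not None)

DANISH_WATERS = (54.5, 7.5, 58.0, 13.0)   # constructed, not real boundaries
HARBOUR_FENCE = (55.6, 12.5, 55.8, 12.7)  # constructed geo-fence for one buoy field
GRANTS = [
    Grant("verifier", "Denmark", "send_aton", DANISH_WATERS),  # "I trust Denmark in Danish waters"
    Grant("verifier", "IALA", "operate_aton", None),           # "I trust IALA to certify operators"
    Grant("Denmark", "OperatorA", "send_aton", HARBOUR_FENCE),
    Grant("Denmark", "OperatorB", "send_aton", (50.0, 0.0, 60.0, 20.0)),  # tries to widen scope
    Grant("IALA", "OperatorA", "operate_aton", None),
]
```

A message from OperatorA inside the harbour fence verifies; the same operator outside its fence, or OperatorB whose grant tries to exceed Denmark's own scope, is rejected without any online lookup.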


Field Device Bootstrap and Update Handling

Keywords: SCADA, ICS, embedded, field devices, update, configuration, management

What we solve

With an undisclosed industry partner we're currently working on a system to securely and efficiently handle customer-centric device bootstrap and maintenance processes.

We are modeling both full and partial ownership handovers that ensure a wide range of customer requirements.

Why P3KI is the perfect fit

P3KI's flexible policy and delegation semantics allow our customer to build a system capable of seamlessly working with a wide range of requirements and different handling processes defined by their own customer base.

With P3KI our customer does not need to worry about how their customers structure their operations and work processes, and their customers do not have to adjust to a specific way of permission handling, because that is entirely up to them.

Our Partners


Contributing Member