Case study · Cybersecurity · Industrial
Three-zone authentication for legacy industrial control systems
The brief
Sector: Industrial manufacturing. Regulatory context: IEC 62443, NIS2 preparation. Need: retrofit hardware-based authentication onto a brownfield industrial control system without replacing existing PLCs or disrupting production uptime.
Workstream decomposition
The engagement was split into three parallel workstreams:
- WS-1: Threat model and zone architecture. Map existing control zones, identify trust boundaries, and define a three-zone authentication model compatible with legacy serial/Modbus protocols.
- WS-2: PUF-based device identity. Design a physically unclonable function module that can be retrofitted onto existing controllers for per-device identity without firmware changes.
- WS-3: Compliance mapping. Map the proposed architecture against IEC 62443-3-3 and draft the compliance pathway for the client's certification body.
Method highlight
The central technical challenge was authenticating legacy devices that have no cryptographic capability. Our approach used a sidecar PUF module connected via the maintenance port, generating challenge-response pairs validated by a zone controller. The zone controller maintains a hash table of enrolled devices; any device that fails authentication is isolated at the network switch level within 200ms.
Decision under uncertainty: whether to use SRAM-PUF or arbiter-PUF. Tier-C academic literature favoured arbiter-PUF for this temperature range, but our Tier-A lab testing showed an unacceptable bit-error rate at operating temperatures above 75°C. We flagged this in the open-questions register and recommended SRAM-PUF with aging compensation — a decision the client accepted after reviewing both evidence rows.
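An added illustration of the zone-controller check described above (not the client deliverable or any product code): enrolled challenge-response pairs are held per device, each challenge is consumed on use so a captured response cannot be replayed, a noisy response is accepted within a bit-error budget rather than requiring exact equality, and a device that fails is marked for switch-level isolation. The device ids, the 64-bit response width, the 6-bit tolerance and the hash-based stand-in for the PUF are constructed assumptions; the isolation call is a placeholder.

```python
import hashlib

RESPONSE_BITS = 64
MAX_BIT_ERRORS = 6  # constructed tolerance; a deployment derives it from the measured bit-error rate


def hamming_distance(a: int, b: int) -> int:
    """Count differing bits between two responses; this is the noise-tolerance metric."""
    return bin(a ^ b).count("1")


def make_simulated_puf(device_secret: bytes):
    """Stand-in for the sidecar PUF module: a fixed per-device mapping plus optional bit flips
    that mimic SRAM-PUF noise. A real PUF stores no secret; this exists only for the demo."""
    def respond(challenge: int, flipped_bits=()) -> int:
        digest = hashlib.sha256(device_secret + challenge.to_bytes(8, "big")).digest()
        response = int.from_bytes(digest[:RESPONSE_BITS // 8], "big")
        for pos in flipped_bits:  # inject noise on the chosen bit positions
            response ^= 1 << pos
        return response
    return respond


class ZoneController:
    """Holds the enrolled CRP table for one zone and decides accept vs. isolate."""

    def __init__(self, max_bit_errors: int = MAX_BIT_ERRORS):
        self.max_bit_errors = max_bit_errors
        self.enrolled = {}     # device_id -> {challenge: reference_response} measured at enrolment
        self.isolated = set()  # devices the switch has been told to quarantine

    def enroll(self, device_id: str, crps: dict) -> None:
        self.enrolled[device_id] = dict(crps)

    def next_challenge(self, device_id: str):
        """Return an unused challenge, or None when the device needs re-enrolment."""
        crps = self.enrolled.get(device_id, {})
        return next(iter(crps), None)

    def authenticate(self, device_id: str, challenge: int, response: int) -> bool:
        # Each challenge is consumed on use so a captured response cannot be replayed.
        reference = self.enrolled.get(device_id, {}).pop(challenge, None)
        if (device_id in self.isolated or reference is None
                or hamming_distance(reference, response) > self.max_bit_errors):
            self.isolate(device_id)
            return False
        return True

    def isolate(self, device_id: str) -> None:
        """Placeholder for the switch-level quarantine action (port ACL or VLAN move)."""
        self.isolated.add(device_id)
```

Enrolment records the clean reference responses measured in the lab; at run time a response that drifts by a few bits still authenticates, while an unknown device, a replayed challenge or a response beyond the error budget triggers isolation.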
Deliverable shape
- Working prototype: 12-node testbed with three authentication zones
- Research dossier: 47 source rows, 38 high-confidence, 6 medium, 3 flagged
- Compliance mapping document for IEC 62443-3-3
- Whitepaper for the client's board and certification body
Outcomes
The client proceeded to production pilot with SRAM-PUF modules across two manufacturing lines. The certification body accepted the compliance mapping as the basis for formal assessment. The prototype's false-rejection rate in the production environment was 0.3%, within the target of <1%.