Assessment of operator authentication methods in industrial control systems

This paper considers the authentication of operators in instrumentation and control (I&C) systems for industrial facilities. The main emphasis is on such systems for critical facilities, on an example of nuclear power plants (NPPs). Authentication methods known for public information systems (password, token, and biometrics) are surveyed, and their applicability in typical operating conditions of an I&C operator is analyzed. The analysis includes experimental testing of password and biometric authentication methods and an expert assessment of their advantages and disadvantages for I&C systems. According to the testing results, all the methods under consideration have somewhat worse values of the false rejection rate (FRR) compared with the known characteristics from available sources. The best results are shown by biometric identification by the face oval. However, the percentage of FRR for this method is significant, which can affect the availability of the control function for a legitimate operator. As concluded, a promising approach for industrial control systems is to implement multi-factor authentication: token or password protection for blocking authentication jointly with biometric authentication by the face oval with a non-blocking security policy.