OTAC Solutions
OTAC Trusted Access Gateway (TAG)
A powerful, unidirectional dynamic authentication solution that allows operating enterprises to directly control endpoint access in real time, without requiring PLC manufacturer support or firmware modifications.
In Operational Technology (OT), a breach does not simply result in data leakage; it leads directly to equipment malfunction, production downtime, and critical safety risks. Therefore, OT security must begin not at the network 'perimeter', but at the 'endpoint' where human interaction takes place.
Without modifying legacy infrastructure or control devices, the OTAC Trusted Access Gateway (TAG) delivers robust authentication and access control at the final touchpoint before control commands reach the PLC.
Robust Authentication with Zero Impact on Operating Environments
Leveraging a one-time authentication code (OTAC) generated from a registered user device, this solution provides authentication fully optimised for OT environments.
-
-
-
-
-
-
-
-
-
-
-
Eradicating Fixed Credential Vulnerabilities: By removing reliance on static passwords—which can be reused if intercepted—the risks of hacking and credential stuffing are entirely eliminated.
-
-
-
-
-
-
-
-
-
-
Eliminating Bi-directional Network Dependency: User terminals can generate dynamic authentication codes independently, even when offline or disconnected from the network. Without requiring a continuous bi-directional connection between the terminal and the server, authentication is performed by transmitting the generated code to the system in a unidirectional manner.
-
Air-Gapped Network Optimisation: Operates securely even within national critical infrastructure where external internet connectivity is severed, as well as in completely isolated OT air-gapped environments.
-
%20OTAC%20Trusted%20Access%20Gateway%20(TAG)%20Flow.jpg?width=2000&height=1172&name=(EN)%20OTAC%20Trusted%20Access%20Gateway%20(TAG)%20Flow.jpg)
How It Works
The OTAC Trusted Access Gateway (TAG) is flexibly deployed in front of endpoints without changing the configuration of legacy equipment, ensuring secure access control.
-
-
-
-
-
-
-
-
-
-
-
- Gateway Deployment: Positioned in an inline structure between the Client Agent and the OT endpoint requiring authentication.
-
-
-
-
-
-
-
-
- Authentication Request: Upon executing an engineering application, the Client Agent requests Multi-Factor Authentication (MFA) via the user's registered device.
-
OTAC Generation: The user generates and enters a one-time, unidirectional dynamic authentication code (OTAC) from a registered personal medium, such as a smartphone app or smartcard.
-
Verification & Access Granted: The Gateway instantly verifies the entered OTAC and grants access only when the user is confirmed as authorised.
-
-
%20OTAC%20Trusted%20Access%20Gateway%20(TAG)%20Architecture.jpg?width=2000&height=1172&name=(EN)%20OTAC%20Trusted%20Access%20Gateway%20(TAG)%20Architecture.jpg)
To implement a secure, endpoint-based authentication flow, the OTAC Trusted Access Gateway (TAG) organically integrates and operates with the following five components:
-
-
-
-
-
-
-
-
-
-
-
- OTAC Authenticator: A dedicated medium, such as a mobile app or smartcard, that identifies the user and generates the dynamic authentication code (OTAC).
- Client Agent: A client program installed on the user’s PC or workstation that displays a login pop-up and initiates the authentication process when engineering software is launched.
-
-
-
-
-
-
-
-
-
OTAC Gateway: Situated at the access point of the OT system to control (allow/block) user access in real time based on security policies.
-
OTAC Server: Authenticates the user by verifying the received OTAC, whilst managing overall security policies and collecting audit logs.
- Admin Portal: An integrated management web interface providing functionalities such as user and authentication media management, security policy configuration, and access log monitoring.
-
-
Expected Benenfits
The OTAC Trusted Access Gateway (TAG) seamlessly applies to existing OT environments without complex system modifications, delivering true Zero Trust.
-
-
-
-
-
-
-
-
-
-
-
- No Modifications to Legacy PLCs and Infrastructure Required: A security layer can be added independently without replacing PLC equipment or requiring firmware modification support from manufacturers, drastically reducing deployment costs.
- No Modifications to Legacy PLCs and Infrastructure Required: A security layer can be added independently without replacing PLC equipment or requiring firmware modification support from manufacturers, drastically reducing deployment costs.
-
-
-
-
-
-
-
-
- Endpoint-Based Access Protection: Identifies and controls users when accessing critical OT equipment—including PLCs, HMIs, RTUs, and DCSs—protecting vital assets from unauthorised operation.
-
Centralised Integrated Management: Enhances operational efficiency by centrally managing distributed user authentication, access rights authorisation, and authentication exception policies (whitelists/blacklists).
-
Unidirectional-Based Dynamic Authentication: Supports robust access control by utilising OTACs that are newly generated each time, making them impossible to intercept or share, unlike static passwords.
- User-Based Audit Logs: Unlike conventional methods where user distinction was impossible, this provides audit logs containing clear user identification details and authentication histories, showing exactly who accessed which equipment.
-
-
Case Studies
Global Leading Energy Solutions Enterprise
By introducing the OTAC Gateway in a 1:1 inline structure at every local and remote access point of major control equipment, the enterprise established a secure PLC asset protection system that fundamentally blocks unauthorised access.
%20Global%20energy%20solutions%20manufacturer.jpg?width=1250&height=1250&name=(EN)%20Global%20energy%20solutions%20manufacturer.jpg)
① 1:1 Inline Deployment: Perfectly controls the access path physically by mapping a gateway directly to each individual endpoint device (1:1 ratio).
② Blacklist Policy Application: Demands robust user authentication selectively only for core equipment registered in the integrated Admin Portal.
③ User Privilege Management: Finely separates and controls access privileges to endpoint equipment based on external maintenance personnel or internal operators.
National Water Treatment Facility
Tailored to an infrastructure environment consisting of a headquarters and multiple remote operating sites, 1:1 and 1:N control structures were flexibly applied. A highly stable integrated access control environment was successfully realised through a redundant configuration for non-disruptive system operations.
%20National%20water%20treatment%20infrastructure%201_N.jpg?width=1250&height=1250&name=(EN)%20National%20water%20treatment%20infrastructure%201_N.jpg)
%20National%20water%20treatment%20infrastructure%201_1.jpg?width=1250&height=1250&name=(EN)%20National%20water%20treatment%20infrastructure%201_1.jpg)
① Local & Remote Access Path Configuration: Configured routing so that access is granted through the OTAC Gateway at each local and remote access authentication point.
② Gateway Redundancy: Applied an OTAC Gateway redundant configuration to guarantee non-disruptive system operations and a highly stable operating environment.
③ Blacklist Policy Application: Applied a policy to mandate user authentication only for endpoint devices registered in the integrated Admin Portal.
④ Tailored Access Control: Controlled user access based on 1:N or 1:1 models aligned with the site's legacy infrastructure configurations.
Global Regulatory Compliance-Ready

■ IEC 62443: Directly supports compliance with FR1 (Identification and Authentication Control) and FR2 (Use Control) requirements, which form the core of the global Industrial Automation and Control Systems (IACS) standard.
■ NERC CIP: Restricts unnecessary remote access and completely controls unauthorised access to ensure compliance with North American critical infrastructure protection standards for power grids.
■ NIS2: Enables compliance with the European Union's strengthened cybersecurity directive regarding the introduction of Multi-Factor Authentication (MFA) and secure remote access control obligations.
■ Cyber Resilience Act (CRA): Applies control mechanisms to block unauthorised access in line with the EU digital product security act, providing access history and monitoring data for internal activities.
By delivering the most definitive endpoint authentication without requiring network connectivity or firmware modifications, we support the implementation of a genuine Zero Trust-based security architecture demanded by industrial control environments.
OTAC Algorithm Analysis and Academic Verification

New Excellent Technology (NET) Certification Acquired

SSenStone has received the NET Certification from the Ministry of Trade, Industry, and Energy for its "Individual IoT Device Authentication and Transmission Data Security Technology through Unidirectional Dynamic Authentication (OTAC)."
International Common Criteria (CC) Certification Achieved
.png?width=150&height=150&name=%EA%B5%AD%EC%A0%9CCC%EC%9D%B8%EC%A6%9D_%EC%97%A0%EB%B8%94%EB%9F%BC%20(png).png)
OTACTokenV1.0, the authentication solution based on the world’s first unidirectional dynamic authentication technology, OTAC, has earned the international Common Criteria (CC) certification. For more information, please refer to the press release.
OTAC for Phygital Wins IR52 Jang Yeong-sil Award

SSenStone's OTAC for Phygital has been awarded the 40th-week IR52 Jang Yeong-sil Award for 2024, hosted by the Ministry of Science and ICT. For more details, please visit the official IR52 Jang Yeong-sil Award homepage or the press release.
Insights
Contact Us
make your service reliable with SSenStone!
Inquire now.
5F, 329, Cheonho-daero Dongdaemun-gu, Seoul, Republic of Korea (02622)
Contact below if you have an urgent inquiry.
Korea Office (SSenStone)
5F, 329, Cheonho-daero Dongdaemun-gu, Seoul, Republic of Korea (02622)
Tel : 02-569-9668 | Fax : 02-6455-9668
im@ssenstone.com
UK Office (swIDch)
Floor 1, 3 More London SE1 2RE, United Kingdom
Tel : 020-3283-4563
info@swidch.com