VeroGuard Systems
51 results found with an empty search
News (37)
- Cyber Threats to Critical Infrastructure: A Global Wake-Up Call
After hackers linked to China reportedly gained access to the IT networks of hundreds of small and medium-sized water and power utilities in the U.S., alarm bells are ringing for utilities and critical infrastructure (CI) operations across the world. In an attack that some observers suggest is pre-positioning for sabotage of water and power supplies should the U.S. look to intervene in any potential conflict with Taiwan, China has demonstrated the inherent weaknesses in operational technology (OT) systems that many have been calling out for the last decade.

The Ongoing Volt Typhoon Case
This type of threat is something that CISA (the U.S. Government’s Cybersecurity and Infrastructure Security Agency) first warned about over two years ago, after tactics, techniques, and procedures (TTPs) linked to the Chinese hacking group ‘Volt Typhoon’ were detected affecting networks across U.S. critical infrastructure, which led to a warning being issued to CI operators about the potential threat.

The Real-World Impact of Infrastructure Attacks
The consequences of a successful attack on CI can be severe – for example, a hospital without water supply would be forced to evacuate within hours. A shutdown in electricity generation could affect entire cities, bring transport to a halt and disrupt manufacturing facilities. Even when not directly targeting CI, cyberattacks can have far-reaching effects. We don’t need to look far to see how far a single intrusion can reach when industrial systems are subjected to a cyberattack: the recent Jaguar Land Rover (JLR) hack forced the complete shutdown of production lines globally and reportedly affected over 5,000 related organisations. This incident is being described as the most expensive cyberattack ever in the UK, with estimated economic losses of £1.9 billion (US$2.55 billion), and JLR losing £50 million per week from the shutdown.
Costs to business are one measure, but the cost to society could be far greater given the potential turmoil a successful attack on a city’s infrastructure could generate. It is no surprise, then, that government cyber agencies would issue directives such as CISA 23-02, which required all US Gov Agencies to immediately implement controls to block access to web interfaces on appliances. While important, these seemingly small changes have wide-ranging impacts on the operational actions and running costs of utility companies.

Persistent Vulnerabilities in Utility Networks
According to Dark Reading’s review of attacks on US water utility companies, there remain significant issues with network and system security, such as:
  - Inadequate identity and access controls for devices and users.
  - Poor segmentation of IT/OT networks.
  - Legacy OT equipment, often with weak authentication (some reportedly still using default credentials) and remote connectivity.
  - Under-resourced utilities: little staffing, small budgets, less mature cyber practices.
  - Insufficient monitoring and incident detection in OT/ICS domains.
  - Default credentials / insecure configurations of ICS/SCADA devices.
While PLC vendors are increasingly building security features into their devices, the vast majority of operations don't typically run this next-generation gear.

Strategic Priorities for CI Operators
To mitigate risk, CI operators should prioritise:
  - Strong identity & device authentication across both IT and OT domains.
  - Network and device segmentation, especially isolating OT from general IT.
  - Reducing attack surfaces by disabling insecure remote access, default credentials, open ports.
  - Continuous monitoring for unusual activity or lateral movement within networks.

The Role of VeroGuard in Securing CI
The VeroGuard Platform offers a scalable and effective solution for protecting access to systems and technology assets.
Role of VeroGuard / VeroMod
  - Hardware-based identity for OT devices: VeroMod reduces the risk of rogue devices and lateral exploitation.
  - User identity verification: VeroCard ensures secure authentication for personnel.
  - Virtual air gap and segmentation: VeroMod allows OT devices to communicate only with authorised endpoints, maintaining isolation while enabling remote access.
  - Legacy infrastructure protection: Utilities can retrofit VeroMod onto existing OT systems, enhancing security without costly replacements.
  - Scalable for resource-constrained utilities: The platform reduces reliance on large in-house cyber teams, addressing the “target rich but cyber poor” challenge.

VeroGuard offers the next generation of platform that secures connected systems, machines and data. The VeroGuard Platform ELIMINATES credential and identity compromise on open networks to act as the foundation of any zero-trust deployment. With our ecosystem partners VeroGuard’s modern end-to-end ICAM solution provides Next Generation MFA^ and advanced Attribute Based Access Control (ABAC) for powerful granular access management to systems and assets. Any critical infrastructure operator migrating to the Cloud, connecting OT and IT networks, wanting to exploit open networks for machine communications, or looking to secure their supply chain should assess the VeroGuard Platform.

^Next Generation MFA: Secure hardware bound cryptographic authenticator (NIST AAL3) with identity verification. Phish-resistant, Tamper-resistant, Verifier impersonation-resistant, Compromise-resistant.
- The Spring Onion Hack: Why Your PC’s Security Might Be a Joke.
In a bizarre twist that sounds more like satire than cybersecurity research, it was recently demonstrated that a spring onion (yes, the vegetable!) could be used to bypass security on Dell devices by exploiting firmware vulnerabilities. This isn’t just a quirky headline – it’s a serious wake-up call for anyone relying on built-in device security like TPMs or biometrics.

What Happened?
The vulnerability, as reported by Computer Weekly, involves flaws in Dell’s firmware that could allow an attacker to bypass secure boot mechanisms. The researchers showed that even with a Trusted Platform Module (TPM) present, the system could be compromised using physical access and “clever manipulation” – like using a vegetable to trigger capacitive sensors – highlighting how superficial some security implementations can be.

The Problem: Trusting the Wrong Hardware
The Dell vulnerability highlights that fundamental flaws in modern device security can occur: even when a PC has a secure element like a TPM, it’s not truly secure if the firmware can be tampered with. In general, these devices lack tamper-resistance, meaning attackers can gain physical access to probe secure circuits and manipulate them to reveal their secrets.

And then there’s biometrics. The “Spring Onion Hack” shows how biometric authentication can be spoofed or bypassed. Once considered cutting-edge, biometrics are now continually proving to be inherently insecure when used as the sole method of authentication.

The Limitations of TPM and Biometrics
TPM: Not a Silver Bullet
  - TPMs are embedded in general-purpose devices and rely on firmware integrity.
  - If the firmware is compromised, the TPM can be rendered ineffective.
  - TPMs lack physical tamper resistance in most consumer devices.
Biometrics: Convenient but Insecure
  - Biometric data is not secret.
  - Can be spoofed and bypassed.
  - The “Spring Onion Hack” shows how easily sensors can be tricked.
The VeroGuard Solution: Security by Design
At VeroGuard, we believe security should be purpose-built, not patched together from consumer-grade components. Here’s how our solution addresses the issues exposed by the Dell incident:

Purpose-Built Hardware Authenticator
VeroGuard uses a dedicated hardware authenticator that is designed from the ground up for secure identity verification. The VeroCard is dedicated solely to identity-based functions. It has no physical ports for external connections and cannot be remotely activated, ensuring it remains isolated and secure from unauthorised access.

Tamper Resistance Is Non-Negotiable
Security that can be physically bypassed isn’t security at all. VeroGuard’s authenticator is engineered with true tamper resistance and certified to payment industry specifications, ensuring that even if an attacker has physical access, they can’t compromise the device or the credentials it protects.

No Biometrics, No Guesswork
We don’t rely on biometrics. Why? Because 1) they’re not secret, and 2) they’re probabilistic and not deterministic. Biometric authentication systems are intentionally designed to tolerate slight variations in input, because no two biometric scans – even from the same person – are ever exactly identical. Ironically, a 100% match is often treated as suspicious, since it may indicate a replay attack using a previously captured biometric sample. VeroGuard uses cryptographic keys stored in secure hardware.

Out-of-Band Authentication
Most importantly, VeroGuard’s authentication process occurs outside the target device. This out-of-band approach means that even if the PC or phone is compromised, the authentication remains secure. The device never sees your credentials, making phishing and malware attacks highly ineffective.

Final Thoughts: Don’t Let Your Security Be a Joke
The spring onion hack is amusing – until you realise it could happen to your business.
It’s time to stop trusting consumer-grade security and start demanding real protection. VeroGuard offers a solution that is not just secure in theory, but secure by design.
  - Dedicated hardware designed specifically for secure identity verification.
  - Purpose built for authentication – NOT general-purpose use.
  - Out of Band – Authentication occurs outside the target device.
  - Hardware Security Modules – Credentials are never exposed to the device, reducing phishing and malware risks.
  - Engineered with true tamper-resistance – keys are wiped if tamper is detected.
- Was that a Passkey Breach?
No, but could this be a sign of what's ahead?

Researchers recently reported encountering a phishing attack in the wild that bypasses multifactor authentication using passkeys, the industry-wide standard being adopted by thousands of sites and enterprises. Further review of the attack path has shown that the bad actor did not bypass the passkey authentication but was successful in using a downgrade path to achieve their goal of accessing the user’s account. While this review emphasises that passkeys remain a strong and secure method for MFA, it also highlights that not all authenticator types should be considered equal, and that software-bound credentials and implementations (in this case the implementation of the passkey authentication standard) should never be completely trusted.

TL;DR
While smartphone-based passkeys improve user convenience, they compromise FIDO2’s foundational hardware-bound security model. In high-risk environments, only dedicated hardware authenticators like VeroCard can maintain cryptographic integrity, attestation trust, and robust phishing resistance.

What Happened in the Recent "Downgrade" Phishing Attack Using FIDO2 Cross-Device Sign-In?
In a recent report (mid‑2025), researchers at Expel observed a real-world phishing campaign by the group known as PoisonSeed, which exploited the cross-device sign-in feature in a clever adversary-in-the-middle attack:
  - Victims received a phishing email directing them to a counterfeit enterprise login portal.
  - After entering credentials, the phishing site relayed them in real-time to the legitimate site and triggered a cross-device sign-in request.
  - The legitimate site generated a QR code for authentication, which the phishing page immediately captured and displayed.
  - When the victim scanned the QR code with their phone, they unknowingly authenticated the attacker to the legitimate site.
While this manoeuvre downgrades FIDO2 authentication to a weaker flow and is not a breach of the FIDO2 protocol, it uses the weakness of the downgraded process, facilitated by a smartphone-based passkey, to obfuscate reality from the victim.

Why Using a Smartphone as a FIDO2 Authenticator Is Insecure
Using a smartphone as a FIDO2 authenticator introduces fundamental security trade-offs that break key FIDO2 security assumptions, fracture passkey provenance and can enable bad actors to run a downgrade attack on passkey authentication. Passkeys created and stored on smartphones provide a convenience-security compromise that may be acceptable for consumers, but remains unsuitable for enterprise, critical infrastructure, or regulated environments. For these use cases, dedicated hardware authenticators like a VeroCard are the only way to maintain the original security promise of FIDO2.

Breaking FIDO2’s Original Core Security Premise
FIDO2 was designed with the principle that the private keys never left the security of the hardware authenticator. Driven by the consumer desire for convenience, the FIDO2 specification was revised to allow synchronisation of passkeys across cloud ecosystems so that users could easily access systems and sites using a single passkey. When users sync passkeys across devices using cloud services (like iCloud Keychain or Google Password Manager), the baseline security of passkeys is violated:
  - The private credential is copied to multiple devices.
  - Security of passkeys is now dependent on cloud account protections, not local hardware.
  - If a cloud account is compromised, all passkeys are accessible remotely.
  - In some environments users can share passkeys with others – fracturing any assertion of passkey attestation.
This turns a local, hardware-bound credential into a cloud-distributed secret, significantly weakening the trust model.
How VeroCard Solves These Issues
VeroCard restores the original FIDO2 security promise by:

Hardware-Enforced Isolation
  - Private keys remain protected in hardware at all times.
  - Each key is device-bound and tied to the physical VeroCard hardware.
No Cloud Syncing
  - Eliminates risks from iCloud, Google account, or password manager compromise.
  - No cross-device duplication or migration of credentials.
Downgraded flows are not allowed:
  - VeroCard does not allow the use of QR code downgrades.
  - A single user gesture, PIN entry, and subsequent passkey login provide a full MFA without the need for any other factors.

VeroGuard further enhances security by:

Requiring User Verification
  - VeroCard enforces user presence through PIN verification for every login.
  - PIN verification is completed by the VeroGuard Platform prior to allowing the passkey to be used.
  - Requires explicit user interaction resulting in identity verification and impersonation resistance.
Origin Binding Enforced in Platform
  - VeroGuard verifies the relying party (domain) has been permitted for the user, and ensures credentials are domain-specific.
Centrally managing VeroCards:
  - Tracking and managing devices
  - Block use of and remove credentials
  - Block VeroCard if lost
Offering certified end to end process
  - Common Criteria
  - PCI-PTS

Summary

| Risk Area | Smartphone Passkeys | VeroCard |
|---|---|---|
| Private key leaves device | ❌ Yes (via cloud sync) | ✅ No |
| Cloud account attack risk | ❌ High | ✅ None |
| Cross-device phishing exposure | ❌ Possible | ✅ Prevented |
| True hardware-based isolation | ❌ Weak | ✅ Strong |
| Enterprise-grade assurance | ❌ Lacks | ✅ Delivers |
| Verified user presence | ❌ Optional or implicit | ✅ Required (and verified) every time |
| Phishing/AiTM resistance | ⚠️ Can be bypassed with cross-device flows | ✅ Guaranteed |
| Hardware certification & standards | ⚠️ Some component level | ✅ EAL2+/PCI-PTS |

VeroGuard is Common Criteria EAL 2+ certified and VeroCard also holds PCI-PTS certification (standards for PIN security), along with FIDO2.
Other Pages (14)
- About Us
Profiles of the key members of the VeroGuard Team

Nic Nuske, CTO
Nic is a highly experienced executive with over 30 years of experience in the fields of IT, logistics and identity. He has led one of IBM’s global divisions in the role of Vice President for Growth Markets, as well as holding several other key roles over a 25 year career with IBM. These include Vice President Global Financing for Asia Pacific and Managing Director on one of IBM’s largest global accounts – Telstra. Nic has served on a number of IT committees and was Chair of the Australian Information Industry Association for Western Australia.

Iain Moore, CFO
Iain has 20 years of experience in business planning, execution of strategy and business growth for large and complex organisations, as well as customer experience improvement programs and cost base transformation. His extensive career includes senior commercial and financial leadership roles working for Global IT firm EDS, Telstra Mid-Market, Small Business & Telstra Country Wide and in FMCG. He holds a CPA and is Company Director accredited (GAICD).

Duncan Savage, Enterprise Architect
Duncan has broad industry experience, having worked in technology, identity and payments projects across the private and public sectors. Prior to joining VeroGuard as the key technical customer interface, Duncan’s experience included 3 years managing the Victorian transport ticketing system (myki) and 7 years in transactional banking at Westpac. Duncan holds a B.Eng (Hons) and Diploma of Project Management.

Brett Heaven, Manufacturing Plant Manager
Brett has been employed in the manufacturing sector since 1995, 10 years working for a tier 2 automotive supplier, followed by 13 years employed by a Japanese tier 1 automotive component supplier to Holden and Toyota. Employed at VeroGuard since January 2018 setting up manufacturing processes and facilities.
David Walker, General Counsel
David is a leading Australian corporate lawyer with extensive experience across a wide range of projects and transactions. Over the course of a 30 year career, he has developed a comprehensive knowledge of corporate law as it pertains to any number of industries. He has held key positions at several pre-eminent firms, including Partner at Allion Partners, Sydney. He has also served as National Head of Corporate at Holding Redlich, amongst other appointments. David is a specialist at mergers & acquisitions, capital management, project structuring and transaction management.

Rod Tasker, R&D Manager
Rod has a successful track record in defining, designing and driving profitable product innovation and business change based on an in-depth appreciation of business and technology. Rod’s achievements include the delivery of strategic plans for banking business units, developing an enterprise Sales and Service architecture, leading the development of a global internet payment service, and developing a variety of e-Banking and e-Payment products. Rod holds a BA, BSc, Grad Dip Banking & Finance and GAICD.

Other Executives

Roseanne Healy, Chairman and Non-Executive Director
Roseanne has over 20 years experience in strategic advisory and investment banking. She has also held CEO, executive and advisory positions in public, private and equity backed organisations. Roseanne is an accomplished Director and Board Chair and is currently a non-executive director with a number of organisations, including the Murray Darling Basin Commission. Roseanne holds a Bachelor of Economics/Arts; and a Master of Business Research (Commerce) and MBA from the University of Adelaide. She also holds a Bachelor of Laws at the University of Adelaide and is a graduate of the AICD (International).
- People | VeroGuard Systems
Amongst the most pressing concerns currently holding back the effective implementation of a digital economy is that of delivering a secure digital identity.

For Government
A unified, universal digital identity platform for Government departments accelerates the ability to bring services online for citizens, secures data and improves administrative procedures.

For Corporate
Industry leading ID management solutions, secure remote login options for staff and the ability to store your organisation’s data assets with confidence. A single, unified system to achieve all this and more.

Citizen ID
The transition to a digital economy requires a trusted, efficient and unified secure method for accessing government services. A VeroGuard Citizen ID seamlessly connects citizens to government services and stops access by impostors to provide trust between citizens and Government. Our platform not only switches between government and corporate applications, but is designed to certify into existing financial networks to utilise existing schemes and settlements at cardholder present level online. It automatically complies with banking identity frameworks and existing retail payment terminals. Citizen ID allows for easy and ultra-secure access to online services for any level of government. It is a universal solution that enables secure online proof of age, online voting, E-health data, E-Prescriptions, digital public transport wallets, event ticketing and so much more.
For more information: VeroGuard Citizen ID

Business ID
Protect your supply chain with the best available security and discover the absolute surety of non-repudiable verification. VeroGuard Business ID is a unified and indisputable solution for verifying the source of all interactions between organisations in your supply chain.
In addition to identity management, the solution provides unmatched protection for documents and data, reduces cycle times and prevents the need for data re-entry. It's a universal ID layer for any existing platform that enables a single user account with authentication to access any authorised system. A VeroGuard Business ID provides indisputable, non-repudiable proof of identity for all digital communications and transactions. Our solution verifies every interaction between businesses, as well as those between business and government. VeroGuard stops unauthorised access to systems and data.
For more information: VeroGuard Business ID

Employee ID
Deliver unmatched identity and access management with black-box to black-box level security for communications and data across a single network for organisations and their eco-systems. A VeroGuard employee ID is a unique digital ID allowing for anchored identification, single sign-on, multi-purpose access and verification unified at the user with interoperability across in-house, cloud and hybrid environments. It enables simple, ultra-secure messaging and verifiable identity across the internet, interoperable and compatible with most applications and operating systems. A VeroGuard employee ID replaces ID cards, e-wallets, proximity cards for building access, credit and debit cards, tokens, loyalty cards, licences, e-signatures and more. It’s the only solution that provides indisputable, non-repudiable verification for absolute digital protection.
For more information: VeroGuard Employee ID

Unified, Universal Digital Identity for People
Current identity systems are based on face-to-face interactions, and on physical documents and processes.
In a world that is ever more governed by digital transactions and data, existing methods for managing security and privacy are not adequate. The number of identity dependent transactions is growing through increased use of digital channels, and the complexity of these transactions is increasing just as rapidly. Customers have come to expect seamless delivery of services across all platforms and regulators are demanding more transparency around every transaction. Meanwhile, cyber criminals are using more sophisticated technology and tools to conduct their illicit activity. This issue affects every segment of the economy, from government to corporate and even the private citizen. Discover why indisputable, non-repudiable verification of identity is critical to any response against this threat.
- VeroCard | VeroGuard Systems
VeroCard: Personal HSM for verified online identity. Certified, phish-resistant MFA, multi-protocol support, unified and universal digital identity.

VeroCard
The VeroCard is an ultra-secure (in-built HSM), unified, universal and portable digital identity that fits in your wallet. It pairs seamlessly with your devices via Bluetooth or NFC and delivers bank-to-bank grade security with hardware encrypted connections. VeroCard can be used anywhere, anytime.

Genuine Black Box Security Online
VeroCard is so much more than just another digital wallet; it is also a fully functional EFTPOS terminal roughly the size and shape of a credit card. Designed to comply with industry certification for card present payments (PCI PTS), it offers the same level of protection as a bank transaction during online use – the first and only product of its kind. VeroCard is also protected against all forms of physical tampering and there is no need for concern if the card is lost or stolen because VeroCard stores no accessible data and can be remotely disabled.

Absolute Personal Identity Protection
VeroCard is your personal digital identity. A universal, unified card that enables non-repudiable authentication online for the very first time. It connects to the VeroGuard network to provide absolute protection of your identity in online transactions, communications or when accessing almost any system, as well as enabling superior privacy control. VeroCard is also the perfect tool for convenient management of digital identity access. It acts as a secure point of entry to provide non-repudiable access to websites, applications, cloud storage, physical access, SCADA, payment and many other systems through our secure platform, with real-time authentication utilising hardware encryption to make it the best protection for guaranteeing online identity ever created.



