After hackers linked to China reportedly gained access to the IT networks  of hundreds of small and medium-sized water and power utilities in the U.S, alarm bells are ringing for utilities and critical infrastructure (CI) operations across the world. In an attack that some observers suggest is pre-positioning for sabotage of water and power supplies should the U.S. look to intervene in any potential conflict with Taiwan, China has demonstrated the inherent weaknesses in operational technology (OT) systems that many have been calling out for the last decade. The Ongoing Volt Typhoon Case This type of threat is something that CISA (the U.S. Government’s Cybersecurity and Infrastructure Security Agency) first warned about over two years ago after detecting the tactics, techniques, and procedures (TTPs) linked to the Chinese hacking group ‘Volt Typhoon' were discovered affecting networks across U.S. critical infrastructure, which led to the warning being issued to CI operators of the potential threat. The Real-World Impact of Infrastructure Attacks The consequences of a successful attack on CI can be severe – for example, a hospital without water supply would be forced to evacuate within hours. A shut down in electricity generation could affect entire cities, bring transport to a halt and disrupt manufacturing facilities. Even when not directly targeting CI, cyberattacks can have far reaching effects. We don’t need to look far to see how a single intrusion can reach when industrial systems are subjected to a cyberattack. The recent Jaguar Land Rover (JLR) hack which forced the complete shutdown of production lines globally and reportedly affected over 5,000  related organisations. This incident is being described as the most expensive cyberattack ever in the UK with estimated economic losses of £1.9 billion (US$2.55 billion), and JLR losing £50 million per week from the shutdown. Costs to business are one measure, but the cost to society could be far greater given the potential turmoil a successful attack on a city’s infrastructure could generate. It is no surprise then, that government cyber agencies would issue directives such as CISA 23-02 which required all US Gov Agencies to immediately implement controls to block access to web interfaces on appliances – but while important these seemingly small changes have wide ranging impacts to operational actions and costs of running utility companies. Persistent Vulnerabilities in Utility Networks According to Dark Reading ’s review of attacks on US water utility companies there remains significant issues with network and system security such as: Inadequate identity and access controls for devices and users. Poor segmentation of IT/OT networks. Legacy OT equipment, often with weak authentication (some reportedly still using default credentials) and remote connectivity. Under-resourced utilities: little staffing, small budgets, less mature cyber practices. Insufficient monitoring and incident detection in OT/ICS domains. Default credentials / insecure configurations of ICS/SCADA devices. While PLC vendors are increasingly building security features  into their devices, the vast majority of operations don't typically run this next-generation gear. Strategic Priorities for CI Operators To mitigate risk, CI operators should prioritise: Strong identity & device authentication  across both IT and OT domains. Network and device segmentation , especially isolating OT from general IT. Reducing attack surfaces by disabling insecure remote access, default credentials, open ports. Continuous Monitoring  for unusual activity or lateral movement within networks.   The Role of VeroGuard in Securing CI The VeroGuard Platform offers a scalable and effective solution for protecting access to systems and technology assets. Role of VeroGuard / VeroMod Hardware-based identity for OT devices : VeroMod reduces the risk of rogue devices and lateral exploitation. User identity verification : VeroCard ensures secure authentication for personnel. Virtual air gap and segmentation : VeroMod allows OT devices to communicate only with authorised endpoints, maintaining isolation while enabling remote access. Legacy infrastructure protection : Utilities can retrofit VeroMod onto existing OT systems, enhancing security without costly replacements. Scalable for resource-constrained utilities : The platform reduces reliance on large in-house cyber teams, addressing the “target rich but cyber poor” challenge.   VeroGuard offers the next generation of platform that secures connected systems, machines and data. The VeroGuard Platform ELIMINATES credential and identity compromise on open networks to act as the foundation of any zero-trust deployment. With our ecosystem partners VeroGuard’s modern end-to-end ICAM solution provides Next Generation MFA^ and advanced Attribute Based Access Control (ABAC) for powerful granular access management to systems and assets. Any critical infrastructure operator migrating to the Cloud, connecting OT and IT networks, wanting to exploit open networks for machine communications, or looking to secure their supply chain should assess the VeroGuard Platform. ^Next Generation MFA:  Secure hardware bound cryptographic authenticator ( NIST AAL3 ) with identity verification . Phish-resistant, Tamper-resistant, Verifier impersonation-resistant, Compromise-resistant.

In a bizarre twist that sounds more like satire than cybersecurity research, it was recently demonstrated that a spring onion  (yes the vegetable!) could be used to bypass security on Dell devices by exploiting firmware vulnerabilities. This isn’t just a quirky headline – it’s a serious wake-up call for anyone relying on built-in device security like TPMs or biometrics. What Happened? The vulnerability, as reported by Computer Weekly,  involves flaws in Dell’s firmware that could allow an attacker to bypass secure boot mechanisms. The researchers showed that even with a Trusted Platform Module (TPM) present, the system could be compromised using physical access and “clever manipulation” - like using a vegetable to trigger capacitive sensors  – highlighting how superficial some security implementations can be. The Problem: Trusting the Wrong Hardware The Dell vulnerability highlights that fundamental flaws in modern device security can occur even when a PC has a secure element like a TPM, it’s not truly secure if the firmware can be tampered with. In general, these devices lack tamper-resistance, meaning attackers can gain physical access to probe secure circuits and manipulate them to reveal their secrets. And then there’s biometrics. The “Spring Onion Hack” shows how biometric authentication can be spoofed or bypassed. Once considered cutting-edge, biometrics are now continually proving to be inherently insecure when used as the sole method of authentication. The Limitations of TPM and Biometrics TPM: Not a Silver Bullet TPMs are embedded in general-purpose devices and rely on firmware integrity. If the firmware is compromised, the TPM can be rendered ineffective. TPMs lack physical tamper resistance in most consumer devices. Biometrics: Convenient but Insecure Biometric data is not secret. Can be spoofed and bypassed. The “Spring Onion Hack” shows how easily sensors can be tricked. The VeroGuard Solution: Security by Design At VeroGuard, we believe security should be purpose-built , not patched together from consumer-grade components. Here’s how our solution addresses the issues exposed by the Dell incident: Purpose-Built Hardware Authenticator VeroGuard uses a dedicated hardware authenticator that is designed from the ground up for secure identity verification. The VeroCard is dedicated solely to identity-based functions. It has no physical ports for external connections and cannot be remotely activated, ensuring it remains isolated and secure from unauthorised access.   Tamper Resistance Is Non-Negotiable   Security that can be physically bypassed isn’t security at all. VeroGuard’s authenticator is engineered with true tamper resistance   and certified to payment industry specifications, ensuring that even if an attacker has physical access, they can’t compromise the device or the credentials it protects. No Biometrics, No Guesswork We don’t rely on biometrics. Why? Because; 1)        they’re not secret, and 2)        they’re probabilistic and not deterministic. Biometric authentication systems are intentionally designed to tolerate slight variations in input, because no two biometric scans – even from the same person – are ever exactly identical. Ironically, a 100% match is often treated as suspicious, since it may indicate a replay attack using a previously captured biometric sample. VeroGuard uses cryptographic keys stored in secure hardware. Out-of-Band Authentication Most importantly, VeroGuard’s authentication process occurs outside the target device. This out-of-band approach means that even if the PC or phone is compromised, the authentication remains secure. The device never sees your credentials, making phishing and malware attacks highly ineffective.   Final Thoughts: Don’t Let Your Security Be a Joke The spring onion hack is amusing—until you realise it could happen to your business. It’s time to stop trusting consumer-grade security and start demanding real protection . VeroGuard offers a solution that is not just secure in theory, but secure by design . Dedicated hardware designed specifically for secure identity verification. Purpose built for authentication – NOT general-purpose use Out of Band – Authentication occurs outside the target device. Hardware Security Modules – Credentials are never exposed to the device, reducing phishing and malware risks. Engineered with true tamper-resistance – keys are wiped if tamper is detected

No, but could this be a sign of what's ahead? Researchers recently reported encountering a phishing attack in the wild that bypasses a multifactor authentication using passkeys, the industry-wide standard being adopted by thousands of sites and enterprises. Further review of the attack path has shown that the bad actor did not bypass the passkey authentication but was successful in using a downgrade path to achieve their goal of accessing the user’s account. While this review emphasises that passkeys remain a strong and secure method for MFA , it also highlights that not all authenticator types should be considered equal, and that software bound credentials and implementations (in this case the implementation of the passkey authentication standard) should never be completely trusted. TL; DR While smartphone-based passkeys improve user convenience, they compromise FIDO2’s foundational hardware-bound security model. In high-risk environments, only dedicated hardware authenticators like VeroCard   can maintain cryptographic integrity, attestation trust, and robust phishing resistance. What Happened in the Recent "Downgrade" Phishing Attack Using FIDO2 Cross-Device Sign-In? In a recent report (mid‑2025), researchers at Expel observed a real-world phishing campaign by the group known as PoisonSeed, which exploited the cross-device sign-in feature in a clever adversary-in-the-middle attack: Victims received a phishing email directing them to a counterfeit enterprise login portal. After entering credentials, the phishing site relayed them in real-time to the legitimate site and triggered a cross-device sign-in request. The legitimate site generated a QR code for authentication, which the phishing page immediately captured and displayed. When the victim scanned the QR code with their phone, they unknowingly authenticated the attacker to the legitimate site. While this manoeuvre downgrades FIDO2 authentication to a weaker flow and is not a breach of the Fido2 protocol, it uses the weakness of the downgraded process, facilitated using a smartphone based passkey, to obfuscate reality from the victim. Why Using a Smartphone as a FIDO2 Authenticator Is Insecure Using a smartphone as a FIDO2 authenticator introduces fundamental security trade-offs that break key FIDO2 security assumptions, fracture passkey provenance and can enable bad actors to run a downgrade attack on passkey authentication. Passkeys created and stored on smartphones provides a convenience-security compromise that may be acceptable for consumers, but remains unsuitable for enterprise, critical infrastructure, or regulated environments. For these use cases, dedicated hardware authenticators like a VeroCard are the only way to maintain the original security promise of Fido2. Breaking FIDO2’s Original Core Security Premise Fido2 was designed with the principle that the private keys never left the security of the hardware authenticator. Driven by the consumer desire for convenience the Fido2 specification was revised to allow synchronisation of passkeys across cloud ecosystems so that users could easily access systems and sites using a single passkey. When users sync passkeys across devices using cloud services (like iCloud Keychain or Google Password Manager), the baseline security of passkeys is violated: The private credential is copied to multiple devices. Security of passkeys is now dependent on cloud account protections, not local hardware. If a cloud account is compromised, all passkeys are accessible remotely. In some environments users can share passkeys with others – fracturing any assertion of passkey  attestation . This turns a local, hardware-bound credential  into a cloud-distributed secret , significantly weakening the trust model.   How VeroCard Solves These Issues VeroCard restores the original FIDO2 security promise by: Hardware-Enforced Isolation Private keys remain protected in hardware at all times. Each key is device-bound  and tied to the physical VeroCard hardware. No Cloud Syncing Eliminates risks from iCloud, Google account, or password manager compromise. No cross-device duplication or migration of credentials. Downgraded flows are not allowed: VeroCard does not allow the user of QR code downgrades A single user gesture, PIN entry, and subsequent passkey login provide a full MFA without the need for any other factors. VeroGuard  further enhances security by: Requiring User Verification VeroCard enforces user presence  through PIN verification for every login. PIN verification is completed by the VeroGuard Platform prior to allowing the passkey to be used Requires explicit user interaction  resulting in identity verification and impersonation resistance. Origin Binding Enforced in Platform VeroGuard verifies the relying party (domain) has been permitted for the user, and ensures credentials are domain-specific . Centrally managing VeroCards: Tracking and managing devices Block use of and remove credentials Block VeroCard if lost Offering certified end to end process Common criteria PCI-PTS   Summary Risk Area Smartphone Passkeys VeroCard Private key leaves device ❌ Yes (via cloud sync) ✅ No Cloud account attack risk ❌ High ✅ None Cross-device phishing exposure ❌ Possible ✅ Prevented True hardware-based isolation ❌ Weak ✅ Strong Enterprise-grade assurance ❌ Lacks ✅ Delivers Verified user presence ❌ Optional or implicit ✅ Required (and verified) every time Phishing/aitm resistance ⚠️ Can be bypassed with cross-device flows ✅ Guaranteed Hardware certification & standards ⚠️ Some component level ✅ EAL2+/PCI-PTS VeroGuard is Common Criteria EAL 2+ certified  and VeroCard also holds PCI-PTS certification (standards for PIN security), along with FIDO2.

Vero Machine Identity is a Hardware Security Module (HSM) based solution that provides unparalleled security for IoT devices and applications. For Government A unified, universal digital identity platform for Government departments accelerates the ability to bring services online for citizens, secures data and improves administrational procedure. Click below to discover how VeroGuard can help to streamline your Government department. Find Out More Find Out More For Corporate Industry leading ID management solutions, secure remote login options for staff and the ability to store your organisation’s data assets with confidence. A single, unified system to achieve all this and more. Get VeroGuard Other Solutions People Machines Data Protection Machine Identity for IoT Vero Machine Identity is a Hardware Security Module (HSM) based solution that provides unparalleled security for IoT devices and applications. The module provides absolute protection for all internet connected devices, including AI/BI engines and tools. It works in conjunction with the VeroGuard network to provide HSM to HSM authentication of device identity. VeroGuard machine identity can be used to secure any type of device and handles the processing load for cryptographic calculations, meaning the IoT machines are not impacted by the security workload. It can be easily embedded into any device without fuss and connects directly to the VeroGuard network to protect both the device itself and any data it transmits. The solution is compatible with existing platforms and requires no upgrade to systems, offering connectivity that includes RJ, CAT, cellular (2G/3/4g/5g) WiFi or BPL/PLC. SOLUTIONS Product: VeroMod Machine ID In order to create an irrefutable identity for any device, VeroMod is simply integrated into the device, or via RJS connection. The machine requests connection and is verified with non-repudiable out of band and hardware encrypted multi factor authentication. At this point, VeroGuard provides HSM to HSM authentication and verification of machine identity, which allows encrypted tunnels to open, connecting machine to machine. All communications are AS 2805/ISO 8583 messaging and VeroMod handles the processing load for cryptographic calculations. Meanwhile, IoT machines are not impacted in any way. Machine ID is tamper resistant, utilises a unique key for every transaction and, with no known source of encryption, exposes no user authentication information. It is a simple and cost effective solution for securing all device data and communications. For more information: VeroGuard Protecting the IoT

VeroGuard Systems solves for unknown identity online. The VeroGuard Platform offers a universal and unified Digital Identity for person and non-person identities, which is able to be used across any application. VeroGuard provides Phish-Resitant MFA, Identity Verification and secure access over open networks. The Platform is certified Common Criteria (Defence) and is applicable to any organisation, can be reused across environments, and provides outstanding return on investment. VeroGuard Securing Your Digital World Defence Certified Suitable for Every Organisation Find Out More For Government Take control of access to critical systems and data and enjoy the confidence of absolute protection from identity fraud. A privacy-securing, universal digital identity platform for citizens and staff. Find Out More For Corporate Eliminate doubt and protect your digital assets with the complete confidence of non-repudiable authentication. The best available digital protection for any corporate application. VeroGuard stops unauthorised access to systems and data. VeroGuard Platform a technology of this generation Purpose How Who Indisputable proof of identity for all online and digital communications. Bank-to-bank grade security for internet and cloud. VeroGuard stops unauthorised access to cyber systems and data. Enjoy complete online confidence with the power of indisputable identity verification. It’s a simple and familiar way to provide absolute protection from digital fraud for all people, devices, transactions and data. No transmission of identifying data. No known source of encryption. Protect online data and communications with the sophistication of Defence level technology. VeroGuard is a unique online platform that provides out-of-band black box security modules for authentication, encryption and communications at both ends of every online transaction. The VeroGuard platform enables online authentication and encrypted transmission across fixed and mobile networks, providing the same level of security as the ATM network. With over 100 years of combined experience in the fields of network security and digital commerce, no one understands the complexity of online fraud better than the team at VeroGuard Systems. Our staff is comprised of industry leading technical innovators who have helped define the parameters of payment security as it exists today. With the support of former leaders from global IT firms, the VeroGuard team is uniquely qualified to meet this challenge. Solutions VeroGuard stops unauthorised access to systems and data. Addressing the rapid growth of cybercrime requires new solutions. The power of indisputable identity verification will change the way you think about digital security. Whether you’re looking for increased protection against fraud, the ability to restrict access to data based on identity, or simply a means to lower operating costs, VeroGuard has the solution. People Machines Data Protection Products VeroGuard is a security platform that powers a variety of unique cyber security products. From the most secure portable digital identity solution available to unparalleled cloud-based data security, VeroGuard secures your digital world. Explore the whole range and discover a product to suit your needs. VeroCard VeroMod VeroVault Why VeroGuard VeroGuard is a complete revolution in digital security that stops unauthorised access to systems and data. It is a unique platform built upon a proprietary, globally patented network providing absolute digital security at a level that no other organisation can offer. The identity protection by VeroGuard utilises out-of-band hardware security modules for authentication, encryption and communications at both ends of every online transaction. This technology is based on the most secure digital protection available anywhere. Until now, this non-repudiable technology has been used almost exclusively for interbank and terrestrial defence applications. VeroGuard is the first and only platform to make indisputable verification possible in online use. Cybercrime is an escalating global issue, with losses projected to reach $US10.5 trillion by 2025. VeroGuard Systems addresses this challenge by providing advanced digital security solutions. Our Platform ensures indisputable identity verification, safeguarding against fraud and data breaches. VeroGuard Systems' defence-certified technology offers a robust layer of protection for organisations globally, making us a leader in digital security innovation. News Whitepapers Our Partners

A unified, universal digital identity platform for Government departments accelerates the ability to bring services online for citizens, secures data and improves administrational procedure. Get VeroGuard Government A unified, universal digital identity platform for Government departments accelerates the ability to bring services online for citizens, secures data and improves administrational procedure. Click below to discover how VeroGuard can help to streamline your Government department. For Solutions Cybercrime continues to grow at an alarming rate, becoming a very real problem for the digital transformation of any government department. Such departments are increasingly in need of digital infrastructure, whether it’s Defence, Health, Human Services, Home Affairs or Transit. The only way to continue delivering services in this digital climate is to make them viable for all citizens and employees. That means providing the best possible protection from cyber attack. People Machines Data Protection Purpose Adoption of the VeroGuard digital identity platform enables government departments to be more efficient and effective by providing unified and trustworthy online access. Some immediate benefits include process automation, user enablement, personalisation, enhanced delivery, trusted data for decisions and research and trusted secondary commercialisation of information. VeroGuard stops unauthorised access to systems and data. The time to act is now. Security Online security begins with identification, and nothing less than absolute surety will do. Identity systems have always been based on face-to-face interactions, physical documents and processes. The transition to a digital economy requires radically different identity systems. In a world that’s increasingly governed by digital transactions and data, existing methods for managing security and privacy are no longer adequate. The number of digital-identity dependent transactions is growing through increased use of digital channels. Customers expect seamless service delivery with the most user-friendly experience. Indisputable identity verification by VeroGuard stops unauthorised access to systems and data. Energy The VeroGuard platform offers sophisticated cyber security to meet the substantial demands of the modern energy sector. Absolute digital protection is necessary to maintain constant reliability and resilience, even in the event of a cyber-attack. This presents a unique challenge for the energy sector in that systems under attack cannot be easily disconnected from the network as this could potentially result in safety issues or blackouts. VeroGuard supports grid stability in a cross-border interconnected energy network by verifying the authenticity of machines and humans in and across networks. Developed on .net, VeroGuard is an easy platform to integrate with using API’s that will support both legacy and modern applications. Logistics/Supply Chain VeroGuard provides the complete confidence of a fully integrated, ultra-secure supply chain. As demand increases for efficient delivery of online services, so too does the complexity of supply chains for businesses of all sizes. Every additional link in the supply chain, especially those which are automated, represents another opportunity for data to be compromised. The VeroGuard platform secures each step of the process with non-repudiable identity verification and securely links IoT, business and humans. Moreover, it provides reliable and efficient digital infrastructure that converges multiple functions such as security, identity and payments. This helps to manage existing IT complexity and lower risk as well as increasing the speed of cashflow between suppliers. Defence The unique VeroGuard platform can build capability and a defence level security posture for the Industry. Deployment of VeroGuard’s solution would provide a response to the barriers faced by the defence industry’s contractors, immediately lift industry capability and position them to win and service defence business and improve security throughout the ecosystem. VeroGuard delivers an HSM based secure access platform for all industry members and Defence itself to engage and share resources. In combination with universal, unified HSM based digital identity management and the most secure cloud storage available in the world, VeroGuard can help to build a trusted defence industry ecosystem. Ready to get VeroGuard? Take control of your online and digital operations and experience the confidence of absolute protection from identity fraud. Eliminate the danger of data breaches and minimise expenditure with unique identity management solutions, remote login options and industry leading security for data at rest. A single, unified system can achieve all this and more without the need for expensive infrastructure. There's no reason to leave your assets unprotected - the time to act is now.. Prefer to keep your privacy? Call us and see how we can work together +61 (03) 9558 3090