We all agree that SCADA and Industrial Control System security needs to improve. However there is a lot of disagreement on what exactly needs to happen to make security for industrial systems easier to deploy and more effective. Last week’s blog exchange between me and Dale Peterson, is just one example of those differences. Now this week I am going to go in a different direction when it comes to improving security.
Something I believe industry urgently needs is better standards for information exchange between security solutions.
It is great to have the latest security technologies like VPNs, anti-virus (AV), firewalls, IDS, etc. on your plant floor. Unfortunately getting them to interact with each other can be like pulling teeth.
For example, say you have a VPN for remote access. Now there are many criteria that could be used to decide if a given device or person is allowed to connect to the control system over that VPN. A few examples include possession of valid certificates or passwords, being in the correct location, meeting current patch or AV levels or even having the correct job role in the company. How do you easily and securely get the information out of the various systems that create it and into your VPN system? It isn’t easy.
A Platform for Sharing Security Information
Recently there has been progress in solving the problem in the IT space. And even better, there is now a specification created by the Trusted Computing Group (TCG)that explains how it could be solved in the SCADA and ICS worlds.
First a bit of background. The TCG is a standards group that develops vendor-neutral specifications for interoperable trusted computing platforms. TCG is most famous for creating the ISO/IEC standards around Trusted Platform Modules (TPMs), chips that store cryptographic keys to protect information and identify devices.
Now while I am interested in TPMs (my laptop has a TPM and Tofino Firewalls may have them soon too), it is the TCG initiative called Interface for Metadata Access Points (IF-MAP) that really excites me. IF-MAP standardizes the way devices and applications share information with one another. It does for coordination and collaboration of security information what IP did for connectivity.
Securing Large-Scale Industrial Control Systems
TCG recently released for comment a draft specification called TNC IF-MAP Metadata for ICS Security. This specification defines a multi-vendor, interoperable approach to protecting control system networks by providing a central ‘clearing house’ for network security events and information.
The main purpose of this specification is to facilitate the deployment, management, and protection of large-scale secure industrial control systems. This is done by creating virtual layer 2 and/or layer 3 overlay networks on top of a standard shared IP network infrastructure.
This specification is part of the positive trend of standards groups working together towards better ICS security. The TNC specification is intended to align closely with the ISA/IEC concepts of zones and conduits.
An aircraft manufacturer uses the IF-MAP protocol to tie together information from different vendors to determine security policy in real-time. For more information, download the "Understanding IF-MAP" Technical Briefing Kit available below.
SCADA Professionals Need to Speak Up by Feb 28th, 2013
Unfortunately while TCG has had feedback from the IT community, they have received little from the SCADA or ICS community. I think this is a shame for two reasons:
1. It is a good document that the ICS community should read and learn from.
2. The lack of response reinforces the IT world's misperception that ICS professionals don't care about security standards.
Learn about the TCG Specification and Provide Feedback
• Submit comments to email@example.com by Feb 28th, 2013.
Please note that these comments will be publically viewable on the TCG website unless the commentator specifically requests that they are not.
I encourage everyone involved with SCADA and ICS security to review the specification. Then contribute your knowledge by sending any feedback (good or bad) before the close of feedback on February 28, 2013.