Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Eric Byres
We all agree that SCADA and Industrial Control System security needs to improve. However, there is a lot of disagreement on what exactly needs to happen to make security for industrial systems easier to deploy and more effective.
Something I believe the industry urgently needs is better standards for information exchange between security solutions.
It is great to have the latest security technologies like VPNs, anti-virus (AV), firewalls, IDS, etc. on your plant floor. Unfortunately, getting them to interact with each other can be like pulling teeth.
For example, say you have a VPN for remote access. Now there are many criteria that could be used to decide if a given device or person is allowed to connect to the control system over that VPN. A few examples include possession of valid certificates or passwords, being in the correct location, meeting current patch or AV levels or even having the correct job role in the company. How do you easily and securely get the information out of the various systems that create it and into your VPN system? It isn’t easy.
There has been progress in solving the problem in the IT space. And even better, there is now a specification created by the Trusted Computing Group (TCG) that explains how it could be solved in the SCADA and ICS worlds.
First a bit of background. The TCG is a standards group that develops vendor-neutral specifications for interoperable trusted computing platforms. TCG is most famous for creating the ISO/IEC standards around Trusted Platform Modules (TPMs), chips that store cryptographic keys to protect information and identify devices.
Now while I am interested in TPMs, it is the TCG initiative called Interface for Metadata Access Points (IF-MAP) that really excites me. IF-MAP standardizes the way devices and applications share information with one another. It does for coordination and collaboration of security information what IP did for connectivity.
TCG recently released for comment a draft specification called TNC IF-MAP Metadata for ICS Security. This specification defines a multi-vendor, interoperable approach to protecting control system networks by providing a central “clearing house” for network security events and information.
The main purpose of this specification is to facilitate the deployment, management, and protection of large-scale secure industrial control systems. This is done by creating virtual layer 2 and/or layer 3 overlay networks on top of a standard shared IP network infrastructure.
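A toy model of that clearing-house idea, added here as an illustration and not code from the TCG specification or the IF-MAP protocol itself (which uses SOAP/XML and its own metadata schema): the security systems from the VPN example above each publish what they know about a device identifier, and the VPN policy subscribes to changes and re-evaluates the admission decision every time the picture changes. All system names, attribute names and the sample device are assumptions.

```python
from collections import defaultdict

class MapServer:
    """Toy clearing house: identifier -> {metadata name: (publisher, value)}."""
    def __init__(self):
        self.store = defaultdict(dict)
        self.subscribers = defaultdict(list)   # identifier -> callbacks

    def publish(self, identifier, publisher, name, value):
        # A later publish for the same name replaces the earlier one.
        self.store[identifier][name] = (publisher, value)
        for callback in self.subscribers[identifier]:
            callback(identifier)

    def search(self, identifier):
        return {name: value for name, (_, value) in self.store[identifier].items()}

    def subscribe(self, identifier, callback):
        self.subscribers[identifier].append(callback)

# Each required attribute names the only publisher trusted to assert it,
# so a device cannot vouch for its own AV or patch status.
REQUIRED = {"cert-valid": "pki", "av-current": "av-server", "patch-current": "patch-server"}
ALLOWED_ROLES = {"control-engineer"}

def vpn_decision(server, identifier):
    """Default deny: every required attribute must exist, be true, and come from its trusted source."""
    record = server.store[identifier]
    for name, source in REQUIRED.items():
        if name not in record:
            return ("deny", f"no {name} data for {identifier}")
        publisher, value = record[name]
        if publisher != source or value is not True:
            return ("deny", f"{name}={value!r} published by {publisher}")
    role = record.get("role", (None, None))[1]
    if role not in ALLOWED_ROLES:
        return ("deny", f"role {role!r} not permitted")
    return ("allow", "all checks passed")

def demo():
    """Constructed scenario: four systems publish about one laptop; the VPN re-decides on each change."""
    server, dev, decisions = MapServer(), "laptop-17", []
    server.subscribe(dev, lambda ident: decisions.append(vpn_decision(server, ident)))
    server.publish(dev, "pki", "cert-valid", True)
    server.publish(dev, "patch-server", "patch-current", True)
    server.publish(dev, "hr", "role", "control-engineer")
    server.publish(dev, "av-server", "av-current", True)    # complete picture: allow
    server.publish(dev, "av-server", "av-current", False)   # AV lapses: access revoked
    server.publish(dev, "laptop-17", "av-current", True)    # self-asserted status: still denied
    return [verdict for verdict, _ in decisions]
```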
This specification is part of the positive trend of standards groups working together toward better ICS security. The TNC specification is intended to align closely with the ISA/IEC concepts of zones and conduits.
Unfortunately, while TCG has had feedback from the IT community, they have received little from the SCADA or ICS community. I think this is a shame for two reasons:
1. It is a good document the ICS community should read and learn from.
2. The lack of response reinforces the IT world’s misperception that ICS professionals don’t care about security standards.
There is not much time, so submit comments to firstname.lastname@example.org by Feb 28.
Eric Byres is vice president and chief technology officer at Tofino Security. The full version of this post is available on the Practical SCADA Security blog.