Trusted Cyber Physical Systems (TCPS) is a new solution from Microsoft that can help protect critical infrastructure organizations against cyber threats.
Introduced last week at Hannover Fair in Germany, Microsoft said the TCPS project wants to handle threats by providing end-to-end security through hardware, software and trust mechanisms.
As a case in point Microsoft talked about the Triton and NotPetya attacks as critical infrastructure attacks.
Triton was used in a highly targeted campaign aimed at a gas refinery in Saudi Arabia, while NotPetya disrupted the operations of several major companies, with some, like Maersk and Federal Express, reporting losses of hundreds of millions of dollars.
The Triton attack on the control and safety systems of an industrial plant brought to the forefront system vulnerabilities in critical infrastructure even when they are designed with failsafe controls, according to Microsoft in a post. Attackers used sophisticated malware to remotely control a safety control workstation. Some controllers accidently triggered failsafe mode as the attackers tried to reprogram them. This attack brought to light two challenges prevalent in today’s connected world – a need to prevent malware from taking control of key operations and a hackers’ ability to leverage third-party operators such as admins of cloud hosting services, or OS, and driver vendors to introduce malware.
Microsoft said this is how Trusted Cyber Physical Systems is realized with the following four properties:
1. Separation of critical execution: Help protect critical infrastructure from malware threats by separating non-critical from critical operations and concentrating on using hardware isolation to protect control of physical systems.
2. Inspectability of execution process: Ensure that any code that handles critical operations must be auditable by operators through source code review.
3. Attestability of processing environment: During operation, each component must be able to verify that data is received and sent only from trustworthy sources. A component also needs to attest its trustworthiness to other components.
4. Minimizing number of entities that need to be trusted: Reducing the number of trusted entities significantly reduces the attack surface for critical infrastructure. In the ideal TCPS solution, the operator will maintain the only root of trust for critical code execution.
One crucial component in providing end-to-end security involves trusted execution environments (TEE), Microsoft said. TEE includes Secure Elements, Intel’s Software Guard Extensions (SGX), ARM TrustZone, and Trusted Platform Modules (TPMs) and DICE-capable microcontrollers from the Trusted Computing Group.
TEE offers advantages, including the fact code running in a TEE is small and thus has a minimal attack surface, the code is considered trusted, all the data is encrypted, and the TEE hardware ensures software running outside the trusted environment cannot break in.
There is the risk of a compromised user device or SCADA system sending legitimate-looking arbitrary commands.
Microsoft said this can be addressed by using a secure confirmation terminal, a device that displays a message and asks for confirmation if an unusual operation is detected.
The TEE can help in this case by ensuring the display and the input system on the secure confirmation terminal are only accessible from the trusted environment and out of malware’s reach.
Microsoft described a customer scenario where a utility company in charge of several water plants uses TCPS to ensure any operation on cyber-physical systems is authorized by the operations center, which has the ability to securely delegate tasks to trusted third-parties. The solution also allows the company to ensure all operations are recorded as auditable events stored in tamperproof logs.
For more information, click here for a white paper.