Improving SCADA and Industrial Controls Systems

Plenty of disagreement exists about how to make security for industrial systems easier to deploy and more effective, but everyone agrees that SCADA and Industrial Control Systems (ICS) need to—and can—improve. Eric Byres of Tofino thinks one improvement would be the implementation of better standards for information exchange between security solutions.

“It is great to have the latest security technologies like VPNs, anti-virus firewalls, intrusion detection systems, etc. on your plant floor,” says Byres. “Unfortunately getting them to interact with each other can be like pulling teeth.”

As one example, consider a remote access VPN used to connect to the central control system. A number of criteria could be involved in determining access privileges, including possession of valid certificates or passwords, meeting current AV or patch levels, being in the right location, or even holding the correct role at the company. Simply put, getting that information out of the various systems and into the VPN is no cakewalk.

But, according to Byres, a new specification by the Trusted Computing Group (TCG) could solve the SCADA and ICS problem. TCG, a standards group focusing on vendor-neutral specifications for interoperable trusted computing platforms, is best known for creating the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standards around Trusted Platform Modules (TPM). TPMs are chips that store cryptographic keys to protect information and identify devices.

However, it is a newer TCG specification, called Interface for Metadata Access (IF-MAP), that has Byres excited. He says that by standardizing the way devices and applications share data, IF-MAP could do for coordination and collaboration what IP did for connectivity.

TCG has released a draft specification called TNC IF-MAP Metadata for ICS Security that defines a multi-vendor, interoperable approach to protecting control system networks by providing a central “clearing house” for network security events and information. The specification is designed to facilitate the deployment, management and protection of large-scale secure industrial systems by creating virtual layer 2 and/or layer 3 overlay networks on top of a shared IP network infrastructure.

The specification is an example of a growing trend toward closer cooperation between standards groups to improve information and communications technology security, and is designed to align closely with the ISA/IEC concepts of zones and conduits.

The document has received feedback from the IT community, but Byres has urged SCADA and ICS professionals to read and comment on the specification as well. Comments may be sent to ics-metadata-comments@trustedcomputinggroup.org.