Speak Up NOW on New IF-MAP Specs for ICS and SCADA Security


We all agree that SCADA and Industrial Control System security needs to improve. However there is a lot of disagreement on what exactly needs to happen to make security for industrial systems easier to deploy and more effective. Last week’s blog exchange between me and Dale Peterson, is just one example of those differences. Now this week I am going to go in a different direction when it comes to improving security.

 

Something I believe industry urgently needs is better standards for information exchange between security solutions.

 

It is great to have the latest security technologies like VPNs, anti-virus (AV), firewalls, IDS, etc. on your plant floor. Unfortunately getting them to interact with each other can be like pulling teeth.

 

For example, say you have a VPN for remote access. Now there are many criteria that could be used to decide if a given device or person is allowed to connect to the control system over that VPN. A few examples include possession of valid certificates or passwords, being in the correct location, meeting current patch or AV levels or even having the correct job role in the company. How do you easily and securely get the information out of the various systems that create it and into your VPN system? It isn’t easy.

A Platform for Sharing Security Information

Recently there has been progress in solving the problem in the IT space. And even better, there is now a specification created by the Trusted Computing Group (TCG) that explains how it could be solved in the SCADA and ICS worlds.

 

First a bit of background. The TCG is a standards group that develops vendor-neutral specifications for interoperable trusted computing platforms. TCG is most famous for creating the ISO/IEC standards around Trusted Platform Modules (TPMs), chips that store cryptographic keys to protect information and identify devices.

 

Now while I am interested in TPMs (my laptop has a TPM and Tofino Firewalls may have them soon too), it is the TCG initiative called Interface for Metadata Access Points (IF-MAP) that really excites me. IF-MAP standardizes the way devices and applications share information with one another. It does for coordination and collaboration of security information what IP did for connectivity.

Securing Large-Scale Industrial Control Systems

TCG recently released for comment a draft specification called TNC IF-MAP Metadata for ICS Security. This specification defines a multi-vendor, interoperable approach to protecting control system networks by providing a central ‘clearing house’ for network security events and information.

 

The main purpose of this specification is to facilitate the deployment, management, and protection of large-scale secure industrial control systems. This is done by creating virtual layer 2 and/or layer 3 overlay networks on top of a standard shared IP network infrastructure.

 

This specification is part of the positive trend of standards groups working together towards better ICS security. The TNC specification is intended to align closely with the ISA/IEC concepts of zones and conduits. 

An aircraft manufacturer uses the IF-MAP protocol to tie together information from different vendors to determine security policy in real-time. For more information, download the "Understanding IF-MAP" Technical Briefing Kit available below.

SCADA Professionals Need to Speak Up by Feb 28th, 2013

Unfortunately while TCG has had feedback from the IT community, they have received little from the SCADA or ICS community. I think this is a shame for two reasons:

 

1. It is a good document that the ICS community should read and learn from.

 

2. The lack of response reinforces the IT world's misperception that ICS professionals don't care about security standards.

Learn about the TCG Specification and Provide Feedback

Read about the TCG draft specification

 

Obtain the specification: IF-Metadata for ICS Security

 

• Submit comments to ics-metadata-comments@trustedcomputinggroup.org by Feb 28th, 2013.

 

Please note that these comments will be publically viewable on the TCG website unless the commentator specifically requests that they are not.

 

I encourage everyone involved with SCADA and ICS security to review the specification. Then contribute your knowledge by sending any feedback (good or bad) before the close of feedback on February 28, 2013.

Related Content to Download

Technical Briefing Kit: "Understanding IF-MAP"

 

     Download this document and learn about:

  • What IF-MAP is

  •  

  • How it contributes to better SCADA and ICS security

  •  

  • How IF-MAP ties together information from different vendors to determine security policy in real-time

  •  

  • How IF-MAP contributes to meeting the requirements of both SCADA engineers and IT professionals
     

  • How a major aerospace manufacturer uses IF-MAP

 

Related Links

•    Blog: The Future of Security from the NSA Trusted Computing Conference
•    Blog: IF-MAP: A New Standard for SCADA Security that You Should Know About

•    IF-MAP Organization, Website
•    RTCmagazine.com webpage: Utilize Open Standards to Protect Control System Networks
•    Video: Tofino Security Demonstrates Industrial Control System (SCADA)
•    Video: Boeing protects SCADA devices with Tofino
 

RSS Feed Subscribe to the "Practical SCADA Security" news feed

 

Author Eric Byres


© Tofino Security 2013 | All Rights Reserved | Tofino Security is a Belden Brand



Thanks

Thanks Eric! I don't know how much I can add in terms of useful commentary, but I'm very interested and will give it a read.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <map> <area> <hr>
  • Lines and paragraphs break automatically.

More information about formatting options

CAPTCHA
This question is to prevent automated spam submissions. Data entry is case insensitive.
Image CAPTCHA
Enter the characters shown in the image.