The Future of Security from the NSA Trusted Computing Conference

I am just flying back from attending my first NSA Trusted Computing Conference in Orlando, Florida. While this is not an ICS or SCADA security conference, if you want to get a glimpse of what security technologies to expect in the next decade, this is a good show to attend.

With all the talk in the past year about Stuxnet and USB keys, one exhibit that caught my attention was the General Dynamics booth. General Dynamics is developing a management system (initially for government or military applications) that allows a security operation center (SOC) to collect and correlate network information from an amazing variety of sources.

General Dynamics’ Security Operation Center

The demonstration begins with a small applet that runs on the operator’s laptop. This applet checks if any removable drives (i.e. USB drives) are connected to the laptop and passes that information to a central data exchange server.

At the same time, a different applet (from an endpoint security company called Triumfant) monitors a smart identity card to determine who is logged into the laptop. It also sends this information to the central server along with details on the person’s role in the organization. At this point, a security manager can see who is logged in to what computers, their role and level in the company and what they have been doing with USB keys. Nice, but not amazing.

But then it gets interesting. Yet another vendor’s firewall has subscribed to the server. It has asked to be immediately informed if a USB key is inserted in any computer by people below a certain role and privilege level. The moment it is, the firewall changes its rules so that access to a key web server is cut off and alarms are raised.

Using proprietary interfaces, integrating this information to drive firewall policy would be a challenge, but using IF-MAP, it is straightforward. It sure beats filling USB ports with silicon.
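As an added example (not code from the post, General Dynamics, Triumfant or Tofino), here is a simplified Python model of the publish/subscribe flow just described: applets publish identity and USB metadata to a MAP server, and a firewall subscription cuts off a web server when a user below a privilege threshold inserts a drive. The `MapServer` and `Firewall` classes, the role ladder and the device names are assumptions; the real IF-MAP protocol is SOAP/XML over HTTPS with a richer identifier and metadata model.

```python
# Constructed, simplified model of the demo's publish/subscribe flow: applets publish
# identity and USB metadata to a MAP server; a firewall subscription reacts to it.
from dataclasses import dataclass, field

ROLE_LEVEL = {"admin": 3, "engineer": 2, "contractor": 1}  # constructed role ladder

@dataclass
class MapServer:
    """Stores metadata per device identifier and notifies subscribers on each publish."""
    metadata: dict = field(default_factory=dict)     # device -> {key: value}
    subscribers: list = field(default_factory=list)  # callbacks(device, metadata)

    def publish(self, device, key, value):
        self.metadata.setdefault(device, {})[key] = value
        for callback in self.subscribers:
            callback(device, dict(self.metadata[device]))

    def subscribe(self, callback):
        self.subscribers.append(callback)

class Firewall:
    """Subscriber: cuts off the key web server for a device while a user below
    min_level has a USB drive inserted, and restores access once it is removed."""
    def __init__(self, min_level):
        self.min_level = min_level
        self.blocked = set()
        self.alarms = []

    def on_event(self, device, meta):
        level = ROLE_LEVEL.get(meta.get("role"), 0)  # unknown role = least privilege
        if meta.get("usb_inserted") and level < self.min_level:
            if device not in self.blocked:  # alarm once per insertion
                self.alarms.append(f"{meta.get('user')} ({meta.get('role')}) inserted USB on {device}")
            self.blocked.add(device)
        elif not meta.get("usb_inserted"):
            self.blocked.discard(device)

def run_demo():
    server = MapServer()
    fw = Firewall(min_level=ROLE_LEVEL["engineer"])
    server.subscribe(fw.on_event)
    events = [("laptop-1", "user", "alice"), ("laptop-1", "role", "admin"),
              ("laptop-2", "user", "bob"), ("laptop-2", "role", "contractor"),
              ("laptop-1", "usb_inserted", True),   # admin: no rule change
              ("laptop-2", "usb_inserted", True),   # contractor: block and alarm
              ("laptop-2", "usb_inserted", False)]  # drive removed: access restored
    for device, key, value in events:  # constructed replay of the booth scenario
        server.publish(device, key, value)
    return fw
```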

Eric Byres at the Tofino Security/Juniper demo in the Trusted Computing Booth at NSA.

The IF-MAP Standard Makes it Possible

What makes this all possible is an emerging standard called IF-MAP (Interface for Metadata Access Protocol). Scott discussed IF-MAP in some detail in a blog article last spring, but what is important to know is that IF-MAP acts like a clearing house for real-time event data from any device that cares to publish to it. It is open and fully documented, so equipment from multiple vendors can be combined to create sophisticated and highly flexible systems.

The number of IF-MAP compatible devices at the NSA conference was exciting. In a booth across the aisle, an open source Snort intrusion detection system (IDS) was monitoring for network scans and password cracking attempts and reporting that to the MAP server.

A VPN client in an Android phone used that information to allow or block the phone from connecting to the corporate network. In yet another booth (run by Infoblox), an employee badge scanner was reporting physical security information to a MAP server.

In the same Infoblox booth, a Tofino Security Appliance was using MAP event information to decide whether to allow an HMI to connect over an encrypted tunnel to a PLC (for more on the Tofino PLC application see our Application Note: Securing Critical Industrial Processes in Real Time).

The Tofino Security demo in the Infoblox booth at NSA.

We see a lot of hope for IF-MAP as a truly open and unified standard for security information management. Currently there are just too many different protocols (public and proprietary) to make true security integration across different systems viable. If the industry can settle on IF-MAP as the standard, security, both in the office and on the plant floor, has a chance to make a major leap forward.

Related Content to Download

Note: you need to be a member and logged in to have access to the documents below. Register here to become a member.

Application Note - "Securing Critical Industrial Processes in Real Time"

This Application Note explains how a major aerospace manufacturer uses IF-MAP and Tofino Endboxes to provide both IT and SCADA engineers the control they need to ensure secure and accurate production.

Article - "Control Network Secure Connectivity Simplified"

This article, co-authored by Scott Howard of Tofino Security with Lisa Lorenzin of Juniper Networks, discusses multiple examples of how IF-MAP can be used to secure control systems.

Notes about IF-MAP and MAP

  • In general, MAP refers to a server and IF-MAP refers to the communication protocol that other devices use to talk to the MAP server
  • IF-MAP is generally pronounced: “I” “F” “MAP”
