Mobile Secure Network Connectivity
for Industrial Control Systems
Peaceful Coexistence in Mixed
Control System / IT Environments
Steven C. Venema
Associate Technical Fellow
Architecture & Networked Systems
EOT_RT_Sub_Template.ppt | 1/6/2009 | 1 BOEING is a trademark of Boeing Management Company.
Copyright © 2009 Boeing. All rights reserved.
Engineering Operations & Technology | Boeing Research & Technology E&IT |Networked Systems Technology
Outline
• ICS Applications at Boeing
• ICS Connectivity and Security Challenges
• A Virtual Enclave Architecture
• Implementation Details and Experience
• Standards and Commercialization Activities
Example Boeing ICS/SCADA Mobile Applications
(Photo collage; captions recovered from the slide:)
• Products with Embedded Wireless Systems
• RTLS / NLS Process & Asset Visibility
• Moving Line Assembly Tooling
• Factory Tablet PC with On-Line Work Instructions
• Roaming Autonomous Guided Vehicles (AGVs)
• Monitoring Temperatures of Sealant Freezers
• Parts Measurement and Assembly Alignment
• Communications During Large Structure Assembly
Peaceful Coexistence with IT?
A complex mix of people, IT, control systems and products…
(Diagram: Requirements of Corporate IT | Culture Clash | Requirements of SCADA/ICS)
ICS/SCADA Connectivity Challenges (Wired & Wireless)
• Both legacy and new ICS equipment have connectivity challenges
  • Proprietary and insecure protocols
  • Parallel wiring plant in manufacturing facilities
  • Vendors continue to push custom solutions in 802.11 space
We need a standard solution in this space that can:
  • Leverage standard network technologies
  • Peacefully co-exist with IT-centric networking
SCADA/ICS Security Challenges
Forcing the evolution of security and connectivity…
(Chart of connectivity versus security posture; labels recovered from the slide:)
• Connectivity today: a control panel intranet connected
• Security posture today: isolated proprietary solutions; using some Internet technologies
• Now: secure SCADA over intranets
• Soon (major suppliers need this): secure SCADA over Internet
Traditional ICS Connectivity
(Diagram: traditional ICS connectivity alongside the Corporate Intranet)
So what's the problem?
• Isolated networks are expensive and complex
  • Duplicate wiring, VLAN management, etc.
• Shared networks are too insecure
  • ICS's are susceptible to worms, viruses, intrusion, etc. but can't protect themselves very well
• Shared network clients need to use cooperative services
  • DHCP? Static IP addressing doesn't scale!
  • DNS, 802.1x, MPLS, etc.?
High-level Architecture Goals
1. Allow control systems to utilize a common shared network infrastructure to minimize deployment costs
  • Both wired and wireless
  • Support hybrid approaches (shared + isolated networking infrastructure) where appropriate
2. Isolate control systems from the shared network to protect "primitive" control devices
  • "Bake in" cryptographic identities and authentication
3. Allow controls engineers (not IT) to manage their own devices
  • Create a clear delineation between the roles and responsibilities of controls engineers and IT services
4. Keep CapEx/OpEx costs low and reliability high
Finding a way…
Nothing available that fit our needs. So we…
1. Created an architecture that satisfied our requirements
2. Created a Prototype and Pilot
  • Satisfied an initial need in this space (777 crawlers)
3. Started engaging Standards orgs for wider adoption
  • ISA/SCADA-related standards activities in ISA, TCG and OpenGroup
4. Started a commercialization activity
  • Released our code as Open Source Software (OSS)
    – http://www.openhip.org
  • Partnered with an ICS security appliance company to modify their product using our prototype technology
Virtual Enclave Architecture
(Diagram: a Virtual Enclave spanning the Corporate Intranet "Backhaul")
Enclave Gateways (EG's) provide:
• An isolated layer-2 virtual enclave (green) for control system devices that spans arbitrary networks
• Cryptographic identity and security protection from the Intranet
• Authentication and Authorization clients that utilize standard IT services
  • DHCP, DNS, 802.1x, WPA, etc.
Advantages:
• Allows shared use of IT wired/wireless networks
• Requires no special configuration of IT network infrastructure
• EG is a standard, "well-behaved" IT network client
• Provides needed isolation for control system devices
• Provides clean division of responsibility between IT and ICS engineers
• Supports multiple virtual enclaves simultaneously
Disadvantage:
• Control system devices will see latency/throughput variation due to other Intranet usage
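The following is an added illustration of the enclave-gateway idea on the previous slides and is not code from the Boeing prototype or from OpenHIP. It models one direction of an EG-to-EG tunnel that carries raw layer-2 frames across the shared intranet: each packet is tagged with an enclave ID and sequence number, both authenticated together with the frame under AES-GCM, so a gateway in a different enclave cannot read or accept the frame, a replayed packet is dropped, and a modified packet fails authentication. The key is assumed to come from the HIP association between the two gateways (here it is simply generated), the 12-byte header layout is this example's own rather than the HIP/ESP wire format, and the sample Ethernet frame is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const hdrLen = 12       // 4-byte enclave ID + 8-byte sequence number
const replayWindow = 64 // sliding window of accepted sequence numbers

var (
	ErrShort        = errors.New("packet too short")
	ErrWrongEnclave = errors.New("packet belongs to a different enclave")
	ErrReplay       = errors.New("sequence number already seen or too old")
	ErrAuth         = errors.New("authentication failed")
)

// Tunnel is one direction of an enclave gateway's layer-2 tunnel. The AEAD key is
// assumed to come from the HIP association between the two EGs (an assumption of
// this example); the header layout is this example's own, not the HIP/ESP format.
type Tunnel struct {
	id      uint32
	aead    cipher.AEAD
	sendSeq uint64
	highest uint64 // highest authenticated sequence number received so far
	window  uint64 // bit i set => sequence number (highest - i) already received
}

func NewTunnel(enclaveID uint32, key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{id: enclaveID, aead: aead}, nil
}

// Encapsulate wraps a raw Ethernet frame as header || AES-GCM(frame). The header
// doubles as the nonce (unique per key because the sequence never repeats) and is
// authenticated as associated data, so the enclave ID cannot be swapped in transit.
func (t *Tunnel) Encapsulate(frame []byte) []byte {
	t.sendSeq++
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[:4], t.id)
	binary.BigEndian.PutUint64(hdr[4:], t.sendSeq)
	return append(hdr, t.aead.Seal(nil, hdr, frame, hdr)...)
}

// seqFresh reports whether seq is new; it does not modify the window.
func (t *Tunnel) seqFresh(seq uint64) bool {
	if seq == 0 {
		return false
	}
	if seq > t.highest {
		return true
	}
	diff := t.highest - seq
	return diff < replayWindow && t.window&(1<<diff) == 0
}

// markSeq runs only after the packet authenticated, so forged packets cannot
// advance the window and cause legitimate traffic to be dropped.
func (t *Tunnel) markSeq(seq uint64) {
	if seq > t.highest {
		if shift := seq - t.highest; shift >= replayWindow {
			t.window = 0
		} else {
			t.window <<= shift
		}
		t.highest = seq
		t.window |= 1
		return
	}
	t.window |= 1 << (t.highest - seq)
}

// Decapsulate checks enclave ID, replay window and AEAD tag, in that order,
// before handing the inner frame to the enclave side of the gateway.
func (t *Tunnel) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+t.aead.Overhead() {
		return nil, ErrShort
	}
	hdr := pkt[:hdrLen]
	if binary.BigEndian.Uint32(hdr[:4]) != t.id {
		return nil, ErrWrongEnclave
	}
	seq := binary.BigEndian.Uint64(hdr[4:])
	if !t.seqFresh(seq) {
		return nil, ErrReplay
	}
	frame, err := t.aead.Open(nil, hdr, pkt[hdrLen:], hdr)
	if err != nil {
		return nil, ErrAuth
	}
	t.markSeq(seq)
	return frame, nil
}

// sampleFrame is a constructed Ethernet frame (dst MAC, src MAC, EtherType
// 0x0800, placeholder payload), not a capture from any real device.
func sampleFrame() []byte {
	f := []byte{0x00, 0x1b, 0x21, 0xaa, 0xbb, 0xcc, 0x00, 0x1b, 0x21, 0x11, 0x22, 0x33, 0x08, 0x00}
	return append(f, "constructed IPv4 payload"...)
}

// TunnelDemo sends one frame across enclave 1 and shows three deliveries that are refused.
func TunnelDemo() (delivered []byte, wrongEnclave, replay, tampered error) {
	keyA, keyB := make([]byte, 32), make([]byte, 32)
	rand.Read(keyA) // stands in for keys negotiated by the HIP base exchange
	rand.Read(keyB)
	crawlerEG, _ := NewTunnel(1, keyA)
	controllerEG, _ := NewTunnel(1, keyA)
	otherEG, _ := NewTunnel(2, keyB) // a second enclave sharing the same intranet
	pkt := crawlerEG.Encapsulate(sampleFrame())
	delivered, _ = controllerEG.Decapsulate(pkt)
	_, wrongEnclave = otherEG.Decapsulate(pkt)   // different enclave: rejected
	_, replay = controllerEG.Decapsulate(pkt)    // same packet again: rejected
	bad := crawlerEG.Encapsulate(sampleFrame())
	bad[len(bad)-1] ^= 0x01 // one flipped ciphertext bit
	_, tampered = controllerEG.Decapsulate(bad) // fails authentication
	return delivered, wrongEnclave, replay, tampered
}

func main() {
	delivered, wrongEnclave, replay, tampered := TunnelDemo()
	fmt.Printf("delivered %d-byte frame; other enclave: %v; replay: %v; tampered: %v\n",
		len(delivered), wrongEnclave, replay, tampered)
}
```

The ordering inside Decapsulate is the point a practitioner should take away: the cheap enclave-ID and replay checks run before the AEAD check, but the replay window is only advanced after the tag verifies, so an unauthenticated sender cannot poison it.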
Virtual Enclave Implementation
(Diagram: a Virtual Enclave spanning the Corporate Intranet "Backhaul")
• EG Implementation Options:
  • Stand-alone product
  • Part of underlying "Backhaul" network service
  • Part of ICS products
How Does It Work?
• EG's communicate over end-to-end HIP tunnels
• Basic HIP Features:
  • Implemented as a layer 3.5 shim on endpoint
  • Requires no changes to layer 2/3 network infrastructure
  • Like IPSec, but tunnels are bound to cryptographic identities, not IP addresses
  • Creates arbitrary "overlay networks" without having to mess with VLAN's
  • Secure over untrusted network infrastructure
  • See IETF RFC's 5201-5207, etc. for more information
(Diagram of the endpoint stack: Application (Identity, Port) → Transport (TCP/UDP) (Identity) → HIP (IP address) → IP layer → Link layer)
How Does It Work?
• EG configuration uses any combination of:
  • Static file-based configuration on EG's
  • LDAP data services
  • IF-MAP coordination service
• IF-MAP: Interface for Metadata Access Points
  • Real-time metadata coordination service that provides highly scalable publish, search and subscribe capabilities
  • Originally developed to serve the needs of TCG's Trusted Network Connect (TNC) workgroup for interoperable NAC
  • Allows EG's to have real-time dynamic security policies and timely rendezvous in the case of IP address mobility
Properties of Security Coordination
Security coordination needs:
1. Lots of real-time data writes
2. Unstructured relationships
3. Diverse interest in changes to the current state as they occur
4. Distributed data producers & consumers
(Chart comparing a Relational Database, an LDAP Directory and a MAP Database against these four properties; the ratings did not survive extraction.)
For more information, see IF-MAP info
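As an added illustration of the two preceding slides (HIP tunnels bound to cryptographic identities rather than IP addresses, and IF-MAP-style publish/search/subscribe for rendezvous after an address change), not code from OpenHIP or the Boeing prototype: a gateway's allow-list is keyed by Host Identity Tag (HIT), an in-memory stand-in for a MAP server holds the current locator per HIT, and a locator update is accepted only if it is signed by the key the HIT was derived from and carries a newer sequence number. Assumptions: Ed25519 is used in place of the RSA/DSA Host Identities of the HIP RFCs; the HIT derivation keeps the HIPv1 ORCHID prefix (2001:10::/28, RFC 4843) but simply truncates SHA-256 of the public key, which is a simplification of that RFC's construction; the IF-MAP protocol itself (SOAP/XML, sessions, metadata types) is not modelled; the IP addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// HIT is a 128-bit Host Identity Tag. Assumption of this example: the HIPv1
// ORCHID prefix 2001:10::/28 followed by truncated SHA-256 of the public key.
type HIT [16]byte

func hitFromKey(pub ed25519.PublicKey) HIT {
	sum := sha256.Sum256(pub)
	var h HIT
	copy(h[:], sum[:16])
	h[0], h[1], h[2] = 0x20, 0x01, 0x00
	h[3] = 0x10 | (sum[3] & 0x0f)
	return h
}

// LocatorUpdate is what an EG publishes when its IP address (its locator)
// changes: the new address plus a sequence number, signed by the Host Identity
// private key, so only the key holder can move the tunnel endpoint.
type LocatorUpdate struct {
	Pub     ed25519.PublicKey
	Seq     uint64
	Locator netip.Addr
	Sig     []byte
}

func (u LocatorUpdate) signedBytes() []byte {
	buf := make([]byte, 8, 24)
	binary.BigEndian.PutUint64(buf, u.Seq)
	a := u.Locator.As16()
	return append(buf, a[:]...)
}

func NewLocatorUpdate(priv ed25519.PrivateKey, seq uint64, loc netip.Addr) LocatorUpdate {
	u := LocatorUpdate{Pub: priv.Public().(ed25519.PublicKey), Seq: seq, Locator: loc}
	u.Sig = ed25519.Sign(priv, u.signedBytes())
	return u
}

var (
	ErrBadSignature = errors.New("locator update not signed by the HIT's key")
	ErrStale        = errors.New("locator update sequence number did not increase")
)

// MapServer is an in-memory stand-in for an IF-MAP server: current locator per
// HIT (publish/search) and change notification (subscribe).
type MapServer struct {
	loc  map[HIT]LocatorUpdate
	subs map[HIT][]func(LocatorUpdate)
}

func NewMapServer() *MapServer {
	return &MapServer{loc: map[HIT]LocatorUpdate{}, subs: map[HIT][]func(LocatorUpdate){}}
}

// Publish stores an update only if it verifies under the key the HIT is derived
// from and its sequence number is newer than the stored one.
func (m *MapServer) Publish(u LocatorUpdate) error {
	if !ed25519.Verify(u.Pub, u.signedBytes(), u.Sig) {
		return ErrBadSignature
	}
	h := hitFromKey(u.Pub)
	if prev, ok := m.loc[h]; ok && u.Seq <= prev.Seq {
		return ErrStale
	}
	m.loc[h] = u
	for _, cb := range m.subs[h] {
		cb(u)
	}
	return nil
}

func (m *MapServer) Search(h HIT) (netip.Addr, bool) { u, ok := m.loc[h]; return u.Locator, ok }
func (m *MapServer) Subscribe(h HIT, cb func(LocatorUpdate)) { m.subs[h] = append(m.subs[h], cb) }

// EnclaveGateway keys its peer allow-list by HIT, never by IP address, and learns
// each allowed peer's current locator from the MAP server.
type EnclaveGateway struct {
	allowed map[HIT]bool
	peerLoc map[HIT]netip.Addr
}

func NewEnclaveGateway(m *MapServer, peers ...HIT) *EnclaveGateway {
	g := &EnclaveGateway{allowed: map[HIT]bool{}, peerLoc: map[HIT]netip.Addr{}}
	for _, h := range peers {
		g.allowed[h] = true
		if a, ok := m.Search(h); ok {
			g.peerLoc[h] = a
		}
		m.Subscribe(h, func(u LocatorUpdate) { g.peerLoc[hitFromKey(u.Pub)] = u.Locator })
	}
	return g
}

// TunnelEndpoint returns where a peer's tunnel traffic goes, or false when the
// peer is not authorised for this enclave or has no known locator.
func (g *EnclaveGateway) TunnelEndpoint(h HIT) (netip.Addr, bool) {
	if !g.allowed[h] {
		return netip.Addr{}, false
	}
	a, ok := g.peerLoc[h]
	return a, ok
}

// RendezvousDemo: a crawler EG registers, roams to a new constructed IP, and two
// bad updates (wrong signing key, replayed sequence number) are refused.
func RendezvousDemo() (crawler HIT, before, after netip.Addr, forgedErr, staleErr error) {
	crawlerPub, crawlerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	crawler = hitFromKey(crawlerPub)
	m := NewMapServer()
	_ = m.Publish(NewLocatorUpdate(crawlerPriv, 1, netip.MustParseAddr("10.1.1.10")))
	eg := NewEnclaveGateway(m, crawler)
	before, _ = eg.TunnelEndpoint(crawler)
	// The crawler roams to another access point and gets a new DHCP lease.
	_ = m.Publish(NewLocatorUpdate(crawlerPriv, 2, netip.MustParseAddr("10.1.2.77")))
	after, _ = eg.TunnelEndpoint(crawler)
	forged := NewLocatorUpdate(otherPriv, 3, netip.MustParseAddr("192.0.2.1"))
	forged.Pub = crawlerPub // names the crawler's key but is signed by another
	forgedErr = m.Publish(forged)
	staleErr = m.Publish(NewLocatorUpdate(crawlerPriv, 1, netip.MustParseAddr("10.1.1.10")))
	return crawler, before, after, forgedErr, staleErr
}

func main() {
	_, before, after, forgedErr, staleErr := RendezvousDemo()
	fmt.Println("locator before roam:", before, "after roam:", after)
	fmt.Println("forged update:", forgedErr, "| stale update:", staleErr)
}
```

The gateway's policy never mentions an IP address: the allow-list entry survives the crawler's move from 10.1.1.10 to 10.1.2.77 because the MAP subscription delivers the new locator under the same HIT, while the signature and sequence checks in Publish are what stop a third party from publishing a locator for a HIT it does not own.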
IF-MAP and TNC at Interop’09
Implementation Experience
• Using 777 F/A as a pilot program
  • 9 "Crawlers", F/A tug, Integrated Control System (ICS)
  • In production use for more than 2 years
  • Formed the baseline for standards & commercialization efforts
The success of this pilot program and the large internal demand for this capability has motivated our desire to see this capability standardized and available in COTS products.
Standards & Commercialization
• Released our code as open source: www.openhip.org
• Encouraging vendors to add this capability to their COTS products
• Byres Security has added this capability as a new module in their existing Tofino ICS security appliance product
• Working within ISA100.15 WG to standardize architecture and implementation profile
• Working with The Open Group to standardize the overall architecture
(Photos: Boeing Prototype EG, ~11 x 7 x 2 inches; Tofino EG (LSM), ~5 x 5 x 1.5 inches)
General Applicability
• Automation & Control Systems
• Healthcare Equipment & Data Exchange
• Power Generation, Distribution & Delivery
• Resource Extraction, Transport & Refining
Interface Definitions
NOTE: This is a functional diagram only and does not address or imply hardware or products.
(Functional diagram: CS Manager, CCCP or UOC, CCCP-IF, CCD and field devices, linked by interfaces IF1 through IF5)
IF1: Specific to the requirements of a particular CCCP/UOC
IF2: CCCP-IF interoperability and coordination
IF3: Multiple layer-2 (e.g., 802.3), with management protocols on top. We expect IF3 profiles to be based on layer-2 standards. This is operational data flows, not CCCP-IF configuration management.
IF4: Provides transparent connectivity between CCD's; no interpretation of application protocols (out of scope of .15)
IF5: Configuration, security and operation management interface (example: connects to WAD in Shell diagram)
The “Purdue” model