Mobile Secure Network Connectivity for Industrial Control Systems

(1)

Mobile Secure Network Connectivity

for Industrial Control Systems

Peaceful Coexistence in Mixed

Control System / IT Environments

Steven C. Venema

Associate Technical Fellow

Architecture & Networked Systems

EOT_RT_Sub_Template.ppt | 1/6/2009 | 1 BOEING is a trademark of Boeing Management Company.

(2)

Engineering Operations & Technology | Boeing Research & Technology E&IT |Networked Systems Technology

Outline

Engineering, Operations & Technology | Boeing Research & Technology E&IT | Networked Systems Technology

• ICS Applications at Boeing

• ICS Connectivity and Security Challenges

• A Virtual Enclave Architecture

• Implementation Details and Experience

• Standards and Commercialization Activities

(3)

Example Boeing ICS/SCADA Mobile Applications

Products with Embedded

Wireless Systems

RTLS / NLS Process

Wireless Systems

RTLS / NLS Process

& Asset Visibility

Moving Line

Assembly Tooling

Factory Tablet PC

With On-Line Work

Instructions

Roaming Autonomous

Guided Vehicles (AGVs)

Monitoring Temperatures

of Sealant Freezers

Parts Measurement and

Assembly Alignment

Communications During

Large Structure Assembly

(4)

Peaceful Coexistence with IT?

Engineering, Operations & Technology | Boeing Research & Technology E&IT |Networked Systems Technology

A

l

i

f

l

IT

A complex mix of people, IT,

control systems and products…

(5)

Peaceful Coexistence with IT?

A

l

i

f

l

IT

A complex mix of people, IT,

control systems and products…

Requirements of

Culture

Requirements of

Clash

Corporate IT

Clash

SCADA/ICS

(6)

ICS/SCADA Connectivity Challenges (Wired & Wireless)

• Both legacy and new ICS equipment have connectivity

challenges

• Proprietary and insecure protocols

• Parallel wiring plant in manufacturing facilities

• Vendors continue to push custom solutions in 802 11 space

• Vendors continue to push custom solutions in 802.11 space

(7)

ICS/SCADA Connectivity Challenges (Wired & Wireless)

• Both legacy and new ICS equipment have connectivity

challenges

• Proprietary and insecure protocols

• Parallel wiring plant in manufacturing facilities

• Vendors continue to push custom solutions in 802 11 space

• Vendors continue to push custom solutions in 802.11 space

We need a standard solution in this space that can:

• Leverage standard network technologies

• Peacefully co-exist with IT-centric networking

(8)

SCADA/ICS Security Challenges

Forcing the evolution of security and connectivity…

Major Suppliers

Need this

soon

Secure SCADA over Internet

Connectivity

today

now

A control panel intranet connected

Secure SCADA over intranets

Security

Posture

today

Isolated proprietary solutions

Using some Internet technologies

today

(9)

Traditional ICS Connectivity

Corporate Intranet

So what’s the problem?

So what s the problem?

• Isolated networks are expensive and complex

• Duplicate wiring, VLAN management, etc.

Sh

d

t

k

t

i

• Shared networks are too insecure

• ICS’s are susceptible to worms, viruses, intrusion, etc. but can’t

protect themselves very well

• Shared network clients need to use cooperative services

Shared network clients need to use cooperative services

• DHCP? Static IP addressing doesn’t scale!

• DNS, 802.1x, MPLS, etc.?

(10)

High-level Architecture Goals

1. Allow control systems to utilize a common shared

network infrastructure to minimize deployment costs

• Both wired and wireless

• Support hybrid approaches (shared + isolated networking

infrastructure) where appropriate

2. Isolate control systems from the shared network to

protect “primitive” control devices

• “Bake in” cryptographic identities and authentication

3. Allow controls engineers (not IT) to manage their

own devices

• Create a clear delineation between the roles and

responsibilities of controls engineers and IT services

4 Keep CapEx/OpEx costs low and reliability high

4. Keep CapEx/OpEx costs low and reliability high

(11)

Finding a way…

Nothing available that fit our needs. So we…

1. Created an architecture that satisfied our

requirements

2. Created a Prototype and Pilot

• Satisfied an initial need in this space (777 crawlers)

3. Started engaging Standards orgs for wider adoption

g g g

g

• ISA/SCADA-related standards activities in ISA, TCG and

OpenGroup

4. Started a commercialization activity

• Released our code as Open Source Software (OSS)

–

http://www.openhip.org

• Partnered with an ICS security appliance company to modify

their product using our prototype technology

(12)

Virtual Enclave Architecture

Virtual Enclave

Corporate Intranet

“Backhaul”

Enclave Gateways (EG’s) provide:

• An isolated layer-2 virtual enclave (green) for control system devices that

spans arbitrary networks

• Cryptographic identity and security protection from the Intranet

• Authentication and Authorization clients that utilize standard IT services

• DHCP, DNS, 802.1x, WPA, etc.

(13)

Virtual Enclave Architecture

Corporate Intranet

“Backhaul”

Advantages:

All

h

d

f IT

i d/ i l

k

• Allows shared use of IT wired/wireless networks

• Requires no special configuration of IT network infrastructure

• EG is a standard, “well-behaved” IT network client

• Provides needed isolation for control system devices

Provides needed isolation for control system devices

• Provides clean division of responsibility between IT and ICS engineers

• Supports multiple virtual enclaves simultaneously

Disadvantage:

C

t l

t

d

i

ill

l t

/th

h

t

i ti

d

t

th

• Control system devices will see latency/throughput variation due to other

Intranet usage

(14)

Virtual Enclave Implementation

Corporate Intranet

“Backhaul”

• EG Implementation Options:

EG Implementation Options:

Stand-alone product

(15)

Virtual Enclave Implementation

Corporate Intranet

“Backhaul”

• EG Implementation Options:

EG Implementation Options:

Stand-alone product

P

t f

d

l i

“B

kh

l”

t

k

i

Part of underlying “Backhaul” network service

(16)

Virtual Enclave Implementation

Corporate Intranet

“Backhaul”

• EG Implementation Options:

EG Implementation Options:

Stand-alone product

P

t f

d

l i

“B

kh

l”

t

k

i

Part of underlying “Backhaul” network service

Part of ICS products

(17)

Virtual Enclave Implementation

Corporate Intranet

“Backhaul”

• EG Implementation Options:

EG Implementation Options:

Stand-alone product

P

t f

d

l i

“B

kh

l”

t

k

i

Part of underlying “Backhaul” network service

Part of ICS products

(18)

How Does It Work?

• EG’s communicate over end-to-end HIP

tunnels

• Basic HIP Features:

• Implemented as a layer 3.5 shim on endpoint

T

Application

(Identity, Port)

Implemented as a layer 3.5 shim on endpoint

• Requires no changes to layer 2/3 network

infrastructure

Transport

(TCP/UDP)

(Identity)

• Like IPSec, but tunnels are bound to

cryptographic identities, not IP addresses

• Creates a arbitrary “overlay networks”

i h

h

i

i h VLAN’

HIP

(IP address)

without having to mess with VLAN’s

• Secure over untrusted network infrastructure

IP layer

Li k l

• See IETF RFC’s 5201-5207, etc. for more

information

(19)

How Does It Work?

• EG configuration uses any combination of:

• Static file based configuration on EG’s

• Static file-based configuration on EG’s

• LDAP data services

• IF-MAP coordination service

• IF-MAP

Ù

Interface for Metadata Access Points

• Real-time metadata coordination service that provides highly

Real time metadata coordination service that provides highly

scalable publish, search and subscribe capabilities

• Originally developed to serve the needs of TCG’s Trusted

Originally developed to serve the needs of TCG s Trusted

Network Connect (TNC) workgroup for interoperable NAC

• Allows EG’s to have real-time dynamic security policies and

Allows EG s to have real time dynamic security policies and

timely rendezvous in the case of IP address mobility

(20)

Properties of Security Coordination

1. Lots of real-time

d t

it

Relational Database

data writes

2. Unstructured

relationships

LDAP Directory

_{relationships}

3. Diverse interest in

changes to the

t t t

current state as

they occur

4. Distributed data

MAP Database

4. Distributed data

producers &

consumers

For more information, see

IF-MAP info

(21)

IF-MAP and TNC at Interop’09

(22)

Implementation Experience

• Using 777 F/A as a pilot program

• 9 “Crawlers”, F/A tug, Integrated Control System (ICS)

• In production use for more than 2 years

• Formed baseline for a standards & commercialization efforts

(23)

Implementation Experience

• Using 777 F/A as a pilot program

• 9 “Crawlers”, F/A tug, Integrated Control System (ICS)

• In production use for more than 2 years

• Formed baseline for a standards & commercialization efforts

The success of this pilot program and the

large internal demand for this capability

h

ti

t d

d

i

t

thi

has motivated our desire to see this

capability standardized and available in

COTS products

(24)

Standards & Commercialization

• Released our code as open

source:

www openhip org

source: www.openhip.org

• Encouraging vendors to add this

capability to their COTS products

Boeing Prototype EG

~11 x 7 x 2 inches

• Byres Security has added this

capability as a new module in their

existing Tofino ICS security

appliance product

• Working within ISA100.15 WG to

standardize architecture and

i

l

t ti

fil

implementation profile.

• Working with The Open Group to

standardize the overall

Tofino EG (LSM)

~5 x 5 x 1.5 inches

standardize the overall

architecture

(25)

General Applicability

Automation &

Control Systems

Healthcare

Equipment &

Data Exchange

Power Generation,

Distribution & Delivery

Resource

Extraction,

Transport &

Data Exchange

Transport &

Refining

(26)

(27)

Interface Definitions

NOTE: This is a functional diagram only and does not address or imply hardware or products.