IF-MAP: A New Standard for SCADA Security that You Should Know About
Readers of this blog are familiar with the significantly increased level of threat to industrial control systems (ICS) that the Stuxnet malware and the publication of many SCADA zero-day vulnerabilities have created.
We have discussed ways of thwarting advanced persistent threats and protecting against zero-day vulnerabilities. Another aspect of the ICS security challenge is managing security across enterprise and industrial networks. For example, let’s consider remote access to industrial networks. A VPN would likely be used to authenticate and allow a particular person to do remote maintenance.
What if Human Resources has just dismissed this person? How is this information conveyed to the VPN concentrator in a timely manner? This might involve a complex web of security interconnects. For example, it might require SNMP to connect to the network hardware maintenance system, syslog to report events to the security center, Active Directory to interface to the Windows account management system, telnet for configuration, SQL to interface with the HR database, and a custom serial link to the badge code reader.
This is expensive to deploy and unsupportable over the long term!
Network Access Control (NAC) Systems are Needed
In the IT world, the term network access control (NAC) describes a key approach for managing network security. NAC uses endpoint health checking and user identification to thwart malicious attacks. It denies access to unauthorized users while allowing access to properly credentialed individuals.
For SCADA security, a NAC solution that is increasing in popularity, and that you should know about, is the open, standards-based approach called Trusted Network Connect (TNC), developed by the Trusted Computing Group (TCG). TNC defines standards for endpoint integrity, and I have demonstrated or spoken about TNC-based solutions at several conferences. I have seen momentum for the standard growing, and I feel it is time for more people involved with SCADA security to be aware of it, hence this article.
Trusted Computing Group’s Open, Standards-Based Approach
Since 2008, TCG has provided a toolkit that allows control network designers to build complex, yet flexible, security systems. One of the key TNC interfaces, Interface to Metadata Access Points (IF-MAP), enables a multi-vendor, interoperable approach to protecting control system networks by providing a central ‘clearing house’ for network security events and information.
(Note: IF-MAP is generally pronounced: “I” “F” “MAP”)
Security technology can leverage IF-MAP to ensure any person or device on the network meets a large number of criteria. These include possession of valid certificates or passwords, being in the correct location, and meeting current patch or AV levels, before the device can communicate on the network.
Infoblox, one of the growing number of vendors who support IF-MAP, has an excellent animation on their website that explains how IF-MAP plays a real-time coordinating role between security applications and devices.
IF-MAP Example: Secure Remote User VPN Access
Like the Infoblox animation example, extending access to remote users through an SSL VPN highlights the need for coordination between security components. The SSL VPN provides access to the corporate IT network, and a NAC Policy Server provides access control policies to the firewall protecting the control systems network. This allows the user, who has already been authenticated and health-checked by the SSL VPN, access through the firewall into the control system network without forcing a secondary authentication.
On the other hand, if the intrusion prevention system detects malicious activity originating from that user, it can publish information about the policy violation. The SSL VPN and NAC Policy Server can subscribe to that information and take appropriate action when necessary, terminating the user’s remote access session as well as removing the access policies provided to the firewall.
Or how about this scenario – a user is connected remotely via a VPN, but then the building access control system reports that they have just swiped their badge on a card reader to enter a control room in the facility. How can the user be in two places at the same time? Clearly we could improve security if we could connect our physical and network security systems together. This type of solution is being implemented now using IF-MAP-compliant products (as shown in the Infoblox animation).
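The coordination described in the two scenarios above, as an added illustration that is not code from the original article or from any IF-MAP product: a simplified in-memory model of the publish/subscribe pattern, where the VPN, the NAC policy server, the IPS and the badge reader all act on metadata attached to one user identifier. Real IF-MAP is a SOAP/XML protocol over HTTPS; the identifier and metadata names here are constructed for the example.

```python
from collections import defaultdict

class MapServer:
    """Central clearing house: metadata keyed by identifier, with subscribers."""
    def __init__(self):
        self.meta = defaultdict(dict)   # identifier -> {metadata type: value}
        self.subs = defaultdict(list)   # identifier -> subscriber callbacks

    def subscribe(self, ident, callback):
        self.subs[ident].append(callback)

    def publish(self, ident, mtype, value):
        self.meta[ident][mtype] = value
        # Each subscriber receives the change plus the identifier's full metadata.
        for cb in list(self.subs[ident]):
            cb(ident, mtype, dict(self.meta[ident]))

def remote_access_scenario(badge_location=None, ips_alert=False):
    """Returns the state left behind by the VPN, NAC policy server and correlator."""
    srv, state = MapServer(), {"vpn_session": False, "fw_policy": False, "alerts": []}
    user = "identity:alice"   # constructed identifier

    def nac_policy_server(ident, mtype, meta):
        # Grant the control-network firewall rule when the VPN reports an
        # authenticated user; revoke it on any published policy violation.
        if mtype == "authenticated-as":
            state["fw_policy"] = True
        elif mtype == "event" and meta["event"] == "policy-violation":
            state["fw_policy"] = False

    def ssl_vpn(ident, mtype, meta):
        if mtype == "event" and meta["event"] == "policy-violation":
            state["vpn_session"] = False   # terminate the remote session

    def physical_correlator(ident, mtype, meta):
        # One identity cannot hold a remote VPN session and badge into a
        # control room at the same time: publish it as a policy violation.
        if mtype == "badge-swipe" and state["vpn_session"]:
            state["alerts"].append(f"{ident} remote and at {meta['badge-swipe']}")
            srv.publish(ident, "event", "policy-violation")

    for cb in (nac_policy_server, ssl_vpn, physical_correlator):
        srv.subscribe(user, cb)
    state["vpn_session"] = True                 # SSL VPN authenticates alice
    srv.publish(user, "authenticated-as", "alice")
    if ips_alert:                               # IPS sees malicious traffic
        srv.publish(user, "event", "policy-violation")
    if badge_location:                          # badge reader reports a swipe
        srv.publish(user, "badge-swipe", badge_location)
    return state
```

With no alert the firewall policy stays granted; an IPS event or a badge swipe during the session tears down both the VPN session and the firewall rule through the same published metadata.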
More Real-Time Information Demands More Robust SCADA Security
You have likely seen your organization take steps to integrate business and industrial information using commercial technologies such as Ethernet networking and Windows PCs. And, the use of wireless networks has likely added to security concerns. If this is the case, I suggest that you and your IT team investigate the Trusted Computing Group’s open standards (additional resources are provided at the end of this article).
IF-MAP projects are being rolled out by major corporations, and more and more vendors are supporting it. At Byres Security, we make an IF-MAP version of the Tofino Security Appliance that is in production use at a major manufacturer.
I strongly suggest that you make yourself familiar with IF-MAP and consider how it can play a role in securing your operation. This way you will be part of the solution for more secure control system networks, and contribute to achieving productivity enhancement targets in the future.
Related Links
- Blog: Speak Up NOW on New IF-MAP Specs for ICS and SCADA Security
- Control Network Secure Connectivity Simplified – in this article, which I co-authored with Lisa Lorenzin of Juniper Networks, we discuss multiple examples of how IF-MAP can be used to secure control systems
- IF-MAP community Web site - includes links to open source IF-MAP servers and other resources
- Trusted Computing Group (TCG) – complete protocol specification and a depth of information and resources related to the open standards developed by the group