
ICS-Security-Using-TNC-Technology-Architects-Guide

The Architect's Guide outlines strategies for enhancing the security of Industrial Control Systems (ICS) using Trusted Network Connect (TNC) technology and standards from organizations like ISA and IEC. It emphasizes the importance of defining security zones, conduits, and controls to protect ICS networks from increasing cyber threats due to their integration with corporate IT infrastructures. The guide also presents a case study of Boeing's implementation of IF-MAP technology to improve network visibility and security without compromising operational efficiency.

Uploaded by

anoopsre

ARCHITECT’S GUIDE:

ICS SECURITY USING TNC TECHNOLOGY


October 2013

Trusted Computing Group


3855 SW 153rd Drive
Beaverton, OR 97006
Tel (503) 619-0562
Fax (503) 644-6708
admin@trustedcomputinggroup.org
www.trustedcomputinggroup.org

Executive Summary and Action Items


Industrial Control Systems (ICSs) are increasingly being connected to networks and exposed to viruses, malware, and attacks that affect other network-connected systems. As a result, many standards organizations including the International Society of Automation (ISA), the International Electrotechnical Commission (IEC), and the Trusted Computing Group (TCG) [as well as the Internet Engineering Task Force (IETF), The Open Group and others] are developing standards-based approaches for increased control system security.

ISA/IEC-62443 defines a zone and conduit strategy to provide ICS security. The zones are layers or subdivisions of the logical or physical assets of a control system, based on their control function. Conduits connect the zones, providing a path for data flow, and must be managed to protect network traffic.

TCG standards developed by the Trusted Network Connect (TNC) workgroup (see sidebar, page 5) can be implemented today to provide increased security and protection from unauthorized ICS access. These standards help implement the security defined in ISA/IEC specifications. Specifically, the Interface for a Metadata Access Point (IF-MAP) Metadata for ICS Security specification facilitates the deployment, management, and protection of large-scale industrial control systems by creating virtual overlay networks on top of standard shared Internet Protocol (IP) network infrastructure.

This Architect’s Guide shows information technology (IT) and control systems executives and architects how to implement a standards-based, interoperable approach to ICS security as specified in ISA 99 (now IEC 62443) and ISA 100.15.

Critical strategies for architects include:

1. Define the zones to account for all ICS assets
2. Define the attributes of each zone
3. Map all channels or means of data transfer including mobile transfers
4. Define conduits to contain all discovered channels
5. Define controls for the flow of digital information for each zone and conduit in the facility

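Once zones, channels, and conduits are written down, strategies 1, 3, and 4 can be checked mechanically. The Python below is an added example, not part of the TCG guide: it reports assets that belong to no zone and discovered channels that no conduit contains. All asset, zone, and conduit names are hypothetical, and it assumes that conduits are bidirectional and that traffic staying inside one zone needs no conduit.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Channel:
    src: str      # sending asset
    dst: str      # receiving asset
    medium: str   # "ip", "usb", "serial", ... (mobile transfers count too)
    service: str  # protocol or kind of transfer

@dataclass(frozen=True)
class Conduit:
    name: str
    zones: frozenset    # the two zones this conduit connects
    allowed: frozenset  # (medium, service) pairs its controls permit

# Constructed sample data; every name below is hypothetical.
ASSETS = {"hmi-1", "plc-1", "plc-2", "historian", "erp", "eng-laptop"}
ZONE_OF = {"hmi-1": "control", "plc-1": "control", "plc-2": "control",
           "historian": "dmz", "erp": "enterprise"}   # eng-laptop was missed
CHANNELS = [
    Channel("hmi-1", "plc-1", "ip", "modbus"),          # stays inside one zone
    Channel("plc-1", "historian", "ip", "opc-ua"),
    Channel("historian", "erp", "ip", "https"),
    Channel("erp", "plc-2", "ip", "modbus"),            # enterprise -> control
    Channel("eng-laptop", "plc-1", "usb", "firmware"),  # mobile transfer
]
CONDUITS = [
    Conduit("c-hist", frozenset({"control", "dmz"}),
            frozenset({("ip", "opc-ua")})),
    Conduit("c-report", frozenset({"dmz", "enterprise"}),
            frozenset({("ip", "https")})),
]

def audit(assets, zone_of, channels, conduits):
    """Return (assets with no zone, channels that no conduit contains)."""
    unzoned = sorted(a for a in assets if a not in zone_of)
    uncontained = []
    for ch in channels:
        za, zb = zone_of.get(ch.src), zone_of.get(ch.dst)
        if za is None or zb is None:
            uncontained.append(ch)   # an endpoint outside every zone
        elif za != zb and not any(
                c.zones == {za, zb} and (ch.medium, ch.service) in c.allowed
                for c in conduits):
            uncontained.append(ch)   # crosses zones outside any conduit
    return unzoned, uncontained

if __name__ == "__main__":
    unzoned, uncontained = audit(ASSETS, ZONE_OF, CHANNELS, CONDUITS)
    print("assets without a zone:", unzoned)
    for ch in uncontained:
        print("no conduit for:", ch)
```

Each reported channel is either a gap in the zone inventory or a data path that still needs a conduit and controls (strategy 5) before the model is complete.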
Introduction
Simple industrial control systems are localized and may be a single work cell in a manufacturing plant. However, data from widely dispersed automation components in geographically distributed physical processes such as oil refineries, oil pipelines, energy transmission, water utilities, manufacturing environments, and others are often communicated to distant control centers over a network infrastructure. From simple to highly complex, traditionally isolated control systems networks are increasingly being interconnected with IP networks.

Supervisory Control and Data Acquisition (SCADA) and ICS systems face a number of unique security challenges that traditional IT assets do not. First, basic authentication and authorization functions for network security are not supported by the vast majority of ICS, SCADA, and process control devices. Second, since these systems are widely distributed (with the most critical devices scattered over 1000s of miles), remote access is critical. However, traditional Virtual LAN (VLAN) and Virtual Private Network (VPN) approaches to secure connectivity have proven to be highly complex, difficult to manage in real time, and not suited for handling the protocols that are found in automation networks.

Finally, the expected life span of ICS products is often 20 to 30 years, meaning that products will remain installed and operational long after the vendor has stopped providing security patches. Even when patches are available, most ICS and SCADA systems operate on a 7x24 basis, with shutdowns only yearly (or never). Thus it can be months or years before available security patches can be installed.

There are many compelling reasons to connect industrial/factory control system networks with corporate IT networks, including:

• Increased visibility for higher efficiency and cost control
• Real-time data integration
• Agility to facilitate just-in-time delivery/manufacturing
• Remote monitoring of the control systems to resolve problems more quickly and reduce support costs
• Remote management to provide coordinated regional production/distribution of products such as electrical power, natural gas, and drinking water

As shown in Figure 1, an integrated Secure ICS and IT Intranet is desirable, providing better visibility, control, flexibility, integrity, and reliability.

[Figure 1 diagram: two panels, "Insecure Connectivity" and "Ideal Integrated ICS and IT Intranet". Labels: users, data centers, network & security management, IT intranet, global Internet, plant worker, ICS network, ICS domains 1 to 4.]

Figure 1: The transition from isolated to integrated networks requires a Secure ICS and IT Intranet.

Copyright © 2013 Trusted Computing Group All rights reserved. www.trustedcomputinggroup.org 2


As Sean McGurk, the Director, National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security, stated in testimony to Congress (May 25, 2011) [1], “In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system, or energy management system separated from the enterprise network. On average, we find eleven direct connections between control system and the enterprise operations in any site we visit.” He added, “In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network.”

However, just as an enterprise network is not adequately secured with merely a firewall, neither is a control system network. Increased risks due to these interconnections include:

• Exposure of legacy equipment not inherently secure or able to be secured
• Substantially increased attacks from sophisticated groups such as advanced persistent threats (APT)
• Damage to corporate brand
• Downtime for service offerings
• Lost production

All of these threats have a significant cost impact to the enterprise.

Even though each industry and company has different focus and priorities, the increased integration, remote access demands, and monitoring of industrial control sites require both IT and operations management to determine how they will prevent network attacks against production facilities, distribution systems, and other critical systems.

Solution Requirements

Equipment in factories and remote facilities is extensively monitored for temperature, pressure, flow, vibration and other critical manufacturing and process parameters. Unfortunately, monitoring of critical network parameters is usually minimal to non-existent. In many companies, as long as the ICS network is allowing data to flow, it is working “well enough”. Protecting ICS networks requires a thorough, standards-based approach, encompassing:

• Security solution for separation / protection through virtual tunnels and access control lists (ACLs)
• Provisioning of the security solution, including deployment and certification lifecycle management
• Monitoring of equipment in local or remote ICS networks
• Maintenance of equipment in local or remote facilities

Solution Overview

An integrated approach to ICS security based on open standards from TCG & ISA is shown in Figure 2. Based on zone models and zone management, a virtual private overlay network provides secure communications across an underlay. The overlay networks isolate ICS components into one or more protected virtual enclaves while allowing those components to safely connect over a shared, untrusted commodity IP infrastructure.

Commodity network substrates in control systems are often called Backhaul Networks. The overlay approach provides automated provisioning of certificates and Backhaul Interfaces (BHIs) — network components that provide connectivity and security to interconnected enclaves — as well as automated application of access control policies from a centralized provisioning system.

[Figure 2 diagram. Labels: secure overlay network, ICS devices, virtual private LAN overlay, BHI, cellular net, WiMAX subnet, subnet A, subnet B, enterprise intranet, public Internet.]

Figure 2: Conceptual diagram of an overlay network for increased network protection.

[1] The Subcommittee on National Security, Homeland Defense, and Foreign Operations May 25, 2011 hearing



Solution Architecture
The “as is” ICS network of a company may exist as a trusted network. With added constructs to perform the protection, SCADA systems can be safely interconnected within a trusted network. However, problems can occur with mobile devices from different paths crossing organization and trust boundaries, or in a dynamic environment where points of connection change, resulting in added complexity to map to physical network ports or requiring mapping in real-time. This easily provides sufficient justification for an alternative methodology.

Designed for retrofitting new security functionality into existing industrial control systems as well as incorporating into new ICS products, IF-MAP-based technology creates virtual overlay networks on top of standard shared IP network infrastructure. This approach allows for aggregation and coordinated/controlled response across multiple, frequently remote sites. A specific site can get help from headquarters and from other sites, and headquarters can respond to a common problem at multiple sites. Vendors and contractors can be provided constrained, as-needed access to equipment. There are significant advantages to the overlay approach, particularly when it involves crossing administrative/management boundaries of the networks.

System components include the operator, BHI, overlay network, and ICS devices (such as sensors, actuators, controllers, and supervisory systems such as SCADA systems). Network security policies are orchestrated by IF-MAP using standard metadata. As shown in Figure 3, BHIs communicate with each other, and with the environment’s Metadata Access Point (MAP) service, over the backhaul network. Communication between ICS devices occurs through an overlay network that is coordinated and controlled by the BHIs. The encrypted communications include IF-MAP data with the MAP Service over HTTPS/TLS, and virtual private LAN service (VPLS) tunnels from BHI to BHI over host identity protocol (HIP).

[Figure 3 diagram. Labels: IF-MAP coordination, IP over backhaul, untrusted IP network, isolation boundary, overlay network, Ethernet, field worker, ICS ops center, field ICS. Callouts: Backhaul Connectivity (any link type: Ethernet, Cell, WiFi, WiMax, SatCom, etc.; backhaul authentication); Protection (authentication, confidentiality, integrity, policy enforcement); Transparency (existing ICS protocols, Layer 2 VPLS).]

Figure 3: An overlay network architecture that delivers connectivity and protection.

IF-MAP provides the capabilities needed for the BHIs to deliver the overlay network functionality, including:

• Coordination (including current IP addresses, identity, certificates, etc.) between the BHIs
• Administrative policy defining communication between BHIs
• BHI overlay policies controlling which ICS devices the BHI allows to communicate across the overlay
• Administration policies controlling who is allowed to access and alter the configuration of the overlay network and the BHIs



Case Study
The Boeing Company tackled the complex issue of network visibility and management by control systems and IT experts with TCG’s IF-MAP protocol. The implemented solution provides security without the complexity and inflexibility of common VPN solutions.

The assembly of long-range passenger aircraft employs large, highly mobile units called crawlers that have extensive Programmable Logic Controllers (PLC) and Human-Machine Interface (HMI) components. Coordinating the assembly process requires that the PLCs have secure access to each other and to SCADA systems in real time. Additionally, the crawlers need to leverage the corporate wireless infrastructure for their connectivity.

With IF-MAP-based hardware, the IT department can manage non-IT devices on the business network while delegating the control aspects to the ICS team. The ICS devices have network connectivity for control and information-sharing purposes. In contrast to the VPN alternative, the IF-MAP solution results in:

• Significant cost savings
• Significant reliability improvement by removing the human operator/field worker requirement from the provisioning of the certificates, the enforcement agent, and the actual communications on the network
• Greater operational simplicity
• Improved agility, since it provides the ability to respond quickly and make required changes
• Increased flexibility in the potential decisions
• Improved delegation of authority, since the person who is most knowledgeable and responsible for a given set of tools in a factory is able to control those tools

All of this is accomplished without sacrificing security in the control system or the corporate network.

Further details of this solution can be found in the articles “Boeing technology offers secure, efficient way to tie together business, industrial nets” [2] and “Utilize Open Standards to Protect Control System Networks” [3].

WHAT IS TRUSTED NETWORK CONNECT?

TCG’s Trusted Network Connect (TNC) network security architecture and open standards enable intelligent policy decisions, dynamic security enforcement, and communication between security systems. TNC standards provide network and endpoint visibility, helping network managers know who and what is on their network, and whether devices are compliant and secure. TNC standards also enable network-based access control enforcement — granting or blocking access based on authentication, device compliance, and user behavior — and security automation.

TNC provides security automation, Network Access Control (NAC), and interoperability in multi-vendor environments. Products from over two dozen commercial and open source vendors support and help implement TNC standards.

Expanded efforts for enterprise security have resulted in open specifications including the Interface to a Metadata Access Point (IF-MAP). IF-MAP provides a standard way for information security products to rapidly share and respond to information about a variety of security-related topics and events.

Additional TCG resources providing further explanation of IF-MAP include:

• Architect’s Guide: Security Automation Using TNC & SCAP Technology [4]
• TNC IF-MAP [5]
• TNC IF-MAP Metadata for Network Security [6]

[2] http://www.networkworld.com/news/2013/042213-boeing-268986.html
[3] http://www.rtcmagazine.com/articles/view/101522
[4] http://www.trustedcomputinggroup.org/resources/tcg_security_automation_architects_guide
[5] http://www.trustedcomputinggroup.org/resources/tnc_ifmap_binding_for_soap_specification
[6] http://www.trustedcomputinggroup.org/resources/tnc_ifmap_metadata_for_network_security



Future Benefits and Value Proposition
IF-MAP-based technology enables implementation of the control system architecture found in the ISA-100 industrial wireless standards, which is aligned with security architectures in ISA/IEC-62443 industrial security standards. With IF-MAP, TCG provides a means to perform that implementation in a standards-based, interoperable manner. ISA is currently exploring the integration of IF-MAP into ISA-100.15 wireless standards and future ISA/IEC-62443 security standards.

Similar to the path of the ISA-99 standards committee’s work, ISA-100 will become an IEC specification with global implications. The published ISA-100.15 has been formatted for IEC and is expected to be completed and balloted in 2014.

With the proper configuration, IF-MAP-based technology allows the IT department to manage access to its services while allowing SCADA and ICS engineers full control over their network systems and devices. This combined capability:

• Enables secure integration of ICS and IT networks
• Reduces cost of deployment and provisioning of ICS security components
• Increases agility and flexibility due to standards-based technology
• Accommodates legacy infrastructure
• Reduces operational cost of ICS security

More broadly, overlay networks apply beyond the ICS arena to environments as diverse as healthcare, financial, automotive, and the Internet of Things. Lessons learned from ICS security advances will be applicable to any ecosystem where protected enclaves are required for security purposes.

Call to Action
• Design ICS security solutions customized for your unique environments.
• Contact vendors and insist on acquiring TCG-certified ICS security solutions based on the TNC and ISA standards.
• Deploy solutions in pilot first, observe and correct issues, then deploy into production.
• For more information on TCG technologies and architects guides, please visit the Trusted Computing Group web site www.trustedcomputinggroup.org.
• Additional information on ICS security will be available over the next several months. Learn about the latest advances by following us on LinkedIn and Twitter.

Contact TCG at admin@trustedcomputinggroup.org with any questions.
