SCADA and NAC
I thought I would take somewhat of a break from beating the standards and post-admission drums, and share some thoughts on how companies might bring embedded OS devices (generically) and SCADA devices (specifically) under a NAC umbrella. The move away from serial communications and towards Ethernet and TCP/IP is not a new phenomenon for SCADA devices, nor are the security vulnerabilities and concerns that come as part of the move.
In May of this year, the GAO audited the Tennessee Valley Authority's control systems and networks, with less than stellar results. The North American Electric Reliability Corporation (NERC) now has a ratified set of "Critical Infrastructure Protection" (CIP) standards, CIP-002 through CIP-009, designed to address these and other concerns. The CIP standards break down roughly as one would expect: identify critical cyber assets, segment and protect them behind an "electronic security perimeter", control physical access, patch and harden the machines, monitor and manage security events, plan for incident response and recovery, etc.
NAC should be able to help with at least some of those. Given the specialized function of these devices, though, as well as the specialized nature of their embedded operating systems, care must be taken. To wit:
First Do No Harm
What's generally true about network security engineering is doubly true here. Any "security" apparatus that causes lights to go out, or a cooling plant to shut down, is quite obviously bad. Concretely, that means no active scanning or posture probing of the controllers themselves (fragile embedded TCP/IP stacks have been known to hang or reset under an ordinary port scan), and no enforcement action whose failure mode is a controller losing its network connection. In essence, this is a two-fold model change for NAC. First, the view is geared more towards protecting the critical devices than towards protecting the environment from them. Second (and somewhat related), access to the network is the presumed normal case and is restricted only in an extraordinary case; the posture on the control segment is default-permit and fail-open, where a corporate NAC deployment is typically default-deny.
Passive Device Fingerprinting
Some identification mechanism is necessary to fingerprint these devices and classify them correctly (see below). Given their specialized OS platforms, doing that with agent software seems unworkable, and active probing runs afoul of the first rule above. That leaves passive observation of what the device already emits: its MAC address and OUI, DHCP options if it uses DHCP at all, the protocols it serves (Modbus/TCP on port 502, DNP3 on port 20000, and so on), and which peers it talks to. A device that answers Modbus polls from two HMIs and initiates nothing else looks like a PLC; one that browses the web and mounts file shares does not, whatever its MAC claims.
On-Segment Protection
The segment containing these devices must be protected from all threats, foreign and domestic: malware-infected hosts, mal-intentioned users, mis-informed users, unauthorized hosts, etc. This means ongoing protection of the segment, not just a check at the moment a device enters it: a host that was clean at admission and is infected an hour later, or an operator workstation that suddenly starts talking SMB to a controller, has to be caught by watching the traffic on the segment, not by re-running the admission check.
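One way to do the "ongoing" part is to keep an allow-list of the flows a control segment is supposed to carry and audit everything observed on it (span port, switch flow export) against that list, alerting on anything else. The script below is an added example, not code from the original post; the addressing, device roles, policy and flow records are all constructed for illustration, and the only real-world constant is Modbus/TCP on port 502.

```python
"""Ongoing on-segment protection: audit observed flows against an allow-list.

Added example (not code from the original post). Addresses, roles, the
policy and the flow records are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed control segment and device roles.
SEGMENT = ip_network("10.20.0.0/24")
PLCS = {"10.20.0.11", "10.20.0.12"}
HMIS = {"10.20.0.50"}
HISTORIAN = "10.20.0.60"
MODBUS_TCP = 502

# Allow-list of permitted *initiated* flows: (initiators, responders, proto, dport).
# Anything else inside the segment is a violation, even between two hosts that
# were each admitted to the segment: admission control is not segment protection.
ALLOW = [
    (HMIS, PLCS, "tcp", MODBUS_TCP),         # operator polls/commands
    ({HISTORIAN}, PLCS, "tcp", MODBUS_TCP),  # historian polls
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def in_segment(ip: str) -> bool:
    return ip_address(ip) in SEGMENT


def check_flow(f: Flow):
    """Return None if the flow is permitted, otherwise a short reason string."""
    if not (in_segment(f.src) or in_segment(f.dst)):
        return None                       # not this segment's traffic
    for initiators, responders, proto, dport in ALLOW:
        if (f.src in initiators and f.dst in responders
                and f.proto == proto and f.dport == dport):
            return None
    if f.src in PLCS:
        return "controller initiated a connection (not expected of a PLC)"
    if f.dst in PLCS and f.dport == MODBUS_TCP:
        return "Modbus/TCP from an unauthorized initiator (writes possible)"
    if f.dst in PLCS:
        return "non-control protocol aimed at a controller"
    return "flow not in segment allow-list"


def audit(flows):
    """Return (violations, scanners): violations as (flow, reason) pairs, and
    sources that touched three or more distinct ports on controllers."""
    violations = []
    ports_per_src = defaultdict(set)
    for f in flows:
        reason = check_flow(f)
        if reason is not None:
            violations.append((f, reason))
        if f.dst in PLCS:
            ports_per_src[f.src].add(f.dport)
    scanners = sorted(s for s, p in ports_per_src.items() if len(p) >= 3)
    return violations, scanners


# Constructed flow records (as a span port or flow export might show them).
SAMPLE_FLOWS = [
    Flow("10.20.0.50", "10.20.0.11", "tcp", 502),   # HMI poll: allowed
    Flow("10.20.0.60", "10.20.0.12", "tcp", 502),   # historian poll: allowed
    Flow("10.20.0.77", "10.20.0.11", "tcp", 502),   # unknown host talking Modbus
    Flow("10.20.0.77", "10.20.0.11", "tcp", 445),   # SMB at a PLC
    Flow("10.20.0.77", "10.20.0.11", "tcp", 80),    # HTTP at a PLC
    Flow("10.20.0.11", "203.0.113.5", "tcp", 443),  # PLC calling out
    Flow("10.20.0.50", "10.20.0.60", "tcp", 445),   # HMI to historian over SMB
    Flow("192.0.2.10", "192.0.2.20", "tcp", 80),    # other network: ignored
]

if __name__ == "__main__":
    viol, scan = audit(SAMPLE_FLOWS)
    for f, reason in viol:
        print(f"ALERT {f.src} -> {f.dst} {f.proto}/{f.dport}: {reason}")
    for s in scan:
        print(f"ALERT {s} touched several controller ports: possible scan")
```

Note that the two "allowed" hosts are not exempt: the HMI talking SMB to the historian is flagged because it is not on the list, which is the point of protecting the segment rather than just its entry.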
MAC-Based Authentication for 802.1X
At some point, organizations will likely want to fold this under an overarching 802.1X umbrella. Given the likely lack of 802.1X supplicants on these devices, MAC-based authentication (what the switch vendors call MAC Authentication Bypass, or MAB) is required: the switch submits the device's MAC address as its credential, and the authentication server checks it against a list. The hole inherent in that scheme is that a MAC address is whatever the attached host says it is; anyone who can read a controller's label or sniff a frame can clone it. This is where the fingerprinting piece comes in: the MAC gets the device admitted, and the passive fingerprint confirms that the thing behind that MAC still behaves like the device the inventory says it is.
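Putting the fingerprinting and MAB pieces together, here is the decision logic a NAC policy point could run per endpoint: the MAC is looked up in the inventory, a passive fingerprint is derived from the traffic already seen, and access is restricted only when the two disagree or the MAC is unknown. This is an added example, not code from the original post or from any NAC product. The MAC addresses (locally administered 02:... prefixes, so they belong to no real vendor), the OUI table, the authorized-device list and the observations are constructed; the port-to-protocol mapping (502 = Modbus/TCP, 20000 = DNP3) is real.

```python
"""MAC-based admission (MAB) cross-checked with a passive fingerprint.

Added example, not code from the original post. MAC addresses, the OUI
table, the authorized-device list and the observations are constructed;
the port-to-protocol mapping (502 = Modbus/TCP, 20000 = DNP3) is real.
"""
from dataclasses import dataclass

# Constructed inventory: MAC -> device class the asset owner vouched for.
# 02:... addresses are locally administered, i.e. not any real vendor's OUI.
AUTHORIZED = {
    "02:aa:01:00:00:11": "controller",
    "02:aa:01:00:00:12": "controller",
    "02:cc:03:00:00:50": "workstation",   # operator HMI
}
# Constructed OUI -> class hint. A matching OUI is weak evidence only: the
# MAC (and thus the OUI) is whatever the attached host says it is.
OUI_CLASS = {"02:aa:01": "controller", "02:cc:03": "workstation"}

CONTROL_SERVER_PORTS = {("tcp", 502), ("tcp", 20000), ("udp", 20000)}  # Modbus/TCP, DNP3
WORKSTATION_CLIENT_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 445), ("tcp", 3389)}


@dataclass
class Observation:
    """What a span port or switch flow export showed for one endpoint."""
    mac: str
    listens: frozenset = frozenset()   # (proto, port) answered as a server
    talks_to: frozenset = frozenset()  # (proto, dport) initiated as a client


def normalize_mac(mac: str) -> str:
    """Accept 02:AA:..., 02-aa-... or 02aa.... and return lower-case colon form."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(obs: Observation) -> str:
    """Passive fingerprint: derived from traffic seen, no probes sent to the device."""
    if obs.talks_to & WORKSTATION_CLIENT_PORTS:
        return "workstation"           # browses, mounts shares, RDPs: not a controller
    if obs.listens & CONTROL_SERVER_PORTS:
        return "controller"            # serves Modbus/DNP3 and does nothing workstation-like
    return "unknown"                   # too little traffic seen yet


def decide(obs: Observation):
    """MAB decision as (action, reason). Permit is the default; restrict only on
    evidence: an unknown MAC, or a fingerprint contradicting the vouched class."""
    mac = normalize_mac(obs.mac)
    expected = AUTHORIZED.get(mac)
    if expected is None:
        return "restrict", f"{mac} not in authorized list"
    observed = classify(obs)
    if observed == "unknown":
        return "permit", f"{mac}: fingerprint inconclusive, default permit, keep watching"
    if observed != expected:
        return "quarantine", (f"{mac}: fingerprint '{observed}' contradicts authorized "
                              f"class '{expected}', MAC spoofing suspected")
    if OUI_CLASS.get(mac[:8]) != expected:
        return "permit", f"{mac}: behaves as {expected} but OUI is unexpected, flag for review"
    return "permit", f"{mac}: fingerprint matches authorized class '{expected}'"


# Constructed observations.
SAMPLES = [
    Observation("02:AA:01:00:00:11", listens=frozenset({("tcp", 502)})),   # the real PLC
    Observation("02-aa-01-00-00-11", listens=frozenset({("tcp", 445)}),
                talks_to=frozenset({("tcp", 445), ("tcp", 443)})),          # laptop wearing the PLC's MAC
    Observation("02:aa:01:00:00:12"),                                        # quiet controller, no traffic yet
    Observation("02:bb:02:00:00:99", talks_to=frozenset({("tcp", 445)})),   # never inventoried
]

if __name__ == "__main__":
    for obs in SAMPLES:
        action, reason = decide(obs)
        print(f"{action:10} {reason}")
```

The second sample is the case MAB alone cannot see: the cloned MAC passes the inventory lookup and even the OUI check, and only the behavioral mismatch (a "controller" that browses the web and talks SMB) triggers the quarantine. The third sample shows the First Do No Harm posture: an authorized device with nothing observed yet is permitted, not held pending proof.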
Generically, of course, this governance problem applies to any number of other devices (medical, HVAC, badge readers, etc.) that now have Ethernet connections and IP addresses. The set of Critical Infrastructure Protection standards for the utility industry just provides an additional driver for the IT and security teams in that industry to do something (or a set of somethings). It is both a challenge and an opportunity for NAC vendors to find a way to help, but help in a way that takes into account the specialized nature of these devices.