05 Jul 2018 Defining Control Security
“The beginning of wisdom is the definition of terms.” – Socrates (470 – 399 B.C.)
Definitions are important – good ones shape our understanding of concepts while poor ones impair that understanding. Consider the definition:
pen: a tube of ink with a tiny ball bearing at the tip
How useful is that definition? If we give the definition to a non-English-speaker, would it seem like a word worth remembering? Consider a different definition:
pen: a tool for writing or drawing with ink
Someone new to the language would likely hear this second definition and say “ahh – so that’s what those things are called,” because she sees people using pens every day.
Now consider the definitions of “cybersecurity” and “information security”. NIST for example, gives the two terms subtly different and lengthy definitions that can be paraphrased:
cybersecurity = information security = protecting the confidentiality, integrity and availability of information
How useful is this definition and understanding of cybersecurity in the world of industrial control systems? At Waterfall Security we see that our customers care enormously about the safe and reliable operation of their powerful, physical industrial processes. Our customers see that assuring correct and authorized control of physical operations is vital to safety and reliability, and that in modern operations, such control occurs most often through computers. The security of those computers is therefore vital to safe, reliable and correct control of physical industrial processes.
The problem is that the common, short definition of “cybersecurity” above says nothing about safety, reliability or control. Security practitioners have for nearly two decades worked around this problem. Rather than continue the work-around, I propose a new definition for a new term:
Industrial cybersecurity = control security = protecting safe and reliable physical operations by assuring correct and authorized control of physical and cyber assets
The two definitions are equivalent, even though the former says nothing about control and the latter says nothing about information. The information-security work-around for control points out that control signals are short pieces of information whose availability, integrity and confidentiality must be protected. The control-security work-around for information points out that information is stored in cyber assets, and the only way to breach the confidentiality, integrity or availability of that information is to mis-control the cyber asset. The advantage of the control-security perspective is that it focuses attention on what is important to industrial sites.
Applying the Definition
Consider the Industrial Internet of Things for example – edge devices in control networks connect directly to Internet-based cloud systems for big data analysis and optimization benefits. If we look at this architecture from the information-security perspective, then the first thing we observe is that we are sending data straight out to the Internet from the deepest parts of our control systems. The first question many practitioners ask, then, is “how are we going to protect all that data?” If we look at the situation from the control-security perspective, and the first thing we observe is that every message coming from the Internet back into the edge device, even the smallest acknowledgement message, is changing the instructions that the CPU in that device executes. Every such message is therefore a kind of control. The first question we should be asking is “how do we assure that those controls are correct?” The next one we ask is “Where do those control signals come from, and how do we know that those Internet-exposed computers, and the computers that control them, have been correctly controlled?”
Which perspective obscures the real issue? Which one brings it into sharp relief?
Another example – consider encrypted remote access. I sit in a hotel lobby, using a VPN on the hotel WiFi to reach across the Internet and reconfigure a control system component behind a firewall or three. The information-security perspective suggests again “how do we protect the data crossing the Internet?” We protect it with encryption of course, ignoring the fact that cryptosystems encrypt attacks from compromised endpoints just as happily as they encrypt legitimate instructions. The control-security perspective asks “How many machines on the Internet should be permitted to reprogram my control computers? And how have random attackers on the Internet controlled the laptop that I am using to reprogram by control computers right now?” There is no good answer.
Which perspective highlights the most important issues?
The time has come to stop applying the information security definition of cyber security to control system networks. “Protect the data” obscures our need to protect safe and reliable operations by assuring correct and authorized control. I propose that “control security” is a term whose time has come, and one we all need to start using routinely.