Introducing Industrial Control System Cybersecurity Context
Many people consider security in terms of their area of influence. Relay engineers may look at security from a relay perspective (i.e., the security controls within the relay), ignoring the network, monitoring tools, best practices, etc., that protect the system outside of the relay. It is critical to be aware of the security context, or environment, that devices are placed within to understand how best to utilize the features and tools that exist within that device.
What is cybersecurity context, and what does it mean within the bounds of an industrial control system (ICS)? This can be a little confusing to figure out if you aren’t already familiar with it. A general internet search for “cybersecurity context” will generate results dealing with “cybersecurity in a geopolitical context” or “context of cybersecurity,” which discuss how cybersecurity fits into political, organizational, or industrial goals. This type of search may help to learn why cybersecurity is important, but it doesn’t give any guidance into designing or selecting devices to be used in an ICS. If we change that search slightly to be “security context,” we start getting more into the technical realm. A search on “security context” will generate results having to do with authentication and authorization systems that describe permissions of a user on a system, which is also not what we are trying to get at with cybersecurity context within an ICS.
You may have heard of the term defense in depth. Defense in depth is one term used to describe the suite of cybersecurity protective measures that get put in place to protect a system. Defense in depth means a lot of different things to a lot of different people. Most can agree that it includes policies, processes, and technologies that complement each other so that if one protective measure is breached by an attacker, the other protective measures can still deter, prevent, detect, contain, and/or recover from the attack. Defense in depth generally takes a viewpoint that is holistic to the system and accounts for its cybersecurity protective measures as a whole. I coauthored a paper titled “Defense-in-Depth Security for Industrial Control Systems” in 2016 with other SEL employees, if you are interested in more details [1].
Let’s change our perspective a little, and instead of looking at the cybersecurity measures of a system from an overhead viewpoint, let’s look at it from the viewpoint of a single device, like a relay. This will give us the security context of that device. Cybersecurity context of a given device within an ICS is important to understand. It can help with the workflows and data flows of legitimate workers and applications touching that device. It can also help us determine the cybersecurity functions that device needs to support in order to reuse existing defenses provided elsewhere in the system and to positively contribute to the security of the system as a whole. This is helpful to vendors in describing the scope of features in their products when the context assumptions used in development are met by the system. This is also helpful to system architects in determining the proper mix of security-focused services that a device in the system needs to have.
When trying to figure out the security context of a device, there are several questions you can ask. Depending on the answers you develop, you can begin to understand which features a device needs and which features can be offloaded onto other devices in the system.
- Where is the device in the network physically and logically located, with respect to switches, routers, firewalls, intrusion detection system (IDS)/intrusion prevention system (IPS), and other hosts on the broadcast domain?
- What are the capabilities of the network hosting the device with regard to routing, firewalling, intrusion detection, communication isolation, etc.?
- What other devices or hosts can talk directly to the device of concern or sniff (monitor) its traffic?
- What authentication schemes are supported by the device and its peers?
- Does the system provide user-based authentication that the device can reuse?
- What is the impact to the environment if and when the device gets compromised?
- What access control measures prevent physical access to the device?
Without answering these questions and understanding security context, it is very tempting to require every device in your system to have all the security functions that anybody has ever thought of. More is better, right? Unfortunately, that isn’t always the case. There can be some situations where a device needs to have all the security functions under the sun in it. These are generally rare situations, though. More functions equate to more lines of code, more complexity to the device, higher purchasing costs, an increased chance of misconfiguration, an increased chance of present vulnerabilities, an increased attack surface, an increased chance of unintended or unanticipated negative interactions between components, an increased maintenance effort (costs) for the device, and a lack of layered defenses at the system level as the device itself can be perceived to be capable of defending itself. Security context and how the device fits into the overall security of the system is crucial to understand in order to properly protect the system and its functions at a reasonable and maintainable cost.
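As an added illustration of the questions above and the trade-off just described (this is example code, not from the original post), the following model takes a device's context answers and derives which protective functions must live in the device itself versus which can be offloaded to the surrounding system. The context fields, function names and the two sample environments are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityContext:
    """Answers to the security-context questions for one device (constructed model)."""
    behind_firewall: bool             # a router/firewall isolates the device's segment
    ids_monitors_segment: bool        # an IDS/IPS sees the device's traffic
    untrusted_hosts_on_segment: bool  # other hosts can reach the device or sniff it
    central_auth_available: bool      # system provides user-based auth the device can reuse
    peers_support_session_auth: bool  # protocol peers can authenticate sessions
    physical_access_controlled: bool  # locked cabinet/room, keyed access
    compromise_impact: str            # "low", "medium" or "high"


# Candidate functions a vendor could build into the device (constructed list).
ALL_FUNCTIONS = {
    "local_user_accounts", "authenticated_protocol_sessions",
    "host_port_filtering", "local_security_event_log",
    "unused_port_disable", "firmware_integrity_check",
}


def required_on_device(ctx: SecurityContext) -> set[str]:
    """Functions the device itself must provide because nothing in the system covers them."""
    needs = set()
    if not ctx.central_auth_available:          # no system auth to reuse
        needs.add("local_user_accounts")
    if ctx.untrusted_hosts_on_segment and ctx.peers_support_session_auth:
        needs.add("authenticated_protocol_sessions")
    if ctx.untrusted_hosts_on_segment and not ctx.behind_firewall:
        needs.add("host_port_filtering")        # no network-level filtering in front of it
    if not ctx.ids_monitors_segment:
        needs.add("local_security_event_log")   # device must keep its own record
    if not ctx.physical_access_controlled:
        needs.add("unused_port_disable")        # front-panel/serial ports are reachable
    if ctx.compromise_impact == "high":
        needs.add("firmware_integrity_check")
    return needs


def offloaded_to_system(ctx: SecurityContext) -> set[str]:
    """Functions the surrounding system already provides, so the device need not carry them."""
    return ALL_FUNCTIONS - required_on_device(ctx)


# Same relay, two constructed environments: a defended substation LAN and a flat network.
DEFENDED = SecurityContext(True, True, False, True, True, True, "high")
FLAT = SecurityContext(False, False, True, False, True, False, "high")
```

Running `required_on_device` on both contexts shows the relay in the flat network must carry every listed function, while in the defended segment only the firmware check remains on-device; every other function is attack surface the defended design can leave out.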
There is a new trend in cybersecurity revolving around the term zero trust. At its core, zero trust asserts that a computing device should be able to securely function on its own without requiring trust in any external devices or systems. Zero trust implies that security context is not important and that all functions necessary to protect a device should exist in that device. We need to keep in mind that the concept of zero trust was originally developed for general-purpose computer systems and not ICS devices. Zero trust was developed for devices that have mature and near-real-time update capabilities. However, zero trust still requires trust in update servers, in authentication servers, and in other devices on the system to maintain security over time. Therefore, a device’s cybersecurity context is still important within a zero-trust mindset.
Contributor
Nathan Kipp
Engineering Manager, Infrastructure Defense, nathan_kipp@selinc.com
[1] J. Smith, N. Kipp, D. Gammel, and T. Watkins, “Defense-in-Depth Security for Industrial Control Systems,” Sensible Cybersecurity for Power Systems: A Collection of Technical Papers Representing Modern Solutions, Schweitzer Engineering Laboratories, Inc.