Deployment of secure networks connect control engineering solutions
As industrial control systems (ICSs) become integrated with the internet, robust security is critical on every level.
Industrial automation (IA) and building automation (BA) customers have little tolerance for production downtime or liability exposure caused by untrustworthy control engineering (CE) processes. The value of reliable CE solutions can be evaluated both in direct value to the CE operator and in terms of avoided costs. As industrial control systems (ICSs) become integrated with corporate networks and the internet, robust security – all the way to the device level – becomes critical.
Control engineering (CE) industry trends
A significant CE industry trend over the past 10 years is the movement to networked solutions, particularly those using connectivity integrated with the global internet. As the cost of connecting has fallen and connecting has become easier, networked entities have exploded in number and the technical complexity of networked CE solutions has increased.
The movement to networked solutions by the CE industry has lagged behind other commercial sectors. This was mostly due to two issues:
- The need to migrate from unique or proprietary technical solutions to ones using standardized interfaces, communication protocols, and data structures and
- The inherently non-deterministic behavior of packet-switched networks.
The first issue has largely been solved. Solution providers are moving to customer solutions offering easier integration with industry standard connectors and processors to a client’s other devices and networks.
Solutions for the second issue are available. A combination of devices and protocols collectively referred to as time-sensitive networking (TSN) enables CE application developers to overcome packet switching’s non-determinism and the internet’s complexity. It is possible for basic Ethernet to provide predictable and guaranteed end-to-end latencies, tightly bounded latency fluctuations (jitter), and extremely low packet loss.
Operating a secure control engineering network
The ability to operate a safe and secure CE network requires answers to these three questions:
- In the event that a malicious actor does gain access to the network and potentially a device, can hardware be trusted to function as intended?
- If so, can a malicious actor be excluded from specific operations performed by components of a network even if the actor gains access to the network’s communications channels?
- Can intellectual property be protected from extraction or exploitation when put into devices that a malicious actor may try to duplicate, steal, or buy?
Before presenting an approach that can answer these questions, it’s useful to review why it is so difficult to secure network-connected CE solutions.
The internet is a messy security ecology. The internet’s ~50 billion devices include a huge spectrum of hardware designs and variants with a mix of software versions written to different standards of discipline and precision, and actors with a wide spectrum of motives and objectives. This enormous variability in devices, programs and interactions provides an expansive potential attack surface for malefactors to connect to and exploit CE solution vendors and their customers.
Historically, resistance of CE networks to vendor errors or malefactors was due to isolation, obscurity and simplicity. Isolated networks with few participants, which must be deliberately connected, can largely exclude malefactors. Networks containing unique components, unique software, etc., require specific attack methods to be designed and tested, which is difficult for attackers who have no access to the design or components of the network.
Simple networks may be easy to troubleshoot and stabilize. In the past, few attackers found the motivation to gather the time, energy, and resources required to create connection opportunities where none existed before; to design, test, and prove an attack can work; and to keep an attack viable in the face of rapid diagnostics and remediation.
The movement of CE network designers, vendors and operators to networked connectivity has overcome those historical defenses and highlighted a related issue:
- Isolation. The movement towards industry-standard connections undercuts isolation. Specific intent, focus and design are required to prevent a connection that standardized networking technologies enable. Many victimized network operators find their standalone or air-gapped networks are connected through a modality they had never known about, thought to disable or thought to defend against.
- Obscurity. Component design, how they are meant to function and how to build software to control them are as available to malicious actors as they are to legitimate ones. While a specific device may not be available for a malefactor to buy, the internal components of the device, its design, and its software almost always are discoverable given only modest research.
- Simplicity. Complex networks have potential attack surfaces practically impossible to describe, characterize, and defend because the attack surfaces are not static or fixed. The potential vulnerability of any complex network is not precisely known when it is established and will continuously change, largely unpredictably, throughout its life.
- Uncertain Responsibility. It is rare to find any corporate officer assigned to consider holistically the security and safety of a deployed CE system and empowered to align resources to keep the system secure from evolving threats. Security policies are often enforced differently in the corporate IT network versus the operational control systems.
Given the inevitable and ongoing migration from bespoke to standardized and networked solutions, it is time to review and adopt better approaches to securing CE systems.
Control engineering network and security solutions
A holistic security approach should begin with adoption of a strategy that incorporates secure process steps and reliance on provably secure processing hardware and software. We argue here for a major change in industry standard chip provisioning processes and widespread adoption and use of trusted execution environments (TEEs).
The strategy begins with CE solution providers obtaining access to “pristine” chips directly after production assurance testing but before initial firmware provisioning such as setting security-related fuses or installation of production firmware bootloaders. Beginning this way starts the holistic approach to threat mitigation by never allowing the device manufacturers access to the intellectual property (IP) the customer wants protected.
Beginning the securing process this early denies malicious actors in manufacturing sites the option to produce duplicate or cloned firmware usable to produce copycats or counterfeits of the original customer’s devices.
This procedural change leverages the semiconductor foundation for a TEE-based secure digital ecology which is already in production and being delivered. The procedural change enables generating unique chip identifiers by empowering the CE solution vendor to control how many and which specific chips have authorized firmware images installed, through use of features already available in modern chip architectures. Those capabilities enable generation of chip-unique identifiers and private cryptographic keys, secure storage of encrypted firmware images, and provisioning so chip identifiers and cryptographic keys are immutable and cannot be counterfeited or extracted. These features can secure IP, prevent cloning and exclude malefactors from CE networks.
This approach safeguards IP until the root of trust (RoT) and security of the hardware are established. A RoT is the foundational security component of a connected device. A RoT can be described as a set of implicitly trusted functions the rest of the system or device can use to ensure security. In the context of this proposal, the RoT is a unique, secret key for an individual chip. This, in turn, enables each device to become unique.
Used properly, this unique device key enables creation of device-unique cryptographic certificates. The combination of unique device identifier and device unique certificate enables validation of the device identity and cryptographically secure communication with the device without requiring the entire network be secure.
IP is not loaded to the chip until the chip is configured to boot securely and the provisioning application verifies both the hardware is authentic and trustworthy and it is running securely. Once these conditions are verified, a TEE is established on the chip. The TEE will contain and protect the customer’s IP and provide a cryptographically secure processing environment for functions essential to a safe and reliable CE solution.
The unique device key also enables cryptographically protecting firmware so it can function on the specific, individual device it is intended for. The proprietary firmware or other information will not be extractable nor copyable for use on any unauthorized device.
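The provisioning, identity-validation and firmware-binding steps described above can be exercised end to end in a small model. The following is an added example, not code from the article or from Sequitur Labs: two constructed chips each hold a fixed root secret standing in for the fused, chip-unique key; the vendor's provisioning registry records which chips are authorised (so an unprovisioned or cloned chip is rejected at the identity check); and a firmware image is encrypted and authenticated under keys only the intended chip can derive, so it cannot be unwrapped on any other device or after tampering. All names (`derive_key`, `build_registry`, `wrap_firmware`, the `ce-demo-v1` label and the fixed secrets) are assumptions of this example. HMAC-SHA256 is used both as the key-derivation function and, in counter mode, as the cipher because the Python standard library has no AES; the symmetric identity key stands in for the per-device certificate a real deployment would use.

```python
"""Model of a per-chip root of trust, device identity check and device-bound firmware.
Added example; the chip secrets, labels and function names are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample values: two chips with different fused root secrets.
# On a real part the secret is generated inside the chip at the "pristine"
# provisioning step and never leaves it; fixed bytes are used here only so
# that the example is reproducible.
CHIP_A_SECRET = bytes(range(0, 32))
CHIP_B_SECRET = bytes(range(32, 64))

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(root_secret: bytes, label: bytes) -> bytes:
    """Derive a purpose-bound key from the fused root secret (HMAC-SHA256 as a KDF)."""
    return hmac.new(root_secret, b"ce-demo-v1:" + label, hashlib.sha256).digest()


def device_id(root_secret: bytes) -> str:
    """Public, chip-unique identifier: a hash of the derived identity key."""
    return hashlib.sha256(derive_key(root_secret, b"identity")).hexdigest()[:16]


def build_registry(root_secrets) -> dict:
    """Vendor-side provisioning record: which chips are authorised and how to verify
    them (device id -> identity key). With asymmetric keys this would hold one
    certificate per device; the symmetric key stands in for that here."""
    return {device_id(s): derive_key(s, b"identity") for s in root_secrets}


def device_respond(root_secret: bytes, challenge: bytes) -> bytes:
    """Device side of the identity check: MAC the vendor's challenge with the identity key."""
    return hmac.new(derive_key(root_secret, b"identity"), challenge, hashlib.sha256).digest()


def vendor_verify(registry: dict, dev_id: str, challenge: bytes, response: bytes) -> bool:
    """Accept only a chip that was provisioned (present in the registry) and holds
    the matching secret; unknown, cloned or mis-keyed devices are rejected."""
    key = registry.get(dev_id)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR using HMAC-SHA256 as the PRF (the stdlib has no AES)."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[i * 32:(i + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def wrap_firmware(root_secret: bytes, firmware: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC a firmware image under keys only this one chip can derive."""
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    ct = _keystream_xor(derive_key(root_secret, b"fw-enc"), nonce, firmware)
    tag = hmac.new(derive_key(root_secret, b"fw-mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_firmware(root_secret: bytes, blob: bytes) -> Optional[bytes]:
    """Secure-boot side: verify the tag before decrypting. Returns None on any
    failure, including a blob that was wrapped for a different chip."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(derive_key(root_secret, b"fw-mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _keystream_xor(derive_key(root_secret, b"fw-enc"), nonce, ct)


if __name__ == "__main__":
    registry = build_registry([CHIP_A_SECRET])  # only chip A was provisioned by the vendor
    challenge = secrets.token_bytes(32)
    for name, chip in (("A", CHIP_A_SECRET), ("B", CHIP_B_SECRET)):
        ok = vendor_verify(registry, device_id(chip), challenge, device_respond(chip, challenge))
        print(f"chip {name} ({device_id(chip)}) accepted: {ok}")
    blob = wrap_firmware(CHIP_A_SECRET, b"proprietary control loop v1")
    print("chip A unwraps:", unwrap_firmware(CHIP_A_SECRET, blob))
    print("chip B unwraps:", unwrap_firmware(CHIP_B_SECRET, blob))
```

Running the module shows chip A passing the identity check and recovering the image while chip B, which was never provisioned and holds a different root secret, fails both; the same `None` result is returned for a blob whose ciphertext or tag has been altered, which is the behaviour a secure bootloader needs before it executes anything.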
The RoT and TEE enable a CE vendor and its customers to specify or tailor participation in whatever network they construct at the device level and separately from other, network-level protection measures. The identities of authorized network participants can be tied to the RoT and mission critical applications can be designed to either run within a TEE or use features of a TEE to validate their authenticity and safe function. Implemented carefully, users can now provide “Yes” answers to the three critical security questions and allow for deployment of safe and secure CE solutions using current networking technologies. These concepts should be considered fundamental in the current generation of ICSs.
Jake Schaffner, senior strategic analyst, Sequitur Labs; Larry O’Connell, vice president, marketing, Sequitur Labs. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, email@example.com.
2. IEEE 802.1 & IEEE 802.3
3. Retrieved on 04 January 2021, https://www.ahdictionary.com/word/search.html?q=ecology: “Ecology – The relationship between organisms and their environment.”
5. E.g., ARM TrustZone™
6. Root of Trust: Retrieved 17 February 2021 from https://www.psacertified.org/blog/what-is-a-root-of-trust/. Copyright © 2021 Arm Limited.