Yesterday I took a quick drive up to Atlanta to visit a
cybersecurity startup to view a demo of a new ICS security tool. I was
introduced to Roger Hill, the founder of Veracity,
a couple of weeks ago at an Atlanta cybersecurity meetup. In a brief discussion
that night he convinced me that yesterday’s trip could be interesting and he
was correct.
Cerebellum
What Roger demonstrated yesterday was a product called Cerebellum (name and email registration
required). It is based upon a pretty standard SEL ethernet switch and provides
an organization with a new way to control and monitor communications on a
control system network. Ethernet switches are certainly not new; they are a ubiquitous
part of all sorts of networks. What Veracity has done is to replace the basic
rules those switches use to direct traffic on the network with a more
sophisticated software tool that establishes a software defined network (SDN).
The Cerebellum GUI allows the user to specifically define
the place of every control system device within the facility network. Based
upon the standard Purdue Model of system architecture, it allows the user to
define the networks and subnetworks and to establish what devices are allowed to
communicate with each other within and across those networks and what
information could be pushed across those channels. And, because it is a
software defined network, it allows for establishing changes to those
communications rules based upon specific non-standard conditions (maintenance
for example).
Okay, that is about all I am technically qualified to
explain about how the system works and I am certainly not qualified to assess
how well this system works in actual practice. If you are in Atlanta next week
for the 2017 ICS
Cybersecurity Conference, Roger and his team will be providing a
demonstration of the operation of Cerebellum.
Digital Forensics
There are a couple of interesting side benefits to the use
of this SDN tool. First is that when any device is either physically connected
or reconnected to the network, it is automatically isolated from the SDN.
Information about the ‘new’ device (a digital fingerprint) is automatically
recorded. This includes any communications that it tries to send out on the
physical network.
Additionally, any time that a non-permitted communication is
attempted, the system can be programmed to record and report that communication.
Even allowed communications (for example from an engineering workstation to a
PLC) can be set up so that they are recorded/reported. This allows for more
detailed forensic analysis in the event of incidents or attacks.
Roger pointed out that it was also possible to establish
honeynet networks and to divert non-permitted communications to those
networks. This allows the network administrator to watch what a possible
network infiltrator is attempting to do, as all communications across the
honeynet can be recorded. It would also allow for feeding incorrect information to
an attacker during the reconnaissance phase of their attack.
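As an added illustration, and not Veracity's code or anything shown in the demo, here is a toy Python model of the behavior described in the last two sections: known devices placed by Purdue level, an allow-list of flows, a maintenance-mode exception, automatic quarantine of unknown devices with a record of what they try to send, and recording or honeynet diversion of non-permitted traffic. The device addresses, protocol names and the policy itself are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    inventory: dict                                  # MAC -> Purdue level of each known device
    permitted: set                                   # (src, dst, proto) flows always allowed
    maintenance: set = field(default_factory=set)    # flows allowed only while maintenance mode is on
    audited: set = field(default_factory=set)        # permitted flows that are also recorded

@dataclass
class SwitchState:
    maintenance_mode: bool = False
    quarantined: dict = field(default_factory=dict)  # MAC -> list of attempted (dst, proto)
    log: list = field(default_factory=list)          # (verdict, src, dst, proto) records

def handle_frame(policy, state, src, dst, proto):
    """Decide one frame: quarantine, honeynet, forward or forward+record."""
    if src not in policy.inventory:
        # Unknown or reconnected device: isolate it and keep a fingerprint of what it tries to send.
        state.quarantined.setdefault(src, []).append((dst, proto))
        state.log.append(("quarantine", src, dst, proto))
        return "quarantine"
    flow = (src, dst, proto)
    allowed = flow in policy.permitted or (state.maintenance_mode and flow in policy.maintenance)
    if not allowed:
        # Non-permitted flow: record it and divert it to the honeynet instead of silently dropping it.
        state.log.append(("honeynet", src, dst, proto))
        return "honeynet"
    if flow in policy.audited:
        state.log.append(("recorded", src, dst, proto))
        return "forward+record"
    return "forward"

# Constructed sample inventory (the MAC addresses are made up).
PLC, EWS, HISTORIAN, VENDOR = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03", "02:00:00:00:00:04"
SAMPLE_POLICY = Policy(
    inventory={PLC: 1, EWS: 2, HISTORIAN: 3, VENDOR: 3},
    permitted={(EWS, PLC, "modbus"), (PLC, HISTORIAN, "opc-ua")},
    maintenance={(VENDOR, PLC, "modbus")},
    audited={(EWS, PLC, "modbus")},
)

def run_sample():
    """Replay a few constructed frames through the policy and return the verdicts and final state."""
    state = SwitchState()
    verdicts = [handle_frame(SAMPLE_POLICY, state, EWS, PLC, "modbus"),               # allowed and audited
                handle_frame(SAMPLE_POLICY, state, HISTORIAN, PLC, "modbus"),         # wrong direction: denied
                handle_frame(SAMPLE_POLICY, state, "02:00:00:00:00:ff", PLC, "modbus"),  # unknown device
                handle_frame(SAMPLE_POLICY, state, VENDOR, PLC, "modbus")]            # maintenance flow, mode off
    state.maintenance_mode = True
    verdicts.append(handle_frame(SAMPLE_POLICY, state, VENDOR, PLC, "modbus"))        # same flow, mode on
    return verdicts, state

if __name__ == "__main__":
    print(run_sample()[0])
```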
Management of Change
Cerebellum can also be used as a management of change tool.
Changes to the network require approvals, and different approval
requirements can be set for different parts of the networks and subnetworks.
The change messages and the approvals can be recorded as part of the MOC
process for the facility.
Ease of Implementation
Installing this tool simply requires replacing existing
ethernet switches with new switches. Initially, the new switches can be run in
the data acquisition mode, allowing standard switch communication rules to
operate while recording communications across the network. The implementation
of the Cerebellum rule set can be done on a subnetwork basis first and then
further up the network chain. This allows for minimal interruption of operations
during the implementation of the new security controls.
Commentary
The sharp-eyed reader will have probably noticed that I
think that this looks like a very interesting addition to the tool set that can
be used to protect industrial control systems. Now what I saw yesterday was a
software demonstration and there are limits to what you can learn from such
demonstrations. Even the hardware-based demonstration that Roger plans for next
week is going to provide only limited information on the efficacy of the
system.
Roger is working on a DOE project (Chess Master) on the use of
Cerebellum in the grid security application, but he is looking for
opportunities to expand the application of his new technology to other sectors.
If you are going to be in Atlanta for the conference next week, be sure to look
him up.