Sat Nov 22 06:31:55 PST 2014

Zones: HMI connections: How should HMIs be connected to other ICS systems?


Options:


Option 1: Use digital diodes to prevent HMI control alteration.
Option 2: Use FSM input controls on ICS systems to limit HMI alterations of ICS.
Option 3: Provide equivalent protection in every way for distant HMI and environments and use authenticated encrypted tunnels to connect them.
Option 4: Use controlled configurations for distant environments and provide access through terminal servers.
Option 5: Use remote dial-in access with telephones and modems from controlled environments for distant access.
Option 6: Use remote wireless access such as cellular, WiFi, laser link, or other similar connections from controlled environments for distant access.
Option 7: Use remote dedicated connectivity from controlled environments for distant access.
Option 8: Only allow distant access as an emergency backup when local access is in an uninhabitable or unreachable area.
Option 9: Provide redundancy for distant emergency backup connectivity.
Option 0: Allow only local HMI access.

Decision:

The following approach to HMI access to ICSs is suggested. Use all that apply. If there are conflicts, use the first one listed. To the extent desired, added controls may be used where not otherwise required.

Risk factors -> Approach

Risk factors: High negative consequences of remote HMI activities EXCEED High consequences of loss of HMI activities.
Approach: Allow only local HMI access.

Risk factors: Negative consequences of remote HMI activities EXCEED Benefits of remote HMI activities.
Approach: Allow only local HMI access.

Risk factors: High negative consequences of HMI control alteration or interference AND HMI alteration is required.
Approach: ALWAYS Use FSM input controls on ICS systems to limit HMI alterations of ICS.
  ALSO EITHER [Allow only local access.] OR
  [Provide equivalent protection in every way for distant HMI and environments and use authenticated encrypted tunnels to connect them. AND Use remote dedicated connectivity from controlled environments for distant access. AND Use controlled configurations for distant environments and provide access through terminal servers. AND Only allow distant access as an emergency backup when local access is in an uninhabitable or unreachable area. AND Provide redundancy for distant emergency backup connectivity.]

Risk factors: High negative consequences of HMI control observation.
Approach: ALWAYS Use encryption between the HMI and each ICS it interacts with.
  ALSO EITHER [Allow only local access.] OR
  [Provide equivalent protection in every way for distant HMI and environments and use authenticated encrypted tunnels to connect them. AND Use remote dedicated connectivity from controlled environments for distant access. AND Use controlled configurations for distant environments and provide access through terminal servers. AND Only allow distant access as an emergency backup when local access is in an uninhabitable or unreachable area.]
  ALSO IF HMI control alteration is NOT required THEN Use a digital diode to prevent HMI control alteration.

Risk factors: Medium negative consequences of HMI control alteration or interference AND HMI alteration is required.
Approach: EITHER [Allow only local access.] OR
  [Provide equivalent protection in every way for distant systems and environments and use authenticated encrypted tunnels to connect them. AND Use controlled configurations for distant environments and provide access through terminal servers. AND EITHER [Use remote dial-in access with telephones and modems from controlled environments for distant access. OR Use remote wireless access such as cellular, WiFi, laser link, or other similar connections from controlled environments for distant access. OR Use remote dedicated connectivity from controlled environments for distant access.]]

Risk factors: Medium negative consequences of HMI control observation.
Approach: EITHER [Allow only local access.] OR
  [Use encryption between the HMI and each ICS it interacts with. AND Provide equivalent protection in every way for distant systems and environments and use authenticated encrypted tunnels to connect them. AND EITHER [Use remote dial-in access with telephones and modems from controlled environments for distant access. OR Use remote wireless access such as cellular, WiFi, laser link, or other similar connections from controlled environments for distant access. OR Use remote dedicated connectivity from controlled environments for distant access.]]

Risk factors: Negative consequences of HMI control alteration or interference AND HMI alteration is required.
Approach: Provide equivalent protection in every way for distant systems and environments and use authenticated encrypted tunnels to connect them. OR Use remote dial-in access with telephones and modems from controlled environments for distant access. OR Use remote dedicated connectivity from controlled environments for distant access. OR Use controlled configurations for distant environments and provide access through terminal servers.

Risk factors: Negative consequences of HMI control observation.
Approach: Provide equivalent protection in every way for distant systems and environments and use authenticated encrypted tunnels to connect them. OR Use remote dial-in access with telephones and modems from controlled environments for distant access. OR Use remote dedicated connectivity from controlled environments for distant access.

Table: Remote HMI access to ICS

Basis:

Use digital diodes to prevent HMI control alteration.
A digital diode is used to prevent output channels from being used for input to a high degree of certainty. This will normally require protocol alterations, such as TCP to UDP and UDP to TCP proxies on sending and receiving sides of the diode in order to interface with technologies that depend on 2-way transport.

Use FSM input controls on ICS systems to limit HMI alterations of ICS.
A custom FSM for the input to ICS systems from HMIs provides a means by which all inputs can be checked for validity in the context of the expected ICS machine state. This provides a high degree of certainty that unauthorized and unanticipated input sequences cannot appear at the ICS input.
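As an added example (not from the original page or its author), the following Python shows what such an FSM input control looks like when placed between an HMI and an ICS: every HMI command is checked against the expected machine state before it is passed on, and anything out of sequence or out of range is dropped and recorded. The pump-controller states, commands and setpoint range are hypothetical.

```python
from dataclasses import dataclass, field

# Allowed (state, input) -> next state for a hypothetical pump controller.
# Inputs prefixed "hmi:" come from the HMI; "ics:" are status feedback from
# the ICS itself, which the filter also needs to track the real machine state.
TRANSITIONS = {
    ("STOPPED",  "hmi:START"):     "STARTING",
    ("STARTING", "ics:RUN_OK"):    "RUNNING",
    ("RUNNING",  "hmi:SET_SPEED"): "RUNNING",
    ("RUNNING",  "hmi:STOP"):      "STOPPING",
    ("STOPPING", "ics:STOP_OK"):   "STOPPED",
}
SPEED_RANGE = (10, 90)  # hypothetical safe setpoint range, percent


@dataclass
class InputFsm:
    state: str = "STOPPED"
    log: list = field(default_factory=list)  # audit trail of every decision

    def hmi_input(self, command, arg=None):
        return self._step("hmi:" + command, arg)

    def ics_feedback(self, event):
        return self._step("ics:" + event, None)

    def _step(self, inp, arg):
        nxt = TRANSITIONS.get((self.state, inp))
        if nxt is None:  # unanticipated input for the current machine state
            self.log.append(("REJECT", self.state, inp, arg, "not valid in state"))
            return False
        lo, hi = SPEED_RANGE
        if inp == "hmi:SET_SPEED" and not (isinstance(arg, int) and lo <= arg <= hi):
            self.log.append(("REJECT", self.state, inp, arg, "setpoint out of range"))
            return False
        self.log.append(("ACCEPT", self.state, inp, arg, nxt))
        self.state = nxt
        return True


def run_sequence(inputs):
    """Feed (source, name, arg) triples through one FSM; return final state and verdicts."""
    fsm = InputFsm()
    verdicts = [fsm.hmi_input(n, a) if s == "HMI" else fsm.ics_feedback(n) for s, n, a in inputs]
    return fsm.state, verdicts


# Constructed sample traffic: a normal start and speed change, then inputs the
# FSM must drop (a second START while running, a setpoint out of range, and a
# SET_SPEED after the pump has stopped).
SAMPLE = [("HMI", "START", None), ("ICS", "RUN_OK", None), ("HMI", "SET_SPEED", 60),
          ("HMI", "START", None), ("HMI", "SET_SPEED", 150), ("HMI", "STOP", None),
          ("ICS", "STOP_OK", None), ("HMI", "SET_SPEED", 50)]
```

Rejected inputs never reach the ICS; the `log` entries give the detection and auditing record that a reviewer would expect from such a control.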

Provide equivalent protection in every way for distant HMI and environments and use authenticated encrypted tunnels to connect them.
In most low- to medium-consequence cases, a remote location with equivalent protection in every way should be allowed to connect through adequately secured infrastructure, assuming this doesn't exceed risk aggregation thresholds, violate regulatory, contractual, or other similar mandates, or cause problems from potential denial of services.

Use controlled configurations for distant environments and provide access through terminal servers.
Controlled configurations provide a modicum of protection for remote, particularly mobile, systems. By augmenting this with locally controlled terminal services, heavily managed internal mechanisms can provide assurance as well as extensive detection and auditing capabilities, and provide reasonable access and protection for many cases.

Use remote dial-in access with telephones and modems from controlled environments for distant access.
Remote dial-in access from controlled environments provides a low-speed and often independent method of communicating. To the extent that this is different from, or harder to attack simultaneously with, the other paths, it brings benefits in mitigation of common mode failure risks as well as elsewhere.

Use remote wireless access such as cellular, WiFi, laser link, or other similar connections from controlled environments for distant access.
Remote dial-in access from controlled environments provides a low-speed and, often independent, method of communicating. To the extent that this is different or harder to simultaneously attack, it brings benefits in mitigation of common mode failure risks as well as elsewhere.

Use remote dedicated connectivity from controlled environments for distant access.
Remote dedicated connectivity, typically in the form of leased lines that have cryptographic coverage provided by the vendor, provides high speed, partially independent, and harder to interfere with connectivity between locations.

Only allow distant access as an emergency backup when local access is in an uninhabitable or unreachable area.
For high risk situations, it is simply too risky to allow external locations to connect into internal network areas except as an emergency backup capability that gets enabled only when the local HMI is in an uninhabitable area and access is required to mitigate higher consequences.

Provide redundancy for distant emergency backup connectivity.
For high risk situations, redundant connections from HMI to ICS are used to increase the certainty of service availability. It is all the better if the redundant connections are separate and different; for example, the use of dial-in, direct connect, and Internet connect, if properly done, may provide three independent paths. Beware of common mode failures, such as the ISP, telephone provider, and dedicated line provider being the same service provider, or their paths passing through the same channels or locations en route.

Allow only local HMI access.
For some high risk situations, it is simply too risky to allow external locations to connect into internal network areas because the potential consequences of such access outweigh the potential benefits.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved