Fri Apr 8 06:49:41 PDT 2016
Zones: HMI connections: How should HMIs be connected to other ICS systems?
Options:
Option 1: Use digital diodes to prevent HMI control alteration.
Option 2: Use FSM input controls on ICS systems to limit HMI alterations of ICS.
Option 3: Provide equivalent protection in every way for distant HMI and environments and use authenticated encrypted tunnels to connect them.
Option 4: Use controlled configurations for distant environments and provide access through terminal servers.
Option 5: Use remote dial-in access with telephones and modems from controlled environments for distant access.
Option 6: Use remote wireless access such as cellular, WiFi, laser link, or other similar connections from controlled environments for distant access.
Option 7: Use remote dedicated connectivity from controlled environments for distant access.
Option 8: Only allow distant access as an emergency backup when local access is in an uninhabitable or unreachable area.
Option 9: Provide redundancy for distant emergency backup connectivity.
Option 0: Allow only local HMI access.
Decision:
The following approach to HMI access to ICSs is suggested. Use all that apply. If there are conflicts, use the first one listed. To the extent desired, added controls may be used where not otherwise required.
Risk factor: High negative consequences of remote HMI activities EXCEED High consequences of loss of HMI activities.
Approach: Allow only local HMI access.

Risk factor: Negative consequences of remote HMI activities EXCEED Benefits of remote HMI activities.
Approach: Allow only local HMI access.

Risk factor: High negative consequences of HMI control alteration or interference AND HMI alteration is required.
Approach: ALWAYS Use FSM input controls on ICS systems to limit HMI alterations of ICS.
  ALSO EITHER [Allow only local access.] OR
  [Provide equivalent protection in every way for distant HMI and environments and use authenticated encrypted tunnels to connect them.
  AND Use remote dedicated connectivity from controlled environments for distant access.
  AND Use controlled configurations for distant environments and provide access through terminal servers.
  AND Only allow distant access as an emergency backup when local access is in an uninhabitable or unreachable area.
  AND Provide redundancy for distant emergency backup connectivity.]

Risk factor: High negative consequences of HMI control observation.
Approach: ALWAYS Use encryption between the HMI and each ICS it interacts with.
  ALSO EITHER [Allow only local access.] OR
  [Provide equivalent protection in every way for distant HMI and environments and use authenticated encrypted tunnels to connect them.
  AND Use remote dedicated connectivity from controlled environments for distant access.
  AND Use controlled configurations for distant environments and provide access through terminal servers.
  AND Only allow distant access as an emergency backup when local access is in an uninhabitable or unreachable area.]
  ALSO IF HMI control alteration is NOT required, THEN Use a digital diode to prevent HMI control alteration.

Risk factor: Medium negative consequences of HMI control alteration or interference AND HMI alteration is required.
Approach: EITHER [Allow only local access.] OR
  [Provide equivalent protection in every way for distant systems and environments and use authenticated encrypted tunnels to connect them.
  AND Use controlled configurations for distant environments and provide access through terminal servers.
  AND EITHER [Use remote dial-in access with telephones and modems from controlled environments for distant access.
  OR Use remote wireless access such as cellular, WiFi, laser link, or other similar connections from controlled environments for distant access.
  OR Use remote dedicated connectivity from controlled environments for distant access.]]

Risk factor: Medium negative consequences of HMI control observation.
Approach: EITHER [Allow only local access.] OR
  [Use encryption between the HMI and each ICS it interacts with.
  AND Provide equivalent protection in every way for distant systems and environments and use authenticated encrypted tunnels to connect them.
  AND EITHER [Use remote dial-in access with telephones and modems from controlled environments for distant access.
  OR Use remote wireless access such as cellular, WiFi, laser link, or other similar connections from controlled environments for distant access.
  OR Use remote dedicated connectivity from controlled environments for distant access.]]

Risk factor: Negative consequences of HMI control alteration or interference AND HMI alteration is required.
Approach: Provide equivalent protection in every way for distant systems and environments and use authenticated encrypted tunnels to connect them.
  OR Use remote dial-in access with telephones and modems from controlled environments for distant access.
  OR Use remote dedicated connectivity from controlled environments for distant access.
  OR Use controlled configurations for distant environments and provide access through terminal servers.

Risk factor: Negative consequences of HMI control observation.
Approach: Provide equivalent protection in every way for distant systems and environments and use authenticated encrypted tunnels to connect them.
  OR Use remote dial-in access with telephones and modems from controlled environments for distant access.
  OR Use remote dedicated connectivity from controlled environments for distant access.
Remote HMI access to ICS
Basis:
Use digital diodes to prevent HMI control alteration. A digital diode is used to prevent output channels from being used for input, to a high degree of certainty. This will normally require protocol alterations, such as TCP to UDP and UDP to TCP proxies on the sending and receiving sides of the diode, in order to interface with technologies that depend on 2-way transport.
Use FSM input controls on ICS systems to limit HMI alterations of ICS. A custom FSM for the input to ICS systems from HMIs provides a means by which all inputs can be checked for validity in the context of the expected ICS machine state. This provides a high degree of certainty that unauthorized and unanticipated input sequences cannot appear at the ICS input.
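As an added example that is not part of the original page, the following Python sketch shows the kind of state-dependent input check the FSM basis describes: an HMI command is forwarded only when it is valid for the expected ICS state, setpoints are range-checked against that state, and everything else is dropped and recorded for audit. The controller states, commands, feedback events and speed limits are hypothetical.

```python
# Constructed illustration: states, commands, feedback events and limits are hypothetical.
from dataclasses import dataclass, field
# HMI commands accepted in each expected ICS state -> resulting expected state.
HMI_ALLOWED = {"STOPPED": {"START": "STARTING"},
               "STARTING": {"SET_SPEED": "STARTING", "STOP": "STOPPING"},
               "RUNNING": {"SET_SPEED": "RUNNING", "STOP": "STOPPING"},
               "STOPPING": {}}  # nothing from the HMI until the ICS confirms the stop
SPEED_LIMIT = {"STARTING": 20, "RUNNING": 100}  # setpoint range depends on state
# Confirmations from the ICS side that move the expected machine state.
ICS_FEEDBACK = {"STARTING": {"AT_SPEED": "RUNNING", "FAULT": "STOPPED"},
                "RUNNING": {"FAULT": "STOPPED"}, "STOPPING": {"STOPPED": "STOPPED"}}

@dataclass
class HmiInputFsm:
    state: str = "STOPPED"
    rejected: list = field(default_factory=list)  # audit trail of dropped input
    def hmi_command(self, cmd, arg=None):
        """Return the command to forward to the ICS, or None if it is dropped."""
        allowed = HMI_ALLOWED[self.state]
        if cmd not in allowed:
            self.rejected.append((self.state, cmd, arg, "invalid in state"))
            return None
        if cmd == "SET_SPEED" and not (
                isinstance(arg, int) and 0 <= arg <= SPEED_LIMIT[self.state]):
            self.rejected.append((self.state, cmd, arg, "out of range"))
            return None
        self.state = allowed[cmd]
        return (cmd, arg)
    def ics_feedback(self, event):
        """Advance the expected state on ICS confirmation; False if unexpected."""
        nxt = ICS_FEEDBACK.get(self.state, {}).get(event)
        if nxt is None:
            self.rejected.append((self.state, event, None, "unexpected feedback"))
            return False
        self.state = nxt
        return True
def run_sequence(events):
    """events: ("hmi", cmd, arg) or ("ics", event). Returns (forwarded, fsm)."""
    fsm, forwarded = HmiInputFsm(), []
    for ev in events:
        if ev[0] == "ics":
            fsm.ics_feedback(ev[1])
        elif (out := fsm.hmi_command(ev[1], ev[2])) is not None:
            forwarded.append(out)
    return forwarded, fsm
# Constructed sample: four out-of-sequence or out-of-range inputs are dropped.
SAMPLE = [("hmi", "SET_SPEED", 50), ("hmi", "START", None),
          ("hmi", "SET_SPEED", 50), ("hmi", "SET_SPEED", 15),
          ("ics", "AT_SPEED"), ("hmi", "SET_SPEED", 50), ("hmi", "START", None),
          ("hmi", "STOP", None), ("hmi", "STOP", None), ("ics", "STOPPED")]
```

Running `run_sequence(SAMPLE)` forwards only START, SET_SPEED 15, SET_SPEED 50 and STOP; the setpoint sent while stopped, the over-limit setpoint during ramp-up, the repeated START and the STOP during STOPPING all land in the rejected list.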
Provide equivalent protection in every way for distant HMI and environments and use authenticated encrypted tunnels to connect them. In most low- to medium-consequence cases, a remote location with equivalent protection in every way should be allowed to connect through adequately secured infrastructure, assuming this doesn't exceed risk aggregation thresholds, violate regulatory, contractual, or other similar mandates, or cause problems from potential denial of services.

Use controlled configurations for distant environments and provide access through terminal servers. Controlled configurations provide a modicum of protection for remote, particularly mobile, systems. By augmenting this with locally controlled terminal services, heavily managed internal mechanisms can provide assurance as well as extensive detection and auditing capabilities, and provide reasonable access and protection for many cases.
Use remote dial-in access with telephones and modems from controlled environments for distant access. Remote dial-in access from controlled environments provides a low-speed and often independent method of communicating. To the extent that this is different or harder to simultaneously attack, it brings benefits in mitigation of common mode failure risks as well as elsewhere.

Use remote wireless access such as cellular, WiFi, laser link, or other similar connections from controlled environments for distant access. Remote wireless access from controlled environments provides a low-speed and often independent method of communicating. To the extent that this is different or harder to simultaneously attack, it brings benefits in mitigation of common mode failure risks as well as elsewhere.

Use remote dedicated connectivity from controlled environments for distant access. Remote dedicated connectivity, typically in the form of leased lines that have cryptographic coverage provided by the vendor, provides high-speed, partially independent, and harder to interfere with connectivity between locations.
Only allow distant access as an emergency backup when local access is in an uninhabitable or unreachable area. For high risk situations, it is simply too risky to allow external locations to connect into internal network areas except as an emergency backup capability that gets enabled only when the local HMI is in an uninhabitable area and access is required to mitigate higher consequences.

Provide redundancy for distant emergency backup connectivity. For high risk situations, redundant connections to ICS from HMI are used to increase the certainty of service availability. It is all the better if redundant connections are separate and different; for example, the use of dial-in, direct connect, and Internet connect, if properly done, may provide three independent paths. Beware of common mode failures, such as the ISP, telephone provider, and dedicated line provider being the same service provider or passing through the same channels or locations en route.

Allow only local HMI access. For some high risk situations, it is simply too risky to allow external locations to connect into internal network areas because the potential consequences of such access outweigh the potential benefits.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved