- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
Network World - The Boeing Company is pioneering a way to securely bring together business IT networks with what ordinarily are entirely separate networks for industrial-control systems (ICS) in order to gain efficiencies and benefits in information-sharing in manufacturing.
Boeing's approach, which has been deployed in some of its airplane manufacturing plants, is leading to a new standards effort at the Trusted Computing Group (TCG) for what could be a revolutionary type of virtual private networking that could be applied not only to manufacturing ICS in the future but the "Internet of things," as it's now sometimes called. That could mean everything from electric or traffic systems to medical equipment in hospitals to nanny cams to oil and gas controls that when accessible via the Internet, are too vulnerable to hacker attacks.
[ BACKGROUND: Control systems hack at manufacturer raises red flag ]
"Boeing has done a great job in ICS security," says Stephen Hanna, distinguished engineer at Juniper Networks and chairman of the TCG's Trusted Network Connect work group where the new standard, influenced by what Boeing has done on a home-grown basis in its networks, is expected to be finalized by this fall.
The IF-MAP protocol is used today to establish a database of security, device management and vulnerability information that's received and aggregated from any security product, such as intrusion-detection systems and firewalls for example, that support IF-MAP. Hanna says a couple of dozen vendors support IF-MAP today, including Lumeta with its IPSonar network-discovery tool, for example, which Juniper uses.
But what Boeing has done with the IF-MAP protocol tackles a different question: Since ICS networks have traditionally been maintained as wholly separate entities, sometimes not TCP/IP-based or only connected via leased lines, how can ICS devices be integrated into the increasingly high-speed business IT networks that are usually connected to the Internet?
There are often strong reasons to interconnect them, such as huge cost savings or a way to unite ICS devices across Internet boundaries when needed, or just for information-sharing purposes. "But it opens up a lot of security issues," Hanna points out.
Craig Dupler, technical fellow in Boeing's research and technology business unit, say Boeing understands the nature of such risk. But it was also clear that there would be a huge advantage in using the IT network there to interconnect some parts of its ICS at Boeing.
So a few years back, research engineers with expertise in networking security devised what became home-grown "black boxes" that Boeing today internally refers to as its "Control Systems Security Solution" at Boeing.
These CS3 black boxes, which support the IF-MAP protocol among other standards, basically act as proxies to protect ICS equipment by orchestrating what each ICS can connect to, whether it's another network or a device. There's a means for policy-based enforcement of encryption or identity management. It allows the IT department to manage non-IT devices on the business network but also to delegate controls to the ICS team.