TNC IF-MAP Metadata for ICS Security 1.0 FAQs
FAQs for TNC IF-MAP Metadata for ICS Security, Version 1.0, Revision 45
FREQUENTLY ASKED QUESTIONS
Q. It appears TCG’s Trusted Network Connect (TNC) architecture will include support for industrial control systems (ICS) networks. What has been added to the TNC architecture?
A. This new ICS Security Metadata specification leverages the existing TNC architecture (IF-MAP in particular) to support a new class of use cases for the Industrial Control Systems (ICS) security domain. The focus is on providing secure, transparent communication between logically defined sets of legacy and new ICS devices over any untrusted IP network infrastructure.
Q. What is IF-MAP?
A. IF-MAP, the interface for a Metadata Access Point, is a standard client/server protocol for accessing a Metadata Access Point (MAP). The MAP server has a database for storing information about network security events and objects (users, devices, etc.); it acts as a central clearinghouse for information that infrastructure devices can act on. The IF-MAP protocol defines a powerful publish/subscribe/search mechanism and an extensible set of identifiers and data types. MAP clients can publish metadata and/or consume metadata published by other clients.
The original IF-MAP specification was published in 2008 and most recently updated in May of 2014. It extends the TNC architecture to support standardized, dynamic data interchange among a wide variety of networking and security components, enabling customers to implement multi-vendor systems that provide coordinated defense-in-depth and enable security automation.
Q. What benefits does IF-MAP offer to users of security products?
A. Users of IF-MAP enabled products can implement more effective, integrated security systems, gaining the following benefits:
- Coordinated security response across multiple products from multiple vendors, ranging from endpoint security to AAA, NAC, IDS/IPS, Data Loss Prevention, firewalls, etc. to infrastructure such as SIEM, CMDB, physical access control systems, and more.
- Stronger security with lower operating costs since various security components can dynamically interoperate, reducing the need for human intervention and accelerating security responses.
- Customer choice and flexibility, leading to lower initial costs. No need to buy all security products from one vendor to get coordinated, integrated security.
- Easier integration of data from multiple vendors and devices into security information and event management (SIEM) and other logging and reporting systems.
IF-MAP enabled products facilitate security automation, which has many benefits. These benefits include:
- Fewer false alarms (and therefore lower operating costs) since sensors can tune their detection algorithms based on user and machine identity and role.
- Simpler, more intuitive policies based on user identity and role instead of IP address.
- Dynamic creation and management of overlay networks protecting existing infrastructure.
Q. Why did TCG tackle this issue of ICS security?
A. ICS devices are embedded in a large variety of public and private infrastructure. As part of TCG’s mission of providing open, vendor-neutral industry specifications, this new ICS Security Metadata specification provides for scalable management of secure communications between ICS devices over otherwise untrusted networks.
Q. What is new in this TNC specification to address ICS security?
A. This specification defines a set of IF-MAP metadata and extended identifiers along with a prescribed set of MAP client behaviors. Together they provide the necessary coordination and configuration management functionality for creating secure logical overlay networks on which ICS devices can communicate.
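The publish/subscribe/search model described in the IF-MAP answer above, applied to the overlay-membership use case in this answer, as an added illustration that is not TCG's code and not the IF-MAP wire protocol (which is XML over SOAP); the identifier and metadata names (`overlay:plant-A`, `overlay-member`, `device-role`) are constructed placeholders, not names from the specification.

```python
from collections import defaultdict

class MapServer:
    """Simplified in-memory MAP: clients publish metadata on identifiers and on
    links between identifiers; subscribers to an identifier see each change."""

    def __init__(self):
        self.metadata = defaultdict(dict)       # identifier or link -> {type: (publisher, value)}
        self.links = defaultdict(set)           # identifier -> neighbouring identifiers
        self.subscriptions = defaultdict(list)  # identifier -> callbacks

    @staticmethod
    def _key(target):
        # A link is an unordered pair of identifiers; a lone identifier is its own key.
        return tuple(sorted(target)) if isinstance(target, tuple) else target

    def publish(self, publisher, target, md_type, value):
        key = self._key(target)
        self.metadata[key][md_type] = (publisher, value)
        if isinstance(key, tuple):
            a, b = key
            self.links[a].add(b)
            self.links[b].add(a)
        # Notify every subscriber of each identifier the publish touched.
        for ident in (key if isinstance(key, tuple) else (key,)):
            for callback in self.subscriptions[ident]:
                callback(key, md_type, value)

    def subscribe(self, identifier, callback):
        self.subscriptions[identifier].append(callback)

    def search(self, start, max_depth=1):
        """Identifiers reachable from start within max_depth links, with metadata."""
        seen, frontier = {start}, {start}
        for _ in range(max_depth):
            frontier = {n for f in frontier for n in self.links[f]} - seen
            seen |= frontier
        return {ident: dict(self.metadata[ident]) for ident in seen}

def overlay_scenario():
    """Constructed scenario: an overlay manager publishes membership links for two
    ICS devices; a gateway subscribed to the overlay identifier learns both without
    being configured individually, and a search enumerates the enclave."""
    mapsrv = MapServer()
    learned = []
    mapsrv.subscribe("overlay:plant-A", lambda key, t, v: learned.append((key, v)))
    mapsrv.publish("inventory", "device:plc-1", "device-role", "plc")
    for dev in ("device:plc-1", "device:rtu-7"):
        mapsrv.publish("overlay-manager", (dev, "overlay:plant-A"), "overlay-member", "active")
    graph = mapsrv.search("overlay:plant-A")
    members = sorted(i for i in graph if i.startswith("device:"))
    return members, len(learned), graph
```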
Q. How does TNC enable better security for critical infrastructure?
A. The ICS Security Metadata specification facilitates the deployment, management, and protection of large-scale industrial control systems by enabling creation of secure virtual layer 2 and/or layer 3 overlay networks on top of standard shared IP network infrastructure typically used in industrial control systems. Overlay networks isolate key components of these systems into protected enclaves.
This specification builds on the ISA100.15 architectural model for secure ICS communications over untrusted shared networks (TR100.15.01, “Backhaul Architecture Model: Secured Connectivity over Untrusted or Trusted Networks”), which contains an architectural model, use cases, and functional requirements such as identity-based access policy, device identification, and certificate lifecycle management.
The ICS Security Metadata specification follows this ISA100 architecture and is intended for use in retrofitting existing industrial control systems, as well as incorporation directly into new ICS products, as an additional interoperable security capability. While this specification focuses on the ICS security domain, it builds upon and complements the many other security standards and technologies offered by TCG.
Q. What benefits does the ICS Security Metadata specification offer to owners of industrial control systems?
A. Secure virtual overlay networks created between IF-MAP enabled ICS security products provide a range of benefits, including:
- Easy integration of products from multiple vendors, or multiple products from one vendor, to build solutions that can expand and evolve as your needs change
- Stronger security through coordinated identification, authentication, and authorization of ICS security components and ICS device communications
- Dynamic provisioning, deployment, and management of overlays
- Protection of legacy ICS components using less-secure or insecure protocols
- Lower initial costs, derived from the flexibility of interoperable multi-vendor solutions enabling purchase of best-of-breed components from a range of vendors, rather than proprietary single-vendor systems
- Lower operating costs, since administrators can centrally provision communication and access control parameters for overlay networks, rather than individually configuring each enforcement device
Q. What benefits does the ICS Security Metadata specification offer to vendors of ICS components?
A. Using open standards to integrate ICS security products provides many benefits over a proprietary approach or custom integrations:
- Quickly respond to emerging threats by integrating new information, such as security intelligence, into products as needed
- Broader analysis and review of security mechanisms strengthens vendors’ security offerings
- Ability to participate in an ecosystem of solutions and products to offer complete solutions to customers
- Extensible schema allows for easy support for vendor-specific data. Vendors can design metadata to meet the needs of their individual products and solutions
- Products can be certified by standards groups to interoperate
Q. How will the new specifications for ICS be used? What kinds of products would be developed to support them? What kinds of changes are required for existing products and deployments?
A. The architecture used in this specification allows the new security functionality to be inserted into existing control system deployments as well as directly incorporated into new ICS products and communications services. This allows an evolutionary deployment that addresses the near-term needs of existing systems while providing a path forward for building this protection directly into future systems.
Q. When will we see products?
A. Multiple vendors have already implemented or are implementing prototype products. When to offer products that comply with this specification is an individual vendor business decision.
Q. What is the role of the TPM in securing ICS?
A. The TPM provides both a secure, hardware-based store for cryptographic material (e.g., private keys for identity certificates) and platform measurement functionality in support of remote attestation of platform health. Both of these capabilities can add important security value to the architecture described by this ICS Security Metadata specification; however, the TPM is not required to implement this specification.
Q. Security of critical infrastructure is being addressed by government and many groups. Is TCG working with any of these to support other efforts or existing standards?
A. Yes. Thought leaders from both private industry and the US government have been involved in the maturation of this specification. Additionally, this specification incorporates and aligns with the latest architectural and security models from the International Society for Automation (in particular, ISA99 and ISA100).