TNC IF-MAP Metadata for ICS Security 1.0 FAQs


FAQs for TNC IF-MAP Metadata for ICS Security, Version 1.0, Revision 45


Q. It appears TCG’s Trusted Network Connect (TNC) architecture will include support for industrial control systems (ICS) networks. What has been added to the TNC architecture?

A. This new ICS Security Metadata specification leverages the existing TNC architecture (IF-MAP in particular) to support a new class of use cases for the Industrial Control Systems (ICS) security domain. The focus is on providing secure, transparent communications ability between logically defined sets of legacy and new ICS devices over any untrusted IP network infrastructure.

Q. What is IF-MAP?

A. IF-MAP, the interface for a Metadata Access Point, is a standard client/server protocol for accessing a Metadata Access Point (MAP). The MAP server has a database for storing information about network security events and objects (users, devices, etc.); it acts as a central clearinghouse for information that infrastructure devices can act on. The IF-MAP protocol defines a powerful publish/subscribe/search mechanism and an extensible set of identifiers and data types. MAP clients can publish metadata and/or consume metadata published by other clients.

The original IF-MAP specification was published in 2008 and most recently updated in May of 2014. It extends the TNC architecture to support standardized, dynamic data interchange among a wide variety of networking and security components, enabling customers to implement multi-vendor systems that provide coordinated defense-in-depth and enable security automation.
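To make the publish/subscribe/search model described above concrete, here is an added, self-contained Python sketch of a Metadata Access Point. It is illustrative code written for this FAQ, not TCG's or any vendor's implementation, and it does not speak the real IF-MAP wire protocol (which is SOAP/XML over TLS): it only models the graph of identifiers, the metadata attached to identifiers and to links between them, depth-bounded search, and the notification of subscribers when a publish touches the subgraph they watch. The identifier kinds, metadata names, client names and the sample scenario (an inventory client, an intrusion detection client, and a policy client watching a PLC) are all constructed for the example.

```python
"""Constructed, in-memory model of a MAP server's publish/subscribe/search.

Not the IF-MAP wire protocol; identifier kinds and metadata names are made up
for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Identifier:
    """A node in the MAP graph, e.g. Identifier("device", "plc-7")."""
    kind: str
    value: str


class MapServer:
    """Graph of identifiers; metadata hangs on nodes and on links between nodes."""

    def __init__(self):
        self.node_meta = defaultdict(list)   # Identifier -> [metadata dict]
        self.link_meta = defaultdict(list)   # frozenset({a, b}) -> [metadata dict]
        self.subs = {}                       # name -> (root, max_depth, callback)

    def publish(self, publisher, identifiers, metadata):
        """Attach metadata to one identifier or to a link between two, then notify."""
        record = {"publisher": publisher, **metadata}
        if len(identifiers) == 1:
            self.node_meta[identifiers[0]].append(record)
        elif len(identifiers) == 2:
            self.link_meta[frozenset(identifiers)].append(record)
        else:
            raise ValueError("metadata attaches to one identifier or one link")
        self._notify(set(identifiers))

    def search(self, root, max_depth):
        """Breadth-first walk over links from root, at most max_depth hops away."""
        seen = {root: 0}
        queue = deque([root])
        links = {}
        while queue:
            node = queue.popleft()
            if seen[node] >= max_depth:
                continue
            for key, meta in self.link_meta.items():
                if node not in key:
                    continue
                for other in key - {node}:
                    links[key] = list(meta)
                    if other not in seen:
                        seen[other] = seen[node] + 1
                        queue.append(other)
        return {
            "identifiers": {i: list(self.node_meta.get(i, [])) for i in seen},
            "links": links,
        }

    def subscribe(self, name, root, max_depth, callback):
        """Register interest in the subgraph around root; callback gets each update."""
        self.subs[name] = (root, max_depth, callback)

    def _notify(self, touched):
        # Deliver the current subgraph to every subscriber whose view was touched.
        for name, (root, depth, callback) in self.subs.items():
            result = self.search(root, depth)
            if touched & set(result["identifiers"]):
                callback(name, result)


def demo():
    """Constructed scenario: a policy client watches a PLC and reacts to an IDS event."""
    server = MapServer()
    plc = Identifier("device", "plc-7")                     # constructed
    ip = Identifier("ip-address", "10.0.0.5")               # constructed
    enclave = Identifier("identity", "enclave-boiler-room")  # constructed
    decisions = []

    def policy_callback(name, result):
        # The policy client inspects delivered event metadata and records a decision.
        events = [m for metas in result["identifiers"].values()
                  for m in metas if m.get("type") == "event"]
        severity = max((e["severity"] for e in events), default=0)
        decisions.append("quarantine" if severity >= 7 else "allow")

    # An inventory client publishes the device/IP binding and enclave membership.
    server.publish("inventory", [plc, ip], {"type": "device-ip"})
    server.publish("inventory", [plc, enclave], {"type": "membership"})
    # The policy client subscribes to everything within two hops of the PLC.
    server.subscribe("plc-7-watch", plc, 2, policy_callback)
    # An IDS client publishes an event on the IP; the subscriber is notified.
    server.publish("ids", [ip], {"type": "event",
                                 "name": "write-from-unknown-host",  # constructed
                                 "severity": 8})
    return decisions, server.search(plc, 2)


if __name__ == "__main__":
    print(demo())
```

The point of the model is the decoupling: the IDS client knows nothing about the policy client, and the policy client never polls; both only talk to the MAP, which is what lets multi-vendor components coordinate as the FAQ describes.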

Q. What benefits does IF-MAP offer to users of security products?

A. Users of IF-MAP enabled products can implement more effective, integrated security systems, gaining the following benefits:

IF-MAP enabled products facilitate security automation, which has many benefits. These benefits include:

Q.  Why did TCG tackle this issue of ICS security?

A. ICS devices are embedded in a large variety of public and private infrastructure. As part of TCG’s mission of providing open, vendor-neutral industry specifications, this new ICS Security Metadata specification provides for scalable management of secure communications between ICS devices over otherwise untrusted networks.

Q. What is new in this TNC specification to address ICS security?

A. This specification defines a set of IF-MAP metadata and extended identifiers along with a prescribed set of MAP client behaviors. Together they provide the necessary coordination and configuration management functionality for creating secure logical overlay networks on which ICS devices can communicate.

Q. How does TNC enable better security for critical infrastructure?

A. The ICS Security Metadata specification facilitates the deployment, management, and protection of large-scale industrial control systems by enabling creation of secure virtual layer 2 and/or layer 3 overlay networks on top of standard shared IP network infrastructure typically used in industrial control systems. Overlay networks isolate key components of these systems into protected enclaves.

This specification builds on the ISA100.15 architectural model for secure ICS communications over untrusted shared networks (TR100.15.01, “Backhaul Architecture Model: Secured Connectivity over Untrusted or Trusted Networks”), which contains an architectural model, use cases, and functional requirements such as identity-based access policy, device identification, and certificate lifecycle management.

The ICS Security Metadata specification follows this ISA100 architecture and is intended for use in retrofitting existing industrial control systems, as well as incorporation directly into new ICS products, as an additional interoperable security capability. While this specification focuses on the ICS security domain, it builds upon and complements the many other security standards and technologies offered by TCG.

Q. What benefits does the ICS Security Metadata specification offer to owners of industrial control systems?

A. Secure virtual overlay networks created between IF-MAP enabled ICS security products provide a range of benefits, including:

Q. What benefits does the ICS Security Metadata specification offer to vendors of ICS components?

A. Using open standards to integrate ICS security products provides many benefits over a proprietary approach or custom integrations:

Q. How will the new specifications for ICS be used? What kinds of products would be developed to support them? What kinds of changes are required for existing products and deployments?

A. The architecture used in this specification allows the new security functionality to be inserted into existing control system deployments as well as directly incorporated into new ICS products and communications services. This allows an evolutionary deployment that addresses the near-term needs of existing systems while providing a path forward for building this protection directly into future systems.

Q. When will we see products?

A. Multiple vendors have already implemented or are implementing prototype products. The decision on when to offer products that comply with this specification is an individual vendor's business decision.

Q. What is the role of the TPM in securing ICS?

A. The TPM provides both a secure, hardware-based store for cryptographic materials (e.g., private keys for identity certificates) and platform measurement functionality in support of remote attestation of platform health. Both of these capabilities can provide important additional security value to the architecture described by this ICS Security Metadata specification; however, the TPM is not required to implement this specification.

Q. Security of critical infrastructure is being addressed by government and many groups. Is TCG working with any of these to support other efforts or existing standards?

A. Yes. Thought leaders from both private industry and the US government have been involved in the maturation of this specification. Additionally, this specification incorporates and aligns with the latest architectural and security models from the International Society for Automation (in particular, ISA99 and ISA100).