In an era when critical infrastructure networks are increasingly connected to open networks, including the Internet, the air-gap security that these networks once enjoyed no longer exists. Malicious individuals can exploit this connectivity, together with security weaknesses in widely used, homogeneous COTS (commercial off-the-shelf) products, to penetrate deep into an organization's critical networks. Such an attack on SCADA (Supervisory Control And Data Acquisition) and process control networks could have devastating consequences. This paper describes an approach, Virtual Private Groups (VPGs), for creating and managing a virtual air gap between these networks and the environments in which they operate. After a brief description of the security issues that confront these networks, we describe our approach for addressing them. Many of the ideas presented here are the result of work done while implementing a version of VPGs directed towards critical infrastructure networks. In the course of that work we made a number of advances in managing policy for VPGs and related mechanisms.