The channel is the message - By James Wright

For many decades there has been a deadlock between the security researchers and OT engineers on how to build secure industrial control systems (ICS). The former having a monopoly on defining what verifiably secure communication channels are, and the later waiting for a silver bullet solution that can be applied across all ICS domains. This entry will explore the sources of this deadlock, before presenting some directions for security researchers could pursue to begin to bridge the gap between the two communities.

In 1964 Marshall McLuhan published his famous essay ‘The medium is the message’. In it he asserted that the semantic construction of a communication channel technologically determined the kinds of messages that could be sent through it. Applying this kind of analysis to the verifiably secure channels we begin to see where some of the tension arises from between the two communities.

The development of tools by security researchers to verify the security properties of communication channels have been driven by the fields origins in crypt-ography/analysis. The focus of which has been ensuring that the encrypted message was never compromised by the adversary. This objective has technologically determined construction of cryptanalytic adversary models, verifiable security properties, and the fields binding impossibility results. They have all been born of the desire to prevent message compromise, and as such has shaped what security researchers have come to understand as ‘secure’. However, this pursuit has unwittingly restricted what kinds of systems can use verifiably secure channels.

This means that only systems whose processes and message semantics meet the following assumptions can be considered verifiably secure:

1. That all devices have the computational power, and the network enough bandwidth, to quickly perform cryptographic operations.
2. That all devices can fail-safe in the presence of device or channel failure
3. That perfect global time is kept by all agents, and that devices progress only in an event driven manner.

?

To stress. Even if a lightweight, but equally strong, cryptographic function were to be formulated that could meet of assumption 1, the other two assumptions would still prevent ICS from using it. Lightweight cryptography is still antagonistic to the processes needed to build safe ICSs.

?

To maintain the safety of an ICS it has to observe the state of the physical system frequently enough to ensure deterministic control of the state. The frequency of observations of this state, and the time scale on which control actions are valid, is determined by the rate of change a state transitions of the physical system can occur. Over the decades OT engineers have been asking verifiable secure forms of the properties of controllability and observability. To the intuition of security researcher the verification of these control theory properties just feels like a reprioritization of the traditional security properties of Integrity, Availability, Non-Repudiation, Authentication, and Confidentiality. What isn’t communicated between the communities is the network and agent processes used to achieve the deterministic control and observation of the physical state. These network processes must also must operate in a real-time deterministic manner within the channel. Examples of these processes are:

• Strict message ordering in a time driven network communication model to ensure that the network doesn’t become congested.
• Multicast/broadcast communication models to rapidly broadcast emergency messages neighboring actuators.
• Distributed clock resynchronisation algorithms, as local device clocks will drift out of phase with each other.
• Consensus protocols so multiple sensors can decide on the correct value of the physical state.

If the channel that these processes are using resets the are not guaranteed to fail-safe. An interruption to them will eventually lead to the ICS losing its knowledge of the physical state so they can no longer deterministically control the physical system. The technological determinism of assumptions 2 and 3 have excluded these processes have from what is considered verifiably secure channel. For some physical systems, such as shipping and water treatment, the window in which to reestablish knowledge of physical state is big enough to fold in a secure channel reset, so it is possible for them to fail-safe. However, ICSs in aerospace and power systems state transition at such a rate that it is not possible to recover knowledge of the system if the channel fails without a safety violation occurring.

As previously stated, the focus of security researchers is to prevent an adversary from reading an encrypted message while ensuring that their interference isn’t detected. This has lead to the strongest possible adversary models to demonstrate that a communication channel they can operate in the most hostile of networks. This way of thinking is inappropriate for ICS verification, as consequence of an attack on an ICS cannot be hidden when the actuator or physical system becomes damaged by the adversary. The adversary models we verify ICS should reflect that.

The ICS adversary is interested in manipulating a device’s state machine itself of the device establishing, rather than any messages they send. If an adversary can manipulate an ICS’s safety instrumentation system (SIS) from broadcasting its warning that the physical state is becoming unsafe, the ICS’s whole state machine has changed. Internalizing this adversarial orientation reveals that there is an entire orthogonal class of security properties and verification questions that have yet to be theorized and operationalized into tools. ?

Finally the security researchers who verify secure communications channels have always been focused on the prevention of compromise, while ignoring the doctrines of attack detection and response. It is uncertain whether a verifiably secure channel can be developed that is inclusive the processes and reliability that ICSs need, but It is untrue to argue that they have to accept an inherent level of insecurity.

Building secure channels that have fundamental results of network theory and distributed systems explicitly stated within the communication models can build some verifiable security into ICS standards. Models that detect and frustrate an adversary’s attempt to manipulate an ICS device’s state machine.

The inherent insecurity and fragility in our ICS is not technology determined by their inability to conform to the assumptions of a verifiably secure channel. Broadening our understanding of what a verifiably secure means will allow OT engineers to build ICSs with some security. The processes required to build a safe and deterministic ICS may never be encapsulated in what is currently considered a verifiably secure channel that prevents compromise. But this does not mean that there isn’t a verifiably secure channel that can still protect ICSs from manipulation.