These CS3 black boxes, which support the IF-MAP protocol among other standards, act essentially as proxies that protect ICS equipment by orchestrating what each industrial control system is allowed to connect to, whether that is another network or a device. They offer policy-based enforcement of encryption and identity management, and they let the IT department manage non-IT devices on the business network while delegating controls to the ICS team.
"This is not a traditional VLAN," Dupler emphasizes. Rather, it is a way to orchestrate, in a fine-grained manner, what the controls-systems team and the IT department can each see on the network and what each is allowed to manage. "I don't want the heating and ventilation side to see what my robots are doing, for instance," says Dupler.
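The policy model the article describes, a default-deny allowlist between device groups whose rules each team may only write for the groups delegated to it, is sketched below as an added example. This is illustrative code written for this page, not Boeing's CS3 or Asguard's SimpleConnect software; the device names, group names, team names and rules are constructed, and the gateway's real enforcement mechanism (IF-MAP metadata, overlay tunnels) is not modeled here.

```python
"""Toy model of policy-based segmentation for ICS devices behind a gateway.

Added example, not code from Boeing or Asguard Networks. All devices, groups,
teams and rules are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    group: str  # e.g. "hvac", "robots", "robot-hmi" (constructed labels)


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    ports: frozenset  # destination TCP ports this rule permits


class SegmentationPolicy:
    """Default-deny allowlist between device groups with delegated admin scopes.

    A team may only add rules whose source and destination groups both lie
    inside the set of groups delegated to that team, so the HVAC team cannot
    grant itself a path into the robot cell.
    """

    def __init__(self):
        self.devices = {}
        self.rules = []
        self.delegations = {}  # team -> frozenset of groups it may manage

    def add_device(self, device):
        self.devices[device.name] = device

    def delegate(self, team, groups):
        self.delegations[team] = frozenset(groups)

    def add_rule(self, team, rule):
        allowed = self.delegations.get(team, frozenset())
        if rule.src_group not in allowed or rule.dst_group not in allowed:
            raise PermissionError(
                f"{team} may not write rules for {rule.src_group}->{rule.dst_group}")
        self.rules.append(rule)

    def is_allowed(self, src_name, dst_name, port):
        """Return True only if some rule explicitly permits this flow."""
        src = self.devices.get(src_name)
        dst = self.devices.get(dst_name)
        if src is None or dst is None:
            return False  # unknown devices get nothing: default deny
        return any(r.src_group == src.group and r.dst_group == dst.group
                   and port in r.ports for r in self.rules)


def can_team_write_rule(policy, team, rule):
    """True if the team's delegation permits the rule, False if it is rejected."""
    try:
        policy.add_rule(team, rule)
        return True
    except PermissionError:
        return False


def build_demo_policy():
    """Constructed plant: an HVAC controller, a robot, and the robot's HMI."""
    p = SegmentationPolicy()
    p.add_device(Device("hvac-ctrl-1", "hvac"))
    p.add_device(Device("robot-1", "robots"))
    p.add_device(Device("robot-hmi-1", "robot-hmi"))
    # IT delegates: the ICS team owns the robot cell, the HVAC team owns HVAC.
    p.delegate("ics-team", ["robots", "robot-hmi"])
    p.delegate("hvac-team", ["hvac"])
    # The ICS team permits Modbus/TCP (port 502) from the HMI to the robot.
    p.add_rule("ics-team", Rule("robot-hmi", "robots", frozenset({502})))
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    for src, dst, port in [("robot-hmi-1", "robot-1", 502),
                           ("robot-hmi-1", "robot-1", 22),
                           ("hvac-ctrl-1", "robot-1", 502)]:
        print(src, "->", dst, port, "ALLOW" if policy.is_allowed(src, dst, port) else "DENY")
    print("hvac-team may open hvac->robots:",
          can_team_write_rule(policy, "hvac-team", Rule("hvac", "robots", frozenset({502}))))
```

Two properties matter here and both are checked in the demo: any flow with no matching rule is denied, including from devices the gateway has never been told about, and the delegation check runs at rule-writing time rather than at packet time, so a team's mistakes stay confined to the groups it owns.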
Not all technical experts at Boeing share the belief that this is the best way to manage non-IT devices on an IT network, Dupler is quick to point out; it is still subject to debate. But Boeing is eager to see the kind of home-grown CS3 black box it came up with become commercialized for wider use over the long term.
Not only are vendors Infoblox and Juniper interested in how the concept evolves, but a former Boeing research engineer, David Mattes, left a year ago to start a Seattle-based firm called Asguard Networks to commercialize Boeing's "black box" idea. The product Mattes came up with, SimpleConnect, supports IF-MAP for ICS. SimpleConnect is being tried out at Boeing under limited circumstances, and Asguard Networks has other early-adopter customers as well, including a Florida water utility.
The SimpleConnect box "sits between the devices that need to be protected and a shared network resource, such as a business network or wireless or the Internet or a private network in a plant that needs to be further separated," Mattes says.
SimpleConnect automates the orchestration of cybersecurity for industrial control systems by placing a private network overlay on top of a shared network. Eventually, the SimpleConnect box could gain additional security functionality, such as intrusion detection or firewalling, Mattes adds.
However useful the security concept Boeing pioneered for its own network, one basic problem is that you can end up with too many black boxes scattered across the network, Dupler acknowledges. If Boeing's approach to security for industrial controls ever catches on and becomes widespread, Dupler says he hopes the functionality might one day be boiled down to fit inside something small, such as a network-interface card.