Control System Interfaces as a Security Chokepoint

A unique feature of control systems interfaces is that they support a limited number of constrained messages. A message containing a command such as turn on pump, or a telemetry point such as the flow rate in a pipe, don’t require much data to convey the information. Typically such messages have a fixed number of fields of fixed types, and each type is limited to a small number of allowed values. A command like the turn on pump may only need a single bit to encode the information, 1 for on, and 0 for off. The flow may be measured in a range that is limited by the flow sensor, e.g. 0 to 100 gal/min, with a precision of 0.1, so that a limited real value may be used.

These interfaces may only support a few such control messages, so that the total combination of possible allowed values is quite small compared to an unconstrained interface such as on a general purpose computer that must accept a wide range of network traffic. For the pump switch example compared to a general purpose computer, the ratio of acceptable values for pump to acceptable values for the general purpose computer is vanishingly small.

This highly constrained nature of values for control systems represents a great opportunity to secure the systems against cyberattack. In the language of cybersecurity we say that the attack surface of the control system interfaces is much smaller than that of the general purpose computer. Dramatically smaller in fact. Perhaps many orders of magnitude smaller. A small attack surface is one of the goals in securing a system because it gives fewer opportunities for the attacker to exploit. Therefore, a control system that uses the highly constrained nature of the controls interface as part of the cybersecurity posture should be much more secure than a comparable general purpose computer interface.

The control system interface forms a kind of information system chokepoint where the kinds of information that may pass through is highly limited. This is in stark contrast to the information flows on the computing component itself where a virtually unlimited variation of information is flowing through the system as part of the computation process. This may include complicated operating systems with capable kernels and device drivers, as well as potentially complex control system applications.

In a sense, a distributed control system may be viewed as large islands of complex information activity in the components connected by slim fibers of small, highly constrained interface connections. These tight passages as they were, are the place to protect and defend the systems. This is much like a military commander who has to defend his army against a large, capable force. Isn’t it easier to defend a narrow pass, then to take on the whole enemy in a plain? This is the lesson of King Leonidus at Thermopylae where the Greek defeated a vastly superior Persian army headed by their formidable leader Xerces. Shouldn’t we take this lesson from the past to help secure our control systems today, and in the future?

David Viel Founder and CEO

David is the founder of Cognoscenti Systems.