ControlMQ™: The Secure Middleware for Controls The ultimate endpoint protection for controls

ControlMQ™

ControlMQ™ provides the secure foundation for defending controls against network attack by applying a combination of cybersecurity principles into a single solution. This includes methods to encrypt and anonymize message packets on the wire, a hardware root-of-trust based on the NIC, a mechanism to prevent bypass of security processing, and a unique specification language and validation method for control messages. These techniques are combined with traditional cryptography, authentication, and error checking to produce a comprehensive and robust controls messaging mechanism.

Military Roots

Originally developed at Johns Hopkins University Applied Physics Lab for military control systems, this technology is now being made available to the commercial market to provide network cybersecurity for critical infrastructure and controls applications.

Secure Controls MiddlewareSecure Network Communications for Controls

Secure Controls Middleware Properties

Secure Controls Middleware protects distributed control systems and related system components against network cyberattack. To achieve this secure middleware for controls must implement six basic properties and achieve robust implementation.

The six properties required for secure middleware for controls

  • Prevent observation of message content on-the-wire
    Messages need to appear as packets of random bits that are indistinguishable from each other.
  • Detect any modification to messages
    The change of a single bit in a message will invalidate it.
  • Defend the network interfaces of the participating components
    Packets that are not legitimate, valid messages should be discarded, and possibly logged or tracked, and any potential for circumventing the message validation blocked.
  • Deliver a message instance exactly once
    A message should be delivered once and only once to receiving component in a timely manner, which is usually the latency of the network.
  • Prevent out of acceptable range messages from being sent or received
    Messages that have values outside of the system engineering limits should not be allowed to transit the network.
  • Prevent the spread of malware through messages
    Messages should not become a conduit for malware to move through the system network.

Enabling Secure Controls Middleware

Enabling secure middleware for controls requires an absence of vulnerabilities to cyberattack in the implementation itself. No software is perfect, but the quality and robustness of secure middleware can be greatly increased by applying a number of methods and principles.

Enabling methods and principles

  • Simple protocol design
    Protocols are often complex leading to a great combinatorial number of possible protocol interactions between system components. These great number of interactions can lead to unexpected or misunderstood effects. Complicated protocols require complicated implementations that are prone to defects and mistakes in following the design of the protocol. All of which can lead to vulnerabilities. The best protocol is a simple one step messaging where the interaction of sender and receiver is negotiated a-priori to its use.
  • Simple middleware software design
    The use of a simple protocol similarly allows for a simple design of the entire middleware solution, where the minimal functionality to achieve the above properties are used.
  • Small implementation
    Reducing the amount of code similarly reduces the likelihood of a defect being present in the code. Defects tend to appear proportionately to the size of the code and a defect rate of number of defects per thousand lines of code can be described.
  • Complexity is the enemy of security
    Complexity leads to increased potential for mistakes in design and implementation. Complexity tends to grow much faster than linearly with the size of the entity as combinatorial effects and multiple communications interaction effects dominate.
  • Mission critical development methods
    Most software is not developed for mission critical needs and as a result it often has many defects. Use of methods that include detailed design analysis, careful implementation using standard software constructs, extensive unit testing, and extensive system testing dramatically reduces the likelihood of defects in software and systems. Mission critical software typically has a defect rate orders of magnitude lower than most commercial and open source software.

ControlMQ™

ControlMQ™ is the Secure Controls Middleware solution. Only ControlMQ™ satisfies all the of the six required properties for secure middleware for controls. ControlMQ™ enables a vulnerability free implementation by following the development methods described above. ControlMQ™ specifies the most simple, one step protocol where a message is placed on the wire by the sender and pulled from the wire by the receiver. All interactions are configured prior to use in all participating components. ControlMQ™ consists of two elements: a daemon process broker that runs on each component and a development package used to build control applications. ControlMQ™ has been developed using extensive unit and system testing of each feature. Each of the two components has less than 10,000 lines of application code, which is small by modern software standards. Thus, the likelihood of a vulnerability in ControlMQ™ is quite low.

Novel Methods for Secure and Efficient Controls MessagingThe advantage of built in security

Cybersecurity Integrated into Controls

ControlMQ™ is constructed using a set of cybersecurity principles that results in the highest level of cybersecurity for controls. Central to these are the integration of the cybersecurity mechanism into the communications middleware to realize the advantages of built-in security.

Cybersecurity Specialized for Controls

Traditional IT/Data cybersecurity methods do not map well to the specialized needs of controls systems. IT/Data security methods were developed to provide one-size-fits-all cybersecurity to protect general purpose computing. This requires protecting a wide variety of uses like email, web browsing, financial systems, and multimedia. The result is an enormous attack surface that encompasses all the interfaces of all possible O/S, service and applications that are running. This is a daunting task to say the least, and one that hasn’t been completely successful. But, unlike general-purpose computers, controls are highly specialized systems. So, why not use that constraint as an advantage in protecting control systems?

Legacy Protocols

Control systems use a wide variety of protocols that have been developed over decades, each for a particular use. Many who use these protocols would like to continue to do so, so efforts have been made to patch on cybersecurity to these existing protocols. The results have been very helpful, but never completely successful. Inevitably patching leaves some attack paths unprotected. Only comprehensive security, designed in from the start can provide the high level of security for controls applications.

Cybersecurity Principles for Controls

  • Integrated communications middleware and cybersecurity
    Only building cybersecurity into the middleware ensures that all paths in the system are protected. Patched on cybersecurity inevitably does not map well to the design of the application and leave some paths open to exploitation.
  • Highly constrained interfaces
    The interface messages are restricted to a fixed set of arguments of fixed size and base type with the further constraint of value limits on each type. The highly constrained nature of these fixed format messages result in an extremely small attack surface. The lateral movement of malware through these interfaces is highly unlikely, as any effort to shoehorn malware into a series of restricted types would most likely cause the message to fail the validation phase and be dropped.
  • No reply
    A highly defensive posture is assumed by the components. Messages are one-way, having no return value. No reply is made to the sender of a message in the case that a message fails validation for any reason. Instead it is dropped. So, no information is leaked to a potential attacker.
  • Logical construction
    Correct behavior is specified using logical arguments rather than trying to understand and create signatures for incorrect behavior. The technology specifies what should only happen, and then rigorously prevents anything but that allowed behavior from happening. Such a rigorous specification is possible due to the highly constrained nature of the interfaces and messages. The message specification becomes the correct behavior specification for the system interface.
  • H/W root-of-trust
    Hardware properties of the NIC in conjunction with kernel functionality ensure that the processing and validation steps are not bypassed by any attack on the component interface
  • Autonomous posture
    Enforce an autonomous posture for all components to prevent a “brittle” system architecture, which would lock components together. Use of traditional middleware techniques, such as RPCs over TCP connections, results in a highly coupled system that is tantamount to a single program distributed over several components. This tight coupling means that any failure or compromise of one component dooms the entire system to failure or compromise. Instead, in this technology each component acts as an autonomous machine so that the failure or compromise of any one component will only result in the loss of functionality related to that component, and allows other functionality of the system to proceed unimpeded. To enable this autonomous posture connectionless, one-way messaging is used exclusively in the middleware.
  • Operates over asynchronous and unreliable networks
    Controls often operate over networks that are unreliable which either have a high probability of lost packets or occasional loss of connectivity. The technology is robust enough to handle these conditions due to connectionless messaging and reliable transport mechanisms.
  • Bias towards simplicity
    Protocols often suffer from complexity and feature creep as the “just one more thing” effect takes hold and each new issue is solved by adding yet another function, protocol step, or capability. This technology has a single step protocol that includes no negotiations during operations. Only the configuration during installation is required. The SIDL™ language is simple but powerful in its ability to capture message specifications while maximally constraining the range of values to produce a reduced attack surface.

Hardened Controls

The result of applying the above principles is that control system components are hardened against cyberattack. They keep the attack from succeeding in disrupting the functionality of the control system. This is a change in cybersecurity posture for control systems that puts the integrated defense of the components as the primary security mechanism; leaving the cybersecurity watch floor, network surveillance systems to do situational awareness as a backing system, as shown in the diagram below. Contrast this with the standard IT/data cybersecurity method of "detect and remediate", which allows the attack to succeed, but then detects it and tries to restore the system to a good state after the fact. Control systems need hardening to prevent attacks from succeeding. The method of "detect and remediate" will not suffice, as the operational systems under control cannot be put back to a good state after a successful attack.

Hardened Controls

Component Architecture Elements of secure components

Architecture Elements

The architecture for the control systems components is shown in the diagram below. The core element is a security broker, called the SecureSieve™ broker, which runs as a daemon process on the component. NB. This broker runs locally on the component only, not on the network intermediating among components. The broker guards and manages the protected network interface, which is dedicated to transmit and receive ControlMQ™ messages with other components of the control system. The broker performs all the core security functions like crypto, authentication, and integrity checks, and takes advantage of standard crypto and hashing technologies such as RSA, AES, and SHA, which allows the technology to take advantage of hardware acceleration built into most modern CPUs to boost performance. The broker communicates with controls processes through a UNIX socket on the component. Controls applications are developed using the ControlMQ™ Application Framework with messages specified using the SIDL language described below. The Application Framework provides an API to register for messages by type, and send and receive messages with other components.

Component Architecture

Linux Implementation

The initial implementation of ControlMQ™ is for the Linux platform. The kernel works with the NIC to use it as a H/W root-of-trust to ensure that an attacker does not bypass the security processing of the broker. The Linux kernel Netfilter functionality is used to limit the messages sent and received to those of the ControlMQ™ protocol, and the broker does higher-level packet processing.

ControlMQ™ Protocol

The ControlMQ™ protocol is designed to run over Ethernet/IP networks. It uses a novel network stack called the Security stack to ensure proper application of the cybersecurity principles described above. The Security stack is shown below next to the traditional OSI network stack. Levels 1-3 and 7 are the same so that packets can be switched and routed over Ethernet/IP networks. The protocol makes use the IP network protocol 99, which is for “any private encryption”, to avoid using UDP or TCP, which both leak information. Each level of the stack performs a different function starting with level four crypto, level five authentication, which are self explanatory. At level six is representation, which is how the actual message data are constructed by the SIDL language, and enforced by the Framework in the application.

Security Stack Comparison

SIDL™Secure Interface Definition Language

SIDL™

The Secure Interface Definition Language, is a simple, yet powerful language to specify platform independent application interfaces and messages. Messages are one-way datagrams that are sent from one peer to another. Messages are grouped into interfaces, which are given globally unique names. A peer signs up to receive an Interface in order to receive all associated messages. A particular message is then specified by the combination of interface name and message name.

Messages

A message specification contains a series of arguments much like a function declaration. The argument types are specified as user defined sidl_types. A sidl_type is a user-defined type based on three parameters: the bit length, the base primitive type, and the allowed range or ranges of values. A simple example will make this clear. In the file myinterface.sidl we have:

SIDL Example

Here a sidl_type named int16type is defined that is 16 bits in size, is a signed integer primitive type signedint, and has a range of valid values from -1 to 65000, inclusive. An interface named myinterface id defined with two messages: messageA has a single argument intarg1 of the type int16Atype defined above, and messageB with two arguments intarg1 and intarg2 both also of type int16Atype. The SIDL™ compiler compiles this file into both client and server side code that is then compiled and linked with the user application code along with the framework libraries.

SIDL Compile

Development and Deployment Build and deploy secure controls applications

ControlMQ™ Development tools

  • The SIDL compiler
  • Framework libraries in 'C'
  • Example interface code

Production environment components

  • Securesieve™ broker daemon and scripts
  • Configuration tools for setting up a peer instance
  • Configuration tools for generating keys and secrets and sharing information with peers
  • A custom IDS that works with peers components to provide situational awareness of unusual network activity

Try ControlMQ™ Start building and deploy secure controls applications today!

Get your free trial now!

30 Day Free Trial