What you’ll learn:
- 为什么安全和保障应优先于快速上线。
- How does software architecture that offers an isolation environment prevent threats from accessing the sensitive data?
- 为什么选择程序技术很重要。
感觉到,关键基础设施上的网络攻击的新闻报道范围正在上升。2月,我们了解到佛罗里达水处理厂被破坏了。5月,新闻传出了对殖民管道和爱尔兰公共医疗服务部门的袭击。这些事件引发了一个基本问题:这些系统是否应该首先连接?
To be sure, external network connections bring benefits to the business. But they also make those systems vulnerable to attack, as the inclusion of an external connection enables hackers to more easily access these systems and cause mischief.
Do the benefits of connectivity outweigh the associated risks? In some of the recent hacks, the external connectivity was provided to simply offer remote monitoring and control of a function. Is that flexibility better than requiring a human to come to the building? This may seem like a somewhat Luddite statement from someone in the technology sector. But one of the phrases I’ve repeated over the last 10 years has been “just because it is connected does not make it a good idea!”
Once the decision is made to connect crucial infrastructure systems to outside networks, safety and security should take priority over quickly getting the system online. The system architecture for the connected, deployed platform must be carefully constructed to:
- Continually raise the immunity of the system to attack through supported updates to the system.
- 认识到何时被妥协并能够将系统归还到已知良好状态。
- 将系统划分,使得可以以系统的功能,安全性以及无法访问或修改关键资产的方式包含任何入侵。
IT vs. OT
One有见地的文章指出,挑战之一是信息技术(IT)和运营技术(OT)的截然不同的观点。引用“它希望将数据保密;OT希望使所有事物都超越一切,或者使每个人都活着和安全。”
One of my favorite series of books (the movie was awful) wasThe Hitchhiker’s Guide to the Galaxy. In that, a babel fish was inserted in someone’s ear. This enabled any spoken language to be translated into the first language that the person understood. In these connected systems, there’s a similar need to bridge from the old to the new, translating the commands and frameworks used in the IT world into the safe, highly reliable, and highly available world of OT.
When discussing this in other forums, I’ve been challenged on several statements. One of the strongest pushbacks stated, “No software may be run safely on unsecure hardware.” I think we would all agree that we would like more secure hardware components.
The great news is that a number of efforts are underway to improve the system-level security of connected systems, one example beingArm’s平台安全体系结构(PSA)计划。的确,如果这样的系统运行较差的软件受到损害,那么系统的皇冠珠宝将无法访问。也就是说,我们应该退后一步,考虑:
- 硅(不是IP)可用性的时间表。
- 嵌入式系统的设计周期。
- PSA推出的时间表。
- The length of time that embedded platforms are deployed for before they’re traded out.
在过去五年中,ARM合作伙伴发货的1000亿芯片中有多少人符合PSA?现实情况是,那里的大量平台基于传统体系结构(我在这里引用了武器,但是对于X86-,MIPS-和基于RISC-V的组件也存在类似的挑战)。
What’s needed is a software architecture that offers an isolation environment that prevents threats from accessing the sensitive data even when the endpoint has been compromised. Secure systems should be conceived as distributed ones—where security is achieved partly through the physical separation of their individual components and partly through the mediation of trusted functions performed within some of those components.
Creating Separation
有效、安全的虚拟块飞地,建立using virtualization, need to be created in which operating systems, applications, and security functions can execute. Simply put, the control of how a machine’s resources are allocated and secured is separated from the operating system. This turns the endpoint from a point of vulnerability to a point of protection.
就像操作系统在其进程之间强制执行受保护的内存上下文一样,分离内核管理程序在不同的虚拟机(VM)之间执行内存保护上下文。尽管每个VM中的流程可能会相互作用,但他们不可能在没有明确授权的情况下与其他VM进行交互。
操纵管理程序技术的选择很重要。某些嵌入式选项仍在基础操作系统上建立,这意味着如果它们失败,则整个系统可能会崩溃。我们还看到了允许根登录的变体。最小配置的虚拟机程序可以有效地为各种VM分配资源(即在系统启动后无法更改)然后脱离方向,这实际上是前进的路径。
在短期内,网络攻击的速度可能会变得更加频繁。使用安全性设计关键的基础架构系统首先要优先考虑,这将是确保我们的关键网络保持不可渗透尽可能无法穿透的关键。
