Roger Schell, Dramatically Reducing Attack Surface Using Integrity MAC Security Kernel

We face an existential threat of permanent damage to critical physical components in our national infrastructure as a result of their poor resilience against cybersecurity attack. A Programmable Logic Controller (PLC) commonly provides the control system for such components, e.g., bulk power generators. Our proof-of-concept implementation dramatically mitigates threats to such cyber-physical systems (CPS) by specifically leveraging what NIST 800-160 calls "highly assured, kernel-based operating systems in Programmable Logic Controllers".We dramatically reduce the attack surface visible to potential attackers to be ~1% of the total compared to competing approaches. Our demonstration refactors the common CPS architectural approach to data and cooperating processes into hierarchically ordered security domains using the widely available OpenPLC project code base. The GEMSOS security kernel verifiably enforces traditional integrity mandatory access control (MAC) policy on all cross-domain flows. GEMSOS is designed for wide-spread delivery as a Reusable Trusted Device, providing the reference monitor for secure single-board, multi-board, and System-on-a-Chip systems.Only a processing component in the highest integrity domain can directly send/receive control signals, enforcing "safe region" operating constraints to prevent physical damage. This very small attack surface protects the critical physical components, making the overall CPS resilient to skilled adversaries' attacks, even though much larger lower integrity software running in other domains on the same Trusted Device hardware and network infrastructure may be thoroughly compromised. We make available our restructured OpenPLC source to encourage control system manufacturers to deliver verifiable PLC products to, as NIST puts it, "achieve a high degree of system integrity and availability" for control systems. UC Davis is using our demonstration on GEMSOS in their Computer Security Lab, today. About the speaker: Roger R. Schell is internationally recognized for originating several key modern security design and evaluation techniques, and was awarded patents in cryptography, authentication and trusted workstation. His experience includes 20 years in US federal program management (computers), 30 years as a computer industry security product vendor, and 5 years as a graduate cybersecurity engineering faculty member.He is President and a founder of Aesec Corporation, a start-up providing a commercial verifiably secure operating system. Previously Dr. Schell was co-founder and vice president for Gemini Computers, Inc., now an Aesec subsidiary. At Gemini he directed development of their highly secure (what NSA called "Class A1") commercial product, the Gemini Multiprocessing Secure Operating System (GEMSOS). He was also the founding Deputy Director of NSA's National Computer Security Center. He has been referred to as the "father" of the Trusted Computer System Evaluation Criteria (the "Orange Book"). Dr. Schell is a retired USAF Colonel. He received a Ph.D. in Computer Science from the MIT, an M.S.E.E. from Washington State, and a B.S.E.E. from Montana State. The NIST and NSA have recognized Dr. Schell with the National Computer System Security Award. In 2012 he was inducted into the inaugural class of the National Cyber Security Hall of Fame.