New model lets complex corporate networks layer security on top of legacy systems

Established companies gain confidence in cloud computing while safeguarding data


Tempered Networks got its start by taking a unique approach toward locking down the industrial control systems (ICS) used at the Boeing Co.’s airplane manufacturing plants.

The problem Boeing was trying to solve at the time turns out to be much the same as the puzzle organizations of all types face today: How do you ingrain security into complex hybrid networks without completely throwing out legacy systems?

Striking that balance in the age of cloud computing and the Internet of Everything is crucial to empowering employees to securely and productively leverage modern IT systems. “Security is great, but business has to run,” says Marc Kaplan, vice president of security architecture and services at Seattle-based Tempered Networks.

ICS technologies predate the internet, so those used in manufacturing plants, utility plants and transportation systems remain a huge security challenge. The rising dominance of cloud computing and mobile devices for running modern-day networks has exposed ICS controls, in particular, to threat actors.


Boeing, for instance, found it challenging to assure the security of its industrial controls while also maintaining a high pace of jetliner production. “They had to find a way to identify and separate systems from each other,” Kaplan says. The solution came in the form of an innovative protocol—called HIP, host identity protocol—developed by Ericsson and sponsored by Boeing and the U.S. Navy.

Stability and security

“Essentially, it’s an overlay, so an environment can keep running the systems it ran before,” he says. It’s an identity-based network, an architecture that “rides above” an established system, without changing fundamental system attributes.

It was an important breakthrough, since most industries are reluctant to make wholesale changes to legacy systems that are working. In today’s banking sector, for example, “these systems run very old code, and for good reason,” Kaplan says. “They’re very stable; the upgrading is a high risk.”

Marc Kaplan, Tempered Networks vice president of security architecture and services

“When you’re running an electric grid, turning the grid off is not an option, so these systems couldn’t protect themselves,” he says. They needed an easy way to create identity-based networking without compromising or crashing the existing system.

Kaplan says using the HIP system provides companies something they could not do on their own, “which is rock-solid security with very fast and reliable connectivity.”

Wider applications

As it has turned out, Tempered Networks’ commercialized version of HIP has uses beyond industrial and financial systems. With companies turning over large chunks of their networking infrastructure to hosted services, like Microsoft Azure, Google Cloud and Amazon EC2, the same dilemma has cropped up: “How do I connect my enterprise environment to the cloud and do it seamlessly without having to re-architect pieces of it?” Kaplan says.

There’s also the question of protection. “Once I’ve moved the security aspects out of my data center into the cloud, I now have to rely on attributes of the cloud provider to keep security for me,” he says. “There’s more potential for inroads into your enterprise environment. … You’ve now extended yourself out to another data center.”

Sharing becomes easier

With a HIP system, companies can build overlays to share networks and network information. “If I want to send a file to you, I can have my own profile with you that you can come to my system. At the same time, I can have a profile that talks to my corporate network, as well,” Kaplan says. “I can extend what would be my cloud directly to the people I want into my services.”

For a deeper drill down on what Tempered Networks is bringing to the table, please view the accompanying video.
