When Intel followed the acquisition of Wind River, the maker of the popular PLC OS VxWorks, with the acquisition of McAfee, our curiosity was peaked. More recently they acquired SIEM vendor NitroSecurity who had a significant and sustained effort on ICS security. So we have been waiting to see what solutions would result from that interesting combination.
On May 15th McAfee had a marketing splash, McAfee Aims To Protect Critical Infrastructure From Increased Attacks.
McAfee and Intel created a “reference implementation” that integrates a number of McAfee security solutions relevant to substations and network operations centers with selected Intel processors and hardware-based security and manageability technologies. The reference implementation emulates the components and functionality commonly found in a critical infrastructure environment. The added capability of end-point security, network security and security management solutions can deliver a secure environment with increased reliability.
There is a link to a Protect Critical Infrastructure page and a solution guide. So far the information has been vague and underwhelming. It talks in general terms about needing multiple product solutions that McAfee offers that are managed across numerous zones. The best and most specific information was:
For example, the McAfee DAM solution provides application programming interface (API) integration with the OSIsoft PI System and pulls asset information tags into the McAfee SIEM solution for more accurate correlation and analysis. Dynamic whitelisting helps prevent any unauthorized code or malware from operating on fixed function devices and is ideal for SCADA and ICS systems that perform a finite set of operations. The McAfee IPS solution also features one of the broadest sets of ICS and SCADA-specific attack signature sets. Key McAfee solutions with native SCADA and ICS support include dynamic whitelisting, SIEM, DAM, and IPS.
More like the PI example and more detail would be very useful. Hopefully it will follow shortly as they integrate NitroSecurity more fully.
One controversial area is the focus of integrating security across zones:
McAfee empowers organizations to address security and regulatory mandates while maintaining availability across IT, SCADA, and ICS. The Security Connected strategy breaks down the silos that segregate these zones from a protection, detection, and incident response perspective and allows for a much more robust security posture.
There are benefits to this approach, but also risk allowing more traffic from the less secure zone into the more secure zone. It would be one thing to push security events from the SCADA or DCS to the SIEM in the enterprise, but as I read the document McAfee envisions much more where security updates are pushed into the more secure zone and security products potentially managed from the least secure zone.
I can’t end this article without a brief mention of PLC security. Since VxWorks is the OS in many PLC’s, it would be great if they worked with PLC vendors to provide them the security hooks that would make providing basic PLC security functions easier.