Publications

Despite the significant amount of effort that often goes into securing mission critical systems, many remain vulnerable to advanced, targeted cyber attacks. In this work, we design and implement TALENT (Trusted dynAmic Logical hEterogeNeity sysTem), a framework to live-migrate mission critical applications across heterogeneous platforms. TALENT enables us to change the hardware and operating system on top of which a sensitive application is running, thus providing cyber survivability through platform diversity. Using containers (a.k.a. operating system-level virtualization) and a portable checkpoint compiler, TALENT creates a virtual execution environment and migrates a running application across different platforms while preserving the state of the application. The state, here, refers to the execution state of the process as well as its open files and sockets. TALENT is designed to support a general C application. By changing the platform on-the-fly, TALENT creates a moving target against cyber attacks and significantly raises the bar for a successful attack against a critical application. Our measurements show that a full migration can be completed in about one second.

Interconnections between process control networks and enterprise networks has resulted in the proliferation of standard communication protocols in industrial control systems which exposes instrumentation, control systems, and the critical infrastructure components they operate to a variety of cyber attacks. Various standards and technologies have been proposed to protect industrial control systems against cyber attacks and to provide them with confidentiality, integrity, and availability. Among these technologies, data diodes provide protection of critical systems by the means of physically enforcing traffic direction on the network. In order to deploy data diodes effectively, it is imperative to understand the protection they provide, the protection they do not provide, their limitations, and their place in the larger security infrastructure. In this work, we briefly review the security challenges in an industrial control system, study data diodes, their functionalities and limitations, and propose a scheme for their effective deployment in trusted process control networks (TPCNs.)