Canonical Network Isolator Component (C-NIC) and the Pull-Push Super Typing Architecture (PPSTA)

Reference#: P03096

Systems today are routinely connected to the now ubiquitous Internet. These include control systems which until recently operated in isolation but are now connected to the Internet for the convenience of remote management. Such systems include industrial control systems, SCADA systems, automation systems, and telecom systems, as well as a myriad of embedded systems which manage, for example, lighting and HVAC. In the government sector they also include healthcare systems as well as space and military systems. Along with the benefits of being connected to the Internet come the threats that have long plagued desktop computers and back-office servers: the malicious hacker and his malware infecting and misusing the computing resources.

The stakes of malicious hacking against control systems are much higher than those for conventional computer systems. These control systems provide our infrastructure services, such as electric power, water, traffic control, and telephone service. They also provide for our national defense. A compromise of any one of these systems by malicious hackers would have an immediate and devastating impact on those who depend on the services. Electricity, water, or phone service might be unavailable for days or more. Defense systems such as ships or planes could become inoperable.

These threats are not speculative. A number of highly publicized events have already occurred: in 2011 hackers shut down an Illinois water utility's pumping station; in early 2013 two US power plants were infected by malware, causing one to be shut down; and a Russian nuclear plant was reportedly infected by the Stuxnet malware, which was originally targeted at Iran's nuclear enrichment program. In addition, there were recent reports on targeted by cyber-attacks. These are only some of the publicly known attacks. Many more go unreported, including those against government and military systems.

Current defenses are not up to the task of defending these critical systems. They include firewalls which block certain ports or only allow access from certain IP addresses, virus scanners which look for known viruses, and intrusion detection systems which look for signatures of malware activity. All of these technologies have been compromised in some way by advanced cyber-attack techniques. The actors engaging in these attacks are not just amateurs or criminals, but now include highly skilled and trained professionals from potential adversary nation-states. The number of control systems in use ranges from hundreds of large plant-wide systems to millions of embedded control devices. The need for network security is only growing as the level of threat increases each year. Billions of dollars are spent on cyber security each year, and that amount will likely grow with the number of systems in use and the level of attacks which occur.

Scientists at APL have developed the Canonical Network Isolator Component (C-NIC), a novel method and mechanism based on fundamental principles of data transport and computing to protect control systems against threats that come over the Internet. C-NIC provides a middleware language, SIDL, which developers use to define and implement the system interfaces that are exposed to the Internet. C-NIC-enabled systems then send SIDL-specified messages over the Internet to communicate with each other. The C-NIC technology ensures that only SIDL messages intended for the system are allowed access to it, and only those SIDL messages that pass authentication and validation are passed to applications running on the system. All other network traffic is dropped at the C-NIC interfaces. Thus, the specified network messages which are designed for use by the system continue to pass unimpeded, while packets containing malware do not enter the system. Not one of the many simulated online attacks performed by APL was able to compromise a system configured with the C-NIC technology.
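To make the default-drop gate described above concrete, here is an added illustration (not APL's code; the page does not publish SIDL, so the interface-definition format, the HMAC-based authentication, the message types and the value ranges are all assumptions) of an isolator that admits only messages declared in an interface definition and drops everything else:

```python
import hmac, hashlib, json

# Constructed stand-in for a SIDL-style interface definition: the only message
# types, fields and field types the system exposes (format is an assumption,
# not APL's SIDL).
INTERFACE = {
    "SetPumpSpeed": {"pump_id": int, "rpm": int},
    "ReadStatus": {"pump_id": int},
}
RANGES = {"rpm": (0, 3600), "pump_id": (1, 16)}   # constructed value limits
KEY = b"constructed-shared-key"                    # demo key, not a real secret
TAG_LEN = hashlib.sha256().digest_size

def encode(msg_type, payload, key=KEY):
    """Sender side: canonical JSON body followed by an HMAC-SHA256 tag."""
    body = json.dumps({"type": msg_type, "payload": payload}, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def gate(frame, key=KEY):
    """Isolator side. Returns ("pass", msg) only when every check succeeds;
    anything else, including arbitrary non-interface traffic, is ("drop", reason)."""
    if not isinstance(frame, (bytes, bytearray)) or len(frame) <= TAG_LEN:
        return "drop", "malformed frame"
    body, tag = bytes(frame[:-TAG_LEN]), bytes(frame[-TAG_LEN:])
    # Authenticate before parsing so unauthenticated bytes never reach the parser.
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return "drop", "authentication failed"
    try:
        msg = json.loads(body)
    except ValueError:
        return "drop", "not a message"
    if not isinstance(msg, dict) or set(msg) != {"type", "payload"}:
        return "drop", "bad envelope"
    spec = INTERFACE.get(msg["type"])
    if spec is None:
        return "drop", "unknown message type"
    payload = msg["payload"]
    if not isinstance(payload, dict) or set(payload) != set(spec):
        return "drop", "field set does not match interface"
    for name, typ in spec.items():
        val = payload[name]
        if type(val) is not typ:          # exact type: bool is not accepted as int
            return "drop", f"bad type for {name}"
        lo, hi = RANGES.get(name, (None, None))
        if lo is not None and not lo <= val <= hi:
            return "drop", f"{name} out of range"
    return "pass", msg
```

The checks are ordered so that a frame must be authenticated before it is parsed, and parsed against the declared interface before any field value is inspected; a frame that fails at any step is dropped with the reason, which is what a defender would log.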

Patent Status: U.S. patents pending.

*A fully functioning prototype system was created using the C-NIC technology to test its ability to repel malicious network attacks while allowing proper functionality to continue. A production implementation of C-NIC is under development.

Mr. K. Chao
Phone: (443) 778-7927