Canonical Network Isolator Component (C-NIC) and the Pull-Push Super Typing Architecture (PPSTA)
Systems today are routinely connected to the now ubiquitous Internet. These include control systems which until recently operated in isolation, but are now connected to the Internet to allow for the convenience of remote management. These systems include industrial control systems, SCADA systems, automation systems, and telecom systems, as well as a myriad of embedded systems which manage, e.g., lighting and HVAC systems. In the government sector they also include healthcare, as well as space and military systems. Along with the benefits of being connected to the Internet come the threats that have long plagued desktop computers and back-office servers: the malicious hacker, and the malware that infects and misuses computing resources.
The stakes of malicious hacking against control systems are much higher than those of conventional computer systems. These control systems provide our infrastructure services like electric power, water, traffic control, and telephone service. They also provide for our national defense. A compromise of any one of these systems by malicious hackers would have an immediate and devastating impact on those who depend on the services. Electricity, water, or phone service might be unavailable for days or more. Defense systems like ships or planes could become inoperable.
Scientists at APL have developed the Canonical Network Isolator Component (C-NIC), a novel method and mechanism based on fundamental principles of data transport and computing to protect control systems against threats that come over the Internet. C-NIC provides a middleware language, SIDL, which developers use to define and implement the system interfaces that are exposed to the Internet. C-NIC-enabled systems then send SIDL-specified messages over the Internet to communicate with each other. The C-NIC technology ensures that only SIDL messages intended for the system are allowed access to the system, and only those SIDL messages that pass authentication and validation are passed to applications running on the system. All other network traffic is dropped by the C-NIC interfaces. Thus, specified network messages which are designed for use by the system continue to pass unimpeded, while packets containing malware do not enter the system. Not one of the many simulated online attacks performed by APL was able to compromise a system configured with the C-NIC technology.
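The filtering model described above (an interface declared up front, each inbound message authenticated and then validated against that declaration, everything else dropped) can be illustrated with a small default-deny message gateway. The following is an added example written for this page; it is not APL's C-NIC code and SIDL itself is not public, so the `INTERFACE` schema, the `<hmac>.<json>` frame layout, the shared `KEY` and all sample frames are constructed assumptions standing in for a SIDL-defined interface and its transport.

```python
import hashlib
import hmac
import json

# Hypothetical interface definition that stands in for a SIDL-specified
# interface (assumption: SIDL is not public). Each message type lists its
# permitted fields as (python type, minimum, maximum).
INTERFACE = {
    "SetPumpSpeed": {"pump_id": (int, 0, 15), "rpm": (int, 0, 3000)},
    "ReadSensor": {"sensor_id": (int, 0, 255)},
}

# Constructed demo key shared by sender and gateway; a real deployment would
# provision per-peer keys out of band.
KEY = b"constructed-demo-key-not-a-real-secret"

MAC_HEX_LEN = 64  # length of an HMAC-SHA256 hex digest


def build_frame(msg_type, args):
    """Sender side: serialise a message and prepend its HMAC tag.
    Frame layout (constructed for this example): <64 hex chars>.<json bytes>."""
    body = json.dumps({"type": msg_type, "args": args}, sort_keys=True).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode("ascii")
    return tag + b"." + body


def validate_args(schema, args):
    """Field-by-field check: exact key set, exact type (bool is not int), range."""
    if not isinstance(args, dict) or set(args) != set(schema):
        return False
    for name, (typ, lo, hi) in schema.items():
        val = args[name]
        if type(val) is not typ or not (lo <= val <= hi):
            return False
    return True


def gateway(raw):
    """Default-deny filter. Returns (verdict, message): verdict is "accept"
    or a drop reason; message is the decoded dict only on accept."""
    head, sep, body = raw.partition(b".")
    if not sep or len(head) != MAC_HEX_LEN:
        return ("drop:malformed", None)        # not even frame-shaped
    # Authenticate before parsing, so unauthenticated bytes never reach the parser.
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(expected, head):
        return ("drop:bad_mac", None)
    try:
        msg = json.loads(body)
    except ValueError:
        return ("drop:not_json", None)
    if not isinstance(msg, dict) or set(msg) != {"type", "args"}:
        return ("drop:bad_envelope", None)
    schema = INTERFACE.get(msg["type"])
    if schema is None:
        return ("drop:unknown_type", None)     # no such interface method
    if not validate_args(schema, msg["args"]):
        return ("drop:bad_args", None)
    return ("accept", msg)


def run_demo():
    """Feed a constructed traffic mix through the gateway; return verdict counts."""
    good = build_frame("SetPumpSpeed", {"pump_id": 3, "rpm": 1200})
    tampered = good.replace(b'"rpm": 1200', b'"rpm": 9999')  # body edited after signing
    frames = [
        good,
        build_frame("ReadSensor", {"sensor_id": 7}),
        tampered,
        build_frame("SetPumpSpeed", {"pump_id": 3, "rpm": 9999}),  # signed, but out of range
        build_frame("RebootController", {}),                      # not in the interface
        b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n",                   # arbitrary non-interface traffic
        b"\x00" * 80,                                             # junk bytes
    ]
    counts = {}
    for frame in frames:
        verdict, _ = gateway(frame)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    print(run_demo())
```

The order of checks is the point of the design: framing, then authentication, then parsing, then interface and field validation, so that each stage only ever sees input the previous stage vouched for, and the only way to reach an application handler is with a correctly keyed message whose type and every field match the declared interface. The demo mix yields two accepted frames and five drops, each tagged with the stage that rejected it, which is also the information a defender wants logged at the boundary.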
Patent Status: U.S. patents pending.
A fully functioning prototype system was created using the C-NIC technology to test its ability to repel malicious network attacks while allowing proper functionality to continue. A production implementation of C-NIC is under development.
CONTACT:
Mr. K. Chao
Phone: (443) 778-7927