TCG Trusted Network Communications IF-MAP Metadata for ICS Security Specification Version 1.0 Revision 46 15 September 2014 Published Contact: [email protected] TCG PUBLISHED TCG Copyright © TCG 2005-2014 TCG Copyright 2005-2014 Specification Version 1.0 Copyright © 2014 Trusted Computing Group, Incorporated. Disclaimers, Notices, and License Terms THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Without limitation, TCG disclaims all liability, including liability for infringement of any proprietary rights, relating to use of information in this specification and to the implementation of this specification, and TCG disclaims all liability for cost of procurement of substitute goods or services, lost profits, loss of use, loss of data or any incidental, consequential, direct, indirect, or special damages, whether under contract, tort, warranty or otherwise, arising in any way out of use or reliance upon this specification or any information herein. This document is copyrighted by Trusted Computing Group (TCG), and no license, express or implied, is granted herein other than as follows: You may not copy or reproduce the document or distribute it to others without written permission from TCG, except that you may freely do so for the purposes of (a) examining or implementing TCG specifications or (b) developing, testing, or promoting information technology standards and best practices, so long as you distribute the document with these disclaimers, notices, and license terms. Contact the Trusted Computing Group at www.trustedcomputinggroup.org for information on specification licensing through membership agreements. Any marks and brands contained herein are the property of their respective owners. Revision 46 Page ii of 68 TCG PUBLISHED TCG Copyright 2005-2014 Specification Version 1.0 IWG TNC Document Roadmap IF-IMC CESP IF-IMV FED TNC IF-PTS TNC IF-TNCCS Architecture IF-M IF-T MAP Content Authorization Metadata for IF-PEP Network Security Metadata for IF-MAP ICS Security Revision 46 Page iii of 68 TCG PUBLISHED TCG Copyright 2005-2014 Specification Version 1.0 Acknowledgements The TCG wishes to thank all those who contributed to this specification. This document builds on considerable work done in the various working groups in the TCG. Frédéric Guihéry Amossys David Louin Amossys Maxime Olivier Amossys David Mattes (Co-Editor) Asguard Networks Padma Krishnaswamy Batelle Memorial Institute Eric Fleischman Boeing Richard Hill Boeing Steve Venema (Co-Editor) Boeing John Tolbert Boeing Steven Venema Boeing Eric Byres (Invited Expert) Byres Security Nancy Cam-Winget Cisco Systems Josef von Helden Fachhochschule Hannover Arne Welzel Fachhochschule Hannover Ronald Marx Fraunhofer SIT Gerald Maunier Gemalto N.V. Chris Daly General Dynamics C4 Systems Graeme Proudler Hewlett-Packard HSR University of Applied Sciences Andreas Steffen Rapperswil James Tan Infoblox David Vigier Infoblox Cliff Kahn Juniper Networks Lisa Lorenzin (Co-Editor) Juniper Networks Steve Hanna Juniper Networks Mark Labbancz Lumeta Corporation Atul Shah Microsoft Trevor Freeman Microsoft Charles Schmidt MITRE Jim Banoczi US Government Revision 46 Page iv of 68 TCG PUBLISHED TCG Copyright 2005-2014 Specification Version 1.0 Chris Bean US Government Julie Haney US Government Jessica Fitzgerald-McKay US Government Gloria Serrao US Government Theresa Thomas US Government Josef Allen Oak Ridge National Lab Ira McDonald Samsung Carolin Latze SwissCom Paul Sangster Symantec Anne-Rose Gratadour Thales Revision 46 Page v of 68 TCG PUBLISHED TCG Copyright 2005-2014 Specification Version 1.0 Table of Contents 1 Introduction ............................................................................................................ 9 1.1 Scope and Audience ..................................................................................................................... 9 1.2 Keywords ....................................................................................................................................... 9 2 Background .......................................................................................................... 10 2.1 Purpose of IF-MAP Metadata for ICS Security ........................................................................... 10 2.2 Context ........................................................................................................................................ 10 2.2.1 Industrial Control Systems and Overlay Networks .................................................................. 10 2.2.2 Related Standards Work ......................................................................................................... 12 2.3 Lexicon ........................................................................................................................................ 15 2.4 Supported Use Cases ................................................................................................................. 15 2.5 Requirements .............................................................................................................................. 16 2.5.1 General Requirements ............................................................................................................ 16 2.5.2 ICS Domain-Specific Network Security Requirements ........................................................... 16 2.6 Assumptions ................................................................................................................................ 17 3 IF-MAP Metadata for ICS Security ...................................................................... 18 3.1 Authentication and Authorization ................................................................................................ 18 3.1.1 MAP Client Roles .................................................................................................................... 18 3.1.2 Principal Roles ........................................................................................................................ 18 3.1.3 Identifiers and Authentication .................................................................................................. 19 3.1.4 Authorization Policy ................................................................................................................. 22 3.2 Overview of Target Functionality................................................................................................. 23 3.2.1 Configuration and Operational Management .......................................................................... 23 3.2.2 Operational Communications Facilitation ............................................................................... 23 3.2.3 Credential Management .......................................................................................................... 24 3.2.4 MAP Server Auto-Discovery ................................................................................................... 24 3.3 IF-MAP Identifiers Used in This Specification ............................................................................. 24 3.3.1 Use of administrative-domain Identifier Attribute .................................................................... 24 3.4 Extended Identifiers .................................................................................................................... 25 3.4.1 backhaul-interface ................................................................................................................... 26 3.4.2 overlay-manager-group ........................................................................................................... 26 3.4.3 overlay-network-group ............................................................................................................ 26 3.5 IF-MAP Metadata for ICS Security Types ................................................................................... 28 3.5.1 backhaul-policy ........................................................................................................................ 31 3.5.2 bhi-address .............................................................................................................................. 32 3.5.3 bhi-certificate ........................................................................................................................... 32 3.5.4 bhi-identity ............................................................................................................................... 33 3.5.5 device-characteristic ............................................................................................................... 34 3.5.6 dn-hit ....................................................................................................................................... 34 3.5.7 group-xref ................................................................................................................................ 35 3.5.8 ifmap-client-has-task ............................................................................................................... 36 3.5.9 manager-of .............................................................................................................................. 37 Revision 46 Page vi of 68 TCG PUBLISHED TCG Copyright 2005-2014 Specification