Virtual Private Groups for Protecting Critical Infrastructure Networks

Abstract

In an era when critical infrastructure networks are increasingly less isolated and more accessible from open networks, including the Internet, the air-gap security that these critical networks once enjoyed no longer exists. Malicious individuals can exploit this network connectivity, in conjunction with security weaknesses in widely used, homogeneous, COTS (commercial off-the-shelf) products, to penetrate deep within an organization's critical networks. Such an attack on SCADA (Supervisory Control And Data Acquisition) and Process Control networks could have devastating consequences. This paper describes an approach, Virtual Private Groups (VPGs), for creating and managing a virtual air-gap between these networks and the environments in which they may operate. After a brief description of the security issues that confront these networks, we describe our approach for addressing them. Many of the ideas presented here are the result of work done while implementing a version of VPGs directed towards critical infrastructure networks. In the process of doing that work we made a number of advances in managing policy for VPG and related mechanisms.

Authors
Richard O'Brien
Year of Publication
2009
Source
2009 Cybersecurity Applications & Technology Conference for Homeland Security