TECHNOLOGY IN SYSTEMS
Smartphones and Tablets as User Interfaces for Embedded
BYOD for Industrial Control and Automation
Increasingly, user-owned smartphones and tablets are being brought into both the IT space in businesses as well as into industrial control environments. This dual-use scenario raises questions of corporate security as well as personal privacy.
DAVID KLEIDERMACHER, CTO, GREEN HILLS SOFTWARE
The enterprise world is going mobile, driven by distributed workforces, the need to stay connected, and the sheer productive horsepower of modern handheld devices. However, unlike PCs that are traditionally IT-owned and managed, handhelds are inherently personal: we use them to watch movies, browse photos, chat with family and friends, and play games. Enterprises cannot tolerate the use of these unmanaged personal devices for the processing of sensitive information and connection to corporate and industrial networks. The inexorable consumerization of IT demands a solution to Bring Your Own Device (BYOD), where a worker can use a handheld for personal activities or in the workplace while ensuring both parties are satisfied with security, usability and cost.
The industrial control and automation industries provide an excellent example of the need for devices that must bridge the gap between gadgets designed for the general consumer and purpose-built tools for the mobile worker. Workers use mobile devices to track inventory, communicate with other workers and managers, search corporate databases for relevant information, and to commission and wirelessly manage industrial control systems and other computerized factory equipment.
A great example of the increased use of mobile devices in industrial settings is the Opto aPAC, an Android application created by Opto 22. Opto 22 manufactures controllers, I/O and solid-state relays for industrial automation and control. Automation engineers and technicians use aPAC to wirelessly monitor and control Opto hardware in the field. The app can be used for debugging, responding to alarms, and system configuration. The aPAC software harnesses the power of modern consumer electronics to make industrial workers more efficient, saving time and money during installation and maintenance.
The traditional approach to equipping workers with mobile devices is corporate-liable: the employer purchases IT “approved” devices, such as a BlackBerry, on behalf of the employee and pays the employee’s monthly service fees. The result is a device that the employee reviles and that represents a TCO (total cost of ownership) to the corporation approximately equal to that of a new PC. For most companies, this is essentially a doubling in per-capita client computing cost.
What if the employee were permitted to bring his or her personal smartphone or tablet to use in the workplace? The employee-liable approach would seem to solve some important problems: the employee gets to use the latest and coolest gadgets, and the employer doesn’t need to purchase a device (only reimburse the applicable service fees). While the employer can require the installation of mobile device management (MDM) solutions to rein in the maintenance cost of such devices, this is ultimately a losing battle using common mobile operating systems: they simply do not provide the isolation required to keep the personal and industrial apps, networks and data from interfering with each other. Employees do not feel comfortable with the privacy of their information, and corporations do not feel comfortable with the liability associated with this privacy risk nor with the security of their own internal networks and information.
An increasingly popular answer to BYOD is the multiple personae concept: a single handheld device divided into isolated virtual environments, one for the user’s personal information and apps and another for an IT-managed workspace. Commercial examples include AT&T Toggle and VMware Horizon. The persona concept is easy to understand, use and manage. What these products have in common is that they take advantage of Android’s native sandboxing capabilities, as shown in Figure 1.
It is easy to see that the mobile operating system, in this case Android, itself acts as the vulnerability surface area, an area that has proven extremely fertile. While Android and its underlying Linux kernel are developed to quality open source development standards, the lack of formal high assurance design and the dependence upon a monolithic architecture ensure a steady flow of severe vulnerabilities that have been well publicized.
These flaws are regularly used to root smartphones and tablets. Vulnerabilities enable malware originating in the private persona to hijack or disable application-level protections associated with the aforementioned products. Approximately 100 Android kernel vulnerabilities are discovered each year and posted publicly on the U.S. CERT National Vulnerability Database. With 100% probability, hundreds of undiscovered flaws exist today and countless more will be added due to immense code churn: literally thousands of edits per day from thousands of authors worldwide.
Opto 22’s aPAC software communicates wirelessly with fielded industrial controllers, which raises the question: how are these connections protected against such vulnerabilities and their exploits? Even if a security protocol, such as SSL, is used to authenticate the mobile device and encrypt sensitive data transmitted from controller to device, what happens once that data is stored on the handheld? And what assurance can the owners of the industrial equipment have that an Android smartphone, which is very good at downloading malware as well as apps from the Internet, is not going to infect the control system?
While the Stuxnet virus was introduced by corrupted USB thumb drives, a wireless connection provides a far more attractive target for hackers. The multiple persona technology must ensure that the wild west of the open environment cannot affect the industrial environment. In fact, an Opto 22 technician needs a persona dedicated exclusively to managing the equipment and connecting to the industrial network. The sandboxing technology must enforce a policy in which the industrial environment is firewalled from connecting to anything other than a secure tunnel protecting the industrial network.
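The policy just described, default-deny for the industrial persona with only the secure tunnel allowed, can be expressed concretely as an nftables ruleset. The following is an added example, not code from the article, Opto 22 or Green Hills; it assumes the industrial persona lives in a Linux network namespace, and the VPN gateway address (203.0.113.10, a documentation range), UDP port 51820 and tunnel interface name wg0 are placeholders.

```shell
#!/bin/sh
# Constructed example: lock the industrial persona down so the only path
# out of it is the secure tunnel. Both chains default to drop; only the
# tunnel endpoint (for the handshake) and the tunnel interface are opened.

industrial_ruleset() {
    gw="$1"; port="$2"; tun="$3"
    cat <<EOF
flush ruleset
table inet industrial {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ip daddr $gw udp dport $port accept
        oif "$tun" accept
    }
}
EOF
}

# Load the policy inside the persona's network namespace (needs root and nft).
# Usage: apply_industrial_ruleset industrial 203.0.113.10 51820 wg0
apply_industrial_ruleset() {
    ns="$1"; shift
    industrial_ruleset "$@" | ip netns exec "$ns" nft -f -
}

# Root-free sanity check of the generated policy: both chains must default
# to drop, the only explicit egress to a raw IP must be the tunnel endpoint,
# and no rule may open the wireless interface directly.
check_industrial_ruleset() {
    rules=$(industrial_ruleset "$@")
    [ "$(printf '%s\n' "$rules" | grep -c 'policy drop')" -eq 2 ] || return 1
    [ "$(printf '%s\n' "$rules" | grep -c 'ip daddr')" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -q "ip daddr $1 udp dport $2 accept" || return 1
    ! printf '%s\n' "$rules" | grep -q 'oif "wlan0" accept'
}
```

Replies to traffic that left through the tunnel are admitted by the established,related rule, so the controller never needs an inbound hole of its own.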
Let’s take a look at the major types of multiple persona architectures in the context of the goal of providing enhanced isolation between the employee’s personal domain and the industrial domain.
Containers: Linux has a concept of containers, called LXC. Containers are not a form of system virtualization. Rather, containers implement what is called OS virtualization, providing execution environments with access to a subset of the available file system and sometimes separate CPU scheduling resources. Containers can provide the illusion of multiple personae, running for example two instances of Android and/or other software environments. Clearly, this approach can be used to implement the dual persona concept. However, both personas depend on the security of the single underlying mobile OS.
Type-2 Hypervisor: Type-2 hypervisors are similar to containers in that the secondary environment runs as an application on top of the primary operating system. However, instead of hosting only a private file system and its contained applications, the secondary persona is a full-fledged guest operating system running within a virtual machine created by the hypervisor application (Figure 2). The hypervisor uses the primary operating system to handle I/O and other resource management functions. Type-2 mobile hypervisor products, such as VMware Horizon, are used to provide an industrial persona on top of the primary employee-personal environment.
However, once again the Type-2 model fails to provide strong isolation. Faults or security vulnerabilities in the primary general-purpose operating system will impact the critical functions running in the virtual machine. Furthermore, Type-2 hypervisor applications deployed in the enterprise space have themselves been found to contain vulnerabilities that break the sandbox.
Type-1 Hypervisor: Type-1 hypervisors also provide functional completeness and concurrent execution of a secondary persona. However, because the hypervisor runs on the bare metal, persona isolation cannot be violated by weaknesses in the mobile operating system. Thus, a Type-1 hypervisor represents a promising approach from both a functionality and security perspective. But the hypervisor vulnerability threat still exists, and not all Type-1 hypervisors are designed to meet high levels of security.
One particular variant, the microkernel-based Type-1 hypervisor, is specifically designed to meet high-assurance, security-critical requirements. Microkernels are well known to provide a superior architecture for security relative to large, general-purpose operating systems such as Linux and Android.
In a microkernel Type-1 hypervisor, system virtualization is built as a service on the microkernel. Thus, in addition to isolated virtual machines, the microkernel provides an open standard interface for lightweight critical applications, which cannot be trusted to a general-purpose guest. For example, user authentication and data encryption can be provided by microkernel apps, impervious to vulnerabilities in either persona (Figure 3).
Figure 3. Data protection using a Type-1 hypervisor.
The isolation properties of some secure microkernels can even protect against sophisticated covert and side-channel software-borne attacks. The microkernel can also manage and utilize a hardware root-of-trust, such as a smart card microcontroller embedded within a microSD or SIM card when available, providing protection against physical attacks on critical data, such as cryptographic keys. One example of a microkernel Type-1 hypervisor is the Integrity Multivisor from Green Hills Software. The Multivisor’s microkernel is widely deployed in enterprise and embedded electronics and NSA certified cryptographic devices, and is the only software technology certified to Common Criteria EAL 6+ / High Robustness, the level required to protect high value information against sophisticated attackers.
Dual-persona BYOD, based upon secure virtualization technology, provides a strategy for increasing the assurance of mobile device data protection and isolation between the open and industrial worlds. There is simply too much vulnerability to prevent subversion between sandboxes built upon general-purpose mobile operating systems. A modern BYOD solution marries the power of mobile multimedia and applications deployment infrastructure with the ability to wirelessly manage and control critical fielded systems with confidence that the industrial environment will be protected.
Green Hills Software
Santa Barbara, CA.