Boeing technology offers secure, efficient way to tie together business, industrial nets

The Boeing Company is pioneering a way to securely bring together business IT networks with what ordinarily are entirely separate networks for industrial-control systems (ICS) in order to gain efficiencies and benefits in information-sharing in manufacturing.

Boeing's approach, which has been deployed in some of its airplane manufacturing plants, is leading to a new standards effort at the Trusted Computing Group (TCG) for what could be a revolutionary type of virtual private networking. It could be applied not only to manufacturing ICS in the future but to the "Internet of things," as it's now sometimes called: everything from electric or traffic systems to medical equipment in hospitals, nanny cams, and oil and gas controls, all of which are too vulnerable to hacker attacks once they are accessible via the Internet.


"Boeing has done a great job in ICS security," says Stephen Hanna, distinguished engineer at Juniper Networks and chairman of the TCG's Trusted Network Connect work group where the new standard, influenced by what Boeing has done on a home-grown basis in its networks, is expected to be finalized by this fall.

The proposed standard is called the "IF-MAP Metadata for ICS Security." It applies an existing TCG standard known as "Interface for Metadata Access Points" (IF-MAP) to industrial-control systems.

The IF-MAP protocol is used today to establish a database of security, device-management and vulnerability information that is received and aggregated from any security product that supports IF-MAP, such as intrusion-detection systems and firewalls. Hanna says a couple of dozen vendors support IF-MAP today, including Lumeta with its IPSonar network-discovery tool, which Juniper uses.

But what Boeing has done with the IF-MAP protocol tackles a different question: Since ICS networks have traditionally been maintained as wholly separate entities, sometimes not TCP/IP-based or only connected via leased lines, how can ICS devices be integrated into the increasingly high-speed business IT networks that are usually connected to the Internet?

There are often strong reasons to interconnect them, such as huge cost savings or a way to unite ICS devices across Internet boundaries when needed, or just for information-sharing purposes. "But it opens up a lot of security issues," Hanna points out.

Craig Dupler, technical fellow in Boeing's research and technology business unit, says Boeing understands the nature of such risk. But it was also clear that there would be a huge advantage in using the IT network to interconnect some parts of Boeing's ICS.

So a few years back, research engineers with expertise in network security devised what became home-grown "black boxes" that Boeing today internally refers to as its "Control Systems Security Solution" (CS3).

These CS3 black boxes, which support the IF-MAP protocol among other standards, act as proxies that protect ICS equipment by orchestrating what each ICS can connect to, whether that is another network or a device. They provide a means for policy-based enforcement of encryption or identity management, and they allow the IT department to manage non-IT devices on the business network while also delegating controls to the ICS team.

"This is not a traditional VLAN," Dupler emphasizes. It's a way to orchestrate, in a fine-grained manner, what the controls-systems team and the IT department can each see on the network and what each is allowed to manage. "I don't want the heating and ventilation side to see what my robots are doing, for instance," says Dupler.
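The proxy behaviour Dupler describes, as an added illustration that is not Boeing's CS3 code: each ICS device is assigned a zone, the policy table says which zones may reach each other and which cross-zone flows must be encrypted, and management of each zone is delegated to one team. The zone names, devices and policy are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    zone: str  # control-system segment the proxy places the device in

@dataclass(frozen=True)
class Policy:
    allowed_peers: dict       # zone -> frozenset of zones it may reach
    encrypt_between: frozenset  # frozenset of zone pairs that must be encrypted
    admin_rights: dict        # team -> frozenset of zones it may administer

def check_connection(policy, src, dst, encrypted):
    """Decide whether the proxy forwards a flow from src to dst.
    Returns (allowed, reason) so a denial can be logged with its cause."""
    if dst.zone not in policy.allowed_peers.get(src.zone, frozenset()):
        return (False, f"{src.zone} may not reach {dst.zone}")
    if frozenset({src.zone, dst.zone}) in policy.encrypt_between and not encrypted:
        return (False, f"{src.zone}<->{dst.zone} requires encryption")
    return (True, "allowed")

def can_manage(policy, team, device):
    """Delegated control: a team may only change devices in zones assigned to it."""
    return device.zone in policy.admin_rights.get(team, frozenset())

# Constructed sample policy for a hypothetical plant (not a real configuration).
PLANT_POLICY = Policy(
    allowed_peers={
        "robotics": frozenset({"robotics", "mes"}),
        "mes": frozenset({"robotics", "business-it"}),
        "hvac": frozenset({"hvac", "business-it"}),
        "business-it": frozenset({"mes", "hvac"}),
    },
    # Anything crossing onto the shared business network must be encrypted.
    encrypt_between=frozenset({frozenset({"mes", "business-it"}),
                               frozenset({"hvac", "business-it"})}),
    admin_rights={"controls-team": frozenset({"robotics", "mes"}),
                  "facilities": frozenset({"hvac"}),
                  "it": frozenset({"business-it"})},
)

ROBOT = Device("weld-robot-7", "robotics")
AHU = Device("air-handler-3", "hvac")
MES = Device("mes-server", "mes")
ERP = Device("erp-gateway", "business-it")

if __name__ == "__main__":
    print(check_connection(PLANT_POLICY, AHU, ROBOT, encrypted=True))  # HVAC cannot see robots
    print(check_connection(PLANT_POLICY, MES, ERP, encrypted=False))   # cleartext to IT denied
    print(can_manage(PLANT_POLICY, "facilities", ROBOT))             # delegation respected
```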

Not all technical experts at Boeing share the belief this is the best way to manage non-IT devices on an IT network, Dupler is quick to point out. It's still subject to debate. But Boeing is eager to see the type of home-grown CS3 black box it came up with become commercialized for wider use over the long term.

Not only are vendors Infoblox and Juniper interested in the evolution of the concept, but a former research engineer at Boeing, David Mattes, left a year ago to start a Seattle-based firm called Asguard Networks to commercialize Boeing's "black box" idea. The product Mattes came up with is called SimpleConnect, which supports IF-MAP for ICS. SimpleConnect is being tried out at Boeing under limited circumstances. Asguard Networks has other early-adopter customers as well, including a Florida water utility.

The SimpleConnect box "sits between the devices that need to be protected and a shared network resource, such as a business network or wireless or the Internet or a private network in a plant that needs to be further separated," Mattes says.

SimpleConnect provides a way to orchestrate cybersecurity for industrial control systems in an automated fashion by placing a private network overlay on top of a shared network. Eventually, the SimpleConnect box could gain additional security functionality, such as intrusion-detection or firewalling capability, Mattes adds.

However useful the security concept Boeing pioneered for its own network, one basic problem is that you can end up with too many black boxes in the network, Dupler acknowledges. If Boeing's approach to security for industrial controls ever catches on and becomes widespread, Dupler says he hopes this security functionality might one day be boiled down to fit inside something small, such as a network-interface card.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:
