OT Network Best Practices Language and Library
Summary Statement
The objective of this research and development activity (Best Practices Policy Language, or BPPL) is to design and implement a non-proprietary specification of OT networks used for machine automation, of their devices and services, and of their access control policies, together with a machine-checkable specification of best practices against which an OT network configuration can be tested. The best practices specification will be abstracted so that a given specification can be applied to any OT network. For example, a best practices rule codifying the practice that no protocol should cross a network segment boundary would use universal quantifiers to state that every flow which enters a segment must terminate in that segment, and that the set of protocols named in the rules admitting flows into the segment must not intersect the set of protocols named in the rules permitting flows to egress the segment. Stated this way, best practices rules reference OT network device, rule, service, and policy objects that are specific to a given OT network but can be referred to abstractly in the rule statement.
Best practice rules will be delicate to express correctly, and given the very limited life of this project we must assume they will be developed by project members. However, one deliverable of the project will be extensive documentation and examples to aid others in using the language, together with an open source library of best practices rules, particularly those promoted by standards bodies such as NIST.
The natural (and obvious) use of the best practices language and library is to analyze a given OT network and identify which rules from a selected set it follows and which it fails to follow. Our industry partner Network Perception commits to including in its future product line an embedding of this language, a user-friendly interface to it, and analysis of its clients’ networks with respect to the selected rules. One milestone of this project is Network Perception’s embedding of such analysis within an experimental branch of its NP-Live platform, for testing and validation. The best practices language, documentation, and library will nevertheless be sufficient for anyone else, including Network Perception’s competitors, to develop checkers.
Energy Delivery System (EDS) Gap Analysis
Organizations are adopting a culture of cyber resilience, with the goal of ensuring that their operational technology networks comply with best practices. The growing scale of information technology and industrial networks makes it intractable for human operators to understand the implications of all the inter-meshed policies and whether, collectively, they align with best practice principles. Known best practices include rules for network segmentation, for protocol translation and separation, and for access control rules that restrict passage through firewalls to only those services which are required. Still, there is no means of formally describing best practices (such as those offered by NIST), nor is there a commonly available machine-checkable library of best practices that an organization might choose to follow.
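To make the summary statement's segmentation rule and the "only required services" practice above concrete, the following is an added example, not BPPL itself and not Network Perception's or the project's code: a small Python model of the network objects the page names (device, segment, service, access rule, flow), the two practices written as quantified predicates over those objects, and an `evaluate` step that reports which selected rules a network follows and which it fails, as the page describes the analysis. The class and function names, the rule identifiers, and the three-segment sample network (enterprise, DMZ, control) are all assumptions made for illustration; the flow paths are hand-constructed stand-ins for what a tool such as NP-Live would compute from device configuration.

```python
# Added example (not BPPL, NP-Live, or project code): OT network objects and two
# best-practice rules written as quantified predicates over them. All names and the
# sample network are illustrative assumptions.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Device:
    name: str
    segment: str
    services: frozenset[str]   # protocols this device serves, e.g. "opcua"


@dataclass(frozen=True)
class AccessRule:
    """Firewall rule admitting one protocol across one segment boundary."""
    firewall: str
    src_segment: str
    dst_segment: str
    protocol: str


@dataclass(frozen=True)
class Flow:
    """An end-to-end path a flow can take; `path` lists the segments traversed,
    source first. A tool would compute these from config; here they are constructed."""
    src: str
    dst: str
    protocol: str
    path: tuple[str, ...]


@dataclass(frozen=True)
class Network:
    devices: tuple[Device, ...]
    rules: tuple[AccessRule, ...]
    flows: tuple[Flow, ...]

    @property
    def segments(self) -> set[str]:
        return {d.segment for d in self.devices}


def ingress(net: Network, seg: str) -> set[str]:
    """Protocols admitted into `seg` from some other segment."""
    return {r.protocol for r in net.rules
            if r.dst_segment == seg and r.src_segment != seg}


def egress(net: Network, seg: str) -> set[str]:
    """Protocols admitted out of `seg` to some other segment."""
    return {r.protocol for r in net.rules
            if r.src_segment == seg and r.dst_segment != seg}


def no_protocol_crosses_boundary(net: Network) -> list[str]:
    """The summary statement's rule, as two universally quantified clauses:
    (1) for every flow, a segment it enters is the segment it terminates in;
    (2) for every segment, ingress(seg) ∩ egress(seg) is empty.
    Returns the list of violations; an empty list means the rule is followed."""
    out: list[str] = []
    for f in net.flows:                       # clause 1 is checked on flow objects
        transit = f.path[1:-1]                # segments entered and then left again
        if transit:
            out.append(f"flow {f.src}->{f.dst}/{f.protocol} transits {list(transit)}")
    for seg in sorted(net.segments):          # clause 2 is checked on rule objects
        for p in sorted(ingress(net, seg) & egress(net, seg)):
            out.append(f"protocol {p} both enters and leaves segment {seg}")
    return out


def only_required_services(net: Network) -> list[str]:
    """Firewalls admit a protocol into a segment only if a device there serves it."""
    out: list[str] = []
    for r in net.rules:
        offered = {s for d in net.devices if d.segment == r.dst_segment for s in d.services}
        if r.protocol not in offered:
            out.append(f"{r.firewall} admits {r.protocol} into {r.dst_segment}, "
                       "which offers no such service")
    return out


# A (hypothetical) library of named best-practice checks a user selects from.
LIBRARY: dict[str, Callable[[Network], list[str]]] = {
    "no-protocol-crosses-segment-boundary": no_protocol_crosses_boundary,
    "firewall-admits-only-required-services": only_required_services,
}


def evaluate(net: Network, selected=LIBRARY) -> tuple[set[str], dict[str, list[str]]]:
    """Return (rules followed, {rule failed: its violations}) for the selected set."""
    failed: dict[str, list[str]] = {}
    for name, check in selected.items():
        violations = check(net)
        if violations:
            failed[name] = violations
    return set(selected) - set(failed), failed


# Constructed sample: a DMZ historian replica terminates OPC UA from control and HTTPS
# from enterprise (compliant), but a Modbus rule pair lets an engineering workstation
# reach the PLC straight through the DMZ, which neither practice allows.
SAMPLE = Network(
    devices=(
        Device("eng-ws", "enterprise", frozenset()),
        Device("hist-replica", "dmz", frozenset({"https", "opcua"})),
        Device("plc-1", "control", frozenset({"modbus", "opcua"})),
    ),
    rules=(
        AccessRule("fw-north", "enterprise", "dmz", "https"),
        AccessRule("fw-south", "control", "dmz", "opcua"),
        AccessRule("fw-north", "enterprise", "dmz", "modbus"),   # the offending pair
        AccessRule("fw-south", "dmz", "control", "modbus"),
    ),
    flows=(
        Flow("eng-ws", "hist-replica", "https", ("enterprise", "dmz")),
        Flow("plc-1", "hist-replica", "opcua", ("control", "dmz")),
        Flow("eng-ws", "plc-1", "modbus", ("enterprise", "dmz", "control")),
    ),
)
# Same network with the Modbus rules and the flow they enable removed.
REMEDIATED = Network(SAMPLE.devices, SAMPLE.rules[:2], SAMPLE.flows[:2])

if __name__ == "__main__":
    followed, failed = evaluate(SAMPLE)
    print("followed:", sorted(followed))
    for name, violations in failed.items():
        print("failed:", name, *violations, sep="\n    ")
```

Running the block reports the Modbus pass-through as a failure of both rules, while `REMEDIATED` satisfies both. Clause 1 is evaluated over flow objects and clause 2 over access-rule objects, mirroring the summary statement's wording, so a checker needs both the computed flows and the rule set, not the firewall configuration alone.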
More Information
- (Sept. 2020) Refinement of the open source YANG format for topology, access rules, and services. This builds on earlier work from ANAPH.
- (Dec. 2020) Completion of the first draft of BPPL specification. Beginning of the open source best practices policy analysis development.
- (Sept. 2021) Expression of common best practices recommendations (e.g., NIST) in BPPL.
- (Dec. 2021) Completed BPPL library. BPPL checking logic implemented within an experimental branch of the Network Perception NP-Live platform. Begin validation and testing with a Network Perception customer.
- (May 2022) Refinement of BPPL based on validation exercise. Complete documentation for BPPL use and policy development. Completion of tool development and testing.
Discussions with Network Perception about using this work as a basis for extending their offerings continue, and we remain hopeful that they will launch an internal project to integrate it. Although the budget allocated for this project has been exhausted, we would use other funding to aid this transition.
Industry Collaborators
Network Perception