Title :
Blocking unsafe behaviors in control systems through static and dynamic policy enforcement
Author :
McLaughlin, Stephen
Author_Institution :
KNOX Security, Samsung Res. America, USA
Abstract :
One of the most universally accepted practices in computer security is the use of security policy enforcement. Under a policy enforcement regime, users and programs can only perform actions for which they are authorized by the security policy. Unfortunately, modern control systems fail to make effective use of policy enforcement. In many cases, privilege in control systems is binary: a single password is sufficient to gain most or all privileges within the system. In this paper, we consider the benefits and challenges of enforcing security policies for code running on Programmable Logic Controllers (PLCs). We first summarize two of our previous approaches, which place no trust in the PLC to behave correctly. While these approaches show promise, especially for current PLC architectures, they are lacking in comparison to approaches based on a trustworthy PLC design. Thus, we argue that future PLCs should implement a Trusted Computing Base (TCB). Such a TCB is a small set of trusted hardware and software that is sufficient for enforcing policies directly on the PLC. We also propose a method of doing policy enforcement on PLCs supporting a small TCB, and argue that it is the simpler and more effective means of doing policy enforcement for PLCs. We conclude that future PLCs should support a small TCB.
Keywords :
authorisation; control systems; programmable controllers; trusted computing; TCB; authorization; computer security policy enforcement; control systems; dynamic policy enforcement; password; programmable logic controllers; static policy enforcement; trusted computing base; trustworthy PLC design; Control systems; Machinery; Monitoring; Organizations; Runtime; Safety; Security;
Conference_Title :
Design Automation Conference (DAC), 2015 52nd ACM/EDAC/IEEE
Conference_Location :
San Francisco, CA
DOI :
10.1145/2744769.2747913