Automatic Verification of Network Access Control Policy Implementations

Industry Collaborators: 

Cornbelt Energy
Eastern Illini Electric Cooperative
Southwest Power Pool (SPP)

Research Summary: 

This project developed a highly usable, scalable, and effective tool for analyzing security policy implementation for conformance with a global security policy specification for industrial control networks. The tool provides comprehensive analysis of compliance to ensure that all access control mechanisms work collectively in harmony. The tool, called NetAPT (the Network Access Policy Tool), has been fully implemented and has been used successfully to aid in vulnerability assessments and compliance audits at our industry partners. It can be used to make sure that the access controls for the communications infrastructure of the Smart Grid are configured correctly. It can help prove compliance of the existing mechanisms with the various recommendations and standards (e.g., NERC CIP 005) and can help ensure that compliance is maintained despite any new changes to configuration of layer 3 devices (firewalls, routers). NetAPT takes as input firewall configurations, and discovers the network’s topology based on them. It uses advanced data structures and modular design to incorporate a variety of policy rules and maintain extensibility. It has a sophisticated graphical front-end for usability, along with an analysis engine optimized for performance. The GUI and analysis engine can be decoupled and run on separate machines (e.g., GUI on an admin workstation, the engine on a powerful server). SSL is used to communicate between the two components. Specific optimizations for process control networks are included. NetAPT includes parameterized global policy templates, encoding various best practices recommendations and compliance standards that can be quickly customized to the network being analyzed. The tool can greatly reduce the burden of managing complex security setups in large networks, allowing for creation and administration of more secure networks.

The work conducted under this activity was part of what was licensed from the University of Illinois and commercialized as the tool ‘NPView’ by the startup company Network Perception.