
MID-081: Secure Network Tunnels

Mitigation Tier: Intermediate

Description

When a protocol itself does not provide authentication, encryption, or message integrity checking, a secure network tunnel can supply those properties around it. Secure network tunnels are best used when a device must support a specific insecure protocol, either for functionality or to interoperate with legacy devices, and that protocol cannot be replaced with one that is secure by default.

A secure network tunnel wraps the insecure protocol in a protocol that provides encryption, authentication, and message integrity checking, such as TLS, IPsec, or SSH port forwarding. These properties make spoofed, illegitimate, or replayed messages much harder to inject, provided the tunnel authenticates both endpoints (for example, TLS with client certificates or IPsec peer authentication) rather than only encrypting the traffic; a tunnel that merely encrypts still lets any network peer that can reach its listener deliver commands to the device.

To use a secure network tunnel, both the sending and receiving devices must support the tunnel protocol as well as the wrapped protocol. If a device cannot be made to support the tunnel protocol, a dedicated gateway device can be placed between it and the upstream network to terminate the tunnel on its behalf. The downstream device then continues to speak the insecure protocol on its short hop to the gateway, while the traffic is protected inside the tunnel as it traverses the intervening networks. That last hop between the gateway and the device remains unprotected, so it should be physically or logically isolated (a direct cable or a dedicated network segment) and the gateway should forward traffic only after the tunnel peer has been authenticated.
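The gateway arrangement described above, as an added example in Go (standard library only, Go 1.18 or later; this is not code from the EMB3D page or from any vendor's product). A constructed plaintext Modbus/TCP stand-in plays the legacy device, a TLS-terminating gateway sits in front of it and requires a client certificate issued by a throwaway CA generated in-process, and a client reads two holding registers through the tunnel. Everything runs on loopback so it works offline. The certificate names (demo-ca, gateway, hmi-client), the fixed register values 0x1234 and 0x5678, the loopback addresses and the single supported function code are assumptions of the example, not anything the page specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // setup failures (PKI, loopback ports) are fatal in this demo
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues an Ed25519 certificate valid for 127.0.0.1; CertSign usage marks a CA, parent == nil means self-signed.
func newCert(cn string, usage x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0,
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der)), priv
}

// serve accepts connections on ln and hands each one to handle on its own goroutine.
func serve(ln net.Listener, handle func(net.Conn)) {
	for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
		go func(c net.Conn) { defer c.Close(); handle(c) }(c)
	}
}

// legacyDevice is a constructed stand-in for a plaintext-only Modbus/TCP device: it answers one FC 0x03 ("read holding
// registers") request by echoing the transaction/protocol ids and returning registers 0x1234 and 0x5678 (length 7 = unit id + FC + byte count + 4 data bytes).
func legacyDevice(c net.Conn) {
	req := make([]byte, 12) // MBAP header (7 bytes) + FC 0x03 PDU (5 bytes)
	if _, err := io.ReadFull(c, req); err == nil && req[7] == 0x03 {
		c.Write(append(append([]byte{}, req[:4]...), 0x00, 0x07, req[6], 0x03, 0x04, 0x12, 0x34, 0x56, 0x78))
	}
}

// Setup builds the PKI, starts the device and the gateway on loopback, and returns the gateway address plus an authorised client's TLS config.
func Setup() (string, *tls.Config) {
	ca, caKey := newCert("demo-ca", x509.KeyUsageCertSign, nil, nil)
	gwCert, gwKey := newCert("gateway", x509.KeyUsageDigitalSignature, ca, caKey)
	cliCert, cliKey := newCert("hmi-client", x509.KeyUsageDigitalSignature, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	devLn := must(net.Listen("tcp", "127.0.0.1:0"))
	go serve(devLn, legacyDevice)
	gwLn := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{gwCert.Raw}, PrivateKey: gwKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12, // authenticate the peer, not merely encrypt
	}))
	go serve(gwLn, func(c net.Conn) { // the gateway: finish the mutually authenticated handshake first, only then bridge to the device
		if c.(*tls.Conn).Handshake() != nil {
			return // no certificate chaining to demo-ca: the peer never gets a socket to the plaintext side
		}
		if d, err := net.Dial("tcp", devLn.Addr().String()); err == nil {
			defer d.Close()
			go io.Copy(d, c)
			io.Copy(c, d)
		}
	})
	return gwLn.Addr().String(), &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}}
}

// ReadRegisters sends one FC 0x03 request for two registers through the tunnel and returns the 4 register bytes.
func ReadRegisters(gatewayAddr string, cfg *tls.Config) ([]byte, error) {
	conn, err := tls.Dial("tcp", gatewayAddr, cfg) // cfg.RootCAs decides whether the gateway's certificate is trusted
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	req := []byte{0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, 0x00, 0x00, 0x00, 0x02} // txn 1, unit 1, FC 3, address 0, quantity 2
	resp := make([]byte, 13)                                                             // MBAP header (7) + FC + byte count + 2 registers
	conn.Write(req) // a gateway that rejected our certificate shows up as an error on the read below
	if _, err := io.ReadFull(conn, resp); err != nil {
		return nil, err
	}
	if resp[0] != req[0] || resp[1] != req[1] || resp[7] != 0x03 || resp[8] != 0x04 { // reply must match our transaction
		return nil, fmt.Errorf("unexpected response % x", resp)
	}
	return resp[9:], nil
}

func main() {
	addr, cfg := Setup()
	fmt.Println(ReadRegisters(addr, cfg)) // authenticated client: the register bytes and a nil error
	noCert := cfg.Clone()
	noCert.Certificates = nil // trusts demo-ca but cannot prove who it is
	fmt.Println(ReadRegisters(addr, noCert))
}
```

The two calls in main show the property that matters: the authenticated client gets the registers back through the tunnel, while a client that trusts the same CA but presents no certificate is turned away at the gateway's handshake and never reaches the plaintext device. The same applies in the other direction: a client configured without the CA in RootCAs refuses the gateway's certificate at tls.Dial, so neither side will talk to an impostor. In a real deployment the loopback hop between gateway and device would be the isolated segment described above, and the certificates would come from the site PKI rather than being minted in-process.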

IEC 62443 4-2 Mappings

  • CR 4.1 – Information confidentiality

  • CR 3.1 – Communication integrity - RE (1) Communication authentication