Skip to content
Paula Livingstone writing · projects · tools

Attestable Review: Working Notes

Literature Review: Where Attestable Sits in OT Security

A positioning entry, not another OT survey. OT security is layered perimeter defence built on Purdue zones, and it asks one question: is this crossing authorised. Admissibility is orthogonal to it, asking whether a value's basis suffices to act on. Attestable is not a perimeter layer but a gate at the cyber-physical boundary the perimeter waves values through.

A review should say not only what a contribution is, but where it sits among the things that already exist. Operational technology security is a mature field with a dominant way of doing things, and it is worth being precise about how the discipline this work proposes relates to it. The short answer is that they are orthogonal: they guard different things and ask different questions, and seeing exactly how is the clearest way to say what this work is and, just as usefully, what it is not.

The dominant paradigm: defence in depth

Operational technology security is organized, overwhelmingly, as layered perimeter defence. The field's own surveys describe it in terms of defence in depth: network segmentation, encryption of traffic, and intrusion detection, arranged in concentric controls so that a failure of one layer is caught by the next (Li et al., 2023). This architecture is built on the Purdue reference model, which divides an industrial system into levels, from the physical process and its controllers at the bottom to the enterprise network at the top, and interposes a demilitarized zone between the operational and enterprise halves (Makrakis et al., 2021). The security effort goes into the boundaries between these zones: what may cross from one level to the next, and whether a given flow of traffic is authorized to make that crossing.

This is a serious and effective discipline, and it is worth noting that its central move, compartmentalize so that a compromise cannot propagate, is the same principle this review has already met twice, as the demilitarized zone of network security and as the separation property of the software supply chain. Three fields have arrived independently at the same architecture. But all three, in the operational-technology case included, are answering one question: is this crossing authorized. They police provenance of transit.

A different question

Admissibility asks something the perimeter never asks. Defence in depth establishes that a value reached a controller by an authorized path, from an expected source, over a permitted protocol, through the correct zone. It does not, and is not built to, establish that the value is well founded. A reading can be perfectly authorized, correctly addressed, cryptographically intact, arriving exactly where the architecture expects it, and still be an unfounded inference that no measurement supports. The perimeter inspects where a value came from and how it travelled. It does not inspect whether the value's basis is sufficient for the action about to be taken on it. This is the same distinction the review drew earlier between integrity and admissibility, now in the specific vocabulary of operational-technology defence: authorization of transit is orthogonal to sufficiency of basis, and a discipline built entirely on the first leaves the second unaddressed.

That orthogonality is the precise location of this contribution. Attestable is not another layer of the perimeter. It does not compete with segmentation or intrusion detection, and it is not made redundant by them, because it operates on a dimension they do not touch. A system can have exemplary defence in depth and still actuate on a probabilistic claim whose basis would not warrant the action, because every existing layer waved the value through as properly authorized.

Why the gap bites now

There is a reason this matters at this moment rather than as a permanent abstraction. Automation is not a newcomer to the operational-technology threat surface. The field already documents automation as an attack vector, with, for example, spikes in malicious industrial traffic driven by automated brute-force tools, and it is already absorbing the wider convergence of control systems with cloud and enterprise infrastructure that widens the surface further (Bhamare et al., 2020). The arrival of probabilistic artificial intelligence into this setting is therefore not a foreign intrusion into a clean environment. It is the intensification of an exposure the field has already been tracking: more automation, now of a kind that generates claims rather than merely transmitting them, feeding the same boundaries that were already under pressure.

Where it sits

The cyber-physical systems security literature gives the exact coordinate. It decomposes such a system into three aspects: the purely cyber, where computations do not touch the world; the physical; and, between them, the cyber-physical, where computation becomes physical action (Humayed et al., 2017). That middle aspect is where a probabilistic value crosses into an irreversible act, and it is precisely the place this work locates its gate. And it is the place where the stakes are highest by the field's own reckoning, because operational technology inverts the usual priorities of security, placing availability and human safety above confidentiality, so that the cost of acting on a wrong value is measured not in disclosed data but in physical consequence (Conti et al., 2021). Attestable sits at that cyber-physical aspect, inside the boundary that defence in depth already guards, asking the one question the perimeter cannot: not whether this value was allowed to arrive, but whether its basis is sufficient to act upon.

References

Bhamare, D., Zolanvari, M., Erbad, A., Jain, R., Khan, K. and Meskin, N. (2020). Cybersecurity for industrial control systems: A survey. Computers & Security, 89. arxiv.org/abs/2002.04124 · read copy

Conti, M., Donadel, D. and Turrin, F. (2021). A Survey on Industrial Control System Testbeds and Datasets for Security Research. arXiv preprint arXiv:2102.05631. arxiv.org/abs/2102.05631 · read copy

Humayed, A., Lin, J., Li, F. and Luo, B. (2017). Cyber-physical systems security: A survey. IEEE Internet of Things Journal, 4(6). arXiv:1701.04525. arxiv.org/abs/1701.04525 · read copy

Makrakis, G. M., Kolias, C., Kambourakis, G., Rieger, C. and Benjamin, J. (2021). Vulnerabilities and Attacks Against Industrial Control Systems and Critical Infrastructures. arXiv preprint arXiv:2109.03945. arxiv.org/abs/2109.03945 · read copy

Li, Y., Wu, S. and Pan, Q. (2023). Network Security in the Industrial Control System: A Survey. arXiv preprint arXiv:2308.03478. arxiv.org/abs/2308.03478 · read copy