Head of Product Management
TRUE KVM: Making keyboard video mouse systems secure by design
There is currently a big debate about the technologies employed when Keyboard Video Mouse (KVM) systems connect expert users in control rooms or engineering centers with remote, back-racked server or PC targets. At its core, it appears to be a technology discussion. Traditionally, KVM systems employed a dedicated network to connect users and targets and used a proprietary communication protocol, optimized for the various applications and customer needs, to control and manage the KVM system as well as the target applications and systems.
More recently, systems using the Internet Protocol (IP) as the transport mechanism carrying the KVM payload promise a lower cost of purchase through Commercial Off-The-Shelf (COTS) equipment, which benefits from larger economies of scale and a lower "cost per transported bit" at the time of purchase. When acquiring systems with an expected lifetime of over seven or ten years, a proper commercial evaluation has to take into account capital (CAPEX) and operational (OPEX) expenditures. As such, it is much less a technology discussion and much more a commercial, in some cases a philosophical, one.
This discussion is fueled by a number of key hypotheses to take into account when planning and selecting a KVM solution.
- Technically, KVM systems can be separated into two solution classes (direct-connect and IP-based) which are very close to each other in terms of system performance.
- Commercially, open standard solutions typically offer lower cost of acquisition (larger markets provide better economies of scale).
a. Lower capex for IP based systems.
b. Difficult to assess, hidden operating cost during system lifetime.
c. Some customers don't take this total cost of ownership (TCO) into account.
- KVM systems support a wide variety of applications with varying needs of security.
a. Public safety and military applications.
b. This is now expanded to include what is termed critical infrastructure (public safety, military, power and water supply, core telecommunication infrastructures).
c. Mission critical commercial process control in nearly any industry vertical.
d. Non mission critical commercial and governmental applications (office infrastructures with limited real-time needs).
- The increasing number of cyber-attacks within connected IP networks (i.e. the Internet) generally increases the risk of wide-area and large-scale network outages.
- Most cyber-attacks exploit technical as well as human or process vulnerabilities and are, as such, difficult to defend against.
- The increasing number of intelligent devices with automatic machine communication (IoT, IIoT, M2M communication, autonomous driving, etc.) increases traffic volume and mixes physical and logical network infrastructure, thus increasing the overall risk of falling victim to a successful attack.
- The discussion about technology selection is driven more by the needs of suppliers than by the needs of users and customers.
Let us take a closer look:
Addressing Hypothesis 1
KVM system performance is often evaluated on the basis of these points:
- How easy is it to connect various types of sources and source applications?
- How many endpoints are supported?
- What is the latency/round trip delay of the system from the perspective of the user?
- How long does it take to switch from one target application to another?
- Which video standards and resolutions/framerates are supported?
- Which serial data connections (USBx.y) are supported?
- Which APIs of proprietary equipment are supported?
- How flexible is the control switching to accommodate various workflow requirements?
As usual, the devil is in the detail, and small differences can have a huge impact. Let's look at scalability, for instance. In a dedicated system like the IHSE Draco switch, each switch is designed to host a maximum number of inputs and outputs; going one above the maximum requires a new chassis. In an IP-based system this is harder to reason about, because various inputs share switching capacity. System performance becomes a question of the number of inputs and the current load on each input. This can lead to congestion, at which point the switch manufacturer's packet drop/congestion algorithm kicks in. To avoid this situation, each input must be assessed carefully upfront and its maximum load factored in. If you do not want to reserve that safety margin in bandwidth, connectivity becomes a function of traffic parameters and statistics.
This IP based concept also makes scalability predictions much harder. Yes, theoretically, IP based systems are infinitely scalable. In reality, varying network load and additional endpoints/target devices may overload parts of the network structure and appropriate scaling may require a much larger network re-shuffle than one would expect based on the additional load applied. Such matters are further complicated when sharing the IP network with other applications than the KVM system. At that point, non-mission critical traffic may drive switching congestion and hopefully the switch parameters have been set accordingly.
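The capacity question raised above (summed peak input load versus uplink capacity, and whether to reserve a safety margin or to rely on traffic statistics) can be made concrete with a small planning check. The following Python is an added example, not code from the article or from IHSE; the raster parameters, the 10 Gbit/s uplink, the office background traffic figure and the 20 % safety margin are constructed assumptions, and the uncompressed-video rate is the worst case against which a dedicated system guarantees bandwidth.

```python
"""Capacity check for KVM video streams sharing an IP uplink.

Added example (not from the article or IHSE). All figures are constructed
assumptions: uncompressed 24-bit video, a 10 Gbit/s uplink, office
background traffic sharing the link, and a 20 % safety margin.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class VideoSource:
    """One KVM target's video stream, described by its raster parameters."""
    name: str
    width: int
    height: int
    fps: int
    bits_per_pixel: int = 24
    compression_ratio: float = 1.0  # 1.0 = uncompressed; 2.0 halves the rate

    def peak_mbps(self) -> float:
        """Worst-case stream rate in Mbit/s (every pixel of every frame sent)."""
        raw_bits_per_second = self.width * self.height * self.fps * self.bits_per_pixel
        return raw_bits_per_second / self.compression_ratio / 1e6


def assess_uplink(sources: Iterable[VideoSource], uplink_mbps: float,
                  other_traffic_mbps: float = 0.0,
                  safety_margin: float = 0.2) -> dict:
    """Sum the peak load of all sources plus any non-KVM traffic on the link.

    The link is flagged as congested when the total exceeds the uplink
    capacity minus the reserved safety margin, i.e. before the switch's
    congestion handling would start dropping packets.
    """
    kvm_mbps = sum(s.peak_mbps() for s in sources)
    total_mbps = kvm_mbps + other_traffic_mbps
    usable_mbps = uplink_mbps * (1.0 - safety_margin)
    return {
        "kvm_mbps": kvm_mbps,
        "total_mbps": total_mbps,
        "usable_mbps": usable_mbps,
        "utilisation": total_mbps / uplink_mbps,
        "congested": total_mbps > usable_mbps,
    }


def max_identical_sources(source: VideoSource, uplink_mbps: float,
                          other_traffic_mbps: float = 0.0,
                          safety_margin: float = 0.2) -> int:
    """How many streams like `source` fit on the uplink before the margin is spent."""
    usable_mbps = uplink_mbps * (1.0 - safety_margin) - other_traffic_mbps
    if usable_mbps <= 0:
        return 0
    return int(usable_mbps // source.peak_mbps())


if __name__ == "__main__":
    fhd60 = VideoSource("FHD 1080p60", 1920, 1080, 60)
    uhd60 = VideoSource("UHD 2160p60", 3840, 2160, 60)
    uplink = 10_000.0  # 10 Gbit/s uplink (constructed)

    for src in (fhd60, uhd60):
        print(f"{src.name}: {src.peak_mbps():.1f} Mbit/s peak")

    # Dedicated 10G uplink carrying three FHD targets: over the margin already.
    print("3 x FHD, dedicated 10G:", assess_uplink([fhd60] * 3, uplink))

    # Two FHD targets fit alone, but sharing the link with 2.5 Gbit/s of
    # office traffic pushes the same uplink into the congested zone.
    print("2 x FHD, dedicated 10G:", assess_uplink([fhd60] * 2, uplink))
    print("2 x FHD + office traffic:",
          assess_uplink([fhd60] * 2, uplink, other_traffic_mbps=2_500.0))

    print("FHD targets per 10G uplink with 20 % margin:",
          max_identical_sources(fhd60, uplink))
```

The `safety_margin` parameter is the trade-off the paragraph describes: set it to zero and the planner fits one more stream onto the same link, but any burst of non-KVM traffic then lands directly in the switch's congestion handling rather than in reserved headroom.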
Direct Connect Summary, SECURE CORE
+ Truly out of band with data signal and control signal separation
+ Immune to cyber-attacks by design
+ Single-source supply & service of the complete infrastructure
+ Signal interface and protocol variability
– Proprietary transport protocol
– Proprietary switches
– More difficult CAN/WAN access options
– Requires dedicated transmission lines/bandwidth due to guaranteed bandwidth
Once the number of endpoints exceeds what a single IP switch can serve non-blocking, the structure becomes more challenging. Essentially, based on the traffic volume expected from each connected application, the architecture of the overall IP switching fabric has to meet the needs by employing a variety of switches connected to each other. This is a particular challenge for larger systems.
IP based Summary
+ Standardized transport layer protocol and components
+ TCP/IP provides multiplexing architecture to efficiently use bandwidth => 1G-10G-40G-100G
+ Easier CAN/WAN access options
+ Individual Stream-Routing-Flexibility
– Truly out of band only when running on a separate physical network infrastructure, not a VLAN
– Dependency on properly configured (homogeneous) network infrastructure
– Vulnerability to cyber-attacks is inherent, as there is no separation of management signal and data signal; systems can be jammed and rendered inoperable without even considering leaking data
– Dependency on proper interplay of KVM and IP infrastructure, as there is no standard defined (configuration, firmware updates, default parameters)
Addressing Hypothesis 2
Cost is a key factor in any purchasing decision. Installing a KVM system requires connecting the target servers or PCs to the KVM switch as well as connecting the switch to the user stations. A dedicated KVM network burdens the system with the entire cost of this network. It is a compelling proposal to share this cabling infrastructure with other use cases. This mixed application would significantly lower the investment for the KVM system. As mentioned before, it would increase the complexity in network planning and configuration to avoid dropped mission critical packets due to unpredictable network usage by a large user group outside the KVM system.
To truly avoid this, a clear separation of the two networks is required. In this case, the cost-based selection comes down to the CAPEX of the actual KVM components (KVM switch and endpoint connections) and the maintenance of the system. In a dedicated system, the KVM system manufacturer is responsible for ensuring and testing compliance whenever software functionality upgrades or updates are installed. In case the end-user customer wishes to exploit volume discounts from a preferred IP switch vendor, compatibility testing lies with the end-user customer. Cisco's Nexus 4001I switch, for example, received 8 upgrades/updates in the last 5 years. That equates to 1.6 compliance tests of the KVM system per year, needed either to keep the infrastructure up to date (an outdated switch might become vulnerable to cyber-attacks) or to ensure that previous configurations still achieve satisfactory results in high-load situations.
Locking the IP switch brand to the one recommended by the KVM manufacturer eliminates the cost advantage of volume IP gear discounts. In order to properly compare the cost of different KVM systems, it is strongly advised to assess the required CAPEX at the time of purchase, to estimate the annual cost of operations (OPEX), and to calculate the total cost of ownership (TCO) for a typical KVM system operating period of seven to ten years.
Addressing Hypothesis 3
Security: assess your hierarchy of needs.
As mentioned before, the growing number of cyber-attacks has changed the classification of what is important in a country or local area of responsibility. The emergence of critical infrastructures is clearly driving public awareness of the need to guard the security of the control centers managing this infrastructure, and it has also made the public more attentive and raised its expectations of the efforts undertaken to protect its well-being.
Critical infrastructures are those essential to maintaining the orderly functioning of public life. While previously this applied to physical security ensured by public safety organizations and eventually the military, it now also applies to those networks that are essential for the functioning of our society. As a result, electrical energy production and distribution are now considered critical. The same applies to the distribution of clean drinking water, which in turn depends on the availability of electrical power to run pumps.
As we begin to realize how interdependent our world is, including transportation and traffic management, the definition of critical infrastructures makes total sense. From a commercial perspective, a chemical company may not be considered critical, however a catastrophic control failure may lead to hazardous emissions. And even when your business does not pose hazardous threats, a number of processes are most likely vital for success and survival of the company. As such, they are mission critical for anyone installing a KVM system to control the production or distribution processes.
Once the risk class is understood, technical precautions have to be selected and implemented accordingly. Can the network be shared with non-critical applications? How can these applications be clearly separated and secured in terms of infrastructure components, operating systems, protocol stacks, payload encryption or control data encryption? IP systems rely on physical network connectivity and enable a logical separation of different classes of service. To ensure a secure environment, all applications need to be understood, properly configured and never compromised by shortcuts (e.g. the USB stick brought from home, or an unapproved/unconfigured switch added to extend capacity "for a short test"). These temptations have to be anticipated and addressed technically, as well as by making users aware of the potential risks.
Another solution is of course to select a dedicated, line-switched system that does not offer such vulnerabilities.
Addressing Hypothesis 4 and 5
Whether you are entrusted with the well-being of the population of your country or the seamless operation of a production plant, it is wise to carefully assess your needs in terms of network security and the operational implications. ISO 27000 attempts to provide a step-by-step process to help IT teams manage the mission-critical infrastructure of a company. It is also expected that ISO 27000 will become for critical infrastructure what ISO 9000 was for commercial businesses.
"The world is being divided into those who know they are being hacked and those who don't. However, everybody is subject to being hacked." Once you acknowledge this inescapable truth, which I learnt during the presentation of a datacenter manager several years ago, you know you have to take the necessary precautions to shield your system against hacking that exploits unidentified operating system loopholes sold on the darknet.
As mentioned above, take a step back and look at the security challenge holistically. Saving cost becomes irrelevant in the situation of a catastrophic failure. Many penetrations occur through human error and ill-guided attempts to take shortcuts. The following diagram is terribly complicated, I agree. But it offers a checklist and a framework to assess risks and implement measures to mitigate them. Many technical conclusions render separated cable networks and infrastructure components the only viable solution to protect assets.
Addressing Hypothesis 6 and 7
A ubiquitous protocol like IP attracts a large user base and device population. Even in critical infrastructures like electrical power grids, metering devices and smart grid controllers will rely on IP connections to perform their duties. Shielding the control room from malicious upstream data traffic is key. In order to remain in operational control, the control room KVM system has to remain intact and operable at all times. The firewall/gateway between the KVM-operated control system and the many devices and applications is of paramount importance, and it is extremely hard to maintain in mixed-usage scenarios where, for example, office and process networks share the same infrastructure.
While dedicated systems have a clear relationship between the physical cabling network and the carried payload application data, IP systems require physical connectivity plus a logical separation of networks. This requires strictly IT-based thinking. Additionally, it requires legacy knowledge of the application or production process and, going forward, an increased sensitivity for security measures and a relentless enforcement of them.
Always start with the application and the process. The KVM solution should make production easy, safe and cost-effective over the entire life of the system. Connectivity into the IP world is a mandatory prerequisite. Before installing an IP-based system, assess risks, vulnerabilities and cost of ownership as derived from the business needs, not the other way around.
If you would like to discuss TRUE KVM with me in more detail, please leave a comment, send me a message or contact our technical support or sales teams at an IHSE office near you. We are here to help you get the most out of your KVM system.