Back to Home

Physical Protection of ICS from VPN and Algorithms

The article analyzes trust levels in cybersecurity solutions for ICS based on physics, mathematics, and algorithms. Proposes the attack surface metric S_attack with dynamic dt coefficient for vulnerability management. Recommends data diodes and L1 breakers.

Why VPN Won't Protect ICS: Physics and dt Management
Advertisement 728x90

Physical Protection Mechanisms for ICS: From Algorithms to Controlled Attack Surface

In Industrial Control Systems (ICS), trust in cybersecurity measures is built on fundamental mechanisms: physical principles, mathematical theory, and algorithms. VPNs and firewalls rely primarily on algorithms with low trust levels due to the absence of real-world testing. Quantum encryption devices and data diodes use physical barriers, providing higher protection against external threats.

Sources of Trust in Technical Systems

Trust in equipment is established through scientific validation, real-world testing, and periodic diagnostics. In aviation, this includes strength calculations, static destruction tests, and inspections. Similarly, automatic protections in electrical panels are verified by factory tests and maintenance.

In ICS cybersecurity, real-world testing of algorithms is impossible: you cannot feed all combinations of anomalous packets to a firewall or VPN gateway. Relay protection systems in the energy sector are tested on physical simulators with real currents, which is not available in network security.

Google AdInline article slot

Classification of Cybersecurity Solutions by Mechanisms

Hardware and software-hardware complexes for ICS are divided into classes with different trust levels:

| Product | Physics | Mathematics | Algorithms | Total |

|----------------------|--------|------------|-----------|-------|

Google AdInline article slot

| Firewall | — | — | -3 | -3 |

| VPN Encryption Device| — | +1 | -3 | -2 |

| Quantum Encryption Device| +3 | +1 | -3 | +1 |

Google AdInline article slot

| Data Diode | +3 | — | — | +3 |

| L1 Disconnector | +3 | — | — | +3 |

Physical principles provide the maximum (+3), since without hardware access, an attack is impossible. Mathematics (+1) is theoretically provable, but implementation is vulnerable. Algorithms (-3) carry risks of errors and backdoors.

Attack Surface Metric S_attack

To assess the vulnerability of ICS to external threats, an attack surface is introduced at levels L1–L4 of the OSI model:

$$ S_{attack} = \sum_{nodes} node_{weight} \left( \sum_{physical ports} port_{weight} \left( \sum_{TCP/UDP ports} software_{port_{weight}} \right) \right) $$

  • node_weight: criticality of the device (e.g., PLC — high).
  • port_weight: significance of the physical interface.
  • software_port_weight: vulnerability of the service (e.g., RDP — critical).

Only external ports are considered.

Dynamic Management with Coefficient dt

Remote access to ICS is rarely required — about 50 hours per year. We introduce a binary coefficient dt ∈ {0,1}, reflecting the presence of a physical connection:

$$ S_{attack} = \sum ( node_{weight} \left( \sum ( dt \cdot port_{weight} \cdot \sum software_{port_{weights}} ) \right) ) $$

Advantages:

  • dt=0: port is physically disconnected, attack surface is minimal.
  • dt=1: conscious risk for diagnostics or configuration.

Devices for Implementing dt

  • Data Diodes: dt is always 0, unidirectional data transmission at the physical level. Suitable for monitoring, but not for control.
  • Ethernet L1 Disconnectors: physically disconnect/switch the channel on demand. Combined with VPN for controlled access.

Key Takeaways

  • Physical mechanisms (L1 disconnectors, data diodes) provide the highest level of trust without dependence on algorithms.
  • VPN reduces the attack surface only partially; without dt, the risk remains high.
  • Managing dt allows minimizing vulnerability 99% of the time without losing functionality.
  • Combine product classes: physics + mathematics for multi-layered ICS protection.
  • Real-world testing of cybersecurity algorithms is impossible — rely on proven physical barriers.

ICS protection architecture requires a balance of mechanisms. VPN cannot replace physical control, but paired with an L1 disconnector, it provides a controlled attack surface.

— Editorial Team

Advertisement 728x90

Read Next