Zajištění bezpečnosti v sítích dispečerského řízení a sběru dat … · 2016-05-17 · Ing. Radek Sazama SAFY Global s.r.o. Výhradní distributor společnosti Radiflow

Ing. Radek Sazama

SAFY Global s.r.o.

Výhradní distributor společnosti Radiflow pro Českou

a Slovenskou republiku

Zajištění bezpečnosti v sítích

dispečerského řízení a sběru dat

(SCADA)

technologií RadiFlow

© Copyright 2015, Radiflow Ltd.

The market – Securing the Industrial IoT

-2-


Radiflow - Overview

• Utilities deploy modern Distributed Automation devices

connecting Remote locations over large-scale IP networks

• Exposing Critical applications to Cyber Security Attacks

-3-

Radiflow provides Cyber Security solutions

for Critical Distributed Automation networks


Growing Install-base

-4-


Growing rate of cyber-attacks on SCADA systems

-5-


… and the industry is finally waking-up

-6-


Control center

PLC PLC

OT network

Attack Vectors on Critical Distributed Automation

Computer

Malware

Man in-the

Middle

Rogue

Device

Abused

Access

Need to validate the M2M and H2M sessions

http://www.google.co.il/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=zzGHcCyxA-NmEM&tbnid=YIAQh40sTqyyhM:&ved=0CAUQjRw&url=http://greymousecloud.com/content/network-operations-center&ei=OwXIUY_YNIGntAbZnYH4Cg&psig=AFQjCNHY1V1AmtWP-9uyotNN5Q41Wvcgdw&ust=1372149393692937

http://www.google.co.il/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=zzGHcCyxA-NmEM&tbnid=YIAQh40sTqyyhM:&ved=0CAUQjRw&url=http://greymousecloud.com/content/network-operations-center&ei=OwXIUY_YNIGntAbZnYH4Cg&psig=AFQjCNHY1V1AmtWP-9uyotNN5Q41Wvcgdw&ust=1372149393692937


Securing the Distributed SCADA operations

Defense MethodAttack Vector

SCADA Deep-Packet-Inspection to block

unauthorized traffic from the SCADA server

Malware in the SCADA

Computers

IPS/IDS (Intrusion Prevention/Detection) for

behavioral analysis of distributed automation

Compromised Field

Device

Encrypted VPN tunnels over the untrusted linksMan in the Middle

Restricted access to the critical assets using user-

based and task-based policies

Excess Access Rights in

Remote site

-8-


Radiflow Products

Secure

Gateway / TAP

• Distributed inline/TAP• SCADA DPI Engine• VPN

IDS & NAS

Server

• Central Server• Monitor network traffic• Network-Access-Control

Security Software

Packages

• SCADA White-listing• SCADA Anomaly Detection• Task-based Access-control• Physical-Cyber integration


Integrated Physical & Cyber security

• Distributed SCADA IPS in each site

• Correlation with physical security systems

for dynamic user authentication

• Validate per-user SCADA operations

• Integration with central SIEM tool

-10-

Restricted user operations in the Cyber corridors

of Distributed automation networks


VPN over public network

-11-© Copyright 2014, RADiFlow Ltd.

• Connecting private sub-networks over a public network

• Remote site connection using Hub & Spoke GRE tunnels

• IP Sec used to encrypt the GRE tunnels

• Certificates used to authenticate remote parties

• L2 or L3 VPN modes available

Cell site

ISP #1

NAT

router

Cell site

ISP #2

Primary

SIM

Secondary

SIM

ACTIVE

OFFINTERNET

IPSec tunnel

IPSec tunnel


Security solution validated by US Research Labs

• Role Based IPS/IDS for SCADA Protocols

• Securing Data Traffic (Legacy or IP)

• Secure Authentication

• Persistent, Reliable Logging

-12-


3180 – Secure Utility Gateway


• 8/16xETH 10/100BaseT

• 4xRS-232

• Dual-SIM 2G/3G Cellular modem

• 2+2 Discrete I/O

• ETH switching & IP routing

• SCADA security tool-set

• SCADA Gateway


Portfolio Overview

• Industrial design

• Modular DIN rail switches (7 I/O slots) or Compact system

• Harsh environment - IP30, - 40 ÷ +75° C, IEC 61850-3 EMI

• ETH or RS-232/RS-485 serial interface modules

• Networking

• Advanced Ethernet switching and IP routing functionality

• Serial Tunneling or Service translation

• Physical Interface :

• Copper – Fast Ethernet / Gigabit Ethernet

• Fiber – Single Mode / Multi Mode.

• Cellular – GPRS /UMTS

• Integrated security mechanisms

• MAC/IP filtering per port

• Distributed app-aware firewall

• Remote access and Inter-site connectivity

© Copyright 2015, RADiFlow Ltd.-14-

1031

3180

3700


Secure Utility Gateway - 1031

• Interfaces

– 1xETH 10/100BaseT

– 1xETH100/1000 SFP (second phase)

– 1xRS-232/RS-485 + 1xRS-232

– Dual SIM 2G/3G Cellular modem

– 2+2 Discrete I/O

• Dimensions (HxWxD) [mm] - 110x45x120

-15-


Secure Utility Gateway - 1031

– Dynamic & Static Routing

– Transparent Serial Tunneling

– Terminal Server

– SCADA Gateway

– SCADA Firewall

– L2 VPN

– L3 VPN

– IPSec

– NAT

– OSPF

– RIP

– Protection of dual SIM

-16-

– L3-24 ACLs

– Telnet Server & Client

– SSH Server & Client *

– NTP*

– Counters and Statistics

– LEDs

– TFTP /SFTP*

– Discrete Channels

– Auto Crossing

– Auto Negotiation

– Time conditioned reload

– Ping

– Rmon*


Messageboard

Model-Based IDS/IPS

• Learns the network and builds a model of network behavior:

o Connections between stations

o Network hierarchy (Servers and clients, controllers and IO devices)

o Sequence of commands, Memory and IO access, etc

o Commands rates

• Anomaly detection compared to baseline

• Network info collection

• Distributed TAPs

• Our gateways

• Interface to network taps/firewalls and SIEM tools

• Intuitive GUI

http://www.google.co.il/url?url=http://www.remigroup.com/motors/product.html&rct=j&frm=1&q=&esrc=s&sa=U&ei=4sWGVP2zC8yzUZzPgoAI&ved=0CDMQ9QEwDzgU&usg=AFQjCNGTsPCLhU-FY6YzeZrWUsTCqQgTIw

http://www.google.co.il/url?url=http://www.remigroup.com/motors/product.html&rct=j&frm=1&q=&esrc=s&sa=U&ei=4sWGVP2zC8yzUZzPgoAI&ved=0CDMQ9QEwDzgU&usg=AFQjCNGTsPCLhU-FY6YzeZrWUsTCqQgTIw


Anomaly Detection

• Learning the Network Topology: Devices, Links

– Detecting new devices

– Detecting topology changes

• Learning device Sampling time

• Passive Machine Profiling

– Detecting out-of-order commands

– Detecting PLC scanning attacks

• Detecting abnormal memory access to devices

• Preventing un-authorized Firmware upgrade.

-18-


Measuring Operational Behavior

• Focusing on communication problems

• Detecting abnormal Delays in the link.

• Detecting abnormal rate of packet dropping.

• Detecting abnormal rate of retransmit

-19-


Integrated security in a Ruggedized switch

-20-

Multi-

Service

Resilient

Network

Ruggedized

System

Secure

Access

Service

Validation

Service

ManagementOperational Simplicity

Defense-in-depth solution

Solid infrastructure

© Copyright 2015, RADiFlow Ltd.


SCADA Behavioral

Detection Server

Secure Utility

Gateway/Router

SCADA

IPS/IDS

RADiFlow Portfolio Evolution

Physical & Cyber

Integration

Identity

Management


Focus Applications

• Power T&D (Smart-Grid, Sub-station automation)

• Smart-City, Safety and Security

• Intelligent Transportation (Railways, Highways)

• Drilling and Pipelines (Water, Oil & Gas)


Case Study – Substation secure gateway

-23-


Case study – Securing Renewable plants

-24-


Case Study – Consolidated Smart-Grid network

• Mix of fiber and cellular backhauling

• Regulation for Separate VPNs for AMI and DA

-25-

• Implementation highlights− Service-aware VPN functionality

− SCADA firewall

− Fiber or cellular uplinks

− Service-aware QoS for cellular

network

− Serial interfaces with protocol gateway

− Zero-touch provisioning for mass

deployment



Case study – Resilient Smart-Grid network

• 2 mobile operators, switch-over based on:

– RSSI degradation

– PPP keep-alive

– Periodic ICMP ping

– Auto restart watch-dog option

• Redundant backbone routers

– DMVPN implementation

– RIP routing protocol

• Gradual evolution to fiber backhauling where possible

• Cyber security considerations

– IPSec VPN using AES256 encryption with X.509 key management

– Future distributed SCADA firewall for DA services



Case-study – Gas drilling sites

-27-

• Remote management from LA control center to ND

drilling sites

– Connecting RTUs and CCTV from each site

• Main access via private fiber ring + leased-line with

backup over cellular

– Data Encryption over public network

– Validation of SCADA ModBus sessions

– Network resiliency – Fiber and Cellular

– Ruggedized system with Serial, ETH and PoE ports

Public Carrier



Smart-City network infrastructure

• Compact ruggedized switch for smart-city cabinets

– Ethernet with PoE for CCTV

– Serial and discrete I/O ports for simple

automation devices

– Cellular modem for zero-investment

deployment

• Integrated security mechanisms

– IPSec VPN for public network

– SCADA firewall for automation devices

• Integration with Security control center

-28-

Traffic Control

Messageboard

Smart-City

cabinet

CCTV

Control

Center



Summary

• Modern distributed automation applications use IP networks

– Intra-network security is mandatory

• Radiflow Service-aware Industrial security solution

– Unique distributed service-aware IPS/IDS

– Integrated defense-in-depth tool-set

– Optimize CapEx and OpEx

-29-

For more details:

www.safy.cz

www.radiflow.com

mailto:[email protected]

http://www.radiflow.com/

Documents

Zajištění bezpečnosti v sítích dispečerského řízení a sběru dat … · 2016-05-17 · Ing. Radek Sazama SAFY Global s.r.o. Výhradní distributor společnosti Radiflow