- 1. Holistic Security for Critical Infrastructure
Ilan Barda
SCADA Security conference
November 2014, Brasil
- 2. RADiFlow - Overview
•Utilities deploy modern Distributed Automation devices connecting Remote locations over large-scale IP networks
•Exposing Critical assets to Cyber Security Attacks
© Copyright 2014, RADiFlow Ltd.
RADiFlow provides cyber security solutions
for critical distributed automation networks
- 4. Cyber Security deployments are lagging
•Multiple cases of breaches in critical infrastructure
•Multiple studies identified the critical gaps in cyber security
•There is a great deal of hype, discussion and interest
•… but deployments are lagging
–Lack of strict regulations
–Lack of financial incentives
–Lack of blue-print solutions
- 5. Current OT Cyber Security practices
•A separate operations network is not necessarily secure
•L2/L3 security is not sufficient
–IP spoofing
–VLAN hopping
•Security in the control-center can be bypassed
–Field to Field attack
–Man-in-the-Middle attack
“smart grid cyber-security guidelines did not address an important element… risk of attacks that use both cyber and physical means”
Electricity Grid Modernization; Report to Congressional requesters, US GAO, January 2011
A Holistic Security Solution is Required
- 6. Protecting Distributed SCADA from Insider Attacks
Attack vector
• Control-Center malware
• Field-site breach
• Man-in-the-Middle
• Maintenance access
Security Measure
• Service-aware firewall
• Distributed firewalls
• Encryption
• Identity Management
[Diagram: Control Center (HMI, Engineering Station) connected to Facility1 (Controller1 with Dev1.1, Dev1.2) and Facility2 (Controller2 with Dev2.1, Dev2.2)]
- 7. Distributed IPS for ICS networks
• Per-user role-based validation of SCADA sessions
– Applied to both IP & Serial devices
• Deployment next to each end-point
– Inline IPS or Virtual IDS
• End-to-End support logic
– Intuitive provisioning based on auto-learning
– Event log with SOC tools integration
[Diagram: packet layout inspected by the IPS – Ethernet & IP header | Protocol header | Function code | Function parameters]
- 8. Firewall use-case – Power meter logic
•A field attack from a Smart-Grid site on other sites
•The SCADA firewall permits all monitoring commands
[Diagram: Data Center and Control Center connected to the Smart-Grid sites]
- 9. Firewall use-case – RTU software update
•The technician laptop infects the Engineering station in the control center
•The Engineering station downloads new software to the field RTUs
•Distributed SCADA firewall blocks access to the firmware address-range
•A Stuxnet-like scenario can be prevented
[Diagram: Technician laptop connected to the Eng. Station in the Control Center; Control Center connected to a Sub-Station (S.S. RTU, IEC61850 IEDs) and a Facility RTU]
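The role-based validation of SCADA sessions (slide 7), the read-only power-meter policy (slide 8) and the firmware address-range block (slide 9), shown as one added Python example; this is not RADiFlow's code, and the role names, the policy table and the firmware register range are assumptions made for the example.

```python
import struct

# Standard Modbus function codes grouped by their effect on the device
READ_FCS = {1, 2, 3, 4}       # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16}    # write single/multiple coils or registers

# Constructed policy (hypothetical): role -> permitted function codes
ROLE_POLICY = {
    "monitoring": READ_FCS,                # power-meter polling: reads only
    "engineering": READ_FCS | WRITE_FCS,   # engineering station: may also write
}
FIRMWARE_RANGE = range(0x1000, 0x1100)  # assumed firmware-download registers (placeholder)

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and the start of the PDU; ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    fc, body = frame[7], frame[8:]
    req = {"tid": tid, "unit": uid, "fc": fc, "start": None, "count": None}
    if fc in (1, 2, 3, 4, 15, 16) and len(body) >= 4:
        req["start"], req["count"] = struct.unpack(">HH", body[:4])
    elif fc in (5, 6) and len(body) >= 4:   # single write: address + value
        req["start"], req["count"] = struct.unpack(">H", body[:2])[0], 1
    return req

def decide(role: str, frame: bytes) -> tuple:
    """Role-based DPI verdict on one request: ('allow' | 'deny', reason)."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    if req["fc"] not in ROLE_POLICY.get(role, set()):
        return "deny", f"fc {req['fc']} not permitted for role {role!r}"
    if req["fc"] in WRITE_FCS and req["start"] is not None:
        touched = range(req["start"], req["start"] + req["count"])
        if any(addr in FIRMWARE_RANGE for addr in touched):
            return "deny", "write overlaps firmware address range"
    return "allow", f"fc {req['fc']} permitted for role {role!r}"

def build_frame(tid: int, uid: int, fc: int, start: int, count_or_value: int) -> bytes:
    """Constructed Modbus/TCP request (fc 1-6 and 16) used to exercise the filter."""
    body = struct.pack(">HH", start, count_or_value)
    if fc == 16:  # write multiple registers: byte count + zeroed register data
        body += bytes([count_or_value * 2]) + bytes(count_or_value * 2)
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu
```

A write of four registers starting at 0x0FFE is denied because it overlaps the assumed firmware range, while the same write limited to two registers is allowed.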
- 10. Physical & Cyber security – Integrated solution
•Correlate SCADA access rights to physical access-control indications
•Validate user operations using DPI of SCADA commands
•SCADA DPI integrated in field routers enabling distributed IPS deployment
•Automatic learning of the normal traffic patterns of SCADA application
•Integration with SIEM tool for roles provisioning and activity log
Restricted user operations in the cyber corridors of Distributed automation networks
- 11. Physical & IT & OT security – Integrated solution
Correlation of security events across PACS, IT and OT for detecting APT patterns
[Diagram: PACS, Active Directory and OT event sources feeding the correlation]
- 12. Integrated security in a Ruggedized site gateway
[Diagram: site gateway building blocks – Multi-Service Resilient Network, Ruggedized System, Secure Access, Service Validation, Service Management; benefits: Operational Simplicity, Defense-in-depth solution, Solid infrastructure]
- 13. Security solution validated by US Research Labs
•Role Based IPS/IDS for SCADA Protocols
•Securing Data Traffic (Legacy or IP)
•Secure Authentication
•Persistent, Reliable Logging
•Integration with SOC tools
- 14. Focus applications
•Power T&D (Smart-Grid, Sub-station automation)
•Smart-City, Safety and Security
•Intelligent Transportation (Railways, Highways)
•Drilling and Pipelines (Water, Oil & Gas)
•Out-of-Band Maintenance (Telco, CATV)
- 15. Case Study – Sub-station LAN
[Diagram: Primary Sub-Station LAN with Router + Firewall 1 and Router + Firewall 2 in VRRP high availability, uplinks to MPLS PE 1 and MPLS PE 2; attached Power Monitoring, Serial RTU and VoIP GW]
•IEC61850-3 compliant switch/router
•IEC104/61850 Firewall
•Inter-site IPSec VPN
•Integration with PSIM
[Diagram continued: MPLS Carrier 1 Backbone and MPLS Carrier 2 Backbone, ETH RTU, CCTV]
- 16. Case Study – Consolidated Smart-Grid network
•Mix of fiber and cellular backhauling
•Regulation for Separate VPNs for AMI and DA
•Implementation highlights
–Service-aware VPN functionality
–IEC101/104 SCADA firewall
–Fiber or cellular uplinks
–Service-aware QoS for cellular network
- 17. Smart-City network infrastructure
•Compact ruggedized switch for smart-city cabinets
–Ethernet with PoE for CCTV
–Serial and discrete I/O ports for simple automation devices
–Cellular modem for backup
•Integrated security mechanisms
–IPSec VPN for public network
–ModBus Firewall for automation devices
•Integration with PSIM in control center
[Diagram: Smart-City cabinet with Traffic Control, Message board and CCTV connected to the Control Center]
- 18. Case Study – Highway automation & monitoring
[Diagram: Central site with 1588 clock, Rings 1–6 to Remote sites hosting Traffic control, Security cameras, Tetra base stations and Message boards over RS-232/485; PoE, 1588 clock sync and QoS shown per ring]
• Large-scale transportation control applications require
– Scalable & resilient network architecture
– Mixture of Ethernet, Serial & Discrete devices
– ModBus firewall for critical automation services
– PoE support for CCTV cameras
– IEEE 1588v2 support for radio synchronization
- 19. Case-study – Gas drilling sites
•Remote management from across the US
–Connecting RTUs, CCTV and user LAN from each site
•Main access via private fiber ring + leased-line with backup over cellular
–Data Encryption over public network
–Validation of SCADA ModBus sessions
–Network resiliency – Fiber and Cellular
–Compact Ruggedized system with Serial, ETH and PoE
[Diagram: drilling sites connected over a Public Carrier network]
- 20. Case-study – Out-of-Band maintenance
•Operators need to establish new remote POPs
–CATV, FTTH, Satellite, Campus WiFi, LTE micro-cell
•Normal management uses the in-band network
•Out-Of-Band management uses alternative physical media
Cost-effective Out-Of-Band connectivity
–NO need for wired infrastructure
–EASY ESTABLISHMENT over LTE/3G
–RESILIENT CONNECTIVITY by 2 SIM cards
–SECURE connections by IPSec and Firewall
–LAN PORTS for seamless LAN connectivity
–TERMINAL SERVER for CONSOLE PORT
–DISCRETE IO for alarm forwarding
[Diagram: Control Center reaching Network Elements via In-band Management and via a Separate Out-Of-Band Network for Out-Of-Band Management]
- 21. Summary
•Modern critical infrastructure deployments use Ethernet
–A holistic security solution is mandatory
•RADiFlow Secure communication solution
–Unique distributed service-aware firewall by the network
–Integrated defense-in-depth tool-set
–Optimize CapEx and OpEx
For more details:
info@radiflow.com
www.radiflow.com