A Community of Practice 
A natural way of building 
Tuesday August 27, 2014
Vision 
To create a mass movement that will transform how security is designed in and how the management of intelligent devices operates within a common operating environment. 
Mission 
To build a community of practicing professionals who are 
committed to achieving end to end security within the 
ecosystem of all critical infrastructure by shaping the 
security fabric reference architecture as an interoperable 
system of systems. 
“Community of Practice” 8/27/2014, slide 2
Our strategy is to provide certified interoperability 
to the key devices controlling the grid. 
All points must connect to each other in an 
end-to-end system. 
Our solution would be embedded at each critical point in the energy infrastructure. 
Management Agents
Introduction to the 
Security Fabric Alliance 
The Security Fabric Alliance is a working association dedicated to practical deployment of the power grid and critical infrastructure complex system solution in the United States: 
• Utilities and telecommunications providers 
• Systems integrators 
• Manufacturers 
• Technology partners 
• National certification and interoperability entity 
The alliance is intended to give the CEO of a utility the purview of 
up-to-the moment knowledge of the options available to make 
wise investment decisions regarding infrastructure deployment 
for optimal returns. 
Variations of the solution are oriented to large, medium, and small utilities. 
Semantics 
• Security Fabric Products 
• Security Fabric Architecture 
• Security Fabric Alliance 
The embedded security system solution is 
composed of an interlocking arrangement of 
framework options 
The framework of embedded system components 
that provide the basis for end-to-end security and 
remote device management 
The Security Fabric Alliance is an informal collection of companies, organizations, and individuals that have, through discussion, designed a conceptual reference architecture called the “Security Fabric”.
These are the seven tenets of security as described in the NIST-IR 7628 Guidelines. 
1. Identity Management – Ensures the device identity is established genuinely 
2. Mutual Authentication – Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other. 
3. Authorization – Manages permission to proceed with specific operations. 
4. Audit – Records noteworthy events for later analysis 
5. Confidentiality – Encrypts sensitive data for matters of privacy. 
6. Integrity – Ensures that messages have not been altered. 
7. Availability – Prevents denial of service attacks 
To establish secure communications from the Controller to the Device Node using the Security Fabric elements, you need to do all seven… not just some.
SFA Reference Builds 
The OMG is planning to standardize the Security Fabric for all critical infrastructure. 
The OMG process is more about establishing markets as opposed to just setting standards. 
Certification of Conformance & Interoperability
There are many participants at different levels 
in the Security Fabric Alliance. 
Utility Integration Research 
Customers 
• Integrated Architectures – SEIT 
• MACE Fusion - DoD 
• Kryptos Logic – Red Team Certification 
• M2M Dynamics 
• Drummond Group – C&IT 
• Intel Security - Distribution 
Subsystems Products Components 
• Intel – servers with Quark + TPM 
• Wind River – Security Connect 
• Middleware 
• RTI – DDS 
• GridStat 
• Indra - iSpeed 
• MultiSpeak 
• TeamF1 – Secure Communications 
• Secure Crossing – Protocol Whitelisting 
• PsiNaptic – Secure Service Distribution 
• SNMP Research – SNMP Agent 
• Freescale – HSM w/Vybrid SoC 
• Xilinx – CompactRIO SOC 
• Green Hills Software - INTEGRITY 
• Altera - tamper proofing 
• Microsoft – Active Directory 
• Red Hat – Auth Hub 
• General Electric – EMS 
• Alstom Grid – EMS 
• Viridity Energy – DR + DER + Microgrid 
• Energy One 
• Lemko – LTE systems 
• Intel Security – SIEM + GTI 
• Intel – Encanto + silicon support 
• Sypris – Supply Chain Root of Trust 
• TCIPG 
• EPRI – CIM Standards 
• MIT – Security & Privacy Standards 
• EPG – Phasor Data Portfolio 
• GridSense – NAN & Line Sensors 
• S&C IntelliTeam 
• SafeNet – Secure Key Management 
• Heart - Transverter 
• Freescale One Box 
• Cisco Cloud-in-a-Box 
…First Stage… 
• ERCOT 
• ONCOR 
• AEP 
• NRECA 
• NRTC 
Suppliers 
• Verizon 
• Level3 
• AT&T 
• Internet2 
• BT 
• ViaSat 
• Comcast 
• ARINC 
• Stratus 
• Symmetricom 
…Second Stage… 
• APPA 
• SDG&E 
• PJM 
• NYISO 
• Southern Company 
• Duke Energy 
• CAISO 
• Pecan Street 
• Mueller Community 
• Pike Powers 
• PNNL – CyberSecurity Test Center 
• Lincoln Labs 
• OMG SIG 
• Industrial Internet 
Managed Services 
• Tazca – Connect 
• CSG International 
• Digi International 
• N-Dimension 
• SETI 
• Lockheed Martin 
• SAIC 
• Threat Connect
What is being asked for is a secure system of systems that blankets the complexity and delivers it autonomically. 
[Diagram: Security Fabric – Interoperable, Embedded, Distributed.] 
This is the embedded side of the operation in addition to the companion enterprise side.
Separation of the Industrial Internet 
from the Generic Internet 
[Diagram: the Core Network separates the Generic Internet (Carrier Ethernet with routing) from the industrial side by DWDM isolation. Industrial side: core city cooperative control center nodes, enterprise systems, industrial devices; substation nodes (Router+, substation controller, Router+, Carrier Ethernet isolation); HAN nodes behind a Transverter gateway; NAN nodes over wireless LTE (700 MHz?) and wireless LTE picocell (2.5 GHz?); sensors.] 
We will eventually use 
a combination of DWDM separation 
plus Carrier Ethernet separation.
The policy logic is actually spread to each major active element. 
[Diagram labels: Understanding; Information; Decision; Data in – Action out.] 
But sometimes semi-autonomic policy decisions are made and executed in the field (at the small, the medium, and the large). 
MultiSpeak 
Initiative
The new Content Aware Firewall (Secure Crossing) needs to be aware of what is flowing through the pipe(s). 
[Diagram labels: Transport Plugins; Content Aware Firewall – Layers 4-6; IP Communications Stack – Layers 2-3; IPsec VPN; Ethernet Controller; UDPv4; UDPv6.] 
Data Routing Services deals with: 
• Connections 
• Sessions 
All packet prioritization and flow control are performed by Data Routing Services. 
The Content Aware Firewall deals with multiple layers and is state sensitive.
The Content Aware Firewall (Secure Crossing) needs to be aware of the Layer 6 socket-level interface, as well as the intended sessions that will be flowing over it at Layer 5, so that it can use UDP connections at Layer 4, so that it can use the IPsec VPN to control encryption on the transport. 
[Diagram labels: Content Aware Firewall – Layers 4-6; IP Communications Stack – Layers 2-3; IPsec VPN; Connections: UDPv6, UDPv4; Interface A; Interface B.] 
Sessions: 
• Kerberos Get Credentials + Tickets 
• Get Extended Credentials 
• Kerberos Mutual Authentication 
• Get Precision Time 
• Register for Management + Configuration Synchronization 
• Service Locator 
• Service Provider 
• Multicast Alert 
• Unicast Command 
• Event Notification 
• SNMP Get/Set 
• Application Event: Send and Receive: 
  • High Priority 
  • Medium Priority 
  • Low Priority 
The detailed requirements will be determined 
during the requirements assessment phase.
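The state-sensitive, whitelisting behaviour the slides describe for the Content Aware Firewall, as an added example in Go that is not code from the slides or from Secure Crossing: a deny-by-default filter that forwards only the listed session kinds, only inside the IPsec VPN, and only once the connection's Kerberos handshake has progressed far enough. The Message struct, the three connection states and the rule that commands, alerts and SNMP wait for mutual authentication are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
)

// SessionKind names a Layer 5 session carried over a Layer 4 UDP connection;
// the names are a subset of the interface list on the slides.
type SessionKind string

const (
	KerberosGetCredentials SessionKind = "Kerberos Get Credentials + Tickets"
	KerberosMutualAuth     SessionKind = "Kerberos Mutual Authentication"
	MulticastAlert         SessionKind = "Multicast Alert"
	UnicastCommand         SessionKind = "Unicast Command"
	SNMPGetSet             SessionKind = "SNMP Get/Set"
)

// ConnState is what the firewall remembers per connection (the "state
// sensitive" part): how far the Kerberos handshake has progressed.
type ConnState int

const (
	StateNew           ConnState = iota // nothing seen yet on this connection
	StateCredentialed                   // credentials and tickets obtained
	StateAuthenticated                  // Controller and Device Node verified each other
)

// Message is the firewall's view of one datagram: the Layer 4 connection it
// arrived on, the Layer 5 session it claims, and whether the IPsec VPN
// protected it on the wire. The struct is an assumption made for this example.
type Message struct {
	Conn      string
	Session   SessionKind
	Encrypted bool
}

var (
	ErrClearText      = errors.New("dropped: not carried inside the IPsec VPN")
	ErrNotWhitelisted = errors.New("dropped: session kind not on the whitelist")
	ErrOutOfOrder     = errors.New("dropped: session not allowed in this connection state")
)

// Firewall is a deny-by-default, session-aware filter: minState is the least
// handshake progress a connection needs before a session kind may flow, and
// any kind not listed is dropped (protocol whitelisting).
type Firewall struct {
	minState map[SessionKind]ConnState
	conns    map[string]ConnState
}

// NewFirewall encodes the assumed policy: only the Kerberos steps may run on a
// fresh connection; commands, alerts and SNMP wait for mutual authentication.
func NewFirewall() *Firewall {
	return &Firewall{
		minState: map[SessionKind]ConnState{
			KerberosGetCredentials: StateNew,
			KerberosMutualAuth:     StateCredentialed,
			MulticastAlert:         StateAuthenticated,
			UnicastCommand:         StateAuthenticated,
			SNMPGetSet:             StateAuthenticated,
		},
		conns: map[string]ConnState{},
	}
}

// Inspect decides whether one message may pass (nil means forward) and
// advances the connection state when the message is a handshake step.
func (f *Firewall) Inspect(m Message) error {
	if !m.Encrypted {
		return ErrClearText
	}
	need, ok := f.minState[m.Session]
	if !ok {
		return fmt.Errorf("%w: %q", ErrNotWhitelisted, m.Session)
	}
	have := f.conns[m.Conn] // a missing entry is the zero value, StateNew
	if have < need {
		return fmt.Errorf("%w: %q on %s (state %d)", ErrOutOfOrder, m.Session, m.Conn, have)
	}
	switch m.Session {
	case KerberosGetCredentials:
		if have < StateCredentialed {
			f.conns[m.Conn] = StateCredentialed
		}
	case KerberosMutualAuth:
		f.conns[m.Conn] = StateAuthenticated
	}
	return nil
}

// State reports what the firewall currently believes about a connection.
func (f *Firewall) State(conn string) ConnState { return f.conns[conn] }

func main() {
	fw := NewFirewall()
	// Constructed traffic: a command that arrives before the Kerberos handshake is dropped.
	fmt.Println(fw.Inspect(Message{Conn: "substation-7", Session: UnicastCommand, Encrypted: true}))
}
```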
There are servers and agents in the 
industrial environment.
How does the Security Fabric 
work?
Essentially, the Security Fabric is an end-to-end approach to things. 
The Security Fabric is a semi-autonomous embedded device management agent and communications protocol set along with a central system and network management subsystem that bring security and other controls to the embedded world. 
[Diagram: System & Network Management; Controller; Device; Device – The Security Fabric.] 
Let’s build this as if we were building a house.
There are obviously going to need to be several different devices involved. 
[Diagram: Controller; Device; Device.] 
Our agent will be hidden right beside the application. 
We want to add our security agent to each of them to do what we will do.
The devices need to be able to talk to each other securely, and trust each other on a limited basis. 
[Diagram: Controller; Device; Device.] 
This means that the solution will need to be a system as opposed to a piece part. 
Intel and McAfee Confidential 
The agents talk to one another in a resilient middleware. 
And all systems need to be administered relative to the configuration and policies that control them. 
[Diagram: System & Network Management; Controller; Device; Device – The Tailored Trustworthy Space.] 
These three ingredients are the soul of the Security Fabric. 
The Security Fabric follows the guidelines required by the NIST 7628 for the Department of Energy. 
[Diagram: System & Network Management; Controller; Device; Device – The Security Fabric.] 
The industry as a whole is applauding this solution.
We always start by separating the management control agent from the payload application. 
[Diagram: Managed Device – Device Application; Management.]
The management agent always uses defense in depth. 
[Diagram: Managed Device – Applications; Device Management; Secure Communications; Secure Storage; Policy Management; Personal Data Vault.]
Close-up on Partition Structure 
[Diagram labels: Security Management; Hypervisor; DDS Routing Services; Ethernet Controller; Policy Management; DDS Subagent; Device Application Threads; DDS Subagent; Connection; Operating System; Transport Plugins; Ring 1: Security – HSM Interface; Ring 2: Policy Management; Participant: Management Configuration & Route Mapping; Ring 1: Data Reader; Ring 1: Data Writer; Secure IP I/O Driver (UDPv4, UDPv6, GridStat); Intra-Device DDS Subagent Connection; Participant: Management; Ring 2: Data Reader; Ring 2: Data Writer; Change Management; Problem Management; HSM Interface; Kerberos Client + Session Key Management; Security Protocols; Policy Execution Environment.] 
Routing Services is our inter-system + intra-device middleware; the DDS Subagent controls the private paths between processes. 
What is really unfolding with the rise of the Internet of Things is the need for the Semi-Autonomous Policy Management Agent. 
Each of the four compositions of rulesets is administered centrally and released to the remote device securely. 
The rulesets contain profiles, provisioned data, and Java-based rules. 
All distribution bundles are signed and are subject to local attestation and transition control. 
[Diagram: Autonomous Policy Management Agent – IBM Autonomic Computing Model.]
The control of the smart grid is all about 
managing semi-autonomous devices. 
The Security Fabric is all about safely deploying this concept. 
The customer has to be able to delegate responsibility in small increments 
to the remote device to avoid the problem of unintended consequences.
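The signed-bundle, transition-control and local-attestation checks the slides list for the policy management agent, and the incremental delegation the last slide asks for, as one added Go example that is not the Alliance's or the project's code: the device verifies the central release signature, refuses replayed versions and out-of-sequence state transitions, and records a measurement of what it installed. The Bundle layout, the Ed25519 release key, the JSON encoding and the state names are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Bundle is one distribution bundle released centrally to a device: a ruleset's
// profile, provisioned data and rules, plus the state transition it is allowed
// to perform. The field layout is an assumption made for this example.
type Bundle struct {
	Ruleset     string            `json:"ruleset"`
	Version     uint64            `json:"version"` // must increase; 0 is never accepted
	FromState   string            `json:"from_state"`
	ToState     string            `json:"to_state"`
	Profile     string            `json:"profile"`
	Provisioned map[string]string `json:"provisioned"`
	Rules       []string          `json:"rules"`
}

// SignedBundle is what travels to the device: the serialized bundle and the
// central release key's Ed25519 signature over exactly those bytes.
type SignedBundle struct {
	Payload   []byte
	Signature []byte
}

// Sign serializes and signs a bundle with the central release key.
func Sign(priv ed25519.PrivateKey, b Bundle) (SignedBundle, error) {
	payload, err := json.Marshal(b)
	if err != nil {
		return SignedBundle{}, err
	}
	return SignedBundle{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

var (
	ErrBadSignature = errors.New("bundle rejected: signature does not verify")
	ErrReplay       = errors.New("bundle rejected: version not newer than installed")
	ErrTransition   = errors.New("bundle rejected: from_state does not match current state")
)

const initialState = "initial" // state of every ruleset before its first bundle

// Agent is the device-side policy management agent: it trusts one release key and
// keeps, per ruleset, the current state, the installed version and a measurement.
type Agent struct {
	releaseKey  ed25519.PublicKey
	state       map[string]string
	version     map[string]uint64
	measurement map[string][32]byte
}

func NewAgent(releaseKey ed25519.PublicKey) *Agent {
	return &Agent{releaseKey: releaseKey, state: map[string]string{},
		version: map[string]uint64{}, measurement: map[string][32]byte{}}
}

// CurrentState returns a ruleset's state, initialState if nothing was installed.
func (a *Agent) CurrentState(ruleset string) string {
	if s, ok := a.state[ruleset]; ok {
		return s
	}
	return initialState
}

// Apply checks, in order, the signature, replay (monotonic version) and the
// transition (the bundle must start from the state the device is actually in);
// only then is the ruleset installed and its measurement recorded.
func (a *Agent) Apply(sb SignedBundle) error {
	if !ed25519.Verify(a.releaseKey, sb.Payload, sb.Signature) {
		return ErrBadSignature
	}
	var b Bundle
	if err := json.Unmarshal(sb.Payload, &b); err != nil {
		return fmt.Errorf("bundle rejected: malformed payload: %w", err)
	}
	if b.Version <= a.version[b.Ruleset] {
		return fmt.Errorf("%w: %s v%d", ErrReplay, b.Ruleset, b.Version)
	}
	if cur := a.CurrentState(b.Ruleset); cur != b.FromState {
		return fmt.Errorf("%w: %s is %q, bundle expects %q", ErrTransition, b.Ruleset, cur, b.FromState)
	}
	a.state[b.Ruleset] = b.ToState
	a.version[b.Ruleset] = b.Version
	a.measurement[b.Ruleset] = sha256.Sum256(sb.Payload) // what local attestation reports
	return nil
}

// Attest reports the measurement of the installed bundle so the central system
// can confirm which release is really running on the device.
func (a *Agent) Attest(ruleset string) ([32]byte, bool) { m, ok := a.measurement[ruleset]; return m, ok }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed release key pair
	agent := NewAgent(pub)
	v1, _ := Sign(priv, Bundle{Ruleset: "policy", Version: 1, FromState: initialState, ToState: "staged"})
	fmt.Println("apply v1:", agent.Apply(v1), "| replay v1:", agent.Apply(v1))
}
```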
Designed in 
Security Discussion 
www.securityfabricalliance.org
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 

Sfa community of practice a natural way of building

  • 5. Semantics
  • Security Fabric Products: the embedded security system solution, composed of an interlocking arrangement of framework options.
  • Security Fabric Architecture: the framework of embedded system components that provides the basis for end-to-end security and remote device management.
  • Security Fabric Alliance: an informal collection of companies, organizations, and individuals that have, through discussion, designed a conceptual reference architecture called the "Security Fabric".
  • 6. These are the seven tenets of security as described in NISTIR 7628 (Guidelines for Smart Grid Cyber Security):
  1. Identity Management – ensures the device identity is genuinely established.
  2. Mutual Authentication – allows both the Device Node and the Controller to verify their identity to each other.
  3. Authorization – manages permission to proceed with specific operations.
  4. Audit – records noteworthy events for later analysis.
  5. Confidentiality – encrypts sensitive data for privacy.
  6. Integrity – ensures that messages have not been altered.
  7. Availability – resists denial-of-service attacks.
  To establish secure communications from the Controller to the Device Node using the Security Fabric elements, you need all seven, not just some.
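The Controller-to-Device Node exchange the slide describes, as an added example (not Security Fabric code) showing how several of the tenets interlock in one protocol run. Assumptions, all constructed for illustration: each device holds a pre-provisioned 256-bit key shared with the Controller (identity, tenet 1); both sides prove possession of that key with an HMAC challenge-response (mutual authentication, tenet 2); the Controller keeps a per-device permission table (authorization, tenet 3); every decision is appended to an audit list (tenet 4); commands carry an HMAC over a sequence number and payload so tampering and replay are rejected (integrity, tenet 6). Confidentiality (5) and availability (7) are deliberately not covered here: in a deployment this exchange would run inside the IPsec channel from slide 12, and the handshake would be rate-limited.

```python
"""Controller <-> Device Node exchange covering tenets 1, 2, 3, 4 and 6.

Added example with constructed keys and tables; not Security Fabric code.
"""
import hashlib
import hmac
import secrets

DEVICE_KEYS = {  # constructed provisioning data: device id -> shared 256-bit key
    "substation-controller-17": bytes.fromhex("00" * 31 + "01"),
}
PERMISSIONS = {"substation-controller-17": {"read-telemetry", "set-setpoint"}}
AUDIT = []  # tenet 4: every decision is recorded (append-only in a real agent)


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Controller:
    def __init__(self):
        self.sessions = {}  # device id -> last sequence number issued

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify_device(self, device_id, c_nonce, d_nonce, device_proof):
        """Tenets 1+2: check the device's proof, then return our own proof."""
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            AUDIT.append(("unknown-device", device_id))
            return None
        expected = _mac(key, b"device", device_id.encode(), c_nonce, d_nonce)
        if not hmac.compare_digest(expected, device_proof):
            AUDIT.append(("auth-fail", device_id))
            return None
        self.sessions[device_id] = 0
        AUDIT.append(("auth-ok", device_id))
        return _mac(key, b"controller", device_id.encode(), d_nonce, c_nonce)

    def command(self, device_id, op, payload: bytes):
        """Tenet 3 (permission table) and tenet 6 (MAC over seq + op + payload)."""
        if op not in PERMISSIONS.get(device_id, ()):
            AUDIT.append(("authz-denied", device_id, op))
            return None
        seq = self.sessions[device_id] + 1
        self.sessions[device_id] = seq
        tag = _mac(DEVICE_KEYS[device_id], b"cmd", seq.to_bytes(4, "big"), op.encode(), payload)
        AUDIT.append(("command", device_id, op, seq))
        return (seq, op, payload, tag)


class Device:
    def __init__(self, device_id):
        self.device_id, self.key = device_id, DEVICE_KEYS[device_id]
        self.last_seq = 0
        self.controller_ok = False

    def respond(self, c_nonce):
        d_nonce = secrets.token_bytes(16)
        return d_nonce, _mac(self.key, b"device", self.device_id.encode(), c_nonce, d_nonce)

    def verify_controller(self, c_nonce, d_nonce, controller_proof) -> bool:
        expected = _mac(self.key, b"controller", self.device_id.encode(), d_nonce, c_nonce)
        self.controller_ok = hmac.compare_digest(expected, controller_proof)
        return self.controller_ok

    def accept(self, msg) -> bool:
        """Reject commands before mutual auth, replays, and altered payloads."""
        seq, op, payload, tag = msg
        if not self.controller_ok or seq <= self.last_seq:
            return False
        expected = _mac(self.key, b"cmd", seq.to_bytes(4, "big"), op.encode(), payload)
        if not hmac.compare_digest(expected, tag):
            return False
        self.last_seq = seq
        return True


def run_exchange(op="set-setpoint", tamper=False) -> str:
    """Full run: returns 'accepted', 'replayed', 'rejected', 'denied' or 'auth-failed'."""
    ctrl, dev = Controller(), Device("substation-controller-17")
    c_nonce = ctrl.challenge()
    d_nonce, d_proof = dev.respond(c_nonce)
    c_proof = ctrl.verify_device(dev.device_id, c_nonce, d_nonce, d_proof)
    if c_proof is None or not dev.verify_controller(c_nonce, d_nonce, c_proof):
        return "auth-failed"
    msg = ctrl.command(dev.device_id, op, b"setpoint=0.98")
    if msg is None:
        return "denied"
    if tamper:
        msg = (msg[0], msg[1], b"setpoint=1.50", msg[3])  # payload altered in transit
    if not dev.accept(msg):
        return "rejected"
    return "replayed" if dev.accept(msg) else "accepted"  # second delivery is a replay
```

The point the slide makes is visible in the last function: a valid mutual authentication does not help if the command channel lacks integrity (the tampered run is rejected only because of the MAC), and the MAC does not help if the permission table is missing (the "reboot" run is stopped only by authorization).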
  • 7. SFA Reference Builds. The OMG (Object Management Group) is planning to standardize the Security Fabric for all critical infrastructure. The OMG process is more about establishing markets than just setting standards. Certification of Conformance & Interoperability.
  • 8. There are many participants at different levels in the Security Fabric Alliance (utility integration, research, customers, suppliers, products and components, managed services; listed in first-stage and second-stage groups):
  • Integrated Architectures – SEIT
  • MACE Fusion – DoD
  • Kryptos Logic – Red Team Certification
  • M2M Dynamics
  • Drummond Group – C&IT
  • Intel Security – Distribution
  Subsystems, products, components:
  • Intel – servers with Quark + TPM
  • Wind River – Security Connect
  Middleware:
  • RTI – DDS
  • GridStat
  • Indra – iSpeed
  • MultiSpeak
  • TeamF1 – Secure Communications
  • Secure Crossing – Protocol Whitelisting
  • PsiNaptic – Secure Service Distribution
  • SNMP Research – SNMP Agent
  • Freescale – HSM w/ Vybrid SoC
  • Xilinx – CompactRIO SoC
  • Green Hills Software – INTEGRITY
  • Altera – tamper proofing
  • Microsoft – Active Directory
  • Red Hat – Auth Hub
  • General Electric – EMS
  • Alstom Grid – EMS
  • Viridity Energy – DR + DER + Microgrid
  • Energy One
  • Lemko – LTE systems
  • Intel Security – SIEM + GTI
  • Intel – Encanto + silicon support
  • Sypris – Supply Chain Root of Trust
  • TCIPG
  • EPRI – CIM Standards
  • MIT – Security & Privacy Standards
  • EPG – Phasor Data Portfolio
  • GridSense – NAN & Line Sensors
  • S&C IntelliTeam
  • SafeNet – Secure Key Management
  • Heart – Transverter
  • Freescale One Box
  • Cisco Cloud-in-a-Box
  First stage:
  • ERCOT
  • ONCOR
  • AEP
  • NRECA
  • NRTC
  Suppliers:
  • Verizon
  • Level3
  • AT&T
  • Internet2
  • BT
  • ViaSat
  • Comcast
  • ARINC
  • Stratus
  • Symmetricom
  Second stage:
  • APPA
  • SDG&E
  • PJM
  • NYISO
  • Southern Company
  • Duke Energy
  • CAISO
  • Pecan Street
  • Mueller Community
  • Pike Powers
  • PNNL – CyberSecurity Test Center
  • Lincoln Labs
  • OMG SIG
  • Industrial Internet
  Managed services:
  • Tazca – Connect
  • CSG International
  • Digi International
  • N-Dimension
  • SETI
  • Lockheed Martin
  • SAIC
  • Threat Connect
  • 9. What is being asked for is a secure system of systems that blankets the complexity and delivers it autonomically. The Security Fabric is interoperable, embedded, and distributed. This is the embedded side of the operation, in addition to the companion enterprise side.
  • 10. Separation of the Industrial Internet from the Generic Internet. [Network diagram: the core network carries the Generic Internet and the industrial traffic over Carrier Ethernet with routing, isolated by DWDM; core city and cooperative control centers, enterprise systems, and industrial devices; substation nodes with a substation controller behind a router, isolated by Carrier Ethernet; HAN nodes behind a Transverter gateway; NAN nodes and sensors over wireless LTE (700 MHz?) and LTE picocells (2.5 GHz?).] We will eventually use a combination of DWDM separation plus Carrier Ethernet separation.
  • 11. The policy logic is actually spread to each major active element. [Diagram: Data in → Information → Understanding → Decision → Action out.] But sometimes semi-autonomic policy decisions are made and executed in the field (at the small, the medium, and the large). MultiSpeak Initiative.
  • 12. The new Content Aware Firewall (Secure Crossing) needs to be aware of what is flowing through the pipe(s). [Stack diagram: Transport Plugins; Content Aware Firewall – Layers 4-6; IP Communications Stack – Layers 2-3; IPsec VPN; Ethernet Controller; UDPv4 / UDPv6.] Data Routing Services deals with connections and sessions; all packet prioritization and flow control are performed by Data Routing Services. The Content Aware Firewall deals with multiple layers and is state sensitive.
  • 13. The Content Aware Firewall (Secure Crossing) needs to be aware of the Layer 6 socket-level interface, as well as the intended sessions that will flow over it at Layer 5, so that it can use UDP connections at Layer 4, so that it can use the IPsec VPN to control encryption on the transport. [Diagram: Content Aware Firewall, Layers 4-6, over the IP Communications Stack, Layers 2-3, and the IPsec VPN; Connections: UDPv4, UDPv6; Interface A, Interface B.] Sessions:
  • Kerberos Get Credentials + Tickets
  • Get Extended Credentials
  • Kerberos Mutual Authentication
  • Get Precision Time
  • Register for Management + Configuration Synchronization
  • Service Locator
  • Service Provider
  • Multicast Alert
  • Unicast Command
  • Event Notification
  • SNMP Get/Set
  • Application Event, send and receive: high priority, medium priority, low priority
  The detailed requirements will be determined during the requirements assessment phase.
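What "state sensitive" and "protocol whitelisting" mean in practice for slides 12 and 13, as an added example that is not Secure Crossing's or the Security Fabric's code. The session names are the ones listed on slide 13; everything else is a constructed assumption for illustration: the per-interface transport allow list, the rule that Kerberos mutual authentication must complete before management sessions and that registration must complete before command, alert and event traffic, and the sample flow. A real content-aware firewall would additionally parse each session's payload; this example only shows the Layer 4/5 state machine around it.

```python
"""Stateful, session-aware whitelist per (interface, peer).

Added example with constructed policy and traffic; not Secure Crossing code.
"""
from dataclasses import dataclass, field

# Layer 5 whitelist, split by the state a peer must be in (constructed ordering rule)
SESSIONS_BEFORE_AUTH = {
    "Kerberos Get Credentials + Tickets", "Get Extended Credentials",
    "Kerberos Mutual Authentication", "Get Precision Time",
}
SESSIONS_AFTER_AUTH = {
    "Register for Management + Configuration Synchronization",
    "Service Locator", "Service Provider",
}
SESSIONS_AFTER_REGISTER = {
    "Multicast Alert", "Unicast Command", "Event Notification",
    "SNMP Get/Set", "Application Event",
}
# Layer 4 whitelist per interface (constructed: Interface B is IPv6-only)
ALLOWED_TRANSPORT = {"Interface A": {"UDPv4", "UDPv6"}, "Interface B": {"UDPv6"}}
PRIORITIES = {"High", "Medium", "Low"}


@dataclass
class PeerState:
    authenticated: bool = False
    registered: bool = False
    dropped: int = 0


@dataclass
class ContentAwareFirewall:
    peers: dict = field(default_factory=dict)

    def filter(self, iface, transport, peer, session, priority=None) -> bool:
        """Return True to pass the packet, False to drop it."""
        st = self.peers.setdefault((iface, peer), PeerState())
        # Layer 4: only whitelisted transports on this interface
        if transport not in ALLOWED_TRANSPORT.get(iface, ()):
            st.dropped += 1
            return False
        # Layer 5: the session must be whitelisted AND allowed in the peer's state
        if session in SESSIONS_BEFORE_AUTH:
            ok = True
        elif session in SESSIONS_AFTER_AUTH:
            ok = st.authenticated
        elif session in SESSIONS_AFTER_REGISTER:
            ok = st.registered
            if session == "Application Event" and priority not in PRIORITIES:
                ok = False  # unknown priority class is not on the whitelist
        else:
            ok = False  # anything not enumerated is dropped by default
        if not ok:
            st.dropped += 1
            return False
        # State transitions driven by the sessions that passed
        if session == "Kerberos Mutual Authentication":
            st.authenticated = True
        elif session.startswith("Register for Management"):
            st.registered = True
        return True


def run_sample() -> list:
    """Constructed traffic sample: (iface, transport, peer, session, priority)."""
    fw = ContentAwareFirewall()
    flow = [
        ("Interface A", "UDPv6", "10.0.0.5", "Unicast Command", None),            # before auth: drop
        ("Interface A", "UDPv6", "10.0.0.5", "Kerberos Get Credentials + Tickets", None),
        ("Interface A", "UDPv6", "10.0.0.5", "Kerberos Mutual Authentication", None),
        ("Interface A", "UDPv6", "10.0.0.5", "Unicast Command", None),            # not registered: drop
        ("Interface A", "UDPv6", "10.0.0.5", "Register for Management + Configuration Synchronization", None),
        ("Interface A", "UDPv6", "10.0.0.5", "Unicast Command", None),            # pass
        ("Interface A", "UDPv6", "10.0.0.5", "Application Event", "High"),        # pass
        ("Interface A", "UDPv6", "10.0.0.5", "Application Event", "Urgent"),      # bad priority: drop
        ("Interface B", "UDPv4", "10.0.0.5", "Get Precision Time", None),         # IPv4 on B: drop
        ("Interface A", "UDPv6", "10.0.0.5", "DNP3 Read", None),                  # not whitelisted: drop
    ]
    return [fw.filter(*pkt) for pkt in flow]
```

State is keyed per (interface, peer), so the authentication the peer completed on Interface A does not carry over to Interface B; that is the property a stateful whitelist must keep, otherwise a device authenticated on one link could push commands on another.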
  • 14. There are servers and agents in the industrial environment.
  • 15. How does the Security Fabric work?
  • 16. Essentially, the Security Fabric is an end-to-end approach. The Security Fabric is a semi-autonomous embedded device management agent and communications protocol set, along with a central system and network management subsystem, that bring security and other controls to the embedded world. [Diagram: System & Network Management – Controller – Device – Device: the Security Fabric.] Let's build this as if we were building a house.
  • 17. There are obviously going to be several different devices involved (Controller, Device, Device). We want to add our security agent to each of them; the agent sits hidden right beside the application.
  • 18. The devices need to be able to talk to each other securely, and trust each other on a limited basis (Controller, Device, Device). This means that the solution will need to be a system as opposed to a piece part. The agents talk to one another over a resilient middleware. Intel and McAfee Confidential
  • 19. And all systems need to be administered relative to the configuration and policies that control them. [Diagram: System & Network Management – Controller – Device – Device: the Tailored Trustworthy Space.] These three ingredients are the soul of the Security Fabric.
  • 20. The Security Fabric follows the guidelines required by NISTIR 7628 for the Department of Energy. [Diagram: System & Network Management – Controller – Device – Device: the Security Fabric.] The industry as a whole is applauding this solution.
  • 21. We always start by separating the management control agent from the payload application. [Diagram: Managed Device, split into Device Application and Management.]
  • 22. The management agent always uses defense in depth. [Diagram: Managed Device with Applications, Device Management, Secure Communications, Secure Storage, Policy Management, and a Personal Data Vault.]
  • 23. Close-up on Partition Structure. [Partition diagram: a Security Management partition and a Policy Management partition over a hypervisor and operating system, with DDS Routing Services, Transport Plugins (Secure IP I/O Driver, UDPv4, UDPv6, GridStat, Intra-Device), DDS Subagent connections, Participant: Management Configuration & Route Mapping, Device Application Threads, and the Ethernet Controller. Ring 1: Security – HSM Interface, Data Reader, Data Writer. Ring 2: Policy Management, Data Reader, Data Writer. Further labels: Change Management, Problem Management, HSM Interface, Kerberos Client + Session Key Management, Security Protocols, Policy Execution Environment.] Routing Services is our inter-system and intra-device middleware; the DDS Subagent controls the private paths between processes.
  • 24. What is really unfolding with the rise of the Internet of Things is the need for the semi-autonomous Policy Management Agent. Each of the four compositions of rulesets is administered centrally and released to the remote device securely. The rulesets contain profiles, provisioned data, and Java-based rules. All distribution bundles are signed and are subject to local attestation and transition control. [Diagram: Autonomous Policy Management Agent, after the IBM Autonomic Computing Model.]
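The device-side checks behind "signed, subject to local attestation and transition control", as an added example that is not the Security Fabric agent's code. Assumptions, all constructed: a bundle is a manifest listing four ruleset components (profiles, provisioned data, rules, policy; the four compositions the slide counts but does not name) with a SHA-256 digest of each, plus a version number; the manifest is signed centrally. The signature is an HMAC under a provisioning key, standing in for whatever public-key scheme the deployment actually uses, which the slide does not specify. Local attestation is modelled as the agent re-hashing every component it holds against the manifest, both on receipt and again at activation; transition control is a strictly increasing version plus an explicit table of allowed state changes.

```python
"""Verify, stage and activate a signed ruleset bundle on a remote device.

Added example with a constructed bundle format and key; not Security Fabric code.
"""
import hashlib
import hmac
import json

ADMIN_KEY = b"constructed-provisioning-key-32by"  # stand-in for the central signing key
ALLOWED_TRANSITIONS = {("staged", "active"), ("active", "retired")}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash the same bytes
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def make_bundle(version: int, components: dict) -> dict:
    """Central side: digest every component, sign the manifest, attach the payload."""
    manifest = {"version": version,
                "components": {name: digest(data) for name, data in components.items()}}
    signature = hmac.new(ADMIN_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": signature, "payload": dict(components)}


class PolicyAgent:
    REQUIRED = ("profiles", "provisioned_data", "rules", "policy")

    def __init__(self):
        self.version, self.state = 0, "empty"
        self.manifest, self.store = None, {}

    def check_signature(self, bundle: dict) -> bool:
        expected = hmac.new(ADMIN_KEY, _canonical(bundle["manifest"]), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, bundle["signature"])

    def attest(self, manifest: dict, store: dict) -> bool:
        """Local attestation: all four components present and matching the manifest."""
        comps = manifest["components"]
        if set(comps) != set(self.REQUIRED):
            return False
        return all(name in store and digest(store[name]) == d for name, d in comps.items())

    def install(self, bundle: dict) -> str:
        if not self.check_signature(bundle):
            return "rejected:signature"
        manifest = bundle["manifest"]
        if manifest["version"] <= self.version:      # transition control: no downgrade, no replay
            return "rejected:version"
        if not self.attest(manifest, bundle["payload"]):
            return "rejected:attestation"
        self.manifest, self.store = manifest, dict(bundle["payload"])
        self.version, self.state = manifest["version"], "staged"
        return "staged"

    def transition(self, new_state: str) -> str:
        if (self.state, new_state) not in ALLOWED_TRANSITIONS:
            return "rejected:transition"
        if new_state == "active" and not self.attest(self.manifest, self.store):
            return "rejected:attestation"              # staged copy altered before activation
        self.state = new_state
        return new_state


def run_scenarios() -> dict:
    """Constructed bundle contents; returns the agent's verdict for each scenario."""
    comps = {"profiles": b"profile:substation", "provisioned_data": b"feeder=12",
             "rules": b"class SetpointRule {}", "policy": b"policy-v2"}
    good = make_bundle(2, comps)
    agent, r = PolicyAgent(), {}
    r["install"] = agent.install(good)
    agent.store["rules"] = b"locally patched"            # tamper with the staged copy
    r["tampered_store"] = agent.transition("active")
    agent.store["rules"] = comps["rules"]                  # restore it
    r["activate"] = agent.transition("active")
    r["replay"] = agent.install(good)                      # same version delivered again
    tampered = make_bundle(3, comps)
    tampered["payload"]["rules"] = b"class Backdoor {}"    # payload swapped, manifest intact
    r["tampered_payload"] = agent.install(tampered)
    forged = make_bundle(3, comps)
    forged["manifest"]["version"] = 4                      # manifest edited after signing
    r["forged_manifest"] = agent.install(forged)
    r["no_staging"] = PolicyAgent().transition("active")   # activation without a staged bundle
    return r
```

The two attestation points matter for the "small increments" idea on the next slide: the first stops a bundle whose payload was swapped in transit, the second stops a change made to the device's own store after staging, which a signature check on receipt alone would never see.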
  • 25. The control of the smart grid is all about managing semi-autonomous devices. The Security Fabric is all about safely deploying this concept. The customer has to be able to delegate responsibility in small increments to the remote device to avoid the problem of unintended consequences.
  • 26. Designed-in Security: Discussion. www.securityfabricalliance.org