Cyber Security for Utilities
Authentication and Encryption for SCADA Communications Channels and Maintenance Ports
Do Not Distribute Without Permission 27-Apr-03
PowerPoint presentation
Page 1: Cyber Security for Utilities

Cyber Security for Utilities

Authentication and Encryption for SCADA Communications Channels and Maintenance Ports

Page 2: Cyber Security for Utilities

Agenda

• Mykotronx introduction

• Cyber security for utilities

• Mykotronx security solutions

• Working together

Page 3: Cyber Security for Utilities

Who We Are

• NASDAQ (RNBO) since 1987, $128M revenue in 2002

• Top 10 Global Security Provider:
  – 75% for high assurance T1 & satellite link encryption
  – 66% in secure Web acceleration (IDC)
  – 55% market share in software security
  – 55% in USB token segment (IDC)

• 480 employees in U.S., U.K., France, Netherlands, China, Taiwan, Singapore, Australia, India, Japan, Mexico and Brazil (24/7 worldwide technical support in Los Angeles, London, and Singapore)

• The two organizations within Rainbow Technologies, Inc. are:

Page 4: Cyber Security for Utilities


Solutions Overview

Page 5: Cyber Security for Utilities

Awards and Recognition

• More NSA certified security products than any other company

• Product awards
  – Secure Computing: “Pick of 2001” award for iKey
  – Communications News Editors Choice
  – VBPJ Readers Choice Award: Best Security Solution
  – Network Computing 2001 Editors Choice Award
  – Network Computing 2001 Well-Connected Award
  – Network World 2000 Blue Ribbon Award for CS600
  – AeA 2001 High-Tech Award for CS HSM
  – AeA 2000 High-Tech Award CS600

• Organizational Quality and Experience
  – ISO 9001 certified
  – FIPS, Common Criteria, NIAP, CCEP evaluated and endorsed

(Slide graphics: “Best SSL Accelerator” award and ISO 9001 logos)

Page 6: Cyber Security for Utilities

Example of Our Product(s) in Action

Fortezza Plus
• Key Management
• Encryption
• Rated to Top Secret

Page 7: Cyber Security for Utilities

Cyber security for utilities

Page 8: Cyber Security for Utilities

We presume you…

• Understand the threat
  – CIAO findings – July 1997
  – AGA/GTI specifications – 1998, completion: 2003
  – Sandia National Labs – red team assessment – July 2002
  – DIA Threat Assessments – August 2002 (ongoing)

• Are following national policy formulation activity
  – Cyberspace strategy – February 2003
  – Physical strategy – February 2003
  – Government & Industry recommended practices – ongoing

• Will participate in Department of Homeland Security initiatives
  – Incident reporting
  – Support to first responders

• Have a cyber-security policy for your operations
  – If not, we will provide a template

Page 9: Cyber Security for Utilities

The issue today is “How to”

• Ensure proper “access control” to your resources
  – Protect against weak access control
  – Protect against insider threats
  – Protect against nation state threats

• Eliminate “clear text” from the communications wire
  – Protect against eavesdropping
  – Protect against replay, spoofing, etc.

• Provide an “effective” secure solution
  – Protect high-value assets
  – Non-intrusive
  – Acceptable performance (latency)
  – Affordable, acceptable total cost of ownership (TCO)

• Ensure a “migration path” to future systems

• “Comply” with government and association standards

Page 10: Cyber Security for Utilities

Maintenance Access Configurations

(Diagram.) A field technician's laptop or desktop dials in over a modem to the maintenance ports of field equipment; two arrangements are labelled Clustered and Independent:

• Clustered – one dial-up switch and modem serving the maintenance ports of an RTU (with modem) and the SCADA IEDs (sensor, relay, valve)

• Independent – an RTU or IED with its own embedded modem for maintenance

Page 11: Cyber Security for Utilities

Mykotronx’ SAM – your first step

Secure Authentication Module

• Bump-in-the-wire design
  – Transparent security for existing maintenance dial-up lines
    • No change to existing hardware
    • No change to existing communications infrastructure
    • No change to modem phone numbers or phone lines
  – Will require a new dialup program at the client computer

• Two-factor authentication token for operators

• Digitally Signed Challenge/Response

• SAM provides strong access control and audit trail

Page 12: Cyber Security for Utilities

Secure Authentication Module

• Communication ports
  – 2 RJ11 phone ports
    • Phone line
    • Field device’s modem
  – Internal modem to accept and authenticate originating call
  – Internal relay and Ring Generator to wake up field device’s modem

• Power
  – Derived from the phone line

• Environmental
  – IEEE 1613 (planned)

• Security standards
  – FIPS 140-2 Level 2
  – Public Key Authentication
  – Two-factor tokens
  – Signed access audit trail

Page 13: Cyber Security for Utilities

Two-factor authentication

• iKey USB Authentication Tokens
  – Personal, portable, secure
  – Digital Signatures & Shared Secret
  – No reader required

• Two-factor authentication
  – Something you have – the iKey
  – Something you know – the PIN

• Access control examples
  – Local: SEAM, SAM, workstations
  – Remote: browser, dialup
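The SAM/iKey flow described on the last three slides (a module on the phone line that challenges the caller, a PIN-protected token that answers the challenge, and an audit trail the module signs) can be followed end to end in code. What follows is an added example, not Mykotronx's code or the iKey/SAM protocol: it uses a shared-secret HMAC response (the iKey slide lists both digital signatures and shared secrets) where the product uses public-key signatures, a keyed hash chain stands in for the signed audit trail, and the operator id, PIN, challenge time-to-live, lock-out count and message layout are illustrative choices.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60   # illustrative: how long an issued challenge stays answerable
MAX_PIN_ATTEMPTS = 3         # illustrative: token locks itself after this many bad PINs


class Token:
    """Stand-in for the operator's USB token (something you have). The operator
    secret is wrapped under a PIN-derived key (something you know), so a lost
    token cannot answer challenges without the PIN."""

    def __init__(self, operator_id: str, pin: str, secret: bytes):
        self.operator_id = operator_id
        self._salt = secrets.token_bytes(16)
        self._wrapped = bytes(a ^ b for a, b in zip(secret, self._kek(pin)))
        # Check value: lets the token recognise a wrong PIN without storing the PIN.
        self._check = hmac.new(secret, b"pin-check", "sha256").digest()
        self._secret = None
        self._attempts_left = MAX_PIN_ATTEMPTS

    def _kek(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def unlock(self, pin: str) -> bool:
        if self._attempts_left == 0:
            return False                                   # locked out
        candidate = bytes(a ^ b for a, b in zip(self._wrapped, self._kek(pin)))
        check = hmac.new(candidate, b"pin-check", "sha256").digest()
        if hmac.compare_digest(check, self._check):
            self._secret, self._attempts_left = candidate, MAX_PIN_ATTEMPTS
            return True
        self._attempts_left -= 1
        return False

    def respond(self, challenge: bytes) -> bytes:
        """Answer a SAM challenge; the MAC binds operator id and challenge together."""
        if self._secret is None:
            raise PermissionError("token locked: present the PIN first")
        return hmac.new(self._secret, self.operator_id.encode() + b"|" + challenge, "sha256").digest()


class SecureAuthenticationModule:
    """Stand-in for the SAM: enrolled operator secrets, single-use challenges,
    and a keyed hash-chained audit trail (the product signs its trail instead)."""

    def __init__(self, audit_key: bytes):
        self._operators = {}     # operator_id -> shared secret
        self._outstanding = {}   # operator_id -> (challenge, issued_at)
        self._audit_key = audit_key
        self.audit = []          # [(entry_text, chain_tag), ...]

    def enroll(self, operator_id: str, secret: bytes) -> None:
        self._operators[operator_id] = secret

    def issue_challenge(self, operator_id: str) -> bytes:
        """Fresh random challenge; issued for any id so the SAM does not reveal which ids are enrolled."""
        challenge = secrets.token_bytes(32)
        self._outstanding[operator_id] = (challenge, time.time())
        return challenge

    def verify(self, operator_id: str, challenge: bytes, response: bytes, now=None) -> bool:
        now = time.time() if now is None else now
        pending = self._outstanding.pop(operator_id, None)   # single use: the same answer never works twice
        secret = self._operators.get(operator_id)
        ok = (
            pending is not None
            and hmac.compare_digest(pending[0], challenge)
            and now - pending[1] <= CHALLENGE_TTL_SECONDS
            and secret is not None
            and hmac.compare_digest(
                hmac.new(secret, operator_id.encode() + b"|" + challenge, "sha256").digest(), response)
        )
        self._log(f"{int(now)} {operator_id} {'ACCEPT' if ok else 'REJECT'}")
        return ok

    def _log(self, entry: str) -> None:
        # Each tag covers the previous tag, so editing or removing an entry breaks the chain.
        prev = self.audit[-1][1] if self.audit else b"\x00" * 32
        self.audit.append((entry, hmac.new(self._audit_key, prev + entry.encode(), "sha256").digest()))

    def audit_intact(self) -> bool:
        prev = b"\x00" * 32
        for entry, tag in self.audit:
            if not hmac.compare_digest(hmac.new(self._audit_key, prev + entry.encode(), "sha256").digest(), tag):
                return False
            prev = tag
        return True


def demo() -> dict:
    """Walk a dial-up login through its checks; returns the outcome of each."""
    secret = secrets.token_bytes(32)                     # constructed operator secret
    token = Token("tech-07", pin="4711", secret=secret)  # constructed operator id and PIN
    sam = SecureAuthenticationModule(audit_key=secrets.token_bytes(32))
    sam.enroll("tech-07", secret)
    results = {"wrong_pin_rejected": not token.unlock("0000")}
    token.unlock("4711")
    c1 = sam.issue_challenge("tech-07")
    r1 = token.respond(c1)
    results["valid_login"] = sam.verify("tech-07", c1, r1)
    results["replay_rejected"] = not sam.verify("tech-07", c1, r1)       # challenge already consumed
    c2 = sam.issue_challenge("tech-07")
    results["forgery_rejected"] = not sam.verify("tech-07", c2, secrets.token_bytes(32))
    c3 = sam.issue_challenge("tech-07")
    late = time.time() + 2 * CHALLENGE_TTL_SECONDS                         # answered after the TTL
    results["expired_rejected"] = not sam.verify("tech-07", c3, token.respond(c3), now=late)
    results["audit_intact"] = sam.audit_intact()
    sam.audit[0] = ("edited entry", sam.audit[0][1])                       # alter a logged entry
    results["tamper_detected"] = not sam.audit_intact()
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

Three properties carry the slide's claims: the challenge is consumed on first use, so a response captured from the line is worthless afterwards; no response can be produced without unlocking the token with the PIN, which is the second factor; and each audit entry's tag covers the previous tag, so an edited entry is detected. With the public-key signatures the product uses, the SAM would store only each operator's public key, removing the shared secret from the module itself.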

Page 14: Cyber Security for Utilities

Maintenance Access Configurations

(Diagram: the same Clustered and Independent dial-up layouts as on Page 10, now with an iKey token at each field technician's laptop or desktop and a SAM inserted on the phone line in front of each maintenance modem.)

Page 15: Cyber Security for Utilities

AGA 12-1 SCADA Configurations

(Diagram.) Three channel topologies between a SCADA Master and its RTUs, each end fitted with a modem:

• Point to point – SCADA Master to a single RTU over a dialup, leased or wireless link

• Cascaded – SCADA Master to an RTU, which in turn links on to a further RTU over a dialup, leased or wireless link

• Multi-drop or Multi-point – SCADA Master to several RTUs over one shared leased, wireless or fiber optic channel

Page 16: Cyber Security for Utilities

Mykotronx’ SEAM – next step

Secure Encryption and Authentication Module

• Bump-in-the-wire design
  – Transparent security for existing SCADA systems
    • No change to existing SCADA hardware
    • No change to existing communications infrastructure
    • No change to existing SCADA protocols
  – Supports bit and byte oriented protocols
  – Two modes: link encryptor and protocol-aware
  – “Modem command” pass-through

• SEAM provides strong authentication, audit trail, and encryption
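Link-encryptor mode, the first of the two SEAM modes listed above, is the easier one to make concrete: the module treats each serial frame as opaque bytes, encrypts it, adds a sequence number and an authentication tag, and the peer module refuses anything it cannot authenticate or has already seen, which is what "eliminate clear text" and "protect against replay, spoofing" on Page 9 come down to on the wire. The code below is an added example, not the SEAM firmware or the AGA 12-1 frame format. Because the Python standard library has no AES, a counter-mode keystream from HMAC-SHA256 stands in for the AES encryption the slides specify; the header layout, the per-direction key-derivation labels, the tag length and the sample poll bytes (constructed in Modbus RTU layout) are all choices made for the example.

```python
import hmac
import secrets
import struct

HEADER = struct.Struct(">BQH")   # constructed layout: version, 64-bit sequence number, payload length
VERSION = 1
TAG_LEN = 16                     # truncated HMAC-SHA256 tag


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stand-in for AES-CTR (not in the
    standard library). Safe only because each (key, seq) pair is used once."""
    blocks = [hmac.new(key, struct.pack(">QQ", seq, block), "sha256").digest()
              for block in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


class LinkEncryptor:
    """One end of the channel in link-encryptor mode: opaque frames in, protected
    frames out. Keys are derived per direction, so a frame is only ever accepted
    in the direction it was sent."""

    def __init__(self, link_key: bytes, role: str):
        tx, rx = (b"master->rtu", b"rtu->master") if role == "master" else (b"rtu->master", b"master->rtu")

        def derive(label: bytes) -> bytes:
            return hmac.new(link_key, label, "sha256").digest()

        self._enc_tx, self._mac_tx = derive(b"enc|" + tx), derive(b"mac|" + tx)
        self._enc_rx, self._mac_rx = derive(b"enc|" + rx), derive(b"mac|" + rx)
        self._tx_seq = 0
        self._rx_highest = 0     # anti-replay: only sequence numbers above this are accepted

    def protect(self, frame: bytes) -> bytes:
        """Wrap a clear-text SCADA frame as header || ciphertext || tag (encrypt-then-MAC)."""
        self._tx_seq += 1
        header = HEADER.pack(VERSION, self._tx_seq, len(frame))
        ciphertext = xor(frame, keystream(self._enc_tx, self._tx_seq, len(frame)))
        tag = hmac.new(self._mac_tx, header + ciphertext, "sha256").digest()[:TAG_LEN]
        return header + ciphertext + tag

    def unprotect(self, wire: bytes):
        """Return (clear-text frame, "ok"), or (None, reason) when the frame is refused."""
        if len(wire) < HEADER.size + TAG_LEN:
            return None, "truncated"
        header, ciphertext, tag = wire[:HEADER.size], wire[HEADER.size:-TAG_LEN], wire[-TAG_LEN:]
        version, seq, length = HEADER.unpack(header)
        if version != VERSION or length != len(ciphertext):
            return None, "malformed"
        expected = hmac.new(self._mac_rx, header + ciphertext, "sha256").digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag"            # modified, forged, or sent in the other direction
        if seq <= self._rx_highest:           # checked after the tag, so replay state cannot be probed
            return None, "replay"
        self._rx_highest = seq
        return xor(ciphertext, keystream(self._enc_rx, seq, length)), "ok"


def demo() -> dict:
    """Run a poll and reply through a pair of modules; returns the outcome of each check."""
    link_key = secrets.token_bytes(32)            # constructed; in practice set up by the management unit
    master, rtu = LinkEncryptor(link_key, "master"), LinkEncryptor(link_key, "rtu")
    poll = b"\x01\x03\x00\x00\x00\x02\xc4\x0b"   # constructed byte-oriented poll in Modbus RTU layout
    results = {}
    wire = master.protect(poll)
    results["clear_text_removed"] = poll not in wire
    results["delivered"] = rtu.unprotect(wire) == (poll, "ok")
    results["replay_refused"] = rtu.unprotect(wire) == (None, "replay")
    flipped = bytearray(wire)
    flipped[HEADER.size] ^= 0x80                                        # one ciphertext bit altered
    results["tamper_refused"] = rtu.unprotect(bytes(flipped)) == (None, "bad tag")
    reply = rtu.protect(b"\x01\x03\x04\x00\x0a\x00\x0b")               # constructed reply, CRC omitted
    results["reflection_refused"] = rtu.unprotect(reply) == (None, "bad tag")
    results["reply_delivered"] = master.unprotect(reply)[1] == "ok"
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

Two design points are worth noting. The receiver checks the tag before the sequence number, so an unauthenticated frame learns nothing about the replay window, and the per-direction keys mean a frame the RTU sent cannot be turned round and fed back to it. A strictly increasing sequence number suits the point-to-point and cascaded links on Page 15; on a multi-drop channel the master would keep one receive counter per RTU, which this example does not do.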

Page 17: Cyber Security for Utilities

SEAM Substation Device

• Communication ports
  – 2 Serial ports
    • SCADA Field device
    • Communications channel
  – 2 USB ports
    • Local management
    • User authentication token
  – 2 Ethernet ports (version 2)
    • Distributed management
    • Field communications

• Power
  – External +5 to 48 VDC

• Environmental
  – IEEE 1613 (planned)

• Security standards
  – FIPS 140-2 Level 2
  – AES Encryption
  – Public Key Authentication
  – Two-factor tokens
  – Signed audit trail

Page 18: Cyber Security for Utilities

SEAM Control Center Device

• Communication ports
  – Up to 16 blades
    • 2 Serial ports per blade
      – SCADA Master/FEP
      – Communications channel
    • Hot-swappable blades
  – 2 USB ports
    • Local management
    • User authentication token
  – Ethernet ports
    • Administration
    • Future communications (2)

• Rack mount chassis
  – 19” chassis, 6U front panel

• Security standards
  – FIPS 140-2 Level 2
  – AES Encryption
  – Public Key Authentication
  – Two-factor tokens
  – Signed audit trail

Page 19: Cyber Security for Utilities

AGA 12-1 SCADA Configurations

(Diagram: the same Point to point, Cascaded and Multi-drop or Multi-point topologies as on Page 15, with a SEAM inserted between each SCADA Master and its modem and between each RTU and its modem.)

Page 20: Cyber Security for Utilities

SEAM, SAM & iKey Management

• Life cycle management
  – CKTO Management Unit
    • Centralized Configuration, Key, Token & Operator Management
    • Automated in-band, on-the-fly refresh
    • Browser-based operator interface
    • Signed audit trails

• Security
  – FIPS 140-2 Level 3 certification
  – Public Key Cryptography for operator authentication
  – AES for confidentiality
  – Two factor authentication tokens required for operators

• Future functionality
  – Upgradeable firmware/software
  – Intrusion Detection System

Page 21: Cyber Security for Utilities

(Diagram without a slide title.) A SCADA Control Center (Primary or Secondary) with FEP/SCADA Master and a modem rack connects over the SCADA channel to a field site with an RTU (with modem) and SCADA IEDs (sensor, relay, valve); a SEAM sits at each end of that channel. The maintenance ports of the field devices are reached through a dial-up switch and modem from a field technician's laptop, with a SAM on that dial-up line. An Admin Network carries the CKTO Management unit, an Admin workstation, a management configuration intranet page, and a modem.

Page 22: Cyber Security for Utilities

Wrap-up

Page 23: Cyber Security for Utilities

Why is Mykotronx here?

• Our mission is protecting information
  – Extensive relationships with government agencies - intelligence, defense and civilian
  – Introduced to the utility need by government agencies
  – Active members of multiple utility standards organizations
  – Extensive commercial customers, including utilities

• Our expertise is appropriate for the need
  – High-assurance & high-performance cryptography
    • User authentication
    • Confidentiality
    • Communications – Dialup, T1, Satellite, Internet, Voice, Video
  – Experienced in Vulnerability, Threat & Risk Assessments, Security Policy, Business Continuity and Disaster Recovery planning

Page 24: Cyber Security for Utilities

The security solutions

• Strong cryptography for SCADA and maintenance communications
  – Public Key Cryptography-based
  – Robust trust relationships methodology for SEAM/SAM and operators
  – Two-factor authentication tokens for operators
  – AES-based, AGA 12-1

• Life cycle management
  – Device configuration, keys, two-factor tokens
  – In-band real-time SEAM/SAM management
  – Browser-based operator and token management
  – Intrusion Detection System (future)

• Protect your investment
  – Migration path from legacy channels to Ethernet-based channels

Page 25: Cyber Security for Utilities

Points of Contact

Mykotronx, Inc.
357 Van Ness Way, Suite 200
Torrance, CA 90501
Phone: (310) 533-8100
Fax: (310) 533-0527
STU III: (310) 533-0738 [Secret], (310) 787-2799 [Top Secret]
Home page: http://www.mykotronx.com

Brad Beutlich
Director, Commercial Systems Business Development
Phone: (310) 533-8100 x6285
E-mail: [email protected]

Paul Blomgren, CISSP
Security Architect, Business Development
Phone: (310) 533-8100 x6254
E-mail: [email protected]