Holistic Security for Critical Infrastructure Ilan Barda SCADA Security conference November 2014, Brasil

[CLASS 2014] Palestra Técnica - Ilan Barda


Talk title: Integrating physical and cyber security for distributed SCADA systems.


Page 1: [CLASS 2014] Palestra Técnica - Ilan Barda

Holistic Security for Critical Infrastructure

Ilan Barda

SCADA Security conference

November 2014, Brasil

Page 2: RADiFlow - Overview

• Utilities deploy modern Distributed Automation devices connecting Remote locations over large-scale IP networks

• Exposing Critical assets to Cyber Security Attacks

-2- © Copyright 2014, RADiFlow Ltd.

RADiFlow provides cyber security solutions for critical distributed automation networks

Page 3: Growing Install-base


Page 4: Cyber Security deployments are lagging

• Multiple cases of breaches in critical infrastructure

• Multiple studies identified the critical gaps in cyber security

• There is a great deal of discussion and interest

• … but deployments are lagging

– Lack of strict regulations

– Lack of financial incentives

– Lack of blue-print solutions


Page 5: Current OT Cyber Security practices

• A separate operations network is not necessarily secure

• L2/L3 security is not sufficient

– IP spoofing

– VLAN hopping

• Security in the control-center can be bypassed

– Field to Field attack

– Man-in-the-Middle attack


“smart grid cyber-security guidelines did not address an important element… risk of attacks that use both cyber and physical means” (Electricity Grid Modernization; Report to Congressional Requesters, US GAO, January 2011)


A Holistic Security Solution is Required

Page 6: Protecting Distributed SCADA from Insider Attacks

Attack vector            Security Measure
Control-Center malware   Service-aware firewall
Field-site breach        Distributed firewalls
Man-in-the-Middle        Encryption
Maintenance access       Identity Management


[Figure: Control Center with HMI and Engineering Station; Facility1 with Controller1, Dev1.1 and Dev1.2; Facility2 with Controller2, Dev2.1 and Dev2.2]

Page 7: Distributed IPS for ICS networks

• Per-user role-based validation of SCADA sessions

– Applied to both IP & Serial devices

• Deployment next to each end-point

– Inline IPS or Virtual IDS

• End-to-End support logic

– Intuitive provisioning based on auto-learning

– Event log with SOC tools integration


[Figure: SCADA frame fields inspected by the IPS: Ethernet & IP Header, Protocol Header, Function Code, Function Parameters]

Page 8: Firewall use-case – Power meter logic

• A field attack from a Smart-Grid site on other sites

• SCADA firewall enables all monitoring commands


[Figure: Data Center and Control Center connected to the Smart-Grid sites]

Page 9: Firewall use-case – RTU software update

• The technician laptop infects the Engineering station in the control center

• The Engineering station downloads new software to the field RTUs

• The distributed SCADA firewall blocks access to the firmware address-range

• The Stuxnet scenario can be prevented

[Figure: Technician laptop and Eng. Station in the Control Center; Sub-Station with RTU; Facility with RTU and IEC61850 IEDs]

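The per-session validation that pages 7 to 9 describe, as an added example that is not RADiFlow code or from the talk, applied to Modbus/TCP (the protocol the later case studies name): the checker parses the MBAP header, function code and parameters, lets a monitoring role issue only read function codes, and blocks any write that overlaps a protected firmware address range. The register range, the role table and the sample frames are constructed assumptions for this example.

```python
import struct
from typing import Tuple

# Public Modbus function codes: reads are monitoring, writes are control.
READ_CODES = {1, 2, 3, 4}
WRITE_CODES = {5, 6, 15, 16}

# Constructed for this example (not from the talk): the holding-register range
# that the RTU's firmware/configuration update procedure writes to.
FIRMWARE_RANGE = range(0x1000, 0x1100)

# Constructed role table, standing in for the per-user roles the IPS is provisioned with.
ROLE_RULES = {
    "monitoring": READ_CODES,
    "operator": READ_CODES | WRITE_CODES,
}

def parse_modbus_tcp(frame: bytes) -> Tuple[int, int, int, int]:
    """Return (unit_id, function_code, start_addr, count) from a Modbus/TCP request."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header, function code and parameters")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id is not 0 (Modbus)")
    if length != len(frame) - 6:  # MBAP length counts the unit id plus the PDU
        raise ValueError("MBAP length field does not match the frame")
    fc = frame[7]
    start, param = struct.unpack(">HH", frame[8:12])
    count = 1 if fc in (5, 6) else param  # FC5/FC6 carry a value here, not a count
    return unit, fc, start, count

def validate(role: str, frame: bytes) -> Tuple[str, str]:
    """Decide ("allow" | "block", reason) for one request under the role's policy."""
    try:
        _unit, fc, start, count = parse_modbus_tcp(frame)
    except ValueError as err:
        return "block", f"malformed: {err}"
    if fc not in ROLE_RULES.get(role, set()):
        return "block", f"role {role!r} may not issue function code {fc}"
    if fc in WRITE_CODES:
        end = start + max(count, 1)  # addresses [start, end) would be written
        if start < FIRMWARE_RANGE.stop and end > FIRMWARE_RANGE.start:
            return "block", "write overlaps the protected firmware address range"
    return "allow", f"function code {fc} at {start:#06x}, count {count}"

# Constructed sample requests (MBAP header + PDU); fromhex() ignores the spaces.
READ_REGS = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # FC3: read 10 registers at 0
WRITE_ONE = bytes.fromhex("0002 0000 0006 01 06 0010 0001")  # FC6: write register 0x0010
WRITE_FW = bytes.fromhex("0003 0000 000b 01 10 1000 0002 04 0001 0002")  # FC16: 2 regs at 0x1000
```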

Page 10: Physical & Cyber security – Integrated solution

• Correlate SCADA access rights to physical access-control indications

• Validate user operations using DPI of SCADA commands

• SCADA DPI integrated in field routers, enabling distributed IPS deployment

• Automatic learning of the normal traffic patterns of the SCADA application

• Integration with SIEM tool for role provisioning and activity log


Restricted user operations in the cyber corridors of Distributed automation networks

Page 11: Physical & IT & OT security – Integrated solution


[Figure: Correlation of security events – PACS, IT, OT; Detecting APT patterns; Active Directory]
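The PACS-to-OT correlation that pages 10 and 11 describe, as an added example that is not RADiFlow code or from the talk: badge-in/badge-out events from the physical access-control system are turned into presence intervals, and a write command seen by a field-site DPI is flagged when the user was not badged into that site at the time. The log format, the rule that control-center sessions are exempt, and the sample events are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not from the talk). Fields: source,time,user,site,event;
# for OT rows "site" is the field site whose DPI saw the session originate.
PACS_LOG = """\
PACS,2014-11-05T08:02:00,jdoe,Facility1,badge_in
PACS,2014-11-05T09:40:00,jdoe,Facility1,badge_out
PACS,2014-11-05T13:00:00,asmith,Facility2,badge_in
"""
OT_LOG = """\
OT,2014-11-05T08:10:00,jdoe,Facility1,write_fc16
OT,2014-11-05T10:20:00,jdoe,Facility1,write_fc16
OT,2014-11-05T10:21:00,jdoe,Facility1,read_fc3
OT,2014-11-05T13:30:00,asmith,Facility2,write_fc6
OT,2014-11-05T13:31:00,ops1,ControlCenter,write_fc6
"""

def parse_log(text):
    """Split 'source,time,user,site,event' lines into tuples; time becomes a datetime."""
    rows = []
    for src, ts, user, site, event in (line.split(",") for line in text.splitlines()):
        rows.append((src, datetime.fromisoformat(ts), user, site, event))
    return rows

def presence_intervals(pacs_rows):
    """Map (user, site) -> [(badge_in, badge_out)]; open-ended if never badged out."""
    open_badges, intervals = {}, defaultdict(list)
    for _src, ts, user, site, event in sorted(pacs_rows, key=lambda r: r[1]):
        if event == "badge_in":
            open_badges[(user, site)] = ts
        elif event == "badge_out" and (user, site) in open_badges:
            intervals[(user, site)].append((open_badges.pop((user, site)), ts))
    for key, start in open_badges.items():
        intervals[key].append((start, datetime.max))
    return intervals

def correlate(pacs_log, ot_log, control_center="ControlCenter"):
    """Flag write commands issued at a field site while the user was not badged in there."""
    intervals = presence_intervals(parse_log(pacs_log))
    alerts = []
    for _src, ts, user, site, event in parse_log(ot_log):
        if site == control_center or not event.startswith("write"):
            continue  # control-center sessions and monitoring reads need no badge check
        present = any(a <= ts <= b for a, b in intervals.get((user, site), []))
        if not present:
            alerts.append(f"{ts.isoformat()} {user}@{site} {event}: no matching PACS presence")
    return alerts
```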

Page 12: Integrated security in a Ruggedized site gateway

[Figure: Ruggedized site gateway building blocks: Multi-Service, Resilient Network, Ruggedized System, Secure Access, Service Validation, Service Management, Operational Simplicity; labelled "Defense-in-depth solution" and "Solid infrastructure"]


Page 13: Security solution validated by US Research Labs

• Role Based IPS/IDS for SCADA Protocols

• Securing Data Traffic (Legacy or IP)

• Secure Authentication

• Persistent, Reliable Logging

• Integration with SOC tools


Page 14: Focus applications

• Power T&D (Smart-Grid, Sub-station automation)

• Smart-City, Safety and Security

• Intelligent Transportation (Railways, Highways)

• Drilling and Pipelines (Water, Oil & Gas)

• Out-of-Band Maintenance (Telco, CATV)

Page 15: Case Study – Sub-station LAN

• IEC61850-3 compliant switch/router

• IEC104/61850 Firewall

• Inter-site IPSec VPN

• Integration with PSIM

[Figure: Primary Sub-Station LAN with Router + Firewall 1 and Router + Firewall 2 in High Availability (VRRP), connected to MPLS PE 1 and MPLS PE 2 over the MPLS carrier 1 and MPLS Carrier 2 backbones; attached devices: Power Monitoring, Serial RTU, ETH RTU, VoIP GW, CCTV]

Page 16: Case Study – Consolidated Smart-Grid network

• Mix of fiber and cellular backhauling

• Regulation for Separate VPNs for AMI and DA

• Implementation highlights

– Service-aware VPN functionality

– IEC101/104 SCADA firewall

– Fiber or cellular uplinks

– Service-aware QoS for cellular network


Page 17: Smart-City network infrastructure

• Compact ruggedized switch for smart-city cabinets

– Ethernet with PoE for CCTV

– Serial and discrete I/O ports for simple automation devices

– Cellular modem for backup

• Integrated security mechanisms

– IPSec VPN for public network

– ModBus Firewall for automation devices

• Integration with PSIM in control center

[Figure: Smart-City cabinet with Traffic Control, Message board and CCTV, connected to the Control Center]

Page 18: Case Study – Highway automation & monitoring

[Figure: Central site (1588 clock) and Remote sites connected over rings labelled Ring 1 through Ring 6; Remote site devices: RS-232/485, Traffic control, Security cameras, Tetra basestations, Message boards; PoE, 1588 clock sync, QoS]

• Large-scale transportation control applications require

– Scalable & resilient network architecture

– Mixture of Ethernet, Serial & Discrete devices

– ModBus firewall for critical automation services

– PoE support for CCTV cameras

– IEEE 1588v2 support for radio synchronization


Page 19: Case-study – Gas drilling sites

• Remote management from across the US

– Connecting RTUs, CCTV and user LAN from each site

• Main access via private fiber ring + leased-line with backup over cellular

– Data Encryption over public network

– Validation of SCADA ModBus sessions

– Network resiliency – Fiber and Cellular

– Compact Ruggedized system with Serial, ETH and PoE

[Figure: drilling sites connected over a Public Carrier]


Page 20: Case-study – Out-of-Band maintenance

• Operators need to establish new remote POPs

– CATV, FTTH, Satellite, Campus WiFi, LTE micro-cell

• Normal management uses the in-band network

• Out-Of-Band management uses alternative physical media

Cost-effective Out-Of-Band connectivity

– NO need for wired infrastructure

– EASY ESTABLISHMENT over LTE/3G

– RESILIENT CONNECTIVITY by 2 SIM cards

– SECURE connections by IPSec and Firewall

– LAN PORTS for seamless LAN connectivity

– TERMINAL SERVER for CONSOLE PORT

– DISCRETE IO for alarm forwarding

[Figure: Control Center reaching the Network Elements over In-band Management and over a Separate Out-Of-Band Network (Out-Of-Band Management)]

Page 21: Summary

• Modern critical infrastructure deployments use Ethernet

– A holistic security solution is mandatory

• RADiFlow Secure communication solution

– Unique distributed service-aware firewall by the network

– Integrated defense-in-depth tool-set

– Optimized CapEx and OpEx


For more details:

[email protected]

www.radiflow.com