ECI Proprietary
SECURITY SOLUTION FOR CRITICAL INFRASTRUCTURE
Erez Segev - ECI
AGENDA
Critical Infrastructure
Solution Architecture
NFV Challenges
“The single biggest existential threat that's out there, I think, is cyber.”
Michael Mullen, former Chairman Joint Chiefs of Staff
CORPORATIONS WERE THE INITIAL TARGET
IP
Customer data theft
Intellectual property theft
Financial damage
Infrastructure damage
Corporate resources
Brand damage
CYBER ATTACKS ARE ALSO AIMED AT CRITICAL INFRASTRUCTURE
CI CYBER ATTACKS ARE A WEAPON OF MASS DESTRUCTION!
Power
Oil & Gas Pipelines
Military & Government
Transportation
Public Safety
UKRAINE UTILITIES OUTAGE
MULTI-VECTOR ATTACK!
Penetrated: Breach in the segregation of OT/IT; update of an HMI SCADA software
Lateral Movement: Compromising remote access; software for backdoor and C&C; spreading to multiple servers
Prevented Reporting: Call center DDoS attack; customers could not get through
Could have been detected and prevented with multi-dimensional OT-IT-Transport security
Multiple Points of Attack: Hackers seek out weakest links
IT/OT Convergence & Industrial IoT: New types of threats and vulnerabilities
Migration to IP Network; Smart Grid: Security lags new infrastructure
Aging Network Infrastructure: Filled with security vulnerabilities
CYBER THREATS ON C.I. ARE EXPECTED TO GROW
Aging Networks
Distributed Infrastructure
Industrial automation
Modernization
THE SOLUTION - PROTECT THE OT
[Network diagram. Labels: Sub-Station LAN, RTUs, Transport, NPT, Sub-Station (x4), Command & Control, IT, Internet]
CONNECTIVITY PROTECTION
[Network diagram. Labels: Sub-Station LAN, RTUs, Transport, NPT, Sub-Station (x4), Command & Control, IT, Internet]
Attack Origin: Transport network
Attack Vector: Man in the Middle (MitM)
Solution: Encryption
DATA PROTECTION
[Network diagram. Labels: Sub-Station LAN, RTUs, Transport, NPT, Sub-Station (x4), Command & Control, IT, Internet]
Attack Origin: ANY LAN (OT/IT)
Attack Vector: Data Exfiltration, Sabotage
Solution: Secured GW
Preventing propagating attacks
Protecting network side attacks
Network to Network attacks
OT to/from IT
SECURED GW – FUNCTIONS FOR OT
Firewall: Provides gateway security and identity awareness; controls incoming and outgoing network traffic based on an applied set of rules.
Application Control: Enables teams to easily create granular policies, based on users or groups, to identify, block or limit usage of applications.
IPS: Network protection against malicious and unwanted network traffic.
Anti-Malware: Stops the spread of malicious files throughout the network.
Anti-Bot: Detects bot-infected machines and prevents bot damage by blocking bot C&C communications.
Anti-Spam & Email Security: Protection for an organization's messaging infrastructure.
Identity Awareness: Granular visibility of users, groups and machines, providing unmatched application and access control through the creation of accurate, identity-based policies.
URL Filtering: Allows unified enforcement and management of all aspects of Web security.
Data Loss Prevention: Pre-emptively protects sensitive information from unintentional loss, educating users on proper data handling policies and empowering them to remediate incidents in real time.
ZERO-DAY PROTECTION
[Network diagram. Labels: Sub-Station LAN, RTUs, Transport, NPT, Sub-Station (x4), Command & Control, IT, Internet]
Attack Origin: Specific Sub-Station/C&C LAN
Attack Vector: Sabotage, D-DOS
Solution: SCADA Anomaly Detection
Zero interruption to operations – Works in mirroring mode
Device auto discovery
Detects cyber-security & operational incidents
Discovery of 0-day vulnerabilities
SOLUTION ARCHITECTURE
[Architecture diagram. Labels: Substation, Generation Operations & Control, SoC, LightSEC SHIELD™, LightSEC COMPASS™, Sec-GW, Anomaly detection, Network Service Enc., Mitigation Service, Traffic Control, Analytics Engine, Presentation Layer, NFV]
Pinpoints the Sources of Attack
MANAGEMENT TOPOLOGY & HARDWARE
Plug in Blade
Security Appliance
NFV SECURITY CHALLENGES
MANO framework Protection
- Guard VNF Catalogue
- VNFs Digital Signatures
- Securing OpenStack
  - Reducing attack surfaces
  - Following OpenStack Security Guide
Protect Interfaces
- REST over HTTPS
- OSS NFVO
- NFVO VIM
- VIM Hosts
- EMS VNF
- AAA Protection
HW Protection - Applying TPM – Trusted Platform Module
- Used to secure HW & SW components by integrating cryptographic keys into the device
- Has an internal HW RNG to create strong, secure keys
- Together with Intel TXT (Trusted Execution Technology) creates a chain-of-trust platform
- The chain of trust is based on CRTM (Core Root of Trust for Measurement)
- Based on attestation process
- Challenge to add virtual entities to TPM
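An added example (not from the original slides or from ECI) of the chain of trust the TPM bullets describe: each boot stage is measured into a PCR before it runs, and a verifier replays the event log against known-good digests. Stage names and images are constructed, and the signed quote and nonce that carry the PCR value in a real attestation are omitted.

```python
import hashlib

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend: PCR_new = SHA-256(PCR_old || digest). A PCR cannot be set
    # directly, so its value commits to every measurement and their order.
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(stages):
    """Each stage is hashed before it runs; returns (final PCR, event log)."""
    pcr, log = bytes(32), []          # PCR is all zeros after reset
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log

def verify(reported_pcr: bytes, log, golden) -> str:
    """Verifier side: replay the log, then compare each entry to known-good."""
    pcr = bytes(32)
    for _, digest in log:
        pcr = extend(pcr, digest)
    if pcr != reported_pcr:
        return "event log does not reproduce PCR"
    for name, digest in log:
        if golden.get(name) != digest:
            return f"unexpected measurement: {name}"
    return "trusted"

# Constructed sample images; stage names are illustrative only.
GOOD = [("firmware", b"fw-1.0"), ("bootloader", b"bl-2.3"),
        ("hypervisor", b"kvm-host-7")]
GOLDEN = {n: hashlib.sha256(i).digest() for n, i in GOOD}

def demo():
    pcr, log = measured_boot(GOOD)
    tampered = [GOOD[0], ("bootloader", b"bl-2.3-implant"), GOOD[2]]
    bad_pcr, bad_log = measured_boot(tampered)
    clean_log = measured_boot(GOOD)[1]    # clean log shown with tampered PCR
    return (verify(pcr, log, GOLDEN),
            verify(bad_pcr, bad_log, GOLDEN),
            verify(bad_pcr, clean_log, GOLDEN))

if __name__ == "__main__":
    print(demo())
```

The third case shows why the log alone is not trusted: a clean-looking log cannot reproduce the PCR of a platform that booted a modified stage.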
RECAP…BEFORE AND AFTER
[Network diagram, before and after. Labels: Sub-Station LAN, RTUs, Transport, NPT, Sub-Station (x4), Command & Control, IT, Internet, LightSEC SHIELD™, LightSEC COMPASS™, NFV]