SECURITY SOLUTION FOR CRITICAL INFRASTRUCTURE · Erez Segev


Page 1: SECURITY SOLUTION FOR CRITICAL INFRASTRUCTURE · Erez Segev Erez.Segev@ecitele.com. Title: Microsoft PowerPoint - SEGEV_ECI.pptx Author: guinet Created Date: 6/14/2017 8:14:16 AM

ECI Proprietary

SECURITY SOLUTION FOR CRITICAL INFRASTRUCTURE

Erez Segev - ECI


AGENDA

Critical Infrastructure

Solution Architecture

NFV Challenges

“The single biggest existential threat that's out there, I think, is cyber.”

Michael Mullen, former Chairman Joint Chiefs of Staff


CORPORATIONS WERE THE INITIAL TARGET

IP

Customer data theft

Intellectual property theft

Financial damage

Infrastructure damage

Corporate resources

Brand damage

CYBER ATTACKS ARE ALSO AIMED AT CRITICAL INFRASTRUCTURE

CI CYBER ATTACKS ARE A WEAPON OF MASS DESTRUCTION!

Power

Oil & Gas Pipelines

Military & Government

Transportation

Public Safety


UKRAINE UTILITIES OUTAGE: MULTI-VECTOR ATTACK!

Penetrated: Breach in the segregation of OT/IT; update of an HMI SCADA software

Lateral Movement: Compromising remote access

Software for backdoor and C&C; spreading to multiple servers

Prevented Reporting: Call center DDoS attack; customers could not get through

Could have been detected and prevented with multi-dimensional OT-IT-Transport security


Multiple Points of Attack: Hackers seek out weakest links

IT/OT Convergence & Industrial IoT: New types of threats and vulnerabilities

Migration to IP Network; Smart Grid: Security lags new infrastructure

Aging Network Infrastructure: Filled with security vulnerabilities

CYBER THREATS ON C.I. ARE EXPECTED TO GROW

[Diagram labels: Aging Networks, Distributed Infrastructure, Industrial automation, Modernization]


THE SOLUTION - PROTECT THE OT

[Network diagram. Labels: Sub-Station LAN, RTUs, NPT, Transport, IT, Internet, Sub-Station, Command & Control]


CONNECTIVITY PROTECTION

[Network diagram. Labels: Sub-Station LAN, RTUs, NPT, Transport, IT, Internet, Sub-Station, Command & Control]

Attack Origin: Transport network

Attack Vector: Man in the Middle (MitM)

Solution: Encryption


DATA PROTECTION

[Network diagram. Labels: Sub-Station LAN, RTUs, NPT, Transport, IT, Internet, Sub-Station, Command & Control]

Attack Origin: ANY LAN (OT/IT)

Attack Vector: Data Exfiltration, Sabotage

Solution: Secured GW

Preventing propagating attacks

Protecting network side attacks

Network to Network attacks

OT to/from IT


SECURED GW – FUNCTIONS FOR OT

Firewall: Provides gateway security and identity awareness; controls incoming and outgoing network traffic based on an applied set of rules.

Application Control: Enables teams to easily create granular policies, based on users or groups, to identify, block or limit usage of applications.

IPS: Network protection against malicious and unwanted network traffic.

Anti-Malware: Stops the spread of malicious files throughout the network.

Anti-Bot: Detects bot-infected machines and prevents bot damage by blocking bot C&C communications.

Anti-Spam & Email Security: Protection for an organization's messaging infrastructure.

Identity Awareness: Granular visibility of users, groups and machines, providing unmatched application and access control through the creation of accurate, identity-based policies.

URL Filtering: Allows unified enforcement and management of all aspects of Web security.

Data Loss Prevention: Pre-emptively protects sensitive information from unintentional loss, educating users on proper data handling policies and empowering them to remediate incidents in real time.


ZERO-DAY PROTECTION

[Network diagram. Labels: Sub-Station LAN, RTUs, NPT, Transport, IT, Internet, Sub-Station, Command & Control]

Attack Origin: Specific Sub-Station/C&C LAN

Attack Vector: Sabotage, DDoS

Solution: SCADA Anomaly Detection

Zero interruption to operations – Works in mirroring mode

Device auto discovery

Detects cyber-security & operational incidents

Discovery of 0-day vulnerabilities


SOLUTION ARCHITECTURE

[Architecture diagram. Labels: Substation, Generation Operations & Control, SoC, LightSEC SHIELD™, LightSEC COMPASS™, Sec-GW, Anomaly detection, Network Service Enc., Mitigation Service, Traffic Control, Analytics Engine, Presentation Layer, NFV]

Pinpoints the Sources of Attack


MANAGEMENT TOPOLOGY & HARDWARE

Plug in Blade

Security Appliance


NFV SECURITY CHALLENGES

MANO framework Protection

- Guard VNF Catalogue
- VNFs Digital Signatures
- Securing OpenStack
- Reducing attack surfaces
- Following OpenStack Security Guide

Protect Interfaces

- REST over HTTPS
- OSS NFVO
- NFVO VIM
- VIM Hosts
- EMS VNF
- AAA Protection

HW Protection - Applying TPM – Trusted Platform Module

- Used for secure HW & SW components by integrating cryptographic keys into the device
- Has internal HW RNG to create strong secured keys
- Together with Intel TXT (Trusted Execution Technology) creates a chain of trust platform
- The chain of trust is based on CRTM (Core Root of Trust Measurement)
- Based on attestation process
- Challenge to add virtual entities to TPM
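
The measured-boot chain of trust and attestation check listed above, sketched as an added example (not part of the original slides and not ECI code). The function names, the three boot stages and the sample images are hypothetical and constructed; the signed TPM quote that carries the PCR value in a real deployment is assumed to be verified already.

```python
import hashlib

def measure(blob: bytes) -> bytes:
    """Digest of a boot component, taken before control is handed to it."""
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: a PCR cannot be set, only folded as H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log) -> bytes:
    """Recompute the PCR a verifier expects from an ordered event log."""
    pcr = bytes(32)  # static PCRs start at all zeros after platform reset
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

def boot(components):
    """Simulated measured boot; returns (event_log, final_pcr)."""
    log = [(name, measure(blob)) for name, blob in components]
    return log, replay(log)

def verify_host(event_log, reported_pcr, golden):
    """Verifier side of attestation. Returns (trusted, reason)."""
    if replay(event_log) != reported_pcr:
        return False, "event log does not reproduce reported PCR"
    for name, digest in event_log:
        if golden.get(name) != digest:
            return False, f"unexpected measurement: {name}"
    if {name for name, _ in event_log} != set(golden):
        return False, "boot stage missing from event log"
    return True, "ok"

# Constructed sample images (not real firmware); stage names are hypothetical.
GOLDEN_IMAGES = [("bios", b"constructed-bios-v1"),
                 ("bootloader", b"constructed-loader-v1"),
                 ("hypervisor", b"constructed-hypervisor-v1")]
GOLDEN = {name: measure(blob) for name, blob in GOLDEN_IMAGES}

if __name__ == "__main__":
    log, pcr = boot(GOLDEN_IMAGES)
    print(verify_host(log, pcr, GOLDEN))
    bad = GOLDEN_IMAGES[:2] + [("hypervisor", b"constructed-hypervisor-modified")]
    bad_log, bad_pcr = boot(bad)
    print(verify_host(bad_log, bad_pcr, GOLDEN))  # modified stage is named
    print(verify_host(log, bad_pcr, GOLDEN))      # clean log, mismatched PCR
```

Because each extend folds the previous PCR value into the next, a changed or reordered stage alters the final value, and a host cannot present a clean event log alongside a PCR produced by a modified boot.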


RECAP…BEFORE AND AFTER

[Network diagram. Labels: Sub-Station LAN, RTUs, NPT, Transport, IT, Internet, Sub-Station, LightSEC SHIELD™, LightSEC COMPASS™, Command & Control, NFV]


THANK YOU!

Erez.Segev@ecitele.com