Ensuring security in supervisory control and data acquisition (SCADA) networks … · 2016-05-17
Ing. Radek Sazama
SAFY Global s.r.o.
Exclusive distributor of Radiflow for the Czech Republic and Slovakia
Ensuring security in supervisory control and data acquisition (SCADA) networks with RadiFlow technology
© Copyright 2015, Radiflow Ltd.
The market – Securing the Industrial IoT
Radiflow - Overview
• Utilities deploy modern Distributed Automation devices connecting remote locations over large-scale IP networks
• Exposing critical applications to cyber security attacks
Radiflow provides Cyber Security solutions for Critical Distributed Automation networks
Growing Install-base
Growing rate of cyber-attacks on SCADA systems
… and the industry is finally waking-up
Attack Vectors on Critical Distributed Automation
(Diagram: control center connected over the OT network to PLCs; attack vectors shown: computer malware, man-in-the-middle, rogue device, abused access)
Need to validate the M2M and H2M sessions
Securing the Distributed SCADA operations
Attack Vector                        | Defense Method
Malware in the SCADA computers       | SCADA Deep-Packet-Inspection to block unauthorized traffic from the SCADA server
Compromised field device             | IPS/IDS (Intrusion Prevention/Detection) for behavioral analysis of distributed automation
Man in the middle                    | Encrypted VPN tunnels over the untrusted links
Excess access rights in remote site  | Restricted access to the critical assets using user-based and task-based policies
Radiflow Products
Secure Gateway / TAP
• Distributed inline/TAP
• SCADA DPI Engine
• VPN
IDS & NAS Server
• Central Server
• Monitor network traffic
• Network-Access-Control
Security Software Packages
• SCADA White-listing
• SCADA Anomaly Detection
• Task-based Access-control
• Physical-Cyber integration
Integrated Physical & Cyber security
• Distributed SCADA IPS in each site
• Correlation with physical security systems for dynamic user authentication
• Validate per-user SCADA operations
• Integration with central SIEM tool
Restricted user operations in the Cyber corridors of Distributed automation networks
VPN over public network
• Connecting private sub-networks over a public network
• Remote site connection using Hub & Spoke GRE tunnels
• IP Sec used to encrypt the GRE tunnels
• Certificates used to authenticate remote parties
• L2 or L3 VPN modes available
(Diagram: two cell sites reached through ISP #1 and ISP #2 and a NAT router; the primary SIM is active and the secondary SIM is off; IPsec tunnels run across the Internet)
Security solution validated by US Research Labs
• Role Based IPS/IDS for SCADA Protocols
• Securing Data Traffic (Legacy or IP)
• Secure Authentication
• Persistent, Reliable Logging
3180 – Secure Utility Gateway
• 8/16xETH 10/100BaseT
• 4xRS-232
• Dual-SIM 2G/3G Cellular modem
• 2+2 Discrete I/O
• ETH switching & IP routing
• SCADA security tool-set
• SCADA Gateway
Portfolio Overview
• Industrial design
• Modular DIN rail switches (7 I/O slots) or Compact system
• Harsh environment: IP30, -40 to +75 °C, IEC 61850-3 EMI
• ETH or RS-232/RS-485 serial interface modules
• Networking
• Advanced Ethernet switching and IP routing functionality
• Serial Tunneling or Service translation
• Physical interfaces:
• Copper – Fast Ethernet / Gigabit Ethernet
• Fiber – Single Mode / Multi Mode
• Cellular – GPRS / UMTS
• Integrated security mechanisms
• MAC/IP filtering per port
• Distributed app-aware firewall
• Remote access and Inter-site connectivity
(Product images: models 1031, 3180, 3700)
Secure Utility Gateway - 1031
• Interfaces
– 1xETH 10/100BaseT
– 1xETH 100/1000 SFP (second phase)
– 1xRS-232/RS-485 + 1xRS-232
– Dual SIM 2G/3G Cellular modem
– 2+2 Discrete I/O
• Dimensions (HxWxD) [mm] - 110x45x120
Secure Utility Gateway - 1031
– Dynamic & Static Routing
– Transparent Serial Tunneling
– Terminal Server
– SCADA Gateway
– SCADA Firewall
– L2 VPN
– L3 VPN
– IPSec
– NAT
– OSPF
– RIP
– Protection of dual SIM
– L3-24 ACLs
– Telnet Server & Client
– SSH Server & Client *
– NTP*
– Counters and Statistics
– LEDs
– TFTP /SFTP*
– Discrete Channels
– Auto Crossing
– Auto Negotiation
– Time conditioned reload
– Ping
– Rmon*
Model-Based IDS/IPS
• Learns the network and builds a model of network behavior:
o Connections between stations
o Network hierarchy (Servers and clients, controllers and IO devices)
o Sequence of commands, memory and IO access, etc.
o Command rates
• Anomaly detection compared to baseline
• Network info collection
• Distributed TAPs
• Our gateways
• Interface to network taps/firewalls and SIEM tools
• Intuitive GUI
Anomaly Detection
• Learning the Network Topology: Devices, Links
– Detecting new devices
– Detecting topology changes
• Learning device Sampling time
• Passive Machine Profiling
– Detecting out-of-order commands
– Detecting PLC scanning attacks
• Detecting abnormal memory access to devices
• Preventing unauthorized firmware upgrade
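As an added illustration of the learn-then-detect approach described on these two slides (example code, not Radiflow's own), the following Python sketch builds a baseline from constructed Modbus/TCP command records and then flags stations never seen during learning, function codes never seen on a pair, register access outside the learned window, and command rates above the learned per-second peak. Host names, records and the one-second rate bucket are assumptions made for the example.

```python
from collections import defaultdict

# Constructed Modbus/TCP command records: (time_s, src, dst, unit_id, function_code, start_addr, count);
# function codes are standard Modbus (3 = read holding regs, 16 = write multiple regs, 43 = encapsulated interface).
BASELINE = [  # learning phase: the normal polling pattern of the SCADA server
    (0.0, "scada-1", "plc-a", 1, 3, 100, 10), (1.0, "scada-1", "plc-a", 1, 3, 100, 10),
    (2.0, "scada-1", "plc-a", 1, 3, 100, 10), (0.5, "scada-1", "plc-b", 1, 3, 0, 4),
    (1.5, "scada-1", "plc-b", 1, 16, 200, 2), (2.5, "scada-1", "plc-b", 1, 3, 0, 4),
]
LIVE = [  # detection phase; each record after the first exercises one anomaly class
    (10.0, "scada-1", "plc-a", 1, 3, 100, 10),  # normal poll
    (11.0, "scada-1", "plc-a", 1, 16, 100, 1),  # write to a device that was only ever read
    (12.0, "scada-1", "plc-b", 1, 16, 900, 2),  # write outside the learned register window
    (13.0, "laptop-7", "plc-a", 1, 3, 0, 1),    # station never seen during learning
    (14.0, "scada-1", "plc-b", 1, 43, 0, 0),    # function code never seen on this pair
    (15.0, "scada-1", "plc-a", 1, 3, 100, 10), (15.5, "scada-1", "plc-a", 1, 3, 100, 10),  # 2 polls/s
]

class BehaviorModel:
    def __init__(self):
        self.windows = {}                  # (src, dst, unit, fc) -> (lowest addr, highest addr)
        self.peak_rate = defaultdict(int)  # (src, dst) -> most commands seen in any one second
    def learn(self, records):
        per_sec = defaultdict(int)
        for t, src, dst, unit, fc, addr, cnt in records:
            lo, hi = self.windows.get((src, dst, unit, fc), (addr, addr + cnt - 1))
            self.windows[(src, dst, unit, fc)] = (min(lo, addr), max(hi, addr + cnt - 1))
            per_sec[(src, dst, int(t))] += 1
            self.peak_rate[(src, dst)] = max(self.peak_rate[(src, dst)], per_sec[(src, dst, int(t))])
    def check(self, records):
        hosts = {h for key in self.windows for h in key[:2]}
        alerts, per_sec = [], defaultdict(int)
        for t, src, dst, unit, fc, addr, cnt in records:
            key = (src, dst, unit, fc)
            if src not in hosts or dst not in hosts:
                alerts.append(("new-device", src, dst, fc))
            elif key not in self.windows:
                alerts.append(("unknown-command", src, dst, fc))
            else:
                lo, hi = self.windows[key]
                if addr < lo or addr + cnt - 1 > hi:
                    alerts.append(("abnormal-memory-access", src, dst, fc))
                per_sec[(src, dst, int(t))] += 1
                if per_sec[(src, dst, int(t))] == self.peak_rate[(src, dst)] + 1:
                    alerts.append(("rate-anomaly", src, dst, fc))  # alert once per second bucket
        return alerts

def run_demo():
    model = BehaviorModel()
    model.learn(BASELINE)
    return model.check(LIVE)
```

Replaying the baseline through the trained model produces no alerts, which is the sanity check to run before trusting any learned profile.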
Measuring Operational Behavior
• Focusing on communication problems
• Detecting abnormal Delays in the link.
• Detecting abnormal rate of packet dropping.
• Detecting abnormal rate of retransmit
Integrated security in a Ruggedized switch
(Diagram: multi-service resilient network, ruggedized system, secure access, service validation and service management, summarised as operational simplicity, a defense-in-depth solution and a solid infrastructure)
RADiFlow Portfolio Evolution
(Diagram: Secure Utility Gateway/Router, SCADA IPS/IDS, SCADA Behavioral Detection Server, Physical & Cyber Integration, Identity Management)
Focus Applications
• Power T&D (Smart-Grid, Sub-station automation)
• Smart-City, Safety and Security
• Intelligent Transportation (Railways, Highways)
• Drilling and Pipelines (Water, Oil & Gas)
Case Study – Substation secure gateway
Case study – Securing Renewable plants
Case Study – Consolidated Smart-Grid network
• Mix of fiber and cellular backhauling
• Regulation for Separate VPNs for AMI and DA
• Implementation highlights
− Service-aware VPN functionality
− SCADA firewall
− Fiber or cellular uplinks
− Service-aware QoS for cellular network
− Serial interfaces with protocol gateway
− Zero-touch provisioning for mass deployment
Case study – Resilient Smart-Grid network
• 2 mobile operators, switch-over based on:
– RSSI degradation
– PPP keep-alive
– Periodic ICMP ping
– Auto restart watch-dog option
• Redundant backbone routers
– DMVPN implementation
– RIP routing protocol
• Gradual evolution to fiber backhauling where possible
• Cyber security considerations
– IPSec VPN using AES256 encryption with X.509 key management
– Future distributed SCADA firewall for DA services
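The dual-operator switch-over criteria listed above, as an added example (not Radiflow's firmware): a small Python state machine that consumes constructed link-health samples (RSSI, PPP keep-alive result, ICMP probe result) and switches SIM on PPP loss, sustained RSSI degradation or repeated probe failure, with a hold-down period after each switch so the link does not flap between operators. Thresholds, hold-down length and the samples are assumptions for the example; the auto-restart watch-dog option is not modelled.

```python
# Constructed link-health samples for the active SIM: (rssi_dbm, ppp_keepalive_ok, icmp_probe_ok).
SAMPLES = [
    (-85, True, True),                                           # healthy on the primary operator
    (-105, True, True), (-106, True, True), (-108, True, True),  # RSSI below floor for 3 samples
    (-90, True, False), (-90, True, False), (-90, True, False),  # probes fail, but inside hold-down
    (-90, True, True), (-90, True, True),                        # recovered; hold-down expires
    (-90, False, True),                                          # PPP session lost on the secondary
]

class DualSimFailover:
    RSSI_FLOOR_DBM = -100   # assumed thresholds for the example
    RSSI_BAD_SAMPLES = 3    # consecutive samples below the floor before switching
    PING_FAILS = 3          # consecutive failed ICMP probes before switching
    HOLD_DOWN = 5           # samples after a switch during which the soft criteria are ignored

    def __init__(self):
        self.active = "primary"
        self.bad_rssi = self.failed_pings = self.hold = 0
        self.events = []    # (reason, SIM switched to)

    def _switch(self, reason):
        self.active = "secondary" if self.active == "primary" else "primary"
        self.bad_rssi = self.failed_pings = 0
        self.hold = self.HOLD_DOWN
        self.events.append((reason, self.active))

    def sample(self, rssi_dbm, ppp_ok, ping_ok):
        """Feed one periodic health sample; returns the SIM that should be active afterwards."""
        self.bad_rssi = self.bad_rssi + 1 if rssi_dbm < self.RSSI_FLOOR_DBM else 0
        self.failed_pings = 0 if ping_ok else self.failed_pings + 1
        self.hold = max(0, self.hold - 1)
        if not ppp_ok:                       # hard failure: switch even during hold-down
            self._switch("ppp-keepalive")
        elif not self.hold and self.bad_rssi >= self.RSSI_BAD_SAMPLES:
            self._switch("rssi-degradation")
        elif not self.hold and self.failed_pings >= self.PING_FAILS:
            self._switch("ping-failure")
        return self.active

def run_demo():
    fo = DualSimFailover()
    for s in SAMPLES:
        fo.sample(*s)
    return fo.events, fo.active
```

The three failed probes right after the first switch do not trigger a second switch because they fall inside the hold-down; the PPP loss does, since a dead session is treated as a hard failure.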
Case-study – Gas drilling sites
• Remote management from LA control center to ND drilling sites
– Connecting RTUs and CCTV from each site
• Main access via private fiber ring + leased line with backup over cellular
– Data encryption over public network
– Validation of SCADA Modbus sessions
– Network resiliency – fiber and cellular
– Ruggedized system with serial, ETH and PoE ports
(Diagram: sites connected over a public carrier)
Smart-City network infrastructure
• Compact ruggedized switch for smart-city cabinets
– Ethernet with PoE for CCTV
– Serial and discrete I/O ports for simple automation devices
– Cellular modem for zero-investment deployment
• Integrated security mechanisms
– IPSec VPN for public network
– SCADA firewall for automation devices
• Integration with Security control center
(Diagram: smart-city cabinet with traffic control, message board and CCTV connected to the control center)
Summary
• Modern distributed automation applications use IP networks
– Intra-network security is mandatory
• Radiflow Service-aware Industrial security solution
– Unique distributed service-aware IPS/IDS
– Integrated defense-in-depth tool-set
– Optimize CapEx and OpEx
For more details:
www.safy.cz
www.radiflow.com