RADs Offering for Power Utilities Service Assured Networking
RADs Offering for Power Utilities Service Assured Networking Solutions Your Networks Edge Dave Thomas Critical Infrastructure LOB Manager SAN for Power Utilities Presentation Slide1 RAD at a Glance Telecommunications service assured networking solutions specialist Addresses service providers, power utilities, transportation and government Provides resilient and secure evolution to modern and efficient NGN Founded in 1981, privately owned Anchor of the $1.2 billion RAD Group 31 offices, sales channels in more than 150 countries RADs Headquarters ~ 4,500 employees Over 12 million units installed worldwide SAN for Power Utilities Presentation Slide2 Our Offering for Power Utilities Multiservice Substation Operational Network Secure IEC 61850-3
Substation Network Voice, data, Teleprotection, 61850-3 switch/router SCADA protocols conversion SCADA firewall LAN, Virtualization Hybrid connectivity with Traffic Duplication Carrier-grade Ethernet SONET/SDH Distribution Automation, and Smart Meter Backhaul Distance and Differential Protection Communications Teleprotection over PDH, SDH/ Over cellular, P2P/P2MP, radio and fiber Integrated encryption and firewall SONET and PSN SAN for Power Utilities Presentation Slide3 RADs Complete Service Assured Networking Solutions
Multiservice Multiservice & & Teleprotection Teleprotection Connectivity Connectivity Operational Operational WAN WAN Central Central Site Site Substation Substation RTU TPR SCADA Server LAN SONET RV-EMS Analog
Data Center Traffic Traffic Duplication Duplication Network Network Management Management Carrier-grade Carrier-grade Ethernet Ethernet LV LV Transformer Transformer Substation Substation Camera RTU RTU Secure Secure 61850-3 61850-3 Ethernet Ethernet
IED Meter C. Smart Smart Meters Meters & & Distribution Distribution Automation Automation BH BH SAN for Power Utilities Presentation Slide4 Service Assured Networking Solution Building Blocks SecFlow Megaplex-4 Multiservice Access Platform ETX Service-Aware Secure Ethernet Switch Airmux Multiservice Aggregation Platform
High Capacity Wireless System RADview Network Management SAN for Power Utilities Presentation Slide5 Megaplex Multi-service Connectivity and Mission Critical Reliability over Packet Networks and SDH/SONET Sub Sub 2ms 2ms latency, latency, Teleprotection Teleprotection Serial Serial SCADA SCADA NN xx 64kbps 64kbps >> OC-12 OC-12 Digital Digital CrossCrossConnect Connect Sub-50 Sub-50 mS mS
Restoration Restoration Analog Analog and and Digital Digital Voice Voice Megaplex-4 Multiservice Access Platform Sync-E, Sync-E, IEEE IEEE 1588 1588 PTP PTP PoE PoE 10/100/1000 10/100/1000 Mbps Mbps CarrierCarrierGrade Grade Ethernet Ethernet NVF, NVF, Firewall,
Firewall, Router.. Router.. Traffic Traffic Duplication Duplication Network Network Management Management Relay/Alarms Relay/Alarms SAN for Power Utilities Presentation Slide6 SecFlow -- Integrated Functionality for Automation Networking and Critical Infrastructure Protection L2, L2, L3 L3 VPNs VPNs PoE PoE 1588 1588 Clocking Clocking
Protocol Conversion Conversion Router Router Serial Serial Interfaces Interfaces SAN for Power Utilities Presentation Slide7 Airmux Wireless Broadband for Fixed, Nomadic and High-Speed Mobility Communications Guaranteed Guaranteed Bandwidth Bandwidth & & SLAs SLAs Low Low & & Fixed Fixed Latency Latency & & Jitter Jitter Native
Native Ethernet Ethernet & & TDM TDM Diverse sub-6 GHz Bands Unique Unique BS/Mobile BS/Mobile Unit Unit for for Rail/Highway Rail/Highway Point-to-Point Point-to-Point & & Point-toPoint-toMultipoint Multipoint Long Long Range Range & & Wide Wide Coverage Coverage Area Area
Up Up to to 250 250 Mbps Mbps Throughput Throughput Broadband Broadband Mobility Mobility at at 250Km/h 250Km/h Airmux High Capacity Wireless System OFDM, OFDM, MIMO, MIMO, Diversity Diversity nLOS, nLOS, NLOS NLOS Smart Smart Network
Network && Performance Performance Management Management Sophisticated Wireless RF Planner SAN for Power Utilities Presentation Slide8 ETX Aggregation Platform for Service Assured Core Operational Networks FE/GbE/10 FE/GbE/10 GbE GbE and and SDH/SONET SDH/SONET Highly Highly Accurate Accurate Timing Timing and and Synchronization Synchronization CE CE 2.0
2.0 Certified Certified Carrier-Grade Carrier-Grade Platform Platform ETX Multiservice Aggregation Platform Compact Compact 3U 3U Shelf Shelf with with High High Port Port Density Density High High Resiliency Resiliency and and Availability Availability Various Various Network Network
Topologies Topologies Self-Healing Self-Healing Carrier Carrier Ethernet Ethernet Rings Rings SAN for Power Utilities Presentation Slide9 RADview Highly Scalable Integrated Network Management System for Service Assurance Point Point and and Click Click Operations Operations Service Service Creation Creation & & Testing Testing Performance Performance Monitoring Monitoring RADview
User User Friendly Friendly GUI GUI Secure Secure Access Access Network & Service Management Zero-Touch Zero-Touch Provisioning Provisioning Element Element and and Network Network Management Management High High Availability Availability && Disaster Disaster recovery recovery
SAN for Power Utilities Presentation Slide10 Cyber-threat for automation networks Anonymous Lulzec SAN for Power Utilities Presentation Slide11 What is NERC CIP? CIP = Critical Infrastructure Protection The North American Electric Reliability Corporation (NERC) has created NERC 1300 standard. The newest version of NERC 1300 is called CIP-002 through CIP-011 CIP represents efforts to prevent, detect, and correct (recover) from attacks. The current most updated version of NERC CIP is version 5, which will come into effect in 2015 (Q2) Version 5 deals with securing BES Bulk Electric Systems above 100KV NERC will conduct annual compliance tests and will impose financial fines starting 2016 Version 6 planned for 2017 to include low impact (<100KV) and transient devices SAN for Power Utilities Presentation Slide15 NERC CIP Guidelines CIP Critical Infrastructure Protection NERC - CIPs (002 011) 002: Critical Cyber Assets
011: Information Protection 103 Compliance Criteria Annually Inspected Fines Applied from 2016 SAN for Power Utilities Presentation Slide16 NERC CIP Terms and Highlights BES - Bulk Electric System Electrical generation resources, transmission lines, interconnections and associated equipment, operated at voltages of 100 kV or higher. BCS - BES Cyber System Logically grouped Cyber Assets (which may cause damage if non operational for 15 min) assigned to perform reliability tasks. BCA - Cyber Asset Programmable electronic devices, including the hardware, software, and data in those devices that are critical for electrical supply reliability that can be accessed via routable protocol ESP Electronic Security Perimeter The logical electronic boundary surrounding Cyber Assets inside which all Critical Cyber
Assets reside Complete Listing of terms: http://www.nerc.com/files/glossary_of_terms.pdf SAN for Power Utilities Presentation Slide17 More NERC CIP Terms and Highlights BROS BES Reliability Operating Service BCAs (Cyber Asset) that perform a function that would affect the reliable operation of the BES Utilities are responsible for defining these Asset(s) Bottom up or Top down methodology Bottom up entails Utility to identify BCAs then work up to BROS Top down identify BROS and work down to BCAs Programmable and affect the reliable operation of the BES NERC doesnt really define what programmable means but leaves it to the utility to develop a definition affect the reliable operation of the BES is the most important language describing a Cyber Asset Facilities vs Assets. Medium impact vs. Low impact
Complete Listing of terms: http://www.nerc.com/files/glossary_of_terms.pdf SAN for Power Utilities Presentation Slide18 ESP Electronic Security Perimeter(s) The Responsible Entity shall: Ensure that every Critical Cyber Asset resides within an Electronic Security Perimeter. Identify and document the Electronic Security Perimeter(s) and all access points to the perimeter(s) and all cyber assets within the Perimeter(s) ESP BES Installation Access Point Utility Broadband Network HV/MV Substation SAN for Power Utilities Presentation Slide21 HV/MV Substation = BES Cyber System HV Connection Bars HV Input High Voltage Entry to Substation (160kV/120 kV/69kV HV Protection Relays Switching/Breakers
MV Feeders MV Output Substation Control Room Communications Equipment Measurement IEDs Local RTUs/IEDs Teleprotection Local Control SCADA HV/MV Transformers MV Feeders Medium Voltage Switching 11kV/13 kV MV Connection Bars SAN for Power Utilities Presentation Slide22 Substation Cyber Protection Protecting IEDs from Unauthorized Access It is important to ensure that all messages to and from the substation are genuine, sent from authorized sources and do not carry malware The messages must be communicated securely, and their integrity has to be properly reconfirmed Protecting HV IEDs from unauthorized access is a challenging task in order to protect the operation of the entire transmission grid RADs solution:
Encryption and integrity for all communications outside the substation Application (SCADA) aware firewall in each substation Logging all connection events Record/monitor all device connections in substations SAN for Power Utilities Presentation Slide23 RADs Multi-Layer Security by Design IPSec Encryption and Integrity SAN for Power Utilities Presentation Slide24 Versatile Add-On Functions Virtualization at the Substation NFV Virtualization of network functions Networking functions performed by software hosted on standard computer servers, replacing vendor-specific hardware SAN for Power Utilities Presentation Slide25 Distributed SCADA Defense Substation SCADA Control Center
SCADA RTU Metering Data Center OT Core Backbone IED Meter SAN for Power Utilities Presentation Slide26 Device Connection Control SAN for Power Utilities Presentation Slide27 Device Connection Control Well established Security domain within Enterprise IT Many attacks can be instigated (intentionally or not) by connecting rogue devices from the inside by authorized (or not) personnel The assumption is that anything that plugs into the network (PCs, cameras, switches, routers, other) by means of any interface (Ethernet port, USB, serial port, wireless) anywhere in the network is suspect unless proven otherwise Possible risks adding access points via rogue devices, worms and virus infections, DOS and other inside attacks, unauthorized data collection/distortion
Illuminating all data network connections (BCS or Networking Devices) Alerting on network access changes: who, what, when, from where Apply rules for alerts and actions SAN for Power Utilities Presentation Slide28 Intermediate System SAN for Power Utilities Presentation Slide29 Intermediate System PSP High BCS WAN Medium BCS ESP EAP Encryption Protocol break Logging
server Multi-Factor Auth Auth server PACS Intermediate System EACMS Non-ESP Protocol Break Multi-Factor Authentication Encryption SAN for Power Utilities Presentation Slide30 Modern Cyber Attacks and the Sense-of-Security Illusion First inflection point can be physically on the core network (man-in-themiddle), inside the substation (rogue person or rogue PC or camera), inside new equipment or patches deployed to equipment Attacker, first finds a way in, then proves to himself he can cause damage on a single location, then proliferates the potential attack to multitudes of locations in the OT (Operational Network) The attack itself may come months or years later Physical protection (barbed wires and bolted doors) may be a security illusion and the same could be said about no suspicious network activity thresholds crossed
SAN for Power Utilities Presentation Slide32 MPLS Man in the Middle Attack CE can block this attack by using MACSecs integrity check Central Site DMS/EMS PE Data Plane Data Center MPLS Core Substation LSP LS LSP P RTU TPR PE LSP
LAN MPLS has no integrity mechanisms to detect tampering Tampering means falsifying SCADA RTU/IED control station data Result can be power disruption and/or physical damage to equipment Can be implemented by owning the switch or by inserting an Evil SFP into a port SAN for Power Utilities Presentation Slide33 The Power of Encryption Encryption is not just Confidentiality Encryption is a 1-1 trusted tunnel between two points A and B (e.g. a control center and a substation) There might be dozens of network nodes and hundreds of miles of fiber/copper/wireless paths between A and B (over private or public networks) Even if all of them are compromised (MITM), the existence of the Encrypted tunnels creates a situation as if they were not there and points A and B are inches apart in the same physically protected environment By paving 1-1 encrypted tunnels you are guarantying that only that path of communication between point A and B exists Identify all your legal 1-1 communication paths Set an encrypted tunnel on all of them SAN for Power Utilities Presentation Slide34 MacSec vs. IPSec
MacSec is layer 2 (by Mac Address), IPSec is layer 3 (by IP Address) Both ensure that data exchanging entities are authenticated to each other Both have encryption according to same ciphers and key options IPSec has 40% bandwidth overhead, MacSec much less MacSec delay is measured in single digit microseconds (HW), IPSec has much more significant delays MacSec can fit Teleprotection while IPSec may not The MacSec that RAD is implementing is end-to-end - among Megaplex nodes - regardless of whats in the middle whether it is ETX or 3 rd party (even MPLS core) MACSec is ideal for Substation Communications (including Teleprotection) IPSec is perfect for DA and AMI Backhauling SAN for Power Utilities Presentation Slide35 MacSec Encrypted Tunnels Data encryption according to IEEE Std 802.1AE-2006 NERC-CIP Directive and 802.1AEbn-2011 (256-bit) Hop by Hop and End to End support between any 2 Megaplex regardless of core Encryption can also be provided with IPSec (SecFlow or VF) or PacketLight For each Electronic Security Perimeter, provide the following evidence: Megaplex-4100 Documentation of the configuration of Interactive Remote Access for
this ESP. This documentation should describe how encryption is MACSEC Tunnel employed for the Interactive Remote Access session, and the ETX-5 termination points of that encryption. G.8032 1 GbE Ring G.8032 1 GbE Ring G.8032 10 GbE Ring E1/T1 RS-322 TP MACSEC Tunnel ETX-5 E1/T1 RS-422 RS-232 E1/T1 RS-422 Megaplex-4100
ETX-5 Megaplex-4100 TP RADIUS Server SAN for Power Utilities Presentation Slide36 Cyber Assets in a HV Substation (BES Cyber System) Layers of Cyber-Defense Required to Protect Cyber Assets IEC 61850 DNP 3.0 over IP IEC 60870-5-104 Net Access Control A&B RS-232 Transformer Protection Overcurrent Protection Distance Protection Substation
RTU control (DI/DO/AI/AO) Loading and Power Quality IP/MPLS or CE 2.0 RADview MODBUS Over RS-485 NMS MacSec, IPSec Tunneling PM SM SysLog, SEIM Net Access Control 37 SAN for Power Utilities Presentation Slide37 Summary NERC CIP requires Utilities to define BROS, BCAs, ESPs, etc Distributed Firewalls in all Electronically Secured Perimeters (ESP) Encryption is important especially for leased service and private IP/MPLS
backhaul Log everything The trend is rapidly sweeping the world as state-sponsored attacks have become more common and in the news Cyber-Secure Substation Multiservice Operational Network SAN for Power Utilities Presentation Slide38 Key Takeaways Complete Service Assured Networking Solutions Any application, deployment mode and access Addressing pain-points: reliability, migration, security, operation cost State-of-the-art: virtualization, cyber security Multi-access: Fiber, DSL, TDM, wireless Profound understanding of customer needs Over 30 years of ongoing teamwork with customers and partners Global presence and local support Fine-tuned to be Your Networks Edge SAN for Power Utilities Presentation Slide39 Thank You For Your Attention Your Networks Edge
www.rad.com Dave Dave Thomas, Thomas, LOB LOB Manager, Manager, Critical Critical Infrastructure Infrastructure [email protected][email protected] SAN for Power Utilities Presentation Slide40
Comprehensive Environmental Response, Compensation, and Liability Act Aka: CERLA or Superfund. 1980. Provides a Federal "Superfund" to clean up uncontrolled or abandoned hazardous-waste sites as well as accidents, spills, Gives EPA power to find parties responsible and assure their cooperation...
Windows Mobile 2003 and PocketPC. Comwar. Overview: History. Cabir - worm, bluetooth, proof of concept that had source published and copied. The root of many families for symbian. Nokia N-Gage. ComWar - first to spread via MMS, expensive virus for...
Add 4 cups of ice and 4 tbls of salt to a gallon-sized bag. Take temperature of ice cream mixture and place ice cream mixture into gallon-sized bag and zip. Start timer. After five minutes check the temperature of the...
… allergies resulting from plaintiff's use of Mr. B in the enclosed EOC space, in this context, impose an undue hardship on other employees who use the space, and on defendant because it would be prohibitively expensive to build a...
Literally, we are evaluating the module, as if we'd typed them into our file. Python's Standard Library Python has an extensive library of modules that come with it. The Python standard library includes modules that allow us to access the...
RCC or FCC- Accuplacer will be administered at RHS. CSU or UC - SAT and ACT exams must be taken by December 2016. ... UNX, UNV, TRU, UIS. 90% attendance to walk at graduation. Walking is a privilege. If you...
Geoff Salmon Monia Ghobadi Yashar Ganjali Martin Labrecque Gregory Steffan ECE Dept. CS Dept. University of Toronto Real-Life Customers Hardware: NetFPGA board, 4 GigE ports, Virtex 2 Pro FPGA Collaboration with CS researchers Interested in performing network experiments Not in...
The After Testing column will be available closer to the start of the Fall EOC test window. Most tasks will only require two clicks to access. Users will expand the main task menu on the home page and then select...
Ready to download the document? Go ahead and hit continue!