SecFlow2013 Slide1
SecFlow Overview
SecFlow2013 Slide2
U&T Target Market Segments
Utilities
Power
Water
Oil & Gas
Mining
Transportation
Railways
Motorways
Air Traffic Control
Maritime
SecFlow2013 Slide3
Power Utilities Trends
Power utility communication needs are evolving:
• Migration to packet in various parts of the network:
– Replacement of the SDH/PDH core with Ethernet/IP/MPLS
– Replacement of old substation technology with IEC 61850 based solutions, which consist of an Ethernet LAN and packet signalling
– Migration of old SCADA RTUs from serial to IP
• Smart Grid – implementation of demand response techniques for improved automation and control of the distribution grid, and deployment of smart meters
• Growing need for cyber and physical security solutions
SecFlow2013 Slide4
Challenges Of Power Utilities Communication Networks
• Evolution in the substation
– Migration to a PSN in the substation while supporting multiple services
– Teleprotection connectivity over SDH and PSN
– Substation automation and cyber security
• Smart Grid – secured backhaul solutions for smart meters
• Growth in bandwidth
– Transitioning the operational network to a PSN while maintaining reliability, security and simplicity
– Clock synchronization over the PSN
• Product obsolescence – old RTUs and substation communication PDH/SDH multiplexers are out of production and service, yet the legacy equipment and installed base must still be maintained
SecFlow2013 Slide5
Industrial Control Systems
• Industrial control systems are used to monitor and remotely control critical industrial processes:
– SCADA systems
– Distributed Control Systems (DCS)
– Programmable Logic Controllers (PLC)
• Highly distributed
• Geographically separated assets
• Centralized data acquisition and control are critical for:
– Oil and gas pipelines
– Electrical power grids
– Railway transportation systems
SecFlow2013 Slide6
SCADA System
• Supervisory Control And Data Acquisition (SCADA) – an industrial measurement and control system. SCADA elements are:
– Central device
• Central Master Station – supervisory system, gathering data on the process and sending action commands
– Remote devices
• Programmable Logic Controller (PLC) and Remote Terminal Unit (RTU) – connect to sensors in the process, convert sensor signals to digital data and send the digital data to the supervisory system
• Intelligent Electronic Devices (IED) – microprocessor-based controllers which monitor and perform protective functions; designed to support substation automation functions
SecFlow2013 Slide7
Supervisory Control and Data Acquisition (SCADA), System Overview
Source: http://en.wikipedia.org/wiki/File:DNP-overview.png
• RTUs
• PLCs
• IEDs
SCADA communication protocols:
• Modbus
• DNP3
• IEC101, IEC104
SecFlow2013 Slide8
IEC 61850
• International standard for substation automation systems, developed to create an open communication environment
• IEC 61850 provides interconnection of substation devices over a high-speed Ethernet network
• IEC 61850 comprises 10 separate parts, IEC 61850-1 through IEC 61850-10
• IEC 61850-3 specifies general requirements for the hardware design, which must meet, among others:
– Electromagnetic Interference (EMI) immunity – strong electromagnetic compatibility (EMC) design to protect against EMI
– Operating temperature -40°C to 75°C – substation environments can experience temperatures as high as 75°C and as low as -40°C
SecFlow2013 Slide9
SecFlow Portfolio Overview
• SecFlow – Ruggedized SCADA-Aware Ethernet Switch, consisting of two product families:
– SecFlow-2 – Ruggedized SCADA-Aware Ethernet Switch/Router
– SecFlow-4 – Modular Ruggedized SCADA-Aware Ethernet Switch/Router
SecFlow2013 Slide10
SecFlow Main Features
Industrial Design
• Harsh environments
• DIN-rail mount
• IP30
• -40°C to +75°C without fans
• EMI immunity
• IEC 61850-3, IEEE 1613, EN 50121-4
Multiservice Gateway
• Utilizes both Ethernet ports and serial interfaces
• Serial tunneling or service translation
• IEC101 to IEC104
Integrated Security
• L2/3/4 ACL
• MAC/IP filtering per port
• SCADA-aware firewall
• L2/L3 VPN with IPsec
• 802.1X
• RADIUS/TACACS
Resiliency
• Ethernet rings per ITU-T G.8032
• RSTP, MSTP
• Cellular 2G/3G modem uplink for maximum service continuation
SecFlow2013 Slide11
SecFlow-2 Access and Network Interfaces
Front-panel labels (from the diagram): USB; DI/DO; power; console; FE ports 0/1-8 with optional PoE; RS-232 ports 1-4; SIM card slots 1 and 2 for the dual GPRS/UMTS modem; SFP ports GbE1 and GbE2.
SecFlow2013 Slide12
SecFlow-4 Access and Network Interfaces
Chassis labels (from the diagram): dual power supplies, 7 I/O slots, service and MNG module.
SecFlow2013 Slide13
SecFlow-4 Modules
Module Description
SF4-M-4GBE Gigabit Ethernet module with four UTP or four SFP ports
SF4-M-Serial Serial interface module with four RS-232 ports
SF4-M-Service Service module with firewall, serial tunneling, VPN functionalities and discrete input/output interfaces
SF4-M-MNG Central processing and management module with local terminal and out-of-band management ports
SF4-PS-24VDC Power supply module for 24 VDC input
SF4-PS-48VDC Power supply module for 48 VDC input
SecFlow2013 Slide14
SecFlow-2/4 v3.1Main Features
Features Description Customer Benefits
SecFlow-2 Interfaces
Ethernet interfaces
• 2×100/1000BaseFX
• Up to 16×10/100BaseT
Benefit: resilient redundant networking over various WAN infrastructures
Serial interfaces
• Up to 4×RS-232
Benefit: multiservice support in a compact single device
Cellular interface
• Dual-SIM GPRS/UMTS cellular modem
Benefit: uses the cellular network for the main link
Benefit: improves link resiliency and service continuity using cellular backup links
SecFlow-4 Interfaces
Ethernet module SF4-M-4GbE
• 4×100/1000BaseT, optional PoE
• 4×100/1000BaseFX
Benefit: 4 GbE interfaces per module, for a maximum of 28 GbE ports per chassis for multiple Ethernet connections
Serial module SF4-M-Serial
• 4×RS-232
Benefit: 4 serial interfaces for legacy connectivity, up to 28 serial ports per chassis
Benefit: the serial module combined with the Ethernet module provides multiservice support for various applications
Central processing module SF4-M-MNG
• Central processing and management module with local terminal and out-of-band management ports
Benefit: supplied with the SecFlow-4 chassis, providing the Layer-2 functionality
Service module SF4-M-Service (optional)
• Service module with firewall, serial tunneling, VPN functionalities and discrete input/output interfaces (hardware-ready only)
Benefit: security, routing and gateway functionalities
SecFlow2013 Slide15
SecFlow-2/4 v3.1Main Features
Features Description Customer Benefits
Protocol Gateway
• IEC-101 to IEC-104 conversion
Benefit: enables seamless communication from the IP SCADA to both legacy and new RTUs, with a single box for multiservice applications and a smooth migration to all-IP networks
SCADA-Aware Firewall
• SCADA-aware firewall monitors SCADA commands using deep packet inspection to validate the intended application purpose
• Supported SCADA protocols: IEC-104, Modbus and DNP 3.0
• Syslog support for the IEC 104 firewall
Benefit: provides distributed network security from the substation, admitting only authorized traffic according to user-defined access rules
VPN Gateway with IPsec
• Layer 2 GRE VPN
• Layer 3 multipoint GRE Dynamic Multipoint VPN (DMVPN)
• Layer 3 IPsec VPN
• IPsec encryption with 3DES or AES (3DES is retained for legacy peers; prefer AES)
• X.509 certificates, SHA-256 and SHA-512 for IKE Phase 1/Phase 2, and AES-256 support
Benefit: secured interconnection of remote sites over public networks, using Layer-2 or Layer-3 VPN with encryption
Benefit: supports large-scale networks
QoS
• Port rate limit
• Ingress policing
• Strict priority
• Weighted Round Robin (WRR)
• Egress traffic shaping
Benefit: separation of higher- and lower-priority traffic into 8 queues, so that mission-critical applications are served first
SecFlow2013 Slide16
SecFlow-2/4 v3.1Main Features
Features Description Customer Benefits
Ethernet OAM
• Single-segment (link) OAM per IEEE 802.3-2005 (formerly 802.3ah)
• End-to-end connectivity OAM per IEEE 802
• End-to-end service and performance monitoring per ITU-T Y.1731
Benefit: guaranteed SLA (Service Level Agreement) for contracted services
Benefit: standard Ethernet OAM for easy interoperability with third-party equipment
Benefit: monitors network faults, performs measurements and gathers statistics
Jumbo Frames
• SecFlow-2 supports 9 KB jumbo frames
• SecFlow-4 supports 12 KB jumbo frames
Benefit: improves efficiency and increases performance in GbE networks
Ethernet Ring Protection
• Ethernet ring protection switching per ITU-T G.8032v2
• RSTP (Rapid Spanning Tree Protocol) per IEEE 802.1D and MSTP (Multiple Spanning Tree Protocol) per IEEE 802.1Q
Benefit: link resiliency for high survivability and service continuity
Benefit: 50 ms failure detection and switchover to the alternate link without service interruption
Link Aggregation
• Link aggregation per 802.3ad with configurable LACP
• Up to 8 LAGs
• Up to 8 ports in LAG
• Provides increased bandwidth and high availability links
• LACP ensures smooth and steady traffic flow by automating the configuration and maintenance of aggregated links
Terminal Server and Serial Tunneling
• Embedded terminal server
• Transparent serial tunneling • Connects multiple devices with serial interfaces over IP
• Provides point-to-point or point-to-multipoint transparent serial tunneling
PoE • Configurable PoE (enable/disable and force mode)
• 30W max per port
• Max 120W per device for 48 VDC power supply or 220 VAC
• Max 80W per device for 24V DC power supply
• Easily feeds third party equipment or peripheral devices such as IP cameras, using power over Ethernet
• SecFlow-2/4 can feed RAD’s Airmux outdoor device eliminating the need for an Airmux indoor unit
SecFlow2013 Slide17
SecFlow-2/4 v3.1Main Features
Features Description Customer Benefits
Access Control List
• Access control lists according to Layer-2, -3 and -4 criteria
• Enhanced ACL mechanism to filter user traffic according to a variety of traffic criteria
Benefit: better security and control over authorized traffic
Network Management
• SNMP v1, v2, v3 (v3 only on SecFlow-2; v1/v2 authenticate only by a community string sent in clear text, so use v3 wherever the platform allows it)
• RADview
• SecFlow Network Manager
• SSH v2.0
• CLI
• RADIUS, TACACS
• TFTP client
• Syslog, SNTP
Benefit: SecFlow-2 can be managed by a variety of management tools including CLI, web interface and the RADview SNMP-based management system
Benefit: SecFlow-2 can also be managed by SecFlow Network Manager, integrated in the RADview EMS server, to provide an end-to-end management system
Switching
• Auto-crossing (auto MDI/MDI-X)
• Autonegotiation per IEEE 802.3
• Port-based Network Access Control (PNAC) per IEEE 802.1X
• MAC list
• VLAN segregation and tagging per IEEE 802.1Q, 4K VLANs
• Multicast groups
• IGMP snooping v1, v2, v3
• MAC limiting per port
• LLDP, DHCP client, DHCP relay, option 82
Benefit: set of Layer-2 features for traffic management and security
SecFlow2013 Slide18
SecFlow-2/4 Main Features
Features Description Customer Benefits
Timing
• Local time settings
• NTP v2
• PTP transparent clock per IEEE 1588v2
Benefit: flexible clock distribution and network synchronization based on different clock sources
Routing
• IPv4
• Static routing
• OSPF v2, v3
• RIPv2
Benefit: a single-box solution that provides both Layer-2 features and Layer-3 routing capabilities
Diagnostics
• Counters and statistics per port
• LED diagnostics: main switching units (Alarm | Run | Ethernet)
• LED diagnostics: application interfaces (Cellular | Serial)
• Ping
• Traceroute
• Port mirroring
• RMON v1
Benefit: extensive diagnostic tools to assist operators in fault monitoring
SecFlow2013 Slide19
Legacy Migration
• Integrated serial interfaces in the switches with 3 operational modes:
– Tunneling between serial segments
• Byte / bit-stream
• Multipoint support
• Service-aware security for serial tunnels
– Gateway connecting serial devices to matching Ethernet devices
• Currently supports IEC-101 to IEC-104
– Terminal server connecting a computer to serial devices
Diagram (labels only): SecFlow 2 units joined by Ethernet links, carrying a serial tunnel and a gateway service between RS-232/RS-485 links.
SecFlow2013 Slide20
Protocol Gateway
IEC-101 to IEC-104 conversion using protocol gateway functionality
Diagram (labels only): Central Site – SCADA (IEC 104 over IP), Serial Master 1 and Serial Master 2 over RS-232 with SSH to the terminal server, a SecFlow 4 and the LAN; PSN in the middle; Remote Site A – SecFlow 2 with an IEC 101 RTU on RS-232 (IEC 104 on the network side); Remote Site B – SecFlow 2 with RS-232 console and a virtual COM port.
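The 101-to-104 conversion described on slides 15, 19 and 20 comes down to re-framing: strip the FT1.2 serial link frame, widen the ASDU's cause-of-transmission, common-address and information-object-address fields to the sizes IEC 104 fixes, and wrap the result in a 104 APCI carrying send/receive sequence numbers. The Python below is an added illustration of that step, not RAD's gateway code; the 101 field sizes and link-address size are assumed to match the RTU's link configuration, and the sample frame is constructed for the example.

```python
"""IEC 60870-5-101 (serial, FT1.2 framing) to IEC 60870-5-104 (TCP) re-framing.

Added example; this is not RAD's gateway code. Frame and ASDU layouts follow
IEC 60870-5-101/-104. The 101 field sizes (COT, common address, IOA) and the
link-address size are link-configurable, so they are parameters here and are
assumed to match the attached RTU (defaults: 1, 1, 2 bytes and 1 byte).
"""
import struct

# Element (information object payload) sizes for the ASDU types handled here.
# Anything else is rejected rather than forwarded blindly.
ELEMENT_LEN = {
    1: 1,    # M_SP_NA_1  single-point information (SIQ)
    9: 3,    # M_ME_NA_1  normalized measured value + QDS
    13: 5,   # M_ME_NF_1  short float measured value + QDS
    45: 1,   # C_SC_NA_1  single command (SCO)
    46: 1,   # C_DC_NA_1  double command (DCO)
    100: 1,  # C_IC_NA_1  interrogation command (QOI)
}
MAX_APDU_LEN = 253  # IEC 104 limit for the APDU length byte


def parse_ft12_frame(frame, link_addr_len=1):
    """Validate a variable-length FT1.2 frame (68 L L 68 C A.. ASDU CS 16) and
    return (link control, link address, ASDU). Raises ValueError on any
    inconsistency so a corrupted or crafted serial stream is dropped."""
    if len(frame) < 6 + link_addr_len or frame[0] != 0x68 or frame[3] != 0x68:
        raise ValueError("not a variable-length FT1.2 frame")
    length = frame[1]
    if frame[2] != length or len(frame) != length + 6 or frame[-1] != 0x16:
        raise ValueError("length fields inconsistent")
    user = frame[4:4 + length]
    if sum(user) & 0xFF != frame[-2]:
        raise ValueError("checksum error")
    control = user[0]
    link_addr = int.from_bytes(user[1:1 + link_addr_len], "little")
    return control, link_addr, bytes(user[1 + link_addr_len:])


def build_ft12_frame(control, link_addr, asdu, link_addr_len=1):
    """Inverse of parse_ft12_frame; used here only to construct sample input."""
    user = bytes([control]) + link_addr.to_bytes(link_addr_len, "little") + asdu
    return bytes([0x68, len(user), len(user), 0x68]) + user + bytes([sum(user) & 0xFF, 0x16])


def widen(field, new_len):
    """Re-encode a little-endian unsigned field at the IEC 104 width."""
    return int.from_bytes(field, "little").to_bytes(new_len, "little")


def asdu_101_to_104(asdu, cot_len=1, ca_len=1, ioa_len=2):
    """Rewrite a 101 ASDU to the fixed 104 layout: COT 2 bytes, common
    address 2 bytes, IOA 3 bytes. Element payloads are copied unchanged."""
    if len(asdu) < 2 + cot_len + ca_len:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    if type_id not in ELEMENT_LEN:
        raise ValueError(f"unsupported ASDU type {type_id}")
    count, sequence = vsq & 0x7F, bool(vsq & 0x80)
    pos = 2
    out = bytes([type_id, vsq])
    out += widen(asdu[pos:pos + cot_len], 2); pos += cot_len
    out += widen(asdu[pos:pos + ca_len], 2); pos += ca_len
    elen = ELEMENT_LEN[type_id]
    # SQ=1: one IOA followed by `count` contiguous elements; SQ=0: an IOA per element.
    groups = [count] if sequence else [1] * count
    for elems in groups:
        if pos + ioa_len + elems * elen > len(asdu):
            raise ValueError("ASDU body truncated")
        out += widen(asdu[pos:pos + ioa_len], 3); pos += ioa_len
        out += asdu[pos:pos + elems * elen]; pos += elems * elen
    if pos != len(asdu):
        raise ValueError("trailing bytes after ASDU")
    return out


def build_104_iframe(asdu104, send_seq, recv_seq):
    """Wrap a 104 ASDU in an I-format APCI (start 0x68, length, N(S), N(R))."""
    if 4 + len(asdu104) > MAX_APDU_LEN:
        raise ValueError("APDU exceeds the IEC 104 maximum of 253 bytes")
    apci = struct.pack("<BBHH", 0x68, 4 + len(asdu104),
                       (send_seq & 0x7FFF) << 1, (recv_seq & 0x7FFF) << 1)
    return apci + asdu104


def gateway_101_to_104(frame101, send_seq, recv_seq, **field_sizes):
    """RTU-to-master direction of the gateway: validate the serial frame,
    rewrite the ASDU, emit a 104 I-frame ready for the TCP session."""
    _control, _addr, asdu = parse_ft12_frame(frame101)
    return build_104_iframe(asdu_101_to_104(asdu, **field_sizes), send_seq, recv_seq)


# Constructed sample: RTU at link address 1 reports two single-point values
# (type 1, COT 3 = spontaneous, common address 7, IOAs 1 and 2) in 101 format.
SAMPLE_ASDU_101 = bytes([1, 2, 3, 7, 0x01, 0x00, 0x01, 0x02, 0x00, 0x00])
SAMPLE_FRAME_101 = build_ft12_frame(0x08, 1, SAMPLE_ASDU_101)

if __name__ == "__main__":
    print("101 frame:", SAMPLE_FRAME_101.hex())
    print("104 APDU :", gateway_101_to_104(SAMPLE_FRAME_101, 5, 3).hex())
```

The length and checksum checks are where a corrupt or crafted serial stream is dropped instead of being forwarded, and the type-ID table makes the gateway refuse ASDUs it cannot size rather than guessing. A gateway that also hosts the SCADA-aware firewall inspects the rewritten ASDU before it enters the IP network, which is what slide 22 shows on the IEC 101 side.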
SecFlow2013 Slide21
Cyber Security Threats to Utilities
Distributed SCADA IPS deployment
– Role-based validation of SCADA commands
– Deployment at each end-point
– Used for both IP and serial devices
Attack vectors
• Control-center malware
• Field-site breach
• Man-in-the-middle
• Remote maintenance
Security measures
• Service-aware firewall
• Distributed firewalls
• Encryption
• Secure remote access
SecFlow2013 Slide22
Distributed Firewall
SCADA-aware firewall for Modbus and IEC 101/104
Diagram (labels only): Central Site – SCADA (IEC 104 over IP), 104 client, Modbus client, NMS and SSH access to the terminal server through a SecFlow 4 onto the PSN; Remote Site A – SecFlow 2 in front of Modbus RTUs with unit IDs 11, 12 and 13; Remote Site B – SecFlow 2 in front of IEC 101 RTUs (ASDU1, ASDU2, ASDU3 on the IEC 101 side).
SecFlow2013 Slide23
Security Features
• 802.1X – IEEE standard for port-based Network Access Control (PNAC): authenticates attached devices before they are allowed onto the network, which also limits DoS from unauthorized devices on a port
• Access Control List – traffic filtering according to Layer 2/3/4 criteria
• RADIUS and TACACS+ based centralized user authentication and authorization
• L2/L3 VPN using IPsec encryption – user policy for traffic type, IKE, AES or 3DES encryption, dynamic keying
• Secure terminal access using SSH in place of Telnet
• SCADA firewall per port (Modbus, IEC-104, DNP3.0)
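The SCADA-aware firewall on slides 15, 21, 22 and 23 is described as deep packet inspection with role-based validation of commands. The Python below is an added example of that logic for IEC 104, not RAD's implementation: it parses the APCI and ASDU header, maps the source address to a role, and only lets control ASDUs through when they come from a master role, carry the activation cause of transmission, and target an information object configured as controllable. The roles, addresses, controllable IOAs, sample traffic and syslog line format are all constructed for the illustration.

```python
"""Role-based validation of IEC 60870-5-104 traffic, as a SCADA-aware firewall
would apply it at a substation edge.

Added example; it is not RAD's firewall. The APCI/ASDU layout is IEC 104;
the roles, addresses, controllable IOAs and log format are constructed for the
illustration.
"""
import struct

# ASDU type identifications used in the policy (IEC 60870-5-101 type IDs).
M_SP_NA_1, M_ME_NF_1 = 1, 13          # monitoring: single point, short float
C_SC_NA_1, C_DC_NA_1 = 45, 46         # control: single / double command
C_IC_NA_1, C_RD_NA_1 = 100, 102       # interrogation, read

MONITOR_TYPES = {M_SP_NA_1, M_ME_NF_1}
READ_TYPES = {C_IC_NA_1, C_RD_NA_1}
CONTROL_TYPES = {C_SC_NA_1, C_DC_NA_1}

COT_ACT = 6                   # activation: a command being issued
COT_ECHO = {7, 10}            # actcon / actterm: the RTU mirroring a command back

# Constructed policy: ASDU types a role may originate.
ROLE_TYPES = {
    "scada-master": READ_TYPES | CONTROL_TYPES,
    "hmi-viewer": READ_TYPES,
    "rtu": MONITOR_TYPES,
}
# Constructed address-to-role table; anything not listed is denied.
ROLES = {"10.1.1.10": "scada-master", "10.1.1.20": "hmi-viewer", "10.2.5.2": "rtu"}
# Constructed write allowlist: common address -> IOAs that may receive commands.
CONTROLLABLE_IOA = {7: {1001, 1002}}


def parse_apdu(apdu):
    """Return (frame format, ASDU header dict or None). Raises ValueError on
    anything that does not match the IEC 104 layout."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2 or apdu[1] > 253:
        raise ValueError("malformed APCI")
    ctrl1 = apdu[2]
    fmt = "I" if ctrl1 & 1 == 0 else ("S" if ctrl1 & 3 == 1 else "U")
    if fmt != "I":
        return fmt, None
    if len(apdu) < 16:  # 6 APCI + 6 ASDU header + 3 IOA + 1 element
        raise ValueError("truncated ASDU")
    type_id, vsq = apdu[6], apdu[7]
    cot = apdu[8] & 0x3F                   # bits 6/7 are the P/N and test flags
    ca = struct.unpack_from("<H", apdu, 10)[0]
    ioa = int.from_bytes(apdu[12:15], "little")
    return fmt, {"type_id": type_id, "count": vsq & 0x7F, "cot": cot,
                 "test": bool(apdu[8] & 0x80), "ca": ca, "ioa": ioa}


def evaluate(src_ip, apdu, roles=ROLES):
    """Decide ALLOW or DENY for one APDU from src_ip; returns (verdict, reason)."""
    role = roles.get(src_ip)
    if role is None:
        return "DENY", "source not in role table"
    fmt, hdr = parse_apdu(apdu)
    if fmt != "I":
        return "ALLOW", f"{fmt}-format frame carries no ASDU"
    t = hdr["type_id"]
    if role == "rtu" and t in READ_TYPES | CONTROL_TYPES and hdr["cot"] in COT_ECHO:
        return "ALLOW", f"RTU confirmation of type {t} (COT {hdr['cot']})"
    if t not in ROLE_TYPES[role]:
        return "DENY", f"type {t} not permitted for role {role}"
    if t in CONTROL_TYPES:
        if hdr["cot"] != COT_ACT:
            return "DENY", f"command with COT {hdr['cot']} instead of activation"
        if hdr["ioa"] not in CONTROLLABLE_IOA.get(hdr["ca"], set()):
            return "DENY", f"IOA {hdr['ioa']} on CA {hdr['ca']} is not controllable"
    return "ALLOW", f"type {t} permitted for role {role}"


def audit(packets):
    """Run the policy over (src_ip, apdu) pairs and return syslog-style lines,
    in the spirit of the 'syslog support for the IEC 104 firewall' feature."""
    lines = []
    for src_ip, apdu in packets:
        verdict, reason = evaluate(src_ip, apdu)
        lines.append(f"secflow-fw[iec104]: {verdict} src={src_ip} {reason}")
    return lines


def iframe(type_id, cot, ca, ioa, element, send_seq=0, recv_seq=0):
    """Build a single-object I-frame APDU (used to construct sample traffic)."""
    asdu = bytes([type_id, 1]) + struct.pack("<HH", cot, ca) + ioa.to_bytes(3, "little") + element
    return struct.pack("<BBHH", 0x68, 4 + len(asdu), send_seq << 1, recv_seq << 1) + asdu


# Constructed traffic sample as seen at the substation edge.
SAMPLE_TRAFFIC = [
    ("10.1.1.10", iframe(C_IC_NA_1, COT_ACT, 7, 0, b"\x14")),      # master: interrogation
    ("10.1.1.10", iframe(C_SC_NA_1, COT_ACT, 7, 1001, b"\x01")),   # master: breaker close
    ("10.1.1.10", iframe(C_SC_NA_1, COT_ACT, 7, 2000, b"\x01")),   # master: IOA not controllable
    ("10.1.1.20", iframe(C_SC_NA_1, COT_ACT, 7, 1001, b"\x01")),   # viewer tries a command
    ("10.9.9.9",  iframe(C_IC_NA_1, COT_ACT, 7, 0, b"\x14")),      # unknown host
    ("10.2.5.2",  iframe(M_SP_NA_1, 3, 7, 1001, b"\x01")),         # RTU: spontaneous status
    ("10.2.5.2",  iframe(C_SC_NA_1, 7, 7, 1001, b"\x01")),         # RTU: command confirmation
    ("10.2.5.2",  iframe(C_SC_NA_1, COT_ACT, 7, 1001, b"\x01")),   # RTU originating a command
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_TRAFFIC)))
```

Running it prints one syslog-style line per APDU. A production implementation would also track the TCP session and direction so that an RTU's confirmations are matched to a command actually sent, and would apply the same per-role tables to the Modbus and DNP3 variants the slides list.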
SecFlow2013 Slide24
Integrated Defense-in-Depth Tool-Set
• Advanced security measures integrated in the switch using a dedicated service-engine
• Enable easy deployment of an extensive defense-in-depth solution
SecFlow2013 Slide25
Multi-Service Transport
• Utility networks do not have 100% fiber connectivity
• SecFlow switches support alternative transport infrastructures:
– GPRS/UMTS – cellular coverage with 2 operators
– Radio links using RAD's Airmux wireless solution
– SHDSL – private copper lines*
• Used together with the integrated security mechanisms
Diagram (labels only): an Ethernet ring over mixed media – fiber, SHDSL, private Ethernet networks and the Internet – between SecFlow 2 units.
*roadmap
SecFlow2013 Slide26
Resilient Cellular Connection to Remote Sites
• GPRS/UMTS support
• Link resiliency using 2 SIM cards with continuous checking of operator link quality
• Multiple remote spokes connecting to the hub over encrypted IPsec tunnels
– NHRP used for dynamic resolution of the IP addresses assigned to cellular spokes
– L2 VPN using transparent GRE tunnels over IPsec
– L3 VPN using DMVPN
Diagram (labels only): remote LAN; WAN over fiber optic or cellular.
SecFlow2013 Slide27
Applications
SecFlow2013 Slide28
Smart-Grid Distribution Network
• Modern secondary sub-station requiring:
– Encrypted tunnels when using a public network
– Firewall for uplink protocols (IEC 104, IEC 61850, Modbus)
– Gateway for serial IEDs
• The SecFlow switch integrates all the functions
“New intelligent MV-LV* transformation centres with metering, power monitoring and capacity automation”
Diagram (labels only): secondary sub-station with RTU, power monitoring, meter concentrator and smart meters behind a SecFlow 2; cellular antenna to the network of secondary sub-stations, the automation control center and the metering data center.
*Medium Voltage/Low Voltage
SecFlow2013 Slide29
Migration to IP-based SCADA at Sub-stations
• Connectivity of sub-station devices to the new IP-based SCADA:
– Per-site firewall for industrial automation protocols
– Secure terminal server for maintenance sessions
– Encrypted tunnels when using wireless links
– Serial-to-Ethernet protocol gateway
Diagram (labels only): control center with IP SCADA and LAN management; sub-stations on a ring, each with an RS-232 IEC-101 RTU and Ethernet IEDs.
SecFlow2013 Slide30
Connecting the Sub-station LANs – Current Status
Network limitations
• SCADA direct access to sub-station IEDs
• Field technician access to:
– Other sub-stations
– Central storage
– Facility RTU
• Remote technician access to RTUs and IEDs in all sub-stations
• Data sharing between sub-stations
Need a unified sub-station LAN with secure inter-site connectivity
Diagram (labels only): control center with SCADA storage over an SDH/packet network; sub-station with IEDs, sub-station RTU and facility RTU; field technician on site and remote technician via the Internet.
SecFlow2013 Slide31
Connecting the Sub-station LANs – Future Evolution
Use a secure switch (SecFlow 4) connecting the LAN devices to the backbone:
• Network segmentation using VLANs/subnets
• App-aware firewall per device
• Secure remote access
• Serial-to-Ethernet protocol gateway
Diagram (labels only): control center with SCADA storage over an SDH/packet network; a sub-station SecFlow 4 fronting the IEDs, sub-station RTU and facility RTU; field technician on site and remote technician via the Internet.
SecFlow2013 Slide32
Metro Subway Control Network
• Metro subway control applications require communication with smart devices in each station:
– Ethernet access switches connected to an IP/MPLS backbone, using VLANs as service IDs
– Mixture of Ethernet, serial and discrete devices with secure access using a distributed Modbus firewall
– Secure mobile access from trains to the control center using distributed device authentication methods
Diagram (labels only): IP/MPLS backbone, control center, metering data center, station RTU and IED.
SecFlow switches build a secure subway network
SecFlow2013 Slide33
Smart/Safe City End Points Communication
• Compact industrial switch for Smart/Safe-city cabinets:
– Ethernet with PoE
– Serial and discrete I/O ports for simple automation devices
– Diverse means of communication:
• Integrated dual-SIM cellular modem
• Fiber optic with protected ring support (G.8032)
• SHDSL*
– Integrated security mechanisms:
• IPsec VPN
• SCADA firewall
Diagram (labels only): SecFlow 2 in a cabinet with P2P and P2MP radio, fiber, dual 2G/3G communications, WiFi*, tamper switch, RS-232, Ethernet with PoE, Ethernet, dry contact and display board, uplinked to the PSN.
*roadmap
SecFlow2013 Slide34
Case Study of a Highway Security Infrastructure – Italy Autostrada
Diagram (labels only): central site with IEEE 1588 clock; 12 Ethernet rings (Ring 1 to Ring 12); each remote site carries traffic control, security cameras, Tetra base stations and message boards over PoE and RS-232/485, with QoS and 1588 clock synchronization.
SecFlow2013 Slide35
Ordering Options SecFlow-2
• Two ordering options:
– Advanced mode – SecFlow-2 is provided with security features, routing, switching and gateway functionalities.
– Basic mode – SecFlow-2 is provided with switching and gateway functionality only; limited ordering options, and it cannot be upgraded to advanced mode.
Mode PN Description
Basic
SF2/B/AC/2GE8UTP/PoE AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports
SF2/B/48VDC/2GE8UTP/PoE 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports
Advanced
SF2/S/48VDC/2GE8UTP 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT UTP ports
SF2/S/AC/2GE8UTP/PoE AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports
SF2/S/AC/2GE8UTP/PoE4AM AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 4 UTP ports for Airmux products
SF2/S/48VDC/2GE16UTP 48 VDC power supply, 2×GbE SFP ports, 16×10/100BaseT UTP ports
SF2/S/48VDC/2GE8UTP8SFP 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT UTP ports, 8 ×100 FX SFP
SecFlow2013 Slide36
Ordering Options SecFlow-4
PN Description
Chassis
SF4/48VDCR SecFlow-4 chassis, central processing and management module, dual 48 VDC power Supply
SF4/24VDCR SecFlow-4 chassis, central processing and management module, dual 24 VDC power Supply
Modules
SF4-M-4GBE-U SecFlow-4 module with four 10/100/1000BaseT UTP Ethernet ports
SF4-M-4GBE-POE SecFlow-4 module with four 10/100/1000BaseT UTP Ethernet ports and 30W PoE
SF4-M-4GBE-S SecFlow-4 module with four 10/100/1000BaseFX SFP Ethernet ports
SF4-M-4RS232 SecFlow-4 module with four RS-232 serial ports
SF4-PS-24VDC 24 VDC power supply
SF4-PS-48VDC 48 VDC power supply
SecFlow2013 Slide37
Management
BROAD PERSPECTIVE. DIRECT CONTROL.
RADview-EMS is a unified carrier-class management platform for RAD devices, reachable over a variety of access channels: SNMPv1/v3, HTTP/S, TFTP and Telnet/SSH (of these, only SNMPv3, HTTPS and SSH authenticate and encrypt the session). In addition, it features third-party device monitoring capabilities.
SecFlow2013 Slide38
Management, Benefits & Features
Benefits
● Turnkey system including hardware and software
● Fully compliant with TMN standards
● Client/server architecture with multi-user support
● Interoperable with third-party NMS and leading OSS systems
● IBM Tivoli’s Netcool®/OMNIbus™ plug-in
● Minimizes integration costs associated with new NEs
Key features
● Ensures device health and congestion control
● Topology maps and network inventory
● Advanced FCAPS functionality
● Software & configuration management
● Business continuity – high availability and disaster recovery
● Handover between operators
SecFlow2013 Slide39
RADview-EMS advanced FCAPS
Fault management
• Detects and isolates faults in network devices, initiates remedial actions and distributes alarm messages to other management entities in the network.
Configuration management
• Enables operators to configure, install and distribute software to all devices across the network. In addition, the system tracks version changes and maintains a software configuration history.
Accounting management
• Manages individual and group user accounts and passwords, generating network usage reports to monitor user activities.
Performance management
• Supports real-time monitoring of QoS and CoS, producing real-time and periodic statistics. The statistics collector compresses data to minimize bandwidth use for management traffic and exports CSV files to OSS or third-party management systems.
Security management
• Allows network administrators to track user activities and control access to network resources with a choice of security features.
SecFlow2013 Slide40
Device Management
SecFlow-2/4 Device Management
● SNMP v1, v2, v3 (v3 only in SecFlow-2)
● CLI
● Web
● SNTP
● RADIUS
● TACACS
● TFTP
● Syslog
SecFlow2013 Slide41
RADview – SecFlow Network Manager
• SecFlow Network Manager provides end-to-end network management of the SecFlow devices, featuring:
– Automatic discovery of SecFlow network switches
– Network topology management
– End-to-end service provisioning
– Security rules configuration
– Aggregated network fault monitoring
– Network performance analysis
– Operator authorization levels
SecFlow2013 Slide42
www.rad.com
Thank You For Your Attention