SecFlow2013 Slide1

SecFlow Overview

SecFlow2013 Slide2

U&T Target Market Segments

Utilities

Power

Water

Oil & Gas

Mining

Transportation

Railways

Motorways

Air Traffic Control

Maritime

SecFlow2013 Slide3

Power Utilities Trends

The power utilities communication needs are in evolution phase:

• Migration to Packet in various parts of the network:– Replacement of SDH/PDH core to Ethernet/IP/MPLS – Replacement of old Substation technology to IEC 61850 based

solution which are consist of Ethernet “LAN” and packet signaling– Migration of old SCADA/RTU’s from Serial to IP based

• Smart Grid – Implementation of Demand Response techniques for improved automation and control of the distribution grid and deployments of Smart Meters

• Growing need for Cyber & Physical security solutions

SecFlow2013 Slide4

Challenges Of Power Utilities Communication Networks

• Evolution in the Substation– Migration to PSN in the Substation while supporting multi services– Teleprotection connectivity over SDH and PSN– Substation Automation and Cyber security

• Smart Grid – Secured backhaul solutions for Smart Meters

• Growth in Bandwidth– Transitioning the operational network to PSN while maintaining

reliability, security & simplicity– Clock Synchronization over the PSN network

• Product Obsolescence – old RTUs and substation communications PDH/SDH multiplexers are out of production and service, however, there is still a need to maintain Legacy equipment and installed base

SecFlow2013 Slide5

Industrial Control Systems

• Industrial control systems used to monitor and remotely control critical industrial processes– SCADA systems– Distributed Control Systems (DCS)– Programmable Logic Controllers (PLC)

• Highly distributed• Geographically separated assets• Centralized data acquisition and

control are critical– Oil and gas pipelines– Electrical power grids– Railway transportation systems

SecFlow2013 Slide6

SCADA System

• Supervisory Control And Data Acquisition (SCADA) – An industrial measurement and control system. SCADA elements are:– Central device

• Central Master Station – Supervisory system, gathering data on the process and sending action commands.

– Remote devices• Programmable Logic Controller (PLC) and

Remote Terminal Unit (RTU) – Connecting to sensors in the process, converting sensor signals to digital data and sending digital data to the supervisory system.

• Intelligent Electronic Devices (IED) – Microprocessor based controller which monitor and perform proactive functions. Designed to support substation automation functions.

SecFlow2013 Slide7

Supervisory Control and Data Acquisition (SCADA), System Overview

Source: http://en.wikipedia.org/wiki/File:DNP-overview.png

• RTUs• PLCs• IEDs

SCADA communication Protocols • Modbus• DNP3• IEC101, IEC104

SecFlow2013 Slide8

IEC 61850

• International standard for substation automation systems developed to create an open communication environment

• IEC 61850 provides interconnection of substation devices on high speed Ethernet network

• IEC 61850 comprises 10 separate standards IEC 61850-1 through to IEC 61850-10

• IEC 61850-3 Specifies general requirements for the hardware design must support three major requirements:– Electromagnetic Interference (EMI), immunity –

Strong electromagnetic compatibility (EMC) design to protect against EMI

– Operating temperature -40° to 75°C – substation environments can experience temperatures as high as 75°C and as low as -40°C

SecFlow2013 Slide9

SecFlow Portfolio Overview

• SecFlow – Ruggedized SCADA-Aware Ethernet Switch consist on two product families:– SecFlow-2 – Ruggedized SCADA-Aware Ethernet Switch/Router– SecFlow-4 – Modular Ruggedized SCADA-Aware Ethernet Switch/Router

SecFlow2013 Slide10

SecFlow Main Features

Industrial Design• Harsh environmental• DIN-rail mount• IP 30• -40°C to +75°C w/o

fans • EMI immunity• IEC 61850-3• IEEE 1613• EN 50121-4

Multiservice Gateway• Utilize both

Ethernet ports and Serial interfaces

• Serial Tunneling or Service translation

• IEC101 to IEC104

Integrated Security• L-2/3/4 ACL• MAC/IP filtering

per port• SCADA-Aware

firewall• L2/L3 VPN w/IPsec• 802.1X• RADIUS/TACACS

Resiliency• Ethernet rings per

ITU-T G.8032• RSTP, MSTP• Cellular 2G/3G

modem uplink for maximum service continuation

SecFlow2013 Slide11

SecFlow-2Access and Network Interfaces

USB

DI/DO Power

ConsoleFE PortsFE 0/1-8 with optional PoE

RS 232port 1 - 4

SIM CardPorts 1,2

Dual GPRS/UMTS

Modem

SFPGbE1, GbE2

SecFlow2013 Slide12

SecFlow-4Access and Network Interfaces

Dual Power Supplies 7 I/O slots

Service and MNG module

SecFlow2013 Slide13

SecFlow-4 Modules

Module Description

SF4-M-4GBE Gigabit Ethernet module with four UTP or four SFP ports

SF4-M-Serial Serial interface module with four RS-232 ports

SF4-M-Service Service module with firewall, serial tunneling, VPN functionalities and discrete input/output interfaces

SF4-M-MNG Central processing and management module with local terminal and out-of-band management ports

SF4-PS-24VDC Power supply module for 24 VDC input

SF4-PS-48VDC Power supply module for 48 VDC input

SecFlow2013 Slide14

SecFlow-2/4 v3.1Main Features

Features Description Customer Benefits

SecFlow-2 InterfacesEthernet Interfaces

• 2×100/1000BaseFX

• Up to 16×10/100BaseT• Resilient redundant networking over various WAN

infrastructuresSerial Interfaces • UP to 4×RS-232 • Multiservice support in a compact single deviceCellular Interface • Dual SIM GPRS/UMTS cellular modem • Utilizes cellular network for main link

• Improves link resiliency and service continuity using cellular backup links

SecFlow-4 Interfaces

Ethernet Module

SF4-M-4GbE

• 4×100/1000BaseT, optional PoE

• 4×100/1000BaseFX

• 4 GbE interfaces per module that provide a maximum of 28 GbEs per chassis for multiple Ethernet connections

Serial Module

SF4-M-Serial

• 4×RS-232 • 4 serial interfaces for legacy connectivity with up to 28 serial ports per chassis

• The serial module combined with the Ethernet module provides multiservice support for various applications

Central Processing Module

SF4-M-MNG

• Central processing and management module with local terminal and out-of-band management ports

• The module is supplied with the SecFlow-4 chassis, providing the Layer-2 functionality

Service Module

SF4-M-Service

(Optional)

• Service module with firewall, serial tunneling, VPN functionalities and discrete input/output interfaces hardware-ready only

• Security, routing and gateway functionalities

SecFlow2013 Slide15

SecFlow-2/4 v3.1Main Features

Features Description Customer Benefits

Protocol Gateway • IEC-101 to IEC-104 conversion

• Enables seamless communication from the IP SCADA to both the legacy and new RTUs, featuring a single box for multiservice application and smooth migration to all IP networks

SCADA-Aware Firewall

• SCADA-aware firewall monitors SCADA commands using deep packet inspection to validate intended application purpose

• Supported SCADA protocols: IEC-104, Modbus and DNP 3.0

• Syslog support for IEC 104 firewall

• Provides distributed network security from the substation, enabling only authorized traffic to access the network according to the user defined access rules

VPN Gateway with IPSec

• Layer 2 GRE VPN

• Layer 3 multipoint GRE Dynamic Multipoint-VPN

• Layer 3 IPSec VPN

• IPSec encryption per 3DES or AES

• X.509 certified with SHA256 and SHA512 for Phase1/Phase2 and AES 256 support

• Secured interconnection of remote sites over public networks, using Layer-2or Layer-3 VPN with encryption

• Supports large scale networks

QoS • Port limit

• Ingress policing

• Strict priority

• Weighted Round Robin (WRR)

• Egress traffic shaping

• Higher and lower priority traffic separation into 8 queues for prioritizing the user traffic and allowing mission critical applications to be served first

SecFlow2013 Slide16

SecFlow-2/4 v3.1Main Features

Features Description Customer Benefits

Ethernet OAM • Single segment (link) OAM according to IEEE ‑802.3-2005 (formerly 802.3ah)

• End to end connectivity OAM based on IEEE 802‑ ‑

• End to end service and performance monitoring ‑ ‑based on ITU T Y.1731. ‑

• Guaranteed SLA (Service level Agreement) of contracted services

• Standard Ethernet OAM for easy interoperability with 3rd party equipment

• Monitors network faults, performs measurements and gathers statistics

Jumbo Frames • SecFlow-2 Supports 9K bytes jumbo frames

• SecFlow-4 Supports 12K bytes jumbo frames• Improves efficiency and increases performance in GbE

networksEthernet Ring Protection

• Ethernet ring protection switching per G.8032v2

• RSTP (Rapid Spanning Tree Protocol) and MSTP (Multiple Spanning Tree Protocol) per IEEE 802.1D

• Link resiliency for high survivability and service continuity

• 50-ms failure detection and switchover to the alternate link without service interruption

Link Aggregation

• Link aggregation per 802.3ad with configurable LACP

• Up to 8 LAGs

• Up to 8 ports in LAG

• Provides increased bandwidth and high availability links

• LACP ensures smooth and steady traffic flow by automating the configuration and maintenance of aggregated links

Terminal Server and Serial Tunneling

• Embedded terminal server

• Transparent serial tunneling • Connects multiple devices with serial interfaces over IP

• Provides point-to-point or point-to-multipoint transparent serial tunneling

PoE • Configurable PoE (enable/disable and force mode)

• 30W max per port

• Max 120W per device for 48 VDC power supply or 220 VAC

• Max 80W per device for 24V DC power supply

• Easily feeds third party equipment or peripheral devices such as IP cameras, using power over Ethernet

• SecFlow-2/4 can feed RAD’s Airmux outdoor device eliminating the need for an Airmux indoor unit

SecFlow2013 Slide17

SecFlow-2/4 v3.1Main Features

Features Description Customer BenefitsAccess Control List

• Access control lists according to Layer-2, -3 and -4 criteria

• Enhanced ACL mechanism to filter user traffic according to variety of traffic criteria

• Better security and control on authorized traffic

Network Management

• SNMP: V1,V2,V3 (V3 only in SecFlow-2)

• RADview

• SecFlow Network Manager

• SSH: V2.0

• CLI

• RADIUS, TACACS

• TFTP Client

• Syslog, SNTP

• SecFlow-2 can be managed by a variety of management tools including: CLI, WEB interface and RADview SNMP-based management system

• SecFlow-2 can also be managed by SecFlow Network Manager, integrated in the RADview EMS server, to provide an end-to-end management system

Switching • Auto Crossing

• Autonegotiation per IEEE 802.3ab

• Port-based Network Access Control (PNAC) per IEEE 802.1x

• MAC list

• VLAN segregation tagging per IEEE 802.1q , 4K VLANs

• Multicast Groups

• IGMP snooping v1,v2,v3

• MAC limiting per port

• LLDP, DHCP client, DHCP relay, option 82

• Set of Layer-2 features for traffic management and security

SecFlow2013 Slide18

SecFlow-2/4 Main FeaturesFeatures Description Customer BenefitsTiming

• Local time settings

• NTP v2

• PTP transparent clock per 1588v2

• Flexible clock distribution and network synchronization based on different clock sources

Routing • IPv4

• Static routing

• OSPF v2, v3

• RIPv2

• A single-box solution that provides both Layer-2 features and Layer-3 routing capabilities

Diagnostics

• Counters and statistics per port

• LED diagnostics: main switching units (Alarm |Run | Ethernet)

• LED diagnostics: application interfaces (Cellular | Serial )

• Ping

• Trace route

• Port mirroring

• RMON v1

• Provides extensive diagnostic tools to assist operators in fault monitoring

SecFlow2013 Slide19

Legacy Migration

• Integrated serial interfaces in switches with 3 operational modes– Tunneling between serial segments

• Byte / Bit-stream• Multipoint support• Service-aware security for serial tunnels

– Gateway connecting serial devices to matching Ethernet devices• Currently supports IEC-101 to IEC-104

– Terminal Server connecting a computer to serial devices

RS-232/RS-485 link

Ethernet link

Serial Tunnel

Gateway service

SecFlow 2

SecFlow 2SecFlow 2

SecFlow 2

SecFlow2013 Slide20

Protocol Gateway

IEC-101 to IEC-104 conversion using protocol gateway functionality

IEC 104UDP/IP

SSH (T. Server)

Serial Master 1Remote Site B

Central Site

PSNSerial Master 2

SCADA

RS-232

RS-232

RS-232

RS-232

RS-232Console

V.Com portIEC104

LAN

IEC 101

Remote Site A

IEC 104

IEC 101 RTU

SecFlow 4

SecFlow 2

SecFlow 2

SecFlow2013 Slide21

Cyber Security Threats to Utilities

Distributed SCADA IPS Deployment– Role-based validation of SCADA

commands– Deployment at each end-point– Used for both IP & Serial devices

Attack vector• Control-Center malware• Field-site breach• Man-in-the-Middle• Remote maintenance

Security Measure• Service-aware firewall• Distributed firewalls• Encryption• Secure remote access

SecFlow2013 Slide22

SecFlow 4

Distributed Firewall

SCADA-aware firewall for Modbus and IEC 101/104

IEC 104UDP/IP

SSH (T. Server)

104 ClientModbus Client Remote Site B

Central Site

PSN

SCADA

IEC 101

ID 11

Remote Site A

Modbus

NMS

Modbus

Modbus RTUs

Modbus

ASDU1

ASDU2

ASDU3

IEC 101

IEC 101

ID 12

ID 13

Modbus RTU

Modbus RTU

Modbus RTU

SecFlow 2

SecFlow 2

SecFlow2013 Slide23

Security Features • 802.1X – IEEE Standard for port-based Network

Access Control (PNAC), authentication and protection against DoS attacks

• Access Control List – Traffic filtering according to layer 2/3/4 criteria

• RADIUS and TACACS+ based centralized user authentication and authorization

• L2/L3 VPN, using IPSEC encryption– User policy for traffic type, IKE, AES or 3DES

encryption, dynamic key • Secure Telnet access, using SSH• SCADA firewall per port (Modbus, IEC-104, DNP3.0)

SecFlow2013 Slide24

Integrated Defense-in-Depth Tool-Set

• Advanced security measures integrated in the switch using a dedicated service-engine

• Enable easy deployment of an extensive defense-in-depth solution

SecFlow2013 Slide25

Multi-Service Transport

• Utility networks do not have 100% fiber connectivity• SecFlow switches support alternative transport infrastructures

– GPRS/UMTS – Cellular coverage with 2 operators– Radio links using RAD’s Airmux wireless solution– SHDSL – Private copper lines*

• Used with integrated security mechanisms

Private ETHNetwork

Private ETHNetwork

Internet

SecFlow 2SecFlow 2

FiberFiber

SHDSL

Ethernet Ringover

Mixed medias

*roadmap

SecFlow2013 Slide26

Resilient Cellular Connection to Remote Sites

• GPRS/UMTS support• Link resiliency using 2 SIM cards with continuous check of operator link quality• Multiple remote spokes connecting to Hub over encrypted IPSec tunnels

– NHRP used for dynamic IP address resolution assigned to cellular spokes– L2 VPN using transparent GRE tunnels over IPSec– L3 VPN using DMVPN

WANFO | Cellular

LAN

SecFlow2013 Slide27

Applications

SecFlow2013 Slide28

Smart-Grid Distribution Network

• Modern secondary sub-station requiring:– Encrypted tunnels when using a public network– Firewall for uplink protocols (IEC 104, IEC 61850, Modbus)– Gateway for serial IEDs

SecFlow switch integrates all the functions

“New intelligent MV-LV* transformation centres with metering, power monitoring and capacity automation”

RTU

PowerMonitoring

MetersConcentrator

Secondary Sub-Station

Network(Secondary

Sub-Stations)

CellularAntenna

AutomationControl Center

MeteringData Center

SecFlow 2

Smart Meters

*Medium Voltage/Low Voltage

SecFlow2013 Slide29

Migration to IP-based SCADA at Sub-stations

• Connectivity of sub-station devices to new IP-based SCADA– Per-site firewall for industrial automation protocols– Secure terminal server for maintenance sessions– Encrypted tunnels when using wireless links– Serial to ETH protocol gateway

Control CenterSub-Station

RS-232IEC-101

ETHIED

IP SCADA

LAN ManagementRTU

Ring

Sub-Station

Sub-Station

SecFlow2013 Slide30

Connecting the Sub-station LANs – Current Status

Network Limitations• SCADA direct access to S.S. IEDs• Field technician access to:

– Other sub-stations– Central storage– Facility RTU

• Remote technician access to RTUs and IEDs in all S.Ss

• Data-sharing between S.Ss

Need a unified sub-station LAN with secure inter-site connectivity

SDH/PacketNetwork

Sub-Station

Control Center

Sub-station IEDs

SCADA Storage

Sub-stationRTU

FieldTechnician

RemoteTechnician

Internet

FacilityRTU

SecFlow2013 Slide31

SecFlow 4

Connecting the Sub-station LANs – Future Evolution

Use a secure switch connecting the LAN devices to the backbone• Network segmentation using

VLANs/Subnets• App-aware firewall per-device• Secure remote access• Serial-to-ETH protocol gateway

SDH/PacketNetwork

Sub-Station

Control Center

FieldTechnician

RemoteTechnician

Internet

Sub-station IEDsSub-stat.RTU

FacilityRTU

SCADA Storage

SecFlow2013 Slide32

Metro Subway Control Network• Metro subway control applications require communication with smart

devices in each station– Ethernet access switches connected to IP/MPLS backbone using VLANs as

service ID– Mixture of Ethernet, Serial & Discrete devices with secure access using a

distributed ModBus firewall– Secure mobile access from trains to control center using distributed device

authentication methods

IP/MPLS Backbone

Control Center

MeteringData Center

RTU

IED

SecFlow switches build a secure subway network

SecFlow2013 Slide33

Smart/Safe City End Points Communication

• Compact Industrial switch for Smart/Safe-city cabinets– Ethernet with PoE– Serial and discrete I/O ports for simple automation devices– Diverse means of communication:

• Integrated dual-SIM cellular modem• Fiber Optic with protected Ring Support (G.8032)• SHDSL*

– Integrated security mechanisms• IPSec VPN• SCADA firewall

P2P & P2MP Radio

FO

Dual 2G/3GCommunications

WiFi*

Tamper Switch

RS-232

ETH PoE

ETH

DryContact

Display Board

SecFlow 2

*roadmap

PSN

SecFlow2013 Slide34

ETH Ring ETH Ring

Case Study of a Highway Security Infrastructure – Italy Autostarda

ETHRing

1588 Clock

Central Site

Ring 1

Ring 6

Ring 7

Ring 12

RS-232/485

Remote Site

Traffic Control Security Cameras

Tetra BaseStations

Message Boards

PoE 1588 clock syncQoSRS-232/485

Remote Site

Traffic Control Security Cameras

Tetra BaseStations

Message Boards

PoE 1588 clock syncQoS

SecFlow2013 Slide35

Ordering Options SecFlow-2

• Two ordering options:– Advanced mode – SecFlow-2 is provided with security features,

routing, switching and gateway functionalities.– Basic mode – SecFlow 2 is provided with switching and gateway

functionality only. Limited ordering options and cannot upgraded to advanced mode

Mode PN Description

Basic

SF2/B/AC/2GE8UTP/PoE AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports

SF2/B/48VDC/2GE8UTP/PoE 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports

Advanced

SF2/S/48VDC/2GE8UTP 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT UTP ports

SF2/S/AC/2GE8UTP/PoE AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports

SF2/S/AC/2GE8UTP/PoE4AM AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 4 UTP ports for Airmux products

SF2/S/48VDC/2GE16UTP 48 VDC power supply, 2×GbE SFP ports, 16×10/100BaseT UTP ports

SF2/S/48VDC/2GE8UTP8SFP 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT UTP ports, 8 ×100 FX SFP

SecFlow2013 Slide36

Ordering Options SecFlow-2

PN Description

Chassis

SF4/48VDCR SecFlow-4 chassis, central processing and management module, dual 48 VDC power Supply

SF4/24VDCR SecFlow-4 chassis, central processing and management module, dual 24 VDC power Supply

Modules

SF4-M-4GBE-U SecFlow-4 module with four 10/100/1000BasteT UTP Ethernet ports

SF4-M-4GBE-POE SecFlow-4 module with four 10/100/1000BasteT UTP Ethernet ports and 30W PoE

SF4-M-4GBE-S SecFlow-4 module with four 10/100/1000BasteFx SFP Ethernet ports

SF4-M-4RS232 SecFlow-4 module with four RS-232 serial ports

SF4-PS-24VDC 24 VDC power supply

SF4-PS-48VDC 48 VDC power supply

SecFlow2013 Slide37

Management

BROAD PERSPECTIVE. DIRECT CONTROL.

RADview-EMS is a unified carrier-class management platform for RAD devices using a variety of access channels as SNMPv1/3, HTTP/S, TFTP and Telnet/SSH. In

addition, it features third-party device monitoring capabilities

SecFlow2013 Slide38

Management, Benefits & Features

●Turnkey system including hardware and software!

●Fully compliant with TMN standards

●Client/server architecture with multi-user support

●Interoperable with third-party NMS and leading OSS systems

●IBM Tivoli’s Netcool®/OMNIbus™ plug-in

●Minimize integrations costs associated with new NE

Benefits

●Ensures device health and congestion control

●Topology maps and network inventory

●Advanced FCAPS functionality

●Software & configuration management

●Business continuity - High-Availability and Disaster Recovery

●Handover between operators

Key features

SecFlow2013 Slide39

RADview-EMS advanced FCAPS

• Detects and isolates faults in network devices, initiates remedial actions and distributes alarm messages to other management entities in the network.

Fault management

• Enables operators to configure, install and distribute software to all devices across the network. In addition, the system tracks version changes and maintains software configuration history

Configuration management

• Manages individual and group user accounts and passwords, generating network usage reports to monitor user activities.

Accounting management

• Supports real-time monitoring of QoS and CoS, producing real-time and periodic statistics. The statistics collector compresses data to minimize bandwidth use for management traffic and exports CSV files to OSS or third-party management systems

Performance management

• Allows network administrators to track user activities and control the access to network resources with a choice of security features

Security management

SecFlow2013 Slide40

Device Management

●SNMP v1, v2, v3 (v3

only in SF-2)

●CLI

●WEB

●SNTP

●RADIUS

●TACACS

●TFTP

●Syslog

SecFlow-2/4Device Management

SecFlow2013 Slide41

RADview – SecFlow Network Manager

• SecFlow Network Manager is an End-to-End network management of the SecFlow devices featuring: – Automatic discovery of SecFlow network switches – Network topology management – End-to-end service provisioning – Security rules configuration – Aggregated network fault monitoring – Network performance analysis – Operator authorization levels

SecFlow2013 Slide42

www.rad.com

Thank You For Your Attention