A Community of PracticeA natural way of building

Tuesday August 27, 2014

Vision

8/27/2014

“Community of Practice “ 2

To create a mass movement that will transform howsecurity is designed in and how the management ofintelligent devices operate within a common operatingenvironment.

Mission

To build a community of practicing professionals who arecommitted to achieving end to end security within theecosystem of all critical infrastructure by shaping thesecurity fabric reference architecture as an interoperablesystem of systems.

Our strategy is to provide certified interoperability to the key devices controlling the grid.

8/27/2014”

“Community of Practice” 3

Our solution would be embedded at each critical point in the energy infrastructure.

All points must connect to each other in an end-to-end system.

Management Agents

Introduction to the Security Fabric Alliance

The Security Fabric Alliance is a working association dedicated to practical deployment of the power grid and critical infrastructure complex system solution in the United States:

Utilities and telecommunications providers

Systems integrators

Manufacturers

Technology partners

National certification and interoperability entity

The alliance is intended to give the CEO of a utility the purview of up-to-the moment knowledge of the options available to make wise investment decisions regarding infrastructure deployment for optimal returns.

The variation includes the proper orientation for large, medium, and small utilities.

“Community of Practice”

Semantics

• Security Fabric Products

• Security Fabric Architecture

• Security Fabric Alliance

8/27/2014

“Community of Practice” 5

The embedded security system solution is composed of an interlocking arrangement of framework options

The framework of embedded system components that provide the basis for end-to-end security and remote device management

The Security Fabric Alliance is an informal collection of companies, organizations, and individuals that have through discussions designed conceptual reference architecture called the “Security Fabric”.

To establish the secure communications from the Controller to the Device Node using the Security Fabric elements, you need to do all seven… not just some.

4. Audit

– Records noteworthy events for later analysis

5. Confidentiality

– Encrypts sensitive data for matters of privacy.

6. Integrity

– Ensures that messages have not been altered.

7. Availability

– Prevents denial of service attacks

1. Identity Management

– Ensures the device identity is established genuinely

2. Mutual Authentication

– Allows both the Device Node and the Controller to verify the trustworthiness their identity to each other.

3. Authorization

– Manages permission to proceed with specific operations.

These are the seven tenets of security as described in the NIST-IR 7628 Guidelines\IST-IR

7628 Guidelines.

The OMG process is more about establishing marketsas opposed to just setting standards.

SFA ReferenceBuilds

Certification ofConformance &Interoperability

The OMG is planning to standardizethe Security Fabric

for all critical infrastructure.

There are many participants at different levelsin the Security Fabric Alliance.

ComponentsProductsSubsystems

ResearchIntegrationUtility

Customers

• Intel – servers with Quark + TPM • Wind River – Security Connect• Middleware

• RTI – DDS• GridStat • Indra - iSpeed• MultiSpeak

• TeamF1 – Secure Communications• Secure Crossing – Protocol Whitelisting• PsiNaptic – Secure Service Distribution• SNMP Research – SNMP Agent• Freescale – HSM w/Vybrid SoC• Xilinx – CompactRIO SOC• Green Hills Software - INTEGRITY• Altera - tamper proofing• Microsoft – Active Directory• Red Hat – Auth Hub

• General Electric – EMS• Alstom Grid – EMS • Viridity Energy – DR + DER

+ Microgrid • Energy One• Lemko – LTE systems• Intel Security – SIEM + GTI

• Intel – Encanto+ silicon support

• Sypris – Supply Chain Root of Trust

• TCIPG• EPRI – CIM Standards• MIT – Security &

Privacy Standards

• EPG – Phasor Data Portfolio• GridSense– NAN & Line Sensors• S&C IntelliTeam• SafeNet – Secure Key Management• Heart - Transverter• Freescale One Box• Cisco Cloud-in-a-Box

• Integrated Architectures – SEIT• MACE Fusion - DoD• Kryptos Logic – Red Team Certification• M2M Dynamics• Drummond Group – C&IT• Intel Security - Distribution

...First Stage……• ERCOT• ONCOR• AEP• NRECA• NRTC

Suppliers

• Verizon• Level3• AT&T• Internet2• BT

• ViaSat• Comcast• ARINC• Stratus• Symmetricom

…Second Stage……• APPA• SDG&E• PJM• NYISO• Southern Company• Duke Energy• CAISO

• Pecan Street• Mueller Community• Pike Powers

• PNNL – CyberSecurityTest Center

• Lincoln Labs• OMG SIG• Industrial Intrnet

Managed Services

• Tazca – Connect• CSG International• Digi International• N-Dimension

• SETI• Lockheed Martin• SAIC• Threat Connect

What is being asked for is a secure system of systems that blankets the complexity and delivers it autonomically.

Security Fabric

Interoperable

Embedded

Distributed

This is the embedded side of the operation in addition to the companion enterprise side.

Separation of the Industrial Internetfrom the Generic Internet

The Core Network

Generic Internet

Carrier EthernetWith Routing

DWDM Isolation

Cooperative Control CentersCore CityNode

Enterprise Systems

Industrial Devices

Substation Nodes

Router+

SubstationController

Ro

ute

r+

Carrier Ethernet Isolation

NAN Nodes

HAN Nodes

Wireless LTE700 MHz?

Wireless LTE2.5 GHz?PicoCell

Gateway

Sensor

Transverter

We will eventually use a combination of DWDM separation

plus Carrier Ethernet separation.

Understanding

Information

Decision

Data in – Action out

But sometimes semi-autonomic policy decisionsare made and executed in the field.

(at the small, the medium, and the large)

The policy logic is actually spread to each major active element.

MultiSpeakInitiative

The new Content Aware Firewall ( Secure Crossing) needs to be aware of what is flowing through the pipe(s).

Transport Plugins

Co

nte

nt

Aw

are

Fir

ew

all

–L

aye

rs 4

-6

IP C

om

mu

nic

ati

on

s S

tac

k –

La

ye

rs 2

-3IPsecVPN

EthernetController

UDPv4

UDPv6

Data Routing Services deals with:• Connections +

• Sessions

All packet prioritization andflow control are performed byData Routing Services.

The Content Aware Firewall deals with multiple layers and is state sensitive.

The Content Aware Firewall ( Secure Crossing )needs to be aware of: the Layer 6 socket level interface,

as well as the intended sessions that will be flowing over it at Layer 5,so that it can use UDP connections at Layer 4,

so that it can use the IPsec VPN to control encryption on the transport.

Co

nte

ntA

ware

Fir

ew

all

Layers

4-6

IP C

om

mu

nic

ati

on

s S

tack –

Layers

2-

3

IPsec V

PN

UDPv4

UDPv6

Connections

• Kerberos Get Credentials + Tickets• Get Extended Credentials• Kerberos Mutual Authentication• Get Precision Time• Register for Management +

Configuration Synchronization• Service Locator• Service Provider• Multicast Alert• Unicast Command• Event Notification• SNMP Get/Set• Application Event: Send and Receive:

• High Priority• Medium Priority• Low Priority

Sessions

The detailed requirements will be determinedduring the requirements assessment phase.

Inte

rface A

Inte

rface B

There are servers and agents in the industrial environment.

How does the Security Fabric work?

Essentially, the Security Fabric is an end-to-end approach to things.

xSystem &Network

Management

Controller

Device

DeviceThe

SecurityFabric

The Security Fabric is a semi-autonomous embedded devicemanagement agent and communications protocol set along witha central system and network management subsystemthat bring security and other controls to the embedded world.

Let’s build this as if we were building a house.

There are obviously going to need to be several different devices involved.

Controller

Device

Device

We want to add our security agent to each of them to do what we will do.

Our agent will be hidden right beside the application.

The devices need to be able to talk to each other securely, and trust each other on a limited basis.

Controller

Device

Device

This means that the solution will need to be a system as opposed to a piece part.

Intel and McAfee Confidential

The agents talk to one anotherin a resilient middleware..

And all systems need to be administered relative to the configuration and policies that control them.

xSystem &Network

Management

Controller

Device

DeviceThe

TailoredTrustworthy

Space

These three ingredients are the soul of the Security Fabric.

The Security Fabric follows the guidelines required by the NIST 7628 for the Department of Energy.

xSystem &Network

Management

Controller

Device

Device TheSecurityFabric

The industry as a whole is applauding this solution.

Managed Device

ApplicationDevice

Management

We always start by separating the management control agent from the payload application.

Managed Device

Applications

DeviceManagement

Secu

reC

om

mu

nic

atio

ns

Secu

reSt

ora

ge

Po

licy

Man

age

me

nt

Pe

rso

nal

Dat

a V

ault

The management agent always uses defense in depth.

Security Management

Hypervisor

Close-up on Partition Structure

DDS Routing Services

EthernetController

Policy Management

DDS Subagent

Device Application Threads

DDS Subagent

Connection Connection

OperatingSystem.

Transport Plugins

Ring 1: Security –HSM Interface

Ring 2: Policy Management

Participant:Management

Configuration& Route Mapping

Ring 1: DataReader

Ring 1: DataWriter

Routing Services is our inter-system + intra-device middleware;The DDS Subagent controls the private paths between

processes.

SecureIP I/ODriver UDPv4

UDPv6

GridStat

Intra-Device

DDS Subagent

Connection

Participant:Management

Ring 2: DataReader

Ring 2: DataWriter

ChangeManagem

ent

ProblemManagem

ent

HSMInterface

KerberosClient

+Session

KeyManage

ment

Security Protocols

PolicyExecution

Environment

What is really unfolding with the rise of the Internet of Things is the need for

The Semi-Autonomous Policy Management Agent

Each of the four compositionsof rulesets is administeredcentrally and released to theremote device securely.

The rulesets contain profiles,provisioned data, and Java-based rules.

All distribution bundles are signed and are subject tolocal attestation andtransition control.

AutonomousPolicy Management

Agent

IBM Autonomic Computing Model

The control of the smart grid is all about managing semi-autonomous devices.

The Security Fabric is all about safely deploying this concept.

The customer has to be able to delegate responsibility in small incrementsto the remote device to avoid the problem of unintended consequences.

www.securityfabricalliance.org

Designed in Security Discussion