Avoiding Pitfalls in Industrial IoT (IIoT) Communications IIoT Webinar May 2018
Alex Grinshtein, Business Development Director CI LoB
Secure IIoT Backhaul
Agenda
• IIoT Market Segments and Trends
• Use Cases
• Challenges & Requirements
• Deploying Secure Industrial IIoT Communications
Industrial IoT (IIoT): What is it?
• Enables digital transformation across all industrial and critical infrastructure sectors.
• “By 2020, IIoT is expected to be a $225 billion market, encompassing many thousands of highly distributed intelligent devices” www.ioti.com
IIoT in Energy Sector
Energy Infrastructure IoT is set to double in the coming years
[Chart: IoT Revenue by Type (Commercial, Residential, Energy Infrastructure), in $ millions, 2016 to 2025. Source: World market]
IoT Segments
Smart City, Energy and Industry are about 40% of IoT projects
Main IIoT Applications
• Sectors: Power Utilities; Gas Utilities; Water Utilities; Transportation; Connected Industry (Smart Factory); Smart Cities
• Applications shown: Re-closers; Flow meters; Flow control; Traffic control; Production floor monitoring; Smart parking; Load breakers; Volume sensors; Quality; Info boards; Remote PLC control; Traffic monitoring & control; SCADA/MiniSCADA/FRTU; Pressure sensors; Leakage detection; Kiosks; Automated quality control; Bike sharing; Secondary substations; Level sensors; Pump/valve control; Smart lighting; Meters; Meters; Public safety
Use Cases
Utilities - From Automation to Industrial IoT
Industrial ‘Internet of Things’
• Renewable Energy
• Mostly TCP/IP
• Cloud
• Internet-enabled
Legacy M2M
• SCADA
• On-premise
• No internet
“Protect the Production Line” “Fast Time to Market”
Connected Industry (“Smart Factory”)
• Real-time monitoring of production flow – saves time and work on the inventory process
• Inventory management – real time inventory monitoring and tracking
• Remote process automation and optimization
• Quality control automation
Challenges & Requirements
IIoT Communications and Operations – Main Challenges
Cyber Security
• From private networks to untrusted public networks
• Millions of new IP devices, exposed to attacks from the internet
Operations
• Thousands of new edge devices increase deployment and maintenance cost
Service Reach
• Lack of connectivity to many new locations
• In some cases only public mobile is an option – security and reliability challenges
Data Usability
• Massive traffic growth is expected, resulting from numerous new devices
• Fog applications – help to reduce traffic and improve delay/jitter with some critical real-time apps
Industrial IoT Backhaul Hub & spoke / star topology
[Diagram labels: IIoT Gateway (Ethernet, Serial); Wireless/Fiber Links; 3rd-Party Network; Security Gateway; Zero Touch Server; FW config, Security mng, PKI Enrollment, CA]
IIoT Backhaul Key Requirements
• Reliable! Ruggedized for outdoor installations
• Secure! Encrypted VPN tunnels and firewall
• Low TCO – easy installation, provisioning and maintenance
• Ubiquitous communications - over private and cellular networks
• Supports legacy and new communications protocols and devices
• Hub and spoke topology
Hub & Spoke
Cyber Security
Plug & Play Installation
Always-On Communication
Legacy & New Protocols
About RAD
RAD Proprietary and Confidential Company Presentation 2018
RAD in Numbers
19
>3716
220
800
Evolve Any Service Over Any Network for Critical Infrastructure
Assuring Network Performance and User Experience
[Diagram: Service Evolution against Network Evolution (TDM to Packet). Labels: D-NFV/FOG; TDM Hybrid Migration; OT/IT Convergence; Packet OWAN/IIOT; IIOT; Obsolete Equipment Replacement]
• Decouple service evolution from network evolution, migrate at a pace that is right for you
• Leverage your existing resources (networks, spectrum, expertise, operational practices)
• Prolong use of a large variety of existing legacy interfaces and equipment
• Maintain network performance, service level and guarantee user experience
RAD’s Unique Solution for Secure Industrial IIoT Communications
• End-to-end solution (hub & spoke and network management)
• Full suite of security tools - specifically designed for secure communications, especially over cellular
• Security Information and Event Management (SIEM)
• Zero-touch provisioning over public cellular – low OpEx and secure
Industrial IOT Backhaul – Application and RAD’s Key Advantages
[Diagram labels: IPsec VPN tunnel for SCADA and management traffic; IPsec VPN for remote management; Device Connection Control 802.1X MAC; BTS/eNB; Application Server; SCEP server; Leased F.O; Security HUB; Internet; NMS; OT Network; Security GW; IPsec; Security Management Server (SMS); Remote Management; Cellular Network 3G/LTE; Zero Touch SCEP Proxy; Zero Touch Redirect server; Smart metering/Grid/Energy; Counter; Meter Concentrator; IoT GW; Smart Industry; Smart City]
• Secure VPN redundancy over private/public networks
• Virtual environment container for fog/edge applications
• RAD’s Security hub GW with optional HW redundancy, or another 3rd-party HUB (Check Point, Fortinet, Cisco)
• Stateful L3-L4 firewall in each security GW
• Cost-effective – low TCO
Built-in Security Features
• End-to-end secure VPN tunnel (for any service, IP or serial)
• IPsec VPN with PKI X.509, with automated (enrolment, renewal) PKI (SCEP)
• Optional RAD CA (Certificate Authority) or SCEP client support in all solution elements
• L3/L4 stateful firewall in all solution elements managed by RADview - with centralized provisioning (firewall configurator) and SIEM for centralized monitoring
• Easy creation and editing of firewall rules using the firewall configurator
– Cyber securing the communications device and customer traffic
• Cluster based firewall configuration with scheduling
• Security Information and Event Management
– Security and operations events reporting
• User defined dashboard
– Cyber events – reporting attacks on network elements
RADview Security Features
Secure zero-touch (ZT) configuration over public networks - reducing cyber vulnerability with minimal OpEx
• Supports SecFlow devices with dynamic or static IP provided by the cellular operator
• No manual configuration on-site – Plug & Play
• Fast deployment with fewer mistakes (lower TCO)
• Easy device replacement – configuration automatically restored on new devices
• Each device will be redirected to the customer’s bootstrap server (located in its DMZ) for configuration download (secure connection)
• Secure automated configuration and auto-registration by the RADview server
Secure Zero-Touch Provisioning
[Diagram labels: End User Devices (Serial/IP); SecFlow; BTS/eNB; Cellular Network 3G/LTE; Internet; Zero Touch Server; Organizational Firewall; DMZ (Configuration Server, SCEP Proxy, NMS); SGW; OT Network; RADview; Security Management Server (SMS); SCEP server; Application Server]
Aggregation and data processing from multiple on premise devices
• On-premise processing:
• Standard connection to IoT clouds, protocol translation, analytics on the edge
• Reduce data (BW) before sending to higher levels in your network
• Minimize latency and maximize the efficiency of your network investment
• LXD engine for running multiple applications using Linux containers – similar to VM
• Secure by design with advanced resource control (CPU, memory, network I/O, block I/O…)
• Ready-made images available for a large number of Linux distributions
SecFlow-1v and Third-Party Software Support (Pushing select data processes to the edge and fog)
https://docs.microsoft.com/en-us/azure/iot-edge
https://linuxcontainers.org/lxd/introduction/
RAD’s Value Proposition
Connectivity
Security
Computing
Simplified Operation
Video IIoT Demo
IIoT Case studies
Case Study – Power Utility in APAC
• Major power distribution modernization project, connecting legacy and IP SCADA RTUs in 300 sites in 1st phase, and 3,000 sites in 2nd phase
• Cellular link is used for connectivity of all spokes to the central hub.
• SecurityGateway - central hub that aggregates IPsec VPN tunnels from remote sites; started with Check Point, moving to RAD’s new SecurityGateway
• SecFlow connects RTUs with speeds of up to 1 Mbps
• Why we won?
– Security gateway, competitive price, close relations, full solution, commitment, responsiveness
Solution
Background
Customer Type: Power Utility
Country & Region: APAC
Application: Industrial IoT Backhaul
[Diagram labels: RTU; SecFlow-1; IPsec; BTS/eNB; Cellular Network 3G/LTE; ISP; PSN; SecurityGateway (IPSec hub); OT Network; RADview; SCEP Server; Security Management Server (SMS); HMI]
Customer Type: Electric power company (GEN, TSO, DSO)
Country & Region: Central America
Application: Industrial IoT backhaul
Background
• Company issued a tender for the payment kiosks (POS) management including secure communications between the central site and the POS’s
• Company currently has 3111 POS’s distributed in 1800 sites nationwide (1st phase of project will include 1000 POS’s)
• There will be two Central Sites, both need secured communications:
– Management Center: For management & monitoring of all ATMs in the network
– Transaction Center: For registering all payments done in all ATMs in the network
• RAD’s Main UVPs: Automated PKI, Secured VPN via IPsec, high scalability with Fortinet, 3G/LTE backup, redundant HUB site
Solution
Case Study: Power Utility LATAM
[Diagram labels: Remote Site #1 to Remote Site #n; ATM #1 to ATM #8; SecFlow-1; ONT/DSL Modem; NID; Internet; 3G/LTE Backup Link; Central NOC (RADview, ATM Mngt., SCEP Server, Fortinet Firewall); Transaction Center (Transaction Server, Fortinet Firewall)]
Customer type: Police
Country & region: MEA
Application: Industrial IoT backhaul
Case Study: Police
Background
Solution
Customer:
• Police Traffic Control department
RAD’s Offering:
• SecFlow-1, IPsec VPN with X.509 over cellular network
RAD Solution Benefits
• Two cellular operators for redundancy.
• Unique requirement - dry contact for restart
Why RAD?
• Our partner relationship with end user
• Flexibility to work with any HUB aggregator
[Diagram labels: Cellular APN #1 Police; Cellular APN #2; Main; Backup; ETH; Dry contact; ISP; Cisco FW; Syslog; DB Server 02]
Takeaways
IIoT – a huge growing market
IIoT introduces unique reliability, security and connectivity challenges
RAD is a leader in critical infrastructure communications with over 37 years of experience worldwide
Thank you for your attention
Alex Grinshtein
Director of Business Development in the Critical Infrastructure Line of Business