Upload File

radiflow ot security

4
Solution Brochure o IDS & IPS with multiple deployment models o DPI of IP & Serial SCADA protocols o Model-based analytics for M2M sessions o Self-learning of application behavioral model o Signature Based detection of known vulnerabilities o Task-based validation of H2M sessions o Integration with physical security o Authentication Proxy for access to end-devices o Encrypted VPN tunnels for inter-site connectivity Radiflow OT Security Radiow OT Security Optimized Security approach for SCADA Networks

Upload: lamdan

Post on 20-Dec-2016

213 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Radiflow OT Security

Solution Brochure

o IDS & IPS with multiple deployment models o DPI of IP & Serial SCADA protocols o Model-based analytics for M2M sessions o Self-learning of application behavioral model o Signature Based detection of known vulnerabilities o Task-based validation of H2M sessions o Integration with physical security o Authentication Proxy for access to end-devices o Encrypted VPN tunnels for inter-site connectivity

Radiflow OT Security

Radiflow OT Security Optimized Security approach for SCADA Networks

Page 2: Radiflow OT Security

Data Sheet

Optimized Security approach for SCADA Networks

Solution Brochure

General Supervisory Control and Data Acquisition (SCADA) systems are used for controlling and monitoring remote operations in a variety of industries and infrastructures, including power utilities, oil and gas production and many more.

SCADA systems include automation devices distributed across multiple remote sites controlled from control centers where all data is clearly presented using an intuitive HMI (Human Machine Interface).

Cyber threats to SCADA systems have in recent years been on the rise. Terrorists and criminals have set their sights on critical infrastructure that utilize SCADA systems due to vulnerabilities and the huge potential to disrupt civilian life.

The Challenge Most SCADA applications utilize a dedicated operational network (OT Network) which is separated from the IT networks (the Enterprise network and the Internet). However, once an attacker gains access to the OT network from any location, there are no security measures that would prevent him from accessing the entire network and inflicting damage to any connected assets locally or at remote sites.

In many utilities, the weakest links, in terms of security, are the remote substations which are located in sparsely populated areas with limited physical security. Connecting to the network in such a remote site provides unlimited access locally and to other sites.

The SCADA networks to such remote sites suffer from several types of security problems. First, Industrial protocols were not planned with security built-in. Therefore there are no authentication methods in the protocols. Once an attacker enters the network, he can send commands to every device that he finds at the network. Another problem is the visibility of the network. In the IT network there are various monitoring tools which assist in detecting security incidents. However, these solutions fail when it comes to the OT network. OT networks have different protocols, different behavior, and even small amount of commands can cause a lot of damage.

Furthermore SCADA systems handle two different types of network traffic that should be protected in different ways: M2M (Machine to Machine) for the automation processes and H2M (Human to Machine) generated by a person inside the SCADA network, usually for maintenance, either physical (on-site) or remote.

The Security Tool-Set ANOMALY DETECTION To protect against various cyber-attacks one needs a good firewall to detect unauthorized traffic even when the attacker gained access to the network. Today there are a few levels of firewalls in the critical infrastructure space - a simple firewall can prevent unauthorized traffic by validating devices at IP level, while other firewalls are analyzing the traffic with DPI (Deep-Packet-Inspection) engines that are validating the SCADA commands in depth.

In light of the predictable nature of the M2M traffic in the SCADA networks, the traffic validation can be further enhanced with behavioral analysis algorithms deployed either in-line throughout the network (IPS – Intrusion-Prevention-System) or in a central monitoring system (IDS – Intrusion-Detection-System).

IDENTITY MANAGEMENT According to NERC CIP, before granting a physical or remote access to the network the users have to be validated. In order to verify the users there are several authentications methods, from physical authentication such as facial recognition and a magnetic card, as well as logical authentication like username and password with smart passwords management. Usually after the user authenticated he gets access to the network and each operation is recorded in a log file.

It is recommended that the access granted to the user would be limited in scope according to the specific task that he has to perform.

INTER SITE CONNECTIVITY Encrypted VPN tunnels provide secure inter-site connectivity against man-in-the-middle attacks. Such VPNs are used when trusted links, such as dedicated fibers, are not available to connect all the remote sites of the utility. There are multiple VPN methods therefore it is important to ensure its fit to the operator needs in aspects such as scalability, interoperability.

On the security plane the important aspects of the VPN are the algorithm types, key length and keys management as defined for example in the FIPS guidelines. Special care should be given to the key management of large-scale distributed VPNs - Pre-shard key is an easy and common key management but it would be better to manage keys with certificates, where the device gets the key from a central server that ensures the device is approved.

Operation use case Security risk Authentication DPI Monitoring DPI Enforcing VPN

SCADA sever devices Medium

Physical access High

Remote access High

Connection between remote sites High

How to secure common SCADA operations

Page 3: Radiflow OT Security

Deep Packet Inspection Firewall for SCADA Networks

Data Sheet Optimized Security approach

for SCADA Networks

Solution Brochure

Radiflow Solution Radiflow’s security solutions were developed especially for the critical infrastructure based on three underlying assumptions: 1. Vulnerabilities exist, whether in the end-devices or the control

systems, in the network or in the SCADA protocols used. 2. Attackers will eventually find a way to penetrate even the most

isolated network, as demonstrated in recent years. 3. The potential damage caused by attacking an infrastructure is

immense, and detection time is critical. Radiflow provides components that identify network threats, isolate malicious activities, and prevent threats from spreading across the network. These solutions are handling both the M2M and the H2M traffic sessions, each with specific tools.

These security solutions were developed using the expertise and experience of our security experts and refined in close interaction with leading SCADA vendors and operators since 2009. These solutions were further validated and endorsed by leading research labs in the U.S and are continuously enhanced based on close cooperation with the academy on new security technologies.

ANOMALY DETECTION In order to achieve maximum protection against cyber threats, Radiflow developed two types of products both utilizing the same SCADA DPI capabilities: 1. Secure ruggedized router - located in the remote sites and

includes a built-in per port SCADA DPI firewall. 2. IDS – A central server that monitors the whole network and can

detect sophisticated attacks within the SCADA network.

DISTRIBUTED DPI FIREWALL To achieve airtight protection, Radiflow developed its DPI Firewall engine for SCADA protocols (DNP3, IEC 101/104/61850, ModBus) that is implemented in distributed ruggedized routers. The distributed DPI firewall ensures that the operator has full control over the network traffic for both M2M and H2M sessions. The whitelist-based

firewall is installed at every port for both Serial and IP traffic, meaning that every access point is firewalled and each SCADA protocol packet is validated up to its function code and the command content.

Once deployed, Radiflow’s devices starts learning the network, including its topology, devices (IP, unit-ID/ASDU), p rotocols, links and valid range parameters. At the end of the learning process, the NMS (network management system) tool displays the network and application topology and suggests a whitelist based on a traffic modeling algorithm. The operator is able to choose and edit which policies to monitor or enforce in each location. The distributed firewall enables the prevention of unauthorized traffic that does not correlate with the whitelist in order to validate M2M sessions and task-based H2M sessions. The firewall is also loaded with signatures for known vulnerabilities of the network devices (e.g. Shellshock).

IDS On top of the distributed DPI deployment, Radiflow offers a complementary IDS server that monitors the network from a central location. The IDS gathers information from the entire network and uses its DPI engine to model the network and application behavior and display its structure (topology, devices, links and SCADA sessions) on an interactive map. This SCADA analysis tool creates a model which characterizes the normal behavior of the distributed SCADA application such as process sequence and device sampling time. Once the model of the normal application is learnt it is presented to the operator for approval. Once approved the network monitoring starts and the model-based IDS tool is able to detect network scanning, out of range commands and parameters and other abnormal activities. Radiflow IDS also includes has a signature based detection engine, a network traffic that correlates to a known vulnerability in one of the protocols or devices (PLC, RTU, etc.), will be detected. Once a deviation is detected an alert is reported to the operator and optionally a Syslog message is sent to a SIEM tool. The user can also drill-down into the traffic that caused the alert and decide if the baseline model should be updated to include such a network activity.

Cyber security solution for substation automation

Page 4: Radiflow OT Security

Data Sheet

Deep Packet Inspection Firewall for SCADA Networks

Optimized Security approach for SCADA Networks

Solution Brochure

IDENTITY MANAGEMENT To protect H2M processes, one of the most important requirements in NERC CIP V.5 for protecting remote sites is the capability to identify the user and create specific network privileges per identified user, prior to granting the user access to the network.

Radiflow’s device includes a built-in APA (Authentic ation Proxy Access) with smart passwords management system. Prior to granting a user network access, the user needs to log in to Radiflow’s internal authentication engine. After validating the user’s profile, specific access is granted to predefined devices and functions, and each operation is logged.

For physical access at remote sites, the Radiflow system integrates with physical identity server systems (e.g. magnetic card access control systems) and dynamically activates a set of cyber-security rules according to the user that entered the site. This adds a layer of authentication to physical (on-site) access to the network. Furthermore the solution is also integrated with video management systems using video analytics for the user authentication and for tuning of the CCTV systems based on the activities detected in the cyber space (technician connected to a specific network port, etc.)

VPN Radiflow routers ensure inter-sites secure connectivity by using L2/L3 VPN. Although there are many VPNs modes such as IPsec, DMVPN and mGRE tunnels, Radiflow routers support interoperability with most leading VPN routers for ensuring a smooth deployment.

Radiflow devices are compliant with FIPS guidelines for cryptography modules, by using recommended algorithms such as 3DES, key length of 256 bits and key management such as X.509 certificates with SCEP enrollment that authenticates the network devices with a central server before initiating the encrypted tunnel.

EASY DEPLOYMENT Radiflow provides a comprehensive SCADA security tool-set. However since security adoption in OT networks is a delicate process, special emphasis is also given to the ease of deployment: 1. Radiflow security routers combine an extensive communication

feature-set (i.e. Ethernet, PoE, Serial and Cellular interfaces) with the security capabilities for easy deployment in remote sites.

2. For the anomaly detection the normal network behavior is learnt automatically and presented to the user for approval before being deployed.

3. All the security features are managed via a central GUI tool that presents the distributed application deployment, its normal behavior baseline and any deviation that is detected.

4. Radiflow security tools provide interfaces for easy integration with other complementary security suites such as syslog reporting to SIEM tools, identity information from physical security servers, etc.

Headquarters: 31 HaBarzel Tel Aviv, 6971045

E-mail [email protected]

www.radiflow.com

North America: 900 Corporate Dr Mahwah, NJ 07430

Integrated with physical authentication solutions


Integrated IT/OT Security Events Management in QRadar · IBM QRadar and Cisco Cyber Vision Integrated IT/OT Security Events Management in QRadar The Industrial Internet is relying

Security in a Converging IT and OT World - General … · Security in a Converging IT/OT World ©2016 SANS™ Institute. ... 5 List of automation protocols:

PowerPoint PresentationSepio Systems | Start-Up Nation Finder. Vdoo | LinkedIn. Claroty - Team8. Armis Security - Crunchbase Company Profile & Funding. BlackEnergy Report. Radiflow

Graphic1 - Shubham Business Standard Bhopal... · 2019-12-27 · the Securitisation and Reconstruction ot Financial Assets and Enforcement ot Security Interest Act, 2002 (The Act)

DATAS Technology · Teradata, SAS, Backbase, Verint, OutSystems, SentinelOne, Nubo, RSA, Radiflow, ThetaRay Our partners ... • Credit process automation project «Credit Factory»

Security Best Practices for Manufacturing OT

Why a Unified Approach to IT and OT Network Security is Critical · 2019-01-03 · Skybox Security | Why a Unified Approach to IT and OT Network Security is Critical 1 ... and USB

PRESENTING OT SECURITY RISK TO THE BOARD · Presenting OT Security Risk to the Board 7 BATTLE-T ESTED INDUSTRIAL CYBERSECURIT Y 4.0 NISD is the first regulation to define “minimum

SECURITY MARKET FLASH REPORT AGC’s Information Security ... · Cloud Security Next Gen SIEM & SOC Zero Trust Digital Transformation Cyber Security Capital Markets IT/OT Convergence

THEME Name Surname, Company Twitter handle (17).pdf · Cyber Security Information Security IT Security Physical Security IoT Security OT Security Smart Grid Security Network Perimeter

Presentazione standard di PowerPoint · Technology Cyber security (INFRASTRUCTURE ORIENTED) IT vs OT. INDUSTRIAL CYBER SECURITY Today the Operation Technology is ... security awareness

ADDRESSING IT OT SECURITY INTEGRATION WITH OT Systems

Encl. switch-discon./Isolators (English - pdf - ABB Ltd · PDF fileotl, ot otl, ot ot ot ot ot ot ot ot ot ot kse kse kse kse kse kse kse kse kse kse otr otr otr otr otr otr ot ot

OT Cyber Security Test - AIVI Web TVwebtv.confindustria.vicenza.it/importedfiles/Simone Riccetti - IBM.pdf · OT Cyber Security Test TEST ENGINEERING Simone Riccetti Senior Managing

24 November 2014 - mhcirl.ie · CMHN CMHN CMHN CMHN CMHN CMHN CMHN CNS Security HCNAttnd OT Security Security sw OT sw Medic Security 48 Catherine Andrews 49 Downey, Ber 50 Goldhawk,

OT Security Maturity Check · OT Security Maturity Check in detail The results can be incorporated into a more comprehensive OT Security Risk Assessment. The Maturity Check can also

Integrated Security Management Framework · Establishing an Integrated Security Management Framework Layered and Flexible Security Architecture IT –OT Security Building Security

CYBER - Radiflow Securityradiflow.com/wp-content/uploads/2017/09/CS4CA_Europe_Brochure.pdf · previously unidentified threats in real time, powered by machine learning and mathematics

Critical Infrastructure and Industrial Automation OT Security · PDF fileCritical Infrastructure and Industrial Automation OT Security ... Industrial Control Systems (ICS)/SCADA are

Top-down security for multi-vendor OT assets · their OT and IT infrastructures. The huge benefits of such “connected operations” include improved productivity and safety that

Olympus VMF, VMT & VMZ Stereo Microscopes Repair Manual · 2020. 9. 14. · OT 0023 OT 0027 OT 0035 OT 0205 OT 0216 OT 1021 OT 1027 OT 1028 OT 1131 ... Fig . 2 Fio 3 In t h i s repai

Dept Subject Call # Level Comments - Andrews University · PDF fileOT OT General BS1110-1136 2 OT OT Introductions BS1139-1141 2 OT OT Commentaries BS1143-1158 2 OT OT Criticism &

IT vs. OT: ICS Cyber Security in TSOs

OT 3XI3/OT 6XI6 Isaiah OT 2XI3 Preaching Isaiah Using Hebrew€¦ · Isaiah OT 3XI3/OT 6XI6 McMaster Divinity College (Winter 2015) Preaching Isaiah Using Hebrew OT 2XI3 (draft) OT

The National Archives National Archives and Records ... · 667842 668228 668561 OT 21 OT 22 a-b OT 23 OT 24 OT 25 OT 26 OT 27 OT 29 OT 30 OT 36 a-b OT 41 OT 49 FT FT FT FT FT FT FT

Disruptive Ideas for IT/OT Security in Energy Systems · Disruptive Ideas for IT/OT Security in Energy Systems Author: Maurice Martin Subject: Presentation on disruptive ideas for

Introduction to Industrial Cyber Security · 2020-06-02 · Security Governance: • Drivers for separate Operational Technology (OT) governance • Policies, standards, processes

penderfund · IDEA GENERATION SECURITY ANALYSIS PENDER FILTERS PORTFOLIO MANAGEMENT Comisno,i ot SECURITY ANALYSIS §§Dynamic, unconventional thinking to obtain an edge. §§Attributes

CI Industrial Security - pccweb.com · Industrial Networking Certification Training* Secure IT / OT Collaboration Secure OT & Automation Networking ... topology, monitoring and diagnostics

Application Note Substation Security - Radiflow

Coffs Coast Surgical Services · 2016. 4. 19. · MKS OT BEL OT Networking waitlist CHHC OT 1 OT 2 OT 3 OT 4 OT 5 MHC OT 1 BHC OT 1 CHHC OT 1 OT 2 OT 3 OT 4 OT 5 First Cataract Patient

OT Cyber Security - AIChE · 2018. 5. 2. · Not one unified platform (Windows XP, Windows 7, Windows 10) Different levels of cyber security maturity among the suppliers OT System

IT/OT Security Awareness - Airbus CyberSecurity

Manufacturing security: Bridging the gap between IT and OT ...€¦ · manufacturing security solutions, IT stays in control. But OT teams get what they need, too. These solutions

SEMINAR: OT SECURITY - sec.in.tum.de€¦ · © Fraunhofer AISEC A. Giehl, P. Wagner, M. Heinl SEMINAR: OT SECURITY PRE-COURSE MEETING 29.01.2020 Alexander Giehl, Patrick Wagner,