Deploying RUGGEDCOM CROSSBOW as an Intermediate Remote Access Solution


Application description
RUGGEDCOM CROSSBOW

Warranty and Liability

Note: The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications, e.g. catalogs, the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc. described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (wesentliche Vertragspflichten). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment. Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens AG.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates. For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit the Siemens industrial security website. To stay informed about product updates as they occur, sign up for a product-specific newsletter.

Siemens Canada Ltd. All rights reserved.
Entry-ID: , 1.0

Table of Contents

Warranty and liability
1 Overview
2 North American Electric Reliability Corporation
3 RUGGEDCOM CROSSBOW
  3.1 Secure Access Manager (SAM)
    RUGGEDCOM CROSSBOW as an Intermediate System
    Helper Applications
    Protocol Break
    Electronic Access Control or Monitoring Systems
  3.2 Station Access Controller (SAC)
4 Transient Cyber Asset
5 Summary
6 Glossary
7 Related literature
8 History

1 Overview

In its ongoing mandate to ensure the stability of the North American Bulk Electric System (BES), in November of 2013 the North American Electric Reliability Corporation (NERC) passed version 5 (v5) of the Critical Infrastructure Protection (CIP) standards. CIP v5 presents new security protections for BES Cyber Systems and extends its protective mandates to other systems used by electric utilities. CIP-005-5, which addresses Electronic Security Perimeters (ESP) and access points on the perimeter, requires that high impact and medium impact BES Cyber Systems with External Routable Connectivity (ERC) utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.

The purpose of this document is to provide guidance on the classification, deployment, and implementation of a Siemens RUGGEDCOM CROSSBOW solution for use as an Intermediate Remote Access System in accordance with Reliability Standard CIP-005-5. It details the use of RUGGEDCOM CROSSBOW as an Intermediate Remote Access System, its classification as an Electronic Access Control or Monitoring System (EACMS), and how it performs the protocol break when the RUGGEDCOM CROSSBOW client launches an application to connect to a remote Intelligent Electronic Device (IED).

2 North American Electric Reliability Corporation

Through the issuing of standards and requirements such as Critical Infrastructure Protection (CIP), and by working with eight regional entities (as identified in Figure 2-1), the mission of NERC is to ensure the reliability and security of North America's Bulk Electric System (BES). The members of the regional entities come from all segments of the electric industry:

- investor-owned utilities
- federal power agencies
- rural electric cooperatives
- state, municipal and provincial utilities
- independent power producers
- power marketers
- end-use customers

These entities account for virtually all the electricity supplied in the United States, Canada, and a portion of Baja California Norte, Mexico.

Figure 2-1: NERC Regional Entities

If there is any question regarding compliance in the placement of the RUGGEDCOM CROSSBOW Secure Access Manager (SAM) or the Station Access Controller (SAC) in your application, contact the NERC Regional Entity in your area for clarification. It is recommended to regularly visit the official NERC website and to obtain updates from your regional entity(s) to ensure you are following the latest CIP standards.

3 RUGGEDCOM CROSSBOW

Siemens RUGGEDCOM CROSSBOW is a scalable enterprise software solution tailored to provide secure, intermediate access to remote IEDs. It was conceptualized and designed to implement the best practices and procedures from Information Technology (IT) and bring them to the Operation Technology (OT) environment, initially with the needs of electric utilities in mind, but positioned for expansion into other security-sensitive markets. Developed as a centralized solution to provide strong, two-factor authentication for authorized users, it delivers cyber-secure access to remote users for the management of IEDs and their associated files. Through RUGGEDCOM CROSSBOW, an IED maintenance application is allowed to remotely communicate with its associated IEDs as if the user were directly connected to the device.

RUGGEDCOM CROSSBOW's client-server architecture allows large enterprises to easily manage secure, remote connectivity to their field IEDs. Access to the system and devices is role based and governed by the appropriate authentication model, such as Active Directory and/or RSA SecurID. These are pre-configured by the system administrator, with all user activity being centrally logged. RUGGEDCOM CROSSBOW provides a secure connection between the end user and the server utilizing Transport Layer Security (TLS) encryption. The client is a thick client that can be installed either on the end user's computer or in a Citrix XenDesktop environment in the secure CIP Control Center environment.

The core component of RUGGEDCOM CROSSBOW is the Secure Access Manager (SAM). It is the primary system that applies the intelligence and security by enforcing strong authentication, roles and policies for secure remote access. Beyond the core functionality of RUGGEDCOM CROSSBOW, additional functionality is available through optional RUGGEDCOM CROSSBOW Application Modules (CAMs), along with support for automated operations including password management, firmware management, file retrieval, connectivity verification, and configuration management of IEDs in the network. In addition to the functionality provided by the SAM, the Station Access Controller (SAC) is an optional RUGGEDCOM CROSSBOW component that provides local and emergency connectivity at the local or substation level.

NOTE: For more details about the SAC, refer to the RUGGEDCOM CROSSBOW User Guide or contact your local Siemens Regional Sales Manager.

3.1 Secure Access Manager (SAM)

As the primary component of the RUGGEDCOM CROSSBOW solution, the Secure Access Manager (SAM) is a centralized remote access enterprise server that can be installed as either a simplex or a high-availability redundant system. When deployed in a properly designed and secured network, it is the means by which all remote connections are made and is the only trusted client source to the IEDs. As the heart of the Intermediate Remote Access System, the SAM provides user role-based access control, site, and IED access management. Once a user is authenticated and logged into the RUGGEDCOM CROSSBOW system, they are presented with the devices (and the access to those devices) granted to their security credentials in RUGGEDCOM CROSSBOW. The SAM has the capability to build secure connections from the end-user computer to authorized remote IEDs either via a virtual serial port or via IP over a secure WAN to a substation gateway device, such as a RUGGEDCOM RX1500.

The gateway provides access to IEDs either directly or through downstream Remote Terminal Units (RTUs).

RUGGEDCOM CROSSBOW as an Intermediate System

When the RUGGEDCOM CROSSBOW client is launched, it builds a TLS connection between the client PC and the Secure Access Manager (SAM) server. This TLS connection encrypts the client-server communication and, provided the client validates the server's certificate (TLS authenticates the server to the client), protects it against man-in-the-middle attacks. After the TLS connection is established, RUGGEDCOM CROSSBOW prompts the user for their login credentials. RUGGEDCOM CROSSBOW then attempts to authenticate the user, utilizing one or more of the authentication methods configured in the server by the system administrator. If the user is authenticated to the system, the server populates the GUI workspace in the RUGGEDCOM CROSSBOW client with the devices and information they have been allowed to access through the roles and access privileges granted to them by the system administrator.

NOTE: For more information on setting up user roles and privileges, please refer to the RUGGEDCOM CROSSBOW User Guide.

If the user is not authenticated through one of the methods configured in the RUGGEDCOM CROSSBOW server, access to the system is denied and the client prevents the user from connecting to the SAM. Each login attempt by a user in RUGGEDCOM CROSSBOW (either successful or unsuccessful) is logged within the RUGGEDCOM CROSSBOW system and can be viewed by an authorized user under Reports, from the RUGGEDCOM CROSSBOW client toolbar.

In the architecture shown in Figure 3-1, the RUGGEDCOM CROSSBOW Secure Access Manager (SAM) server is the intermediate system that manages the authentication of remote access to cyber assets from only authorized users. The SAM is deployed in the utility's CIP environment, and must be placed outside of the Electronic Security Perimeter (ESP).

Figure 3-1: Secure Access Manager (SAM) Architecture

1. Optional Citrix XenDesktop Remote Client Solution
2. PC
3. Wireless LAN Access Point
4. Tablet
5. Smartphone
6. Application Virtualization Server
7. Control Center Network
8. RUGGEDCOM CROSSBOW Secure Access Manager
9. LAN/WAN Connection, Secure Remote Access (SSL)
10. Client
11. Licensed Users
12. High Availability (Optional)
13. Active Directory Server (Optional)
14. RSA Authentication Server (Optional)
15. WAN or Dial-Up Connection
16. Substation
17. Gateway with Optional Station Access Controller (SAC)
18. (Optional) RUGGEDCOM CROSSBOW Local Client
19. IEDs

All communication requests are entered by the user in the client and sent to the SAM. When the SAM receives a request from the client, it determines whether the request is either:

- an allowed and valid request from the user, or
- not allowed and not authorized for the user.

If the request is deemed valid, the server then executes the request for the target device. If the user is not allowed to communicate with a specific device or run a certain command, the server blocks that command and does not execute it, logging the request and the fact that it was blocked. A warning message is sent from the server back to the end user's client notifying them that the command was not executed. This is shown in Figure 3-2.

Figure 3-2: Secure Client Authentication

Helper Applications

When a user selects a target device, they are given the option to choose an application they would like to use when making the connection. In addition to the default applications included with the initial installation of RUGGEDCOM CROSSBOW, the administrator can define additional applications (or helper applications) that can be used to communicate with end devices. These include programs like HyperTerminal, PuTTY, or specific applications required by the manufacturer for communication with their devices. Once an application is selected, RUGGEDCOM CROSSBOW launches it on the client's computer and builds the connection out to the end device through the SAM.

Protocol Break

When any communication is initiated from a user on a client to an end device, it is first sent to the RUGGEDCOM CROSSBOW SAM server. When the SAM receives the request from a client, it evaluates the request and determines if it is a valid request from the end user based upon the requester's rights and privileges. If the request is deemed to be valid by RUGGEDCOM CROSSBOW, the system will:

1) open an access point on the client machine to the SAM for the client-side application
2) open an access point on the SAM to connect to the end device

RUGGEDCOM CROSSBOW then provides a simulated direct connection to the end device. To the user, their client-side application appears to be communicating directly with the end device. However, all traffic is being collected and routed through RUGGEDCOM CROSSBOW. This is true for all connection types, including serial (via a virtual port), a localhost proxy, or a real address proxy. When the traffic enters an access point on the client side, it is collected by a RUGGEDCOM CROSSBOW process that wraps the data in a secured network message before forwarding it to the RUGGEDCOM CROSSBOW SAM server. Upon arrival at the server, the SAM routes the data to the device-side access point, where the RUGGEDCOM CROSSBOW wrapper is removed and the original data is forwarded on to the end device. Data flowing back from the end device uses the same process in reverse.
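The access-point, wrapper and authorization flow just described can be made concrete with a small stand-alone model. The following is an added example written for this page; it is not RUGGEDCOM CROSSBOW code and does not reproduce its wire format. Everything in it is constructed for the demonstration: the TLS session is omitted (plain TCP on loopback), the "secured network message" is a JSON line, the policy table, the user names alice and bob, the device name relay-7, and the fake IED that answers "OK <command>" are all assumptions. What it shows is the property the text relies on: the client-side application never holds a connection to the device, the device only ever sees connections from the intermediate system and never sees the user identity, and a command that fails the policy check is logged and answered with a warning instead of being forwarded.

```python
"""Toy intermediate system: client-side access point, wrapper, policy check,
device-side access point. Added example, not RUGGEDCOM CROSSBOW code; TLS,
policy, names and the fake IED are all constructed for the demonstration."""
import json
import socket
import threading

HOST = "127.0.0.1"

# Constructed access policy: user -> device -> permitted command keywords.
# A real deployment takes this from the roles configured on the SAM.
POLICY = {
    "alice": {"relay-7": {"ID", "STATUS"}},        # read-only on relay-7
    "bob": {"relay-7": {"ID", "STATUS", "SET"}},   # may also change settings
}
AUDIT = []  # every request, allowed or blocked, is recorded here


def authorize(user, device, command):
    """Decide whether `user` may send `command` to `device`; log the outcome either way."""
    allowed = command in POLICY.get(user, {}).get(device, set())
    AUDIT.append({"user": user, "device": device, "command": command,
                  "allowed": allowed})
    return allowed


def _serve(handler):
    """Listen on an ephemeral loopback port and run `handler(conn)` per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen()

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def ied_handler(conn):
    """Stand-in for an IED maintenance port: it sees only the raw command line,
    never the wrapper or the user identity, and answers 'OK <line>'."""
    with conn:
        line = conn.makefile("r").readline().strip()
        conn.sendall(f"OK {line}\n".encode())


def start_intermediate(devices):
    """Device-side access point: unwrap, authorize, forward, relay the reply.
    The `devices` map (name -> address) exists only here, never on the client."""
    def handler(conn):
        with conn:
            msg = json.loads(conn.makefile("r").readline())
            payload = msg["payload"]
            command = payload.split()[0].upper() if payload.split() else ""
            if not authorize(msg["user"], msg["device"], command):
                # Blocked: the client gets a warning and the IED never sees the bytes.
                conn.sendall(f"BLOCKED {command} for {msg['user']} on {msg['device']}\n".encode())
                return
            with socket.create_connection(devices[msg["device"]]) as ied:
                ied.sendall((payload + "\n").encode())  # wrapper removed here
                reply = ied.makefile("r").readline()
            conn.sendall(reply.encode())
    return _serve(handler)


def request(sam_port, user, device, payload):
    """Client-side access point: wrap the application's bytes with the session
    context, send them to the intermediate system, and return its answer."""
    with socket.create_connection((HOST, sam_port)) as s:
        s.sendall((json.dumps({"user": user, "device": device,
                               "payload": payload}) + "\n").encode())
        return s.makefile("r").readline().strip()


def demo():
    """Bring up a fake IED and the intermediate system, then issue three requests."""
    ied_port = _serve(ied_handler)
    devices = {"relay-7": (HOST, ied_port)}
    sam_port = start_intermediate(devices)
    return {
        "alice_status": request(sam_port, "alice", "relay-7", "STATUS"),
        "alice_set": request(sam_port, "alice", "relay-7", "SET 5"),
        "bob_set": request(sam_port, "bob", "relay-7", "SET 5"),
    }


if __name__ == "__main__":
    for name, answer in demo().items():
        print(f"{name:13} -> {answer}")
    for entry in AUDIT:
        print(entry)
```

Running the script shows alice's STATUS and bob's SET 5 answered by the device, alice's SET 5 answered with a BLOCKED warning, and all three attempts in the audit list. In a real deployment the client-to-server leg is the TLS session the text describes, and the client must verify the server certificate for that leg to give the man-in-the-middle protection claimed for it.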

By following this process, at no time is there ever a complete, open connection between the client-side application and the end device. RUGGEDCOM CROSSBOW facilitates the connection and manages all traffic to and from external access points. As depicted in Figure 3-3, RUGGEDCOM CROSSBOW performs the protocol break through its proxy service on the SAM out to the end device.

Figure 3-3: Communication Path (Siemens CROSSBOW Secure Remote Client, Server and IED: protocols and communication path across the Enterprise/IT network, the centralized DMZ and the substation/OT network). The figure shows the IED application on the client PC talking to a Layer 4 proxy daemon in the CROSSBOW client, a TLS/SSL session from the client to the Remote Connector and Connection Manager on the CROSSBOW server, a TLS/SSL proxy client service from the server to the IED maintenance interface (optionally inside a VPN), and the CROSSBOW SAC at Layer 4 in the substation. Its callouts are:

1. CROSSBOW Client PC: the CROSSBOW client emulates a direct, serial, or dial-up connection for the IED application.
2. DMZ Firewall: firewall rules only allow connections to the CROSSBOW server from the IT network. TLS authenticates the server to the client and sets up an encrypted data channel for all client-server communication.
3. CROSSBOW Server: the CROSSBOW server proxies all connections from the client PC to the IED.
4. DMZ Firewall: firewall rules only allow connections from the CROSSBOW server to substation gateways. An optional VPN connection from the CROSSBOW server to the substation gateway provides data encryption on the WAN.
5. Substation Gateway: terminates the VPN connection and provides routing to IEDs; it can also provide serial-to-IP conversion for IEDs connected with a serial interface.
6. IED.
7. CROSSBOW Station Access Controller: substation and DMZ firewall rules must allow the SAC to initiate a connection to the CROSSBOW server for the purposes of end-user authentication.

Two paths are shown: Remote Access (CROSSBOW client to IED) and Automated Functions (CROSSBOW server to IED).

Verification of this protocol break can be seen both in the RUGGEDCOM CROSSBOW SAC tool and from the network itself. When configuring the CrossBow Main Server via the CROSSBOW SAC tool, the parameter Server Port under Connection Configuration allows the installer to enter a port for secure communication between the RUGGEDCOM CROSSBOW Server and the RUGGEDCOM CROSSBOW clients.

Figure 3-4: Configuring the Server Port via RUGGEDCOM CROSSBOW SAC

From the network side, the protocol break can be verified when implementing best practices from IT and conforming to the CIP Standards:

a. CIP-005-5 R1 Part 1.2: All External Routable Connectivity must be through an identified Electronic Access Point (EAP). An example of evidence may include, but is not limited to, network diagrams showing all external routable communication paths and the identified EAPs.

b. CIP-007-6 R1 Part 1.1: Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.

By implementing both of these CIP requirements, traffic going from the client to the SAM will traverse the port identified and configured during the setup of the server and client. All of the traffic to the remote station should be restricted and only allowed from a known source utilizing only known and required ports (including the traffic coming from the Intermediate Remote Access System). When configuring access through the EAP, the address of the RUGGEDCOM CROSSBOW server will need to be added along with the ports required by the remote IEDs to establish a connection, based upon the protocols supported by each individual IED. An address for each individual end user/client is no longer required, because the remote station only ever sees requests from the SAM.

Electronic Access Control or Monitoring Systems

NERC defines an EACMS in CIP as: Electronic Access Control or Monitoring System (EACMS): Applies to each Electronic Access Control or Monitoring System associated with a referenced high impact BES Cyber System or medium impact BES Cyber System. Examples may include, but are not limited to, firewalls, authentication servers, and log monitoring and alerting systems.

As the Intermediate Remote Access device used for remote access and strong two-factor authentication, the RUGGEDCOM CROSSBOW SAM is classified as an Electronic Access Control or Monitoring System (EACMS). As highlighted in Figure 3-5, the SAM and all of the components that provide the functionality of the Intermediate Remote Access system (including those systems used for authentication to the Intermediate Remote Access system) are classified as EACMSs. The items classified as EACMS are called out below. Note that the optional Application Virtualization Server may or may not be classified as an EACMS depending on its location (inside or outside of the controlled CIP environment).

Figure 3-5: EACMS Components

1. Application Virtualization Server (Optional)
2. RUGGEDCOM CROSSBOW Secure Access Manager
3. High Availability (Optional)
4. Active Directory Server (Optional)
5. RSA Authentication Server (Optional)
6. Gateway with SAC

The NERC guidance for CIP-003 Requirement R2 states: A Cyber Asset that contains interface(s) that only perform the function of a Low Impact BES Cyber System Electronic Access Point (LEAP) does not meet the definition of Electronic Access Control or Monitoring System (EACMS) associated with medium or high impact BES Cyber Systems and is not subject to the requirements applicable to an EACMS. However, a Cyber Asset may contain some interfaces that function as a LEAP and other interfaces that function as an EAP for high or medium impact BES Cyber Systems. In this case, the Cyber Asset would also be subject to the requirements applicable to the EACMS associated with the medium or high impact BES Cyber Systems.

Examples of sufficient access controls provided by NERC may include:

- Any Low Impact External Routable Connectivity (LERC) for the asset passes through a LEAP with explicit inbound and outbound access permissions defined, or an equivalent method by which both inbound and outbound connections are confined to only those that the Responsible Entity deems necessary (e.g., addresses, ports, or services).
- A non-BES Cyber Asset that has been placed between the low impact BES Cyber System on the substation network and the Cyber Asset in the business network. The expectation is that the non-BES Cyber Asset has provided a protocol break so that access to the low impact BES Cyber System is only from the non-BES Cyber Asset that is located within the asset containing the low impact BES Cyber System.

An example of sufficient access control breaks can be seen in Figure 3-6 below.

Figure 3-6: RUGGEDCOM CROSSBOW as the Protocol Break

3.2 Station Access Controller (SAC)

RUGGEDCOM CROSSBOW provides local and emergency connectivity through its optional Station Access Controller (SAC), which can be installed at the local or substation level. The RUGGEDCOM CROSSBOW SAC provides the same level of command control and logging when a user is physically present in the station, even when there is a loss of communication between the centralized SAM and the remote site. The data on the RUGGEDCOM CROSSBOW SAC is completely synchronized with the RUGGEDCOM CROSSBOW SAM server.

The SAC may be installed directly on the RUGGEDCOM ROX II operating system (e.g. on a RUGGEDCOM RX1500/RX5000 device running RUGGEDCOM ROX II), or it may run on the RUGGEDCOM RX1500 Application Processing Engine (APE) module. Since the SAC runs natively on the RUGGEDCOM ROX II operating system, no additional substation computers are required. The primary purpose of the SAC is to provide secure access controls for authorized users to devices within a substation if the WAN connection to the Control Center is lost. Through the system-to-system communication between the SAM and the SAC while the WAN is operational, the SAC maintains an updated database of the cyber assets co-located with it in the substation and of the users authorized for those devices.

As shown in Figure 3-7, when placed within the ESP, the SAC is part of the overall solution that provides secure access and a protocol break between the end user and the IEDs in the substation. As such, the SAC is considered an EACMS.

Figure 3-7: EACMS Components

1. ESP
2. Gateway with SAC

During the design of the CIP environment and ESP in the substation, access to the SAC should be taken into consideration. In the event the WAN connection is lost and there is a need to access the SAC to connect to the devices in the substation, the point where the end user makes the connection to access the SAC must also be defined. If the connection is made within the ESP, the device making the connection is considered a transient device. For the device not to be considered a transient device, it must make the connection from outside of the ESP.
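Earlier in this section the EAP rules were stated in prose (only the SAM's address may reach the IEDs, on only the ports the IEDs require; clients reach the SAM on the configured Server Port; the SAC may call back to the SAM for authentication) and it was noted that the protocol break can be verified from the network itself. The following added example turns both into a check that can be run against a firewall log. It is not RUGGEDCOM CROSSBOW code or a documented configuration: the IT network range, the SAM address, the Server Port value 7777, the substation range, the gateway address, the IED port set and the log lines are all constructed for the demonstration, and the log line format is an assumed one rather than any particular firewall's syntax.

```python
"""EAP rule model and network-side verification of the protocol break.
Added example, not RUGGEDCOM CROSSBOW code or configuration; every address,
the Server Port value, the IED ports and the log are constructed."""
import ipaddress
import re

# Constructed addressing. SAM_PORT stands for the "Server Port" the installer
# entered under Connection Configuration; it is not a documented default.
IT_NET = ipaddress.ip_network("10.10.0.0/16")        # end-user client network
SAM = ipaddress.ip_address("10.20.0.5")               # CROSSBOW SAM in the DMZ
SAM_PORT = 7777
SUBSTATION = ipaddress.ip_network("192.168.50.0/24")  # inside the ESP
GATEWAY = ipaddress.ip_address("192.168.50.1")        # gateway running the SAC
IED_PORTS = {23, 102, 20000}                          # only what the IEDs need


def eap_allows(src, dst, dport):
    """Policy at the EAP / DMZ firewalls. Exactly three flow classes exist:
    clients to the SAM, the SAM to IEDs on required ports, and the SAC calling
    back to the SAM. Everything else is denied, in particular any end-user
    address reaching an IED directly."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in IT_NET and dst == SAM and dport == SAM_PORT:
        return True
    if src == SAM and dst in SUBSTATION and dport in IED_PORTS:
        return True
    if src == GATEWAY and dst == SAM and dport == SAM_PORT:
        return True
    return False


LOG_RE = re.compile(
    r"(?P<verdict>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def audit(log_text):
    """Compare every ACCEPTed flow in a firewall log with the policy.
    Returns (line_no, reason) findings; an empty list means every accepted
    connection into the substation came from the SAM on a required port."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m or m["verdict"] != "ACCEPT":
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if eap_allows(src, dst, dport):
            continue
        if ipaddress.ip_address(dst) in SUBSTATION and ipaddress.ip_address(src) != SAM:
            findings.append((n, f"protocol break bypassed: {src} reached {dst}:{dport} directly"))
        else:
            findings.append((n, f"flow not in policy: {src} -> {dst}:{dport}"))
    return findings


# Constructed firewall log. Lines 5 and 7 are deliberate misconfigurations:
# an end-user PC reaching a relay directly, and the SAM using a port no IED needs.
SAMPLE_LOG = """\
ACCEPT src=10.10.4.12 dst=10.20.0.5 dport=7777
ACCEPT src=10.20.0.5 dst=192.168.50.20 dport=102
ACCEPT src=10.20.0.5 dst=192.168.50.21 dport=23
ACCEPT src=192.168.50.1 dst=10.20.0.5 dport=7777
ACCEPT src=10.10.4.12 dst=192.168.50.20 dport=23
DROP src=10.10.4.12 dst=192.168.50.21 dport=102
ACCEPT src=10.20.0.5 dst=192.168.50.20 dport=22
"""

if __name__ == "__main__":
    for n, reason in audit(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The first finding is the one that matters for CIP-005-5: an accepted connection into the ESP whose source is not the SAM means a client reached a cyber asset without passing through the Intermediate System, so the protocol break is not actually enforced by the EAP. The second finding is a CIP-007 port-hygiene issue rather than a bypass. Running the same check over the substation gateway's connection log (rather than the DMZ firewall's) gives the independent confirmation that IEDs only ever see the SAM's address.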

4 Transient Cyber Asset

When connecting to RUGGEDCOM CROSSBOW within the ESP to access IEDs, it is important to understand the requirements and classification from NERC for the devices making these connections. CIP-010-2 exists as part of a suite of CIP Standards related to cyber security and Transient Cyber Assets which require the initial identification and categorization of BES Cyber Systems and require a minimum level of organizational, operational and procedural controls to mitigate risk to BES Cyber Systems. NERC explains that examples of Transient Cyber Assets include but are not limited to:

- diagnostic test equipment
- packet sniffers
- equipment used for BES Cyber System maintenance
- equipment used for BES Cyber System configuration
- equipment used to perform vulnerability assessments

These may include devices or platforms such as laptops, desktops or tablet computers which run applications that support BES Cyber Systems.

As stated in CIP Standard CIP-010-2: To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES. Requirement R4 is to address FERC Order No. 791 Paragraphs 6 and 136, which require the standards to address security-related issues associated with tools specifically used for data transfer, vulnerability assessment, maintenance, or troubleshooting. These tools are potential vehicles for transporting malicious code into a facility and subsequently into Cyber Assets or BES Cyber Systems. To that end, the requirement goals are as follows:

1) Preventing unauthorized access or malware propagation to BES Cyber Systems through Transient Cyber Assets or Removable Media; and
2) Preventing unauthorized access to BES Cyber System Information through Transient Cyber Assets or Removable Media.

The Standard Drafting Team (SDT) has incorporated the concepts of requirements from other FERC-approved CIP standards to help define the requirements for Transient Cyber Assets and Removable Media.

Summary of Changes for Transient Cyber Assets in CIP-010-2: All requirements related to Transient Devices and Removable Media are included within a single standard, CIP-010. Due to the newness of the requirements and definition of asset types, the SDT determined that placing the requirements in a single standard would help ensure that entities were able to quickly identify the requirements for these asset types. While the requirements are similar, they are not to the same rigor as those found in CIP-007 protecting the permanent assets identified by an entity. A separate standard was considered for these requirements. However, the SDT determined that these types of assets would be used in relation to change management and vulnerability assessment processes and should, therefore, be placed in the same standard as those processes.

Transient Cyber Asset: A Transient Cyber Asset is a Cyber Asset that is directly connected for 30 consecutive calendar days or less to: (1) a BES Cyber Asset, (2) a network within an ESP, or (3) a Protected Cyber Asset. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.

Removable Media: Removable Media is considered portable media, connected for 30 consecutive calendar days or less, that can be used to copy, move and/or access data. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory. A Cyber Asset is not Removable Media.

Exceptions: The 30-day exemption has been removed from the BES Cyber Asset and Protected Cyber Asset definitions.

Connection to the RUGGEDCOM CROSSBOW SAM from remote stations can be achieved via several scenarios. One way would be for the RUGGEDCOM CROSSBOW client to be installed permanently on a computer in the remote station. In this scenario, the computer would be considered a Cyber Asset and would need to follow all firmware and patch management requirements per NERC standards.

Alternatively, the RUGGEDCOM CROSSBOW client can be installed on a Citrix XenDesktop as described in Section 3. The end user would bring their laptop into the remote station and connect to the CIP environment. After connecting and authenticating to the CIP environment, the end user would connect to the Citrix XenDesktop and launch the RUGGEDCOM CROSSBOW client from there. The end user's laptop would be considered a transient device as long as it does not remain connected for an extended period of time and follows the requirements of a transient device, as defined by NERC. In this scenario the client is not considered an EACMS because there is no direct connection to the end IEDs. The RUGGEDCOM CROSSBOW server is still providing the necessary protocol break between the end user and the remote IED, securing the communication as required by NERC.

Finally, an end user could bring their laptop into the remote station, connect to the CIP environment, and launch the RUGGEDCOM CROSSBOW client. The RUGGEDCOM CROSSBOW client would point to the RUGGEDCOM CROSSBOW server in the CIP Control Center and authenticate the end user. In this scenario the end user's laptop would still be considered a transient device based upon the definition above. Because the RUGGEDCOM CROSSBOW server is still providing the access and authentication to the end IEDs, along with the required protocol break, it is still fulfilling the role of the Intermediate Remote Access Device and is classified as an EACMS. As in the previous scenario, the client is not considered an EACMS because there is no direct connection to the end IEDs.

5 Summary

The RUGGEDCOM CROSSBOW SAM provides the functionality of the Intermediate Remote Access solution for securing remote IEDs. It provides the necessary protocol break between the end-user and the Cyber System IEDs to ensure the communication is secured, authenticated and logged. When the EAP is configured properly, the only way to access remote BES Cyber Assets is through a request initiated by an authorized user through the RUGGEDCOM CROSSBOW server to the remote IEDs. Requests for access to IEDs from any other source should be denied.

As NERC has defined EACMS as Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems, the RUGGEDCOM CROSSBOW SAM, the RUGGEDCOM CROSSBOW SAC and any of the systems used to provide authentication to RUGGEDCOM CROSSBOW (e.g. RSA, Active Directory) are classified as EACMSs. Because RUGGEDCOM CROSSBOW provides the protocol break between the end-user and the remote IEDs, the client used for RUGGEDCOM CROSSBOW is not classified as an EACMS. Any command or request made by the end-user is sent to the SAM and evaluated as a valid command before the SAM executes anything.

RUGGEDCOM CROSSBOW has maintained a leadership position in the market and continues to evolve its cyber security features and functionality for IT operations in an OT environment. RUGGEDCOM CROSSBOW provides a seamless configuration environment ensuring IED connectivity, and activity logging is maintained at the substation level by utilizing the SAC even if the connection to the central server is disabled. By ensuring that only authorized and authenticated users have access to the remote Cyber Assets, RUGGEDCOM CROSSBOW helps to provide a secure remote access solution to remote IEDs.

When used in combination with the RUGGEDCOM CROSSBOW Station Access Controller for local substation access, the RUGGEDCOM CROSSBOW system is an integrated and comprehensive solution for secure remote access.
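The access path that the client scenario and this summary describe (the EAP admitting IED traffic only from the SAM/SAC, the SAM authenticating the user and evaluating every command before anything is executed, and each decision being logged) can be modelled as a small policy evaluator. The following is an added illustration, not RUGGEDCOM CROSSBOW code or its configuration format; the addresses, user accounts, per-IED command lists and authorizations are all constructed for the example.

```python
"""Model of the RUGGEDCOM CROSSBOW access path: an EAP that accepts IED traffic
only from the SAM/SAC (the Intermediate Remote Access Devices), and a SAM that
authenticates the user and evaluates each command before the IED sees anything.
All hosts, addresses, users and command sets below are constructed examples."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List

# Constructed topology (not taken from the original document).
IED_NETWORK = ip_network("10.20.0.0/24")          # IEDs inside the ESP
SAM_ADDRESS = ip_address("10.10.0.5")              # CROSSBOW server in the CIP control center
SAC_ADDRESS = ip_address("10.20.0.2")              # Station Access Controller in the substation
INTERMEDIATE_DEVICES = {SAM_ADDRESS, SAC_ADDRESS}  # the only sources the EAP admits

# Constructed per-IED command allow-lists (the real SAM evaluates against device profiles).
IED_COMMANDS = {
    "10.20.0.10": {"SHOW CONFIG", "SHOW EVENTS"},
    "10.20.0.11": {"SHOW CONFIG", "SET RELAY"},
}
# Constructed user authorizations; the back-end that supplies them (e.g. Active Directory) is an EACMS.
USER_AUTHORIZATIONS = {
    "alice": {"10.20.0.10", "10.20.0.11"},
    "bob": {"10.20.0.10"},
}


@dataclass
class Decision:
    permitted: bool
    stage: str    # "EAP" or "SAM": where the request was decided
    reason: str


@dataclass
class AuditLog:
    entries: List[str] = field(default_factory=list)

    def record(self, user, ied, command, decision):
        # Every decision is logged, including denials, as the summary requires.
        self.entries.append(
            f"user={user} ied={ied} cmd={command!r} {decision.stage}: {decision.reason}")


def eap_permits(src, dst):
    """The EAP rule: traffic into the IED network is accepted only from the SAM or SAC."""
    src, dst = ip_address(src), ip_address(dst)
    if dst not in IED_NETWORK:
        return Decision(False, "EAP", "destination is not an IED inside the ESP")
    if src not in INTERMEDIATE_DEVICES:
        return Decision(False, "EAP", f"source {src} is not an Intermediate Remote Access Device")
    return Decision(True, "EAP", "source is the SAM/SAC")


def sam_evaluate(user, authenticated, ied, command):
    """The protocol break: the SAM checks the user's request instead of forwarding it."""
    if not authenticated:
        return Decision(False, "SAM", "user not authenticated")
    if ied not in USER_AUTHORIZATIONS.get(user, set()):
        return Decision(False, "SAM", "user not authorized for this IED")
    if command not in IED_COMMANDS.get(ied, set()):
        return Decision(False, "SAM", "command not valid for this IED")
    return Decision(True, "SAM", "authenticated, authorized, valid command")


def request_via_sam(user, authenticated, ied, command, log):
    """End-user -> SAM -> EAP -> IED: the SAM, not the user's laptop, opens the IED connection."""
    decision = sam_evaluate(user, authenticated, ied, command)
    if decision.permitted:
        decision = eap_permits(SAM_ADDRESS, ied)
    log.record(user, ied, command, decision)
    return decision


def request_direct(user, laptop_address, ied, command, log):
    """A transient device trying to reach the IED without the SAM is stopped at the EAP."""
    decision = eap_permits(laptop_address, ied)
    log.record(user, ied, command, decision)
    return decision


def run_scenarios():
    """Four constructed requests; only the authorized, valid one through the SAM is permitted."""
    log = AuditLog()
    results = {
        "authorized_via_sam": request_via_sam("alice", True, "10.20.0.10", "SHOW EVENTS", log).permitted,
        "direct_from_laptop": request_direct("alice", "192.0.2.77", "10.20.0.10", "SHOW EVENTS", log).permitted,
        "invalid_command": request_via_sam("alice", True, "10.20.0.10", "SET RELAY", log).permitted,
        "unauthorized_ied": request_via_sam("bob", True, "10.20.0.11", "SHOW CONFIG", log).permitted,
    }
    return results, log.entries


if __name__ == "__main__":
    for line in run_scenarios()[1]:
        print(line)
```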

6 GLOSSARY

APE    Application Processing Engine
BES    Bulk Electric System
CIP    Critical Infrastructure Protection
DMZ    Demilitarized Zone
EACMS  Electronic Access Control or Monitoring System
EAP    Electronic Access Point
ERC    External Routable Connectivity
ESP    Electronic Security Perimeter
IED    Intelligent Electronic Devices
IP     Internet Protocol
IT     Information Technology
LEAP   Low Impact BES Cyber System Electronic Access Point
LERC   Low Impact External Routable Connectivity
NERC   North American Electric Reliability Corporation
OT     Operation Technology
ROX    Rugged Operating System on Linux
RSA    Rivest, Shamir, and Adleman SecurID
RTU    Remote Terminal Unit
SAC    Station Access Controller
SAM    Secure Access Manager
SDT    Standard Drafting Team
TLS    Transport Layer Security
WAN    Wide Area Network

8 History

Table 8-1
Version  Date     Modifications
V1.0     03/2016  First version


More information

Application about Communication

Application about Communication Application about Communication Integration of ET200S PROFIBUS I/O in a Rockwell CompactLogix Controller Configuration Example Warranty, liability and support Note The application examples are not binding

More information

Alberta Reliability Standard Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-AB-1

Alberta Reliability Standard Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-AB-1 A. Introduction 1. Title: 2. Number: 3. Purpose: To prevent and detect unauthorized changes to BES cyber systems by specifying configuration change management and vulnerability assessment requirements

More information

A brief on Two-Factor Authentication

A brief on Two-Factor Authentication Application Note A brief on Two-Factor Authentication Summary This document provides a technology brief on two-factor authentication and how it is used on Netgear SSL312, VPN Firewall, and other UTM products.

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

Information Technology Security Guideline. Network Security Zoning

Information Technology Security Guideline. Network Security Zoning Information Technology Security Guideline Network Security Zoning Design Considerations for Placement of s within Zones ITSG-38 This page intentionally left blank. Foreword The Network Security Zoning

More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

Security Policy for External Customers

Security Policy for External Customers 1 Purpose Security Policy for This security policy outlines the requirements for external agencies to gain access to the City of Fort Worth radio system. It also specifies the equipment, configuration

More information