CRITICAL INFRASTRUCTURE

Transcription

1 Owl Computing Technologies, Inc. CRITICAL INFRASTRUCTURE Securing Digital Assets Against Cyber Threats 38A Grove St, Ste 101 Ridgefield, CT 06877, USA Toll Free: Phone: Fax: Owl Computing Technologies, Inc.

2 TABLE OF CONTENTS 2... About Owl Computing Technologies, Inc Owl Computing Technologies Global Reach 4... Protecting the Networks of Critical Infrastructure 5... Critical Infrastructure Process Control Networks 6... Owl Solutions for Comprehensive Perimeter Defense Security Architecture to Permit OT & IT Efficiency 9... Customer Case Studies Use Case I: Gas Co Use Case II: Tennessee Valley Authority (TVA) Owl DualDiode Technology Benefits Perimeter Defense Product Line Current Industry Standards & Regulations

3 2 THE NEXT GENERATION OF CYBERSECURITY SOLUTIONS Owl Computing Technologies is the proven source for cybersecurity, with reliable solutions deployed globally in government, military, and critical infrastructure industry networks. Owl is the unparalleled provider of security products to protect important information and connections into and out of sensitive networks, enabling operational efficiencies and mission results. Owl solutions are a key component of your network defensein-depth security strategy. DualDiode Technology and Owl software applications integrate seamlessly into existing network infrastructures. Global Compliance & Certifications US NRC and NERC-CIP Compliant Common Criteria Certified UCDSMO Approved Configurations OPC Certified EU-TUV Compliant Owl next generation solutions enable executives to meet their responsibilties to mitigate cybersecurity threats. THE OWL ADVANTAGE Owl s advanced technology is an unparalleled, impenetrable network security solution designed for absolute network confidentiality, data integrity, and system availability. Owl DualDiode Technology, a patented data diode, coupled with Owl transfer applications for all data types results in hardware-enforced, non-routable technology enabling secure and robust information sharing. The Owl Perimeter Defense Solutions, and other Owl applications, provide corporate networks, confidential databases, plant networks, and other more isolated networks with advanced security technology. THE OWL FOCUS Mission specific and enterprise security solutions delivered ready for use US personnel and Subject Matter Experts US secure supply chain, research, development, and manufacturing Known costs with no operations and maintenance cost creep Data transfer applications integrate seamlessly using transport layer protocols Specialized application transfer products available: OPC, OSIsoft PI, Invensys ArchestrA, and others SECURITY SOLUTIONS DEPLOYED Nuclear, Fossil, and Hydro generation Oil & Gas and Mining industries US National Intelligence Community Department of Defense Telecommunications European and Asian Ministries of Defense

4 3 GLOBAL REACH SWEDEN NORWAY POLAND CANADA USA ENGLAND GERMANY FRANCE JAPAN SOUTH KOREA UAE IRAQ QATAR AFGHANISTAN SAUDI ARABIA AUSTRALIA NEW ZEALAND Patented Network Security Solutions for Government and Commercial Entities Across the Globe CRITICAL INFRASTRUCTURE DEFENSE INTELLIGENCE COMMUNITY Oil and Gas North America, Europe, and Middle East Electric and Water Utilities North America and Europe Chemicals Asia and Middle East Telecommunications North America and Europe Mining North America North America Europe Asia Middle East Australia Services Air Force, Navy, Marine Corps, Army, and Combat Commands North America Europe Asia

5 4 DEFENSE- IN-DEPTH HIGH SECURITY ENTRY-LEVEL PRICING SEAMLESS INSTALLATION INTEROPERABLE PROTECTING THE CONFIDENTIAL INFORMATION NETWORKS AND CONTENT SYSTEMS OF CRITICAL INFRASTRUCTURE Critical infrastructure supports not only the global economy but also our way of life. The fundamental need to fuel cars, power homes, and light cities is essential to industry, government and stability. Without secure network architecture, operations will be hampered in all sectors of the world s critical infrastructure if exposed to cyber attack. Divided into four areas electricity, petroleum, telecommunications, and natural gas the interdependency and reliance of the entire economy on these basic industries heightens the risk that a cyber-attack can disrupt energy supplies, cause blackouts, or worse. The critical infrastructure industries are aware of their vulnerability to cyber threats and are voluntarily taking steps to improve security and preparedness. This brochure is intended to provide critical infrastructure industries with information about advanced, proven network security technology for those industry leaders whose goal is to have the best cyber threat mitigations. THE OWL ADVANTAGE Owl s proven solutions, previously only deployed to protect the classified networks of the United States government, are now commercially available for industry.

6 5 OWL SOLUTIONS Confidential Database Protection and Secure Access Electronic Perimeter Defense for Critical Infrastructure ICS Protection and ICS Data Transfer OPC & Historian Replication Remote Monitoring Security Information and Event Management Network Health and Alarm Management Software Updates and Patch Management Secure and Automated Software Updating Industrial Control Sub Network & Insider Threat Protection SCADA Network Protection Secure Operating Systems Security Planning and Architecture Services Installation Support Product Technical Services Lifecycle and Configuration Management Services Owl Security Operations Center - Monitoring Security Systems 24/7

7 2 CRITICAL INFRASTRUCTURE PROCESS CONTROL NETWORKS AND INDUSTRIAL CONTROL SYSTEMS 6 OWL COMPREHENSIVE PERIMETER DEFENSE ELECTRONIC PERIMETER DEFENSE Problem: Traditional network security tools fail to establish a clear plant perimeter and are inadequate to protect against today s cybersecurity threats. Owl Solution: Owl s Perimeter Defense Solutions (OPDS) provide the plant a hardware-enforced one-way device to complement the physical plant protection against cyber attack. Incorporating Owl s DualDiode Technology isolates the plant, or subnets, mitigating network threats Transport layer protocol interfaces permit the necessary data flow from the plant for corporate use Concurrently transfers multiple data types Deep packet inspection through protocol conversion Security policies are compliant with the Center for Internet Security 1 2 HISTORIAN, ALARM, AND OTHER OPERATIONAL DATA Problem: Corporate and engineering personnel require timely operational data for the efficient management and analysis of plant operations. These information requirements create attack vectors if not transferred from the plant by secure means. Owl Solution: Owl s software applications enable the efficient transfer of plant operational data to corporate and engineering networks. OPDS natively enables the transfer of plant data from a wide variety of industrial control application and device vendors. Certain specialized applications enable historian and other data to be transferred from the plant. Owl PI Transfer Service extracts data from the OSIsoft Plant Information System on the plant network and delivers it to an OSIsoft PI System on the destination network. Similar applications are available for ArchestrA Owl OPC Server Transfer Service (OSTS) is OPC Foundation certified & enables the movement of a wide range of OPC compliant data from the plant to engineering or corporate networks 3 4 SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) Network Health & Alarm Management Problem: Collection of near real-time information about security alerts to a single point, making it easier to see trends, alerts, and improve system availability. Owl Solution: Owl s Comprehensive Perimeter Defense Solutions with Owl Performance Management Service (OPMS) application enables monitoring of the electronic perimeter. Monitoring and management of the electronic perimeter to identify attacks or security issues Real-time monitoring of the Owl Perimeter Defense Solution and selected critical network security devices Clear dashboard of information for ease of issue identification Security alerts for Electronic Security Perimeter network violations and physical substitution/bypass Red alerts on the Dashboard and alerts by or text to administrators and management History of log activity for analysis of anomalies Enables the transfer of network health data to third party SEIM applications SOFTWARE SECURITY UPDATES AND PATCH MANAGEMENT Secure Transfer of Software Updates into Plant Network Problem: Current solutions, such as walk-nets, create an attack vector and delay software updates reducing system security and functionality. Operation requirements call for the timely movement of software updates and patches into the process control network. Ad hoc transfer of other file types into the plant network supports efficient operations. Owl Solution: Secure Software Update Service is a software product that provides a controlled file transfer interface that includes state-of-the-art audit trail access and reporting, and restricts passage to one of three paths: 1. A predetermined set of while list files that are verified by hash number 2. Scanning by one or more anti-malware scanning engines 3. Both anti-malware and white list verification 5 INDUSTRIAL CONTROL SUB NETWORK AND INSIDER THREAT PROTECTION Supervisory Control and Data Acquisition (SCADA) Network Perimeter Defense Problem: Providing perimeter defense to critical sub-networks and important master programmable logic controllers (PLC) is necessary for plant network defense-in-depth. Owl Solution: Owl Perimeter Defense Solution in a DIN-rail form factor permits the advanced protection provided by Owl DualDiode Technology at the sub-network or PLC industrial control system level.

8 7 ADOPTING NEW NETWORK ARCHITECTURE SECURITY 1 TYPICAL VULNERABLE TWO-WAY NETWORK CONNECTION Operations Domain Can be 1000 s of Devices IT Domain Can be 1000 s of Clients Database Historian UDP Applications ICS Monitors Remote Screen View Network Monitoring Historian Replication ICS Space Business Space FIREWALL FIREWALL File/Directory Transfers Aggregated Sensor Data TCP/IP Applications network line File Processing Electronic Collaboration Other Networks Two-way connections between the plant and business networks Network connection supports business efficiency Networks are vulnerable to cyber attack 2 NETWORK SEPARATION Operations Domain Can be 1000 s of Devices IT Domain Can be 1000 s of Clients Database Historian UDP Applications ICS Monitors Remote Screen View Network Monitoring Historian Replication ICS Space Air Gap Business Space File/Directory Transfers Aggregated Sensor Data TCP/IP Applications network line File Processing Electronic Collaboration Other Networks Disconnection impedes business efficiency Not an operationally acceptable solution Need to strike a balance between security and efficiency

9 2 CRITICAL INFRASTRUCTURE PROCESS CONTROL NETWORKS AND INDUSTRIAL CONTROL SYSTEMS 8 TECHNOLOGY ST ALLOWS OT AND IT EFFICIENCY 3 PLANT NETWORK PROTECTED BUT DATA FLOWS Operations Domain Can be 1000 s of Devices IT Domain Can be 1000 s of Clients Database Historian UDP Applications ICS Monitors Network Monitoring Historian Remote Screen View Replication ICS Space Business Space File/Directory Transfers Aggregated Sensor Data TCP/IP Applications DualDiode Technology File Processing Electronic Collaboration Other Networks One-Way Data Flow Security maintains disconnected plant network Information flows to support business efficiency Better security permits OT and IT to coexist 4 EFFICIENT SECURE ARCHITECTURE Operations Domain Can be 1000 s of Devices IT Domain Can be 1000 s of Clients Database Historian UDP Applications ICS Monitors Network Monitoring Historian Remote Screen View Replication ICS Space Business Space File/Directory Transfers Aggregated Sensor Data TCP/IP Applications DualDiode Technology File Processing Electronic Collaboration Other Networks Dual Path DualDiode Data Flow Security maintains a disconnected network Information flows to support business and plant efficiency Best security permits OT and IT efficiency

10 9 CUSTOMER CASE STUDIES BRINGING THE HIGHEST STANDARDS OF GOVERNMENT CYBERSECURITY TO YOUR CRITICAL INFRASTRUCTURE. DoD SERVICES PROVIDER Single enterprise system more than doubled entire organization s capacity Provided a 50:1 footprint reduction of classified assets for customers requirements INTELLIGENCE SERVICES PROVIDER Selected Owl Computing as the preferred transfer solution provider from head-to-head competition DoD Consolidated video and file transfer solution Providing systems that allow collection to be done in unclassified domains, reducing classified footprints UTILITY CUSTOMERS Single solution protecting 22,000 critical assets Single solution consolidating 29 point-to-point links Remote monitoring reduces system maintenance costs

11 10 USE CASE 1: Gas Co. Client oversees and manages all operations associated with seven liquefied natural gas production facilities, major shipping contracts, and global commercial partnerships. PROBLEM: In August 2012, Gas Co. corporate IT, admin, and web services were compromised by a virus attack, causing its plant process network to be disconnect from its business network. EFFECT: Gas Co. needed to connect to maintain continuous operations. SOLUTION: Gas Co. successfully deployed the Owl Electronic Perimeter Defense Solution (EPDS) to bridge the air gap between the plant process network and business network. The Owl EPDS protects plant process control computers and systems while transferring data to business networks for managers, planners, and schedulers to access the data needed for decision making. Gas Co. Installation Plant Network PAS Alarms Business Network PAS Alarms PI System Server PI System Server PI System Server Send Server Owl PI Connector Receive Server Owl PI Connector PI System Server Owl Performance Management Service (OPMS) Monitoring Send and Receive Logs on Receive Side BENEFITS 1 Network security hardware 2 Seamless installation 3 enforced by Owl DualDiode Technology with ease of operation Remote role-based user authentication monitoring and management visit

12 11 USE CASE 2: Tennessee Valley Authority (TVA) TVA is the nation s fifth-largest public power supplier, serving over 150 municipalities and over 50 industries and government installations. PROBLEM: In May 2008, a GAO Audit reported that TVA needed to address weaknesses in control systems and network security. Weak separation existing between networks serving corporate and those serving more sensitive equipment were vulnerable to attack. EFFECT & THREATS: A total air gap response would prevent critical plant data from reaching corporate applications, restricting operational efficiencies and business continuity. To maintain an interconnected network, TVA faced the following threat challenges: More complex zero-day attacks Rise in growth rate of OS and application vulnerabilities Delayed patching of systems and software Potential for internal and external attacks SOLUTION: Deploying data diode one-way technology by Owl Computing Technologies, TVA successfully mitigated threats from internal and external attacks while maintaining interconnected networks. Typical Fossil Data Diode Implementation (Similar for each of 10 plants) Data Collectors PAS Alarms Plant Network Apache Web Server Business Network PI System Server Owl Performance Management Service Corp WAN PI System Server Plant Control System Firewall Firewall Dataware Clients Dataware Historian (Sender) Data Diode Send Server Data Diode Receive Server Dataware Historian (Receiver) BENEFITS 1 Secure data diode one-way 2 Increased network 3 technology separation and control of data flow Elimination of existing vulnerability to internal and external attacks visit

13 12 BENEFITS OF OWL COMPREHENSIVE PERIMETER DEFENSE SOLUTIONS WITH PATENTED DUALDIODE TECHNOLOGY Provides absolute defense against unauthorized access or commands originating from an outside network Guarantee of secure transfer of necessary operational information to and from control system network Concurrently transfer multiple data types using multiple protocols No connection to outside network via routable protocol (no MAC or IP address) Deep packet inspection through protocol conversion Global compliance and certification of products Restricted access to specified protocols and port addresses Center for Internet Security compliant security policies Role Based Access Control (RBAC) menus for administration Peace of mind: password vulnerabilities non-existent Owl DualDiode Technology stands out for its high quality of service, performance, and intensity. PROCESS CONTROL APPLICATIONS Leading Industrial Applications/Historians OSIsoft PI, PI AF, GE ihistorian, GE ifix, Scientech R*Time, Instep edna, GE OSM, Siemens: WinCC, SINAUT/Spectrum, Emerson Ovation, SQLServer, Oracle, Wonderware Historian, AspenTech, Matrikon Alert Manager Leading IT Monitoring Applications Log Transfer, SNMP, SYSLOG, CA Unicenter, CA SIM, HP OpenView, IBM Tivoli, HP ArcSight SIEM, McAfee ESM SIEM Leading Industrial Protocols OPC: DA, HDA, A&E, UA ICCP, Modbus File/Folder Mirroring Folder, tree mirroring, remote folders, (CIFS) FTP/FTFP/ SFTP/TFPS/RCP Remote Access Remote Screen ViewTM, Secure Manual Uplink Other connectors UDP, TCP/IP NTP, Multicast Ethernet Video/Audio stream transfer, Mail server/mail box replication, IBM MQ series, Microsoft MSMQ Antivirus updater, patch (WSUS) updater, Remote print service

14 13 PERIMETER DEFENSE PRODUCT LINE BASIC MID-RANGE ENTERPRISE Owl Enterprise Perimeter Defense Solution Owl s Enterprise Perimeter Defense Solution (EPDS) provides the defense wall around the plant systems. A crucial element of defense-in depth security, EPDS DualDiode Technology delivers a non-ip, non-routable protocol break across electronic security perimeters. This one-way data transfer solution is integrated into commodity Sendand Receive-only servers with Owl s proprietary DualDiode Technology communication cards, connected via fiber optic link. For EPDS, Owl offers link speeds of 155Mbps, 1.25/2.5Gbps, and 10Gbps. Owl data transfer application software is installed in each server in support of the operator s application transfer requirements. Owl Perimeter Defense Solution Multi-Purpose (OPDS-1000) Compact. Affordable Electronic Perimeter Defense. Easy To Deploy. Easy To Use. A one-way data transfer solution supporting multiple data types & formats concurrently across a compact 1U rackmountable chassis Transfer rates are 26, 52, 104, 155, 310, 630Mbps, and 1Gbps OPDS (and other Owl embedded data diode solutions) provide absolute security at the network boundary Secure one-way transfer support for a broad range of database historians Active SCADA, OPC & Modbus interfaces Single multi-function 1U 19-inch chassis Owl Perimeter Defense Solutions (OPDS-100) An OPDS family of application-specific data transfer appliances at an entry level, low cost, price point. These single-chassis, products deliver the same hardware-enforced one-way confidentiality of the proven OPDS-MP platform. Each appliance contains: Single data transfer application Independent Send-only and Receive-only servers Network isolation by Owl DualDiode Technology Owl Security Enhanced Linux Operating System OPDS-100 Support for data transfer speed up to 10Mbps Owl Perimeter Defense Solution DIN rail (OPDS-100D) High Security. Low Cost. Single Purpose. Plant Network OPC Alarms & Events OSIsoft PI System Server File Server Syslog Server Data Diode Send Server EPDS Installation Data Diode Receive Server Monitoring Send and Receive Logs on Receive Side OPDS-1000 Business Network OPC Server OSIsoft PI Server File Directory Syslog/SIM Aggregator Owl Performance Management Service (OPMS) The 100 Series is a family of application-specific one-way data transfer appliances.these singlechassis, rackmountable products deliver the same hardware-enforced one-way confidentiality of the proven OPDS-MP platform. The OPDS-100D version is a DIN rail mountable form factor. Network isolation by Owl DualDiode Technology Support for data transfer speed up to 10Mbps DIN rail

15 14 CURRENT INDUSTRY STANDARDS & REGULATIONS Owl Computing Technologies develops technology to the highest standards of security. Consequently, Owl products and solutions meet or exceed the established guidelines and specifications set forth by the following organizations: NERC CIP CYBER SECURITY NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION The North American Electric Reliability Corporation (NERC) standards set forth the planning and operating requirements for a North American Bulk-Power System. NERC compliance became mandatory in the US in 2007, and includes nine Critical Infrastructure Protection (CIP) standards that address cybersecurity and operations. With Federal Energy Regulatory Commission oversight, NERC enforces compliance standards to ensure power grid security and operability. FIPS FEDERAL INFORMATION PROCESSING STANDARDS Federal Information Processing Standards (FIPS) publications provide a guide for security requirements involving federal information and information systems. NIST NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY National Institute of Standards and Technology (NIST) Special Publications cover areas of general interest to the cybersecurity community, with particular publications including: a Guide for Developing Security Plans for Federal Information Systems, Recommended Security Controls for Federal Information Systems, and a Guide to Industrial Control Systems (ICS) Security. NIST documents are the standard for many federal cybersecurity programs. NRC US NUCLEAR REGULATORY COMMISSION In regulations like 10 CFR Protection of Digital Computer and Communication Systems and Networks and guides to its implementation, the NRC directs nuclear operators to implement cybersecurity to eliminate or mitigate vulnerabilities in the digital system that could be exploited either from outside or inside of the digital system protected area. Owl Computing Technologies closely monitors updates and news from the following organizations and policies to stay abreast of the latest regulations and rules as they pertain to cybersecurity product development and deployment: NIAP NATIONAL INFORMATION ASSURANCE PARTNERSHIP The National Information Assurance Partnership (NIAP) evaluates information technology (IT) products under the coordination of NIST and the NSA. The NIAP program helps consumers choose off-the-shelf IT products to meet their security needs, and helps manufacturers gain standing in the marketplace. PCII PROTECTED CRITICAL INFRASTRUCTURE INFORMATION PROGRAM The Protected Critical Infrastructure Information (PCII) Program is a voluntary information sharing and protection program between system operators and the government. Homeland security partners and the government use PCII for critical infrastructure security analysis, identifying system vulnerabilities, and enhancing response preparedness. PRESIDENTIAL DECISION DIRECTIVE 63 POLICY ON CRITICAL INFRASTRUCTURE PROTECTION (PDD-63) PDD-63 is the framework for critical infrastructure protection (CIP), outlining steps for coordinated efforts between the government and the private sector in protecting essential physical and cyber systems. It further established CIP as a national goal. PRESIDENTIAL POLICY DIRECTIVE CRITICAL INFRASTRUCTURE SECURITY AND RESILIENCE (PPD-21) PPD-21 is a federal directive that addresses the government s role with regard to critical infrastructure functions and responsibilities, while identifying energy systems as particularly critical due to their reach across multiple infrastructure sectors. PPD-21 also delineates the federal government s role in engaging international partners to strengthen interrelated critical infrastructure. The aims of PPD-21 are to organize infrastructure cross-functionality at the government level, allow information exchange, and aid integration and analysis functions used in planning and operations. TECHNICAL REFERENCE LIST Technical Notes on Data Integrity Verification : /technote Secure Software Update Service (SSUS ) White Paper : All Diodes Are Not Equal White Paper : TVA Case Study : /tva_casestudy

16 Cybersecurity Solutions Since 1998 OWL SALES OFFICE 8160 MAPLE LAWN BLVD, 2ND FLOOR SUITE 245 FULTON, MD USA OWL SECURITY OPERATIONS CENTER 63 COPPS HILL ROAD RIDGEFIELD, CT USA SALES & SERVICE PARTNER 4SECURE PO BOX 556 NORTHAMPTON NN3 6UN UNITED KINGDOM SALES & SERVICE PARTNER THE INNOVATIVE OPTION FOR IT SOLUTIONS FIRST STREET, DAMMAN KINGDOM OF SAUDI ARABIA v6.5