Trends, Issues, and New Standards for ICS Security


David Mattes 1*
1 Asguard Networks, Inc., 3417 Fremont Ave N, Suite 221, Seattle, Washington, 98103, USA (*correspondence: Tel: )

KEYWORDS: Cybersecurity, ICS Security, network security, segmentation, isolation, VLAN, overlay network

ABSTRACT
This paper is divided into three broad sections. First we present an overview of Industrial Control Systems (ICS) security issues and trends and how these affect water / wastewater environments. This introductory section provides examples of ICS networks and illustrates design vulnerabilities. Second we discuss standards from ISA (ISA TR), the Trusted Computing Group (Metadata for ICS Security), and the Internet Engineering Task Force (Host Identity Protocol) that focus on a specific issue related to ICS security: how to efficiently and flexibly enable private, secure communications for ICS devices over untrusted large-scale networks. We discuss how these standards relate to one another and their importance in providing a basis for interoperable product solutions. In the third section we present features of a network segmentation product based on these standards. This product has been deployed in a county water / wastewater utility. We present the water / wastewater network segmentation design and discuss the benefits of solutions based on these standards and technology.

Introduction
The world's critical infrastructure is exposed, vulnerable, and fragile [1]. From the top floor to the shop floor there is a growing awareness that all is not quiet on the industrial cybersecurity front. On a daily basis we are reminded of the threat of targeted attacks on critical infrastructure. Additionally, researchers are finding thousands of ICS systems directly connected to the Internet. Beyond targeted attacks, many experts believe the greatest threat vectors to ICS systems are vanilla malware and internal (accidental and intentional) incidents [2].
We desperately need standards-based tools to help us manage the connectivity and security risks that result from adding ever-increasing levels of connectivity. Standards from ISA, TCG, and IETF taken together provide a compelling architecture and specification for constraining connectivity to the absolute minimum through a process known as network segmentation. This architecture allows a common core network infrastructure to be divided into tightly constrained zones, with policy-enforced conduits of connectivity between the zones. When implementing a network segmentation architecture for industrial networking, the design must focus on robustness, reliability, and security. New commercial products are now available that implement advanced network segmentation capabilities, with a novel delegated approach to managing and supporting ICS network environments. This dual view can bridge the cultural divide that often separates operational and IT organizations within an Enterprise.

[1] Langner, R.; Robust Control System Networks; Momentum Press.
[2] Macaulay, T. and Singer, B.; Cybersecurity for Industrial Control Systems; CRC Press, 2011.

Presented at the 2013 ISA Water/Wastewater and Automatic Controls Symposium, Crowne Plaza Orlando-Universal Hotel, Orlando, Florida, USA, Aug 6-8, 2013

The evolving threat landscape for ICS
A variety of threat actors with a wide variety of motives makes the risk of loss of control and loss of view very real for water and wastewater organizations.

[Figure 1: 2010 Reported incident types (RISI)]

[Figure 2: 2010 Reported incidents by industry (RISI)]

[Figure 3: Reported ICS vulnerabilities [3,4]]

Standards-based architecture for network segmentation
The ISA TR architecture is titled Backhaul Architecture Model: Secured Connectivity over Untrusted or Trusted Networks [5], and describes an overlay network concept that leverages shared network infrastructure to create isolated network environments for distributed components of a control system that need to communicate with one another. These overlay networks are logical constructs that can be used to enforce the principle of least-privilege communications across network trust boundaries. These overlay networks map directly to the ISA 99 notion of zones.

[Figure 4: The ISA private overlay network architecture. Elements shown: CMDB, Web Application, Secure Network Management System, Shared IP Network Infrastructure, three NSAs, Security Boundary, Private Overlay Network containing HMI & PLC, HMI, Server, Valve Controller]

In Figure 4, the orange line denotes a security boundary across which no communications are allowed. The green circles in Figure 4 represent Network Security Appliances (NSAs), called Backhaul Interfaces in the ISA TR nomenclature, that create the private overlay network. The database cylinder in Figure 4 represents a Configuration Management Database (CMDB) specifically for distributing policy and network configuration for private overlay network functionality. Along with the TCG IF-MAP base specification [6], the IF-MAP Metadata for ICS Security specification [7] specifically addresses the CMDB component in the ISA TR architecture. The TCG specifications define publish-subscribe semantics to deliver network and policy configuration data to the network security appliances in network real time. When the CMDB is coupled with a web-based user interface, a comprehensive Secure Network Management System provides complete lifecycle management of the NSAs and the private overlay networks. The ISA TR model specifies that the NSAs shall implement a data caching model for the configuration and policy data so that they can continue to function and apply policies in the event that the CMDB becomes unavailable.

The NSA maintains a network link presence on two or more networks. One NSA link is to the local control system equipment, either directly connected to a single piece of equipment or connected via intermediate network switches and/or other infrastructure. A second NSA link is to the shared network infrastructure. The NSA can maintain additional network links to the shared network infrastructure, e.g. for different network media (802.3, , GSM) or link bonding for failover connectivity to the shared network.

[Figure 5: Secure communications with CMDB. Elements shown: CMDB, Web Application, Shared IP Network Infrastructure, HTTPS / SOAP links, HMI, Server]

The NSA connects to the CMDB to obtain its network security policy configuration. In order to maintain the integrity and confidentiality of this configuration data, communications with the CMDB shall be authenticated and encrypted. As shown in Figure 5, and described in the TCG IF-MAP Metadata for ICS Security Specification, NSA to CMDB communications are secured using an HTTPS/SOAP communications protocol. Furthermore, the CMDB shall mutually authenticate clients using PKI and only permit authorized clients to connect. The configuration and policy data that are stored in the CMDB shall follow the TCG IF-MAP Metadata for ICS Security Specification. The manipulation of the configuration and policy data occurs through the Administrative Application. The connection between the Administrative Application and the CMDB shall be secured using HTTPS communications, as shown in Figure 5. The Administrative Application shall enforce user authentication policies to restrict access to the Administrative Application.

[3] Data: ICS and US CERT Advisories.
[4] McBride, S.; Documenting the Lost Decade.
[5] ISA Website:
[6] TCG Website: https://www.trustedcomputinggroup.org/resources/tnc_ifmap_binding_for_soap_specification
[7] TCG Website:
As shown in Figure 6, in response to communications from a local to a remote control system component, the NSA establishes an encrypted tunnel between the respective pair of NSAs, based on the unique cryptographic identities within each NSA. Since the NSA encrypts communications, the communications of the control systems components are hidden from the shared network and protected against network attacks. The encapsulation and encryption of communications between control systems components within the overlay network is depicted in Figure 6, and further described in the HIP VPLS document [8].

[Figure 6: Encapsulation of control systems communications over shared network]

The NSA shall be transparent to the existing control systems components, yet the NSA shall never allow control systems communications to route across the NSA and enter the shared network, and vice versa. The NSA shall not communicate on the local control systems network, but shall present to the local systems a virtual wired connection to the remote control systems components, as allowed by policies stored in the CMDB. Since the control systems communications are isolated from the shared network, their IP address configuration is independent of the shared network IP address space. If the shared network changes and the NSAs obtain different shared network IP addresses, the control system components can retain their own independent IP addresses. From the private overlay network perspective, the NSA acts as a transparent bridge to remote overlay network devices or segments. The private overlay network appears as a single IP broadcast domain to the ICS components. This property allows control systems components to use protocols (e.g. broadcast and multicast) that are difficult to manage on the shared network.

Secure communications example
As an example, consider the HMI and Server in Figure 6. When the HMI wants to communicate with the Server, the HMI sends out an ARP Request for the Server. The ARP Request asks the question: What is the MAC for the device with IP Address ? Since the ARP Request is a broadcast packet, all local devices see this packet. When the NSA connected to the HMI sees this ARP Request, the NSA creates an Encrypted Tunnel to the remote NSA, encapsulates and encrypts the ARP Request, and sends the Encapsulated Packet to the remote NSA over the Shared Network. The NSA connected to the Server decrypts and extracts the ARP Request and sends it out on the local network segment connected to the Server. The packet appears on the local network segment as a broadcast packet and therefore the Server sees the ARP Request. The Server responds to the ARP Request with a unicast ARP Reply. This ARP Reply is delivered to the NSA on the local network segment.

[8] IETF Website:

The NSA encrypts and encapsulates the ARP Reply and sends it to the remote NSA over the Shared Network. The NSA connected to the HMI then decrypts and extracts the ARP Reply and sends it out on the local network segment as a unicast packet to the HMI. From this point IP traffic continues to flow between the HMI and Server in the same fashion. Any intermediate network switches between the NSA and the local control system equipment perform the task of mapping flows to specific switch ports (this is the function of the switch).

A foundational tool for network segmentation
A commercial implementation of the ISA TR and HIP VPLS architecture models is now available. This product also implements the TCG IF-MAP Metadata for ICS Security specification for the overlay network security policy configurations. Products based on these standards extend the accepted security of VPNs and firewalls with a robust and flexible management layer, which makes the management and security of ICS clear, simple, and easy to use. Using an advanced network segmentation tool, an Enterprise can provide secure private networks as an internal managed service. Administrators create individual private networks in response to requests from internal user groups (e.g. operations). A private overlay network is created simply by giving the network a unique name in the Enterprise environment. Users are then delegated to manage the configuration of the control systems components inside this network, and the security policy configuration governing connectivity between the control systems components. The ability to delegate administration of different elements of the secure industrial network is a key innovation of advanced network segmentation products.
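To make the secure communications example above concrete, here is an added simulation (not code from the paper or from Asguard Networks' product) of two NSAs bridging an HMI and a Server across an untrusted shared network, with overlay membership taken from a constructed CMDB policy dict that each NSA caches locally. The cipher is a stand-in (HMAC-SHA256 keystream plus HMAC tag) rather than HIP/ESP, and the MAC and IP addresses, overlay names and NSA names are all constructed for the illustration.

```python
import hashlib, hmac, os, struct
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    """A layer-2 frame on a control-system segment (constructed, simplified)."""
    src_mac: str
    dst_mac: str
    payload: str  # "ARP-REQ <ip>" or "ARP-REP <ip> <mac>"
    def encode(self) -> bytes:
        return f"{self.src_mac}|{self.dst_mac}|{self.payload}".encode()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in keystream (HMAC-SHA256 in counter mode); a real NSA uses the HIP/ESP cipher suite.
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def seal(key: bytes, frame: Frame) -> bytes:
    """Encapsulate a frame as nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce, plain = os.urandom(12), frame.encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()

def open_tunnel_packet(key: bytes, blob: bytes):
    """Authenticate first, then decrypt; returns None for a forged or tampered packet."""
    nonce, cipher, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        return None
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher))))
    return Frame(*plain.decode().split("|", 2))

class Segment:  # local control-system segment: one broadcast domain of devices plus their NSA
    def __init__(self):
        self.members = []

    def send(self, frame: Frame, sender) -> None:
        for m in self.members:
            if m is not sender:
                m.receive_local(frame, self)

class SharedNetwork:  # untrusted shared network; NSAs addressed by name (stand-in for shared IP)
    def __init__(self):
        self.nsas, self.observed = {}, []  # observed = what an eavesdropper could capture

    def deliver(self, dst_name: str, blob: bytes) -> None:
        self.observed.append(blob)
        self.nsas[dst_name].receive_tunnel(blob)

class Device:  # HMI or Server: answers ARP for its own IP and records replies it receives
    def __init__(self, seg: Segment, mac: str, ip: str):
        self.mac, self.ip, self.arp_table = mac, ip, {}
        seg.members.append(self)

    def receive_local(self, frame: Frame, seg: Segment) -> None:
        if frame.dst_mac not in (self.mac, BROADCAST):
            return
        kind, *args = frame.payload.split()
        if kind == "ARP-REQ" and args[0] == self.ip:  # "what is the MAC for <ip>?"
            seg.send(Frame(self.mac, frame.src_mac, f"ARP-REP {self.ip} {self.mac}"), self)
        elif kind == "ARP-REP":
            self.arp_table[args[0]] = args[1]

class NSA:
    """Network Security Appliance bridging its local segment into one private overlay."""
    def __init__(self, name: str, overlay: str, cmdb: dict, seg: Segment, shared: SharedNetwork):
        self.name, self.overlay, self.seg, self.shared, self.tunnel_rx = name, overlay, seg, shared, 0
        self.cached_policy = {o: dict(cfg) for o, cfg in cmdb.items()}  # CMDB data cached locally
        seg.members.append(self)
        shared.nsas[name] = self

    def receive_local(self, frame: Frame, seg: Segment) -> None:
        policy = self.cached_policy[self.overlay]
        for peer in policy["members"]:  # only to NSAs in the same overlay; never onto the shared net
            if peer != self.name:
                self.shared.deliver(peer, seal(policy["key"], frame))

    def receive_tunnel(self, blob: bytes) -> None:
        frame = open_tunnel_packet(self.cached_policy[self.overlay]["key"], blob)
        if frame is not None:  # a tampered or forged packet is dropped before reaching the segment
            self.tunnel_rx += 1
            self.seg.send(frame, self)  # re-emitted locally, transparent to the devices

def run_arp_example():
    """HMI resolves the Server's MAC via the SCADA overlay; the Contractor overlay sees nothing."""
    shared = SharedNetwork()
    hmi_seg, srv_seg, con_seg = Segment(), Segment(), Segment()
    hmi = Device(hmi_seg, "02:00:00:00:00:01", "10.0.0.1")  # constructed addresses
    server = Device(srv_seg, "02:00:00:00:00:02", "10.0.0.2")
    cmdb = {  # constructed policy data, standing in for IF-MAP metadata held in the CMDB
        "SCADA": {"members": ["nsa-hmi", "nsa-server"], "key": os.urandom(32)},
        "Contractor": {"members": ["nsa-contractor"], "key": os.urandom(32)},
    }
    NSA("nsa-hmi", "SCADA", cmdb, hmi_seg, shared)
    NSA("nsa-server", "SCADA", cmdb, srv_seg, shared)
    contractor = NSA("nsa-contractor", "Contractor", cmdb, con_seg, shared)
    hmi_seg.send(Frame(hmi.mac, BROADCAST, f"ARP-REQ {server.ip}"), hmi)
    return hmi, server, shared, contractor, cmdb["SCADA"]["key"]
```

The third NSA, placed in a separate Contractor overlay, never receives the SCADA frames, and a packet modified on the shared network fails authentication and is dropped before it can reach a control segment.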
A private overlay network is created by giving the network a unique name in the Enterprise environment and assigning it to the operations group. The operators of the control systems components are then able to control the configuration of their device connectivity, independent of the underlying network. Operators are delegated to manage the configuration of the control systems components inside this network, and the security policy configuration governing connectivity between the control systems components. While the operators have their own secure private network sandbox, the Administrators maintain governance and oversight of the entire solution.

A Water / Wastewater implementation of network segmentation
A county water utility in Florida has a shared county public safety network to provide robust, highly available IP network communications for a variety of users. The public safety network is a combination of ISP-provided MPLS WAN with redundant links tied to a microwave mesh backhaul. One user of this network is the water and wastewater operations SCADA network. The SCADA network is implemented as a VLAN within the public safety network, with seamless failover between the ISP and microwave backhaul.

With the proliferation of users and services within the public safety network, and the addition of value-add IT services appearing within the SCADA network, the SCADA manager became concerned about the effectiveness of VLAN segregation for the water/wastewater SCADA systems. In order to achieve an additional level of isolation and security, the utility sought a network segmentation solution that leverages the existing public safety network. As shown in Figure 7, the utility deployed NSAs at the SCADA Operations center and at each of their remote sites and lift stations. They also deployed an NSA to connect Corporate Visboards to the Master Historian. Another requirement was a method of constraining Contractor access to local and remote ICS equipment. Three private overlay networks were implemented on top of the public safety network. The security policies and ICS network configurations are managed by the Secure Network Management System.

[Figure 7: Water / Wastewater plants leverage a shared Public Safety Network for secure communications. Elements shown: SCADA Overlay (S), Visboards Overlay (V), Contractor Overlay (C); Water Plant Control, Water Plant Contractor, NW Switch, NE Switch, Master Historian, Secondary Historian, Engineering Workstations, Public Safety Network, Secure Network Management System]

Summary
Stuxnet was a watershed event that focused the world's attention on Industrial Control Systems. Since ICS were often deployed in air-gapped environments, their vulnerable-by-design attributes were largely ignored. Stuxnet showed that an air gap is not secure, and that increased connectivity results in a larger attack surface for ICS. With all the media attention, vulnerabilities are being disclosed at staggering rates, and ICS vendors are slow to catch up.

Best practices suggest that comprehensive risk management, tied to a defense-in-depth cybersecurity implementation, is the appropriate approach for securing ICS. Network segmentation is a foundational building block of a defense-in-depth, layered security implementation. Standards from ISA are focusing on network segmentation because it can be used to reduce the connectivity of ICS to the absolute minimum, and to protect that connectivity over shared network infrastructures. Additional standards from IETF and TCG describe how these segmented networks can be efficiently managed at scale. Standards-based commercial network segmentation products are now available that not only decouple and secure the ICS communications from a shared network, but also decouple the management of the ICS systems from the management of the shared network. This approach to delegated management makes it possible for an enterprise to deploy secure private networks as an internal service. A case study has been presented in which a water utility in Florida added an additional layer of security to their SCADA network. The SCADA network continues to leverage a robust public safety network, while remaining isolated and secured from that network. The resulting environment reduces the connectivity of the SCADA components to an absolute minimum.

List of Acronyms:
CMDB ... Configuration Management Database
HMI ... Human Machine Interface
IETF ... Internet Engineering Task Force
ICS ... Industrial Control System
ISA ... International Society of Automation
NSA ... Network Security Appliance
PKI ... Public Key Infrastructure
PLC ... Programmable Logic Controller
RTU ... Remote Terminal Unit
RISI ... Repository for Industrial Security Incidents
SCADA ... Supervisory Control and Data Acquisition
TCG ... Trusted Computing Group
VPN ... Virtual Private Network
VLAN ... Virtual Local Area Network

David Mattes is the founder and CTO of Asguard Networks.
David founded Asguard Networks to create products that address the challenge of managing connectivity and information security for Industrial Control Systems (ICS). Prior to Asguard Networks, David spent 13 years in Boeing's R&D organization. At Boeing, David focused on ICS security issues, particularly on the challenge of segmenting connectivity for ICS devices into private networks and securely connecting them to and through Boeing's Enterprise networks. David can be contacted at


Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation Rev 5058-CO900C Agenda Control System Network Security Defence in Depth Secure Remote Access Examples

More information

Latest IT Exam Questions & Answers

Latest IT Exam Questions & Answers DumpKiller Latest IT Exam Questions & Answers http://www.dumpkiller.com No help, Full refund! Exam : 210-260 Title : Implementing Cisco Network Security Vendor : Cisco Version : DEMO 1 NO.1 Which address

More information

Overview of Routing between Virtual LANs

Overview of Routing between Virtual LANs Overview of Routing between Virtual LANs This chapter provides an overview of virtual LANs (VLANs). It describes the encapsulation protocols used for routing between VLANs and provides some basic information

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc. Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim

More information

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0 ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS Version 2.0 July 20, 2012 Table of Contents 1 Foreword... 1 2 Introduction... 1 2.1 Classification... 1 3 Scope... 1

More information

SECURING AN INTEGRATED SCADA SYSTEM. Technical Paper April 2007

SECURING AN INTEGRATED SCADA SYSTEM. Technical Paper April 2007 SECURING AN INTEGRATED SCADA SYSTEM Network Security & SCADA Systems Whitepaper Technical Paper April 2007 Presented by: Scott Wooldridge Managing Director of Oceania Citect 1 Abstract This paper discusses

More information

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment Introduction 1 Distributed SCADA security 2 Radiflow Defense-in-Depth tool-set 4 Network Access

More information

Steelcape Product Overview and Functional Description

Steelcape Product Overview and Functional Description Steelcape Product Overview and Functional Description TABLE OF CONTENTS 1. General Overview 2. Applications/Uses 3. Key Features 4. Steelcape Components 5. Operations Overview: Typical Communications Session

More information

Cyber Security Where Do I Begin?

Cyber Security Where Do I Begin? ISPE Automation Forum Cyber Security Where Do I Begin? Don Dickinson Project Engineer Phoenix Contact ..50% more infected Web pages Click in the on one last and three you months won t of notice 2008 than

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Innovative Defense Strategies for Securing SCADA & Control Systems

Innovative Defense Strategies for Securing SCADA & Control Systems 1201 Louisiana Street Suite 400 Houston, Texas 77002 Phone: 877.302.DATA Fax: 800.864.6249 Email: info@plantdata.com Innovative Defense Strategies for Securing SCADA & Control Systems By: Jonathan Pollet

More information

TrustNet Group Encryption

TrustNet Group Encryption TrustNet Group Encryption Executive Summary Protecting data in motion has become a high priority for a growing number of companies. As more companies face the real and growing threat of data theft, along

More information

Logical & Physical Security

Logical & Physical Security Building a Secure Ethernet Environment By Frank Prendergast Manager, Network Certification Services Schneider Electric s Automation Business North Andover, MA The trend toward using Ethernet as the sole

More information

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by

More information

Scalable Secure Remote Access Solutions

Scalable Secure Remote Access Solutions Scalable Secure Remote Access Solutions Jason Dely, CISSP Principal Security Consultant jdely@ra.rockwell.com Scott Friberg Solutions Architect Cisco Systems, Inc. sfriberg@cisco.com Jeffrey A. Shearer,

More information

Network Security Topologies. Chapter 11

Network Security Topologies. Chapter 11 Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network

More information

Network System Design Lesson Objectives

Network System Design Lesson Objectives Network System Design Lesson Unit 1: INTRODUCTION TO NETWORK DESIGN Assignment Customer Needs and Goals Identify the purpose and parts of a good customer needs report. Gather information to identify network

More information

Policy Based Networks in Process Control Design and Deployment Techniques. Steve Hargis Enterasys Networks

Policy Based Networks in Process Control Design and Deployment Techniques. Steve Hargis Enterasys Networks Policy Based Networks in Process Control Design and Deployment Techniques Steve Hargis Enterasys Networks The Evolving Process Control Network Significant increase in use (and dependencies) on standards-based

More information

TCG Trusted Network Connect IF-MAP Metadata for ICS Security. Document Draft Comments. Prepared by Joseph J. Januszewski, III, CISSP

TCG Trusted Network Connect IF-MAP Metadata for ICS Security. Document Draft Comments. Prepared by Joseph J. Januszewski, III, CISSP TCG Trusted Network Connect IF-MAP Metadata for ICS Security Document Draft Comments Prepared by Joseph J. Januszewski, III, CISSP Comments Januszewski Page 1 Page vi: Although the document is concerned

More information

Top-Down Network Design

Top-Down Network Design Top-Down Network Design Chapter Five Designing a Network Topology Copyright 2010 Cisco Press & Priscilla Oppenheimer Topology A map of an internetwork that indicates network segments, interconnection points,

More information

DeltaV System Cyber-Security

DeltaV System Cyber-Security January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...

More information

Wireless Process Control Network Architecture Overview

Wireless Process Control Network Architecture Overview Wireless Process Control Network Architecture Overview Industrial Wireless Networks Gain Acceptance In Plant Floors By: Soroush Amidi, Product Manager and Alex Chernoguzov, Wireless Architect Wireless

More information

Network Security Guidelines. e-governance

Network Security Guidelines. e-governance Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type

More information

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Introduction There are numerous statistics published by security vendors, Government

More information

WHITE PAPER. Network Virtualization: A Data Plane Perspective

WHITE PAPER. Network Virtualization: A Data Plane Perspective WHITE PAPER Network Virtualization: A Data Plane Perspective David Melman Uri Safrai Switching Architecture Marvell May 2015 Abstract Virtualization is the leading technology to provide agile and scalable

More information

VPN Technologies: Definitions and Requirements

VPN Technologies: Definitions and Requirements VPN Technologies: Definitions and Requirements 1. Introduction VPN Consortium, January 2003 This white paper describes the major technologies for virtual private networks (VPNs) used today on the Internet.

More information

OPC & Security Agenda

OPC & Security Agenda OPC & Security Agenda Cyber Security Today Cyber Security for SCADA/IS OPC Security Overview OPC Security Products Questions & Answers 1 Introduction CYBER SECURITY TODAY The Need for Reliable Information

More information

Extending Networking to Fit the Cloud

Extending Networking to Fit the Cloud VXLAN Extending Networking to Fit the Cloud Kamau WangŨ H Ũ Kamau Wangũhgũ is a Consulting Architect at VMware and a member of the Global Technical Service, Center of Excellence group. Kamau s focus at

More information

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc. Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources

More information

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL AU7087_C013.fm Page 173 Friday, April 28, 2006 9:45 AM 13 Access Control The Access Control clause is the second largest clause, containing 25 controls and 7 control objectives. This clause contains critical

More information

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview STRATEGIC WHITE PAPER Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview Abstract Cloud architectures rely on Software-Defined Networking

More information

Lecture 02b Cloud Computing II

Lecture 02b Cloud Computing II Mobile Cloud Computing Lecture 02b Cloud Computing II 吳 秀 陽 Shiow-yang Wu T. Sridhar. Cloud Computing A Primer, Part 2: Infrastructure and Implementation Topics. The Internet Protocol Journal, Volume 12,

More information

Securing Manufacturing Control Networks. Alan J. Raveling, CISSP November 2 nd 5 th Pack Expo 2014

Securing Manufacturing Control Networks. Alan J. Raveling, CISSP November 2 nd 5 th Pack Expo 2014 Securing Manufacturing Control Networks Alan J. Raveling, CISSP November 2 nd 5 th Pack Expo 2014 As Internet-enabled technologies such as cloud and mobility grow, the need to understand the potential

More information

A Presentation at DGI 2014 Government Cloud Computing and Data Center Conference & Expo, Washington, DC. September 18, 2014.

A Presentation at DGI 2014 Government Cloud Computing and Data Center Conference & Expo, Washington, DC. September 18, 2014. A Presentation at DGI 2014 Government Cloud Computing and Data Center Conference & Expo, Washington, DC September 18, 2014 Charles Sun www.linkedin.com/in/charlessun @CharlesSun_ 1 What is SDN? Benefits

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

ITL BULLETIN FOR JANUARY 2011

ITL BULLETIN FOR JANUARY 2011 ITL BULLETIN FOR JANUARY 2011 INTERNET PROTOCOL VERSION 6 (IPv6): NIST GUIDELINES HELP ORGANIZATIONS MANAGE THE SECURE DEPLOYMENT OF THE NEW NETWORK PROTOCOL Shirley Radack, Editor Computer Security Division

More information

Using ISA/IEC 62443 Standards to Improve Control System Security

Using ISA/IEC 62443 Standards to Improve Control System Security Tofino Security White Paper Version 1.2 Published May 2014 Using ISA/IEC 62443 Standards to Improve Control System Security Contents 1. Executive Summary... 1 2. What s New in this Version... 1 3. Why

More information

Critical Infrastructure Product Entrepreneurial Leadership Award Company of the Year Award

Critical Infrastructure Product Entrepreneurial Leadership Award Company of the Year Award 2013 2014 2014 North 2013 American North Perimeter American Network SSL Certificate Security Solutions in Critical Infrastructure Product Entrepreneurial Leadership Award Company of the Year Award Background

More information

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005 SCADA System Security ECE 478 Network Security Oregon State University March 7, 2005 David Goeke Hai Nguyen Abstract Modern public infrastructure systems

More information

Reasons Enterprises. Prefer Juniper Wireless

Reasons Enterprises. Prefer Juniper Wireless Reasons Enterprises Prefer Juniper Wireless Juniper s WLAN solution meets the mobility needs of today s enterprises by delivering the highest levels of reliability, scalability, management, and security.

More information

IT Security and OT Security. Understanding the Challenges

IT Security and OT Security. Understanding the Challenges IT Security and OT Security Understanding the Challenges Security Maturity Evolution in Industrial Control 1950s 5/4/2012 # 2 Technology Sophistication Security Maturity Evolution in Industrial Control

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

MOC 6435A Designing a Windows Server 2008 Network Infrastructure

MOC 6435A Designing a Windows Server 2008 Network Infrastructure MOC 6435A Designing a Windows Server 2008 Network Infrastructure Course Number: 6435A Course Length: 5 Days Certification Exam This course will help you prepare for the following Microsoft exam: Exam 70647:

More information

Enterprise A Closer Look at Wireless Intrusion Detection:

Enterprise A Closer Look at Wireless Intrusion Detection: White Paper Enterprise A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model Josh Wright Senior Security Researcher Introduction As wireless enterprise networks become

More information

Securing the Intelligent Network

Securing the Intelligent Network WHITE PAPER Securing the Intelligent Network Securing the Intelligent Network New Threats Demand New Strategies The network is the door to your organization for both legitimate users and would-be attackers.

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Networked AV Systems Pretest

Networked AV Systems Pretest Networked AV Systems Pretest Instructions Choose the best answer for each question. Score your pretest using the key on the last page. If you miss three or more out of questions 1 11, consider taking Essentials

More information

Securing Networks with Cisco Routers and Switches 1.0 (SECURE)

Securing Networks with Cisco Routers and Switches 1.0 (SECURE) Securing Networks with Cisco Routers and Switches 1.0 (SECURE) Course Overview: The Securing Networks with Cisco Routers and Switches (SECURE) 1.0 course is a five-day course that aims at providing network

More information

SIMPLE NETWORKING QUESTIONS?

SIMPLE NETWORKING QUESTIONS? DECODING SDN SIMPLE NETWORKING QUESTIONS? Can A talk to B? If so which what limitations? Is VLAN Y isolated from VLAN Z? Do I have loops on the topology? SO SDN is a recognition by the Networking industry

More information

The term Virtual Private Networks comes with a simple three-letter acronym VPN

The term Virtual Private Networks comes with a simple three-letter acronym VPN Application Brief Nortel Networks Virtual Private Networking solutions for service providers Service providers addressing the market for Virtual Private Networking (VPN) need solutions that effectively

More information

A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model

A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model Table of Contents Introduction 3 Deployment approaches 3 Overlay monitoring 3 Integrated monitoring 4 Hybrid

More information

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data White Paper PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and

More information

CoIP (Cloud over IP): The Future of Hybrid Networking

CoIP (Cloud over IP): The Future of Hybrid Networking CoIP (Cloud over IP): The Future of Hybrid Networking An overlay virtual network that connects, protects and shields enterprise applications deployed across cloud ecosystems The Cloud is Now a Critical

More information

Network Security. A Quick Overview. Joshua Hill josh-web@untruth.org http://www.untruth.org

Network Security. A Quick Overview. Joshua Hill josh-web@untruth.org http://www.untruth.org Network Security A Quick Overview Joshua Hill josh-web@untruth.org http://www.untruth.org Security Engineering What is Security Engineering? "Security Engineering is about building systems to remain dependable

More information

Optimizing and Securing an Industrial DCS with VMware

Optimizing and Securing an Industrial DCS with VMware Optimizing and Securing an Industrial DCS with VMware Global Process Automation deploys a new DCS using VMware to create a secure and robust operating environment for operators and engineers. by Doug Clarkin

More information