HIGH PERFORMANCE ENCRYPTION SOLUTIONS SECURING CRITICAL NATIONAL INFRASTRUCTURE

Transcription

1 HIGH PERFORMANCE ENCRYPTION SOLUTIONS SECURING CRITICAL NATIONAL INFRASTRUCTURE

2 CRITICAL NATIONAL INFRASTRUCTURE The UKs national infrastructure is defined by Government as those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends. National Infrastructure is divided into 9 categories: communications, emergency services, energy, financial services, food, government, health, transport and water. Assets within these categories are measured against a criticality scale and assigned a status based on the severity of impact. The implications of the growing threat to Critical National Infrastructure are wide ranging. Whilst loss or corruption of data would have negative consequences for the organisation suffering the breach, in terms of operational and financial performance, of greater concern would be the potential impact on security of supply for critical utilities and the broader themes of national security and public safety. SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) NETWORKS Supervisory Control and Data Acquisition (SCADA) networks are used to carry command data that ensures the safe and reliable operation of our nation s critical infrastructure. Essential services such as electricity, natural gas, water, waste treatment and rail services all rely on SCADA networks. Traditionally, SCADA networks have been isolated and it has been high fences and barbed wire that has kept our critical infrastructure secure. However, with the increased threat of cyber-attack, Governments and industry regulators around the world are focussing beyond physical perimeter protection to ensure the integrity of the systems used to control our critical infrastructure. It is these controlling networks that represent the greatest vulnerability to utilities and infrastructure organisations, not only from the theft of sensitive data being transmitted across their networks, but also the consequences of disruption or manipulation of these data flows as part of a malicious attack. Many SCADA systems are no longer isolated and are connected to public networks. Sometimes this is intentional, as a means of connecting to other systems, other times it can be an unintentional consequence of providing connectivity to remote locations or offices. Globally, there are mandates from the highest levels of government requiring that SCADA networks and other critical infrastructures are secure. In the UK, the Centre for the Protection of National Infrastructure (CPNI) provides advice on physical and cyber security, in the US, NERC (the organisation responsible for reliability standards for the nation s utility providers) has established a set of CIP (critical infrastructure protection) guidelines and in the EU, the European Programme for Critical Infrastructure Protection (ECPIP) provides similar doctrine. Hackers are increasingly targeting electric, natural gas and other vital utilities, threatening a disaster of epic proportions that experts say firms are doing too little to guard agains. - JAMES SAMPLE Chief Information Officer, Pacific Gas & Electric

3 WHY ENCRYPT? The rapid growth of virtualisation, data centre and cloud computing technologies means we are becoming increasingly reliant on our high-speed/high-availability data networks to deliver information when and where we need it. High-speed access is also an essential part of business continuity as it enables a robust back-up and disaster recovery strategy. Cyber-crime in the form of hacking, corporate espionage and even cyber terrorism, is on the rise. Information security threats remain commonplace and there is an increasing emphasis on organisations of all types to ensure the integrity and security of their data, both at rest and in motion. We cannot rely on the assumption that our data remains secure within the perimeter of the office environment. All organisations share systems and information that rely upon common network access and most modern businesses comprise multiple offices, some separated by a few yards, others by thousands of miles. Fibre-optic cables are used to transport Petabytes of data across private and public networks every day. Although still considered the fastest and most reliable method of moving data, Fibre networks have become increasingly vulnerable as hacking technologies become less expensive and more readily available. There is a common misconception within many organisations that a robust firewall is enough to prevent unwanted access to their network; unfortunately this is not the case. Whilst the firewall can detect and eliminate a variety of penetration or denial of service attacks, it is no protection against a physical tap either inside or outside the firewall. It is alarming that there appear to be many organisations out there who are not aware of, and do not agree on, the ever-increasing ease at which fibre optic cables can be attacked. - SANS INSTITUTE In a recent report, IDC described three simple methods hackers use to gain access to Ethernet networks: SPLICING The most common technique employed, splicing sees hackers tap into the fibre and monitor the data travelling across the network by breaking the cable at vulnerable maintenance points such as Y-bridges and splice points. SPLITTING/COUPLING Also known as micro-bending, the hacker bends the fibre-optic cable and uses a commonly available photo-detecting device to capture the light that escapes, along with the data it carries. OPTICAL TAPPING The use of an evanescent tap requires very little interference with the cable itself. The hacker places a sensitive photo detection device around the fibre and captures the data from the light that naturally radiates from the cable. Of even greater concern is the fact that if data can be removed from the network in this manner, it can also be injected. This has wide ranging implications for organisations as they not only suffer the loss of data but the repercussions of misinformation. The only fail-safe solution to ensure that your data is secure as it travels across the network is encryption. Furthermore, your encryption solution should be de-coupled from any specific network architecture and accredited against the recognised world-wide security standards.

4 LAYER 2 VS. LAYER 3 If your data is traversing a geographically diverse public or private network it is inherently insecure; this is as true for optical fibre networks as it is for other types of wired or wireless network. Given this, the question isn t whether or not encryption should be used, rather which approach to encryption offers the most secure and efficient solution. The 7-layer network model defines the stages of the process involved in transmitting data across a network. When it comes to encryption of data traversing your network, there are a number of options available. Including:»» End-to-end encryption within applications»» SSL, Layer 4 encryption»» IPSec Standard, Layer 3 encryption»» Layer 2 encryption The challenge lies in maintaining the performance and simplicity of a high-speed network whilst assuring the security and privacy of network traffic, whether voice, data or video. It is generally accepted that the lower the layer, the more comprehensive the encryption and the more efficient the process. Layer 2 and layer 3 encryption work in different ways. Layer 3 encryption devices are designed for IPSec encryption and to encrypt IP payload. IPSec tunnels the original IP packet in order to encrypt the IP header. Tunnels can result in an increase in overhead, complexity and, subsequently, processing time. If you want to encrypt an Ethernet frame, the encryptor has to first do some heavy lifting to bring the frame up to layer 3. By comparison layer 2 encryptors are optimised for Ethernet and MPLS and don t need to tunnel the original IP packets in order to encrypt, resulting in a more efficient process. Application Data Presentation Data Session Data Transport Data Network Packets Data Link Frames Physical Bits SSL Encryption IPSec Encryption Layer 2 Encryption BENEFITS OF LAYER 2 ENCRYPTION Layer 2 encryption is often referred to as a bump in the wire technology. The phrase conveys the simplicity, ease of maintenance and performance benefits of Layer 2 solutions that are designed to be transparent to end users with little or no impact on network performance. In a recent study by the Rochester Institute of Technology (RIT), it was determined that Layer 2 encryption technologies provide superior throughput and far lower latency than IPSec VPNs, which operate at Layer 3. When Building a complete end-to-end IP network, avoid using devices that use layer 3 separation. For true network isolation, use equipment that can provide isolation at layer 2. - CENTRE FOR THE PROTECTION OF NATIONAL INFRASTRUCTURE

5 CHOOSING THE RIGHT ENCRYPTION SOLUTION Due to a lack of vendor compatibility in network encryption, organisations need to find a vendor who offers a complete range of products, able to cover all their layer 2 network encryption needs. It s also essential to remember that only a dedicated appliance will provide low latency throughput and work optimally with network equipment from different vendors. Here are some factors to consider: PERFORMANCE: Adding a network encryption interface card to an existing switch may appear attractive. However, there will be a higher latency and lower throughput performance than a dedicated Layer 2 encryption device. MANAGEMENT: In some instances, using a NIC means the same switch vendor needs to be used throughout the network route and that data is decrypted and re-encrypted at each of the hops. This is a potential security risk and a major key management issue. Dedicated appliances enable the data to be encrypted throughout the whole route, irrespective of switch vendor. LIFESPAN: If a network encryption interface card (NIC) is used, the lifespan of the encryptor will be tied to the host network device and will need to be replaced when the switch is changed. CERTIFICATION: Many switch and encryption vendors are not approved to encryption standards such as Common Criteria, CAPS or FIPS Senetas encryptors are independently tested and accredited by the world s leading agencies and offer the only multi-accredited encryption solution. APPLICATIONS A firewall alone does not provide the degree of security required to protect your critical information. If your SCADA system is connected to the wider network, any communication between management systems and the SCADA endpoints needs to be secure at both ends. Further consideration should be given to the security of other sensitive data, such as employee or customer records, as they are moved around your network as a part of day-to-day operations and especially when they are backed-up to off-site storage or disaster recovery sites.

6 THE IMPLICATIONS OF SMART GRID TECHNOLOGY As utilities migrate to Smart Grid Technology, where the SCADA network effectively extends all the way to the meter in the end-user s premises, we are faced with some unique security challenges. The Smart Grid is a sophisticated communications network where data is collected remotely, then collated and analysed centrally before control commands are issued. HIGH-SPEED ENCRYPTION Encryption is a key element in ensuring the security of SCADA networks. However, in order for encryption to be most effective it needs to deliver against four criteria: Speed, Scalability, Manageability and Affordability. A SCADA network is a real-time network and as such the use of encryption has to have minimal impact on latency. Senetas CS and CN range of encryptors are specifically designed to provide high performance with latency less than 7 microseconds per unit at 1Gbps. Scalability is essential as the nature of a SCADA network means that different bandwidths are in operation at different points in the network. The Senetas CS and CN range provides a single solution to support networks operating at 10Mbps to 10Gbps. CypherManager provides secure local and remote management of the entire range of CS and CN encryptors as well as acting as the Certificate Authority (CA) within a network. An intuitive, windows-based application it allows you to configure, monitor and manage all your encryption devices. Affordability is a key consideration when it comes to retrospectively securing SCADA networks. Senetas encryption hardware provides a bump in the wire solution that can be quickly and easily retrofitted, without the need to make wholesale changes to the network.

7 THE SENETAS RANGE The Senetas CS and CN range of encryption devices provide organisations with simple to deploy, low maintenance solutions to secure data traversing both public and private networks. The latest CN6000 series supports both AC and DC hot-swappable PSUs and provides full line rate transparent encryption of either Ethernet networks in point-point, hub & spoke or meshed environments OR point-to-point Fibre Channel networks at up to 10Gbps. WHAT MAKES SENETAS ENCRYPTORS DIFFERENT? Comprehensive Range The CS and CN range of Layer 2 encryptors provides one of the broadest sets of capability able to operate at 10Mbps to 10Gbps and able to support Ethernet, Fibre Channel, SONET/SDH and LINK protocols. Local or Centralised Management Configuration can be performed locally or remotely through our intuitive Windows based CypherManager that also acts as the Certificate Authority in a network of encryptors by signing and distributing X.509 certificates. High Performance The Senetas CS and CN range are high performance encryptors operating in full-duplex mode at full line speed without loss of packets. Latency is not affected by packet size and is less than 7 microseconds per unit at 1Gbps. In summary, maximum through-put with zero protocol overhead. Easy To Install The Bump in the Wire design of the CS and CN range makes this solution very easy to install and highly effective. You simply place the appropriate CS or CN hardware device at the access point to the public or private Layer 2 Network and all data passing through the device is encrypted using an AES 256 bit encryption algorithm. Reliability Senetas encryptors are designed and manufactured to exacting standards. In addition to the high levels of security, the units conform to international requirements for safety and environmental concerns, as well as providing high availability features with % uptime. Interoperability Senetas encryptors that support the same protocol are fully interoperable. For example, locations that have minimal needs may use the CS10 encryptors which can interoperate with a CN1000 unit at a larger central site under the same CypherManager platform.

8 ABOUT SENETAS Senetas Europe is a wholly owned subsidiary of Senetas Corporation Limited (ASX:SEN), specialising in high-speed network encryption. Our Layer 2 encryptors provide the last, best line of defence for data in transit for governments, the public sector and leading commercial organisations worldwide. We manufacture the world s only triple-certified, high-speed data encryptors; certified to Common Criteria (Australia and International), FIPS (US) and CAPS (UK) as suitable for government and defence use. Our products are used to secure network data for cloud computing services, payment systems, big data applications, CCTV networks, datacentres and critical infrastructure and control systems in more than 25 countries. Senetas encryptors are suitable for networks of all types from point-to-point to fully meshed, multipoint network infrastructures. Our core products operate from 10Mbps up to 10Gbps and support Ethernet, Fibre Channel, SONET/SDH and LINK protocols. These high performance devices use AES 256bit encryption and operate in fullduplex mode at full line speed with no packet loss; delivering security without compromise. For more information on Senetas Europe visit our website: CONTACT: Gareth Jones Senetas Europe Limited Worting House, Church Lane, Basingstoke RG23 8PX E: gareth.jones@senetas-europe.com T: +44 (0)