RuggedCom Solutions for

Transcription

1 RuggedCom Solutions for NERC CIP Compliance Rev Copyright RuggedCom Inc. 1

2 RuggedCom Solutions Hardware Ethernet Switches Routers Serial Server Media Converters Wireless Embedded Software Application Software Software Network Management Software NERC-CIP Cyber Security Solution Services Professional Services Training Support Most Complete Line of Rugged Communications Devices Copyright RuggedCom Inc. 2

3 Architecture Example Copyright RuggedCom Inc. 3

4 The RuggedRouter RX1000/1100 Industrially Hardened Cyber Security Appliance Integrated Router/Firewall/VPN Rugged Operating System on Linux (ROX ) Wide Operating Temperature Range: -40 to +85C (no fans) High Immunity to EMI: Meets or exceeds IEC , IEEE 1613, NEMA TS-2 and more... Integrated Power Supplies: Low and high voltage ranges with true (N+1) redundancy option RuggedRated for Harsh Environments Modular: Various Types and Configuration of Interface Ports 5 Year Warranty Copyright RuggedCom Inc. 4

5 RX1000 / RX1100 Key Router Features Security Appliance Functions Integrated Router/Firewall/VPN Stateful Firewall with NAT Full IPSec Virtual Private Networking VPN with 3DES, DES, AES IDS Security Gateway (Gauntlet) Protocols WAN: Frame Relay, PPP, PAP, CHAP Authentication, PPPoE IP: Routing, RIP/RIPII, OSPF, DHCP Agent Traffic shaping and policing Management Tools Web Based GUI, SSH, CLI (command line interface) SNMP v2/v3 Remote Syslog Rich set of diagnostics with logging and alarming Copyright RuggedCom Inc. 5

6 Product Basket- 19 Rack Mount Switches Copyright RuggedCom Inc. 6

7 Product Basket- Din-rail and Small Form Factor Ethernet Switches Copyright RuggedCom Inc. 7

8 Product Basket- Serial Servers Copyright RuggedCom Inc. 8

9 Rugged Operating System (ROS ) Zero Collisions: IEEE 802.3x Full Duplex Operation Priority Queuing: IEEE 802.1p for high priority real-time control VLAN: IEEE 802.1q for isolating real-time traffic Enhanced IEEE 802.1D 2004Rapid Spanning Tree for fast fault recovery IGMP Snooping for multicast filtering and management Cyber Security: Multi-level level passwords, SSH/SSL encryption, enable/disable ports, 802.1x port security, Radius Network management: including SNMPv3, RMON, Port Mirroring Rich set of diagnostic tools Common firmware across all managed switches ROX ROS on Linux with all the security features of Linux. ROS and ROX Designed for Real-Time Control and Mission Critical Applications Copyright RuggedCom Inc. 9

10 Switch Security Features Multilevel User Passwords Secures switch against unauthorized configuration SSH / SSL Encryption Encryption of passwords and data as they cross the network Enable / Disable ports - Disable ports so that traffic can not pass 802.1Q VLAN (Virtual Local Area Network) - Logically segregate traffic between predefined ports on switches MAC Based Port Security - Secure ports so only specific Devices/MAC addresses can communicate via that port 802.1x Port Based Network Access Control - Lock ports to allow only authorized clients to communicate via the port Radius - Centralized password management SNMPv3 - Encrypted authentication and access security Copyright RuggedCom Inc. 10

11 RuggedCom Integrated Solutions Our Partners Teltone Gauntlet Security Gateway Functionality Dynamically Builds Firewall rules for user access Controls access to devices within security perimeter NERC CIP event logging Industrial Defender IDS Management Console (SEM) IDS Signature Management Intrusion Event Logging Network Health Monitoring i Auditing RuggedCom, Teltone, Industrial Defender A single solution with a single point of contact for sales, Implementation and support Copyright RuggedCom Inc. 11

12 RuggedCom Gauntlet Virtual Polling Controller Software component Secure user access to Command and Control Center Software component Tools for administration of substation devices user credentials, Gateway port security, and Router security Gauntlet Gateway Hardware component Line sharing switch with security enhancements RuggedRouter RX1100 Hardware component IP router with Firewall and Authentication capability Copyright RuggedCom Inc. 12

13 Industrial Defender with RX1100 Copyright RuggedCom Inc. 13

14 The Ruggedcom- Industrial Defender- Gauntlet Solution Copyright RuggedCom Inc. 14

15 NERC CIP Category Standard # Feature NERC-CIP CIP Compliance User Access and Passwords CIP-004-1: R4, 4.1, 4.2 CIP-005-1: R2.1, R2.4 CIP-007-1:R5 R5, , , Individual user accounts and passwords Required strong passwords, one-time use passwords, expiring passwords, etc. Digital g security packages Strong Two-factor authentication Access Control Management CIP-003-1: R5, 5.1, CIP-005-1: R2.1, R2.4 Electronic Security Perimeter CIP-005-1: R1, R2, R3, CIP-007-1: R2, Network / Routing Security CIP-005-1: R2, 2.1, 2.2, 2.4 CIP-007-1: R2, Centralized administration Individual administration accounts and passwords Comprehensive reports: lists of users, assets, access points, etc. Secure Access Points (Gauntlet Gateway and RX1100) Access denied by default Technical Control Methods (2-factor authentication, etc.) Electronic access monitoring and logging Appropriate use banners Enable/Disable Ethernet Ports / Services Firewall / VPN IP Access Control 802.1x Port Security / 802.1Q VLAN Intrusion Detection System Dial-up Security CIP-005-1: R1.2, R2.3, R3.1 Secure dial-up modem access control, monitoring and logging Logs, Reports and Audit Resources CIP-003-1: R5, 5.1, 5.1.1, R6 CIP-004-1: R4, 4.1 CIP-005-1: R1,1.6, R2,2.5, R3, R5 CIP-007-1: R3.1, R5.1.2, R6, R9 CIP-008-1: R2 Comprehensive reports Searchable database Detailed access logs with user, port and connection information User, Administrator and Asset and Access Point lists NERC CIP Auto Audit report Cyber incident reports Employee termination / User rights revocation CIP-004: R4, 4.1, 4.2 Account / security credential expiration Administrator initiated user rights revocation Suspended user accounts Alerts and Notifications CIP-005: R3.2 CIP-007: R6.2 Configurable system alert messages Unauthorized access attempt notification System lockout / system error notification Security Patch Management CIP-007: R3, 3.1 Published Security Patch scrubs Remote upgrades and auto-update Malicious Software Prevention CIP-007-1: R4, Anti-virus software included on RX1100 IDS system (future) Copyright RuggedCom Inc. 15

16 NERC-CIP CIP Compliance NERC CIP Category Standard # Feature User Access and Passwords CIP-004-1: R4, 4.1, 4.2 CIP-005-1: R2.1, R2.4 CIP-007-1: R5, 5.1, 5.2, 5.3 Individual user accounts and passwords Required strong passwords, one-time use passwords, expiring passwords, etc. Digital security packages Strong Two-factor authentication Access Control Management CIP-003-1: R5, 5.1, CIP-005-1: R2.1, R2.4 Centralized administration Individual id administration i ti accounts and passwords Comprehensive reports: lists of users, assets, access points, etc. Electronic Security Perimeter CIP-005-1: R1, Secure Access Points (Gauntlet Gateway and R2, R3, RX1100) Access denied by default CIP-007-1: R2, Technical Control Methods (2-factor authentication, etc.) Electronic access monitoring and logging Appropriate use banners Copyright RuggedCom Inc. 16

17 NERC-CIP CIP Compliance NERC CIP Category Standard # Feature Network / Routing Security CIP-005-1: R2, 2.1, 2.2, 2.4 CIP-007-1: R2, Enable/Disable Ethernet Ports / Services Firewall / VPN IP Access Control 802.1x Port Security / 802.1Q VLAN Intrusion Detection System Dial-up Security CIP-005-1: R1.2, R2.3, R3.1 Secure dial-up modem access control, monitoring and logging Logs, Reports and Audit Resources CIP-003-1: R5, 5.1, 5.1.1, R6 CIP-004-1: R4, 4.1 CIP-005-1: R1,1.6, R2,2.5, R3, R5 CIP-007-1: R3.1, R5.1.2, R6, R9 CIP-008-1: R2 Comprehensive reports Searchable database Detailed access logs with user, port and connection information User, Administrator and Asset and Access Point lists NERC CIP Auto Audit report Cyber incident reports Copyright RuggedCom Inc. 17

18 NERC-CIP CIP Compliance NERC CIP Category Standard # Feature Employee termination / User rights revocation CIP-004: R4, 4.1, 4.2 Alerts and Notifications CIP-005: R3.2 CIP-007: R6.2 Account / security credential expiration Administrator initiated user rights revocation Suspended user accounts Configurable system alert messages Unauthorized access attempt notification System lockout / system error notification Security Patch Management CIP-007: R3, 3.1 Published Security Patch scrubs Remote upgrades and auto-update Malicious Software Prevention CIP-007-1: R4, Anti-virus software included on RX1100 IDS system (future) Copyright RuggedCom Inc. 18

19 Securing the Substation LAN Copyright RuggedCom Inc. 19

20 Securing the Substation Network Enable / Disable ports Disable unused ports on switches and Routers Copyright RuggedCom Inc. 20

21 Securing the Substation Network - VLAN (IEEE 802.1Q) Substation Computer VLAN 1 IED 1 IED 2 IED 3 IED 4 IED 5 IED 6 IED 7 IED 8 VLAN 2 Real-time Control IEDs e.g. Relays, RTUs Data collection IEDs e.g. Meters, DFR VLAN s allows segregation of IEDs based on security and real-time traffic requirements. Copyright RuggedCom Inc. 21

22 Securing the Substation Network Port based security The ability to secure ports on a switch so only specific Devices / MAC addresses can communicate via that port. This locks the port on the switch to a specific IED. Note: It is easy to spook Mac Addresses with a typical PC. In order to effectively use this capability a network monitoring solution should be used to monitor for port status changes. Copyright RuggedCom Inc. 22

23 Securing the Substation ti Network 802.1x With 802.1x ports can be secured such that user credentials from the client device would need to be validated prior to network access. It is necessary to have a backend authentication server to store these credentials. With this capability it would not be necessary to disable unused ports. Copyright RuggedCom Inc. 23

24 Thank You! Copyright RuggedCom Inc. 24