Trends, Issues, and New Standards for ICS Security
David Mattes 1*

1 Asguard Networks, Inc., 3417 Fremont Ave N, Suite 221, Seattle, Washington, 98103, USA (*correspondence: mattes@asguardnetworks.com, Tel: )

Presented at the 2013 ISA Water/Wastewater and Automatic Controls Symposium, Crowne Plaza Orlando-Universal Hotel, Orlando, Florida, USA, Aug 6-8, 2013

KEYWORDS: Cybersecurity, ICS security, network security, segmentation, isolation, VLAN, overlay network

ABSTRACT
This paper is divided into three broad sections. First we present an overview of Industrial Control Systems (ICS) security issues and trends and how these affect water / wastewater environments. This introductory section provides examples of ICS networks and illustrates design vulnerabilities. Second we discuss standards from ISA (ISA TR), the Trusted Computing Group (Metadata for ICS Security), and the Internet Engineering Task Force (Host Identity Protocol) that focus on a specific issue in ICS security: how to efficiently and flexibly enable private, secure communications for ICS devices over untrusted large-scale networks. We discuss how these standards relate to one another and their importance in providing a basis for interoperable product solutions. In the third section we present features of a network segmentation product based on these standards. This product has been deployed in a county water / wastewater utility. We present the water / wastewater network segmentation design and discuss the benefits of solutions based on these standards and technology.

Introduction
The world's critical infrastructure is exposed, vulnerable, and fragile [1]. From the top floor to the shop floor there is a growing awareness that all is not quiet on the industrial cybersecurity front. On a daily basis we are reminded of the threat of targeted attacks on critical infrastructure. Additionally, researchers are finding thousands of ICS systems directly connected to the Internet. Beyond targeted attacks, many experts believe the greatest threat vectors to ICS systems are vanilla malware and internal (accidental and intentional) incidents [2].

We desperately need standards-based tools to help us manage the connectivity and security risks that result from adding ever-increasing levels of connectivity. Standards from ISA, TCG, and IETF taken together provide a compelling architecture and specification for constraining connectivity to the absolute minimum through a process known as network segmentation. This architecture allows a common core network infrastructure to be divided into tightly constrained zones, with policy-enforced conduits of connectivity between the zones. When implementing a network segmentation architecture for industrial networking, the design must focus on robustness, reliability, and security. New commercial products are now available that implement advanced network segmentation capabilities, with a novel delegated approach to managing and supporting ICS network environments. This dual view can bridge the cultural divide that often separates operational and IT organizations within an Enterprise.

[1] Langner, R.; Robust Control System Networks; Momentum Press.
[2] Macaulay, T. and Singer, B.; Cybersecurity for Industrial Control Systems; CRC Press, 2011.

The evolving threat landscape for ICS
A variety of threat actors with a wide variety of motives makes the risk of loss of control and loss of view very real for water and wastewater organizations.

[Figure 1: 2010 Reported incident types (RISI)]
[Figure 2: 2010 Reported incidents by industry (RISI)]
[Figure 3: Reported ICS vulnerabilities [3][4]]

[3] Data: ICS and US CERT Advisories.
[4] McBride, S.; Documenting the Lost Decade.

Standards-based architecture for network segmentation
The ISA TR architecture is titled Backhaul Architecture Model: Secured Connectivity over Untrusted or Trusted Networks [5], and describes an overlay network concept that leverages shared network infrastructure to create isolated network environments for distributed components of a control system that need to communicate with one another. These overlay networks are logical constructs that can be used to enforce principles of least-privilege communications across network trust boundaries. These overlay networks map directly to the ISA 99 notion of zones.

[Figure 4: The ISA private overlay network architecture. Labelled elements: CMDB, Web Application, Shared IP Network Infrastructure, Secure Network Management System, three NSAs, Security Boundary, Private Overlay Network, HMI & PLC, HMI, Server, Valve Controller]

In Figure 4, the orange line denotes a security boundary across which no communications are allowed. The green circles in Figure 4 represent Network Security Appliances (NSAs), called Backhaul Interfaces in the ISA TR nomenclature, that create the private overlay network. The database cylinder in Figure 4 represents a Configuration Management Database (CMDB) specifically for distributing policy and network configuration for private overlay network functionality. Along with the TCG IF-MAP base specification [6], the IF-MAP Metadata for ICS Security specification [7] specifically addresses the CMDB component in the ISA TR architecture. The TCG specifications define a publish-subscribe semantic to deliver network and policy configuration data to the network security appliances in network real time. When the CMDB is coupled with a web-based user interface, a comprehensive Secure Network Management System provides complete lifecycle management of the NSAs and the private overlay networks. The ISA TR model specifies that the NSAs shall implement a data caching model for the configuration and policy data so that they can continue to function and apply policies in the event that the CMDB becomes unavailable.

[5] ISA Website
[6] TCG Website
[7] TCG Website

The NSA maintains a network link presence on two or more networks. One NSA link is to the local control system equipment, either directly connected to a single piece of equipment or connected via intermediate network switches and/or other infrastructure. A second NSA link is to the shared network infrastructure. The NSA can maintain additional network links to the shared network infrastructure, e.g. for different network media (802.3, GSM) or for link bonding to provide failover connectivity to the shared network.

[Figure 5: Secure communications with CMDB. Labelled elements: CMDB, Web Application, Shared IP Network Infrastructure, HMI, Server; the links to the CMDB are marked HTTPS / SOAP]

The NSA connects to the CMDB to obtain its network security policy configuration. In order to maintain the integrity and confidentiality of this configuration data, communications with the CMDB shall be authenticated and encrypted. As shown in Figure 5, and described in the TCG IF-MAP Metadata for ICS Security Specification, NSA-to-CMDB communications are secured using an HTTPS/SOAP communications protocol. Furthermore, the CMDB shall mutually authenticate clients using PKI and only permit authorized clients to connect. The configuration and policy data stored in the CMDB shall follow the TCG IF-MAP Metadata for ICS Security Specification. The manipulation of the configuration and policy data occurs through the Administrative Application. The connection between the Administrative Application and the CMDB shall be secured using HTTPS communications, as shown in Figure 5. The Administrative Application shall enforce user authentication policies to restrict access to the Administrative Application.

As shown in Figure 6, in response to communications from a local to a remote control system component, the NSA establishes an encrypted tunnel between the respective pair of NSAs, based on the unique cryptographic identities within each NSA. Since the NSA encrypts communications, the communications of the control system components are hidden from the shared network and protected against network attacks. The encapsulation and encryption of communications between control system components within the overlay network is depicted in Figure 6, and further described in the HIP VPLS document [8].

[Figure 6: Encapsulation of control systems communications over shared network]

[8] IETF Website

The NSA shall be transparent to the existing control system components, yet the NSA shall never allow control system communications to route across the NSA and enter the shared network, and vice versa. The NSA shall not communicate on the local control system network, but shall present to the local systems a virtual wired connection to the remote control system components, as allowed by policies stored in the CMDB. Since the control system communications are isolated from the shared network, their IP address configuration is independent of the shared network IP address space. If the shared network changes and the NSAs obtain different shared network IP addresses, the control system components can retain their own independent IP addresses. From the private overlay network perspective, the NSA acts as a transparent bridge to remote overlay network devices or segments. The private overlay network appears as a single IP broadcast domain to the ICS components. This property allows control system components to use protocols (e.g. broadcast and multicast) that are difficult to manage on the shared network.

Secure communications example
As an example, consider the HMI and Server in Figure 6. When the HMI wants to communicate with the Server, the HMI sends out an ARP Request for the Server. The ARP Request asks the question: what is the MAC address of the device with the Server's IP address? Since the ARP Request is a broadcast packet, all local devices see this packet. When the NSA connected to the HMI sees this ARP Request, the NSA creates an Encrypted Tunnel to the remote NSA, encapsulates and encrypts the ARP Request, and sends the Encapsulated Packet to the remote NSA over the Shared Network.

The NSA connected to the Server decrypts and extracts the ARP Request and sends it out on the local network segment connected to the Server. The packet appears on the local network segment as a broadcast packet and therefore the Server sees the ARP Request. The Server responds to the ARP Request with a unicast ARP Reply. This ARP Reply is delivered to the NSA on the local network segment. The NSA encrypts and encapsulates the ARP Reply and sends it to the remote NSA over the Shared Network. The NSA connected to the HMI then decrypts and extracts the ARP Reply and sends it out on the local network segment as a unicast packet to the HMI. At this point IP traffic continues to flow between the HMI and Server in the same fashion. Any intermediate network switches between the NSA and the local control system equipment perform the task of mapping flows to specific switch ports (this is the function of the switch).

A foundational tool for network segmentation
A commercial implementation of the ISA TR and HIP VPLS architecture models is now available. This product also implements the TCG IF-MAP Metadata for ICS Security specification for the overlay network security policy configurations. Products based on these standards extend the accepted security of VPNs and firewalls with a robust and flexible management layer, which makes the management and security of ICS clear, simple, and easy to use. The ability to delegate administration of different elements of the secure industrial network is a key innovation of advanced network segmentation products. Delegation allows an Enterprise to provide secure private networks as an internal managed service. Administrators create individual private networks in response to requests from internal user groups (e.g. operations).
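A toy model of the overlay bridging and policy caching described in the two sections above (the CMDB caching rule and the HMI-to-Server ARP walk-through), added here as an illustration; it is not the paper's or Asguard Networks' code. The names Cmdb, Nsa, Frame and arp_exchange, the MAC and IP values, and the SHA-256/HMAC construction standing in for the HIP/ESP tunnel are all assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    src: str        # source MAC
    dst: str        # destination MAC; BROADCAST for an ARP Request
    payload: bytes  # e.g. b"ARP who-has 192.168.10.2" (constructed)

class Cmdb:
    """Overlay membership (the ISA 99 zones) published to NSAs; available=False simulates an outage."""
    def __init__(self, overlays):
        self.overlays = overlays   # overlay name -> set of NSA identities
        self.available = True

    def peers_of(self, nsa_id):
        if not self.available:
            raise ConnectionError("CMDB unreachable")
        # every NSA that shares at least one overlay with nsa_id
        return {p for m in self.overlays.values() if nsa_id in m for p in m - {nsa_id}}

def tunnel_key(a, b):
    # Constructed stand-in for the pairwise key a HIP base exchange would derive.
    return hashlib.sha256(b"psk:" + "|".join(sorted((a, b))).encode()).digest()

def _xor(key, nonce, data):
    # SHA-256 in counter mode as a keystream; the same call encrypts and decrypts.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, ks))

def seal(key, data):
    # Toy encrypt-then-MAC standing in for the HIP/ESP tunnel: the shared
    # network sees only a nonce, ciphertext and an integrity tag.
    nonce = os.urandom(16)
    ct = _xor(key, nonce, data)
    return nonce, ct, hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, nonce, ct, tag):
    # Plaintext, or None when the tag does not verify (tampering or wrong key).
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return _xor(key, nonce, ct) if hmac.compare_digest(tag, expect) else None

class Nsa:
    """Network Security Appliance: one link to the local control segment, one to
    the shared network. Frames are bridged only to overlay peers."""
    def __init__(self, nsa_id, cmdb, shared):
        self.id, self.cmdb, self.shared = nsa_id, cmdb, shared
        shared[nsa_id] = self                 # the shared network: NSA id -> Nsa
        self.peers, self.mac_table = set(), {}  # cached CMDB policy; remote MAC -> peer NSA
        self.local_out, self.dropped = [], []   # frames emitted locally; rejected senders

    def refresh_policy(self):
        try:
            self.peers = self.cmdb.peers_of(self.id)
        except ConnectionError:
            pass                  # TR caching model: keep the last-known policy

    def local_ingress(self, frame):
        if frame.dst == BROADCAST:            # a local device sent this frame
            targets = set(self.peers)                 # flood to every overlay peer
        else:                                         # unicast: only to a learned peer
            targets = {self.mac_table[frame.dst]} if frame.dst in self.mac_table else set()
        for peer in targets:                          # local-only traffic never leaves
            self.send_tunnel(peer, frame)

    def send_tunnel(self, peer, frame):
        wire = f"{frame.src}|{frame.dst}|".encode() + frame.payload
        nonce, ct, tag = seal(tunnel_key(self.id, peer), wire)
        self.shared[peer].shared_ingress(self.id, nonce, ct, tag)

    def shared_ingress(self, sender, nonce, ct, tag):
        # An encapsulated packet arrived over the shared network.
        data = unseal(tunnel_key(sender, self.id), nonce, ct, tag) if sender in self.peers else None
        if data is None:                              # outside my overlay, or tampered
            self.dropped.append(sender)
            return
        src, dst, payload = data.split(b"|", 2)
        frame = Frame(src.decode(), dst.decode(), payload)
        self.mac_table[frame.src] = sender            # learn where that MAC lives
        self.local_out.append(frame)                  # plaintext only on the local link

def arp_exchange(cmdb_available=True):
    """Replays the paper's HMI -> Server ARP example (constructed identities)."""
    shared = {}
    cmdb = Cmdb({"SCADA": {"nsa-hmi", "nsa-server"}, "Contractor": {"nsa-contractor"}})
    nsas = [Nsa(i, cmdb, shared) for i in ("nsa-hmi", "nsa-server", "nsa-contractor")]
    for nsa in nsas:
        nsa.refresh_policy()                          # initial policy download
    cmdb.available = cmdb_available
    for nsa in nsas:
        nsa.refresh_policy()                          # later refresh; may hit an outage
    hmi, srv = "00:11:22:33:44:01", "00:11:22:33:44:02"
    nsas[0].local_ingress(Frame(hmi, BROADCAST, b"ARP who-has 192.168.10.2"))
    nsas[1].local_ingress(Frame(srv, hmi, b"ARP reply 192.168.10.2 is-at " + srv.encode()))
    return nsas
```

The HMI's broadcast ARP Request reaches only the Server's segment, the unicast reply returns through the learned MAC table, and the exchange still completes with `cmdb_available=False` because each NSA applies its cached policy; `shared_ingress` drops any sender the cached policy does not list before attempting decryption.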
A private overlay network is created simply by giving the network a unique name in the Enterprise environment and assigning the private overlay network to the operations group. The operators of the control system components are now able to control the configuration of their device connectivity, independent of the underlying network. Operators are delegated to manage the configuration of the control system components inside this network, and the security policy configuration governing connectivity between the control system components. While the operators have their own secure private network sandbox, the Administrators maintain governance and oversight of the entire solution.

A Water / Wastewater implementation of network segmentation
A county water utility in Florida has a shared county public safety network to provide robust, highly available IP network communications for a variety of users. The public safety network is a combination of an ISP-provided MPLS WAN with redundant links tied to a microwave mesh backhaul. One user of this network is the water and wastewater operations SCADA network. The SCADA network is implemented as a VLAN within the public safety network, with seamless failover between the ISP and microwave backhaul.

With the proliferation of users and services within the public safety network, and the addition of value-add IT services appearing within the SCADA network, the SCADA manager became concerned with the effectiveness of VLAN segregation for the water/wastewater SCADA systems. In order to achieve an additional level of isolation and security, the utility was seeking a network segmentation solution that leverages the existing public safety network. As shown in Figure 7, the utility deployed NSAs at the SCADA Operations center and at each of their remote sites and lift stations. They also deployed an NSA to connect Corporate Visboards to the Master Historian. Another requirement was a method of constraining Contractor access to local and remote ICS equipment. Three private overlay networks were implemented on top of the public safety network. The security policies and ICS network configurations are managed by the Secure Network Management System.

[Figure 7: Water / Wastewater plants leverage a shared Public Safety Network for secure communications. Overlays: SCADA Overlay (S), Visboards Overlay (V), Contractor Overlay (C). Labelled elements: Water Plant Control, Water Plant Contractor, NW Switch, NE Switch, Master Historian, Secondary Historian, Engineering Workstation, Public Safety Network, Secure Network Management System]

Summary
Stuxnet was a watershed event that focused the world's attention on Industrial Control Systems. Since ICS were often deployed in air-gapped environments, their vulnerable-by-design attributes were largely ignored. Stuxnet showed that an air gap is not secure, and that increased connectivity results in a larger attack surface for ICS. With all the media attention, vulnerabilities are being disclosed at staggering rates, and ICS vendors are slow to catch up.

Best practices suggest that comprehensive risk management, tied to a defense-in-depth cybersecurity implementation, is the appropriate approach for securing ICS. Network segmentation is a foundational building block of a defense-in-depth, layered security implementation. Standards from ISA are focusing on network segmentation because it can be used to reduce connectivity for ICS to the absolute minimum, and to protect that connectivity over shared network infrastructures. Additional standards from IETF and TCG describe how these segmented networks can be efficiently managed at scale. Standards-based commercial network segmentation products are now available that not only decouple and secure the ICS communications from a shared network, but also decouple the management of the ICS systems from the management of the shared network. This approach to delegated management makes it possible for an enterprise to deploy secure private networks as an internal service. A case study has been presented in which a water utility in Florida added an additional layer of security to their SCADA network. The SCADA network continues to leverage a robust public safety network, while remaining isolated and secured from that network. The resulting environment reduces the connectivity of the SCADA components to an absolute minimum.

List of Acronyms:
CMDB... Configuration Management Database
HMI... Human Machine Interface
IETF... Internet Engineering Task Force
ICS... Industrial Control System
ISA... International Society of Automation
NSA... Network Security Appliance
PKI... Public Key Infrastructure
PLC... Programmable Logic Controller
RTU... Remote Terminal Unit
RISI... Repository for Industrial Security Incidents
SCADA... Supervisory Control and Data Acquisition
TCG... Trusted Computing Group
VPN... Virtual Private Network
VLAN... Virtual Local Area Network

David Mattes is the founder and CTO of Asguard Networks. David founded Asguard Networks to create products that address the challenge of managing connectivity and information security for Industrial Control Systems (ICS). Prior to Asguard Networks, David spent 13 years in Boeing's R&D organization. At Boeing, David focused on ICS security issues, particularly on the challenge of segmenting connectivity for ICS devices into private networks and securely connecting them to and through Boeing's Enterprise networks. David can be contacted at mattes@asguardnetworks.com.
More informationSecure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment
Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment Introduction 1 Distributed SCADA security 2 Radiflow Defense-in-Depth tool-set 4 Network Access
More informationOverview of Routing between Virtual LANs
Overview of Routing between Virtual LANs This chapter provides an overview of virtual LANs (VLANs). It describes the encapsulation protocols used for routing between VLANs and provides some basic information
More informationTrustNet Group Encryption
TrustNet Group Encryption Executive Summary Protecting data in motion has become a high priority for a growing number of companies. As more companies face the real and growing threat of data theft, along
More informationWHITE PAPER. Network Virtualization: A Data Plane Perspective
WHITE PAPER Network Virtualization: A Data Plane Perspective David Melman Uri Safrai Switching Architecture Marvell May 2015 Abstract Virtualization is the leading technology to provide agile and scalable
More informationNetwork Security Guidelines. e-governance
Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type
More informationLatest IT Exam Questions & Answers
DumpKiller Latest IT Exam Questions & Answers http://www.dumpkiller.com No help, Full refund! Exam : 210-260 Title : Implementing Cisco Network Security Vendor : Cisco Version : DEMO 1 NO.1 Which address
More informationFirewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA
Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..
More informationAccess Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL
AU7087_C013.fm Page 173 Friday, April 28, 2006 9:45 AM 13 Access Control The Access Control clause is the second largest clause, containing 25 controls and 7 control objectives. This clause contains critical
More informationSteelcape Product Overview and Functional Description
Steelcape Product Overview and Functional Description TABLE OF CONTENTS 1. General Overview 2. Applications/Uses 3. Key Features 4. Steelcape Components 5. Operations Overview: Typical Communications Session
More informationSecuring Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.
Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources
More informationSTRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview
STRATEGIC WHITE PAPER Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview Abstract Cloud architectures rely on Software-Defined Networking
More informationVPN Technologies: Definitions and Requirements
VPN Technologies: Definitions and Requirements 1. Introduction VPN Consortium, January 2003 This white paper describes the major technologies for virtual private networks (VPNs) used today on the Internet.
More informationLecture 02b Cloud Computing II
Mobile Cloud Computing Lecture 02b Cloud Computing II 吳 秀 陽 Shiow-yang Wu T. Sridhar. Cloud Computing A Primer, Part 2: Infrastructure and Implementation Topics. The Internet Protocol Journal, Volume 12,
More informationUsing ISA/IEC 62443 Standards to Improve Control System Security
Tofino Security White Paper Version 1.2 Published May 2014 Using ISA/IEC 62443 Standards to Improve Control System Security Contents 1. Executive Summary... 1 2. What s New in this Version... 1 3. Why
More informationSecuring Manufacturing Control Networks. Alan J. Raveling, CISSP November 2 nd 5 th Pack Expo 2014
Securing Manufacturing Control Networks Alan J. Raveling, CISSP November 2 nd 5 th Pack Expo 2014 As Internet-enabled technologies such as cloud and mobility grow, the need to understand the potential
More informationDeltaV System Cyber-Security
January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...
More informationCritical Infrastructure Product Entrepreneurial Leadership Award Company of the Year Award
2013 2014 2014 North 2013 American North Perimeter American Network SSL Certificate Security Solutions in Critical Infrastructure Product Entrepreneurial Leadership Award Company of the Year Award Background
More informationPolicy Based Networks in Process Control Design and Deployment Techniques. Steve Hargis Enterasys Networks
Policy Based Networks in Process Control Design and Deployment Techniques Steve Hargis Enterasys Networks The Evolving Process Control Network Significant increase in use (and dependencies) on standards-based
More informationScalable Secure Remote Access Solutions
Scalable Secure Remote Access Solutions Jason Dely, CISSP Principal Security Consultant jdely@ra.rockwell.com Scott Friberg Solutions Architect Cisco Systems, Inc. sfriberg@cisco.com Jeffrey A. Shearer,
More informationCS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module
CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human
More informationTCG Trusted Network Connect IF-MAP Metadata for ICS Security. Document Draft Comments. Prepared by Joseph J. Januszewski, III, CISSP
TCG Trusted Network Connect IF-MAP Metadata for ICS Security Document Draft Comments Prepared by Joseph J. Januszewski, III, CISSP Comments Januszewski Page 1 Page vi: Although the document is concerned
More informationSCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005
SCADA System Security ECE 478 Network Security Oregon State University March 7, 2005 David Goeke Hai Nguyen Abstract Modern public infrastructure systems
More informationWireless Process Control Network Architecture Overview
Wireless Process Control Network Architecture Overview Industrial Wireless Networks Gain Acceptance In Plant Floors By: Soroush Amidi, Product Manager and Alex Chernoguzov, Wireless Architect Wireless
More informationITL BULLETIN FOR JANUARY 2011
ITL BULLETIN FOR JANUARY 2011 INTERNET PROTOCOL VERSION 6 (IPv6): NIST GUIDELINES HELP ORGANIZATIONS MANAGE THE SECURE DEPLOYMENT OF THE NEW NETWORK PROTOCOL Shirley Radack, Editor Computer Security Division
More informationNetwork System Design Lesson Objectives
Network System Design Lesson Unit 1: INTRODUCTION TO NETWORK DESIGN Assignment Customer Needs and Goals Identify the purpose and parts of a good customer needs report. Gather information to identify network
More informationTop-Down Network Design
Top-Down Network Design Chapter Five Designing a Network Topology Copyright 2010 Cisco Press & Priscilla Oppenheimer Topology A map of an internetwork that indicates network segments, interconnection points,
More informationMOC 6435A Designing a Windows Server 2008 Network Infrastructure
MOC 6435A Designing a Windows Server 2008 Network Infrastructure Course Number: 6435A Course Length: 5 Days Certification Exam This course will help you prepare for the following Microsoft exam: Exam 70647:
More informationEnterprise A Closer Look at Wireless Intrusion Detection:
White Paper Enterprise A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model Josh Wright Senior Security Researcher Introduction As wireless enterprise networks become
More informationNetworked AV Systems Pretest
Networked AV Systems Pretest Instructions Choose the best answer for each question. Score your pretest using the key on the last page. If you miss three or more out of questions 1 11, consider taking Essentials
More informationOPC & Security Agenda
OPC & Security Agenda Cyber Security Today Cyber Security for SCADA/IS OPC Security Overview OPC Security Products Questions & Answers 1 Introduction CYBER SECURITY TODAY The Need for Reliable Information
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationEnterprise Data Protection
PGP White Paper June 2007 Enterprise Data Protection Version 1.0 PGP White Paper Enterprise Data Protection 2 Table of Contents EXECUTIVE SUMMARY...3 PROTECTING DATA EVERYWHERE IT GOES...4 THE EVOLUTION
More informationSecurely Connect, Network, Access, and Visualize Your Data
Securely Connect, Network, Access, and Visualize Your Data 1 Who is Skkynet? Skkynet is the Parent company of; - Cogent Real-Time Systems Established in 1994 Focus on Industrial Automation software Cogent
More informationSecurity Orchestration with IF-MAP
Security Orchestration with IF-MAP Gary Holland, Lumeta/IMRI 2 November 2011 Copyright 2010 Trusted Computing Group Agenda Threat Landscape and Federal Networks Trusted Network Connect Explanation of IF-MAP
More informationA Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model
A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model Table of Contents Introduction 3 Deployment approaches 3 Overlay monitoring 3 Integrated monitoring 4 Hybrid
More informationOptimizing and Securing an Industrial DCS with VMware
Optimizing and Securing an Industrial DCS with VMware Global Process Automation deploys a new DCS using VMware to create a secure and robust operating environment for operators and engineers. by Doug Clarkin
More informationCoIP (Cloud over IP): The Future of Hybrid Networking
CoIP (Cloud over IP): The Future of Hybrid Networking An overlay virtual network that connects, protects and shields enterprise applications deployed across cloud ecosystems The Cloud is Now a Critical
More informationInfor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
More informationNetwork Security. A Quick Overview. Joshua Hill josh-web@untruth.org http://www.untruth.org
Network Security A Quick Overview Joshua Hill josh-web@untruth.org http://www.untruth.org Security Engineering What is Security Engineering? "Security Engineering is about building systems to remain dependable
More informationJK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA
JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates
More informationA Presentation at DGI 2014 Government Cloud Computing and Data Center Conference & Expo, Washington, DC. September 18, 2014.
A Presentation at DGI 2014 Government Cloud Computing and Data Center Conference & Expo, Washington, DC September 18, 2014 Charles Sun www.linkedin.com/in/charlessun @CharlesSun_ 1 What is SDN? Benefits
More informationNetwork Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion
Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann
More informationMeeting the Cybersecurity Standards of ANSI/ISA 62443 with Data Diodes
Meeting the Cybersecurity Standards of ANSI/ISA 62443 with Data Diodes Dennis Lanahan June 1, 2015 Securing the convergence of OT and IT with ST 1 Introduction to Owl US US Owned and & Operated Product
More informationIT Security and OT Security. Understanding the Challenges
IT Security and OT Security Understanding the Challenges Security Maturity Evolution in Industrial Control 1950s 5/4/2012 # 2 Technology Sophistication Security Maturity Evolution in Industrial Control
More informationDesign and Implementation Guide. Apple iphone Compatibility
Design and Implementation Guide Apple iphone Compatibility Introduction Security in wireless LANs has long been a concern for network administrators. While securing laptop devices is well understood, new
More informationSonicWALL Check Point Firewall-1 VPN Interoperability
SonicWALL Check Point Firewall-1 VPN Interoperability A Tech Note prepared by SonicWALL, Inc. SonicWALL, Inc. 1160 Bordeaux Drive Sunnyvale, CA 94089-1209 1-888-557-6642 http://www.sonicwall.com Introduction
More informationVirtual Private Networks Secured Connectivity for the Distributed Organization
Virtual Private Networks Secured Connectivity for the Distributed Organization FORTINET VIRTUAL PRIVATE NETWORKS PAGE 2 Introduction A Virtual Private Network (VPN) allows organizations to securely connect
More information