RuggedCom Solutions for NERC CIP Compliance




RuggedCom Solutions for NERC CIP Compliance Rev 20080401 Copyright RuggedCom Inc. 1

RuggedCom Solutions
- Hardware: Ethernet Switches, Routers, Serial Server, Media Converters, Wireless
- Software: Embedded Software, Application Software, Network Management Software, NERC-CIP Cyber Security Solution
- Services: Professional Services, Training, Support
Most Complete Line of Rugged Communications Devices

Architecture Example (diagram)

The RuggedRouter RX1000/1100: Industrially Hardened Cyber Security Appliance
- Integrated Router/Firewall/VPN
- Rugged Operating System on Linux (ROX)
- Wide operating temperature range: -40 to +85 °C (no fans)
- High immunity to EMI: meets or exceeds IEC 61850-3, IEEE 1613, NEMA TS-2 and more
- Integrated power supplies: low and high voltage ranges with true (N+1) redundancy option
- RuggedRated for harsh environments
- Modular: various types and configurations of interface ports
- 5 year warranty

RX1000 / RX1100 Key Router Features
Security Appliance Functions
- Integrated Router/Firewall/VPN
- Stateful firewall with NAT
- Full IPsec Virtual Private Networking (VPN) with 3DES, DES, AES (of these, only AES is a sound choice today; DES is broken and 3DES is a legacy cipher)
- IDS
- Security Gateway (Gauntlet)
Protocols
- WAN: Frame Relay, PPP, PAP and CHAP authentication, PPPoE
- IP: routing, RIP/RIPv2, OSPF, DHCP agent
- Traffic shaping and policing
Management Tools
- Web-based GUI, SSH, CLI (command line interface)
- SNMP v2/v3 (only v3 authenticates and encrypts management traffic; v2c sends community strings in the clear)
- Remote syslog
- Rich set of diagnostics with logging and alarming

Product Basket: 19" Rack Mount Switches (product photos)

Product Basket: DIN-Rail and Small Form Factor Ethernet Switches (product photos)

Product Basket: Serial Servers (product photos)

Rugged Operating System (ROS)
- Zero collisions: IEEE 802.3x full duplex operation
- Priority queuing: IEEE 802.1p for high-priority real-time control
- VLAN: IEEE 802.1Q for isolating real-time traffic
- Enhanced IEEE 802.1D-2004 Rapid Spanning Tree for fast fault recovery
- IGMP snooping for multicast filtering and management
- Cyber security: multi-level passwords, SSH/SSL encryption, enable/disable ports, 802.1X port security, RADIUS
- Network management, including SNMPv3, RMON, port mirroring
- Rich set of diagnostic tools
- Common firmware across all managed switches
ROX: ROS on Linux, with all the security features of Linux.
ROS and ROX are designed for real-time control and mission critical applications.

Switch Security Features
- Multilevel user passwords: secures the switch against unauthorized configuration
- SSH / SSL encryption: encryption of passwords and data as they cross the network
- Enable / disable ports: disable ports so that traffic cannot pass
- 802.1Q VLAN (Virtual Local Area Network): logically segregate traffic between predefined ports on switches
- MAC-based port security: secure ports so only specific devices / MAC addresses can communicate via that port
- 802.1X port-based network access control: lock ports to allow only authorized clients to communicate via the port
- RADIUS: centralized password management
- SNMPv3: encrypted authentication and access security

RuggedCom Integrated Solutions: Our Partners
Teltone Gauntlet Security Gateway functionality
- Dynamically builds firewall rules for user access
- Controls access to devices within the security perimeter
- NERC CIP event logging
Industrial Defender IDS
- Management console (SEM)
- IDS signature management
- Intrusion event logging
- Network health monitoring
- Auditing
RuggedCom, Teltone, Industrial Defender: a single solution with a single point of contact for sales, implementation and support.

RuggedCom Gauntlet
- Virtual Polling Controller (software component): secure user access to the Command and Control Center
- Second software component: tools for administration of substation devices, user credentials, Gateway port security, and Router security
- Gauntlet Gateway (hardware component): line sharing switch with security enhancements
- RuggedRouter RX1100 (hardware component): IP router with firewall and authentication capability
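The two Gauntlet slides above describe a gateway that denies access by default, builds firewall rules dynamically once a user has been authorized to reach a specific device, and writes a NERC CIP event log of every decision. The following is an added illustrative model of that mechanism, written for this page; it is not Gauntlet's or RuggedCom's code, and the device inventory, role table, addresses, and the iptables-save style rule text it emits are all constructed for the example.

```python
"""Session-based, default-deny access gateway (added illustrative model).

A user first authenticates to the gateway; only then is a narrowly scoped allow
rule created for that user's source address to one device inside the Electronic
Security Perimeter, with an expiry time. Every grant, denial, revocation and
expiry is appended to an audit log so the who/when/which-device record exists.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed inventory: device name -> (address, permitted TCP port).
DEVICES = {
    "relay-1": ("10.10.1.11", 102),    # IEC 61850 MMS
    "rtu-1":   ("10.10.1.21", 20000),  # DNP3
    "meter-1": ("10.10.2.31", 502),    # Modbus/TCP
}

# Constructed role table: which devices each role may reach.
ROLE_ACCESS = {
    "protection-eng": {"relay-1", "rtu-1"},
    "metering":       {"meter-1"},
}


@dataclass
class Session:
    user: str
    src_ip: str
    device: str
    expires: datetime


@dataclass
class AccessGateway:
    role_of: dict                       # user -> role (stands in for a directory lookup)
    session_ttl: timedelta = timedelta(minutes=30)
    sessions: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, now, event, user, src_ip, device):
        self.audit.append(f"{now.isoformat()} {event} user={user} src={src_ip} device={device}")

    def open_session(self, now, user, src_ip, device):
        """Grant access only if the user's role permits that device; deny otherwise."""
        role = self.role_of.get(user)
        if role is None or device not in ROLE_ACCESS.get(role, set()):
            self._log(now, "DENY", user, src_ip, device)
            return False
        self.sessions.append(Session(user, src_ip, device, now + self.session_ttl))
        self._log(now, "GRANT", user, src_ip, device)
        return True

    def revoke_user(self, now, user):
        """Administrator-initiated revocation: drop every live session of a user."""
        removed = [s for s in self.sessions if s.user == user]
        self.sessions = [s for s in self.sessions if s.user != user]
        for s in removed:
            self._log(now, "REVOKE", s.user, s.src_ip, s.device)
        return len(removed)

    def expire(self, now):
        """Drop sessions whose TTL has passed, logging each one."""
        for s in self.sessions:
            if s.expires <= now:
                self._log(now, "EXPIRE", s.user, s.src_ip, s.device)
        self.sessions = [s for s in self.sessions if s.expires > now]

    def ruleset(self, now):
        """Render the firewall: one allow per live session, then log-and-drop everything else."""
        self.expire(now)
        rules = []
        for s in self.sessions:
            addr, port = DEVICES[s.device]
            rules.append(f"-A FORWARD -s {s.src_ip} -d {addr} -p tcp --dport {port} -j ACCEPT")
        rules.append("-A FORWARD -j LOG --log-prefix 'ESP-DENY '")
        rules.append("-A FORWARD -j DROP")
        return rules


def demo():
    """Walk through grant, denial, revocation and expiry on constructed users."""
    gw = AccessGateway(role_of={"alice": "protection-eng", "bob": "metering"})
    t0 = datetime(2008, 4, 1, 9, 0, tzinfo=timezone.utc)
    granted = gw.open_session(t0, "alice", "192.0.2.10", "relay-1")   # role permits relay-1
    denied = gw.open_session(t0, "bob", "192.0.2.20", "relay-1")      # metering role: denied
    rules_live = gw.ruleset(t0)                                       # 1 allow + log + drop
    revoked = gw.revoke_user(t0, "alice")                             # admin revocation
    rules_revoked = gw.ruleset(t0)                                    # log + drop only
    gw.open_session(t0, "alice", "192.0.2.10", "relay-1")
    rules_expired = gw.ruleset(t0 + timedelta(hours=1))               # TTL passed: auto-removed
    return granted, denied, rules_live, revoked, rules_revoked, rules_expired, gw.audit


if __name__ == "__main__":
    *_, audit = demo()
    print("\n".join(audit))
```

The important property is the order of the rendered rules: the per-session ACCEPT lines are the only way through, and the LOG/DROP pair at the end is what makes the perimeter "denied by default" while still producing the access-attempt evidence the CIP-005 monitoring requirements ask for.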

Industrial Defender with RX1100 (diagram)

The RuggedCom / Industrial Defender / Gauntlet Solution (diagram)

NERC CIP Compliance: NERC CIP category, standard number, and product feature

User Access and Passwords
  Standards: CIP-004-1: R4, 4.1, 4.2; CIP-005-1: R2.1, R2.4; CIP-007-1: R5, 5.1, 5.2, 5.3
  Features: individual user accounts and passwords; required strong passwords, one-time-use passwords, expiring passwords, etc.; digital security packages; strong two-factor authentication

Access Control Management
  Standards: CIP-003-1: R5, 5.1, 5.1.1; CIP-005-1: R2.1, R2.4
  Features: centralized administration; individual administration accounts and passwords; comprehensive reports (lists of users, assets, access points, etc.)

Electronic Security Perimeter
  Standards: CIP-005-1: R1, 1.1-1.6; R2, 2.1-2.6; R3, 3.1-3.2; CIP-007-1: R2, 2.1-2.2
  Features: secure access points (Gauntlet Gateway and RX1100); access denied by default; technical control methods (2-factor authentication, etc.); electronic access monitoring and logging; appropriate use banners

Network / Routing Security
  Standards: CIP-005-1: R2, 2.1, 2.2, 2.4; CIP-007-1: R2, 2.1-2.3
  Features: enable/disable Ethernet ports / services; firewall / VPN; IP access control; 802.1X port security / 802.1Q VLAN; intrusion detection system

Dial-up Security
  Standards: CIP-005-1: R1.2, R2.3, R3.1
  Features: secure dial-up modem access control, monitoring and logging

Logs, Reports and Audit Resources
  Standards: CIP-003-1: R5, 5.1, 5.1.1, R6; CIP-004-1: R4, 4.1; CIP-005-1: R1, 1.6, R2, 2.5, R3, R5; CIP-007-1: R3.1, R5.1.2, R6, R9; CIP-008-1: R2
  Features: comprehensive reports; searchable database; detailed access logs with user, port and connection information; user, administrator, asset and access point lists; NERC CIP auto audit report; cyber incident reports

Employee Termination / User Rights Revocation
  Standards: CIP-004: R4, 4.1, 4.2
  Features: account / security credential expiration; administrator-initiated user rights revocation; suspended user accounts

Alerts and Notifications
  Standards: CIP-005: R3.2; CIP-007: R6.2
  Features: configurable system alert email messages; unauthorized access attempt notification; system lockout / system error notification

Security Patch Management
  Standards: CIP-007: R3, 3.1
  Features: published security patch scrubs; remote upgrades and auto-update

Malicious Software Prevention
  Standards: CIP-007-1: R4, 4.1-4.2
  Features: anti-virus software included on RX1100; IDS system (future)


Securing the Substation LAN

Securing the Substation Network: Enable / Disable Ports
Disable unused ports on switches and routers.

Securing the Substation Network: VLAN (IEEE 802.1Q)
(Diagram: a substation computer and IED 1 through IED 8 split across VLAN 1 and VLAN 2, separating the real-time control IEDs, e.g. relays and RTUs, from the data collection IEDs, e.g. meters and DFRs.)
VLANs allow segregation of IEDs based on security and real-time traffic requirements.

Securing the Substation Network: Port-Based Security
The ability to secure ports on a switch so only specific devices / MAC addresses can communicate via that port. This locks the port on the switch to a specific IED.
Note: it is easy to spoof MAC addresses with a typical PC, so MAC-based port security on its own does not prove that the authorized IED is the device on the port. To use this capability effectively, a network monitoring solution should watch for port status changes (a link-down/link-up cycle, or a port-security violation, on a port that should carry one fixed IED) and raise an alert on them.
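The note above says that MAC-based port security needs a monitor watching for port status changes, because a swapped device produces a link cycle even when the attacker spoofs the MAC. The following added example, written for this page and not part of the original deck, shows that detection logic run over a few constructed syslog lines. The message format (LINK:, MAC:, SECURITY: prefixes), the port names and the MAC addresses are all invented for the example and are not RuggedCom ROS's real log format; the per-port baseline would come from the substation's asset list.

```python
"""Port-state monitor over switch syslog (added example; constructed log format).

The baseline records, per switch port, which IED MAC is expected there, or None
for a spare port that must never come up. Three things are flagged:
  - a link-down/link-up cycle on a port that carries a fixed IED (someone moved the cable),
  - a learned MAC that differs from the baseline,
  - a port-security violation reported by the switch, and link-up on a spare port.
"""
import re
from collections import defaultdict

# Constructed per-port baseline: expected MAC, or None for a port that must stay unused.
BASELINE = {
    "port1": "00:0a:dc:11:22:33",   # IED 1, protection relay
    "port2": "00:0a:dc:11:22:44",   # IED 2, RTU
    "port3": None,                  # spare; should never link up
}

# Constructed log lines in a generic syslog shape: "<timestamp> <host> <message>".
SAMPLE_LOG = """\
Apr 01 09:00:01 sw-sub1 LINK: port1 link up 100M-FD
Apr 01 09:00:02 sw-sub1 MAC: port1 learned 00:0a:dc:11:22:33
Apr 01 09:14:55 sw-sub1 LINK: port1 link down
Apr 01 09:15:07 sw-sub1 LINK: port1 link up 1000M-FD
Apr 01 09:15:08 sw-sub1 MAC: port1 learned 00:1c:42:aa:bb:cc
Apr 01 09:20:00 sw-sub1 LINK: port3 link up 100M-FD
Apr 01 09:21:00 sw-sub1 SECURITY: port2 violation src 00:50:56:01:02:03
"""

TS = r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) "
LINK_RE = re.compile(TS + r"LINK: (?P<port>\S+) link (?P<state>up|down)")
MAC_RE = re.compile(TS + r"MAC: (?P<port>\S+) learned (?P<mac>[0-9a-f:]{17})")
VIOL_RE = re.compile(TS + r"SECURITY: (?P<port>\S+) violation src (?P<mac>[0-9a-f:]{17})")


def analyse(log_text, baseline):
    """Return a list of (timestamp, port, alert) tuples in log order."""
    alerts = []
    downs = defaultdict(int)          # per-port count of link-down events seen so far
    for line in log_text.splitlines():
        m = LINK_RE.match(line)
        if m:
            port, state = m["port"], m["state"]
            if port in baseline and baseline[port] is None and state == "up":
                alerts.append((m["ts"], port, "link up on port that should be unused"))
            if state == "down":
                downs[port] += 1
            elif downs[port]:
                # A down/up pair on a port that carries a fixed IED means someone touched the cable.
                alerts.append((m["ts"], port, "link down/up cycle (possible device swap)"))
            continue
        m = MAC_RE.match(line)
        if m:
            expected = baseline.get(m["port"])
            if expected is not None and m["mac"] != expected:
                alerts.append((m["ts"], m["port"], f"unexpected MAC {m['mac']} (expected {expected})"))
            continue
        m = VIOL_RE.match(line)
        if m:
            alerts.append((m["ts"], m["port"], f"port-security violation from {m['mac']}"))
    return alerts


if __name__ == "__main__":
    for ts, port, msg in analyse(SAMPLE_LOG, BASELINE):
        print(f"{ts} {port}: {msg}")
```

Note that the cable swap on port1 is caught twice, once by the link cycle and once by the new MAC; if the intruder had spoofed the relay's MAC, only the first alert would fire, which is exactly why the link-state check matters more than the MAC check. In practice the same events are also available as SNMP linkDown/linkUp traps, and the baseline should be reviewed whenever an IED is legitimately replaced.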

Securing the Substation Network: 802.1X
With 802.1X, ports can be secured such that credentials from the client device (the supplicant) must be validated before the switch grants network access. A backend authentication server (typically RADIUS) is needed to store these credentials, and each IED must be able to act as a supplicant. With this capability it would not be necessary to disable unused ports, since an unauthenticated device plugged into any 802.1X-controlled port gets no access; disabling them anyway remains a worthwhile defense-in-depth measure.
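Both the RADIUS item on the Switch Security Features slide (centralized password management) and the 802.1X slide above rely on the switch talking to a backend RADIUS server. The following added example, written for this page rather than taken from RuggedCom, shows that exchange at the packet level as defined in RFC 2865: the switch's Access-Request with the User-Password attribute hidden under the shared secret, and the server's Access-Accept or Access-Reject bound to the request by the Response Authenticator. It models the password login case; 802.1X port authentication uses the same packet format but carries EAP-Message attributes instead of User-Password, which are not shown. The shared secret, user table and identifiers are constructed.

```python
"""RADIUS Access-Request / Access-Accept exchange per RFC 2865 (added example).

hide_password implements section 5.2: the password is padded to 16-byte blocks
and each block is XORed with MD5(secret + previous ciphertext block), seeded with
the Request Authenticator. The reply carries a Response Authenticator equal to
MD5(Code + ID + Length + RequestAuth + Attributes + Secret), which the client checks.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Obfuscate a 1..128 byte password for the User-Password attribute."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server does it (trailing NUL padding is stripped)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, including header) Value TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(ident, user, password, secret, req_auth=None):
    """Client (the switch, acting as NAS): fresh random Request Authenticator per request."""
    req_auth = req_auth or os.urandom(16)
    attrs = [(ATTR_USER_NAME, user),
             (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
             (ATTR_NAS_PORT, struct.pack("!I", 1))]
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_respond(request, secret, users):
    """Server: recover the password, check it against the user table, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:]))
    user = attrs.get(ATTR_USER_NAME)
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], pw)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    resp_auth = hashlib.md5(head + req_auth + b"" + secret).digest()
    return head + resp_auth


def verify_response(response, request, secret):
    """Client: accept only replies bound to our request ID and authenticator under our secret."""
    head, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected) and response[1] == request[1]


def demo():
    """Constructed secret and user table; returns (accept code, reject code, reply verified)."""
    secret = b"constructed-shared-secret"
    users = {b"operator": b"C0rrect-h0rse"}
    req = build_access_request(7, b"operator", b"C0rrect-h0rse", secret)
    resp = server_respond(req, secret, users)
    bad = build_access_request(8, b"operator", b"wrong", secret)
    return resp[0], server_respond(bad, secret, users)[0], verify_response(resp, req, secret)


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the code. The User-Password hiding is an MD5 keystream keyed only by the shared secret and a 16-byte nonce, and a plain Access-Request has no integrity check of its own, so RADIUS between the substation switches and the server belongs on the management VLAN or inside the router's IPsec tunnel, never on a network an attacker can sniff. And because the server's reply is bound to the request's identifier and authenticator, a forged Access-Accept replayed from an earlier session will fail verify_response on the switch.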

Thank You!