SecFlow Overview (transcript of a PowerPoint presentation)
SecFlow2013 Slide1
SecFlow Overview
SecFlow2013 Slide2
U&T Target Market Segments
• Utilities – Power, Water, Oil & Gas, Mining
• Transportation – Railways, Motorways, Air Traffic Control, Maritime
SecFlow2013 Slide3
Power Utilities Trends
The communication needs of power utilities are in an evolution phase:
• Migration to packet in various parts of the network:
– Replacement of the SDH/PDH core with Ethernet/IP/MPLS
– Replacement of old substation technology with IEC 61850-based solutions, which consist of an Ethernet "LAN" and packet signaling
– Migration of old SCADA/RTUs from serial to IP-based
• Smart Grid – implementation of Demand Response techniques for improved automation and control of the distribution grid, and deployment of Smart Meters
• Growing need for cyber and physical security solutions
SecFlow2013 Slide4
Challenges of Power Utilities Communication Networks
• Evolution in the substation:
– Migration to PSN in the substation while supporting multiple services
– Teleprotection connectivity over SDH and PSN
– Substation automation and cyber security
• Smart Grid – secured backhaul solutions for Smart Meters
• Growth in bandwidth:
– Transitioning the operational network to PSN while maintaining reliability, security and simplicity
– Clock synchronization over the PSN network
• Product obsolescence – old RTUs and substation communication PDH/SDH multiplexers are out of production and service; however, there is still a need to maintain legacy equipment and the installed base
SecFlow2013 Slide5
Industrial Control Systems
• Industrial control systems are used to monitor and remotely control critical industrial processes:
– SCADA systems
– Distributed Control Systems (DCS)
– Programmable Logic Controllers (PLC)
• Highly distributed
• Geographically separated assets
• Centralized data acquisition and control are critical:
– Oil and gas pipelines
– Electrical power grids
– Railway transportation systems
SecFlow2013 Slide6
SCADA System
• Supervisory Control And Data Acquisition (SCADA) – an industrial measurement and control system. SCADA elements are:
– Central device
• Central Master Station – supervisory system, gathering data on the process and sending action commands
– Remote devices
• Programmable Logic Controller (PLC) and Remote Terminal Unit (RTU) – connect to sensors in the process, convert sensor signals to digital data and send the digital data to the supervisory system
• Intelligent Electronic Devices (IED) – microprocessor-based controllers which monitor and perform proactive functions; designed to support substation automation functions
SecFlow2013 Slide7
Supervisory Control and Data Acquisition (SCADA), System Overview
Source: http://en.wikipedia.org/wiki/File:DNP-overview.png
• RTUs, PLCs, IEDs
• SCADA communication protocols: Modbus, DNP3, IEC101, IEC104
SecFlow2013 Slide8
IEC 61850
• International standard for substation automation systems, developed to create an open communication environment
• IEC 61850 provides interconnection of substation devices on a high-speed Ethernet network
• IEC 61850 comprises 10 separate standards, IEC 61850-1 through IEC 61850-10
• IEC 61850-3 specifies general requirements for the hardware design, which must support three major requirements:
– Electromagnetic Interference (EMI) immunity – strong electromagnetic compatibility (EMC) design to protect against EMI
– Operating temperature -40°C to 75°C – substation environments can experience temperatures as high as 75°C and as low as -40°C
SecFlow2013 Slide9
SecFlow Portfolio Overview
• SecFlow – Ruggedized SCADA-Aware Ethernet Switch, consisting of two product families:
– SecFlow-2 – Ruggedized SCADA-Aware Ethernet Switch/Router
– SecFlow-4 – Modular Ruggedized SCADA-Aware Ethernet Switch/Router
SecFlow2013 Slide10
SecFlow Main Features
Industrial Design
• Harsh environmental
• DIN-rail mount
• IP 30
• -40°C to +75°C w/o fans
• EMI immunity: IEC 61850-3, IEEE 1613, EN 50121-4
Multiservice Gateway
• Utilizes both Ethernet ports and serial interfaces
• Serial tunneling or service translation
• IEC101 to IEC104
Integrated Security
• L-2/3/4 ACL
• MAC/IP filtering per port
• SCADA-aware firewall
• L2/L3 VPN w/IPsec
• 802.1X
• RADIUS/TACACS
Resiliency
• Ethernet rings per ITU-T G.8032
• RSTP, MSTP
• Cellular 2G/3G modem uplink for maximum service continuation
SecFlow2013 Slide11
SecFlow-2 Access and Network Interfaces
• USB
• DI/DO
• Power
• Console
• FE ports: FE 0/1-8 with optional PoE
• RS-232 ports 1-4
• SIM card ports 1, 2 (dual GPRS/UMTS modem)
• SFP: GbE1, GbE2
SecFlow2013 Slide12
SecFlow-4 Access and Network Interfaces
• Dual power supplies
• 7 I/O slots
• Service and MNG module
SecFlow2013 Slide13
SecFlow-4 Modules
Module Description
SF4-M-4GBE Gigabit Ethernet module with four UTP or four SFP ports
SF4-M-Serial Serial interface module with four RS-232 ports
SF4-M-Service Service module with firewall, serial tunneling, VPN functionalities and discrete input/output interfaces
SF4-M-MNG Central processing and management module with local terminal and out-of-band management ports
SF4-PS-24VDC Power supply module for 24 VDC input
SF4-PS-48VDC Power supply module for 48 VDC input
SecFlow2013 Slide14
SecFlow-2/4 v3.1 Main Features
SecFlow-2 Interfaces
Ethernet Interfaces
Description:
• 2×100/1000BaseFX
• Up to 16×10/100BaseT
Customer benefits:
• Resilient redundant networking over various WAN infrastructures
Serial Interfaces
Description:
• Up to 4×RS-232
Customer benefits:
• Multiservice support in a compact single device
Cellular Interface
Description:
• Dual SIM GPRS/UMTS cellular modem
Customer benefits:
• Utilizes the cellular network for the main link
• Improves link resiliency and service continuity using cellular backup links
SecFlow-4 Interfaces
Ethernet Module (SF4-M-4GbE)
Description:
• 4×100/1000BaseT, optional PoE
• 4×100/1000BaseFX
Customer benefits:
• 4 GbE interfaces per module, providing a maximum of 28 GbEs per chassis for multiple Ethernet connections
Serial Module (SF4-M-Serial)
Description:
• 4×RS-232
Customer benefits:
• 4 serial interfaces for legacy connectivity, with up to 28 serial ports per chassis
• The serial module combined with the Ethernet module provides multiservice support for various applications
Central Processing Module (SF4-M-MNG)
Description:
• Central processing and management module with local terminal and out-of-band management ports
Customer benefits:
• The module is supplied with the SecFlow-4 chassis, providing the Layer-2 functionality
Service Module (SF4-M-Service, optional)
Description:
• Service module with firewall, serial tunneling, VPN functionalities and discrete input/output interfaces (hardware-ready only)
Customer benefits:
• Security, routing and gateway functionalities
SecFlow2013 Slide15
SecFlow-2/4 v3.1 Main Features
Protocol Gateway
Description:
• IEC-101 to IEC-104 conversion
Customer benefits:
• Enables seamless communication from the IP SCADA to both the legacy and new RTUs, featuring a single box for multiservice applications and smooth migration to all-IP networks
SCADA-Aware Firewall
Description:
• SCADA-aware firewall monitors SCADA commands using deep packet inspection to validate the intended application purpose
• Supported SCADA protocols: IEC-104, Modbus and DNP 3.0
• Syslog support for the IEC 104 firewall
Customer benefits:
• Provides distributed network security from the substation, allowing only authorized traffic to access the network according to user-defined access rules
VPN Gateway with IPSec
Description:
• Layer 2 GRE VPN
• Layer 3 multipoint GRE Dynamic Multipoint VPN
• Layer 3 IPSec VPN
• IPSec encryption with 3DES or AES
• X.509 certificates with SHA256 and SHA512 for Phase 1/Phase 2, and AES 256 support
Customer benefits:
• Secured interconnection of remote sites over public networks, using Layer-2 or Layer-3 VPN with encryption
• Supports large-scale networks
QoS
Description:
• Port limit
• Ingress policing
• Strict priority
• Weighted Round Robin (WRR)
• Egress traffic shaping
Customer benefits:
• Separation of higher- and lower-priority traffic into 8 queues, prioritizing user traffic and allowing mission-critical applications to be served first
SecFlow2013 Slide16
SecFlow-2/4 v3.1 Main Features
Ethernet OAM
Description:
• Single-segment (link) OAM according to IEEE 802.3-2005 (formerly 802.3ah)
• End-to-end connectivity OAM based on IEEE 802
• End-to-end service and performance monitoring based on ITU-T Y.1731
Customer benefits:
• Guaranteed SLA (Service Level Agreement) of contracted services
• Standard Ethernet OAM for easy interoperability with 3rd-party equipment
• Monitors network faults, performs measurements and gathers statistics
Jumbo Frames
Description:
• SecFlow-2 supports 9K-byte jumbo frames
• SecFlow-4 supports 12K-byte jumbo frames
Customer benefits:
• Improves efficiency and increases performance in GbE networks
Ethernet Ring Protection
Description:
• Ethernet ring protection switching per G.8032v2
• RSTP (Rapid Spanning Tree Protocol) and MSTP (Multiple Spanning Tree Protocol) per IEEE 802.1D
Customer benefits:
• Link resiliency for high survivability and service continuity
• 50-ms failure detection and switchover to the alternate link without service interruption
Link Aggregation
Description:
• Link aggregation per 802.3ad with configurable LACP
• Up to 8 LAGs
• Up to 8 ports per LAG
Customer benefits:
• Provides increased bandwidth and high-availability links
• LACP ensures smooth and steady traffic flow by automating the configuration and maintenance of aggregated links
Terminal Server and Serial Tunneling
Description:
• Embedded terminal server
• Transparent serial tunneling
Customer benefits:
• Connects multiple devices with serial interfaces over IP
• Provides point-to-point or point-to-multipoint transparent serial tunneling
PoE
Description:
• Configurable PoE (enable/disable and force mode)
• 30W max per port
• Max 120W per device for 48 VDC power supply or 220 VAC
• Max 80W per device for 24 VDC power supply
Customer benefits:
• Easily feeds third-party equipment or peripheral devices such as IP cameras, using power over Ethernet
• SecFlow-2/4 can feed RAD's Airmux outdoor device, eliminating the need for an Airmux indoor unit
SecFlow2013 Slide17
SecFlow-2/4 v3.1 Main Features
Access Control List
Description:
• Access control lists according to Layer-2, -3 and -4 criteria
• Enhanced ACL mechanism to filter user traffic according to a variety of traffic criteria
Customer benefits:
• Better security and control over authorized traffic
Network Management
Description:
• SNMP v1, v2, v3 (v3 only in SecFlow-2)
• RADview
• SecFlow Network Manager
• SSH v2.0
• CLI
• RADIUS, TACACS
• TFTP client
• Syslog, SNTP
Customer benefits:
• SecFlow-2 can be managed by a variety of management tools, including CLI, web interface and the RADview SNMP-based management system
• SecFlow-2 can also be managed by SecFlow Network Manager, integrated in the RADview EMS server, to provide an end-to-end management system
Switching
Description:
• Auto crossing
• Autonegotiation per IEEE 802.3ab
• Port-based Network Access Control (PNAC) per IEEE 802.1X
• MAC list
• VLAN segregation tagging per IEEE 802.1Q, 4K VLANs
• Multicast groups
• IGMP snooping v1, v2, v3
• MAC limiting per port
• LLDP, DHCP client, DHCP relay, option 82
Customer benefits:
• Set of Layer-2 features for traffic management and security
SecFlow2013 Slide18
SecFlow-2/4 Main Features
Timing
Description:
• Local time settings
• NTP v2
• PTP transparent clock per 1588v2
Customer benefits:
• Flexible clock distribution and network synchronization based on different clock sources
Routing
Description:
• IPv4
• Static routing
• OSPF v2, v3
• RIPv2
Customer benefits:
• A single-box solution that provides both Layer-2 features and Layer-3 routing capabilities
Diagnostics
Description:
• Counters and statistics per port
• LED diagnostics: main switching units (Alarm | Run | Ethernet)
• LED diagnostics: application interfaces (Cellular | Serial)
• Ping
• Traceroute
• Port mirroring
• RMON v1
Customer benefits:
• Provides extensive diagnostic tools to assist operators in fault monitoring
SecFlow2013 Slide19
Legacy Migration
• Integrated serial interfaces in switches with 3 operational modes:
– Tunneling between serial segments
• Byte/bit-stream
• Multipoint support
• Service-aware security for serial tunnels
– Gateway connecting serial devices to matching Ethernet devices
• Currently supports IEC-101 to IEC-104
– Terminal server connecting a computer to serial devices
[Diagram: SecFlow 2 units joined by RS-232/RS-485 and Ethernet links, showing a serial tunnel and a gateway service]
SecFlow2013 Slide20
Protocol Gateway
IEC-101 to IEC-104 conversion using the protocol gateway functionality
[Diagram: central site (SCADA, Serial Master 1 and 2 on RS-232, SecFlow 4, LAN) connected over the PSN to Remote Site A (IEC 104, SecFlow 2) and Remote Site B (IEC 101 RTU on RS-232, SecFlow 2); labels: IEC 104 UDP/IP, SSH (T. Server), V.Com port, RS-232 Console]
SecFlow2013 Slide21
Cyber Security Threats to Utilities
Distributed SCADA IPS deployment:
– Role-based validation of SCADA commands
– Deployment at each end-point
– Used for both IP and serial devices
Attack vectors:
• Control-center malware
• Field-site breach
• Man-in-the-middle
• Remote maintenance
Security measures:
• Service-aware firewall
• Distributed firewalls
• Encryption
• Secure remote access
SecFlow2013 Slide22
Distributed Firewall
SCADA-aware firewall for Modbus and IEC 101/104
[Diagram: central site (SCADA, 104 client, Modbus client, NMS, SecFlow 4) connected over the PSN to Remote Site A (Modbus RTUs with IDs 11, 12 and 13 behind a SecFlow 2) and Remote Site B (IEC 101 RTU with ASDU1, ASDU2 and ASDU3 behind a SecFlow 2); labels: IEC 104 UDP/IP, SSH (T. Server)]
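As an added example, not SecFlow code or configuration, the following Python shows the kind of per-port, role-based Modbus/TCP command validation that the SCADA-aware distributed firewall described on this slide and on the v3.1 features slide performs: it parses the MBAP header, denies malformed frames, and allows a command only when a rule exists for the source, the target RTU unit ID and the function code. The policy, IP addresses and frames are constructed for illustration, and the syslog line layout is assumed.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes, from the Modbus Application Protocol spec.
FC_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs",
            3: "Read Holding Registers", 4: "Read Input Registers",
            5: "Write Single Coil", 6: "Write Single Register",
            15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FCS = frozenset({1, 2, 3, 4})
WRITE_FCS = frozenset({5, 6, 15, 16})

@dataclass(frozen=True)
class Rule:
    """One allow rule: which client role may send which functions to which RTUs."""
    role: str
    src_ip: str
    unit_ids: frozenset
    functions: frozenset

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the function code after it; raise
    ValueError for anything not well-formed so the caller denies it."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError(f"length field {length} does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}

def check_command(frame: bytes, src_ip: str, rules) -> tuple:
    """Return ("ALLOW" | "DENY", reason). Default is deny: only a rule matching
    source, target unit id and function code lets the command through."""
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError as err:
        return "DENY", f"malformed frame: {err}"
    fc_name = FC_NAMES.get(pdu["fc"], f"FC {pdu['fc']}")
    for rule in rules:
        if (src_ip == rule.src_ip and pdu["unit"] in rule.unit_ids
                and pdu["fc"] in rule.functions):
            return "ALLOW", f"{rule.role} may {fc_name} on unit {pdu['unit']}"
    return "DENY", f"no rule lets {src_ip} {fc_name} on unit {pdu['unit']}"

def syslog_line(verdict: str, reason: str, src_ip: str) -> str:
    """Assumed syslog message layout for a firewall verdict (not SecFlow's format)."""
    return f'modbus-fw verdict={verdict} src={src_ip} msg="{reason}"'

# Constructed policy: the SCADA master is read-only on RTUs 11-13; an
# engineering station may also write, but only to RTU 13.
POLICY = (
    Rule("scada-master", "10.0.0.5", frozenset({11, 12, 13}), READ_FCS),
    Rule("engineering", "10.0.0.7", frozenset({13}), READ_FCS | WRITE_FCS),
)

# Constructed Modbus/TCP frames: MBAP (tid, proto, length, unit) + PDU.
READ_REGS_UNIT11 = bytes.fromhex("0001 0000 0006 0b 03 0000 000a")  # read 10 holding regs
WRITE_REG_UNIT12 = bytes.fromhex("0002 0000 0006 0c 06 0010 0001")  # write one register
WRITE_MULTI_UNIT13 = bytes.fromhex("0003 0000 0009 0d 10 0000 0001 02 0005")
BAD_LENGTH = bytes.fromhex("0004 0000 000a 0b 03 0000 000a")  # length field lies

if __name__ == "__main__":
    for frame, src in [(READ_REGS_UNIT11, "10.0.0.5"), (WRITE_REG_UNIT12, "10.0.0.5"),
                       (WRITE_MULTI_UNIT13, "10.0.0.7"), (BAD_LENGTH, "10.0.0.5")]:
        verdict, reason = check_command(frame, src, POLICY)
        print(syslog_line(verdict, reason, src))
```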
SecFlow2013 Slide23
Security Features
• 802.1X – IEEE standard for port-based Network Access Control (PNAC), authentication and protection against DoS attacks
• Access Control List – traffic filtering according to layer 2/3/4 criteria
• RADIUS- and TACACS+-based centralized user authentication and authorization
• L2/L3 VPN, using IPSEC encryption
– User policy for traffic type, IKE, AES or 3DES encryption, dynamic key
• Secure Telnet access, using SSH
• SCADA firewall per port (Modbus, IEC-104, DNP3.0)
SecFlow2013 Slide24
Integrated Defense-in-Depth Tool-Set
• Advanced security measures integrated in the switch using a dedicated service engine
• Enables easy deployment of an extensive defense-in-depth solution
SecFlow2013 Slide25
Multi-Service Transport
• Utility networks do not have 100% fiber connectivity
• SecFlow switches support alternative transport infrastructures:
– GPRS/UMTS – cellular coverage with 2 operators
– Radio links using RAD's Airmux wireless solution
– SHDSL – private copper lines*
• Used with integrated security mechanisms
[Diagram: Ethernet ring over mixed media (fiber, SHDSL, Internet) joining SecFlow 2 units on private Ethernet networks]
*roadmap
SecFlow2013 Slide26
Resilient Cellular Connection to Remote Sites
• GPRS/UMTS support• Link resiliency using 2 SIM cards with continuous check of operator link quality• Multiple remote spokes connecting to Hub over encrypted IPSec tunnels
– NHRP used for dynamic IP address resolution assigned to cellular spokes– L2 VPN using transparent GRE tunnels over IPSec– L3 VPN using DMVPN
WANFO | Cellular
LAN
SecFlow2013 Slide27
Applications
SecFlow2013 Slide28
Smart-Grid Distribution Network
• Modern secondary sub-station requiring:
– Encrypted tunnels when using a public network
– Firewall for uplink protocols (IEC 104, IEC 61850, Modbus)
– Gateway for serial IEDs
• The SecFlow switch integrates all the functions
"New intelligent MV-LV* transformation centres with metering, power monitoring and capacity automation"
[Diagram: secondary sub-station with RTU, power monitoring, smart meters and meters concentrator behind a SecFlow 2 with cellular antenna, connected through the network of secondary sub-stations to the automation control center and the metering data center]
*Medium Voltage/Low Voltage
SecFlow2013 Slide29
Migration to IP-based SCADA at Sub-stations
• Connectivity of sub-station devices to new IP-based SCADA:
– Per-site firewall for industrial automation protocols
– Secure terminal server for maintenance sessions
– Encrypted tunnels when using wireless links
– Serial-to-ETH protocol gateway
[Diagram: sub-stations on a ring to the control center's IP SCADA; each sub-station has an RS-232 IEC-101 RTU, an Ethernet IED and a management LAN]
SecFlow2013 Slide30
Connecting the Sub-station LANs – Current Status
Network limitations:
• SCADA direct access to S.S. IEDs
• Field technician access to:
– Other sub-stations
– Central storage
– Facility RTU
• Remote technician access to RTUs and IEDs in all S.Ss
• Data sharing between S.Ss
Need a unified sub-station LAN with secure inter-site connectivity
[Diagram: sub-station IEDs and RTU, control center with SCADA and storage, field technician, remote technician over the Internet, and facility RTU, all attached to the SDH/packet network]
SecFlow2013 Slide31
Connecting the Sub-station LANs – Future Evolution
Use a secure switch connecting the LAN devices to the backbone:
• Network segmentation using VLANs/subnets
• App-aware firewall per device
• Secure remote access
• Serial-to-ETH protocol gateway
[Diagram: a SecFlow 4 at the sub-station connecting the IEDs and RTU to the SDH/packet network; control center with SCADA and storage, field technician, remote technician over the Internet, and facility RTU]
SecFlow2013 Slide32
Metro Subway Control Network
• Metro subway control applications require communication with smart devices in each station:
– Ethernet access switches connected to the IP/MPLS backbone, using VLANs as service ID
– Mixture of Ethernet, serial and discrete devices with secure access using a distributed Modbus firewall
– Secure mobile access from trains to the control center using distributed device authentication methods
[Diagram: station RTU and IED connected over the IP/MPLS backbone to the control center and the metering data center]
SecFlow switches build a secure subway network
SecFlow2013 Slide33
Smart/Safe City End Points Communication
• Compact industrial switch for Smart/Safe-city cabinets:
– Ethernet with PoE
– Serial and discrete I/O ports for simple automation devices
– Diverse means of communication:
• Integrated dual-SIM cellular modem
• Fiber optic with protected ring support (G.8032)
• SHDSL*
– Integrated security mechanisms:
• IPSec VPN
• SCADA firewall
[Diagram: SecFlow 2 in a cabinet with ETH PoE, ETH, RS-232, dry contact, tamper switch and display board connections; uplinks to the PSN via P2P & P2MP radio, FO, dual 2G/3G communications and WiFi*]
*roadmap
SecFlow2013 Slide34
Case Study of a Highway Security Infrastructure – Italy Autostarda
[Diagram: central site with 1588 clock feeding multiple Ethernet rings (Ring 1, 6, 7 and 12 shown); each remote site connects traffic control, security cameras, Tetra base stations and message boards over PoE and RS-232/485, with 1588 clock sync and QoS]
SecFlow2013 Slide35
Ordering Options SecFlow-2
• Two ordering options:
– Advanced mode – SecFlow-2 is provided with security features, routing, switching and gateway functionalities
– Basic mode – SecFlow-2 is provided with switching and gateway functionality only; limited ordering options, and cannot be upgraded to advanced mode
Basic mode part numbers:
• SF2/B/AC/2GE8UTP/PoE – AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports
• SF2/B/48VDC/2GE8UTP/PoE – 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports
Advanced mode part numbers:
• SF2/S/48VDC/2GE8UTP – 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT UTP ports
• SF2/S/AC/2GE8UTP/PoE – AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports
• SF2/S/AC/2GE8UTP/PoE4AM – AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 4 UTP ports for Airmux products
• SF2/S/48VDC/2GE16UTP – 48 VDC power supply, 2×GbE SFP ports, 16×10/100BaseT UTP ports
• SF2/S/48VDC/2GE8UTP8SFP – 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT UTP ports, 8×100FX SFP
SecFlow2013 Slide36
Ordering Options SecFlow-4
Chassis:
• SF4/48VDCR – SecFlow-4 chassis, central processing and management module, dual 48 VDC power supply
• SF4/24VDCR – SecFlow-4 chassis, central processing and management module, dual 24 VDC power supply
Modules:
• SF4-M-4GBE-U – SecFlow-4 module with four 10/100/1000BaseT UTP Ethernet ports
• SF4-M-4GBE-POE – SecFlow-4 module with four 10/100/1000BaseT UTP Ethernet ports and 30W PoE
• SF4-M-4GBE-S – SecFlow-4 module with four 10/100/1000BaseFX SFP Ethernet ports
• SF4-M-4RS232 – SecFlow-4 module with four RS-232 serial ports
• SF4-PS-24VDC – 24 VDC power supply
• SF4-PS-48VDC – 48 VDC power supply
SecFlow2013 Slide37
Management
BROAD PERSPECTIVE. DIRECT CONTROL.
RADview-EMS is a unified carrier-class management platform for RAD devices, using a variety of access channels such as SNMPv1/3, HTTP/S, TFTP and Telnet/SSH. In addition, it features third-party device monitoring capabilities.
SecFlow2013 Slide38
Management, Benefits & Features
Benefits:
● Turnkey system including hardware and software!
● Fully compliant with TMN standards
● Client/server architecture with multi-user support
● Interoperable with third-party NMS and leading OSS systems
● IBM Tivoli's Netcool®/OMNIbus™ plug-in
● Minimizes integration costs associated with new NEs
Key features:
● Ensures device health and congestion control
● Topology maps and network inventory
● Advanced FCAPS functionality
● Software & configuration management
● Business continuity – high availability and disaster recovery
● Handover between operators
SecFlow2013 Slide39
RADview-EMS advanced FCAPS
Fault management
• Detects and isolates faults in network devices, initiates remedial actions and distributes alarm messages to other management entities in the network
Configuration management
• Enables operators to configure, install and distribute software to all devices across the network. In addition, the system tracks version changes and maintains software configuration history
Accounting management
• Manages individual and group user accounts and passwords, generating network usage reports to monitor user activities
Performance management
• Supports real-time monitoring of QoS and CoS, producing real-time and periodic statistics. The statistics collector compresses data to minimize bandwidth use for management traffic and exports CSV files to OSS or third-party management systems
Security management
• Allows network administrators to track user activities and control access to network resources with a choice of security features
SecFlow2013 Slide40
Device Management
SecFlow-2/4 device management:
● SNMP v1, v2, v3 (v3 only in SF-2)
● CLI
● WEB
● SNTP
● RADIUS
● TACACS
● TFTP
● Syslog
SecFlow2013 Slide41
RADview – SecFlow Network Manager
• SecFlow Network Manager is an end-to-end network management system for the SecFlow devices, featuring:
– Automatic discovery of SecFlow network switches
– Network topology management
– End-to-end service provisioning
– Security rules configuration
– Aggregated network fault monitoring
– Network performance analysis
– Operator authorization levels
SecFlow2013 Slide42
www.rad.com
Thank You For Your Attention