
SecFlow Overview
SecFlow2013 Slide1
U&T Target Market Segments
Utilities:
• Power
• Water
• Oil & Gas
• Mining
Transportation:
• Railways
• Motorways
• Air Traffic Control
• Maritime
SecFlow2013 Slide2
Power Utilities Trends
Power utilities' communication needs are evolving:
• Migration to packet in various parts of the network:
– Replacement of the SDH/PDH core with Ethernet/IP/MPLS
– Replacement of old substation technology with IEC 61850-based solutions, which consist of an Ethernet LAN and packet signaling
– Migration of old SCADA/RTUs from serial to IP-based communication
• Smart Grid – implementation of Demand Response techniques for improved automation and control of the distribution grid, and deployment of Smart Meters
• Growing need for cyber and physical security solutions
SecFlow2013 Slide3
Challenges of Power Utilities Communication Networks
• Evolution in the Substation
– Migration to PSN in the substation while supporting multiple services
– Teleprotection connectivity over SDH and PSN
– Substation automation and cyber security
• Smart Grid
– Secured backhaul solutions for Smart Meters
• Growth in Bandwidth
– Transitioning the operational network to PSN while maintaining reliability, security and simplicity
– Clock synchronization over the PSN
• Product Obsolescence – old RTUs and substation communications PDH/SDH multiplexers are out of production and service; however, legacy equipment and the installed base still need to be maintained
SecFlow2013 Slide4
Industrial Control Systems
• Industrial control systems are used to monitor and remotely control critical industrial processes
– SCADA systems
– Distributed Control Systems (DCS)
– Programmable Logic Controllers (PLC)
• Highly distributed
• Geographically separated assets
• Centralized data acquisition and control are critical
– Oil and gas pipelines
– Electrical power grids
– Railway transportation systems
SecFlow2013 Slide5
SCADA System
• Supervisory Control And Data Acquisition (SCADA) – an industrial measurement and control system. SCADA elements are:
– Central device
• Central Master Station – supervisory system, gathering data on the process and sending action commands.
– Remote devices
• Programmable Logic Controller (PLC) and Remote Terminal Unit (RTU) – connect to sensors in the process, convert sensor signals to digital data and send the digital data to the supervisory system.
• Intelligent Electronic Devices (IED) – microprocessor-based controllers which monitor and perform proactive functions. Designed to support substation automation functions.
SecFlow2013 Slide6
Supervisory Control and Data Acquisition (SCADA), System Overview
[Figure: SCADA system overview. Source: http://en.wikipedia.org/wiki/File:DNP-overview.png]
SCADA communication protocols:
• Modbus
• DNP3
• IEC101, IEC104
Remote devices shown: RTUs, PLCs, IEDs
SecFlow2013 Slide7
IEC 61850
• International standard for substation automation systems, developed to create an open communication environment
• IEC 61850 provides interconnection of substation devices on a high-speed Ethernet network
• IEC 61850 comprises 10 separate standards, IEC 61850-1 through IEC 61850-10
• IEC 61850-3 specifies general requirements for the hardware design, which must support three major requirements, including:
– Electromagnetic Interference (EMI) immunity – strong electromagnetic compatibility (EMC) design to protect against EMI
– Operating temperature -40° to 75°C – substation environments can experience temperatures as high as 75°C and as low as -40°C
SecFlow2013 Slide8
SecFlow Portfolio Overview
• SecFlow – Ruggedized SCADA-Aware Ethernet Switch, consisting of two product families:
– SecFlow-2 – Ruggedized SCADA-Aware Ethernet Switch/Router
– SecFlow-4 – Modular Ruggedized SCADA-Aware Ethernet Switch/Router
SecFlow2013 Slide9
SecFlow Main Features
Industrial Design
• Harsh environmental
• DIN-rail mount
• IP 30
• -40°C to +75°C w/o fans
• EMI immunity
• IEC 61850-3
• IEEE 1613
• EN 50121-4
Multiservice Gateway
• Utilize both Ethernet ports and Serial interfaces
• Serial Tunneling or Service translation
• IEC101 to IEC104
Integrated Security
• L-2/3/4 ACL
• MAC/IP filtering per port
• SCADA-Aware firewall
• L2/L3 VPN w/IPsec
• 802.1X
• RADIUS/TACACS
Resiliency
• Ethernet rings per ITU-T G.8032
• RSTP, MSTP
• Cellular 2G/3G modem uplink for maximum service continuation
SecFlow2013 Slide10
SecFlow-2
Access and Network Interfaces
[Figure: SecFlow-2 panel, labelled: FE ports FE 0/1-8 with optional PoE; RS-232 ports 1-4; Console; USB; DI/DO; Power; SFP GbE1, GbE2; SIM card ports 1, 2; dual GPRS/UMTS modem]
SecFlow2013 Slide11
SecFlow-4
Access and Network Interfaces
[Figure: SecFlow-4 chassis, labelled: dual power supplies; 7 I/O slots; Service and MNG module]
SecFlow2013 Slide12
SecFlow-4 Modules
Module – Description
• SF4-M-4GBE – Gigabit Ethernet module with four UTP or four SFP ports
• SF4-M-Serial – Serial interface module with four RS-232 ports
• SF4-M-Service – Service module with firewall, serial tunneling, VPN functionalities and discrete input/output interfaces
• SF4-M-MNG – Central processing and management module with local terminal and out-of-band management ports
• SF4-PS-24VDC – Power supply module for 24 VDC input
• SF4-PS-48VDC – Power supply module for 48 VDC input
SecFlow2013 Slide13
SecFlow-2/4 v3.1
Main Features
Features / Description / Customer Benefits
SecFlow-2 Interfaces
Description:
• Ethernet Interfaces: 2×100/1000BaseFX, up to 16×10/100BaseT
• Serial Interfaces: up to 4×RS-232
• Cellular Interface: Dual SIM GPRS/UMTS cellular modem
Customer Benefits:
• Resilient redundant networking over various WAN infrastructures
• Multiservice support in a compact single device
• Utilizes cellular network for main link
• Improves link resiliency and service continuity using cellular backup links
SecFlow-4 Interfaces
Description:
• Ethernet Module SF4-M-4GbE: 4×100/1000BaseT, optional PoE, or 4×100/1000BaseFX
• Serial Module SF4-M-Serial: 4×RS-232
Customer Benefits:
• 4 GbE interfaces per module that provide a maximum of 28 GbEs per chassis for multiple Ethernet connections
• 4 serial interfaces for legacy connectivity with up to 28 serial ports per chassis
• The serial module combined with the Ethernet module provides multiservice support for various applications
Central Processing Module SF4-M-MNG
Description:
• Central processing and management module with local terminal and out-of-band management ports
Customer Benefits:
• The module is supplied with the SecFlow-4 chassis, providing the Layer-2 functionality
Service Module SF4-M-Service (Optional)
Description:
• Service module with firewall, serial tunneling, VPN functionalities and discrete input/output interfaces (hardware-ready only)
Customer Benefits:
• Security, routing and gateway functionalities
SecFlow2013 Slide14
SecFlow-2/4 v3.1
Main Features
Features / Description / Customer Benefits
Protocol Gateway
Description:
• IEC-101 to IEC-104 conversion
Customer Benefits:
• Enables seamless communication from the IP SCADA to both the legacy and new RTUs, featuring a single box for multiservice application and smooth migration to all-IP networks
SCADA-Aware Firewall
Description:
• SCADA-aware firewall monitors SCADA commands using deep packet inspection to validate the intended application purpose
• Supported SCADA protocols: IEC-104, Modbus and DNP 3.0
• Syslog support for IEC 104 firewall
Customer Benefits:
• Provides distributed network security from the substation, enabling only authorized traffic to access the network according to the user-defined access rules
VPN Gateway with IPSec
Description:
• Layer 2 GRE VPN
• Layer 3 multipoint GRE Dynamic Multipoint-VPN
• Layer 3 IPSec VPN
• IPSec encryption per 3DES or AES
• X.509 certificate support with SHA256 and SHA512 for Phase1/Phase2 and AES 256 support
Customer Benefits:
• Secured interconnection of remote sites over public networks, using Layer-2 or Layer-3 VPN with encryption
• Supports large scale networks
QoS
Description:
• Port limit
• Ingress policing
• Strict priority
• Weighted Round Robin (WRR)
• Egress traffic shaping
Customer Benefits:
• Higher and lower priority traffic separation into 8 queues for prioritizing the user traffic and allowing mission-critical applications to be served first
SecFlow2013 Slide15
SecFlow-2/4 v3.1
Main Features
Features / Description / Customer Benefits
Ethernet OAM
Description:
• Single-segment (link) OAM according to IEEE 802.3-2005 (formerly 802.3ah)
• End-to-end connectivity OAM based on IEEE 802
• End-to-end service and performance monitoring based on ITU-T Y.1731
Customer Benefits:
• Guaranteed SLA (Service Level Agreement) of contracted services
• Standard Ethernet OAM for easy interoperability with 3rd party equipment
• Monitors network faults, performs measurements and gathers statistics
Jumbo Frames
Description:
• SecFlow-2 supports 9K bytes jumbo frames
• SecFlow-4 supports 12K bytes jumbo frames
Customer Benefits:
• Improves efficiency and increases performance in GbE networks
Ethernet Ring Protection
Description:
• Ethernet ring protection switching per G.8032v2
• RSTP (Rapid Spanning Tree Protocol) and MSTP (Multiple Spanning Tree Protocol) per IEEE 802.1D
Customer Benefits:
• Link resiliency for high survivability and service continuity
• 50-ms failure detection and switchover to the alternate link without service interruption
Link Aggregation
Description:
• Link aggregation per 802.3ad with configurable LACP
• Up to 8 LAGs
• Up to 8 ports in LAG
Customer Benefits:
• Provides increased bandwidth and high availability links
• LACP ensures smooth and steady traffic flow by automating the configuration and maintenance of aggregated links
Terminal Server and Serial Tunneling
Description:
• Embedded terminal server
• Transparent serial tunneling
Customer Benefits:
• Connects multiple devices with serial interfaces over IP
• Provides point-to-point or point-to-multipoint transparent serial tunneling
PoE
Description:
• Configurable PoE (enable/disable and force mode)
• 30W max per port
• Max 120W per device for 48 VDC power supply or 220 VAC
• Max 80W per device for 24V DC power supply
Customer Benefits:
• Easily feeds third party equipment or peripheral devices such as IP cameras, using power over Ethernet
• SecFlow-2/4 can feed RAD's Airmux outdoor device, eliminating the need for an Airmux indoor unit
SecFlow2013 Slide16
SecFlow-2/4 v3.1
Main Features
Features / Description / Customer Benefits
Access Control List
Description:
• Access control lists according to Layer-2, -3 and -4 criteria
Customer Benefits:
• Enhanced ACL mechanism to filter user traffic according to a variety of traffic criteria
• Better security and control on authorized traffic
Network Management
Description:
• SNMP: V1, V2, V3 (V3 only in SecFlow-2)
• RADview
• SecFlow Network Manager
• SSH: V2.0
• CLI
• RADIUS, TACACS
• TFTP Client
• Syslog, SNTP
Customer Benefits:
• SecFlow-2 can be managed by a variety of management tools including: CLI, WEB interface and RADview SNMP-based management system
• SecFlow-2 can also be managed by SecFlow Network Manager, integrated in the RADview EMS server, to provide an end-to-end management system
Switching
Description:
• Auto Crossing
• Autonegotiation per IEEE 802.3ab
• Port-based Network Access Control (PNAC) per IEEE 802.1x
• MAC list
• VLAN segregation tagging per IEEE 802.1q, 4K VLANs
• Multicast Groups
• IGMP snooping v1, v2, v3
• MAC limiting per port
• LLDP, DHCP client, DHCP relay, option 82
Customer Benefits:
• Set of Layer-2 features for traffic management and security
SecFlow2013 Slide17
SecFlow-2/4 Main Features
Features / Description / Customer Benefits
Timing
Description:
• Local time settings
• NTP v2
• PTP transparent clock per 1588v2
Customer Benefits:
• Flexible clock distribution and network synchronization based on different clock sources
Routing
Description:
• IPv4
• Static routing
• OSPF v2, v3
• RIPv2
Customer Benefits:
• A single-box solution that provides both Layer-2 features and Layer-3 routing capabilities
Diagnostics
Description:
• Counters and statistics per port
• LED diagnostics: main switching units (Alarm | Run | Ethernet)
• LED diagnostics: application interfaces (Cellular | Serial)
• Ping
• Trace route
• Port mirroring
• RMON v1
Customer Benefits:
• Provides extensive diagnostic tools to assist operators in fault monitoring
SecFlow2013 Slide18
Legacy Migration
• Integrated serial interfaces in switches with 3 operational modes
– Tunneling between serial segments
• Byte / Bit-stream
• Multipoint support
• Service-aware security for serial tunnels
– Gateway connecting serial devices to matching Ethernet devices
• Currently supports IEC-101 to IEC-104
– Terminal Server connecting a computer to serial devices
[Figure: SecFlow 2 units connected over an RS-232/RS-485 link and over an Ethernet link, illustrating the Serial Tunnel and Gateway service modes]
SecFlow2013 Slide19
Protocol Gateway
[Figure: Remote Site A and Remote Site B, each with an IEC 101 RTU on RS-232 behind a SecFlow 2, connected over the PSN to a SecFlow 4 at the Central Site; central-site LAN elements: SCADA (IEC 104), Serial Master 1 and Serial Master 2 (UDP/IP, V.Com port), SSH terminal server, console]
IEC-101 to IEC-104 conversion using protocol gateway functionality
SecFlow2013 Slide20
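To make the IEC-101 to IEC-104 conversion shown above concrete, here is an added example (not RAD's own gateway code): it validates one IEC 60870-5-101 FT1.2 variable-length frame from a serial RTU, re-encodes the ASDU with the fixed IEC 104 field sizes (2-byte COT, 2-byte CA, 3-byte IOA) and wraps it in an APCI I-frame. The 101 field sizes, the link control byte and the sample frame are constructed assumptions, and only single-object ASDUs are handled.

```python
"""IEC 60870-5-101 (serial FT1.2) to IEC 60870-5-104 (TCP) ASDU conversion."""
from dataclasses import dataclass

# Size of the information element following the IOA, per ASDU type ID (subset).
ELEMENT_LEN = {1: 1, 13: 5, 45: 1, 100: 1}

@dataclass
class LinkParams:
    """IEC 101 field sizes (assumed defaults). Configurable per link in 101; fixed in 104."""
    addr_len: int = 1   # link address octets
    cot_len: int = 1    # cause-of-transmission octets
    ca_len: int = 1     # common address of ASDU octets
    ioa_len: int = 2    # information object address octets

@dataclass
class Asdu:
    type_id: int
    vsq: int
    cot: int
    ca: int
    ioa: int
    element: bytes

def parse_ft12(frame: bytes, p: LinkParams):
    """Validate one FT1.2 variable-length frame and return (control, link_addr, Asdu)."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[3] != 0x68:
        raise ValueError("not a variable-length FT1.2 frame")
    length = frame[1]
    if frame[2] != length or len(frame) != length + 6 or frame[-1] != 0x16:
        raise ValueError("length fields or stop character do not match")
    body = frame[4:4 + length]                  # control + link address + ASDU
    if sum(body) & 0xFF != frame[4 + length]:   # FT1.2 checksum: arithmetic sum mod 256
        raise ValueError("checksum mismatch")
    ctrl = body[0]
    link_addr = int.from_bytes(body[1:1 + p.addr_len], "little")
    a = body[1 + p.addr_len:]
    if a[1] & 0x7F != 1:                         # VSQ: this example converts one object only
        raise ValueError("only single-object ASDUs are converted here")
    o = 2
    cot = int.from_bytes(a[o:o + p.cot_len], "little"); o += p.cot_len
    ca = int.from_bytes(a[o:o + p.ca_len], "little"); o += p.ca_len
    ioa = int.from_bytes(a[o:o + p.ioa_len], "little"); o += p.ioa_len
    element = a[o:o + ELEMENT_LEN[a[0]]]
    return ctrl, link_addr, Asdu(a[0], a[1], cot, ca, ioa, element)

def build_iec104_iframe(asdu: Asdu, send_seq: int, recv_seq: int) -> bytes:
    """Re-encode the ASDU with 104 sizes (COT 2, CA 2, IOA 3) behind an APCI I-frame header."""
    body = (bytes([asdu.type_id, asdu.vsq]) + asdu.cot.to_bytes(2, "little")
            + asdu.ca.to_bytes(2, "little") + asdu.ioa.to_bytes(3, "little") + asdu.element)
    # Control field: N(S) and N(R) are 15-bit counters shifted left by one; bit 0 = 0 marks I-format.
    ctrl = (((send_seq << 1) & 0xFFFE).to_bytes(2, "little")
            + ((recv_seq << 1) & 0xFFFE).to_bytes(2, "little"))
    return bytes([0x68, 4 + len(body)]) + ctrl + body

def convert_101_to_104(frame: bytes, p: LinkParams, send_seq: int = 0, recv_seq: int = 0) -> bytes:
    """Gateway step: 101 frame in, 104 APDU out (sequence numbers come from the 104 session)."""
    _, _, asdu = parse_ft12(frame, p)
    return build_iec104_iframe(asdu, send_seq, recv_seq)

# Constructed sample: spontaneous (COT 3) single-point ON at IOA 0x0010, CA 3, from link address 3.
SAMPLE_101 = bytes.fromhex("68 09 09 68 08 03 01 01 03 03 10 00 01 24 16")

if __name__ == "__main__":
    print(convert_101_to_104(SAMPLE_101, LinkParams()).hex())
```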
Cyber Security Threats to Utilities
Attack vector – Security Measure
• Control-Center malware – Service-aware firewall
• Field-site breach – Distributed firewalls
• Man-in-the-Middle – Encryption
• Remote maintenance – Secure remote access
Distributed SCADA IPS Deployment
– Role-based validation of SCADA commands
– Deployment at each end-point
– Used for both IP & Serial devices
SecFlow2013 Slide21
Distributed Firewall
[Figure: Remote Site A and Remote Site B with Modbus RTUs (ID 11, 12, 13) and IEC 101 RTUs (ASDU1, ASDU2, ASDU3) behind SecFlow 2 units, connected over the PSN to a SecFlow 4 at the Central Site, which hosts the NMS, SCADA (104 client, Modbus client), UDP/IP and the SSH terminal server]
SCADA-aware firewall for Modbus and IEC 101/104
SecFlow2013 Slide22
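The role-based validation of SCADA commands described on the SCADA-Aware Firewall, Cyber Security Threats and Distributed Firewall slides can be sketched as an added example (not SecFlow's firewall code): it inspects the application layer of IEC 104 APDUs and Modbus/TCP requests, checks the ASDU type identifier or function code against a per-role allow-list, and returns a syslog-style audit line for each verdict. The role names, the policy table and the sample frames are constructed for this example.

```python
"""Application-layer (SCADA-aware) allow/deny checks for IEC 104 and Modbus/TCP requests."""
import struct

# IEC 60870-5-104 ASDU type identifiers used here (values from the standard).
IEC104_TYPES = {1: "M_SP_NA_1 single-point", 45: "C_SC_NA_1 single command",
                46: "C_DC_NA_1 double command", 100: "C_IC_NA_1 interrogation"}
# Modbus function codes used here.
MODBUS_FUNCS = {3: "read holding registers", 6: "write single register",
                16: "write multiple registers"}

# Constructed policy: per protocol, which type IDs / function codes each source role may send.
# A monitoring host gets read-only operations; only the SCADA master may issue controls.
POLICY = {
    "iec104": {"scada-master": {45, 46, 100}, "nms-readonly": {100}},
    "modbus": {"scada-master": {3, 6, 16}, "nms-readonly": {3}},
}

def parse_iec104_apdu(data: bytes):
    """Return (frame_format, type_id); type_id is None for S- and U-format frames."""
    if len(data) < 6 or data[0] != 0x68 or data[1] + 2 != len(data):
        raise ValueError("not a well-formed IEC 104 APDU")
    ctrl1 = data[2]
    if ctrl1 & 0x01 == 0:                      # bit 0 clear: I-format, carries an ASDU
        if len(data) < 7:
            raise ValueError("I-format APDU without ASDU")
        return "I", data[6]                     # first ASDU octet is the type identifier
    return ("S", None) if ctrl1 & 0x03 == 0x01 else ("U", None)

def parse_modbus_tcp(data: bytes):
    """Return (unit_id, function_code) from an MBAP-framed Modbus/TCP request."""
    if len(data) < 8:
        raise ValueError("short Modbus/TCP frame")
    _tid, proto_id, length, unit = struct.unpack(">HHHB", data[:7])
    if proto_id != 0 or length != len(data) - 6:
        raise ValueError("bad MBAP header")
    return unit, data[7]

def check(role: str, proto: str, data: bytes):
    """Decide allow/deny for one request and produce a syslog-style audit line."""
    if proto == "iec104":
        fmt, op = parse_iec104_apdu(data)
        if op is None:                          # S/U frames carry no command: session control only
            return "allow", f"scada-fw proto=iec104 role={role} frame={fmt} verdict=allow"
        name = IEC104_TYPES.get(op, f"type {op}")
    elif proto == "modbus":
        _unit, op = parse_modbus_tcp(data)
        name = MODBUS_FUNCS.get(op, f"function {op}")
    else:
        raise ValueError(f"unsupported protocol {proto}")
    verdict = "allow" if op in POLICY[proto].get(role, set()) else "deny"
    return verdict, f"scada-fw proto={proto} role={role} op={op} ({name}) verdict={verdict}"

# Constructed sample frames.
IEC104_SINGLE_CMD = bytes.fromhex("680e00000000 2d0106000100 010000 01")  # C_SC_NA_1, IOA 1, ON
IEC104_INTERROG = bytes.fromhex("680e00000000 640106000100 000000 14")    # C_IC_NA_1, QOI 20
IEC104_STARTDT = bytes.fromhex("680407000000")                             # U-format STARTDT act
MODBUS_WRITE = bytes.fromhex("0001000000060106001000ff")                   # FC 6, register 16 := 255
MODBUS_READ = bytes.fromhex("000200000006010300000002")                    # FC 3, read 2 registers

if __name__ == "__main__":
    for role, proto, frame in [("nms-readonly", "iec104", IEC104_SINGLE_CMD),
                               ("nms-readonly", "modbus", MODBUS_READ)]:
        print(check(role, proto, frame)[1])
```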
Security Features
• 802.1X – IEEE Standard for port-based Network Access Control (PNAC), authentication and protection against DoS attacks
• Access Control List – Traffic filtering according to layer 2/3/4 criteria
• RADIUS and TACACS+ based centralized user authentication and authorization
• L2/L3 VPN, using IPSEC encryption
– User policy for traffic type, IKE, AES or 3DES encryption, dynamic key
• Secure Telnet access, using SSH
• SCADA firewall per port (Modbus, IEC-104, DNP3.0)
SecFlow2013 Slide23
Integrated Defense-in-Depth Tool-Set
• Advanced security measures integrated in the switch using a dedicated service engine
• Enables easy deployment of an extensive defense-in-depth solution
SecFlow2013 Slide24
Multi-Service Transport
• Utility networks do not have 100% fiber connectivity
• SecFlow switches support alternative transport infrastructures
– GPRS/UMTS – Cellular coverage with 2 operators
– Radio links using RAD's Airmux wireless solution
– SHDSL – Private copper lines*
• Used with integrated security mechanisms
[Figure: Ethernet ring over mixed media: SecFlow 2 units joined by fiber, SHDSL and the Internet between private Ethernet networks]
*roadmap
SecFlow2013 Slide25
Resilient Cellular Connection to Remote Sites
• GPRS/UMTS support
• Link resiliency using 2 SIM cards with continuous check of operator link quality
• Multiple remote spokes connecting to Hub over encrypted IPSec tunnels
– NHRP used for dynamic IP address resolution assigned to cellular spokes
– L2 VPN using transparent GRE tunnels over IPSec
– L3 VPN using DMVPN
[Figure: LAN connected to the WAN over fiber-optic or cellular links]
SecFlow2013 Slide26
Applications
SecFlow2013 Slide27
Smart-Grid Distribution Network
"New intelligent MV-LV* transformation centres with metering, power monitoring and capacity automation"
• Modern secondary sub-station requiring:
– Encrypted tunnels when using a public network
– Firewall for uplink protocols (IEC 104, IEC 61850, Modbus)
– Gateway for serial IEDs
[Figure: Secondary Sub-Station with power monitoring, automation and metering (RTU, smart meters, meters concentrator) connected through a SecFlow 2 over a cellular network to the Control Center and Data Center]
*Medium Voltage/Low Voltage
SecFlow switch integrates all the functions
SecFlow2013 Slide28
Migration to IP-based SCADA at Sub-stations
• Connectivity of sub-station devices to new IP-based SCADA
– Per-site firewall for industrial automation protocols
– Secure terminal server for maintenance sessions
– Encrypted tunnels when using wireless links
– Serial to ETH protocol gateway
[Figure: sub-stations with IEDs (ETH) and IEC-101 RTUs (RS-232) connected over an Ethernet ring to the Control Center IP SCADA and LAN management]
SecFlow2013 Slide29
Connecting the Sub-station LANs – Current Status
Network Limitations
• SCADA direct access to S.S. IEDs
• Field technician access to:
– Other sub-stations
– Central storage
– Facility RTU
• Remote technician access to RTUs and IEDs in all S.Ss
• Data-sharing between S.Ss
[Figure: Control Center (SCADA, storage), remote technician over the Internet, and sub-stations (facility RTU, sub-station RTU, sub-station IEDs, field technician) connected over the SDH/Packet network]
Need a unified sub-station LAN with secure inter-site connectivity
SecFlow2013 Slide30
Connecting the Sub-station LANs – Future Evolution
Use a secure switch connecting the LAN devices to the backbone
• Network segmentation using VLANs/Subnets
• App-aware firewall per-device
• Secure remote access
• Serial-to-ETH protocol gateway
[Figure: same topology with a SecFlow 4 at the sub-station connecting the facility RTU, sub-station RTU, sub-station IEDs and field technician to the SDH/Packet network, the Control Center (SCADA, storage) and the remote technician over the Internet]
SecFlow2013 Slide31
Metro Subway Control Network
• Metro subway control applications require communication with smart devices in each station
– Ethernet access switches connected to IP/MPLS backbone using VLANs as service ID
– Mixture of Ethernet, Serial & Discrete devices with secure access using a distributed ModBus firewall
– Secure mobile access from trains to control center using distributed device authentication methods
[Figure: station RTUs, IEDs and metering connected over the IP/MPLS backbone to the Control Center and Data Center]
SecFlow switches build a secure subway network
SecFlow2013 Slide32
Smart/Safe City End Points Communication
• Compact Industrial switch for Smart/Safe-city cabinets
– Ethernet with PoE
– Serial and discrete I/O ports for simple automation devices
– Diverse means of communication:
• Integrated dual-SIM cellular modem
• Fiber Optic with protected Ring Support (G.8032)
• SHDSL*
– Integrated security mechanisms
• IPSec VPN
• SCADA firewall
[Figure: SecFlow 2 in a cabinet with ETH PoE, RS-232 and dry-contact (tamper switch) ports and an attached display board, reached over dual 2G/3G communications, P2P & P2MP radio, WiFi*, FO and the PSN]
*roadmap
SecFlow2013 Slide33
Case Study of a Highway Security Infrastructure – Italy Autostrada
[Figure: remote sites with traffic control, message boards (RS-232/485), security cameras (PoE, QoS) and Tetra base stations, each with 1588 clock sync, connected over Ethernet rings (Ring 1, Ring 6, Ring 7, Ring 12) to the Central Site holding the 1588 clock]
SecFlow2013 Slide34
Ordering Options SecFlow-2
• Two ordering options:
– Advanced mode – SecFlow-2 is provided with security features, routing, switching and gateway functionalities.
– Basic mode – SecFlow-2 is provided with switching and gateway functionality only. Limited ordering options; cannot be upgraded to advanced mode.
Mode / PN / Description
Basic:
• SF2/B/AC/2GE8UTP/PoE – AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports
• SF2/B/48VDC/2GE8UTP/PoE – 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports
Advanced:
• SF2/S/48VDC/2GE8UTP – 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT UTP ports
• SF2/S/AC/2GE8UTP/PoE – AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports
• SF2/S/AC/2GE8UTP/PoE4AM – AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 4 UTP ports for Airmux products
• SF2/S/48VDC/2GE16UTP – 48 VDC power supply, 2×GbE SFP ports, 16×10/100BaseT UTP ports
• SF2/S/48VDC/2GE8UTP8SFP – 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT UTP ports, 8×100FX SFP
SecFlow2013 Slide35
Ordering Options SecFlow-4
PN / Description
Chassis:
• SF4/48VDCR – SecFlow-4 chassis, central processing and management module, dual 48 VDC power supply
• SF4/24VDCR – SecFlow-4 chassis, central processing and management module, dual 24 VDC power supply
Modules:
• SF4-M-4GBE-U – SecFlow-4 module with four 10/100/1000BaseT UTP Ethernet ports
• SF4-M-4GBE-POE – SecFlow-4 module with four 10/100/1000BaseT UTP Ethernet ports and 30W PoE
• SF4-M-4GBE-S – SecFlow-4 module with four 10/100/1000BaseFX SFP Ethernet ports
• SF4-M-4RS232 – SecFlow-4 module with four RS-232 serial ports
• SF4-PS-24VDC – 24 VDC power supply
• SF4-PS-48VDC – 48 VDC power supply
SecFlow2013 Slide36
Management
RADview-EMS is a unified carrier-class management platform for RAD devices, using a variety of access channels such as SNMPv1/3, HTTP/S, TFTP and Telnet/SSH. In addition, it features third-party device monitoring capabilities.
SecFlow2013 Slide37
Management, Benefits & Features
Benefits
● Turnkey system including hardware and software!
● Fully compliant with TMN standards
● Client/server architecture with multi-user support
● Interoperable with third-party NMS and leading OSS systems
● IBM Tivoli's Netcool®/OMNIbus™ plug-in
● Minimizes integration costs associated with new NEs
Key features
● Ensures device health and congestion control
● Topology maps and network inventory
● Advanced FCAPS functionality
● Software & configuration management
● Business continuity – High Availability and Disaster Recovery
● Handover between operators
SecFlow2013 Slide38
RADview-EMS advanced FCAPS
Fault management
• Detects and isolates faults in network devices, initiates remedial actions and distributes alarm messages to other management entities in the network.
Configuration management
• Enables operators to configure, install and distribute software to all devices across the network. In addition, the system tracks version changes and maintains software configuration history.
Accounting management
• Manages individual and group user accounts and passwords, generating network usage reports to monitor user activities.
Performance management
• Supports real-time monitoring of QoS and CoS, producing real-time and periodic statistics. The statistics collector compresses data to minimize bandwidth use for management traffic and exports CSV files to OSS or third-party management systems.
Security management
• Allows network administrators to track user activities and control the access to network resources with a choice of security features.
SecFlow2013 Slide39
Device Management
SecFlow-2/4 Device Management
● SNMP v1, v2, v3 (v3 only in SF-2)
● CLI
● WEB
● SNTP
● RADIUS
● TACACS
● TFTP
● Syslog
SecFlow2013 Slide40
RADview – SecFlow Network Manager
• SecFlow Network Manager provides end-to-end network management of the SecFlow devices, featuring:
– Automatic discovery of SecFlow network switches
– Network topology management
– End-to-end service provisioning
– Security rules configuration
– Aggregated network fault monitoring
– Network performance analysis
– Operator authorization levels
SecFlow2013 Slide41
Thank You For Your Attention
www.rad.com
SecFlow2013 Slide42