
SecFlow Overview



Presentation Transcript


  1. SecFlow Overview

  2. U&T Target Market Segments
     Utilities:
     • Power
     • Water
     • Oil & Gas
     • Mining
     Transportation:
     • Railways
     • Motorways
     • Air Traffic Control
     • Maritime

  3. Power Utilities Trends
     The power utilities' communication needs are in an evolution phase:
     • Migration to packet in various parts of the network:
       • Replacement of the SDH/PDH core with Ethernet/IP/MPLS
       • Replacement of old substation technology with IEC 61850 based solutions, which consist of an Ethernet "LAN" and packet signaling
       • Migration of old SCADA/RTUs from serial to IP based
     • Smart Grid – implementation of Demand Response techniques for improved automation and control of the distribution grid, and deployment of Smart Meters
     • Growing need for cyber and physical security solutions

  4. Challenges of Power Utilities Communication Networks
     • Evolution in the substation
       • Migration to PSN in the substation while supporting multiple services
       • Teleprotection connectivity over SDH and PSN
       • Substation automation and cyber security
     • Smart Grid
       • Secured backhaul solutions for Smart Meters
       • Growth in bandwidth
     • Transitioning the operational network to PSN while maintaining reliability, security and simplicity
     • Clock synchronization over the PSN network
     • Product obsolescence – old RTUs and substation communications PDH/SDH multiplexers are out of production and service; however, there is still a need to maintain legacy equipment and the installed base

  5. Industrial Control Systems
     • Industrial control systems are used to monitor and remotely control critical industrial processes:
       • SCADA systems
       • Distributed Control Systems (DCS)
       • Programmable Logic Controllers (PLC)
     • Highly distributed
       • Geographically separated assets
       • Centralized data acquisition and control are critical
     • Oil and gas pipelines
     • Electrical power grids
     • Railway transportation systems

  6. SCADA System
     • Supervisory Control And Data Acquisition (SCADA) – an industrial measurement and control system. SCADA elements are:
     • Central device
       • Central Master Station – supervisory system, gathering data on the process and sending action commands.
     • Remote devices
       • Programmable Logic Controller (PLC) and Remote Terminal Unit (RTU) – connect to sensors in the process, convert sensor signals to digital data and send the digital data to the supervisory system.
       • Intelligent Electronic Devices (IED) – microprocessor-based controllers which monitor and perform proactive functions. Designed to support substation automation functions.

  7. Supervisory Control and Data Acquisition (SCADA), System Overview
     Source: http://en.wikipedia.org/wiki/File:DNP-overview.png
     • SCADA communication protocols:
       • Modbus
       • DNP3
       • IEC101, IEC104
     • RTUs
     • PLCs
     • IEDs

  8. IEC 61850
     • International standard for substation automation systems, developed to create an open communication environment
     • IEC 61850 provides interconnection of substation devices on a high-speed Ethernet network
     • IEC 61850 comprises 10 separate standards, IEC 61850-1 through IEC 61850-10
     • IEC 61850-3 specifies general requirements; the hardware design must support three major requirements:
       • Electromagnetic Interference (EMI) immunity – strong electromagnetic compatibility (EMC) design to protect against EMI
       • Operating temperature -40°C to 75°C – substation environments can experience temperatures as high as 75°C and as low as -40°C

  9. SecFlow Portfolio Overview
     • SecFlow – Ruggedized SCADA-Aware Ethernet Switch, consisting of two product families:
       • SecFlow-2 – Ruggedized SCADA-Aware Ethernet Switch/Router
       • SecFlow-4 – Modular Ruggedized SCADA-Aware Ethernet Switch/Router

  10. SecFlow Main Features

  11. SecFlow-2 Access and Network Interfaces
     [Diagram labels: Console; USB; FE ports FE 0/1-8 with optional PoE; RS-232 ports 1-4; SFP GbE1, GbE2; SIM card ports 1, 2; DI/DO; Power; Dual GPRS/UMTS modem]

  12. SecFlow-4 Access and Network Interfaces
     [Diagram labels: Service and MNG module; dual power supplies; 7 I/O slots]

  13. SecFlow-4 Modules

  14. SecFlow-2/4 v3.1 Main Features

  15. SecFlow-2/4 v3.1 Main Features

  16. SecFlow-2/4 v3.1 Main Features

  17. SecFlow-2/4 v3.1 Main Features

  18. SecFlow-2/4 Main Features

  19. Legacy Migration
     • Integrated serial interfaces in switches with 3 operational modes:
       • Tunneling between serial segments
         • Byte / bit-stream
         • Multipoint support
         • Service-aware security for serial tunnels
       • Gateway connecting serial devices to matching Ethernet devices
         • Currently supports IEC-101 to IEC-104
       • Terminal Server connecting a computer to serial devices
     [Diagram: SecFlow 2 units joined by RS-232/RS-485 and Ethernet links, showing the Serial Tunnel and Gateway services]

  20. Protocol Gateway
     IEC-101 to IEC-104 conversion using protocol gateway functionality.
     [Diagram: Remote Site A and Remote Site B, each with an IEC 101 RTU on RS-232 behind a SecFlow 2; Central Site with SCADA (IEC 104 over the LAN), Serial Master 1 and Serial Master 2 (V.Com port carried as UDP/IP and SSH terminal server) behind a SecFlow 4; PSN between the sites; RS-232 console]
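Slides 19 and 20 describe the gateway mode that converts IEC-101 serial traffic to IEC-104 over the packet network. The following Python is an added example written for this page, not RAD's gateway code. It assumes the common IEC-101 profile (1-byte cause of transmission, 1-byte common address, 2-byte information object address, 1-byte link address), which IEC-104 fixes at 2, 2 and 3 bytes, and handles only the ASDU types listed in the element-size table; the sample FT1.2 frames are constructed. A practitioner will want to see that the link-layer checksum is verified before anything is forwarded, that the ASDU is rewritten field by field rather than copied, and that malformed or unknown ASDUs are refused instead of passed through.

```python
"""IEC 60870-5-101 (serial, FT1.2) to IEC 60870-5-104 (TCP) re-framing.

Added example for this page; not RAD SecFlow code. Assumes the IEC-101
profile COT=1 byte, CA=1 byte, IOA=2 bytes, link address=1 byte.
"""
import struct

# Information element size (bytes) per ASDU type id, for the types handled here.
ELEMENT_SIZE = {
    1: 1,    # M_SP_NA_1  single-point information (SIQ)
    3: 1,    # M_DP_NA_1  double-point information (DIQ)
    9: 3,    # M_ME_NA_1  measured value, normalized (NVA + QDS)
    11: 3,   # M_ME_NB_1  measured value, scaled (SVA + QDS)
    13: 5,   # M_ME_NC_1  measured value, short float (IEEE 754 + QDS)
}


def parse_ft12_variable(frame: bytes):
    """Return (control, link_address, asdu) from an FT1.2 variable-length frame.

    Layout: 0x68 L L 0x68 [L bytes: control, link address, ASDU] checksum 0x16.
    """
    if len(frame) < 6 or frame[0] != 0x68 or frame[3] != 0x68:
        raise ValueError("bad FT1.2 start characters")
    length = frame[1]
    if frame[2] != length:
        raise ValueError("duplicated length fields differ")
    if len(frame) != length + 6 or frame[-1] != 0x16:
        raise ValueError("bad frame size or end character")
    body = frame[4:4 + length]
    if sum(body) & 0xFF != frame[-2]:          # arithmetic sum modulo 256
        raise ValueError("checksum mismatch")
    return body[0], body[1], bytes(body[2:])


def widen_asdu_101_to_104(asdu: bytes) -> bytes:
    """Rewrite a 101 ASDU (COT 1, CA 1, IOA 2) into 104 layout (COT 2, CA 2, IOA 3)."""
    if len(asdu) < 4:
        raise ValueError("ASDU too short")
    type_id, vsq, cot, ca = asdu[0], asdu[1], asdu[2], asdu[3]
    if type_id not in ELEMENT_SIZE:
        raise ValueError(f"unsupported type id {type_id}")
    sq, count, size = vsq & 0x80, vsq & 0x7F, ELEMENT_SIZE[type_id]
    # 104 COT carries an originator address octet; 104 CA is 16-bit little-endian.
    out = bytearray([type_id, vsq]) + struct.pack("<H", cot) + struct.pack("<H", ca)
    objects, pos = asdu[4:], 0
    if sq:  # one IOA followed by `count` consecutive elements
        out += objects[pos:pos + 2] + b"\x00"
        pos += 2
        out += objects[pos:pos + count * size]
        pos += count * size
    else:   # `count` objects, each IOA + element
        for _ in range(count):
            out += objects[pos:pos + 2] + b"\x00" + objects[pos + 2:pos + 2 + size]
            pos += 2 + size
    if pos != len(objects):
        raise ValueError("object data length does not match VSQ")
    return bytes(out)


def build_104_i_frame(asdu: bytes, send_seq: int, recv_seq: int) -> bytes:
    """Wrap an ASDU in an IEC-104 APDU with an I-format control field."""
    control = struct.pack("<HH", (send_seq << 1) & 0xFFFF, (recv_seq << 1) & 0xFFFF)
    apdu_len = len(control) + len(asdu)
    if apdu_len > 253:
        raise ValueError("APDU exceeds maximum length")
    return bytes([0x68, apdu_len]) + control + asdu


class Gateway101to104:
    """Forwards verified 101 frames as 104 I-frames, tracking the send sequence."""

    def __init__(self):
        self.send_seq = 0
        self.recv_seq = 0

    def forward(self, ft12_frame: bytes) -> bytes:
        _control, _addr, asdu = parse_ft12_variable(ft12_frame)
        apdu = build_104_i_frame(widen_asdu_101_to_104(asdu), self.send_seq, self.recv_seq)
        self.send_seq = (self.send_seq + 1) & 0x7FFF
        return apdu


# Constructed sample: RTU link address 1 reports single-point IOA 100 = ON, COT 3 (spontaneous), CA 11.
SAMPLE_101_FRAME = bytes.fromhex("68 09 09 68 08 01 01 01 03 0b 64 00 01 7e 16")
CORRUPT_101_FRAME = bytes.fromhex("68 09 09 68 08 01 01 01 03 0b 64 00 01 7f 16")

if __name__ == "__main__":
    gw = Gateway101to104()
    print(gw.forward(SAMPLE_101_FRAME).hex())
```

The gateway deliberately parses and re-emits the ASDU instead of relaying bytes, so an RTU frame with a bad checksum or a type it does not understand never reaches the IEC-104 side.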

  21. Cyber Security Threats to Utilities
     Attack vector → Security measure
     • Control-Center malware → Service-aware firewall
     • Field-site breach → Distributed firewalls
     • Man-in-the-Middle → Encryption
     • Remote maintenance → Secure remote access
     Distributed SCADA IPS Deployment
     • Role-based validation of SCADA commands
     • Deployment at each end-point
     • Used for both IP and serial devices

  22. Distributed Firewall
     SCADA-aware firewall for Modbus and IEC 101/104.
     [Diagram: Remote Site A with Modbus RTUs behind a SecFlow 2 and Remote Site B with IEC 101 RTUs behind a SecFlow 2 (RTU IDs 11, 12 and 13); Central Site with Modbus SCADA, NMS, a 104 client and a Modbus client behind a SecFlow 4; PSN carrying IEC 104, UDP/IP and SSH (terminal server); ASDU1, ASDU2, ASDU3]

  23. Security Features
     • 802.1X – IEEE standard for port-based Network Access Control (PNAC), authentication and protection against DoS attacks
     • Access Control List – traffic filtering according to layer 2/3/4 criteria
     • RADIUS and TACACS+ based centralized user authentication and authorization
     • L2/L3 VPN, using IPsec encryption
       • User policy for traffic type, IKE, AES or 3DES encryption, dynamic keys
     • Secure Telnet access, using SSH
     • SCADA firewall per port (Modbus, IEC-104, DNP3.0)
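Slides 21 through 23 describe a SCADA-aware firewall deployed per port or end-point that validates commands by role. The following Python is an added example written for this page, not RAD's SecFlow firewall; the rule table format, the host addresses (a SCADA master at 10.0.0.5 and an engineering station at 10.0.0.9) and the sample Modbus/TCP frames are constructed. It parses the MBAP header and function code of each request and allows it only when a rule for that source permits that function code on that unit ID, so a host entitled only to poll cannot write to an RTU, and frames whose length field disagrees with the bytes on the wire are dropped before any rule is consulted.

```python
"""Minimal SCADA-aware Modbus/TCP filter (added example; not RAD SecFlow code).

Constructed assumptions: the rule table format, hosts 10.0.0.5 (SCADA master)
and 10.0.0.9 (engineering station), and the sample frames below.
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Public Modbus function codes grouped by their effect on the RTU.
READ_FUNCTIONS = frozenset({1, 2, 3, 4})       # read coils / inputs / registers
WRITE_FUNCTIONS = frozenset({5, 6, 15, 16})    # write coils / registers


class ModbusParseError(ValueError):
    """Raised for frames that are not well-formed Modbus/TCP requests."""


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    pdu: bytes  # bytes following the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and function code; reject inconsistent frames."""
    if len(frame) < MBAP_LEN + 1:
        raise ModbusParseError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ModbusParseError(f"protocol id {proto} is not Modbus (0)")
    # The length field counts the unit id and the PDU, i.e. everything after
    # the first six bytes; a mismatch means truncation or trailing garbage.
    if length != len(frame) - 6:
        raise ModbusParseError("MBAP length does not match frame size")
    return ModbusRequest(tid, unit, frame[MBAP_LEN], frame[MBAP_LEN + 1:])


@dataclass(frozen=True)
class Rule:
    """Which function codes a source host may send to which unit ids."""
    source_ip: str
    unit_ids: FrozenSet[int]
    function_codes: FrozenSet[int]


# Constructed policy: the SCADA master may only poll RTUs 11-13; the
# engineering station may also write, but only to RTU 11.
RULES: List[Rule] = [
    Rule("10.0.0.5", frozenset({11, 12, 13}), READ_FUNCTIONS),
    Rule("10.0.0.9", frozenset({11}), READ_FUNCTIONS | WRITE_FUNCTIONS),
]


def evaluate(source_ip: str, frame: bytes, rules: List[Rule]) -> Tuple[str, str]:
    """Return ("ALLOW" or "DROP", reason) for one request frame; default is DROP."""
    try:
        req = parse_modbus_tcp(frame)
    except ModbusParseError as exc:
        return "DROP", f"malformed frame: {exc}"
    for rule in rules:
        if (rule.source_ip == source_ip
                and req.unit_id in rule.unit_ids
                and req.function_code in rule.function_codes):
            return "ALLOW", f"fc={req.function_code} unit={req.unit_id} permitted for {source_ip}"
    return "DROP", f"no rule permits fc={req.function_code} unit={req.unit_id} from {source_ip}"


# Constructed sample frames: tid, protocol id 0, length, unit id, function code, data.
READ_HOLDING_REGS = bytes.fromhex("0001 0000 0006 0b 03 0000 000a")  # fc 3, unit 11, 10 regs from 0
WRITE_SINGLE_REG = bytes.fromhex("0002 0000 0006 0b 06 0010 0001")   # fc 6, unit 11, reg 16 := 1
BAD_LENGTH = bytes.fromhex("0003 0000 0020 0b 03 0000 000a")         # length field claims 32 bytes

if __name__ == "__main__":
    for src, frame in [("10.0.0.5", READ_HOLDING_REGS), ("10.0.0.5", WRITE_SINGLE_REG),
                       ("10.0.0.9", WRITE_SINGLE_REG), ("10.0.0.5", BAD_LENGTH)]:
        verdict, reason = evaluate(src, frame, RULES)
        print(f"{verdict:5} {src:9} {frame.hex()}  {reason}")
```

The default verdict is DROP, which is what makes the rule table a role model: each host is enumerated with the function codes and unit IDs its role needs, and anything else, including a well-formed write from the polling master, is refused and logged with the reason.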

  24. Integrated Defense-in-Depth Tool-Set
     • Advanced security measures integrated in the switch using a dedicated service engine
     • Enables easy deployment of an extensive defense-in-depth solution

  25. Multi-Service Transport
     • Utility networks do not have 100% fiber connectivity
     • SecFlow switches support alternative transport infrastructures:
       • GPRS/UMTS – cellular coverage with 2 operators
       • Radio links using RAD's Airmux wireless solution
       • SHDSL – private copper lines*
     • Used with integrated security mechanisms
     [Diagram: SecFlow 2 units connected over a Private ETH Network and the Internet]
     *roadmap

  26. Resilient Cellular Connection to Remote Sites
     • GPRS/UMTS support
     • Link resiliency using 2 SIM cards with continuous check of operator link quality
     • Multiple remote spokes connecting to the hub over encrypted IPsec tunnels
     • NHRP used for dynamic resolution of the IP addresses assigned to cellular spokes
     • L2 VPN using transparent GRE tunnels over IPsec
     • L3 VPN using DMVPN
     [Diagram labels: LAN, WAN, FO | Cellular]

  27. Applications

  28. Smart-Grid Distribution Network
     "New intelligent MV-LV* transformation centres with metering, power monitoring and capacity automation"
     • Modern secondary sub-station requiring:
       • Encrypted tunnels when using a public network
       • Firewall for uplink protocols (IEC 104, IEC 61850, Modbus)
       • Gateway for serial IEDs
     • SecFlow switch integrates all the functions
     [Diagram: Automation Control Center and Metering Data Center; Secondary Sub-Station with power monitoring, smart meters, RTU, meters concentrator and a SecFlow 2; cellular antenna network (secondary sub-stations)]
     *Medium Voltage/Low Voltage

  29. Migration to IP-based SCADA at Sub-stations
     • Connectivity of sub-station devices to the new IP-based SCADA
     • Per-site firewall for industrial automation protocols
     • Secure terminal server for maintenance sessions
     • Encrypted tunnels when using wireless links
     • Serial-to-ETH protocol gateway
     [Diagram: Control Center with IP SCADA on an ETH LAN; management ring connecting sub-stations with RTUs and IEDs; RS-232 IEC-101 links]

  30. Connecting the Sub-station LANs – Current Status
     Network limitations:
     • SCADA direct access to S.S. IEDs
     • Field technician access to:
       • Other sub-stations
       • Central storage
       • Facility RTU
     • Remote technician access to RTUs and IEDs in all S.Ss
     • Data-sharing between S.Ss
     Need a unified sub-station LAN with secure inter-site connectivity.
     [Diagram: Control Center (SCADA, storage), remote technician via the Internet, sub-stations with facility RTU, sub-station RTU and sub-station IEDs over an SDH/packet network, field technician]

  31. Connecting the Sub-station LANs – Future Evolution
     Use a secure switch connecting the LAN devices to the backbone:
     • Network segmentation using VLANs/subnets
     • App-aware firewall per device
     • Secure remote access
     • Serial-to-ETH protocol gateway
     [Diagram: Control Center (SCADA, storage), remote technician via the Internet, sub-station with a SecFlow 4 on the SDH/packet network, sub-station IEDs, sub-station RTU, facility RTU, field technician]

  32. Metro Subway Control Network
     • Metro subway control applications require communication with smart devices in each station
     • Ethernet access switches connected to an IP/MPLS backbone using VLANs as service ID
     • Mixture of Ethernet, serial and discrete devices with secure access using a distributed Modbus firewall
     • Secure mobile access from trains to the control center using distributed device authentication methods
     • SecFlow switches build a secure subway network
     [Diagram: Metering Data Center, Control Center, RTU, IED, IP/MPLS backbone]

  33. Smart/Safe City End Points Communication
     • Compact industrial switch for Smart/Safe-city cabinets
       • Ethernet with PoE
       • Serial and discrete I/O ports for simple automation devices
     • Diverse means of communication:
       • Integrated dual-SIM cellular modem
       • Fiber optic with protected ring support (G.8032)
       • SHDSL*
     • Integrated security mechanisms:
       • IPsec VPN
       • SCADA firewall
     [Diagram: SecFlow 2 in a cabinet with P2P & P2MP radio, dual 2G/3G communications, display board (ETH), WiFi*, RS-232, FO to the PSN, dry-contact tamper switch, ETH PoE]
     *roadmap

  34. Case Study of a Highway Security Infrastructure – Italy Autostrada
     [Diagram: Central Site with a 1588 clock and ETH rings (Ring 1, Ring 6, Ring 7, Ring 12) to remote sites; each remote site connects Tetra base stations, traffic control, security cameras and message boards over RS-232/485, with 1588 clock sync, PoE and QoS]

  35. Ordering Options SecFlow-2
     • Two ordering options:
       • Advanced mode – SecFlow-2 is provided with security features, routing, switching and gateway functionalities.
       • Basic mode – SecFlow-2 is provided with switching and gateway functionality only. Limited ordering options; cannot be upgraded to advanced mode.

  36. Ordering Options SecFlow-2

  37. Management
     RADview-EMS is a unified carrier-class management platform for RAD devices, using a variety of access channels such as SNMPv1/3, HTTP/S, TFTP and Telnet/SSH. In addition, it features third-party device monitoring capabilities.
     Broad Perspective. Direct Control.

  38. Management, Benefits & Features
     Benefits:
     • Turnkey system including hardware and software
     • Fully compliant with TMN standards
     • Client/server architecture with multi-user support
     • Interoperable with third-party NMS and leading OSS systems
       • IBM Tivoli's Netcool®/OMNIbus™ plug-in
     • Minimizes integration costs associated with new NEs
     Key features:
     • Ensures device health and congestion control
     • Topology maps and network inventory
     • Advanced FCAPS functionality
     • Software and configuration management
     • Business continuity – High Availability and Disaster Recovery
     • Handover between operators

  39. RADview-EMS advanced FCAPS

  40. Device Management
     SecFlow-2/4 device management:
     • SNMP v1, v2, v3 (v3 only in SF-2)
     • CLI
     • Web
     • SNTP
     • RADIUS
     • TACACS
     • TFTP
     • Syslog

  41. RADview – SecFlow Network Manager
     • SecFlow Network Manager is an end-to-end network management of the SecFlow devices, featuring:
       • Automatic discovery of SecFlow network switches
       • Network topology management
       • End-to-end service provisioning
       • Security rules configuration
       • Aggregated network fault monitoring
       • Network performance analysis
       • Operator authorization levels
