SecFlow Overview
U&T Target Market Segments
• Utilities: Power, Water, Oil & Gas, Mining
• Transportation: Railways, Motorways, Air Traffic Control, Maritime
Power Utilities Trends
The communication needs of power utilities are evolving:
• Migration to packet in various parts of the network:
  • Replacement of the SDH/PDH core with Ethernet/IP/MPLS
  • Replacement of old substation technology with IEC 61850 based solutions, which consist of an Ethernet “LAN” and packet signaling
  • Migration of old SCADA/RTUs from serial to IP based communication
• Smart Grid – implementation of Demand Response techniques for improved automation and control of the distribution grid, and deployment of Smart Meters
• Growing need for cyber and physical security solutions
Challenges of Power Utilities Communication Networks
• Evolution in the substation
  • Migration to PSN in the substation while supporting multiple services
  • Teleprotection connectivity over SDH and PSN
  • Substation automation and cyber security
• Smart Grid
  • Secured backhaul solutions for Smart Meters
  • Growth in bandwidth
• Transitioning the operational network to PSN while maintaining reliability, security and simplicity
• Clock synchronization over the PSN network
• Product obsolescence – old RTUs and substation communications PDH/SDH multiplexers are out of production and service; however, there is still a need to maintain legacy equipment and the installed base
Industrial Control Systems
• Industrial control systems are used to monitor and remotely control critical industrial processes:
  • SCADA systems
  • Distributed Control Systems (DCS)
  • Programmable Logic Controllers (PLC)
• Highly distributed
  • Geographically separated assets
  • Centralized data acquisition and control are critical
• Oil and gas pipelines
• Electrical power grids
• Railway transportation systems
SCADA System
• Supervisory Control And Data Acquisition (SCADA) – an industrial measurement and control system. SCADA elements are:
• Central device
  • Central Master Station – supervisory system, gathering data on the process and sending action commands
• Remote devices
  • Programmable Logic Controller (PLC) and Remote Terminal Unit (RTU) – connect to sensors in the process, convert sensor signals to digital data and send the digital data to the supervisory system
  • Intelligent Electronic Devices (IED) – microprocessor based controllers which monitor and perform protective functions; designed to support substation automation functions
Supervisory Control and Data Acquisition (SCADA), System Overview
[Diagram: SCADA system overview. Source: http://en.wikipedia.org/wiki/File:DNP-overview.png]
• SCADA communication protocols: Modbus, DNP3, IEC 101, IEC 104
• Field devices: RTUs, PLCs, IEDs
IEC 61850
• International standard for substation automation systems, developed to create an open communication environment
• IEC 61850 provides interconnection of substation devices on a high speed Ethernet network
• IEC 61850 comprises 10 separate standards, IEC 61850-1 through IEC 61850-10
• IEC 61850-3 specifies general requirements for the hardware design, which must support three major requirements, including:
  • Electromagnetic Interference (EMI) immunity – strong electromagnetic compatibility (EMC) design to protect against EMI
  • Operating temperature -40°C to 75°C – substation environments can experience temperatures as high as 75°C and as low as -40°C
SecFlow Portfolio Overview
• SecFlow – Ruggedized SCADA-Aware Ethernet Switch, consisting of two product families:
  • SecFlow-2 – Ruggedized SCADA-Aware Ethernet Switch/Router
  • SecFlow-4 – Modular Ruggedized SCADA-Aware Ethernet Switch/Router
SecFlow-2 Access and Network Interfaces
[Product diagram, labelled interfaces: Console, USB, FE ports FE 0/1-8 with optional PoE, RS-232 ports 1-4, SFP GbE1 and GbE2, SIM card ports 1 and 2, DI/DO, power, dual GPRS/UMTS modem]
SecFlow-4 Access and Network Interfaces
[Product diagram, labelled: service and management module, dual power supplies, 7 I/O slots]
Legacy Migration
• Integrated serial interfaces in switches with 3 operational modes:
  • Tunneling between serial segments
    • Byte / bit-stream
    • Multipoint support
    • Service-aware security for serial tunnels
  • Gateway connecting serial devices to matching Ethernet devices
    • Currently supports IEC-101 to IEC-104
  • Terminal Server connecting a computer to serial devices
[Diagram: SecFlow 2 units connected by RS-232/RS-485 links and Ethernet links, showing the serial tunnel and gateway services]
Protocol Gateway
IEC-101 to IEC-104 conversion using protocol gateway functionality
[Diagram labels: Remote Site A with IEC 101 RTU and Serial Master 1, Remote Site B with Serial Master 2, RS-232 links into SecFlow 2 units; PSN carrying IEC 104, UDP/IP, SSH (terminal server) and a virtual COM port; Central Site with SecFlow 4, IEC 104 SCADA, LAN and console]
Cyber Security Threats to Utilities
Attack vector and matching security measure:
• Control-Center malware: service-aware firewall
• Field-site breach: distributed firewalls
• Man-in-the-Middle: encryption
• Remote maintenance: secure remote access
Distributed SCADA IPS Deployment
• Role-based validation of SCADA commands
• Deployment at each end-point
• Used for both IP and serial devices
Distributed Firewall
SCADA-aware firewall for Modbus and IEC 101/104
[Diagram labels: Remote Site A with Modbus RTUs behind a SecFlow 2; Remote Site B with IEC 101 RTUs ID 11, ID 12, ID 13 (ASDU1, ASDU2, ASDU3) behind a SecFlow 2; PSN carrying Modbus, IEC 104, UDP/IP and SSH (terminal server); Central Site with SecFlow 4, Modbus SCADA, NMS, 104 client and Modbus client]
Security Features
• 802.1X – IEEE standard for port-based Network Access Control (PNAC), authentication and protection against DoS attacks
• Access Control List – traffic filtering according to layer 2/3/4 criteria
• RADIUS and TACACS+ based centralized user authentication and authorization
• L2/L3 VPN using IPsec encryption
  • User policy for traffic type, IKE, AES or 3DES encryption, dynamic keys
• Secure Telnet access using SSH
• SCADA firewall per port (Modbus, IEC-104, DNP3.0)
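As an added illustration of the per-port SCADA firewall and role-based command validation described on the Distributed Firewall and Security Features slides (example code written here, not RAD's or SecFlow's implementation), the following Python snippet parses Modbus/TCP requests and applies a default-deny allowlist of client address, unit ID and function code; the client addresses, policy and sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes grouped by their effect on the process
READ_FCS = frozenset({1, 2, 3, 4})             # read coils / discrete inputs / holding / input registers
WRITE_FCS = frozenset({5, 6, 15, 16, 22, 23})  # write coils/registers, mask write, read+write registers
MAX_REG_QTY = 125                              # Modbus/TCP limit on registers per FC 3/4 read

@dataclass(frozen=True)
class Rule:
    """Allowlist entry: which client may send which function codes to which unit IDs."""
    client: str          # source IP of the SCADA master / workstation (constructed values below)
    unit_ids: frozenset  # RTU unit identifiers reachable behind this port
    functions: frozenset

def parse_mbap(frame: bytes):
    """Parse a Modbus/TCP frame (MBAP header + PDU); returns (unit_id, function_code, pdu_data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # length field covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return unit, frame[7], frame[8:]

def check_request(frame: bytes, client: str, rules) -> str:
    """Default-deny policy check; returns 'allow' or a 'deny: ...' reason suitable for a syslog line."""
    try:
        unit, fc, data = parse_mbap(frame)
    except ValueError as exc:
        return f"deny: malformed ({exc})"
    for rule in rules:
        if rule.client == client and unit in rule.unit_ids and fc in rule.functions:
            if fc in (3, 4):  # also sanity-check the register count on reads
                if len(data) < 4:
                    return "deny: truncated read request"
                qty = struct.unpack(">H", data[2:4])[0]
                if not 1 <= qty <= MAX_REG_QTY:
                    return f"deny: register quantity {qty} out of range"
            return "allow"
    return f"deny: no rule for client {client} unit {unit} fc {fc}"

# Constructed policy: the SCADA master may only read from RTU units 11-13 (the IDs on the
# Distributed Firewall slide); the engineering workstation may also write, but only to unit 11.
RULES = [
    Rule("10.0.0.5", frozenset({11, 12, 13}), READ_FCS),
    Rule("10.0.0.9", frozenset({11}), READ_FCS | WRITE_FCS),
]
# Constructed sample frames: MBAP (transaction id, protocol 0, length, unit id) followed by the PDU
READ_REQ = bytes.fromhex("0001 0000 0006 0b 03 0000 000a")          # FC3: read 10 holding registers, unit 11
WRITE_REQ = bytes.fromhex("0002 0000 0009 0b 10 0000 0001 02 1234")  # FC16: write one register, unit 11
BIG_READ = bytes.fromhex("0003 0000 0006 0b 03 0000 00c8")          # FC3 asking for 200 registers
```

The returned deny reasons are meant to be logged (for example via the Syslog channel listed under Device Management) so that blocked writes from unexpected sources are visible to the control center.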
Integrated Defense-in-Depth Tool-Set
• Advanced security measures integrated in the switch using a dedicated service engine
• Enables easy deployment of an extensive defense-in-depth solution
Multi-Service Transport
• Utility networks do not have 100% fiber connectivity
• SecFlow switches support alternative transport infrastructures:
  • GPRS/UMTS – cellular coverage with 2 operators
  • Radio links using RAD’s Airmux wireless solution
  • SHDSL – private copper lines*
• Used with integrated security mechanisms
[Diagram: SecFlow 2 units connected over private Ethernet networks and the Internet]
*roadmap
Resilient Cellular Connection to Remote Sites
• GPRS/UMTS support
• Link resiliency using 2 SIM cards with continuous check of operator link quality
• Multiple remote spokes connecting to the hub over encrypted IPsec tunnels
• NHRP used for dynamic resolution of the IP addresses assigned to cellular spokes
• L2 VPN using transparent GRE tunnels over IPsec
• L3 VPN using DMVPN
[Diagram: LAN, WAN, fiber optic and cellular links]
Smart-Grid Distribution Network
“New intelligent MV-LV* transformation centres with metering, power monitoring and capacity automation”
• Modern secondary sub-station requiring:
  • Encrypted tunnels when using a public network
  • Firewall for uplink protocols (IEC 104, IEC 61850, Modbus)
  • Gateway for serial IEDs
[Diagram: Automation Control Center and Metering Data Center connected over a cellular network to secondary sub-stations, each with power monitoring, smart meters, RTU, cellular antenna, meters concentrator and a SecFlow 2; the SecFlow switch integrates all the functions]
*Medium Voltage/Low Voltage
Migration to IP-based SCADA at Sub-stations
• Connectivity of sub-station devices to new IP-based SCADA
• Per-site firewall for industrial automation protocols
• Secure terminal server for maintenance sessions
• Encrypted tunnels when using wireless links
• Serial to ETH protocol gateway
[Diagram: sub-stations with RTU and IED (RS-232, IEC-101) connected over an Ethernet LAN and management ring to the Control Center IP SCADA]
Connecting the Sub-station LANs – Current Status
Network limitations:
• SCADA direct access to S.S. IEDs
• Field technician access to:
  • Other sub-stations
  • Central storage
  • Facility RTU
• Remote technician access to RTUs and IEDs in all S.Ss
• Data sharing between S.Ss
[Diagram: Control Center with SCADA and storage, remote technician over the Internet, sub-station with facility RTU, sub-station RTU and sub-station IEDs over the SDH/packet network, field technician]
Need a unified sub-station LAN with secure inter-site connectivity
Connecting the Sub-station LANs – Future Evolution
Use a secure switch connecting the LAN devices to the backbone:
• Network segmentation using VLANs/subnets
• App-aware firewall per device
• Secure remote access
• Serial-to-ETH protocol gateway
[Diagram: SecFlow 4 in the sub-station connecting the sub-station IEDs, sub-station RTU, facility RTU and field technician to the SDH/packet network, the Control Center with SCADA and storage, and the remote technician over the Internet]
Metro Subway Control Network
• Metro subway control applications require communication with smart devices in each station
• Ethernet access switches connected to an IP/MPLS backbone using VLANs as service ID
• Mixture of Ethernet, serial and discrete devices with secure access using a distributed Modbus firewall
• Secure mobile access from trains to the control center using distributed device authentication methods
[Diagram: Metering Data Center, Control Center, RTU and IED over the IP/MPLS backbone; SecFlow switches build a secure subway network]
Smart/Safe City End Points Communication
• Compact industrial switch for Smart/Safe-city cabinets
  • Ethernet with PoE
  • Serial and discrete I/O ports for simple automation devices
• Diverse means of communication:
  • Integrated dual-SIM cellular modem
  • Fiber optic with protected ring support (G.8032)
  • SHDSL*
• Integrated security mechanisms
  • IPSec VPN
  • SCADA firewall
[Diagram: SecFlow 2 in a cabinet with P2P and P2MP radio, dual 2G/3G communications, display board, ETH, WiFi*, RS-232, FO, ETH PoE and a dry contact tamper switch, connected to the PSN]
*roadmap
Case Study of a Highway Security Infrastructure – Italy, Autostrada
[Diagram: Central Site with 1588 clock connected over Ethernet rings (Ring 1, Ring 6, Ring 7, Ring 12) to remote sites serving Tetra base stations, traffic control, security cameras and message boards over RS-232/485 and PoE, with 1588 clock sync and QoS]
Ordering Options SecFlow-2
• Two ordering options:
  • Advanced mode – SecFlow-2 is provided with security features, routing, switching and gateway functionalities.
  • Basic mode – SecFlow-2 is provided with switching and gateway functionality only. Limited ordering options; cannot be upgraded to advanced mode.
Management
RADview-EMS is a unified carrier-class management platform for RAD devices using a variety of access channels such as SNMPv1/3, HTTP/S, TFTP and Telnet/SSH. In addition, it features third-party device monitoring capabilities.
Broad Perspective. Direct Control.
Management, Benefits & Features
Benefits
• Turnkey system including hardware and software
• Fully compliant with TMN standards
• Client/server architecture with multi-user support
• Interoperable with third-party NMS and leading OSS systems
• IBM Tivoli’s Netcool®/OMNIbus™ plug-in
• Minimizes integration costs associated with new NEs
Key features
• Ensures device health and congestion control
• Topology maps and network inventory
• Advanced FCAPS functionality
• Software and configuration management
• Business continuity – high availability and disaster recovery
• Handover between operators
Device Management
SecFlow-2/4 device management:
• SNMP v1, v2, v3 (v3 only in SF-2)
• CLI
• WEB
• SNTP
• RADIUS
• TACACS
• TFTP
• Syslog
RADview – SecFlow Network Manager
• SecFlow Network Manager provides end-to-end network management of SecFlow devices, featuring:
  • Automatic discovery of SecFlow network switches
  • Network topology management
  • End-to-end service provisioning
  • Security rules configuration
  • Aggregated network fault monitoring
  • Network performance analysis
  • Operator authorization levels