
SecFlow Overview

SecFlow2013 Slide 1

U&T Target Market Segments

Utilities:
• Power
• Water
• Oil & Gas
• Mining

Transportation:
• Railways
• Motorways
• Air Traffic Control
• Maritime

Power Utilities Trends

The communication needs of power utilities are in an evolution phase:
• Migration to packet in various parts of the network:
– Replacement of the SDH/PDH core with Ethernet/IP/MPLS
– Replacement of old substation technology with IEC 61850 based solutions, which consist of an Ethernet “LAN” and packet signaling
– Migration of old SCADA/RTUs from serial to IP
• Smart Grid – implementation of Demand Response techniques for improved automation and control of the distribution grid, and deployment of Smart Meters
• Growing need for cyber and physical security solutions

Challenges Of Power Utilities Communication Networks

• Evolution in the substation
– Migration to PSN in the substation while supporting multiple services
– Teleprotection connectivity over SDH and PSN
– Substation automation and cyber security
• Smart Grid
– Secured backhaul solutions for Smart Meters
• Growth in bandwidth
– Transitioning the operational network to PSN while maintaining reliability, security and simplicity
– Clock synchronization over the PSN network
• Product obsolescence – old RTUs and substation communications PDH/SDH multiplexers are out of production and service; however, there is still a need to maintain legacy equipment and the installed base

Industrial Control Systems

• Industrial control systems are used to monitor and remotely control critical industrial processes
– SCADA systems
– Distributed Control Systems (DCS)
– Programmable Logic Controllers (PLC)
• Highly distributed
• Geographically separated assets
• Centralized data acquisition and control are critical
– Oil and gas pipelines
– Electrical power grids
– Railway transportation systems

SCADA System

• Supervisory Control And Data Acquisition (SCADA) – an industrial measurement and control system. SCADA elements are:
– Central device
• Central Master Station – supervisory system, gathering data on the process and sending action commands
– Remote devices
• Programmable Logic Controller (PLC) and Remote Terminal Unit (RTU) – connecting to sensors in the process, converting sensor signals to digital data and sending the digital data to the supervisory system
• Intelligent Electronic Devices (IED) – microprocessor-based controllers which monitor and perform proactive functions. Designed to support substation automation functions.

Supervisory Control and Data Acquisition (SCADA), System Overview

Source: http://en.wikipedia.org/wiki/File:DNP-overview.png

SCADA communication
• Protocols: Modbus, DNP3, IEC101, IEC104
• Devices: RTUs, PLCs, IEDs

IEC 61850

• International standard for substation automation systems, developed to create an open communication environment
• IEC 61850 provides interconnection of substation devices on a high-speed Ethernet network
• IEC 61850 comprises 10 separate standards, IEC 61850-1 through IEC 61850-10
• IEC 61850-3 specifies general requirements for the hardware design, which must support three major requirements:
– Electromagnetic Interference (EMI) immunity
– Strong electromagnetic compatibility (EMC) design to protect against EMI
– Operating temperature -40°C to 75°C – substation environments can experience temperatures as high as 75°C and as low as -40°C

SecFlow Portfolio Overview

• SecFlow – Ruggedized SCADA-Aware Ethernet Switch, consisting of two product families:
– SecFlow-2 – Ruggedized SCADA-Aware Ethernet Switch/Router
– SecFlow-4 – Modular Ruggedized SCADA-Aware Ethernet Switch/Router

SecFlow Main Features

Industrial Design
• Harsh environment
• DIN-rail mount
• IP 30
• -40°C to +75°C w/o fans
• EMI immunity
• IEC 61850-3
• IEEE 1613
• EN 50121-4

Multiservice Gateway
• Utilizes both Ethernet ports and serial interfaces
• Serial tunneling or service translation
• IEC101 to IEC104

Integrated Security
• L2/3/4 ACL
• MAC/IP filtering per port
• SCADA-aware firewall
• L2/L3 VPN with IPsec
• 802.1X
• RADIUS/TACACS

Resiliency
• Ethernet rings per ITU-T G.8032
• RSTP, MSTP
• Cellular 2G/3G modem uplink for maximum service continuation

SecFlow-2 Access and Network Interfaces

Access and network interfaces:
• RS-232 ports 1-4
• SIM card ports 1, 2 (dual GPRS/UMTS modem)
• FE ports 0/1-8 with optional PoE
• SFP GbE1, GbE2
• Console
• USB
• DI/DO
• Power

SecFlow-4 Access and Network Interfaces

• Dual power supplies
• 7 I/O slots
• Service and MNG module

SecFlow-4 Modules

Module – Description
SF4-M-4GBE – Gigabit Ethernet module with four UTP or four SFP ports
SF4-M-Serial – Serial interface module with four RS-232 ports
SF4-M-Service – Service module with firewall, serial tunneling, VPN functionalities and discrete input/output interfaces
SF4-M-MNG – Central processing and management module with local terminal and out-of-band management ports
SF4-PS-24VDC – Power supply module for 24 VDC input
SF4-PS-48VDC – Power supply module for 48 VDC input

SecFlow-2/4 v3.1

Main Features

SecFlow-2 Interfaces

Features and description:
• Ethernet interfaces: 2×100/1000BaseFX; up to 16×10/100BaseT
• Serial interfaces: up to 4×RS-232
• Cellular interface: dual SIM GPRS/UMTS cellular modem

Customer benefits:
• Resilient redundant networking over various WAN infrastructures
• Multiservice support in a compact single device
• Utilizes cellular network for main link
• Improves link resiliency and service continuity using cellular backup links

SecFlow-4 Interfaces

Ethernet module SF4-M-4GbE
• 4 × 100/1000BaseT, optional PoE, or 4 × 100/1000BaseFX
• Benefit: 4 GbE interfaces per module, providing a maximum of 28 GbEs per chassis for multiple Ethernet connections

Serial module SF4-M-Serial
• 4 × RS-232
• Benefits: 4 serial interfaces for legacy connectivity, with up to 28 serial ports per chassis; the serial module combined with the Ethernet module provides multiservice support for various applications

Central processing module SF4-M-MNG
• Central processing and management module with local terminal and out-of-band management ports
• Benefit: the module is supplied with the SecFlow-4 chassis, providing the Layer-2 functionality

Service module SF4-M-Service (optional)
• Service module with firewall, serial tunneling, VPN functionalities and discrete input/output interfaces; hardware-ready only
• Benefit: security, routing and gateway functionalities


Protocol Gateway
• IEC-101 to IEC-104 conversion
• Benefit: enables seamless communication from the IP SCADA to both the legacy and new RTUs, featuring a single box for multiservice applications and smooth migration to all-IP networks

SCADA-Aware Firewall
• The SCADA-aware firewall monitors SCADA commands using deep packet inspection to validate the intended application purpose
• Supported SCADA protocols: IEC-104, Modbus and DNP 3.0
• Syslog support for the IEC 104 firewall
• Benefit: provides distributed network security from the substation, enabling only authorized traffic to access the network according to the user-defined access rules

VPN Gateway with IPSec
• Layer 2 GRE VPN
• Layer 3 multipoint GRE Dynamic Multipoint VPN
• Layer 3 IPSec VPN
• IPSec encryption per 3DES or AES
• X.509 certificates with SHA256 and SHA512 for Phase 1/Phase 2, and AES 256 support
• Benefits: secured interconnection of remote sites over public networks, using Layer-2 or Layer-3 VPN with encryption; supports large-scale networks

QoS
• Port limit
• Ingress policing
• Strict priority
• Weighted Round Robin (WRR)
• Egress traffic shaping
• Benefit: separation of higher and lower priority traffic into 8 queues for prioritizing user traffic and allowing mission-critical applications to be served first


Ethernet OAM
• Single-segment (link) OAM according to IEEE 802.3-2005 (formerly 802.3ah)
• End-to-end connectivity OAM based on IEEE 802
• End-to-end service and performance monitoring based on ITU-T Y.1731
• Benefits: guaranteed SLA (Service Level Agreement) of contracted services; standard Ethernet OAM for easy interoperability with 3rd party equipment; monitors network faults, performs measurements and gathers statistics

Jumbo Frames
• SecFlow-2 supports 9K byte jumbo frames
• SecFlow-4 supports 12K byte jumbo frames
• Benefit: improves efficiency and increases performance in GbE networks

Ethernet Ring Protection
• Ethernet ring protection switching per G.8032v2
• RSTP (Rapid Spanning Tree Protocol) and MSTP (Multiple Spanning Tree Protocol) per IEEE 802.1D
• Benefits: link resiliency for high survivability and service continuity; 50-ms failure detection and switchover to the alternate link without service interruption

Link Aggregation
• Link aggregation per 802.3ad with configurable LACP
• Up to 8 LAGs
• Up to 8 ports in a LAG
• Benefits: provides increased bandwidth and high availability links; LACP ensures smooth and steady traffic flow by automating the configuration and maintenance of aggregated links

Terminal Server and Serial Tunneling
• Embedded terminal server
• Transparent serial tunneling
• Benefits: connects multiple devices with serial interfaces over IP; provides point-to-point or point-to-multipoint transparent serial tunneling

PoE
• Configurable PoE (enable/disable and force mode)
• 30W max per port
• Max 120W per device for 48 VDC power supply or 220 VAC
• Max 80W per device for 24 VDC power supply
• Benefits: easily feeds third-party equipment or peripheral devices such as IP cameras, using Power over Ethernet; SecFlow-2/4 can feed RAD’s Airmux outdoor device, eliminating the need for an Airmux indoor unit


Access Control List
• Access control lists according to Layer-2, -3 and -4 criteria
• Benefits: enhanced ACL mechanism to filter user traffic according to a variety of traffic criteria; better security and control of authorized traffic

Network Management
• SNMP: v1, v2, v3 (v3 only in SecFlow-2)
• RADview SecFlow Network Manager
• SSH: v2.0
• CLI
• RADIUS, TACACS
• TFTP client
• Syslog, SNTP
• Benefits: SecFlow-2 can be managed by a variety of management tools including CLI, WEB interface and the RADview SNMP-based management system; SecFlow-2 can also be managed by SecFlow Network Manager, integrated in the RADview EMS server, to provide an end-to-end management system

Switching
• Set of Layer-2 features for traffic management and security
• Auto crossing
• Autonegotiation per IEEE 802.3ab
• Port-based Network Access Control (PNAC) per IEEE 802.1x
• MAC list
• VLAN segregation tagging per IEEE 802.1q, 4K VLANs
• Multicast groups: IGMP snooping v1, v2, v3
• MAC limiting per port
• LLDP, DHCP client, DHCP relay, option 82

SecFlow-2/4 Main Features

Timing
• Local time settings
• NTP v2
• PTP transparent clock per 1588v2
• Benefit: flexible clock distribution and network synchronization based on different clock sources

Routing
• IPv4
• Static routing
• OSPF v2, v3
• RIPv2
• Benefit: a single-box solution that provides both Layer-2 features and Layer-3 routing capabilities

Diagnostics
• Counters and statistics per port
• LED diagnostics: main switching units (Alarm | Run | Ethernet)
• LED diagnostics: application interfaces (Cellular | Serial)
• Ping
• Trace route
• Port mirroring
• RMON v1
• Benefit: provides extensive diagnostic tools to assist operators in fault monitoring

Legacy Migration

• Integrated serial interfaces in switches with 3 operational modes
– Tunneling between serial segments
• Byte / bit-stream
• Multipoint support
• Service-aware security for serial tunnels
– Gateway connecting serial devices to matching Ethernet devices
• Currently supports IEC-101 to IEC-104
– Terminal server connecting a computer to serial devices

[Diagram: four SecFlow 2 units joined by RS-232/RS-485 and Ethernet links, showing a serial tunnel and a gateway service]

Protocol Gateway

[Diagram: IEC-101 to IEC-104 conversion using the protocol gateway functionality. A central site SCADA with two serial masters (RS-232, virtual COM port) and an IEC 104 LAN connects through a SecFlow 4 over the PSN (IEC 104, UDP/IP, SSH terminal server) to remote sites A and B, where SecFlow 2 units serve IEC 101 RTUs over RS-232 and a console port]

Cyber Security Threats to Utilities

Attack vector → Security measure
• Control-center malware → Service-aware firewall
• Field-site breach → Distributed firewalls
• Man-in-the-middle → Encryption
• Remote maintenance → Secure remote access

Distributed SCADA IPS Deployment
– Role-based validation of SCADA commands
– Deployment at each end-point
– Used for both IP and serial devices
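To make the role-based validation concrete, here is an added example (not RAD's code and not the SecFlow firewall implementation): a small Python model of an end-point SCADA-aware firewall that parses Modbus/TCP requests and allows or denies them per source role. The policy, IP addresses, unit IDs, register limits and frames are constructed assumptions.

```python
"""Added example (not RAD's code): a minimal model of the role-based
validation of SCADA commands that a SCADA-aware firewall performs at each
end point. It parses a Modbus/TCP frame (MBAP header + PDU) and checks the
function code, unit ID and register range against a per-source policy.
Addresses, unit IDs, limits and frames are constructed for the example."""
import struct
from dataclasses import dataclass

# Modbus public function codes handled by the example
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
RANGE_FCS = frozenset({READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS})

@dataclass(frozen=True)
class Role:
    name: str
    allowed_fcs: frozenset      # function codes this role may issue
    unit_ids: frozenset         # Modbus unit IDs (RTUs) it may address
    max_register: int = 0xFFFF  # highest register address it may touch

# Constructed policy: the SCADA poller is read-only on three RTUs; the
# engineering station may write, but only to RTU 11 and low registers.
POLICY = {
    "10.1.1.10": Role("scada-master", frozenset({READ_HOLDING_REGISTERS}),
                      frozenset({11, 12, 13})),
    "10.1.1.20": Role("engineering", RANGE_FCS, frozenset({11}),
                      max_register=0x00FF),
}

def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code, start_addr, quantity); raise ValueError if bad."""
    if len(frame) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU bytes
        raise ValueError("MBAP length mismatch")
    pdu = frame[7:]
    fc, start, qty = pdu[0], 0, 0
    if fc in RANGE_FCS:
        if len(pdu) < 5:
            raise ValueError("truncated PDU")
        start, qty = struct.unpack(">HH", pdu[1:5])
        if fc == WRITE_SINGLE_REGISTER:  # second field is a value, not a count
            qty = 1
    return unit, fc, start, qty

def check_command(src_ip: str, frame: bytes):
    """Return ('ALLOW' or 'DENY', reason) for one request seen from src_ip."""
    role = POLICY.get(src_ip)
    if role is None:
        return "DENY", "unknown source"
    try:
        unit, fc, start, qty = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DENY", f"malformed: {exc}"
    if fc not in role.allowed_fcs:
        return "DENY", f"{role.name} may not use fc 0x{fc:02x}"
    if unit not in role.unit_ids:
        return "DENY", f"{role.name} may not address unit {unit}"
    if qty and start + qty - 1 > role.max_register:
        return "DENY", f"{role.name} exceeds register 0x{role.max_register:04x}"
    return "ALLOW", f"{role.name} fc 0x{fc:02x} unit {unit}"

def build_request(tid, unit, fc, addr, value):
    """Constructed read (0x03) or single-write (0x06) Modbus/TCP request."""
    pdu = struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
```

The DENY reasons are the kind of message such a firewall would emit over the Syslog support listed above, so they are written to be useful as log lines.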

Distributed Firewall

[Diagram: SCADA-aware firewall for Modbus and IEC 101/104. A central site NMS and SCADA (IEC 104 client, Modbus client) connect through a SecFlow 4 and the PSN (IEC 104, UDP/IP, SSH terminal server) to remote site A (SecFlow 2 in front of Modbus RTUs) and remote site B (SecFlow 2 serving IEC 101 RTUs with ASDU addresses 1, 2, 3 and Modbus RTUs with IDs 11, 12, 13)]

Security Features

• 802.1X – IEEE standard for port-based Network Access Control (PNAC), authentication and protection against DoS attacks
• Access Control List – traffic filtering according to layer 2/3/4 criteria
• RADIUS and TACACS+ based centralized user authentication and authorization
• L2/L3 VPN using IPSEC encryption – user policy for traffic type, IKE, AES or 3DES encryption, dynamic key
• Secure Telnet access using SSH
• SCADA firewall per port (Modbus, IEC-104, DNP3.0)

Integrated Defense-in-Depth Tool-Set

• Advanced security measures integrated in the switch using a dedicated service engine
• Enables easy deployment of an extensive defense-in-depth solution

Multi-Service Transport
• Utility networks do not have 100% fiber connectivity
• SecFlow switches support alternative transport infrastructures
– GPRS/UMTS – cellular coverage with 2 operators
– Radio links using RAD’s Airmux wireless solution
– SHDSL* – private copper lines
• Used with integrated security mechanisms

[Diagram: Ethernet ring over mixed media – fiber, SHDSL and the Internet joining SecFlow 2 units and private Ethernet networks]

*roadmap

Resilient Cellular Connection to Remote Sites

• GPRS/UMTS support
• Link resiliency using 2 SIM cards with continuous check of operator link quality
• Multiple remote spokes connecting to the hub over encrypted IPSec tunnels
– NHRP used for dynamic resolution of the IP addresses assigned to cellular spokes
– L2 VPN using transparent GRE tunnels over IPSec
– L3 VPN using DMVPN

[Diagram: LAN over fiber optic on one side, cellular WAN on the other]

Applications


Smart-Grid Distribution Network

“New intelligent MV-LV* transformation centres with metering, power monitoring and capacity automation”

• Modern secondary sub-station requiring:
– Encrypted tunnels when using a public network
– Firewall for uplink protocols (IEC 104, IEC 61850, Modbus)
– Gateway for serial IEDs

[Diagram: secondary sub-station with power monitoring, automation, an RTU and a smart-meter concentrator connected by a SecFlow 2 over a cellular antenna to the control center and the metering data center network; the SecFlow switch integrates all the functions]

*Medium Voltage/Low Voltage

Migration to IP-based SCADA at Sub-stations

[Diagram: control center with IP SCADA connected over Ethernet to sub-stations; inside the sub-station, an IED ring LAN with management, and an RTU on RS-232/IEC-101]

• Connectivity of sub-station devices to new IP-based SCADA
– Per-site firewall for industrial automation protocols
– Secure terminal server for maintenance sessions
– Encrypted tunnels when using wireless links
– Serial to ETH protocol gateway

Connecting the Sub-station LANs – Current Status

Network Limitations
• SCADA direct access to S.S. IEDs
• Field technician access to:
– Other sub-stations
– Central storage
– Facility RTU
• Remote technician access to RTUs and IEDs in all S.Ss
• Data-sharing between S.Ss

[Diagram: control center (SCADA, storage) over an SDH/packet network and the Internet to a facility RTU, a remote technician, and sub-stations with RTUs, IEDs and a field technician]

Need a unified sub-station LAN with secure inter-site connectivity

Connecting the Sub-station LANs – Future Evolution

• Use a secure switch connecting the LAN devices to the backbone
• Network segmentation using VLANs/subnets
• App-aware firewall per device
• Secure remote access
• Serial-to-ETH protocol gateway

[Diagram: control center (SCADA, storage) connected over the SDH/packet network and the Internet to a facility RTU, a remote technician and sub-stations, each with a SecFlow 4 in front of the RTU, IEDs and field technician]

Metro Subway Control Network

• Metro subway control applications require communication with smart devices in each station
– Ethernet access switches connected to an IP/MPLS backbone using VLANs as service ID
– Mixture of Ethernet, serial and discrete devices with secure access using a distributed Modbus firewall
– Secure mobile access from trains to the control center using distributed device authentication methods

[Diagram: control center and metering data center over the IP/MPLS backbone to station IEDs and RTUs; SecFlow switches build a secure subway network]

Smart/Safe City End Points Communication

Compact industrial switch for Smart/Safe-city cabinets
– Ethernet with PoE
– Serial and discrete I/O ports for simple automation devices
– Diverse means of communication:
• Integrated dual-SIM cellular modem
• Fiber optic with protected ring support (G.8032)
• SHDSL*
– Integrated security mechanisms
• IPSec VPN
• SCADA firewall

[Diagram: SecFlow 2 in a cabinet with dual 2G/3G communications, P2P and P2MP radio, WiFi*, fiber optic and Ethernet to the PSN; local ports: ETH with PoE to a display board, RS-232, and dry contacts to a tamper switch]

*roadmap

Case Study of a Highway Security Infrastructure – Italy Autostarda

[Diagram: central site with a 1588 clock feeding Ethernet rings (Ring 1, 6, 7, 12) of remote sites; each remote site serves message boards, traffic control, security cameras and Tetra base stations over RS-232/485 and PoE, with QoS and 1588 clock sync]

Ordering Options SecFlow-2

• Two ordering options:
– Advanced mode – SecFlow-2 is provided with security features, routing, switching and gateway functionalities.
– Basic mode – SecFlow-2 is provided with switching and gateway functionality only. Limited ordering options, and cannot be upgraded to advanced mode.

Mode / PN – Description

Basic:
• SF2/B/AC/2GE8UTP/PoE – AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports
• SF2/B/48VDC/2GE8UTP/PoE – 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports

Advanced:
• SF2/S/48VDC/2GE8UTP – 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT UTP ports
• SF2/S/AC/2GE8UTP/PoE – AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports
• SF2/S/AC/2GE8UTP/PoE4AM – AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 4 UTP ports for Airmux products
• SF2/S/48VDC/2GE16UTP – 48 VDC power supply, 2×GbE SFP ports, 16×10/100BaseT UTP ports
• SF2/S/48VDC/2GE8UTP8SFP – 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT UTP ports, 8×100FX SFP

Ordering Options SecFlow-4

Chassis (PN – Description):
• SF4/48VDCR – SecFlow-4 chassis, central processing and management module, dual 48 VDC power supply
• SF4/24VDCR – SecFlow-4 chassis, central processing and management module, dual 24 VDC power supply

Modules (PN – Description):
• SF4-M-4GBE-U – SecFlow-4 module with four 10/100/1000BaseT UTP Ethernet ports
• SF4-M-4GBE-POE – SecFlow-4 module with four 10/100/1000BaseT UTP Ethernet ports and 30W PoE
• SF4-M-4GBE-S – SecFlow-4 module with four 10/100/1000BaseFX SFP Ethernet ports
• SF4-M-4RS232 – SecFlow-4 module with four RS-232 serial ports
• SF4-PS-24VDC – 24 VDC power supply
• SF4-PS-48VDC – 48 VDC power supply

Management

RADview-EMS is a unified carrier-class management platform for RAD devices, using a variety of access channels such as SNMPv1/3, HTTP/S, TFTP and Telnet/SSH. In addition, it features third-party device monitoring capabilities.

Management, Benefits & Features

Benefits
● Turnkey system including hardware and software!
● Fully compliant with TMN standards
● Client/server architecture with multi-user support
● Interoperable with third-party NMS and leading OSS systems
● IBM Tivoli’s Netcool®/OMNIbus™ plug-in
● Minimizes integration costs associated with new NEs

Key features
● Ensures device health and congestion control
● Topology maps and network inventory
● Advanced FCAPS functionality
● Software and configuration management
● Business continuity – high availability and disaster recovery
● Handover between operators

RADview-EMS advanced FCAPS

Fault management

• Detects and isolates faults in network devices, initiates remedial actions and distributes alarm messages to other management entities in the network.

Configuration management

• Enables operators to configure, install and distribute software to all devices across the network. In addition, the system tracks version changes and maintains software configuration history

Accounting management

• Manages individual and group user accounts and passwords, generating network usage reports to monitor user activities.

Performance management

• Supports real-time monitoring of QoS and CoS, producing real-time and periodic statistics. The statistics collector compresses data to minimize bandwidth use for management traffic and exports CSV files to OSS or third-party management systems

Security management

• Allows network administrators to track user activities and control access to network resources with a choice of security features

Device Management

SecFlow-2/4 Device Management
● SNMP v1, v2, v3 (v3 only in SF-2)
● CLI
● WEB
● SNTP
● RADIUS
● TACACS
● TFTP
● Syslog

RADview – SecFlow Network Manager

• SecFlow Network Manager provides end-to-end network management of the SecFlow devices, featuring:
– Automatic discovery of SecFlow network switches
– Network topology management
– End-to-end service provisioning
– Security rules configuration
– Aggregated network fault monitoring
– Network performance analysis
– Operator authorization levels

Thank You For Your Attention

www.rad.com
