Security Fabric

Baker Hughes Discussion
November 30, 2011
The SGSIA addresses the entire ecosystem.
• The Smart Grid Security Innovation Alliance is a working association dedicated to practical deployment of the smart grid complex system solution in the United States:
– Utilities
– Systems integrators
– Manufacturers
– Technology partners
– National certification and interoperability entity
• The alliance is intended to give the CEO of a utility the purview of up-to-the-moment knowledge of the options available to make wise investment decisions regarding infrastructure deployment for optimal returns.
The variation includes the proper orientation for large, medium, and small utilities.
Confidential McAfee Internal Use Only
Participants
• First Build
– Integrated Architectures
– Drummond Group
– Wurldtech
– Sypris
– SAIC
– Nakina
– OATI
– Silver Springs*
– Landis & Gyr*
– GE*
– Ecological Analytics*
– Ambient
– Tibco
– NitroSecurity
– Pitney Bowes
– McAfee (3)
– Tiger’s Lair
– PsiNaptic
– Green Hills
– TeamF1
– Actiontec
– Verizon
• Subsequent Builds
– Schweitzer Engineering Labs
– RuggedCom
– Coulomb*
– Wurldtech
– OSIsoft
– SNMP Research
– Emerson Ovation
– Honeywell
– Certipath
– First Data
– Verisign
– Entrust
– SafeNet
– Thales
– Microsoft
– Telcordia
– e-Meter
– Cisco
– Motorola
– Wind River
*We will work with your incumbent smart meter provider in conjunction with the home gateway program.
Our strategy is to provide certified interoperability to the key devices controlling the grid.
All points must connect to each other in an end-to-end system.
The embedded systems include:
The McAfee HSM solution would be embedded at each critical point in the energy infrastructure.
Our analysis using the architecture model shows that of all the myriad of elements in the functional diagrams, there are really only four recurring design patterns that are intrinsic to the security strategy.
The SGSIA is a source of interoperable system security elements using standardized design patterns.
These are the eight tenets of security as described in the NIST-IR 7628 Guidelines.
1. Identity Management
– Ensures the device identity is established genuinely
2. Mutual Authentication
– Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other.
3. Audit
– Records noteworthy events for later analysis
4. Availability
– Prevents denial of service attacks
5. Confidentiality
– Encrypts sensitive data for matters of privacy.
6. Integrity
– Ensures that messages have not been altered.
7. Authorization
– Manages permission to proceed with specific operations.
8. Non-repudiability
– Ensures that the authority for events cannot be denied after the fact.
To establish the secure communications from the Controller to the Device Node using the Security Fabric elements, let us proceed in chronological order.
The general approach to power distribution.
[Diagram: Central Control, Substation Relay, Neighborhood Relay and Local Area Relay tiers, each with Communications / Firewall and E&LM elements (Tibco “FTL”, CloudShield MPP, Nitro SIEM, RuggedCom, Ambient and Intel Application Cards); Master Agent with Posture Validation, Remediation Server and SIEM; Jini SP “Multicast Alert Relay”; Cell Manager “Cell Management” and Sensor Mgt; Meter Apps under “Local Management”; MA and SA agents at each tier]
A tailored trustworthy space (TTS) provides flexible, adaptive, distributed trust environments for a set of devices and applications that can support functional and policy requirements arising from a wide spectrum of activities in the face of an evolving range of threats.
A TTS recognizes a device’s context as the context evolves.
Let us define the Security Fabric by building a control system.
An example of a tailored trustworthy space built using the Security Fabric components:
In a control system, there are a controller and several devices controlled by remote device nodes.
[Diagram: Controller and Device Node]
Sometimes they are redundant for high availability.
[Diagram: redundant Controller and Device Node pairs]
They talk to each other using IP-based switches.
[Diagram: Controller and Device Node connected over Ethernet (Enet) through Switches]
They have management workstations and servers that supervise the controller and device nodes.
[Diagram: Engineering WS, Analysis WS, Operator WS, Domain Server, Historian, Database Server and Security Server on the switched network with the Controller and Device Node]
Fault Management operates from the operator workstation – this includes surveillance + operator commands.
[Diagram: the management network above, Operator WS highlighted]
Configuration Management operates from the engineering workstation augmented by the database server – this includes configuration parameters + the firmware repository.
[Diagram: the management network above, Engineering WS and Database Server highlighted]
Usage and log management operates from the historian – the event management and distribution occurs here.
[Diagram: the management network above, Historian highlighted]
Security management is administered on the security server – but real-time security operations happen on the domain server.
[Diagram: the management network above, Security Server and Domain Server highlighted]
The Security Fabric permeates the distributed management functions, but is mostly separate from the application functions.
Our strategy is to separate the management functions from the application functions as much as possible… so that if the application becomes compromised or inoperable, the management system can easily be used to remediate the problem.
With this in mind, both the Controller and the Device Node keep the management functions separate from the application.
[Diagram: Controller and Device Node each split into a Management partition and an Application partition, on the management network]
This is done using a separation kernel to keep the application from ever interfering with the management functions.
• The hypervisor creates two different virtual machines on both the Controller as well as the Device Node…
• They function like two completely separate machines within each physical machine.
[Diagram: Controller and Device Node each running a Hypervisor that hosts two RTOS virtual machines, Management and Application]
The application in the controller monitors and controls the application in the device node.
• These use the same physical wire, but must be securely isolated.
[Diagram: Application Session between the Controller and Device Node Application partitions]
And the management functions and policies in the controller support the management agent in the device node.
• These use the same physical wire, but must be securely isolated.
[Diagram: Management Session and Application Session between the Controller and Device Node partitions]
To establish the secure communications from the Controller to the Device Node using the Security Fabric elements, let us proceed in chronological order.
The first order of business is for the management workstations and servers to be powered on and ready for business.
[Diagram: Operator WS running the Fault Management Situational Awareness Console, Engineering WS running the Configuration Management Console, Domain Server, Historian, Database Server, Security Server, Switches]
There are many small steps that occur when servers and PCs power up, but for simplicity’s sake, let’s assume that the devices and their applications are all powered up and initialized.
The Controller must power on before any of the device nodes can use it.
[Diagram: Controller (Application and Management partitions) joining the management network]
Identity Management is the most crucial aspect of embedded security – we use a Hardware Security Module to protect the unique identity of the Controller.
• This is a special purpose ASIC that is FIPS 140-2 level 3 certified (environmentally tamper resistant).
• Identity generated & stored here as part of the secure supply chain process.
• It houses an array of crypto functions.
• It self-generates and hides the secret key that identifies the device.
• It manages the public key as well as the key management functions over the lifetime of the device.
• It also maintains the secure clock for the device.
[Diagram: HSM inside the Controller Management partition; Identity Management]
Step two is to use the secure identity to mutually authenticate and get credentials from the Domain Server that uses Active Directory and its Kerberos PKINIT service meant to support embedded devices.
• Mutual authentication occurs first
• The Controller then authorizes the download of additional security information
[Diagram: Controller (HSM, Management partition) – Mutual Authentication – Domain Server (Authentication, Authorization)]
Step three is to use the secure credentials exchange to determine the authentic paths to important management servers, and to download the up-to-date whitelist.
• At registration time, the Controller also verifies the secure path to the
– Firmware repository and configuration synchronizer on the Database Server
– Event management service on the Historian
– Secure time service on the Domain Server
• The Domain Server maintains the valid security certificates, deleting the ones that have been revoked
• It downloads the whitelist at registration (or any time else on demand).
• The Historian records the fact that the Controller is now operating.
[Diagram: Controller Management partition with IPsec VPN, Application Proxy and HSM; Historian (Auditing)]
Step four is to update the firmware to the latest rev if it is out of date.
• If the firmware is out of date or not yet loaded, the Change Management policies will
– Download the manifest of firmware that has been assigned for the device
– Attest to the fact that the signatures are good so that the firmware is trusted
– Store the new (as well as the old) firmware to persistent flash memory
– Transition gracefully into production according to the current policies.
• IPsec ensures the software cannot be monitored and copied during downloads.
[Diagram: Controller Management partition (Policy Management: Change Mgt, Problem Mgt; IPsec VPN; Application Proxy; Flash) – Database Server (Confidentiality)]
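The step-four checks above, worked through as an added example that is not McAfee code: the device believes nothing in the manifest until its signature verifies, hashes the image before storing it, keeps the old image beside the new one, and also refuses a signed downgrade. Assumptions: a keyed HMAC stands in for the HSM-backed signature (standard library only) and revisions are increasing integers.

```python
"""Firmware update step (step four) as an added illustration, not McAfee code.
Assumptions: HMAC stands in for the HSM-backed signature; revs are integers."""
import hashlib
import hmac
import json

# Constructed demo key. In the deck the signing secret never leaves the HSM.
MANIFEST_KEY = b"constructed-demo-manifest-key"


def canonical(manifest: dict) -> bytes:
    """Deterministic JSON encoding so signer and verifier hash the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> bytes:
    """Repository side: sign the manifest (HMAC stand-in for a real signature)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).digest()


def make_manifest(device_id: str, rev: int, image: bytes) -> dict:
    """Repository side: bind the image hash to one device and one revision."""
    return {"device_id": device_id, "rev": rev,
            "sha256": hashlib.sha256(image).hexdigest()}


class Flash:
    """Two persistent slots: the previous image survives the update."""

    def __init__(self, rev: int, image: bytes):
        self.active = (rev, image)
        self.previous = None


def apply_update(flash: Flash, device_id: str, manifest: dict,
                 signature: bytes, image: bytes, key: bytes = MANIFEST_KEY) -> str:
    """Device side. Returns 'updated', 'up-to-date' or 'rejected:<reason>'.
    Order matters: the signature is checked before any field is trusted."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return "rejected:bad-manifest-signature"
    if manifest.get("device_id") != device_id:
        return "rejected:manifest-for-other-device"
    current_rev, _ = flash.active
    if manifest["rev"] == current_rev:
        return "up-to-date"
    if manifest["rev"] < current_rev:
        return "rejected:downgrade"      # anti-rollback, even with a valid signature
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return "rejected:image-hash-mismatch"
    flash.previous = flash.active        # keep the old firmware, as the deck requires
    flash.active = (manifest["rev"], image)
    return "updated"


def demo() -> list:
    """Walk one device through a good update, a no-op and three rejections."""
    flash = Flash(3, b"constructed firmware image rev 3")
    dev = "controller-01"
    img4 = b"constructed firmware image rev 4"
    m4 = make_manifest(dev, 4, img4)
    results = [apply_update(flash, dev, m4, sign_manifest(m4), img4)]
    results.append(apply_update(flash, dev, m4, sign_manifest(m4), img4))   # already rev 4
    m5 = make_manifest(dev, 5, b"rev 5")
    results.append(apply_update(flash, dev, m5, sign_manifest(m5), b"rev 5 altered"))
    forged = dict(m4, rev=9)                                                  # edited after signing
    results.append(apply_update(flash, dev, forged, sign_manifest(m4), img4))
    m2 = make_manifest(dev, 2, b"rev 2")
    results.append(apply_update(flash, dev, m2, sign_manifest(m2), b"rev 2"))
    return results
```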
All Device Nodes that want to be part of the Security Fabric must also authenticate with the Domain Server (the trusted third party) whenever they power up.
• This prepares the Device Node to join the tailored trustworthy space.
[Diagram: Device Node (HSM, Management partition) – Mutual Authentication – Domain Server (Authentication, Authorization); Controller already on the network]
The authentication ticket received from the Domain Server contains a section encrypted by the Device Node public identity key plus a section encrypted by the Controller public identity key.
• The Device Node also requests a ticket to talk to the Controller.
• The Domain Server encrypts a portion using the identity of each of the two machines.
[Diagram: Device Node (HSM) – Mutual Authentication – Domain Server (Authentication, Authorization); Controller]
The next step is for the Device Node to establish secure communications with the Controller.
• The Device Node requests to join the Security Fabric using the ticket now also trusted by the Controller.
[Diagram: Device Node Management partition – Mutual Authentication – Controller Management partition]
Once authenticated, the device node can proceed to establish two secure paths to the Controller: one for management purposes and one for application purposes.
• These use the same physical wire, but must be securely isolated.
[Diagram: IPsec VPN in each Management partition; Management Session and Application Session between Controller and Device Node (Confidentiality)]
The small embedded firewall in the communications path protects against denial of service attacks as well as a number of sophisticated malware attacks.
• These use the same physical wire, but must be securely isolated.
[Diagram: IPsec VPN and Firewall in each Management partition; Management Session and Application Session (Availability)]
The inter-process communications services of the middleware use messages to communicate back and forth between the Controller and the Device Node over the secure sessions.
[Diagram: Inter Process services on each side exchanging a Message over the Application Session]
The inter-process communications services compute a secure message digest and append it to the end of each message to ensure that the message is never altered in flight.
[Diagram: Message + Message Digest (MD) carried between the Inter Process services over the Application Session (Integrity, Non-repudiability)]
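The appended digest described above, worked as an added example that is not McAfee code: a keyed HMAC over a sequence number plus the body is appended to each message, and the receiver rejects a message altered in flight, replayed, or produced without the session key. Assumption: the session key is constructed here; in the deck it would come from the authenticated session set-up, and an unkeyed hash would not do, since whoever alters the body can recompute it.

```python
"""Integrity trailer on inter-process messages (added illustration, not McAfee code).
Assumption: SESSION_KEY is a constructed stand-in for a key agreed at session set-up."""
import hashlib
import hmac
import struct

SESSION_KEY = b"constructed-session-key"   # constructed for the demo
HEADER = struct.Struct(">I")               # 4-byte big-endian sequence number
TAG_LEN = hashlib.sha256().digest_size     # 32-byte trailer


def frame(seq: int, body: bytes, key: bytes = SESSION_KEY) -> bytes:
    """Sender: header || body || HMAC(header || body). The header is covered
    by the tag so the sequence number cannot be edited either."""
    header = HEADER.pack(seq)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    """Receiver side of one session; remembers the last accepted sequence number."""

    def __init__(self, key: bytes = SESSION_KEY):
        self.key = key
        self.last_seq = -1

    def unframe(self, wire: bytes):
        """Return (body, 'ok') or (None, reason). The digest is checked before
        any field of the message is interpreted."""
        if len(wire) < HEADER.size + TAG_LEN:
            return None, "truncated"
        header = wire[:HEADER.size]
        body = wire[HEADER.size:-TAG_LEN]
        tag = wire[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):     # constant-time compare
            return None, "bad-digest"
        (seq,) = HEADER.unpack(header)
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return body, "ok"


def demo() -> list:
    """Good message, altered body, replay, wrong key, then the next good message."""
    rx = Receiver()
    good = frame(1, b"SET setpoint=42")            # constructed sample command
    results = [rx.unframe(good)[1]]
    altered = bytearray(good)
    altered[HEADER.size:HEADER.size + 3] = b"GET"  # change the body, leave the tag
    results.append(rx.unframe(bytes(altered))[1])
    results.append(rx.unframe(good)[1])            # the same message a second time
    results.append(rx.unframe(frame(2, b"x", key=b"not-the-session-key"))[1])
    results.append(rx.unframe(frame(2, b"ACK"))[1])
    return results
```

A shared-key HMAC gives integrity between the two endpoints but not non-repudiation, because either endpoint could have produced the tag; for that the trailer would have to be a signature made with the sending device's HSM-held private key.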
So now, the Controller and the Device Node can commence doing real work without ever having to think about the security aspects of the system.
[Diagram: Application partitions on the Controller and Device Node running Event Loops, Transforms, Exception Handlers and Down Stream processing, exchanging Messages over the Application Session]
This entire light up sequence took place in the twinkling of the eye.
If ever an anomaly is detected the management agents can forward event notifications to the operator workstation, the security server, and the historian in one movement.
[Diagram: Alarm raised by the Device Node Management agent, forwarded through the Controller Management partition (Policy Management: Problem Mgt) to the Operator WS, Security Server and Historian]
Our secure silicon instrumentation can watch the behavior of the application in ways where the software does not even know it is being watched.
[Diagram: FPGA in the Device Node observing the Application partition (Pattern, Anomaly, Observation) and reporting to the Management partition (Policy Management: Problem Mgt)]
If necessary, you can have the management system automatically download extra telemetry to monitor an attack while it is occurring or safely download a repaired application for remediation.
[Diagram: Controller Management partition (Policy Management: Problem Mgt, Change Mgt) pulling from the Database Server and pushing to the Device Node Management partition]
The fully-assembled system looks like this.
[Diagram: GPS Time Sync feeding the management network (Engineering WS, Analysis WS, Operator WS, Domain Server, Historian, Database Server, Security Server, Switches). Controller and Device Node each built from Processor Cores, Hypervisor, two RTOS instances, Middleware, Flash, FPGA, HSM and Enet. Management partition: Policy Management (Change Mgt, Problem Mgt), IPsec VPN, Firewall, Mutual Authentication, Diagnostics. Application partition: Event Loops, Transforms, Exception Handlers, Down Stream]
The payload devices are thus fully secure with all the recommendations in the NIST-IR 7628.
But to complete the space, we must protect the management workstations and servers, also.
Application whitelisting is extremely useful in locking down the management servers and workstations.
[Diagram: Engineering WS, Operator WS, Domain Server, Historian, Database Server and Security Server behind the Switches]
• Whitelisting the management servers ensures nothing runs on them that is not supposed to work on them.
• Firewalls in or around the switches limit who can connect to them.
In Summary,
The Security Fabric provides all the features for embedded security outlined in the NIST-IR 7628.
This is reasonable security for all critical infrastructure.
Constructing a Supply “Chain of Trust”
[Diagram: stages Device Design → Device Manufacturing → Distribution / Inventory → Deployment → Field / Deployed, with Design Checker, Production Checker, Red Team, Qualification, Certification, Policy Settings, Final Configuration, Firmware Updates and Updates; Maker, Vendor and Service Provider roles; HSM, SIGN (S) and VERIFY (V) steps and a database (db) at each stage]
• Embedded anti-tampering, anti-malware, production control and system security features here.
• Protect chips, boards and devices with embedded anti-counterfeiting and anti-reverse engineering IP.
• Vendor Security Officer: track / manage equipment inventories, revision control, firmware and software version. Verify as-built matches as-designed.
• Utility Security Officer: program/configure security policies specific to utility. Securely update to maintain system and counter new incidents and threats.
Secured System
• Secure Device Mgmt
• Secure Software Upgrades
• Secure Policy Management
Legend: HSM = Hardware Security Module; SIGN = embedded and cryptographically secured unique IDs; VERIFY = cryptographically secured verification protocol