Owl Computing Technologies, Inc.
CRITICAL INFRASTRUCTURE
Securing Digital Assets Against Cyber Threats

38 GROVE STREET, SUITE 101, RIDGEFIELD, CT 06877 USA
TOLL FREE: 866-695-3387  PHONE: +1 203-894-9342  FAX: +1 203-894-1297
WWW.OWLCTI.COM
© Owl Computing Technologies, Inc.

CRITICAL INFRASTRUCTURE PROCESS CONTROL NETWORKS AND INDUSTRIAL CONTROL SYSTEMS

TABLE OF CONTENTS
About Owl Computing Technologies, Inc.
Owl Computing Technologies Global Reach
Protecting the Networks of Critical Infrastructure
Critical Infrastructure Process Control Networks
Owl Solutions for Comprehensive Perimeter Defense
Security Architecture to Permit OT & IT Efficiency
Customer Case Studies
Use Case I: Gas Co.
Use Case II: Tennessee Valley Authority (TVA)
Owl DualDiode Technology® Benefits
Perimeter Defense Product Line
Current Industry Standards & Regulations

THE NEXT GENERATION OF CYBERSECURITY SOLUTIONS
Owl Computing Technologies is the proven source for cybersecurity, with reliable solutions deployed globally in government, military, and critical infrastructure industry networks.
Owl is the unparalleled provider of security products to protect important information and connections into and out of sensitive networks, enabling operational efficiencies and mission results. Owl solutions are a key component of your network defense-in-depth security strategy. DualDiode Technology® and Owl software applications integrate seamlessly into existing network infrastructures.

Global Compliance & Certifications
• US NRC and NERC-CIP Compliant
• Common Criteria Certified
• UCDSMO Approved Configurations
• OPC Certified
• EU-TUV Compliant

Owl next generation solutions enable executives to meet their responsibilities to mitigate cybersecurity threats.

THE OWL ADVANTAGE
Owl’s advanced technology is an unparalleled, impenetrable network security solution designed for absolute network confidentiality, data integrity, and system availability. Owl DualDiode Technology®, a patented data diode, coupled with Owl transfer applications—for all data types—results in hardware-enforced, non-routable technology enabling secure and robust information sharing. The Owl Perimeter Defense Solutions, and other Owl applications, provide corporate networks, confidential databases, plant networks, and other more isolated networks with advanced security technology.
THE OWL FOCUS
• Mission specific and enterprise security solutions delivered ready for use
• US personnel and Subject Matter Experts
• US secure supply chain, research, development, and manufacturing
• Known costs with no operations and maintenance cost creep
• Data transfer applications integrate seamlessly using transport layer protocols
• Specialized application transfer products available: OPC, OSIsoft® PI, Invensys™ ArchestrA®, and others

1500+ SECURITY SOLUTIONS DEPLOYED
• Nuclear, Fossil, and Hydro generation
• Oil & Gas and Mining industries
• US National Intelligence Community
• Department of Defense
• Telecommunications
• European and Asian Ministries of Defense

GLOBAL REACH
[Map of deployments: Sweden, Poland, Norway, Canada, USA, England, Germany, France, Japan, South Korea, UAE, Qatar, Iraq, Afghanistan, Australia, Saudi Arabia, New Zealand]
Patented Network Security Solutions for Government and Commercial Entities Across the Globe

CRITICAL INFRASTRUCTURE
• Oil and Gas: North America, Europe, and Middle East
• Electric and Water Utilities: North America and Europe
• Chemicals: Asia and Middle East
• Telecommunications: North America and Europe
• Mining: North America

DEFENSE
• North America
• Europe
• Asia
• Australia
• Middle East
• Services: Air Force, Navy, Marine Corps, Army, and Combat Commands

INTELLIGENCE COMMUNITY
• North America
• Europe
• Asia

DEFENSE-IN-DEPTH • HIGH SECURITY • ENTRY-LEVEL PRICING • SEAMLESS INSTALLATION • INTEROPERABLE

PROTECTING THE CONFIDENTIAL INFORMATION NETWORKS AND CONTENT SYSTEMS OF CRITICAL INFRASTRUCTURE
Critical infrastructure supports not only the global economy but also our way of life. The fundamental need to fuel cars, power homes, and light cities is essential to industry, government, and stability.
Without secure network architecture, operations in every sector of the world’s critical infrastructure will be hampered if exposed to cyber attack. Divided into four areas – electricity, petroleum, telecommunications, and natural gas – the interdependency and reliance of the entire economy on these basic industries heightens the risk that a cyber attack can disrupt energy supplies, cause blackouts, or worse. The critical infrastructure industries are aware of their vulnerability to cyber threats and are voluntarily taking steps to improve security and preparedness. This brochure is intended to provide critical infrastructure industries with information about advanced, proven network security technology for those industry leaders whose goal is to have the best cyber threat mitigations.

THE OWL ADVANTAGE
Owl‘s proven solutions, previously deployed only to protect the classified networks of the United States government, are now commercially available for industry.

OWL SOLUTIONS
• Confidential Database Protection and Secure Access
• Electronic Perimeter Defense for Critical Infrastructure
• ICS Protection and ICS Data Transfer
• OPC & Historian Replication
• Remote Monitoring
• Security Information and Event Management
• Network Health and Alarm Management
• Software Updates and Patch Management
• Secure and Automated Software Updating
• Industrial Control Sub Network & Insider Threat Protection
• SCADA Network Protection
• Secure Operating Systems
• Security Planning and Architecture Services
• Installation Support
• Product Technical Services
• Lifecycle and Configuration Management Services
• Owl Security Operations Center - Monitoring Security Systems 24/7

OWL COMPREHENSIVE PERIMETER DEFENSE

1 ELECTRONIC PERIMETER DEFENSE
Problem: Traditional network security tools fail to establish a clear plant perimeter and are inadequate to protect against today’s cybersecurity threats.
Owl Solution: Owl‘s Perimeter Defense Solutions (OPDS) provide the plant with a hardware-enforced one-way device that complements the physical plant protection against cyber attack.
• Incorporating Owl’s DualDiode Technology® isolates the plant, or subnets, mitigating network threats
• Transport layer protocol interfaces permit the necessary data flow from the plant for corporate use
• Concurrently transfers multiple data types
• Deep packet inspection through protocol conversion
• Security policies are compliant with the Center for Internet Security

2 HISTORIAN, ALARM, AND OTHER OPERATIONAL DATA
Problem: Corporate and engineering personnel require timely operational data for the efficient management and analysis of plant operations. These information requirements create attack vectors if the data is not transferred from the plant by secure means.
Owl Solution: Owl‘s software applications enable the efficient transfer of plant operational data to corporate and engineering networks. OPDS natively enables the transfer of plant data from a wide variety of industrial control application and device vendors. Certain specialized applications enable historian and other data to be transferred from the plant.
• Owl PI Transfer Service extracts data from the OSIsoft Plant Information System on the plant network and delivers it to an OSIsoft PI System on the destination network. Similar applications are available for ArchestrA
• Owl OPC Server Transfer Service (OSTS) is OPC Foundation certified and enables the movement of a wide range of OPC compliant data from the plant to engineering or corporate networks

3 SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
Network Health & Alarm Management
Problem: Near real-time information about security alerts must be collected to a single point, so that trends and alerts are easier to see and system availability can be improved.
Owl Solution: Owl‘s Comprehensive Perimeter Defense Solutions with the Owl Performance Management Service (OPMS) application enable monitoring of the electronic perimeter.
• Monitoring and management of the electronic perimeter to identify attacks or security issues
• Real-time monitoring of the Owl Perimeter Defense Solution and selected critical network security devices
• Clear “dashboard” of information for ease of issue identification
• Security alerts for Electronic Security Perimeter network violations and physical substitution/bypass
• Red alerts on the Dashboard and alerts by email or text to administrators and management
• History of log activity for analysis of anomalies
• Enables the transfer of network health data to third party SIEM applications

4 SOFTWARE SECURITY UPDATES AND PATCH MANAGEMENT
Secure Transfer of Software Updates into Plant Network
Problem: Current solutions, such as “walk-nets,” create an attack vector and delay software updates, reducing system security and functionality. Operational requirements call for the timely movement of software updates and patches into the process control network. Ad hoc transfer of other file types into the plant network supports efficient operations.
Owl Solution: Secure Software Update Service is a software product that provides a controlled file transfer interface with state-of-the-art audit trail access and reporting, and restricts passage to one of three paths:
1. A predetermined set of “white list” files that are verified by hash value
2. Scanning by one or more anti-malware scanning engines
3. Both anti-malware scanning and white list verification

5 INDUSTRIAL CONTROL SUB NETWORK AND INSIDER THREAT PROTECTION
Supervisory Control and Data Acquisition (SCADA) Network Perimeter Defense
Problem: Providing perimeter defense to critical sub-networks and important master programmable logic controllers (PLC) is necessary for plant network defense-in-depth.
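The three-path policy of the Secure Software Update Service described in section 4 above, worked through as an added example that is not Owl's code: a small Python gate that enforces white-list-by-hash, anti-malware scanning, or both, fails closed, and writes an audit record for every decision. The sample files, the white list and the signature-matching stand-ins for the scanning engines are all constructed for the example, and the policy names whitelist, scan and both are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed sample files arriving at the update gateway (not real vendor binaries).
SAMPLE_FILES = {
    "patch-1.bin": b"vendor patch payload v1",
    "patch-2.bin": b"vendor patch payload v2",
    "unknown.bin": b"file nobody approved",
    "bad.bin": b"prefix CONSTRUCTED-MALWARE-MARKER suffix",
}

# Hypothetical white list: file name -> expected SHA-256. The patch-2 entry is
# deliberately stale so the hash-mismatch path is exercised.
WHITE_LIST = {
    "patch-1.bin": hashlib.sha256(SAMPLE_FILES["patch-1.bin"]).hexdigest(),
    "patch-2.bin": "0" * 64,
}

# Stand-ins for anti-malware engines: each engine is a list of byte signatures
# (constructed). A real deployment would call out to the vendors' scanners.
ENGINES = {
    "engine-a": [b"CONSTRUCTED-MALWARE-MARKER"],
    "engine-b": [b"another-constructed-marker"],
}

POLICIES = ("whitelist", "scan", "both")

def white_list_check(name, data):
    """Path 1: pass only if the name is listed and the digest matches."""
    expected = WHITE_LIST.get(name)
    if expected is None:
        return False, "not on white list"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch"
    return True, "hash verified"

def scan_check(data):
    """Path 2: pass only if every engine reports the file clean."""
    hits = [eng for eng, sigs in ENGINES.items() if any(s in data for s in sigs)]
    if hits:
        return False, "flagged by " + ", ".join(hits)
    return True, "clean on all engines"

def gate(name, data, policy, audit):
    """Decide whether `data` may cross into the plant network under `policy`
    (one of the three paths) and append an audit record either way. Fails
    closed: under 'both' every check must pass; an unknown policy is refused."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    results = []
    if policy in ("whitelist", "both"):
        results.append(("whitelist",) + white_list_check(name, data))
    if policy in ("scan", "both"):
        results.append(("scan",) + scan_check(data))
    allowed = all(ok for _, ok, _ in results)
    audit.append({
        "time": time.time(),
        "file": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "policy": policy,
        "checks": [(what, reason) for what, _, reason in results],
        "allowed": allowed,
    })
    return allowed

def run_demo(policy):
    """Run every sample file through the gate; return ({name: allowed}, audit log)."""
    audit = []
    verdicts = {n: gate(n, d, policy, audit) for n, d in SAMPLE_FILES.items()}
    return verdicts, audit

if __name__ == "__main__":
    for pol in POLICIES:
        print(pol, run_demo(pol)[0])
```

Note that the stale patch-2 entry is refused under the white-list path even though it scans clean, and the unapproved file passes only under the scan-only path: the audit trail records which check decided each outcome.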
Owl Solution: The Owl Perimeter Defense Solution in a DIN-rail form factor brings the advanced protection of Owl DualDiode Technology® to the sub-network or PLC industrial control system level.

ADOPTING NEW NETWORK ARCHITECTURE SECURITY

1 TYPICAL VULNERABLE TWO-WAY NETWORK CONNECTION
[Diagram: IT Domain (can be 1000’s of clients, business space) and Operations Domain (can be 1000’s of devices, ICS space) connected through two firewalls by a two-way network line. Elements shown: Network Monitoring, UDP Applications, Database, Historian, Remote Screen View, ICS Monitors, File/Directory Transfers, Aggregated Sensor Data, Historian Replication, TCP/IP Applications, Other Networks, File Processing, Electronic Collaboration]
• Two-way connections between the plant and business networks
• Network connection supports business efficiency
• Networks are vulnerable to cyber attack

2 NETWORK SEPARATION
[Diagram: the same IT Domain and Operations Domain separated by an air gap, with no network line between business space and ICS space]
• Disconnection impedes business efficiency
• Not an operationally acceptable solution
• Need to strike a balance between security and efficiency

TECHNOLOGY THAT ALLOWS OT AND IT EFFICIENCY

3 PLANT NETWORK PROTECTED BUT DATA FLOWS
[Diagram: the same IT Domain and Operations Domain joined by DualDiode Technology®, with one-way data flow from ICS space to business space]
• Security maintains a “disconnected” plant network
• Information flows to support business efficiency
• Better security permits OT and IT to coexist

4 EFFICIENT SECURE ARCHITECTURE
[Diagram: the same IT Domain and Operations Domain joined by DualDiode Technology® in a dual path configuration (dual path DualDiode data flow)]
• Security maintains a “disconnected” network
• Information flows to support business and plant efficiency
• Best security permits OT and IT efficiency

CUSTOMER CASE STUDIES
BRINGING THE HIGHEST STANDARDS OF GOVERNMENT CYBERSECURITY TO YOUR CRITICAL INFRASTRUCTURE.

DoD SERVICES PROVIDER
• Single enterprise system more than doubled entire organization’s capacity
• Provided a 50:1 footprint reduction of classified assets for customers’ requirements

INTELLIGENCE SERVICES PROVIDER
• Selected Owl Computing as the preferred transfer solution provider from head-to-head competition

DoD
• Consolidated video and file transfer solution
• Providing systems that allow collection to be done in unclassified domains, reducing classified footprints

UTILITY CUSTOMERS
• Single solution protecting 22,000 critical assets
• Single solution consolidating 29 point-to-point links
• Remote monitoring reduces system maintenance costs

USE CASE 1: Gas Co.
Client oversees and manages all operations associated with seven liquefied natural gas production facilities, major shipping contracts, and global commercial partnerships.
PROBLEM: In August 2012, Gas Co. corporate IT, admin, and web services were compromised by a virus attack, causing its plant process network to be disconnected from its business network.
EFFECT: Gas Co. needed to connect to maintain continuous operations.
SOLUTION: Gas Co. successfully deployed the Owl Electronic Perimeter Defense Solution (EPDS) to bridge the air gap between the plant process network and business network. The Owl EPDS protects plant process control computers and systems while transferring data to business networks for managers, planners, and schedulers to access the data needed for decision making.
[Diagram: Gas Co. Installation. Plant Network and Business Network; elements shown: PAS Alarms, PI System Servers, Send Server with Owl PI Connector, Receive Server with Owl PI Connector, Owl Performance Management Service (OPMS) monitoring send and receive logs on the receive side]
BENEFITS
1 Network security hardware enforced by Owl DualDiode Technology®
2 Seamless installation with ease of operation
3 Remote role-based user authentication monitoring and management

USE CASE 2: Tennessee Valley Authority (TVA)
TVA is the nation’s fifth-largest public power supplier, serving over 150 municipalities and over 50 industries and government installations.
PROBLEM: In May 2008, a GAO Audit reported that TVA needed to address weaknesses in control systems and network security. Weak separation between the networks serving corporate functions and those serving more sensitive equipment left them vulnerable to attack.
EFFECT & THREATS: A total air gap response would prevent critical plant data from reaching corporate applications, restricting operational efficiencies and business continuity.
To maintain an interconnected network, TVA faced the following threat challenges:
• More complex zero-day attacks
• Rise in growth rate of OS and application vulnerabilities
• Delayed patching of systems and software
• Potential for internal and external attacks
SOLUTION: Deploying data diode one-way technology by Owl Computing Technologies, TVA successfully mitigated threats from internal and external attacks while maintaining interconnected networks.
[Diagram: Typical Fossil Data Diode Implementation (similar for each of 10 plants). Plant Network and Business Network; elements shown: Data Collectors, Apache Web Server, PAS Alarms, Owl Performance Management Service, PI System Servers, Corp WAN, Plant Control System, Firewalls, Dataware Historian (Sender), Dataware Clients, Data Diode Send Server, Data Diode Receive Server, Dataware Historian (Receiver)]
BENEFITS
1 Secure data diode one-way technology
2 Increased network separation and control of data flow
3 Elimination of existing vulnerability to internal and external attacks

BENEFITS OF OWL COMPREHENSIVE PERIMETER DEFENSE SOLUTIONS WITH PATENTED DUALDIODE TECHNOLOGY®
1 Provides absolute defense against unauthorized access or commands originating from an outside network
2 Guarantee of secure transfer of necessary operational information to and from control system network
3 Concurrently transfer multiple data types using multiple protocols
4 No connection to outside network via routable protocol (no MAC or IP address)
5 Deep packet inspection through protocol conversion
6 Global compliance and certification of products
7 Restricted access to specified protocols and port addresses
8 Center for Internet Security compliant security policies
9 Role Based Access Control (RBAC) menus for administration
10 Peace of mind: password vulnerabilities non-existent
Owl DualDiode Technology® stands out for its high quality of service, performance, and intensity.

PROCESS CONTROL APPLICATIONS
Leading Industrial Applications/Historians: OSIsoft PI, PI AF, GE iHistorian, GE iFIX, Scientech R*Time, Instep eDNA, GE OSM, Siemens: WinCC, SINAUT/Spectrum, Emerson Ovation, SQLServer, Oracle, Wonderware Historian, AspenTech, Matrikon Alert Manager
Leading IT Monitoring Applications: Log Transfer, SNMP, SYSLOG, CA Unicenter, CA SIM, HP OpenView, IBM Tivoli, HP ArcSight SIEM, McAfee ESM SIEM
File/Folder Mirroring: Folder and tree mirroring, remote folders (CIFS), FTP/TFTP/SFTP/FTPS/RCP
Leading Industrial Protocols: OPC: DA, HDA, A&E, UA; ICCP; Modbus
Remote Access: Remote Screen View™, Secure Manual Uplink
Other connectors: UDP, TCP/IP, NTP, Multicast Ethernet, Video/Audio stream transfer, Mail server/mail box replication, IBM MQ series, Microsoft MSMQ, Antivirus updater, patch (WSUS) updater, Remote print service

PERIMETER DEFENSE PRODUCT LINE

ENTERPRISE
Owl Enterprise Perimeter Defense Solution
Owl’s Enterprise Perimeter Defense Solution (EPDS) provides the defense wall around the plant systems. A crucial element of defense-in-depth security, EPDS’ DualDiode Technology® delivers a non-IP, non-routable protocol break across electronic security perimeters. This one-way data transfer solution is integrated into commodity Send-only and Receive-only servers with Owl’s proprietary DualDiode Technology® communication cards, connected via fiber optic link. For EPDS, Owl offers link speeds of 155Mbps, 1.25/2.5Gbps, and 10Gbps. Owl data transfer application software is installed in each server in support of the operator’s application transfer requirements.
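The Send-only/Receive-only architecture described in the architecture section and the EPDS description above, as an added example that is not Owl's protocol or code: a Python simulation of a one-way link in which the send side can only add sequence numbers, checksums and redundant copies, and the receive side must detect loss and corruption on its own, because no acknowledgement can cross the diode. The frame format, the magic value and the PI-style historian records are constructed for the example.

```python
import json
import struct
import zlib

# Constructed frame format for this simulation (not Owl's wire protocol):
# magic(4) | seq(4) | payload length(4) | crc32 of payload(4) | payload
HEADER = struct.Struct(">4sIII")
MAGIC = b"1WAY"

def frame(seq, payload):
    """Build one frame. The CRC lets the receive side reject damaged
    frames on its own: with no return path it can never ask for a resend."""
    return HEADER.pack(MAGIC, seq, len(payload), zlib.crc32(payload)) + payload

def send_records(records, copies=2):
    """Send-only side. Each record is framed with a sequence number and
    emitted `copies` times: redundancy is the only reliability tool a
    sender has when no ACK or NACK can come back across the diode."""
    out = []
    for seq, rec in enumerate(records):
        f = frame(seq, json.dumps(rec, sort_keys=True).encode())
        out.extend([f] * copies)
    return out

class Receiver:
    """Receive-only side. Every frame is re-parsed (the protocol break:
    nothing from the plant-side transport is forwarded as-is), duplicate
    copies are dropped, and gaps are recorded so operators can see
    which records never arrived instead of silently losing them."""

    def __init__(self):
        self.next_seq = 0
        self.records = []
        self.gaps = []      # (first_missing_seq, last_missing_seq)
        self.rejected = 0   # frames failing magic, length or CRC

    def feed(self, data):
        if len(data) < HEADER.size:
            self.rejected += 1
            return
        magic, seq, length, crc = HEADER.unpack_from(data)
        payload = data[HEADER.size:]
        if magic != MAGIC or len(payload) != length or zlib.crc32(payload) != crc:
            self.rejected += 1
            return
        if seq < self.next_seq:
            return  # redundant copy of a record already delivered
        if seq > self.next_seq:
            self.gaps.append((self.next_seq, seq - 1))
        self.records.append(json.loads(payload))
        self.next_seq = seq + 1

# Constructed sample historian records, as a PI-style tag stream might carry.
SAMPLE_RECORDS = [
    {"tag": "UNIT1.TURBINE.SPEED", "ts": 1700000000 + i, "value": 3600 + i}
    for i in range(5)
]

def simulate(records=SAMPLE_RECORDS, drop=(), corrupt=(), copies=2):
    """Push the emitted frames through a lossy link. `drop` and `corrupt`
    are indices into the frame list. Returns the Receiver for inspection."""
    rx = Receiver()
    for i, f in enumerate(send_records(records, copies)):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:-1] + bytes([f[-1] ^ 0xFF])  # damage the last payload byte
        rx.feed(f)
    return rx

if __name__ == "__main__":
    # Both copies of record 2 lost; first copy of record 3 damaged in transit.
    rx = simulate(drop={4, 5}, corrupt={6})
    print("delivered:", [r["value"] for r in rx.records])  # [3600, 3601, 3603, 3604]
    print("gaps:", rx.gaps, "rejected:", rx.rejected)      # [(2, 2)] 1
```

The damaged copy of record 3 is rejected but its second copy still delivers the record, while record 2, lost in both copies, surfaces as a reported gap rather than a silent hole in the historian.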
[Diagram: EPDS Installation. Plant Network and Business Network; elements shown: OPC Alarms & Events, OPC Server, OSIsoft® PI System Server, OSIsoft® PI Server, File Server, Data Diode Send Server, File Directory, Data Diode Receive Server, Syslog/SIM Aggregator, Syslog Server, Owl Performance Management Service (OPMS) monitoring send and receive logs on the receive side]

MID-RANGE
Owl Perimeter Defense Solution Multi-Purpose (OPDS-MP)
Compact. Affordable Electronic Perimeter Defense. Easy To Deploy. Easy To Use.
• A one-way data transfer solution supporting multiple data types & formats concurrently across a compact 1U rackmountable chassis
• Transfer rates are 26, 52, 104, 155, 310, 630Mbps, and 1Gbps
• OPDS (and other Owl embedded data diode solutions) provide absolute security at the network boundary
• Secure one-way transfer support for a broad range of database historians
• Active SCADA, OPC & Modbus interfaces
• Single multi-function 1U 19-inch chassis

BASIC
Owl Perimeter Defense Solutions (OPDS-100)
An OPDS family of application-specific data transfer appliances at an entry-level, low-cost price point. These single-chassis products deliver the same hardware-enforced one-way confidentiality as the proven OPDS-MP platform. Each appliance contains:
• Single data transfer application
• Independent Send-only and Receive-only servers
• Network isolation by Owl DualDiode Technology®
• Owl Security Enhanced Linux Operating System
• Support for data transfer speed up to 10Mbps

Owl Perimeter Defense Solution DIN rail (OPDS-100D)
High Security. Low Cost. Single Purpose.
The 100 Series is a family of application-specific one-way data transfer appliances. These single-chassis, rackmountable products deliver the same hardware-enforced one-way confidentiality as the proven OPDS-MP platform. The OPDS-100D version is a DIN rail mountable form factor.
• Network isolation by Owl DualDiode Technology®
• Support for data transfer speed up to 10Mbps

CURRENT INDUSTRY STANDARDS & REGULATIONS
Owl Computing Technologies develops technology to the highest standards of security. Consequently, Owl products and solutions meet or exceed the established guidelines and specifications set forth by the following organizations:

NERC CIP CYBER SECURITY – NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
The North American Electric Reliability Corporation (NERC) standards set forth the planning and operating requirements for a North American Bulk-Power System. NERC compliance became mandatory in the US in 2007, and includes nine Critical Infrastructure Protection (CIP) standards that address cybersecurity and operations. With Federal Energy Regulatory Commission oversight, NERC enforces compliance standards to ensure power grid security and operability.

FIPS – FEDERAL INFORMATION PROCESSING STANDARDS
Federal Information Processing Standards (FIPS) publications provide a guide for security requirements involving federal information and information systems.

NIST – NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
National Institute of Standards and Technology (NIST) Special Publications cover areas of general interest to the cybersecurity community, with particular publications including: a Guide for Developing Security Plans for Federal Information Systems, Recommended Security Controls for Federal Information Systems, and a Guide to Industrial Control Systems (ICS) Security. NIST documents are the standard for many federal cybersecurity programs.
NRC – US NUCLEAR REGULATORY COMMISSION
In regulations like 10 CFR 73.54 “Protection of Digital Computer and Communication Systems and Networks” and guides to its implementation, the NRC directs nuclear operators to implement cybersecurity to eliminate or mitigate vulnerabilities in the digital system that could be exploited either from outside or inside of the digital system protected area.

Owl Computing Technologies closely monitors updates and news from the following organizations and policies to stay abreast of the latest regulations and rules as they pertain to cybersecurity product development and deployment:

NIAP – NATIONAL INFORMATION ASSURANCE PARTNERSHIP
The National Information Assurance Partnership (NIAP) evaluates information technology (IT) products under the coordination of NIST and the NSA. The NIAP program helps consumers choose off-the-shelf IT products to meet their security needs, and helps manufacturers gain standing in the marketplace.

PCII – PROTECTED CRITICAL INFRASTRUCTURE INFORMATION PROGRAM
The Protected Critical Infrastructure Information (PCII) Program is a voluntary information sharing and protection program between system operators and the government. Homeland security partners and the government use PCII for critical infrastructure security analysis, identifying system vulnerabilities, and enhancing response preparedness.

PRESIDENTIAL DECISION DIRECTIVE 63 – POLICY ON CRITICAL INFRASTRUCTURE PROTECTION (PDD-63)
PDD-63 is the framework for critical infrastructure protection (CIP), outlining steps for coordinated efforts between the government and the private sector in protecting essential physical and cyber systems. It further established CIP as a national goal.
PRESIDENTIAL POLICY DIRECTIVE – CRITICAL INFRASTRUCTURE SECURITY AND RESILIENCE (PPD-21)
PPD-21 is a federal directive that addresses the government’s role with regard to critical infrastructure functions and responsibilities, while identifying energy systems as particularly critical due to their reach across multiple infrastructure sectors. PPD-21 also delineates the federal government’s role in engaging international partners to strengthen interrelated critical infrastructure. The aims of PPD-21 are to organize infrastructure cross-functionality at the government level, allow information exchange, and aid integration and analysis functions used in planning and operations.

TECHNICAL REFERENCE LIST
“Secure Software Update Service (SSUS™) White Paper”: http://www.owlcti.com/whitepapers/13-9_6-B-WP.pdf
“All Diodes Are Not Equal White Paper”: http://www.owlcti.com/whitepapers/13-9_6-A-WP.pdf

SERVICE & SUPPORT CENTER: 63 COPPS HILL ROAD, RIDGEFIELD, CT 06877 USA
HEADQUARTERS: 38A GROVE STREET, SUITE 101, RIDGEFIELD, CT 06877 USA
www.owlcti.com
v7