Baker Hughes Discussion, November 30, 2011

The SGSIA addresses the entire ecosystem.

• The Smart Grid Security Innovation Alliance is a working association dedicated to practical deployment of the smart grid complex system solution in the United States:
  – Utilities
  – Systems integrators
  – Manufacturers
  – Technology partners
  – National certification and interoperability entity
• The alliance is intended to give the CEO of a utility the purview of up-to-the-moment knowledge of the options available to make wise investment decisions regarding infrastructure deployment for optimal returns. The variation includes the proper orientation for large, medium, and small utilities.

Confidential McAfee Internal Use Only

Participants

• First Build
  – Integrated Architectures
  – Drummond Group
  – Wurldtech
  – Sypris
  – SAIC
  – Nakina
  – OATI
  – Silver Springs*
  – Landis & Gyr*
  – GE*
  – Ecological Analytics*
  – Ambient
  – Tibco
  – NitroSecurity
  – Pitney Bowes
  – McAfee (3)
  – Tiger’s Lair
  – PsiNaptic
  – Green Hills
  – TeamF1
  – Actiontec
  – Verizon
• Subsequent Builds
  – Schweitzer Engineering Labs
  – RuggedCom
  – Coulomb*
  – Wurldtech
  – OSIsoft
  – SNMP Research
  – Emerson Ovation
  – Honeywell
  – Certipath
  – First Data
  – Verisign
  – Entrust
  – SafeNet
  – Thales
  – Microsoft
  – Telcordia
  – e-Meter
  – Cisco
  – Motorola
  – Wind River

*We will work with your incumbent smart meter provider in conjunction with the home gateway program.

Our strategy is to provide certified interoperability to the key devices controlling the grid.

All points must connect to each other in an end-to-end system. The embedded systems include:

The McAfee HSM solution would be embedded at each critical point in the energy infrastructure.

Our analysis using the architecture model shows that, among the myriad elements in the functional diagrams, there are really only four recurring design patterns that are intrinsic to the security strategy.
The SGSIA is a source of interoperable system security elements using standardized design patterns.

These are the eight tenets of security as described in the NIST-IR 7628 Guidelines.

1. Identity Management – Ensures the device identity is established genuinely
2. Mutual Authentication – Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other.
3. Audit – Records noteworthy events for later analysis
4. Confidentiality – Encrypts sensitive data for matters of privacy.
5. Availability – Prevents denial of service attacks
6. Integrity – Ensures that messages have not been altered.
7. Authorization – Manages permission to proceed with specific operations.
8. Non-repudiability – Ensures that the authority for events cannot be denied after the fact.

To establish the secure communications from the Controller to the Device Node using the Security Fabric elements, let us proceed in chronological order.

The general approach to power distribution.
[Diagram: power distribution hierarchy of Central Control, Substation Relay, Neighborhood Relay and Local Area Relay, each with a Communications / Firewall layer; components include Tibco “FTL”, CloudShield MPP, Nitro SIEM, RuggedCom / Ambient / Intel Application Cards, E&LM, Master Agent, Posture Validation, Remediation Server, Jini SP “Multicast Alert Relay”, Cell Manager, Sensor Mgt, and Meter Apps (“Cell Management”, “Local Management”)]

A tailored trustworthy space (TTS) provides flexible, adaptive, distributed trust environments for a set of devices and applications that can support functional and policy requirements arising from a wide spectrum of activities in the face of an evolving range of threats.

A TTS recognizes a device’s context and evolves as the context evolves.

Let us define the Security Fabric by building a control system.

An example of a tailored trustworthy space built using the Security Fabric components:

In a control system, there are a controller and several devices controlled by remote device nodes.

[Diagram: Controller and Device Node]

Sometimes they are redundant for high availability.
[Diagram: redundant Controller and Device Node]

They talk to each other using IP-based switches.

[Diagram: Controller and Device Node connected over Ethernet through two switches]

They have management workstations and servers that supervise the controller and device nodes.

[Diagram: Engineering WS, Analysis WS, Operator WS, Domain Server, Historian, Database Server and Security Server attached to the switches alongside the Controller and Device Node]

Fault Management operates from the operator workstation – this includes surveillance + operator commands.

Configuration Management operates from the engineering workstation augmented by the database server – this includes configuration parameters + the firmware repository.

Usage and log management operates from the historian – the event management and distribution occurs here.

Security management is administered on the security server – but real-time security operations happen on the domain server.
The Security Fabric permeates the distributed management functions, but is mostly separate from the application functions. Our strategy is to separate the management functions from the application functions as much as possible… so that if the application becomes compromised or inoperable, the management system can easily be used to remediate the problem.

With this in mind, both the Controller and the Device Node keep the management functions separate from the application.

[Diagram: Controller and Device Node, each split into a Management part and an Application part]

This is done using a separation kernel to keep the application from ever interfering with the management functions. The hypervisor creates two different virtual machines on both the Controller as well as the Device Node… They function like two completely separate machines within each physical machine.

[Diagram: on each of the Controller and Device Node, a Hypervisor hosting a Management RTOS and an Application RTOS]

The application in the controller monitors and controls the application in the device node.
[Diagram: Application Session between the Controller application and the Device Node application]

These use the same physical wire, but must be securely isolated.

And the management functions and policies in the controller support the management agent in the device node.

[Diagram: Management Session and Application Session between the Controller and the Device Node, both on the same physical wire]

To establish the secure communications from the Controller to the Device Node using the Security Fabric elements, let us proceed in chronological order.

The first order of business is for the management workstations and servers to be powered on and ready for business.
[Diagram: Fault Management / Situational Awareness Console on the Operator WS; Configuration Management Console on the Engineering WS; Domain Server, Historian, Database Server and Security Server on the switches]

There are many small steps that occur when servers and PCs power up, but for simplicity’s sake, let’s assume that the devices and their applications are all powered up and initialized.

The Controller must power on before any of the device nodes can use it.

Identity Management is the most crucial aspect of embedded security – we use a Hardware Security Module to protect the unique identity of the Controller.

• This is a special purpose ASIC that is FIPS 140-2 level 3 certified (environmentally tamper resistant).
• Identity generated & stored here as part of the secure supply chain process.
• It houses an array of crypto functions.
• It self-generates and hides the secret key that identifies the device.
• It manages the public key as well as the key management functions over the lifetime of the device.
• It also maintains the secure clock for the device.

Step two is to use the secure identity to mutually authenticate and get credentials from the Domain Server that uses Active Directory and its Kerberos PKINIT service meant to support embedded devices.
[Diagram: Controller with HSM performing Mutual Authentication against the Domain Server; tenets illustrated: Authentication, Authorization]

• Mutual authentication occurs first
• The Controller then authorizes the download of additional security information

Step three is to use the secure credentials exchange to determine the authentic paths to important management servers, and to download the up-to-date whitelist.

[Diagram: IPsec VPN and Application Proxy on the Controller reaching the Database Server, Historian and Domain Server; tenet illustrated: Auditing]

• At registration time, the Controller also verifies the secure path to the
  – Firmware repository and configuration synchronizer on the Database Server
  – Event management service on the Historian
  – Secure time service on the Domain Server
• The Domain Server maintains the valid security certificates, deleting the ones that have been revoked
• It downloads the whitelist at registration (or any time else on demand).
• The Historian records the fact that the Controller is now operating.

Step four is to update the firmware to the latest rev if it is out of date.

[Diagram: IPsec VPN and Application Proxy between the Controller and the Database Server; tenet illustrated: Confidentiality]

• If the firmware is out of date or not yet loaded.
The Change Management policies will:

• Download the manifest of firmware that has been assigned for the device
• Attest to the fact that the signatures are good so that the firmware is trusted
• Store the new (as well as the old) firmware to persistent flash memory
• Transition gracefully into production according to the current policies.
• IPsec ensures the software cannot be monitored and copied during downloads.

[Diagram: Policy Management (Change Mgt, Problem Mgt) and Flash on the Controller management side]

All Device Nodes that want to be part of the Security Fabric must also authenticate with the Domain Server (the trusted third party) whenever they power up.

[Diagram: Device Node with HSM performing Mutual Authentication against the Domain Server; tenets illustrated: Authentication, Authorization]

This prepares the Device Node to join the tailored trustworthy space.

The authentication ticket received from the Domain Server contains a section encrypted by the Device Node public identity key plus a section encrypted by the Controller public identity key.

• The Device Node also requests a ticket to talk to the Controller.
• The Domain Server encrypts a portion using the identity of each of the two machines.
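The step-four firmware update described above (download the assigned manifest, attest that it is good, keep the old image next to the new one, transition or fall back) as an added Python example; this is not McAfee's or the SGSIA's code. It assumes a constructed JSON manifest layout, an HMAC-SHA256 tag standing in for the repository signature (the deck's design would verify a real signature with the HSM), and a two-slot flash model.

```python
"""Firmware update check modelled on the deck's step four.
Added example, not McAfee/SGSIA code. Assumptions: the JSON manifest layout,
an HMAC-SHA256 tag standing in for the repository signature (a fielded design
would verify a public-key signature with the HSM), and a two-slot flash."""
import hashlib
import hmac
import json

# Constructed key standing in for the firmware repository's signing key.
REPO_KEY = b"constructed-repository-key"


class Flash:
    """Persistent store with an active slot and a previous (rollback) slot."""

    def __init__(self, version: int, image: bytes):
        self.active = (version, image)
        self.previous = None


def manifest_tag(manifest_bytes: bytes, key: bytes = REPO_KEY) -> str:
    """Tag the Database Server attaches to a manifest (stand-in for a signature)."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def attest_manifest(manifest_bytes: bytes, tag: str, key: bytes = REPO_KEY) -> dict:
    """Reject the manifest unless its tag verifies; only then parse it."""
    if not hmac.compare_digest(manifest_tag(manifest_bytes, key), tag):
        raise ValueError("manifest signature check failed")
    return json.loads(manifest_bytes)


def apply_update(flash: Flash, manifest_bytes: bytes, tag: str,
                 image: bytes, device_id: str) -> str:
    """Run the change-management steps; returns what happened."""
    manifest = attest_manifest(manifest_bytes, tag)
    if manifest["device"] != device_id:
        raise ValueError("manifest was assigned to a different device")
    current_version, _ = flash.active
    if manifest["version"] <= current_version:
        return "up-to-date"  # nothing to do; this also refuses a downgrade
    # The downloaded image must hash to what the attested manifest names.
    image_sha256 = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(image_sha256, manifest["sha256"]):
        raise ValueError("downloaded image does not match the manifest")
    # Keep the old image so a bad transition can be undone.
    flash.previous = flash.active
    flash.active = (manifest["version"], image)
    return "updated"


def rollback(flash: Flash) -> int:
    """Graceful fallback: restore the previous image; returns the active version."""
    if flash.previous is None:
        raise RuntimeError("no previous image to roll back to")
    flash.active, flash.previous = flash.previous, None
    return flash.active[0]


def build_manifest(device_id: str, version: int, image: bytes) -> tuple:
    """Constructed stand-in for the repository publishing a tagged manifest."""
    body = json.dumps({"device": device_id, "version": version,
                       "sha256": hashlib.sha256(image).hexdigest()}).encode()
    return body, manifest_tag(body)


if __name__ == "__main__":
    flash = Flash(1, b"constructed firmware v1")
    new_image = b"constructed firmware v2"
    body, tag = build_manifest("controller-01", 2, new_image)
    print(apply_update(flash, body, tag, new_image, "controller-01"))  # updated
    print(apply_update(flash, body, tag, new_image, "controller-01"))  # up-to-date
```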
The next step is for the Device Node to establish secure communications with the Controller.

[Diagram: Mutual Authentication between the Device Node and the Controller; tenets illustrated: Authentication, Authorization]

• The Device Node requests to join the Security Fabric using the ticket now also trusted by the Controller.

Once authenticated, the device node can proceed to establish two secure paths to the Controller: one for management purposes and one for application purposes.

[Diagram: IPsec VPN on the Device Node and on the Controller carrying a Management Session and an Application Session; these use the same physical wire, but must be securely isolated; tenet illustrated: Confidentiality]

The small embedded firewall in the communications path protects against denial of service attacks as well as a number of sophisticated malware attacks.
[Diagram: Firewall in front of the IPsec VPN on both the Device Node and the Controller; tenet illustrated: Availability]

The inter-process communications services of the middleware use messages to communicate back and forth between the Controller and the Device Node over the secure sessions.

[Diagram: Message passing between the Inter Process services of the Controller and the Device Node over the Application Session]

The inter-process communications services compute a secure message digest and append it to the end of each message to ensure that the message is never altered in flight.

[Diagram: Message with appended Message Digest (MD) between the Inter Process services; tenets illustrated: Integrity, Non-repudiability]

So now, the Controller and the Device Node can commence doing real work without ever having to think about the security aspects of the system.

[Diagram: Controller and Device Node application and management partitions built from Event Loops, Transforms, Exception Handlers and Down Stream components over the Application Session]

This entire light up sequence took place in the twinkling of the eye.
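The appended message digest on the inter-process messages, as an added Python example rather than the deck's own middleware; a keyed digest like this gives the two ends integrity, while the non-repudiability the slide also lists would need a signature the receiver cannot forge. It assumes each session (management or application) has its own constructed key, that the digest is an HMAC-SHA256 over a sequence number plus the payload, and that the receiver tracks the last sequence number accepted so altered, mis-routed and replayed messages are all rejected.

```python
"""Per-message digest on the inter-process messages over the secure sessions.
Added example, not the deck's code. Assumptions: a key per session, an
HMAC-SHA256 digest over seq || payload appended to each message, and a
receive-side sequence check so a replayed message is rejected."""
import hashlib
import hmac
import struct

DIGEST_LEN = 32  # SHA-256 output size
SEQ_LEN = 4      # big-endian 32-bit sequence number


class SessionEnd:
    """One end (Controller or Device Node) of a management or application session."""

    def __init__(self, session_name: str, key: bytes):
        self.session_name = session_name
        self.key = key
        self.send_seq = 0        # next sequence number we emit
        self.last_recv_seq = -1  # highest sequence number accepted so far

    def _digest(self, body: bytes) -> bytes:
        # Binding the session name keeps a management message from verifying
        # on the application session even if both sessions shared a key.
        return hmac.new(self.key, self.session_name.encode() + body,
                        hashlib.sha256).digest()

    def wrap(self, payload: bytes) -> bytes:
        """Message as sent on the wire: seq || payload || digest."""
        body = struct.pack(">I", self.send_seq) + payload
        self.send_seq += 1
        return body + self._digest(body)

    def unwrap(self, wire: bytes) -> bytes:
        """Verify a received message and return its payload, or raise."""
        if len(wire) < SEQ_LEN + DIGEST_LEN:
            raise ValueError("message too short to carry a digest")
        body, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
        if not hmac.compare_digest(digest, self._digest(body)):
            raise ValueError("digest mismatch: message altered or wrong session")
        seq = struct.unpack(">I", body[:SEQ_LEN])[0]
        if seq <= self.last_recv_seq:
            raise ValueError("replayed or out-of-order message")
        self.last_recv_seq = seq
        return body[SEQ_LEN:]


def run_checks() -> dict:
    """Exercise the accepted path and three rejection cases; returns outcomes."""
    # Constructed keys; in the deck's design they come from session set-up.
    mgmt_key, app_key = b"constructed-mgmt-key", b"constructed-app-key"
    ctrl_app = SessionEnd("application", app_key)   # Controller end
    node_app = SessionEnd("application", app_key)   # Device Node end
    node_mgmt = SessionEnd("management", mgmt_key)

    def rejected(end: SessionEnd, msg: bytes) -> bool:
        try:
            end.unwrap(msg)
            return False
        except ValueError:
            return True

    results = {}
    wire = ctrl_app.wrap(b"set_point=42")
    results["accepted"] = node_app.unwrap(wire)
    # Payload changed in flight: digest no longer matches.
    altered = wire[:SEQ_LEN] + b"set_point=43" + wire[SEQ_LEN + 12:]
    results["altered_rejected"] = rejected(node_app, altered)
    # The original message presented a second time after it was accepted.
    results["replay_rejected"] = rejected(node_app, wire)
    # A management-session message presented on the application session.
    results["cross_session_rejected"] = rejected(node_app, node_mgmt.wrap(b"reboot"))
    return results
```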
If ever an anomaly is detected the management agents can forward event notifications to the operator workstation, the security server, and the historian in one movement.

[Diagram: Alarm from the Device Node management agent reaching the Operator WS, Security Server and Historian; Policy Management (Problem Mgt) on the Controller]

Our secure silicon instrumentation can watch the behavior of the application in ways where the software does not even know it is being watched.

[Diagram: FPGA performing Pattern Anomaly Observation of the Application partition on the Device Node; Policy Management (Problem Mgt) on the Controller]

If necessary, you can have the management system automatically download extra telemetry to monitor an attack while it is occurring or safely download a repaired application for remediation.

[Diagram: Policy Management (Problem Mgt, Change Mgt) on the Controller driving a download from the Database Server to the Device Node]

The fully-assembled system looks like this.
[Diagram: full system with GPS Time Sync, the management workstations and servers on the switches, and, on each of the Controller and Device Node, Processor Cores, Hypervisor, Management RTOS and Application RTOS, Middleware, Flash, FPGA, HSM, Enet, Firewall, IPsec VPN, Mutual Authentication, Policy Management (Change Mgt, Problem Mgt), Diagnostics, Event Loops, Transforms, Exception Handlers and Down Stream components]

The payload devices are thus fully secure with all the recommendations in the NIST-IR 7628. But to complete the space, we must protect the management workstations and servers, also.

Application whitelisting is extremely useful in locking down the management servers and workstations.

• Whitelisting the management servers ensures nothing runs on them that is not supposed to work on them.
• Firewalls in or around the switches limit who can connect to them.

In summary, the Security Fabric provides all the features for embedded security outlined in the NIST-IR 7628. This is reasonable security for all critical infrastructure.
Constructing a Supply “Chain of Trust”

[Diagram: supply chain stages Device Design (Design Checker, Policy Settings), Device Manufacturing (Production Checker, Qualification, Certification, Red Team), Distribution / Inventory, Deployment / Final Configuration, and Firmware Updates in the Field, with the Maker, Vendor, Service Provider and Deployed parties signing (S), verifying (V) and recording to databases (db) at each hand-off]

• Embedded anti-tampering, anti-malware, production control and system security features here.
• Protect chips, boards and devices with embedded anti-counterfeiting and anti-reverse engineering IP.
• Track / manage equipment inventories, revision control, firmware and software version. Verify as-built matches as-designed. (Vendor Security Officer)
• Program/configure security policies specific to utility. (Utility Security Officer)
• Securely update to maintain system and counter new incidents and threats.

Legend: Hardware Security Module; SIGN = embedded and cryptographically secured unique IDs; VERIFY = cryptographically secured verification protocol; Secured System = Secure Device Mgmt, Secure Software Upgrades, Secure Policy Management.