IT security for energy infrastructures

Transcription

1 IT security for energy infrastructures Next-generation firewalls made in Germany Cybersecurity

2 Because of a lack of security mechanisms at both application level and data link layer level, conventional SCADA systems are defenseless against cyber attacks. Pidikiti et al, CIS Publications, April

3 IT Security Act for the protection of critical infrastructures Like many other electricity suppliers in Germany, Stadtwerke Baden-Baden, Baden-Baden s public utility company, has been preparing for the changes in IT security legislation. Various countries worldwide are working on legal acts regulating the protection of critical energy supply infrastructures against cyber attacks. The German Act has been in force since 07/25/2015. It is assumed that compliance with and certification of processes and protective measures in accordance with ISO standards will be core aspects of further acts that will probably be added to the legal framework. Stadtwerke Baden-Baden have prepared for the new regulations in advance and, together with gateprotect, created a security concept that offers effective network protection and reliable data security to ensure compliance with the relevant ISO standards. Vulnerabilities in generic firewalls As part of these preparations, the IT managers at Stadtwerke Baden-Baden commissioned an extensive series of penetration tests. They found that the existing firewalls and intrusion prevention and anti-virus systems were ineffectual for protecting the specific systems and protocols required for operating the energy networks. This was also the case for a SCADA remote access protocol, known internationally as ICE 104*. In fact, some of the determined areas gave cause for concern. Potentially dangerous security gaps occurred for example. due to the very poor performance of systems (anti-virus, web filtering, and intrusion prevention). For some systems, the performance problem was so bad that some protection features were deactivated simply to boost network performance. Our problem was that although some of the existing solutions were well suited for the purposes originally intended, they hadn t been designed to protect critical infrastructures such as power generation and control networks, says Daniel Müller, Group Manager of the IT department, Stadtwerke Baden-Baden. Our tests revealed several potential vulnerabilities that we needed to deal with to ensure that our networks are fully protected from external threats. Following extensive research, we found the optimal solution with gateprotect. gateprotect products offers a formidable security mechanism, in particular for the multilevel protection of network segments from the office LAN through the process control network, adds Franz Schaub, Head of IT at Stadtwerke Baden-Baden. Rohde & Schwarz IT security for energy infrastructures 3

4 Recommendation of a unique solution, specially designed for the protection of critical infrastructures The system architects at gateprotect carefully examined the IT system in order to gain an understanding of the existing security issues and bottlenecks, and then recommended a new solution based on the unique features of the gateprotect next-generation firewall Network Protector+: While the existing firewall systems were left in place, a second line of defense was installed, especially designed to protect energy infrastructures. This second line of defense within the firewall intercepts all remaining threats before they can access the remote control network. The solution consists of the latest version of Network Protector+ from gateprotect combined with special features for IEC 104. These have been specifically developed to protect critical infrastructures and power generation facilities. The biggest advantage of the concept with Network Proretor+ is that data streams from and to host computers in the telecontrol stations can be evaluated in fine-grained using one of the world s fastest single-pass engines. Full positive validation is then performed to accept and pass on exclusively data and commands found to be genuine, says Andreas Schmid, IT Security Expert at Rohde & Schwarz gateprotect. Multilayer security concept Process network e.g. control and management Internet Router package filter Rohde & Schwarz gateprotect NP+ Office network(s) 4

5 Unique, sophisticated features available only with gateprotect Network Protector+ The gateprotect Network Protector+ comprises a number of sophisticated functions currently not available with any other firewall on the market. Network Protector+ is able to recognize and decode the IEC protocol commonly used in the energy sector. This enables network administrators to approve or block individual functions depending on their source and destination. With Network Protector+ you can now analyze the data stream and identify the intention behind communication between telecontrol stations and host computers, instead of relying exclusively on patterns, which may not be able to identify harmful content. Network Protector+ also offers new, external protective measures designed to ensure that individual documents or data cannot be released to the outside. Internal information, such as PDF s, can be intercepted, that contain sensitive internal information can be intercepted before they are able to leave the inner firewall ring set up by the gateprotect next-generation solution. Since gateprotect develops and produces all its firewalls in Germany and complies with the widely-accepted security principles of the German TeleTrusT, we guarantee that the next-generation firewall Network Protector+ has no backdoors for unknown external parties. Installation of gateprotect: Made in Germany In the second line of defense configuration, Stadtwerke Baden-Baden used Network Protector+, gateprotect s next-generation firewall, to perform a live test, and then went on to purchase and commercially install the second line solution. gateprotect is the first and as far as we know only company to focus on the needs of the German energy sector, and definitely the only German provider of such solutions, adds Daniel Müller from Stadtwerke Baden-Baden. This means that, on the one hand, gateprotect fully understands the technical necessity of supporting the IEC protocols used in our sector. On the other hand and this is extremely important they re highly familiar with the requirements relating to the protection of critical infrastructures stipulated by our regulatory body, the German Federal Network Agency. The security measures from gateprotect also comply with the new IT Security Act. We ve now found the perfect solution and are confident we ll achieve full ISO certification with the gateprotect solution. Rohde & Schwarz IT security for energy infrastructures 5

6 A feeling of security: The IT security concept from gateprotect In order to reduce the internal and external attack surface, connection points on the perimeter will only allow network traffic to locations and services if they are classified as valid with regard to legal and internal security policy and risk profiles. Connection points between process networks, distributed endpoints, and internal networks must therefore be limited, for example. Targeted threats within existing communication processes must be stopped so that they do not reach the recipients or systems. Only with a holistic approach can internal security policies, systems, processes, and practices be combined to achieve the best possible protection of critical infrastructures, and their operators therefore optimally prepared for the new IT Security Act. Christoph Becker, CTO of gateprotect For more information about gateprotect s unique solutions for the protection of critical infrastructures, please visit 6

7 Rohde & Schwarz gateprotect Network Protector+ Next-generation firewall for maximum protection of critical infrastructures and complex networks With a combination of port-independent application identification, traffic management, anti-virus, and malware fil-ters, as well as an intrusion prevention system and Web filters, Rohde & Schwarz gateprotect next-generation firewalls NP+ offer the perfect protection against the latest cyber threats. A highly parallelized single-pass engine, designed in Germany, allows the performance of multiple simultaneous operations on the data traffic in order to screen the contents of each individual data transfer in detail. This single-pass engine utilizes a signature database for hundreds of applications, thousands of threats, and millions of Web addresses for maximum protection of the corporate network, without impairing the firewall throughput, and thereby allowing for smooth key business processes. The innovative WebGUI displays all of the company s areas to be protected in a clear and intuitive design and can be comfortably operated over the browser on any device. The UTM+ solution has won several international awards for its user-friendliness! Rohde & Schwarz gateprotect NP+ appliances are developed and programmed in Germany. The security solutions offer future-proof protection for corporate networks, no backdoors guaranteed. Next-generation firewall NP+ at a glance IT security Made in Germany : Ultimate performance and stability for complex IT networks in larger companies. Reliable protection for IT networks, even for operators of critical infrastructures, through the decoding of SCADA protocols such as IEC State-of-the-art security functions to reliably protect the network and data from spam, viruses, and malware with features such as, portindependent application identification and single-pass technology Made in Germany Multiple award-winning easy-to-use user interface: Firewalls can be managed in the browser via a WebGUI WebGUI Rohde & Schwarz IT security for energy infrastructures 7

8 Rohde & Schwarz The Rohde & Schwarz electronics group is a leading provider of solutions in the fields of measurement systems, radio engineering, radio monitoring, radio location technology, and secure communication. Founded more than 75 years ago, the independent company is present with its services and an extensive service network in over 70 countries around the world. The company is headquartered in Germany (Munich). Rohde & Schwarz gateprotect GmbH is a leading provider of sophisticated nextgeneration and UTM firewalls. The security solutions, developed in Germany, are easy to use and manage, thanks to the patented egui technology. Rohde & Schwarz gateprotect solutions are certified in accordance with the top BSI certification level and bear the quality seal IT Security Made in Germany. gateprotect GmbH Valentinskamp 24 D Hamburg Sales-Telefon Fax sales@gateprotect.com Rohde & Schwarz GmbH & Co. KG R&S is a registered trademark of Rohde & Schwarz GmbH & Co. KG Trade names are trademarks of the owners Version Januar 2016 Data without tolerance limits is not binding Subject to change 2016 Rohde & Schwarz GmbH & Co. KG Munich, Germany