Strong encryption and superior availability at the same time. Complies with the stringent demands posed by mission-critical systems (MCS)

Transcription

1 Strong encryption and superior availability at the same time Complies with the stringent demands posed by mission-critical systems (MCS) Fanless, robust hardware integrated in the C20 platform End-to-end encryption to prevent cyber-attacks in packet-based transport networks (MPLS-TP) Random numbers generated by quantum physics (QRNG) Can be extended with a Quantum Key Distribution (QKD) server Centralized and decentralized key distribution Made and developed in Germany and Switzerland Offers security and high levels of availability

2 Solution Brief Security in mission-critical systems Security is a basic requirement of mission-critical systems. But MCS networks are at high risk due to the rising number of attacks, attempts at manipulation and espionage. Networks and dedicated lines are susceptible to attack in many ways. Optical networks in particular are not secure. Without encryption systems, these networks and lines would be easy prey to hackers. Attacks are possible with a minimum of technical expertise. The optical fibre can be cut (spliced), the splittercoupler method applied (i.e. by bending the line), or non-touching methods used where all of the data traffic is read by highly sensitive photo detectors. Afterwards all the information collated is analysed. Active attacks like denial-of-service, spoofing, forging and improper usage, viruses, worms and Trojans enhance the options of passive attacks and risk the security of the infrastructure. KEYMILE trusted security management as well as deploying encryption technology with encryption hardware as well as key management and generation. KEYMILE is a technologically leading supplier for telecommunication equipment with major facilities in Germany and in Switzerland. As a competent consultant for mission-critical networks we offer KEYMILE trusted security. This comprises complying with all applicable security requirements scoping the production facilities in Germany, security-screened and certified employees and central network KEYMILE also offers additional security improvements with its encryption card for the C20 platform. It reinforces the security mind-set of integrity, trust, authorization and authentication and ensures that data, communications, devices and services can be verified. 2

3 Very secure communications The offers encryption of infrastructure that provides mission-critical applications for controlling and monitoring energy networks, gas and oil pipelines, railway companies, local authorities, military networks and air-traffic control centres: Control and signalling in railway networks Linking branches and data centers Automating power in high-voltage lines SCADA applications for oil and gas Police and military networks Banks The C20 platform guarantees strong, trustworthy encryption with equally high levels of availability in mission-critical systems. It has been adapted to cope with these demands superbly. It offers ease of use, superior performance and is low cost, with high levels of availability at the same time. C20 platform and encryption card C20 is a hybrid multi-service access and transport platform that complies with the tough demands of mission-critical communications networks. It excels in offering top levels of availability, is robust and easy to operate and maintain. Its low energy consumption and extreme durability make it a future-proof option. By using the encryption card in the C20, SDH/PDH-based networks as well as PTN (packet-based transport networks) can be operated securely in a node. C20 Subrack ESDH Network 1PDH Network Packet Network STM-1/4 n x 2 Mbps GbE 10 GbE STSME1L4I1COGETAG1XSecured SECUEthernet GSM-R 3 rd party Router Surveillance camera WLAN Router Figure 1: Encryption of packet-based applications 3

4 The encryption card: Offers end-to-end encryption against cyberattacks in packet-based transport networks (MPLS-TP) Causes no delay in PTP (Precision Time Protocol IEEE1588) packets Offers a redundant encryption unit per card 4 x SFP+/10 GbE ports per unit It offers tamper-protected features to prevent mechanical manipulation Also comes with an integrated physical QRNG random-number generator Existing C20 MPLS-TP infrastructure can be retrofitted with the encryption solution. Advantages of Layer 2 encryption: Minor impact on network performance Low latency of under one microsecond No bandwidth losses due to overheads Transparency of voice, data, video etc. Data throughput of up to 10 Gbps Less configuration required due to low complexity Easy implementation on Layer 2 Consequently, KEYMILE offers an encryption solution that doesn t risk availability in missioncritical systems which is a crucial factor. Quantum cryptography Encryption is only as secure as the random numbers generated and the key it s accessed with. To maintain confidentiality and integrity in communications securely, the encryption technology is very important for the operators of mission-critical networks. Conventional mathematical keys are often not sufficient to guarantee adequate protection. Layer 2 encryption The KEYMILE encryption card encrypts all network traffic transparently and natively on Layer 2 in the unit. Layer 2 devices have two major advantages vis à vis Layer 3-based encryption with IPSec. These are a 62 % saving on overheads and low latency of under one microsecond instead of several milliseconds or even seconds. For the encryption card on the C20 platform, KEYMILE uses a hardware-based QRNG (Quantum Random Number Generator) to generate highly secure keys that really are random. This technology works with quantum states of photons, or light particles. In quantum physics, the occurrence of certain phenomena is truly random. In this case it s the reflection or transmission of a photon via a semi-permeable mirror. Depending on whether the photons are

5 Solution Brief reflected or let through by the mirror, a 0 or a 1 is registered. Based on its inherent randomness, this process is ideal for generating true, non-deterministic random numbers. In the case of central key management, key distribution and management is performed with a secure, hardware-based QRNG randomnumber generator via the key management server. An IDQ Quantum Key Distribution (QKD) server can be added to the C20 solution. The key exchange is executed via the QKD server which is connected via dark fibres. As a result, a man-in-the-middle attack is prevented completely, as the mere attempt at reading the key will involve a change in the polarisation condition of the photons and the attack will be noticed. The independent UNEM network management software monitors the hardware. This process merely checks the signals on the card (keep alive, alarm monitoring, checking redundancy etc.). The management software can t access the card itself directly. The keys must be distributed in a way that is highly trustworthy and protected. This can also be done by generating the keys locally. The decentralized approach specifies that all nodes must be able to communicate with one another. In decentralized systems there is no single-point-of-failure because of dependence on infrastructure. This method prevents the creation of network islands. Key management The purpose of key management is on the one hand to allocate a secret key at the beginning and on the other hand to generate and manage the master keys used. & Oil ys lwa Gas Rai C22 C22 red u Sec C Ser C22 ver 1 ETH GbE C25 RS-232 ities hor Aut C25 C22 city ctri Ele rid G e c eo Vid nferen co ing d Tra Figure 2: Secure communication in mission-critical networks 5

6 ECU1Figure 3: Encryption without changing the main assembly Solution Brief Trustworthy security State-of-the-art, verified and recommended encryption algorithms are applied to guarantee maximum security. Encryption and authentication are carried out through the most secure encryption process available at the moment which is also recommended by the BSI (Federal Office for Information Security) in the TR technical directive. The session keys are updated every 60 seconds and offer fully automatic key management based on the set and forget principle. Asymmetrical encryption processes master key (key encrypting) Algorithm ECC Elliptic Curve Diffie-Hellman ECDH Key length 521 Bit NIST P-521 defined in the FIPS standard Key replacement 60 minutes automatic/manual Authentication X.509 certificate Symmetrical encryption process session key (data encrypting) Algorithm AES-GCM (Galois/counter mode encryption and authentication) Key length 256 Bit Key replacement 60 seconds automatic Centralized and decentralized key distribution Deploy & forget Without changing the network infrastructure, the can be integrated into the existing network easily. This is called bump-in-the-wire deployment. The unit is operated in a free slot on the C20 subrack and connected with the COGE5 core unit via an SFP. As a result, no PC SIPsec C23 1Secured C25 IPsec SECU

7 changes on further end devices nor a reorganisation of the network are required. IPSec installations on the other hand are complex and time-consuming. Compatibility Encryption in the node means that existing terminal equipment that supports no or weak encryption can still be used. This saves significant network-expansion costs. The KEYMILE cyber protection solution offers highly secure end-to-end encryption for MPLS-TP-based infrastructure. Backdoor-free Failsafe operation Failsafe operation plays a vital role in missioncritical networks. Therefore, as a unit the is designed to be redundant. Two completely independent encryption units, including current and random-number generator with quantum physics (QRNG), are located on one single card. KEYMILE guarantees a backdoor- and bug-free solution. The products are made in Germany and developed in Germany and Switzerland. ISO compliant certification underpins KEYMILE s cyber security strategy. On request, KEYMILE can offer access to the encryption card s source code. Flexibility Programmable FPGAs allow maximum operational flexibility. The technology offers better customisation and is ideal for high-speed encryption with a data throughput of up to 10 Gbps. Therefore, the solution can be adapted to future changes or expansion, offering optimum, long-term protection of investments. 7

8 KEYMILE cyber security KEYMILE has redefined security in mission-critical systems (MCS) by integrating strong encryption into the C20 platform and by partnering with ID Quantique from Switzerland. IDQ is the leading manufacturer of quantum-secure network encryption. Quantum-key generation, quantum-key distribution and the Layer 2 encryption devices are certified to international FIPS, common-criteria and CAPS(UK) standards. The partnership with IDQ allows KEYMILE to offer encryption devices with data throughputs of 100 Mbps up to 10 x 10 Gbps from the CN4000-C8000 Centauris series to complement the integrated KEYMILE encryption card for the C20 at 10 Gbps. The IDQ devices are compatible with one another and can be configured and managed conveniently via the IDQ CM7 management platform. KEYMILE s cyber-security solution offers a future-proof way of safeguarding investments thanks to its robustness and ability to adapt. KEYMILE s specialists in the cyber security competence centre are on hand to support customers from the planning phase to operation of the infrastructure