Software-Defined Networking (SDN) Now for Operational Technology (OT) Networks
SEL, 2017
Traditional Ethernet Challenges
- Plug-and-play
- Allow all
- Nondeterministic
- Reactive failover
- Difficult to test
- Lacks cybersecurity profile
[Figure: spanning-tree topology showing the root bridge, port roles (R, D, A) and blocked ports]
OT Network Goals
- Deterministic failover with fixed latency
- Distribute precise time
- Low latency and jitter
- Fast fault detection, isolation, and recovery
- Cybersecurity designed in
- Continuous monitoring, self-testing, and alarming
- Compliant with IEEE 1613 (rugged)
SDN Basics
- Traditional Ethernet switch: individual control and data planes at each node
- SDN switch: centralized control plane, individual data planes
[Figure: traditional switches, each with its own control plane and data plane, versus SDN switches that carry only a data plane and share one centralized control plane]
Traditional SDN: Real-Time Control Decisions
[Figure: an IT flow controller installs rules into the SDN switches as packets arrive on the path between a server and an IED; link labels 10% and 75%]
OT SDN: Operation Decisions Already Made
[Figure: the OT flow controller has already installed the rules in every SDN switch before packets flow between the server and the IEDs]
Proactively Engineer Traffic for Reliability
[Figure: the SEL-5056 Flow Controller, running on an SEL-3355 computer, manages a network of SEL-2740S switches connecting an SEL relay and an SEL RTAC; a primary path, a backup path and a secondary path are engineered between them]
SDN Fast Failover Is Awesome!

Product               | Topology     | Healing Method        | Failure Point | Healing Time
----------------------|--------------|-----------------------|---------------|-------------
Manufacturer Device 1 | 10-Node Ring | STA (Rapid-PVST)      | L4            | 97 ms
Manufacturer Device 2 | 4-Node Ring  | STA (RSTP)            | L1 or L2      | 60 ms
SEL-2730M             | 10-Node Ring | STA (RSTP)            | L4            | 10 ms
SEL-2740S             | 10-Node Ring | SEL SDN Fast Failover | L4            | <100 µs
Getting to Know SDN Terminology
- Flow: a single communications session that matches an ingress rule and has a set of forwarding instructions
- OpenFlow: a protocol with an open source standard that defines an interoperable way for switches and flow controllers to communicate for configuration and monitoring purposes
- Flow controller: the central controller that programs the switches' flow tables

How SDN Works
The control plane inspects each Ethernet packet and performs the following functions:
- Match fields: match a rule based on a portion of the Ethernet packet
- Instructions: perform one or more programmed actions
- Counters: increment counters and send counter data to a centralized point
OT SDN Redefines Ethernet for Mission-Critical Applications
- Fast
- Deterministic
- Secure
- Simple
- Interoperable
- Visible

Multilayer Matching Rules
- Flow rules to only forward approved packets
- Capture packets that do not match rules
- Can add a time element to make temporary flows
An SDN flow match rule spans:
- Port (Layer 1)
- Ethernet header (Layer 2)
- IP header (Layer 3)
- TCP / UDP header (Layer 4)
- Payload
OpenFlow Match / Action Example: Ethernet Hub

Physical Port ID | Src MAC | Dst MAC | Ether Type | VLAN ID | IPv4 Src | IPv4 Dst | TCP/UDP Src | TCP/UDP Dst | Action
*                | *       | *       | *          | *       | *        | *        | *           | *           | Output: Forward All (Flood)

[Figure: a packet entering port 1 of the OpenFlow middlebox is flooded out ports 2, 3 and 4]

OpenFlow Match / Action Example: L2 Unmanaged Switch

Physical Port ID | Src MAC | Dst MAC           | Ether Type | VLAN ID | IPv4 Src | IPv4 Dst | TCP/UDP Src | TCP/UDP Dst | Action
1                | *       | 00:30:A7:06:11:97 | *          | *       | *        | *        | *           | *           | Output: Forward Port 4

[Figure: a packet entering port 1 of the OpenFlow middlebox is forwarded out port 4 only]

OpenFlow Match / Action Example: L3 Forwarding

Physical Port ID | Src MAC | Dst MAC | Ether Type | VLAN ID | IPv4 Src | IPv4 Dst | TCP/UDP Src | TCP/UDP Dst | Action
1                | *       | *       | *          | *       | 1.1.1.2  | 2.2.2.2  | *           | *           | Output: Forward Port 3

[Figure: a packet entering port 1 of the OpenFlow middlebox is forwarded out port 3 only]

OpenFlow Match / Action Example: Application-Specific Forwarding

Physical Port ID | Src MAC | Dst MAC | Ether Type | VLAN ID | IPv4 Src | IPv4 Dst | TCP/UDP Src | TCP/UDP Dst | Action
1                | *       | *       | *          | *       | 1.1.1.2  | 2.2.2.2  | *           | TCP 20000   | Output: Forward Port 4

[Figure: a packet entering port 1 of the OpenFlow middlebox is forwarded out port 4 only]
For Attackers, a Network Straitjacket
- No ability to accumulate ARP knowledge
- No ability to scan / probe the network
- No ability to use protocols or reach hosts not already configured
- First unrecognized packet goes straight to IDS!
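The match/action tables and the deny-by-default behaviour described above, as an added worked example (not SEL code and not the OpenFlow wire format): a toy switch holds the three engineered flows from the L2, L3 and application-specific slides (the slide's MAC is assumed to be a destination match; TCP 20000 is the DNP3 port), first match wins, per-flow packet and byte counters are kept, and a frame that matches no rule is captured and sent to an assumed IDS port instead of being flooded or learned.

```python
from dataclasses import dataclass
# Constructed model of the slides' match/action tables (not SEL code, not the OpenFlow wire format).
@dataclass(frozen=True)
class Packet:
    in_port: int
    dst_mac: str
    ip_src: str = ""         # empty string = non-IP frame (e.g. an ARP probe)
    ip_dst: str = ""
    l4_proto: str = ""
    l4_dst: int = 0
    size: int = 64           # bytes, for the byte counter
@dataclass
class FlowRule:
    match: dict              # field -> value; a field not listed is a wildcard (*)
    out_port: int
    packets: int = 0         # OpenFlow-style per-flow counters
    bytes: int = 0
    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match.items())
IDS_PORT = 9                 # assumed port where the IDS listens
IED = "00:30:A7:06:11:97"    # MAC from the slide's L2 example, taken as the destination

class OtSdnSwitch:
    def __init__(self, rules):
        self.rules = rules   # most specific rule first; first match wins
        self.captured = []   # unmatched frames: never flooded, handed to the IDS
    def forward(self, pkt: Packet) -> int:
        for rule in self.rules:
            if rule.matches(pkt):
                rule.packets += 1
                rule.bytes += pkt.size
                return rule.out_port
        self.captured.append(pkt)  # deny-by-default: no MAC learning, no flooding
        return IDS_PORT

def build_switch() -> OtSdnSwitch:
    return OtSdnSwitch([
        FlowRule({"in_port": 1, "ip_src": "1.1.1.2", "ip_dst": "2.2.2.2",
                  "l4_proto": "tcp", "l4_dst": 20000}, out_port=4),                  # application-specific
        FlowRule({"in_port": 1, "ip_src": "1.1.1.2", "ip_dst": "2.2.2.2"}, out_port=3),  # L3 forwarding
        FlowRule({"in_port": 1, "dst_mac": IED}, out_port=4),                            # L2 switch
    ])

def run_demo():
    sw, srv = build_switch(), "00:30:A7:00:00:02"                                        # constructed server MAC
    ports = [sw.forward(Packet(1, srv, "1.1.1.2", "2.2.2.2", "tcp", 20000)),             # DNP3 -> port 4
             sw.forward(Packet(1, srv, "1.1.1.2", "2.2.2.2", "tcp", 502)),               # other TCP -> port 3
             sw.forward(Packet(1, IED, "1.1.1.5", "1.1.1.9", "udp", 123, 200)),          # to the IED -> port 4
             sw.forward(Packet(2, "ff:ff:ff:ff:ff:ff"))]                                  # ARP probe -> IDS
    return ports, len(sw.captured), [(r.packets, r.bytes) for r in sw.rules]
```

The last frame shows the straitjacket: a broadcast from an unexpected port hits no flow, so it is neither learned nor flooded and the IDS sees it as the very first packet.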
Cybersecurity Benefits
- Security model
  - Deny-by-default
  - Secure control plane
  - Eliminate MAC table and BPDU spoofing
- Situational awareness
  - Know what flows are on your network and where they are, all the time (packet and byte awareness)

Performance Benefits
- Integrate seamlessly with existing infrastructure
  - OpenFlow 1.3 support
- Ensure mission-critical application performance
  - <100 µs failover
- Efficiency
  - No blocked ports
Future APIs Enable Solution-Focused Applications
[Figure: layered architecture: an Application Layer (OAM applications, network visualization, configuration, programming) sits on the Control Plane (network operating system), which uses OpenFlow to program a Data Plane of simple packet-forwarding hardware]
Application examples:
- GUI
- Flow creation
- Visibility
- Continuous monitoring
- Policy enforcement
- IDS / IPS / inspection
- Syslog

DOE-Sponsored Application: Chess Master
- Deny-by-default, whitelisted traffic engineering
- Multiple proactively engineered security and methods to quickly transition automatically or manually
- OpenFlow counters to know what is on the network
Available Now
- www.cyberscoop.com
- www.linkedin.com

Accelerate Evaluation and Adoption
SDN evaluation kit (Part Number 915900421):
- Four SEL-2740S Switches
- SEL-5056 Flow Controller
- SEL-3355 Computer
- Ethernet cables
- Application support

More Information
- Visit SEL in Booth 304
- Website: https://selinc.com/products/2740s/
- Email: security@selinc.com