OTSDN What is it? Does it help?


OTSDN: What is it? Does it help?
Dennis Gammel, Schweitzer Engineering Laboratories, Inc.
Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security
cred-c.org

Important Aspects of Critical OT Networks
- Determinism and low latency
- Precise time
- Fast fault detection, isolation, and recovery
- Cybersecurity defense in layers
- Monitoring, self-testing, and alarming
- Maintainability, testing, and diagnostics
- High MTBF hardware

Message Delivery Performance Criteria Defined by International Standards
- IED performance requirements: IEC 61850, IEC 60834, IEC 15802, IEEE 802.1
- Latency specifications: IEC 61850, IEC 60834, IEC 15802, IEEE 802.1
- Speed: IEC 61850

Message Delivery Quality Criteria Defined by International Standards
- Dependability and security requirements: IEC 61850, IEC 60834
- Availability requirements: IEC 61850, IEC 60834, IEEE 802.1
- Reliability metrics: IEC 61850, IEEE 1613, IEC 60870

International Standards Dictate Protection Signal Exchange Acceptance Criteria
- Signal < 3 ms, packet transit < 1 ms, 99.99% of the time
- Signal < 18 ms, packet transit < 15 ms, 0.01% of the time
- Zero dropped GOOSE messages per year, < 9 extra messages every 24 hours
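The acceptance criteria on this slide are easy to state but must be checked against measured data to be of use. The following Python check is an added illustration, not part of the presentation or an SEL product: it scores a window of recorded packet transit times (the packet-transit bounds of 1 ms and 15 ms, not the end-to-end signal bounds, which also include IED processing) together with the dropped-message and extra-message budgets. The function and field names are assumed, and the 20 000-sample window is constructed for the example.

```python
"""Check recorded GOOSE packet transit times against the acceptance criteria
quoted on the slide. Added illustration with constructed data; function and
field names are assumed and do not come from any standard or product."""
from dataclasses import dataclass
from typing import Sequence

FAST_BOUND_MS = 1.0      # packet transit that 99.99% of messages must beat
SLOW_BOUND_MS = 15.0     # bound for the remaining 0.01%
FAST_SHARE = 0.9999
MAX_EXTRA_PER_DAY = 9    # "< 9 extra messages every 24 hours"


@dataclass
class TransitReport:
    fast_share: float       # fraction of samples under FAST_BOUND_MS
    worst_ms: float         # slowest observed transit
    dropped: int
    extras_per_day: float
    failures: tuple         # empty when every criterion is met

    @property
    def compliant(self) -> bool:
        return not self.failures


def check_goose_transit(transit_ms: Sequence[float], dropped: int,
                        extra_messages: int, hours: float) -> TransitReport:
    """transit_ms: per-packet transit times in milliseconds measured over
    `hours` of operation; dropped / extra_messages are counts over the same
    window (extra = GOOSE messages seen that the design did not expect)."""
    if not transit_ms:
        raise ValueError("need at least one transit sample")
    fast = sum(1 for t in transit_ms if t < FAST_BOUND_MS)
    fast_share = fast / len(transit_ms)
    worst = max(transit_ms)
    extras_per_day = extra_messages * 24.0 / hours
    failures = []
    if fast_share < FAST_SHARE:
        failures.append(f"only {fast_share:.4%} of packets under {FAST_BOUND_MS} ms")
    if worst >= SLOW_BOUND_MS:
        failures.append(f"worst transit {worst} ms exceeds {SLOW_BOUND_MS} ms")
    if dropped > 0:
        failures.append(f"{dropped} dropped GOOSE messages")
    if extras_per_day >= MAX_EXTRA_PER_DAY:
        failures.append(f"{extras_per_day:.1f} extra messages per day")
    return TransitReport(fast_share, worst, dropped, extras_per_day, tuple(failures))


def sample_window(slow_count: int, slow_ms: float) -> list:
    """Constructed 20 000-sample window: nominal 0.4 ms transit with
    `slow_count` outliers at `slow_ms` (assumed values, not measurements)."""
    return [0.4] * (20_000 - slow_count) + [slow_ms] * slow_count


if __name__ == "__main__":
    report = check_goose_transit(sample_window(1, 12.0), dropped=0,
                                 extra_messages=2, hours=24)
    print(report.compliant, report.failures)
```

One slow outlier in 20 000 packets (0.005%) still satisfies the 99.99% bound; three outliers (0.015%) do not, and a single 16 ms transit fails the 15 ms bound even though the 99.99% figure is intact. Both bounds, and the zero-drop budget, have to be checked independently.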

Challenges With Traditional Ethernet Switching
- Designed for plug and play
- Conveniently does things we don't want
- Reactive failover
- Topology-dependent performance
- Difficult to achieve 100% test coverage

Network Healing Using IEC 62439-1 RSTA
[Diagram: switches S1, S2, and S3 running RSTA, with IEDs and nodes C1 and C2 attached; peer-to-peer RSTP informs RSTA]

Introducing SDN
- Traditional Ethernet switch: individual control and data planes (each switch carries its own control plane and data plane)
- Software-Defined Networking (SDN) switch: centralized control plane, individual data plane

Introducing SDN and OpenFlow
- Application layer: OAM applications, network visualization
- Control plane: network operating system; configuration and programming of the switches over OpenFlow
- Data plane: simple packet-forwarding hardware (several switches)

How SDN Works
The data plane inspects each Ethernet packet and performs one or more of the following:
- Match fields: match a rule based on the first 4 layers of the Ethernet packet
- Instructions: perform one or more programmed actions
- Counters: increment counters and send counter data to a centralized point

Multilayer Match Rules Forward Packets
[Diagram: an SDN flow match rule spanning the Ethernet header (layer 2), IP header (layer 3), and TCP/UDP header (layer 4) ahead of the payload]

OTSDN vs. Traditional SDN: Static vs. Reactive Flows
- Traditional SDN uses reactive flows to dynamically respond and adapt to changes in the network and traffic
- Focus is on bandwidth utilization and latency rather than determinism
- Continuous learning and flow management
- Uncertain network performance at any given time
- SDN controller performance bottleneck

Reactive IT SDN in Operation
[Diagram: an IT flow controller installs a rule on each SDN switch as packets between the server and the IED arrive]

OTSDN vs. Traditional SDN: Static vs. Reactive Flows
- OTSDN uses static flows for proactive engineering of a known network configuration
- Static flows can be used because all traffic is known
- Networks never have new traffic or devices without an official change order
- New or unexpected traffic will be dropped
- Network state and performance are always known and as designed

Proactive OT SDN in Operation
[Diagram: an OT flow controller with rules already installed on the SDN switches between the server and the IEDs; packets forward without a round trip to the controller]

Design Traffic Where Paths Are Based on Requirements and Applications
Flow controller is not required for network operation.
[Diagram: four SDN switches carrying separate engineered circuits: GOOSE 1 and GOOSE 2 between relays, combined SCADA, and engineering access from a rugged computer]

OTSDN: Cybersecurity at Every Network Hop
Only allow traffic that is required, and only to the places it is needed.
- No ARP cache poisoning
- No broadcast storms
- No BPDU attacks
- Hosts only see traffic destined for them and nothing else

No Traffic Injection From Unexpected Locations
- Locked-down flows restrict what traffic is allowed on the network at every point
- Spoofing a device MAC/IP address is difficult
- Packets that match flow rules must originate from a predetermined location
- Any attempt to spoof a device from an alternate location raises an alert and is tracked

Traditional Intrusion Detection System: External With Slow Action Response
[Diagram: network sensors on the switches feed an analysis engine and knowledge database behind the WAN gateway; alarms and events lead to a response/action back toward the switches and IEDs]

OTSDN Intrusion Detection System: Integrated With Fast Dynamic Response
[Diagram: an IDS application attached to the OTSDN controller, which dynamically changes security policies on the OTSDN switches serving the IEDs and the WAN]

Targeted IDS
- All needed traffic is engineered to go where it is needed
- Any unmatched traffic can easily be discarded or sent to an IDS
- The IDS will ONLY see the traffic that was not already engineered
- The IDS will be burdened much less than when watching all traffic
- More scrutiny can be given to this unwanted traffic
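The slides "How SDN Works", "Multilayer Match Rules Forward Packets", "OTSDN vs. Traditional SDN", "Cybersecurity at Every Network Hop", "No Traffic Injection From Unexpected Locations", and "Targeted IDS" together describe one mechanism: a static flow table matched on ingress port plus layers 2 to 4, a forwarding instruction and a counter per rule, and a deny-by-default fallback that diverts anything unmatched to the IDS. The Python model below is an added illustration of that mechanism, not SEL's code or the SEL-5056 behaviour. The classes Packet, FlowRule and OTSDNSwitch, the port names, the MAC and IP addresses, and the two engineered circuits (a GOOSE publication and a DNP3 poll) are all assumed and constructed for the example; the EtherTypes 0x88B8 (GOOSE), 0x0800 (IPv4) and 0x0806 (ARP) and TCP port 20000 (DNP3) are the real protocol values.

```python
"""Toy model of an OTSDN switch data plane, added as an illustration.
Names (Packet, FlowRule, OTSDNSwitch, IDS_PORT), ports, addresses and rules
are assumed and constructed for the example; this is not SEL's code."""
from dataclasses import dataclass, field
from typing import Optional

IDS_PORT = "ids"                 # assumed port where the IDS sensor listens
ETH_GOOSE, ETH_IPV4, ETH_ARP = 0x88B8, 0x0800, 0x0806


@dataclass(frozen=True)
class Packet:
    """Headers the data plane matches on: ingress port plus layers 2-4."""
    in_port: str
    eth_src: str
    eth_dst: str
    eth_type: int
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    ip_proto: Optional[int] = None   # 6 = TCP, 17 = UDP
    dst_port: Optional[int] = None


@dataclass
class FlowRule:
    """A statically engineered flow: exact-match fields, the forwarding
    instruction, and a packet counter. A field absent from `match` is a
    wildcard."""
    name: str
    match: dict
    out_ports: tuple
    packets: int = 0

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match.items())


@dataclass
class OTSDNSwitch:
    rules: list
    alerts: list = field(default_factory=list)

    def process(self, pkt: Packet) -> tuple:
        """Return the ports the packet is forwarded to. Unmatched traffic is
        never flooded: it goes to the IDS port only, and is alerted on."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.packets += 1
                return rule.out_ports
        # Deny by default. If the source MAC belongs to an engineered flow but
        # arrived on a different port, record it as a suspected spoof.
        known_ports = {r.match.get("in_port") for r in self.rules
                       if r.match.get("eth_src") == pkt.eth_src}
        kind = "spoof" if known_ports and pkt.in_port not in known_ports else "unmatched"
        self.alerts.append({"kind": kind, "in_port": pkt.in_port,
                            "eth_src": pkt.eth_src, "eth_type": pkt.eth_type})
        return (IDS_PORT,)

    def counters(self) -> dict:
        """Per-rule counters, the data the controller collects centrally."""
        return {r.name: r.packets for r in self.rules}


def build_switch() -> OTSDNSwitch:
    """Constructed example: one GOOSE circuit and one SCADA (DNP3) circuit."""
    rules = [
        FlowRule("goose_relay1_to_relay2",
                 {"in_port": "p1", "eth_src": "02:00:00:00:00:01",
                  "eth_dst": "01:0c:cd:01:00:01", "eth_type": ETH_GOOSE},
                 ("p2",)),
        FlowRule("dnp3_master_to_ied",
                 {"in_port": "p3", "eth_src": "02:00:00:00:00:10",
                  "eth_type": ETH_IPV4, "ip_src": "10.0.0.10",
                  "ip_dst": "10.0.0.20", "ip_proto": 6, "dst_port": 20000},
                 ("p2",)),
    ]
    return OTSDNSwitch(rules)


def demo() -> dict:
    """Run four constructed packets through the switch and report results."""
    sw = build_switch()
    goose = Packet("p1", "02:00:00:00:00:01", "01:0c:cd:01:00:01", ETH_GOOSE)
    spoofed = Packet("p4", "02:00:00:00:00:01", "01:0c:cd:01:00:01", ETH_GOOSE)
    dnp3 = Packet("p3", "02:00:00:00:00:10", "02:00:00:00:00:20", ETH_IPV4,
                  "10.0.0.10", "10.0.0.20", 6, 20000)
    arp = Packet("p3", "02:00:00:00:00:10", "ff:ff:ff:ff:ff:ff", ETH_ARP)
    return {
        "goose": sw.process(goose),      # engineered path
        "spoofed": sw.process(spoofed),  # same MAC, wrong port: IDS + spoof alert
        "dnp3": sw.process(dnp3),        # engineered path
        "arp": sw.process(arp),          # no rule: not flooded, IDS only
        "alerts": sw.alerts,
        "counters": sw.counters(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two points the slides make fall out of the code directly. Because the ingress port is part of every match, a packet carrying relay 1's MAC but arriving on another port matches nothing and lands at the IDS with a spoof alert, rather than being learned into a MAC table as a traditional switch would do. And because there is no flood action at all, the ARP broadcast reaches only the IDS port: the IDS sees exactly the traffic the engineering did not anticipate, and the per-rule counters give the controller the metrics for the engineered circuits.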

Targeted Deep Packet Inspection
Focus DPI processing only where it is needed.
- Individual flow(s) from individual switch(es) can easily be sent to a DPI processor
- The DPI process can determine if the packets should be allowed on the network
- If allowed, send them back to the OTSDN switch for further processing; otherwise drop/log
- Reduces the burden on the DPI device by processing only the chosen stream of data

Conclusion
- OTSDN is standard technology with a different methodology
- Purpose-engineered networks allow deny-by-default cybersecurity at every hop in the network
- Deterministic failover with traffic metrics
- New approach to IPS, IDS, and DPI
- Multipath capable / application-based circuits
- Controlled change management and network access

http://cred-c.org
@credcresearch
facebook.com/credcresearch/
Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security