Cyber Security for Utilities Authentication and Encryption for SCADA Communications Channels and Maintenance Ports
Agenda • Mykotronx introduction • Cyber security for utilities • Mykotronx security solutions • Working together
Who We Are • NASDAQ (RNBO) since 1987, $128M revenue in 2002 • Top 10 Global Security Provider: • 75% for high assurance T1 & satellite link encryption • 66% in secure Web acceleration (IDC) • 55% market share in software security • 55% in USB token segment (IDC) • 480 employees in U.S., U.K., France, Netherlands, China, Taiwan, Singapore, Australia, India, Japan, Mexico and Brazil (24/7 worldwide technical support in Los Angeles, London, and Singapore) • The two organizations within Rainbow Technologies, Inc. are:
Awards and Recognition • More NSA certified security products than any other company • Product awards • “Best SSL Accelerator” • Secure Computing: “Pick of 2001” award for iKey • Communications News Editors Choice • VBPJ Readers Choice Award: Best Security Solution • Network Computing 2001 Editors Choice Award • Network Computing 2001 Well-Connected Award • Network World 2000 Blue Ribbon Award for CS600 • AeA 2001 High-Tech Award for CS HSM • AeA 2000 High-Tech Award CS600 • Organizational Quality and Experience • ISO 9001 certified • FIPS, Common Criteria, NIAP, CCEP evaluated and endorsed
Example of Our Product(s) in Action • Fortezza Plus • Key Management • Encryption • Rated to Top Secret
We presume you… • Understand the threat • CIAO findings – July 1997 • AGA/GTI specifications – 1998, completion: 2003 • Sandia National Labs – red team assessment – July 2002 • DIA Threat Assessments – August 2002 (ongoing) • Are following national policy formulation activity • Cyberspace strategy – February 2003 • Physical strategy – February 2003 • Government & Industry recommended practices – ongoing • Will participate in Department of Homeland Security initiatives • Incident reporting • Support to first responders • Have a cyber-security policy for your operations • If not, we will provide a template
The issue today is “How to” • Ensure proper “access control” to your resources • Protect against weak access control • Protect against insider threats • Protect against nation state threats • Eliminate “clear text” from the communications wire • Protect against eavesdropping • Protect against replay, spoofing, etc. • Provide an “effective” secure solution • Protect high-value assets • Non-intrusive • Acceptable performance (latency) • Affordable, acceptable total cost of ownership (TCO) • Ensure a “migration path” to future systems • “Comply” with government and association standards
[Diagram] Maintenance Access Configurations: Clustered; Independent
Mykotronx’ SAM – your first step Secure Authentication Module • Bump-in-the-wire design • Transparent security for existing maintenance dial-up lines • No change to existing hardware • No change to existing communications infrastructure • No change to modem phone numbers or phone lines • Will require a new dialup program at the client computer • Two-factor authentication token for operators • Digitally Signed Challenge/Response • SAM provides strong access control and audit trail
Secure Authentication Module • Security standards • FIPS 140-2 Level 2 • Public Key Authentication • Two-factor tokens • Signed access audit trail • Communication ports • 2 RJ11 phone ports • Phone line • Field device’s modem • Internal modem to accept and authenticate originating call • Internal relay and Ring Generator to wake-up field device’s modem • Power • Derived from the phone line • Environmental • IEEE 1613 (planned)
Two-factor authentication • iKey USB Authentication Tokens • Personal, portable, secure • Digital Signatures & Shared Secret • No reader required • Two-factor authentication • Something you have – the iKey • Something you know – the PIN • Access control examples • Local: SEAM, SAM, workstations • Remote: browser, dialup
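The SAM's digitally signed challenge/response and the iKey's two-factor gate described on the slides above, as an added example in Go. This is not Mykotronx code and does not reproduce the product's actual wire protocol: the SAM issues a one-time random challenge, the operator's token signs it only after the correct PIN is presented, the SAM verifies the signature against the enrolled public key, and every decision is appended to an audit trail signed with the SAM's own key. Ed25519, the 32-byte challenge, the "SAM-AUTH|…" message format and the audit line format are assumptions made here; the slides say only "Public Key Authentication".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Token stands in for the operator's USB token: the key never leaves it (something you have)
// and only works after the correct PIN is presented (something you know). Assumed design.
type Token struct {
	pinHash [32]byte
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
}

func NewToken(pin string) *Token {
	pub, priv := keypair()
	return &Token{pinHash: sha256.Sum256([]byte(pin)), priv: priv, Pub: pub}
}

func (t *Token) Sign(pin string, msg []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], t.pinHash[:]) != 1 {
		return nil, errors.New("token: wrong PIN")
	}
	return ed25519.Sign(t.priv, msg), nil
}

// AuditEntry is one access decision; Sig is the SAM's own signature over Line.
type AuditEntry struct{ Line string; Sig []byte }

// SAM is the bump-in-the-wire authenticator on the maintenance dial-up line.
type SAM struct {
	ID        string
	priv      ed25519.PrivateKey
	Pub       ed25519.PublicKey
	operators map[string]ed25519.PublicKey // enrolled token public keys
	pending   map[string][]byte            // one outstanding challenge per operator
	Audit     []AuditEntry
}

func NewSAM(id string) *SAM {
	pub, priv := keypair()
	return &SAM{ID: id, priv: priv, Pub: pub, operators: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *SAM) Enroll(operator string, pub ed25519.PublicKey) { s.operators[operator] = pub }

// Challenge issues a fresh random nonce; the next Verify consumes it, so a recorded response cannot be replayed.
func (s *SAM) Challenge(operator string) ([]byte, error) {
	if _, ok := s.operators[operator]; !ok {
		return nil, errors.New("sam: operator not enrolled")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[operator] = c
	return c, nil
}

// ChallengeMessage binds the response to this SAM and operator, so a response for one device cannot be relayed to another.
func ChallengeMessage(samID, operator string, challenge []byte) []byte {
	return append([]byte("SAM-AUTH|"+samID+"|"+operator+"|"), challenge...)
}

// Verify consumes the pending challenge, good signature or not, and appends the decision to the signed audit trail.
func (s *SAM) Verify(operator string, sig []byte) error {
	c, ok := s.pending[operator]
	delete(s.pending, operator)
	result, err := "ALLOW", error(nil)
	switch {
	case !ok:
		result, err = "DENY", errors.New("sam: no outstanding challenge (replay or out of order)")
	case !ed25519.Verify(s.operators[operator], ChallengeMessage(s.ID, operator, c), sig):
		result, err = "DENY", errors.New("sam: signature invalid")
	}
	line := fmt.Sprintf("%d|%s|%s", len(s.Audit)+1, operator, result)
	s.Audit = append(s.Audit, AuditEntry{line, ed25519.Sign(s.priv, []byte(line))})
	return err
}

// AuditIntact re-verifies every entry against the SAM's public key; an edited or forged line fails.
func (s *SAM) AuditIntact() bool {
	for _, e := range s.Audit {
		if !ed25519.Verify(s.Pub, []byte(e.Line), e.Sig) {
			return false
		}
	}
	return true
}
```

The dial-in flow is Challenge, then Sign over ChallengeMessage on the token with the PIN, then Verify. A second Verify with the same signature fails because the challenge was consumed; a signature made for another SAM's ID fails because the ID is part of the signed message; the wrong PIN never releases a signature at all; and AuditIntact returns false as soon as any audit line is edited after the fact.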
[Diagram] AGA 12-1 SCADA Configurations: Point to point; Cascaded; Multi-drop or Multi-point
Mykotronx’ SEAM – next step Secure Encryption and Authentication Module • Bump-in-the-wire design • Transparent security for existing SCADA systems • No change to existing SCADA hardware • No change to existing communications infrastructure • No change to existing SCADA protocols • Supports bit and byte oriented protocols • Two modes: link encryptor and protocol-aware • “Modem command” pass-through • SEAM provides strong authentication, audit trail, and encryption
SEAM Substation Device • Security standards • FIPS 140-2 Level 2 • AES Encryption • Public Key Authentication • Two-factor tokens • Signed audit trail • Communication ports • 2 Serial ports • SCADA Field device • Communications channel • 2 USB ports • Local management • User authentication token • 2 Ethernet ports (version 2) • Distributed management • Field communications • Power • External +5 to 48VDC • Environmental • IEEE 1613 (planned)
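The SEAM's link-encryptor mode, as an added example in Go. This is not Mykotronx code and is not the AGA 12-1 frame format: each direction of the serial channel carries a clear but authenticated header of one direction byte and a 32-bit sequence number, the SCADA frame itself is opaque bytes under AES-GCM (the encryptor does not care which bit- or byte-oriented protocol the field device speaks), and the receiving end rejects frames that are reflected, replayed, reordered, modified or encrypted under a different key. The header layout, the choice of GCM, the refuse-to-send-on-sequence-exhaustion rule and the sample poll bytes are assumptions made here; the slides say only "AES Encryption".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire layout of one protected frame (assumed for this example):
//   [1 byte direction][4 byte sequence][ciphertext][16 byte GCM tag]
// Direction and sequence travel in the clear but are authenticated as associated
// data, and together they form the GCM nonce, so no (key, nonce) pair is reused.
const hdrLen = 5

// Link is one end of a bump-in-the-wire link encryptor.
type Link struct {
	aead  cipher.AEAD
	dir   byte            // 0 = master to field, 1 = field to master
	txSeq uint32          // last sequence number sent
	rxSeq map[byte]uint32 // highest sequence number accepted per direction
}

// NewLink takes the 16- or 32-byte AES key shared by both ends of the channel.
func NewLink(key []byte, dir byte) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead, dir: dir, rxSeq: map[byte]uint32{}}, nil
}

func nonce(dir byte, seq uint32) []byte {
	n := make([]byte, 12)
	n[0] = dir
	binary.BigEndian.PutUint32(n[8:], seq)
	return n
}

// Wrap protects one SCADA frame, treated as opaque bytes. Sending stops when the
// sequence space is used up, because a repeated nonce would break GCM; that is
// the point at which a key refresh from the management unit is required.
func (l *Link) Wrap(frame []byte) ([]byte, error) {
	if l.txSeq == ^uint32(0) {
		return nil, errors.New("seam: sequence space exhausted, rekey before sending more")
	}
	l.txSeq++
	hdr := make([]byte, hdrLen)
	hdr[0] = l.dir
	binary.BigEndian.PutUint32(hdr[1:], l.txSeq)
	out := make([]byte, hdrLen, hdrLen+len(frame)+l.aead.Overhead())
	copy(out, hdr)
	return l.aead.Seal(out, nonce(l.dir, l.txSeq), frame, hdr), nil
}

// Unwrap recovers the frame, rejecting anything reflected, replayed, reordered,
// modified, or encrypted under a different key.
func (l *Link) Unwrap(wire []byte) ([]byte, error) {
	if len(wire) < hdrLen+l.aead.Overhead() {
		return nil, errors.New("seam: frame too short")
	}
	hdr, ct := wire[:hdrLen], wire[hdrLen:]
	dir, seq := hdr[0], binary.BigEndian.Uint32(hdr[1:])
	if dir == l.dir {
		return nil, errors.New("seam: own frame reflected back")
	}
	if seq <= l.rxSeq[dir] {
		return nil, errors.New("seam: replayed or out-of-order frame")
	}
	frame, err := l.aead.Open(nil, nonce(dir, seq), ct, hdr)
	if err != nil {
		return nil, errors.New("seam: authentication failed (tampered or wrong key)")
	}
	l.rxSeq[dir] = seq // advance only after the frame authenticates
	return frame, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key only
	master, _ := NewLink(key, 0)
	field, _ := NewLink(key, 1)
	poll := []byte{0x05, 0x64, 0x05, 0xC0, 0x01, 0x00, 0x00, 0x04} // constructed sample frame
	wire, _ := master.Wrap(poll)
	fmt.Printf("on the wire: %x\n", wire)
	frame, err := field.Unwrap(wire)
	fmt.Printf("field end recovered %x (err=%v)\n", frame, err)
	_, err = field.Unwrap(wire)
	fmt.Println("same frame again:", err)
}
```

The sequence check runs before decryption so a flood of replays costs no AES work, but the receive window only advances after authentication, so a forged header with a high sequence number cannot lock out legitimate traffic. Because the nonce is derived from the counter rather than sent separately, the two ends must be rekeyed before the counter wraps; that is the job the slides give to the CKTO management unit's in-band key refresh.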
SEAM Control Center Device • Rack mount chassis • 19” chassis, 6U front panel • Security standards • FIPS 140-2 Level 2 • AES Encryption • Public Key Authentication • Two-factor tokens • Signed audit trail • Communication ports • Up to 16 blades • 2 Serial ports per blade • SCADA Master/FEP • Communications channel • Hot-swappable blades • 2 USB ports • Local management • User authentication token • Ethernet ports • Administration • Future communications (2)
SEAM, SAM & iKey Management • Life cycle management • CKTO Management Unit • Centralized Configuration, Key, Token & Operator Management • Automated in-band, on-the-fly refresh • Browser-based operator interface • Signed audit trails • Security • FIPS 140-2 Level 3 certification • Public Key Cryptography for operator authentication • AES for confidentiality • Two factor authentication tokens required for operators • Future functionality • Upgradeable firmware/software • Intrusion Detection System
[Diagram] Management Configuration: CKTO Management unit managing SEAM, SEAM and SAM devices
Why is Mykotronx here? • Our mission is protecting information • Extensive relationships with government agencies - intelligence, defense and civilian • Introduced to the utility need by government agencies • Active members of multiple utility standards organizations • Extensive commercial customers, including utilities • Our expertise is appropriate for the need • High-assurance & high-performance cryptography • User authentication • Confidentiality • Communications – Dialup, T1, Satellite, Internet, Voice, Video • Experienced in Vulnerability, Threat & Risk Assessments, Security Policy, Business Continuity and Disaster Recovery planning
The security solutions • Strong cryptography for SCADA and maintenance communications • Public Key Cryptography-based • Robust trust relationships methodology for SEAM/SAM and operators • Two-factor authentication tokens for operators • AES-based, AGA 12-1 • Life cycle management • Device configuration, keys, two-factor tokens • In-band real-time SEAM/SAM management • Browser-based operator and token management • Intrusion Detection System (future) • Protect your investment • Migration path from legacy channels to Ethernet-based channels
Points of Contact
Mykotronx, Inc., 357 Van Ness Way, Suite 200, Torrance, CA 90501
Phone: (310) 533-8100 • Fax: (310) 533-0527
STU III: (310) 533-0738 [Secret] • (310) 787-2799 [Top Secret]
Home page: http://www.mykotronx.com
Brad Beutlich, Director, Commercial Business Development • Phone: (310) 533-8100 x6285 • E-mail: bbeutlich@mykotronx.com
Paul Blomgren, CISSP, Systems Security Architect, Business Development • Phone: (310) 533-8100 x6254 • E-mail: pblomgren@mykotronx.com