
1 November 30, 2011 Baker Hughes Discussion

2 Confidential McAfee Internal Use Only. The SGSIA addresses the entire ecosystem. The Smart Grid Security Innovation Alliance is a working association dedicated to practical deployment of the smart grid complex system solution in the United States:
– Utilities
– Systems integrators
– Manufacturers
– Technology partners
– National certification and interoperability entity
The alliance is intended to give the CEO of a utility the purview of up-to-the-moment knowledge of the options available to make wise investment decisions regarding infrastructure deployment for optimal returns. The variation includes the proper orientation for large, medium, and small utilities.

3 Participants
First Build:
– Integrated Architectures
– Drummond Group
– Wurldtech
– Sypris
– SAIC
– Nakina
– OATI
– Silver Springs*
– Landis & Gyr*
– GE*
– Ecological Analytics*
Subsequent Builds:
– Schweitzer Engineering Labs
– RuggedCom
– Coulomb*
– Wurldtech
– OSIsoft
– SNMP Research
– Emerson Ovation
– Honeywell
– Certipath
– First Data
– Ambient
– Tibco
– NitroSecurity
– Pitney Bowes
– McAfee (3)
– Tiger's Lair
– PsiNaptic
– Green Hills
– TeamF1
– Actiontec
– Verizon
– Verisign
– Entrust
– SafeNet
– Thales
– Microsoft
– Telcordia
– e-Meter
– Cisco
– Motorola
– Wind River
*We will work with your incumbent smart meter provider in conjunction with the home gateway program.

4 The embedded systems include: Our strategy is to provide certified interoperability to the key devices controlling the grid. The McAfee HSM solution would be embedded at each critical point in the energy infrastructure. All points must connect to each other in an end-to-end system.

5 Our analysis using the architecture model shows that, of all the myriad elements in the functional diagrams, there are really only four recurring design patterns that are intrinsic to the security strategy. The SGSIA is a source of interoperable system security elements using standardized design patterns.

6 To establish the secure communications from the Controller to the Device Node using the Security Fabric elements, let us proceed in chronological order.
1. Identity Management – Ensures the device identity is established genuinely.
2. Mutual Authentication – Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other.
3. Authorization – Manages permission to proceed with specific operations.
4. Audit – Records noteworthy events for later analysis.
5. Confidentiality – Encrypts sensitive data for matters of privacy.
6. Integrity – Ensures that messages have not been altered.
7. Availability – Prevents denial of service attacks.
8. Non-repudiability – Ensures that the authority for events cannot be denied after the fact.
These are the eight tenets of security as described in the NIST-IR 7628 Guidelines.

7 The general approach to power distribution. [Diagram: Central Control, Local Area Relay, Neighborhood Relay, Substation Relay. Components labelled: Tibco "FTL" (E&LM), CloudShield MPP, Nitro SIEM, RuggedCom / Ambient / Intel Application Cards, Communications / Firewall, E&LM, Sensor Mgt, Meter App, SA Cell Manager, Master Agent, Posture Validation, Remediation Server, Jini SP "Multicast Alert Relay", MASA "Cell Management", "Local Management"]

9 A tailored trustworthy space (TTS) provides flexible, adaptive, distributed trust environments for a set of devices and applications that can support functional and policy requirements arising from a wide spectrum of activities in the face of an evolving range of threats. A TTS recognizes a device's context and evolves as the context evolves.

10 Let us define the Security Fabric by building a control system. [Diagram caption: An example of a tailored trustworthy space built using the Security Fabric components]

11 In a control system, there are a controller and several devices controlled by remote device nodes. [Diagram: TTS example; Controller and Device Node]

12 Sometimes they are redundant for high availability. [Diagram: TTS example; redundant Controller and Device Node]

13 They talk to each other using IP-based switches. [Diagram: TTS example; adds a Switch (Enet) between Controller and Device Node]

14 They have management workstations and servers that supervise the controller and device nodes. [Diagram: TTS example; adds Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS and Engineering WS on the switch]

15 Fault Management operates from the operator workstation; this includes surveillance + operator commands. [Diagram as on slide 14]

16 Configuration Management operates from the engineering workstation augmented by the database server; this includes configuration parameters + the firmware repository. [Diagram as on slide 14]

17 Usage and log management operates from the historian; the event management and distribution occurs here. [Diagram as on slide 14]

18 Security management is administered on the security server, but real-time security operations happen on the domain server. [Diagram: TTS example; adds GPS Time Sync]

19 The Security Fabric permeates the distributed management functions, but is mostly separate from the application functions. Our strategy is to separate the management functions from the application functions as much as possible, so that if the application becomes compromised or inoperable, the management system can easily be used to remediate the problem.

20 With this in mind, both the Controller and the Device Node keep the management functions separate from the application. [Diagram: TTS example; Controller and Device Node each split into a Management and an Application partition]

21 This is done using a separation kernel to keep the application from ever interfering with the management functions. [Diagram: TTS example; Controller and Device Node each show RTOS / Hypervisor / RTOS] The hypervisor creates two different virtual machines on both the Controller and the Device Node. They function like two completely separate machines within each physical machine.

22 The application in the controller monitors and controls the application in the device node. [Diagram: TTS example; adds an Application Session between the two application partitions] These use the same physical wire, but must be securely isolated.

23 And the management functions and policies in the controller support the management agent in the device node. [Diagram: TTS example; adds a Management Session beside the Application Session] These use the same physical wire, but must be securely isolated.

24 To establish the secure communications from the Controller to the Device Node using the Security Fabric elements, let us proceed in chronological order through the eight NIST-IR 7628 tenets listed on slide 6: Identity Management, Mutual Authentication, Authorization, Audit, Confidentiality, Integrity, Availability and Non-repudiability.

25 The first order of business is for the management workstations and servers to be powered on and ready for business. There are many small steps that occur when servers and PCs power up, but for simplicity's sake, let's assume that the devices and their applications are all powered up and initialized. [Diagram: management side only (Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS); labels: Fault Management; Situational Awareness Console; Configuration Management Console]

26 The Controller must power on before any of the device nodes can use it. [Diagram: the Controller (Management / Application) joins the management side]

27 Identity Management is the most crucial aspect of embedded security: we use a Hardware Security Module to protect the unique identity of the Controller. [Diagram: TTS example; the Controller's management partition gains an HSM; label: Identity Management]
The HSM:
– is a special-purpose ASIC that is FIPS Level 3 certified (environmentally tamper resistant);
– houses an array of crypto functions;
– self-generates and hides the secret key that identifies the device;
– manages the public key as well as the key management functions over the lifetime of the device;
– also maintains the secure clock for the device.
The identity is generated and stored here as part of the secure supply chain process.

28 Step two is to use the secure identity to mutually authenticate and get credentials from the Domain Server, which uses Active Directory and its Kerberos PKINIT service meant to support embedded devices. [Diagram: TTS example; labels: Mutual Authentication; Authentication; Authorization]
– Mutual authentication occurs first.
– The Controller then authorizes the download of additional security information.

29 Step three is to use the secure credentials exchange to determine the authentic paths to important management servers, and to download the up-to-date whitelist. [Diagram: TTS example; labels: IPsec VPN; Application Proxy; Auditing]
At registration time, the Controller also verifies the secure path to the:
– Firmware repository and configuration synchronizer on the Database Server
– Event management service on the Historian
– Secure time service on the Domain Server
The Domain Server maintains the valid security certificates, deleting the ones that have been revoked. The Controller downloads the whitelist at registration (or at any other time on demand). The Historian records the fact that the Controller is now operating.

30 Step four is to update the firmware to the latest rev if it is out of date. [Diagram: TTS example; labels: IPsec VPN; Application Proxy; Policy Management; Change Mgt; Problem Mgt; Flash; Confidentiality]
If the firmware is out of date or not yet loaded, the Change Management policies will:
– Download the manifest of firmware that has been assigned for the device
– Attest to the fact that the signatures are good so that the firmware is trusted
– Store the new (as well as the old) firmware to persistent flash memory
– Transition gracefully into production according to the current policies
IPsec ensures the software cannot be monitored and copied during downloads.
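The four Change Management steps above, carried through as an added worked example in Go; this is not the Security Fabric's or McAfee's own code, and the manifest fields, the Ed25519 signing key, the image hash check and the two-bank flash model are all assumptions made here, since the slide names none of them. The device verifies the manifest signature before trusting anything in it, checks the downloaded image against the hash the signed manifest carries, keeps the previous image in a standby bank, and only then switches versions; a corrupted image and a manifest signed by an unknown key are both refused while the running image stays in place.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes the firmware assigned to a device. Field names are assumptions
// made for this example; the page defines no manifest format.
type Manifest struct {
	DeviceClass string `json:"device_class"`
	Version     int    `json:"version"`
	ImageSHA256 string `json:"image_sha256"`
}

// FlashBanks models persistent flash that keeps the previous image beside the new one.
type FlashBanks struct {
	Active, Standby []byte
	ActiveVersion   int
}

// applyUpdate is the device side of step four: attest the manifest signature, check the
// downloaded image against the signed hash, keep the old image, then switch.
// It returns true when a transition to a new version took place.
func applyUpdate(pub ed25519.PublicKey, manifestJSON, sig, image []byte, flash *FlashBanks) (bool, error) {
	// Nothing in the manifest is trusted before its signature verifies.
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return false, errors.New("manifest signature invalid: firmware not trusted")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return false, err
	}
	if m.Version <= flash.ActiveVersion {
		return false, nil // already at the assigned revision
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.ImageSHA256 {
		return false, errors.New("image hash does not match signed manifest")
	}
	flash.Standby = flash.Active // old image stays available for rollback
	flash.Active = append([]byte(nil), image...)
	flash.ActiveVersion = m.Version
	return true, nil
}

// Outcome records what runScenario observed.
type Outcome struct {
	Updated, RollbackAvailable, TamperedRejected, WrongKeyRejected bool
}

// runScenario applies a good update, then shows that a modified image and a manifest
// signed by an unknown key are both refused while the running image is left untouched.
func runScenario() (Outcome, error) {
	var out Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // signing key of change management
	if err != nil {
		return out, err
	}
	oldImage := []byte("firmware v1 (constructed sample image)")
	newImage := []byte("firmware v2 (constructed sample image)")
	sum := sha256.Sum256(newImage)
	manifestJSON, err := json.Marshal(Manifest{DeviceClass: "controller", Version: 2, ImageSHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return out, err
	}
	sig := ed25519.Sign(priv, manifestJSON)
	flash := &FlashBanks{Active: oldImage, ActiveVersion: 1}
	if out.Updated, err = applyUpdate(pub, manifestJSON, sig, newImage, flash); err != nil {
		return out, err
	}
	out.RollbackAvailable = bytes.Equal(flash.Standby, oldImage) && flash.ActiveVersion == 2
	tampered := append([]byte(nil), newImage...)
	tampered[0] ^= 0xff // one corrupted byte in the downloaded image
	flash2 := &FlashBanks{Active: oldImage, ActiveVersion: 1}
	_, terr := applyUpdate(pub, manifestJSON, sig, tampered, flash2)
	out.TamperedRejected = terr != nil && bytes.Equal(flash2.Active, oldImage)
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	if err != nil {
		return out, err
	}
	badSig := ed25519.Sign(otherPriv, manifestJSON)
	_, kerr := applyUpdate(pub, manifestJSON, badSig, newImage, flash2)
	out.WrongKeyRejected = kerr != nil && flash2.ActiveVersion == 1
	return out, nil
}

func main() {
	out, err := runScenario()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

The order of checks matters: the signature is verified over the raw manifest bytes before they are parsed, and the image hash is compared only against a value taken from a manifest that already passed that check, so a tampered image cannot bring its own hash along with it. The standby bank is what makes the "transition gracefully" step possible, since a failed boot can fall back to the previous image.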

31 All Device Nodes that want to be part of the Security Fabric must also authenticate with the Domain Server (the trusted third party) whenever they power up. [Diagram: TTS example; the Device Node gains an HSM; labels: Mutual Authentication; Authentication; Authorization] This prepares the Device Node to join the tailored trustworthy space.

32 The authentication ticket received from the Domain Server contains a section encrypted by the Device Node public identity key plus a section encrypted by the Controller public identity key. [Diagram: TTS example; labels: Mutual Authentication; Authentication; Authorization] The Device Node also requests a ticket to talk to the Controller. The Domain Server encrypts a portion using the identity of each of the two machines.
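The two-section ticket described on this slide, as an added Go example that is not the Security Fabric's or McAfee's own code. It simplifies the slide's scheme in one respect, stated here as an assumption: each section is sealed with a symmetric key that its principal registered with the Domain Server (AES-256-GCM), rather than with the public identity key the slide names, because Go's standard library has no public-key encryption primitive. The section layout, field names, principal names and 8-hour lifetime are likewise assumptions. Both sections carry the same fresh session key; each side can open only its own, a section cannot be re-addressed to another principal, and a ticket that names the wrong pair or has expired is refused.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// TicketPart is what the Domain Server seals for each principal. Field names are assumptions.
type TicketPart struct {
	Client     string `json:"client"`      // the Device Node
	Service    string `json:"service"`     // the Controller
	SessionKey []byte `json:"session_key"` // fresh key the two will share
	Expires    int64  `json:"expires"`     // Unix time
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFor: AES-256-GCM under key, with the recipient's name as associated data so a section cannot be re-addressed.
func sealFor(key, body []byte, recipient string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, body, []byte(recipient))...), nil
}

// openFor is the inverse; a wrong key or a wrong recipient fails authentication.
func openFor(key, sealed []byte, recipient string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], []byte(recipient))
	}
	return nil, errors.New("sealed section too short")
}

// issueTicket runs on the Domain Server, the trusted third party holding both principals' keys.
func issueTicket(deviceKey, controllerKey []byte, device, controller string, now time.Time) ([]byte, []byte, error) {
	body, _ := json.Marshal(TicketPart{Client: device, Service: controller, // cannot fail for this struct
		SessionKey: randomBytes(32), Expires: now.Add(8 * time.Hour).Unix()})
	forDev, err := sealFor(deviceKey, body, device)
	if err != nil {
		return nil, nil, err
	}
	forCtl, err := sealFor(controllerKey, body, controller)
	return forDev, forCtl, err
}

// readPart is run by principal "me" on its own section; the session key is released only if the ticket names the expected pair and has not expired.
func readPart(key, sealed []byte, me, client, service string, now time.Time) (TicketPart, error) {
	body, err := openFor(key, sealed, me)
	if err != nil {
		return TicketPart{}, errors.New("section was not sealed for this principal")
	}
	var p TicketPart
	if err := json.Unmarshal(body, &p); err != nil {
		return TicketPart{}, err
	}
	if p.Client != client || p.Service != service || !now.Before(time.Unix(p.Expires, 0)) {
		return TicketPart{}, errors.New("ticket names do not match or ticket has expired")
	}
	return p, nil
}

// runExchange: each side opens its own section and both hold the same session key, while the Controller, holding a different key, cannot open the Device Node's section.
func runExchange() (bool, bool, error) {
	deviceKey, controllerKey := randomBytes(32), randomBytes(32)
	now := time.Unix(1322611200, 0) // 2011-11-30 UTC, constructed
	forDev, forCtl, err := issueTicket(deviceKey, controllerKey, "device-node-17", "controller-a", now)
	dev, err1 := readPart(deviceKey, forDev, "device-node-17", "device-node-17", "controller-a", now)
	ctl, err2 := readPart(controllerKey, forCtl, "controller-a", "device-node-17", "controller-a", now)
	if err != nil || err1 != nil || err2 != nil {
		return false, false, errors.New("ticket issue or open failed")
	}
	_, xerr := readPart(controllerKey, forDev, "controller-a", "device-node-17", "controller-a", now)
	return string(dev.SessionKey) == string(ctl.SessionKey), xerr != nil, nil
}
```

The Device Node never learns the Controller's key and vice versa; the Domain Server, which knows both, is the only party that can seal a section for each, which is why the slide calls it the trusted third party. Binding the recipient's name into the GCM associated data means that even a principal with the right key rejects a section that was addressed to someone else. The functions are exercised from a Go test calling runExchange; the same calls can be placed in a main of your own.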

33 The next step is for the Device Node to establish secure communications with the Controller. [Diagram: TTS example; labels: Mutual Authentication; Authentication; Authorization] The Device Node requests to join the Security Fabric using the ticket now also trusted by the Controller.

34 Once authenticated, the device node can proceed to establish two secure paths to the Controller: one for management purposes and one for application purposes. [Diagram: TTS example; Application Session and Management Session between Controller and Device Node; labels: IPsec VPN; Confidentiality] These use the same physical wire, but must be securely isolated.

35 The small embedded firewall in the communications path protects against denial of service attacks as well as a number of sophisticated malware attacks. [Diagram: TTS example; Application Session and Management Session; labels: IPsec VPN; Availability; Firewall] These use the same physical wire, but must be securely isolated.

36 The inter-process communications services of the middleware use messages to communicate back and forth between the Controller and the Device Node over the secure sessions. [Diagram: TTS example; Session; Inter Process Message]

37 The inter-process communications service computes a secure message digest and appends it to the end of each message to ensure that the message is never altered in flight. [Diagram: TTS example; Inter Process Message + MD (Message Digest); labels: Integrity; Non-repudiability]
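The appended message digest of this slide, as an added Go example that is not the Security Fabric's or McAfee's own code. It frames one constructed IPC message three ways and shows what each trailer actually buys: a bare SHA-256 digest catches a flipped bit but is accepted when a replacement message is re-framed by a party holding no key at all, so the "never altered in flight" guarantee needs the session key (HMAC-SHA256) or the sender's identity key (an Ed25519 signature) folded into the trailer; and only the signature supports the non-repudiability the slide also labels, because a shared-key MAC could have been produced by either endpoint. The message format, the session key value, the trailer placement and the key names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// split separates a frame into message and trailer of the given length.
func split(frame []byte, trailerLen int) (msg, trailer []byte, ok bool) {
	if len(frame) < trailerLen {
		return nil, nil, false
	}
	return frame[:len(frame)-trailerLen], frame[len(frame)-trailerLen:], true
}

// flipBit simulates corruption of one message byte in flight (callers pass fresh frames).
func flipBit(f []byte) []byte {
	f[10] ^= 0x01
	return f
}

// 1. Bare digest: detects accidental corruption, but anyone on the wire can recompute it.
func frameDigest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return append(append([]byte{}, msg...), sum[:]...)
}
func verifyDigest(frame []byte) ([]byte, bool) {
	msg, tag, ok := split(frame, sha256.Size)
	if !ok {
		return nil, false
	}
	sum := sha256.Sum256(msg)
	return msg, hmac.Equal(sum[:], tag)
}

// 2. Keyed digest (HMAC-SHA256) under the session key: only the two endpoints can produce a valid tag.
func frameMAC(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return append(append([]byte{}, msg...), mac.Sum(nil)...)
}
func verifyMAC(key, frame []byte) ([]byte, bool) {
	msg, tag, ok := split(frame, sha256.Size)
	if !ok {
		return nil, false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return msg, hmac.Equal(mac.Sum(nil), tag)
}

// 3. Signature under the sender's identity key (the kind an HSM guards): a receiver or later auditor can show who authorised the message.
func frameSig(priv ed25519.PrivateKey, msg []byte) []byte {
	return append(append([]byte{}, msg...), ed25519.Sign(priv, msg)...)
}
func verifySig(pub ed25519.PublicKey, frame []byte) ([]byte, bool) {
	msg, sig, ok := split(frame, ed25519.SignatureSize)
	if !ok {
		return nil, false
	}
	return msg, ed25519.Verify(pub, msg, sig)
}

// Outcome: which trailers catch a flipped bit, and which catch a replacement message re-framed by a party holding no key.
type Outcome struct {
	DigestCatchesFlip, MACCatchesFlip, SigCatchesFlip              bool
	DigestAcceptsReframed, MACRejectsReframed, SigRejectsReframed bool
}

func runScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // sender's identity key pair
	if err != nil {
		return Outcome{}, err
	}
	sessionKey := []byte("constructed 32-byte session key!") // stands in for the key both endpoints share
	msg := []byte(`{"cmd":"set_point","value":42}`)          // constructed sample IPC message
	_, okD := verifyDigest(flipBit(frameDigest(msg)))
	_, okM := verifyMAC(sessionKey, flipBit(frameMAC(sessionKey, msg)))
	_, okS := verifySig(pub, flipBit(frameSig(priv, msg)))
	o := Outcome{DigestCatchesFlip: !okD, MACCatchesFlip: !okM, SigCatchesFlip: !okS}
	// A replacement message framed by a party that holds neither the session key nor the sender's identity key:
	replaced := []byte(`{"cmd":"set_point","value":99}`)
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	_, okD = verifyDigest(frameDigest(replaced))
	_, okM = verifyMAC(sessionKey, frameDigest(replaced))
	_, okS = verifySig(pub, frameSig(other, replaced))
	o.DigestAcceptsReframed, o.MACRejectsReframed, o.SigRejectsReframed = okD, !okM, !okS
	return o, nil
}

func main() {
	o, err := runScenario()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

All three comparisons go through hmac.Equal or ed25519.Verify so that trailer checks take constant time. In the architecture the slides describe, the session already runs over IPsec, which carries its own per-packet integrity check; the value of a keyed or signed trailer at the message layer is that it survives logging by the Historian and can be re-checked during later analysis, which a transport-layer check cannot provide.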

38 So now, the Controller and the Device Node can commence doing real work without ever having to think about the security aspects of the system. [Diagram: each application partition contains an Event Loop, Down Stream, Transform and Exception Handler, exchanging Messages over the Session]

39 This entire light-up sequence took place in the twinkling of an eye.

40 If ever an anomaly is detected, the management agents can forward event notifications to the operator workstation, the security server, and the historian in one movement. [Diagram: TTS example; labels: Policy Management; Problem Mgt; Alarm]

41 Our secure silicon instrumentation can watch the behavior of the application in ways where the software does not even know it is being watched. [Diagram: TTS example; FPGA; labels: Policy Management; Problem Mgt; Pattern Anomaly Observation]

42 If necessary, you can have the management system automatically download extra telemetry to monitor an attack while it is occurring, or safely download a repaired application for remediation. [Diagram: TTS example; labels: Policy Management; Problem Mgt; Change Mgt]

43 The fully-assembled system looks like this. [Diagram: Controller and Device Node, each with Enet, HSM, FPGA, Flash and Down st(ream) hardware; Processor Cores running RTOS / Hypervisor / RTOS with Middleware; Management partition with Mutual Authentication, IPsec VPN, Firewall, Diagnostics, Policy Management, Change Mgt, Problem Mgt; Application partition with Event Loop, Down Stream, Transform, Exception Handler; connected via the Switch to Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS and GPS Time Sync]

44 The payload devices are thus fully secure with all the recommendations in NIST-IR 7628. But to complete the tailored trustworthy space, we must protect the management workstations and servers, also.

45 Application whitelisting is extremely useful in locking down the management servers and workstations. [Diagram: Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Engineering WS] Whitelisting the management servers ensures nothing runs on them that is not supposed to run on them. Firewalls in or around the switches limit who can connect to them.

46 In summary, the Security Fabric provides all the features for embedded security outlined in NIST-IR 7628. This is reasonable security for all critical infrastructure.

48 Constructing a Supply "Chain of Trust"
[Diagram. Legend: SIGN (S) = embedded and cryptographically secured unique IDs; VERIFY (V) = cryptographically secured verification protocol; db = database; HSM = Hardware Security Module.
Stages: Design, Production, Deployment, Field. Boxes: Device Design (Maker; Red Team / Qualification / Certification by Checker); Device Manufacturing (Maker); Distribution / Inventory (Vendor); Deployed with Final Configuration and Policy Settings (Utility; Vendor Security Officer); Firmware Updates (Service Provider / Maker; Red Team / Qualification / Certification by Checker).
Callouts:
– Embed anti-tampering, anti-malware, production control and system security features here.
– Protect chips, boards and devices with embedded anti-counterfeiting and anti-reverse engineering IP.
– Track / manage equipment inventories, revision control, firmware and software version. Verify as-built matches as-designed.
– Program / configure security policies specific to the utility. Securely update to maintain the system and counter new incidents and threats.
Outcomes: Secured System; Secure Device Mgmt; Secure Software Upgrades; Secure Policy Management.]
