SecFlow Overview

U&T Target Market Segments Utilities Transportation Power Water Oil & Gas Mining Railways Motorways Air Traffic Control Maritime Power: Generation, Transmission, Utelco Services: Banking, Finance, insurance, Medical.. Rail: High Speed, Light Rail, Metro, Inter City, Interlocking depts.,Infrastructure depts Motorways: Highway, Traffic Control, Tunnels, Bridges, Tolls Governments: Police, Education, Municipalities, Emergency… Defense: Army, Navy, AF, Coast Guard, International Forces, Homeland Security… Marine: Sea Ports, Shipping, Rescue, Marine Traffic Control (MTC)

Power Utilities Trends The power utilities communication needs are in evolution phase: Migration to Packet in various parts of the network: Replacement of SDH/PDH core to Ethernet/IP/MPLS Replacement of old Substation technology to IEC 61850 based solution which are consist of Ethernet “LAN” and packet signaling Migration of old SCADA/RTU’s from Serial to IP based Smart Grid – Implementation of Demand Response techniques for improved automation and control of the distribution grid and deployments of Smart Meters Growing need for Cyber & Physical security solutions

Challenges Of Power Utilities Communication Networks Evolution in the Substation Migration to PSN in the Substation while supporting multi services Teleprotection connectivity over SDH and PSN Substation Automation and Cyber security Smart Grid Secured backhaul solutions for Smart Meters Growth in Bandwidth Transitioning the operational network to PSN while maintaining reliability, security & simplicity Clock Synchronization over the PSN network Product Obsolescence – old RTUs and substation communications PDH/SDH multiplexers are out of production and service, however, there is still a need to maintain Legacy equipment and installed base

Industrial Control Systems Industrial control systems used to monitor and remotely control critical industrial processes SCADA systems Distributed Control Systems (DCS) Programmable Logic Controllers (PLC) Highly distributed Geographically separated assets Centralized data acquisition and control are critical Oil and gas pipelines Electrical power grids Railway transportation systems NIST Special Publication 800-82 focuses on Security for Industrial Control Systems. It considers SCADA systems to be a subset of ICS. The other books focus on SCADA but acknowledge the other components DCS and PLC. Last bullet emphasizes the need for public and private sector cooperation

SCADA System Supervisory Control And Data Acquisition (SCADA) – An industrial measurement and control system. SCADA elements are: Central device Central Master Station – Supervisory system, gathering data on the process and sending action commands. Remote devices Programmable Logic Controller (PLC) and Remote Terminal Unit (RTU) – Connecting to sensors in the process, converting sensor signals to digital data and sending digital data to the supervisory system. Intelligent Electronic Devices (IED) – Microprocessor based controller which monitor and perform proactive functions. Designed to support substation automation functions.

Supervisory Control and Data Acquisition (SCADA), System Overview Source: http://en.wikipedia.org/wiki/File:DNP-overview.png SCADA communication Protocols Modbus DNP3 IEC101, IEC104 RTUs PLCs IEDs

IEC 61850 International standard for substation automation systems developed to create an open communication environment IEC 61850 provides interconnection of substation devices on high speed Ethernet network IEC 61850 comprises 10 separate standards IEC 61850-1 through to IEC 61850-10 IEC 61850-3 Specifies general requirements for the hardware design must support three major requirements: Electromagnetic Interference (EMI), immunity – Strong electromagnetic compatibility (EMC) design to protect against EMI Operating temperature -40° to 75°C – substation environments can experience temperatures as high as 75°C and as low as -40°C

SecFlow Portfolio Overview SecFlow – Ruggedized SCADA-Aware Ethernet Switch consist on two product families: SecFlow-2 – Ruggedized SCADA-Aware Ethernet Switch/Router SecFlow-4 – Modular Ruggedized SCADA-Aware Ethernet Switch/Router

SecFlow Main Features Industrial Design Multiservice Gateway Harsh environmental DIN-rail mount IP 30 -40°C to +75°C w/o fans EMI immunity IEC 61850-3 IEEE 1613 EN 50121-4 Multiservice Gateway Utilize both Ethernet ports and Serial interfaces Serial Tunneling or Service translation IEC101 to IEC104 Integrated Security L-2/3/4 ACL MAC/IP filtering per port SCADA-Aware firewall L2/L3 VPN w/IPsec 802.1X RADIUS/TACACS Resiliency Ethernet rings per ITU-T G.8032 RSTP, MSTP Cellular 2G/3G modem uplink for maximum service continuation

SecFlow-2 Access and Network Interfaces Console USB FE Ports FE 0/1-8 with optional PoE RS 232 port 1 - 4 SFP GbE1, GbE2 SIM Card Ports 1,2 DI/DO Power Dual GPRS/UMTS Modem

SecFlow-4 Access and Network Interfaces Dual Power Supplies 7 I/O slots Service and MNG module

SecFlow-4 Modules Module Description SF4-M-4GBE Gigabit Ethernet module with four UTP or four SFP ports SF4-M-Serial Serial interface module with four RS-232 ports SF4-M-Service Service module with firewall, serial tunneling, VPN functionalities and discrete input/output interfaces SF4-M-MNG Central processing and management module with local terminal and out-of-band management ports SF4-PS-24VDC Power supply module for 24 VDC input SF4-PS-48VDC Power supply module for 48 VDC input

SecFlow-2/4 v3.1 Main Features Description Customer Benefits SecFlow-2 Interfaces Ethernet Interfaces 2×100/1000BaseFX Up to 16×10/100BaseT Resilient redundant networking over various WAN infrastructures Serial Interfaces UP to 4×RS-232 Multiservice support in a compact single device Cellular Interface Dual SIM GPRS/UMTS cellular modem Utilizes cellular network for main link Improves link resiliency and service continuity using cellular backup links SecFlow-4 Interfaces Ethernet Module SF4-M-4GbE 4×100/1000BaseT, optional PoE 4×100/1000BaseFX 4 GbE interfaces per module that provide a maximum of 28 GbEs per chassis for multiple Ethernet connections Serial Module SF4-M-Serial 4×RS-232 4 serial interfaces for legacy connectivity with up to 28 serial ports per chassis The serial module combined with the Ethernet module provides multiservice support for various applications Central Processing Module SF4-M-MNG Central processing and management module with local terminal and out-of-band management ports The module is supplied with the SecFlow-4 chassis, providing the Layer-2 functionality Service Module SF4-M-Service (Optional) Service module with firewall, serial tunneling, VPN functionalities and discrete input/output interfaces hardware-ready only Security, routing and gateway functionalities

SecFlow-2/4 v3.1 Main Features Description Customer Benefits Protocol Gateway IEC-101 to IEC-104 conversion Enables seamless communication from the IP SCADA to both the legacy and new RTUs, featuring a single box for multiservice application and smooth migration to all IP networks SCADA-Aware Firewall SCADA-aware firewall monitors SCADA commands using deep packet inspection to validate intended application purpose Supported SCADA protocols: IEC-104, Modbus and DNP 3.0 Syslog support for IEC 104 firewall Provides distributed network security from the substation, enabling only authorized traffic to access the network according to the user defined access rules VPN Gateway with IPSec Layer 2 GRE VPN Layer 3 multipoint GRE Dynamic Multipoint-VPN Layer 3 IPSec VPN IPSec encryption per 3DES or AES X.509 certified with SHA256 and SHA512 for Phase1/Phase2 and AES 256 support Secured interconnection of remote sites over public networks, using Layer-2or Layer-3 VPN with encryption Supports large scale networks QoS Port limit Ingress policing Strict priority Weighted Round Robin (WRR) Egress traffic shaping Higher and lower priority traffic separation into 8 queues for prioritizing the user traffic and allowing mission critical applications to be served first

SecFlow-2/4 v3.1 Main Features Description Customer Benefits Ethernet OAM Single‑segment (link) OAM according to IEEE 802.3-2005 (formerly 802.3ah) End‑to‑end connectivity OAM based on IEEE 802 End‑to‑end service and performance monitoring based on ITU‑T Y.1731. Guaranteed SLA (Service level Agreement) of contracted services Standard Ethernet OAM for easy interoperability with 3rd party equipment Monitors network faults, performs measurements and gathers statistics Jumbo Frames SecFlow-2 Supports 9K bytes jumbo frames SecFlow-4 Supports 12K bytes jumbo frames Improves efficiency and increases performance in GbE networks Ethernet Ring Protection Ethernet ring protection switching per G.8032v2 RSTP (Rapid Spanning Tree Protocol) and MSTP (Multiple Spanning Tree Protocol) per IEEE 802.1D Link resiliency for high survivability and service continuity 50-ms failure detection and switchover to the alternate link without service interruption Link Aggregation Link aggregation per 802.3ad with configurable LACP Up to 8 LAGs Up to 8 ports in LAG Provides increased bandwidth and high availability links LACP ensures smooth and steady traffic flow by automating the configuration and maintenance of aggregated links Terminal Server and Serial Tunneling Embedded terminal server Transparent serial tunneling Connects multiple devices with serial interfaces over IP Provides point-to-point or point-to-multipoint transparent serial tunneling PoE Configurable PoE (enable/disable and force mode) 30W max per port Max 120W per device for 48 VDC power supply or 220 VAC Max 80W per device for 24V DC power supply Easily feeds third party equipment or peripheral devices such as IP cameras, using power over Ethernet SecFlow-2/4 can feed RAD’s Airmux outdoor device eliminating the need for an Airmux indoor unit

SecFlow-2/4 v3.1 Main Features Description Customer Benefits Access Control List Access control lists according to Layer-2, -3 and -4 criteria Enhanced ACL mechanism to filter user traffic according to variety of traffic criteria Better security and control on authorized traffic Network Management SNMP: V1,V2,V3 (V3 only in SecFlow-2) RADview SecFlow Network Manager SSH: V2.0 CLI RADIUS, TACACS TFTP Client Syslog, SNTP SecFlow-2 can be managed by a variety of management tools including: CLI, WEB interface and RADview SNMP-based management system SecFlow-2 can also be managed by SecFlow Network Manager, integrated in the RADview EMS server, to provide an end-to-end management system Switching Auto Crossing Autonegotiation per IEEE 802.3ab Port-based Network Access Control (PNAC) per IEEE 802.1x MAC list VLAN segregation tagging per IEEE 802.1q , 4K VLANs Multicast Groups IGMP snooping v1,v2,v3 MAC limiting per port LLDP, DHCP client, DHCP relay, option 82 Set of Layer-2 features for traffic management and security

SecFlow-2/4 Main Features Description Customer Benefits Timing Local time settings NTP v2 PTP transparent clock per 1588v2 Flexible clock distribution and network synchronization based on different clock sources Routing IPv4 Static routing OSPF v2, v3 RIPv2 A single-box solution that provides both Layer-2 features and Layer-3 routing capabilities Diagnostics Counters and statistics per port LED diagnostics: main switching units (Alarm |Run | Ethernet) LED diagnostics: application interfaces (Cellular | Serial ) Ping Trace route Port mirroring RMON v1 Provides extensive diagnostic tools to assist operators in fault monitoring

Legacy Migration Integrated serial interfaces in switches with 3 operational modes Tunneling between serial segments Byte / Bit-stream Multipoint support Service-aware security for serial tunnels Gateway connecting serial devices to matching Ethernet devices Currently supports IEC-101 to IEC-104 Terminal Server connecting a computer to serial devices SecFlow 2 SecFlow 2 RS-232/RS-485 link Ethernet link Serial Tunnel Gateway service SecFlow 2 SecFlow 2

Protocol Gateway Remote Site A IEC 101 RTU SecFlow 2 IEC 104 Central Site SCADA SecFlow 4 PSN Serial Master 1 Remote Site B Serial Master 2 LAN RS-232 V.Com port IEC104 IEC 104 UDP/IP SSH (T. Server) RS-232 SecFlow 2 RS-232 RS-232 IEC 101 RS-232 Console IEC-101 to IEC-104 conversion using protocol gateway functionality

Cyber Security Threats to Utilities Attack vector Control-Center malware Field-site breach Man-in-the-Middle Remote maintenance Security Measure Service-aware firewall Distributed firewalls Encryption Secure remote access Distributed SCADA IPS Deployment Role-based validation of SCADA commands Deployment at each end-point Used for both IP & Serial devices

Distributed Firewall SCADA-aware firewall for Modbus and IEC 101/104 Remote Site A Modbus RTUs SecFlow 2 Modbus Modbus Central Site Modbus NMS SCADA 104 Client Modbus Client PSN SecFlow 4 Remote Site B ASDU1 IEC 101 ASDU2 IEC 104 UDP/IP SSH (T. Server) IEC 101 SecFlow 2 ASDU3 IEC 101 ID 11 ID 13 ID 12 Modbus RTU Modbus RTU Modbus RTU SCADA-aware firewall for Modbus and IEC 101/104

Security Features 802.1X – IEEE Standard for port-based Network Access Control (PNAC), authentication and protection against DoS attacks Access Control List – Traffic filtering according to layer 2/3/4 criteria RADIUS and TACACS+ based centralized user authentication and authorization L2/L3 VPN, using IPSEC encryption User policy for traffic type, IKE, AES or 3DES encryption, dynamic key Secure Telnet access, using SSH SCADA firewall per port (Modbus, IEC-104, DNP3.0)

Integrated Defense-in-Depth Tool-Set Advanced security measures integrated in the switch using a dedicated service-engine Enable easy deployment of an extensive defense-in-depth solution

Multi-Service Transport Utility networks do not have 100% fiber connectivity SecFlow switches support alternative transport infrastructures GPRS/UMTS – Cellular coverage with 2 operators Radio links using RAD’s Airmux wireless solution SHDSL – Private copper lines* Used with integrated security mechanisms Internet Private ETH Network SecFlow 2 SecFlow 2 Private ETH Network *roadmap

Resilient Cellular Connection to Remote Sites GPRS/UMTS support Link resiliency using 2 SIM cards with continuous check of operator link quality Multiple remote spokes connecting to Hub over encrypted IPSec tunnels NHRP used for dynamic IP address resolution assigned to cellular spokes L2 VPN using transparent GRE tunnels over IPSec L3 VPN using DMVPN LAN FO | Cellular WAN

Applications

Smart-Grid Distribution Network “New intelligent MV-LV* transformation centres with metering, power monitoring and capacity automation” Modern secondary sub-station requiring: Encrypted tunnels when using a public network Firewall for uplink protocols (IEC 104, IEC 61850, Modbus) Gateway for serial IEDs Secondary Sub-Station Power Monitoring Automation Control Center RTU Cellular Antenna Smart Meters Network (Secondary Sub-Stations) Meters Concentrator SecFlow 2 Metering Data Center SecFlow switch integrates all the functions *Medium Voltage/Low Voltage

Migration to IP-based SCADA at Sub-stations Control Center IED ETH IP SCADA Ring LAN Management RS-232 IEC-101 RTU Sub-Station Connectivity of sub-station devices to new IP-based SCADA Per-site firewall for industrial automation protocols Secure terminal server for maintenance sessions Encrypted tunnels when using wireless links Serial to ETH protocol gateway

Connecting the Sub-station LANs – Current Status Control Center SCADA Storage Network Limitations SCADA direct access to S.S. IEDs Field technician access to: Other sub-stations Central storage Facility RTU Remote technician access to RTUs and IEDs in all S.Ss Data-sharing between S.Ss Remote Technician Internet Sub-Station SDH/Packet Network Facility RTU Sub-station RTU Field Technician Sub-station IEDs Need a unified sub-station LAN with secure inter-site connectivity

Connecting the Sub-station LANs – Future Evolution Control Center SCADA Storage Use a secure switch connecting the LAN devices to the backbone Network segmentation using VLANs/Subnets App-aware firewall per-device Secure remote access Serial-to-ETH protocol gateway Remote Technician Internet Sub-Station SDH/Packet Network SecFlow 4 Facility RTU Sub-stat. RTU Field Technician Sub-station IEDs

Metro Subway Control Network Metro subway control applications require communication with smart devices in each station Ethernet access switches connected to IP/MPLS backbone using VLANs as service ID Mixture of Ethernet, Serial & Discrete devices with secure access using a distributed ModBus firewall Secure mobile access from trains to control center using distributed device authentication methods Control Center RTU IP/MPLS Backbone IED Metering Data Center SecFlow switches build a secure subway network

Smart/Safe City End Points Communication Compact Industrial switch for Smart/Safe-city cabinets Ethernet with PoE Serial and discrete I/O ports for simple automation devices Diverse means of communication: Integrated dual-SIM cellular modem Fiber Optic with protected Ring Support (G.8032) SHDSL* Integrated security mechanisms IPSec VPN SCADA firewall P2P & P2MP Radio WiFi* Dual 2G/3G Communications Display Board ETH FO RS-232 PSN SecFlow 2 Dry Contact Tamper Switch ETH PoE *roadmap

Case Study of a Highway Security Infrastructure – Italy Autostarda Traffic Control Tetra Base Stations Tetra Base Stations Security Cameras Traffic Control Security Cameras Message Boards Message Boards RS-232/485 RS-232/485 QoS PoE 1588 clock sync QoS PoE 1588 clock sync Remote Site Remote Site Ring 6 Ring 12 Ring 1 Ring 7 ETH Ring ETH Ring ETH Ring 1588 Clock Central Site

Ordering Options SecFlow-2 Two ordering options: Advanced mode – SecFlow-2 is provided with security features, routing, switching and gateway functionalities. Basic mode – SecFlow 2 is provided with switching and gateway functionality only. Limited ordering options and cannot upgraded to advanced mode Mode PN Description Basic SF2/B/AC/2GE8UTP/PoE AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports SF2/B/48VDC/2GE8UTP/PoE 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 8 UTP ports Advanced SF2/S/48VDC/2GE8UTP 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT UTP ports SF2/S/AC/2GE8UTP/PoE SF2/S/AC/2GE8UTP/PoE4AM AC power supply, 2×GbE SFP ports, 8×10/100BaseT ports, PoE on 4 UTP ports for Airmux products SF2/S/48VDC/2GE16UTP 48 VDC power supply, 2×GbE SFP ports, 16×10/100BaseT UTP ports SF2/S/48VDC/2GE8UTP8SFP 48 VDC power supply, 2×GbE SFP ports, 8×10/100BaseT UTP ports, 8 ×100 FX SFP

Ordering Options SecFlow-2 PN Description Chassis SF4/48VDCR SecFlow-4 chassis, central processing and management module, dual 48 VDC power Supply SF4/24VDCR SecFlow-4 chassis, central processing and management module, dual 24 VDC power Supply Modules SF4-M-4GBE-U SecFlow-4 module with four 10/100/1000BasteT UTP Ethernet ports SF4-M-4GBE-POE SecFlow-4 module with four 10/100/1000BasteT UTP Ethernet ports and 30W PoE SF4-M-4GBE-S SecFlow-4 module with four 10/100/1000BasteFx SFP Ethernet ports SF4-M-4RS232 SecFlow-4 module with four RS-232 serial ports SF4-PS-24VDC 24 VDC power supply SF4-PS-48VDC 48 VDC power supply

Broad Perspective. Direct Control. Management RADview-EMS is a unified carrier-class management platform for RAD devices using a variety of access channels as SNMPv1/3, HTTP/S, TFTP and Telnet/SSH. In addition, it features third-party device monitoring capabilities Broad Perspective. Direct Control.

Management, Benefits & Features Turnkey system including hardware and software! Fully compliant with TMN standards Client/server architecture with multi-user support Interoperable with third-party NMS and leading OSS systems IBM Tivoli’s Netcool®/OMNIbus™ plug-in Minimize integrations costs associated with new NE Key features Ensures device health and congestion control Topology maps and network inventory Advanced FCAPS functionality Software & configuration management Business continuity - High-Availability and Disaster Recovery Handover between operators

RADview-EMS advanced FCAPS Detects and isolates faults in network devices, initiates remedial actions and distributes alarm messages to other management entities in the network. Fault management Enables operators to configure, install and distribute software to all devices across the network. In addition, the system tracks version changes and maintains software configuration history Configuration management Manages individual and group user accounts and passwords, generating network usage reports to monitor user activities. Accounting management Supports real-time monitoring of QoS and CoS, producing real-time and periodic statistics. The statistics collector compresses data to minimize bandwidth use for management traffic and exports CSV files to OSS or third-party management systems Performance management Allows network administrators to track user activities and control the access to network resources with a choice of security features Security management

Device Management SecFlow-2/4 Device Management SNMP v1, v2, v3 (v3 only in SF-2) CLI WEB SNTP RADIUS TACACS TFTP Syslog

RADview – SecFlow Network Manager SecFlow Network Manager is an End-to-End network management of the SecFlow devices featuring: Automatic discovery of SecFlow network switches Network topology management End-to-end service provisioning Security rules configuration Aggregated network fault monitoring Network performance analysis Operator authorization levels