
Industrial Ethernet Book 104

Technology

SDN for purpose-engineered, active-defense cyber security

Software-defined networking (SDN) is revolutionizing the way industrial control system (ICS) networks are engineered, and it is enabling system designers to improve the performance and delivery quality of communications. A primary goal of any control system design is to ensure secure and reliable operations.

Cyber security is a vital key to industrial control system reliability and safety. The programmability of operational technology (OT) SDN networks opens the door for the development of new cybersecurity methods and controls to improve network performance and protection. As part of a project named Chess Master, the U.S. Department of Energy (DOE) has sponsored energy industry stakeholders to research, develop, and commercialize technology that takes advantage of these cybersecurity methods and controls. The Chess Master project is part of the Cybersecurity for Energy Delivery Systems (CEDS) program, which focuses on accelerating the commercialization of advanced cybersecurity technology.

This article outlines the distinct advantages that OT SDN brings to Ethernet-based ICSs: dramatically improved packet delivery performance under normal and fault event conditions, greater cybersecurity without added complexity, centralized situational awareness, and disruptionless change control that enables safe scalability.

Industrial control systems

ICSs produce, manage, and monitor processes for the production of goods and services. The organizations that use these systems are constantly looking for ways to reduce workplace injuries and production losses and to increase productivity, system stability, and efficiency. Process improvements and a skilled workforce are key to achieving these goals, but technological advances contribute some of the most significant improvements. To keep an ICS operating safely and reliably, it must have cybersecurity integrity.
However, successful control system cybersecurity is contingent on taking advantage of the core components of the system itself: purpose-built, closed-loop, continuously monitored, deterministic, large-scale machines. The best results occur when information technology (IT) security teams work side-by-side with OT control system engineers to design processes and policies that align with standard operating procedures and minimize training burdens. This IT-OT collaboration reduces accidental setting mistakes and oversights.

SDN abstracts the control plane from the data plane and centralizes it in software.

[Figure: SDN architecture. The flow controller exposes an API and uses OpenFlow to program SEL-2740S switches and Open vSwitch.]

Decisions about how to forward packets are made in centralized software (the flow controller), and network switches execute the forwarding behavior dictated by the software. This simplifies the switches and allows for a multilayer inspection of each packet at each hop using simple lookup tables in the switch, which are programmed by the flow controller. The key in ICS networks is to provide this traffic engineering capability proactively (i.e., to configure the switches ahead of time for all packets that are authorized on the network and for how to react to network failures).

SDN is an Ethernet technology based on the proven interoperability provided by the IEEE 802.3 standard. Ethernet has become the world's most-used network technology, providing widespread interoperability across manufacturers. Ethernet meets business and critical infrastructure requirements when it is engineered appropriately. However, challenges arise when IT and OT control system traffic are combined on the same network or when the control system networks are scaled to very large systems.
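The proactive model described above, as an added illustration that is not SEL code, not the SEL-5056 or SEL-2740S implementation, and not the OpenFlow wire protocol: a toy switch whose flow table is programmed ahead of time with multilayer match fields (ingress port, MAC addresses, EtherType, IP protocol, TCP port), drops and records anything without an authorizing entry (default deny), and carries a pre-installed backup path so a link fault is handled in the switch without waiting on the controller. The MAC addresses, port numbers and rules are constructed samples.

```python
"""Toy model of a proactively programmed OT SDN switch.

Added illustration only: not SEL-5056 / SEL-2740S code and not the OpenFlow
wire protocol. It models the behaviour the article describes: a flow table
programmed ahead of time with multilayer match fields, default deny for
anything not explicitly authorized, and a pre-installed failover path so a
link fault is handled in the switch without a controller round trip.
All MAC addresses, ports and rules below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_IPV4 = 0x0800
ETH_GOOSE = 0x88B8   # IEC 61850 GOOSE EtherType
IP_TCP = 6
MODBUS_TCP = 502


@dataclass(frozen=True)
class Packet:
    """Header fields the switch can match on at each hop (L2 through L4)."""
    in_port: int
    eth_src: str
    eth_dst: str
    eth_type: int
    ip_proto: Optional[int] = None
    tcp_dst: Optional[int] = None


@dataclass
class FlowEntry:
    """One proactively installed rule. Fields absent from `match` are wildcards.
    `out_ports` is ordered like a fast-failover group: the first port whose
    link is up is used, so a fault needs no controller action."""
    priority: int
    match: Dict[str, object]
    out_ports: List[int]

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, name) == value for name, value in self.match.items())


class Switch:
    def __init__(self, name: str, flows: List[FlowEntry]):
        self.name = name
        # Highest priority first, the order a table lookup would apply them.
        self.flows = sorted(flows, key=lambda f: -f.priority)
        self.link_up: Dict[int, bool] = {}
        # Packets with no authorizing flow are dropped and kept so the
        # controller can report them (situational awareness, not silent discard).
        self.denied: List[Packet] = []

    def set_link(self, port: int, up: bool) -> None:
        self.link_up[port] = up

    def forward(self, pkt: Packet) -> Optional[int]:
        """Return the egress port, or None if the packet is dropped."""
        for flow in self.flows:
            if flow.matches(pkt):
                for port in flow.out_ports:
                    if self.link_up.get(port, True):
                        return port
                return None  # authorized, but every engineered path is down
        self.denied.append(pkt)  # default deny: nothing was programmed for it
        return None


# Constructed sample topology: relay on port 1, two engineered paths toward a
# second relay on ports 2 (primary) and 3 (backup), HMI on port 4, PLC on port 5.
RELAY_A = "00:30:a7:00:00:01"
GOOSE_GROUP = "01:0c:cd:01:00:01"
HMI = "00:30:a7:00:00:10"
PLC = "00:30:a7:00:00:20"


def build_switch() -> Switch:
    return Switch("sw1", [
        # Protection traffic: only this relay may source GOOSE on port 1.
        FlowEntry(200, {"in_port": 1, "eth_src": RELAY_A,
                        "eth_type": ETH_GOOSE}, out_ports=[2, 3]),
        # SCADA traffic: only the HMI may open Modbus/TCP to the PLC.
        # The PLC's replies would need their own entry; nothing is implied.
        FlowEntry(100, {"in_port": 4, "eth_src": HMI, "eth_dst": PLC,
                        "eth_type": ETH_IPV4, "ip_proto": IP_TCP,
                        "tcp_dst": MODBUS_TCP}, out_ports=[5]),
    ])


def run_scenario() -> Dict[str, object]:
    sw = build_switch()
    goose = Packet(1, RELAY_A, GOOSE_GROUP, ETH_GOOSE)
    results: Dict[str, object] = {"goose_primary": sw.forward(goose)}
    sw.set_link(2, up=False)  # primary path fails; backup is already installed
    results["goose_after_fault"] = sw.forward(goose)
    results["modbus_from_hmi"] = sw.forward(
        Packet(4, HMI, PLC, ETH_IPV4, IP_TCP, MODBUS_TCP))
    # Same port and destination, but a MAC the engineer never authorized.
    results["modbus_from_rogue"] = sw.forward(
        Packet(4, "de:ad:be:ef:00:01", PLC, ETH_IPV4, IP_TCP, MODBUS_TCP))
    # Authorized host, but a service (SSH) that was never engineered.
    results["ssh_from_hmi"] = sw.forward(Packet(4, HMI, PLC, ETH_IPV4, IP_TCP, 22))
    results["denied_count"] = len(sw.denied)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point to notice is what is absent: there is no "learn the MAC and flood" fallback and no reactive punt to the controller for an unknown packet. Every forwarding decision, including the reaction to the failed primary link, was made when the table was engineered, so the switch's behaviour under a fault or an unexpected host is as deterministic as its behaviour in normal operation.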
The programmable nature of SDN networks enables them to be purpose-engineered to provide the repeatable results that OT control system engineers demand and the situational awareness and predefined, automated responses to incidents that cybersecurity policies require. By blending these requirements without introducing complexity, SDN allows control system security to reach safety levels at which all packets are inspected and authorized before being delivered to their destinations, without trading off performance.

Success criteria for cybersecurity

Cybersecurity is critical to the reliability of ICS networks. Cybersecurity spans organizational policies, the procedures followed when people interact with the technology, and the technology itself. Designing and managing

[Figure: Chess Master project architecture (source: SEL). Veracity Cerebellum software (Chess Master) provides device management, security zone management, security policy management, threat state management and partner applications on top of the SEL-5056 SDN flow controller, which programs SEL-2740S switches over OpenFlow. Controller communications and data plane communications are shown as separate paths.]

