Page 27

Industrial Ethernet Book 104

a sustainable cybersecurity program that balances all three of these aspects is key to successful long-term security and reliability. The Chess Master team identified five key criteria for ensuring reliable cybersecurity: whitelisting, situational awareness, incident response planning, business benefits, and simplicity.

Whitelisting and SDN

The Chess Master project team has determined that the best way to design and apply a cybersecurity program on a system is to use the system attributes as the core of the program and take advantage of the system's operational aspects. This can only be done with a solid understanding of the system. ICSs are purpose-engineered upfront and are maintained with formal change control management. This allows for the most powerful advantage in the cybersecurity war: whitelist security management. In this approach, because the devices and what applications each of those devices is running are known, security controls can be designed to drop all other communications and devices.

Devices on the ICS are typically embedded, performing a specific task for an extended period of time. Applying security controls is simple when the focus is on what each device should do, creating an enforceable, approved baseline. This approach puts the focus on enabling authorized traffic instead of finding unauthorized traffic and eliminates the need for rapid and ever-evolving signature updates for intrusion detection systems or malware protection. Change management is only needed when devices or applications are added or removed, so safe updates or outages can be scheduled well ahead of time.

SDN aligns well with whitelist security management by enabling the network itself to be proactively traffic-engineered and by enforcing an approved baseline for traffic forwarding. SDN allows multilayer packet inspection in order to ensure that each packet has the approved header information before it is forwarded to its destination. This inspection happens on every hop through the network. Network performance is improved by using SDN because no ports are blocked by Rapid Spanning Tree Protocol (RSTP) loop mitigation. All ports in an SDN network can be traffic-engineered and physical path planning becomes part of the cybersecurity defensive controls. Networks can be purpose-engineered just like the rest of the ICS to improve performance and whitelist authorized traffic.

[Figure: Software-Defined Networking (SDN) Architectural Overview. Control plane: applications, northbound API, controller. Data plane: OpenFlow switches. SOURCE: SEL]

Situational awareness

There is greater situational awareness when the network topology is actively discovered. Operators have a single point from which to see all hosts and network switches on their network and manage all the switches as a single asset. OT SDN breaks from traditional network management systems in that it allows operators to see packet and byte counts throughout the network. This enables them to see where and how the traffic is flowing through the network at any given time and to quickly know the overall health of the network. The removal of the dynamic control plane traffic frees that bandwidth and prioritizes services for operational data, reducing jitter and improving efficiency.

ICSs are continuously monitored via SCADA, distributed control systems (DCSs), energy management systems (EMSs), and process control systems (PCSs). Adding network monitoring is a logical step, but it is critical to ensure that the network monitoring provides information in a way that can be easily integrated into existing systems and procedures. While these systems and procedures vary between organizations, a programmable network infrastructure based on SDN can still be broadly adopted. SDN has the same architecture as SCADA, with the flow controller providing a global view of the network assets and establishing a monitoring and change management platform. The situational awareness SDN provides is greater than that of typical network management software because the packets' paths and matching attributes, as well as the flow byte counts, are known.

Incident response planning

ICS operations must have well-established incident response plans and must practice those plans to ensure that all responsible parties understand and can execute them when the need arises. These response plans are typically focused on life safety and production retention, but they also apply to cybersecurity. SDN complements this approach by allowing the establishment of response plans for new or unexpected communication flows and multiple profiles for the entire network. Depending on the business situation, operators can quickly and easily change the operation of the ICS using predetermined responses or operational states.

Business benefit

Security controls must provide a business benefit. It is good to have negative controls (that is, cybersecurity technology that stops bad things from happening), but it is best when the cybersecurity controls bring positive business returns as well. SDN provides the platform to do just that with more active ports and quick-healing links. Deployed assets are more efficient with all ports active and able to forward traffic. SDN performs loop mitigation via path planning rather than penalizing the entire system through trunking (as RSTP does). The largest performance advantage of SDN is that commercially available OT SDN switches heal link and switch failures in microseconds, versus RSTP performance that requires milliseconds. This massive performance advantage is maintained regardless of how large the network is, so there are no network size limitations like there are with RSTP. SDN also improves operational efficiency by helping orchestrate device outages for firmware and patch updates that do not disrupt the network.

Simplicity

ICS solutions must be kept simple.
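The whitelisting, situational awareness and incident response passages above describe one mechanism from three angles: a per-hop flow table that forwards only approved header combinations, drops and reports everything else, keeps packet and byte counters per flow, and can be swapped between predetermined operational profiles. The following toy model, added here as an illustration and not code from the Chess Master project or SEL, puts those three behaviours in one place. The two-switch topology, the host MAC addresses, the DNP3 and SSH flows, and the "lockdown" profile are all constructed for the example; real OpenFlow match fields and counters are richer than this.

```python
"""Toy model of whitelist forwarding in an SDN-style ICS network (added
example, not project code). Every hop matches packet headers against an
approved flow table, drops anything else, keeps per-flow counters, and can
switch between predetermined operational profiles. All addresses, ports and
hosts are constructed for the illustration."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_port: int
    eth_src: str
    eth_dst: str
    eth_type: int                   # 0x0800 = IPv4
    ip_proto: Optional[int] = None  # 6 = TCP
    tcp_dst: Optional[int] = None


class FlowEntry:
    """Whitelist rule: every listed header field must match (absent = wildcard)."""
    def __init__(self, out_port, **match):
        self.match, self.out_port = match, out_port
        self.packets = self.bytes = 0         # counters the controller reads

    def matches(self, pkt):
        return all(getattr(pkt, f) == v for f, v in self.match.items())


class Switch:
    def __init__(self, name, profiles, active="normal"):
        self.name, self.profiles, self.active = name, profiles, active
        self.dropped = []                     # unexpected flows reported upward

    def handle(self, pkt, size):
        for entry in self.profiles[self.active]:
            if entry.matches(pkt):
                entry.packets += 1
                entry.bytes += size
                return entry.out_port
        self.dropped.append((pkt.in_port, pkt.eth_src, pkt.eth_dst, pkt.tcp_dst))
        return None                           # default action: drop


# Constructed topology: RTU on A:1, HMI on B:1, engineering PC on B:2, A:3 <-> B:3.
RTU, HMI, ENG = "00:30:a7:00:00:01", "00:30:a7:00:00:02", "00:30:a7:00:00:03"
HOSTS = {RTU: ("A", 1), HMI: ("B", 1), ENG: ("B", 2)}
LINKS = {("A", 3): ("B", 3), ("B", 3): ("A", 3)}


def build_switches():
    tcp = dict(eth_type=0x0800, ip_proto=6)
    # Approved baseline: DNP3 (TCP 20000) HMI<->RTU and engineering SSH ENG<->RTU.
    a_dnp3 = [FlowEntry(1, in_port=3, eth_src=HMI, eth_dst=RTU, tcp_dst=20000, **tcp),
              FlowEntry(3, in_port=1, eth_src=RTU, eth_dst=HMI, **tcp)]
    a_ssh = [FlowEntry(1, in_port=3, eth_src=ENG, eth_dst=RTU, tcp_dst=22, **tcp),
             FlowEntry(3, in_port=1, eth_src=RTU, eth_dst=ENG, **tcp)]
    b_dnp3 = [FlowEntry(3, in_port=1, eth_src=HMI, eth_dst=RTU, tcp_dst=20000, **tcp),
              FlowEntry(1, in_port=3, eth_src=RTU, eth_dst=HMI, **tcp)]
    b_ssh = [FlowEntry(3, in_port=2, eth_src=ENG, eth_dst=RTU, tcp_dst=22, **tcp),
             FlowEntry(2, in_port=3, eth_src=RTU, eth_dst=ENG, **tcp)]
    # "lockdown" is a constructed predetermined response: maintenance access is
    # removed network-wide while control traffic keeps flowing.
    return {"A": Switch("A", {"normal": a_dnp3 + a_ssh, "lockdown": a_dnp3}),
            "B": Switch("B", {"normal": b_dnp3 + b_ssh, "lockdown": b_dnp3})}


def send(switches, entry, pkt, size):
    """Carry one packet hop by hop; every switch re-inspects the headers."""
    name = entry
    for _ in range(len(switches)):            # path-planned, loop-free; bound anyway
        out = switches[name].handle(pkt, size)
        if out is None:
            return f"dropped@{name}"
        if (name, out) == HOSTS.get(pkt.eth_dst):
            return "delivered"
        nxt = LINKS.get((name, out))
        if nxt is None:
            return f"no-link@{name}:{out}"
        name, port = nxt
        pkt = replace(pkt, in_port=port)      # next hop sees its own ingress port
    return "hop-limit"


def demo():
    sw = build_switches()
    tcp = dict(eth_type=0x0800, ip_proto=6)
    poll = Packet(in_port=1, eth_src=HMI, eth_dst=RTU, tcp_dst=20000, **tcp)
    reply = Packet(in_port=1, eth_src=RTU, eth_dst=HMI, tcp_dst=49152, **tcp)
    ssh = Packet(in_port=2, eth_src=ENG, eth_dst=RTU, tcp_dst=22, **tcp)
    http = Packet(in_port=2, eth_src=ENG, eth_dst=RTU, tcp_dst=80, **tcp)
    r = {"dnp3_poll": send(sw, "B", poll, 64),
         "dnp3_reply": send(sw, "A", reply, 128),
         "ssh_normal": send(sw, "B", ssh, 90),
         "http": send(sw, "B", http, 60)}       # not in the baseline: dropped at hop 1
    for s in sw.values():                        # operator selects the response profile
        s.active = "lockdown"
    r["ssh_lockdown"] = send(sw, "B", ssh, 90)
    r["dnp3_lockdown"] = send(sw, "B", poll, 64)
    e = sw["A"].profiles["normal"][0]            # HMI->RTU entry, shared by both profiles
    r["a_dnp3_counters"] = (e.packets, e.bytes)
    r["b_dropped"] = len(sw["B"].dropped)
    return r


if __name__ == "__main__":
    print(demo())
```

Two details carry the page's argument. The HTTP attempt never crosses the first switch, because the decision is made per hop against the approved baseline rather than by a signature looking for something bad; and the flow counters on the shared DNP3 entry keep accumulating across the profile change, which is the per-flow visibility the situational awareness passage contrasts with conventional network management.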
SDN provides simplicity by abstracting the control plane complexity out of the deployed switches and centralizing it in the flow controller. This means that deployed assets have less code, which reduces the attack surface and patch management burden. SDN is a multilayer network design that reduces the number of network appliances needed because subnetting is no longer needed. Fewer devices with less-complicated firmware increases the mean time between failures and reduces operational expenses. Removal of the dynamic control plane eliminates worries about Bridge Protocol Data Unit (BPDU) spoofing and Address Resolution Protocol (ARP) cache poisoning.

Challenges

The Chess Master team also identified challenges to using SDN to provide security controls in the manner described.

Trust

27 2.2018 industrial ethernet book

