
Industrial Ethernet Book 104

[Figure: Diagram illustrates management of security zones and the addition of cryptography to a flow. Labels: Security Zone 1, Security Zone 2, HMI, Zone Egress, Zone Ingress, SEL-2740S switches, PLC, IED, SCADA Historian Client, SCADA Server, Source, Destination, Encrypted Tunnel, ports P5, P6, P8, P9. Source: SEL]

management is the first hurdle to clear. How will the flow controller and cybersecurity applications trust each other? How will the orders that are sent through the network appliances be trusted? How will change control transactions be applied without having an intermediate state where undesired packet forwarding could occur? How can all of this be done without making the product technology or the process to manage the technology overly complicated, increasing potential misconfigurations, or creating overly burdensome training requirements? The Chess Master project will address each of these challenges by defining new cybersecurity controls and how to use them.

Chess Master project scope of work

Chess Master is a two-phase project that will take place over a three-year period. The first phase is to research, develop, test, and commercialize a security validation and policy enforcement application that connects to a flow controller to centrally manage all field networks. The second phase is to field-test and demonstrate the technology in real-world ICS installations and prepare best-practice guides for testing, deployment, and long-term management of the technology.

In order to sustain critical energy delivery functions during a cyber intrusion, ICS operators need the ability to automatically identify and contain affected network areas and to reroute critical information and control flows around them. To do so effectively, ICS operators need a global view of the communications flows. They also need a method to proactively determine the whitelisted communications and how to respond to communications in which adversarial behavior is detected.

The Chess Master project will develop a security northbound application and standardize the application programming interface (API) between the flow controller and a proposed security state monitoring application. The Chess Master team will research, develop, test, and release:

• A security policy enforcer application that runs on the northbound interface of a flow controller.
• A DIN rail-mounted SDN switch for pad- and cabinet-mounted field devices.
• An ICS extension to the OpenFlow standard.
• Visualization tools for situational awareness with associated context metrics to help operators quickly know the threat level and exposed attack surface in all field networks.
• Technology and tools to automatically enforce proactively configured security profiles and change between them for different threat state levels with increasing defensive controls.
• Technology and methods to secure field networks with predefined security controls.
• Best practices for system architectures and administrative processes to maximize performance, awareness, and security.
• Techniques to evaluate the resiliency provided by preconfigured backup routes and response mechanisms and suggested methods to improve resiliency.

Test results will detail the advances, benefits, and cost impacts for an organization to transition from traditional network technology to SDN technology with an open-source API and standards-based interoperability testing.

The DIN-rail-mounted OT SDN switch developed by the Chess Master team will enable the Chess Master technology to be deployed across most applications in the energy sector. The team will also commercialize a new write action within the OpenFlow configuration, allowing cryptographic applications on a per-flow basis. This write action will automate the key management and allow the application of encryption and/or authentication to the packets belonging to the flow. It will also allow for the distribution of the keys and the coloring of the packets after they are encrypted so that switches at intermediate hops can quickly match and forward the packets without having to decrypt them.

In addition, this project will provide system operators with a single point from which to set and view field network security policies and validate that they are operational in a simplified manner. Operators will be able to engineer the virtual circuits that communications flows travel on and monitor those communications. They will also be able to preconfigure and automate response actions to events and to undesired network behavior to keep critical systems operational. The technology will provide operators with a visual representation of what happened, which communications were impacted, and how.

Network engineering collaboration

A key focus for the Chess Master project is operational and engineering efficiency. This efficiency will be realized via a digital peer review process for configuring security zones and security policies. This integrated approach will provide direct collaboration between OT and IT personnel, with all relevant parties receiving change notification alerts in near real time and the ability to accept or make design changes in a simplified, visual manner.

Threat state model

The Chess Master team is also developing a threat state model that will define distinct threat states for a system. The threat state model is divided into five categories of trust, following the defense readiness model. The development of this model will provide both internal and external triggers, via an API, for transitioning between configurable security levels. The system can be configured to determine whether a human should be alerted to recommend a transition of the state or whether predefined triggers can automatically transition the level. Each level will be assigned a predesigned security policy and a security zone plan (what trust level the device is a member of). This will result in a threat-based approach to security policies and defensive measures for a system.

Industrial Ethernet Book 2.2018
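The per-flow cryptographic write action described above (automated keys, then coloring of the protected packets so that intermediate hops match and forward on the color without decrypting) can be illustrated with a small Python model. This is an added example, not SEL's implementation or the proposed OpenFlow extension itself; it shows authentication rather than encryption (the page allows either), and its header layout, color value, key, port label and sample packets are all constructed for the illustration.

```python
"""Per-flow packet authentication with clear-text flow coloring.

Added illustration (not SEL's implementation of the OpenFlow write action)
of the idea on the page: the ingress switch protects a flow's packets with
a key and stamps a clear-text color on the outside; switches at intermediate
hops match and forward on the color alone, without a key; only the egress
switch holding the flow key checks the packet. Authentication with
HMAC-SHA256 is shown (the page allows encryption and/or authentication).
The header layout, key, color value and packets are constructed here.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

TAG_LEN = 32                   # HMAC-SHA256 tag length
HEADER = struct.Struct("!HI")  # color (16 bits) + sequence number (32 bits)


def ingress_protect(color: int, seq: int, payload: bytes, key: bytes) -> bytes:
    """Ingress: prepend the clear-text color header and append a tag computed
    over header and payload, so neither can be altered without detection."""
    header = HEADER.pack(color, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def transit_forward(packet: bytes, flow_table: Dict[int, str]) -> Optional[str]:
    """Intermediate hop: match on the color only and return the output port.
    The switch holds no key, never inspects the payload, and drops unknown colors."""
    if len(packet) < HEADER.size:
        return None
    color, _seq = HEADER.unpack_from(packet)
    return flow_table.get(color)


def egress_verify(packet: bytes, keys: Dict[int, bytes],
                  last_seq: Dict[int, int]) -> Optional[bytes]:
    """Egress: verify the tag with the key bound to this color, reject replays
    (non-increasing sequence numbers) and return the bare payload, or None."""
    if len(packet) < HEADER.size + TAG_LEN:
        return None
    color, seq = HEADER.unpack_from(packet)
    key = keys.get(color)
    if key is None:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    if seq <= last_seq.get(color, -1):
        return None
    last_seq[color] = seq
    return body[HEADER.size:]


def demo() -> Dict[str, object]:
    """Walk one flow through ingress, a transit switch and egress."""
    color = 0x0A01                 # constructed flow color
    key = bytes(range(32))         # constructed; real keys come from the controller's key management
    keys = {color: key}
    transit_table = {color: "P8"}  # constructed: transit switch sends this color out port P8
    last_seq: Dict[int, int] = {}

    pkt = ingress_protect(color, 1, b"DNP3 read request", key)
    results: Dict[str, object] = {}
    results["port"] = transit_forward(pkt, transit_table)     # "P8"
    results["payload"] = egress_verify(pkt, keys, last_seq)   # b"DNP3 read request"

    # A payload bit altered in transit fails the tag check at egress.
    damaged = bytearray(pkt)
    damaged[HEADER.size] ^= 0x01
    results["damaged"] = egress_verify(bytes(damaged), keys, last_seq)  # None

    # The same packet seen again is a replay and is rejected.
    results["replay"] = egress_verify(pkt, keys, last_seq)    # None

    # A color with no table entry is not forwarded by the transit switch.
    stray = ingress_protect(0x0A02, 1, b"x", key)
    results["stray_port"] = transit_forward(stray, transit_table)  # None
    return results
```

The point of the split is where the key lives: only ingress and egress hold it, so a transit switch can be programmed with a plain match on the color field and needs no cryptographic state, while egress still detects modification, replay and traffic carrying a color it has no key for.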
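As an added illustration of the threat state model just described, together with the change-control concern raised at the top of the page (no intermediate state in which undesired forwarding could occur), the following Python sketch keeps one allowlist per threat level, applies transitions through a trigger API, parks transitions above a configurable level until an operator approves them, and swaps the whole table in a single commit. It is not code from the Chess Master project or SEL; the five levels, host names, zone labels, protocols and flows are constructed, since the page names none of them.

```python
"""Threat-state-driven flow allowlist enforcer.

Added illustration (not SEL's Chess Master code) of the page's model: a
northbound application keeps one preconfigured security policy per threat
level, accepts transition triggers through an API, lets the operator decide
which transitions need a human's approval, and swaps the allowlist in a
single commit so the network never runs a half-updated table. Level
numbers, host names, zones, protocols and flows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# A flow is identified by (source host, destination host, protocol).
Flow = Tuple[str, str, str]


@dataclass
class SecurityPolicy:
    """Whitelisted flows plus the zone plan (host -> zone) for one threat level."""
    level: int
    allowed: FrozenSet[Flow]
    zones: Dict[str, str]


class FlowController:
    """Stand-in for the SDN flow controller that programs the switches."""

    def __init__(self) -> None:
        self.table: FrozenSet[Flow] = frozenset()
        self.generation = 0  # counts complete, atomic table swaps

    def commit(self, new_table: FrozenSet[Flow]) -> None:
        # The full replacement table is built first and swapped in one step,
        # so there is no intermediate state that forwards unlisted traffic.
        self.table = new_table
        self.generation += 1

    def permits(self, flow: Flow) -> bool:
        # Deny by default: a flow not on the active allowlist is dropped.
        return flow in self.table


class PolicyEnforcer:
    """Northbound security policy enforcer driven by the threat state model."""

    def __init__(self, policies: Dict[int, SecurityPolicy],
                 controller: FlowController, auto_max_level: int) -> None:
        self.policies = policies
        self.controller = controller
        self.auto_max_level = auto_max_level  # higher levels need human approval
        self.level = min(policies)
        self.pending: List[int] = []  # transitions awaiting an operator
        self.controller.commit(policies[self.level].allowed)

    def trigger(self, target_level: int, approved_by_human: bool = False) -> bool:
        """API entry point for internal or external triggers.

        Returns True when the new level was applied, False when the request
        was parked for a human to confirm (the operator is alerted instead).
        """
        if target_level not in self.policies:
            raise ValueError(f"unknown threat level {target_level}")
        if target_level > self.auto_max_level and not approved_by_human:
            self.pending.append(target_level)
            return False
        self.level = target_level
        self.controller.commit(self.policies[target_level].allowed)
        return True


def build_demo() -> PolicyEnforcer:
    """Five constructed levels; each one removes one more flow than the last."""
    zones = {"hmi": "zone1", "engineering": "zone1", "historian": "zone1",
             "scada": "zone2", "plc": "zone2", "ied": "zone2"}
    normal = frozenset({
        ("hmi", "plc", "modbus/tcp"),
        ("scada", "plc", "dnp3"),
        ("scada", "ied", "dnp3"),
        ("historian", "scada", "sql"),
        ("engineering", "plc", "ssh"),
    })
    # Flows withdrawn as the threat level rises; only scada -> plc remains at level 5.
    ladder: List[Flow] = [
        ("engineering", "plc", "ssh"),   # withdrawn at level 2
        ("historian", "scada", "sql"),   # withdrawn at level 3
        ("hmi", "plc", "modbus/tcp"),    # withdrawn at level 4
        ("scada", "ied", "dnp3"),        # withdrawn at level 5
    ]
    policies = {1: SecurityPolicy(1, normal, zones)}
    allowed = normal
    for level, dropped in enumerate(ladder, start=2):
        allowed = allowed - {dropped}
        policies[level] = SecurityPolicy(level, allowed, zones)
    # Levels up to 3 switch automatically; 4 and 5 wait for an operator.
    return PolicyEnforcer(policies, FlowController(), auto_max_level=3)
```

In use, `build_demo().trigger(3)` tightens the table at once, while `trigger(5)` only records a pending request until the same call is repeated with `approved_by_human=True`; the controller's `generation` counter shows that every applied transition was exactly one table swap.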

