Page 29

Industrial Ethernet Book 104

Case Study (Industrial Ethernet Book, 2.2018, Technology/Industry)

[Figure: Example Cyber Kill Chain. Stages shown: Reconnaissance (network mapping; OS fingerprinting), Deliver, Weaponize, Exploit, Control, Maintain, Execute, split into "Prior to Active System Hack" and "After Active System Hack". Annotations: adversary is on the network for 12 months on average; current security control focus is detection and protection. Source: SEL]

Benefits of SDN

SDN is an architectural networking concept that abstracts the control plane out of the switches and centralizes it in software. This central software manages the fleet of switches in its domain. The switches become simpler once the control plane is removed. This results in less patch management and fewer errors. The Chess Master project takes advantage of this architectural change to address some of the most challenging cybersecurity issues. The goal of the Watchdog and SDN research projects was to develop and commercialize an industrially rated SDN switch and flow controller that could support the lengthy lifetimes industrial OT applications require, in many cases ten years or more. These two projects brought together industry experts from academia, a national laboratory, a manufacturer, and multiple power system owners to bring the advanced technology to the market. The results, which exceeded the expectations of the research participants, are making a significant impact in OT networking performance and security around the world. Because SDN is based on interoperable Ethernet technology, network hosts do not have to be altered to work in an SDN network. In fact, the hosts do not know if they are connected to a traditional spanning tree algorithm-based (STA-based) network or an SDN network. It is important to recognize what the implementation of SDN removes. Pure OpenFlow SDN networks no longer use STAs, so the dynamic topology discovery and loop-mitigation convergence behavior are no longer required. The switches themselves do not have MAC address tables. Instead, they have flow tables that associate the packet with its application at each hop.

It should be noted that OT SDN does not change the OpenFlow architecture of SDN, nor were the OpenFlow standards changed to fit OT systems. However, the way the technology is applied to OT systems is different from how it is applied in IT networks for data centers and carrier industries. Because the standards were not altered, the interoperability between different industry SDN solutions remains, which lays the foundation for rapid innovation. In OT SDN, all primary and failover paths are planned in advance to achieve the predictable and repeatable behavior desired for ICSs. This proactive traffic engineering informed how the DOE research team applied SDN to OT networks. For simplicity, only OpenFlow 1.3 switches were used instead of hybrid STA/SDN switches. This maximized performance, minimized the cost of ownership, and reduced the attack surface of the switch. In ICSs using SDN, all communications to and from each device are purpose-engineered. The switches store the flow, group, and meter entries such that the network performance is not dependent on the flow controller being online, eliminating a potential single point of failure. The rate of change in an OT network is very low; changes are only needed when devices are added or removed, or when new applications requiring new network delivery requirements are enabled. This works well with the proactively traffic-engineered, whitelisted model of OT SDN.

The Chess Master project builds on the commercially released OT SDN technology by developing new security capabilities that will allow operators to manage the security state by policy and quickly change between those policies as required by the state of the system. The project will provide security orchestration for the OT flow controller via complete network visibility, situational awareness, programmable security zones, and security policy management with whitelisting for all assets on the network.

The Chess Master project will create an integrated threat management platform that can be coordinated centrally and executed in a distributed manner by policy in SDN-enabled switches, such as the SEL-2740S Software-Defined Network Switch. There is no need for ports to be dedicated as mirror ports because SDN allows packets to be sent to the controller based on the programming of the switch. The northbound interface of the flow controller extracts the relevant data needed to perform comprehensive analytics as well as core security capabilities. This distributed approach enables the dynamic isolation of assets in security zones with predefined security policies that are established by system users to reduce recovery time. Cyber threat experts and analysts, as well as system operators, will have a centralized platform to engineer their networks and define how the networks will react to events like link loss or unauthorized packets. Operators can visualize, monitor, and manage the planned recovery by controlling and managing all forensic investigations from one place. The power of visualizing the effects ahead of an attack helps avoid missteps and accelerates the triage and recovery process.

Discovery of networked nodes

One of the most critical challenges within ICS networks today is gaining visibility into what devices are on the network, what the communications partners of each device are, and what protocols are required for the machine-to-machine communications. The security state monitoring software will provide a module for identifying, managing, and determining the baseline of each asset within the system. The software will also provide a historical record of active devices on the network as well as devices that are no longer active. The historical record will aid in incident response during an investigation by providing a complete visual record of which assets were connected.

The user interface for the software will provide a graphical network view with a time-based slider, allowing the user to scroll through time or enter a specific time range. The key to success is making the software easy to use, merging the physical and cyber events into an easy-to-understand visual representation of what is happening at any given time, and identifying when monitored network behavior deviates from the approved, whitelisted baseline.

Critical infrastructure risk planning

Energy infrastructure requires planning ahead to mitigate risks in a way that prevents system failure or the shutdown of critical parts of the infrastructure. This creates a challenge for system operators and cyber experts who must plan for various situations to ensure the operational continuity of critical infrastructure. The Chess Master project will provide a new paradigm for managing, planning,
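To make the whitelisted, proactively engineered flow model described above concrete, here is an added example (not code from the article, SEL, or the Chess Master project) of a minimal OpenFlow-style switch: every flow and failover path is installed in advance, forwarding continues from the local table without the controller, and a packet that matches no engineered flow is punted to the controller as a baseline deviation instead of being forwarded. Port numbers, MAC addresses, and the single GOOSE flow are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Match:
    in_port: int
    eth_src: str
    eth_dst: str
    eth_type: int  # 0x88B8 = GOOSE, 0x0800 = IPv4

@dataclass
class Flow:
    match: Match
    out_ports: tuple  # planned paths in order: primary first, failover after

class OTSdnSwitch:
    # Deny-by-default: a packet either hits an engineered flow or goes to the controller.
    def __init__(self, flows):
        self.flows = {f.match: f for f in flows}  # whitelist table, installed ahead of time
        self.down_ports = set()
        self.packet_in = []  # unplanned packets punted to the controller; no mirror port

    def set_link(self, port, up):
        (self.down_ports.discard if up else self.down_ports.add)(port)

    def handle(self, pkt):
        # Forwarding works from the local table even if the controller is offline.
        flow = self.flows.get(pkt)
        if flow is None:
            self.packet_in.append(pkt)  # deviation from the whitelisted baseline
            return ("controller", None)
        for port in flow.out_ports:  # pre-planned failover: first healthy path wins
            if port not in self.down_ports:
                return ("forward", port)
        return ("drop", None)  # every planned path is down

# Constructed sample engineering: relay A on port 1 publishes GOOSE to a multicast
# group reachable via port 3 (primary) or port 4 (failover). MAC addresses are made up.
RELAY_A = "02:00:00:00:00:01"
GOOSE = Match(in_port=1, eth_src=RELAY_A, eth_dst="01:0c:cd:01:00:01", eth_type=0x88B8)
ENGINEERED_FLOWS = [Flow(GOOSE, out_ports=(3, 4))]

def demo():
    sw = OTSdnSwitch(ENGINEERED_FLOWS)
    results = [sw.handle(GOOSE)]        # primary path
    sw.set_link(3, up=False)            # link loss on the primary path
    results.append(sw.handle(GOOSE))    # failover path, no controller round trip
    rogue = Match(in_port=5, eth_src="02:00:00:00:00:99", eth_dst=RELAY_A, eth_type=0x0800)
    results.append(sw.handle(rogue))    # unplanned host: visibility event, not forwarded
    return results, len(sw.packet_in)
```

The punted packet in `sw.packet_in` is the raw material for the historical device record and baseline-deviation alerts the monitoring software is meant to build; in a real deployment the controller, not the switch, would keep that record.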

