Page 30

Industrial Ethernet Book 104

Technology Applications

OT SDN vs. IT SDN

Key attribute                                   OT SDN                 IT SDN
Network state                                   Persistent             Dynamic
Network control                                 Purpose-engineered     Traffic-reactive
Controller purpose following switch deployment  Monitor                Control
Security                                        Deny-by-default        Forward-by-default
Fault-healing speed                             Link detect            Flow setup time
Network management                              Proactively planned    Fault-reactive

programming, and pre-provisioning ICS networks. Just as software developers program for exceptions and error paths in their code, the Chess Master security state monitoring software will provide the ability to program for exceptions to normal network traffic behavior.

Security zone

A security zone is a collection of assets (e.g., PLCs, RTUs, and SCADA) that function together based on communications flows that are grouped to form a logical enclave or zone. The grouping of these assets and their communications flows within an isolated zone creates a trusted region to keep the critical infrastructure in good health and operational by protecting it from unauthorized communications. It is very important for ICSs to have such trusted regions to keep critical assets functioning, even during adversarial activity. The ability to design and provide dynamic security zones for different threat levels gives operators a powerful tool to visually plan and manage the security needs of the ICS before an attack or cyber incident.

Security operational states

A security operational state is a set of rules to describe what the communications are allowed to do in a facility. One or more operational states can be associated with a security zone or across zones based on the cyber threat situation or the system-wide scope.

Security policy

The Chess Master security state monitoring software will allow an operator to build different operational states to develop a security management policy. Different policies can be programmed for different threat levels.
A security policy describes how security is managed for critical infrastructure and how treatment changes as the threat level changes. A comprehensive policy workflow shifts the paradigm on security management from reactive analytics and detection to preplanned, pre-provisioned design for management under different situations.

Security building blocks

SDN provides a unique perspective on network security implementation. Security functions are the lowest-level constructs needed to implement security policies, based on higher-level constructs of security zones and security profiles. The security orchestrator separates higher-level constructs into simple, low-level building blocks and orchestrates their execution in the SDN-enabled switches using the OT flow controller. The primary objective of the orchestrator is to apply the security building blocks to realize the security objectives described by the higher-level constructs. The security orchestrator also coordinates the dynamic transition of security policies and profiles necessitated by changes in threat levels. The security functions presented to the northbound interface of the flow controller enable the software to convert the policies into sets of configurations.

New paradigm for detection

Most network detective controls focus their efforts on detecting the installation of malware as early in the cyber kill chain as possible. This can allow an adversary to be present on the network for 12–18 months before they are detected. To truly reduce the attack surface, a new paradigm is required. SDN provides the foundation necessary to detect intrusion at the Reconnaissance phase. An adversary needs to understand the network and know what operating systems (OSs) and other software are used on targets in order to move into the Deliver or the Weaponize stages. The Chess Master project will provide a generic prevention mode to protect the network against an adversary attempting to learn the network by using rogue scans.
All ARP traffic for the critical infrastructure is relayed to the Chess Master analytics platform, and the orchestrator provides proxy ARP services to the assets marked as critical. MAC addresses and IP addresses are masked for traffic external to security zones for critical infrastructure. All multicast and broadcast traffic outside the security zone is blocked.

Conclusion

SDN provides OT networks with greater performance, stronger cybersecurity, and better situational awareness than traditional networking solutions. The Chess Master team is developing technology that takes advantage of the OT SDN infrastructure to more efficiently manage the cybersecurity of the system. These new controls simplify the management, strengthen the controls, reduce the attack surface, and support the reliable operation of energy systems. The resulting technology will enable greater situational awareness, allowing for strong system-wide security policy enforcement and near real-time baselining. Having complete network visibility and control; threat-based security zones and policies; and read, read-write, or unidirectional control over network flows represents a compelling advancement in an environment where simple visibility at the control layer is not readily available. SDN technology removes traditional network restrictions, allows networks to be purpose-engineered, and achieves performance that redefines what is possible. Programmable network infrastructure allows the creation of new best-known methods to deliver information between applications and services. SDN technology allows OT network engineers to purpose-engineer their networks to support even the most demanding applications for operating, controlling, and monitoring critical infrastructure. It allows owners to centrally monitor and deploy managed change control services without application disruption.
These cybersecurity advances will require network engineers to rethink what a subnet is and how packets should be filtered through each hop. The Chess Master project is positioned to bring more advanced security controls to market that will also help improve reliability through better network performance and simplify the technology in the system at the same time.

Roger Hill, Veracity Industrial Networks, Inc. and Rhett Smith, Schweitzer Engineering Laboratories, Inc.

30 industrial ethernet book 2.2018
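As an added example (not code from the article or from the Chess Master project), a toy Python orchestrator for the security building blocks and reconnaissance-detection sections above: it compiles a constructed zone's operational states and a threat-level policy into ordered, deny-by-default flow rules, relays ARP toward the analytics platform, drops broadcast and multicast, and flags sources whose traffic repeatedly misses the engineered flows. Zone addresses, ports, state names and the miss threshold are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample zone: SCADA host 10.1.0.50 polls PLC .10 over Modbus/TCP and
# RTU .11 over DNP3. A flow is (src, dst, proto, dport); "*" is a wildcard.
ZONE_STATES = {                                   # security operational states
    "normal":   {("10.1.0.50", "10.1.0.10", "tcp", 502),
                 ("10.1.0.50", "10.1.0.11", "tcp", 20000)},
    "elevated": {("10.1.0.50", "10.1.0.10", "tcp", 502)},   # SCADA -> PLC only
    "lockdown": set(),                                      # zone fully isolated
}
POLICY = {"low": "normal", "high": "elevated", "critical": "lockdown"}  # threat -> state

def is_bcast_or_mcast(dst):
    return dst == "255.255.255.255" or ipaddress.ip_address(dst).is_multicast

def compile_rules(threat_level):
    """Orchestrator step: expand the operational state the policy selects for this
    threat level into an ordered list of (match, action). First match wins; the
    trailing wildcard entry is the deny-by-default building block."""
    rules = [(("*", "*", "arp", "*"), "relay-to-analytics")]   # ARP goes to analytics
    for flow in sorted(ZONE_STATES[POLICY[threat_level]]):
        rules.append((flow, "forward"))
    rules.append((("*", "*", "*", "*"), "deny-default"))
    return rules

def classify(rules, pkt):
    """Switch behaviour for one packet (src, dst, proto, dport)."""
    if pkt[2] != "arp" and is_bcast_or_mcast(pkt[1]):
        return "drop-bcast"                       # broadcast/multicast blocked
    for match, action in rules:
        if all(m == "*" or m == p for m, p in zip(match, pkt)):
            return action
    return "deny-default"

def scan_suspects(rules, pkts, threshold=3):
    """Detection step: in a deny-by-default network a table miss is the
    reconnaissance signal; a source that misses repeatedly is flagged."""
    misses = Counter(p[0] for p in pkts if classify(rules, p) == "deny-default")
    return sorted(src for src, n in misses.items() if n >= threshold)

# Constructed traffic: legitimate SCADA polling plus one host probing ports.
TRAFFIC = [("10.1.0.50", "10.1.0.10", "tcp", 502), ("10.1.0.50", "10.1.0.11", "tcp", 20000),
           ("10.1.0.99", "10.1.0.10", "tcp", 22), ("10.1.0.99", "10.1.0.10", "tcp", 80),
           ("10.1.0.99", "10.1.0.11", "tcp", 502), ("10.1.0.99", "255.255.255.255", "udp", 137)]

if __name__ == "__main__":
    for level in POLICY:
        rules = compile_rules(level)
        print(level, [classify(rules, p) for p in TRAFFIC], scan_suspects(rules, TRAFFIC))
```

Raising the threat level only shrinks the forward list; the relay, drop and deny rules stay in place, so detection keeps working while the zone is isolated.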

