Software Defined VS Hardware Defined Networks for SCADA
Introduction: Paul Myer
– CEO, Veracity Industrial Networks
– Public Engines – Predictive Analytics
– M86 Security – Web, Email Security
– Compaq, NEC
– NOT an Engineer
Industrial Network Security
Industrial Networks
Session Agenda
• Ethernet Refresher
• Hardware Defined Networking (HDN) Overview
• Software Defined Networking (SDN) Overview
• Security Impacts of SDN for Industrial Networks
Ethernet Refresher
[Figure: the 6-octet Media Access Control (MAC) address. Octets 1–3 are the Organization Unique Identifier (OUI) assigned to the vendor; octets 4–6 identify the individual Network Interface Controller (NIC).]
• An Ethernet frame is the data link layer (Layer 2) unit of transmission, comprised of 6 fields (preamble, destination MAC, source MAC, type, payload and CRC) which are assembled to carry any higher layer protocol over an Ethernet fabric.
• An IP packet is a formatted unit of data which can be transmitted across different physical topologies (e.g. Ethernet).
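To make the frame layout concrete, here is an added example (not code from the original slides): a parser that splits an Ethernet II frame into its fields, verifies the CRC-32 frame check sequence, and breaks each MAC into its OUI and NIC halves plus the two flag bits of the first octet. The sample frame is constructed inline; the hosts, MACs and payload are assumptions.

```python
import struct
import zlib

def mac_str(raw: bytes) -> str:
    """Render 6 raw octets as the usual colon-separated hex string."""
    return ":".join(f"{b:02x}" for b in raw)

def split_mac(raw: bytes) -> dict:
    """Split a MAC into its 3-octet OUI and 3-octet NIC halves and decode the two flag
    bits of the first octet: bit 0 (I/G) marks a group/broadcast address, bit 1 (U/L)
    marks a locally administered address rather than a vendor burned-in one."""
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 octets")
    return {
        "oui": mac_str(raw[:3]),
        "nic": mac_str(raw[3:]),
        "group": bool(raw[0] & 0x01),
        "locally_administered": bool(raw[0] & 0x02),
    }

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble dst | src | type | payload | FCS. The payload is padded to the 46-byte
    minimum; the FCS is CRC-32 over everything before it, least-significant byte first."""
    payload = payload.ljust(46, b"\x00")
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame (preamble/SFD already stripped by the NIC) and check its FCS."""
    if len(frame) < 64:
        raise ValueError("runt frame: shorter than the 64-byte minimum")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload, fcs = frame[14:-4], frame[-4:]
    expected = struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    return {
        "dst": mac_str(dst), "dst_info": split_mac(dst),
        "src": mac_str(src), "src_info": split_mac(src),
        "ethertype": ethertype,
        "payload": payload,
        "fcs_ok": fcs == expected,
    }

# Constructed sample (assumption): the engineering workstation (...:01) sending an
# IPv4 (EtherType 0x0800) frame to the PLC (...:02) with a dummy payload.
ENG_STN = bytes.fromhex("000000000001")
PLC = bytes.fromhex("000000000002")
SAMPLE_FRAME = build_frame(PLC, ENG_STN, 0x0800, b"\x45\x00" + b"dummy IP packet")
# Same frame with one payload byte flipped, as a corrupted-on-the-wire example.
CORRUPTED_FRAME = SAMPLE_FRAME[:20] + bytes([SAMPLE_FRAME[20] ^ 0xFF]) + SAMPLE_FRAME[21:]

if __name__ == "__main__":
    for name, f in (("sample", SAMPLE_FRAME), ("corrupted", CORRUPTED_FRAME)):
        info = parse_frame(f)
        print(name, info["src"], "->", info["dst"], hex(info["ethertype"]),
              "fcs ok" if info["fcs_ok"] else "FCS MISMATCH")
```

The I/G bit is what lets a switch decide, from the first octet alone, whether a destination is a unicast station or a group address that has to be flooded; the U/L bit is worth watching on an industrial network because vendor-assigned NICs normally have it clear, so a locally administered source address is a cheap spoofing indicator.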
Networking Basics… A Look ‘Back’ at Hubs
Hubs
Pros: Cheap, easy to monitor.
Cons: Delays, as every transmission is repeated out of every port. Collisions, collisions, collisions…
[Diagram: hub connecting HMI, PLC, RTU and engineering workstation]
Networking Basics… A Look at Switches
Switches
Pros: Fast packet forwarding. Good for a small piece of a network.
Cons: Lack of visibility (each port only sees its own traffic).
[Diagram: switch connecting HMI, PLC, RTU and engineering workstation]
How A Switch Works
[Diagram: switch (ports 5–8) connecting the engineering workstation, HMI and PLC]
Address forwarding table (MAC address → port):
  00:00:00:00:00:01  {ENG STN}  192.168.1.120
  00:00:00:00:00:02  {PLC}      192.168.1.140
  00:00:00:00:00:03  {HMI}      192.168.1.130
ARP example: the switch learns which port each MAC address sits behind from the source address of the frames it sees, the ARP request and reply included, and updates its forwarding table accordingly.
  ENG STN (broadcast): “Who is 192.168.1.140?”
  HMI: “Not me, so ignore..”
  PLC: “That’s me!”
  ENG STN (broadcast): “Who is 192.168.1.130?”
  HMI: “That’s me!”
  PLC: “Not me, so ignore..”
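The learning behaviour behind that table, as an added example (not code from the original slides): a simulated transparent switch that learns MAC → port from source addresses, floods broadcasts and unknown unicasts, and the slide's three hosts running the ARP exchange across it. The MACs and IPs are the ones on the slide; the port assignment (5, 6, 7, with 8 empty) is an assumption.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    dst: str
    src: str
    kind: str            # "arp_request", "arp_reply" or "data"
    sender_ip: str = ""
    target_ip: str = ""

class LearningSwitch:
    """Transparent bridge: learns MAC -> port from source addresses, floods what it does not know."""
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}                       # MAC address -> port (the address forwarding table)

    def forward(self, in_port, frame):
        """Return the list of ports the frame is sent out of."""
        self.table[frame.src] = in_port       # learn from every frame, ARP or not
        if frame.dst == BROADCAST or frame.dst not in self.table:
            return [p for p in self.ports if p != in_port]     # flood: broadcast or unknown unicast
        out = self.table[frame.dst]
        return [] if out == in_port else [out]                  # known unicast: one port only

@dataclass
class Host:
    name: str
    mac: str
    ip: str
    port: int
    arp_cache: dict = field(default_factory=dict)

    def on_frame(self, frame):
        """Host side of ARP: answer requests for my IP ("That's me!"), ignore the rest."""
        if frame.kind == "arp_request" and frame.target_ip == self.ip:
            return Frame(dst=frame.src, src=self.mac, kind="arp_reply",
                         sender_ip=self.ip, target_ip=frame.sender_ip)
        if frame.kind == "arp_reply" and frame.dst == self.mac:
            self.arp_cache[frame.sender_ip] = frame.src
        return None                            # "Not me, so ignore.."

class Network:
    def __init__(self, switch, hosts):
        self.switch = switch
        self.by_port = {h.port: h for h in hosts}
        self.log = []                          # (frame kind, source MAC, in port, out ports)

    def send(self, host, frame):
        queue = [(host.port, frame)]
        while queue:
            in_port, fr = queue.pop(0)
            outs = self.switch.forward(in_port, fr)
            self.log.append((fr.kind, fr.src, in_port, outs))
            for p in outs:
                receiver = self.by_port.get(p)  # port 8 has nothing plugged in
                reply = receiver.on_frame(fr) if receiver else None
                if reply:
                    queue.append((p, reply))

def arp_resolve(net, requester, target_ip):
    """Broadcast 'Who is target_ip?' and return the MAC that answered (None if nobody did)."""
    req = Frame(dst=BROADCAST, src=requester.mac, kind="arp_request",
                sender_ip=requester.ip, target_ip=target_ip)
    net.send(requester, req)
    return requester.arp_cache.get(target_ip)

def build_demo():
    """The slide's three hosts behind a 4-port switch; the port numbers are assumed."""
    eng = Host("ENG STN", "00:00:00:00:00:01", "192.168.1.120", 5)
    plc = Host("PLC", "00:00:00:00:00:02", "192.168.1.140", 6)
    hmi = Host("HMI", "00:00:00:00:00:03", "192.168.1.130", 7)
    return Network(LearningSwitch([5, 6, 7, 8]), [eng, plc, hmi]), eng, plc, hmi

if __name__ == "__main__":
    net, eng, plc, hmi = build_demo()
    print("192.168.1.140 is at", arp_resolve(net, eng, "192.168.1.140"))
    for entry in net.log:
        print(entry)
    print("forwarding table:", net.switch.table)
```

Two things the simulation makes visible that the slide does not: the switch learns the PLC's port from the unicast ARP reply, not from the broadcast request, and the HMI is never learned at all because it only received frames. That is also why a plain switch offers so little visibility: once both ends are in the table, ENG STN → PLC traffic appears on port 6 and nowhere else.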
HDN Device Summary

                  HUB                      SWITCH                         ROUTER
Layer             Physical layer           Data link layer                Network layer
Role              Broadcast device         Unicast forwarding device      Routing device
Connects          Devices in the same      Devices in the same network    Two or more different networks
                  network
Duplex            Half-duplex only         Full duplex                    Full duplex
Addressing        Doesn't store any data   Stores/uses MAC addresses      Uses IP addresses to transfer data
                                           to transfer data
Software-Defined Networking (SDN) – Cutting Through The Noise
• Many Vendors = Many Agendas
• Tons of value, low adoption
• Industrial networks are a sweet spot
• Bottom line: the (entire) network’s behavior is centrally defined using human-friendly abstractions (people, time, devices, places)
• No more switch-by-switch management
• Centralized policy and security
• Combine rich primitives (zones, devices) into business-oriented policies
• Entire network fabric vs. wire bumps, overlays, etc.
HDN VS. SDN
[Diagram: Hardware Defined Networking – every switch carries its own control plane on top of its data plane. Software Defined Networking – each switch keeps only its data plane plus a controller agent; a single SDN controller (logical control plane) holds the control function and exposes APIs to the business applications.]
Software Defined Networking: logical separation of the control plane into a centralized control plane.
SDN Controller…Control
• Switch is ‘adopted’ by the controller
• Secure command channel (TLS connection) established
• ‘Flow rules’ are pushed to the switches
• Statistical data/counters sent to the controller
• Network becomes ‘just a bunch of ports’
[Diagram: SDN controller (logical control plane) connected to each switch’s controller agent over a command channel TLS connection]
SDN: Packet Forwarding Pt 1… Unknown / New Traffic
HMI 1 pings PLC 1. (1) The switch looks the packet up in its match/action table and finds no match. (2) The first packet goes to the SDN controller. (3) The controller decides and pushes the rule “PLC 1 → Port 6” to the switch. (4) The switch forwards the packet out of port 6.
SDN: Packet Forwarding Pt 2… Known and Allowed Traffic
The next ping from HMI 1 to PLC 1 matches the rule “PLC 1 → Port 6” already in the switch’s table and is forwarded directly, without involving the controller.
ARP Use Case: ARP Proxy
The engineering workstation asks: “Get address of 192.168.1.130”. The SDN controller performs ARP inspection & response: it answers the request itself (proxy), replying 00:00:00:00:00:03 for 192.168.1.130, so the request does not have to be flooded to HMI 1 and the other hosts.
ARP Use Case: ARP Scanning Prevention
The engineering workstation starts ARP-scanning the subnet. The SDN controller detects the ARP scanning, sends an alert, and responds with non-existing addresses (‘deception’), preventing the adversary from mapping out network devices and services.
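Both ARP use cases in one controller-side handler, as an added example (not Veracity's or the slide's code): requests for hosts in the controller's inventory get a proxy reply, requests for unknown addresses are counted per requester in a sliding window, and once the count crosses a threshold the requester is flagged, an alert is raised, and every further probe gets a fabricated locally administered MAC. The inventory, the 5-in-10-seconds threshold and the 02:00:00 deception prefix are assumptions.

```python
from collections import defaultdict, deque

class ArpGuard:
    """Controller-side ARP handling: proxy-answer known hosts, detect and deceive scanners."""
    def __init__(self, inventory, window=10.0, threshold=5, deception_oui="02:00:00"):
        self.inventory = dict(inventory)     # authoritative IP -> MAC (provisioned or learned)
        self.window = window                 # seconds
        self.threshold = threshold           # unknown-target requests in the window that count as a scan
        self.deception_oui = deception_oui   # locally administered prefix used for fake replies
        self.misses = defaultdict(deque)     # requester MAC -> timestamps of requests for unknown IPs
        self.flagged = set()                 # requester MACs already identified as scanners
        self.alerts = []

    def _deception_mac(self, target_ip):
        """Fake but stable MAC derived from the probed IP, so repeated probes see a consistent 'host'."""
        b, c, d = (int(x) for x in target_ip.split(".")[1:])
        return f"{self.deception_oui}:{b:02x}:{c:02x}:{d:02x}"

    def on_arp_request(self, now, src_mac, target_ip):
        """packet-in handler for an ARP request; returns the action the controller takes."""
        if target_ip in self.inventory:
            # Known host: the controller answers on its behalf, nothing is flooded.
            return {"action": "proxy_reply", "mac": self.inventory[target_ip]}
        stamps = self.misses[src_mac]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()                 # forget misses older than the window
        if src_mac not in self.flagged and len(stamps) >= self.threshold:
            self.flagged.add(src_mac)
            self.alerts.append(f"ARP scanning detected from {src_mac}: "
                               f"{len(stamps)} unknown targets within {self.window:g}s")
        if src_mac in self.flagged:
            # Deception: answer with a non-existing address so the map the scanner builds is wrong.
            return {"action": "deceive", "mac": self._deception_mac(target_ip)}
        # Unknown target, below threshold: nothing legitimate can answer, so do not flood the fabric.
        return {"action": "drop"}

# Constructed inventory from the slides' hosts (assumption: the controller already knows all three).
INVENTORY = {
    "192.168.1.120": "00:00:00:00:00:01",   # ENG STN
    "192.168.1.140": "00:00:00:00:00:02",   # PLC
    "192.168.1.130": "00:00:00:00:00:03",   # HMI
}
ENG_STN = "00:00:00:00:00:01"

def run_demo():
    """One legitimate lookup from the workstation, then a burst of probes at unused addresses."""
    guard = ArpGuard(INVENTORY, window=10.0, threshold=5)
    results = [guard.on_arp_request(0.0, ENG_STN, "192.168.1.130")]
    for i in range(1, 7):
        results.append(guard.on_arp_request(0.5 * i, ENG_STN, f"192.168.1.{200 + i}"))
    return guard, results

if __name__ == "__main__":
    guard, results = run_demo()
    for r in results:
        print(r)
    print(guard.alerts)
```

The choice to drop, rather than flood, a below-threshold request for an unknown address follows from the controller holding the inventory: on a fabric where every conversation is whitelisted, a request nobody can answer only helps a scanner, and flooding it would hand the switch table a source address to learn. A slow scanner that stays under the threshold is still seen by the counters even though it is never flagged.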
Security Defined Forwarding
Known and allowed traffic: A pings B. Switch: “I know what to do with ping.” (handled by the switch alone)
Unknown / new traffic: A sends DNP3 to B. Switch to SDN controller: “What do I do with DNP3 from A to B?” Controller: “Pass it and remember for next time.”
“Working” traffic never leaves the switching fabric.
Security Defined Forwarding Pt 2
Known and denied traffic: A tries FTP to B. SDN controller: “Not allowed.”
Known, allowed, and audited traffic: A FTPs to B. SDN controller: “A is FTP’ing to B. I will alert people. I might copy the packets to a logger, too.”
SDN: Quarantined Devices (or Device Types.. Or Zones.. Or..)
A sends various traffic to B. SDN controller: “A is trying to do things. I will alert people. I might copy the packets to a logger, too.”
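The packet-forwarding, security-defined forwarding and quarantine slides above describe one mechanism, so here is one added example covering all of them (not the slide's or any vendor's code): a switch with a match/action flow table that sends a table miss to a controller, and a controller whose policy is a whitelist of (source, destination, protocol) conversations plus an audit list and a quarantine list. Whatever the controller decides, allow or deny, is installed as a flow so the next packet of that conversation never leaves the fabric. Hosts A, B and Q, the port numbers, the protocol names and the policy itself are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Match:
    src: str
    dst: str
    proto: str          # "icmp", "dnp3", "ftp", ...

@dataclass
class Decision:
    action: str         # "forward" or "drop"
    out_port: int = -1
    mirror: bool = False   # also copy the packets to a logger
    alert: str = ""

class PolicyController:
    """Logical control plane: a whitelist of M2M conversations plus audit and quarantine lists."""
    def __init__(self, ports, allow, audit=(), quarantine=()):
        self.ports = dict(ports)                   # host -> switch port
        self.audit = set(audit)                    # allowed, but alerted and mirrored
        self.allow = set(allow) | self.audit       # (src, dst, proto) conversations permitted
        self.quarantine = set(quarantine)          # hosts that may talk to nobody
        self.alerts = []
        self.packet_ins = 0                        # how often the first packet reached the controller

    def packet_in(self, m):
        """Decide the first packet of a new conversation. Everything not whitelisted is dropped."""
        self.packet_ins += 1
        key = (m.src, m.dst, m.proto)
        if m.src in self.quarantine or m.dst in self.quarantine:
            alert = f"quarantined host: {m.src} is trying {m.proto} to {m.dst}"
            self.alerts.append(alert)
            return Decision("drop", mirror=True, alert=alert)     # drop, but keep the evidence
        if key not in self.allow:
            alert = f"not allowed: {m.proto} from {m.src} to {m.dst}"
            self.alerts.append(alert)
            return Decision("drop", alert=alert)
        decision = Decision("forward", out_port=self.ports[m.dst])
        if key in self.audit:
            decision.mirror = True
            decision.alert = f"{m.src} is {m.proto}'ing to {m.dst}"
            self.alerts.append(decision.alert)
        return decision

class SdnSwitch:
    """Data plane: a match/action table. A miss goes to the controller; the answer is installed as a flow."""
    def __init__(self, controller):
        self.controller = controller
        self.flows = {}      # Match -> Decision

    def handle(self, m):
        decision = self.flows.get(m)
        if decision is None:                       # unknown / new traffic: ask the controller
            decision = self.controller.packet_in(m)
            self.flows[m] = decision               # "remember for next time", allow and deny alike
        return decision

def build_demo():
    """Assumed policy: A may ping and speak DNP3 to B, FTP from A to B is allowed but audited,
    Q is quarantined, and anything else is denied."""
    ctl = PolicyController(
        ports={"A": 1, "B": 2, "Q": 3},
        allow={("A", "B", "icmp"), ("A", "B", "dnp3")},
        audit={("A", "B", "ftp")},
        quarantine={"Q"},
    )
    return SdnSwitch(ctl), ctl

if __name__ == "__main__":
    sw, ctl = build_demo()
    for m in (Match("A", "B", "icmp"), Match("A", "B", "icmp"), Match("A", "B", "dnp3"),
              Match("A", "B", "ftp"), Match("B", "A", "ftp"), Match("Q", "B", "dnp3")):
        print(m, "->", sw.handle(m))
    print("controller consulted", ctl.packet_ins, "times; alerts:", ctl.alerts)
```

Caching the deny decision in the flow table is deliberate: if only allows were installed, a rejected host could keep the control channel busy by retrying, which is the kind of controller-side load a fabric like this has to stay immune to. The audit alert fires once per new conversation; the mirror flag stays on the installed flow so the logger keeps receiving copies without the controller seeing each packet.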
SDN: Industrial Networks Security Implications
• 100% visibility of devices & ‘conversations’
• Segmentation/security zones on-demand by software, executed at the first packet forwarding device (switch)
• Management of the network fabric as a single device
• Fast failover, network healing with multi-path detection
• “Security agility” provides the ability to define policy/segmentation based upon threat level
• Additional “iSecurity Controls” can be realized as ‘business applications’ on the abstracted northbound API
Chess Master Project Overview
Cybersecurity for Energy Delivery Systems (CEDS), Topic Area of Interest 3: invent and commercialize a solution to continually and autonomously reduce the cyber attack surface for control systems.
Chess Master Vision:
• Leverage programmable network fundamentals (SDN)
• Policy based whitelist of M2M communication
• On demand payload capture and quarantine
• Platform to Identify, Protect, Detect, Respond & Recover
• Providing a new category of Prevention
• Encryption of network flows
Continuous and Autonomous Reduction of Cyber Attack Surface
Thank You – Q&A