TRANSCRIPT
November 30, 2011
Baker Hughes Discussion
Confidential McAfee Internal Use Only
The SGSIA addresses the entire ecosystem.
• The Smart Grid Security Innovation Alliance is a working association dedicated to practical deployment of the smart grid complex system solution in the United States:
  – Utilities
  – Systems integrators
  – Manufacturers
  – Technology partners
  – National certification and interoperability entity
• The alliance is intended to give the CEO of a utility the purview of up-to-the-moment knowledge of the options available to make wise investment decisions regarding infrastructure deployment for optimal returns.
The variation includes the proper orientation for large, medium, and small utilities.
Participants
• First Build
  – Integrated Architectures
  – Drummond Group
  – Wurldtech
  – Sypris
  – SAIC
  – Nakina
  – OATI
  – Silver Springs*
  – Landis & Gyr*
  – GE*
  – Ecological Analytics*
• Subsequent Builds
  – Schweitzer Engineering Labs
  – RuggedCom
  – Coulomb*
  – Wurldtech
  – OSIsoft
  – SNMP Research
  – Emerson Ovation
  – Honeywell
  – Certipath
  – First Data
  – Ambient
  – Tibco
  – NitroSecurity
  – Pitney Bowes
  – McAfee (3)
  – Tiger’s Lair
  – PsiNaptic
  – Green Hills
  – TeamF1
  – Actiontec
  – Verizon
  – Verisign
  – Entrust
  – SafeNet
  – Thales
  – Microsoft
  – Telcordia
  – e-Meter
  – Cisco
  – Motorola
  – Wind River
* We will work with your incumbent smart meter provider in conjunction with the home gateway program.
The embedded systems include:
Our strategy is to provide certified interoperability to the key devices controlling the grid.
The McAfee HSM solution would be embedded at each critical point in the energy infrastructure.
All points must connect to each other in an end-to-end system.
Our analysis using the architecture model shows that, of all the myriad elements in the functional diagrams, there are really only four recurring design patterns that are intrinsic to the security strategy.
The SGSIA is a source of interoperable system security elements using standardized design patterns.
To establish the secure communications from the Controller to the Device Node using the Security Fabric elements, let us proceed in chronological order.
1. Identity Management – Ensures the device identity is established genuinely.
2. Mutual Authentication – Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other.
3. Authorization – Manages permission to proceed with specific operations.
4. Audit – Records noteworthy events for later analysis.
5. Confidentiality – Encrypts sensitive data for matters of privacy.
6. Integrity – Ensures that messages have not been altered.
7. Availability – Prevents denial of service attacks.
8. Non-repudiability – Ensures that the authority for events cannot be denied after the fact.
These are the eight tenets of security as described in the NIST-IR 7628 Guidelines.
The general approach to power distribution.
[Diagram: tiers Central Control, Substation Relay, Neighborhood Relay and Local Area Relay; components Tibco “FTL”, CloudShield MPP, Nitro SIEM, RuggedCom Application Card, Ambient Application Card, Intel Application Card, Communications / Firewall, FTL (E&LM), SIEM, E&LM, Sensor Mgt, Meter App, SA, Cell Manager, Master Agent (MA), Posture Validation, Remediation Server, Jini SP, “Multicast Alert Relay”; “Cell Management” and “Local Management” domains.]
A tailored trustworthy space (TTS) provides flexible, adaptive, distributed trust environments for a set of devices and applications that can support functional and policy requirements arising from a wide spectrum of activities in the face of an evolving range of threats.
A TTS recognizes a device’s context and evolves as the context evolves.
Let us define the Security Fabric by building a control system.
An example of a tailored trustworthy space built using the Security Fabric components:
In a control system, there are a controller and several devices controlled by remote device nodes.
[Diagram: Controller, Device Node.]
Sometimes they are redundant for high availability.
They talk to each other using IP-based switches.
[Diagram: Controller – Switch – Switch – Device Node, joined by Enet links.]
They have management workstations and servers that supervise the controller and device nodes.
[Diagram adds: Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS.]
Fault Management operates from the operator workstation – this includes surveillance + operator commands.
Configuration Management operates from the engineering workstation augmented by the database server – this includes configuration parameters + the firmware repository.
Usage and log management operates from the historian – the event management and distribution occurs here.
Security management is administered on the security server – but real-time security operations happen on the domain server.
[Diagram adds: GPS Time Sync.]
The Security Fabric permeates the distributed management functions, but is mostly separate from the application functions.
Our strategy is to separate the management functions from the application functions as much as possible…
so that if the application becomes compromised or inoperable, the management system can easily be used to remediate the problem.
With this in mind, both the Controller and the Device Node keep the management functions separate from the application.
[Diagram: Controller and Device Node each split into a Management partition and an Application partition.]
This is done using a separation kernel to keep the application from ever interfering with the management functions.
[Diagram: on both the Controller and the Device Node, a Hypervisor hosts two RTOS instances, one under the Management partition and one under the Application partition.]
The hypervisor creates two different virtual machines on both the Controller as well as the Device Node…
They function like two completely separate machines within each physical machine.
The application in the controller monitors and controls the application in the device node.
[Diagram adds: Application Session between the two Application partitions.]
These use the same physical wire, but must be securely isolated.
And the management functions and policies in the controller support the management agent in the device node.
[Diagram adds: Management Session between the two Management partitions, alongside the Application Session.]
These use the same physical wire, but must be securely isolated.
The first order of business is for the management workstations and servers to be powered on and ready for business.
There are many small steps that occur when servers and PCs power up, but for simplicity’s sake, let’s assume that the devices and their applications are all powered up and initialized.
[Diagram: Switches, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS; Fault Management / Situational Awareness Console; Configuration Management Console.]
The Controller must power on before any of the device nodes can use it.
[Diagram: Controller (Management and Application partitions) connected through the Switches to the management workstations and servers.]
Identity Management is the most crucial aspect of embedded security – we use a Hardware Security Module to protect the unique identity of the Controller.
[Diagram adds: HSM in the Controller. Tenet: Identity Management.]
This is a special purpose ASIC that is FIPS 140-2 level 3 certified (environmentally tamper resistant).
It houses an array of crypto functions.
It self-generates and hides the secret key that identifies the device.
It manages the public key as well as the key management functions over the lifetime of the device.
It also maintains the secure clock for the device.
Identity generated & stored here as part of the secure supply chain process.
Step two is to use the secure identity to mutually authenticate and get credentials from the Domain Server that uses Active Directory and its Kerberos PKINIT service meant to support embedded devices.
[Diagram adds: Mutual Authentication between the Controller and the Domain Server. Tenets: Authentication, Authorization.]
• Mutual authentication occurs first
• The Controller then authorizes the download of additional security information
Step three is to use the secure credentials exchange to determine the authentic paths to important management servers, and to download the up-to-date whitelist.
[Diagram adds: IPsec VPN and Application Proxy on the Controller. Tenet: Auditing.]
• At registration time, the Controller also verifies the secure path to the
  – Firmware repository and configuration synchronizer on the Database Server
  – Event management service on the Historian
  – Secure time service on the Domain Server
• The Domain Server maintains the valid security certificates, deleting the ones that have been revoked
• It downloads the whitelist at registration (or any time else on demand).
• The Historian records the fact that the Controller is now operating.
Step four is to update the firmware to the latest rev if it is out of date.
[Diagram adds: Flash on the Controller; Policy Management (Change Mgt, Problem Mgt); IPsec VPN; Application Proxy. Tenet: Confidentiality.]
• If the firmware is out of date or not yet loaded, the Change Management policies will
  – Download the manifest of firmware that has been assigned for the device
  – Attest to the fact that the signatures are good so that the firmware is trusted
  – Store the new (as well as the old) firmware to persistent flash memory
  – Transition gracefully into production according to the current policies.
• IPsec ensures the software cannot be monitored and copied during downloads.
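The four Change Management steps above, as an added worked example that is not the deck's or McAfee's code: a Python model of the manifest check and the two-slot flash write. Assumptions not on the page: the manifest is JSON carrying the image name, version and SHA-256; the signature the deck says is attested is stood in for by an HMAC-SHA256 tag under a constructed provisioning key (the standard library has no public-key signature primitive, and in the deck's design that secret would sit behind the HSM). What the example shows is the order of checks: nothing in the manifest is trusted until the tag verifies, the image digest must match the manifest before flash is written, and the old image is kept next to the new one.

```python
"""Firmware update check modelled on the deck's Change Management steps.

Added example, not McAfee/SGSIA code. Constructed assumptions: JSON manifest,
HMAC-SHA256 tag standing in for the attested signature, two flash slots.
"""
import hashlib
import hmac
import json

# Constructed provisioning key; the deck would keep this secret in the HSM.
PROVISIONING_KEY = b"constructed-provisioning-key-not-real"


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Canonical JSON + HMAC-SHA256: the stand-in for the real signature."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def verify_manifest(manifest: dict, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


class Flash:
    """Two persistent slots: 'active' runs, 'previous' is kept for rollback."""

    def __init__(self, active_version: str, active_image: bytes):
        self.slots = {"active": (active_version, active_image), "previous": None}

    def version(self) -> str:
        return self.slots["active"][0]


def apply_update(flash: Flash, manifest: dict, tag: bytes, image: bytes, key: bytes) -> str:
    """Return 'rejected-manifest', 'up-to-date', 'rejected-image' or 'updated'.

    Order matters: the manifest is verified before any field in it is used,
    and the image is written only after its digest matches the manifest.
    """
    if not verify_manifest(manifest, tag, key):
        return "rejected-manifest"
    if manifest["version"] == flash.version():
        return "up-to-date"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return "rejected-image"
    flash.slots["previous"] = flash.slots["active"]  # keep the old firmware
    flash.slots["active"] = (manifest["version"], image)
    return "updated"


def demo() -> dict:
    """Constructed run: a good update, a re-run, a tampered image, a forged manifest."""
    new_image = b"constructed firmware image v2"
    manifest = {"device": "controller-class-A", "version": "2.0",
                "sha256": hashlib.sha256(new_image).hexdigest()}
    tag = sign_manifest(manifest, PROVISIONING_KEY)
    results = {}

    flash = Flash("1.0", b"constructed firmware image v1")
    results["good"] = apply_update(flash, manifest, tag, new_image, PROVISIONING_KEY)
    results["kept_previous"] = flash.slots["previous"][0]
    results["rerun"] = apply_update(flash, manifest, tag, new_image, PROVISIONING_KEY)

    flash2 = Flash("1.0", b"constructed firmware image v1")
    results["tampered_image"] = apply_update(
        flash2, manifest, tag, new_image + b"\x00", PROVISIONING_KEY)
    forged = dict(manifest, version="9.9")  # manifest edited after it was tagged
    results["forged_manifest"] = apply_update(flash2, forged, tag, new_image, PROVISIONING_KEY)
    results["still_v1"] = flash2.version()
    return results


if __name__ == "__main__":
    print(demo())
```

The deck's IPsec tunnel protects the download in transit; the checks above are what decides whether what arrived is run.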
All Device Nodes that want to be part of the Security Fabric must also authenticate with the Domain Server (the trusted third party) whenever they power up.
[Diagram adds: Device Node with its own HSM; Mutual Authentication between the Device Node and the Domain Server. Tenets: Authentication, Authorization.]
This prepares the Device Node to join the tailored trustworthy space.
The authentication ticket received from the Domain Server contains a section encrypted by the Device Node public identity key plus a section encrypted by the Controller public identity key.
• The Device Node also requests a ticket to talk to the Controller.
• The Domain Server encrypts a portion using the identity of each of the two machines.
The next step is for the Device Node to establish secure communications with the Controller.
[Diagram adds: Mutual Authentication between the Device Node and the Controller. Tenets: Authentication, Authorization.]
• The Device Node requests to join the Security Fabric using the ticket now also trusted by the Controller.
Once authenticated, the device node can proceed to establish two secure paths to the Controller: one for management purposes and one for application purposes.
[Diagram adds: Application Session and Management Session, with an IPsec VPN at both ends. Tenet: Confidentiality.]
These use the same physical wire, but must be securely isolated.
The small embedded firewall in the communications path protects against denial of service attacks as well as a number of sophisticated malware attacks.
[Diagram adds: Firewall on both the Controller and the Device Node. Tenet: Availability.]
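The slide names the firewall and its tenet (availability) but gives no rules. As an added example that is not the deck's or McAfee's code, here is a Python model of what a small embedded filter on the Controller does for that tenet: a default-deny allow-list of (peer, port) pairs plus a token bucket per source, so a flooding peer exhausts only its own budget while other peers keep flowing. The addresses, the rates and the packet stream are constructed; UDP 500 is IKE (the key exchange for the IPsec VPN the deck names), and port 5000 is a constructed stand-in for the management session.

```python
"""Default-deny embedded packet filter with per-source rate limiting.

Added example (not the deck's or McAfee's code). Rules, addresses, ports,
rates and the packet stream are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    t: float  # arrival time in seconds


class TokenBucket:
    """Admits `rate` packets per second on average, bursts of up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EmbeddedFirewall:
    """Only listed (peer, port) pairs pass; each peer gets its own bucket, so a
    flooding source exhausts only its own budget and other peers keep flowing."""

    def __init__(self, rules: set[tuple[str, int]], rate: float, burst: int):
        self.rules = rules
        self.buckets: dict[str, TokenBucket] = defaultdict(lambda: TokenBucket(rate, burst))

    def filter(self, pkt: Packet) -> str:
        if (pkt.src, pkt.dst_port) not in self.rules:
            return "drop:policy"
        if not self.buckets[pkt.src].allow(pkt.t):
            return "drop:rate"
        return "accept"


# Constructed policy for a Controller: IKE (UDP 500) and the management
# session (constructed port 5000) from the Device Node at 10.0.0.20, and the
# management session from the Domain Server at 10.0.0.5. Everything else drops.
RULES = {("10.0.0.20", 500), ("10.0.0.20", 5000), ("10.0.0.5", 5000)}


def run_demo() -> dict[tuple[str, str], int]:
    """Constructed traffic: one IKE packet, a 50-packet burst in 50 ms from the
    Device Node address, an unknown host probing port 5000, then the Domain Server."""
    fw = EmbeddedFirewall(RULES, rate=10.0, burst=5)
    stream = [Packet("10.0.0.20", 500, 0.0)]
    stream += [Packet("10.0.0.20", 5000, 0.001 * i) for i in range(1, 51)]
    stream += [Packet("192.168.1.99", 5000, 0.06), Packet("10.0.0.5", 5000, 0.07)]
    counts: dict[tuple[str, str], int] = defaultdict(int)
    for pkt in stream:
        counts[(pkt.src, fw.filter(pkt))] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(run_demo().items()):
        print(key, n)
```

With a bucket of 5 and a refill of 10 per second, the 51 packets from the Device Node address yield 5 accepts and 46 rate drops, the probe from the unlisted host is a policy drop, and the Domain Server's single packet is unaffected by the flood because it draws on its own bucket.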
The inter-process communications services of the middleware use messages to communicate back and forth between the Controller and the Device Node over the secure sessions.
[Diagram: Inter Process on both sides exchanging a Message over the Session.]
The inter-process communications service computes a secure message digest and appends it to the end of each message to ensure that the message is never altered in flight.
[Diagram: Message + MD (Message Digest) over the Session. Tenets: Integrity, Non-repudiability.]
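Two slides above describe the management and application sessions sharing one wire yet "securely isolated", and this one the digest appended to every message. As an added example that is not the deck's or McAfee's code, here is a Python model that covers both: a per-session key derived from one shared secret, and a frame format of sequence number + payload + appended digest. Assumptions not on the page: the shared secret is the session key carried in the Domain Server ticket, the derivation and the digest are HMAC-SHA256, and the sequence number is this example's addition so that a replayed frame is also rejected.

```python
"""Two sessions on one wire, each frame carrying an appended digest.

Added example, not code from the deck. Constructed assumptions: the shared
secret is the ticket's session key; per-session keys and the appended digest
are HMAC-SHA256; a sequence number precedes the payload.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

DIGEST_LEN = 32  # bytes of HMAC-SHA256 appended to every frame
SEQ_LEN = 8      # big-endian sequence number prefixed to the payload


def derive_session_key(ticket_key: bytes, label: bytes) -> bytes:
    """Distinct key per session, so a frame valid on one path is garbage on the other."""
    return hmac.new(ticket_key, b"sgsia-session|" + label, hashlib.sha256).digest()


class SecureChannel:
    """One direction of one session: wrap() on the sender, unwrap() on the receiver."""

    def __init__(self, key: bytes):
        self.key = key
        self.send_seq = 0
        self.recv_seq = 0

    def _digest(self, body: bytes) -> bytes:
        return hmac.new(self.key, body, hashlib.sha256).digest()

    def wrap(self, payload: bytes) -> bytes:
        body = struct.pack(">Q", self.send_seq) + payload
        self.send_seq += 1
        return body + self._digest(body)

    def unwrap(self, frame: bytes) -> bytes | None:
        """Return the payload, or None if the digest or the sequence number is wrong."""
        if len(frame) < SEQ_LEN + DIGEST_LEN:
            return None
        body, md = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
        if not hmac.compare_digest(self._digest(body), md):
            return None  # altered in flight, or sent under another session's key
        (seq,) = struct.unpack(">Q", body[:SEQ_LEN])
        if seq != self.recv_seq:
            return None  # replayed or out-of-order frame
        self.recv_seq += 1
        return body[SEQ_LEN:]


def demo() -> dict[str, bytes | None]:
    """Constructed exchange: a bit-flipped application message, the good one,
    a management frame fed into the application session, and a replay."""
    ticket_key = b"constructed-ticket-session-key"  # would come from the ticket
    mgmt_key = derive_session_key(ticket_key, b"management")
    app_key = derive_session_key(ticket_key, b"application")
    ctl_mgmt, dev_mgmt = SecureChannel(mgmt_key), SecureChannel(mgmt_key)
    ctl_app, dev_app = SecureChannel(app_key), SecureChannel(app_key)

    out: dict[str, bytes | None] = {}
    frame = ctl_app.wrap(b"SETPOINT 42")
    tampered = bytearray(frame)
    tampered[SEQ_LEN] ^= 0x01  # flip one bit of the payload
    out["tampered"] = dev_app.unwrap(bytes(tampered))  # rejected, sequence untouched
    out["good"] = dev_app.unwrap(frame)

    mgmt_frame = ctl_mgmt.wrap(b"REBOOT")
    out["cross_session"] = dev_app.unwrap(mgmt_frame)  # wrong key: rejected
    out["mgmt_ok"] = dev_mgmt.unwrap(mgmt_frame)
    out["replay"] = dev_mgmt.unwrap(mgmt_frame)        # seq 0 already consumed
    return out


if __name__ == "__main__":
    print(demo())
```

The receiver checks the digest before it parses anything else in the frame, which is the property the slide is after: an altered message is discarded, not interpreted. Rejecting the cross-session frame is what "securely isolated" looks like at the message layer when both sessions ride the same IPsec tunnel.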
So now, the Controller and the Device Node can commence doing real work without ever having to think about the security aspects of the system.
[Diagram: in each Management and Application partition, Event Loops feeding DownStream, Transform and ExceptionHandler components; Messages carried over the Session.]
This entire light up sequence took place in the twinkling of the eye.
If ever an anomaly is detected, the management agents can forward event notifications to the operator workstation, the security server, and the historian in one movement.
[Diagram adds: Alarm; Policy Management (Problem Mgt).]
Our secure silicon instrumentation can watch the behavior of the application in ways where the software does not even know it is being watched.
[Diagram adds: FPGA Pattern / Anomaly Observation; Policy Management (Problem Mgt).]
If necessary, you can have the management system automatically download extra telemetry to monitor an attack while it is occurring or safely download a repaired application for remediation.
[Diagram adds: Policy Management (Problem Mgt, Change Mgt).]
The fully-assembled system looks like this.
[Diagram: Controller and Device Node, each with Enet, HSM, FPGA, Flash, Downstream, Processor Cores, Hypervisor, two RTOS instances (Management and Application), Middleware, Mutual Authentication, IPsec VPN, Firewall, Diagnostics, Policy Management (Change Mgt, Problem Mgt), and Event Loops feeding DownStream, Transform and ExceptionHandler; connected through the Switches to Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS and GPS Time Sync.]
The payload devices are thus fully secure with all the recommendations in the NIST-IR 7628.
But to complete the space, we must protect the management workstations and servers, also.
Application whitelisting is extremely useful in locking down the management servers and workstations.
[Diagram: Switches, Operator WS, Historian, Domain Server, Database Server, Security Server, Engineering WS.]
• Whitelisting the management servers ensures nothing runs on them that is not supposed to work on them.
• Firewalls in or around the switches limit who can connect to them.
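The whitelist the Controller downloads at registration (step three above) and the application whitelisting on the management servers described here are the same mechanism. As an added example that is not the deck's or McAfee's code, here is a Python model of the decision an enforcement agent makes for one executable and of the audit it can run against a host when a new whitelist version is loaded. The JSON layout (executable path to SHA-256 of its image), the version field and the host snapshot are constructed assumptions; the deck only says the whitelist is downloaded and that nothing outside it runs.

```python
"""Application whitelisting for the management servers, as the deck describes it.

Added example, not McAfee product code. Constructed assumptions: JSON
whitelist mapping path -> SHA-256 of the image; the host snapshot is a dict
of path -> file bytes standing in for the server's filesystem.
"""
from __future__ import annotations

import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed whitelist, version-tagged so a stale copy can be recognised.
WHITELIST_JSON = json.dumps({
    "version": 7,
    "entries": {
        "/opt/historian/bin/histd": sha256_hex(b"constructed histd binary"),
        "/usr/sbin/sshd": sha256_hex(b"constructed sshd binary"),
        "/usr/bin/python3": sha256_hex(b"constructed python binary"),
    },
})


class Whitelist:
    def __init__(self, document: str):
        doc = json.loads(document)
        self.version = int(doc["version"])
        self.entries: dict[str, str] = dict(doc["entries"])

    def decide(self, path: str, image: bytes) -> str:
        """Default deny: 'allow' needs both a listed path and a matching hash.

        A listed path whose hash differs is a replaced binary; it is reported
        separately from an unlisted one because the response differs."""
        expected = self.entries.get(path)
        if expected is None:
            return "deny:unlisted"
        if sha256_hex(image) != expected:
            return "deny:modified"
        return "allow"

    def audit(self, host_files: dict[str, bytes]) -> dict[str, list[str]]:
        """Policy-load audit: classify every executable on the host, and report
        listed binaries that are absent (drift in the other direction)."""
        report: dict[str, list[str]] = {
            "allow": [], "deny:modified": [], "deny:unlisted": [], "missing": []}
        for path, image in sorted(host_files.items()):
            report[self.decide(path, image)].append(path)
        for path in sorted(set(self.entries) - set(host_files)):
            report["missing"].append(path)
        return report


# Constructed snapshot of one management server: sshd has been replaced, an
# unlisted binary sits in /tmp, and python3 is not installed at all.
HOST_FILES = {
    "/opt/historian/bin/histd": b"constructed histd binary",
    "/usr/sbin/sshd": b"constructed sshd binary" + b"\x90",
    "/tmp/update.bin": b"constructed unknown binary",
}


def demo() -> dict[str, list[str]]:
    return Whitelist(WHITELIST_JSON).audit(HOST_FILES)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the image rather than trusting the path is what makes the "nothing runs that is not supposed to" claim hold against a binary swapped in place; the audit's "missing" list is the operational complement, since a listed binary that is not there usually means the host and the policy have drifted apart.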
In Summary,
The Security Fabric provides all the features for embedded security outlined in the NIST-IR 7628.
This is reasonable security for all critical infrastructure.
Constructing a Supply “Chain of Trust”
Legend: SIGN = embedded and cryptographically secured unique IDs; VERIFY = cryptographically secured verification protocol; HSM icon = Hardware Security Module.
[Diagram: stages Design (Device Design: Maker, Checker), Production (Device Manufacturing: Maker, Checker; Distribution / Inventory: Vendor) and Deployment (Final Configuration, Policy Settings, Deployed, Firmware Updates, Updates, Field: Service Provider, Maker, Checker; Vendor Security Officer, Utility Security Officer). S (sign), V (verify) and db markers appear at each stage.]
Callouts:
• Embedded anti-tampering, anti-malware, production control and system security features here.
• Protect chips, boards and devices with embedded anti-counterfeiting, and anti-reverse engineering IP.
• Track / Manage equipment inventories, revision control, firmware and software version.
• Verify as-built matches as-designed.
• Program/Configure security policies specific to utility. Securely update to maintain system and counter new incidents and threats.
• Secured System: Secure Device Mgmt, Secure Software Upgrades, Secure Policy Management.
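The callout "Verify as-built matches as-designed" is the one step in the chain above that can be shown without any of the signing machinery. As an added example that is not the deck's or McAfee's code, here is a Python check a Checker could run against a Maker's build report: the design stage publishes part numbers, expected firmware revisions and quantities, manufacturing reports what was actually fitted with serials, and the check lists every discrepancy. The bill-of-materials record format and all sample parts are constructed.

```python
"""'Verify as-built matches as-designed', one check from the Chain of Trust.

Added example, not code from the deck. The bill-of-materials records are
constructed: design publishes part numbers, firmware and quantities;
manufacturing reports fitted parts with serials.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DesignedPart:
    part_number: str
    firmware: str | None  # None for parts that carry no firmware
    quantity: int


@dataclass(frozen=True)
class BuiltPart:
    part_number: str
    serial: str
    firmware: str | None


def verify_as_built(design: list[DesignedPart], built: list[BuiltPart]) -> list[str]:
    """Return sorted findings; an empty list means the build matches the design.

    Checked: every designed part present in the designed quantity, no part the
    design never listed, firmware at the designed revision, and no serial used
    twice (a duplicated serial is how a cloned or re-marked part shows up)."""
    findings: list[str] = []
    expected = {d.part_number: d for d in design}
    counts = Counter(b.part_number for b in built)
    for d in design:
        if counts[d.part_number] != d.quantity:
            findings.append(
                f"quantity:{d.part_number}:expected {d.quantity} got {counts[d.part_number]}")
    for pn in counts:
        if pn not in expected:
            findings.append(f"unlisted:{pn}")
    for b in built:
        d = expected.get(b.part_number)
        if d is not None and b.firmware != d.firmware:
            findings.append(
                f"firmware:{b.part_number}:{b.serial}:expected {d.firmware} got {b.firmware}")
    for serial, n in Counter(b.serial for b in built).items():
        if n > 1:
            findings.append(f"duplicate-serial:{serial}")
    return sorted(findings)


# Constructed design record for one device class.
DESIGN = [
    DesignedPart("HSM-100", "3.1", 1),
    DesignedPart("FPGA-7", "1.4", 1),
    DesignedPart("ETH-PHY", None, 2),
]

# Constructed build reports: one clean; one with the HSM at the wrong firmware,
# a duplicated PHY serial and a debug header the design never had.
GOOD_BUILD = [
    BuiltPart("HSM-100", "H001", "3.1"),
    BuiltPart("FPGA-7", "F001", "1.4"),
    BuiltPart("ETH-PHY", "E001", None),
    BuiltPart("ETH-PHY", "E002", None),
]
BAD_BUILD = [
    BuiltPart("HSM-100", "H002", "3.0"),
    BuiltPart("FPGA-7", "F002", "1.4"),
    BuiltPart("ETH-PHY", "E003", None),
    BuiltPart("ETH-PHY", "E003", None),
    BuiltPart("DBG-HDR", "D001", None),
]

if __name__ == "__main__":
    print(verify_as_built(DESIGN, GOOD_BUILD))  # []
    print(verify_as_built(DESIGN, BAD_BUILD))
```

In the diagram each such comparison is followed by a SIGN step, so a build that produces an empty findings list is what the Checker would sign before the record moves to Distribution / Inventory; a non-empty list is what the Security Officer sees.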