OT-SDN

SEL-2740S

George Masters and Tim Watkins

Posted 13-May-2020

Agenda

• Software Defined Networking Terminology
• Compare IT and OT SDN
• Performance
• Security
• Demo

Getting to Know SDN Terminology

OpenFlow: Open source standard defining a protocol for an interoperable way for switches and the flow controller to communicate for configuration and monitoring purposes

Flow: Single communications session that matches an ingress rule and has a set of forwarding instructions

Flow controller: Central controller that programs switch flow tables

SDN Terminology

The control plane inspects each Ethernet packet and performs the following functions:

Match fields: Match a rule based on a portion of the Ethernet packet

Instructions: Perform one or more programmed actions

Counters: Increment counters and send counter data to a centralized point

Reactive SDN in Operation (IT SDN)

• Dynamic flow decisions for each packet
• Flow controller always involved
• Algorithm based on current demands vs. resources
• Data centers / Internet backbone / YouTube

Static SDN in Operation (OT SDN)

• Centralized traffic engineering
• Faster healing
• Predetermined failover
• Greater situational awareness
• Path and packet-level control

Proactive SDN in Operation

[Diagram, reused across the following animation slides: SEL-5056 Flow Controller running on an SEL-3355, three SEL-2740S switches in a chain, and SEL relays as the end devices.]

• Flows are traffic engineered and sent to switches
• Switches store rules and no longer need the flow controller
• End device sends packet
• Packet is matched against whitelisted rules
• Packet is instructed to be sent to next switch
• Packet continues based on match rules and instructions
• Packet reaches destination

Benefits of SDN

Security, Management, Engineering Access, and Testing

Performance / Cybersecurity / Simplicity

True Traffic Engineering for Ethernet: Standardized OpenFlow™ Protocol

Traditional Ethernet Switch: individual control and data planes (each switch carries its own control plane and data plane)

Software-Defined Networking (SDN) Switch: centralized control plane, individual data plane (each Ethernet switch keeps its own data plane; the control plane is centralized)

Eliminate Blocked Ports

RSTP blocks redundant ports, causing abandoned bandwidth.

[Diagram: High-Availability Ladder Network Design with switches B1 through B10 joined by links L1 through L13; a root bridge and a backup root; active network links versus hot-standby links.]

SDN Is Two Orders of Magnitude Faster!

Product                  Topology       Healing Method          Failure Point   Healing Time
Manufacturer Device 1    10-Node Ring   STA (Rapid-PVST)        L4              97 ms
Manufacturer Device 2    4-Node Ring    STA (RSTP)              L1 or L2        60 ms
SEL-2730M                10-Node Ring   STA (RSTP)              L4              10 ms
SEL-2740S                10-Node Ring   SEL SDN Fast Failover   L4              <100 µs

(Failure points refer to the link labels in the ladder network diagram.)

Proactively Engineer Traffic for Dependability

[Diagram, built up over four slides: SEL-5056 SDN Flow Controller on an SEL-3355, four SEL-2740S switches, an SEL relay and an RTAC; each flow is engineered with a primary path, a secondary path, and a backup path through the switches.]

LAN Security Prevents Plug-and-Play Services (Cybersecurity)

• Ethernet assumes trust
• SDN requires preapproval
• Security is part of every switch
• Fewer security network devices are required

SDN Is Secure: Only Allow Data You Want Onto Your Network

Multilayer Matching Rules Forward Approved Packets

[Diagram: a packet laid out as ingress port (Layer 1), Ethernet header (Layer 2), IP header (Layer 3), TCP/UDP header (Layer 4), and payload; the SDN flow match rule is drawn across the packet's fields.]

Control Packet Forwarding by Application

[Diagram: SEL-5056 SDN Flow Controller on an SEL-3355, four SEL-2740S switches, two SEL relays and a second SEL-3355; separate engineered flows for Engineering Access, SCADA, Combined, GOOSE 1, and GOOSE 2.]

Flow Controller Is Not Required for Network Operation

[Same diagram with the flow controller removed; the application flows continue.]

Switches retain flows even after power failure.

Cybersecurity Benefits

Security model: Deny by default

Secure control plane: Eliminate unauthorized reconfigurations and spoofing

Situational awareness: Know what flows are on your network and where they are all the time; packet and byte awareness
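The multilayer match rules and the deny-by-default security model above can be shown together in a small model of a switch-local flow table. This is an added example written for this page, not SEL-2740S or SEL-5056 code: the port numbers, MAC and IP addresses, and the rule set are constructed for illustration; the GOOSE ethertype (0x88B8) and the 01:0c:cd:01 multicast prefix are the IEC 61850 values. Each rule carries match fields from layers 1 to 4, an ordered list of instructions, and packet/byte counters; a packet that matches no rule is dropped and a copy is forwarded toward the IDS port, as the later "dropped packets sent to the MPS" slides describe. The table is consulted locally with no controller object involved, which is the point of the "flow controller is not required for network operation" slide.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical port assignments for the example (not SEL-2740S defaults).
RELAY_787_PORT = 1        # port facing the SEL-787
RELAY_751_PORT = 3        # port facing the SEL-751
WORKSTATION_PORT = 5      # engineering-access workstation
IDS_PORT = 24             # port toward the midpoint sensor / IDS

GOOSE_ETHERTYPE = 0x88B8  # IEC 61850 GOOSE
IPV4_ETHERTYPE = 0x0800
TCP = 6


@dataclass(frozen=True)
class Packet:
    """Header fields the switch can match on, layers 1 through 4."""
    in_port: int                    # layer 1
    eth_src: str                    # layer 2
    eth_dst: str
    eth_type: int
    ip_src: Optional[str] = None    # layer 3
    ip_dst: Optional[str] = None
    ip_proto: Optional[int] = None
    l4_src: Optional[int] = None    # layer 4
    l4_dst: Optional[int] = None
    length: int = 64


@dataclass
class Rule:
    name: str
    match: dict          # field -> required value; fields not listed are wildcards
    instructions: list   # applied in order when the rule matches
    priority: int = 100
    packets: int = 0     # counters, as on the SDN Terminology slide
    bytes: int = 0

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match.items())


class FlowTable:
    """Switch-local table: consulted without any controller round trip."""

    def __init__(self):
        self.rules = []
        self.no_match_packets = 0
        self.no_match_bytes = 0
        self.mirrored = []   # copies sent toward the IDS for analysis

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority, reverse=True)

    def process(self, pkt: Packet) -> list:
        for rule in self.rules:
            if rule.matches(pkt):
                rule.packets += 1
                rule.bytes += pkt.length
                return list(rule.instructions)
        # Table miss: deny by default, but keep a copy for the analyst.
        self.no_match_packets += 1
        self.no_match_bytes += pkt.length
        self.mirrored.append(pkt)
        return [("drop", None), ("output", IDS_PORT)]


def build_demo_table() -> FlowTable:
    """Two engineered flows: a GOOSE multicast and one Telnet session."""
    t = FlowTable()
    t.add(Rule("GOOSE 787->751",
               {"in_port": RELAY_787_PORT, "eth_type": GOOSE_ETHERTYPE,
                "eth_dst": "01:0c:cd:01:00:01"},
               [("set_queue", 4), ("output", RELAY_751_PORT)], priority=200))
    t.add(Rule("Telnet workstation->751",
               {"in_port": WORKSTATION_PORT, "eth_type": IPV4_ETHERTYPE,
                "ip_src": "192.0.2.50", "ip_dst": "192.0.2.11",
                "ip_proto": TCP, "l4_dst": 23},
               [("output", RELAY_751_PORT)]))
    return t


# Constructed sample packets (locally administered MACs, documentation IPs).
GOOSE_PKT = Packet(RELAY_787_PORT, "02:00:00:00:00:01", "01:0c:cd:01:00:01",
                   GOOSE_ETHERTYPE, length=180)
TELNET_PKT = Packet(WORKSTATION_PORT, "02:00:00:00:00:50", "02:00:00:00:00:11",
                    IPV4_ETHERTYPE, "192.0.2.50", "192.0.2.11", TCP, 40001, 23, length=66)
# Same workstation and relay, but a port with no engineered flow: a table miss.
UNENGINEERED_PKT = Packet(WORKSTATION_PORT, "02:00:00:00:00:50", "02:00:00:00:00:11",
                          IPV4_ETHERTYPE, "192.0.2.50", "192.0.2.11", TCP, 40002, 80, length=66)


def run_demo() -> dict:
    t = build_demo_table()
    return {
        "goose": t.process(GOOSE_PKT),
        "telnet": t.process(TELNET_PKT),
        "miss": t.process(UNENGINEERED_PKT),
        "goose_packets": t.rules[0].packets,
        "no_match_packets": t.no_match_packets,
        "mirrored_to_ids": len(t.mirrored),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The third packet is the interesting one: it comes from an approved workstation to an approved relay, yet because no flow was engineered for that destination port it never reaches the relay, and the copy on the IDS port is what gives the analyst the "unauthorized access attempt" visibility discussed later in the deck.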

Focus on the Benefits (Simplicity)

• Monitor, meter, or disable each flow individually
• See communications flows in context of application

Application-Focused Monitoring: Complete Application and Network Visibility

[Diagram: the application flows (Engineering Access, SCADA, Combined, GOOSE 1, GOOSE 2) across four SEL-2740S switches, two SEL relays and two SEL-3355s, as presented in the SEL-5056.]

SDN Simplifies How Networks Are Engineered

• Removal of network restrictions
• Removal of plug-and-play
• Freedom to traffic-engineer for your application

OT SDN and Dragos Combined Solution

[Diagram, reused on the following slides: two SEL-411L relays, four SEL-2740S switches, an SEL-3355 running the SEL-5056, and an SEL-3355-2 running the Dragos Midpoint Sensor; engineered flows for Engineering Access, DNP3, GOOSE 1, and GOOSE 2.]

• Dragos platform is a security information and event management (SIEM) solution
• Midpoint sensor runs on the SEL-3355-2 in substations
• Continuous monitoring and security posture visualization
• Event collection and automated response
• Selective packet capture historian
• Advanced persistent threat detection

Unauthorized Access Attempt

• An unauthorized device is connected; OT SDN picks up on traffic not engineered to forward (Alert! Unauthorized Device)
• SEL-5056 Controller sends event to MPS
• Dropped packets are sent to MPS
• Dragos platform: provides additional alerts to the Security Operations Center; analyzes and fingerprints behavior; aggregates all traffic for the historian

Malicious Activity Detection

OT SDN:
• Captures and flags no-match criteria packets
• Disables noncritical flows (Alert! Disable Noncritical Flows)

Summary of SEL SDN

Performance: Best in industry for failover performance (<100 µs)

Security: Deny-by-default architecture

Simplicity: Point-and-click creation of proactive networks with situational awareness

OT-SDN Physical Network Diagram

[Diagram not recovered from the transcript.]

OT-SDN Data Flow Diagram

Trunks:
• C3 to C3 – Primary GOOSE and IPERF, 10 Mbps
• C4 to C4 – Secondary GOOSE and IPERF, 10 Mbps
• D3 to D3 – Primary Engineering Access and IPERF, 1 Gbps
• D4 to D4 – Secondary Engineering Access and IPERF, 1 Gbps

Protection Flows:
• 751 to 787-4 – GOOSE 1 per second plus Aux 2
• 787-4 to 751 – GOOSE 1 per 4 millisecond burst

Engineering Access Flows:
• 3355-2 to 787-4 -> TELNET
• 3355-2 to 751 -> TELNET

DOS or NMAP Scans:
• IPERF Client to Server -> IPERF
• IPERF Client to X -> NMAP

Use Case #1: Demonstrate OT-SDN failover performance

Using GOOSE messages sent every 4 ms from the SEL-787 to the SEL-751, show that no packets are dropped during fast failover from C2 to C3.
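A way to verify the "no dropped packets" claim from a capture taken on the SEL-751 side is to audit the GOOSE sequence numbers rather than eyeball the packet count. This is an added example, not part of the demo or SEL's tooling, and it simplifies the protocol: it assumes each GOOSE message carries a state number (stNum) that increments on a data change and a sequence number (sqNum) that increments on every retransmission and restarts at 0 when stNum changes, with no counter wrap. The captures are constructed; the 4 ms spacing matches the burst rate in the use case.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GooseMsg:
    t_ms: float   # receive timestamp in milliseconds
    st_num: int   # state number: increments on a data change
    sq_num: int   # sequence number: +1 per retransmission, restarts at 0 on a new state


def audit(msgs: list) -> dict:
    """Count messages missing from the sequence and report the longest silence.

    A gap in sqNum within one state, or a new state whose first message is not
    sqNum 0, means messages were lost between the sender and this capture point.
    A skipped stNum hides an unknown number of messages; it is counted as one
    lost state plus whatever sqNum the first seen message of the new state has.
    """
    dropped = 0
    max_gap_ms = 0.0
    for prev, cur in zip(msgs, msgs[1:]):
        if cur.st_num == prev.st_num:
            expected = prev.sq_num + 1
        else:
            expected = 0
            dropped += cur.st_num - prev.st_num - 1   # whole states never seen
        if cur.sq_num > expected:
            dropped += cur.sq_num - expected
        max_gap_ms = max(max_gap_ms, cur.t_ms - prev.t_ms)
    return {"messages": len(msgs), "dropped": dropped, "max_gap_ms": max_gap_ms}


def burst(t0_ms: float, st_num: int, count: int, period_ms: float = 4.0) -> list:
    """Constructed retransmission burst: `count` messages, one every period_ms."""
    return [GooseMsg(t0_ms + i * period_ms, st_num, i) for i in range(count)]


# Constructed capture with a state change and no loss: the inter-arrival time
# never exceeds the 4 ms burst period, which is what a sub-100 us failover
# should look like from the receiving relay.
CLEAN_CAPTURE = burst(0.0, 7, 10) + burst(40.0, 8, 10)

# Same capture with two messages of state 7 removed (a 12 ms hole).
LOSSY_CAPTURE = [m for m in CLEAN_CAPTURE if not (m.st_num == 7 and m.sq_num in (5, 6))]


if __name__ == "__main__":
    print("clean:", audit(CLEAN_CAPTURE))
    print("lossy:", audit(LOSSY_CAPTURE))
```

Run against a real capture, `max_gap_ms` is the number to watch alongside `dropped`: a failover that heals faster than the burst period leaves both at their baseline, whereas spanning-tree reconvergence in the tens of milliseconds shows up as a gap many times the 4 ms period even if the retransmission scheme eventually catches up.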

Use Case #2: Demonstrate IPERF will compete with GOOSE

IPERF, sent at line speed over C3, will compete with and DOS the GOOSE messages sent every 4 ms from the SEL-787 to the SEL-751.

Use Case #3: Demonstrate SetQueue to give GOOSE priority

IPERF, sent at line speed over C3, will be given a SetQueue of 1 and GOOSE a SetQueue of 4, and no GOOSE packets will be lost.

Use Case #4: Demonstrate metering of the IPERF flow

IPERF, sent at line speed, will be given a Meter of 10 Mbps over C3, allowing all GOOSE to transmit but causing a loss of 80% of IPERF traffic.

Use Case #5: Move IPERF to D3

Move IPERF to D3 at 1 Gbps so that it will not compete with the primary or secondary GOOSE trunks.

Use Case #6: NMAP scan relays and IPERF server

Run an NMAP scan of different devices and demonstrate that it will only see ports where the device has flows.

Use Case #7: Demonstrate dropped packets being sent to IDS

NMAP scan with Wireshark running on the SEL-3355-2 (where dropped packets have been sent).

Use Case #8: Monitor flow statistics for abnormal behavior

Ability to reach OT-SDN flow statistics via the flow controller or ReST interface.

Use Case #9: New device awareness

Connect a new computer to D4 and watch Wireshark for ARP traffic.
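Use Case #8 reads the per-flow counters, and Use Cases #7 and #9 rely on the table-miss traffic that deny-by-default produces. The detection logic that turns those counters into alerts is short enough to show here. This is an added example, not SEL-5056 or Dragos code: the counter snapshots are constructed to resemble what a periodic poll of the flow statistics would return for the demo's flows, the expected rate bands are the author's assumptions derived from the data flow diagram (1 GOOSE per second heartbeat, 4 ms bursts, the 10 Mbps meter), and the REST field names are not SEL's. It flags three things: a protection flow that goes silent, a flow exceeding its engineered rate, and any growth in the table-miss counter, which is the signature of a device sending traffic no one engineered.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Expect:
    min_pps: float   # below this the flow is considered silent
    max_pps: float   # above this the flow is sending more than engineered
    max_bps: float   # bits per second ceiling (e.g. the flow's meter)


# Assumed bands for the demo's flows (not from the deck).
EXPECTED = {
    "GOOSE 751->787-4": Expect(0.8, 5.0, 1e5),          # 1/s heartbeat
    "GOOSE 787-4->751": Expect(0.8, 300.0, 1e6),        # 4 ms bursts on change
    "TELNET 3355-2->751": Expect(0.0, 50.0, 1e6),
    "IPERF client->server": Expect(0.0, float("inf"), 10e6),   # 10 Mbps meter
}

# Constructed counter snapshots: time in seconds, per-flow (packets, bytes),
# and the switch's table-miss packet counter. Polled every 10 s.
SNAPSHOTS = [
    {"t": 0, "table_miss": 0, "flows": {
        "GOOSE 751->787-4": (1000, 160000), "GOOSE 787-4->751": (5000, 900000),
        "TELNET 3355-2->751": (100, 8000), "IPERF client->server": (0, 0)}},
    {"t": 10, "table_miss": 0, "flows": {
        "GOOSE 751->787-4": (1010, 161600), "GOOSE 787-4->751": (5012, 902160),
        "TELNET 3355-2->751": (110, 8800), "IPERF client->server": (0, 0)}},
    # Heartbeat stops, IPERF blasts at ~48 Mbps, and 37 unengineered packets arrive.
    {"t": 20, "table_miss": 37, "flows": {
        "GOOSE 751->787-4": (1010, 161600), "GOOSE 787-4->751": (5024, 904320),
        "TELNET 3355-2->751": (120, 9600), "IPERF client->server": (40000, 60000000)}},
]


def analyze(snapshots: list, expected: dict) -> list:
    """Compare consecutive snapshots and return one alert dict per finding."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        dt = cur["t"] - prev["t"]
        for name, exp in expected.items():
            p0, b0 = prev["flows"][name]
            p1, b1 = cur["flows"][name]
            pps = (p1 - p0) / dt
            bps = (b1 - b0) * 8 / dt
            if pps < exp.min_pps:
                alerts.append({"t": cur["t"], "flow": name, "kind": "silent",
                               "pps": pps, "bps": bps})
            elif pps > exp.max_pps or bps > exp.max_bps:
                alerts.append({"t": cur["t"], "flow": name, "kind": "rate_exceeded",
                               "pps": pps, "bps": bps})
        misses = cur["table_miss"] - prev["table_miss"]
        if misses > 0:
            # Deny-by-default means every miss is traffic nobody engineered:
            # a new device, a scan, or a misconfigured host.
            alerts.append({"t": cur["t"], "flow": "table-miss",
                           "kind": "unengineered_traffic", "pps": misses / dt, "bps": 0.0})
    return alerts


if __name__ == "__main__":
    for a in analyze(SNAPSHOTS, EXPECTED):
        print(f"t={a['t']:>3}s {a['kind']:<21} {a['flow']:<22} {a['pps']:.1f} pps {a['bps']:.0f} bps")
```

The silent-flow check is the one most specific to protection networks: on an IT network a quiet flow is normal, but a GOOSE publisher that stops retransmitting its heartbeat is either a failed relay or a blocked path, and the counter delta catches it before anything downstream misoperates.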