November 30, 2011 Baker Hughes Discussion

November 30, 2011 Baker Hughes Discussion. Confidential McAfee Internal Use Only The SGSIA addresses the entire ecosystem. The Smart Grid Security Innovation.

Dec 14, 2015


Edgar Gater
Transcript
Page 1:

November 30, 2011

Baker Hughes Discussion

Page 2:

Confidential McAfee Internal Use Only

The SGSIA addresses the entire ecosystem.

• The Smart Grid Security Innovation Alliance is a working association dedicated to practical deployment of the smart grid complex system solution in the United States:

– Utilities
– Systems integrators
– Manufacturers
– Technology partners
– National certification and interoperability entity

• The alliance is intended to give the CEO of a utility the purview of up-to-the-moment knowledge of the options available to make wise investment decisions regarding infrastructure deployment for optimal returns.

The variation includes the proper orientation for large, medium, and small utilities.

Page 3:

Participants

• First Build
– Integrated Architectures
– Drummond Group
– Wurldtech
– Sypris
– SAIC
– Nakina
– OATI
– Silver Springs*
– Landis & Gyr*
– GE*
– Ecological Analytics*

• Subsequent Builds
– Schweitzer Engineering Labs
– RuggedCom
– Coulomb*
– Wurldtech
– OSIsoft
– SNMP Research
– Emerson Ovation
– Honeywell
– Certipath
– First Data
– Ambient
– Tibco
– NitroSecurity
– Pitney Bowes
– McAfee (3)
– Tiger’s Lair
– PsiNaptic
– Green Hills
– TeamF1
– Actiontec
– Verizon
– Verisign
– Entrust
– SafeNet
– Thales
– Microsoft
– Telcordia
– e-Meter
– Cisco
– Motorola
– Wind River

*We will work with your incumbent smart meter provider in conjunction with the home gateway program.

Page 4:

The embedded systems include:

Our strategy is to provide certified interoperability to the key devices controlling the grid.

The McAfee HSM solution would be embedded at each critical point in the energy infrastructure.

All points must connect to each other in an end-to-end system.

Page 5:

Our analysis using the architecture model shows that, of all the myriad elements in the functional diagrams, there are really only four recurring design patterns that are intrinsic to the security strategy.

The SGSIA is a source of interoperable system security elements using standardized design patterns.

Page 6:

To establish the secure communications from the Controller to the Device Node using the Security Fabric elements, let us proceed in chronological order.

1. Identity Management – Ensures the device identity is established genuinely.

2. Mutual Authentication – Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other.

3. Authorization – Manages permission to proceed with specific operations.

4. Audit – Records noteworthy events for later analysis.

5. Confidentiality – Encrypts sensitive data for matters of privacy.

6. Integrity – Ensures that messages have not been altered.

7. Availability – Prevents denial of service attacks.

8. Non-repudiability – Ensures that the authority for events cannot be denied after the fact.

These are the eight tenets of security as described in the NIST-IR 7628 Guidelines.

Page 7:

The general approach to power distribution.

[Diagram labels: Central Control, Local Area Relay, Neighborhood Relay, Substation Relay, Tibco “FTL”, CloudShield MPP, Nitro SIEM, RuggedCom Application Card, Ambient Application Card, Intel Application Card, Communications / Firewall, FTL (E&LM), SIEM, E&LM, Communications, Sensor Mgt, Meter App, SA, Cell Manager, Master Agent, Posture Validation, Remediation Server, Jini SP, “Multicast Alert Relay”, MA, “Cell Management”, “Local Management”]

Page 8:

A tailored trustworthy space (TTS) provides flexible, adaptive, distributed trust environments for a set of devices and applications that can support functional and policy requirements arising from a wide spectrum of activities in the face of an evolving range of threats.

Page 9:

A TTS recognizes a device’s context and evolves as the context evolves.

Page 10:

Let us define the Security Fabric by building a control system.

An example of a tailored trustworthy space built using the Security Fabric components:

Page 11:

In a control system, there are a controller and several devices controlled by remote device nodes.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node]

Page 12:

Sometimes they are redundant for high availability.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node]

Page 13:

They talk to each other using IP-based switches.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Enet, Enet]

Page 14:

They have management workstations and servers that supervise the controller and device nodes.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS]

Page 15:

Fault Management operates from the operator workstation – this includes surveillance + operator commands.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS]

Page 16:

Configuration Management operates from the engineering workstation augmented by the database server – this includes configuration parameters + the firmware repository.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS]

Page 17:

Usage and log management operates from the historian – the event management and distribution occurs here.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS]

Page 18:

Security management is administered on the security server – but real-time security operations happen on the domain server.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, GPS Time Sync]

Page 19:

The Security Fabric permeates the distributed management functions, but is mostly separate from the application functions.

Our strategy is to separate the management functions from the application functions as much as possible, so that if the application becomes compromised or inoperable, the management system can easily be used to remediate the problem.

Page 20:

With this in mind, both the Controller and the Device Node keep the management functions separate from the application.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application]

Page 21:

This is done using a separation kernel to keep the application from ever interfering with the management functions.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Application, RTOS, Hypervisor (labels repeated)]

The hypervisor creates two different virtual machines on both the Controller as well as the Device Node…

They function like two completely separate machines within each physical machine.

Page 22:

The application in the controller monitors and controls the application in the device node.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application, Application Session]

These use the same physical wire, but must be securely isolated.

Page 23:

And the management functions and policies in the controller support the management agent in the device node.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application, Application Session, Management Session]

These use the same physical wire, but must be securely isolated.

Page 24:

To establish the secure communications from the Controller to the Device Node using the Security Fabric elements, let us proceed in chronological order.

1. Identity Management – Ensures the device identity is established genuinely.

2. Mutual Authentication – Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other.

3. Authorization – Manages permission to proceed with specific operations.

4. Audit – Records noteworthy events for later analysis.

5. Confidentiality – Encrypts sensitive data for matters of privacy.

6. Integrity – Ensures that messages have not been altered.

7. Availability – Prevents denial of service attacks.

8. Non-repudiability – Ensures that the authority for events cannot be denied after the fact.

These are the eight tenets of security as described in the NIST-IR 7628 Guidelines.

Page 25:

The first order of business is for the management workstations and servers to be powered on and ready for business.

There are many small steps that occur when servers and PCs power up, but for simplicity’s sake, let’s assume that the devices and their applications are all powered up and initialized.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Fault Management Situational Awareness Console, Configuration Management Console]

Page 26:

The Controller must power on before any of the device nodes can use it.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Application]

Page 27:

Identity Management is the most crucial aspect of embedded security – we use a Hardware Security Module to protect the unique identity of the Controller.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Application, HSM, Identity Management]

This is a special purpose ASIC that is FIPS 140-2 level 3 certified. (Environmentally tamper resistant)

It houses an array of crypto functions.

It self-generates and hides the secret key that identifies the device.

It manages the public key as well as the key management functions over the lifetime of the device.

It also maintains the secure clock for the device.

Identity generated & stored here as part of the secure supply chain process.

Page 28:

Step two is to use the secure identity to mutually authenticate and get credentials from the Domain Server that uses Active Directory and its Kerberos PKINIT service meant to support embedded devices.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Application, HSM, Mutual Authentication]

• Mutual authentication occurs first
• The Controller then authorizes the download of additional security information

• Authentication
• Authorization

Page 29:

Step three is to use the secure credentials exchange to determine the authentic paths to important management servers, and to download the up-to-date whitelist.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Application, HSM, IPsec VPN, Application Proxy]

• At registration time, the Controller also verifies the secure path to the
– Firmware repository and configuration synchronizer on the Database Server
– Event management service on the Historian
– Secure time service on the Domain Server

• The Domain Server maintains the valid security certificates, deleting the ones that have been revoked
• It downloads the whitelist at registration (or at any other time on demand).

• The Historian records the fact that the Controller is now operating.

• Auditing

Page 30:

Step four is to update the firmware to the latest rev if it is out of date.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Application, IPsec VPN, Application Proxy, Policy Management (Change Mgt, Problem Mgt), Flash]

• If the firmware is out of date or not yet loaded, the Change Management policies will
– Download the manifest of firmware that has been assigned for the device
– Attest to the fact that the signatures are good so that the firmware is trusted
– Store the new (as well as the old) firmware to persistent flash memory
– Transition gracefully into production according to the current policies.

• IPsec ensures the software cannot be monitored and copied during downloads.

• Confidentiality
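
The update steps on this slide, sketched as an added Python example (not code from the deck, McAfee or the SGSIA). It assumes an HMAC tag in place of the vendor signature a device would check through its HSM, and the names `Flash`, `update_firmware`, `MANIFEST_KEY` and the `controller-x` model string are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key. It stands in for the vendor signing key whose
# public half a real device would hold in its HSM (assumption).
MANIFEST_KEY = b"constructed-demo-manifest-key"


def sign_manifest(entries, key=MANIFEST_KEY):
    """Vendor side: serialise the manifest and attach an authentication tag."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_manifest(manifest, key=MANIFEST_KEY):
    """Device side: parse the manifest only after its tag checks out."""
    expected = hmac.new(key, manifest["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest authentication failed")
    return json.loads(manifest["body"])


def manifest_entry(name, version, image):
    """Bind an image to the manifest by its SHA-256 digest."""
    return {"name": name, "version": list(version),
            "sha256": hashlib.sha256(image).hexdigest()}


class Flash:
    """Hypothetical two-slot store: the running image and the one it replaced."""

    def __init__(self, version, image):
        self.active = (tuple(version), image)
        self.previous = None

    def install(self, version, image):
        self.previous = self.active            # keep the old firmware
        self.active = (tuple(version), image)

    def rollback(self):
        if self.previous is None:
            raise RuntimeError("no previous image retained")
        self.active, self.previous = self.previous, None


def update_firmware(flash, device_model, manifest, download):
    """Run the update steps; an image that fails verification is never stored."""
    entries = verify_manifest(manifest)        # 1. manifest must be trusted
    entry = entries.get(device_model)
    if entry is None:
        return "not-assigned"
    version = tuple(entry["version"])
    if version <= flash.active[0]:             # 2. act only if out of date
        return "up-to-date"
    image = download(entry["name"])            # 3. fetch (over the VPN)
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        return "rejected-bad-image"            # 4. verify before storing
    flash.install(version, image)              # 5. store new, keep old
    return "installed"


def demo():
    """Constructed scenario: a good update, a repeat, a corrupted download."""
    old, new = b"constructed image v2.0", b"constructed image v2.1"
    flash = Flash((2, 0), old)
    manifest = sign_manifest(
        {"controller-x": manifest_entry("ctrl-2.1.bin", (2, 1), new)})
    results = [update_firmware(flash, "controller-x", manifest, lambda n: new),
               update_firmware(flash, "controller-x", manifest, lambda n: new)]
    newer = sign_manifest({"controller-x": manifest_entry(
        "ctrl-2.2.bin", (2, 2), b"constructed image v2.2")})
    results.append(update_firmware(flash, "controller-x", newer,
                                   lambda n: b"corrupted in transit"))
    return results, flash


if __name__ == "__main__":
    print(demo()[0])
```
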

Page 31:

All Device Nodes that want to be part of the Security Fabric must also authenticate with the Domain Server (the trusted third party) whenever they power up.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application, HSM, Mutual Authentication]

• Authentication
• Authorization

This prepares the Device Node to join the tailored trustworthy space.

Page 32:

The authentication ticket received from the Domain Server contains a section encrypted by the Device Node public identity key plus a section encrypted by the Controller public identity key.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application, HSM, Mutual Authentication]

• Authentication
• Authorization

• The Device Node also requests a ticket to talk to the Controller.

• The Domain Server encrypts a portion using the identity of each of the two machines.

Page 33:

The next step is for the Device Node to establish secure communications with the Controller.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application, Mutual Authentication, Mutual Authentication]

• Authentication
• Authorization

• The Device Node requests to join the Security Fabric using the ticket now also trusted by the Controller.

Page 34:

Once authenticated, the device node can proceed to establish two secure paths to the Controller: one for management purposes and one for application purposes.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application, Application Session, Management Session, IPsec VPN, IPsec VPN]

These use the same physical wire, but must be securely isolated.

• Confidentiality

Page 35:

The small embedded firewall in the communications path protects against denial of service attacks as well as a number of sophisticated malware attacks.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application, Application Session, Management Session, IPsec VPN, IPsec VPN, Firewall, Firewall]

These use the same physical wire, but must be securely isolated.

• Availability

Page 36:

The inter-process communications services of the middleware use messages to communicate back and forth between the Controller and the Device Node over the secure sessions.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application, Session, Inter Process, Inter Process, Message]

Page 37:

The inter-process communications services compute a secure message digest and append it to the end of each message to ensure that the message is never altered in flight.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application, Session, Inter Process, Inter Process, Message, MD, Message Digest]

• Integrity
• Non-repudiability
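
An added example (not from the original deck) of appending a digest to each inter-process message. The slide does not name an algorithm, so HMAC-SHA-256 keyed with a session key is an assumption, as are the frame layout and every name used; the unkeyed variant is included to show why the appended digest has to be keyed.

```python
import hashlib
import hmac
import struct

# Assumed frame layout: session id (4 bytes) + sequence number (8 bytes),
# then the payload, then the digest appended at the end.
HEADER = struct.Struct(">IQ")
TAG_LEN = hashlib.sha256().digest_size


def seal(key, session_id, seq, payload):
    """Sender: header + payload, with the HMAC tag appended."""
    body = HEADER.pack(session_id, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Checks the tag first, then session and sequence, then releases data."""

    def __init__(self, key, session_id):
        self.key = key
        self.session_id = session_id
        self.next_seq = 0

    def open(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            raise ValueError("digest mismatch")
        session_id, seq = HEADER.unpack(body[:HEADER.size])
        if session_id != self.session_id:
            raise ValueError("wrong session")
        if seq != self.next_seq:
            raise ValueError("replayed or out-of-order message")
        self.next_seq += 1
        return body[HEADER.size:]


def seal_unkeyed(payload):
    """Plain SHA-256 appended: detects line noise, not deliberate change."""
    return payload + hashlib.sha256(payload).digest()


def open_unkeyed(frame):
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(hashlib.sha256(payload).digest(), tag):
        raise ValueError("digest mismatch")
    return payload


def altered_payload_accepted(key):
    """Return (unkeyed_accepts, keyed_accepts) for a payload changed in flight."""
    original, altered = b"SET valve=closed", b"SET valve=open"
    # Unkeyed: the digest needs no secret, so it can simply be recomputed.
    try:
        unkeyed_ok = open_unkeyed(seal_unkeyed(altered)) == altered
    except ValueError:
        unkeyed_ok = False
    # Keyed: without the session key the original tag no longer matches.
    frame = seal(key, 1, 0, original)
    changed = frame[:HEADER.size] + altered + frame[-TAG_LEN:]
    try:
        Receiver(key, 1).open(changed)
        keyed_ok = True
    except ValueError:
        keyed_ok = False
    return unkeyed_ok, keyed_ok


if __name__ == "__main__":
    # Constructed key; in the deck's design it would come from the session
    # established after mutual authentication (assumption).
    print(altered_payload_accepted(b"constructed-session-key-32-bytes"))
```

A tag computed with a key both sides share shows that a message came from a holder of that key; proving to a third party which side sent it requires a signature instead.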

Page 38:

So now, the Controller and the Device Node can commence doing real work without ever having to think about the security aspects of the system.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Management, Management, Application, Application, Event Loop (repeated), DownStream, Transform, Exception Handler, Session, Message]

Page 39:

This entire light up sequence took place in the twinkling of the eye.

Page 40:

If ever an anomaly is detected, the management agents can forward event notifications to the operator workstation, the security server, and the historian in one movement.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application, Policy Management (Problem Mgt), Alarm]

Page 41:

Our secure silicon instrumentation can watch the behavior of the application in ways where the software does not even know it is being watched.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application, Policy Management (Problem Mgt), FPGA, Pattern, Anomaly, Observation]

Page 42:

If necessary, you can have the management system automatically download extra telemetry to monitor an attack while it is occurring or safely download a repaired application for remediation.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Controller, Device Node, Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, Management, Management, Application, Application, Policy Management (Problem Mgt, Change Mgt)]

Page 43:

The fully-assembled system looks like this.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels (most repeated): Controller, Device Node, Switch, Switch, Enet, HSM, FPGA, Flash, Downst, Processor Cores, RTOS, Hypervisor, Middleware, Mutual Authentication, IPsec VPN, Firewall, Diagnostics, Policy Management (Change Mgt, Problem Mgt), Management, Application, Event Loop, DownStream, Transform, Exception Handler, Operator WS, Historian, Domain Server, Database Server, Security Server, Analysis WS, Engineering WS, GPS Time Sync]

Page 44:

The payload devices are thus fully secure with all the recommendations in the NIST-IR 7628.

But to complete the space, we must also protect the management workstations and servers.

Page 45:

Application whitelisting is extremely useful in locking down the management servers and workstations.

An example of a tailored trustworthy space built using the Security Fabric components:

[Diagram labels: Switch, Switch, Operator WS, Historian, Domain Server, Database Server, Security Server, Engineering WS]

• Whitelisting the management servers ensures nothing runs on them that is not supposed to work on them.

• Firewalls in or around the switches limit who can connect to them.

Page 46:

In Summary,

The Security Fabric provides all the features for embedded security outlined in the NIST-IR 7628.

This is reasonable security for all critical infrastructure.

Page 48:

Constructing a Supply “Chain of Trust”

Legend:
SIGN = embedded and cryptographically secured unique IDs
VERIFY = cryptographically secured verification protocol
[icon] = Hardware Security Module

Embedded anti-tampering, anti-malware, production control and system security features here.

Protect chips, boards and devices with embedded anti-counterfeiting, and anti-reverse engineering IP

Track / Manage equipment inventories, revision control, firmware and software version.

Verify as-built matches as-designed

Program/Configure security policies specific to utility. Securely update to maintain system and counter new incidents and threats.

Secured System
• Secure Device Mgmt
• Secure Software Upgrades
• Secure Policy Management

[Diagram labels: Design, Production, Deployment; Device Design, Device Manufacturing, Distribution / Inventory, Final Configuration, Deployed, Policy Settings, Firmware Updates, Updates, Field, Service Provider; Maker, Checker, Vendor, Vendor Security Officer, Utility Security Officer; V, S, db]