A Community of Practice
A natural way of building
Tuesday August 27, 2014
Vision
8/27/2014 “Community of Practice” 2
To create a mass movement that will transform how security is designed in and how the management of intelligent devices operates within a common operating environment.
Mission
To build a community of practicing professionals who are committed to achieving end-to-end security within the ecosystem of all critical infrastructure by shaping the security fabric reference architecture as an interoperable system of systems.
Our strategy is to provide certified interoperability to the key devices controlling the grid.
Our solution would be embedded at each critical point in the energy infrastructure. All points must connect to each other in an end-to-end system.
(Diagram: Management Agents)
Introduction to the Security Fabric Alliance
The Security Fabric Alliance is a working association dedicated to practical deployment of the power grid and critical infrastructure complex system solution in the United States:
• Utilities and telecommunications providers
• Systems integrators
• Manufacturers
• Technology partners
• National certification and interoperability entity
The alliance is intended to give the CEO of a utility the purview of up-to-the-moment knowledge of the options available to make wise investment decisions regarding infrastructure deployment for optimal returns.
The variation includes the proper orientation for large, medium, and small utilities.
Semantics
• Security Fabric Products: the embedded security system solution, composed of an interlocking arrangement of framework options.
• Security Fabric Architecture: the framework of embedded system components that provide the basis for end-to-end security and remote device management.
• Security Fabric Alliance: an informal collection of companies, organizations, and individuals that have, through discussions, designed a conceptual reference architecture called the “Security Fabric”.
To establish the secure communications from the Controller to the Device Node using the Security Fabric elements, you need to do all seven… not just some.
1. Identity Management – Ensures the device identity is established genuinely.
2. Mutual Authentication – Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other.
3. Authorization – Manages permission to proceed with specific operations.
4. Audit – Records noteworthy events for later analysis.
5. Confidentiality – Encrypts sensitive data for matters of privacy.
6. Integrity – Ensures that messages have not been altered.
7. Availability – Prevents denial of service attacks.
These are the seven tenets of security as described in the NIST-IR 7628 Guidelines.
The OMG process is more about establishing markets as opposed to just setting standards.
(Diagram: SFA Reference Builds; Certification of Conformance & Interoperability)
The OMG is planning to standardize the Security Fabric for all critical infrastructure.
There are many participants at different levels in the Security Fabric Alliance.
(Diagram tiers: Components; Products; Subsystems; Research; Integration; Utility Customers)
• Intel – servers with Quark + TPM
• Wind River – Security Connect
• Middleware
• RTI – DDS
• GridStat
• Indra – iSpeed
• MultiSpeak
• TeamF1 – Secure Communications
• Secure Crossing – Protocol Whitelisting
• PsiNaptic – Secure Service Distribution
• SNMP Research – SNMP Agent
• Freescale – HSM w/Vybrid SoC
• Xilinx – CompactRIO SOC
• Green Hills Software – INTEGRITY
• Altera – tamper proofing
• Microsoft – Active Directory
• Red Hat – Auth Hub
• General Electric – EMS
• Alstom Grid – EMS
• Viridity Energy – DR + DER + Microgrid
• Energy One
• Lemko – LTE systems
• Intel Security – SIEM + GTI
• Intel – Encanto + silicon support
• Sypris – Supply Chain Root of Trust
• TCIPG
• EPRI – CIM Standards
• MIT – Security & Privacy Standards
• EPG – Phasor Data Portfolio
• GridSense – NAN & Line Sensors
• S&C IntelliTeam
• SafeNet – Secure Key Management
• Heart – Transverter
• Freescale One Box
• Cisco Cloud-in-a-Box
• Integrated Architectures – SEIT
• MACE Fusion – DoD
• Kryptos Logic – Red Team Certification
• M2M Dynamics
• Drummond Group – C&IT
• Intel Security – Distribution
First Stage:
• ERCOT
• ONCOR
• AEP
• NRECA
• NRTC
Suppliers:
• Verizon
• Level3
• AT&T
• Internet2
• BT
• ViaSat
• Comcast
• ARINC
• Stratus
• Symmetricom
Second Stage:
• APPA
• SDG&E
• PJM
• NYISO
• Southern Company
• Duke Energy
• CAISO
• Pecan Street
• Mueller Community
• Pike Powers
• PNNL – CyberSecurity Test Center
• Lincoln Labs
• OMG SIG
• Industrial Internet
Managed Services:
• Tazca – Connect
• CSG International
• Digi International
• N-Dimension
• SETI
• Lockheed Martin
• SAIC
• Threat Connect
What is being asked for is a secure system of systems that blankets the complexity and delivers it autonomically.
Security Fabric: Interoperable, Embedded, Distributed
This is the embedded side of the operation, in addition to the companion enterprise side.
Separation of the Industrial Internet from the Generic Internet
(Diagram: The Core Network; Generic Internet; Carrier Ethernet with Routing; DWDM Isolation; Cooperative Control Centers; Core City Node; Enterprise Systems; Industrial Devices; Substation Nodes; Router+; Substation Controller; Carrier Ethernet Isolation; NAN Nodes; HAN Nodes; Wireless LTE 700 MHz?; Wireless LTE 2.5 GHz?; PicoCell; Gateway; Sensor; Transverter)
We will eventually use a combination of DWDM separation plus Carrier Ethernet separation.
(Diagram: Understanding; Information; Decision)
Data in – Action out
But sometimes semi-autonomic policy decisions are made and executed in the field (at the small, the medium, and the large).
The policy logic is actually spread to each major active element.
MultiSpeak Initiative
The new Content Aware Firewall (Secure Crossing) needs to be aware of what is flowing through the pipe(s).
(Diagram: Transport Plugins; Content Aware Firewall – Layers 4-6; IP Communications Stack – Layers 2-3; IPsec VPN; Ethernet Controller; UDPv4; UDPv6)
Data Routing Services deals with:
• Connections
• Sessions
All packet prioritization and flow control are performed by Data Routing Services.
The Content Aware Firewall deals with multiple layers and is state sensitive.
The Content Aware Firewall (Secure Crossing) needs to be aware of the Layer 6 socket-level interface, as well as the intended sessions that will be flowing over it at Layer 5, so that it can use UDP connections at Layer 4, so that it can use the IPsec VPN to control encryption on the transport.
Connections and Sessions (diagram labels):
• Kerberos Get Credentials + Tickets
• Get Extended Credentials
• Kerberos Mutual Authentication
• Get Precision Time
• Register for Management + Configuration Synchronization
• Service Locator
• Service Provider
• Multicast Alert
• Unicast Command
• Event Notification
• SNMP Get/Set
• Application Event: Send and Receive:
  • High Priority
  • Medium Priority
  • Low Priority
The detailed requirements will be determined during the requirements assessment phase.
(Diagram: Interface A; Interface B)
There are servers and agents in the industrial environment.
How does the Security Fabric work?
Essentially, the Security Fabric is an end-to-end approach to things.
(Diagram: xSystem & Network Management; Controller; Device; Device; The Security Fabric)
The Security Fabric is a semi-autonomous embedded device management agent and communications protocol set, along with a central system and network management subsystem, that bring security and other controls to the embedded world.
Let’s build this as if we were building a house.
There are obviously going to need to be several different devices involved.
(Diagram: Controller; Device; Device)
We want to add our security agent to each of them to do what we will do.
Our agent will be hidden right beside the application.
The devices need to be able to talk to each other securely, and trust each other on a limited basis.
This means that the solution will need to be a system as opposed to a piece part.
Intel and McAfee Confidential
The agents talk to one another in a resilient middleware.
And all systems need to be administered relative to the configuration and policies that control them.
(Diagram: xSystem & Network Management; Controller; Device; Device; The Tailored Trustworthy Space)
These three ingredients are the soul of the Security Fabric.
The Security Fabric follows the guidelines required by the NIST 7628 for the Department of Energy.
The industry as a whole is applauding this solution.
Managed Device
(Diagram: Application; Device Management)
We always start by separating the management control agent from the payload application.
(Diagram: Managed Device – Applications; Device Management; Secure Communications; Secure Storage; Policy Management; Personal Data Vault)
The management agent always uses defense in depth.
Security Management Hypervisor – Close-up on Partition Structure
(Diagram components: DDS Routing Services; Ethernet Controller; Policy Management; DDS Subagent; Device Application Threads; Operating System; Transport Plugins; Ring 1: Security – HSM Interface; Ring 2: Policy Management; Participant: Management Configuration & Route Mapping; Ring 1: Data Reader / Data Writer; Ring 2: Data Reader / Data Writer; Secure IP I/O Driver; UDPv4; UDPv6; GridStat; Intra-Device DDS Subagent; Change Management; Problem Management; HSM Interface; Kerberos Client + Session Key Management; Security Protocols; Policy Execution Environment)
Routing Services is our inter-system + intra-device middleware; the DDS Subagent controls the private paths between processes.
What is really unfolding with the rise of the Internet of Things is the need for the Semi-Autonomous Policy Management Agent.
Each of the four compositions of rulesets is administered centrally and released to the remote device securely. The rulesets contain profiles, provisioned data, and Java-based rules. All distribution bundles are signed and are subject to local attestation and transition control.
(Diagram: Autonomous Policy Management Agent; IBM Autonomic Computing Model)
The control of the smart grid is all about managing semi-autonomous devices.
The Security Fabric is all about safely deploying this concept.
The customer has to be able to delegate responsibility in small increments to the remote device to avoid the problem of unintended consequences.
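As an added example that is not part of the deck (and not Security Fabric Alliance code), the Python below models the device-side check on a signed ruleset release described above: the bundle's signature is verified before anything else, the device attests that its current state matches the precondition the bundle names, the version must advance, and the mode change must be a permitted transition, which is how the "small increments" of delegation are enforced. The bundle layout, the HMAC-SHA256 stand-in for the real signature, the transition table and every sample value are assumptions constructed for illustration.

```python
"""Added illustration (not from the Security Fabric Alliance deck): a device-side
check of a signed ruleset distribution bundle with local attestation and
transition control. Bundle layout, signature scheme and sample data are all
constructed assumptions."""
import hashlib
import hmac
import json

# Constructed demo key; stands in for the verification key provisioned to the device.
VERIFY_KEY = b"constructed-demo-key-not-for-production"

# Transition control (assumption): the only mode changes a device may accept.
ALLOWED_TRANSITIONS = {
    "bootstrap": {"provisioned"},
    "provisioned": {"operational"},
    "operational": {"operational", "maintenance"},
    "maintenance": {"operational"},
}

# The three ruleset components the deck names.
REQUIRED_PARTS = ("profiles", "provisioned_data", "rules")


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier authenticate identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_bundle(payload: dict, key: bytes = VERIFY_KEY) -> dict:
    """Central administration side: attach a tag over the canonical payload.
    HMAC-SHA256 is a stand-in for the asymmetric signature a real release would carry."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": tag}


def verify_bundle(bundle: dict, device_state: dict, key: bytes = VERIFY_KEY) -> tuple:
    """Remote device side. Returns (accepted, reason); authenticate first,
    then inspect content, so unauthenticated data never influences a decision."""
    payload = bundle.get("payload")
    if not isinstance(payload, dict):
        return False, "malformed bundle"
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(bundle.get("sig", ""))):
        return False, "signature mismatch"
    missing = [part for part in REQUIRED_PARTS if part not in payload]
    if missing:
        return False, "missing parts: " + ", ".join(missing)
    # Local attestation (as modelled here): the bundle must name this device
    # and the state it expects the device to be in when the release lands.
    if payload.get("device_id") != device_state["device_id"]:
        return False, "bundle targets a different device"
    if payload.get("expected_mode") != device_state["mode"]:
        return False, "device state does not match bundle precondition"
    # Anti-rollback: a release must advance the version.
    if payload.get("version", 0) <= device_state["version"]:
        return False, "version does not advance"
    # Transition control: one permitted step at a time.
    if payload.get("mode") not in ALLOWED_TRANSITIONS.get(device_state["mode"], set()):
        return False, f"transition {device_state['mode']} -> {payload.get('mode')} not allowed"
    return True, "ok"


def apply_bundle(bundle: dict, device_state: dict) -> dict:
    """Install a verified release and return the new device state; refuse otherwise."""
    accepted, reason = verify_bundle(bundle, device_state)
    if not accepted:
        raise ValueError(f"release refused: {reason}")
    payload = bundle["payload"]
    return {
        "device_id": device_state["device_id"],
        "version": payload["version"],
        "mode": payload["mode"],
        "ruleset": {part: payload[part] for part in REQUIRED_PARTS},
    }


def demo() -> dict:
    """Constructed scenarios: one good release and three the device must refuse."""
    device = {"device_id": "feeder-relay-17", "version": 3, "mode": "provisioned"}
    good = sign_bundle({
        "device_id": "feeder-relay-17", "expected_mode": "provisioned",
        "version": 4, "mode": "operational",
        "profiles": ["substation-default"], "provisioned_data": {"feeder": 17},
        "rules": ["TripOnOvercurrent.class"],
    })
    tampered = json.loads(json.dumps(good))          # deep copy, altered after signing
    tampered["payload"]["rules"].append("UnsignedExtra.class")
    rollback = sign_bundle(dict(good["payload"], version=2))
    wrong_step = sign_bundle(dict(good["payload"], mode="maintenance"))
    return {
        name: verify_bundle(bundle, device)[1]
        for name, bundle in (("good", good), ("tampered", tampered),
                             ("rollback", rollback), ("wrong_step", wrong_step))
    }


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:10s} {reason}")
```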
www.securityfabricalliance.org
Designed in
Security Discussion
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

SFA Community of Practice: A natural way of building

  • 1. A Community of Practice: A natural way of building. Tuesday August 27, 2014
  • 2. Vision: To create a mass movement that will transform how security is designed in and how the management of intelligent devices operates within a common operating environment. Mission: To build a community of practicing professionals who are committed to achieving end-to-end security within the ecosystem of all critical infrastructure by shaping the security fabric reference architecture as an interoperable system of systems.
  • 3. Our strategy is to provide certified interoperability to the key devices controlling the grid. Our solution would be embedded at each critical point in the energy infrastructure. All points must connect to each other in an end-to-end system. (Diagram label: Management Agents.)
  • 4. Introduction to the Security Fabric Alliance. The Security Fabric Alliance is a working association dedicated to practical deployment of the power grid and critical infrastructure complex system solution in the United States: utilities and telecommunications providers, systems integrators, manufacturers, technology partners, and a national certification and interoperability entity. The alliance is intended to give the CEO of a utility the purview of up-to-the-moment knowledge of the options available to make wise investment decisions regarding infrastructure deployment for optimal returns. The variation includes the proper orientation for large, medium, and small utilities.
  • 5. Semantics. Security Fabric Products: the embedded security system solution, composed of an interlocking arrangement of framework options. Security Fabric Architecture: the framework of embedded system components that provide the basis for end-to-end security and remote device management. Security Fabric Alliance: an informal collection of companies, organizations, and individuals that have, through discussions, designed a conceptual reference architecture called the “Security Fabric”.
  • 6. To establish secure communications from the Controller to the Device Node using the Security Fabric elements, you need to do all seven, not just some. These are the seven tenets of security as described in the NIST-IR 7628 Guidelines: 1. Identity Management – Ensures the device identity is established genuinely. 2. Mutual Authentication – Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other. 3. Authorization – Manages permission to proceed with specific operations. 4. Audit – Records noteworthy events for later analysis. 5. Confidentiality – Encrypts sensitive data for matters of privacy. 6. Integrity – Ensures that messages have not been altered. 7. Availability – Prevents denial of service attacks.
  • 7. The OMG process is more about establishing markets as opposed to just setting standards. The OMG is planning to standardize the Security Fabric for all critical infrastructure. (Diagram labels: SFA Reference Builds; Certification of Conformance & Interoperability.)
  • 8. There are many participants at different levels in the Security Fabric Alliance. (Diagram columns: Components, Products, Subsystems, Research, Integration, Utility Customers.) • Intel – servers with Quark + TPM • Wind River – Security Connect • Middleware • RTI – DDS • GridStat • Indra - iSpeed • MultiSpeak • TeamF1 – Secure Communications • Secure Crossing – Protocol Whitelisting • PsiNaptic – Secure Service Distribution • SNMP Research – SNMP Agent • Freescale – HSM w/Vybrid SoC • Xilinx – CompactRIO SOC • Green Hills Software - INTEGRITY • Altera - tamper proofing • Microsoft – Active Directory • Red Hat – Auth Hub • General Electric – EMS • Alstom Grid – EMS • Viridity Energy – DR + DER + Microgrid • Energy One • Lemko – LTE systems • Intel Security – SIEM + GTI • Intel – Encanto + silicon support • Sypris – Supply Chain Root of Trust • TCIPG • EPRI – CIM Standards • MIT – Security & Privacy Standards • EPG – Phasor Data Portfolio • GridSense – NAN & Line Sensors • S&C IntelliTeam • SafeNet – Secure Key Management • Heart - Transverter • Freescale One Box • Cisco Cloud-in-a-Box • Integrated Architectures – SEIT • MACE Fusion - DoD • Kryptos Logic – Red Team Certification • M2M Dynamics • Drummond Group – C&IT • Intel Security - Distribution. First Stage: • ERCOT • ONCOR • AEP • NRECA • NRTC. Suppliers: • Verizon • Level3 • AT&T • Internet2 • BT • ViaSat • Comcast • ARINC • Stratus • Symmetricom. Second Stage: • APPA • SDG&E • PJM • NYISO • Southern Company • Duke Energy • CAISO • Pecan Street • Mueller Community • Pike Powers • PNNL – CyberSecurity Test Center • Lincoln Labs • OMG SIG • Industrial Internet. Managed Services: • Tazca – Connect • CSG International • Digi International • N-Dimension • SETI • Lockheed Martin • SAIC • Threat Connect
  • 9. What is being asked for is a secure system of systems that blankets the complexity and delivers it autonomically. This is the embedded side of the operation, in addition to the companion enterprise side. (Diagram: Security Fabric – Interoperable, Embedded, Distributed.)
  • 10. Separation of the Industrial Internet from the Generic Internet. We will eventually use a combination of DWDM separation plus Carrier Ethernet separation. (Diagram labels: The Core Network; Generic Internet; Carrier Ethernet with Routing; DWDM Isolation; Cooperative Control Centers; Core City Node; Enterprise Systems; Industrial Devices; Substation Nodes; Router+; Substation Controller; Carrier Ethernet Isolation; NAN Nodes; HAN Nodes; Wireless LTE 700 MHz?; Wireless LTE 2.5 GHz?; PicoCell; Gateway; Sensor; Transverter.)
  • 11. Understanding. (Diagram labels: Information; Decision; Data in – Action out; MultiSpeak Initiative.) But sometimes semi-autonomic policy decisions are made and executed in the field (at the small, the medium, and the large). The policy logic is actually spread to each major active element.
  • 12. The new Content Aware Firewall (Secure Crossing) needs to be aware of what is flowing through the pipe(s). (Diagram labels: Transport Plugins; Content Aware Firewall – Layers 4-6; IP Communications Stack – Layers 2-3; IPsec VPN; Ethernet Controller; UDPv4; UDPv6.) Data Routing Services deals with connections and sessions. All packet prioritization and flow control are performed by Data Routing Services. The Content Aware Firewall deals with multiple layers and is state sensitive.
  • 13. The Content Aware Firewall (Secure Crossing) needs to be aware of the Layer 6 socket level interface, as well as the intended sessions that will be flowing over it at Layer 5, so that it can use UDP connections at Layer 4, so that it can use the IPsec VPN to control encryption on the transport. (Diagram labels: Content Aware Firewall – Layers 4-6; IP Communications Stack – Layers 2-3; IPsec VPN; UDPv4; UDPv6; Interface A; Interface B.) Connections and Sessions: • Kerberos Get Credentials + Tickets • Get Extended Credentials • Kerberos Mutual Authentication • Get Precision Time • Register for Management + Configuration Synchronization • Service Locator • Service Provider • Multicast Alert • Unicast Command • Event Notification • SNMP Get/Set • Application Event: Send and Receive: High Priority, Medium Priority, Low Priority. The detailed requirements will be determined during the requirements assessment phase.
  • 14. There are servers and agents in the industrial environment.
  • 15. How does the Security Fabric work?
  • 16. Essentially, the Security Fabric is an end-to-end approach to things. The Security Fabric is a semi-autonomous embedded device management agent and communications protocol set, along with a central system and network management subsystem, that together bring security and other controls to the embedded world. Let’s build this as if we were building a house. (Diagram labels: xSystem & Network Management; Controller; Device; Device; The Security Fabric.)
  • 17. There are obviously going to need to be several different devices involved. We want to add our security agent to each of them to do what we will do. Our agent will be hidden right beside the application. (Diagram labels: Controller; Device; Device.)
  • 18. The devices need to be able to talk to each other securely, and trust each other on a limited basis. This means that the solution will need to be a system as opposed to a piece part. The agents talk to one another in a resilient middleware. (Diagram labels: Controller; Device; Device.)
  • 19. And all systems need to be administered relative to the configuration and policies that control them. These three ingredients are the soul of the Security Fabric. (Diagram labels: xSystem & Network Management; Controller; Device; Device; The Tailored Trustworthy Space.)
  • 20. The Security Fabric follows the guidelines required by the NIST 7628 for the Department of Energy. The industry as a whole is applauding this solution. (Diagram labels: xSystem & Network Management; Controller; Device; Device; The Security Fabric.)
  • 21. We always start by separating the management control agent from the payload application. (Diagram labels: Managed Device; Application; Device Management.)
  • 23. Close-up on Partition Structure. Routing Services is our inter-system + intra-device middleware; the DDS Subagent controls the private paths between processes. (Diagram labels: Security Management; Hypervisor; DDS Routing Services; Ethernet Controller; Policy Management; DDS Subagent; Device Application Threads; Connection; Operating System; Transport Plugins; Ring 1: Security – HSM Interface; Ring 2: Policy Management; Participant: Management; Configuration & Route Mapping; Ring 1: Data Reader; Ring 1: Data Writer; Secure IP I/O Driver; UDPv4; UDPv6; GridStat; Intra-Device DDS Subagent Connection; Ring 2: Data Reader; Ring 2: Data Writer; Change Management; Problem Management; HSM Interface; Kerberos Client + Session Key Management; Security Protocols; Policy Execution Environment.)
  • 24. What is really unfolding with the rise of the Internet of Things is the need for the Semi-Autonomous Policy Management Agent. Each of the four compositions of rulesets is administered centrally and released to the remote device securely. The rulesets contain profiles, provisioned data, and Java-based rules. All distribution bundles are signed and are subject to local attestation and transition control. (Diagram labels: Autonomous Policy Management Agent; IBM Autonomic Computing Model.)
  • 25. The control of the smart grid is all about managing semi-autonomous devices. The Security Fabric is all about safely deploying this concept. The customer has to be able to delegate responsibility in small increments to the remote device to avoid the problem of unintended consequences.
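Slides 24 and 25 describe the device-side gate on centrally released rulesets: every distribution bundle is signed, and the device applies transition control before a ruleset takes effect, so that responsibility is delegated in controlled increments. The Go program below is an added example written for this page; it is not code from the Security Fabric Alliance or the deck. The deck names no signature algorithm, bundle format or field names, so Ed25519, the JSON payload, the `Ruleset`/`Bundle`/`Agent` types and the device id `substation-17` are all assumptions made here. The example goes a little beyond the slide text by showing the three checks a practitioner would expect in such a gate, and the order they must run in: signature before parsing, device binding, then a strictly increasing version so that an older but still validly signed bundle cannot be replayed to roll policy back.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Ruleset is one composition of rules released to a device. Field names and
// the JSON wire format are assumptions for this example, not the alliance's.
type Ruleset struct {
	Device  string   `json:"device"`
	Version uint64   `json:"version"`
	Rules   []string `json:"rules"`
}

// Bundle: the encoded ruleset plus an Ed25519 signature over exactly those bytes.
type Bundle struct {
	Payload, Signature []byte
}

// Agent is the device-side state that transition control needs.
type Agent struct {
	CentralKey     ed25519.PublicKey // the only key whose bundles are accepted
	DeviceID       string            // identity this agent answers to
	CurrentVersion uint64            // version of the ruleset in force (0 = none)
}

var (
	ErrBadSignature = errors.New("signature does not verify against the central key")
	ErrMalformed    = errors.New("payload is not a well-formed ruleset")
	ErrWrongDevice  = errors.New("bundle is bound to a different device")
	ErrNotMonotonic = errors.New("version does not advance the active ruleset")
)

// Issue is the central administration step: encode the ruleset and sign it.
func Issue(central ed25519.PrivateKey, rs Ruleset) (Bundle, error) {
	payload, err := json.Marshal(rs)
	if err != nil {
		return Bundle{}, err
	}
	return Bundle{Payload: payload, Signature: ed25519.Sign(central, payload)}, nil
}

// Apply is the device-side gate. The signature is verified before any payload
// byte is parsed; the bundle must be bound to this device; and the version must
// strictly increase, so an older but validly signed bundle cannot roll policy back.
func (a *Agent) Apply(b Bundle) error {
	if !ed25519.Verify(a.CentralKey, b.Payload, b.Signature) {
		return ErrBadSignature
	}
	var rs Ruleset
	if err := json.Unmarshal(b.Payload, &rs); err != nil {
		return ErrMalformed
	}
	if rs.Device != a.DeviceID {
		return ErrWrongDevice
	}
	if rs.Version <= a.CurrentVersion {
		return ErrNotMonotonic
	}
	a.CurrentVersion = rs.Version // the ruleset is now in force
	return nil
}

// Scenario delivers a constructed sequence of bundles to one agent and
// returns the outcome of each delivery in order.
func Scenario() ([]string, error) {
	centralPub, centralPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // key the device never trusted
	agent := &Agent{CentralKey: centralPub, DeviceID: "substation-17"} // constructed id
	v1 := Ruleset{Device: "substation-17", Version: 1, Rules: []string{"allow-ctl-a-reads"}}
	v2 := Ruleset{Device: "substation-17", Version: 2, Rules: []string{"allow-ctl-a-reads", "alert-on-unexpected-write"}}
	foreign := v2
	foreign.Device = "substation-18"
	good1, _ := Issue(centralPriv, v1)
	good2, _ := Issue(centralPriv, v2)
	rogue, _ := Issue(roguePriv, v2)
	other, _ := Issue(centralPriv, foreign)
	// Genuine signature carried over a payload altered in transit.
	tampered := Bundle{Payload: bytes.Replace(good2.Payload, []byte("alert-on"), []byte("ALERT-ON"), 1), Signature: good2.Signature}
	names := []string{"v1 genuine", "v1 replayed", "v2 rogue key", "v2 tampered", "v2 other device", "v2 genuine"}
	bundles := []Bundle{good1, good1, rogue, tampered, other, good2}
	var out []string
	for i, b := range bundles {
		if err := agent.Apply(b); err != nil {
			out = append(out, names[i]+": rejected ("+err.Error()+")")
		} else {
			out = append(out, fmt.Sprintf("%s: applied, active version %d", names[i], agent.CurrentVersion))
		}
	}
	return out, nil
}

func main() {
	out, err := Scenario()
	fmt.Println(out, err)
}
```

The deck also mentions local attestation of the bundle; that step (a measurement of the bundle reported to the management side) is not modelled here, only the checks the agent can decide on its own. Keeping the version check after the signature check is deliberate: a version number inside an unverified payload is attacker-controlled data and must not influence state before the signature has been confirmed.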