The Security Fabric Alliance is an informal consortium dedicated to the deployment of "designed in security" for embedded systems in critical infrastructure.
It uses the NIST IR 7628 guidelines and the "tailored trustworthy space" as the basis for the Security Fabric Reference Architecture. The SFRA is discussed in detail in the slides herein.
1. A Community of Practice
A natural way of building
Tuesday August 27, 2014
2. Vision
8/27/2014 “Community of Practice” 2
To create a mass movement that will transform how security is designed in and how the management of intelligent devices operates within a common operating environment.
Mission
To build a community of practicing professionals who are committed to achieving end-to-end security within the ecosystem of all critical infrastructure by shaping the Security Fabric Reference Architecture as an interoperable system of systems.
3. Our strategy is to provide certified interoperability
to the key devices controlling the grid.
Our solution would be embedded at each critical point in the energy infrastructure.
All points must connect to each other in an end-to-end system.
Diagram label: Management Agents.
4. Introduction to the
Security Fabric Alliance
The Security Fabric Alliance is a working association dedicated to practical deployment of the power grid and critical infrastructure complex system solution in the United States:
• Utilities and telecommunications providers
• Systems integrators
• Manufacturers
• Technology partners
• National certification and interoperability entity
The alliance is intended to give the CEO of a utility the purview of up-to-the-moment knowledge of the options available to make wise investment decisions regarding infrastructure deployment for optimal returns.
The variation includes the proper orientation for large, medium, and small utilities.
5. Semantics
• Security Fabric Products: the embedded security system solution, composed of an interlocking arrangement of framework options.
• Security Fabric Architecture: the framework of embedded system components that provide the basis for end-to-end security and remote device management.
• Security Fabric Alliance: an informal collection of companies, organizations, and individuals that have, through discussions, designed a conceptual reference architecture called the “Security Fabric”.
6. To establish the secure communications from the Controller to the Device Node using the Security Fabric elements, you need to do all seven… not just some.
1. Identity Management – Ensures the device identity is established genuinely.
2. Mutual Authentication – Allows both the Device Node and the Controller to verify the trustworthiness of their identity to each other.
3. Authorization – Manages permission to proceed with specific operations.
4. Audit – Records noteworthy events for later analysis.
5. Confidentiality – Encrypts sensitive data for matters of privacy.
6. Integrity – Ensures that messages have not been altered.
7. Availability – Prevents denial of service attacks.
These are the seven tenets of security as described in the NIST-IR 7628 Guidelines.
7. The OMG process is more about establishing markets
as opposed to just setting standards.
Diagram labels: SFA Reference Builds; Certification of Conformance & Interoperability.
The OMG is planning to standardize the Security Fabric for all critical infrastructure.
8. There are many participants at different levels
in the Security Fabric Alliance.
Participant tiers: Components, Products, Subsystems, Research, Integration, Utility Customers.
• Intel – servers with Quark + TPM
• Wind River – Security Connect
• Middleware
• RTI – DDS
• GridStat
• Indra - iSpeed
• MultiSpeak
• TeamF1 – Secure Communications
• Secure Crossing – Protocol Whitelisting
• PsiNaptic – Secure Service Distribution
• SNMP Research – SNMP Agent
• Freescale – HSM w/Vybrid SoC
• Xilinx – CompactRIO SOC
• Green Hills Software - INTEGRITY
• Altera - tamper proofing
• Microsoft – Active Directory
• Red Hat – Auth Hub
• General Electric – EMS
• Alstom Grid – EMS
• Viridity Energy – DR + DER + Microgrid
• Energy One
• Lemko – LTE systems
• Intel Security – SIEM + GTI
• Intel – Encanto + silicon support
• Sypris – Supply Chain Root of Trust
• TCIPG
• EPRI – CIM Standards
• MIT – Security & Privacy Standards
• EPG – Phasor Data Portfolio
• GridSense – NAN & Line Sensors
• S&C IntelliTeam
• SafeNet – Secure Key Management
• Heart - Transverter
• Freescale One Box
• Cisco Cloud-in-a-Box
• Integrated Architectures – SEIT
• MACE Fusion - DoD
• Kryptos Logic – Red Team Certification
• M2M Dynamics
• Drummond Group – C&IT
• Intel Security - Distribution
First Stage
• ERCOT
• ONCOR
• AEP
• NRECA
• NRTC
Suppliers
• Verizon
• Level3
• AT&T
• Internet2
• BT
• ViaSat
• Comcast
• ARINC
• Stratus
• Symmetricom
Second Stage
• APPA
• SDG&E
• PJM
• NYISO
• Southern Company
• Duke Energy
• CAISO
• Pecan Street
• Mueller Community
• Pike Powers
• PNNL – CyberSecurity Test Center
• Lincoln Labs
• OMG SIG
• Industrial Internet
Managed Services
• Tazca – Connect
• CSG International
• Digi International
• N-Dimension
• SETI
• Lockheed Martin
• SAIC
• Threat Connect
9. What is being asked for is a secure system of systems that
blankets the complexity and delivers it autonomically.
Diagram labels: Security Fabric – Interoperable, Embedded, Distributed.
This is the embedded side of the operation
in addition to the companion enterprise side.
10. Separation of the Industrial Internet
from the Generic Internet
Diagram labels: The Core Network; Generic Internet; Carrier Ethernet with Routing; DWDM Isolation; Cooperative Control Centers; Core City Node; Enterprise Systems; Industrial Devices; Substation Nodes (Router+, Substation Controller, Router+); Carrier Ethernet Isolation; NAN Nodes; HAN Nodes; Wireless LTE 700 MHz?; Wireless LTE 2.5 GHz? PicoCell; Gateway; Sensor; Transverter.
We will eventually use a combination of DWDM separation plus Carrier Ethernet separation.
11. Understanding, Information, Decision: Data in – Action out.
But sometimes semi-autonomic policy decisions are made and executed in the field (at the small, the medium, and the large). The policy logic is actually spread to each major active element.
Diagram label: MultiSpeak Initiative.
12. The new Content Aware Firewall (Secure Crossing) needs to be aware of what is flowing through the pipe(s).
Diagram labels: Transport Plugins; Content Aware Firewall – Layers 4-6; IP Communications Stack – Layers 2-3; IPsec VPN; Ethernet Controller; UDPv4; UDPv6.
Data Routing Services deals with connections and sessions. All packet prioritization and flow control are performed by Data Routing Services.
The Content Aware Firewall deals with multiple layers and is state sensitive.
13. The Content Aware Firewall (Secure Crossing) needs to be aware of the Layer 6 socket-level interface, as well as the intended sessions that will be flowing over it at Layer 5, so that it can use UDP connections at Layer 4, and so that it can use the IPsec VPN to control encryption on the transport.
Diagram labels: Content Aware Firewall – Layers 4-6; IP Communications Stack – Layers 2-3; IPsec VPN; UDPv4; UDPv6; Interface A; Interface B.
Connections and sessions shown in the diagram:
• Kerberos Get Credentials + Tickets
• Get Extended Credentials
• Kerberos Mutual Authentication
• Get Precision Time
• Register for Management + Configuration Synchronization
• Service Locator
• Service Provider
• Multicast Alert
• Unicast Command
• Event Notification
• SNMP Get/Set
• Application Event: Send and Receive: High Priority, Medium Priority, Low Priority
The detailed requirements will be determined during the requirements assessment phase.
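As an added illustration of what "state sensitive" means for the Content Aware Firewall described above (example code written here, not code from the Security Fabric Alliance or Secure Crossing): a small filter that admits session-type traffic only after the connection-level steps from the slide have been seen, in order, from that peer. The message names come from the slide; the ordering rule, the peer bookkeeping and the sample traffic are constructed for this example.

```python
"""Added example, not code from the Security Fabric Alliance deck: a minimal
state-sensitive filter in the spirit of the Content Aware Firewall slide.
Session-type traffic is admitted only after the connection-level steps the
slide lists have been seen, in order, from that peer. Message names follow
the slide; the ordering rule and the sample traffic are constructed."""

# Connection-level steps, in the order the filter expects them (constructed order)
CONNECTION_STEPS = (
    "Kerberos Get Credentials + Tickets",
    "Kerberos Mutual Authentication",
    "Register for Management + Configuration Synchronization",
)
# Session-level traffic that only makes sense on an established connection
SESSION_TYPES = {"Multicast Alert", "Unicast Command", "Event Notification",
                 "SNMP Get/Set", "Application Event"}

def filter_traffic(messages):
    """Return (peer, msg_type, verdict) per message. Connection steps must
    arrive in order, session traffic needs an established connection, and
    anything not on the whitelist is dropped (protocol whitelisting)."""
    progress = {}  # peer -> number of connection steps completed, in order
    decisions = []
    for peer, msg_type in messages:
        done = progress.setdefault(peer, 0)
        established = done == len(CONNECTION_STEPS)
        if msg_type in CONNECTION_STEPS:
            if not established and msg_type == CONNECTION_STEPS[done]:
                progress[peer] = done + 1
                verdict = "ALLOW"
            else:  # repeated, skipped or out-of-order step
                verdict = "DROP:out-of-order"
        elif msg_type in SESSION_TYPES:
            verdict = "ALLOW" if established else "DROP:no-session-context"
        else:
            verdict = "DROP:not-whitelisted"
        decisions.append((peer, msg_type, verdict))
    return decisions

SAMPLE = [  # constructed traffic: device-A completes setup, device-B skips it
    ("device-A", "Kerberos Get Credentials + Tickets"),
    ("device-A", "Kerberos Mutual Authentication"),
    ("device-A", "Register for Management + Configuration Synchronization"),
    ("device-A", "Unicast Command"),
    ("device-B", "Kerberos Get Credentials + Tickets"),
    ("device-B", "Unicast Command"),
    ("device-B", "Legacy Telnet"),
]
```

Running `filter_traffic(SAMPLE)` allows device-A's command and drops device-B's command for lacking session context, which is the per-peer state a stateless port filter cannot express.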
16. Essentially, the Security Fabric is an end-to-end approach to things.
Diagram labels: xSystem & Network Management; Controller; Device; Device; The Security Fabric.
The Security Fabric is a semi-autonomous embedded device management agent and communications protocol set, along with a central system and network management subsystem, that bring security and other controls to the embedded world.
Let’s build this as if we were building a house.
17. There are obviously going to need to be several different devices involved.
Diagram labels: Controller; Device; Device.
We want to add our security agent to each of them to do what we will do. Our agent will be hidden right beside the application.
18. The devices need to be able to talk to each other securely, and trust each other on a limited basis.
Diagram labels: Controller; Device; Device.
This means that the solution will need to be a system as opposed to a piece part.
Intel and McAfee Confidential
The agents talk to one another in a resilient middleware.
19. And all systems need to be administered relative to the configuration and policies that control them.
Diagram labels: xSystem & Network Management; Controller; Device; Device; The Tailored Trustworthy Space.
These three ingredients are the soul of the Security Fabric.
20. The Security Fabric follows the guidelines required by the NIST 7628 for the Department of Energy.
Diagram labels: xSystem & Network Management; Controller; Device; Device; The Security Fabric.
The industry as a whole is applauding this solution.
23. Security Management Hypervisor: Close-up on Partition Structure
Diagram labels: DDS Routing Services; Ethernet Controller; Policy Management; DDS Subagent; Device Application Threads; DDS Subagent Connection; Operating System; Transport Plugins; Ring 1: Security – HSM Interface; Ring 2: Policy Management; Participant: Management Configuration & Route Mapping; Ring 1: Data Reader; Ring 1: Data Writer; Secure IP I/O Driver (UDPv4, UDPv6, GridStat); Intra-Device DDS Subagent Connection; Participant: Management; Ring 2: Data Reader; Ring 2: Data Writer; Change Management; Problem Management; HSM Interface; Kerberos Client + Session Key Management; Security Protocols; Policy Execution Environment.
Routing Services is our inter-system and intra-device middleware; the DDS Subagent controls the private paths between processes.
24. What is really unfolding with the rise of the Internet of Things is the need for the Semi-Autonomous Policy Management Agent.
Each of the four compositions of rulesets is administered centrally and released to the remote device securely. The rulesets contain profiles, provisioned data, and Java-based rules. All distribution bundles are signed and are subject to local attestation and transition control.
Diagram labels: Autonomous Policy Management Agent; IBM Autonomic Computing Model.
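To make the three checks on a distribution bundle concrete (signature, local attestation, transition control), here is an added example of how a device-side agent could accept or reject a released ruleset; it is illustration written for this page, not code from the Security Fabric Alliance. The bundle layout, the `release` helper, the attestation digest, and the HMAC-SHA256 tag used in place of the deck's (unspecified) signature scheme are all assumptions; the fail-closed structure is the point.

```python
"""Added example, not code from the Security Fabric Alliance deck: a device
agent accepting a signed ruleset bundle only if (1) the tag verifies,
(2) the bundle targets this device's local attestation, and (3) the version
steps forward by exactly one (transition control: no replay, no rollback,
no skipped releases). HMAC-SHA256 stands in for a real signature here."""
import hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the central authority's key

def release(ruleset: dict, key: bytes = SIGNING_KEY) -> dict:
    """Central side (constructed): wrap a ruleset in a tagged distribution bundle."""
    payload = json.dumps(ruleset, sort_keys=True).encode()
    return {"payload": payload.decode(),
            "tag": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def local_attestation() -> str:
    """Device side (constructed): digest of what this device measures itself to be."""
    return hashlib.sha256(b"platform:quark-tpm;firmware:1.0").hexdigest()

def accept_bundle(bundle: dict, current_version: int, key: bytes = SIGNING_KEY):
    """Return (ok, reason, ruleset). Every check fails closed; the ruleset is
    only parsed after the tag has been verified over the raw payload."""
    payload = bundle["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["tag"]):
        return False, "bad signature", None
    ruleset = json.loads(payload)
    if ruleset.get("target_attestation") != local_attestation():
        return False, "attestation mismatch", None
    if ruleset.get("version") != current_version + 1:
        return False, "transition not allowed", None
    return True, "applied", ruleset

# Constructed release carrying the three ruleset parts the slide names
GOOD = release({"version": 8, "target_attestation": local_attestation(),
                "profiles": ["substation-controller"],
                "provisioned": {"poll_interval_s": 30},
                "rules": ["ThrottleOnAlert.java"]})
```

`accept_bundle(GOOD, 7)` applies the release; presenting the same bundle again at version 8, or a bundle edited after tagging, is rejected.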
25. The control of the smart grid is all about
managing semi-autonomous devices.
The Security Fabric is all about safely deploying this concept.
The customer has to be able to delegate responsibility in small increments
to the remote device to avoid the problem of unintended consequences.