This document discusses how Crypto-Flow segmentation and encryption can help organizations comply with various security standards and regulations. It provides examples of how Crypto-Flow can be used to encrypt data in transit for ISO27001, PCI-DSS, IEC 62443, NESA, and the Cloud Security Alliance guidelines. It also outlines best practices for key management and testing the security of implemented encryption controls.

1. Crypto-Flow Segmentation / Encryption - Compliance
www.dts-solution.com
Shah H Sheikh – Sr. Security Solutions Consultant
MEng CISSP CISA CISM CRISC CCSK
shah@dts-solution.com

2. • ISO27001:2013
• PCI-DSS v3
• IEC-62443 (SCADA)
• NESA
• Cloud Security Alliance
Crypto-Flow and Compliance

3. Crypto-Flow / ISO27001:2013
• On mobile devices such as laptops and Smartphones
• For authorised use of removable media such as USB memory sticks
• Where classified data is transmitted across communications lines that extend
beyond the boundaries of the organization e.g. over the Internet, Extranet…

4. Crypto-Flow / ISO27001:2013
Process/Situation Technique Specific Guidance
E-Commerce transactions over
the Internet
Symmetric encryption using
SSL/TLS (Asymmetric
techniques used to share
session key)
RSA to be used for public key
cryptography. Certificates to be
obtained from Thawte
Protection of data on
removable media
Symmetric encryption using
TrueCrypt
AES-256 encryption to be used where
available
Protection of passwords on
systems
All passwords must be hashed
MD5 hashing to be used where
available
Email Security
Symmetric/asymmetric
encryption using S/MIME
Features available in MS Outlook
should be used to simplify the process
Remote Access
Virtual Private Network (VPN)
using SSL
A SSL VPN may be used where
permitted by the Network Security
Policy

5. Crypto-Flow / ISO27001:2013
Testing and Validation of Implemented Control Objectives;
Once deployed, it is critical that the security of the encryption be tested under as
realistic conditions as possible in order to identify any weaknesses. Such testing
should cover the use of:
• commonly-available software tools to try to break the encryption
• social engineering methods to try to discover the key
• interception of encrypted data at various points in its transmission

6. Crypto-Flow / ISO27001:2013
Key Management
• Key generation (HSM Integration)
• Distribution of keys to point of use
• Storage at point of use
• Backup as protection against loss
• Recovery in the event of loss
• Updating keys once expired
• Revoking if compromised
• Archiving once expired
• Destroying when no longer required
• Logging and auditing of key management related activities

7. Crypto-Flow / PCI-DSS v3
• Internet
• 3G / LTE
• MPLS
• VPLS
• VSAT
• IoT / M2M

8. Crypto-Flow / PCI-DSS v3
Cypto-Flow Network Segmentation
(helps reduce the scope of PCI-DSS)

9. Crypto-Flow / PCI-DSS v3
• Encryption Overlay Network
• Not the rip-replace but re-engineer existing networks to isolate CDE
• Ease of Deployment – Managed Encryption with a simple GUI-based policies
and key management server
• Certes Networks uses strong cryptography and simple and flexible policies to
isolate areas of the network without changing the physical or logical network
topology.
• This protection is stronger than traditional firewall-based approaches
because it isolates the network using encryption rather than relying only on
the packet headers.

10. Crypto-Flow / IEC62443 (SCADA)

11. Security Zone Definition
• “Security zone: grouping of logical or physical assets that
share common security requirements”. [ANSI/ISA-
99.01.01–2007- 3.2.116]
– A zone has a clearly defined border (either logical or physical),
which is the boundary between included and excluded elements.
HMI Zone
PLC Zone

12. Conduits
• A conduit is a path for the flow of data between two
zones.
– can provide the security functions that allow different zones to
communicate securely.
– Any communications between zone must have a conduit.
HMI Zone
PLC Zone
Conduit

13. Protecting the Network with Zones and Conduits
• A firewall in each conduit will allow only the MINIMUM
network traffic necessary for correct plant operation
HMI Zone
PLC Zone
Firewall

14. Shared
SCADA
Network
• Firewalls
• Deployed with equipment
• Inspects network traffic
• Challenges
• No integrity protection of data
• No protection against data
replay, injection, or modification
• Hard to dynamically adjust
policies to allow zone based
access – static configuration
• One deployed – Retained
Firewalls: Current Attempt at Security

15. Shared
SCADA
Network
VLAN 123 • VLAN
• Defined across Shared ICS Network
• Terminates at individual network ports
• High cost per managed port
• Challenges
• Security configuration embedded in core
network
• Secure perimeter - no internal security
• Security through Switching
• No visibility by users
• Change management is difficult
VLANs: Current Attempt at Isolation

16. Certes TrustNet
Manager
Certes™ Encryptors
Shared
SCADA
Network
Isolation and Flexibility, Simultaneously
Certes: Crypto Flow
HMI
PLC

17. The Purdue Model – Secure Architecture
Level 4
Level 3
Level 2
Level 1
Business Network
UPS Clients Level 3.5DMZ & Firewalls
PHD Shadow Server
Data Collector
EPKS Server DCS Servers
Data is given to the Users (PHD Clients) from the Shadow Server
PHD Buffer
Server
Collects the Data from the Experion or DCS Servers
Collects the Data from Controllers, pumps, valves etc.
Clients from the network cannot request data from the Data Collector Directly

18. Crypto-Flow / NESA

19. Crypto-Flow / NESA

20. Cloud Security Alliance
Cloud Security Alliance Guide v3
• Domain 11
• Encryption and Key Management
• Some Key Points;
• Data in Motion (not at Rest)
• Content Aware Encryption
• User Aware Encryption
• Format Preservation
• Common Use Cases;
• Cloud Hosting Provider (Public or Private Usage)
• vCEP Deployment
• User Aware Encryption
• A Virtual Encrypted Overlay from your DC to cloud

21. Shah H Sheikh – Sr. Security Solutions Consultant
MEng CISSP CISA CISM CRISC CCSK
shah@dts-solution.com