Cyber Security for Energy Delivery Systems NSTB What’s an ICP ? And why is it Useful for Utilities ? Dave Teumim, CISSP Teumim Technical, LLC.

Slides:



Advertisements
Similar presentations
Encrypting Wireless Data with VPN Techniques
Advertisements

Network Security.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Security at the Network Layer: IPSec
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Virtual Private Networks and IPSec
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
K. Salah1 Security Protocols in the Internet IPSec.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.
NetComm Wireless VPN Functionality Feature Spotlight.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Course 201 – Administration, Content Inspection and SSL VPN
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 7: Securing Site-to-Site Connectivity Connecting Networks.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
An Introduction to Encrypting Messages on the Internet Mike Kaderly INFS 750 Summer 2010.
CIT 384: Network AdministrationSlide #1 CIT 384: Network Administration VPNs.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
C3 confidentiality classificationIntegrated M2M Terminals Introduction Vodafone MachineLink 3G v1.0 1 Vodafone MachineLink 3G VPN functionality Feature.
IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.
Generic Routing Encapsulation GRE  GRE is an OSI Layer 3 tunneling protocol: Encapsulates a wide variety of protocol packet types inside.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Karlstad University IP security Ge Zhang
© 2011 EnerNex. All Rights Reserved. Lemnos Interoperable Security Project Background and Benefits 8/11/2011.
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
Cyber Security for Energy Delivery Systems NSTB Cyber Security Interoperability Task Force UCA Iug/OpenSG/SG Security Working Group.
IPsec  IPsec (IP security)  Security for transmission over IP networks The InternetThe Internet Internal corporate IP networksInternal corporate IP.
11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 
IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.
IP Security. P R E S E N T E D B Y ::: Semester : 8 ::: Year : 2009 Naeem Riaz Maria Shakeel Aqsa Nizam.
21 July 2004Bill Nickless / IPSec1 IPSec Internet Protocol Security And You.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.
1 Virtual Private Networks (VPNs) and IP Security (IPSec) G53ACC Chris Greenhalgh.
18 July 2004Bill Nickless / IPSec1 IPSec Internet Protocol Security And You.
Attacking IPsec VPNs Charles D George Jr. Overview Internet Protocol Security (IPSec) is a suite of protocols for authenticating and encrypting packets.
Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
Internet Key Exchange IKE ● RFC 2409 ● Services – Constructs shared authenticated keys – Establishes shared security parameters – Common SAs between IPSec.
Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.
V IRTUAL P RIVATE N ETWORKS K ARTHIK M OHANASUNDARAM W RIGHT S TATE U NIVERSITY.
NIST’s IPsec Web-Based Interoperability Tester (IPsec-WIT) Sheila Frankel NIST Computer Security Division
IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
K. Salah1 Security Protocols in the Internet IPSec.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
CCSDS IPsec Compatibility Testing 05/4/2016 CHARLES SHEEHE, CCSDS GRC POC OKECHUKWU MEZU, Test Engineer 1.
Virtual Private Networks and IPSec
Network Layer Security Update
UNIT.4 IP Security.
Virtual Private Networks
Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls
Presentation transcript:

Cyber Security for Energy Delivery Systems NSTB What’s an ICP ? And why is it Useful for Utilities ? Dave Teumim, CISSP Teumim Technical, LLC

Cyber Security for Energy Delivery Systems NSTB Interoperable Configuration Profile ICP =

Cyber Security for Energy Delivery Systems NSTB Designing a Substation Security Gateway (Vendor’s Point of View) Operating System Communications Software (IPsec, SSH VPN’s)

Cyber Security for Energy Delivery Systems NSTB Vendor’s Choices Open Source ? Proprietary OS Proprietary Comm Stack Linux OPEN SOURCE Strongswan or Proprietary ???

Cyber Security for Energy Delivery Systems NSTB Open Source Consistently Uses IETF RFC’s (Request for Comments) Open Source IPsec RFC2401/4301 RFC3602 RFC 4308 etc. Open Source SSH RFC4250 RFC4251 RFC4252 RFC4253 etc

Cyber Security for Energy Delivery Systems NSTB Vendors Make Independent Choices ESP or AH ? Tunnel Mode or Transport Mode ? Use HMAC ? IKE Version # Diffie-Hellman Group # Key Life Settings ? Encryption Algorithms ? Hash Algorithms ? IPsec Choices, Reproduced from the book IPsec Virtual Public Network Fundamentals. Copyright [2006], Cisco Systems, Inc.

Cyber Security for Energy Delivery Systems NSTB Sample Utility Architecture Syslog server Maintenance Access (SSH) IPSEC and SSH CONNECTIONS Engineering Access (SSH) Control Room Backup Control Room SEL n-Dimension Cisco Garrettcom Encore Ruggedcom

Cyber Security for Energy Delivery Systems NSTB

Cyber Security for Energy Delivery Systems NSTB ICP’s Specify the Many Details Below the Internet Protocol/RFC Level IPSEC INTERNET PROTOCOL LEVEL RFC Lemnos ICP (Interoperable Configuration Profile) for IPsec = Parameter Level NO COMPETING DOCUMENT(S) ! Interoperability Work Done informally by Utilities Technicians and Engineers

Cyber Security for Energy Delivery Systems NSTB Basic configuration decisions included: Using ESP (Encapsulating Security Payload) Using TUNNEL mode Using HMAC for authentication and integrity Using IKE Version 1 (moving to IKE Version 2 in future) Using DH-5 (Diffie-Hellman Group 5) The specific configuration parameters for configuration the IPSec VPN tunnel are as follows: ike_life: 28,800s;(28,800 seconds life for key until exchange) ipsec_life: 3600s;( time till key re-negotiation) rekey_margin: 540s;(default value ?) rekey_fuzz: 100%;(default value ?) keyingtries: 3;(renegotiate keys 3 times) dpd_action: restart;(dead peer detection action) dpd_delay: 60s; (dead peer detection time “hello” interval in seconds) dpd_timeout: 150s;(dead peer detection time timeout interval in seconds) policy: PSK+ENCRYPT+TUNNEL+PFS+UP; Use PFS (perfect forward secrecy ); for enhanced key exchange security (Use DH5 with PFS)The following is the Required, Recommended, and Deprecated list of Cryptographic Algorithms from the reference software configuration File 000 List of registered IKE 1 Encryption Algorithms: –000 #7 OAKLEY_AES_CBC, blocksize: 128, keylen: 128(Required) –000 OAKLEY_AES_CBC,blocksize:128, keylen: 192 or 256 (Recommended) 000 List of registered IKE Hash Algorithms: –000 #1 OAKLEY_MD5, hashsize: 128 (Required) –000 OAKLEY_SHA1, hashsize 128 (Required) –000 #4 OAKLEY_SHA2_256, hashsize: 256 (Recommended ) All vendors agree to use one set of values in the ICP

Cyber Security for Energy Delivery Systems NSTB

Cyber Security for Energy Delivery Systems NSTB Lemnos Builds Interoperability Function by Function, Protocol by Protocol IPSEC SSH LDAP SYSLOG

Cyber Security for Energy Delivery Systems NSTB Scope for SSH ICP (DRAFT) Scope: For the SSH interoperability testing, a test network was created in a laboratory environment to examine the ICP. Sandia National Laboratory (SNL) created a “reference” server on the network with the SSH daemon configured according to the ICP specifications. The reference server is used to form the baseline configuration and to test client interaction with the daemon process. The participating vendors then configure the SSH daemon on their platform in accordance with the ICP. The SSH ICP is designed to allow engineering access to remote locations in a secure, compliant, and vendor-neutral manner. This is accomplished by implementing the ICP on the remote daemon (server service) in a standardized and tested configuration allowing utilities to choose from multiple vendors as they implement smart grid technologies. Previously, a utility operator needing to interact with substation equipment remotely was forced to use insecure protocols such as telnet, FTP, or an insecure proprietary protocol. Figure 2 displays an example utility implementation utilizing the SSH ICP. A control center operator is able to securely connect to a remote vendor device, presumably in a substation, via SSH

Cyber Security for Energy Delivery Systems NSTB ICP Work on Standardized Syslog Wording EVENT TYPE TAG NAMENERC CIP LOG MESSAGE FOR THIS TYPE OF EVENT LDAP Connection LDAPConfigCIP011 R14 LDAP failed connection to at Firewall Rule Change FirewallCIP005 R1, R2 CIP007 R2 Firewall general rules were modified by at SyslogSyslogConfigCIP005 R3 Syslog destination created by at VPNIPSecMgmtCIP005 R1 CIP011 R19 IPSec connection - generated by at VPNIPSecMgmtCIP011 R19 IPSec connection - removed by at User AccountsUserManageme nt CIP011 R10 Password changed at User AccountsLoginCIP007 R6 Invalid login attempt from User AccountsLoginCIP007 R5, R6 Login successful by at Syslog ManySyslog destination deleted by at

Cyber Security for Energy Delivery Systems NSTB Industry Outreach via UCA OpenSG Users Group SG Security Working Group Cybersec-Interop Task Force

Cyber Security for Energy Delivery Systems NSTB Cybersec-Interop Task Force Background Task force created in May 2010 Allows wider review and feedback for ICP’s Lemnos ICP’s will become OpenSG documents Task Force Leadership Chair – Dave Teumim, Teumim Technical, LLC Vice-Chair – John Stewart, TVA Secretary – Joe McCormick, Boeing Energy

Cyber Security for Energy Delivery Systems NSTB Importance of ICP’s – TVA View

Cyber Security for Energy Delivery Systems NSTB Discussion

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.