RuggedCom Solutions for NERC CIP Compliance

Rev 20080401

Copyright RuggedCom Inc.
www.RuggedCom.com    4 April 2008
RuggedCom Solutions

Hardware
• Ethernet Switches
• Routers
• Serial Server
• Media Converters
• Wireless

Software
• Embedded Software
• Application Software
• Network Management Software
• NERC-CIP Cyber Security Solution

Services
• Professional Services
• Training
• Support

Most Complete Line of Rugged Communications Devices

Architecture Example

The RuggedRouter™ RX1000/1100

“Industrially Hardened Cyber Security Appliance”

• Integrated Router/Firewall/VPN
• Rugged Operating System on Linux (ROX™)
• Wide Operating Temperature Range: -40 to +85C (no fans)
• High Immunity to EMI: Meets or exceeds IEC 61850-3, IEEE 1613, NEMA TS-2 and more ...
• Integrated Power Supplies: Low and high voltage ranges with true (N+1) redundancy option
• RuggedRated™ for Harsh Environments
• Modular: Various Types and Configuration of Interface Ports
• 5 Year Warranty

RX1000 / RX1100 Key Router Features

Security Appliance Functions
• Integrated Router/Firewall/VPN
• Stateful Firewall with NAT
• Full IPSec Virtual Private Networking
• VPN with 3DES, DES, AES
• IDS
• Security Gateway (Gauntlet)

Protocols
• WAN: Frame Relay, PPP, PAP, CHAP Authentication, PPPoE
• IP: Routing, RIP/RIPII, OSPF, DHCP Agent
• Traffic shaping and policing

Management Tools
• Web Based GUI, SSH, CLI (command line interface)
• SNMP v2/v3
• Remote Syslog
• Rich set of diagnostics with logging and alarming

Product Basket - 19” Rack Mount Switches

Product Basket - Din-rail and Small Form Factor Ethernet Switches

Product Basket - Serial Servers

Rugged Operating System™ (ROS™)

• Zero Collisions: IEEE 802.3x Full Duplex Operation
• Priority Queuing: IEEE 802.1p for high priority real-time control
• VLAN: IEEE 802.1q for isolating real-time traffic
• Enhanced IEEE 802.1D 2004 Rapid Spanning Tree for fast fault recovery
• IGMP Snooping for multicast filtering and management
• Cyber Security: Multi-level passwords, SSH/SSL encryption, enable/disable ports, 802.1x port security, Radius
• Network management: including SNMPv3, RMON, Port Mirroring
• Rich set of diagnostic tools
• Common firmware across all managed switches
• ROX – ROS on Linux with all the security features of Linux.

ROS and ROX Designed for Real-Time Control and Mission Critical Applications

Switch Security Features

• Multilevel User Passwords
  – Secures switch against unauthorized configuration

• SSH / SSL Encryption
  – Encryption of passwords and data as they cross the network

• Enable / Disable ports
  – Disable ports so that traffic can not pass

• 802.1Q VLAN (Virtual Local Area Network)
  – Logically segregate traffic between predefined ports on switches

• MAC Based Port Security
  – Secure ports so only specific Devices/MAC addresses can communicate via that port

• 802.1x Port Based Network Access Control
  – Lock ports to allow only authorized clients to communicate via the port

• Radius
  – Centralized password management

• SNMPv3
  – Encrypted authentication and access security

RuggedCom Integrated Solutions

Our Partners

• Teltone Gauntlet
  – Security Gateway Functionality
  – Dynamically Builds Firewall rules for user access
  – Controls access to devices within security perimeter
  – NERC CIP event logging

• Industrial Defender
  – IDS Management Console (SEM)
  – IDS Signature Management
  – Intrusion Event Logging
  – Network Health Monitoring
  – Auditing

RuggedCom, Teltone, Industrial Defender – A single solution with a single point of contact for sales, implementation and support

RuggedCom Gauntlet

Virtual Polling Controller
• Software component

Command and Control Center
• Software component
• Secure user access to substation devices
• Tools for administration of user credentials, Gateway port security, and Router security

Gauntlet Gateway
• Hardware component
• Line sharing switch with security enhancements

RuggedRouter™ RX1100
• Hardware component
• IP router with Firewall and Authentication capability

Industrial Defender with RX1100

The RuggedCom - Industrial Defender - Gauntlet Solution

NERC-CIP Compliance

NERC CIP Category / Standard # / Feature

User Access and Passwords
Standard #: CIP-004-1: R4, 4.1, 4.2; CIP-005-1: R2.1, R2.4; CIP-007-1: R5, 5.1, 5.2, 5.3
• Individual user accounts and passwords
• Required strong passwords, one-time use passwords, expiring passwords, etc.
• Digital security packages
• Strong Two-factor authentication

Access Control Management
Standard #: CIP-003-1: R5, 5.1, 5.1.1; CIP-005-1: R2.1, R2.4
• Centralized administration
• Individual administration accounts and passwords
• Comprehensive reports: lists of users, assets, access points, etc.

Electronic Security Perimeter
Standard #: CIP-005-1: R1, 1.1 – 1.6; R2, 2.1 – 2.6; R3, 3.1 – 3.2; CIP-007-1: R2, 2.1 – 2.2
• Secure Access Points (Gauntlet Gateway and RX1100)
• Access denied by default
• Technical Control Methods (2-factor authentication, etc.)
• Electronic access monitoring and logging
• Appropriate use banners

Network / Routing Security
Standard #: CIP-005-1: R2, 2.1, 2.2, 2.4; CIP-007-1: R2, 2.1 – 2.3
• Enable/Disable Ethernet Ports / Services
• Firewall / VPN
• IP Access Control
• 802.1x Port Security / 802.1Q VLAN
• Intrusion Detection System

Dial-up Security
Standard #: CIP-005-1: R1.2, R2.3, R3.1
• Secure dial-up modem access control, monitoring and logging

Logs, Reports and Audit Resources
Standard #: CIP-003-1: R5, 5.1, 5.1.1, R6; CIP-004-1: R4, 4.1; CIP-005-1: R1, 1.6, R2, 2.5, R3, R5; CIP-007-1: R3.1, R5.1.2, R6, R9; CIP-008-1: R2
• Comprehensive reports
• Searchable database
• Detailed access logs with user, port and connection information
• User, Administrator and Asset and Access Point lists
• NERC CIP Auto Audit report
• Cyber incident reports

Employee termination / User rights revocation
Standard #: CIP-004: R4, 4.1, 4.2
• Account / security credential expiration
• Administrator initiated user rights revocation
• Suspended user accounts

Alerts and Notifications
Standard #: CIP-005: R3.2; CIP-007: R6.2
• Configurable system alert email messages
• Unauthorized access attempt notification
• System lockout / system error notification

Security Patch Management
Standard #: CIP-007: R3, 3.1
• Published Security Patch scrubs
• Remote upgrades and auto-update

Malicious Software Prevention
Standard #: CIP-007-1: R4, 4.1 – 4.2
• Anti-virus software included on RX1100
• IDS system (future)

Securing the Substation LAN

Securing the Substation Network

• Enable / Disable ports – Disable unused ports on switches and Routers

Securing the Substation Network - VLAN (IEEE 802.1Q)

[Diagram: Substation Computer connected to a switch carrying two VLANs.
 VLAN 1: IED 1, IED 2, IED 3, IED 4 – Real-time Control IEDs (e.g. Relays, RTUs)
 VLAN 2: IED 5, IED 6, IED 7, IED 8 – Data collection IEDs (e.g. Meters, DFR)]

VLANs allow segregation of IEDs based on security and real-time traffic requirements.

Securing the Substation Network

• Port based security – The ability to secure ports on a switch so only specific Devices / MAC addresses can communicate via that port. This locks the port on the switch to a specific IED.
  Note: It is easy to spoof MAC addresses with a typical PC. In order to effectively use this capability a network monitoring solution should be used to monitor for port status changes.

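The note above says MAC-based port security is only effective when something watches for port status changes, because a spoofed MAC address passes the lock. The following is an added example (not RuggedCom code, and the syslog line format, hostnames, port numbers and MAC addresses are constructed for illustration rather than taken from ROS) showing the detection logic such a monitor would apply: a link-down/link-up cycle on a port locked to one IED is raised as a possible device swap even when the MAC the switch then learns matches the inventory, and port-security violations or an operator disabling port security are raised as well.

```python
"""Monitor switch syslog for port-state changes on MAC-locked ports.

Added example: the log format below is constructed for illustration and is
not the RuggedCom ROS syslog format. Hostnames, ports and MACs are sample values.
"""
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real device output).
SAMPLE_LOG = """\
2008-04-04T10:00:01 sw-sub-1 link: port 3 link down
2008-04-04T10:00:09 sw-sub-1 link: port 3 link up
2008-04-04T10:00:10 sw-sub-1 portsec: port 3 learned MAC 00:0a:dc:00:00:03
2008-04-04T10:05:00 sw-sub-1 portsec: port 7 blocked MAC 00:11:22:33:44:55
2008-04-04T12:00:00 sw-sub-1 config: port 9 port security disabled by admin
2008-04-04T12:30:00 sw-sub-1 link: port 12 link up
"""

# Ports locked to a single IED MAC address (constructed inventory).
LOCKED_PORTS = {3: "00:0a:dc:00:00:03", 7: "00:0a:dc:00:00:07"}

# A link down followed by a link up on a locked port within this window is
# treated as a possible device swap, even if the learned MAC matches inventory:
# a PC spoofing the IED's MAC would look identical to the switch.
FLAP_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): port (?P<port>\d+) (?P<msg>.+)$"
)


def parse_line(line):
    """Parse one constructed syslog line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["port"] = int(event["port"])
    return event


def analyse(log_text, locked_ports=LOCKED_PORTS, flap_window=FLAP_WINDOW):
    """Return a list of (alert_type, port, detail) tuples derived from the log."""
    alerts = []
    last_down = {}  # port -> timestamp of the most recent link-down event
    for event in filter(None, map(parse_line, log_text.splitlines())):
        port, msg, fac = event["port"], event["msg"], event["facility"]
        locked = port in locked_ports
        if fac == "link" and msg == "link down":
            last_down[port] = event["ts"]
            if locked:
                alerts.append(("LINK_DOWN", port, "locked IED port lost link"))
        elif fac == "link" and msg == "link up":
            if locked and port in last_down and event["ts"] - last_down[port] <= flap_window:
                alerts.append(("POSSIBLE_DEVICE_SWAP", port,
                               "link cycled on locked port; verify the attached device"))
            elif not locked:
                alerts.append(("UNLOCKED_PORT_UP", port, "link came up on a port with no MAC lock"))
            last_down.pop(port, None)
        elif fac == "portsec":
            mac = msg.split()[-1]
            if msg.startswith("blocked MAC"):
                alerts.append(("UNAUTHORIZED_MAC", port, mac))
            elif msg.startswith("learned MAC") and locked and mac != locked_ports[port]:
                alerts.append(("UNEXPECTED_MAC", port, mac))
        elif fac == "config" and "security disabled" in msg:
            alerts.append(("PORTSEC_DISABLED", port, msg))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

The point of the correlation rule is that port 3 produces a device-swap alert even though the MAC learned after the link came back is the expected one; the link transition, not the MAC check, is the signal the note above is relying on. Port 12 shows the complementary case: a link on a port with no lock at all is also worth an alert, since the deck recommends disabling unused ports.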
Securing the Substation Network

• 802.1x – With 802.1x, ports can be secured such that user credentials from the client device would need to be validated prior to network access. It is necessary to have a backend authentication server to store these credentials. With this capability it would not be necessary to disable unused ports.

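The last four slides together describe a port policy for a substation switch: disable unused ports, keep real-time control IEDs and data-collection IEDs in separate VLANs, lock IED ports to a MAC address, and use 802.1x (with a backend authentication server) where ports must stay enabled. As an added example, not RuggedCom code and not the ROS configuration format, the block below models a port table with constructed values, audits it against those recommendations, and applies the one automatic fix the deck supports (disabling unused ports that are not guarded by 802.1x). The field names, the finding codes and the sample RADIUS hostname are assumptions made for the example.

```python
"""Audit a substation switch port table against the hardening points above.

Added example: the Port/SwitchConfig model, finding codes and sample values are
constructed for illustration and are not a RuggedCom ROS configuration.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class Port:
    number: int
    enabled: bool
    vlan: int
    device: Optional[str] = None    # attached IED name; None means the port is unused
    role: Optional[str] = None      # "control" (relays, RTUs) or "data" (meters, DFR)
    dot1x: bool = False             # 802.1x port based network access control
    mac_lock: Optional[str] = None  # MAC address the port is locked to, if any


@dataclass
class SwitchConfig:
    ports: List[Port]
    radius_server: Optional[str] = None  # backend authentication server for 802.1x


def build_sample_config():
    """Constructed 12-port switch mirroring the VLAN diagram: VLAN 1 control, VLAN 2 data."""
    ports = [
        Port(1, True, 1, "relay-1", "control", mac_lock="00:0a:dc:00:00:01"),
        Port(2, True, 1, "relay-2", "control"),                            # no lock, no 802.1x
        Port(3, True, 1, "rtu-1", "control", mac_lock="00:0a:dc:00:00:03"),
        Port(4, True, 1, "rtu-2", "control", mac_lock="00:0a:dc:00:00:04"),
        Port(5, True, 2, "meter-1", "data", mac_lock="00:0a:dc:00:00:05"),
        Port(6, True, 2, "meter-2", "data", mac_lock="00:0a:dc:00:00:06"),
        Port(7, True, 2, "dfr-1", "data", mac_lock="00:0a:dc:00:00:07"),
        Port(8, True, 1, "meter-3", "data", mac_lock="00:0a:dc:00:00:08"),  # data IED on control VLAN
        Port(9, True, 1),                        # unused but left enabled
        Port(10, True, 1, dot1x=True),           # unused, but guarded by 802.1x
        Port(11, False, 1),                      # unused and disabled
        Port(12, True, 1, "substation-pc", dot1x=True),
    ]
    return SwitchConfig(ports, radius_server="radius.example.invalid")  # assumed hostname


def audit(cfg):
    """Return (finding_code, port_or_vlan) tuples for every violated recommendation."""
    findings = []
    roles_by_vlan = {}
    for p in cfg.ports:
        # Unused ports are disabled, unless 802.1x makes that unnecessary.
        if p.device is None and p.enabled and not p.dot1x:
            findings.append(("UNUSED_PORT_ENABLED", p.number))
        # A port with a device on it is either MAC-locked or 802.1x controlled.
        if p.device is not None and p.enabled and not (p.dot1x or p.mac_lock):
            findings.append(("UNPROTECTED_DEVICE_PORT", p.number))
        # 802.1x needs a backend authentication server holding the credentials.
        if p.dot1x and cfg.radius_server is None:
            findings.append(("DOT1X_WITHOUT_RADIUS", p.number))
        if p.role is not None:
            roles_by_vlan.setdefault(p.vlan, set()).add(p.role)
    # Real-time control IEDs and data-collection IEDs do not share a VLAN.
    for vlan, roles in sorted(roles_by_vlan.items()):
        if len(roles) > 1:
            findings.append(("MIXED_VLAN", vlan))
    return findings


def harden(cfg):
    """Return a copy in which every unused port lacking 802.1x is administratively disabled."""
    new_ports = [
        replace(p, enabled=False) if p.device is None and not p.dot1x else p
        for p in cfg.ports
    ]
    return replace(cfg, ports=new_ports)


if __name__ == "__main__":
    cfg = build_sample_config()
    print("before:", audit(cfg))
    print("after: ", audit(harden(cfg)))
```

Only the unused-port finding is auto-fixed: moving meter-3 to VLAN 2 or locking relay-2's port changes what traffic reaches a protection device, which is a decision for the substation engineer rather than a script.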
Thank You!
