© Nokia 2016
Guarantee Fiber Integrity, the foundation for a secure network
Bart Vrancken | [email protected]
May 2017
© 2017 Nokia 2
Foundation of Smart Grids
The Nokia Utility Blueprint
Slide diagram, three pillars: Bring the power of mission-critical WAN; Enable distributed grid intelligence; Embrace IoT. Supporting labels: Nokia technology leadership and expertise; Distribution automation and renewables integration; Readiness for technology evolution; WDM, IP/MPLS, LTE; Responsive, green grid; Prepared for the future, today.
Confidential
Main requirements for Energy Segment operators
Energy and resources:
• Power utilities
• Oil, gas & mining
• Smart grid
• Monitoring & automation
Use case - How to manage unstable fiber network
Project triggers:
• Many fiber cuts
• Unexpected power loss at some links
• Fiber theft (assuming it was copper)
• Roadworks damaging fiber ducts
1830 PSS - Fiber Monitoring solution
Fault isolation: our solution can quickly identify fiber cut or intrusion locations. If you are taking hours or days to isolate fiber issues, it is time to upgrade.
Monitor when and where network security is compromised
Guarantee Optical Infrastructure Integrity
Slide diagram: Optical Intrusion Detection and Optical Time Domain Reflectometry, with the threats shown: fiber tapping, road works.
Optical Intrusion Detection
• Monitors each wavelength for changes in optical span loss
• Alarms when loss passes preset threshold, indicating fiber tap or degradation
• Localizes fiber anomalies within a few meters
• Fiber cut and intrusion detection
• In-service loss distribution trending
Optical Time Domain Reflectometry
Slide charts: (1) Optical Intrusion Detection: attenuation [dB] over time, with the expected-variation band, the point where the alarm is raised and the point where it is cleared; (2) OTDR trace: return signal level [dB] versus distance, with the events marked: intrusion, patch panel, terminating connector.
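The two monitoring functions on this slide, as an added Python example (not Nokia 1830 PSS code): a span-loss monitor that raises and clears an alarm with hysteresis around an expected band, and an OTDR-style localisation step that converts a round-trip time in a backscatter trace into a distance along the fibre and reports the first sudden drop. The baseline, threshold, fibre group index and both sample traces are constructed assumptions.

```python
"""Added example (not Nokia code): a minimal model of Optical Intrusion
Detection and OTDR fault localisation.

1. OID: watch the span loss of a wavelength over time, raise an alarm when
   the loss exceeds the expected band by a preset threshold, and clear it
   once the loss returns to normal (with hysteresis to avoid flapping).
2. OTDR: turn a backscatter trace (round-trip time, return level) into a
   distance and find the first sudden drop, the likely tap, bad splice or cut.

The baseline, threshold, group index and sample traces are constructed
assumptions for this example."""

C_VACUUM_M_PER_S = 299_792_458.0
GROUP_INDEX = 1.468   # assumed group index of standard single-mode fibre


def span_loss_alarms(samples_db, baseline_db, threshold_db, clear_margin_db=0.1):
    """Return (sample_index, event) tuples for a series of span-loss readings.

    An alarm is raised when loss > baseline + threshold and cleared only
    after it falls below baseline + threshold - clear_margin, so readings
    that hover around the threshold do not toggle the alarm on every sample.
    """
    raise_at = baseline_db + threshold_db
    clear_at = raise_at - clear_margin_db
    events, alarmed = [], False
    for i, loss in enumerate(samples_db):
        if not alarmed and loss > raise_at:
            events.append((i, "ALARM_RAISED"))
            alarmed = True
        elif alarmed and loss < clear_at:
            events.append((i, "ALARM_CLEARED"))
            alarmed = False
    return events


def otdr_distance_m(round_trip_s, group_index=GROUP_INDEX):
    """One-way distance along the fibre for a given round-trip time:
    the pulse travels there and back at c / group_index."""
    return round_trip_s * C_VACUUM_M_PER_S / (2.0 * group_index)


def locate_loss_event(trace, min_step_db):
    """trace: list of (round_trip_time_s, return_level_db) samples.
    Return the distance (m) of the first sample whose level drops by at
    least min_step_db relative to the previous one, or None if the trace
    only shows the gradual loss of an intact fibre."""
    for (_, prev_level), (t, level) in zip(trace, trace[1:]):
        if prev_level - level >= min_step_db:
            return otdr_distance_m(t)
    return None


def constructed_trace(length_m, event_m, step_db, loss_db_per_km=0.2, step_m=100):
    """Constructed backscatter trace: the linear fibre loss plus one extra
    step of step_db at event_m (a simulated tap or damaged section)."""
    trace = []
    for d in range(0, length_m + 1, step_m):
        level = -loss_db_per_km * d / 1000.0
        if d >= event_m:
            level -= step_db
        round_trip = 2.0 * d * GROUP_INDEX / C_VACUUM_M_PER_S
        trace.append((round_trip, level))
    return trace


# Constructed readings: 3.0 dB expected span loss, a 0.8 dB excursion, recovery.
SPAN_LOSS_SAMPLES = [3.0, 3.05, 2.98, 3.2, 3.7, 3.8, 3.75, 3.1, 3.0]

if __name__ == "__main__":
    for idx, event in span_loss_alarms(SPAN_LOSS_SAMPLES, baseline_db=3.0, threshold_db=0.5):
        print(f"sample {idx}: {event}")
    trace = constructed_trace(length_m=19_000, event_m=9_500, step_db=0.5)
    print("loss event located at", locate_loss_event(trace, min_step_db=0.3), "m")
```

The hysteresis margin is what keeps a reading that sits just around the threshold from generating a stream of raise/clear events; the slide's "expected variation" band plays the same role. The localisation step only needs the step size a tap or splice introduces to be larger than the normal loss between two adjacent trace samples.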
Use case – recent TSO/DSO
Fiber monitoring demo and PoC
• Mission Critical Flying Bench shipped to site
• Connected to TSO and DSO own fiber network
  – TSO – 19 km link (2 x 9.5 km)
  – DSO – 4 km link (2 x 2 km)
• Test list included:
  – optical intrusion detection (OID)
  – fault localization with Optical Time Domain Reflectometry (OTDR)
  – L1 optical encryption
The test set-up
Slide diagram: Substation 1 connected to Substation 2 (screenshot not reproduced)
TSO – OTDR trace (screenshot not reproduced)
DSO – OTDR trace – zoom-in (screenshot not reproduced)
DSO – OTDR trace – zoom-in (second screenshot, not reproduced)
Going one step further
Fiber sensing example for utilities
• Pro-actively detect interference
  – Intentional: e.g. people/cars near the powerlines, fiber tapping, (copper) cable theft, illegal access to sites
  – Unintentional: e.g. construction, works close to these assets, falling trees, animals…
• Protect investment
  – Many of those assets (e.g. substations) are in remote, unsupervised locations
  – Damage will traditionally be detected only when service is already down/affected
• Lower Opex and less revenue loss
  – Proactively react on threats
  – Repair before service is affected
Security in mission-critical networks
Slide overview:
Services layer, secure IP/MPLS networks: Network Group Encryption; Management security; Firewall
Infrastructure layer, secure optical transport: Optical infrastructure security; Layer 1 transport encryption; Centralized key management
Independent certifications; Availability
Optical – Layer 1 encryption:
Minimum additional latency and no useful payload reduction
• Latency: ultra low
• Bandwidth: very high
• Protocol agnostic: yes
• Cost / encrypted bit: low
• Encryption key strength: quantum-safe
Layer 1 encryption: Minimum additional latency and no useful payload reduction

                   Typical latency   Encryption overhead   Average wasted bandwidth
IPSec (Layer 3)    100 msec          76 byte               18.1 %
MACsec (Layer 2)   5 msec            32 byte               7.6 %
OTN (Layer 1)      <0.1 msec         0 byte                0 % (no bandwidth waste at any packet size)

Assumption: typical distribution of 10,000 packets: 6,060 x 64 byte, 2,273 x 576 byte, 1,667 x 1,500 byte -> average packet size: 420 byte.
Slide figure (bandwidth): a 1,500 byte frame composed of Eth. Hdr., IP Hdr. and Payload.
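How the "average wasted bandwidth" column is derived, as an added Python example (not from the slide): the figure is the fixed per-packet encryption overhead divided by the average packet size of the assumed 10,000-packet mix. The slide's overheads and packet mix are reused; the second, small-packet mix is a constructed assumption that shows the same overheads weighing far more on telemetry-style traffic.

```python
"""Added example (not from the slide): recompute the 'average wasted
bandwidth' column from the slide's packet-size distribution and compare
it with a constructed small-packet mix.

Wasted bandwidth is taken, as on the slide, as the fixed per-packet
encryption overhead divided by the average packet size of the mix
(76 byte / 420 byte = 18.1 % for IPsec)."""

# Slide assumption: 10,000 packets, packet size (bytes) -> number of packets
SLIDE_MIX = {64: 6060, 576: 2273, 1500: 1667}

# Per-packet encryption overhead from the slide
OVERHEAD_BYTES = {
    "IPSec (Layer 3)": 76,
    "MACsec (Layer 2)": 32,
    "OTN (Layer 1)": 0,
}

# Constructed assumption: a telemetry-heavy mix dominated by small packets
SMALL_PACKET_MIX = {64: 9000, 576: 800, 1500: 200}


def average_packet_size(mix):
    """Mean packet size (bytes) of a {size: count} distribution."""
    total_bytes = sum(size * count for size, count in mix.items())
    total_packets = sum(mix.values())
    return total_bytes / total_packets


def wasted_bandwidth_pct(mix, overhead_bytes):
    """Encryption overhead as a percentage of the average packet size."""
    return 100.0 * overhead_bytes / average_packet_size(mix)


def overhead_table(mix):
    """Wasted-bandwidth percentage per technology, rounded to one decimal."""
    return {name: round(wasted_bandwidth_pct(mix, ob), 1)
            for name, ob in OVERHEAD_BYTES.items()}


if __name__ == "__main__":
    for label, mix in (("slide mix", SLIDE_MIX), ("small-packet mix", SMALL_PACKET_MIX)):
        print(f"{label}: average packet size {average_packet_size(mix):.0f} byte")
        for name, pct in overhead_table(mix).items():
            print(f"  {name:18s} {pct:5.1f} % wasted")
```

The second mix is the point of the exercise: with most packets at 64 bytes, the IPsec and MACsec overheads exceed half and a fifth of the traffic respectively, while the Layer 1 figure stays at zero regardless of the mix.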
Layer 1 encryption is OTN-based:
Protocol agnostic, low cost/bit
Virtually any known traffic type can be encrypted and transported: OC-192, STM-64, 10 Gbit Ethernet, Video, OC-48, STM-16, 1 Gbit Ethernet.
Slide diagram: client signals mapped into ODU1 and ODU2 containers and multiplexed into an ODU4.
AES-256 bulk encryption: a substitution-permutation operation converts the input plaintext into ciphertext.
Slide diagram: the 4x4 byte state matrix of one block (a0 c0 d0 b0 / a1 c1 d1 b1 / a2 c2 d2 b2 / a3 c3 d3 b3) is transformed into ciphertext bytes (shown as 5f df 1e f1 / 30 e0 bf 98 / bf a4 e4 c6 / 2b c7 4b e3) and carried in the ODU2.
• No need for separate appliances
• Lowest cost per encrypted bit
Symmetric vs. asymmetric encryption
Symmetric encryption (shared key for encryption/decryption; sender and receiver use the same key)
• AES symmetric keys are quantum-safe
• Faster and more cost-effective
• AES-256 (256 bits)
Asymmetric encryption (sender encrypts with the receiver's public key; the receiver decrypts with its private key)
• Compromise security
• Computationally intensive
• RSA-2048 (112 bits)

Equivalent key sizes:
Symmetric key size (bits)   Asymmetric key size (bits)
80                          1,024
112                         2,048
128                         3,072
192                         7,680
256                         15,360
Centralized vs. distributed key management
Centralized key management (central key authority; secure key transfer to sender and receiver)
• Off-boarding of encryption/decryption frees host CPU resources
• Well suited for large data transfers requiring encryption/decryption
Distributed key management (central certificate authority and public keys; the receiver decrypts with its own private key; local key mgmt. -> high CPU load)
• Vulnerable architecture
• Not well suited for large data transfers requiring encryption/decryption
Nokia uses quantum-proof symmetric encryption key management
Optical Infrastructure Security
Monitor when and where network security is compromised: Optical Intrusion Detection and Optical Time Domain Reflectometry, as described on the fiber monitoring slides above.
Optical transport availability
Secure networks must be highly reliable and available
Best practices, automatic restoration and monitoring:
• L2 QoS
• Security logs & audits
• Fault isolation
• Design for reliability
• Redundant equipment
• Trusted supply chain
• Physical path diversity
• 3rd party certifications
• Optical path diagnostics
• Uniform management platforms
• Photonic restoration
• 1+1; 1:n; G.8032 ring
• Equipment fail-over
Optical portfolio security certification
Independent, vendor-neutral proof
• Attained process and manufacturing milestones
• Satisfied a rigorous set of standards
• Ensures high quality cryptographic key generation
Certifications:
• Globally recognized certification body: EAL-1, 2 or 3+
• French security agency: extended encryption specs; QS level
• U.S. standards body: FIPS 140-2; Level 2 or 3
Mission-critical networks have to support and secure a diverse range of traffic
Applications: protection relays; P25/LMR; SCADA RTU/Op. voice; LAN/router; GOOSE/SV, IED; CCTV, LTE
Interfaces: DS1/E1; V.24/4-wire; C37.94/G.703; IP; Ethernet
Traffic categories: Non-IP TDM/Ethernet; IP
Connectivity patterns:
• Point-to-point (e.g. SCADA, teleprotection, GOOSE/SV, LAN)
• MP2MP* (e.g. voice, video, GOOSE, routers)
• Network control (e.g. BGP, OSPF, ISIS, RSVP-TE, LLDP, IEEE1588)
*MP2MP: Multipoint-to-multipoint
Network Group Encryption (NGE)
Optimized for mission-critical networks
Today's encryption solutions have shortcomings (slide table comparing point-to-point, group-based and Ethernet-based encryption for point-to-point, MP2MP, network control and non-IP TDM/Ethernet traffic; the tick marks did not survive extraction):
• Point-to-point encryption: ill-suited for large scale meshed connectivity
• Group-based encryption: key server becomes single point of failure
• Ethernet-based encryption: data decryption/re-encryption at every IP hop -> snooping
• Network control traffic is "exposed" and non-IP TDM/Ethernet traffic is "not welcome" in two of the three approaches
Nokia introduces secure Network Group Encryption
Slide diagram: key server (Network Services Platform) and security gateway handling point-to-point, multi-to-multipoint and network control traffic.
Network Group Encryption
The ideal encryption solution for mission-critical networks
• Encryption management by the Network Services Platform (network & service management)
• Encrypted MPLS services and control: point-to-point, MP2MP, network control
• Service Router portfolio for NGE based service encryption
• Key groups enabling secure services & network partitioning
• All services / traffic types welcome (non-IP TDM/Ethernet and IP)
Network Group Encryption
Key groups enable hierarchical encryption and secure network partitioning
Slide diagram: control key group (central locations NOC #1 and NOC #2); transmission key group; distribution key group; DA/FAN key groups. Nodes shown: SAR-8, SAR-18, 7705 SAR-H, SAR-Hc.
• Less physically secure distribution automation (DA) or field area network (FAN) nodes do not contain keys to more critical components
• Key group partitions ensure only associated services are accessible
• Fully managed by NSP
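Key-group partitioning as an added Python model (not Nokia NGE code and not its cipher suite): every node carries only the keys of the key groups it belongs to, each packet is protected under its group's key, and a node without that key can neither read the packet nor alter it undetected, so a compromised field node exposes only the groups on its own key ring. The SHA-256 keystream and HMAC used here are a constructed stand-in for illustration, and the node names, group names and keys are constructed.

```python
"""Added example (not Nokia/NGE code): a toy model of key-group partitioning.

Each node holds keys only for the key groups its services belong to, each
packet is protected under its group key, and a node can only read packets
from groups in its own key ring. Compromising a field node therefore exposes
only that node's groups. The keystream cipher and HMAC below are a
constructed stand-in for illustration, not the algorithm NGE uses; node
names, group names and keys are constructed as well."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key, nonce, length):
    """Constructed keystream: SHA-256 of key|nonce|counter, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def protect(group_key, plaintext):
    """Encrypt-then-MAC under a key-group key; returns nonce | ciphertext | tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(group_key, nonce, len(plaintext))))
    tag = hmac.new(group_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(group_key, blob):
    """Verify the tag first; return the plaintext, or None on wrong key / tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(group_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(group_key, nonce, len(ct))))


class Node:
    """A router with a key ring: {key group name: group key}."""

    def __init__(self, name, key_ring):
        self.name = name
        self.key_ring = dict(key_ring)

    def send(self, group, payload):
        return (group, protect(self.key_ring[group], payload))

    def receive(self, packet):
        group, blob = packet
        key = self.key_ring.get(group)
        return None if key is None else unprotect(key, blob)


def exposed_groups(compromised_node):
    """Key groups an attacker learns by extracting one node's key ring."""
    return sorted(compromised_node.key_ring)


# Constructed keys: derived from the group name here only so the example is
# deterministic; a real deployment gets random keys from the key manager (NSP).
GROUP_KEYS = {g: hashlib.sha256(f"constructed-key-{g}".encode()).digest()
              for g in ("control", "transmission", "distribution", "da_fan")}

NOC = Node("NOC #1 core router", GROUP_KEYS)                           # holds every group
FIELD = Node("DA/FAN field router", {"da_fan": GROUP_KEYS["da_fan"]})  # field tier only

if __name__ == "__main__":
    pkt = NOC.send("transmission", b"teleprotection trip")
    print("NOC reads its own traffic:", NOC.receive(pkt))
    print("field node reads transmission traffic:", FIELD.receive(pkt))
    print("groups exposed by a compromised field node:", exposed_groups(FIELD))
```

The field node can still send and receive DA/FAN traffic that the central node reads, because the central key ring contains every group; the reverse does not hold, which is the partitioning property the slide describes.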
Network Group Encryption: seamless operation over IP/MPLS
Slide diagram: the Network Services Platform managing encrypted point-to-point, MP2MP and network control traffic over the IP/MPLS network.
Network Group Encryption: maximum security and availability
Slide diagram: two Network Services Platform instances (1 and 2) managing the same point-to-point, MP2MP and network control traffic.
Network Group Encryption: maximum deployment flexibility
Slide diagram: the Network Services Platform managing point-to-point, MP2MP and network control traffic alongside business L2/L3 VPN and 2G, 3G, LTE, Wi-Fi services.
Network Group Encryption
The ideal encryption solution for mission-critical networks
• Universal encryption (non-IP TDM/Ethernet and IP; point-to-point, MP2MP, network control; business L2/L3 VPN; 2G, 3G, LTE, Wi-Fi)
• Maximum deployment flexibility
• Seamless operation with maximum availability
Awards:
• 7705 Service Aggregation Router Network Group Encryption: award winner 2016
• North American Cyber Security Solutions for Utilities: new product innovation award 2015
• 7705 Service Aggregation Router Network Group Encryption: product of the year 2016
IP/MPLS – Firewall essentials
Deploy your network with security in mind
• Firewalls are difficult to manage -> centralized firewall policy management: ease of config., updates, audits; advanced logging
• Firewalls drag down performance -> hardware-based inspection: intelligent, integrated security; service aware; higher performance
IP/MPLS – Firewall example use cases
Secure the network with QoS-enabled firewall
• Blocking of unauthorized traffic: a compromised device sends rogue packets into the MPLS tunnel; the security policy blocks the unauthorized traffic.
• Flow-based rate-limiting: a disgruntled employee or botnet exploits firewall policy and floods the network; flow-based rate-limiting deters the flooding.
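Both use cases on this slide as an added Python example (not Nokia router firewall code): an allow-list policy blocks traffic that no rule authorises, and a per-flow token bucket caps the packet rate of flows the policy does allow, so a flood on an otherwise trusted flow is throttled instead of forwarded. Addresses, ports, rates and the packet stream are constructed.

```python
"""Added example (not Nokia code): a small model of the slide's two use cases.

1. Blocking of unauthorised traffic: an allow-list policy of (src, dst, port)
   tuples; everything else is dropped and counted.
2. Flow-based rate-limiting: a token bucket per allowed flow caps the packet
   rate, so a host that floods an otherwise legitimate flow is throttled.

Addresses, ports, rates and the packet stream are constructed."""
from collections import defaultdict

# Constructed policy: one authorised SCADA master -> RTU session
ALLOWED_FLOWS = {("10.1.1.10", "10.1.2.20", 20000)}


class TokenBucket:
    """Classic token bucket: rate_pps tokens per second, up to burst tokens."""

    def __init__(self, rate_pps, burst):
        self.rate_pps, self.burst = rate_pps, burst
        self.tokens, self.last_t = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last_t) * self.rate_pps)
        self.last_t = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Firewall:
    def __init__(self, policy, rate_pps, burst):
        self.policy = policy
        self.buckets = defaultdict(lambda: TokenBucket(rate_pps, burst))
        self.stats = {"forwarded": 0, "blocked_policy": 0, "dropped_rate": 0}

    def process(self, packet):
        """packet = (time_s, src_ip, dst_ip, dst_port); returns the verdict."""
        t, src, dst, port = packet
        flow = (src, dst, port)
        if flow not in self.policy:                 # use case 1: unauthorised traffic
            self.stats["blocked_policy"] += 1
            return "BLOCK_POLICY"
        if not self.buckets[flow].allow(t):         # use case 2: flooding
            self.stats["dropped_rate"] += 1
            return "DROP_RATE"
        self.stats["forwarded"] += 1
        return "FORWARD"


def constructed_stream():
    """Constructed packet stream: normal polling, rogue packets, then a flood."""
    pkts = []
    for i in range(20):                              # 10 pps SCADA polling for 2 s
        pkts.append((i * 0.1, "10.1.1.10", "10.1.2.20", 20000))
    for i in range(5):                               # compromised device, port not in policy
        pkts.append((2.0 + i * 0.1, "10.1.1.99", "10.1.2.20", 23))
    for i in range(500):                             # 500 packets in 0.5 s on the allowed flow
        pkts.append((3.0 + i * 0.001, "10.1.1.10", "10.1.2.20", 20000))
    return pkts


def run(stream, rate_pps=20, burst=20):
    """Run a stream through the firewall and return the verdict counters."""
    fw = Firewall(ALLOWED_FLOWS, rate_pps, burst)
    for packet in sorted(stream):
        fw.process(packet)
    return fw.stats


if __name__ == "__main__":
    print(run(constructed_stream()))
```

With a 20 pps rate and a 20-packet burst, the normal polling passes untouched, the five rogue packets are blocked by policy, and of the 500-packet flood only the burst plus the tokens refilled during the half second (roughly 30 packets) get through; the rest is dropped by the flow's bucket rather than by a blanket rule that would also hit the legitimate polling.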
IP/MPLS – Mitigating management security risk
• Work order requires approval: endpoints involved; email notification to supervisor for approval; stay in control, approve or reject
• Logging each user's action; archive for future analysis and audit; user action non-repudiation
• Limit visibility to the relevant network span (application, services and infrastructure layers); minimize security exposure
IP/MPLS availability
Secure networks must be highly reliable and available
Best practices, automatic restoration and monitoring:
• Fault detection with BFD
• Service performance measurement
• Security log and audit
• Rich path diversity
• Hardware redundancy
• Multi-fault tolerance
• High priority QoS
• Pseudowire redundancy
• Secondary LSP
• Fast re-route
• Non-stop routing / signaling
IP portfolio security certification
Independent, vendor-neutral proof
• Passed security evaluation
• Satisfy a rigorous set of standards
• Secure to deploy
Certifications:
• Globally recognized certification body: EAL-3+
• U.S. DoD Defense Information System Agency (DISA): test for IT and national security systems; risk-based test evaluation & certification
• U.S. standards body: FIPS 140-2