OTSDN – What is it? Does it help? (Dennis Gammel, Schweitzer Engineering Laboratories, Inc.)

SLIDE 1

Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security | cred-c.org

OTSDN – What is it? Does it help?

Dennis Gammel, Schweitzer Engineering Laboratories, Inc.

SLIDE 2

Important Aspects of Critical OT Networks

  • Determinism and low latency
  • Precise time
  • Fast fault detection, isolation, and recovery
  • Cybersecurity defense in layers
  • Monitoring, self-testing, and alarming
  • Maintainability, testing and diagnostics
  • High MTBF hardware

SLIDE 3

Message Delivery Performance Criteria Defined by International Standards

  • IED performance requirements: IEC 61850, IEC 60834, IEC 15802, IEEE 802.1
  • Latency specifications: IEC 61850, IEC 60834, IEC 15802, IEEE 802.1
  • Speed: IEC 61850

SLIDE 4

Message Delivery Quality Criteria Defined by International Standards

  • Dependability and security requirements: IEC 61850, IEC 60834
  • Availability requirements: IEC 61850, IEC 60834, IEEE 802.1
  • Reliability metrics: IEC 61850, IEEE 1613, IEC 60870

SLIDE 5

International Standards Dictate Protection Signal Exchange Acceptance Criteria

  • Signal < 3 ms, packet transit < 1 ms, 99.99% of the time
  • Signal < 18 ms, packet transit < 15 ms, 0.01% of the time
  • Zero dropped GOOSE messages per year, < 9 extra messages every 24 hours

SLIDE 6

Challenges With Traditional Ethernet Switching

  • Designed for plug and play
  • Conveniently does things “we don’t want”
  • Reactive failover
  • Topology-dependent performance
  • Difficult to achieve 100% test coverage

SLIDE 7

Network Healing Using IEC 62439-1 RSTA

Peer-to-peer RSTP informs RSTA

[Diagram labels: RSTA; switches S1, S2, S3, C1, C2 with numbered ports; IEDs]

SLIDE 8

Introducing SDN

  • Traditional Ethernet switch: individual control and data planes
  • Software-defined networking (SDN) Ethernet switch: centralized control plane, individual data plane

SLIDE 9

Introducing SDN and OpenFlow

[Diagram: application layer (configuration, programming, network visualization and OAM applications), control plane (network operating system) and data plane (simple packet-forwarding hardware), linked by OpenFlow]

SLIDE 10

How SDN Works

Data plane inspects each Ethernet packet and performs one or more

  • Match fields – match rule based on first 4 layers of the Ethernet packet
  • Instructions – perform one or more programmed actions
  • Counters – increment counters and send counter data to a centralized point

SLIDE 11

Multilayer Match Rules Forward Packets

[Diagram: SDN flow match rule over a packet: Ethernet header (Layer 2), IP header (Layer 3), TCP/UDP header (Layer 4), payload]

SLIDE 12

OTSDN vs Traditional SDN

Static vs Reactive Flows

  • Traditional SDN uses reactive flows to dynamically respond and adapt to changes in the network and traffic

  • Focus is on bandwidth utilization and latency rather than determinism
  • Continuous learning and flow management
  • Uncertain network performance at any given time
  • SDN Controller performance bottleneck

SLIDE 13

Reactive IT SDN in Operation

[Diagram: IED, three SDN switches, server and IT flow controller; arrows labelled Packet and Rule]

SLIDE 14

OTSDN vs Traditional SDN

Static vs Reactive Flows

  • OTSDN uses static flows for proactive engineering of a known network configuration
  • Static flows can be used because all traffic is known
  • Networks never have new traffic or devices without an official change order
  • New or unexpected traffic will be dropped
  • Network state and performance are always known and as designed

SLIDE 15

Proactive OT SDN in Operation

[Diagram: two IEDs, three SDN switches, server and OT flow controller; arrows labelled Rule and Packet]

SLIDE 16

Design Traffic Where Paths Are Based on Requirements and Applications

Flow Controller Is Not Required for Network Operation

[Diagram: two relays and a rugged computer connected through four SDN switches; traffic paths labelled GOOSE 1, GOOSE 2, SCADA, Engineering Access and Combined]

SLIDE 17

OTSDN - Cybersecurity at Every Network Hop

  • Only allow traffic that is required and only to the places it is needed.
  • No ARP cache poisoning
  • No broadcast storms
  • No BPDU attacks
  • Hosts only see traffic destined for them and nothing else

SLIDE 18

No traffic injection from unexpected locations

  • Locked-down flows restrict what traffic is allowed on the network at every point
  • Spoofing a device's MAC/IP address is difficult
  • Packets that match flow rules must originate from a predetermined location.
  • Any attempt to spoof a device from an alternate location raises an alert and is tracked

SLIDE 19

Traditional Intrusion Detection System

External with Slow Action Response

[Diagram: three switches, two IEDs, a gateway and the WAN, with three network sensors and an IDS (analysis engine, knowledge database, alarms & events, response/action)]

SLIDE 20

OTSDN Intrusion Detection System

Integrated With Fast Dynamic Response

[Diagram: four OTSDN switches, two IEDs, the WAN, and an OTSDN controller with an IDS application; caption: dynamic change of security policies]

SLIDE 21

Targeted IDS

  • All needed traffic is engineered to go where it is needed
  • Any unmatched traffic can easily be discarded or sent to an IDS
  • IDS will ONLY see the traffic that was not already engineered
  • IDS will be burdened much less than when watching all traffic
  • More scrutiny can be given to this unwanted traffic
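A small model of the static, deny-by-default flow table described on the "How SDN Works", "No traffic injection from unexpected locations" and "Targeted IDS" slides, added here as an illustration; it is not code from the presentation or from any switch product. The class names, port numbers, MAC addresses and the `ids` port name are assumptions, and the packets are constructed sample data.

```python
from dataclasses import dataclass, field

GOOSE, ARP = 0x88B8, 0x0806  # EtherTypes: IEC 61850 GOOSE and ARP

@dataclass
class Flow:
    match: dict        # match fields: every key listed must equal the packet's value
    out_ports: list    # instruction: forward out of these ports
    packets: int = 0   # counter the flow controller can read

@dataclass
class Switch:
    flows: list                    # static table, engineered ahead of time
    ids_port: str = "ids"          # assumed name of the port feeding the IDS
    alerts: list = field(default_factory=list)

    def process(self, pkt):
        for flow in self.flows:
            if all(pkt.get(k) == v for k, v in flow.match.items()):
                flow.packets += 1
                return flow.out_ports
        # Deny by default: no MAC learning, no flooding, no reactive rule request.
        homes = {f.match["in_port"] for f in self.flows
                 if "in_port" in f.match and f.match.get("eth_src") == pkt.get("eth_src")}
        if homes and pkt.get("in_port") not in homes:
            # A known source address showing up somewhere it was not engineered.
            self.alerts.append(f"{pkt['eth_src']} seen on port {pkt['in_port']}, "
                               f"engineered for port(s) {sorted(homes)}")
        return [self.ids_port]     # only unengineered traffic reaches the IDS

# Constructed sample data: relay A (port 1) publishes GOOSE to relay B (port 2).
RELAY_A, GOOSE_DST = "02:00:00:00:00:0a", "01:0c:cd:01:00:01"

def run_demo():
    goose = {"in_port": 1, "eth_src": RELAY_A, "eth_dst": GOOSE_DST, "eth_type": GOOSE}
    sw = Switch(flows=[Flow(match=dict(goose), out_ports=[2])])
    moved = dict(goose, in_port=4)   # same headers arriving at another location
    arp = {"in_port": 4, "eth_src": "02:00:00:00:00:99",
           "eth_dst": "ff:ff:ff:ff:ff:ff", "eth_type": ARP}
    out = [sw.process(p) for p in (goose, moved, arp)]
    return out, sw.flows[0].packets, sw.alerts

if __name__ == "__main__":
    print(run_demo())
```

Because `in_port` is part of the match, the frame with correct addresses on the wrong port never hits the engineered flow; it is counted as unmatched, diverted to the IDS port and recorded as an alert, while the broadcast ARP frame is simply diverted.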
SLIDE 22

Targeted Deep Packet Inspection

Focus DPI processing only where it is needed

  • Individual flow(s) from individual switch(es) can easily be sent to a DPI processor.
  • The DPI process can determine if the packets should be allowed on the network.
  • If allowed, send it back to the OTSDN switch for further processing, otherwise drop/log.
  • Reduces burden on the DPI device by only processing the chosen stream of data.

SLIDE 23

Conclusion

  • OTSDN is standard technology with different methodology
  • Purpose-engineered networks allow deny-by-default cybersecurity at every hop in the network

  • Deterministic failover with traffic metrics
  • New approach to IPS, IDS, and DPI
  • Multipath capable / Application based circuits
  • Controlled change management and network access