
Guarantee Fiber Integrity, the foundation for a secure network

Bart Vrancken | [email protected]

May 2017

© Nokia 2016

Foundation of Smart Grids: the Nokia Utility Blueprint

[Figure: the Nokia Utility Blueprint. Captions on the slide: "Bring the power of mission-critical WAN"; "Enable distributed grid intelligence"; "Embrace IoT"; "Nokia technology leadership and expertise"; "Distribution automation and renewables integration"; "Readiness for technology evolution"; transport technologies WDM+, IP/MPLS and LTE; "Responsive, green grid"; "Prepared for the future, today".]

Main requirements for Energy Segment operators

Segments addressed: power utilities; oil, gas & mining. Themes: smart grid, monitoring & automation, energy and resources.

Use case - How to manage an unstable fiber network

Project triggers:

• Many fiber cuts
• Unexpected power loss at some links
• Fiber theft (thieves assuming the cable was copper)
• Roadworks damaging fiber ducts

1830 PSS - Fiber Monitoring solution

Fault isolation: the solution can quickly identify fiber cut or intrusion locations. If isolating fiber issues takes hours or days, it is time to upgrade.

Monitor when and where network security is compromised

Guarantee Optical Infrastructure Integrity

Optical Intrusion Detection (OID)

• Monitors each wavelength for changes in optical span loss
• Alarms when loss passes a preset threshold, indicating a fiber tap or degradation

Optical Time Domain Reflectometry (OTDR)

• Localizes fiber anomalies within a few meters
• Fiber cut and intrusion detection
• In-service loss distribution trending

[Figure: OID chart of attenuation (dB) against time, showing the band of expected variation, the point where the alarm is raised and the point where it is cleared. OTDR trace of return signal level (dB) against distance, with markers at the intrusion, the patch panel and the terminating connector. Use cases pictured: fiber tapping, road works.]
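The two mechanisms above, as an added example in Python that is not part of the original slides or of the 1830 PSS: an OID-style alarm that watches span loss on one wavelength against a baseline with separate raise and clear thresholds, and an OTDR-style analysis that finds loss and reflective events in a trace and compares them against a reference trace so that only new anomalies are reported. The trace model, the 9.5 km span with a patch panel at 1,200 m, the 0.6 dB loss at 6,230 m, the span-loss samples and all thresholds are constructed for the example.

```python
"""Fiber-integrity monitoring in two steps, mirroring the slide: an OID-style
span-loss alarm with hysteresis, then OTDR-style event localisation against a
reference trace. Illustrative example with constructed data, not 1830 PSS code."""
from statistics import median


# ---- Optical Intrusion Detection: watch span loss on one wavelength over time
def oid_alarms(span_loss_db, baseline_db, raise_db=1.0, clear_db=0.5):
    """Return (sample_index, 'raised'|'cleared') events for a span-loss series.
    Two thresholds (assumed values) give hysteresis, so a loss hovering around
    the limit does not make the alarm flap."""
    events, alarmed = [], False
    for i, loss in enumerate(span_loss_db):
        excess = loss - baseline_db
        if not alarmed and excess >= raise_db:
            events.append((i, "raised"))
            alarmed = True
        elif alarmed and excess < clear_db:
            events.append((i, "cleared"))
            alarmed = False
    return events


# ---- OTDR: find and locate loss events along the fibre ----------------------
def synth_trace(fibre_m, events, alpha_db_km=0.2, floor_db=-40.0, tail_m=100):
    """Constructed OTDR trace with one sample per metre: a linear backscatter
    slope, a step loss at each (position_m, loss_db, spike_db) event, a spike
    where the event is reflective, and a reflective fibre end before the noise
    floor. Real traces also carry noise and dead zones; they are left out."""
    trace = []
    for d in range(fibre_m + tail_m + 1):
        if d > fibre_m:
            trace.append(floor_db)
            continue
        level = -alpha_db_km * d / 1000.0
        for pos, loss, spike in events:
            if d >= pos:
                level -= loss
            if d == pos:
                level += spike
        if d == fibre_m:
            level += 15.0  # terminating connector: strong Fresnel reflection
        trace.append(level)
    return trace


def locate_events(trace, window_m=10, min_loss_db=0.1, reflect_db=3.0):
    """Return [(distance_m, loss_db, reflective)] for every event in a trace.
    A reflective event is a sample standing well above the median of the
    preceding window; a loss event is a drop between the mean level before and
    after a sample. Events closer together than window_m merge into one."""
    n, w = len(trace), window_m
    spikes = {d for d in range(w, n) if trace[d] - median(trace[d - w:d]) > reflect_db}
    # replace each spike by the level just after it, so it does not skew the means
    flat = [trace[d + 1] if d in spikes and d + 1 < n else v for d, v in enumerate(trace)]
    step = [0.0] * n
    for d in range(w, n - w):
        step[d] = sum(flat[d - w:d]) / w - sum(flat[d + 1:d + 1 + w]) / w
    found, d = [], w
    while d < n - w:
        if step[d] <= min_loss_db:
            d += 1
            continue
        end = d
        while end + 1 < n - w and step[end + 1] > min_loss_db:
            end += 1
        # inside a run of raised steps, the event sits at the largest single-sample drop
        at = max(range(d, end + 1), key=lambda i: flat[i - 1] - flat[i])
        found.append((at, round(step[at], 2), at in spikes))
        d = end + 1
    return found


def new_events(reference, current, tolerance_m=5):
    """Events in the current trace that have no counterpart in the reference
    trace taken at commissioning; known features (patch panels, fibre end)
    drop out and only new anomalies remain."""
    return [ev for ev in current
            if not any(abs(ev[0] - ref[0]) <= tolerance_m for ref in reference)]


# Constructed 9.5 km span (the TSO link length in the PoC): a patch panel at
# 1,200 m in both traces, plus a 0.6 dB non-reflective loss at 6,230 m in the
# current trace, the signature one would expect from a clamp-on bend coupler.
REFERENCE = synth_trace(9_500, [(1_200, 0.3, 5.0)])
CURRENT = synth_trace(9_500, [(1_200, 0.3, 5.0), (6_230, 0.6, 0.0)])
# Constructed span-loss samples (dB) for one wavelength, baseline 3.0 dB.
SPAN_LOSS = [3.0, 3.1, 2.9, 3.2, 4.3, 4.5, 4.2, 3.4, 3.6, 3.3, 3.0]

if __name__ == "__main__":
    print("OID alarm events:", oid_alarms(SPAN_LOSS, baseline_db=3.0))
    print("Reference trace events:", locate_events(REFERENCE))
    print("New in current trace:", new_events(locate_events(REFERENCE), locate_events(CURRENT)))
```

The reference trace is the one captured at commissioning; diffing against it is what turns a list of splices and connectors into an intrusion report. In this noise-free model the event lands on the exact metre; on a real OTDR the pulse width and event dead zone set the "few meters" figure.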

Use case – recent TSO/DSO

Fiber monitoring demo and PoC

• Mission Critical Flying Bench shipped to site
• Connected to the TSO's and DSO's own fiber networks
• TSO – 19 km link (2 x 9.5 km)
• DSO – 4 km link (2 x 2 km)
• Test list included:
  • optical intrusion detection (OID)
  • fault localization with Optical Time Domain Reflectometry (OTDR)
  • L1 optical encryption

The test set-up

[Figure: test set-up between Substation 1 and Substation 2.]

TSO – OTDR trace

[Figure: OTDR trace of the TSO link.]

DSO – OTDR trace – zoom-in

[Figure: two zoomed-in views of the DSO link OTDR trace.]

Going one step further: fiber sensing example for utilities

• Pro-actively detect interference
  – Intentional: e.g. people/cars near the power lines, fiber tapping, (copper) cable theft, illegal access to sites
  – Unintentional: e.g. construction works close to these assets, falling trees, animals…
• Protect investment
  – Many of those assets (e.g. substations) are in remote, unsupervised locations
  – Damage is traditionally detected only when service is already down or affected
• Lower Opex and less revenue loss
  – React proactively to threats
  – Repair before service is affected

Security in mission-critical networks

Services layer: secure IP/MPLS networks

• Network Group Encryption
• Management security
• Firewall
• Availability

Infrastructure layer: secure optical transport

• Optical infrastructure security
• Layer 1 transport encryption
• Centralized key management
• Independent certifications

Optical – Layer 1 encryption: minimum additional latency and no useful payload reduction

Latency: ultra low
Bandwidth: very high
Protocol agnostic: yes
Cost / encrypted bit: low
Encryption key strength: quantum-safe

Layer 1 encryption: minimum additional latency and no useful payload reduction

Typical latency, per-packet encryption overhead and average wasted bandwidth (overhead divided by the average packet size), as given on the slide:

Layer             Typical latency   Encryption overhead   Average wasted bandwidth
IPsec (Layer 3)   100 msec          76 byte               18.1 %
MACsec (Layer 2)  5 msec            32 byte               7.6 %
OTN (Layer 1)     <0.1 msec         0 byte                0 % (no bandwidth waste at any packet size)

Assumption: a typical distribution of 10,000 packets, 6,060 x 64 byte, 2,273 x 576 byte and 1,667 x 1,500 byte, giving an average packet size of 420 byte. [Figure: a 1,500 byte packet drawn as Ethernet header, IP header and payload.]
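The slide's overhead figures recomputed over its own packet mix, as an added example in Python (not Nokia's calculation). It reproduces the "average wasted bandwidth" column and adds two figures a link planner would want: the overhead as a share of all bytes on the wire, and the number of packets whose encrypted size exceeds a 1,500-byte MTU, an assumed value that is not on the slide.

```python
"""Encryption overhead against a packet-size mix: reproduces the slide's
"average wasted bandwidth" column and adds two figures it leaves out, the
overhead as a share of bytes on the wire and how many packets no longer fit
the MTU. Illustrative example, not Nokia code."""

# The slide's constructed mix of 10,000 packets: (size in bytes, count).
TRAFFIC_MIX = [(64, 6_060), (576, 2_273), (1_500, 1_667)]

# Per-packet overhead in bytes as given on the slide; OTN Layer 1 encryption
# adds nothing to the payload.
OVERHEAD_BYTES = {"IPsec (L3)": 76, "MACsec (L2)": 32, "OTN (L1)": 0}


def average_packet_size(mix):
    total_bytes = sum(size * count for size, count in mix)
    total_packets = sum(count for _, count in mix)
    return total_bytes / total_packets


def overhead_report(mix, overhead_bytes, mtu=1500):
    """Return {layer: (pct_of_payload, pct_of_wire, packets_over_mtu)}.
    pct_of_payload is the slide's method: overhead divided by the average
    packet size. pct_of_wire divides the added bytes by everything sent, which
    is what a link-utilisation graph shows. packets_over_mtu counts packets
    whose encrypted size exceeds mtu (assumed 1,500 bytes); those must be
    fragmented or the TCP MSS clamped, which costs more than the headers alone."""
    avg = average_packet_size(mix)
    packets = sum(count for _, count in mix)
    payload = sum(size * count for size, count in mix)
    report = {}
    for layer, extra in overhead_bytes.items():
        pct_payload = 100.0 * extra / avg
        pct_wire = 100.0 * extra * packets / (payload + extra * packets)
        over_mtu = sum(count for size, count in mix if extra and size + extra > mtu)
        report[layer] = (round(pct_payload, 1), round(pct_wire, 1), over_mtu)
    return report


if __name__ == "__main__":
    print(f"average packet size: {average_packet_size(TRAFFIC_MIX):.0f} bytes")
    for layer, (p, w, n) in overhead_report(TRAFFIC_MIX, OVERHEAD_BYTES).items():
        print(f"{layer:12} {p:5.1f}% of payload  {w:5.1f}% of wire  {n:5d} packets over MTU")
```

The MTU count only matters where the path cannot carry the larger frame: for IPsec at Layer 3 every full-size packet in the mix is affected, while for MACsec the extra 32 bytes sit in the Ethernet frame and most switches accept frames that size.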

Layer 1 encryption is OTN-based: protocol agnostic, low cost/bit

Virtually any known traffic type can be encrypted and transported: OC-192, STM-64, 10 Gbit Ethernet, video, OC-48, STM-16, 1 Gbit Ethernet.

[Figure: client signals mapped into ODU1 and ODU2 containers and multiplexed into an ODU4, which is bulk-encrypted with AES-256; the substitution-permutation operation converts the input plaintext state (a0..a3, b0..b3, c0..c3, d0..d3) into a ciphertext state shown as hex bytes.]

• No need for separate appliances
• Lowest cost per encrypted bit

Symmetric vs. asymmetric encryption

Symmetric encryption: one shared key is used for encryption and decryption (e.g. AES-256, 256-bit key).

• AES symmetric keys are quantum-safe: Grover's algorithm only halves the effective key strength, so AES-256 keeps roughly 128-bit security against a quantum adversary
• Faster and more cost-effective

Asymmetric encryption: the sender encrypts with the receiver's public key and the receiver decrypts with its private key (e.g. RSA-2048, equivalent to 112-bit symmetric strength).

• Security is compromised by quantum computing (Shor's algorithm)
• Computationally intensive

Equivalent key strengths:

Symmetric key size (bits)   Asymmetric key size (bits)
80                          1,024
112                         2,048
128                         3,072
192                         7,680
256                         15,360

Centralized vs. distributed key management

Centralized key management: a central key authority delivers keys to sender and receiver over a secure key transfer.

• Off-loading encryption/decryption from the host frees host CPU resources
• Well suited for large data transfers requiring encryption/decryption

Distributed key management: a central certificate authority publishes public keys, each node does its own local key management (high CPU load), and data is encrypted to the receiver's public key and decrypted with the receiver's private key.

• Vulnerable architecture
• Not well suited for large data transfers requiring encryption/decryption

Nokia uses quantum-proof symmetric encryption key management


Optical transport availability

Secure networks must be highly reliable and available. Best practices:

• Automatic restoration: photonic restoration; 1+1, 1:n and G.8032 ring protection; equipment fail-over
• Monitoring: security logs & audits; fault isolation; optical path diagnostics; uniform management platforms
• Design for reliability: redundant equipment; trusted supply chain; physical path diversity; 3rd party certifications
• L2 QoS

Optical portfolio security certification

Independent, vendor-neutral proof:

• Attained process and manufacturing milestones
• Satisfied a rigorous set of standards
• Ensures high quality cryptographic key generation

Certifications:

• Globally recognized certification body: EAL-1, 2 or 3+
• French security agency: extended encryption specs, QS level
• U.S. standards body: FIPS 140-2, Level 2 or 3

Mission-critical networks have to support and secure a diverse range of traffic

Endpoints pictured: protection relays; P25/LMR; SCADA RTU and operational voice; LAN/router; GOOSE/SV and IEDs; CCTV; LTE. Interfaces: DS1/E1, V.24/4-wire and C37.94/G.703 (non-IP TDM/Ethernet), IP and Ethernet.

Traffic types:

• Point-to-point (e.g. SCADA, teleprotection, GOOSE/SV, LAN)
• MP2MP* (e.g. voice, video, GOOSE, routers)
• Network control (e.g. BGP, OSPF, ISIS, RSVP-TE, LLDP, IEEE1588)

*MP2MP: Multipoint-to-multipoint

Network Group Encryption (NGE): optimized for mission-critical networks

Today's encryption solutions have shortcomings. The slide compares point-to-point encryption, group-based encryption and Ethernet-based encryption for point-to-point, MP2MP, network control and non-IP TDM/Ethernet traffic: network control is marked "exposed" and non-IP TDM/Ethernet "not welcome" for two of the three approaches.

• Ill-suited for large scale meshed connectivity
• Key server becomes a single point of failure
• Data decryption/re-encryption at every IP hop -> snooping

Nokia introduces secure Network Group Encryption: a key server in the Network Services Platform and a security gateway, covering point-to-point, multipoint-to-multipoint and network control traffic.

Network Group Encryption: the ideal encryption solution for mission-critical networks

[Figure: the endpoints of the previous slide (protection relays, P25/LMR, SCADA RTU and operational voice, LAN/router, GOOSE/SV and IEDs, CCTV, LTE) over DS1/E1, V.24/4-wire, C37.94/G.703, IP and Ethernet interfaces, non-IP TDM/Ethernet and IP alike, carried as encrypted MPLS services.]

• Encryption management together with network & service management from the Network Services Platform
• Point-to-point, MP2MP and network control: encrypted MPLS services and control
• Service Router portfolio for NGE-based service encryption
• Key groups enabling secure services & network partitioning
• All services / traffic types welcome

Network Group Encryption: key groups enable hierarchical encryption and secure network partitioning

[Figure: central locations NOC #1 and NOC #2 with a control key group and a transmission key group, a distribution key group, and DA/FAN key groups at the edge, on 7705 SAR-8, SAR-18, SAR-H and SAR-Hc nodes.]

• Less physically secure distribution automation (DA) or field area network (FAN) nodes do not contain keys to more critical components
• Key group partitions ensure only associated services are accessible
• Fully managed by NSP

Network Group Encryption: seamless operation over IP/MPLS

[Figure: NGE-encrypted point-to-point, MP2MP and network-control traffic over an IP/MPLS network managed by the Network Services Platform.]

Network Group Encryption: maximum security and availability

[Figure: as above, with two Network Services Platform instances (Network Services Platform 1 and 2).]

Network Group Encryption: maximum deployment flexibility

[Figure: NGE-encrypted point-to-point, MP2MP and network-control traffic carried across business L2/L3 VPN and 2G, 3G, LTE and Wi-Fi access.]

Network Group Encryption: the ideal encryption solution for mission-critical networks

• Universal encryption: point-to-point, MP2MP and network control; non-IP TDM/Ethernet and IP
• Seamless operation with maximum availability
• Maximum deployment flexibility: business L2/L3 VPN; 2G, 3G, LTE, Wi-Fi

Awards for the 7705 Service Aggregation Router Network Group Encryption: North American Cyber Security Solutions for Utilities, New product innovation award 2015; Award winner 2016; Product of the year 2016.

IP/MPLS – Firewall essentials

Deploy your network with security in mind.

Firewalls are difficult to manage -> centralized firewall policy management: ease of configuration, updates and audits; advanced logging.

Firewalls drag down performance -> hardware-based inspection: intelligent, integrated security; service aware; higher performance.

IP/MPLS – Firewall example use cases

Secure the network with a QoS-enabled firewall.

Blocking of unauthorized traffic: a compromised device sends rogue packets into the MPLS tunnel; the security policy blocks the unauthorized traffic.

Flow-based rate-limiting: a disgruntled employee or a botnet exploits the firewall policy (sending traffic the policy permits) and floods the network; flow-based rate-limiting deters the flooding.
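The two use cases above, as an added example in Python that is not Nokia's 7705 SAR firewall: an allow-list policy drops anything not explicitly permitted, and each permitted flow is metered by a token bucket so that a host which is allowed to talk to the SCADA master still cannot flood it. The addresses, ports, rates, burst size and packet stream are constructed for the example.

```python
"""A QoS-enabled firewall for a service edge, as on the slide: an allow-list
policy that drops unauthorized traffic, then a per-flow token bucket that
rate-limits flows the policy permits. Illustrative example, not 7705 SAR code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts_ms: int        # arrival time in milliseconds
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_prefix: str   # crude prefix match on the dotted address, e.g. "10.1.0."
    dst: str
    proto: str
    dport: int
    rate_pps: int     # sustained packets per second allowed per flow
    burst: int        # packets a flow may send at once before being limited


class TokenBucket:
    """Integer token bucket in milli-tokens: rate_pps tokens per second is
    rate_pps milli-tokens per millisecond, so refill arithmetic stays exact."""
    def __init__(self, rate_pps, burst, now_ms):
        self.rate, self.cap = rate_pps, burst * 1000
        self.tokens, self.last = self.cap, now_ms

    def allow(self, now_ms):
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.buckets = {}   # one bucket per (src, dst, proto, dport) flow
        self.log = []       # (ts_ms, src, dst, dport, verdict), kept for audit

    def match(self, pkt):
        for r in self.rules:
            if (pkt.src.startswith(r.src_prefix) and pkt.dst == r.dst
                    and pkt.proto == r.proto and pkt.dport == r.dport):
                return r
        return None   # default deny

    def process(self, pkt):
        rule = self.match(pkt)
        if rule is None:
            verdict = "DROP unauthorized"
        else:
            flow = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
            if flow not in self.buckets:
                self.buckets[flow] = TokenBucket(rule.rate_pps, rule.burst, pkt.ts_ms)
            verdict = "FORWARD" if self.buckets[flow].allow(pkt.ts_ms) else "DROP rate-limited"
        self.log.append((pkt.ts_ms, pkt.src, pkt.dst, pkt.dport, verdict))
        return verdict


def run(fw, packets):
    """Feed packets through the firewall in time order and count the verdicts."""
    counts = {}
    for pkt in sorted(packets, key=lambda p: p.ts_ms):
        verdict = fw.process(pkt)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed policy: RTUs in 10.1.0.0/24 may poll the SCADA master on
# Modbus/TCP (port 502) at 50 packets/s per flow with a burst of 20 (assumed
# figures); everything else arriving over the MPLS tunnel is dropped.
RULES = [Rule("10.1.0.", "10.0.0.10", "tcp", 502, rate_pps=50, burst=20)]

# Constructed traffic: a normal RTU poll every 100 ms, a compromised device
# probing SSH on the master, and a host behind the RTU prefix flooding port 502
# with one packet every millisecond.
TRAFFIC = (
    [Packet(i * 100, "10.1.0.5", "10.0.0.10", "tcp", 502) for i in range(10)]
    + [Packet(500 + i, "10.1.0.7", "10.0.0.10", "tcp", 22) for i in range(5)]
    + [Packet(10_000 + i, "10.1.0.9", "10.0.0.10", "tcp", 502) for i in range(100)]
)

if __name__ == "__main__":
    fw = Firewall(RULES)
    print(run(fw, TRAFFIC))   # forwarded, rate-limited and unauthorized counts
    for entry in fw.log[-3:]:
        print(entry)
```

The flood passes the policy because the sender sits inside the permitted prefix, which is exactly the slide's second scenario; the bucket lets the first burst of 20 through and then admits only one packet per 20 ms, so the master sees a trickle instead of 1,000 packets per second. The log is what the management-security slide later calls audit evidence: every verdict is tied to a source, destination and time.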

IP/MPLS – Mitigating management security risk

[Figure: application, services and infrastructure layers of the management plane.]

Work order requires approval: endpoints involved; email notification to supervisor for approval; stay in control, approve or reject.

User action non-repudiation: logging each user's action; archive for future analysis and audit.

Minimize security exposure: limit visibility to the relevant network span.

IP/MPLS availability

Secure networks must be highly reliable and available. Best practices:

• Automatic restoration: pseudowire redundancy; secondary LSP; fast re-route; non-stop routing / signaling
• Monitoring: fault detection with BFD; service performance measurement; security log and audit
• Rich path diversity; hardware redundancy; multi-fault tolerance
• High priority QoS

IP portfolio security certification

Independent, vendor-neutral proof:

• Passed security evaluation
• Satisfies a rigorous set of standards
• Secure to deploy

Certifications:

• Globally recognized certification body: EAL-3+
• U.S. DoD Defense Information Systems Agency (DISA): test for IT and National Security Systems; risk-based test evaluation & certification
• U.S. standards body: FIPS 140-2