
TECHNOLOGY BRIEF

PROTECTING PROCESS CONTROL/SCADA, SMART GRID, AND INTERNAL

CORPORATE NETWORKS IN UTILITIES


TABLE OF CONTENTS

INTRODUCTION
  Vulnerability of PCN/SCADA and Smart Grid Networks
  How Sourcefire® Can Help Secure Utility Networks

THREE UTILITY NETWORK TYPES
  PCN/SCADA Networks
    PCN/SCADA System Components
    PCN/SCADA Network Characteristics and Security Concerns
  Smart Grid Networks
    Smart Grid Composition
    Figure 1. A smart grid.
    Security Concerns in Smart Grid Networks
  Internal Corporate Network

HOW THE SOURCEFIRE 3D SYSTEM CAN HELP PROTECT UTILITY NETWORKS
  Protecting PCNs and SCADA Networks
    Figure 2. The Sourcefire 3D System.
  Protecting Smart Grids
  Protecting the Internal Corporate Network
    Figure 3. Sourcefire “defense-in-depth” strategy.

SUMMARY AND CONCLUSIONS

ACRONYM GLOSSARY

INTRODUCTION

Process control networks (PCN) or supervisory control and data acquisition (SCADA) systems are a part of every nation’s critical infrastructure. Whether in manufacturing, chemical production, energy distribution, nuclear power, water treatment, or transportation systems, PCNs and SCADA networks are essential to ongoing operations.

Newer to electric utilities, smart grid initiatives worldwide are receiving increased government focus and stimulus funding. Pike Research predicts a dramatic increase in worldwide smart grid capital spending, from US$10.5 billion in 2009 to US$35.8 billion in 2013.1 Italy’s large smart grid network (the Telegestore project) was completed in 2005, and additional deployments are in progress. The Australian cities of Homebush, Ku-ring-gai, Newcastle, Scone, and the business district of Sydney are scheduled to move onto a smart grid in mid-2010. By the end of 2010, Hydro One’s large-scale smart grid initiative will serve 1.3 million customers in Ontario, Canada.2

Vulnerability of PCN/SCADA and Smart Grid Networks

A failure in any one of these critical infrastructure PCN/SCADA or smart grid networks can result in substantial financial loss, affect hundreds of thousands or millions of people, or even cost lives. The reliability and safety of these networks are vital, but they have been shown to be vulnerable. Here is a select list of high-profile utility cybersecurity breaches.

• Russia, 2000: Hackers cracked the security of Gazprom, the Russian state gas company, gaining access to the gas-flow switchboard.

• Queensland, Australia, 2001: A former employee of the software development team repeatedly hacked (46 occasions) into the SCADA system that controlled a Queensland sewage treatment plant, releasing approximately 264,000 gallons of raw sewage into nearby rivers and parks.

• Oak Harbor, Ohio, 2003: Slammer worm penetrated the Davis-Besse nuclear power plant, disabling a safety monitoring system for nearly five hours. Slammer gained access to the plant via an unsecured contractor network.

• Harrisburg, Pennsylvania, 2006: A foreign hacker penetrated security of a water filtering plant through the Internet. The intruder planted malicious software that was capable of affecting the plant’s water treatment operations.

• Willows, California, 2007: An intruder installed unauthorized software on a water canal SCADA system and damaged the computer used to divert water from the Sacramento River.

• Long Beach, California, 2008: Using multiple user accounts, a former IT consultant for Pacific Energy Resources tampered with the company’s SCADA computer systems used to remotely operate giant oil platforms and detect gas leaks.

How Sourcefire® Can Help Secure Utility Networks

Sourcefire can help companies and organizations protect their PCN/SCADA, smart grid, and internal corporate networks from disgruntled employees, industrial saboteurs, and terrorists. Sourcefire cybersecurity solutions can passively detect environmental changes in real time, provide network intrusion detection and prevention services using Snort®-based or custom rules, provide automated intrusion detection system (IDS) and intrusion prevention system (IPS) tuning and prioritized intrusion alerts, quickly link user identity to security and compliance events, and enable compliance monitoring and enforcement.

Read on to see how the flexibility and passive detection of the Sourcefire 3D® System from the creators of Snort can help secure your utility organization without disrupting your critical networks and the devices on them.

THREE UTILITY NETWORK TYPES

In addition to its own internal corporate network, a utility (electricity, natural gas, oil, water, or sewage) may also run PCN/SCADA and/or smart grid networks. Differences in the architecture and goals of each network, which are often managed by different security teams, make security management challenging and a significant effort. In the following sections, we explore some characteristics and security concerns of each network type in further detail.

PCN/SCADA Networks

PCNs are specialized communications networks used to connect industrial machinery together so that industrial processes can be automated. For example, a nuclear power station may have hundreds of sensors monitoring critical systems processes, such as core temperature, coolant temperature, steam turbine pressure, turbine rotation speed, fuel rod neutron flux, etc. All of these sensors are linked back to controllers and safety systems across the dedicated PCN.

In the past, these devices were connected together using proprietary network technologies and protocols. In recent years, companies have replaced old RS-422 serial-bus-based PCNs with copper- or fiber-based TCP/IP networks. Collectively, these supervisory networks are referred to as SCADA, which stands for supervisory control and data acquisition. SCADA technology supports automated chemical, broadcasting, rail, power, gas, water, and oil plant systems. The security of these devices is essential for both safety and business continuity.

1 Pike Research Newsroom, “Global Smart Grid Investment to Peak at $35.8 Billion in 2013,” June 29, 2010.
2 Hydro One Newsroom, “Redline and Hydro One Team Up on Grid Modernization Using WiMAX,” April 14, 2009.

PCN/SCADA System Components

Although there are countless ways to build a utility plant, there is a relatively simple architecture for networking them all together. Let us examine the world of RTUs, PLCs, HMIs, and historians.

First, you need to acquire data about your process, for example, measuring the temperature of a blast furnace. A remote terminal unit (RTU) handles data collection and reporting, and it has the ability to change a process. In other words, you can read from an RTU to acquire data about a process, and you can write back to it to make a change to the process.

The programmable logic controller (PLC) does this reading and writing. Most processes need to be kept running at optimum conditions. A blast furnace needs more or less fuel to regulate its temperature. The PLC is the “autopilot” that performs this regulation. It operates a closed loop, known as a PID loop (proportional–integral–derivative), which means that if the PLC detects any deviation in a monitored quantity it will effect just enough opposite change to bring the monitored quantity back to its proper value. PLCs may receive other inputs, such as process control overrides, safety interlocks, and so on. These allow the process to be suspended or diverted, for example, to let people into the plant for maintenance. PLCs read from and write to the RTUs using simple protocols, such as Modbus.

People get involved via a human-machine interface (HMI). This is normally a PC somewhere, or perhaps a UNIX terminal. The HMI is the machine that will represent the status of the process to the operator. HMI displays may not be traditional monitors at all—they could be banks of lamps on an electricity control room display board. A related component to the HMI is the historian—a system that formats and records process data. This historical record is often a regulatory requirement, but may also be used for trend analysis and further system tuning.

Most process control systems have another process loop running in parallel, with data gathered and analyzed by entirely different systems. This is the critical control system (CCS). The idea is that if the PLC PID loop fails for some reason, and the process goes out of control, the CCS is the backup system that can shut it down safely.
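As an added illustration of the PID loop and the independent CCS described above (example code, not part of the Sourcefire brief), the following Python simulation regulates a toy furnace model and shows a separately sensed safety system tripping when a rogue setpoint written to the PLC drives the process past its limit. The plant constants, controller gains and trip limit are made-up illustrative values, not figures from any real plant.

```python
"""PID regulation with an independent safety system (added example).

Toy blast-furnace model regulated by a PID loop, plus a separate critical
control system (CCS) that reads its own sensor and cuts fuel if the process
goes out of bounds. All constants are illustrative, not from any real plant.
"""
from dataclasses import dataclass


@dataclass
class PID:
    kp: float
    ki: float
    kd: float
    integral: float = 0.0
    prev_error: float = 0.0

    def step(self, setpoint: float, measured: float, dt: float) -> float:
        """Return the corrective output (fuel rate) for one control interval."""
        error = setpoint - measured
        self.integral += error * dt
        derivative = (error - self.prev_error) / dt
        self.prev_error = error
        return self.kp * error + self.ki * self.integral + self.kd * derivative


@dataclass
class Furnace:
    """First-order thermal model: fuel adds heat, the excess over ambient leaks away."""
    temperature: float = 20.0
    ambient: float = 20.0
    heat_per_fuel: float = 2.0   # degrees per fuel unit per second (illustrative)
    loss_rate: float = 0.05      # fraction of (T - ambient) lost per second

    def step(self, fuel: float, dt: float) -> float:
        fuel = max(0.0, min(fuel, 100.0))   # a real burner saturates at both ends
        self.temperature += (self.heat_per_fuel * fuel
                             - self.loss_rate * (self.temperature - self.ambient)) * dt
        return self.temperature


@dataclass
class SafetySystem:
    """Independent CCS: ignores the PLC and trips on its own limit."""
    trip_limit: float
    tripped: bool = False

    def check(self, temperature: float) -> bool:
        if temperature > self.trip_limit:
            self.tripped = True
        return self.tripped


def run(setpoint_writes, seconds=600, dt=1.0):
    """Simulate `seconds` of operation.

    `setpoint_writes` maps a time in seconds to a new setpoint written to the
    PLC, which is exactly what an unauthenticated Modbus write could do.
    Returns (final temperature, CCS tripped?, time of trip or None).
    """
    pid = PID(kp=0.2, ki=0.01, kd=0.02)
    furnace = Furnace()
    ccs = SafetySystem(trip_limit=1200.0)
    setpoint = 0.0
    trip_time = None
    t = 0.0
    while t < seconds:
        if t in setpoint_writes:
            setpoint = setpoint_writes[t]
        fuel = pid.step(setpoint, furnace.temperature, dt)
        if ccs.tripped:
            fuel = 0.0          # once tripped, the CCS overrides the PID loop
        temperature = furnace.step(fuel, dt)
        if ccs.check(temperature) and trip_time is None:
            trip_time = t
        t += dt
    return furnace.temperature, ccs.tripped, trip_time


if __name__ == "__main__":
    print("normal run:", run({0: 800.0}))
    print("rogue setpoint at t=300:", run({0: 800.0, 300: 5000.0}))
```

The point of the second run is that the PID loop does exactly what it is told: with a setpoint of 5000 it drives fuel to the burner limit and the only thing that stops the furnace is the CCS, which reads its own sensor and owes nothing to the PLC. That is why the brief treats a write to a controller as a safety event and not merely a data integrity event.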

PCN/SCADA Network Characteristics and Security Concerns

One of the biggest differences between a PCN/SCADA system and a corporate network relates to the phrase “a matter of life and death.” In the corporate world, if you are told to do something quickly because “it’s a matter of life and death,” you understand that the person, department, or organization might be mildly to moderately inconvenienced if you do not complete your assignment in a timely manner. In the PCN/SCADA world, a system failure due to slow response or less than 100% quality assurance (QA) on system changes can quite literally be a matter of life and death. If a valve is not shut off in time, the plant may explode and people may die. Failure can be final in a PCN/SCADA network. For that reason, change management in PCNs/SCADA systems is extremely stringent.

Here is an example that highlights the challenge of change management vs. security in PCNs. A new, sophisticated type of attack emerged in July 2010, and it grabbed the attention of those managing industrial networks and systems that comprise the national critical infrastructure. The Stuxnet worm targeted Siemens’ SIMATIC WinCC and PCS 7 industrial process management software and attempted to access those systems’ databases using a hard-coded password that had become publicly known. Siemens responded with a fix, but advised its customers not to change the passwords of these systems. This advice surprised some people, but it made sense considering what these systems do. Due to the complex distributed nature of these critical systems, Siemens was concerned that a hastily implemented password change could cause authentication failures between components and follow-on effects that could adversely affect process operations, with potentially catastrophic consequences. Stuxnet highlights the problem plaguing organizations that run PCNs: network connectivity has increased, but network security has not kept pace.

Another key difference between a PCN/SCADA system and a corporate network is that availability is vital for PCNs/SCADA networks. If a SCADA environment is compromised, staff cannot take down the SCADA network to fix it. They are forced to deal with the breach while the network continues to run.

PCNs/SCADA systems tend to be designed and built by engineers, not by IT professionals. Engineers tend to have specific goals: keep the processes running efficiently and safely; share data with others to ensure this happens; trust other engineers to do their jobs, and they will trust you. This is where things get interesting from a security perspective. The core protocols of SCADA systems, designed and built by engineers with this open mentality, have no authentication or authorization whatsoever. There is no read- or write-level security in Modbus: any device can issue a “read coils” or “write coils” function call to measure or change a process. This means that a rogue PLC, or any host that can reach the PCN, could inflict enormous damage on a process. When the PCN/SCADA system was a separate network, this was not an issue; the problem is that this is no longer the case.
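The following Python code is an added example (not code from the brief or from Sourcefire) that builds and decodes Modbus/TCP Read Coils and Write Single Coil requests and then applies the kind of passive check a sensor on a SPAN port could make: any write function code from a host not on an allow-list of known masters is flagged. The addresses, the allow-list and the captured frames are constructed for illustration, and the Snort rule in the comment assumes a `$SCADA_MASTERS` variable that you would define yourself.

```python
"""Modbus/TCP request handling and a passive write detector (added example).

Modbus/TCP carries no authentication: any host that can reach TCP/502 on a
slave can issue a Write Single Coil (function code 5). The detector below
does what a passive sensor on a SPAN port could do: it decodes each request
and flags any write function code whose source is not a known master.
Addresses, the allow-list and the captured frames are constructed for
illustration.
"""
import struct

READ_COILS = 0x01
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                   WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}
MODBUS_PORT = 502


def build_request(tid, unit, function, payload):
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    pdu = bytes([function]) + payload
    # the length field counts the unit id byte plus the PDU
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_coils(tid, unit, start, count):
    return build_request(tid, unit, READ_COILS, struct.pack(">HH", start, count))


def write_single_coil(tid, unit, address, on):
    # Modbus encodes ON as 0xFF00 and OFF as 0x0000
    value = 0xFF00 if on else 0x0000
    return build_request(tid, unit, WRITE_SINGLE_COIL, struct.pack(">HH", address, value))


def parse_request(frame):
    """Decode an MBAP+PDU frame; raise ValueError if it is malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    function = frame[7]
    data = frame[8:]
    parsed = {"tid": tid, "unit": unit, "function": function, "data": data}
    if function in (READ_COILS, WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER) and len(data) >= 4:
        parsed["address"], parsed["value"] = struct.unpack(">HH", data[:4])
    return parsed


# The same check for function code 5 as an illustrative Snort rule (byte 7 of
# the TCP payload is the function code; $SCADA_MASTERS is an assumed variable):
#   alert tcp !$SCADA_MASTERS any -> $SCADA_SLAVES 502 (msg:"Modbus write from
#   unlisted master"; flow:to_server,established; content:"|00 00|"; offset:2;
#   depth:2; byte_test:1,=,5,7; sid:1000001; rev:1;)
def inspect(packets, allowed_masters):
    """Return alerts for write requests from hosts not on the master allow-list.

    `packets` is an iterable of (src_ip, dst_ip, dst_port, payload) tuples,
    the shape a passive sensor sees. Reads are never flagged here: they are
    the normal HMI traffic, and flagging them would bury the writes in noise.
    """
    alerts = []
    for src, dst, port, payload in packets:
        if port != MODBUS_PORT:
            continue
        try:
            req = parse_request(payload)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst, "reason": "malformed: %s" % exc})
            continue
        if req["function"] in WRITE_FUNCTIONS and src not in allowed_masters:
            alerts.append({"src": src, "dst": dst, "unit": req["unit"],
                           "address": req.get("address"),
                           "reason": "write function 0x%02X from unlisted master" % req["function"]})
    return alerts
```

Extending the allow-list check to reads (a rogue host polling coils is reconnaissance) is a one-line change, but on a real PCN it should only be done once passive asset data has confirmed which hosts legitimately poll, for the false-positive reasons the brief gives below.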


As PCNs/SCADA systems and corporate networks have become one and the same through the power of networking, organizations are now faced with a new problem: how to protect the vulnerable PCN/SCADA network from disgruntled employees, hackers, and terrorists. And, most importantly, the corporate network is connected to the Internet. How will this be secured? It turns out that the standard arsenal of IT security tools often creates more problems than it solves, due to some unique characteristics of the SCADA environment.

Process control equipment is not like a standard IT tool. There is no doubling in power every two years and no renewal every three years. Processor power is often very modest, and it is frequently running on very, very old equipment. It is not uncommon to find Windows NT Server, Windows 3.11, DOS, VAXes, DEC PDP-11s, and other equipment that the IT department would classify as “historical computers” running a current manufacturing process. The philosophy “if it ain’t broke, don’t fix it” is central in the PCN.

Now corporate and PCN/SCADA networks are joined, and the first thing the IT department wants to do is scan the PCN/SCADA system to determine the networked assets. Usually IT personnel are stopped by irate engineers, which is just as well—many of these older operating systems and applications do not react well to scans. Many of these devices would destabilize or crash, which could quickly lead to a matter of life and death. So perhaps the IT department embarks on a long and painstaking physical audit. What they find is typically discouraging—many of the machines have not been patched for years. This may be due to lack of downtime or a limitation of the PCN software (it does not work with the latest Windows service pack, for example). When the IT department contacts the SCADA system vendors, they often find that the vendors are not forthcoming with security patches—and often the vendors have limited appreciation of security as a discipline.

Most IPSes are of little use for protecting PCN/SCADA networks. The majority of IPS vendors do not have specific SCADA rules, and where they do, the rules cannot be inspected or modified to take into account local PCN environmental conditions. If an organization has developed its own process control using its own client-server software, then all bets are off regarding most IPS systems, which do not lend themselves to adding end-user rule sets. Furthermore, running inline is usually not permitted: a false positive that blocks legitimate control traffic could itself cause a life-or-death incident.

Smart Grid Networks

A smart grid is an electric grid system with two-way communications capability that allows electric utilities, as well as the commercial and residential facilities using electricity, to regulate electricity use based on need and availability. It optimizes electricity use and attempts to prevent system strains by making users aware of electricity habits, as well as alerting appliances and monitoring tools to off-peak and peak usage hours. As a result, non-urgent electricity needs can be automatically scheduled for off-peak hours, while utilities can better manage their grid systems to meet public need and avoid brown-outs.3

Smart Grid Composition

A smart grid consists of five interconnected networks. To maximize reliability, the majority of smart grid deployments are built as a mesh (similar to the Internet), rather than as a traditional point-to-point network.

Smart meters, similar to advanced metering infrastructure (AMI) meters, may be deployed as standalone devices, or they may be deployed as a gateway to a home area network (HAN) with the ability to communicate with other devices to provide power control of devices to either the home owner or the power company. The primary purposes of the smart meter are to provide provisioning actions (power connection and disconnection) and billing data.

A smart meter may talk to a home automation system or electrical devices (for example, dryers, washers, heaters, and air conditioners), and the meter needs to communicate with the smart grid network. The meter will do this by communicating through other meters or meter data aggregation points (also called the neighborhood area network or NAN). A smart meter will typically communicate to the NAN by taking the shortest path. If the meter cannot reach the aggregation point directly, it will communicate with other meters to reach the NAN.

The NAN communicates into a metropolitan area network (MAN), which may use leased wireless capability, such as 3G or 4G access, until the data is transferred onto fiber or leased line capability (wide area network or WAN) back to the head end of the smart grid.

The head end, which is also known as the EMS (energy management system)/DMS (distribution management system)/OMS (outage management system)/GIS (geographic information system) or Data Center, is where meter data management resides. The head end is where the billing information is stored, where service provisioning requests are generated to manage power consumption, and where smart grid network device management takes place. The head end is also generally connected to the power company’s (or gas or water company’s) corporate network, and as a result may also be connected to the standalone real-time SCADA network.

3 Candace Lombardi, Green Tech – “Smart Grid” Posts, “Australia Going Smart-grid,” June 9, 2010.


Figure 1. A smart grid consists of five interconnected networks—HAN, NAN, MAN, WAN, and the head end (EMS/DMS/OMS/GIS).

Security Concerns in Smart Grid Networks

The key characteristics of the smart grid—interconnectivity, two-way communications, ability to power devices on or off, and intelligence—create data privacy, integrity, and vulnerability concerns. The software, wireless sensor networks, and smart meter networks that go into a smart grid present many points of vulnerability into the network. As Alex Kirk, a research analyst with the Sourcefire Vulnerability Research Team™ (VRT), wondered when a smart meter was installed on his home:

“900MHz is an open, easily-accessed frequency here in the United States. What is there to prevent pranksters, criminals, or even Google Street View cars from accessing my meter while they drive down the street? …somebody coming along and making my meter tell the power company to up the voltage could mean my house burns down. The remote kill ability … could easily be abused to whack power to entire neighborhoods with a few keyboard strokes. Oh, and what if someone uploaded a malicious new piece of firmware to my power meter and ended up with complete control of the electricity coming into my house—or worse yet, used my meter as an access point to break into the larger electrical grid?”4

In the U.S., the National Institute of Standards and Technology (NIST) has issued two drafts of the “Smart Grid Cyber Security Strategy and Requirements” document. In security analyst Jack Danahy’s blog, he summarized the first draft of the report, dated September 2009, with:

“The draft document categorizes 15 areas of likely risk; their impacts on confidentiality, integrity, and availability; and their levels (high, medium, and low). This hierarchy and its accompanying tables permit a reader with a spreadsheet (me) to draw two conclusions about priorities in smart grid security. Conclusion 1: Integrity is the most important attribute. Conclusion 2: B2B and control system connections have the highest risk.”5

Released in February 2010, the second draft of the NIST report identified 120 interfaces that will link devices, systems, and organizations involved in a two-way flow of electricity and information, and classified these connections according to the level of damage that could result from a security breach. The first chapter of the second draft summarizes the threats as defined by 350 utilities, vendors, academics, regulators, and other stakeholders in the SGIP-CSWG (Smart Grid Interoperability Panel-Cyber Security Working Group).

“Cyber security must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. Vulnerabilities might allow an attacker to penetrate a network, gain access to control software, and alter load conditions to destabilize the grid in unpredictable ways.”6

Although work is in progress, smart grids do not currently include security standardization. Presently, only NERC (North American Electric Reliability Corporation) Critical Infrastructure Protection (CIP) standards are mandatory for the bulk electric system in North America. NIST has found at least five standards that are directly relevant to smart grid security. These include standards from NERC, IEEE (Institute of Electrical and Electronics Engineers), AMI System Security Requirements, UtilityAMI Home Area Network System Requirements, and IEC (International Electrotechnical Commission).

Internal Corporate Network

It is important to remember that the utility has its own corporate network to protect. In addition to the components specific to supporting the utility’s production system, it needs all the tools that other organizations need—Human Resources, business-to-business applications, e-mail, Intranet, software tools, and so on. The organization needs to protect its database servers, corporate finance systems, and the IT assets used by employees in the normal course of business.

Today’s networks are highly dynamic. New wireless devices, including smartphones and portable tablet devices, constantly appear and disappear. Individuals increasingly use personal computing equipment to conduct corporate tasks, blurring controls and vastly complicating the enforcement of network security policies. Network links are being established between business partners and contractors, supporting a hybrid mix of applications and technologies, further limiting visibility and understanding. At the same time, threats are constantly evolving and becoming more sophisticated. Attackers’ motivations have shifted from fame and notoriety to profit, making enterprises a key target.

4 Alex Kirk, Sourcefire VRT Blog, “Smart Grids and the Importance of Smart Security Choices,” June 26, 2010.
5 Jack Danahy, Smart Grid News Blogs – Blogging the Grid, “What’s on First? New Insights in NIST’s First Draft,” September 28, 2009.
6 John Dodge, SmartPlanet Blog, “Smart Grid Cybersecurity Vulnerabilities Identified,” February 8, 2010.

[Figure 1 labels: Home Area Network zone (HAN): proprietary, HomePlug, and 802.15.4 (ZigBee) HANs; power consumption, meter disconnect. Neighborhood Area Network zone (NAN): 900 MHz spread-spectrum mesh networks, 2.4 GHz NAN; meter data aggregation point; interval meter data, ping, event data retrieval. Metropolitan Area Network zone (MAN): 3G/4G/POTS/ISDN/VPN. Wide Area Network/Internet zone (WAN): MPLS, Frame Relay, TCP/IP; private fiber/utility lines. Head end: meter data management, EMS/DMS/OMS/GIS.]

IT security departments are challenged by the level of effort and the risks associated with securing their highly dynamic corporate networks in the face of rapidly changing threats. An increasing number of organizational policies and industry standards add further complexity, and increase the time and energy required to achieve these goals. IT departments need security solutions that will help them work smarter, not harder.

HOW THE SOURCEFIRE 3D SYSTEM CAN HELP PROTECT UTILITY NETWORKS

Sourcefire has thoroughly investigated PCN/SCADA systems and smart grid networks and believes it can help utilities protect their three types of networks. The flexibility of the Sourcefire solution enables a utility organization to standardize on a single vendor for IDS and IPS to suit the requirements of these disparate networks, even when they are being managed independently.

Protecting PCNs and SCADA Networks

How can process control networks be secured? Is there a solution that will work for smart grids as well? Will it be compatible with the corporate network security architecture? Fortunately, the answer is yes. Here is how it can be done:

• Do not use active scanners. Instead, implement a passive asset tracking (PAT) system. PAT systems determine assets by monitoring the nuances of their communications. By fingerprinting these communications and by running protocol analysis on all communications, a map of host operating systems and versions, host services and versions, and client services and versions can be determined. Once these are known, vulnerability profiles can be built for each asset on the network.

• Use IDS where possible, correlated with PAT network intelligence. Snort is an ideal IDS system for SCADA/PCN—its open rules language has enabled many third-party sources of rules. Examples include SCADA rules from Digital Bond in the U.S. and other sample rule sets published by international governments. Snort can also take third-party network asset data to enhance its operation, for example, to automatically perform detection for services running on unusual ports. Use the IDS supported by PAT data to dynamically change access control to the SCADA network—much more reliable than simple IDS.

• Implement a compliance monitoring (and enforcement) system that can detect change in the configuration of hosts. It must be able to use the PAT as a feed.

• Use a rules-based escalation system that can correlate IDS, PAT, and network behavioral analysis (NBA) data sources. In this way, you can more reliably determine in real time the extent of an intrusion and the compromises made. You can also make use of multiple data sources to enhance your reliability. For example, combining IDS and PAT means you can downgrade intrusion events that do not apply, such as Microsoft exploits against a DEC PDP11.

• Use identity monitoring systems to decode user names and correlate these with intrusion events. In this way, internal staff hacks can be reliably identified.

• Use a security monitoring system with role-based access control (RBAC) and distributed monitoring facilities so that you can give the engineers controlled access to the security data. Most engineers are distrustful of IT, believing that they can “do it better than IT.” Providing engineers with access is a great way to befriend them, and having them on your side is vital if security is to be effective.
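To make the correlation in the list above concrete, here is an added Python example (not Sourcefire code) that builds asset profiles passively from constructed traffic observations, maps a login observation to a user name, and then prioritizes IDS events against those profiles, downgrading, for instance, a Windows exploit aimed at a host fingerprinted as a PDP-11. The fingerprint tables, addresses, users and events are all made up for illustration; a real passive tracker would carry far larger fingerprint databases.

```python
"""Correlating IDS events with passive asset data and user identity (added example).

A minimal version of the correlation the brief describes. Asset profiles are
inferred passively from constructed traffic observations (TCP fingerprints
and service banners, reduced here to lookup tables), IDS events carry the
platform a signature targets, and login observations map addresses to user
names. Every table, address, user and event below is made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Passive OS guess from (initial TTL, TCP window size); illustrative values only.
OS_FINGERPRINTS = {
    (128, 8192): "Windows NT 4.0",
    (128, 64240): "Windows XP",
    (64, 65535): "Linux",
    (60, 4096): "DEC PDP-11 (TCP/IP stack)",
}

# Passive service identification from the first bytes a server sends.
BANNER_PREFIXES = {
    b"220 ": "ftp",
    b"SSH-2.0": "ssh",
    b"HTTP/1.": "http",
}


@dataclass
class Asset:
    ip: str
    os: str = "unknown"
    services: Dict[int, str] = field(default_factory=dict)
    user: Optional[str] = None


class PassiveTracker:
    """Builds asset profiles from observed traffic; never sends a packet."""

    def __init__(self):
        self.assets: Dict[str, Asset] = {}

    def _asset(self, ip):
        return self.assets.setdefault(ip, Asset(ip))

    def observe_syn(self, ip, ttl, window):
        os_guess = OS_FINGERPRINTS.get((ttl, window))
        if os_guess:
            self._asset(ip).os = os_guess

    def observe_banner(self, ip, port, data: bytes):
        for prefix, name in BANNER_PREFIXES.items():
            if data.startswith(prefix):
                self._asset(ip).services[port] = name

    def observe_login(self, ip, user):
        """E.g. from a directory or telnet login decoded on the wire."""
        self._asset(ip).user = user


def correlate(tracker: PassiveTracker, events):
    """Score IDS events against the asset map.

    Each event is {"sig", "src", "dst", "target_os", "port"}. Events whose
    target platform does not match the passively observed OS, or whose port
    runs no observed service, are downgraded; events against hosts the
    tracker has never seen cannot be ruled out and stay at medium; the rest
    are escalated and tagged with the source user where one is known.
    """
    results = []
    for ev in events:
        dst = tracker.assets.get(ev["dst"])
        src = tracker.assets.get(ev["src"])
        if dst is None:
            priority = "medium"   # unknown host: nothing to rule the event out on
        elif not dst.os.startswith(ev["target_os"]):
            priority = "low"      # e.g. a Windows exploit aimed at a PDP-11
        elif ev["port"] not in dst.services:
            priority = "low"      # nothing observed listening on that port
        else:
            priority = "high"
        results.append({
            "priority": priority,
            "sig": ev["sig"],
            "src": ev["src"],
            "src_user": src.user if src else None,
            "dst": ev["dst"],
            "dst_os": dst.os if dst else "unknown",
        })
    return results
```

The "medium" branch matters on a PCN: a host the tracker has never seen may be a legacy device that rarely talks, so an event against it should be queued for a human rather than silently downgraded.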

One commercial solution that provides all of the above is the Sourcefire 3D System. Snort is the detection engine of Sourcefire IPS™ and is fully extensible, capable of running custom or third-party rule sets. Sourcefire Real-time Network Awareness (RNA®) is the passive asset tracking (PAT) system. RNA combines process, flow, and protocol analysis with white-listing (flagging any communication that falls outside the expected control protocols, such as Modbus and DNP3), adding an assurance layer and a real-time audit trail that runs alongside the control system’s own reporting. Sourcefire Real-time User Awareness (RUA®) provides the identity monitoring and integration. Sourcefire Defense Center® acts as the “PLC” of the security system, providing rules-based escalation, NBA, compliance monitoring and enforcement, and RBAC.

As an example, the following diagram shows a simple PCN with servers, workstations, switches, and a network tap (or switch SPAN port) feeding the Sourcefire 3D Sensor. The 3D Sensor is running IPS, RNA, and RUA. Remote sensors like the one depicted in Figure 2 report to the Defense Center.

Figure 2. The Sourcefire 3D System protects a PCN/SCADA system.


We previously mentioned that change management criteria in a PCN/SCADA environment are very strict. By using RNA, you can passively monitor your network without concern about older hosts that cannot handle agents being installed on them or the ramifications of change management.

We also mentioned that availability is a key requirement for PCNs/SCADA networks. Staff are forced to deal with a security breach without taking down the network. RNA can help discover covert channels, and Snort provides the ability to quickly deploy custom rules to shut down these channels.

Protecting Smart Grids

Smart grids are a collection of embedded devices built to use efficient, resilient protocols designed to carry messages relating to service provisioning and power consumption over IP to and from the head end. However, loss-of-control incidents and weak device and communication protocols have shown that the smart meter network is vulnerable. Smart meter manufacturers should continue to improve their embedded security, but securing the meter is extremely challenging. First-generation smart grid systems require layered security because many were not constructed with security in mind.

Instead of trying to secure the smart meter, a better approach is to validate the data entering and exiting the server end (head end) of the smart grid. Sourcefire can accomplish this using a combination of the following approaches:

• The smart grid network requires high throughput of small packet sizes, while most of the traffic entering the network is encrypted. Sourcefire offers a range of multi-gigabit IDS/IPS appliances (1Gbps to 20Gbps with clustering) with a high detection rate. The Sourcefire SSL Appliance provides the ability to inspect SSL-encrypted messages traversing from the smart grid in and out of the head end, which is typically TCP COPS (Common Open Policy Service) traffic or SSL-based XML/web services traffic.

• With passive monitoring, Sourcefire RNA provides the ability to detect behavior changes in real time. With the ability to customize RNA to provide specific protocol detection for each unique smart grid deployment, RNA provides smart grid customers with the ability to immediately detect covert channels traversing the head end from the smart grid and likewise validate provisioning requests from the head end onto the smart grid. In addition, RNA’s ability to profile back-end systems, such as provisioning and billing systems, which run commercial off-the-shelf components such as Apache web servers, Linux, and SQL databases, adds value in protecting core systems.

• The powerful Snort IDS/IPS detection engine provides protection to both the head end and the smart grid for known vulnerabilities. In addition, in the case of a successful breach, Snort provides the ability for the organization to quickly deploy a custom rule or rules to shut down any covert communication channels.

The Sourcefire approach enables the utility to quickly detect covert channels operating on the smart grid to and from the head end without disrupting the grid itself. This places a priority on availability over confidentiality and integrity—that is, the grid itself may be compromised, but the Sourcefire solution will protect the head end, enabling the grid to function without compromising the billing or provisioning systems.
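The head-end validation described above comes down to a policy: meter traffic that reaches the head end, and provisioning traffic that leaves it, must use the expected protocols and ports, and anything else is a candidate covert channel. The following Python script is an added example, not Sourcefire or Snort code, that applies such a policy to a handful of constructed flow records and then emits equivalent Snort-style rules from the same allow list. The meter (NAN) and head-end address blocks are hypothetical, and COPS is assumed to run on its registered TCP port 3288 alongside TLS web services on TCP 443.

```python
"""Head-end traffic policy check for a smart grid (added example; not vendor code).

Assumptions, all constructed for this example:
  - meters live in the NAN block 10.20.0.0/16 (hypothetical)
  - the head end is 10.1.1.0/24 (hypothetical)
  - legitimate meter <-> head-end traffic is COPS (TCP 3288) or TLS web services (TCP 443)
"""
import ipaddress
from dataclasses import dataclass

NAN_NET = ipaddress.ip_network("10.20.0.0/16")     # hypothetical meter network
HEADEND_NET = ipaddress.ip_network("10.1.1.0/24")  # hypothetical head end
ALLOWED = {("tcp", 3288), ("tcp", 443)}            # COPS and TLS web services


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-export line of the form 'proto src sport dst dport'."""
    proto, src, sport, dst, dport = line.split()
    return Flow(proto.lower(), src, int(sport), dst, int(dport))


def classify(flow: Flow) -> str:
    """Return 'ok', or a reason string describing why the flow violates the head-end policy."""
    src_ip = ipaddress.ip_address(flow.src)
    dst_ip = ipaddress.ip_address(flow.dst)
    service = (flow.proto, flow.dport)
    if src_ip in NAN_NET and dst_ip in HEADEND_NET:
        if service in ALLOWED:
            return "ok"
        return f"meter {flow.src} -> head end on unexpected {flow.proto}/{flow.dport} (possible covert channel)"
    if src_ip in HEADEND_NET and dst_ip in NAN_NET:
        # provisioning from the head end must also use an approved service port
        if service in ALLOWED:
            return "ok"
        return f"head end {flow.src} -> meter {flow.dst} on unexpected {flow.proto}/{flow.dport} (unvalidated provisioning)"
    if src_ip in NAN_NET:
        return f"meter {flow.src} -> non-head-end host {flow.dst} ({flow.proto}/{flow.dport})"
    if dst_ip in NAN_NET:
        return f"non-head-end host {flow.src} -> meter {flow.dst} ({flow.proto}/{flow.dport})"
    return "ok"  # traffic that does not involve the meter network is out of scope here


def audit(lines):
    """Run every flow line through the policy; return a list of (line, reason) violations."""
    violations = []
    for line in lines:
        reason = classify(parse_flow(line))
        if reason != "ok":
            violations.append((line, reason))
    return violations


def snort_rules(sid_base: int = 1000001):
    """Express the same allow list as Snort 2 style rules (hypothetical $NAN_NET/$HEADEND_NET vars)."""
    ports = ",".join(str(p) for _, p in sorted(ALLOWED))
    return [
        f'alert tcp $NAN_NET any -> $HEADEND_NET ![{ports}] (msg:"Smart grid meter to head end on unapproved port"; '
        f"flow:to_server,established; sid:{sid_base}; rev:1;)",
        f'alert tcp $HEADEND_NET any -> $NAN_NET ![{ports}] (msg:"Head end to meter on unapproved port"; '
        f"flow:to_server,established; sid:{sid_base + 1}; rev:1;)",
        f'alert udp $NAN_NET any -> $HEADEND_NET any (msg:"Smart grid meter to head end over UDP"; sid:{sid_base + 2}; rev:1;)',
    ]


# Constructed flow records: two legitimate meter sessions, one provisioning session, three violations.
SAMPLE_FLOWS = [
    "tcp 10.20.5.17 51234 10.1.1.10 3288",   # COPS to the head end: ok
    "tcp 10.20.5.18 51235 10.1.1.11 443",    # TLS web service to the head end: ok
    "tcp 10.1.1.12 40000 10.20.5.20 443",    # provisioning from the head end: ok
    "udp 10.20.5.19 53000 10.1.1.10 53",     # DNS into the head end: not an approved service
    "tcp 10.20.5.21 44444 10.1.1.10 22",     # SSH into the head end: not an approved service
    "tcp 10.20.5.22 40001 203.0.113.5 443",  # meter talking to something other than the head end
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {line}: {reason}")
    print("\n".join(snort_rules()))
```

In a deployment the flow lines would come from the sensor's own flow records and the address variables would be defined in the Snort configuration; the script keeps the policy in one place so the passive check and the rule set cannot drift apart.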

Protecting the Internal Corporate Network

The same points listed in the “Protecting PCNs and SCADA Networks” section apply to protecting a utility’s own internal corporate network. Utilities can use the Sourcefire 3D System to protect their dynamically changing corporate networks by:

• Using RNA—24x7, passive network intelligence that stores a real-time inventory of operating systems, services, applications, protocols, and potential vulnerabilities that exist on the network. RNA is deployable on both physical and virtual Sourcefire 3D Sensors.

• Using Sourcefire IPS correlated with RNA’s real-time network intelligence. RNA reduces workload in maintaining and tuning an IPS (automated IPS tuning and prioritized intrusion alerts), detects network configuration changes and traffic anomalies, and monitors and enforces compliance.

Figure 3. Sourcefire supports a “defense-in-depth” intrusion prevention strategy with physical or virtual Sourcefire 3D Sensors running IPS, RNA, and RUA positioned in all areas of the network. Sourcefire Defense Center orchestrates all event aggregation, analysis, and IPS policy management.


©2010 Sourcefire, Inc. All rights reserved. SOURCEFIRE®, Snort®, the Sourcefire logo, the Snort and Pig logo, SOURCEFIRE 3D®, RNA®, SOURCEFIRE DEFENSE CENTER®, SOURCEFIRE RUA®, CLAMAV®, SECURITY FOR THE REAL WORLD™, DAEMONLOGGER™, and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.

www.sourcefire.com 10.10 | REV1

• Using RUA—a technology that quickly links user identity to security and compliance events. RUA provides increased visibility into specific user activity in enterprise networks.

• Using the Sourcefire Defense Center management console. Defense Center orchestrates all event aggregation, event analysis, and IDS/IPS policy management.
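The two RNA-related bullets above describe a passive inventory of hosts and services that is diffed over time to detect configuration changes, and that is consulted when an intrusion alert fires so the alert can be prioritized by whether the target actually exposes what the signature hits. The Python below is an added example, not RNA or Sourcefire code, that shows that logic on constructed observation records of the form "host os service application"; the addresses, operating systems and services are all made up for the example.

```python
"""Passive inventory, change detection and alert prioritization (added example; not vendor code).

Observation lines are constructed for this example: 'host os service application'.
"""


def build_inventory(observations):
    """Fold passive observations into {host: {"os": str, "services": {service: application}}}."""
    inventory = {}
    for line in observations:
        host, os_name, service, app = line.split()
        entry = inventory.setdefault(host, {"os": os_name, "services": {}})
        if os_name != "unknown":
            entry["os"] = os_name  # a later fingerprint refines an earlier 'unknown'
        entry["services"][service] = app
    return inventory


def diff_inventory(baseline, current):
    """Report hosts and services that appeared, disappeared or changed between two snapshots."""
    changes = []
    for host in sorted(current.keys() - baseline.keys()):
        changes.append(("new_host", host, None))
    for host in sorted(baseline.keys() - current.keys()):
        changes.append(("removed_host", host, None))
    for host in sorted(baseline.keys() & current.keys()):
        old, new = baseline[host], current[host]
        if old["os"] != new["os"]:
            changes.append(("os_changed", host, f'{old["os"]} -> {new["os"]}'))
        for svc in sorted(new["services"].keys() - old["services"].keys()):
            changes.append(("new_service", host, f'{svc} {new["services"][svc]}'))
        for svc in sorted(old["services"].keys() - new["services"].keys()):
            changes.append(("removed_service", host, svc))
    return changes


def prioritize_alert(inventory, target, affected_service, affected_os=None):
    """Rank an intrusion alert by what the inventory knows about its target.

    Returns 'high' when the target runs the affected service (and the affected OS, when the
    signature is OS-specific), 'low' when the inventory shows it cannot be affected, and
    'unknown' when the host has never been observed passively.
    """
    host = inventory.get(target)
    if host is None:
        return "unknown"
    if affected_service not in host["services"]:
        return "low"
    if affected_os and host["os"] != "unknown" and host["os"] != affected_os:
        return "low"
    return "high"


# Constructed snapshots: yesterday's baseline and today's observations.
BASELINE_OBS = [
    "10.5.1.20 Windows tcp/445 SMB",
    "10.5.1.20 Windows tcp/3389 RDP",
    "10.5.1.30 Linux tcp/80 Apache",
    "10.5.1.30 Linux tcp/22 OpenSSH",
    "10.5.1.40 Linux tcp/3306 MySQL",
]
CURRENT_OBS = [
    "10.5.1.20 Windows tcp/445 SMB",
    "10.5.1.20 Windows tcp/3389 RDP",
    "10.5.1.20 Windows tcp/8081 unknown",  # new listener on a workstation
    "10.5.1.30 Linux tcp/80 Apache",       # SSH no longer seen
    "10.5.1.40 Linux tcp/3306 MySQL",
    "10.5.1.50 unknown tcp/23 Telnet",     # host that was not in the baseline
]

if __name__ == "__main__":
    base, now = build_inventory(BASELINE_OBS), build_inventory(CURRENT_OBS)
    for change in diff_inventory(base, now):
        print(change)
    # an SMB signature firing against the Linux web server is noise; against the workstation it is not
    print(prioritize_alert(now, "10.5.1.30", "tcp/445", "Windows"))
    print(prioritize_alert(now, "10.5.1.20", "tcp/445", "Windows"))
```

The same inventory that produces the change report drives the prioritization, which is the point the bullets make: an IPS that knows what the target runs can rank alerts instead of leaving every one for an analyst to triage.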

SUMMARY AND CONCLUSIONS

The Sourcefire 3D System helps to address the unique security challenges faced by today’s utilities companies. The flexibility of the 3D System enables a utility organization to standardize on a single vendor for IDS/IPS to suit the requirements of its three different networks—process control networks/SCADA systems, smart grid networks, and internal corporate networks—even though they may be managed independently.

Sourcefire’s key benefits for utilities include:

• Sourcefire IPS correlated with RNA’s passive, real-time network monitoring intelligence provides automated IPS tuning and prioritized intrusion alerts, detects network configuration changes and traffic anomalies, and monitors and enforces compliance.

• Sourcefire RUA quickly links user identity to security and compliance events.

• Sourcefire Defense Center provides rules-based escalation, network behavior analysis, compliance monitoring and enforcement, and role-based access control.

• Sourcefire offers a range of IDS/IPS appliances (5Mbps to 20Gbps with clustering) with a high detection rate.

• With RNA, users can passively monitor PCN/SCADA networks without concern about older hosts that cannot handle agents being installed on them or the proper QA of change management.

• To maintain availability of PCNs/SCADA systems, RNA can quickly discover covert channels, and Snort provides the ability to quickly deploy custom rules to shut down these channels.

• The Sourcefire SSL Appliance provides the ability to inspect SSL-encrypted messages traversing from the smart grid in and out of the head end.

• RNA provides smart grid customers with the ability to immediately detect covert channels traversing the head end from the smart grid and likewise validate provisioning requests from the head end onto the smart grid.

• The Snort IDS/IPS detection engine, created by Sourcefire, provides protection to both the head end and the smart grid for known vulnerabilities. If there is a successful breach, Snort provides the ability for an organization to quickly deploy a custom rule or rules to shut down any covert communication channels. The ease of being able to write custom rules ensures that network traffic complies with known parameters and the 3D System raises an alert if it changes.

For additional information about securing critical infrastructures, view the “Meeting and Exceeding NERC Requirements” fact sheet available on the Sourcefire website and from your local Sourcefire representative. To learn more about Sourcefire cybersecurity solutions for utilities, visit us at www.sourcefire.com or contact Sourcefire or a Sourcefire Global Security Alliance channel partner today.

ACRONYM GLOSSARY

AMI: advanced metering infrastructure

CCS: critical control system

COPS: Common Open Policy Service

DMS: data management system

DNP: Distributed Network Protocol

EMS: energy management system

GIS: geographic information system

HAN: home area network

HMI: human-machine interface

IEC: International Electrotechnical Commission

IEEE: Institute of Electrical and Electronics Engineers

MAN: metropolitan area network

NAN: neighborhood area network

NERC: North American Electric Reliability Corporation

NIST: National Institute of Standards and Technology

OMS: outage management system

PAT: passive asset tracking

PCN: process control network

PID: proportional–integral–derivative

PLC: programmable logic controller

RBAC: role-based account management

RTU: remote terminal unit

SCADA: supervisory control and data acquisition

SGIP–CSWG: Smart Grid Interoperability Panel–Cyber Security Working Group

WAN: wide area network