This document discusses how Crypto-Flow segmentation and encryption can help organizations comply with various security standards and regulations. It provides examples of how Crypto-Flow can be used to encrypt data in transit for ISO27001, PCI-DSS, IEC 62443, NESA, and the Cloud Security Alliance guidelines. It also outlines best practices for key management and testing the security of implemented encryption controls.
3. Crypto-Flow / ISO27001:2013
• On mobile devices such as laptops and Smartphones
• For authorised use of removable media such as USB memory sticks
• Where classified data is transmitted across communications lines that extend beyond the boundaries of the organization, e.g. over the Internet, Extranet…
4. Crypto-Flow / ISO27001:2013
Process/Situation | Technique | Specific Guidance
E-Commerce transactions over the Internet | Symmetric encryption using SSL/TLS (asymmetric techniques used to share the session key) | RSA to be used for public key cryptography. Certificates to be obtained from Thawte
Protection of data on removable media | Symmetric encryption using TrueCrypt | AES-256 encryption to be used where available
Protection of passwords on systems | All passwords must be hashed | MD5 hashing to be used where available
Email Security | Symmetric/asymmetric encryption using S/MIME | Features available in MS Outlook should be used to simplify the process
Remote Access | Virtual Private Network (VPN) using SSL | An SSL VPN may be used where permitted by the Network Security Policy
5. Crypto-Flow / ISO27001:2013
Testing and Validation of Implemented Control Objectives:
Once deployed, it is critical that the security of the encryption be tested under conditions as realistic as possible in order to identify any weaknesses. Such testing should cover the use of:
• commonly-available software tools to try to break the encryption
• social engineering methods to try to discover the key
• interception of encrypted data at various points in its transmission
6. Crypto-Flow / ISO27001:2013
Key Management
• Key generation (HSM Integration)
• Distribution of keys to point of use
• Storage at point of use
• Backup as protection against loss
• Recovery in the event of loss
• Updating keys once expired
• Revoking if compromised
• Archiving once expired
• Destroying when no longer required
• Logging and auditing of key management related activities
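The lifecycle bullets above read as a checklist, but in practice they are a state machine: a key moves from generation through active use to expiry, revocation, archiving and destruction, and each step has to leave an audit record. The following is an added example, not Crypto-Flow or Certes Networks code; it models that lifecycle in plain Python with explicit states, refuses illegal transitions (a destroyed key can never be put back into service) and logs every action without ever writing key material to the log. The state names, the 90-day lifetime, the in-memory backup store and the use of `secrets.token_bytes` in place of HSM-backed generation are all assumptions made for the example.

```python
"""Key lifecycle state machine with an audit trail.

Added example (not Crypto-Flow or Certes Networks code). Each lifecycle
activity from the slide is an explicit state or action, illegal transitions
are refused, and every action is appended to an audit log. State names, the
90-day lifetime and the in-memory backup store are assumptions.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Legal transitions (assumed lifecycle modelled on the slide's bullets).
TRANSITIONS = {
    "generated": {"active"},
    "active": {"expired", "revoked"},
    "expired": {"archived", "destroyed"},
    "revoked": {"archived", "destroyed"},
    "archived": {"destroyed"},
    "destroyed": set(),
}


@dataclass
class ManagedKey:
    key_id: str
    material: bytes | None  # None once destroyed
    expires: datetime
    state: str = "generated"


class KeyManager:
    def __init__(self) -> None:
        self._keys: dict[str, ManagedKey] = {}
        self._backup: dict[str, bytes] = {}  # stand-in for an encrypted escrow store
        self.audit: list[dict] = []

    def _log(self, key_id: str, event: str, **detail) -> None:
        # Audit entries carry at most a fingerprint, never key material.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "key_id": key_id, "event": event, **detail})

    def _transition(self, key: ManagedKey, new_state: str, **detail) -> None:
        if new_state not in TRANSITIONS[key.state]:
            self._log(key.key_id, "rejected", from_state=key.state, to_state=new_state)
            raise ValueError(f"{key.key_id}: {key.state} -> {new_state} is not allowed")
        self._log(key.key_id, new_state, from_state=key.state, **detail)
        key.state = new_state

    def generate(self, key_id: str, lifetime_days: int = 90) -> ManagedKey:
        material = secrets.token_bytes(32)  # stands in for HSM-backed generation
        expires = datetime.now(timezone.utc) + timedelta(days=lifetime_days)
        key = ManagedKey(key_id, material, expires)
        self._keys[key_id] = key
        self._log(key_id, "generated",
                  fingerprint=hashlib.sha256(material).hexdigest()[:16])
        return key

    def distribute(self, key_id: str) -> None:
        """Deliver the key to its point of use, then take the backup copy."""
        key = self._keys[key_id]
        self._transition(key, "active", endpoint="point-of-use")
        self._backup[key_id] = key.material
        self._log(key_id, "backed_up")

    def recover(self, key_id: str) -> bytes:
        """Restore lost material from backup; only keys still in service qualify."""
        key = self._keys[key_id]
        if key.state != "active":
            raise ValueError(f"{key_id}: cannot recover a key in state {key.state}")
        key.material = self._backup[key_id]
        self._log(key_id, "recovered")
        return key.material

    def rotate(self, key_id: str, successor_id: str) -> ManagedKey:
        """Expire the current key and put a freshly generated successor into service."""
        self._transition(self._keys[key_id], "expired")
        new = self.generate(successor_id)
        self.distribute(successor_id)
        self._log(key_id, "superseded_by", successor=successor_id)
        return new

    def revoke(self, key_id: str, reason: str) -> None:
        self._transition(self._keys[key_id], "revoked", reason=reason)

    def archive(self, key_id: str) -> None:
        """Keep expired or revoked material for reading old records, not for new use."""
        self._transition(self._keys[key_id], "archived")

    def destroy(self, key_id: str) -> None:
        key = self._keys[key_id]
        self._transition(key, "destroyed")
        key.material = None
        self._backup.pop(key_id, None)  # the backup copy is destroyed too

    def state(self, key_id: str) -> str:
        return self._keys[key_id].state

    def material(self, key_id: str) -> bytes | None:
        return self._keys[key_id].material

    def events(self, key_id: str) -> list[str]:
        return [e["event"] for e in self.audit if e["key_id"] == key_id]


def demo() -> KeyManager:
    """Walk one conduit key through the full lifecycle (key ids are constructed)."""
    km = KeyManager()
    km.generate("conduit-hmi-plc-v1")
    km.distribute("conduit-hmi-plc-v1")
    km.rotate("conduit-hmi-plc-v1", "conduit-hmi-plc-v2")  # scheduled update
    km.archive("conduit-hmi-plc-v1")
    km.revoke("conduit-hmi-plc-v2", reason="suspected compromise")
    km.destroy("conduit-hmi-plc-v2")
    return km
```

Running `demo()` and printing `km.audit` shows one entry per lifecycle action, including the `rejected` entry that is written whenever someone attempts an illegal transition, which is the kind of event a reviewer of the audit trail would want to see rather than have silently ignored.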
8. Crypto-Flow / PCI-DSS v3
Crypto-Flow Network Segmentation (helps reduce the scope of PCI-DSS)
9. Crypto-Flow / PCI-DSS v3
• Encryption Overlay Network
• Not rip-and-replace: re-engineer existing networks to isolate the CDE
• Ease of Deployment – managed encryption with a simple GUI-based policy and key management server
• Certes Networks uses strong cryptography and simple, flexible policies to isolate areas of the network without changing the physical or logical network topology.
• This protection is stronger than traditional firewall-based approaches because it isolates the network using encryption rather than relying only on the packet headers.
11. Security Zone Definition
• “Security zone: grouping of logical or physical assets that share common security requirements.” [ANSI/ISA-99.01.01–2007, 3.2.116]
– A zone has a clearly defined border (either logical or physical), which is the boundary between included and excluded elements.
[Diagram: HMI Zone and PLC Zone]
12. Conduits
• A conduit is a path for the flow of data between two zones.
– It can provide the security functions that allow different zones to communicate securely.
– Any communications between zones must have a conduit.
[Diagram: HMI Zone and PLC Zone connected by a Conduit]
13. Protecting the Network with Zones and Conduits
• A firewall in each conduit will allow only the MINIMUM network traffic necessary for correct plant operation
[Diagram: HMI Zone and PLC Zone connected by a Conduit containing a Firewall]
14. Firewalls: Current Attempt at Security
[Diagram: firewalls deployed on a shared SCADA network]
• Firewalls
– Deployed with equipment
– Inspects network traffic
• Challenges
– No integrity protection of data
– No protection against data replay, injection, or modification
– Hard to dynamically adjust policies to allow zone-based access – static configuration
– Once deployed – retained
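The zone and conduit slides describe what a conduit should allow (the minimum flows the plant needs), and this slide lists what a packet-filtering firewall in that conduit cannot do: it sees addresses and ports, so it has no way to tell a modified, replayed or unkeyed frame from a genuine one. The following is an added example, not Crypto-Flow or Certes Networks code, that puts both points side by side. Zones are address ranges, a conduit carries a default-deny allowlist of (protocol, port) pairs, and each frame is authenticated with HMAC-SHA256 over the addressing, a sequence number and the payload. The same scenarios are run through a header-only check and through the authenticated conduit so the difference is visible. Zone addresses, the Modbus/TCP port 502 flow, the key and the monotonic sequence-number replay check are constructed simplifications; the example authenticates only and does not encrypt the payload, so it shows the integrity and anti-replay half of what an encryption overlay provides.

```python
"""Zones, conduits and authenticated conduit traffic.

Added example (not Crypto-Flow or Certes Networks code). A header-only filter
accepts any frame whose addresses and port match the rule; a conduit that
authenticates each frame (HMAC-SHA256 over addressing, sequence number and
payload) rejects modified, replayed and unkeyed traffic. Zones, addresses,
the key and the sequence-number replay check are constructed simplifications.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

SEQ_LEN = 4   # 32-bit big-endian sequence number
TAG_LEN = 32  # HMAC-SHA256 tag


@dataclass(frozen=True)
class Zone:
    name: str
    cidr: str

    def contains(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr)


def _aad(src_ip: str, dst_ip: str, proto: str, port: int) -> bytes:
    """Addressing bound into the tag so a frame cannot be re-addressed."""
    return f"{src_ip}>{dst_ip}/{proto}:{port}".encode()


def seal_frame(key: bytes, src_ip: str, dst_ip: str, proto: str, port: int,
               seq: int, payload: bytes) -> bytes:
    """Sender side: seq || payload || HMAC(key, addressing || seq || payload)."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, _aad(src_ip, dst_ip, proto, port) + header + payload,
                   hashlib.sha256).digest()
    return header + payload + tag


@dataclass
class Conduit:
    """Path between two zones; only the listed (proto, port) flows are allowed."""
    src: Zone
    dst: Zone
    allowed: frozenset  # the minimum traffic needed for plant operation
    key: bytes          # shared conduit key issued by key management
    last_seq: int = -1  # highest sequence number accepted so far

    def header_ok(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        """All a stateless firewall in the conduit can check: addresses and ports."""
        return (self.src.contains(src_ip) and self.dst.contains(dst_ip)
                and (proto, port) in self.allowed)

    def verify(self, src_ip: str, dst_ip: str, proto: str, port: int,
               frame: bytes) -> tuple[bool, str]:
        """Receiver side: policy first, then integrity, then replay."""
        if not self.header_ok(src_ip, dst_ip, proto, port):
            return False, "no conduit permits this flow"
        if len(frame) < SEQ_LEN + TAG_LEN:
            return False, "truncated frame"
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, _aad(src_ip, dst_ip, proto, port) + header + payload,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag: modified or not sent with the conduit key"
        (seq,) = struct.unpack(">I", header)
        if seq <= self.last_seq:
            return False, "replay"
        self.last_seq = seq
        return True, "accepted"


def run_scenarios() -> dict[str, tuple[bool, bool, str]]:
    """Returns {case: (header filter accepts, authenticated conduit accepts, reason)}."""
    hmi = Zone("HMI Zone", "10.1.0.0/24")  # constructed addressing
    plc = Zone("PLC Zone", "10.2.0.0/24")
    key = b"\x11" * 32                     # constructed; would come from key management
    conduit = Conduit(hmi, plc, frozenset({("tcp", 502)}), key)
    hmi_host, plc_host = "10.1.0.5", "10.2.0.10"
    read_req = b"read holding registers 0-9"  # constructed payload
    results: dict[str, tuple[bool, bool, str]] = {}

    def case(name, src, dst, proto, port, frame):
        ok, reason = conduit.verify(src, dst, proto, port, frame)
        results[name] = (conduit.header_ok(src, dst, proto, port), ok, reason)

    first = seal_frame(key, hmi_host, plc_host, "tcp", 502, 1, read_req)
    case("legitimate", hmi_host, plc_host, "tcp", 502, first)
    case("legitimate-next", hmi_host, plc_host, "tcp", 502,
         seal_frame(key, hmi_host, plc_host, "tcp", 502, 2, read_req))
    case("replayed", hmi_host, plc_host, "tcp", 502, first)
    # Payload altered in transit: addresses and port unchanged, tag no longer matches.
    tampered = first[:SEQ_LEN] + b"write" + first[SEQ_LEN + 5:]
    case("modified", hmi_host, plc_host, "tcp", 502, tampered)
    # A host inside the HMI address range that was never issued the conduit key.
    unkeyed = seal_frame(b"\x22" * 32, "10.1.0.99", plc_host, "tcp", 502, 3, read_req)
    case("unkeyed-host", "10.1.0.99", plc_host, "tcp", 502, unkeyed)
    # A flow outside the conduit's minimum: both checks refuse it.
    case("wrong-port", hmi_host, plc_host, "tcp", 22, first)
    return results
```

The header-only column comes out `True` for the replayed, modified and unkeyed frames, which is exactly the gap listed on this slide; the authenticated conduit rejects all three and still refuses the out-of-policy port, so the allowlist does the zoning and the tag does the integrity work. A production conduit would use a sliding receive window rather than a strictly increasing counter, and would encrypt the payload as well as authenticate it.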
15. VLANs: Current Attempt at Isolation
[Diagram: VLAN 123 defined across a shared SCADA network]
• VLAN
– Defined across Shared ICS Network
– Terminates at individual network ports
– High cost per managed port
• Challenges
– Security configuration embedded in core network
– Secure perimeter – no internal security
– Security through switching
– No visibility by users
– Change management is difficult
17. The Purdue Model – Secure Architecture
[Diagram: Purdue Model levels 4, 3.5 (DMZ & Firewalls), 3, 2 and 1, showing the Business Network, UPS Clients, PHD Shadow Server, PHD Buffer Server, Data Collector, EPKS Server and DCS Servers]
– Data is given to the users (PHD Clients) from the Shadow Server.
– PHD Buffer Server: collects the data from the Experion or DCS servers.
– Data Collector: collects the data from controllers, pumps, valves etc.
– Clients from the network cannot request data from the Data Collector directly.
20. Cloud Security Alliance
Cloud Security Alliance Guide v3
• Domain 11: Encryption and Key Management
• Some key points:
– Data in Motion (not at Rest)
– Content Aware Encryption
– User Aware Encryption
– Format Preservation
• Common use cases:
– Cloud Hosting Provider (Public or Private Usage)
– vCEP Deployment
– User Aware Encryption
– A Virtual Encrypted Overlay from your DC to the cloud
21. Shah H Sheikh – Sr. Security Solutions Consultant
MEng CISSP CISA CISM CRISC CCSK
shah@dts-solution.com