Secure Gateways

Radiflow’s secure gateways include the full-featured iSEG RF-3180 for critical operational units, the iSEG RF-3180 for small remote sites that require a secure connection to a limited number of devices, and the iSIM Industrial Service Management Tool for managing arrays of secure gateways.

iSEG RF-3180: Secure Gateway for Remote Sites and Substations

The iSEG RF-3180 secures both M2M (Machine to Machine) and H2M (Human to Machine) traffic by incorporating DPI (Deep-Packet Inspection) capability for analyzing SCADA network traffic.

Once connected to the OT (SCADA/ICS) network, the iSEG RF-3180 immediately begins to gather information from across the network (devices, behaviors, etc.) and suggest editable firewall rules. Upon detecting an anomaly the 3180 will automatically generate alerts, block the abnormal activity and isolate any affected sub-networks.

To facilitate NERC CIP V6 compliance, the iSEG RF-3180 includes an APA (Authentication Proxy Access). It grants authenticated users access to predefined devices and functions, all fully logged. Integration with a physical identity server system also allows other authentication methods, e.g. magnetic card.

Radiflow’s whitelist-based, distributed DPI firewall ensures uninterrupted control over the network. Installed at every port for both Serial and Ethernet traffic, meaning that every access point at the remote site is firewalled. Each SCADA protocol packet is validated by the firewall engine not only for its source and destination, but also for its protocol and packet content. The distributed firewall structure enables the creation of a unique firewall at each access point on the network, which is especially important for securing insider attack.

Implementation

iSEG RF-1031 Secure Gateway

The iSEG RF-1031 Secure Gateway was designed for small remote sites that require a secure connection to a limited number of devices. It offers security solutions for both M2M (Machine to Machine) and H2M (Human to Machine) traffic by incorporating a DPI (Deep-Packet Inspection) firewall, as well as a user-identity firewall.

Features:

• Authentication proxy: Compliance with NERC CIP V6 via APA (Authentication Proxy Access) for network access management
• IP SCADA firewall: DPI firewall or monitoring all network traffic and managing physical and remote access control systems
• Secure VPN connectivity: Communication with central site via IPsec VPN over cellular & fiber with X.509 certificates
• Resilient network uplink: Connectivity via LAN or Cellular Modem with dual SIM for HSPA +/ LTE CDMA 450MHz
• SCADA protocols gateway: Validation by the firewall for source, destination, protocol and packet content
• Fit for harsh environments: Radiflow’s iSEG 1031 was designed for operation under harsh temperature and radiation conditions

iSIM Management Tool for iSEG Secure Gateways

iSIM is an intuitive network management tool for Radiflow’s secure ruggedized gateways installed at remote sites and substations. iSIM provides a real-time view of all networked devices and allows combining devices on disparate networks into a single group for simple cross-network maintenance, thus increasing the cost-effectiveness of the operator’s overall cybersecurity operation.

iSIM significantly simplifies OS upgrading by creating device groups and allowing for group batch provisioning (accompanied by a detailed report upon completion.) iSIM periodically backs up device configurations to the server. This backup can be used to restore the configuration of devices that had been misconfigured due to human error, or should a physical replacement of a device be needed.

Security

Radiflow’s devices offer advanced security features such as a distributed firewall and task-based validation of human-to-machine (H2M) sessions. This enables granting access to only specific end-devices without exposing the entire network. All user access and activities are fully logged.

Radiflow’s distributed firewall enables enforcing security profiles across the network according to predetermined policies. iSIM translates the security profiles into firewall rules, which are automatically uploaded to the secure gateways across the network. This ensures that the same profiles are used across the network.

When service maintenance is needed but granting access to the entire network is not acceptable, Radiflow’s APA (Authentication Proxy Agent) allows setting a time window for accessing a specific device via the distributed firewall.

iSIM enables selecting specific Radiflow devices on the network and creating custom firewall rules for each device. This in effect creates, during the allotted time window, a direct tunnel from the technician’s PC to the specific SCADA device (PLC, IED, RTU, etc.) without exposed the entire network. At the end of the access window a detailed log file is generated with all of the technician’s operations.

Diagnostics

• iSIM provides a map view of the network topology, divided into sub-networks, indicating each edge device (by Radiflow or otherwise) such as PLCs, RTUs etc.
• Events reported to iSIM by Radiflow’s networked devices are presents in an aggregate view.
• Operational alerts are prioritized and color-coded, and presented graphically as map links. The user is able to filter alerts by severity, protocol and more.

Traffic analysis tools:

• Log files with all violations
• Log files for the maintenance process
• Traffic statistics of links in the network
• Performance-over-time graphs for selected links

Features:

• Cross-network maintenance: Combine multiple iSEG Secure gateways on different networks into maintenance groups for easy batch OS upgrades
• Security violation alerting: Filterable, prioritized security alerts from across all managed gateways, with all required exception details
• User-access management: Security profiles are converted into firewall rules, which are automatically uploaded to the secure gateways
• Automatic database backup: Automatic backup of device settings databases for restoring misconfigured devices or setting up failover gateways
• Network performance analysis: performance visibility including traffic statistics and reports for maintenance log files and
• Authentication management: Radiflow’s Authentication Proxy Agent allows setting time and device access constraints, for maintenance activities