
Energy Networking Convergence Part 2: Cyber & Physical Security

This is the second of a four-part series on the convergence of IT and OT (Operational Technologies) by Rick Geiger.

Physical Security has evolved from serial communication to modern systems that are largely, if not completely, IP networked systems. The unique requirements of physical security have often led to shadow IT departments within the physical security department, with networks and servers procured and operated by the physical security department with little or no involvement from IT.

Intersections with IT and the corporate network began with the interconnection of physical security systems and the placement of physical security appliances on the corporate network to avoid the cost of wiring that would duplicate existing networks.  At one time IT may have been persuaded that these “physical security appliances” didn’t need to be managed by IT.  But that persuasion was shattered by malware infections that revealed far too many “physical security appliances” to be repackaged PCs with specialized interface cards.

IT departments scrambled to locate and remove these vulnerable devices and either outright banned them from the corporate network or insisted that they be managed by IT. A hard lesson was learned: just as the organization, including IT, required physical security, video surveillance and badge access control, the physical security department needed the cyber security expertise of IT to protect the communication and information integrity of networked physical security systems.

Convergence is sometimes regarded as the use of physical location as a criterion for network access: restricting certain network access to a particular location and/or noting any discrepancies between the location source of a login attempt and the physical location reported by the badge access system. For example, the network won’t accept a login from Asia when that user badged into a building in Philadelphia.

The need and opportunity for Cyber and Physical security convergence is much broader than network access.  Physical Security systems need Cyber Security protection just as Cyber Systems need Physical Security protection.

What are, at a very high level, the primary activities of Physical Security on a day to day basis?

  • Protect the perimeter
  • Detect breaches
  • Situational awareness
  • Standard operating procedures defined for anticipated events
  • Forensics to gather, preserve and analyze evidence and information

Physical security personnel often have a law enforcement or military background, and approach these activities from that point of view.

Over time, the technology of physical security has evolved from walls, guns and guards to sophisticated microprocessor-based sensors, IP video cameras with analytics, and network storage of video and audio. Although there are many examples of close collaboration between IT and Physical Security, there may also be tension. Physical Security departments defend their turf from what they perceive as the encroachment of IT by claiming that they are fundamentally different.

A quick look at Physical Security systems reveals something very familiar to IT: networked devices, servers, identity management systems and so on.

At a very high level, the primary activities of Cyber Security can be grouped into a set of activities that are very similar to Physical Security.  The common process that both need to follow is a regular review of Risk Assessment:

  • What are the possible threats
  • What is the probability of occurrence of each threat
  • What are the consequences of such occurrence
  • What are cost effective mitigations — as well as mitigations required by compliance

The Risk Assessment process is an integral part of NERC-CIP V5, which requires a review at least every 15 months of “…cyber security policies that collectively address…” CIP-004 through CIP-011. Implementation is required to be done “…in a manner that identifies, assesses, and corrects deficiencies…”

Many of the activities Cyber and Physical Security overlap and need to align:

  • The use of IT Technology in Physical Security systems
  • Overlapping Identity Management
  • Device Identity management
  • Requirement for IT process maturity
  • IT security required for Physical Security systems
  • Physical Security required for IT Systems
  • Consistent future strategy & direction

The bottom line is that the activities of Physical and Cyber security have many parallels, with opportunities to learn from each other and to collaborate in threat assessment and risk assessment strategies and in coordinated implementation and operation. NERC-CIP V5 has mandatory requirements for both Physical and Cyber security. Modern security, both Physical and Cyber, needs to move beyond reacting to events that have already occurred, to agility and anticipation.

What does this mean for Cisco?

Cisco has a portfolio of leading-edge Cyber and Physical Security solutions. Cisco’s Advanced Services offerings help our customers develop and deploy a collaborative, unified approach to Physical and Cyber security. NERC-CIP V5 is a compelling event for the electric utility industry. The transition period is underway, with completion required by April 2016. Are you up to date on Cisco’s solutions and capabilities? We are here to help!


Next Generation Data Center Design With MDS 9710 – Part II

EMC World was wonderful. It was gratifying to meet industry professionals, listen in on great presentations and watch the demos for key business-enabling technologies that Cisco, EMC and others have brought to fruition. It’s fascinating to see the transition of the DC from cost center to strategic business driver. The same repeated all over again at Cisco Live: more than 25000 attendees, hundreds of demos and sessions, lots of interesting customer meetings, and MDS continues to resonate. We are excited about the MDS hardware that was on display on the show floor, the interesting Multiprotocol demo and a lot of interesting SAN sessions.

Outside these we recently did a webinar on how Cisco MDS 9710 is enabling High Performance DC design with customer case studies. You can listen to that here.

So let’s continue our discussion. There is no doubt that when it comes to High Performance SAN switches there is no comparison to Cisco MDS 9710. Another component that is paramount to a good data center design is high availability. Massive virtualization, DC consolidation and the ability to deploy more and more applications on powerful multi-core CPUs have increased the risk profile within the DC. These DC trends require renewed focus on availability. MDS 9710 is leading the innovation there again. Hardware design and architecture have to guarantee high availability. At the same time, it’s not just about hardware; it’s a holistic approach with hardware, software, management and the right architecture. Let me give you just a few examples of the first three pillars for high reliability and availability.


Reliability examples in MDS


MDS 9710 is the only director in the industry that provides Hardware Redundancy on all critical components of the switch, including fabric cards. Cisco Director Switches provide not only CRC checks but also the ability to drop corrupted frames. Without that ability, the network infrastructure exposes the end devices to the corrupted frames. Having the ability to drop the CRC-failing frames and quickly isolate the failing links, outside as well as inside the director, provides Data Integrity and fault resiliency. VSAN allows fault isolation, Port Channel provides smaller failure domains, and DCNM provides a rich feature set for higher availability and redundancy. All of these are but a subset of the examples that provide high resiliency and reliability.


Weakest link


We are proud of the 9500 family and the strong foundation for reliability and availability that we stand on. We have taken that to a completely new level with 9710. For any design within the Data center, high availability has to go hand in hand with consistent performance. One without the other doesn’t make sense. The right design and architecture within the DC is as important as the components that power the connectivity. As an example, Cisco recommends that customers distribute the ISL ports of a Port Channel across multiple line cards and multiple ASICs. This spreads the failure domain such that any ASIC or even line card failure will not impact the port channel connectivity between switches, and there is no need to reinitiate all the host logins. You can see the white paper on Next generation Cisco MDS here. As part of writing this white paper, ESG tested the Fabric Card redundancy (Page 9) in addition to other features of the platform. Remember that a chain is only as strong as its weakest link.


The most important aspect of all of this is for the customer to be educated.

Ask the right questions. Have in-depth discussions to achieve higher availability and consistent performance. Most importantly, selecting the right equipment, the right architecture and best practices means no surprises.

We will continue our discussion for the Flexibility aspect of MDS 9710.


-We are what we repeatedly do. Excellence, then, is not an act, but a habit (Aristotle)


Cisco Live Utilities Session a Big Success: Converging IT and OT (Operational Technologies) – BSAIoT-2100

May 20, 2014 at 10:21 am PST

Rick Geiger presented Session BSAIoT-2100 -- How to Successfully Converge IT and OT (Operational Technologies) at Cisco Live in San Francisco this week, with strong interest from attendees.

Many of you know of Rick Geiger from this blog and other publications. Rick’s session at Cisco Live 2014 discussed the many aspects and challenges of merging OT and IT in organizations. Computing and networking for operations require more IT-based support and a growing convergence of IT and OT skill sets to support intelligent devices and varied processes. Rick’s session discussed the convergence driven by the critical needs of the OT organization for the process maturity of IT and for managing and securing the growing complexity of OT systems.

In bringing IT processes and capabilities to OT, IT will need to recognize the needs of critical control systems and the equivalent process capabilities that OT provides for engineering and operations. Successful companies will find ways to establish common ground and combine the expertise and value of both. Bringing standalone devices or isolated networks into core operational systems will bring clear and tangible advantages and business benefits to those companies.

Rick’s session covered new ideas and concepts that are developing around IT/OT, providing major opportunities for those who understand how to apply their IT know-how to Operations.

Missed it? Well you can download the slide deck here:

BSAIoT-2100 -- How to Successfully Converge IT and OT (2014 San Francisco) - 1 Hour, Rick Geiger (requires registration)

Let us know what you think!

(Find out more about convergence by reading Rick’s series of blogs, starting with: Energy Networking Convergence Part 1 – The Journey From Serial to IP)


Delivering Policy in the Age of Open Source

This is an exciting time in the history of datacenter infrastructure. We are witnessing the collision of two major trends: the maturation of open source software and the redefinition of infrastructure policy.

The trend towards open source is self-evident. Platforms such as OpenStack and OpenDaylight are gaining huge developer mindshare as well as support and investment from major vendors. Even some newer technologies like Docker, which employs Linux kernel containers, and Ceph, a software-based storage solution, offer promising paths in open source. Given the fundamental requirement of interoperability in architecturally diverse infrastructure environments, it’s no surprise that open source is gaining momentum.

The second trend, around policy, is a bit earlier in its evolution but equally disruptive. Today, there is a huge disconnect between how application developers think about their requirements and the languages and tools through which those requirements are communicated to the infrastructure itself. For example, just to handle networking, a simple three-tier app must be deconstructed into an array of VLANs, ACLs, and routes spread across a number of devices. Storage and compute present similar challenges as well. To simplify this interaction and create more scalable systems, we need to rethink how resources are requested and distributed between different components. This really boils down to shifting the abstraction model away from configuring individual devices to separately capturing user intent and operational, infrastructure, and compliance requirements.

At Cisco, we’ve embraced both of these trends. We are active contributors to over 100 open source projects and were founding members of OpenStack Neutron and OpenDaylight. We’ve also made open source a successful business practice by incorporating and integrating popular projects with our products. In parallel, Cisco has accumulated a lot of experience in describing policy through the work we’ve done with Cisco Unified Computing (UCS) and most recently with Cisco Application-Centric Infrastructure (ACI).

Building on this foundation, we see a unique opportunity to collaborate with the open source community to deliver a vision for policy-driven infrastructure.  This will enhance the usability, scale, and interoperability of open source software and benefit the entire infrastructure ecosystem.

This vision includes two initiatives in the open source community:


  1. Group-Based Policy: An information model designed to express applications’ resource requirements from the network through a hardware-independent, declarative language, leaving a simple control and data plane in place. This approach replaces traditional networking constructs like VLANs with new primitives such as “groups”, which model tiers or components of an application, and “contracts”, which describe the relationships between them. Group-Based Policy will be available in the context of OpenStack Neutron as well as OpenDaylight through a plug-in model that can support any software or hardware infrastructure.
  2. OpFlex: A distributed framework of intelligent agents within each networking device designed to resolve policies. These agents would translate an abstract, hardware-independent policy taken from a logically central repository into device-specific features and capabilities.


Let’s look a bit more closely at each of these initiatives.


Top Five Mobility Trends CXOs Should Watch

As technology becomes smarter and capable of more connections and interactions, we will begin to see certain trends arise in the mobility industry: low-cost mobile devices will positively impact developing regions around the world, Internet of Things (IoT) partnerships will drive the transformation of mobile networks, and the proliferation of wearables will further increase the number of connected devices.

These trends and more are shaping the future of mobility and what it means for executives in today’s business landscape. In addition, the convergence of mobile, cloud and infrastructure demands that executives prepare for what will certainly be an evolutionary time in our history.

So looking ahead over the next twelve months, what mobility trends have immediate business implications for organizations and service providers?

Listen to the Future of Mobility Podcast on iTunes

What do CXOs need to watch for?
