Protection for Data-in-Transit
for Electric Utilities
Protecting SCADA Communications
To ensure the safety and reliability of power generation,
transmission, and distribution systems, utilities and operators
must protect their supervisory control and data acquisition
(SCADA) communications networks. To protect control system
devices, organizations are integrating IPsec and TLS Virtual
Private Networks (VPNs) with new protocols such as Distributed
Network Protocol Secure Authentication (DNP3-SA). Under
the IEEE 1815-2012 DNP3 standard, DNP3-SA enables
authenticated master-outstation communications.
Encrypted VPNs are only as secure as the devices and methods
used to encrypt and decrypt the network traffic. Malicious actors
target system vulnerabilities that allow them to:
- Steal plaintext keys that reside in memory
- Decrypt IPsec VPN tunnels
- Impersonate devices with stolen/predicted credentials
- Compromise mission-critical data and applications
Cybersecurity breaches continue to increase by attacking
vulnerabilities in traditional security solutions that expose
unencrypted data in system memory, the CPU, network and
storage. Attackers that gain access to an intelligent edge device
(IED), remote terminal unit (RTU), gateway or network device,
may be able to compromise the control systems and the quality
of performance data.
SCADA Networks Are Vulnerable to Attacks
Side Channel Attacks and Eavesdropping
Power VPN Untrusted VPN Power
Generation Device Network Device Distribution
Cache Memory Attacks
VPNs can be difficult to manage and are prone to performance
challenges due to:
- High IPsec VPN overhead that reduces throughput
- Shared CPU resource utilization for encryption that slows
firewall performance
- Application layer protocols that are impacted by IPsec and GRE
- Chatty security protocols increasing latency
- Complex configuration of IPsec and GRE tunnels
- Security and compliance policies
There is an urgent need for solutions that can withstand
persistent, sophisticated, and costly cyber threats without
compromising performance or flexibility. VPNs need to be
hardened to protect data at rest and in transit.
Cyphre BTX Security Platform
Cyphre BTX is a hardware-based network encryption solution
for site-to-site communications that is delivered as an appliance.
Deployed at each site, BTX appliances leverage Cyphre’s
patented BlackTIE® security engine that offloads encryption
operations to hardware in a way that protects plaintext
encryption keys from ever being exposed in the CPU or system
memory.
Inbound and
Man-in-the-Middle Attacks
VPN Untrusted VPN Outstation Edge & IIoT
Device Network Device
Fireware and Software Vulnerabilities
06/2020
Cyphre BTX appliances are available in multiple form factors to
protect remote, edge and cloud deployments. The BTX extends
defense-in-depth approaches and provides:
- Tamper-resistant hardware-based security that never exposes
private keys and encryption keys to the CPU or memory
- Resistance to side-channel, cache memory and MITM attacks
- Better application performance over high latency, low
bandwidth links
- Reduction of typical IP VPN packet overhead by more than
50%
- Offload of crypto operations to hardware to reduce CPU load
for encryption and decryption
- Simple VPN configuration and tunnel management
- Support for any IP-based network
Cyphre, a RigNet company (NASDAQ:RNET), is a cybersecurity
company deploying disruptive data protection innovations by
enhancing industry standard encryption protocols with our
patented BlackTIE® technology.
For more information
visit our website www.cyphre.com
or contact us at info@cyphre.com
© 2020 RigNet. RigNet is a registered trademark of RigNet, Inc.
Cyhpre’s turnkey solution is comprised of:
- Cyphre BTX Security Appliances available in multiple form
factors for data center or edge deployment
- Cyphre BlackTIE Technology hardware-based Security Engine
that is integrated with the BTX appliance
- CyphreLink Application secure site-to-site encryption solution
that leverages BlackTIE
By handling cryptographic operations in hardware and not
exposing keys in the CPU and memory, Cyphre is able to ensure
trustworthy communications to protect critical assets.
FIPS
VAꢀIDATED
140-2
IT Schedule 70
Enabling Intelligence. Delivering Results.