Customer Needs

Isolate all SCADA traffic

Deploy quickly using non-technical staff

Segment SCADA remote access

Revoke access instantly

Provide fast network provisioning

Constraints

Distributed sites using different cell networks

Staff expertise and budget

Avoid carrier lock-in

No system downtime

Shared network in datacenter

Results

Replaced VPNs and internal firewalls

Isolated and segmented SCADA network

Eliminated lateral movement

Segmented remote access to specific systems only

Instant provisioning and revocation

Eliminated need for cellular APNs

Innovation With a Better Way to Network

A renewable energy provider in the U.S. operates wind farms at many locations along the West Coast.

With a large number of supervisory control and data acquisition (SCADA) systems monitoring the sites in real time, the provider faced the challenge of protecting that infrastructure from attack. After studying the attack on the Ukrainian power grid, where similar networking and security technology was in place, they concluded that the old model of applying traditional IT networking to SCADA networks was too susceptible to attack.

Clean Energy Wanted a Clean Network

Over the years the SCADA network grew into a mix of radio, Ethernet, and cellular links. The cellular portion required an APN at considerable cost, and it prevented them from easily onboarding new sites where a different carrier had better coverage. Between their generation sites and central operations sat a complex chain of VPNs, firewalls, core routers, switches, ACLs, and VLANs.

They found this critical infrastructure difficult to maintain, support, and secure. They also had to contend with overlapping IP address spaces at different sites, which made both networking and security even more complicated.

Access, Isolation, and Segmentation Made Simple

During their pilot of Tempered Networks, the energy company created a series of private overlay networks that allowed them to simplify and harden ICS access control. The pilot showed that no SCADA system could be discovered or connected to by unauthenticated or unauthorized machines, even ones holding valid tokens or credentials. The pilot SCADA network was invisible and inaccessible to any network communication from non-verifiable systems, hardening its interior in a way that wasn't possible before.

50 sites in under 50 days

The speed of the deployment and the simplicity of the private overlay networks have not only given the security team peace of mind but also simplified the SCADA network team's work. Granting temporary, secure remote access to a specific machine at any site takes a single click. Failover and revocation are just as quick and require no routing updates, firewall rule changes, or certificate revocation.

They have also freed themselves from lock-in to any one carrier and can use whatever transport suits each site. Their unified access control architecture makes the different SCADA systems on different networks behave like one local, invisible, encrypted broadcast domain.
