Cyber Secured Service Unit
Improved Cyber Security for Lentronics SONET/SDH Multiplexers
GE’s Lentronics™ Cyber Secured Service Unit (CSSU) protects Lentronics Multiplexers against cyber threats, specifically those that target the reliability of the Bulk Electric System (BES). The CSSU is an essential security appliance that takes the place of a legacy Service or IP Service Unit, to better protect against malicious and unintentional network changes. It utilizes defense-in-depth strategies, allowing utilities to meet demanding security standards such as NERC CIP.
Acting as a secure gateway between Lentronics Multiplexers and the Lentronics VistaNET NMS software, CSSUs employ strong AES 256 bit encryption, SSL/TLS and X.509 digital certificates to ensure privacy and authenticity of users attempting to access the network.
- Single hardware platform supporting two operating modes; Legacy and Secure
- Legacy mode: Interoperable with existing Service Unit/IPSU
- Secure mode: Network-wide AAA supported for improved access control and confidentiality
- Eliminates 2kHz tie cables between rings
- Extends network domains beyond 100 nodes
- Drop-in replacement without SONET/SDH payload traffic disruptions
- Supports Dual-Homed NMS paths
- Secure access-control with policy replication and distribution for a single, consistent security policy
- Prevents unauthorized user actions with hardware-based authorization
- RADIUS support for centralized and local authentication
- Provides event logging and secure event storage
- Provides confidentiality for NMS traffic with strong AES encryption
Cyber Secured Service Unit
Improved Cyber Security for Lentronics SONET/SDH Multiplexers
GE’s Lentronics™ Cyber Secured Service Unit (CSSU) protects Lentronics Multiplexers against cyber threats, specifically those that target the reliability of the Bulk Electric System (BES). The CSSU is an essential security appliance that takes the place of a legacy Service or IP Service Unit, to better protect against malicious and unintentional network changes. It utilizes defense-in-depth strategies, allowing utilities to meet demanding security standards such as NERC CIP.
Acting as a secure gateway between Lentronics Multiplexers and the Lentronics VistaNET NMS software, CSSUs employ strong AES 256 bit encryption, SSL/TLS and X.509 digital certificates to ensure privacy and authenticity of users attempting to access the network.
- Single hardware platform supporting two operating modes; Legacy and Secure
- Legacy mode: Interoperable with existing Service Unit/IPSU
- Secure mode: Network-wide AAA supported for improved access control and confidentiality
- Eliminates 2kHz tie cables between rings
- Extends network domains beyond 100 nodes
- Drop-in replacement without SONET/SDH payload traffic disruptions
- Supports Dual-Homed NMS paths
- Secure access-control with policy replication and distribution for a single, consistent security policy
- Prevents unauthorized user actions with hardware-based authorization
- RADIUS support for centralized and local authentication
- Provides event logging and secure event storage
- Provides confidentiality for NMS traffic with strong AES encryption
The Lentronics Cyber Secured Service Unit protects Lentronics multiplexers from unauthorized user access and remote equipment configuration. In addition, non-authenticated software clients will be actively rejected along with failed user authentication attempts. The use of strong privacy policies help prevent man-in-the-middle attacks.
Each CSSU communicates with adjacent CSSUs over the SONET/SDH overhead to facilitate:
- Centralized user authentication
- Distribution of a common, network-wide security policy
- Distribution of common security settings, including digital certificates
- Upgrade of the units operating firmware to apply any future patches
- Distribution of the current time
This extends the electronic security perimeter around each NMS access point, securing all sites, particularly remote locations containing critical assets belonging to critical BES Cyber Systems.
- Supports OpenSSL
- Supports Transport Layer Security (TLS)
- Strong AES 256 encryption
- X.509 Digital Certificates
- Digitally signed communications to EMS clients (Lentronics VistaNET)
- Digitally signed firmware to authenticate trusted source operating code
- Integrates with central authentication server (RADIUS) for centralized user administration
- Supports dual RADIUS servers and gateways
- Authenticates users locally if RADIUS is absent
- Integrated Access Control List (ACL) for local authentication and authorization
- Distributes ACL between sites over SONET/ SDH overhead
- Enforces user authentication
- Optional unit password to control craft console port access
- Encrypted front and rear Ethernet ports
- Supports concurrent network management sessions
- Secured console port
- Inter-Ring Tie port to bridge NMS domains
- Meets IEEE 1613 and IEC 61850-3 environmental specifications
- Reliable operation in extreme temperature from -4°F to +140°F (-20°C to +60°C)
- Meets Earthquake risk Zone 4 shock and vibration specification
A Cyber Secured Service Unit can be deployed in one of two operational modes, Legacy or Secure. Legacy mode (CSSU-L) offers a consistent set of features that supports interoperability with pre-existing Service or IP Service Units.
Secure mode (CSSU-S) is a licensed component that must be applied to all CSSUs within a ring, or across the entire management domain. In this case, a network-wide security envelope is formed to protect and control assets through Authentication, Authorization, Accountability, Privacy and Integrity.
|
|
|
|
* Equipped with CSSU-S code
| Part Number | Description |
| B86434-11 | Cyber Secured Service Unit, Legacy Mode for JungleMUX, TN1U and TN1Ue Multiplexers Ethernet 10/100BaseT via RJ-45 front connector, providing a gateway for Network Management Serial 9.6kb RS232 via RJ-11 front connector, supporting network management or local unit setup only |
| B86434-11/A | Activated Cyber Secured Service Unit, to operate in Secured Mode for JungleMUX, TN1U and TN1Ue Multiplexers Ethernet 10/100BaseT via RJ-45 front connector, providing a secure gateway for Network Management Serial 9.6kb RS232 via RJ-11 front connector, local unit setup |
| 86434/A | Activation code to upgrade from CSSU-Legacy to CSSU-Secure operating mode |
| 86434-75 | TN1Ue CSSU paddleboard equipped with rear Ethernet 10/100BaseT, Major/Minor Form C relay, Power alarm input, Protected NMS Tie ports (new tie format) and Contact IN terminals |
| 86434-81 | TN1U CSSU paddleboard equipped with rear Ethernet 10/100BaseT, Major/Minor Form C relay, Power alarm input, Protected NMS Tie ports (new tie format) and Contact IN terminals |
| 86434-92 | JungleMUX CSSU paddleboard equipped with rear Ethernet 10/100BaseT, Major/Minor Form C relay, Power alarm input, Protected NMS Tie ports (new tie format) and Contact IN terminals |
* Equipped with CSSU-S code
