IT Security for Existing Systems – SPRECON Security Gateway

> Inquiry

General information

General Information

To put it simply, the SPRECON Security Gateway is a secure, central and specialised access point for power engineering systems.

All network-related access to secondary devices is provided via the gateway. This acts as a „deny-by-default“ firewall that blocks all data traffic that is not expressly permitted. An integrated RBAC concept (role-based access control) can also be used to implement logical access security on all subordinate devices. Only users who are correctly authenticated at the gateway can access the devices that have been approved for them via the network.

Among other things, this enables:

  • Secure remote maintenance for external service providers
  • Separation of networks and areas of responsibility
  • Analysis of all processes (keyword: security monitoring)

Since the gateway is installed at the network level ahead of systems to be protected, these secondary existing systems do not have to be modified, reconfigured or functionally re-examined – fundamental security measures can thus be introduced with maximum economic efficiency.

Security Gateway as central access point of a network

Multiple features within one device

Application

Features

Features

Security Gateway as an access point for substation networks (“Substation Access“)

Substation Access

The SPRECON-SG basic device as an access point at the zone boundary

  • Interactive Firewall & Routing:
    • Isolation of the subordinate substation
    • Interactive textual management of routes
    • NAT included (full concealing of subordinate IP addresses)
  • Role-based Access Control (RBAC)
    • Administrator accounts for the configuration of the gateway and for approval of
      routes
    • Clients can only use resp. activate their specific predefined route
    • Free configuration of all user account authorisations
  • Integration of RADIUS authentication (i.e. users at the gateway are authenticated via the central RADIUS server)
  • Syslog (Logging to central location)
  • Time synchronisation via NTP or local time setting
  • Online configuration via secured web interface (no tool)
  • Secured data (backups, firmware packages) with encryption and digital signature, secure boot and signed firmware images
  • Easy Patching (import of new firmware)
  • Easy installation

Security Services Manager

Security Services Manager

SPRECON-SG extension with security services for modern station automation systems

Security Gateway as Authentication Server

  • Integrated RADIUS server
    • Easy integration of SPRECON-E-C/P/T3 devicese
    • Possible integration of arbitrary third-party devices
  • Integrated LDAP server
    • Integration of LDAP clients
    • Authentication of MS Windows user accounts
  • Users can be defined locally or can be replicated via central locations
  • Replication of users via external LDAP servers or Active Directory

Security Gateway as Syslog relay

  • Syslog server for secondary devices (switches, control/protection devices etc.)
  • Logs can be forwarded to central servers / SIEM systems
  • Local storing in ring buffer
  • Definable filters for forwarding
bgContainerEnde