GE Logo
Home Products & Services Industries News/Events About Us Resources Contact Store
Grid Solutions  Communications  Lentronics Fiber Optic Multiplexers  Cyber Secured Service Unit
Product Lookup
Support
 
Product Categories
  Overview
  Industrial Wireless
  Hardened Optical Networks
  Broadband Power Line
  Professional Services
  Switches & Converters
Services
  Professional Services
  Training
  Repair / Return (RMA)
 
  Brochures
Related Links
  JungleMUX
  TN1U
  TN1Ue
  Ether-1000

Lentronics CSSU cyber security for SONET/SDH multiplexers
Cyber Secured
Service Unit
Improved Cyber Security for Lentronics SONET/SDH Multiplexers

GE’s Lentronics™ Cyber Secured Service Unit (CSSU) protects Lentronics Multiplexers against cyber threats, specifically those that target the reliability of the Bulk Electric System (BES). The CSSU is an essential security appliance that takes the place of a legacy Service or IP Service Unit, to better protect against malicious and unintentional network changes. It utilizes defense-in-depth strategies, allowing utilities to meet demanding security standards such as NERC CIP.

Acting as a secure gateway between Lentronics Multiplexers and the Lentronics VistaNET NMS software, CSSUs employ strong AES 256 bit encryption, SSL/TLS and X.509 digital certificates to ensure privacy and authenticity of users attempting to access the network.

Key Benefits
  • Single hardware platform supporting two operating modes; Legacy and Secure
    • Legacy mode: Interoperable with existing Service Unit/IPSU
    • Secure mode: Network-wide AAA supported for improved access control and confidentiality
  • Eliminates 2kHz tie cables between rings
  • Extends network domains beyond 100 nodes
  • Drop-in replacement without SONET/SDH payload traffic disruptions
  • Supports Dual-Homed NMS paths
  • Secure access-control with policy replication and distribution for a single, consistent security policy
  • Prevents unauthorized user actions with hardware-based authorization
  • RADIUS support for centralized and local authentication
  • Provides event logging and secure event storage
  • Provides confidentiality for NMS traffic with strong AES encryption
Overview

The Lentronics Cyber Secured Service Unit protects Lentronics multiplexers from unauthorized user access and remote equipment configuration. In addition, non-authenticated software clients will be actively rejected along with failed user authentication attempts. The use of strong privacy policies help prevent man-in-the-middle attacks.

Each CSSU communicates with adjacent CSSUs over the SONET/SDH overhead to facilitate:

  • Centralized user authentication
  • Distribution of a common, network-wide security policy
  • Distribution of common security settings, including digital certificates
  • Upgrade of the units operating firmware to apply any future patches
  • Distribution of the current time

This extends the electronic security perimeter around each NMS access point, securing all sites, particularly remote locations containing critical assets belonging to critical BES Cyber Systems.

Cyber Secured Service Units Perform Centralized and Localized User Authentication
Security
  • Supports OpenSSL
  • Supports Transport Layer Security (TLS)
  • Strong AES 256 encryption
  • X.509 Digital Certificates
  • Digitally signed communications to EMS clients (Lentronics VistaNET)
  • Digitally signed firmware to authenticate trusted source operating code
Access Control
  • Integrates with central authentication server (RADIUS) for centralized user administration
  • Supports dual RADIUS servers and gateways
  • Authenticates users locally if RADIUS is absent
  • Integrated Access Control List (ACL) for local authentication and authorization
  • Distributes ACL between sites over SONET/ SDH overhead
  • Enforces user authentication
  • Optional unit password to control craft console port access
Connectivity
  • Encrypted front and rear Ethernet ports
  • Supports concurrent network management sessions
  • Secured console port
  • Inter-Ring Tie port to bridge NMS domains
Utility Hardened
  • Meets IEEE 1613 and IEC 61850-3 environmental specifications
  • Reliable operation in extreme temperature from -4°F to +140°F (-20°C to +60°C)
  • Meets Earthquake risk Zone 4 shock and vibration specification
GE Cyber Secured Service Unit Security Features
Access Control

A Cyber Secured Service Unit can be deployed in one of two operational modes, Legacy or Secure. Legacy mode (CSSU-L) offers a consistent set of features that supports interoperability with pre-existing Service or IP Service Units.

Secure mode (CSSU-S) is a licensed component that must be applied to all CSSUs within a ring, or across the entire management domain. In this case, a network-wide security envelope is formed to protect and control assets through Authentication, Authorization, Accountability, Privacy and Integrity.

Updating the CSSUs Access Control List: Example of Revoking Users Access

Example of Revoking Users Access

VistaNET Administrator Creates a New Policy
  • User X: Access Rights Expired
  • Applies new security policy to connected CSSU
 
SONET/SDH Overhead
  • CSSU synchronizes the new security policy to all connected CSSUs
 
Enforcing Security
  • Each CSSU enforces the new security policy
 
Access Control Enforced
  • Access is denied for User X
  • Any damage caused by User X is contained to the local site where physical access was breached
Technical Specifications

Technical specifications, encryption, authentication and security standards for the Lentronics CSSU

* Equipped with CSSU-S code

Order Code
Part Number Description
B86434-11 Cyber Secured Service Unit, Legacy Mode for JungleMUX, TN1U and TN1Ue Multiplexers
Ethernet 10/100BaseT via RJ-45 front connector, providing a gateway for Network Management
Serial 9.6kb RS232 via RJ-11 front connector, supporting network management or local unit setup only
B86434-11/A Activated Cyber Secured Service Unit, to operate in Secured Mode for JungleMUX, TN1U and TN1Ue Multiplexers
Ethernet 10/100BaseT via RJ-45 front connector, providing a secure gateway for Network Management
Serial 9.6kb RS232 via RJ-11 front connector, local unit setup
86434/A Activation code to upgrade from CSSU-Legacy to CSSU-Secure operating mode
86434-75 TN1Ue CSSU paddleboard equipped with rear Ethernet 10/100BaseT, Major/Minor Form C relay, Power alarm input, Protected NMS Tie ports (new tie format) and Contact IN terminals
86434-81 TN1U CSSU paddleboard equipped with rear Ethernet 10/100BaseT, Major/Minor Form C relay, Power alarm input, Protected NMS Tie ports (new tie format) and Contact IN terminals
86434-92 JungleMUX CSSU paddleboard equipped with rear Ethernet 10/100BaseT, Major/Minor Form C relay, Power alarm input, Protected NMS Tie ports (new tie format) and Contact IN terminals

* Equipped with CSSU-S code