NIAP: Compliant Product
Compliant Product - Binary Armor SCADA Network Guard

Certificate Date:  2018.08.07

Validation Report Number:  CCEVS-VR-VID10879-2018

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314

CC Testing Lab:  Gossamer Security Solutions

Product Description

The Target of Evaluation (TOE) is Binary Armor (BA) SCADA Network Guard.  The Binary Armor® SCADA Network Guard provides critical, real-time, endpoint cybersecurity for Supervisory Control and Data Acquisition (SCADA) network systems.

Binary Armor is designed for in-line installation between Programmable Logic Controllers (PLCs), remote terminal units, intelligent electronic devices or controllers and the WAN/LAN, to provide bi-directional security across all communication layers. The TOE works by processing every byte of every message with a dynamic state-based rule-set that processes messages based on system control logic. This process ensures only safe message traffic reaches critical SCADA systems.

Binary Armor supports TLS encryption.  The TOE provides two separate physical interfaces: a high NIC (typically connected to SCADA/ICS equipment) and a low NIC (typically connected to external systems such as a Human Machine Interface, HMI).  The TOE supports remote administration over the network as well as local administration (through a directly networked workstation).

Evaluated Configuration

The TOE is the Sierra Nevada Corporation Binary Armor SCADA Network Guard composed of the following hardware and software:

· Binary Armor hardware version 7000-SNC-01
· Binary Armor firmware version 1.6.19
· Binary Armor software suite version 1.6.19 consisting of:
  o Binary Armor Forge (management client that provides administrative access to the TOE)
  o (optional) Binary Armor Monitor (status and monitoring client for a single TOE)
  o (optional) Binary Armor Armory Client & Server (the Armory Server gathers status and monitoring information from multiple TOEs and makes that information available to the Armory Clients that connect to it)

The TOE has a rugged enclosure that protects it from modification and contains a single embedded board containing an Intel Atom E3845 processor, memory, and flash storage.  The TOE runs a hardened operating system (RHEL 7.4), with SNC-developed firmware running atop it, that does not permit operators (even an authorized administrator) access to the OS.  The TOE provides a TLS-protected management interface which is accessed via SNC’s Forge, Armory, and Monitor applications running on a PC/workstation.  An administrator can configure the TOE for remote access on either its high or low network interface.  The administrator always accesses the TOE through its TLS management interface, irrespective of whether the administrator configured the TOE to listen for management connections on its low or high network interface and irrespective of whether the administrator accesses the TOE remotely or locally.

The administrator gains local access by physically pressing and holding the TOE’s configuration (CFG) button and then accessing the TOE’s TLS management interface from a directly networked workstation.  In this context, “directly networked” means connected via “crossover” cable or through a network switch to which only the TOE and the workstation are connected.

The TOE’s Operating Environment includes the following:

· A Windows workstation - The Binary Armor software suite of tools operates on Microsoft Windows 7, 8 or 10.
· A security token in the form of a PKCS#11 compliant smart card or USB device present on the workstation. The security token is used by the TOE to sign and encrypt configuration files and to activate override mode. The token is configured by loading private/public key pairs in the form of X.509 certificates onto the TOE and then pairing them to the override and configuration operations on the device.
· A TLS-protected syslog server that receives audit events from the TOE
· An NTP server with which the TOE can synchronize its clock

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, July 2012.  Gossamer Security Solutions determined that the evaluation assurance level (EAL) for the TOE is EAL 1.  The product, when delivered and configured as identified in the Sierra Nevada Corporation Administrator Guide for Common Criteria for Binary Armor, 0318-0200-0001, Rev B, 3 Aug 18 and the Binary Armor User Manual, 0318-0100-0015, Rev B, 17 July 18 documents, satisfies all of the security functional requirements stated in the Sierra Nevada Corporation Binary Armor SCADA Network Guard (NDcPP20E) Security Target, Version 0.7, 07/31/2018.  The project underwent CCEVS Validator review.  The evaluation was completed in August 2018.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10879-2018) prepared by CCEVS.

Environmental Strengths

The logical boundaries of the Sierra Nevada Corporation Binary Armor SCADA Network Guard are realized in the security functions that it implements. Each of these security functions is summarized below.

Security audit:

The TOE generates audit events associated with identification and authentication, management, updates, and user sessions.  The TOE can store the events in a local log or export them to a syslog server using a TLS-protected channel.

Cryptographic support:

The TOE provides CAVP-certified cryptography in support of its TLS implementation and administrator authentication.  Cryptographic services include key management, random bit generation, encryption/decryption, digital signature and secure hashing.

Identification and authentication:

The TOE requires users to be identified and authenticated before they can use functions mediated by the TOE, with the exception of reading the login banner, obtaining status, and (if configured) restarting the TOE and enabling override. It provides the ability to both assign attributes (user password) and to authenticate users against these attributes.  The TOE also provides X.509 certificate checking for its TLS connections.

Security management:

The TOE provides a management interface that an administrator can access via a network port.  The SNC Forge, Monitor, and Armory applications utilize the TOE’s API.  The management interface is protected with TLS.  The management interface is limited to the authorized administrator.

Protection of the TSF:

The TOE provides a variety of means of protecting itself.  The TOE performs self-tests that cover the correct operation of the TOE.  It provides functions necessary to securely update the TOE.  It relies upon either manually provided time or an NTP server in its environment to ensure reliable timestamps.  It protects sensitive data such as stored passwords and cryptographic keys stored on the TOE’s internal Flash so that they are not accessible even by an authorized administrator.

TOE access:

The TOE can be configured to display a logon banner before a user session is established.  The TOE also enforces inactivity timeouts for administrative sessions.

Trusted path/channels:

The TOE provides local administration which is subject to physical protection.  To access local administration, an operator must directly network their workstation to the TOE, and then must physically press the TOE’s configuration button.  This transitions the TOE into its configuration mode, where an administrator can locally configure it.  For both local and remote access, the administrative session is protected by TLS, thus ensuring protection against modification and disclosure.

The TOE also protects its audit records from modification and disclosure by using TLS to communicate with the syslog server.

Vendor Information

Sierra Nevada Corporation