TRANSCRIPT
© 2019 Cisco and/or its affiliates. All rights reserved.
Vinay Dua
Head – Business Development, IoT & Digital Transformation
Manufacturing Industry Vertical
Cisco India & SAARC
Industrial Cybersecurity: The Never-Ending Journey
RAOTM, 22nd January 2019
3 C97-734467-00 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
CPwE – Converged Plantwide Ethernet
Cisco and Rockwell Automation have tested and validated CPwE architectures to help manufacturers create a secure and adaptable network strategy. The CPwE architectures help customers to have:
• Lower Total Cost of Ownership
• Faster Time to Market
• Improved Operational Responsiveness
• Security
Key Requirements and Consideration for Factory Security
Cisco security solutions transform diverse manufacturing processes, allowing companies to safely and securely integrate infrastructure, machine processes, and people. Designed to deliver maximum ROI and measurable business outcomes, these solutions and services include:
• Segmentation within the OT network
• IDMZ installation and management
• Factory wireless for IT and OT
• Secure remote access (remote access VPN)
• Internet and cloud
• Visualization and monitoring of devices and applications
• By grouping the OT devices into various segments, we achieve enhanced management, optimized access control and processing performance and, on top of that, the ability to quickly isolate the affected segment in the event of a security incident
• Devices that need to communicate frequently are normally grouped into the same segment. Similarly, it is important to ensure the shortest path for field controllers to reach site-level control systems, etc.
• Although VLANs and subnetting are the most common way of doing segmentation, software-based network access policy via Cisco TrustSec, SDA or ACI can also be deployed to meet stricter and more complex requirements
• Many topologies are available, depending on the needs for cost, scalability, reliability and ease of installation
Segmentation Within The OT Network – Segmentation Approach
[Figure: Cell/Area Zone topologies – Linear and Star/Bus, Ring (Resilient Ethernet Protocol, REP) and Redundant Star (Flex Links / EtherChannel). Each Cell/Area Zone contains controllers, drives, distributed I/O and an HMI, uplinked to a distribution switch (Cisco Catalyst 2955 shown).]
Cell/Area Zone Segmentation by Campus Network Architecture
• Group machines, controllers and other OT systems into different Cell/Area Zones based on their respective functions
• Use VLAN/VRF/ACL or VLAN/VRF/Firewall (multi-context) to restrict access between segments of the Cell/Area Zone
• In this example, all segments can communicate with each other via the firewall, subject to its security policy
Segmentation Within The OT Network
[Figure: campus-architecture example with three Cell/Area Zones – Zone 1 (Levels 0-2, redundant star topology), Zone 2 (Levels 0-2, ring topology, REP*) and Zone 3 (Levels 0-2, linear/bus/star topology). Each zone carries both OT (FA) and IT (OA) devices (safety controller, robot, safety I/O, servo drive, soft starter, I/O, instrumentation, drives, HMI, phone, camera) on Stratix 5400 switches, with APs and WGBs on a 5 GHz OT SSID and a 2.4 GHz IT SSID. OT Distribution switches feed an OT Backbone and IT Distribution switches an IT Backbone; the IDMZ Firewall sits between them, with OT servers, DMZ servers and IT servers. *Resilient Ethernet Protocol]
Segmentation Within The OT Network
• The IT/OT network in the Cell/Area Zone connects to redundant leaf switches and is logically separated
• The ACI Controller enables configuration setup and management of the entire network
• Communication between the Cell/Area Zones is possible through the ACI Contract function
[Figure: Cell/Area Zone Segmentation by Cisco ACI and SDA – the same three Cell/Area Zones (redundant star, ring with REP*, and linear/bus/star topologies, each with OT (FA) and IT (OA) devices on Stratix 5400 switches and with OT 5 GHz and IT 2.4 GHz SSIDs) connect to redundant Leaf switches of a Leaf/Spine fabric (40G) managed by the ACI Controller; the IDMZ Firewall, OT servers, IT servers and DMZ servers are also shown.]
IDMZ (Industrial DMZ)
[Figure: reference architecture by level – Level 5 Enterprise Network and Level 4 Site Business Planning and Logistics Network (e-mail, intranet, etc.) form the Enterprise Security Zone; the Industrial DMZ hosts the Remote Desktop Gateway, Patch/AV Server, Historian Mirror and Web App Reverse Proxy; the Industrial Security Zone contains Level 3 Site Operations and Control (SCADA Server, Application Historian, Engineering Workstation, Remote Access Server), Level 2 Area Supervisory Control (Control Server, Operator Interface, Engineering Workstation), Level 1 Basic Control (Batch, Discrete, Drive, Continuous Process and Safety Control) and Level 0 Process (Sensors, Drives, Actuators, Robots), the lower levels forming the Cell/Area Zone. A Firewall mediates traffic between the Enterprise Security Zone, the Industrial DMZ and the Industrial Security Zone.]
• Security requirements in IT and OT differ because of their characteristics and user needs. It is strongly recommended to apply the strictest zone segmentation between IT and OT for maximum security
• Therefore, an IDMZ should be built in between, with a firewall that allows only permitted communications and proxy servers for the relevant services
• Ensure all IT/OT communications go through a single path – the firewall – with rules that only permit necessary and predefined communications
• An active-standby firewall pair in the IDMZ is strongly recommended for redundancy and availability
• Apply traffic inspection (IPS rules, malware scanning, etc.) to IDMZ traffic if necessary
IDMZ Installation and Management
[Figure: traffic crossing the IDMZ between the industrial and enterprise sides – web, e-mail, file copy/patch, DC replication, NTP sync, etc. – passes through a File Transfer Proxy. Callouts: firewall rules to allow necessary IT/OT communications; deny undefined IT/OT communications (e.g. deny OT protocols from crossing into the IT section; deny OT systems from accessing the Internet and e-mail, etc.); proxy services (file transfer, reverse proxy) for IT/OT communications, with packet inspection if necessary.]
IDMZ Installation and Management
DMZ Firewall Rules Recommendations
In summary, the following should be considered as recommended practice for general firewall rule sets:
• The base rule set should be deny all, permit none.
• Ports and services between the control network environment and the corporate network should be enabled and permissions granted on a specific case-by-case basis. There should be a documented business justification with risk analysis and a responsible person for each permitted incoming or outgoing data flow.
• All “permit” rules should be both IP address and TCP/UDP port specific, and stateful if appropriate.
• All rules should restrict traffic to a specific IP address or range of addresses.
• Traffic should be prevented from transiting directly from the control network to the corporate network. All traffic should terminate in the DMZ.
• Any protocol allowed between the control network and DMZ should explicitly NOT be allowed between the DMZ and corporate networks (and vice versa).
• All outbound traffic from the control network to the corporate network should be source- and destination-restricted by service and port.
• Outbound packets from the control network or DMZ should be allowed only if those packets have a correct source IP address that is assigned to the control network or DMZ devices.
• Control network devices should not be allowed to access the Internet.
• Control networks should not be directly connected to the Internet, even if protected via a firewall.
• All firewall management traffic should be carried on either a separate, secured management network (e.g., out of band) or over an encrypted network with two-factor authentication. Traffic should also be restricted by IP address to specific management stations.
Do not allow end-to-end TCP sessions between IT and OT.
ISA-99 – Security Attitude (Terms)
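As an added illustration (not code from the slides or from Cisco), the audit below checks a constructed IDMZ rule set against several of the practices just listed: deny-by-default, address- and port-specific permits, no direct control-to-corporate transit, no Internet access from the control network, and no service permitted on both sides of the DMZ. The zone ranges, rule format and sample rules are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed zone ranges for this example (not taken from the slides).
ZONES = {"enterprise": ipaddress.ip_network("10.1.0.0/16"),
         "dmz": ipaddress.ip_network("10.2.0.0/24"),
         "control": ipaddress.ip_network("10.3.0.0/16")}

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port or "any"

def zone_of(cidr):
    """Zone containing the CIDR; 'internet' if outside every zone; None for 'any'."""
    if cidr == "any":
        return None
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"

def audit(rules):
    """Return one finding per departure from the IDMZ rule-set practices (empty = clean)."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or (last.action, last.src, last.dst) != ("deny", "any", "any"):
        findings.append("base rule set must end with an explicit deny any any")
    control_dmz, dmz_corp = set(), set()   # services permitted on each side of the DMZ
    for i, r in enumerate(r for r in rules if r.action == "permit"):
        if "any" in (r.src, r.dst):
            findings.append(f"permit #{i + 1}: source and destination must be specific")
        if "any" in (r.proto, r.port):
            findings.append(f"permit #{i + 1}: protocol and port must be specific")
        ends = {zone_of(r.src), zone_of(r.dst)}
        if ends == {"control", "enterprise"}:
            findings.append(f"permit #{i + 1}: control-to-corporate transit; terminate in the DMZ")
        if zone_of(r.src) == "control" and zone_of(r.dst) == "internet":
            findings.append(f"permit #{i + 1}: control network devices must not reach the Internet")
        if ends == {"control", "dmz"}:
            control_dmz.add((r.proto, r.port))
        if ends == {"dmz", "enterprise"}:
            dmz_corp.add((r.proto, r.port))
    for proto, port in sorted(control_dmz & dmz_corp):
        findings.append(f"{proto}/{port} permitted on both sides of the DMZ (end-to-end IT/OT session)")
    return findings

# Constructed rule sets. GOOD: the DMZ historian mirror reads the site historian over SQL,
# enterprise users read the mirror over HTTPS, and an explicit deny closes the set.
GOOD = [Rule("permit", "10.2.0.10/32", "10.3.1.20/32", "tcp", "1433"),
        Rule("permit", "10.1.0.0/16", "10.2.0.10/32", "tcp", "443"),
        Rule("deny", "any", "any", "any", "any")]
# BAD: enterprise straight into control, SMB permitted on both sides of the DMZ,
# control-to-Internet "any", and no closing deny.
BAD = [Rule("permit", "10.1.0.0/16", "10.3.1.20/32", "tcp", "1433"),
       Rule("permit", "10.3.0.0/16", "10.2.0.10/32", "tcp", "445"),
       Rule("permit", "10.2.0.10/32", "10.1.0.0/16", "tcp", "445"),
       Rule("permit", "10.3.0.0/16", "0.0.0.0/0", "any", "any")]
```

Running audit(GOOD) returns no findings, while audit(BAD) reports the missing closing deny, the direct enterprise-to-control rule, the unrestricted Internet rule and tcp/445 being open on both sides of the DMZ.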
Factory Wireless for IT and OT – Unified Management Via Wireless Controller
[Figure: the same three Cell/Area Zones as above, with every AP (OT SSID on 5 GHz, IT SSID on 2.4 GHz, serving cameras, phones, WGBs and IT mobiles/PCs) configured from a central WLC (Wireless LAN Controller), which pushes the SSID, channel, VLAN and encryption policies to all APs.]
• It is recommended to have wireless controllers serve as the centralized, unified management point for the pervasive wireless APs in a Smart Factory. Wireless security can then be rolled out uniformly across all the APs
• Unified management enables easy tuning of channels and TX power, as well as rogue AP detection for security
Wireless Network Security and Visualization
• On a single-pane view, display all unmanaged devices, rogue clients, tags and interference
• Rogue AP detection
• Ease of troubleshooting connectivity issues caused by RF interference
• Client location tracking
[Figure: floor-plan view marking a Rogue AP, a Rogue Client, a Source of Interference and an Attacker.]
Factory Wireless Architecture
• With all the information obtained from the APs, the WLC can provide a full view of the following on a dashboard when coupled with a visualization tool: rogue APs/clients, signal quality (RSSI, SNR, etc.) and RF interference on the factory floors
Use of VPN and Remote Desktop Connection
• Engineers and vendors use VPN to remotely connect to the Enterprise zone. Access from the Enterprise zone to the OT network is only allowed for addresses configured on the IDMZ firewall
• The IDMZ firewall uses SSL VPN to provide remote desktop services to OT network systems such as HMIs. Engineers use these published applications or access the portal with links to these services. IDMZ firewall rules use ACLs to restrict access to only specific destinations while, at the same time, the IPS inspects and blocks malicious traffic
• The IDMZ firewall and the respective application security feature limit remote desktop application access to only certain predefined resources
• This can be achieved with Cisco ASA or the Windows Server Remote Desktop Gateway feature
VPN coupled with Remote Desktop Connection provides an effective way to fend off security threats via remote access
[Figure: Secure Remote Access – the remote access path, with the enterprise side under IT management and the OT side under OT management.]
Secure Remote Access – Cisco ASA/ISA Clientless VPN Service (Browser-based Application Gateway)
Cisco ASA/ISA clientless VPN serves as an efficient option by providing a portal that links to a remote desktop session or an HTML-based application GUI
Internet Exit Management – Two major paths for the OT network to go out to the Internet
1. Via the HQ backbone DMZ: the traffic goes through the WAN to the HQ's backbone DMZ to access the Internet
• Generally this is a desirable approach as it fully leverages the enterprise IT department's security policy and solutions
• However, in this case the OT side does not have full control over the security controls, and there may be cases where security measures that OT desires are not implemented. For example, IT security may not maintain a white-list using the IP addresses and domain names of each factory
2. Direct Internet access
• There are cases where path 1 is not practical, such as when transferring huge data volumes to the cloud for analysis. In this case, direct routing to the Internet from the factory for the specific cloud applications is justifiable
Measures to be considered: for both paths, the following rules should be adhered to
• IP white-listing on the factory's Internet gateway router
• Domain filtering via a forward proxy
• Inspection via NGN firewall and Secure Web Gateway
• Use a dedicated line or VPN for the cloud services
[Figure: Internet and Cloud Management – the Factory connects over MPLS (R14) to the DC and its DMZ, which exits to the Internet and the cloud services; a second, direct path leads from the factory to the Internet and the cloud services.]
Internet and Cloud Management – Vendor External Cloud Connectivity
• More machine vendors are requesting remote access to their respective machines via the cloud for maintenance purposes
• This poses a high security risk as there is no way to control and inspect the traffic going through an embedded LTE module, etc. (the "LTE Backup" issue)
Recommended Solutions
• Audit the security level and maturity of the vendor's system during the vendor selection stage
• To prevent malware coming in from the vendor network, the following should be implemented:
  • Segment the machines into a specific zone and use VLAN/ACL/firewall rules to restrict the traffic flows, in addition to IPS for deep inspection
  • Monitor security event logs and NetFlow
Visualization And Monitoring of Devices and Applications – Inventory Identification In Smart Factory
• For security management and operations, it is important to:
  - Identify devices and applications in the network for inventory control
  - Establish a traffic baseline for applications and protocols
• However, this is not a simple task as there are many machines, devices and applications in the factory. It is made even more complicated by the ports, protocols, traffic patterns and baseline traffic involved, and the same situation applies to a Smart Factory as time goes by
• The following two approaches can be considered to tackle this problem:
  1. Deploy NG-FW/IPS. NG-FW/IPS has the capability to profile devices, applications and services in detail, which helps in event audit and in dealing with malicious attacks. The device profiling also helps to visualize the inventory in the network
  2. NAC. A NAC solution enables detailed profiling of devices connected to the network, especially when it comes to profiling devices that are not compatible with standard AAA
[Figure: security contexts gathered by a typical IPS, a typical NGFW and Cisco Firepower™ NGFW – malware, client application, OS, mobile device, VoIP phone, router/switch, printer, C&C servers, network server, user, file transfer, web application, application control and network exploitation.]
Security Contexts Gathered by NGN Firewall (NGFW)/IPS
A typical FW/IPS inspects for malicious traffic and signatures, whereas the NGN FW can also do profiling based on device, OS, application, etc. This feature enhances the overall security level by handling the various components in the network according to their respective weaknesses
Visualization And Monitoring of Devices and Applications
Cisco Identity Services Engine (ISE)
[Figure: ISE differentiates network/user context – Who (employee, contractor, guest), What, Where, When and How – using device profiling signatures.]
By profiling devices/users in the network, the visualization enables better and more efficient control
Visualization And Monitoring of Devices and Applications
• Cisco ISE – high-end NAC (Network Access Control) solution
• Integrating the profiling with AAA provides precise visualization of the devices and users accessing the network
Cisco ISE
[Figure: examples of devices profiled by ISE – printer, fax, IP phone, IP camera, wireless AP, UPS, hub, cashier machine, MRI etc., alarm system, video conference, entrance gate, air conditioning, network monitor, vending machine.]
Visualization And Monitoring of Devices and Applications
For devices that do not support 802.1X authentication, ISE uses signatures to check the type/vendor for identification/profiling
Cisco ISE – Dashboard Display
Use the most advanced probes to identify device types and match them to policy.
Create contextual identity with the user, location, time, vulnerability score and other attributes.
Use this to monitor behaviors and help determine access and segmentation policies as well as behavioral and forensics investigations.
Share contextual information with other security products, enriching their value and providing deeper visibility across the entire security apparatus.
Visualization And Monitoring of Devices and Applications
Cisco Stealthwatch – NetFlow Info Collection, Anomaly Detection
Network-wide visualization
• Data flow
• Device profiling
• Network profiling (traffic baselining)
• Policy monitoring
• Anomaly detection (host/port scanning, C&C, suspicious outbound traffic, alerts)
Result: speedy incident management
[Figure: NetFlow from compatible devices (router, switch, wireless, firewall, etc.) is collected by Cisco Stealthwatch, which collaborates with Cisco ISE over the pxGrid API; ISE supplies the contexts used for security analysis (user, device profiling and logs) and carries out incident response such as dynamic segmentation to isolate threats. This gives enhanced visualization and dynamic security measures via the Cisco ISE collaboration.]
Visualization And Monitoring of Devices and Applications
Cisco Stealthwatch is an integrated platform to collect and analyze the information gathered by NetFlow for security audit. This enables the detection of, and alerting on, any anomalous traffic in the network
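Added example (not Stealthwatch or any other Cisco code): a minimal NetFlow-style baseline-and-anomaly pass over constructed flow records, covering the traffic baselining called for under Inventory Identification above and the anomaly types listed for Stealthwatch (new conversations, host/port scanning, control hosts talking to the Internet, outbound volume spikes). The record format, address ranges, port choices and thresholds are assumptions made for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed address plan for the example: the OT control network and the IDMZ.
CONTROL = ip_network("10.3.0.0/16")
DMZ = ip_network("10.2.0.0/24")
SCAN_PORTS = 10      # distinct destination ports from one host to one peer => scan
VOLUME_FACTOR = 5    # bytes above this multiple of the learned peak => spike

def parse_flows(lines):
    """Parse constructed 'src dst proto dport bytes' records into dicts."""
    flows = []
    for line in lines:
        src, dst, proto, dport, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "proto": proto, "dport": int(dport), "bytes": int(nbytes)})
    return flows

def build_baseline(flows):
    """Learn the normal conversations (src, dst, proto, dport) and their peak byte count."""
    baseline = {}
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], f["dport"])
        baseline[key] = max(baseline.get(key, 0), f["bytes"])
    return baseline

def is_internal(addr):
    return ip_address(addr) in CONTROL or ip_address(addr) in DMZ

def detect(flows, baseline):
    """Return (kind, src, dst, detail) alerts for flows that deviate from the baseline."""
    alerts, ports_per_peer = [], defaultdict(set)
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], f["dport"])
        ports_per_peer[(f["src"], f["dst"])].add(f["dport"])
        if ip_address(f["src"]) in CONTROL and not is_internal(f["dst"]):
            alerts.append(("control_to_internet", f["src"], f["dst"], f["dport"]))
        if key not in baseline:                       # never seen in the learning period
            alerts.append(("new_conversation", f["src"], f["dst"], f["dport"]))
        elif f["bytes"] > VOLUME_FACTOR * baseline[key]:
            alerts.append(("volume_spike", f["src"], f["dst"], f["bytes"]))
    for (src, dst), ports in ports_per_peer.items():  # many ports to one peer => scan
        if len(ports) >= SCAN_PORTS:
            alerts.append(("port_scan", src, dst, len(ports)))
    return alerts

# Constructed learning-period records: controllers talk EtherNet/IP (tcp/44818) to the site
# historian, the historian feeds the DMZ mirror over SQL, and an OT host syncs NTP with the DMZ.
LEARNING = ["10.3.1.5 10.3.1.20 tcp 44818 8000",
            "10.3.1.6 10.3.1.20 tcp 44818 8200",
            "10.3.1.20 10.2.0.10 tcp 1433 120000",
            "10.3.1.30 10.2.0.20 udp 123 90"]
# Constructed later records: one normal flow, a 7x volume spike, a control host reaching an
# Internet address, an unexpected Modbus (tcp/502) conversation, and a 12-port sweep.
LATER = ["10.3.1.5 10.3.1.20 tcp 44818 8100",
         "10.3.1.20 10.2.0.10 tcp 1433 900000",
         "10.3.1.30 203.0.113.8 tcp 443 5000",
         "10.3.1.6 10.3.1.20 tcp 502 60"] + [f"10.3.1.77 10.3.1.20 tcp {p} 60" for p in range(20, 32)]

def run_example():
    """Count alerts by kind for the constructed data (returns a Counter)."""
    baseline = build_baseline(parse_flows(LEARNING))
    return Counter(kind for kind, *_ in detect(parse_flows(LATER), baseline))
```

On the constructed data run_example() reports one volume spike, one control-to-Internet flow, one port scan and fourteen new conversations (the Internet flow, the Modbus flow and the twelve sweep flows), which is the kind of baseline deviation a NetFlow collector is expected to surface.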
Deploy Connected Factory - Security in Your Manufacturing Facility
• http://www.cisco.com/go/factorysecurity
CPwE – Converging Reference Model (Zone / Level / Name / Description)
Zone: Enterprise (IT or OA)
  Level 5 – Enterprise: Corporate-level applications (for example, ERP, CRM, document management) and services (Internet access, VPN entry point) exist in this level.
  Level 4 – Site business planning and logistics: Manufacturing facility IT services exist in this level and may include scheduling systems, material flow applications, manufacturing execution systems (MES), and local IT services (phone, e-mail, printing, security/monitoring).
Zone: DMZ
  Level DMZ – DMZ:
  • Provides a buffer zone where services and data can be shared between the Manufacturing and Enterprise zones. In addition, the DMZ allows for easy segmentation of organizational control.
  • Cisco and Rockwell Automation recommend that the DMZ be designed so that no traffic traverses the DMZ. All traffic should originate/terminate in the DMZ.
Zone: Manufacturing (OT or FA)
  Level 3 – Site manufacturing operations and control: Control room, controller status, IACS network/application administration, and other control-related applications (supervisory control, historian).
  Level 2 – Basic control: Multidiscipline controllers, dedicated HMIs, and other applications may talk to each other to run a part or the whole IACS.
  Level 1 – Process: Where devices (sensors, actuators) and machines (drives, motors, robots) communicate with the controller or multiple controllers.
  Level Safety – Safety-critical: Devices, sensors, and other equipment used to manage the safety functions of an IACS.