© 2019 Cisco and/or its affiliates. All rights reserved.


Page 1: © 2019 Cisco and/or its affiliates. All rights reserved. · Apply traffic inspection (IPS rules, malware scan etc) to IDMZ traffic if necessary Web E-Mail Industrial IDMZ Installation


Vinay Dua

Head – Business Development, IoT & Digital Transformation

Manufacturing Industry Vertical

Cisco India & SAARC

Industrial Cybersecurity: The Never-Ending Journey

RAOTM, 22nd January 2019


3 C97-734467-00 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

CPwE – Converged Plantwide Ethernet

Cisco and Rockwell Automation have tested and validated CPwE architectures to help manufacturers create a secure and adaptable network strategy. The CPwE architectures help customers achieve:

• Lower total cost of ownership

• Faster time to market

• Improved operational responsiveness

• Security


Key Requirements and Consideration for Factory Security

Cisco security solutions transform diverse manufacturing processes, allowing companies to securely integrate infrastructure, machine processes, and people. Designed to deliver maximum ROI and measurable business outcomes, these solutions and services include:

• Segmentation within the OT network

• IDMZ Installation and Management

• Factory Wireless for IT and OT

• Secure Remote Access - Remote Access VPN

• Internet and Cloud

• Visualization and Monitoring of Devices and Applications


• By grouping OT devices into segments, we achieve enhanced management, optimized access control and processing performance, and on top of that the ability to quickly isolate the affected segment in the event of a security incident

• Devices that need to communicate frequently are normally grouped into the same segment. Similarly, it is important to ensure the shortest path from field controllers to site-level control systems etc.

• Although VLANs and subnetting are the most common way of doing segmentation, software-based network access policy via Cisco TrustSec, SDA or ACI can also be deployed to meet stricter and more complex requirements

• Many topologies are available, depending on the needs for cost, scalability, reliability and ease of installation

Segmentation Approach

[Diagram: Cell/Area Zone topologies: Linear, Star/Bus, Ring (Resilient Ethernet Protocol, REP) and Redundant Star (Flex Links / EtherChannel). Each Cell/Area Zone contains controllers, drives, distributed I/O and an HMI, connected upstream to a Distribution Switch; the access switch shown is a Cisco Catalyst 2955]

Segmentation Within The OT Network


Cell/Area Zone Segmentation by Campus Network Architecture

• Group machines, controllers and other OT systems into different Cell/Area Zones based on their respective functions

• Use VLAN/VRF/ACL or VLAN/VRF/Firewall (multi-context) to restrict access between segments of the Cell/Area Zone

• In this example, all segments can communicate with each other via the firewall, subject to security policy

Segmentation Within The OT Network

[Diagram: Cell/Area Zone 1 (Levels 0-2: Redundant Star Topology), Cell/Area Zone 2 (Levels 0-2: Ring Topology, REP*) and Cell/Area Zone 3 (Levels 0-2: Linear/Bus/Star Topology), each carrying OT (FA) and IT (OA) traffic. Zone devices include safety controllers, robots, safety I/O, servo drives, soft starters, instrumentation, controllers, HMIs, Stratix 5400 switches, APs with SSID OT 5 GHz and SSID IT 2.4 GHz, WGBs, cameras and phones, plus PCs and mobiles for IT. The zones attach to OT Distribution and IT Distribution layers, which connect to the OT Backbone and IT Backbone; the IDMZ Firewall sits between them, with OT Servers, DMZ Servers and IT Servers. * Resilient Ethernet Protocol]


Cell/Area Zone Segmentation by Cisco ACI and SDA

• The IT/OT networks in the Cell/Area Zones connect to redundant Leaf switches and are logically separated

• The ACI Controller enables configuration, setup and management of the entire network

• Communication between Cell/Area Zones is possible through the ACI Contract function

Segmentation Within The OT Network

[Diagram: the same three Cell/Area Zones (Zone 1: Levels 0-2, Redundant Star Topology; Zone 2: Levels 0-2, Ring Topology, REP*; Zone 3: Levels 0-2, Linear/Bus/Star Topology), each with OT (FA) and IT (OA) traffic, attached to redundant Leaf switches of a Leaf/Spine fabric managed by the ACI Controller (40G). The IDMZ Firewall, OT Servers, IT Servers and DMZ Servers also attach to the fabric. * Resilient Ethernet Protocol]


IDMZ (Industrial DMZ)

[Diagram: zone and level reference model, top to bottom]

Enterprise Security Zone
  Level 5: Enterprise Network
  Level 4: Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)

Industrial DMZ (Firewall): Remote Desktop Gateway, Patch / AV Server, Historian Mirror, Web App Reverse Proxy

Industrial Security Zone
  Level 3: Site Operations and Control (SCADA Server, Application Historian, Engineering Workstation, Remote Access Server)
  Cell/Area Zone
    Level 2: Area Supervisory Control (Control Server, Operator Interface, Engineering Workstation)
    Level 1: Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control)
    Level 0: Process (Sensors, Drives, Actuators, Robots)

• Security requirements in IT and OT differ due to their characteristics and user needs. It is strongly recommended to apply the strictest zone segmentation between IT and OT for maximum security

• Therefore, an IDMZ should be built in between, with a firewall to allow only permitted communications and proxy servers for the relevant services

• Ensure all IT/OT communications go through a single path, the firewall, with rules that only permit necessary and predefined communications

• An Active-Standby firewall pair in the IDMZ is strongly recommended for redundancy and availability

• Apply traffic inspection (IPS rules, malware scan etc.) to IDMZ traffic if necessary

[Diagram: IDMZ example. Enterprise-side services (Web, E-Mail) and Industrial-side systems exchange data only through the IDMZ, with flows labelled "File copy, Patch etc.", "DC replicate, NTP Sync etc." and "File Transfer Proxy"]

Firewall rules to allow necessary IT/OT communications

Deny undefined IT/OT communications (e.g. deny OT protocols from crossing into the IT section; deny OT systems from accessing the Internet and email, etc.)

Proxy services (file transfer, reverse proxy) for IT/OT communications; also do packet inspection if necessary

IDMZ Installation and Management


IDMZ Installation and Management

DMZ Firewall Rules Recommendations

In summary, the following should be considered recommended practice for general firewall rule sets:

• The base rule set should be deny all, permit none.

• Ports and services between the control network environment and the corporate network should be enabled and permissions granted on a specific case-by-case basis. There should be a documented business justification with risk analysis and a responsible person for each permitted incoming or outgoing data flow.

• All “permit” rules should be both IP address and TCP/UDP port specific, and stateful if appropriate.

• All rules should restrict traffic to a specific IP address or range of addresses.

• Traffic should be prevented from transiting directly from the control network to the corporate network. All traffic should terminate in the DMZ.

• Any protocol allowed between the control network and DMZ should explicitly NOT be allowed between the DMZ and corporate networks (and vice-versa).

• All outbound traffic from the control network to the corporate network should be source- and destination-restricted by service and port.

• Outbound packets from the control network or DMZ should be allowed only if those packets have a correct source IP address that is assigned to the control network or DMZ devices.

• Control network devices should not be allowed to access the Internet.

• Control networks should not be directly connected to the Internet, even if protected via a firewall.

• All firewall management traffic should be carried on either a separate, secured management network (e.g., out of band) or over an encrypted network with two-factor authentication. Traffic should also be restricted by IP address to specific management stations.

Do not allow end-to-end TCP session between IT and OT

ISA-99 – Security Attitude (Terms)
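As an added illustration of the rule-set recommendations above (example code, not from the deck or from any Cisco product), a small Python audit that flags a rule set violating them. The Rule format, zone names and all sample addresses are constructed.

```python
"""Audit an IDMZ firewall rule set against the recommended practices listed above.
Added example, not part of the original deck: the Rule format, zone names and all
addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"
# Constructed address space per zone; drives the source-address (anti-spoofing) check.
ZONE_PREFIXES = {
    "control": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz": [ipaddress.ip_network("10.20.0.0/24")],
    "corporate": [ipaddress.ip_network("10.0.0.0/16")],
}

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src_zone: str               # "control", "dmz", "corporate", "internet" or "any"
    dst_zone: str
    src: str = ANY              # CIDR or "any"
    dst: str = ANY              # CIDR or "any"
    proto: str = ANY            # "tcp", "udp" or "any"
    port: Optional[int] = None  # destination port; None means any

def _specific(cidr: str) -> bool:
    # A real host or range, not "any" and not 0.0.0.0/0
    return cidr != ANY and ipaddress.ip_network(cidr).prefixlen > 0

def _within_zone(cidr: str, zone: str) -> bool:
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(p) for p in ZONE_PREFIXES.get(zone, []))

def audit_ruleset(rules: List[Rule]) -> List[str]:
    """Return one finding per violated recommendation; an empty list means compliant."""
    findings: List[str] = []
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == ANY and last.dst == ANY
            and last.proto == ANY and last.port is None):
        findings.append("base rule set must end with an explicit deny-all")
    legs = {}  # (proto, port) -> zone pairs on which that service is permitted
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        tag = f"rule {i}"
        if not (_specific(r.src) and _specific(r.dst)):
            findings.append(f"{tag}: permit must name specific source and destination addresses")
        if r.proto == ANY or r.port is None:
            findings.append(f"{tag}: permit must be protocol and port specific")
        if {r.src_zone, r.dst_zone} == {"control", "corporate"}:
            findings.append(f"{tag}: control and corporate may not talk directly; terminate in the DMZ")
        if r.src_zone == "control" and r.dst_zone == "internet":
            findings.append(f"{tag}: control network devices may not reach the Internet")
        if r.src_zone in ("control", "dmz") and _specific(r.src) and not _within_zone(r.src, r.src_zone):
            findings.append(f"{tag}: source {r.src} is not assigned to the {r.src_zone} zone")
        if r.proto != ANY and r.port is not None:
            legs.setdefault((r.proto, r.port), set()).add(frozenset({r.src_zone, r.dst_zone}))
    # A service allowed control<->DMZ must not also be allowed DMZ<->corporate (no end-to-end path).
    for (proto, port), seen in legs.items():
        if {frozenset({"control", "dmz"}), frozenset({"dmz", "corporate"})} <= seen:
            findings.append(f"{proto}/{port} is permitted on both sides of the DMZ")
    return findings

# Constructed sample: two compliant historian-mirror rules, then deliberate violations.
SAMPLE_RULES = [
    Rule("permit", "control", "dmz", "10.10.5.10/32", "10.20.0.10/32", "tcp", 5450),
    Rule("permit", "dmz", "corporate", "10.20.0.10/32", "10.0.8.0/24", "tcp", 443),
    Rule("permit", "corporate", "dmz", "10.0.9.5/32", "10.20.0.20/32", "tcp", 445),   # same service
    Rule("permit", "dmz", "control", "10.20.0.20/32", "10.10.6.0/24", "tcp", 445),    # on both legs
    Rule("permit", "control", "corporate", "10.10.7.1/32", "10.0.1.1/32", "tcp", 3389),  # direct
    Rule("permit", "control", "dmz", "192.168.1.0/24", "10.20.0.0/24"),   # foreign source, any port
    Rule("permit", "control", "internet", "10.10.8.8/32", "0.0.0.0/0", "tcp", 80),   # OT to Internet
    Rule("deny", "any", "any"),
]

if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_RULES):
        print(finding)
```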


Factory Wireless for IT and OT

Unified Management Via Wireless Controller

[Diagram: factory wireless architecture over the three Cell/Area Zones (Zone 1: Redundant Star; Zone 2: Ring, REP*; Zone 3: Linear/Bus/Star), each with OT (FA) and IT (OA) traffic. A WLC (Wireless LAN Controller) configures SSID, channel, VLAN and encryption policies for all APs; APs serve SSID OT 5 GHz (WGBs, controllers) and SSID IT 2.4 GHz (cameras, phones, PCs and mobiles for IT). Stratix 5400 switches, OT/IT Distribution, OT/IT Backbone and the IDMZ Firewall as in the previous diagrams]

• It is recommended to have wireless controllers serve as the centralized, unified management point for the pervasive wireless APs in a Smart Factory. Wireless security can then also be rolled out uniformly across all the APs

• Unified management enables easy tuning of channels and TX power, as well as rogue AP detection for security


Wireless Network Security and Visualization

• On a single-pane view, display all unmanaged devices, rogue clients, tags and interference

• Rogue AP detection

• Ease of troubleshooting connectivity issues caused by RF interference

• Client location tracking

[Diagram: WLC dashboard view of the factory floor showing a Rogue AP, a Rogue Client, a Source of Interference and an Attacker]

Factory Wireless Architecture

• With all the information obtained from the APs, the WLC, coupled with a visualization tool, is able to provide a full dashboard view of the following: rogue APs/clients, signal quality (RSSI, SNR etc.), RF interference on factory floors etc.


Use of VPN and Remote Desktop Connection

• Engineers and vendors use VPN to remotely connect to the Enterprise zone. Access from the Enterprise zone to the OT network is only allowed for addresses configured on the IDMZ firewall

• The IDMZ FW uses SSL VPN to provide remote desktop services to OT network systems such as HMIs. Engineers use these published applications or access the portal with the links to these services. IDMZ firewall rules use ACLs to restrict access to only specific destinations, and at the same time the IPS inspects and blocks malicious traffic

• The IDMZ firewall and the respective application security features limit remote desktop application access to only certain predefined resources

• This can be achieved with Cisco ASA or the Windows Server Remote Desktop Gateway feature

VPN coupled with Remote Desktop Connection provides an effective way to fend off security threats via remote access

[Diagram: remote access path, with the Enterprise side labelled "Under IT Management" and the IDMZ/OT side labelled "Under OT Management"]

Secure Remote Access


Secure Remote Access

Cisco ASA/ISA Clientless VPN Service: Browser-based Application Gateway

Cisco ASA/ISA Clientless VPN is an efficient option, providing a portal that links to a Remote Desktop session or to an HTML-based application GUI


Internet Exit Management

Two major paths for the OT network to go out to the Internet:

1. Via the enterprise DMZ: the traffic goes through the WAN to the HQ’s backbone DMZ to access the Internet

• Generally this is a desirable approach, as it fully leverages the enterprise IT department’s security policy and solutions

• However, in this case the OT side does not have full control over the security controls, and there may be cases where security measures that OT desires are not implemented. For example, IT security may not maintain the white-list of IP addresses and domain names for each factory

2. Direct Internet access

• There are cases where the enterprise path is not practical, such as when transferring huge data volumes to the cloud for analysis. In this case, direct routing to the Internet from the factory for the specific cloud applications is justifiable

Measures to be considered: for both paths, the following rules should be adhered to

• IP white-listing on the factory’s Internet gateway router

• Domain filtering via a forward proxy

• Inspection via NGN Firewall and Secure Web Gateway

• Use a dedicated line or VPN for the cloud services

[Diagram: Factory connected over MPLS to the DC and its DMZ (path 1) and directly to the Internet (path 2); Cloud Services reachable via either path]

Internet and Cloud Management


Vendor External Cloud Connectivity

“LTE Backup” Issue

• More machine vendors are requesting remote access to their respective machines via the cloud for maintenance purposes

• This poses a high security risk, as there is no way to control and inspect the traffic going through the embedded LTE module etc.

Recommended Solutions

• Audit the security level and maturity of the vendor’s system during the vendor selection stage

• To prevent malware coming in from the vendor network, the following should be implemented:

  • Segment the machines into a specific zone and use VLAN/ACL/firewall rules to restrict the traffic flows, in addition to IPS for deep inspection

  • Monitor security event logs and NetFlow

Internet and Cloud Management


Inventory Identification In Smart Factory

• For security management and operations, it is important to:

  - Identify devices and applications in the network for inventory control

  - Establish a traffic baseline for applications and protocols

• However, this is not a simple task, as there are many machines, devices and applications in the factory. It is made even more complicated by their ports, protocols, traffic patterns and baseline traffic, and the situation in a Smart Factory grows more complex as time goes by

• The following two approaches can be considered to tackle this problem:

  1. Deploy NG-FW/IPS: NG-FW/IPS has the capability to profile the devices, applications and services in detail, which helps in event audit and also against malicious attacks. The device profiling also helps to visualize the inventory in the network

  2. NAC: a NAC solution enables detailed profiling of devices connected to the network, especially devices that are not compatible with standard AAA

Visualization And Monitoring of Devices and Applications


[Diagram: comparison of the security contexts gathered by a Typical IPS, a Typical NGFW and Cisco Firepower™ NGFW across: Malware, Client Application, OS, Mobile Device, VoIP Phone, Router/Switch, Printer, C&C Servers, Network Server, User, File Transfer, Web Application, Application Control, Network Exploitation]

Security Contexts Gathered by NGN Firewall (NGFW)/IPS

A typical FW/IPS inspects for malicious traffic and signatures, whereas the NGN FW has the capability to do profiling based on device, OS, application etc. This feature enhances the overall security level by handling the various components in the network according to their respective weaknesses.

Visualization And Monitoring of Devices and Applications


Cisco Identity Services Engine (ISE)

[Diagram: ISE differentiates network/user context along Who (Employee, Contractor, Guest), What (device profiling signature), Where, When and How]

By profiling devices and users in the network, the visualization enables better and more efficient control

Visualization And Monitoring of Devices and Applications

• Cisco ISE: a high-end NAC (Network Access Control) solution

• Integrating profiling with AAA provides precise visualization of the devices and users accessing the network


Cisco ISE

[Diagram: examples of devices profiled by ISE: Printer, FAX, IP Phone, IP Camera, Wireless AP, UPS, Hub, Cashier Machine, MRI etc., Alarm System, Video Conference, Entrance Gate, Air Con, Network Monitor, Vending Machine]

Visualization And Monitoring of Devices and Applications

For devices that do not support 802.1X authentication, ISE uses signatures to determine the type and vendor for identification and profiling


Cisco ISE – Dashboard Display

Use the most advanced probes to identify device types and match them to policy.

Create contextual identity with the user, location, time, vulnerability score and other attributes.

Use this to monitor behaviors and help determine access and segmentation policies as well as behavioral and forensics investigations.

Share contextual information with other security products, enriching their value and providing deeper visibility across the entire security apparatus.

Visualization And Monitoring of Devices and Applications!


Cisco Stealthwatch – Netflow Info Collection, Anomaly Detection

Network-wide visualization

• Data flow

• Device profiling

• Network profiling (traffic baselining)

• Policy monitoring

• Anomaly detection (host/port scanning, C&C, suspicious outbound traffic, alerts)

• Speedy incident management

[Diagram: NetFlow from compatible devices (router, switch, wireless, firewall etc.) is collected by Cisco Stealthwatch, which collaborates with Cisco ISE over the pxGrid API. Cisco ISE supplies the contexts used for security analysis (user, device profiling and logs) and drives Incident Response through dynamic segmentation to isolate the threats etc. The result is enhanced visualization and dynamic security measures via Cisco ISE collaboration]

Visualization And Monitoring of Devices and Applications

Cisco Stealthwatch: an integrated platform to collect and analyze the information gathered by NetFlow for security audit. This enables detection of, and alerting on, any anomalous traffic in the network
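An added example (not Stealthwatch code or output) of the anomaly detections listed above applied to constructed NetFlow-style records: OT protocols crossing into the IT zone, suspicious outbound traffic from OT, host/port scanning, and deviation from a learned traffic baseline. The Flow format, address ranges, thresholds and sample flows are all constructed.

```python
"""Anomaly detection over NetFlow-style records, following the detections listed above.
Added example (not Stealthwatch code or output): the Flow format, address ranges,
thresholds and all sample flows are constructed for illustration."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Set, Tuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    octets: int

# Constructed address plan: internal zones, and the OT protocols that must stay inside OT.
OT_NET = ipaddress.ip_network("10.10.0.0/16")
INTERNAL_NETS = [OT_NET, ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.0.0.0/16")]
OT_PROTOCOL_PORTS = {502: "modbus", 44818: "ethernet/ip", 20000: "dnp3"}
HOST_SCAN_THRESHOLD = 20   # distinct destination hosts contacted by one source
PORT_SCAN_THRESHOLD = 15   # distinct destination ports on one host from one source
Key = Tuple[str, str, str, int]

def learn_baseline(flows: Iterable[Flow]) -> Set[Key]:
    """Traffic baseline: every (src, dst, proto, dport) seen during a clean window."""
    return {(f.src, f.dst, f.proto, f.dport) for f in flows}

def _internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)

def detect_anomalies(flows: Iterable[Flow], baseline: Set[Key]) -> Dict[str, list]:
    """Group alerts by type; an empty dict means nothing anomalous was seen."""
    alerts: Dict[str, list] = defaultdict(list)
    hosts_by_src: Dict[str, set] = defaultdict(set)
    ports_by_pair: Dict[Tuple[str, str], set] = defaultdict(set)
    new_by_src: Dict[str, int] = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        hosts_by_src[f.src].add(f.dst)
        ports_by_pair[(f.src, f.dst)].add(f.dport)
        # OT protocol leaving the OT zone: should have been denied at the IDMZ firewall.
        if f.dport in OT_PROTOCOL_PORTS and src in OT_NET and dst not in OT_NET:
            alerts["ot_protocol_crossing"].append((f.src, f.dst, OT_PROTOCOL_PORTS[f.dport]))
        # OT host reaching a non-internal address: suspicious outbound traffic / possible C&C.
        if src in OT_NET and not _internal(dst):
            alerts["suspicious_outbound"].append((f.src, f.dst, f.dport))
        # Policy monitoring: flows absent from the learned baseline, counted per source.
        if (f.src, f.dst, f.proto, f.dport) not in baseline:
            new_by_src[f.src] += 1
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= HOST_SCAN_THRESHOLD:
            alerts["host_scan"].append((src, len(hosts)))
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            alerts["port_scan"].append((src, dst, len(ports)))
    if new_by_src:
        alerts["baseline_deviation"] = sorted(new_by_src.items())
    return dict(alerts)

# Constructed flows: a clean baseline window, then a window containing four kinds of anomaly.
BASELINE_FLOWS = [
    Flow("10.10.5.10", "10.10.5.1", "tcp", 44818, 12000),   # HMI -> controller, EtherNet/IP
    Flow("10.10.5.10", "10.20.0.10", "tcp", 5450, 8000),    # HMI -> historian mirror in the IDMZ
    Flow("10.10.5.20", "10.10.5.1", "tcp", 502, 3000),      # engineering workstation -> controller
]
OBSERVED_FLOWS = BASELINE_FLOWS + [
    Flow("10.10.5.20", "10.0.3.7", "tcp", 502, 1500),       # Modbus into the IT zone
    Flow("10.10.5.30", "198.51.100.9", "tcp", 443, 90000),  # OT host to an external address
] + [Flow("10.10.5.40", f"10.10.6.{i}", "tcp", 44818, 60) for i in range(1, 31)]  # host sweep
OBSERVED_FLOWS += [Flow("10.10.5.40", "10.10.5.1", "tcp", p, 60) for p in range(1, 21)]  # port sweep

if __name__ == "__main__":
    for kind, items in detect_anomalies(OBSERVED_FLOWS, learn_baseline(BASELINE_FLOWS)).items():
        print(kind, items)
```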


Deploy Connected Factory - Security in Your Manufacturing Facility

• http:www.cisco.com/go/factorysecurity


CPwE – Converging Reference Model (Zone, Level, Name, Description)

Zone: Enterprise (IT or OA)

  Level 5, Enterprise: Corporate-level applications (for example, ERP, CRM, document management) and services (Internet access, VPN entry point) exist in this level.

  Level 4, Site business planning and logistics: Manufacturing facility IT services exist in this level and may include scheduling systems, material flow applications, manufacturing execution systems (MES), and local IT services (phone, E-mail, printing, security/monitoring).

Zone: DMZ

  DMZ: Provides a buffer zone where services and data can be shared between the Manufacturing and Enterprise zones. In addition, the DMZ allows for easy segmentation of organizational control. Cisco and Rockwell Automation recommend that the DMZ be designed so that no traffic traverses the DMZ. All traffic should originate/terminate in the DMZ.

Zone: Manufacturing (OT or FA)

  Level 3, Site manufacturing operations and control: Control room, controller status, IACS network/application administration, and other control-related applications (supervisory control, historian).

  Level 2, Basic control: Multidiscipline controllers, dedicated HMIs, and other applications may talk to each other to run a part or whole IACS.

  Level 1, Process: Where devices (sensors, actuators) and machines (drives, motors, robots) communicate with the controller or multiple controllers.

  Safety, Safety-critical: Devices, sensors, and other equipment used to manage the safety functions of an IACS.