TRANSCRIPT
PUBLIC
Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved. 1
Consumer Industry Day – Importance of network structure and cyber security
Arno den Elzen
Date – 31st January 2017
Agenda
• Actionable steps for customers
• Cyber Security Threats
• Overview Stratix series
• Rockwell Automation Network standardisation
Logical Model ISA 95 – Controlling Access to the Industrial Zone

Logical Model ISA 95 – Industrial Automation and Control System (IACS): Connect to Company Enterprise System. The slide figure arranges the ISA-95 levels into zones separated by firewalls; the recoverable content of the figure is:

Enterprise Security Zone
• Level 5 – Enterprise Network (Web, E-Mail)
• Level 4 – Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)

Firewall

Industrial DMZ
• Patch Management
• AV Server
• Application Mirror
• Web Services Operations
• Application Server

Firewall

Industrial Security Zone
• Level 3 – Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, VSE – Remote Access Client, FactoryTalk Client, Operator Interface
• Cell/Area Zone (CIP traffic)
  • Level 2 – Area Supervisory Control: FactoryTalk Client, Engineering Workstation, Operator Interface
  • Level 1 – Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
  • Level 0 – Process: Sensors, Drives, Actuators, Robots
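The zoning above (and the "Plant Firewalls – inter-zone traffic segmentation, ACLs" item in the CPwE framework that follows) is the security point of the ISA-95 model: Enterprise and Industrial zones never talk directly, and everything crossing the boundary is brokered by services in the IDMZ. The following added example is not Rockwell Automation or Cisco code; it maps constructed subnets to the four zones, encodes a constructed inter-zone policy, and audits constructed firewall-style log lines for flows that bypass the IDMZ or fall outside the policy.

```python
"""Inter-zone flow check modelled on the ISA-95 / CPwE zoning in these slides.

Added example, not Rockwell Automation or Cisco code. The subnet-to-zone map,
the policy table and the log lines are constructed for illustration.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed: one subnet per zone (assumption; real plants have many per zone).
ZONES = {
    "enterprise": ip_network("10.1.0.0/16"),      # Levels 4-5
    "idmz":       ip_network("10.2.0.0/24"),      # Industrial DMZ
    "industrial": ip_network("10.3.0.0/16"),      # Level 3 site operations
    "cell_area":  ip_network("192.168.10.0/24"),  # Levels 0-2, CIP traffic
}

# Constructed inter-zone policy the plant firewalls are expected to enforce.
# Anything not listed is denied; intra-zone traffic is the switch ACL/VLAN's job.
ALLOWED = {
    ("enterprise", "idmz", "https"),
    ("enterprise", "idmz", "rdp"),       # Remote Desktop Gateway sits in the IDMZ
    ("idmz", "industrial", "rdp"),       # gateway relays into Level 3 only
    ("idmz", "industrial", "https"),     # application mirror sync
    ("industrial", "idmz", "https"),     # Level 3 pulls patches / AV updates
    ("industrial", "cell_area", "cip"),  # Level 3 to controllers
    ("cell_area", "industrial", "cip"),
}


def zone_of(ip):
    """Return the zone name for an address, or 'unknown' if it is unmapped."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate_flow(src, dst, service):
    """Return (verdict, reason) for one observed flow."""
    s, d = zone_of(src), zone_of(dst)
    if "unknown" in (s, d):
        return "deny", f"unmapped address in {src} -> {dst}"
    if s == d:
        return "allow", f"intra-zone {s} traffic (VLAN/switch ACL scope)"
    # Core rule of the model: the IDMZ is the only neighbour of the enterprise.
    if "enterprise" in (s, d) and "idmz" not in (s, d):
        return "deny", "direct Enterprise <-> Industrial traffic bypasses the IDMZ"
    if (s, d, service) in ALLOWED:
        return "allow", f"{s} -> {d} {service} permitted by inter-zone policy"
    return "deny", f"{s} -> {d} {service} not in inter-zone policy"


# Constructed log lines in a simple key=value style (not a real firewall format).
SAMPLE_LOG = """\
2017-01-31T08:00:01 src=10.1.5.20 dst=10.2.0.10 svc=rdp
2017-01-31T08:00:02 src=10.2.0.10 dst=10.3.1.5 svc=rdp
2017-01-31T08:00:03 src=10.3.1.5 dst=192.168.10.7 svc=cip
2017-01-31T08:00:04 src=10.1.5.20 dst=192.168.10.7 svc=cip
2017-01-31T08:00:05 src=10.2.0.10 dst=192.168.10.7 svc=cip
2017-01-31T08:00:06 src=192.168.10.7 dst=192.168.10.8 svc=cip
""".splitlines()

LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+svc=(\S+)")


def audit(log_lines):
    """Evaluate every parseable line; returns [(line, verdict, reason), ...]."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict, reason = evaluate_flow(*m.groups())
        findings.append((line.strip(), verdict, reason))
    return findings


def denied(findings):
    """Only the flows that the zone policy would not permit."""
    return [f for f in findings if f[1] == "deny"]


if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5} {reason:60} {line}")
```

Run against the constructed log, two of the six flows are denied: the enterprise workstation reaching a controller directly with CIP, and the IDMZ host reaching the same controller, which the policy does not broker. The first is the case the two-firewall design exists to stop; the second is the kind of gap an assessment of an existing firewall rule base would look for.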
Cisco and Rockwell Automation Alliance – Technology, Network, Cultural and Organizational Convergence

Joint Product Collaboration STRATIX series:
Stratix 5900™ Services Router, Stratix 5950™ Industrial Firewall, Stratix 5100™ Wireless Access Point/Workgroup Bridge, and Stratix™ 5000/Stratix 8000™ families of managed industrial Ethernet switches, combine the best of both Rockwell Automation and Cisco.

Converged Plantwide Ethernet (CPwE) Architectures:
Collection of tested and validated architectures developed by subject matter authorities at Cisco and Rockwell Automation. The content of CPwE is relevant to both Operational Technology (OT) and Information Technology (IT) disciplines and consists of documented architectures, best practices, guidance and configuration settings to help manufacturers with design and deployment of a scalable, robust, safe, secure and future-ready plant-wide industrial network infrastructure.

Common Technology View:
A single scalable architecture, using open and standard Ethernet and IP networking technologies, such as EtherNet/IP, enabling the Industrial Internet of Things to help achieve the flexibility, visibility and efficiency required in a competitive manufacturing environment.

People and Process Optimization:
Education and services to facilitate OT and IT convergence, assist with successful architecture deployment, and enable efficient operations that allow critical resources to focus on increasing innovation and productivity.
Logical Framework – Converged Plantwide Ethernet (CPwE)

The slide figure maps responsibilities onto three layers:
• Operational Technology: EtherNet/IP (Industrial Protocol), Real-Time Control and Information, Industrial Security Policies, Wired and Wireless LANs (Unified and Autonomous WLAN), Fast Network Resiliency, Traffic Segmentation, Data Prioritization, Ease of Use
• Industrial IT: Secure Application and Data Share, Inter-zone Segmentation, Access Control, Threat Protection, Industrial Security Policies, Site Operations, Network Resiliency, Virtualization, Traffic Segmentation, Routing, Network and Security Management
• Information Technology: Enterprise Security Policies, Collaboration Tools, Unified Wireless, Business Application Optimization

Zones and components shown in the figure:
• Enterprise Zone – Levels 4-5: Wide Area Network (WAN); Data Center – Virtualized Servers (ERP – Business Systems; Email, Web Services; Security Services – Active Directory (AD), Identity Services (AAA); Network Services – DNS, DHCP; Call Manager); Enterprise Identity Services; External DMZ / Firewall; Internet; Access Switches; Phone
• Industrial Demilitarized Zone (IDMZ): Plant Firewalls (Active/Standby; Inter-zone traffic segmentation; ACLs, IPS and IDS; VPN Services; Portal and Remote Desktop Services proxy); Physical or Virtualized Servers (Patch Management, AV Server, Application Mirror, Remote Desktop Gateway Server)
• Industrial Zone – Levels 0–3 (Plant-wide Network): Core Switches; Distribution Switch Stack; Identity Services
  • Level 3 – Site Operations (Control Room): Physical or Virtualized Servers (FactoryTalk Application Servers and Services Platform; Network & Security Services – DNS, AD, DHCP, Identity Services (AAA); Storage Array); Remote Access Server; Wireless LAN Controller (WLC), Active/Standby; HMI
  • Cell/Area Zones – Levels 0–2, each connected through a Rockwell Automation Stratix 5000/8000 Layer 2 Access Switch:
    • Redundant Star Topology – Flex Links Resiliency, with Unified Wireless LAN (Lines, Machines, Skids, Equipment): LWAP, SSID 5 GHz, WGB
    • Linear/Bus/Star Topology, with Autonomous Wireless LAN (Lines, Machines, Skids, Equipment): AP, SSID 5 GHz / 2.4 GHz, WGB
    • Ring Topology – Resilient Ethernet Protocol (REP), with Unified Wireless LAN (Lines, Machines, Skids, Equipment): LWAP
    • Devices in the cells: Controller, Safety Controller, HMI, I/O, Safety I/O, Servo Drive, Drive, Soft Starter, Robot, Camera, Instrumentation
Reference Architectures – Converged Plantwide Ethernet (CPwE)
• Tested, validated and documented reference architectures
• Developed from use cases – customer, application, technology
• Tested for performance, availability, repeatability, scalability and security
• Comprised of a collection of Cisco and Rockwell Automation Validated Designs
• Built on technology and industry standards
• "Future-ready" network design
• Network Security Service Team from Rockwell Automation: helps customers to implement secure network architecture and is able to discover performance and cyber security issues in existing infrastructure
Networks Infrastructure Portfolio Positioning

Managed Switches
• Access switching or distribution routing
• Diagnostic information
• Network Address Translation (NAT)
• Segmentation / VLAN capabilities
• Prioritization services (QoS)
• Network resiliency

Security Appliances
• Secure real-time control communication
• Routing and firewall capabilities
• Intrusion protection
• Access control lists
• Deep Packet Inspection (DPI)

Wireless Technology
• Connect hard-to-reach and remote areas
• Mobile access to equipment and key business systems
• Minimizes hardware and wiring

Unmanaged Switches
• Low-cost, compact solution
• Automatically negotiates speed and duplex settings
• No configuration required
• Automatically detects cross-over cable

Embedded Switch Technology
• Enables greater topology configuration choices for EtherNet/IP applications such as linear and device-level ring (DLR)
• Offers diagnostics and fast recovery

Premier Integration to the Rockwell Automation Integrated Architecture® system and embedded Cisco Technology
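The "Network Address Translation (NAT)" capability listed for the managed switches is what lets identical machines, each built with the same private address plan, be connected to one plant-wide network without readdressing, while exposing only the devices that have a translation. The following added example is not Stratix firmware or Rockwell Automation code; it models one-to-one NAT as a pair of translation tables (an assumption about the semantics, sufficient for the point) with constructed addresses for two identical machines.

```python
"""One-to-one NAT model for machine-level networks behind a managed switch.

Added example, not Stratix firmware or Rockwell Automation code. The 1:1
translation semantics are an assumption for illustration; addresses are
constructed.
"""
from ipaddress import ip_address, ip_network


class OneToOneNAT:
    """Static 1:1 translation between a machine (inside) and plant (outside) range."""

    def __init__(self, inside_net, outside_net):
        self.inside_net = ip_network(inside_net)
        self.outside_net = ip_network(outside_net)
        self.inside_to_outside = {}
        self.outside_to_inside = {}

    def add(self, inside_ip, outside_ip):
        """Register one translation; refuse addresses outside the ranges or reuse."""
        i, o = ip_address(inside_ip), ip_address(outside_ip)
        if i not in self.inside_net or o not in self.outside_net:
            raise ValueError(f"{inside_ip} -> {outside_ip} is outside the configured ranges")
        if i in self.inside_to_outside or o in self.outside_to_inside:
            raise ValueError(f"{inside_ip} or {outside_ip} already translated")
        self.inside_to_outside[i] = o
        self.outside_to_inside[o] = i

    def outbound(self, src, dst):
        """Machine -> plant: rewrite the source; a device with no entry cannot leave."""
        s = ip_address(src)
        if s not in self.inside_to_outside:
            return None
        return str(self.inside_to_outside[s]), dst

    def inbound(self, src, dst):
        """Plant -> machine: rewrite the destination; unmapped plant addresses are dropped."""
        d = ip_address(dst)
        if d not in self.outside_to_inside:
            return None
        return src, str(self.outside_to_inside[d])

    def exposed(self):
        """Machine-side devices reachable from the plant network, i.e. the attack surface."""
        return sorted(str(i) for i in self.inside_to_outside)


def build_demo():
    # Two identical machines (same builder image, same 192.168.1.0/24 plan),
    # each exposed on its own plant-side range. Constructed addresses.
    machine_a = OneToOneNAT("192.168.1.0/24", "10.3.10.0/24")
    machine_b = OneToOneNAT("192.168.1.0/24", "10.3.20.0/24")
    machine_a.add("192.168.1.10", "10.3.10.10")  # the controller only
    machine_b.add("192.168.1.10", "10.3.20.10")
    # 192.168.1.20 (an I/O module on each machine) deliberately has no entry,
    # so it stays unreachable from the plant side.
    return machine_a, machine_b


if __name__ == "__main__":
    a, b = build_demo()
    print("machine A exposes", a.exposed())
    print("plant host -> controller A:", a.inbound("10.3.1.5", "10.3.10.10"))
    print("plant host -> controller B:", b.inbound("10.3.1.5", "10.3.20.10"))
    print("plant host -> machine A I/O:", a.inbound("10.3.1.5", "10.3.10.20"))
```

The design point is that the translation table is also the exposure list: the Level 3 host at 10.3.1.5 reaches the two controllers at two distinct plant addresses, while the I/O modules, which share 192.168.1.20 on both machines, have no plant address and are dropped, which is the cell-level segmentation the deck's "Segmentation Methods within the Cell/Area Zone" guide title refers to.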
Optimized OT Network Integration – Integrated Architecture System
• Studio 5000® Add-on Profile (AOP) for easy configuration and monitoring
• Pre-designed FactoryTalk® View faceplates for monitoring and alarming
• Pre-defined Logix tags for monitoring and port control
Security Threat Vectors & Actors

Security risks increase the potential for disruption to system uptime, unsafe operation, and loss of intellectual property:
• Unintended employee actions
• Theft
• Unauthorized actions by employees
• Unauthorized access
• Denial of Service (DoS)
• Application of patches
• Unauthorized remote access
• Natural or man-made disasters
• Sabotage
• Worms and viruses
The Cost of Security*

Cyber incidents cost US organizations: $558K in revenue losses, $481K in brand damage, $366K in compliance fines, $174K in lost productivity.
Incidents are costing US industry $6M per day, or $2B per year.

Actual case: ThyssenKrupp, Germany, December 2016. Technical trade secrets were stolen from the steel production and manufacturing plant design divisions of ThyssenKrupp AG (TKAG.DE) in cyber attacks in mid-2016. The same attack on the Hohenlimburg rolling mill caused a one-day shutdown of the plant.

* Source: Belden Industrial Ethernet Infrastructure Design Seminar. Greg Hale, the Editor and Founder of ISSSource.com. October 2012
Defense-in-Depth – Multiple Layers to Protect the Network and Defend the Edge

No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications.
Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats.
This approach utilizes multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats.
Getting Started – Creating a secure Industrial Infrastructure

Start with Design and Assessment:
• Physical design of the Infrastructure
• Logical design of the Infrastructure
• Identify critical assets (Devices, IP, Data)
• Discover risks, potential threats and vulnerabilities
• Implement the right level of security for the assets
• The industrial security policy is unique from and in addition to the enterprise security policy; IT/OT policies might be different in some areas
• Alignment with applicable industry standards

Security policy – plan of action with procedures (non-technical):
• Rules for controlling human interactions and access
• Determination of risk tolerance
• Identify Domains of Trust and appropriately apply security to maintain policies
• Consider balancing security with functional and application requirements: 24x7 operations, low Mean-Time-To-Repair (MTTR), high Overall Equipment Effectiveness (OEE)

Sustainability:
• Stakeholders
• Process Changes / Auditing
• Maintenance of the Risk Profile
Implement Validated Secure Network Infrastructure

Achieve infrastructure security through a common, validated system architecture leveraging the Stratix portfolio and Cisco security solutions (Identity Services Engine, Adaptive Security Appliances).

Design and Implementation Guides:
• Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (2011)
• Segmentation Methods within the Cell/Area Zone (2013)
• Securely Traversing IACS Data Across the Industrial Demilitarized Zone (2015)
• Deploying Identity Services within a Converged Plantwide Ethernet Architecture (2015)
• Site-to-site VPN to a Converged Plantwide Ethernet Architecture (2015)

Download these and more at: http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page
Create a Security Culture
• Educate and create awareness in your organization
• Align with Industrial Automation and Control System security standards: DHS External Report # INL/EXT-06-11478, NIST 800-82, ISO/IEC-62443 (formerly ISA-99)
• Leverage a Defense-in-Depth philosophy: no single product, methodology, nor technology fully secures IACS networks
• Establish open dialog between teams: Production, Engineering, IT and Rockwell Automation (Incident Response Sharing)
• Work with trusted partners knowledgeable in automation & security

"Good enough" security now is better than "perfect" security ... never. (Tom West, Data General)
What Can You Do Now to Mitigate Risk?

Practice these 8 simple, actionable steps to enhance industrial reliability and security today:
1. Control who has network access
2. Employ firewalls and intrusion detection/prevention
3. Use anti-virus protection and patch your system
4. Manage & protect your passwords
5. Turn the processor key(s) to the Run mode
6. Utilize features embedded in Rockwell Automation products today (example: FactoryTalk Security, managed switch settings)
7. Develop a process to manage removable media
8. Block access ports (example: key connectors)
Network & Security Services
ASSESS DESIGN IMPLEMENT VALIDATE MANAGE
Industrial Security Resources

• Security-enhanced Products and Technologies: Rockwell Automation® products and technologies with security capabilities that help increase overall control system-level security. http://www.rockwellautomation.com/security
• EtherNet/IP™ Plantwide Reference Architectures: control system validated designs and security best practices that complement recommended layered security/defense-in-depth measures. http://www.ab.com/networks/architectures.html
• Network & Security Services (NSS): RA consulting specialists that conduct security risk assessments and make recommendations for how to avert risk and mitigate vulnerabilities. http://www.rockwellautomation.com/services/security