nw04 - secure network architectures for the connected enterprise
TRANSCRIPT
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED
PUBLIC INFORMATION
Secure Network Architectures for The Connected Enterprise
Agenda
Lecture – Trends, Defense-in-Depth
Lecture – Demonstration Scenario
Demonstration – Architectural Security Framework
Key Takeaways – Design Considerations
Additional Information
What We Will Demonstrate
Device hardening - physical, procedural, electronic
Port security - physical, electronic
Segmentation - smaller domains of trust
Network infrastructure hardening - cryptographic images, Access Control Lists (ACLs), resiliency
Zone-based Policy Firewall (ZFW) - firewall policies, encrypted communications
Incremental additions of products, technology and methodology to help you secure your Industrial Automation and Control System (IACS) application
What We Will Demonstrate: Software Tools
RSLinx® Classic
Studio 5000®
Stratix™ Device Manager
Stratix Command-line Interface
Stratix Configurator
Wireshark
NetFlow
Why Is This Important? Control and Information Convergence
Scalable, robust, secure and future-ready infrastructure: Application
Software
Network
Internet of Things, Internet of Everything
Why Is This Important? Industrial Automation and Control System Convergence
Diagram: moving from a flat and open Industrial Automation and Control System (IACS) network infrastructure to a structured and hardened IACS network infrastructure.
Industrial Security Trends: Security Quips
"Good enough" security now, is better than "perfect" security ... never (Tom West, Data General)
Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done (Dave Piscitello)
Your absolute security is only as strong as your weakest link
Concentrate on known, probable threats
Security is not a static end state; it is an interactive process
You only get to pick two of the three: fast, secure, cheap (Brett Eldridge)
Industrial Security Trends: Established Industrial Security Standards
International Society of Automation - ISA/IEC-62443 (formerly ISA99), Industrial Automation and Control Systems (IACS) Security: Defense-in-Depth, IDMZ deployment
National Institute of Standards and Technology - NIST SP 800-82, Industrial Control System (ICS) Security: Defense-in-Depth, IDMZ deployment
Department of Homeland Security / Idaho National Laboratory - INL/EXT-06-11478, Control Systems Cyber Security: Defense-in-Depth Strategies: Defense-in-Depth, IDMZ deployment
Security – Holistic Defense-in-Depth: EtherNet/IP™ Industrial Automation and Control System Network
Open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks
Secured by configuration:
Help Protect the network - Electronic Security Perimeter
Defend the edge - Industrial DMZ (IDMZ)
Defense-in-Depth - multiple layers of security
Security – Holistic Defense-in-Depth: Multiple Layers to Help Protect and Defend the Edge
No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications. Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats. This approach uses multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats.
Security – Holistic Defense-in-Depth: Industrial Security Policies Drive Technical Controls
Physical – limit physical access to authorized personnel: cells/areas, control panels, devices, cabling and control room, using locks, gates, key cards and biometrics. This may also include policies, procedures and technology to escort and track visitors.
Network – security framework, for example firewall policies, access control list (ACL) policies for switches and routers, AAA, and intrusion detection and prevention systems (IDS/IPS)
Computer hardening – patch management, anti-X software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports
Application – authentication, authorization and accounting (AAA) software
Device hardening – change management, communication encryption and restrictive access
Networking Design Considerations: CPwE Reference Architectures
Education, design considerations and guidance to help reduce network Latency and Jitter, to help increase the Availability, Integrity and Confidentiality of data, and to help design and deploy a Scalable, Robust, Secure and Future-Ready EtherNet/IP™ network infrastructure:
Single Industrial Network Technology
Robust Physical Layer
Segmentation / Structure (modular and scalable building blocks)
Prioritization - Quality of Service (QoS)
Redundant Path Topologies with Resiliency Protocols
Time Synchronization – PTP, CIP Sync, Integrated Motion on the EtherNet/IP network
Multicast Management
Convergence-ready Solutions
Security – Holistic Defense-in-Depth
Scalable Secure Remote Access
Wireless – 802.11
Security – Holistic Defense-in-Depth: CPwE Reference Architectures
Diagram: CPwE reference architecture spanning the Enterprise Zone (Levels 4–5), the Industrial Demilitarized Zone (IDMZ) and the Industrial Zone (Levels 0–3, with Level 3 Site Operations, Level 2 Area Supervisory Control, Level 1 Controller and Level 0 Process). Components labelled: Enterprise WAN, Internet, external DMZ/firewall, Cisco ASA 5500 firewalls (active and standby), Catalyst 6500/4500, physical or virtualized servers (patch management, AV server, application mirror, Remote Desktop Gateway server), UCS, RADIUS AAA server, 5500 Wireless LAN Controller (WLC, active and standby), Authentication, Authorization and Accounting (AAA), Catalyst 3750X StackWise switch stack, FactoryTalk® client, controllers, drive, soft starter, MCC, I/O, LWAP with 2.4 GHz and 5 GHz SSIDs and a workgroup bridge (WGB).
Demonstration Scenario: Defense-in-Depth Security
To simplify design and speed deployment of the demonstration:
All EtherNet/IP™ devices and the laptop were configured for dynamic IP addressing
Per-port DHCP on the Stratix 5700™/8000™ was used to dynamically assign IP addresses
Demonstration Scenario: Layer 2 Segmentation via VLANs
Diagram (EtherNet/IP™ Layer 3 networking capabilities, shown as a Layer 3 view and a Layer 2 view of the same topology): a Stratix 8300™ Layer 3 switch connects the plant-wide IACS (VLAN 40, IP subnet 172.16.40.0/24) to a ring of Stratix 5700™ and Stratix 8000™ switches serving Machine #1 (OEM #1) and Machine #2 (OEM #2). VLANs and subnets shown: VLAN 5 192.168.1.0/24, VLAN 10 10.10.10.0/24, VLAN 20 10.20.20.0/24, VLAN 30 192.168.30.0/24, VLAN 40 172.16.40.0/24. Devices: Engineering Workstation, Operator Workstation (OWS), CompactLogix™ 5370 L3, 1732E Slim ArmorBlock® I/O, 1734 Point I/O, ControlLogix® 1756-EN2T.
Architectural Security Framework: Device Hardening
Physical / procedural:
Restrict Industrial Automation and Control System (IACS) access to authorized personnel only
Control panels, devices, cabling, and control room
Locks, gates, key cards
Video Surveillance
Other Authentication Devices (biometric, keypad, and so forth).
Switch the Logix Controller key to “RUN”
Electronic design:
Logix Controller Source Protection
Logix Controller Data Access Control
Trusted Slot Designation
Architectural Security Framework: Network Infrastructure Access Control and Hardening
Cryptographic image - HTTPS (HTTP Secure), Secure Shell (SSH), SNMPv3
Restrict access - port security (dynamic learning of MAC addresses), ACL (Access Control List), local authentication or authentication through a AAA server
Resiliency - Layer 2 loop prevention, Quality of Service (QoS), minimize impact of DDoS attacks
Disable unnecessary services - MOP (Maintenance Operation Protocol), IP redirects, Proxy ARP, HTTP server
Attack prevention:
DHCP snooping - rogue DHCP server protection, DHCP starvation protection
Dynamic ARP Inspection - ARP spoofing, man-in-the-middle attack
Storm control thresholds - denial-of-service (DoS) attack
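The following is an added example, not from the deck and not Cisco or Rockwell code: a small Python model of three of the protections listed above as they behave on an IOS-based Stratix access switch. It covers port security with dynamic MAC learning (the IOS `switchport port-security maximum` behaviour), DHCP snooping with trusted uplinks and the default source-MAC check of the client hardware address (`ip dhcp snooping`, `ip dhcp snooping trust`, `ip dhcp snooping verify mac-address`), and Dynamic ARP Inspection validating ARP against the snooping binding table (`ip arp inspection vlan`). Port names, MAC and IP addresses and the frame sequence in demo() are constructed. The point it makes is why the three are enabled together: DAI has nothing to check against until snooping has built bindings, and an uplink that is left untrusted breaks the legitimate DHCP exchange just as it breaks the rogue one.

```python
"""Model of the Layer 2 protections in the hardening list: port security,
DHCP snooping (with MAC verification) and Dynamic ARP Inspection (DAI).

Added example, not code from the deck, Cisco or Rockwell. Port names,
MAC/IP addresses and the frame sequence in demo() are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Switch:
    trusted: set                      # uplink ports toward the real DHCP server
    max_macs: int = 1                 # port-security maximum per untrusted port
    learned: dict = field(default_factory=lambda: defaultdict(set))
    pending: dict = field(default_factory=dict)   # client mac -> port, awaiting ACK
    bindings: dict = field(default_factory=dict)  # client mac -> (ip, port)
    log: list = field(default_factory=list)

    def _drop(self, why):
        self.log.append(why)
        return False

    def port_security(self, port, src_mac):
        """Dynamic learning: an untrusted port may source at most max_macs MACs."""
        if port in self.trusted:
            return True
        macs = self.learned[port]
        if src_mac not in macs and len(macs) >= self.max_macs:
            return self._drop(f"psecure violation on {port}: {src_mac}")
        macs.add(src_mac)
        return True

    def dhcp(self, port, src_mac, msg, chaddr, yiaddr=None):
        """DHCP snooping: client messages on untrusted ports must carry a chaddr
        equal to the frame source MAC (blunts starvation by forged chaddr);
        server messages (OFFER/ACK) are accepted only from trusted ports;
        an ACK for a pending client creates a binding (ip, client port)."""
        if not self.port_security(port, src_mac):
            return False
        if msg in ("DISCOVER", "REQUEST"):
            if port in self.trusted:
                return True
            if chaddr != src_mac:
                return self._drop(f"dhcp snooping: chaddr {chaddr} != src {src_mac} on {port}")
            self.pending[chaddr] = port
            return True
        if port not in self.trusted:
            return self._drop(f"dhcp snooping: rogue server {msg} from {src_mac} on {port}")
        if msg == "ACK" and chaddr in self.pending:
            self.bindings[chaddr] = (yiaddr, self.pending.pop(chaddr))
        return True

    def arp(self, port, src_mac, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a
        snooping binding learned on that same port; trusted ports bypass."""
        if not self.port_security(port, src_mac):
            return False
        if port in self.trusted:
            return True
        if self.bindings.get(sender_mac) != (sender_ip, port):
            return self._drop(f"dai: {sender_mac}/{sender_ip} on {port} has no binding")
        return True


def demo():
    """Constructed frame sequence on a machine-level switch; returns (switch, verdicts)."""
    sw = Switch(trusted={"Gi1/24"})
    srv, client, rogue = "00:00:5e:00:53:01", "00:00:5e:00:53:10", "00:00:5e:00:53:99"
    verdicts = [
        sw.dhcp("Gi1/1", client, "DISCOVER", client),                # legitimate client
        sw.dhcp("Gi1/24", srv, "OFFER", client, "10.20.20.5"),       # real server on trusted uplink
        sw.dhcp("Gi1/1", client, "REQUEST", client),
        sw.dhcp("Gi1/24", srv, "ACK", client, "10.20.20.5"),         # creates the binding
        sw.dhcp("Gi1/2", rogue, "OFFER", client, "10.20.20.200"),    # rogue server: dropped
        sw.dhcp("Gi1/2", rogue, "DISCOVER", "00:00:5e:00:53:42"),    # forged chaddr: dropped
        sw.arp("Gi1/1", client, client, "10.20.20.5"),               # matches binding: forwarded
        sw.arp("Gi1/2", rogue, rogue, "10.20.20.5"),                 # claims client's IP: dropped
        sw.arp("Gi1/1", "00:00:5e:00:53:11", "00:00:5e:00:53:11", "10.20.20.6"),  # 2nd MAC: psecure
    ]
    return sw, verdicts


if __name__ == "__main__":
    sw, verdicts = demo()
    print(verdicts)
    print("\n".join(sw.log))
```

Run it directly to print the per-frame verdicts and the drop log. The per-port DHCP rate limiter that IOS applies on untrusted ports (`ip dhcp snooping limit rate`) is not modelled, so starvation here is caught only by the chaddr check and the per-port MAC maximum.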
Architectural Security Framework: Network Infrastructure Access Control and Hardening - Example Stratix 8300™ Access Control Lists (ACLs)
Action  Protocol  Source  Destination and Mask   Port
Permit  ICMP      Any     10.20.20.0 0.0.0.255
Permit  TCP       Any     10.20.20.0 0.0.0.255   80 (WWW)
Permit  TCP       Any     10.20.20.0 0.0.0.255   443 (SSL)
Permit  UDP       Any     10.20.20.0 0.0.0.255   161 (SNMP)
Permit  UDP       Any     10.20.20.0 0.0.0.255   162 (SNMPTRAP)
Permit  TCP       Any     10.20.20.0 0.0.0.255   162 (SNMPTRAP)
Deny    IP        Any     Any
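As an added example that is not part of the deck, the table above evaluated in Python with Cisco extended-ACL semantics: entries are tried in order, the first match decides, and the trailing deny ip any any catches everything else (IOS applies the same implicit deny even when that entry is omitted). The wildcard mask 0.0.0.255 means the low eight bits of the address are ignored. The sample flows are constructed. The check worth making before copying this list: as shown, it permits only ICMP, HTTP/HTTPS and SNMP toward 10.20.20.0/24, so EtherNet/IP itself (TCP 44818 for CIP explicit messaging, UDP 2222 for CIP I/O) falls through to the deny; confirm which interface and direction the ACL is applied to and add permits for the CIP flows that legitimately cross that boundary.

```python
"""Evaluate the Stratix 8300 example ACL from the slide against sample flows.

Added example, not from the original deck: a small model of Cisco IOS
extended-ACL matching (first match wins, explicit or implicit deny at the
end) using the rules in the table. Wildcard-mask semantics: a 0 bit must
match, a 1 bit is ignored. The sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "icmp", "tcp" or "udp"
    src: str                    # "any" or "address wildcard"
    dst: str
    dport: Optional[int] = None  # destination port; None matches any port


def _match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are don't-care."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _match_rule(rule: Rule, proto: str, src: str, dst: str, dport) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if not _match_addr(rule.src, src) or not _match_addr(rule.dst, dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


# The slide's table, in order. Source is "any" for every entry.
STRATIX_8300_ACL = [
    Rule("permit", "icmp", "any", "10.20.20.0 0.0.0.255"),
    Rule("permit", "tcp",  "any", "10.20.20.0 0.0.0.255", 80),
    Rule("permit", "tcp",  "any", "10.20.20.0 0.0.0.255", 443),
    Rule("permit", "udp",  "any", "10.20.20.0 0.0.0.255", 161),
    Rule("permit", "udp",  "any", "10.20.20.0 0.0.0.255", 162),
    Rule("permit", "tcp",  "any", "10.20.20.0 0.0.0.255", 162),
    Rule("deny",   "ip",   "any", "any"),
]


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index) of the first matching entry. If nothing matches,
    IOS still denies (implicit deny), modelled here as ("deny", -1)."""
    for i, rule in enumerate(acl):
        if _match_rule(rule, proto, src, dst, dport):
            return rule.action, i
    return "deny", -1


# Constructed sample flows from the plant-wide subnet toward 10.20.20.0/24.
# EtherNet/IP uses TCP 44818 (CIP explicit messaging) and UDP 2222 (CIP I/O).
SAMPLE_FLOWS = [
    ("icmp", "172.16.40.10", "10.20.20.5", None),
    ("tcp",  "172.16.40.10", "10.20.20.5", 443),
    ("udp",  "172.16.40.10", "10.20.20.5", 161),
    ("tcp",  "172.16.40.10", "10.20.20.5", 44818),   # CIP explicit: hits the deny
    ("udp",  "172.16.40.10", "10.20.20.5", 2222),    # CIP I/O: hits the deny
    ("tcp",  "172.16.40.10", "192.168.30.5", 80),    # other subnet: no permit entry
]


def report(acl=STRATIX_8300_ACL, flows=SAMPLE_FLOWS):
    """Map each (proto, src, dst, dport) flow to its (action, entry index)."""
    return {flow: evaluate(acl, *flow) for flow in flows}


if __name__ == "__main__":
    for flow, (action, idx) in report().items():
        print(f"{flow!s:48} -> {action} (entry {idx})")
```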
Architectural Security Framework: Port Security
Keyed solutions for copper and fiber
Lock-in, Blockout products secure connections
Data Access Port (keyed cable and jack)
Architectural Security Framework: Physical Port Security - Keyed Connectors
Architectural Security Framework: Stratix 5900™ Services Router
Diagram: Enterprise Zone (Levels 4 and 5, data center) with enterprise-wide business systems on physical or virtualized servers: FactoryTalk® application servers and services platform, network services (for example DNS, AD, DHCP, AAA), Remote Access Server (RAS), Call Manager, storage array. IDMZ at Level 3.5. Industrial Zone (Levels 0–3): Site Operations (Level 3) with plant-wide / site-wide operation systems; Cell/Area Zones (Levels 0–2) for local skid/machine #1 and #2 on a ring topology using Resilient Ethernet Protocol (REP); a site-to-site connection to Remote Site #1 skid/machine.
Architectural Security Framework: Zone-based Firewall (ZFW) – Policy Enforcement (Example)
Diagram: ZFW policy enforced between the Industrial Zone and a Skid/Machine zone; the flows labelled are CIP Class 3, CIP Class 1, icmp (ping), HTTP, SNMP sweep and ping sweep.
Architectural Security Framework: Network Device Resiliency
Distribution switches typically provide first-hop (default gateway) redundancy:
StackWise (3750X), stack management
Hot Standby Router Protocol (HSRP)
Virtual Router Redundancy Protocol (VRRP)
Gateway Load Balancing Protocol (GLBP)
Diagram: Catalyst 3750X switch stack and Catalyst 3560 shown as HSRP active and HSRP standby.
Key Takeaways
Align with Industrial Automation and Control System Security Standards
Implement a Holistic Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks
Establish an open dialog between Industrial Automation and IT groups
Establish an Industrial security policy, unique from and in addition to the Enterprise security policy
Establish an IDMZ between the Industrial and Enterprise Zones
Work with trusted partners knowledgeable in automation and security
"Good enough" security now, is better than "perfect" security ... never (Tom West, Data General)
Additional Material
Website: http://www.odva.org/
Securing EtherNet/IP™ Networks: http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00269R0_ODVA_Securing_EtherNetIP_Networks.pdf
Additional Material
http://rockwellautomation.com/security - sections: Assessment Services, Security Technology, Security FAQ, Security Resources, Reference Architectures, Security Services, Leadership and Standards, MS Patch Qualification, Security Advisory Index
Additional Material: CPwE Reference Architectures
Websites - Reference Architectures
Design Guides - Converged Plantwide Ethernet (CPwE); Deploying the Resilient Ethernet Protocol (REP) in a Converged Plantwide Ethernet Architecture; Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture
Application Guides - Fiber-optic Infrastructure Application Guide
Whitepapers - Top 10 Recommendations for Plant-wide EtherNet/IP Deployments; Securing Manufacturing Computer and Controller Assets; Achieving Secure Remote Access to Plant-floor Applications and Data; Design Considerations for Securing Industrial Automation and Control System Networks
Additional Material: Training and Certifications
Cisco® Industrial Networking Specialist Training and Certification
E-learning modules (pre-learning courses): Control Systems Fundamentals for Industrial Networking (ICINS); Networking Fundamentals for Industrial Control Systems (INICS)
Classroom training: Managing Industrial Networks with Cisco Networking Technologies (IMINS)
Exam: 600-601 IMINS
CCNA for Industrial Applications - Training and Certification
Training - TBD
Exam - TBD
Industrial IP Advantage
E-learning modules: CPwE Design Considerations and Best Practices
Industrial IP Advantage
A 'go-to' resource for educational information about industrial network communication and using standard Internet Protocol (IP) for industrial applications
Community of like-minded companies – Cisco®, Panduit®, and Rockwell Automation®
Receive monthly e-newsletters with articles and videos on the latest trends
Network Design eLearning course available to TechEd attendees at a promotional price!
Sign up today at www.industrial-ip.org
Additional Material: Training and Certifications
http://www.cisco.com/web/learning/training-index.html
ICND1
ICND2
www.rockwellautomationteched.com
Thank you!
Cisco is a trademark of Cisco Systems, Inc. Microsoft is a trademark of the Microsoft Corporation. Panduit is a trademark of the Panduit Corporation. EtherNet/IP and ODVA are trademarks of the ODVA.