
1 Securing EtherNet/IP Networks (Technical Track, www.odva.org)
Presented by: Paul Didier, Cisco; Eddie Lee, Moxa

2 Agenda: Securing EtherNet/IP Networks
Technical Track, 2011 ODVA Industry Conference & 14th Annual Meeting. © 2011 ODVA, Inc. All rights reserved.
- Introduction
- Best Practices
  - Isolated Control Network with Single Controller
  - Isolated Network with Multiple Controllers
  - Enterprise Connected and Integrated Control Systems
- Other Considerations
- Emerging Industrial Security Technologies
- ISA 99

3 Introduction
- High-level paper for customers and implementers to identify security concepts per type of control network.
- Start with risk identification and analysis.
- Identify risk reduction and mitigation techniques; there will be costs and trade-offs.
- Differences between IT and Industrial Automation and Control.
- Working with IT.

4 Who Needs to Talk to Whom?
(Figure only.)

5 Control Network Types
Isolated Single Controller
- Single controller, 10s of devices
- Potentially multiple switches
- Limited non-CIP traffic
- Sharing data via sneaker net or transferable device
Isolated Multiple Controller
- Multiple controllers, up to 100s of devices
- 10s of switches, maybe a router; a few networks
- Controllers sharing data
- Some non-CIP traffic (e.g. HTTP, file sharing, etc.)
Enterprise Connected
- Many controllers, up to 1000s of devices
- Lots of switches, routers and other network infrastructure; many networks
- Sharing data, applications and services between Enterprise and Plant networks
- Could have lots of non-CIP traffic (e.g. voice, video, etc.)

6 Best Practices - Isolated Single Controller
- Managed switches: diagnostics, port security
- Device maintenance
- End-device security: OS patches, anti-virus
- Network and application monitoring and management

7 Isolated Multiple Controller
Previous considerations and...
- VLANs: basic segmentation, performance
- Quality of Service: protect key traffic from performance problems or some denial of service
- IGMP (multicast management)
- Network resiliency: Spanning Tree or Device Level Ring (DLR)

8 Quality of Service Operations
- Classification and marking
- Queuing and (selective) dropping
- Post-queuing operations
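The three QoS operations above, and the reason slide 7 lists QoS as a denial-of-service mitigation, can be seen in a toy model of one switch egress port. This is an added example written for this transcript, not ODVA, Cisco or Moxa code: the DSCP marks and the traffic mix are the example's own assumptions (a real configuration should use the DSCP values the EtherNet/IP specification assigns to CIP traffic classes), and the only EtherNet/IP fact it relies on is that implicit I/O uses UDP port 2222. It runs the same flood through the port with and without classification plus strict-priority queuing.

```python
"""Toy model of one switch egress port: classification and marking on
ingress, strict-priority queuing with tail drop on egress.
Added example with constructed traffic; not ODVA or vendor code."""
from collections import deque

# DSCP marks are this example's own choice; use the values the EtherNet/IP
# specification assigns to CIP traffic classes in a real configuration.
DSCP_CIP_IO = 55
DSCP_BEST_EFFORT = 0


def classify(pkt):
    """Classification and marking. A switch ACL/class-map keys on the same
    fields; EtherNet/IP implicit (class 1) I/O rides UDP port 2222."""
    if pkt["proto"] == "udp" and pkt["dport"] == 2222:
        return DSCP_CIP_IO
    return DSCP_BEST_EFFORT


def simulate(arrivals, link_rate=4, queue_depth=8, qos=True):
    """Tick-based model of one egress port.
    arrivals:    list indexed by tick; each entry is the packets arriving then.
    link_rate:   packets the port can transmit per tick.
    queue_depth: tail-drop threshold per queue.
    qos=True:    two queues, the CIP I/O queue always served first.
    qos=False:   one shared FIFO, as on an unmanaged or unconfigured switch.
    Returns {dscp: {"sent", "dropped", "max_delay"}} keyed by the mark."""
    queues = {DSCP_CIP_IO: deque(), DSCP_BEST_EFFORT: deque()}
    stats = {d: {"sent": 0, "dropped": 0, "max_delay": 0} for d in queues}
    for now, burst in enumerate(arrivals):
        # Ingress: classify, mark, enqueue; tail-drop when the queue is full.
        for pkt in burst:
            dscp = classify(pkt)
            q = queues[dscp] if qos else queues[DSCP_BEST_EFFORT]
            if len(q) >= queue_depth:
                stats[dscp]["dropped"] += 1
            else:
                q.append((now, dscp))
        # Egress: strict priority, so the CIP queue drains before best effort.
        budget = link_rate
        for dscp in (DSCP_CIP_IO, DSCP_BEST_EFFORT):
            q = queues[dscp]
            while budget and q:
                arrived, marked = q.popleft()
                stats[marked]["sent"] += 1
                stats[marked]["max_delay"] = max(stats[marked]["max_delay"], now - arrived)
                budget -= 1
    return stats


def flood_traffic(ticks=20, io_per_tick=2, flood_per_tick=10):
    """Constructed traffic: a steady CIP I/O stream plus a best-effort flood
    (a PC copying files into the cell, or a deliberate flood). The junk is
    listed first in each tick so that, without QoS, it fills the FIFO first."""
    io = {"proto": "udp", "dport": 2222}
    junk = {"proto": "tcp", "dport": 445}
    return [[junk] * flood_per_tick + [io] * io_per_tick for _ in range(ticks)]


def compare():
    """Same flood, with and without QoS, for the CIP I/O class."""
    return {
        "with_qos": simulate(flood_traffic(), qos=True)[DSCP_CIP_IO],
        "without_qos": simulate(flood_traffic(), qos=False)[DSCP_CIP_IO],
    }


if __name__ == "__main__":
    print(compare())
```

With QoS the I/O packets are all delivered in the tick they arrive while the flood is what gets dropped; without it the flood fills the single queue first and every I/O packet is tail-dropped, which in practice means the controller's I/O connections time out.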

9 Connected and Integrated Control
Previous considerations and...
- Firewall and DMZ: control traffic flows; protect the Plant from Enterprise threats
- Intrusion Detection: monitor and stop known and unknown attacks
- Remote Access: VPN to the Firewall/DMZ; Terminal Services into a controlled, locked-down server

10 Firewalls
- A firewall is a security device configured to permit, deny or proxy data connections according to the organization's security policy. Firewalls can be hardware or software based.
- A firewall's basic task is to control traffic between networks with different zones of trust.
- Today's firewalls combine multilayer stateful packet inspection and multiprotocol application inspection; Virtual Private Network (VPN), anti-x, authentication and Intrusion Prevention Services (IPS) have been integrated.
- Despite these complexities, the primary role of the firewall is to enforce security policy.
(Figure: firewall placed between the Enterprise and Plant networks.)

11 De-Militarized Zone
- A demilitarized zone is a physical or logical sub-network that contains and exposes an entity's external data and services to a larger untrusted network.
- Typically requires a firewall.
- The DMZ may contain a terminal server, replicated historian, AV, patch, DNS, AD/LDAP or mail servers.
- Buffers a zone from the threats, traffic, scans and other network-borne activity of other networks. No flow should cross directly from Enterprise to Plant; each side terminates on a DMZ host (terminal server, replicated historian) instead.
(Figure: Enterprise, DMZ and Plant zones separated by the firewall.)
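The two slides above describe a firewall that enforces zone-of-trust policy and a DMZ that breaks every Enterprise-to-Plant path into two hops. The following is an added example, not the presenters' or any vendor's code, of the smallest policy model that captures both: ordered first-match rules with an implicit deny, a connection table so that reply traffic is allowed statefully rather than by a second rule, a rule pinned to the DMZ terminal server, and an audit that flags any rule that would allow traffic straight between Enterprise and Plant. Zone names, hostnames and ports are constructed for the example; the only EtherNet/IP fact used is TCP port 44818 for explicit messaging.

```python
"""Zone-based, stateful firewall policy model for the Enterprise / DMZ /
Plant design: first-match rules, implicit deny, a connection table for
reply traffic, and an audit for direct Enterprise<->Plant rules.
Added example with constructed zones, hosts and ports; not vendor code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str             # "tcp" or "udp"
    dport: int
    src_host: str = "any"
    sport: int = 0         # only needed to recognise reply traffic


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    action: str            # "allow" or "deny"
    src_host: str = "any"  # pin a rule to one host, e.g. the DMZ terminal server

    def matches(self, f):
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and self.proto == f.proto and self.dport == f.dport
                and self.src_host in ("any", f.src_host))


# Constructed policy; hostnames and ports are assumptions for the example.
POLICY = [
    Rule("enterprise", "dmz", "tcp", 3389, "allow"),                  # users -> DMZ terminal server
    Rule("dmz", "plant", "tcp", 3389, "allow", src_host="ts01.dmz"),  # only that server -> plant
    Rule("plant", "dmz", "tcp", 1433, "allow"),                       # historian replication into DMZ
    Rule("enterprise", "dmz", "tcp", 1433, "allow"),                  # enterprise reads the replica
    # No rule mentions enterprise<->plant; the implicit deny below covers it.
]


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()   # (client_zone, server_zone, proto, server_port)

    def decide(self, f):
        """Return 'allow' or 'deny' for one packet, keeping connection state."""
        # Stateful inspection: the reverse direction of an established
        # connection is allowed without a rule of its own.
        if (f.dst_zone, f.src_zone, f.proto, f.sport) in self.conntrack:
            return "allow"
        for r in self.rules:           # first match wins
            if r.matches(f):
                if r.action == "allow":
                    self.conntrack.add((f.src_zone, f.dst_zone, f.proto, f.dport))
                return r.action
        return "deny"                  # implicit default: nothing else passes


def direct_paths(rules, a="enterprise", b="plant"):
    """Audit: rules that allow traffic straight between two zones that are
    supposed to talk only by way of the DMZ. Expected result: empty."""
    return [r for r in rules
            if r.action == "allow" and {r.src_zone, r.dst_zone} == {a, b}]


def policy_demo():
    fw = Firewall(POLICY)
    return {
        "user_to_terminal_server": fw.decide(Flow("enterprise", "dmz", "tcp", 3389, "pc7.corp")),
        "terminal_server_to_plant": fw.decide(Flow("dmz", "plant", "tcp", 3389, "ts01.dmz")),
        "plant_reply_to_terminal_server": fw.decide(
            Flow("plant", "dmz", "tcp", 52000, "plc1.plant", sport=3389)),
        "other_dmz_host_to_plant": fw.decide(Flow("dmz", "plant", "tcp", 3389, "kiosk.dmz")),
        "user_direct_to_plc_cip": fw.decide(Flow("enterprise", "plant", "tcp", 44818, "pc7.corp")),
        "plant_to_enterprise_smb": fw.decide(Flow("plant", "enterprise", "tcp", 445, "hmi2.plant")),
    }


if __name__ == "__main__":
    for name, verdict in policy_demo().items():
        print(f"{name:32} {verdict}")
    print("direct enterprise<->plant rules:", direct_paths(POLICY))
```

The audit is the check worth keeping in a real change process: a single "temporary" allow from an engineering workstation to a PLC on TCP 44818 quietly turns the DMZ into decoration, and `direct_paths` catches it before the rule is pushed.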

12 Virtual Private Network (VPN) Overview
- Mechanism for secure communication over IP (Internet):
  - Authenticity (unforged / trusted party)
  - Integrity (unaltered / not tampered with)
  - Confidentiality (unread)
- Remote Access (RA) VPN components: client (mobile or fixed); termination device (handles a high number of endpoints)
(Figure: VPN client or browser, VPN tunnel, VPN security appliance.)

13 VPN - What Are We Talking About?
Secure VPN includes a number of technologies:

  Tunneling          Encryption   Authentication*            Integrity
  IPsec              DES          RSA digital certificates   HMAC-MD5
  L2TP/IPsec         3DES         Pre-shared key             HMAC-SHA-1
  TLS (HTTPS/SSL)    AES
  DTLS               RC4
  SSL

*IKE 1st phase (gateway authentication), not user authentication.
Note: the table reflects what was deployed in 2011. DES and RC4 are broken and HMAC-MD5 is deprecated in current IPsec and TLS profiles; new deployments should use AES and HMAC-SHA-2.
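Slide 12 names three properties (authenticity, integrity, confidentiality) and slide 13 the primitives behind them. The added example below, written for this transcript and not taken from the presenters or any VPN product, shows the integrity and authenticity half of an IPsec-style packet with standard-library code only: a keyed MAC over a sequence number and payload, a constant-time check on receipt, and an anti-replay sliding window. The key, payloads and window size are constructed; HMAC-SHA-256 is used instead of the HMAC-SHA-1 listed on the slide, and the encryption layer that would provide confidentiality is left out because the standard library has no AES.

```python
"""Integrity, authenticity and anti-replay for a VPN-style packet:
seq || payload || HMAC(key, seq || payload), checked by a receiver with an
IPsec-like sliding replay window. Added example using only the standard
library; the confidentiality (encryption) layer is left out."""
import hashlib
import hmac
import struct

SEQ_LEN = 4
TAG_LEN = hashlib.sha256().digest_size   # 32; HMAC-SHA-1 would be wired the same way


def protect(key, seq, payload):
    """Sender side: append a MAC over the sequence number and payload.
    The sender must never reuse a sequence number under the same key."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Receiver side: verify the tag in constant time, then reject sequence
    numbers already seen or older than the window."""

    def __init__(self, key, window=64):
        self.key = key
        self.window = window
        self.highest = 0          # highest sequence number accepted so far
        self.seen = set()         # accepted sequence numbers inside the window

    def accept(self, packet):
        """Return (payload, 'ok') or (None, reason)."""
        if len(packet) < SEQ_LEN + TAG_LEN:
            return None, "short"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad_mac"    # forged (no key) or tampered in transit
        seq = struct.unpack(">I", body[:SEQ_LEN])[0]
        if seq <= self.highest - self.window or seq in self.seen:
            return None, "replay"
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        return body[SEQ_LEN:], "ok"


def vpn_demo():
    key = b"constructed-pre-shared-key-for-the-example"   # not a real key
    rx = Receiver(key)
    p1 = protect(key, 1, b"write tag Valve_3 := OPEN")
    p2 = protect(key, 2, b"read tag Tank_Level")
    tampered = bytearray(p2)
    tampered[SEQ_LEN] ^= 0x01          # flip one payload bit, keep the old tag
    forged = struct.pack(">I", 3) + b"stop motor" + b"\0" * TAG_LEN  # attacker has no key
    return {
        "p1": rx.accept(p1)[1],                        # ok
        "p1_replayed": rx.accept(p1)[1],               # replay
        "p2_tampered": rx.accept(bytes(tampered))[1],  # bad_mac
        "p2": rx.accept(p2)[1],                        # ok
        "forged": rx.accept(forged)[1],                # bad_mac
    }


if __name__ == "__main__":
    print(vpn_demo())
```

The replay window is the part most often forgotten in home-grown tunnels: without it a captured "open valve" packet stays valid for the lifetime of the key, even though its MAC is perfectly correct.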

14 Wireless
CIP and EtherNet/IP, being based on open standards, are readily transportable over standard wireless technologies. Common wireless security practices include:
- IEEE 802.1X network access control, or authentication with shared keys (WPA2-PSK); 802.1X with per-user or per-device credentials is preferred where a RADIUS server is available
- Encryption: WPA2 is best practice
- Disable SSID broadcasting for the control WLAN (a hidden SSID is still recoverable from client probe requests, so treat this as hygiene rather than as a security control)
- Rogue access point and end-point detection

15 How 802.1X Works
IEEE 802.1X (Port-based Network Access Control) restricts port access to authorized users only. Three roles take part:
- Wireless client (the supplicant), which presents credentials over EAP
- Authenticator (e.g. access point), which keeps the port closed to everything except EAP until authentication succeeds
- Authentication server (e.g. RADIUS), which checks the credentials
Authentication is done using the authenticator's local user database or an external RADIUS (Remote Authentication Dial In User Service) server.
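The slide shows the three roles but not what protects the authenticator-to-RADIUS leg, which is the part an attacker on the wired side would target. The following added example (written for this transcript; not ODVA, Cisco or Moxa code, and with no network I/O) builds the Access-Request an access point sends when it relays a supplicant's EAP Identity response, and the Access-Accept the server returns, using the RFC 2865 packet layout and Response Authenticator and the RFC 3579 Message-Authenticator. The shared secret, station identifier and EAP payloads are constructed. It shows why a forged or replayed Access-Accept does not open the port: the reply is bound to the request's random authenticator and to the secret only the two devices hold.

```python
"""RADIUS leg of 802.1X: the authenticator (AP) relays the supplicant's EAP
messages to the authentication server in Access-Request packets, and the
shared secret authenticates both directions (RFC 2865 Response
Authenticator, RFC 3579 Message-Authenticator). Added example with a
constructed secret and EAP payloads; no network I/O."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 31, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
WIRELESS_80211 = 19                      # NAS-Port-Type value for 802.11


def attr(kind, value):
    """One attribute: Type, Length (counts the 2 header bytes), Value."""
    return struct.pack(">BB", kind, len(value) + 2) + value


def header(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, then attributes."""
    return struct.pack(">BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def find_ma(attrs):
    """Offset of the Message-Authenticator value inside the attribute bytes."""
    i = 0
    while i + 2 <= len(attrs):
        kind, length = attrs[i], attrs[i + 1]
        if length < 2:
            return None
        if kind == MESSAGE_AUTHENTICATOR:
            return i + 2
        i += length
    return None


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 3579: HMAC-MD5 over the packet with the Request Authenticator in
    the Authenticator field and the Message-Authenticator value zeroed.
    Responses use the Request Authenticator of the request they answer."""
    off = find_ma(attrs)
    zeroed = attrs[:off] + b"\0" * 16 + attrs[off + 16:]
    return hmac.new(secret, header(code, ident, request_auth, zeroed), hashlib.md5).digest()


def access_request(ident, request_auth, secret, user, station_id, eap):
    """Authenticator -> server: wrap the supplicant's EAP message."""
    attrs = (attr(USER_NAME, user) + attr(CALLING_STATION_ID, station_id)
             + attr(NAS_PORT_TYPE, struct.pack(">I", WIRELESS_80211))
             + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, b"\0" * 16))
    ma = message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return header(ACCESS_REQUEST, ident, request_auth, attrs[:-16] + ma)


def access_response(code, ident, request_auth, secret, eap):
    """Server -> authenticator: Accept/Reject carrying EAP-Success/Failure.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, b"\0" * 16)
    ma = message_authenticator(code, ident, request_auth, attrs, secret)
    attrs = attrs[:-16] + ma
    resp_auth = hashlib.md5(struct.pack(">BBH", code, ident, 20 + len(attrs))
                            + request_auth + attrs + secret).digest()
    return header(code, ident, resp_auth, attrs)


def verify_message_authenticator(pkt, request_auth, secret):
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    attrs = pkt[20:length]
    off = find_ma(attrs)
    if off is None:
        return False
    expected = message_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(attrs[off:off + 16], expected)


def server_check_request(pkt, secret):
    """Authentication server: drop requests not bound to the shared secret."""
    return verify_message_authenticator(pkt, pkt[4:20], secret)


def authenticator_check_response(resp, request_auth, secret):
    """Authenticator: return the response code only if both authenticators
    verify against the request we sent; otherwise the port stays closed."""
    code, ident, length = struct.unpack(">BBH", resp[:4])
    attrs = resp[20:length]
    expected = hashlib.md5(resp[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp[4:20], expected):
        return None
    if not verify_message_authenticator(resp, request_auth, secret):
        return None
    return code


def radius_demo():
    secret = b"constructed-shared-secret"           # AP <-> RADIUS secret, not real
    request_auth = os.urandom(16)                   # fresh random value per request
    identity = b"plc-hmi"                           # constructed supplicant identity
    eap_identity = struct.pack(">BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    eap_success = b"\x03\x01\x00\x04"
    req = access_request(9, request_auth, secret, identity, b"00-11-22-33-44-55", eap_identity)
    tampered = req[:22] + b"X" + req[23:]           # first byte of User-Name changed
    accept = access_response(ACCESS_ACCEPT, 9, request_auth, secret, eap_success)
    spoofed = access_response(ACCESS_ACCEPT, 9, request_auth, b"wrong-secret", eap_success)
    return {
        "server_accepts_request": server_check_request(req, secret),
        "server_rejects_tampered": server_check_request(tampered, secret),
        "port_opens": authenticator_check_response(accept, request_auth, secret),
        "spoofed_accept_ignored": authenticator_check_response(spoofed, request_auth, secret),
        "replayed_accept_ignored": authenticator_check_response(accept, os.urandom(16), secret),
    }


if __name__ == "__main__":
    print(radius_demo())
```

The practical consequences for the plant WLAN: the RADIUS shared secret is as important as any password, the authenticator must require Message-Authenticator on EAP traffic, and the AP-to-RADIUS path should itself be on a protected management network rather than crossing the DMZ in the clear.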

16 Security - Authentication: MAC Address Filtering
(Figure: a Fast Ethernet plant network with an access point; field engineers with mobile clients and a moving process. The AP holds a table of client MAC addresses with access rights, Allow or Deny, and admits or refuses each client accordingly.)
MAC address filtering is a coarse allow-list. Because a MAC address is transmitted in the clear and is trivially changed on the client, it supplements 802.1X authentication and WPA2 encryption rather than replacing them.

17 Other Security Considerations
Other considerations include:
- Security-enhanced operating systems
- Virtual Private Network (VPN): encrypted tunnels for traffic that leaves the Plant network
- Enhanced authentication via biometrics
- Network Access Control and Protection to verify every device on the network

18 Network Access Control
- AUTHENTICATE users and devices to the network
- Posture: assess and remediate the device for policy compliance
- Audit and report who is on my network
- Differentiated access: role-based access control
NAC is a solution that uses a set of protocols to define and implement a policy describing how to secure access to the network by devices. Network Access Control controls access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. Network Access Protection (NAP) is Microsoft's implementation of NAC.

19 ISA 99
(Figure only.)

20 ISA 99 Working Groups
(Figure only.)

21 ISA 99 SALs (Security Assurance Levels)
(Figure only.)

