Understanding Network Security Using Stratix Switches

1 Understanding Network Security Using Stratix Switches
June 2014 TechConnect Genius Webinar, June 26, 2014
Anthony Baker, Product Manager

2 Industrial Network Security Trends: Security in Recent Events
Feb 16th 2014

3 Industrial Network Security Trends: Security Threat Vectors and Actors
- Natural or man-made disasters
- Worms and viruses
- Application of patches
- Theft
- Sabotage
- Unauthorized access
- Denial of service
- Unauthorized actions by employees
- Unintended employee actions
- Unauthorized remote access
Security risks increase the potential for disruption to system uptime, safe operation, and loss of intellectual property.
When we think about risk and threats in the industrial automation space, we tend to think about events such as unauthorized remote access, theft, worms and viruses. But there are internal threats that we must be equally concerned about, for example a change to the configuration of a network switch that has ripple effects throughout the system. Because IACS networks are generally open by default, they must be secured by configuration.

4 Industrial Network Security Trends: Reality of Security Events
Source: 2013 DBIR (Data Breach Investigation Report)
- 91% of cybersecurity breaches took hours or less to perpetrate
- 62% of cybersecurity breaches took months or years to discover
- 53% of cybersecurity breaches took months or more to contain
- 21% of successful external intellectual-property breaches had internal help, and 80% of those exploited normal users, not administrators
- 10% of cybersecurity breaches were detected by an internal resource

5 Industrial Network Security Trends: The Cost of Security*
Cyber incidents cost US organizations:
- $558K in revenue losses
- $481K in brand damage
- $366K in compliance fines
- $174K in lost productivity
Incidents are costing US industry $6M per day, or $2B per year.
Companies that implement cybersecurity best practices see the ROI:
- 2½ times less likely to experience a major cyber attack
- 3½ times less likely to experience unplanned downtime
2012 spend on ICS cyber security was $1.7B: 52% hardware, 40% services, 8% software.
Types of competitors: ICS control system vendors, component suppliers, cyber security specialists (Wurldtech).
RISK = Vulnerability × Threat × Consequence × Frequency
* Source: Belden Industrial Ethernet Infrastructure Design Seminar. Greg Hale, Editor and Founder of ISSSource.com. October 2012.

6 Industrial Network Security Trends: Emerging Domains of Security Expertise
Convergence of Operation Technology (OT) with Information Technology (IT)

7 Industrial Network Security Trends: Industrial vs. Enterprise Network Requirements
Industrial requirements:
- Switches: managed and unmanaged; Layer 2 is predominant
- Traffic types: information, control, safety, motion, time synchronization, energy management
- Performance: low latency, low jitter
- Data prioritization: QoS at Layer 2 and Layer 3
- IP addressing: static
- Security: industrial security policies are inconsistently deployed; open by default, must close by configuration and architecture
Enterprise requirements:
- Switches: managed; Layer 2 and Layer 3
- Traffic types: voice, video, data
- Performance: low latency, low jitter
- Data prioritization: QoS at Layer 3
- IP addressing: dynamic
- Security: pervasive; strong policies
Similarities and differences?

8 Industrial Network Security Trends: Industrial vs. Enterprise Policy Requirements
Industrial (OT) network:
- Focus: 24/7 operations, high OEE
- Precedence of priorities: Availability, Integrity, Confidentiality
- Types of data traffic: converged network of data, control, information, safety and motion
- Access control: strict physical access; simple network device access
- Implications of a device failure: production is down ($$'s/hour ... or worse)
- Threat protection: isolate the threat but keep operating
- Upgrades: scheduled during downtime
Enterprise (IT) network:
- Focus: protecting intellectual property and company assets
- Precedence of priorities: Confidentiality, Integrity, Availability
- Types of data traffic: converged network of data, voice and video
- Access control: strict network authentication and access policies
- Implications of a device failure: work around or wait
- Threat protection: shut down access to the detected threat
- Upgrades: automatically pushed during uptime
This technology and network convergence creates an unclear demarcation line for network ownership. Groups that traditionally had limited interaction within manufacturers now collaborate. To support this network convergence, controls engineers and Information Technology (IT) professionals experience both organizational and cultural convergence as well as sharing best practices. The emergence of manufacturing IT, distinct from enterprise IT, takes this collaboration to a new level. Security policies are a prime example of the cultural and organizational convergence differences between IT and controls. Please note that both IT and Controls have their company's best interests in mind, but they do have different perspectives. IT security is pervasive; industrial security is emerging: open by default and closed by configuration. IT responsibilities include protecting company assets and intellectual property (IP). IT accomplishes this by implementing enterprise security policy enforcement to protect data confidentiality, integrity and availability (CIA), typically in that order of priority.
Although similarities exist, the industrial security policy must place continuous manufacturing operation (availability) as the top priority. Industrial security policy enforcement protects data availability, integrity, then confidentiality (AIC), in that order. Enterprise and industrial security policies differ in terms of how they handle upgrades. For enterprise applications, such as operating system and application software patching as well as antivirus definition updates, users apply upgrades as soon as possible. Applying upgrades to a running manufacturing server could disrupt operations, resulting in a production loss. Industrial security policies should define upgrades as a scheduled activity, during manufacturing downtime.

9 Industrial Network Security Trends: Established Industrial Security Standards
- International Society of Automation: ISA/IEC (formerly ISA-99), Industrial Automation and Control Systems (IACS) Security, Defense-in-Depth, IDMZ deployment
- National Institute of Standards and Technology: NIST Industrial Control System (ICS) Security
- Department of Homeland Security / Idaho National Lab: DHS INL/EXT Control Systems Cyber Security: Defense-in-Depth Strategies

10 Industrial Network Security Trends: EtherNet/IP Industrial Automation & Control System Network
- Open by default, to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) networks
- Secured by configuration:
  - Defend the edge: Industrial DMZ (IDMZ)
  - Protect the network: structured and hardened
  - Defense-in-Depth: multiple layers of security
Common Industrial Protocol (CIP™) is an upper-layer protocol that encompasses a comprehensive suite of messages and services for a variety of industrial automation applications, including control, safety, synchronization, motion, configuration and information. It is a truly media-independent protocol supported by hundreds of vendors around the world. CIP is open by default and does not provide for encryption. CIP over EtherNet/IP is secured by protecting the network and defending the edge with a defense-in-depth approach.

11 Getting Started: Creating an Industrial Security Policy
- Start with an assessment:
  - Identify assets (devices, IP, data)
  - Evaluate properties and characteristics
  - Discover risks, potential threats and vulnerabilities
- The industrial security policy is unique from, and in addition to, the enterprise security policy
- Security policy: a plan of action with procedures (non-technical):
  - Rules for controlling human interactions and access
  - Determination of risk tolerance
  - Identify domains of trust and appropriately apply security to maintain policies
- Consider balancing security with functional and application requirements: 24x7 operations, low Mean-Time-To-Repair (MTTR), high Overall Equipment Effectiveness (OEE)
- Sustainability:
  - Stakeholders
  - Process changes / auditing
  - Maintenance of the risk profile
  - Alignment with applicable industry standards

12 Defend the Edge: Plant Firewall
ASA (Adaptive Security Appliance)
- Provides firewall capabilities to logically segment the IACS network from the enterprise network; tracks traffic flows
- VPN concentration: allows clients to connect a VPN session to the firewall over IPsec, SSL, etc.
- Performance: provides as many as 8 integrated and as many as 14 Gigabit ports, with service modules for flexibility in network design; provides as many as 700 Mbps of VPN throughput and as many as 5,000 concurrent VPN sessions

13 Defend the Edge: Industrial Demilitarized Zone
Diagram (Logical Model of the Industrial Automation and Control System (IACS): a converged multi-discipline industrial network with no direct traffic flow between the Enterprise and Industrial Zones):
- Enterprise Security Zone: Level 5 Enterprise Network; Level 4 Site Business Planning and Logistics Network (intranet, etc.)
- Industrial DMZ (firewall on each side): Remote Gateway Services, Patch Management, AV Server, Web Services Operations, Application Mirror, Application Server
- Industrial Security Zone: Level 3 Site Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server); Level 2 Area Supervisory Control (FactoryTalk Clients, Operator Interfaces, Engineering Workstation)
- Cell/Area Zone: Level 1 Basic Control (Batch, Discrete, Drive, Continuous Process and Safety Control); Level 0 Process (Sensors, Drives, Actuators, Robots)
The core of Converged Plantwide Ethernet (CPwE) Architectures is this logical framework: network segmentation, both for traffic management and for segmented policies such as security and QoS. This segmentation is organized into levels and zones. Network services such as Quality of Service (QoS), Virtual LANs (VLANs) and multicast traffic exist in both the Enterprise and Industrial Zones and should be segmented. The Industrial Demilitarized Zone (IDMZ) is used as a barrier between the Enterprise Zone and the Industrial Zone; the IDMZ concept is common in IT, but it is a new concept in industrial applications.
Industrial Zone best practices:
- Replicate critical services in the Industrial Zone; consider the following: domain services (e.g., LDAP or Active Directory), naming services (e.g., DNS and WINS), IP address services (e.g., DHCP), time services (e.g., NTP or PTP)
- Availability: apply redundant network routers/switches and links to maintain overall network availability
- Scalability: small sites use combined core and distribution switches; larger or growing sites should separate them to avoid oversubscription on uplinks
- Deploy security and network management
- Routing: use link-state routing protocols or EIGRP for Layer 3 load balancing and convergence; use EIGRP to simplify configuration; if standard protocols are required, use OSPF
- No overlapping IP addresses with the enterprise network

14 Defend the Edge: One Size Does Not Fit All
Diagram: seven ways of joining the plant-wide and enterprise-wide networks, ranging from Not Recommended to Recommended (it depends on customer standards, security policies and procedures, risk tolerance, and alignment with IACS security standards):
- Figures 1 to 3: plant-wide and enterprise-wide networks with no segmentation device shown
- Figure 4: switch with VLANs between the plant-wide and enterprise-wide networks
- Figure 5: router (zone-based firewall) between the networks (Good)
- Figure 6: firewall between the networks (Better)
- Figure 7: IDMZ between the networks (Best)

15 Defend the Edge: Industrial Demilitarized Zone (IDMZ)
Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the IDMZ is to add an additional layer of security to the trusted network.
Diagram: Enterprise Security Zone (untrusted/trusted) | Industrial DMZ (broker) | Industrial Security Zone (trusted)

16 Defend the Edge: IDMZ Functional Requirements
- All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
- Only path between zones
- No common protocols in each logical firewall
- No control traffic into the IDMZ; CIP stays home
- No primary services are permanently housed in the IDMZ
- IDMZ shall not permanently house data
- Application data mirror to move data into and out of the Industrial Zone
- Limit outbound connections from the IDMZ
- Be prepared to "turn off" access via the firewall
Diagram: Enterprise Security Zone (trusted? untrusted?) | disconnect point | IDMZ (replicated services, no direct traffic) | disconnect point | Industrial Security Zone (trusted)
For enhanced security and traffic management, ISA-99, NIST and DHS/INL segment levels into security zones. Zones establish domains of trust for security access and smaller LANs to shape and manage network traffic. The best practices call for establishing an IDMZ between the Enterprise Zone and the Industrial Zone. The IDMZ is a buffer zone providing a barrier between the Industrial and Enterprise Zones, but it allows data and services to be shared securely. All network traffic from either side of the IDMZ terminates in the IDMZ; no traffic traverses the IDMZ, that is, no traffic travels directly between the Enterprise and Industrial Zones. Finally, users should contain all industrial assets required for operations, such as FactoryTalk, within the Industrial Zone. To maintain these best practices while enabling information convergence between the Enterprise and Industrial Zones, Industrial Zone applications should replicate data to an application mirror within the IDMZ. Users should then replicate the data from this application mirror to an application within the Enterprise Zone. This can be either unidirectional or bidirectional. The IDMZ is also a demarcation line for segmenting network traffic and security policies between the Enterprise and Industrial Zones. Network services such as Quality of Service (QoS), Virtual LANs (VLANs) and multicast traffic exist in both the Enterprise and Industrial Zones and should be segmented.
The IDMZ is not a new concept, and is prevalent in enterprise networks where applications and data are shared with other enterprises or made available to the Internet. The concept and application of the IDMZ between the enterprise and industrial zones is very similar to the DMZs applied at the Internet and enterprise interface. Those DMZs apply strong traffic control, in-depth packet inspection, and enforced authorization and authentication for privileged access. The IDMZ is also a point where access can easily be shut off if issues or threats arise in a zone that threaten operations in other zones.

17 Defend the Edge: IDMZ Segmentation
Set up functional sub-zones in the IDMZ to segment access to data and services (e.g., Partner zone, Operations, IT).
Diagram: Enterprise Zone (trusted? untrusted?) | disconnect point | IDMZ with multiple functional sub-zones (Terminal Services, Patch Management, AV Server; Historian Mirror, Web Services, Operations Application Server; no direct traffic) | disconnect point | Industrial Zone (trusted)
The Industrial Zone requires a different "security stance": the devices and applications in the Industrial Zone are sensitive and vulnerable in different ways than enterprise systems and applications. Security is critical to the performance and availability of the automation and control systems, yet data and services need to be shared. Modern firewalls provide that critical segmentation between the industrial and enterprise networks while allowing safe and secure sharing of data and services. Industrial Demilitarized Zone concepts allow the sharing of critical data and services between the two zones: the DMZ provides a buffer zone where services and data can be shared between the manufacturing and enterprise zones, and it allows for easy segmentation of organizational control. No traffic should traverse the DMZ; all traffic should originate or terminate in the DMZ. The DMZ is also a demarcation where different operational and security policies can be applied to meet objectives from various perspectives. For example, the DMZ demarks where QoS settings change, and where critical I/O traffic from the manufacturing zone stops and is not mixed with enterprise traffic. The DMZ can be used to apply different operational settings (for example, authorizations, configurations, monitoring, and so on) to allow different network operational models to exist between the manufacturing environment and the IT-managed enterprise. As a last resort, the DMZ is also a point where access can easily be shut off if issues or threats arise in a zone that threaten operations in other zones.
The DMZ is not a new concept, but is prevalent in enterprise networks where applications and data are shared with other enterprises or made available to the Internet. The concept and application of the DMZ between the enterprise and manufacturing zones is very similar to the DMZs applied at the Internet and enterprise interface. Those DMZs apply strong traffic control, in-depth packet inspection, and enforced authorization and authentication for privileged access.
Key concepts:
- Firewalls are still a logical view
- NO direct traffic permitted between the enterprise and control zones
- All inbound and outbound traffic must stop at a server in the DMZ
- Operations like patch installation must be a two-stage process
- Remote administration must go through a terminal or application server
- Different colored networks are different sub-zones, like partner/vendor access
- Traffic permitted between enterprise, DMZ and control zones, and between different sub-zones, only as needed
- Multiple functional sub-zones help contain the spread of a worm infection, limit sniffing and scanning by attackers, and aid in management of firewall rules
For more information on the Demilitarized Zone, refer to chapter 2 of the Design and Implementation Guide.
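As an added illustration (not part of the webinar, and not Rockwell or Cisco tooling), the following Python script turns the IDMZ functional requirements of slide 16 and the sub-zone and two-stage-patching rules of slide 17 into an executable policy check that a firewall rule set can be audited against. The host names, sub-zones, allow-list and sample flows are constructed; the EtherNet/IP (CIP) ports TCP/UDP 44818 and UDP 2222 are assumed from the ODVA specification.

```python
"""IDMZ flow-policy evaluator (constructed example). Encodes the rules from the
slides: all traffic terminates in the IDMZ, no direct Enterprise<->Industrial
traffic, CIP stays home, limited IDMZ outbound, sub-zones talk only as needed,
and a disconnect point that cuts a zone off entirely."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"

# Constructed inventory: host -> (zone, IDMZ sub-zone or None). Not a real site.
HOSTS: Dict[str, Tuple[str, Optional[str]]] = {
    "erp-app":       (ENTERPRISE, None),
    "it-patch-src":  (ENTERPRISE, None),
    "app-mirror":    (IDMZ, "operations"),
    "patch-mgmt":    (IDMZ, "it"),
    "vendor-jump":   (IDMZ, "partner"),
    "ft-app-server": (INDUSTRIAL, None),
    "plc-line1":     (INDUSTRIAL, None),
}

# Assumption: EtherNet/IP (CIP) transports per ODVA: TCP/UDP 44818 explicit
# messaging, UDP 2222 implicit I/O. Treated as "control traffic" below.
CIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


@dataclass
class IdmzPolicy:
    # "As needed" allow-list of (src_host, dst_host, proto, port).
    allowed: Set[Tuple[str, str, str, int]] = field(default_factory=set)
    # Zones whose disconnect point has been pulled: every cross-zone flow
    # to or from them is dropped (the "be prepared to turn off access" rule).
    disconnected: Set[str] = field(default_factory=set)

    def evaluate(self, f: Flow) -> Tuple[bool, str]:
        src_zone, src_sub = HOSTS[f.src]
        dst_zone, dst_sub = HOSTS[f.dst]
        if (src_zone, src_sub) == (dst_zone, dst_sub):
            return True, "intra-zone traffic is outside the IDMZ policy"
        for zone in (src_zone, dst_zone):
            if zone in self.disconnected:
                return False, f"disconnect point active for {zone}"
        # Hard rules: these override any allow-list entry.
        if {src_zone, dst_zone} == {ENTERPRISE, INDUSTRIAL}:
            return False, "no direct traffic between Enterprise and Industrial zones"
        if dst_zone == IDMZ and (f.proto, f.port) in CIP_PORTS:
            return False, "no control traffic into the IDMZ (CIP stays home)"
        # Everything else is default-deny, permitted only as needed.
        if (f.src, f.dst, f.proto, f.port) in self.allowed:
            return True, "explicitly allowed"
        if src_zone == IDMZ and dst_zone == IDMZ:
            return False, f"sub-zone {src_sub} -> {dst_sub} not on the allow-list"
        if src_zone == IDMZ:
            return False, "outbound connections from the IDMZ are limited to the allow-list"
        return False, "default deny"


def example_policy() -> IdmzPolicy:
    """Constructed allow-list: two-stage patching plus the application mirror.
    The Industrial Zone pushes data to the mirror, the Enterprise Zone reads
    the mirror, and neither side ever reaches the other directly."""
    return IdmzPolicy(allowed={
        ("it-patch-src", "patch-mgmt", "tcp", 443),    # stage 1: enterprise -> IDMZ
        ("patch-mgmt", "ft-app-server", "tcp", 445),   # stage 2: IDMZ -> industrial
        ("ft-app-server", "app-mirror", "tcp", 1433),  # replicate into the mirror
        ("erp-app", "app-mirror", "tcp", 443),         # enterprise reads the mirror
    })


if __name__ == "__main__":
    policy = example_policy()
    for flow in (Flow("it-patch-src", "ft-app-server", "tcp", 445),
                 Flow("it-patch-src", "patch-mgmt", "tcp", 443),
                 Flow("plc-line1", "app-mirror", "udp", 2222),
                 Flow("vendor-jump", "patch-mgmt", "tcp", 22)):
        ok, why = policy.evaluate(flow)
        verdict = "ALLOW" if ok else "DENY"
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {why}")
```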

18 Defense-in-Depth: EtherNet/IP Industrial Automation & Control System Network
Analogy: M&M -> Everlasting Gobstopper
Diagram: Flat and Open IACS Network Infrastructure -> Structured and Hardened IACS Network Infrastructure

19 Defense-in-Depth: Multiple Layers to Protect the Network and Defend the Edge
- This approach utilizes multiple layers of defense at separate IACS levels by applying policies and procedures that address different types of threats
- No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications
- Addresses internal and external security threats
- Balance of technical and non-technical enforcement
Securing industrial assets requires a comprehensive security model based on a well-defined set of security policies. Policies should identify both security risks and potential mitigation techniques to address these risks. Protecting industrial assets requires a "defense-in-depth" security approach that addresses internal and external security threats. This approach utilizes multiple layers of defense (physical and electronic) at separate industrial levels by applying policies and procedures that address different types of threats. For example, multiple layers of network security protect networked assets, data and end points, and multiple layers of physical security protect high-value assets. No single technology, product or methodology can fully secure industrial networks.
A comprehensive security model should be designed and implemented as a natural extension of the manufacturing process. Security should not be implemented as an afterthought or bolt-on component. Recommendations and best practices for securing manufacturing assets include:
- Deploy holistic security based on "defense-in-depth"
- Conduct a security risk assessment
- Develop a manufacturing security policy that supports manufacturing operation requirements, based on enterprise security policy best practices
- Implement a manufacturing network security framework to establish domains of trust and appropriately apply security policies
- Establish an IDMZ between the Enterprise and Manufacturing Zones; prevent traffic from traversing the IDMZ; use application mirroring within the IDMZ to converge Manufacturing and Enterprise Zone information (noted in the next section)
- Harden computers and controllers
- Utilize industry standards such as ISA-99
- Leverage Rockwell Automation Network and Security Services

20 Defense-in-Depth: Industrial Security Policies Drive Technical Controls
- Physical: limit physical access to authorized personnel (Cells/Areas, control panels, devices, cabling and control room)
- Network: firewall policies, access control list (ACL) policies for switches and routers, intrusion detection and prevention systems (IDS/IPS)
- Computer hardening: patch management, Anti-X software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports
- Application: authentication, authorization and accounting (AAA) software
- Device hardening: change management, communication encryption and restrictive access

21 Defense-in-Depth: Example: Physical Port Security
- Keyed solutions for copper and fiber
- Lock-in and Block-out products secure connections
- Data Access Port (keyed cable and jack)
Strategy: Defense in Depth requires physical security. Security is a growing concern with the move to open networks. The Rockwell Automation and Cisco CPwE Design and Implementation Guide (DIG) provides a reference architecture for securing networks, including the use of an Industrial Demilitarized Zone (IDMZ) and VPN for remote access, to avoid many of the security risks from a logical view of the network. However, security requires a Defense in Depth approach. Panduit provides physical security products including lockable zone enclosures, lockable data access ports and, of special consideration here, products for securing connectivity.
Keyed connectivity: Panduit's physical security products include keyed jacks and plugs for both fiber and copper that are color coded, with unique keying built into each half of the mating connector that prevents connecting to a mismatched color code. This allows different zones or priorities of cabling to be kept secure.
Lock-in / Block-out: Panduit's Lock-in products are small plastic parts that slip over standard copper or fiber patch cord plugs and prevent removal of the inserted connector from the Stratix switch, controller, device or patch panel without a special key (as shown in the picture above). This Lock-in prevents unauthorized users from removing the patch cable without a tool. The Block-out device is another small plastic part that is inserted in unused ports on devices, switches or patch panels and prevents inserting any fiber or copper plug. Again, a special tool is required to remove it, so a measure of physical security and mistake-proofing is achieved. Keyed connectivity and Lock-in/Block-out can be used to effectively segment and control zones of connections, whether in a control panel or a rack-based switch.

22 Defense-in-Depth: Security Zones, Conduits and Barrier Devices
- Security zones: areas under protection. Typical requirements: communications access; physical access and proximity
- Conduits: a type of security zone that provides communication and has channels
- Barrier devices: devices used to separate zones with different security policies, levels or risks. Example: block all non-essential communications in/out of the zone
Diagram: Zone 1, Zone 2

23 Defense-in-Depth: Unified Threat Management
Cisco Adaptive Security Appliance (ASA) 5520 and 5510
Firewall with application layer security:
- Multi-layer packet and traffic analysis
- Advanced application and protocol inspection services
- Network application controls
Access control and authentication:
- Flexible user- and network-based access control services
- Stateful packet inspection
- Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos and RSA SecurID
IPS and Anti-X defenses:
- Real-time protection from application and OS level attacks
- Network-based worm and virus mitigation
- Spyware, adware and malware detection and control
- On-box event correlation and proactive response
Intelligent networking services:
- Low latency
- Diverse topologies
- Multicast support
- Services virtualization
- Network segmentation and partitioning
- Routing, resiliency, load-balancing
SSL and IPsec connectivity:
- Threat-protected SSL and IPsec VPN services
- Zero-touch, automatically updateable IPsec remote access
- Flexible clientless and full-tunneling client SSL VPN services
- QoS/routing-enabled site-to-site VPN
Glossary:
- SSL: Secure Sockets Layer
- VPN: Virtual Private Network
- IPsec: IP security, a suite of protocols for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet in a data stream
- IPS: Intrusion Prevention System
- Anti-X: antivirus, antispyware, etc.
- LDAP: Lightweight Directory Access Protocol
- Kerberos: network authentication protocol
- RSA SecurID: hardware or software authentication token
A firewall is a security device which is configured to permit, deny or proxy data connections according to the organization's security policy. Firewalls can be either hardware- or software-based. A firewall's basic task is to control traffic between computer networks with different zones of trust. Today's firewalls combine multilayer stateful packet inspection and multi-protocol application inspection, and Virtual Private Network (VPN) services and Intrusion Prevention Services (IPS) have been combined with the firewall inspection engine(s). Despite these complexities, the primary role of the firewall is to enforce security policy. Modern firewalls (UTMs) provide a range of security services.

24 Stratix 5900 Layer 2 & Layer 3 Services Router
Premier routing and security services for Layer 2 or Layer 3:
- Router + Firewall
- Virtual Private Network (VPN)
- Network Address Translation (NAT)
- Access Control Lists (ACL)
- Connections: 1 Gigabit WAN, 4 Fast Ethernet
- Industrially hardened, DIN rail mountable
- Ideal for site-to-site connections, Cell/Area Zone firewall and OEM integration
The new services router is a unified threat management device that combines several functions to help protect your network at the perimeter. It is ideal for helping protect communications through secure channels and for restricting unwanted communications by policy and inspection.

25 Defense-in-Depth: Unified Threat Management with the Stratix 5900 Services Router
Diagram:
- Enterprise Zone, Levels 4 & 5 (Data Center): enterprise-wide business systems
- IDMZ
- Industrial Zone, Level 3 (Site Operations): plant-wide / site-wide operation systems on physical or virtualized servers: FactoryTalk Application Servers & Services Platform; network services (e.g., DNS, AD, DHCP, AAA); Remote Access Server (RAS); Call Manager; Storage Array
- Levels 0-2 (Cell/Area Zones), three Stratix 5900 placements: 1) Site-to-Site Connection (Remote Site #1); 2) Cell/Area Zone Firewall (Local Cell/Area Zone #1); 3) OEM Integration (Local OEM Skid / Machine #1)
In this system you can see that there are three Cell/Area Zones, each with different hardware. You could imagine that these three systems could be from unique manufacturers who would like to protect their intellectual property.

26 Defense-in-Depth Stratix 5900 Services Router - Encryption

27 Defense-in-Depth Stratix 5900 Services Router - Encryption

28 Protect the Network: The Stratix Managed Switch Portfolio
Products that offer:
- Layer 2 and Layer 3 switching for simple to complex network applications
- Advanced security services
- Plant-floor and Enterprise integration
Technology that offers:
- Advanced switching, routing and security features
- Common tools for Controls and IT
- Improved maintainability
Addressing the needs of Automation & Operations and IT

29 Protect the Network: The Stratix Managed Switch Portfolio
Designed and developed for industrial EtherNet/IP applications
Optimize network performance:
- QoS (Quality of Service): default configurations are set to ODVA standards for EtherNet/IP industrial applications, covering discrete, motion, safety and process applications
- IEEE 1588 (CIP Sync): the ODVA implementation of the IEEE 1588 precision time protocol ensures performance when connecting EtherNet/IP devices
Simplify design, deployment and maintainability:
- DHCP per port: assign a specific IP address to each port, ensuring that the device attached to a given port will always get the same IP address
- Broken wire detection: detect cabling problems such as open, broken, cut or shorted twisted-pair wires, with status available in Logix
- Network Address Translation (NAT): a 1:1 IP address translation to help segment machine-level network devices from the plant network; translate only the devices that need to be visible to the plant network
QoS is also called out as a control against DDoS attacks; DHCP per port prevents user misconfiguration; NAT can be used to hide internal systems and make reconnaissance more difficult.

30 Protect the Network: The Stratix Managed Switch Portfolio
Providing simplified tools and advanced feature sets
Helping protect the assets:
- Application/project (CIP) based port access: controller-based port control (on/off); port access based on controller mode (idle/fault); unauthorized device identification (tags) per port
- Configurable port security: preconfigured port security set-up via Smartports; configure the number of devices allowed per port; configurable device MAC ID authentication
Helping protect the plant:
- Encrypted administrative traffic: VPN, SSHv2, SNMPv3 and HTTPS
- Advanced security features: Access Control Lists (ACLs) to apply security policies per port; device-based authentication with 802.1X; centralized management through TACACS+ and RADIUS
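As an added example (not from the webinar and not Rockwell's own tooling), this Python script audits a Stratix/Cisco IOS style running-config for the controls listed above: encrypted administrative access (SSHv2, HTTPS, SNMPv3), centralized AAA over TACACS+/RADIUS, and per access port the port-security device limit, MAC ID or 802.1X authentication and a per-port ACL. The configuration text is constructed and contains deliberate weak settings for the audit to flag; the IOS commands it looks for are the standard ones, and an auditor would adapt them to the switch's actual firmware.

```python
"""Running-config hardening audit (constructed example). Parses an IOS-style
config into blocks and reports which of the slide's controls are missing."""
from typing import Dict, List, Tuple

# Constructed running-config excerpt for a hypothetical switch (not a real device).
SAMPLE_CONFIG = """\
hostname stratix-line1
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server ise1
 address ipv4 10.0.0.5
ip ssh version 2
no ip http server
ip http secure-server
snmp-server group OPS v3 priv
snmp-server community public RO
line vty 0 15
 transport input telnet ssh
interface GigabitEthernet1/1
 description Uplink to distribution
 switchport mode trunk
interface FastEthernet1/1
 description PLC line 1
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ip access-group PLC-IN in
interface FastEthernet1/2
 description HMI
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
interface FastEthernet1/3
 description spare
 switchport mode access
"""

Block = Tuple[str, List[str]]


def parse_config(text: str) -> List[Block]:
    """Group IOS-style config into (top-level command, [indented sub-commands])."""
    blocks: List[Block] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_global(blocks: List[Block]) -> List[str]:
    """'Helping protect the plant': encrypted admin traffic and centralized AAA."""
    top = {hdr for hdr, _ in blocks}
    findings = []
    if "ip ssh version 2" not in top:
        findings.append("SSHv2 not enforced (missing 'ip ssh version 2')")
    for hdr, kids in blocks:
        if hdr.startswith("line vty"):
            for k in kids:
                if k.startswith("transport input") and ("telnet" in k or k.endswith(" all")):
                    findings.append(f"{hdr}: cleartext Telnet allowed ('{k}')")
    if "no ip http server" not in top or "ip http secure-server" not in top:
        findings.append("web management not restricted to HTTPS")
    if not any(h.startswith("snmp-server group") and " v3 " in h and h.endswith(" priv") for h in top):
        findings.append("no SNMPv3 authPriv group configured")
    for h in sorted(top):
        if h.startswith("snmp-server community"):
            findings.append(f"SNMPv1/v2c community string present ('{h}')")
    aaa_servers = ("tacacs server", "tacacs-server host", "radius server", "radius-server host")
    if "aaa new-model" not in top or not any(h.startswith(aaa_servers) for h in top):
        findings.append("centralized AAA (TACACS+/RADIUS) not configured")
    return findings


def audit_access_ports(blocks: List[Block]) -> Dict[str, List[str]]:
    """'Helping protect the assets': per-port checks on every access port."""
    report: Dict[str, List[str]] = {}
    for hdr, kids in blocks:
        if not hdr.startswith("interface ") or "switchport mode access" not in kids:
            continue
        issues = []
        if "switchport port-security" not in kids:
            issues.append("port security disabled")
        if not any(k.startswith("switchport port-security maximum") for k in kids):
            issues.append("no limit on devices per port")
        mac_bound = any(k.startswith("switchport port-security mac-address") for k in kids)
        dot1x = any(k.startswith(("dot1x port-control auto", "authentication port-control auto")) for k in kids)
        if not (mac_bound or dot1x):
            issues.append("no MAC ID or 802.1X device authentication")
        if not any(k.startswith("ip access-group") for k in kids):
            issues.append("no per-port ACL")
        report[hdr.split(" ", 1)[1]] = issues
    return report


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for finding in audit_global(cfg):
        print("global:", finding)
    for port, issues in audit_access_ports(cfg).items():
        print(f"{port}: {', '.join(issues) or 'OK'}")
```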

31 Protect the Network: Rockwell Automation & Partner Portfolio
Collaboration of partners:
- Rockwell Automation: Integrated Control & Information
- Cisco: Wireless, Security, Switching & Routing
- Microsoft: Operating Systems, Database / Cloud Infrastructure, & Application Security
- Panduit: Physical Layer Network Infrastructure, Zone Enclosures
- VMware: Data Center Virtualization
- PartnerNetwork: Alliances, Encompass, Distributors, System Integrators, OEMs
Our unique enterprise-wide approach and partnerships help customers establish a secure environment that both protects the industrial control system and links end-point devices in manufacturing and industrial operations within the enterprise and the supply and demand chain. Successful collaboration with strategic alliance partners like Cisco, Panduit and Microsoft results in unique expertise and insights that facilitate the design and management of a more secure and productive Connected Enterprise. Our strategic alliance partners are critical to our Connected Enterprise offering. To support our strategies we have partnered with:
- Cisco, to provide a common network and security environment on a single, unified network infrastructure. Together we are driving the adoption of the Common Industrial Protocol through the EtherNet/IP standard for safe and highly deterministic automation applications.
- Panduit, to provide optimized physical network infrastructure solutions and integrated solutions and services for customers.
- Microsoft, around application security, cloud computing and technology roadmaps, to develop information solutions that enable customers to increase the value of ownership and empower people by lowering the barriers to applying information technologies to optimize production.

32 Protect the Network Converged Plant-Wide Ethernet (CPwE)
Recommendations and guidance to help reduce latency and jitter, increase data availability, integrity and confidentiality, and design and deploy a scalable, robust, secure and future-ready EtherNet/IP IACS network infrastructure:
- Single industrial network technology
- Robust physical layer
- Segmentation
- Resiliency protocols and redundant topologies
- Time synchronization
- Prioritization: Quality of Service (QoS)
- Multicast management
- Convergence-ready solutions
- Security: defense-in-depth
- Scalable secure remote access

Designing a resilient network infrastructure with low latency and jitter increases the availability and integrity of control and information data. Latency (delay) is the time elapsed from when one device transmits data until another device receives it; jitter is the variation of that delay. Converging multidiscipline control and information traffic onto a common industrial network requires reducing latency and jitter. To do so, CPwE recommends segmenting and prioritizing network traffic: segmentation reduces the impact of broadcast and multicast traffic, and prioritization (QoS) forwards time-critical control traffic ahead of information traffic.

33 Protect the Network Converged Plantwide Ethernet (CPwE)
Industrial security policy
Defend the edge: Industrial DMZ (IDMZ)
Protect the network: structured and hardened
Defense-in-Depth: multiple layers of security
Reference architecture, top to bottom:
- Enterprise Zone (Levels 4-5): Enterprise WAN; standard DMZ design best practices
- Industrial Demilitarized Zone (IDMZ): VLANs; physical or virtualized servers (patch management, remote gateway services, application mirror, AV server); Cisco ASA 5500 plant firewalls (active/standby) providing inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and terminal server proxy
- Level 3, Site Operations: network status and monitoring; AAA for applications (authentication server, Active Directory) and AAA for network devices; Catalyst 6500/4500 and Catalyst 3750 StackWise switch stack; network device resiliency; remote access server; network infrastructure access control and hardening; FactoryTalk client hardening
- Level 2, Area Supervisory Control: HMI; VLANs segmenting domains of trust; client hardening
- Level 1, Controller, and Level 0, Process: controllers, I/O, drives, soft starters, MCC; physical port security; Unified Threat Management (UTM); controller hardening, physical security, encrypted communications
Network security services must not compromise operation of the IACS.

As discussed earlier, the reference architectures define recommended best practices tested by Rockwell Automation and Cisco. They use industry standards such as ISA/IEC and NIST to establish an industrial security network framework. Core tenets:
- The need for a security policy
- The recommendation of an IDMZ as an additional buffer zone
- A defense-in-depth approach

34 Network & Security Services Life Cycle Approach to Services and Solutions
ASSESS DESIGN IMPLEMENT VALIDATE MANAGE

35 What Can You Do Now to Mitigate Risk?
Practice these 8 simple, actionable steps to enhance industrial reliability and security:
1. Control who has network access
2. Employ firewalls and intrusion detection/prevention
3. Use anti-virus protection and patch your systems
4. Manage and protect your passwords
5. Turn the processor key(s) or toggle the mode switch to Run mode, so the controller rejects program edits and downloads until someone physically changes the key position
6. Use the security features embedded in Rockwell Automation products today (example: FactoryTalk Security)
7. Develop a process to manage removable media
8. Block unused access ports (example: keyed connectors)

36 What Can You Do Moving Forward to Mitigate Risk?
- Separate the control network from the enterprise network
- Harden the connection to the enterprise network
- Protect all points of entry with strong authentication
- Make reconnaissance difficult from outside
- Harden the interior of the control network
- Make reconnaissance difficult from inside
- Avoid single points of vulnerability
- Frustrate opportunities to expand a compromise
- Harden field sites and partner connections (mutual distrust)
- Monitor both perimeter and inside events
- Periodically scan for changes in security posture
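"Periodically scan for changes in security posture" and "monitor inside events" can be made concrete on the switch layer by diffing each switch's current running-config against the baseline captured at commissioning, and alerting only on the lines that matter for security (port security, SNMP, SSH/telnet, ACLs, accounts). The following is an added example, not from the webinar or from any Rockwell Automation product: a Python config-drift check that normalizes away volatile lines such as the "Last configuration change" timestamp, fingerprints the result so a poller can cheaply detect any change, and attributes each changed command to its section so a change on FastEthernet1/1 is not confused with the same command on FastEthernet1/2. Both configs (Cisco IOS syntax), the hostname and the keyword list are constructed assumptions for the example.

```python
import hashlib
import re

# Constructed baseline (taken at commissioning) and current running-config of
# the same switch, in Cisco IOS syntax. Illustration only, not real captures.
BASELINE_CONFIG = """\
! Last configuration change at 10:02:11 UTC Mon Jun 2 2014
hostname STRATIX-CELL1
ip ssh version 2
!
interface FastEthernet1/1
 description PLC-1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
!
interface FastEthernet1/2
 description HMI panel
 switchport mode access
 switchport port-security
!
line vty 0 15
 transport input ssh
!
"""

CURRENT_CONFIG = """\
! Last configuration change at 14:37:55 UTC Thu Jun 26 2014
hostname STRATIX-CELL1
ip ssh version 2
snmp-server community public RO
!
interface FastEthernet1/1
 description PLC-1
 switchport mode access
 switchport port-security
 switchport port-security maximum 8
!
interface FastEthernet1/2
 description HMI panel (moved to cabinet B)
 switchport mode access
 switchport port-security
!
line vty 0 15
 transport input telnet ssh
!
"""

# Lines that change on every save or reload and carry no policy meaning.
VOLATILE = (
    re.compile(r"^! (Last|No) configuration change"),
    re.compile(r"^! NVRAM config last updated"),
    re.compile(r"^ntp clock-period"),
)

# Substrings marking a command as security-relevant for alerting. This is an
# assumed starting list for the example; extend it to match the site policy.
SECURITY_KEYWORDS = (
    "port-security", "snmp-server", "access-list", "access-group",
    "ip ssh", "transport input", "ip http", "username", "aaa ",
    "enable secret", "enable password", "shutdown", "dot1x", "tacacs", "radius",
)


def normalize(text):
    """Drop blank/separator lines and volatile metadata so only policy lines remain."""
    return [
        line.rstrip() for line in text.splitlines()
        if line.strip() and line.strip() != "!"
        and not any(p.match(line) for p in VOLATILE)
    ]


def config_fingerprint(text):
    """Stable SHA-256 of the normalized config, for cheap 'did anything change?' polling."""
    return hashlib.sha256("\n".join(normalize(text)).encode()).hexdigest()


def config_items(text):
    """Set of (section, command) pairs; indented commands belong to the preceding top-level line."""
    items, section = set(), "global"
    for line in normalize(text):
        if line.startswith(" "):
            items.add((section, line.strip()))
        else:
            section = line.strip()
            items.add(("global", section))
    return items


def is_security_relevant(command):
    return any(k in command for k in SECURITY_KEYWORDS)


def drift(baseline, current):
    """Compare two configs and flag security-relevant additions and removals."""
    b, c = config_items(baseline), config_items(current)
    added, removed = sorted(c - b), sorted(b - c)
    relevant = [("added", s, cmd) for s, cmd in added if is_security_relevant(cmd)]
    relevant += [("removed", s, cmd) for s, cmd in removed if is_security_relevant(cmd)]
    return {
        "changed": config_fingerprint(baseline) != config_fingerprint(current),
        "added": added,
        "removed": removed,
        "security_relevant": relevant,
    }


if __name__ == "__main__":
    report = drift(BASELINE_CONFIG, CURRENT_CONFIG)
    for kind, section, command in report["security_relevant"]:
        print(f"{kind:8} [{section}] {command}")
```

On the constructed pair the check reports five security-relevant changes (a new SNMPv2c community, the port-security maximum raised from 1 to 8 on the PLC port, and telnet re-enabled on the VTY lines, each as an added and a removed line) while the edited port description, although it is a real change, stays out of the alert list. A fingerprint mismatch with an empty `security_relevant` list is still worth logging: it tells you someone is changing switches outside the change process.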

37 What Can You Do to Create a Security Culture?
Educate and create awareness in your organization
Align with industrial automation and control system security standards: DHS External Report # INL/EXT , NIST , ISO/IEC (formerly ISA-99)
Leverage a defense-in-depth philosophy: no single product, methodology or technology fully secures IACS networks
Establish open dialogue between teams: production, engineering, IT and Rockwell Automation (incident response sharing)
Work with trusted partners knowledgeable in automation and security
"Good enough" security now is better than "perfect" security never. (Tom West, Data General)

38 Thank You

39 Rockwell Automation Industrial Security Resources
Security Seminars
Multimedia Videos
Industrial Security Website
Industrial IP Advantage
SANS
Continuous learning from many resources.
Speaker note: explain what we have done, and tee it up for the Wed train-the-trainer session; explain that they can have a session in FY15.

40 Rockwell Automation Industrial Security Resources
Security-enhanced Products and Technologies: Rockwell Automation products and technologies with security capabilities that help increase overall, system-level control system security.
EtherNet/IP Plantwide Reference Architectures: control system validated designs and security best practices that complement recommended layered security / defense-in-depth measures.
Network & Security Services (NSS): Rockwell Automation consulting specialists who conduct security risk assessments and recommend how to avert risk and mitigate vulnerabilities.
Remote Asset Monitoring Services: the Virtual Support Engineer is a service that offers a simple and secure approach to monitoring your equipment and collecting valuable performance analytics.

41 Rockwell Automation: Industrial Security Resources
Assessment Services
Security Advisory Index
Security Technology
MS Patch Qualification
Security FAQ
Reference Architectures
Security Services
Leadership & Standards
Pretty Good Privacy (PGP) Public Key

42 Rockwell Automation: Educational Tools & Content
A new 'go-to' resource for educational, technical and thought-leadership information about industrial network communication
Basic and Advanced Training courses will be available September through December
Register today at to be a part of the community
Networks Mythbusters coming out at the end of March
E-newsletter starting in March
Webinars will be hosted

43 Rockwell Automation: Industrial Security Resources
Rockwell Automation Knowledgebase Article #: 35530*
Microsoft Patch Qualification for Rockwell Automation software products
*TechConnect support contract required

44 Rockwell Automation Educational Tools & Content
EtherNet/IP Website:
Network and Security Services Website:
Reference Architectures
- Design Guides: Converged Plant-wide Ethernet (CPwE)
- Application Guides: Fiber Optic Infrastructure Application Guide

45 Rockwell Automation Educational Tools & Content
Knowledgebase
- Security Table of Contents
- TCP/UDP Ports used by Rockwell Automation products
Network and Security Services Brochure
Whitepapers
- Patch Management and Computer System Security Updates
- Scalable Secure Remote Access Solutions for OEMs
- Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
- Securing Manufacturing Computer and Controller Assets
- Production Software within Manufacturing Reference Architectures
- Achieving Secure Remote Access to Plant-floor Applications and Data
- Design Considerations for Securing Industrial Automation and Control System Networks (ENET-WP031A-EN-E)

46 Rockwell Automation Educational Tools & Content
New Customer Training Courses (example: CCP179, Stratix 5700 Switch Configuration for an EtherNet/IP™ Network)
Integrated Architecture Tools
- EtherNet/IP Capacity Tool
- Reference Drawings
- New EtherNet/IP Toolkit: customer guide to getting started quickly with EtherNet/IP

47 Rockwell Automation Educational Tools & Content
Educational Series Webcasts:
- What every IT professional should know about Plant-Floor Networking
- What every Plant-Floor Engineer should know about working with IT
- Industrial Ethernet: Introduction to Resiliency
- Fundamentals of Secure Remote Access for Plant-Floor Applications and Data
- Securing Architectures and Applications for Network Convergence
- IT-Ready EtherNet/IP Solutions
Available online: /products-technologies/network-technology/architectures.page?

People and Process Optimization: this series is part of an overall collaboration between Cisco and Rockwell Automation to facilitate convergence between industrial and enterprise networks. The intent of the education series is to provide a common reference and understanding of terminology between IT professionals and control engineers, to facilitate dialogue. Education that facilitates industrial/IT convergence helps enable successful architecture deployment and efficient operations, allowing critical resources to focus on innovation and productivity. Rockwell Automation and Cisco encourage IT and control engineers to watch these videos on demand (VoDs) together. Remember, it is all about facilitating dialogue.

48 ODVA Educational Tools & Content
Website:
Securing EtherNet/IP Networks (269R0_ODVA_Securing_EtherNetIP_Networks.pdf)

49 SANS Educational Tools & Content
A valuable, trusted source for Industrial Control Systems security training, certification and tools:
- Security policy templates (e.g., Remote Access Policy, Network Security Policy)
- Webinars (Mobile, Leveraging Critical Security Controls to Mitigate Risks, etc.)
- Online and live training courses
- Research and discussion

