
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Jeffrey A. Shearer, PMP Principal Security Consultant Network and Security.


1 © 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.
Jeffrey A. Shearer, PMP, Principal Security Consultant, Network and Security Services
SESAM meeting, 6/4 2011: IT Security
Erik Gross Jensen, Solution Architect, Software

2 What We Are Delivering Together
–Education Series
–Stratix 8000 and portfolio
–Reference Architectures for Manufacturing
–Common Technology View
–Network and Security Services
http://www.ab.com/networks/architectures.html

3 Network Management
–IT and Production Control
–Automation and Control Applications
–CIP-Based Support in the Network
–Local Applications (Device Manager)
–IT Network Management (SNMP-Based)
–Command Line Interface

4 Reference Material
Copyright © 2010 Rockwell Automation, Inc. All rights reserved.
http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf

5 Reference Architectures for Manufacturing
[Architecture figure; labels: Gbps link for failover detection; Firewall (Active); Firewall (Standby); Layer 3 Router; Layer 3 Switch Stack; Layer 2 Switch; Drives, Controllers, HMIs, Distributed I/O; Levels 0–2; Cell/Area #1 (Redundant Star Topology); Cell/Area #2 (Ring Topology); Cell/Area #3 (Bus/Star Topology); Cell/Area Zone; Manufacturing Zone, Level 3; Demilitarized Zone (DMZ); Enterprise Zone, Levels 4 and 5; Windows 2003 Servers; Remote desktop connection; VPN; FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager); FactoryTalk Services Platform (Directory, Security); Data Servers; Network Services (DNS, DHCP, syslog server); Network and security management]
Design guidance
–Methodology built on industry standards
–Best practices and recommendations
–Documented configuration settings
–Tested with industrial applications
–Cisco “Validated” network design
“Future-ready” network foundation
–CIP Safety, CIP Sync, CIP Motion
–Voice, Video

6 High Level Architecture Review
Remote access involves cooperation between:
–Enterprise Zone: Information Technologies (IT) and the infrastructure of the facility
–Automation Demilitarized Zone (Automation DMZ): knowledge of the traffic that must move from the plant to enterprise systems
–Manufacturing Zone: Cell and Area devices, traffic flow and protocols

7 Enterprise Zone
–“Levels” 4 & 5, owned by Information Technologies (IT)
–Traditionally some VLANs in place
–Campus-to-campus communications
–IT knowledgeable with routing and firewalls
You need to work with the IT personnel to get access to the DMZ
–Don’t bypass these fine folks!

8 Automation DMZ
–Shared ownership by IT and Manufacturing professionals
“Typically”:
–IT owns firewalls
–IT configures the switches on behalf of Manufacturing professionals
–Manufacturing professionals own DMZ terminal servers, application servers, patch management servers
DMZ requires cooperation from both IT and Manufacturing

9 Why a Demilitarized Zone (DMZ)?
To preserve smooth plantwide operations and the functioning of the Industrial Automation and Control System (IACS) application and IACS network, this zone requires clear isolation and protection from the Enterprise zone via security devices within the Demilitarized Zone (DMZ).
This insulation not only enhances security segmentation between the Enterprise and Manufacturing zones, but may also represent an organizational boundary where IT and manufacturing organizational responsibilities interface.
This approach permits the Manufacturing zone to function entirely on its own, irrespective of the connectivity status to the higher levels.

10 Controlling Access to the Manufacturing Zone
No direct traffic flow from the Enterprise Zone to the Manufacturing Zone

11 DMZ Topology
Firewall(s):
–Enterprise Interface
–DMZ Interface
–Manufacturing Interface
Firewalls are used to block or allow access to devices on these interfaces based on a set of rules.
There will be assets like switches and servers that are part of the DMZ.

12 Manufacturing Zone
Division of the plant into functional areas for secured access
–ISA-SP99 “Zones and Conduits” model
OEMs’ participation:
–IP addresses
–VLAN IDs
–Access-layer to distribution-layer cooperation
System design requires full cooperation of all System Integrators, OEMs, IT and Engineering.
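The three-interface firewall of slide 11, the "no direct traffic flow" principle of slide 10 and the zones-and-conduits model of slide 12 can be expressed as a small rule table and checked mechanically. The following Python is an added example, not Cisco or Rockwell Automation code; the zone subnets, host addresses, ports and the rule set are constructed assumptions for illustration.

```python
# Zone-and-conduit firewall policy check. Added example, not Cisco or
# Rockwell Automation code; the zones, subnets, hosts and ports below are
# constructed sample values for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The three firewall interfaces from the DMZ topology slide, each mapped
# to a constructed subnet.
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.10.0.0/24"),
    "manufacturing": ip_network("10.20.0.0/16"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port
    action: str             # "permit" or "deny"


def zone_of(ip: str) -> str:
    """Map an address to the firewall interface (zone) it sits behind."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not inside any known zone")


# Conduits: every permitted flow terminates in the DMZ, so a session from
# the Enterprise Zone never reaches a Manufacturing Zone host directly.
# First match wins, and anything unmatched falls to the implicit deny.
RULES: List[Rule] = [
    Rule("enterprise", "dmz", "tcp", 3389, "permit"),      # remote desktop to the DMZ terminal server
    Rule("enterprise", "dmz", "tcp", 443, "permit"),       # web access to a DMZ application server
    Rule("dmz", "manufacturing", "tcp", 3389, "permit"),   # terminal server onward into the plant
    Rule("manufacturing", "dmz", "tcp", 1433, "permit"),   # data replication to a DMZ mirror (constructed)
    Rule("enterprise", "manufacturing", "any", None, "deny"),
    Rule("manufacturing", "enterprise", "any", None, "deny"),
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> str:
    """Return "permit" or "deny" for a flow; the first matching rule wins."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "deny"   # implicit deny: nothing is allowed unless a conduit exists


def audit(rules: List[Rule] = RULES) -> List[str]:
    """List permit rules that bypass the DMZ, i.e. violate the no-direct-path design rule."""
    return [
        f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.dport}"
        for r in rules
        if r.action == "permit" and "dmz" not in (r.src_zone, r.dst_zone)
    ]


if __name__ == "__main__":
    samples = [
        Flow("10.0.1.5", "10.10.0.10", "tcp", 3389),   # enterprise -> DMZ terminal server
        Flow("10.0.1.5", "10.20.3.7", "tcp", 3389),    # enterprise -> plant host, direct
        Flow("10.10.0.10", "10.20.3.7", "tcp", 3389),  # DMZ terminal server -> plant host
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {evaluate(f)}")
    print("rules bypassing the DMZ:", audit())
```

The audit() function turns the slide 10 principle into an invariant: any permit rule whose source and destination are both outside the DMZ is reported. That is the check worth running against a real firewall rulebase (exported and parsed into the same Rule shape) every time the rules change, since a single "temporary" enterprise-to-plant permit is exactly what the DMZ design exists to prevent.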

13 Manufacturing Zone
Defense in depth still applies to the manufacturing zone. The defense-in-depth steps are still applied to:
–Device hardening
–Application
–Computers
–Networks
–Physical
Rockwell Automation products support the defense-in-depth strategy.

14 Defense in Depth Designs
(Confidential – For Internal Use Only) Copyright © 2009 Rockwell Automation, Inc. All rights reserved.
Apply security products and support a defense-in-depth (or layered) architecture:
1. Network & security design
2. Limit physical access to all equipment
3. Control access to automation networks
4. Control access to computers and keep them up to date
5. Control access to software applications that are used to configure devices
6. Control access to both the configuration and data in automation devices
[Figure labels: Perimeter Enforcement, Device Security, Security Services; Application, Computer, Device, Physical, Network; Design]
This is not a “one size fits all” problem … you are in the best position to decide which risks are the most urgent and which tools to use to reduce that risk.

15 Configuration Access Control Using FactoryTalk Security
How does it work?
–Provides centralized authentication and access control by verifying the identity of each user (and computer) who attempts to access the automation system, and then either granting or denying each user’s request to perform particular actions on features and resources within the system.
Authentication – verifies a user’s identity and verifies that a request for service originates with that user.
Authorization – verifies a user’s request to access a software product, feature, or system resource against a set of defined access permissions.
–Authenticates and authorizes users against a set of defined permissions held in the FactoryTalk Directory.
[Figure labels: Application, Computer, Device, Physical, Network]

16 Application: Device Configuration
Use FactoryTalk Security to:
–Control computer and user access to devices
–Control use of selected software applications that access devices
[Figure labels: Perimeter Enforcement, Application, Operating System, Device, Physical, Network]

17 FactoryTalk Security (FTS-05)
Product Policies
–Define which functions, features or users of a software application can be used across your site or enterprise
System Policies
–Define the rules that govern how security is implemented (like password expirations) across your site or enterprise
Computers and Computer Groups
–Define which computers can be used to access your automation system
Networks and Devices
–Define which actions can be performed on a specific hardware resource
Users and User Groups (roles)
–Define which users or groups of users can get access to your automation system
Notes:
Product Policies
–Restrict access to the features of individual FactoryTalk-enabled products
–Only users with the required level of access can use the product features that you have secured.
System Policies
–Define general security rules, such as how frequently passwords must be changed
Computers and Groups
–You can use these accounts to enforce line-of-sight security
–Combine individual computer accounts into groups to make it easier to manage security.
Networks and Devices
–Secure access to control hardware
–Securable actions can be defined for all similar devices, for groups of devices, or on a device-by-device basis
–Actions and devices can be put into groups for easier management (new in CPR9)
Users and User Groups
–FactoryTalk User: user accounts that are held in the FactoryTalk Directory
–Windows-Linked User: user accounts that already exist in a Windows domain or workgroup
–Combine user accounts into User Groups to set up role-based security access:
Windows-linked User Group – references user groups that already exist in a Windows Domain
FactoryTalk Group – combines individual Users and other groups, including Windows-Linked groups, into a FactoryTalk Group
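Slides 15 and 17 describe the pieces of the FactoryTalk Security model: authentication kept separate from authorization, system policies such as password expiration, computer groups used for line-of-sight security, device groups, and user groups used as roles. The Python below is an added example showing how those pieces combine into one access decision; it is not FactoryTalk's own code or API, and every user, computer, group, device and action name in it is a constructed assumption.

```python
# Simplified model of the authentication/authorization split and the
# securable-object model described for FactoryTalk Security. Added example;
# this is not FactoryTalk's own API, and every user, computer, group, device
# and action name below is constructed for illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Set

TODAY = date(2011, 6, 4)   # constructed "current date" for the password-age check


@dataclass
class SystemPolicy:
    """System policy: general rules such as how often passwords must change."""
    password_max_age_days: int = 90


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    pw_set_on: date
    groups: FrozenSet[str]   # user groups act as roles


@dataclass
class Grant:
    """A securable action on a device (or device group) granted to a user group.
    computer_group limits the grant to named computers (line-of-sight security)."""
    group: str
    resource: str
    action: str
    computer_group: Optional[str] = None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Stand-in for the directory holding users, computers, devices and permissions."""

    def __init__(self, policy: SystemPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, User] = {}
        self.computer_groups: Dict[str, Set[str]] = {}   # computer -> groups it belongs to
        self.device_groups: Dict[str, str] = {}          # device -> device group
        self.grants: List[Grant] = []

    def add_user(self, name: str, password: str, pw_set_on: date, groups: List[str]) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash(password, salt), pw_set_on, frozenset(groups))

    def authenticate(self, name: str, password: str, today: date) -> bool:
        """Verify identity, then apply the system policy on password age."""
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(_hash(password, u.salt), u.pw_hash):
            return False
        return today - u.pw_set_on <= timedelta(days=self.policy.password_max_age_days)

    def authorize(self, name: str, computer: str, resource: str, action: str) -> bool:
        """Check the request against the grants; a grant on the device's group also applies."""
        u = self.users.get(name)
        if u is None:
            return False
        targets = {resource, self.device_groups.get(resource)}
        comp_groups = self.computer_groups.get(computer, set())
        return any(
            g.group in u.groups
            and g.resource in targets
            and g.action == action
            and (g.computer_group is None or g.computer_group in comp_groups)
            for g in self.grants
        )


def build_sample_directory() -> Directory:
    """Constructed sample data: two roles, one engineering workstation, one controller."""
    d = Directory(SystemPolicy(password_max_age_days=90))
    d.add_user("alice", "correct-horse-battery", date(2011, 5, 1), ["Engineers"])
    d.add_user("bob", "operator-pass", date(2010, 12, 1), ["Operators"])   # older than 90 days
    d.computer_groups["ENG-WS01"] = {"EngineeringStations"}
    d.device_groups["Line1_PLC"] = "Line1_Controllers"
    d.grants += [
        Grant("Engineers", "Line1_Controllers", "download", computer_group="EngineeringStations"),
        Grant("Engineers", "Line1_Controllers", "go_online"),
        Grant("Operators", "Line1_PLC", "go_online"),
    ]
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print("alice authenticates:", d.authenticate("alice", "correct-horse-battery", TODAY))
    print("bob authenticates (expired password):", d.authenticate("bob", "operator-pass", TODAY))
    print("alice download from ENG-WS01:", d.authorize("alice", "ENG-WS01", "Line1_PLC", "download"))
    print("alice download from CORP-LAPTOP:", d.authorize("alice", "CORP-LAPTOP", "Line1_PLC", "download"))
```

Two points from the slides are visible in the sample data: the "download" grant is held on the device group and restricted to the EngineeringStations computer group, so an engineer with valid credentials is still refused when connecting from an unlisted laptop (line-of-sight), and bob's valid password fails authentication because the system policy on password age is applied before any authorization question is asked.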

18 Manufacturing Security Design
Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room; escort and track visitors
Network Security – infrastructure framework, e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
Computer Hardening – patch management, antivirus software, as well as removal of unused applications, protocols, and services
Application Security – authentication, authorization, and audit software
Device Hardening – change management and restrictive access

19 Tenets of a Good Security Design: The Physical – Switch Lock-in & Block-out
Panduit/RA Physical Layer Reference Architectures Design Guide – MN05
PSL-DCPL, PSL-DCJB

20 Additional Resources
Website: http://www.ab.com/networks/architectures.html
Whitepapers
–Reference Architectures for Manufacturing
–Securing Manufacturing Computer and Controller Assets
–Production Software within Manufacturing Reference Architectures
Design and Implementation Guides
–ODVA - Network Infrastructure for EtherNet/IP: Introduction and Considerations
–ODVA - EtherNet/IP Media Planning and Installation Manual
–Rockwell Automation and Cisco Design and Implementation Guide – manufacturing reference architectures

21 Additional Resources - Webcasts
Rockwell Automation and Cisco webcasts:
–What Every IT Professional Should Know about Plant Floor Networking
–What Every Plant Floor Controls Engineer Should Know about Working with IT
Rockwell Automation Knowledge Network webcasts:
–Rockwell Automation and Cisco: Best Practices
–Reference Architectures: Fundamentals of Ethernet Network Design
–Securing Manufacturing and Enterprise Network Convergence
–Industrial Ethernet Resiliency

22 Available Resources
Whitepapers
–Stratix Switches within Integrated Architecture
–Achieving Secure Remote Access to Plant Floor Applications and Data
–Recommendations for Designing, Selecting, Configuring and Maintaining Wireless EtherNet/IP Networks
–Industrial Ethernet Resiliency – late summer
–IT Ready for OEMs – late summer
Design and Implementation Guides
–DIG 2.0 – Stratix 8000, resiliency, performance
–Panduit and Rockwell Automation Physical Layer Reference Architectures

