Slide 1: Network Security Trends & Fundamentals of Securing EtherNet/IP Networks
Copyright © 2013 Rockwell Automation, Inc. All rights reserved. PUBLIC INFORMATION. Rev 5058-CO900E
Slide 2: Agenda
- Network Security Framework
- Defense-in-Depth
- Industrial Network Security Trends
- Additional Information
Slide 3: Industrial Network Security Trends: Security Quips
- "Good enough" security now is better than "perfect" security... never. (Tom West, Data General)
- Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done. (Dave Piscitello)
- Your absolute security is only as strong as your weakest link.
- Concentrate on known, probable threats.
- Security is not a static end state, it is an interactive process.
- You only get to pick two of the three: fast, secure, cheap. (Brett Eldridge)
Slide 4: Industrial Network Security Trends: Industrial vs. Enterprise Network Requirements
Convergence of Industrial Automation Technology (IAT) with Information Technology (IT).
Slide 5: Industrial Network Security Trends: Industrial vs. Enterprise Network Requirements (similarities and differences)

Requirement         | Enterprise requirements          | Industrial requirements
--------------------|----------------------------------|--------------------------------------------------------------
Switches            | Managed; Layer 2 and Layer 3     | Managed and unmanaged; Layer 2 is predominant
Traffic types       | Voice, video, data               | Information, control, safety, motion, time synchronization, energy management
Performance         | Low latency, low jitter          | Low latency, low jitter
Data prioritization | QoS at Layer 3                   | QoS at Layer 2 and Layer 3
IP addressing       | Dynamic                          | Static
Security            | Pervasive; strong policies       | Industrial security policies are inconsistently deployed; open by default, must be closed by configuration and architecture
Slide 6: Industrial Network Security Trends: Policies, Industrial vs. Enterprise Network Requirements

Aspect                         | Industrial (IAT) network                                   | Enterprise (IT) network
-------------------------------|------------------------------------------------------------|--------------------------------------------------
Focus                          | 24/7 operations, high OEE                                  | Protecting intellectual property and company assets
Precedence of priorities       | Availability, then Integrity, then Confidentiality         | Confidentiality, then Integrity, then Availability
Types of data traffic          | Converged network of data, control, information, safety and motion | Converged network of data, voice and video
Access control                 | Strict physical access; simple network device access       | Strict network authentication and access policies
Implications of device failure | Production is down ($$'s/hour ... or worse)                | Work-around or wait
Threat protection              | Isolate the threat but keep operating                      | Shut down access to the detected threat
Upgrades                       | Scheduled during downtime                                  | Automatically pushed during uptime
Slide 7: Industrial Network Security Trends: Collaboration of Partners
Partner roles shown: the established #1 industrial Ethernet network; physical-layer network infrastructure; wireless, security, switching/routing; leader in industrial network infrastructure.
Goals: reduce risk, simplify design, speed deployment. www.industrial-ip.org
Slide 8: www.industrial-ip.org
- A new "go-to" resource for educational, technical and thought-leadership information about industrial communications
- Standard Internet Protocol (IP) for industrial applications
- Coalition of like-minded companies
Slide 9: Industrial Network Security Trends: IACS Networking Design Considerations
Recommendations and guidance to help reduce latency and jitter, increase data availability, integrity and confidentiality, and design and deploy a scalable, robust, secure and future-ready EtherNet/IP IACS network infrastructure:
- Single industrial network technology
- Robust physical layer
- Segmentation
- Resiliency protocols and redundant topologies
- Time synchronization
- Prioritization: Quality of Service (QoS)
- Multicast management
- Convergence-ready solutions
- Security: defense-in-depth
- Scalable secure remote access
Slide 10: Industrial Network Security Trends: EtherNet/IP Industrial Automation & Control System Network
- Open by default, to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) networks
- Secured by configuration:
  - Protect the network: electronic security perimeter
  - Defend the edge: Industrial DMZ (IDMZ)
  - Defense-in-depth: multiple layers of security
Slide 11: Industrial Network Security Trends: EtherNet/IP Industrial Automation & Control System Network
Figure: a flat and open IACS network infrastructure contrasted with a structured and hardened IACS network infrastructure.
Slide 12: Defense-in-Depth: Multiple Layers to Protect the Network and Defend the Edge
No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications. Protecting IACS assets requires a defense-in-depth security approach that addresses internal and external security threats. This approach uses multiple layers of defense (physical, procedural and electronic) at separate IACS levels, applying policies and procedures that address different types of threats.
Slide 13: Defense-in-Depth: Critical Elements of Industrial Security
- A balanced industrial security program must address both technical and non-technical elements:
  - Non-technical controls: rules for environments, e.g. standards, policies, procedures, training and risk management
  - Technical controls: technology that enforces the non-technical controls, e.g. firewalls, Group Policy Objects, Layer 3 access control lists (ACLs)
- Security is only as strong as the weakest link
- Vigilance and attention to detail are key to long-term security success
- There is no "one-size-fits-all" solution
Slide 14: Defense-in-Depth: Balanced Industrial Security Program – Example
- When a non-technical control is lacking, the technical control only provides so much protection. Example: a firewall prevents operators from surfing the web from an industrial automation and control system HMI, but no policy says you may not move the HMI's network connection to a port on the other side of the firewall.
- When a technical control is lacking, the non-technical control only provides so much protection. Example: policy states that operators must not surf the web from an IACS HMI, but no technical control prevents such access or behavior.
- How much security is enough? The amount of security in a system should rise to meet the corporation's risk tolerance. In theory, the more security that is properly designed and deployed in a system, the less risk remains.
Slide 15: Defense-in-Depth: Industrial Security Policies and Procedures
- Multi-layer security approach (defense-in-depth): procedural, physical and electronic measures
- Identify domains of trust and apply security appropriately to maintain policies
- Risk management: determine acceptable risk (risk tolerance); assess current risk; deploy risk mitigation techniques
- Security policy, a plan of action with procedures (non-technical):
  - Rules for controlling human interactions in automation systems
  - Protect IACS assets while balancing functional and application requirements such as 24x7 operations, low Mean Time To Repair (MTTR) and high Overall Equipment Effectiveness (OEE)
  - Alignment with applicable industry standards
  - An industrial security policy, unique from and in addition to the enterprise security policy
- Securing industrial assets requires a comprehensive network security model developed against a defined set of security policies
Slide 16: Defense-in-Depth: Industrial Security Policies Drive Technical Controls
- Physical: limit physical access to authorized personnel (Cell/Area Zones, control panels, devices, cabling and control room) with locks, gates, key cards and biometrics; may also include policies, procedures and technology to escort and track visitors
- Network: security framework, e.g. firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS)
- Computer hardening: patch management, anti-X software, removal of unused applications, protocols and services, closing unnecessary logical ports, protecting physical ports
- Application: authentication, authorization and accounting (AAA) software
- Device hardening: change management, communication encryption and restrictive access
Slide 17: Network Security Framework: Converged Plant-wide Ethernet (CPwE) Reference Architectures

Figure: CPwE reference architecture by level.
- Enterprise Zone (Levels 4-5): enterprise WAN
- Industrial Demilitarized Zone (IDMZ): Cisco ASA 5500 firewalls (active and standby); physical or virtualized servers for patch management, remote gateway services, application mirror and AV server; standard DMZ design best practices
- Plant firewall: inter-zone traffic segmentation; ACLs, IPS and IDS; VPN services; portal and terminal server proxy
- Level 3 (Site Operations): Catalyst 6500/4500 and Catalyst 3750 StackWise switch stack; AAA (application authentication server, Active Directory (AD), remote access server); client hardening; network device resiliency; VLANs segmenting domains of trust; network status and monitoring
- Level 2 (Area Supervisory Control): HMI, FactoryTalk client; controller hardening, physical security
- Level 1 (Controller): controllers, I/O, drives, soft starter, MCC; controller hardening, encrypted communications; Unified Threat Management (UTM)
- Level 0 (Process)
- Throughout: network infrastructure access control and hardening; physical port security

Key points:
- Network security framework utilizing a holistic defense-in-depth approach
- Structured and hardened IACS network infrastructure
- Industrial security policy
- Pervasive security, not a bolt-on component
- Industrial DMZ implementation
- Remote partner access policy, with robust and secure implementation
- Network security services must not compromise operations of the IACS
Slide 18: Network Security Framework: Controller Hardening
Physical procedure: restrict Industrial Automation and Control System (IACS) access to authorized personnel only
- Control panels, devices, cabling and control room
- Locks, gates, key cards
- Video surveillance
- Other authentication devices (biometric, keypad, etc.)
- This may also include policies, procedures and technology to escort and track visitors
- Switch the Logix controller key to "RUN" (blocks remote mode changes and online edits)
Electronic design:
- Logix controller source protection
- Logix controller data access control
- Trusted slot designation
Slide 19: Network Security Framework: Controller Hardening – Encrypted Communications

Figure: encrypted communication paths in the CPwE architecture (Enterprise Zone, Levels 4-5, data center; IDMZ, Level 3.5; Industrial Zone Level 3 Site Operations with FactoryTalk application servers and services platform, network services such as DNS, AD, DHCP and AAA, remote access server (RAS), call manager and storage array; Cell/Area Zones #1 to #3, Levels 0-2, each with a 1756-EN2TSC module; UTM at the cell/area edge).
1) IPsec tunnel between two 1756-EN2TSC modules
2a) IPsec tunnel from a 1756-EN2TSC module to a Windows Server 2008 host
2b) IPsec tunnel from a 1756-EN2TSC module to the Cisco ASA firewall, and an IPsec tunnel from the ASA firewall to a Windows Server 2008 host
3) L2TP tunnel from a Windows 7 client (workstation) to a 1756-EN2TSC module
Slide 22: Network Security Framework: Physical Port Security
- Keyed solutions for copper and fiber
- Lock-in and blockout products secure connections
- Data access port (keyed cable and jack)

Slide 23: Network Security Framework: Physical Port Security – Keyed Connectors (figure only)
Slide 24: Network Security Framework: Network Infrastructure Access Control and Hardening
- Cryptographic image: HTTPS (HTTP Secure), Secure Shell (SSH), SNMPv3
- Restrict access: port security (dynamic learning of MAC addresses), access control lists (ACLs), local authentication / AAA server
- Resiliency: Layer 2 loop prevention
- Quality of Service (QoS): minimize the impact of DDoS attacks
- Disable unnecessary services: MOP (Maintenance Operations Protocol), IP redirects, proxy ARP
- Attack prevention:
  - DHCP snooping: rogue DHCP server protection, DHCP starvation protection
  - Dynamic ARP Inspection: ARP spoofing, man-in-the-middle attacks
  - Storm control thresholds: denial-of-service (DoS) attacks
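Most of the items on this slide are visible in a switch's running configuration, so they can be audited rather than eyeballed. The following is an added example, not Rockwell or Cisco code: a small Python audit that parses an IOS-style configuration into global lines and interface blocks and reports which slide-24 items are missing, run against two constructed configs, a weak one and a hardened one. The commands it looks for (no ip http server / ip http secure-server, ip ssh version 2, transport input ssh, snmp-server group ... v3 priv, aaa new-model, ip dhcp snooping, ip arp inspection vlan, switchport port-security, storm-control broadcast level, no mop enabled, no ip redirects, no ip proxy-arp) are standard Cisco IOS syntax as also used on Stratix switches; the host names, interface names, VLAN number and check names are assumptions for the demo.

```python
"""Audit an IOS-style switch config against the slide-24 hardening items.

Added example, not Rockwell or Cisco code. Both configs are constructed; the commands
checked are standard Cisco IOS/Stratix syntax, but confirm the exact form for your
platform and release before treating a miss as a defect.
"""
import re

# (check name, patterns that must all appear, patterns that must not appear)
GLOBAL_CHECKS = [
    ("https-only",     [r"^no ip http server$", r"^ip http secure-server$"], []),
    ("ssh-v2",         [r"^ip ssh version 2$"], []),
    ("vty-ssh-only",   [r"^ transport input ssh$"], [r"^ transport input (all|telnet)"]),
    ("snmpv3-only",    [r"^snmp-server group \S+ v3 priv"], [r"^snmp-server community "]),
    ("aaa",            [r"^aaa new-model$"], []),
    ("dhcp-snooping",  [r"^ip dhcp snooping$", r"^ip dhcp snooping vlan \S+"], []),
    ("arp-inspection", [r"^ip arp inspection vlan \S+"], []),
]
ACCESS_PORT_CHECKS = [            # applied to interfaces with "switchport mode access"
    ("port-security", r"^ switchport port-security$"),      # cap learned MAC addresses
    ("storm-control", r"^ storm-control broadcast level "), # cap broadcast floods (DoS)
    ("no-mop",        r"^ no mop enabled$"),                 # legacy service, not needed
]
L3_INTERFACE_CHECKS = [           # applied to interfaces carrying an IP address
    ("no-ip-redirects", r"^ no ip redirects$"),
    ("no-proxy-arp",    r"^ no ip proxy-arp$"),
]


def interface_blocks(config: str) -> dict:
    """Map interface name -> its indented body lines; '!' or any top-level line ends a block."""
    blocks, body = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            body = blocks.setdefault(line.split(None, 1)[1], [])
        elif body is not None and line.startswith(" "):
            body.append(line)
        else:
            body = None
    return blocks


def audit(config: str) -> list:
    """Return sorted 'scope: check' strings for every hardening item the config misses."""
    findings = []
    for name, required, forbidden in GLOBAL_CHECKS:
        if not all(re.search(p, config, re.M) for p in required) or any(
                re.search(p, config, re.M) for p in forbidden):
            findings.append(f"global: {name}")
    for ifname, body in interface_blocks(config).items():
        text, checks = "\n".join(body), []
        if re.search(r"^ switchport mode access$", text, re.M):
            checks += ACCESS_PORT_CHECKS
        if re.search(r"^ ip address ", text, re.M):
            checks += L3_INTERFACE_CHECKS
        findings += [f"{ifname}: {n}" for n, pat in checks if not re.search(pat, text, re.M)]
    return sorted(findings)


WEAK_CONFIG = """\
hostname weak-stratix
ip http server
snmp-server community public RO
line vty 0 15
 transport input all
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 20
interface Vlan20
 ip address 10.20.20.1 255.255.255.0
"""

HARDENED_CONFIG = """\
hostname hardened-stratix
aaa new-model
no ip http server
ip http secure-server
ip ssh version 2
snmp-server group NETMGMT v3 priv
ip dhcp snooping
ip dhcp snooping vlan 20
ip arp inspection vlan 20
line vty 0 15
 transport input ssh
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 storm-control broadcast level 1.00
 no mop enabled
interface Vlan20
 ip address 10.20.20.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
"""

if __name__ == "__main__":
    print("weak:", *audit(WEAK_CONFIG), sep="\n  ")
    print("hardened:", audit(HARDENED_CONFIG))
```

Feed it the output of `show running-config` captured over SSH. The weak config trips every check (twelve findings: seven global, three on the access port, two on the SVI); the hardened one is clean. The checks are presence tests on exact command lines, so a platform that spells a command differently (for example storm-control units or an SNMPv3 group with a different security level) needs its pattern adjusted rather than being declared non-compliant.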
Slide 25: Network Security Framework: Network Infrastructure Access Control and Hardening – Example: Stratix 8300 Access Control Lists (ACL)

Action | Protocol | Source | Destination and mask  | Port
-------|----------|--------|-----------------------|---------------
permit | icmp     | any    | 10.20.20.0 0.0.0.255  |
permit | tcp      | any    | 10.20.20.0 0.0.0.255  | 80 (www)
permit | tcp      | any    | 10.20.20.0 0.0.0.255  | 443 (ssl)
permit | udp      | any    | 10.20.20.0 0.0.0.255  | 161 (snmp)
permit | udp      | any    | 10.20.20.0 0.0.0.255  | 162 (snmptrap)
permit | tcp      | any    | 10.20.20.0 0.0.0.255  | 162 (snmptrap)
deny   | ip       | any    | any                   |

- 0.0.0.255 is a Cisco wildcard mask (the inverse of a subnet mask): 0 bits must match, 1 bits are ignored, so 10.20.20.0 0.0.0.255 is the 10.20.20.0/24 subnet
- All ACLs have an implied "deny any any" at the end: any traffic not specifically permitted is dropped
- An ACL matches on packet headers only; it does not inspect traffic (stateless, no payload inspection)
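To make the two notes under the table concrete, here is an added example (not from the slides or from Rockwell/Cisco) that evaluates packets against this ACL with Cisco wildcard-mask semantics: entries are tried in order, the first match wins, and anything that reaches the end is dropped by the implicit deny whether or not the explicit last line is present. The test packets include EtherNet/IP explicit messaging on TCP 44818 (the well-known EtherNet/IP port, not stated on this slide) to show that a management ACL scoped this tightly also blocks CIP into 10.20.20.0/24, which on slide 26 is Machine #1's subnet. Host addresses and the packet list are constructed for the demo.

```python
"""Evaluate packets against the slide-25 ACL with Cisco wildcard-mask semantics.

Added example, not code from the slides or from Rockwell/Cisco. Test addresses and
ports below are constructed; 10.20.20.0/24 is Machine #1's subnet on slide 26.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry. Source is 'any' for every entry on the slide, so only
    the destination is modelled; dst_port None means 'any port'."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "tcp", "udp" or "icmp"
    dst_net: str
    dst_wildcard: str           # Cisco wildcard: 0 bits must match, 1 bits are ignored
    dst_port: Optional[int] = None

    def to_ios(self) -> str:
        """Render the entry in IOS extended-ACL syntax."""
        dst = "any" if self.dst_wildcard == "255.255.255.255" else f"{self.dst_net} {self.dst_wildcard}"
        port = f" eq {self.dst_port}" if self.dst_port is not None else ""
        return f"{self.action} {self.proto} any {dst}{port}"


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """0.0.0.255 is the wildcard for /24; 0.0.0.0 matches one host; 255.255.255.255 is 'any'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    care = 0xFFFFFFFF ^ w       # the bits that must be identical
    return (a & care) == (n & care)


# The slide's Stratix 8300 example, transcribed entry by entry.
SLIDE_ACL: List[Ace] = [
    Ace("permit", "icmp", "10.20.20.0", "0.0.0.255"),
    Ace("permit", "tcp",  "10.20.20.0", "0.0.0.255", 80),
    Ace("permit", "tcp",  "10.20.20.0", "0.0.0.255", 443),
    Ace("permit", "udp",  "10.20.20.0", "0.0.0.255", 161),
    Ace("permit", "udp",  "10.20.20.0", "0.0.0.255", 162),
    Ace("permit", "tcp",  "10.20.20.0", "0.0.0.255", 162),
    # Redundant with the implicit deny, but an explicit entry can be logged ("... log").
    Ace("deny", "ip", "0.0.0.0", "255.255.255.255"),
]


def evaluate(acl: List[Ace], proto: str, dst_ip: str,
             dst_port: Optional[int] = None) -> Tuple[str, int]:
    """First matching entry wins. Returns (action, entry index); index -1 means nothing
    matched and the implicit deny dropped the packet. Only headers are consulted: an ACL
    cannot tell what is really carried on TCP/443."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(dst_ip, ace.dst_net, ace.dst_wildcard):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, i
    return "deny", -1


if __name__ == "__main__":
    for ace in SLIDE_ACL:
        print(ace.to_ios())
    # Constructed test packets towards hosts inside and outside Machine #1's subnet.
    packets = [
        ("tcp",  "10.20.20.5",   80),     # HTTP to the machine subnet: permit (entry 1)
        ("udp",  "10.20.20.5",   161),    # SNMP poll: permit (entry 3)
        ("icmp", "10.20.20.250", None),   # ping: permit (entry 0)
        ("tcp",  "10.20.20.5",   44818),  # EtherNet/IP explicit messaging: deny
        ("tcp",  "10.20.21.5",   80),     # HTTP to a different subnet: deny
        ("tcp",  "10.20.20.5",   22),     # SSH: deny, not in the list
    ]
    for proto, ip, port in packets:
        print(f"{proto:4} -> {ip}:{port}  =>  {evaluate(SLIDE_ACL, proto, ip, port)}")
    # Without the explicit last line the outcome is the same, via the implicit deny:
    print(evaluate(SLIDE_ACL[:-1], "tcp", "10.20.20.5", 44818))
```

The `-1` index is the point of the second bullet: a packet that matches nothing is not "allowed by default", it falls off the end and is dropped. The design choice of permitting only management protocols into the machine subnet is also why CIP on TCP 44818 is denied here; if controllers in 10.20.20.0/24 need to be reached from outside the cell, that has to be an explicit entry placed before the deny.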
Slide 26: Network Security Framework: VLANs, Segmenting Domains of Trust

Figure (left): flat and open IACS network infrastructure. Machine #1 (OEM #1), Machine #2 (OEM #2) and the plant-wide IACS all share one Layer 2 domain, VLAN 40, IP subnet 172.16.40.0/24, on a ring of Stratix 5700 and Stratix 8000 switches behind a Stratix 8300.

Figure (right): structured and hardened IACS network infrastructure. Each domain of trust gets its own VLAN and IP subnet, with the Stratix 8300 routing between them at Layer 3:
- Machine #1 (OEM #1): VLAN 20, IP subnet 10.20.20.0/24
- Machine #2 (OEM #2): VLAN 30, IP subnet 192.168.30.0/24
- Plant-wide IACS: VLAN 40, IP subnet 172.16.40.0/24
Slide 27: Network Security Framework: Unified Threat Management – Integrated Services Router

Figure: Stratix 5900 deployment points in the CPwE architecture (Enterprise Zone, Levels 4-5, data center; IDMZ, Level 3.5; Industrial Zone Level 3 Site Operations with FactoryTalk application servers and services platform, network services such as DNS, AD, DHCP and AAA, remote access server (RAS), call manager and storage array; Cell/Area Zones, Levels 0-2):
1) Site-to-site connection between Remote Site #1 and the plant
2) Cell/Area Zone firewall in front of Local Cell/Area Zone #1
3) OEM integration: firewall in front of Local OEM Skid / Machine #1
Slide 28: Network Security Framework: Cell/Area Zone Firewall – Policy Enforcement (example)
Figure: traffic types between the Plant-wide IACS Zone and a Cell/Area IACS Zone, each evaluated by the Cell/Area Zone firewall: CIP Class 1 (implicit I/O), CIP Class 3 (explicit messaging), HTTP and ICMP (figure only; the permit/deny decision per traffic type and direction is shown graphically).
Slide 29: Network Security Framework: Network Device Resiliency
Distribution switches typically provide first-hop (default gateway) redundancy:
- StackWise (3750X), stack management
- Hot Standby Router Protocol (HSRP)
- Virtual Router Redundancy Protocol (VRRP)
- Gateway Load Balancing Protocol (GLBP)
Figure: Catalyst 3750X switch stack (HSRP active and HSRP standby) above Catalyst 3560 access switches.
Slide 30: Network Security Framework: Network Device Resiliency – Catalyst 3750X, Layer 3 Distribution
- StackWise allows up to 9 switches to be linked together and managed as a single switch
- StackPower allows the power supplies of stack members to pool resources
- 24- and 48-port models with Gigabit or 10 Gigabit uplinks
- Optional uplink modules for greater flexibility
- Copper and fiber downlinks for connections from access switches
Slide 31: Network Security Framework: Network Device Resiliency – Catalyst 4500, Layer 3 Distribution/Core
- Mid- to high-level plant distribution and aggregation
- Modular chassis: 3, 6, 7 or 10 slots for supervisor engine and line cards; up to 48 Gbps per slot
- Virtual Switching System: two switches act as a single virtual switch
- Line cards include 10/100/1000 copper, fiber and 10 Gigabit; many different options
Slide 32: Network Security Framework: Network Device Resiliency – Catalyst 6500, Layer 3 Core
- Flagship network core switch, many different chassis sizes; 80 Gbps per slot
- Network services modules for security and wireless take the place of separate appliances
- 10/100/1000, 10 Gigabit and 40 Gigabit modules available
- Virtual Switching System allows physically separate switches to be managed as a single switch
Slide 33: Network Security Framework: AAA – Network
1. Who are you? Keep the outsiders out
2. Where can you go? Keep the insiders honest
3. What service level do you receive? Personalize the IACS application
4. What are you doing? Increase network visibility
Slide 34: Network Security Framework: AAA – Network: Identity Services Engine (ISE)
- Combines AAA (authentication, authorization, accounting), posture and profiler into one appliance
- Gathers real-time network information to let administrators make network access decisions
- Uses network access control to manage which resources users and guests are allowed to access
- Determines what kind of device users are using and whether it complies with hardware and software policies
- Manages wired and wireless access with 802.1X
Slide 35: Network Security Framework: Plant Firewall – Unified Threat Management
Modern firewalls (UTM) provide a range of security services:
- Firewall with application layer security: multi-layer packet and traffic analysis; advanced application and protocol inspection services; network application controls; stateful packet inspection
- Access control and authentication: flexible user- and network-based access control services; integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos and RSA SecurID
- IPS and anti-X defenses: real-time protection from application- and OS-level attacks; network-based worm and virus mitigation; spyware, adware and malware detection and control; on-box event correlation and proactive response
- Intelligent networking services: low latency; diverse topologies; multicast support; services virtualization; network segmentation and partitioning; routing, resiliency, load-balancing
- SSL and IPsec connectivity: threat-protected SSL and IPsec VPN services; zero-touch, automatically updateable IPsec remote access; flexible clientless and full-tunneling client SSL VPN services; QoS/routing-enabled site-to-site VPN
Slide 36: Network Security Framework: Plant Firewall
ASA (Adaptive Security Appliance):
- Provides firewall capabilities to logically segment the IACS network from the enterprise network; tracks traffic flows (stateful)
- VPN concentration: allows clients to connect a VPN session to the firewall over IPsec or SSL
- Up to 8 integrated Gigabit ports (up to 14 with service modules) for flexibility in network design
- Up to 700 Mbps of VPN throughput and up to 5000 concurrent VPN sessions
Slide 37: Network Security Framework: Industrial Demilitarized Zone

Figure: logical model of an Industrial Automation and Control System (IACS) on a converged, multi-discipline industrial network. No direct traffic flow between the Enterprise and Industrial Zones.
- Enterprise Security Zone
  - Level 5: Enterprise network
  - Level 4: Site business planning and logistics network (e-mail, intranet, etc.)
- Industrial DMZ (between firewalls): remote gateway services, patch management, AV server, application mirror, web services, operations application server
- Industrial Security Zone
  - Level 3: Site operations and control: FactoryTalk application server, FactoryTalk directory, engineering workstation, remote access server, FactoryTalk client, operator interface
  - Cell/Area Zone
    - Level 2: Area supervisory control: FactoryTalk client, engineering workstation, operator interface
    - Level 1: Basic control: batch control, discrete control, drive control, continuous process control, safety control
    - Level 0: Process: sensors, drives, actuators, robots
- Traffic types shown: web, e-mail, CIP; firewalls at the zone boundaries
Slide 38: Scalable Network Security Framework: One Size Does Not Fit All
Recommended: depends on customer standards, security policies and procedures, risk tolerance, and alignment with IACS security standards.
Figure: seven ways of joining the plant-wide network to the enterprise-wide network.
- Not recommended: Figures 1 to 4, including a switch with VLANs as the only separation (Figure 4)
- Good: Figure 5, router (zone-based firewall)
- Better: Figure 6, firewall
- Best: Figure 7, IDMZ
Slide 39: Network Security Framework: Demilitarized Zone (DMZ)
Sometimes referred to as a perimeter network, a DMZ exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.
Figure: UNTRUSTED | DMZ (broker, e.g. web proxy) | TRUSTED
Slide 40: Network Security Framework: Industrial Demilitarized Zone (IDMZ)
The same perimeter-network pattern applied between the Enterprise Security Zone (untrusted/trusted, as seen from the plant) and the Industrial Security Zone (trusted). The purpose of the IDMZ is to add an additional layer of security to the trusted industrial network.
Figure: Enterprise Security Zone (UNTRUSTED/TRUSTED) | Industrial DMZ (broker) | Industrial Security Zone (TRUSTED)
Slide 41: Network Security Framework: Industrial Demilitarized Zone (IDMZ)
- All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
- The IDMZ is the only path between zones
- No common protocols through both logical firewalls (enterprise-to-IDMZ and IDMZ-to-industrial)
- No control traffic into the IDMZ: CIP stays home, in the Industrial Zone
- No primary services are permanently housed in the IDMZ; the IDMZ shall not permanently house data
- Application data mirror to move data into and out of the Industrial Zone
- Limit outbound connections from the IDMZ
- Be prepared to "turn off" access via the firewall (disconnect point)
Figure: Enterprise Security Zone (trusted? untrusted?) | IDMZ with replicated services and a disconnect point | Industrial Security Zone (trusted); no direct traffic.
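Several of these rules can be checked mechanically against a firewall policy before it is deployed. The following added example (not from the slides, Rockwell or Cisco) models a policy as zone-to-zone allow rules and flags three of the slide's principles: direct enterprise-to-industrial traffic, CIP into the IDMZ, and the same service permitted on both firewall legs. It also implements the disconnect point as the subset of rules that survive when the enterprise leg is cut. The zone names, the rule set and the reading of "no common protocols" as "no service allowed on both legs" are assumptions; the CIP port numbers (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O, UDP 44818 for encapsulation discovery) come from the EtherNet/IP specification, not from the slides.

```python
"""Lint a zone-to-zone firewall policy against the IDMZ rules on slide 41.

Added example, not code from the slides or from Rockwell/Cisco. Zone names, the rule
set and the reading of "no common protocols" as "no service allowed on both legs" are
assumptions. CIP port numbers are from the EtherNet/IP specification, not the slides.
"""
from dataclasses import dataclass
from typing import List, Tuple

ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"

# CIP/EtherNet/IP services that must never enter the IDMZ ("CIP stays home").
CIP_SERVICES = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Rule:
    src: str        # zone that initiates the connection
    dst: str        # zone that accepts it
    proto: str
    port: int
    purpose: str

    def service(self) -> Tuple[str, int]:
        return (self.proto, self.port)

    def __str__(self) -> str:
        return f"{self.src}->{self.dst} {self.proto}/{self.port} ({self.purpose})"


def leg(rule: Rule) -> str:
    """Which logical firewall a rule crosses: the enterprise/IDMZ leg, the IDMZ/industrial
    leg, or 'direct' if it bypasses the IDMZ altogether."""
    zones = {rule.src, rule.dst}
    if zones == {ENTERPRISE, IDMZ}:
        return "ent-idmz"
    if zones == {IDMZ, INDUSTRIAL}:
        return "idmz-ind"
    return "direct"


def lint(rules: List[Rule]) -> List[str]:
    findings = []
    # 1. Traffic must terminate in the IDMZ: nothing goes enterprise <-> industrial.
    for r in rules:
        if leg(r) == "direct":
            findings.append(f"direct-enterprise-industrial: {r}")
    # 2. No control traffic into the IDMZ.
    for r in rules:
        if r.dst == IDMZ and r.service() in CIP_SERVICES:
            findings.append(f"cip-into-idmz: {r}")
    # 3. No common protocols through both logical firewalls: a service allowed on both
    #    legs lets a session be relayed straight through (RDP in, RDP out).
    per_leg: dict = {"ent-idmz": set(), "idmz-ind": set()}
    for r in rules:
        if leg(r) in per_leg:
            per_leg[leg(r)].add(r.service())
    for proto, port in sorted(per_leg["ent-idmz"] & per_leg["idmz-ind"]):
        findings.append(f"common-protocol-both-legs: {proto}/{port}")
    return findings


def disconnect(rules: List[Rule]) -> List[Rule]:
    """The disconnect point: drop every rule touching the enterprise zone. What is left is
    the policy the Industrial Zone keeps running on when the plant is cut off."""
    return [r for r in rules if ENTERPRISE not in (r.src, r.dst)]


# Constructed policy: four rules that follow the slide and three that break it.
POLICY = [
    Rule(ENTERPRISE, IDMZ, "tcp", 443, "browsers to the IDMZ web/portal server"),
    Rule(ENTERPRISE, IDMZ, "tcp", 8080, "enterprise reads the historian mirror's web API"),
    Rule(INDUSTRIAL, IDMZ, "tcp", 1433, "plant historian pushes to the IDMZ application mirror"),
    Rule(IDMZ, INDUSTRIAL, "tcp", 3389, "terminal server to engineering workstation"),
    Rule(ENTERPRISE, INDUSTRIAL, "tcp", 44818, "IT tool talks CIP straight to controllers"),
    Rule(ENTERPRISE, IDMZ, "tcp", 3389, "RDP straight to the terminal server"),
    Rule(INDUSTRIAL, IDMZ, "udp", 2222, "CIP I/O connection into the IDMZ"),
]

if __name__ == "__main__":
    for f in lint(POLICY):
        print("VIOLATION", f)
    print("after disconnect:", [str(r) for r in disconnect(POLICY)])
```

The first four rules pass: browsers reach a web server in the IDMZ, the enterprise reads a mirror rather than the plant historian, data enters the IDMZ by a push from the Industrial Zone, and remote engineering goes through a terminal server. The last three each trip one check. The direction of rule 3 matters for "limit outbound connections from the IDMZ": a push from the plant to the mirror keeps the IDMZ from initiating into the Industrial Zone, which a pull would require.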
Slide 42: Network Security Framework: Industrial Demilitarized Zone (IDMZ)
Set up functional sub-zones in the IDMZ to segment access to data and services (e.g. partner zone, operations, IT).
Figure: Enterprise Zone (trusted? untrusted?) | IDMZ with multiple functional sub-zones (terminal services, patch management, historian mirror, web services, operations application server, AV server) and a disconnect point | Industrial Zone (trusted); no direct traffic.
Slide 43: Network Security Framework: Industrial Demilitarized Zone (IDMZ) – Application Mirror (figure only)
Slide 44: IACS Network Security Key Takeaways: Design and Implementation Considerations
- Align with Industrial Automation and Control System security standards: DHS external report INL/EXT-06-11478, NIST SP 800-82, ISA/IEC 62443 (formerly ISA-99)
- Implement a holistic defense-in-depth approach: no single product, methodology or technology fully secures IACS networks
- Establish an open dialog between industrial automation and IT groups
- Establish an industrial security policy, unique from and in addition to the enterprise security policy
- Establish an IDMZ between the Enterprise and Industrial Zones
- Work with the Rockwell Automation Network and Security Services team
- "Good enough" security now is better than "perfect" security... never. (Tom West, Data General)
Slide 45: Additional Material – Events
- Automation Fair 2013: November 13th and 14th, Houston
- Cisco Live 2014: May 19th to 22nd, San Francisco
- RSTechED 2014: June 15th to 20th, Orlando
Slide 46: Additional Material – ODVA
- ODVA website: http://www.odva.org/
- Securing EtherNet/IP Networks: http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00269R0_ODVA_Securing_EtherNetIP_Networks.pdf
Slide 47: Additional Material – Rockwell Automation
- Rockwell Automation Networks website: http://www.ab.com/networks/
- EtherNet/IP website: http://ab.rockwellautomation.com/Networks-and-Communications/Ethernet-IP-Network
- Network and Security Services website: http://www.rockwellautomation.com/services/networks/ and http://www.rockwellautomation.com/services/security/
- KnowledgeBase Security Table of Contents
- TCP/UDP Ports used by Rockwell Automation products
- Network and Security Services Brochure
- Whitepapers: Patch Management and Computer System Security Updates; Scalable Secure Remote Access Solutions for OEMs
Slide 48: Additional Material – Education Series Webcasts
- What every IT professional should know about Plant-Floor Networking
- What every Plant-Floor Engineer should know about working with IT
- Industrial Ethernet: Introduction to Resiliency
- Fundamentals of Secure Remote Access for Plant-Floor Applications and Data
- Securing Architectures and Applications for Network Convergence
- IT-Ready EtherNet/IP Solutions
Available online: http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page?
Slide 49: Additional Material – Websites
- Reference Architectures
- Design Guides: Converged Plant-wide Ethernet (CPwE)
- Application Guides: Fiber Optic Infrastructure Application Guide
- Education Series Webcasts
- Whitepapers: Top 10 Recommendations for Plant-wide EtherNet/IP Deployments; Securing Manufacturing Computer and Controller Assets; Production Software within Manufacturing Reference Architectures; Achieving Secure Remote Access to Plant-floor Applications and Data; Design Considerations for Securing Industrial Automation and Control System Networks (ENET-WP031A-EN-E)
Slide 51: Network Security Trends & Fundamentals of Securing EtherNet/IP Networks
www.rockwellautomation.com. Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn.