Copyright © 2013 Rockwell Automation, Inc. All rights reserved. PUBLIC INFORMATION Rev 5058-CO900E PUBLIC INFORMATION Network Security Trends & Fundamentals.


Slide 1: Network Security Trends & Fundamentals of Securing EtherNet/IP Networks

Slide 2: Agenda
 Network Security Framework
 Defense-in-Depth
 Industrial Network Security Trends
 Additional Information

Slide 3: Industrial Network Security Trends – Security Quips
 "Good enough" security now is better than "perfect" security... never (Tom West, Data General)
 Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done. (Dave Piscitello)
 Your absolute security is only as strong as your weakest link
 Concentrate on known, probable threats
 Security is not a static end state, it is an interactive process
 You only get to pick two of the three: fast, secure, cheap (Brett Eldridge)

Slide 4: Industrial Network Security Trends – Industrial vs. Enterprise Network Requirements
Convergence of Industrial Automation Technology (IAT) with Information Technology (IT)

Slide 5: Industrial Network Security Trends – Industrial vs. Enterprise Network Requirements

Enterprise Requirements
 Switches: Managed; Layer 2 and Layer 3
 Traffic types: Voice, Video, Data
 Performance: Low Latency, Low Jitter; Data Prioritization – QoS – Layer 3
 IP Addressing: Dynamic
 Security: Pervasive; Strong policies

Industrial Requirements
 Switches: Managed and Unmanaged; Layer 2 is predominant
 Traffic types: Information, control, safety, motion, time synchronization, energy management
 Performance: Low Latency, Low Jitter; Data Prioritization – QoS – Layer 2 & 3
 IP Addressing: Static
 Security: Industrial security policies are inconsistently deployed; Open by default, must close by configuration and architecture

Similarities and differences?

Slide 6: Industrial Network Security Trends – Policies: Industrial vs. Enterprise Network Requirements

Each row reads: Industrial (IAT) Network | Enterprise (IT) Network
 Focus: 24/7 operations, high OEE | Protecting intellectual property and company assets
 Precedence of Priorities: Availability, Integrity, Confidentiality | Confidentiality, Integrity, Availability
 Types of Data Traffic: Converged network of data, control, information, safety and motion | Converged network of data, voice and video
 Access Control: Strict physical access; simple network device access | Strict network authentication and access policies
 Implications of a Device Failure: Production is down ($$’s/hour … or worse) | Work-around or wait
 Threat Protection: Isolate threat but keep operating | Shut down access to detected threat
 Upgrades: Scheduled during downtime | Automatically pushed during uptime

Slide 7: Industrial Network Security Trends – Collaboration of Partners
[Figure: partner logos with the captions "The Established #1 Industrial Ethernet", "Physical Layer Network Infrastructure", "Wireless, Security, Switching/Routing" and "Leader in Industrial Network Infrastructure"; tagline: Reduce Risk, Simplify Design, Speed Deployment]
www.industrial-ip.org

Slide 8: www.industrial-ip.org
 A new ‘go-to’ resource for educational, technical and thought leadership information about industrial communications
 Standard Internet Protocol (IP) for Industrial Applications
 Coalition of like-minded companies

Slide 9: Industrial Network Security Trends – IACS Networking Design Considerations
 Recommendations and guidance to help reduce Latency and Jitter, to help increase data Availability, Integrity and Confidentiality, and to help design and deploy a Scalable, Robust, Secure and Future-Ready EtherNet/IP IACS network infrastructure
 Single Industrial Network Technology
 Robust Physical Layer
 Segmentation
 Resiliency Protocols and Redundant Topologies
 Time Synchronization
 Prioritization - Quality of Service (QoS)
 Multicast Management
 Convergence-Ready Solutions
 Security - Defense-in-Depth
 Scalable Secure Remote Access

Slide 10: Industrial Network Security Trends – EtherNet/IP Industrial Automation & Control System Network
 Open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks
 Secured by configuration:
   Protect the network - Electronic Security Perimeter
   Defend the edge - Industrial DMZ (IDMZ)
   Defense-in-Depth – multiple layers of security

Slide 11: Industrial Network Security Trends – EtherNet/IP Industrial Automation & Control System Network
[Figure: "Flat and Open IACS Network Infrastructure" compared with "Structured and Hardened IACS Network Infrastructure"]

Slide 12: Defense-in-Depth – Multiple Layers to Protect the Network and Defend the Edge
 No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications.
 Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats.
 This approach utilizes multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats.

Slide 13: Defense-in-Depth – Critical Elements to Industrial Security
 A balanced Industrial Security Program must address both Technical and Non-Technical Elements
   Non-technical controls - rules for environments: e.g. standards, policies, procedures, training and risk management
   Technical controls – technology to provide restrictive measures for non-technical controls: e.g. Firewalls, Group Policy Objects, Layer 3 access control lists (ACLs)
 Security is only as strong as the weakest link
 Vigilance and Attention to Detail are KEY to the long-term security success
[Callout: “one-size-fits-all”]

Slide 14: Defense-in-Depth – Balanced Industrial Security Program - Example
 When a Non-Technical Control is lacking, the technical control will only provide so much protection
   Example: Firewalls are in place to prevent operators from surfing the web from an industrial automation and control system HMI; however, there is no non-technical control in place stating you shouldn’t change the HMI’s network port access to the other side of the firewall
 When a Technical Control is lacking, the non-technical control will only provide so much protection
   Example: Policy states operators should not surf the web from an industrial automation and control system HMI; however, there is no technical control in place preventing such access or behavior
 How much security is enough security?
   The amount of security in a system should rise to meet a corporation’s level of risk tolerance.
   In theory, the more security that is properly designed and deployed in a system, the lower the amount of risk that should remain.

Slide 15: Defense-in-Depth – Industrial Security Policies and Procedures
 Multi-layer security approach – Defense-in-Depth
   Procedural, physical and electronic measures
   Identify Domains of Trust and appropriately apply security to maintain policies
 Risk management:
   Determination of acceptable risk (tolerance to risk)
   Assessment - current risk analysis
   Deployment of risk mitigation techniques
 Security policy - plan of action with procedures (non-technical):
   Rules for controlling human interactions in automation systems
   Protect IACS assets, while balancing functional and application requirements such as 24x7 operations, low Mean-Time-To-Repair (MTTR) and high Overall Equipment Effectiveness (OEE).
   Alignment with applicable industry standards
   Industrial security policy, unique from and in addition to enterprise security policy
Securing industrial assets requires a comprehensive network security model developed against a defined set of security policies

Slide 16: Defense-in-Depth – Industrial Security Policies Drive Technical Controls
 Physical – limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling, and control room … locks, gates, key cards, biometrics. This may also include policies, procedures and technology to escort and track visitors
 Network – security framework – e.g. firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS)
 Computer Hardening – patch management, Anti-X software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports
 Application – authentication, authorization, and accounting (AAA) software
 Device Hardening – change management, communication encryption, and restrictive access

Slide 17: Network Security Framework – Converged Plant-wide Ethernet (CPwE) Reference Architectures
[Figure: CPwE reference architecture spanning the Enterprise Zone (Levels 4-5), the Industrial Demilitarized Zone (IDMZ), Level 3 – Site Operations, Level 2 – Area Supervisory Control, Level 1 – Controller and Level 0 – Process. Elements shown: Enterprise WAN, Catalyst 3750 StackWise Switch Stack, Catalyst 6500/4500, Cisco ASA 5500 Firewall (Active) and Firewall (Standby), Physical or Virtualized Servers (Patch Management, Remote Gateway Services, Application Mirror, AV Server), Controllers, I/O, Drives, Soft Starter, MCC, HMI, FactoryTalk Client. Callouts: Network Device Resiliency, VLANs, Standard DMZ Design Best Practices, Network Infrastructure Access Control and Hardening, Physical Port Security, VLANs Segmenting Domains of Trust, AAA - Application (Authentication Server, Active Directory (AD), Remote Access Server), Client Hardening, Network Status and Monitoring, Controller Hardening (Physical Security, Encrypted Communications), Unified Threat Management (UTM), AAA - Network.]
Plant Firewall:
 Inter-zone traffic segmentation
 ACLs, IPS and IDS
 VPN Services
 Portal and Terminal Server proxy
Framework principles:
 Security framework utilizing holistic defense-in-depth approach
 Structured and Hardened IACS Network Infrastructure
 Industrial security policy
 Pervasive security, not a bolt-on component
 Industrial DMZ implementation
 Remote partner access policy, with robust & secure implementation
Network Security Services Must Not Compromise Operations of the IACS

Slide 18: Network Security Framework – Controller Hardening
 Physical procedure:
   Restrict Industrial Automation and Control System (IACS) access to authorized personnel only
   Control panels, devices, cabling, and control room
   Locks, gates, key cards
   Video Surveillance
   Other Authentication Devices (biometric, keypad, etc.)
   This may also include policies, procedures and technology to escort and track visitors.
   Switch the Logix Controller key to “RUN”
 Electronic design:
   Logix Controller Source Protection
   Logix Controller Data Access Control
   Trusted Slot Designation

Slide 19: Network Security Framework – Controller Hardening – Encrypted Communications
[Figure: Enterprise Zone (Levels 4 & 5 – Data Center, Enterprise-wide Business Systems); Level 3.5 - IDMZ; Industrial Zone, Level 3 - Site Operations (Physical or Virtualized Servers: FactoryTalk Application Servers & Services Platform, Network Services – e.g. DNS, AD, DHCP, AAA, Remote Access Server (RAS), Call Manager, Storage Array; Plant-wide / Site-wide Operation Systems; UTM; Workstation); Levels 0-2 Cell/Area Zones (Local Cell/Area Zone #1, #2 and #3) with 1756-EN2TSC modules.]
Encrypted communication paths shown:
 1) IPsec tunnel between two 1756-EN2TSC modules
 2a) IPsec tunnel from 1756-EN2TSC module to Windows Server 2008
 2b) IPsec tunnel from 1756-EN2TSC module to Cisco ASA Firewall; IPsec tunnel from ASA Firewall to Windows Server 2008
 3) L2TP tunnel from Windows 7 client to 1756-EN2TSC module

Slide 20: Network Security Framework – Controller Hardening – Encrypted Communications [image only]

Slide 21: Network Security Framework – Controller Hardening – Encrypted Communications [image only]

Slide 22: Network Security Framework – Physical Port Security
 Keyed solutions for copper and fiber
 Lock-in, Blockout products secure connections
 Data Access Port (keyed cable and jack)

Slide 23: Network Security Framework – Physical Port Security - Keyed Connectors [image only]

Slide 24: Network Security Framework – Network Infrastructure Access Control and Hardening
 Cryptographic Image
   HTTPS (HTTP Secure)
   Secure Shell (SSH)
   SNMPv3
 Restrict Access
   Port Security – Dynamic learning of MAC addresses
   ACL (Access Control List)
   Local
   Authentication through AAA Server
 Resiliency
   Layer 2 Loop Prevention
   Quality of Service (QoS)
   Minimize Impact of DDoS Attacks
 Disable Unnecessary Services
   MOP (Maintenance Operations Protocol)
   IP redirects
   Proxy ARP
 Attack Prevention
   DHCP Snooping
     Rogue DHCP Server Protection
     DHCP Starvation Protection
   Dynamic ARP Inspection
     ARP Spoofing, man-in-the-middle attack
   Storm Control Thresholds
     Denial-of-service (DoS) attack

Slide 25: Network Security Framework – Network Infrastructure Access Control and Hardening
Example - Stratix 8300 Access Control Lists (ACL)

Action   Protocol   Source   Destination and Mask     Port
permit   icmp       any      10.20.20.0 0.0.0.255
permit   tcp        any      10.20.20.0 0.0.0.255     80 (www)
permit   tcp        any      10.20.20.0 0.0.0.255     443 (ssl)
permit   udp        any      10.20.20.0 0.0.0.255     161 (snmp)
permit   udp        any      10.20.20.0 0.0.0.255     162 (snmptrap)
permit   tcp        any      10.20.20.0 0.0.0.255     162 (snmptrap)
deny     ip         any      any

 All ACLs have an implied “deny any any” at the end
 Any traffic not specifically allowed will be dropped
 Does not inspect traffic
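The following is an added example, not code from the presentation or from Rockwell Automation: it transcribes the Stratix 8300 ACL above into a first-match evaluator so you can see which entry decides each packet and that the implied "deny any any" gives the same verdict as the explicit last line. The packet addresses and the sample traffic are constructed values; the ACL entries come from the slide's table.

```python
"""Added example (not Rockwell's code): first-match evaluation of the
Stratix 8300 ACL from the slide above, including the implied deny.

The ACL is transcribed from the slide's table; the packets are constructed
sample values. Cisco wildcard masks are used: a 1 bit means "don't care".
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches every protocol
    src: str                        # "any" or "<addr> <wildcard>"
    dst: str                        # "any" or "<addr> <wildcard>"
    dst_port: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    protocol: str                   # "icmp", "tcp" or "udp"
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


def match_addr(spec: str, ip: str) -> bool:
    """Cisco wildcard match: compare only the bits where the wildcard is 0."""
    if spec == "any":
        return True
    addr, wildcard = spec.split()
    care = int(IPv4Address(wildcard)) ^ 0xFFFFFFFF   # invert the wildcard mask
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(ip)) & care)


def match_entry(entry: AclEntry, pkt: Packet) -> bool:
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False
    if not (match_addr(entry.src, pkt.src_ip) and match_addr(entry.dst, pkt.dst_ip)):
        return False
    return entry.dst_port is None or entry.dst_port == pkt.dst_port


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, int]:
    """First matching entry wins. Index -1 marks the implied 'deny ip any any'
    that every ACL carries after its last configured entry."""
    for index, entry in enumerate(acl):
        if match_entry(entry, pkt):
            return entry.action, index
    return "deny", -1


MACHINE1 = "10.20.20.0 0.0.0.255"   # Machine #1 subnet used on the slide
STRATIX_8300_ACL = [
    AclEntry("permit", "icmp", "any", MACHINE1),
    AclEntry("permit", "tcp", "any", MACHINE1, 80),    # www
    AclEntry("permit", "tcp", "any", MACHINE1, 443),   # ssl
    AclEntry("permit", "udp", "any", MACHINE1, 161),   # snmp
    AclEntry("permit", "udp", "any", MACHINE1, 162),   # snmptrap
    AclEntry("permit", "tcp", "any", MACHINE1, 162),   # snmptrap
    AclEntry("deny", "ip", "any", "any"),              # explicit deny (also implied)
]

# Constructed sample traffic from the plant-wide subnet into Machine #1 and Machine #2.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "ping_machine1":  Packet("icmp", "172.16.40.10", "10.20.20.5"),
    "https_machine1": Packet("tcp", "172.16.40.10", "10.20.20.7", 443),
    "trap_machine1":  Packet("udp", "172.16.40.10", "10.20.20.9", 162),
    "ssh_machine1":   Packet("tcp", "172.16.40.10", "10.20.20.7", 22),   # not listed: dropped
    "http_machine2":  Packet("tcp", "172.16.40.10", "192.168.30.4", 80),  # other subnet: dropped
}


def evaluate_samples(acl: List[AclEntry]) -> Dict[str, Tuple[str, int]]:
    """Verdict and deciding entry index for every sample packet."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples(STRATIX_8300_ACL).items():
        print(f"{name:16s} -> {verdict}")
    # Dropping the explicit last line changes only the index, not the decision.
    print(evaluate(STRATIX_8300_ACL[:-1], SAMPLE_PACKETS["ssh_machine1"]))
```

Because the evaluator only looks at protocol, addresses and port, it also illustrates the slide's last bullet: an ACL decides on headers and does not inspect the traffic that it permits.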

Slide 26: Network Security Framework – VLANs, Segmenting Domains of Trust
[Figure, left: Flat and Open IACS Network Infrastructure – a single Layer 2 domain, Plant-wide IACS VLAN 40, IP Subnet 172.16.40.0/24, with Machine #1 (OEM #1) and Machine #2 (OEM #2) on a Stratix 5700 / Stratix 8000 ring behind a Stratix 8300.]
[Figure, right: Structured and Hardened IACS Network Infrastructure – a Layer 3 Stratix 8300 above a Layer 2 Stratix 5700 / Stratix 8000 ring; Machine #1 (OEM #1) on VLAN 20, IP Subnet 10.20.20.0/24; Machine #2 (OEM #2) on VLAN 30, IP Subnet 192.168.30.0/24; Plant-wide IACS on VLAN 40, IP Subnet 172.16.40.0/24.]

Slide 27: Network Security Framework – Unified Threat Management – Integrated Services Router
[Figure: Enterprise Zone (Levels 4 & 5 – Data Center, Enterprise-wide Business Systems); Level 3.5 - IDMZ; Industrial Zone, Level 3 - Site Operations (Physical or Virtualized Servers: FactoryTalk Application Servers & Services Platform, Network Services – e.g. DNS, AD, DHCP, AAA, Remote Access Server (RAS), Call Manager, Storage Array; Plant-wide / Site-wide Operation Systems); Levels 0-2 Cell/Area Zones (Local Cell/Area Zone #1, Local OEM Skid / Machine #1); Remote Site #1.]
Stratix 5900 placements shown:
 1) Site-to-Site Connection
 2) Cell/Area Zone Firewall
 3) OEM Integration

Slide 28: Network Security Framework – Cell/Area Zone Firewall – Policy Enforcement (example)
[Figure: a firewall between the Plant-wide IACS Zone and the Cell/Area IACS Zone; the traffic types shown at the boundary are CIP Class 3, CIP Class 1, http and icmp.]

Slide 29: Network Security Framework – Network Device Resiliency
Distribution switches typically provide first hop (default gateway) redundancy:
 – StackWise (3750X), stack management
 – Hot Standby Router Protocol (HSRP)
 – Virtual Router Redundancy Protocol (VRRP)
 – Gateway Load Balancing Protocol (GLBP)
[Figure: Catalyst 3750X Switch Stack; Catalyst 3560 switches labelled HSRP Active and HSRP Standby]

Slide 30: Network Security Framework – Network Device Resiliency
 3750X, Layer 3 Distribution
   StackWise™ allows up to 9 switches to be linked together, managed as a single switch
   StackPower allows power supplies of members in a stack to pool resources
   24 and 48 port with Gigabit or 10 GB uplinks
   Optional uplink modules for greater flexibility
   Copper and Fiber downlinks for connections from switches

Slide 31: Network Security Framework – Network Device Resiliency
 4500, Layer 3 Distribution/Core
   Mid to high level plant distribution and aggregation
   Modular chassis: 3, 6, 7, or 10 slots for supervisor engine and line cards, and up to 48 Gigabits per slot.
   Virtual Switching System – two switches act as a single virtual switch
   Line cards include 10/100/1000 Copper, Fiber, and 10 Gigabit. Many different options

Slide 32: Network Security Framework – Network Device Resiliency
 6500, Layer 3 Core
   Flagship network core switch, many different chassis sizes. 80 Gigabits per slot.
   Network services modules for security and wireless take the place of separate appliances
   10/100/1000 modules, 10 Gigabit modules, and 40 Gigabit modules available.
   Virtual Switching System allows physical separation of switches, but managed as a single switch

Slide 33: Network Security Framework – AAA - Network
 1. Who are you? – Keep the Outsiders Out
 2. Where can you go? – Keep the Insiders Honest
 3. What service level do you receive? – Personalize the IACS Application
 4. What are you doing? – Increase Network Visibility

Slide 34: Network Security Framework – AAA - Network
 Identity Services Engine (ISE)
   Combines AAA (authentication, authorization, accounting), posture and profiler into one appliance
   Gathers real-time network information to allow administrators to make network access decisions
   Uses network access control to manage what resources users and guests are allowed to access
   Determines what kind of device users are using, and whether it complies with hardware and software policies
   Manages wired and wireless access with 802.1X

Slide 35: Network Security Framework – Plant Firewall – Unified Threat Management
Modern Firewalls (UTM) provide a range of security services:

Firewall with Application Layer Security
 Multi-layer packet and traffic analysis
 Advanced application and protocol inspection services
 Network application controls
 Stateful packet inspection

Access Control and Authentication
 Flexible user and network based access control services
 Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID

IPS and Anti-X Defenses
 Real-time protection from application and OS level attacks
 Network-based worm and virus mitigation
 Spyware, adware, malware detection and control
 On-box event correlation and proactive response

Intelligent Networking Services
 Low latency
 Diverse topologies
 Multicast support
 Services virtualization
 Network segmentation & partitioning
 Routing, resiliency, load-balancing

SSL and IPSec Connectivity
 Threat protected SSL and IPSec VPN services
 Zero-touch, automatically updateable IPSec remote access
 Flexible clientless and full tunneling client SSL VPN services
 QoS/routing-enabled site-to-site VPN

Slide 36: Network Security Framework – Plant Firewall
 ASA (Adaptive Security Appliance) – Provides firewall capabilities to logically segment the IACS network from the enterprise network. Tracks traffic flows.
 VPN concentration – Allows clients to connect a VPN session to the firewall over IPSEC or SSL
 Provides up to 8 integrated and up to 14 Gigabit ports with service modules for flexibility in network design.
 Provides up to 700 Mbps of VPN throughput, and up to 5000 concurrent VPN sessions.

Slide 37: Network Security Framework – Industrial Demilitarized Zone
Logical Model – Industrial Automation and Control System (IACS): Converged Multi-discipline Industrial Network

Enterprise Security Zone
 Level 5 – Enterprise Network
 Level 4 – Site Business Planning and Logistics Network: E-Mail, Intranet, etc.
Industrial DMZ
 Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
 [Firewall labels: Web, E-Mail, CIP]
Industrial Security Zone
 Level 3 – Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server
 Cell/Area Zone
   Level 2 – Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
   Level 1 – Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
   Level 0 – Process: Sensors, Drives, Actuators, Robots

No Direct Traffic Flow between Enterprise and Industrial Zone

Slide 38: Scalable Network Security Framework – One Size Does Not Fit All
[Figure: seven ways of joining the Plant-wide Network to the Enterprise-wide Network]
Not Recommended
 Figures 1, 2 and 3 – Plant-wide Network and Enterprise-wide Network
 Figure 4 – Switch with VLANs
Recommended – Depends … based on customer standards, security policies and procedures, risk tolerance, and alignment with IACS Security Standards
 Figure 5 – Router (Zone Based FW): Good
 Figure 6 – Firewall: Better
 Figure 7 – IDMZ: Best

Slide 39: Network Security Framework – Demilitarized Zone (DMZ)
 Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network
[Figure: UNTRUSTED – DMZ (Broker, Web Proxy) – TRUSTED]

Slide 40: Network Security Framework – Industrial Demilitarized Zone (IDMZ)
 Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the IDMZ is to add an additional layer of security to the trusted network
[Figure: UNTRUSTED / TRUSTED (Enterprise Security Zone) – Industrial DMZ (Broker) – TRUSTED (Industrial Security Zone)]

Slide 41: Network Security Framework – Industrial Demilitarized Zone (IDMZ)
 All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
 Only path between zones
 No common protocols in each logical firewall
 No control traffic into the IDMZ, CIP stays home
 No primary services are permanently housed in the IDMZ
 IDMZ shall not permanently house data
 Application data mirror to move data into and out of the Industrial Zone
 Limit outbound connections from the IDMZ
 Be prepared to “turn-off” access via the firewall
[Figure: Enterprise Security Zone (Trusted? Untrusted?) – IDMZ (Replicated Services, Disconnect Point, No Direct Traffic) – Industrial Security Zone (Trusted)]
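The following is an added example, not from the presentation or from Rockwell Automation: a small linter that checks a proposed set of firewall rules against four of the IDMZ design rules above (traffic terminates in the IDMZ, no CIP into the IDMZ, limited outbound connections from the IDMZ, no protocol common to both logical firewalls). The zone names, the Rule layout, the service labels and the sample rule set are constructed, and the CIP port numbers (TCP/UDP 44818 for EtherNet/IP encapsulation, UDP 2222 for implicit I/O) are an assumption taken from EtherNet/IP, not from the slide.

```python
"""Added example (not Rockwell's code): a policy linter for the IDMZ design
rules on the slide above.

Zone names, the Rule layout and the sample rules are constructed. The CIP
ports are an assumption from EtherNet/IP (TCP/UDP 44818, UDP 2222), not
something the slide states.
"""
from dataclasses import dataclass
from typing import List

ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"
ENT_FW, IND_FW = "enterprise-side", "industrial-side"   # the two logical firewalls

# Assumed EtherNet/IP (CIP) ports; "CIP stays home" means none of these enter the IDMZ.
CIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Rule:
    firewall: str     # which logical firewall carries the rule (ENT_FW or IND_FW)
    src_zone: str     # zone that initiates the connection
    dst_zone: str
    protocol: str     # "tcp" or "udp"
    port: int
    service: str      # label used for the "no common protocols" check


def check_idmz_policy(rules: List[Rule]) -> List[str]:
    """Return one finding per violated IDMZ design rule (empty list = clean)."""
    findings = []
    for r in rules:
        # Rule 1: traffic must terminate in the IDMZ, never cross it directly.
        if {r.src_zone, r.dst_zone} == {ENTERPRISE, INDUSTRIAL}:
            findings.append(f"direct traffic: {r.service} {r.src_zone}->{r.dst_zone} "
                            "bypasses the IDMZ")
        # Rule 2: no control traffic into the IDMZ.
        if r.dst_zone == IDMZ and (r.protocol, r.port) in CIP_PORTS:
            findings.append(f"control traffic: {r.service} ({r.protocol}/{r.port}) "
                            "into the IDMZ; CIP stays home")
        # Rule 3: connections initiated from the IDMZ should be the exception.
        if r.src_zone == IDMZ:
            findings.append(f"outbound from IDMZ: {r.service} to {r.dst_zone}; "
                            "limit outbound connections")
    # Rule 4: the same protocol must not be open on both logical firewalls,
    # so no single protocol can be carried end to end through the IDMZ.
    ent = {r.service for r in rules if r.firewall == ENT_FW}
    ind = {r.service for r in rules if r.firewall == IND_FW}
    for service in sorted(ent & ind):
        findings.append(f"common protocol: {service} permitted through both logical firewalls")
    return findings


# Constructed sample rules. GOOD_RULES follow the pattern on the slide: services
# terminate in the IDMZ and data is mirrored in and out. BAD_RULES each break one rule.
GOOD_RULES = [
    Rule(ENT_FW, ENTERPRISE, IDMZ, "tcp", 443, "https"),              # portal in the IDMZ
    Rule(IND_FW, INDUSTRIAL, IDMZ, "tcp", 1433, "historian-mirror"),  # push to the data mirror
]
BAD_RULES = [
    Rule(ENT_FW, ENTERPRISE, INDUSTRIAL, "tcp", 3389, "rdp"),   # straight across the IDMZ
    Rule(ENT_FW, ENTERPRISE, IDMZ, "udp", 2222, "cip-io"),      # CIP into the IDMZ
    Rule(IND_FW, IDMZ, INDUSTRIAL, "tcp", 443, "https"),        # IDMZ-initiated, and https
]                                                               # now open on both firewalls

if __name__ == "__main__":
    for finding in check_idmz_policy(GOOD_RULES + BAD_RULES):
        print(finding)
```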

Slide 42: Network Security Framework – Industrial Demilitarized Zone (IDMZ)
 Set-up functional sub-zones in the IDMZ to segment access to data and services (e.g. Partner zone, Operations, IT)
[Figure: Enterprise Zone (Trusted? Untrusted?) – IDMZ with Multiple Functional Subzones (Terminal Services, Patch Management, Historian Mirror, Web Services Operations, Application Server, AV Server), Disconnect Point, No Direct Traffic – Industrial Zone (Trusted)]

Slide 43: Network Security Framework – Industrial Demilitarized Zone (IDMZ) – Application Mirror [image only]

Slide 44: IACS Network Security Key Takeaways - Design and Implementation Considerations
 Align with Industrial Automation and Control System Security Standards
   DHS External Report # INL/EXT-06-11478, NIST 800-82, ISO/IEC-62443 (Formerly ISA-99)
 Implement a Holistic Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks
 Establish an open dialog between Industrial Automation and IT groups
 Establish an Industrial security policy, unique from and in addition to Enterprise security policy
 Establish an IDMZ between the Enterprise and Industrial Zones
 Work with Rockwell Automation Network and Security Services team
 "Good enough" security now is better than "perfect" security... never. (Tom West, Data General)

Slide 45: Additional Material
 Automation Fair 2013 – November 13th and 14th, Houston
 Cisco Live 2014 – May 19th – 22nd, San Francisco
 RSTechED 2014 – June 15th – June 20th, Orlando

Slide 46: Additional Material – ODVA
 Website: http://www.odva.org/
 Securing EtherNet/IP Networks: http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00269R0_ODVA_Securing_EtherNetIP_Networks.pdf

Slide 47: Additional Material – Rockwell Automation
 Networks Website: http://www.ab.com/networks/
 EtherNet/IP Website: http://ab.rockwellautomation.com/Networks-and-Communications/Ethernet-IP-Network
 Network and Security Services Website:
   http://www.rockwellautomation.com/services/networks/
   http://www.rockwellautomation.com/services/security/
 KnowledgeBase Security Table of Contents
 TCP/UDP Ports used by Rockwell Automation products
 Network and Security Services Brochure
 Whitepapers
   Patch Management and Computer System Security Updates
   Scalable Secure Remote Access Solutions for OEMs

Slide 48: Additional Material
 Education Series Webcasts
   What every IT professional should know about Plant-Floor Networking
   What every Plant-Floor Engineer should know about working with IT
   Industrial Ethernet: Introduction to Resiliency
   Fundamentals of Secure Remote Access for Plant-Floor Applications and Data
   Securing Architectures and Applications for Network Convergence
   IT-Ready EtherNet/IP Solutions
 Available Online: http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page?

Slide 49: Additional Material
 Websites
   Reference Architectures
 Design Guides
   Converged Plant-wide Ethernet (CPwE)
 Application Guides
   Fiber Optic Infrastructure Application Guide
 Education Series Webcasts
 Whitepapers
   Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
   Securing Manufacturing Computer and Controller Assets
   Production Software within Manufacturing Reference Architectures
   Achieving Secure Remote Access to plant-floor Applications and Data
   Design Considerations for Securing Industrial Automation and Control System Networks - ENET-WP031A-EN-E

Slide 50: www.industrial-ip.org (repeats slide 8)

Slide 51: Network Security Trends & Fundamentals of Securing EtherNet/IP Networks
www.rockwellautomation.com – Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn.

