Post on 30-Aug-2018
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Network Security Trends & Fundamentals of Securing EtherNet/IP Networks Presented by Rockwell Automation
Industrial Network Security Trends: Security Quips
"Good enough" security now, is better than "perfect" security ...never. (Tom West, Data General)
Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done. (Dave Piscitello)
Your absolute security is only as strong as your weakest link.
Concentrate on known, probable threats.
Security is not a static end state, it is an interactive process.
You only get to pick two: fast, secure, cheap. (Brett Eldridge)
Industrial Network Security Trends: Established Industrial Security Standards
- International Society of Automation: ISA/IEC 62443 (formerly ISA-99), Industrial Automation and Control Systems (IACS) Security. Defense-in-Depth, IDMZ deployment.
- National Institute of Standards and Technology: NIST SP 800-82, Industrial Control System (ICS) Security. Defense-in-Depth, IDMZ deployment.
- Department of Homeland Security / Idaho National Lab: DHS INL/EXT-06-11478, Control Systems Cyber Security: Defense-in-Depth Strategies. Defense-in-Depth, IDMZ deployment.
A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.
Industrial Network Security Trends: Industrial vs. Enterprise Network Requirements
Convergence of Industrial Automation Technology (IAT) with Information Technology (IT). Similarities and differences?

Enterprise Requirements
- Switches: managed, Layer 2 and Layer 3
- Traffic types: voice, video, data
- Performance: low latency, low jitter; data prioritization (QoS) at Layer 3
- IP addressing: dynamic
- Security: pervasive, strong policies

Industrial Requirements
- Switches: managed and unmanaged; Layer 2 is predominant
- Traffic types: information, control, safety, motion, time synchronization, energy management
- Performance: low latency, low jitter; data prioritization (QoS) at Layer 2 and 3
- IP addressing: static
- Security: industrial security policies are inconsistently deployed; open by default, must close by configuration and architecture
Industrial Network Security Trends: Policies - Industrial vs. Enterprise Network Requirements

Industrial (IAT) Network
- Focus: 24/7 operations, high OEE
- Precedence of priorities: Availability, Integrity, Confidentiality
- Types of data traffic: converged network of data, control, information, safety and motion
- Access control: strict physical access; simple network device access
- Implications of a device failure: production is down ($$'s/hour ... or worse)
- Threat protection: isolate the threat but keep operating
- Upgrades: scheduled during downtime

Enterprise (IT) Network
- Focus: protecting intellectual property and company assets
- Precedence of priorities: Confidentiality, Integrity, Availability
- Types of data traffic: converged network of data, voice and video
- Access control: strict network authentication and access policies
- Implications of a device failure: work-around or wait
- Threat protection: shut down access to the detected threat
- Upgrades: automatically pushed during uptime
Industrial Network Security Trends: Collaboration of Partners
- The established #1 industrial Ethernet
- Physical layer network infrastructure
- Leader in industrial network infrastructure: wireless, security, switching/routing
Reduce risk, simplify design, speed deployment.
Industrial Network Security Trends: IACS Networking Design Considerations
Recommendations and guidance to help reduce latency and jitter, to help increase data availability, integrity and confidentiality, and to help design and deploy a scalable, robust, secure and future-ready EtherNet/IP IACS network infrastructure:
- Single industrial network technology
- Robust physical layer
- Segmentation
- Resiliency protocols and redundant topologies
- Time synchronization
- Prioritization: Quality of Service (QoS)
- Multicast management
- Convergence-ready solutions
- Security: Defense-in-Depth
- Scalable secure remote access
Industrial Network Security Trends: EtherNet/IP Industrial Automation & Control System Network
Open by default, to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) networks.
Secured by configuration:
- Protect the network: Electronic Security Perimeter
- Defend the edge: Industrial DMZ (IDMZ)
- Defense-in-Depth: multiple layers of security
[Diagram: a Flat and Open IACS network infrastructure contrasted with a Structured and Hardened IACS network infrastructure]
Defense-in-Depth: Multiple Layers to Protect the Network and Defend the Edge
No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications.
Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats.
This approach utilizes multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats.
Defense-in-Depth: Critical Elements to Industrial Security
A balanced industrial security program must address both technical and non-technical elements.
- Non-technical controls: rules for environments, e.g. standards, policies, procedures, and risk management
- Technical controls: technology that provides restrictive measures for the non-technical controls, e.g. firewalls, Group Policy Objects, Layer 3 access control lists (ACLs)
Security is only as strong as the weakest link. Vigilance and attention to detail are key to long-term security success. There is no "one-size-fits-all" solution.
Defense-in-Depth: Balanced Industrial Security Program - Example
When a non-technical control is lacking, the technical control will only provide so much protection. Example: firewalls are in place to prevent operators from surfing the web from an industrial automation and control system HMI; however, there is no non-technical control (policy) stating that the HMI's network connection must not be moved to the other side of the firewall.
When a technical control is lacking, the non-technical control will only provide so much protection. Example: policy states that operators should not surf the web from an industrial automation and control system HMI; however, there is no technical control in place preventing such access or behavior.
How much security is enough security? The amount of security in a system should rise to meet the corporation's level of risk tolerance. In theory, the more security that is properly designed and deployed in a system, the lower the amount of risk that should remain.
Defense-in-Depth: Industrial Security Policies and Procedures
- Multi-layer security approach (Defense-in-Depth): procedural, physical and electronic measures. Identify domains of trust and apply security appropriately to maintain policies.
- Risk management: determination of acceptable risk (tolerance to risk); assessment (current risk analysis); deployment of risk mitigation techniques.
- Security policy, a plan of action with procedures (non-technical): rules for controlling human interactions in automation systems. Protect IACS assets while balancing functional and application requirements such as 24x7 operations, low Mean-Time-To-Repair (MTTR) and high Overall Equipment Effectiveness (OEE).
- Alignment with applicable industry standards. The industrial security policy is unique from, and in addition to, the enterprise security policy.
Securing industrial assets requires a comprehensive network security model developed against a defined set of security policies.
Defense-in-Depth: Industrial Security Policies Drive Technical Controls
- Physical: limit physical access to authorized personnel (Cells/Areas, control panels, devices, cabling, and control room)
- Network: security framework, e.g. firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS)
- Computer hardening: patch management, Anti-X software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports
- Application: authentication, authorization, and accounting (AAA) software
- Device hardening: change management, communication encryption, and restrictive access
Network Security Framework: Converged Plant-wide Ethernet (CPwE) Reference Architectures
Structured and hardened IACS network infrastructure:
- Industrial security policy
- Pervasive security, not a bolt-on component
- Security framework utilizing a defense-in-depth approach
- Industrial DMZ implementation
- Remote partner access policy, with robust and secure implementation
Network security services must not compromise operations of the IACS.
[Diagram: CPwE reference architecture. Enterprise Zone (Levels 4-5): Enterprise WAN, Catalyst 6500/4500. Industrial Demilitarized Zone (IDMZ): Cisco ASA 5500 firewalls (active/standby) following standard DMZ design best practices; plant firewall with inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and terminal server proxy; Unified Threat Management (UTM); physical or virtualized servers for patch management, remote gateway services, application mirror and AV server. Level 3 (Site Operations): Catalyst 3750 StackWise switch stack; AAA - application (authentication server, Active Directory (AD), remote access server); AAA - network; client hardening; network status and monitoring. Level 2 (Area Supervisory Control): FactoryTalk client, HMI. Level 1 (Controller) and Level 0 (Process): controllers, I/O, drives, soft starter, MCC; controller hardening, physical security, encrypted communications. Throughout: VLANs segmenting domains of trust, network device resiliency, network infrastructure access control and hardening, physical port security.]
Network Security Framework: Controller Hardening
Physical procedure: restrict Industrial Automation and Control System (IACS) access to authorized personnel only.
- Control panels, devices, cabling, and control room
- Locks, gates, key cards
- Video surveillance
- Other authentication devices (biometric, keypad, etc.)
- Switch the Logix controller key to "RUN"
Electronic design:
- Logix controller source protection
- Logix controller data access control
- Trusted slot designation
Network Security Framework: Physical Port Security
- Keyed solutions for copper and fiber
- Lock-in and block-out products secure connections
- Data access port (keyed cable and jack)
Network Security Framework: Network Infrastructure Access Control and Hardening
- Cryptographic image: HTTPS (HTTP Secure), Secure Shell (SSH), SNMPv3
- Restrict access: port security (dynamic learning of MAC addresses); ACL (access control list); local authentication through AAA server
- Quality of Service (QoS): minimize the impact of DDoS attacks
- Disable unnecessary services: MOP (Maintenance Operations Protocol), IP redirects, proxy ARP
- Attack prevention: DHCP snooping (rogue DHCP server protection, DHCP starvation protection); Dynamic ARP Inspection (ARP spoofing, man-in-the-middle attack); storm control thresholds (denial-of-service (DoS) attack)
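The hardening items above map onto a handful of switch commands, and the usual way they fail in practice is a control enabled globally but missing on one port, or an uplink left untrusted so that DHCP snooping and Dynamic ARP Inspection drop the legitimate DHCP offers and ARP replies coming from the distribution layer. The audit script below is an added example, not Rockwell or Cisco code: it parses an IOS-style running configuration and reports which of the listed controls are absent. The sample configuration, interface roles, VLAN numbers and AAA method list are constructed assumptions; the command syntax is standard Cisco IOS.

```python
"""Audit an IOS-style switch configuration for the hardening items listed
above: DHCP snooping with a trusted uplink, Dynamic ARP Inspection, port
security and storm control on access ports, IP redirects and proxy ARP off
on routed interfaces, and management limited to SSH, HTTPS and SNMPv3.
Added example, not Rockwell or Cisco code; sample config is constructed."""

# Constructed sample with two deliberate defects: the HMI port FastEthernet1/2
# has no port security, and plaintext HTTP management is still enabled.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
ip http server
ip http secure-server
snmp-server group IACS-RO v3 priv
interface GigabitEthernet1/1
 description Uplink to Stratix 8300
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
interface FastEthernet1/1
 description Logix controller
 switchport mode access
 switchport port-security
 storm-control broadcast level 1.00
interface FastEthernet1/2
 switchport mode access
 storm-control broadcast level 1.00
interface Vlan10
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
line vty 0 4
 transport input ssh
 login authentication IACS-AAA
"""


def parse_config(text):
    """Split a config into global commands and {section heading: commands};
    sections are 'interface ...' / 'line ...' headings with indented lines."""
    global_cmds, sections, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
        elif line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current, sections[line] = line, []
        else:
            current = None
            global_cmds.append(line.rstrip())
    return global_cmds, sections


def audit_switch_config(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, sections = parse_config(text)
    findings = []

    def has(prefix):  # 'no ip http server' does not match prefix 'ip http server'
        return any(c.startswith(prefix) for c in global_cmds)

    if not has("ip dhcp snooping"):
        findings.append("global: DHCP snooping off (rogue DHCP server / starvation unprotected)")
    if not has("ip arp inspection vlan"):
        findings.append("global: Dynamic ARP Inspection off (ARP spoofing / MITM possible)")
    if has("ip http server"):
        findings.append("global: plaintext HTTP management enabled; use 'no ip http server'")
    if not any(c.startswith("snmp-server group") and c.endswith("v3 priv") for c in global_cmds):
        findings.append("global: no SNMPv3 authPriv group (v1/v2c community strings are cleartext)")
    trusted_uplinks = 0
    for heading, cmds in sections.items():
        name = heading.split(" ", 1)[1]
        if heading.startswith("line vty"):
            if "transport input ssh" not in cmds:
                findings.append(f"{heading}: remote CLI not restricted to SSH")
        elif heading.startswith("interface Vlan"):  # routed interface
            for req in ("no ip redirects", "no ip proxy-arp"):
                if req not in cmds:
                    findings.append(f"{name}: missing '{req}'")
        elif "shutdown" in cmds:
            continue  # unused port already closed
        elif "switchport mode trunk" in cmds:
            # Untrusted uplink: snooping/DAI would drop legitimate DHCP/ARP from upstream.
            if "ip dhcp snooping trust" in cmds and "ip arp inspection trust" in cmds:
                trusted_uplinks += 1
            else:
                findings.append(f"{name}: trunk untrusted for DHCP snooping / DAI")
        elif "switchport mode access" in cmds:
            # Only the bare command enables the feature; 'maximum'/'violation' alone do not.
            if "switchport port-security" not in cmds:
                findings.append(f"{name}: access port without port security (no MAC limit)")
            if not any(c.startswith("storm-control") for c in cmds):
                findings.append(f"{name}: access port without storm-control threshold")
    if has("ip dhcp snooping") and trusted_uplinks == 0:
        findings.append("global: DHCP snooping on but no trusted port; all DHCP offers dropped")
    return findings
```

Run it against the saved output of `show running-config` in place of SAMPLE_CONFIG; a clean switch returns an empty list. The checks look only for the commands named on the slide, so a clean result is necessary, not sufficient.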
Network Security Framework: VLANs, Segmenting Domains of Trust
[Diagram: Flat and Open IACS network infrastructure. One Layer 2 domain: Plant-wide IACS, Machine #1 (OEM #1) and Machine #2 (OEM #2) all share VLAN 10, IP subnet 192.168.1.0/24, across a Stratix 8300 and a ring of Stratix 8000 switches.]
[Diagram: Structured and Hardened IACS network infrastructure. Plant-wide IACS on VLAN 10, IP subnet 192.168.1.0/24; Machine #1 (OEM #1) on VLAN 20, IP subnet 10.20.20.0/24; Machine #2 (OEM #2) on VLAN 30, IP subnet 172.16.30.0/24. Each Stratix 8000 ring remains Layer 2; the Stratix 8300 routes between the VLANs at Layer 3.]
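Why the structured design is safer is easiest to see by asking what stands between two hosts. The model below is an added example, not Rockwell code: it places hosts on the slide's three subnets and checks whether a connection is delivered, treating same-VLAN traffic as switched at Layer 2 with no policy point, and inter-VLAN traffic as subject to an ACL at the Stratix 8300. The ACL entries, host addresses, and the choice to model only the initiating direction (a reflexive or "established" ACL would cover the return path) are assumptions.

```python
"""Flat-and-open versus structured-and-hardened VLAN design, as a reachability
model. Added example, not Rockwell code: subnets are the slide's, the ACL and
host addresses are assumptions, only the initiating direction is modelled."""
import ipaddress

STRUCTURED = {
    10: ipaddress.ip_network("192.168.1.0/24"),  # plant-wide IACS
    20: ipaddress.ip_network("10.20.20.0/24"),   # Machine #1 (OEM #1)
    30: ipaddress.ip_network("172.16.30.0/24"),  # Machine #2 (OEM #2)
}
# Flat and open: everything shares VLAN 10, one broadcast domain.
FLAT = {10: ipaddress.ip_network("192.168.1.0/24")}

# Inter-VLAN ACL at the Layer 3 boundary: (action, src VLAN, dst VLAN, proto, port).
# Evaluated top-down, first match wins, implicit deny at the end (assumed policy).
ACL = [
    ("permit", 10, 20, "tcp", 44818),  # plant-wide controller/HMI talks CIP to Machine #1
    ("permit", 10, 30, "tcp", 44818),  # ... and to Machine #2
    ("permit", 20, 10, "udp", 123),    # machines may sync time to a plant-wide NTP server
    ("permit", 30, 10, "udp", 123),
    # no entry lets OEM #1 talk to OEM #2, or a machine initiate into the plant-wide VLAN
]


def vlan_of(ip, vlans):
    """VLAN id whose subnet contains ip, or None if the address is off-plan."""
    addr = ipaddress.ip_address(ip)
    for vid, net in vlans.items():
        if addr in net:
            return vid
    return None


def can_reach(src, dst, proto, port, vlans, acl=ACL):
    """True if a connection src->dst on proto/port would be delivered."""
    src_vlan, dst_vlan = vlan_of(src, vlans), vlan_of(dst, vlans)
    if src_vlan is None or dst_vlan is None:
        return False  # not on any configured subnet: nothing routes it
    if src_vlan == dst_vlan:
        return True   # same VLAN: switched at Layer 2, no policy point exists
    for action, s, d, p, pt in acl:
        if s == src_vlan and d == dst_vlan and p in ("any", proto) and pt in (None, port):
            return action == "permit"
    return False      # implicit deny at the end of the ACL
```

In the flat design the two OEM machines reach each other on any port because nothing is in the path; in the structured design the same request has to cross the Stratix 8300, where the ACL denies it.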
Network Security Framework: Plant Firewall - Unified Threat Management
Modern firewalls (UTMs) provide a range of security services:
- Firewall with application layer security: multi-layer packet and traffic analysis; advanced application and protocol inspection services; network application controls
- Access control and authentication: flexible user- and network-based access control services; stateful packet inspection; integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID
- IPS and Anti-X defenses: real-time protection from application and OS level attacks; network-based worm and virus mitigation; spyware, adware, malware detection and control; on-box event correlation and proactive response
- Intelligent networking services: low latency; diverse topologies; multicast support; services virtualization; network segmentation and partitioning; routing, resiliency, load-balancing
- SSL and IPsec connectivity: threat-protected SSL and IPsec VPN services; zero-touch, automatically updateable IPsec remote access; flexible clientless and full-tunneling client SSL VPN services; QoS/routing-enabled site-to-site VPN
Network Security Framework: Unified Threat Management - Stratix Services Router
[Diagram: Levels 4 and 5 (Enterprise Zone, data center): enterprise-wide business systems. Level 3.5: IDMZ. Level 3 (Industrial Zone, Site Operations): physical or virtualized servers (FactoryTalk application servers and services platform; network services, e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; storage array); plant-wide / site-wide operation systems. Levels 0-2: Cell/Area Zones. Three Stratix 5900 placements: 1) site-to-site connection to Remote Site #1; 2) Cell/Area Zone firewall in front of Local Cell/Area Zone #1; 3) OEM integration in front of Local OEM Skid / Machine #1.]
Network Security Framework: Network Device Resiliency
Distribution switches typically provide first-hop (default gateway) redundancy:
- StackWise (3750X), stack management
- Hot Standby Router Protocol (HSRP)
- Virtual Router Redundancy Protocol (VRRP)
- Gateway Load Balancing Protocol (GLBP)
[Diagram: Catalyst 3750X switch stack; HSRP active and HSRP standby gateways; Catalyst 3560.]
Network Security Framework: AAA - Network
1. Who are you? Keep the outsiders out.
2. Where can you go? Keep the insiders honest.
3. What service level do you receive? Personalize the IACS application.
4. What are you doing? Increase network visibility.

Cisco Identity Services Engine (ISE):
- Combines AAA (authentication, authorization, accounting), posture and profiler into one appliance
- Gathers real-time network information to allow administrators to make network access decisions
- Uses network access control to manage what resources users and guests are allowed to access
- Determines what kind of device users are using, and whether it complies with hardware and software policies
- Manages wired and wireless access with 802.1X
Network Security Framework: Industrial Demilitarized Zone
[Diagram: Logical model of an Industrial Automation and Control System (IACS), a converged multi-discipline industrial network. Enterprise Security Zone: Level 5 (Enterprise Network) and Level 4 (Site Business Planning and Logistics Network: e-mail, intranet, etc.); web and e-mail traffic; firewall. Industrial DMZ: remote gateway services, patch management, AV server, application mirror, web services operations, application server; second firewall. Industrial Security Zone: Level 3 (Site Operations and Control: FactoryTalk application server, FactoryTalk Directory, engineering workstation, remote access server, FactoryTalk client, operator interface). Cell/Area Zone: Level 2 (Area Supervisory Control: FactoryTalk client, engineering workstation, operator interface), Level 1 (Basic Control: batch control, discrete control, drive control, continuous process control, safety control), Level 0 (Process: sensors, drives, actuators, robots); CIP traffic.]
No direct traffic flow between the Enterprise and Industrial Zones.
Scalable Network Security Framework: One Size Does Not Fit All
Recommended: it depends, based on customer standards, security policies and procedures, risk tolerance, and alignment with IACS security standards.
[Diagram: seven ways of joining the enterprise-wide network and the plant-wide network. Figures 1-4 (not recommended): the networks joined directly or, in Figure 4, separated only by a switch with VLANs. Figure 5 (good): a router (zone-based firewall). Figure 6 (better): a firewall. Figure 7 (best): an IDMZ.]
Network Security Framework: Demilitarized Zone (DMZ)
Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.
[Diagram: UNTRUSTED network - DMZ (web proxy acting as BROKER) - TRUSTED network.]
Network Security Framework: Industrial Demilitarized Zone (IDMZ)
Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the IDMZ is to add an additional layer of security to the trusted network.
[Diagram: Enterprise Security Zone (UNTRUSTED/TRUSTED) - Industrial DMZ (BROKER) - Industrial Security Zone (TRUSTED).]
Network Security Framework: Industrial Demilitarized Zone (IDMZ)
- All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
- Only path between zones
- No common protocols in each logical firewall
- No control traffic into the IDMZ; CIP stays home
- No primary services are permanently housed in the IDMZ
- IDMZ shall not permanently house data
- Application data mirror to move data into and out of the Industrial Zone
- Limit outbound connections from the IDMZ
- Be prepared to "turn off" access via the firewall
[Diagram: Enterprise Security Zone (trusted? untrusted?) - disconnect point - IDMZ with replicated services - disconnect point - Industrial Security Zone (trusted). No direct traffic.]
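The IDMZ rules above are easy to state and easy to erode one firewall change at a time. The validator below is an added example, not Rockwell code: it takes a list of zone-to-zone permit rules (one entry per service a firewall allows) and reports each rule that breaks the invariants on the slide: no direct Enterprise to Industrial flow, CIP stays home, no protocol permitted through both logical firewalls, and IDMZ-initiated connections limited to an explicit allow list. The zone names, Rule layout, outbound allow list and sample rules are constructed; the CIP ports are the standard EtherNet/IP assignments (TCP 44818 explicit messaging, UDP 2222 implicit I/O).

```python
"""Check a candidate IDMZ firewall rule set against the slide's design rules.
Added example, not Rockwell code; zones, Rule layout, allow list and the
sample rules are constructed, the CIP ports are EtherNet/IP's standard ones."""
from dataclasses import dataclass

ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"
ZONES = {ENTERPRISE, IDMZ, INDUSTRIAL}
CIP_SERVICES = {("tcp", 44818), ("udp", 2222)}  # explicit messaging, implicit I/O


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone that initiates the connection
    dst_zone: str
    proto: str
    port: int
    purpose: str


# Connections the IDMZ itself may initiate: (proto, port, destination zone).
# Assumed for the demo: the remote gateway reaching an engineering workstation
# by RDP, and the patch server fetching updates over HTTPS.
IDMZ_OUTBOUND_ALLOW = {("tcp", 3389, INDUSTRIAL), ("tcp", 443, ENTERPRISE)}

# Constructed rule set; the last four entries each violate one rule.
SAMPLE_RULES = [
    Rule(ENTERPRISE, IDMZ, "tcp", 443, "browsers to web services / remote gateway portal"),
    Rule(IDMZ, INDUSTRIAL, "tcp", 3389, "remote gateway to engineering workstation"),
    Rule(INDUSTRIAL, IDMZ, "tcp", 1433, "historian pushes to historian mirror"),
    Rule(ENTERPRISE, IDMZ, "tcp", 1433, "enterprise reporting reads historian mirror"),
    Rule(ENTERPRISE, INDUSTRIAL, "tcp", 44818, "MES reads tags directly from controller"),
    Rule(INDUSTRIAL, IDMZ, "udp", 2222, "controller I/O data to an IDMZ gateway"),
    Rule(IDMZ, ENTERPRISE, "tcp", 80, "patch server pulls updates over plain HTTP"),
]


def validate_idmz_policy(rules, outbound_allow=IDMZ_OUTBOUND_ALLOW):
    """Return a list of findings; an empty list means the rule set honors all checks."""
    findings = []
    enterprise_side, industrial_side = set(), set()  # services permitted on each firewall
    for r in rules:
        zones = {r.src_zone, r.dst_zone}
        if not zones <= ZONES:
            findings.append(f"{r.purpose}: unknown zone in {sorted(zones)}")
            continue
        if zones == {ENTERPRISE, INDUSTRIAL}:
            findings.append(f"{r.purpose}: direct {r.src_zone}->{r.dst_zone} flow bypasses the IDMZ")
            continue
        if len(zones) == 1:
            continue  # intra-zone traffic is not the IDMZ firewalls' concern
        service = (r.proto, r.port)
        if service in CIP_SERVICES:  # "CIP stays home": never into or out of the IDMZ
            findings.append(f"{r.purpose}: CIP {r.proto}/{r.port} must not cross the IDMZ boundary")
        if r.src_zone == IDMZ and (r.proto, r.port, r.dst_zone) not in outbound_allow:
            findings.append(f"{r.purpose}: IDMZ-initiated {r.proto}/{r.port} to {r.dst_zone} "
                            "is not on the outbound allow list")
        (enterprise_side if ENTERPRISE in zones else industrial_side).add(service)
    # A service open on both firewalls lets a compromised IDMZ host relay it end to end.
    for proto, port in sorted(enterprise_side & industrial_side):
        findings.append(f"{proto}/{port}: permitted through both logical firewalls; "
                        "terminate it in the IDMZ with a different protocol on the other side")
    return findings
```

The first three sample rules pass: the historian mirror is reached by SQL from the Industrial side only, and the remote gateway's RDP hop is explicitly allow-listed. Adding the enterprise SQL read creates the "same protocol on both firewalls" condition, which the historian mirror exists to avoid.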
Network Security Framework: Industrial Demilitarized Zone (IDMZ)
Set up functional sub-zones in the IDMZ to segment access to data and services (e.g. partner zone, operations, IT).
[Diagram: Enterprise Zone (trusted? untrusted?) - disconnect point - IDMZ with multiple functional sub-zones (terminal services, patch management, historian mirror, web services operations, application server, AV server) - disconnect point - Industrial Zone (trusted). No direct traffic.]
IACS Network Security: Design and Implementation Considerations
- Align with Industrial Automation and Control System security standards: DHS external report INL/EXT-06-11478, NIST SP 800-82, ISA/IEC 62443 (formerly ISA-99)
- Implement a Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks
- Establish an open dialog between Industrial Automation and IT groups
- Establish an industrial security policy
- Establish an IDMZ between the Enterprise and Industrial Zones
- Work with trusted partners knowledgeable in automation and security
"Good enough" security now, is better than "perfect" security ...never. (Tom West, Data General)