Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.
PUBLIC - 5058-CO900G
T24 - New Security Features Help to Reduce Risk in Your Industrial Control System
Security Threat Vectors
• Unintended employee actions
• Theft
• Unauthorized actions by employees
• Unauthorized access
• Denial of Service
• Application of patches
• Unauthorized remote access
• Natural or man-made disasters
• Sabotage
• Worms and viruses
ICS Security in the News (figure; source: http://www.theregister.co.uk)
ICS Security in the News (figure; source: https://www.bostonglobe.com)
Security Quality
Vendors must build security into products with a focus on security throughout the product lifecycle.
Security Quality: Incident Response Process
Product Vulnerabilities:
• We expect them
• We plan for them
• We work to avoid them
• We support our customers
See Rockwell Automation® Knowledgebase article 54102 for up-to-date information on product vulnerabilities.
Incident response cycle: Receive Communications → Evaluate and Assess → Mitigate and Remediate → Close
Secure Automation and Information: Defending the Digital Architecture
INDUSTRIAL SECURITY MUST BE IMPLEMENTED AS A SYSTEM
• Tamper Detection: Detect and record unwanted activity and modifications to the application
• Content Protection: Protect viewing, editing, and use of specific pieces of control system content
• Access Control and Policy Management: Control who, what, where and when access is allowed, to which application and device
• Secure Network Infrastructure: Control access to the network, and detect unwanted access and activity
Secure Automation and Information: Capability Overview
Capabilities across the four pillars (Tamper Detection, Content Protection, Access Control and Policy Management, Secure Network Infrastructure):
• Validated Architectures
• Stratix™ Portfolio
• Network and Security Services
• Logix Source Protection
• Data Access Control
• FactoryTalk Security
• Firmware Digital Signatures
• Auditing with FactoryTalk® AssetCentre
• Change Detection and Logging for Controllers
• High Integrity Add-On Instructions
• New Symantec Partnership
• New Tempered Networks Partnership
Secure Network Infrastructure: New Validated Architectures
Achieve infrastructure security through a common, validated system architecture leveraging the Stratix™ portfolio and Cisco security solutions.
Design and Implementation Guides:
• Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (2011)
• Segmentation Methods within the Cell/Area Zone (2013)
• Securely Traversing IACS Data Across the Industrial Demilitarized Zone (2015)
• Deploying Identity Services within a Converged Plantwide Ethernet Architecture (2015)
• Site-to-site VPN to a Converged Plantwide Ethernet Architecture (2015)
Download these and more at:
http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page
Content Protection: License-Based Source Protection (coming soon)
Access to selected Routines and Add-On Instructions can be controlled using licenses.
Licenses are managed by the content owner using a web-based application, and reside on secure USB devices.
Access Control: Application Access Control with FactoryTalk Security
Use FactoryTalk® Security to manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation® software applications to access automation devices.
How does it work? FactoryTalk Directory (used by all FactoryTalk Security-enabled software) provides a centralized authority to verify the identity of each user and to grant or deny user requests to perform a particular set of actions on resources within the system:
• Authenticate the user
• Authorize use of applications
• Authorize access to specific devices
FactoryTalk Temporary Users (new in latest version of Studio 5000)
Use FactoryTalk® Temporary Users to temporarily give someone the privileges of another user group.
Permission Sets for Securing Projects (new in latest version of Studio 5000)
Secure a project file with a Permission Set to use the same policies for many controllers.
Permission Sets for Securing Objects (new in latest version of Studio 5000)
Apply Permission Sets to Routines, Add-On Instructions and Tags to have different policies for different components.
Guest User Access (new in latest version of Studio 5000)
With Guest Users, grant limited permissions to users who aren't members of your FactoryTalk® Directory.
Secondary Security Authority (new in latest version of Studio 5000)
Guest Users can further limit access to a project file with a Secondary Security Authority.
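The slides above describe an access-control model in terms of who (users and groups), what (actions), where (project file, routine, Add-On Instruction or tag) and when (temporary membership). The following is an added, illustrative example that is not part of this presentation and is not FactoryTalk's API or its actual evaluation rules: a small Python model of a central directory, permission sets with a project-level default and per-object overrides, time-limited group membership, and a guest principal for users not in the directory. All class, group and object names (Directory, PermissionSet, "Engineers", "AOI:MotorControl", and so on) are hypothetical. It shows the two edge cases a practitioner cares about: an override on a single object taking precedence over the project policy, and a temporary grant expiring.

```python
"""Toy who/what/where/when authorization model (hypothetical, not FactoryTalk)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ACTIONS = frozenset({"view", "edit", "download", "go_online"})
GUEST_GROUP = "Guest"  # hypothetical group assigned to users unknown to the directory


@dataclass(frozen=True)
class PermissionSet:
    """Named policy mapping group -> allowed actions. Anything not listed is denied."""
    name: str
    allow: dict  # group name -> frozenset of actions

    def permits(self, groups, action):
        return any(action in self.allow.get(g, ()) for g in groups)


@dataclass
class Directory:
    """Stand-in for the central identity authority (hypothetical)."""
    members: dict = field(default_factory=dict)    # user -> set of permanent groups
    temporary: dict = field(default_factory=dict)  # user -> list of (group, expiry)

    def grant_temporary(self, user, group, hours, now):
        """Temporary-user style grant: membership in `group` until now + hours."""
        self.temporary.setdefault(user, []).append((group, now + timedelta(hours=hours)))

    def effective_groups(self, user, now):
        # Users outside the directory are treated as guests with limited rights.
        if user not in self.members:
            return frozenset({GUEST_GROUP})
        groups = set(self.members[user])
        groups.update(g for g, expiry in self.temporary.get(user, []) if now < expiry)
        return frozenset(groups)


@dataclass
class Project:
    """A project file secured by a default permission set, with per-object overrides."""
    name: str
    default_set: PermissionSet
    object_sets: dict = field(default_factory=dict)  # object path -> PermissionSet
    audit: list = field(default_factory=list)


def authorize(directory, project, user, action, obj=None, now=None):
    """Return True if `user` may perform `action` on `obj`; always record an audit entry."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    now = now or datetime.now()
    groups = directory.effective_groups(user, now)
    # The most specific policy wins: an object-level set overrides the project default.
    pset = project.object_sets.get(obj, project.default_set)
    allowed = pset.permits(groups, action)
    project.audit.append({"who": user, "what": action, "where": obj or project.name,
                          "when": now.isoformat(), "policy": pset.name, "allowed": allowed})
    return allowed


def demo():
    """Constructed scenario: one plant, one vendor-locked AOI, one temporary grant."""
    t0 = datetime(2015, 6, 1, 8, 0)
    directory = Directory(members={"alice": {"Engineers"}, "bob": {"Maintenance"}})
    directory.grant_temporary("bob", "Engineers", hours=4, now=t0)

    plant_policy = PermissionSet("PlantDefault", {
        "Engineers": ACTIONS,
        "Maintenance": frozenset({"view", "go_online"}),
        GUEST_GROUP: frozenset({"view"}),
    })
    # Machine-builder content: even engineers may only view it; guests get nothing.
    vendor_policy = PermissionSet("VendorLocked", {"Engineers": frozenset({"view", "go_online"})})
    project = Project("Line1", plant_policy, {"AOI:MotorControl": vendor_policy})

    return {
        "bob_edit_now": authorize(directory, project, "bob", "edit", "Routine:Main", t0),
        "bob_edit_later": authorize(directory, project, "bob", "edit", "Routine:Main",
                                    t0 + timedelta(hours=5)),
        "alice_edit_aoi": authorize(directory, project, "alice", "edit", "AOI:MotorControl", t0),
        "guest_view": authorize(directory, project, "visitor", "view", "Routine:Main", t0),
        "guest_view_aoi": authorize(directory, project, "visitor", "view", "AOI:MotorControl", t0),
        "audit_entries": len(project.audit),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design points carry over to any real deployment: the evaluation is deny-by-default (a group absent from a permission set has no rights at all, which is what makes the vendor-locked override effective against guests), and every decision, denied or allowed, is written to the audit list so that the "tamper detection" side of the story has something to read.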
Support for Disconnected Environments (new in latest version of Studio 5000)
Diagram: Network 1 hosts the FactoryTalk® Directory and Active Directory; a field engineer's laptop connects over VPN; Network 2 holds a project file and a controller, both secured by the machine builder.
Sources of Risk (figure; source: The State of Security in Control Systems Today, SANS Institute)
Sources of Risk (figure; source: Common Cybersecurity Vulnerabilities in Industrial Control Systems, Department of Homeland Security Control Systems Security Program)
New Encompass™ Partner - Symantec
Symantec Embedded Security: Critical System Protection
• Great for helping to protect PCs that can't be frequently updated
• Completely policy driven – no signatures
• Features application whitelisting, sandboxing, host firewall, file protection and monitoring, and more
Tempered Networks
• Network segmentation using private overlay networks on top of untrusted infrastructure
• Private networks can be mapped to users and/or devices
• Leverages HIPswitches and a centralized HIPConductor without any changes to existing infrastructure
Industrial Security Resources
• Security-enhanced Products and Technologies: Rockwell Automation® products and technologies with security capabilities that help increase overall control system-level security. http://www.rockwellautomation.com/security
• EtherNet/IP Plantwide Reference Architectures: Control system validated designs and security best practices that complement recommended layered security/defense-in-depth measures. http://www.ab.com/networks/architectures.html
• Network & Security Services (NSS): RA consulting specialists that conduct security risk assessments and make recommendations for how to avert risk and mitigate vulnerabilities. http://www.rockwellautomation.com/services/security
Industrial Security Landing Pad
http://rockwellautomation.com/security
• Video Series & Tools
• Take an Assessment
• Related Products
• Reference Architectures
• [email protected] Pretty Good Privacy (PGP) Public Key
• Design Guides and Whitepapers
• Security Advisory Index