Ferry Hallewas - Automation Technology: Plantwide Benefits of EtherNet/IP (Clive Barwise, Ferry Hallewas)
TRANSCRIPT
2/22/2011
Copyright © 2010 Rockwell Automation, Inc. All rights reserved.
Plantwide Benefits of EtherNet/IP
Clive Barwise, Ferry Hallewas
Botlek Studiegroep, 17-February-2011
www.ODVA.org
Plantwide Network Architectures – Converged Plantwide Ethernet (CPwE) Architectures
[Figure: Level 4 – Data Center; Level 3 – Site Operations; Levels 0-2 – Cell/Area Zones (Processing, Filling, Material Handling)]
EtherNet/IP – Differentiator #1: Established
EtherNet/IP – Established (partial list)
280+ EtherNet/IP Vendors Registered, over 3,000,000 nodes shipped
Industrial Ethernet: EtherNet/IP – Standard and Established
Source: IMS Research
Rockwell Automation, Omron, and Schneider Electric use EtherNet/IP as core technology.
Many other vendors also provide EtherNet/IP.
Standard/Unmodified Ethernet & TCP/IP
• Standard:
– Future Proof Technology
– Mix commercial and industrial information on one common network infrastructure
– Scalable plantwide networks with 1,000s of nodes
– Topology to match your plant
– Diverse and broad supplier support
EtherNet/IP is the current global leader for nodes sold
Network Evolution – EtherNet/IP
[Figure: device cost versus time for DeviceNet and EtherNet/IP, today and future. Devices shown: HMI, controllers, servo and standard drives, robots, valves, I/O, safety I/O, safety components, E1 and E3 overloads, instruments, pushbuttons, photoeyes, proximity and limit switches.]
Low Cost EtherNet/IP:
• NEO ASIC
• 2 port embedded switch
• Lower cost scalable chipset/stacks
• PHY designed for 1G
• PoF – Poly Fiber media
• PoE – Power over Ethernet
MCC Today: all DeviceNet inside
MCC Short-term: EtherNet/IP – Drives; DeviceNet – Overloads
MCC Future: all EtherNet/IP; PoF media
• Cost of EtherNet/IP implementation continues to lower
– Faster adoption of devices on Ethernet
– EDS for devices on CIP networks
– 2-port DLR technology for simplified integration
• Cost of DeviceNet implementation levels
– Continues to provide solution for low cost devices
EtherNet/IP – Differentiator #2: Standard… Not “Standards-Based”
[Figure: EtherNet/IP protocol stack]
Layer 7 – Application: Common Industrial Protocol (CIP)
Layers 5-7: CIP (Explicit Messaging, Real-Time I/O Control), FTP, HTTP, OPC, SNMP, BOOTP, DHCP
Layer 4: TCP, UDP
Layer 3: IP, ICMP, IGMP, OSPF, ARP, RARP
Layers 1-2: IEEE 802.3 Ethernet
• CIP: Implicit traffic
– I/O control, drive control, Produced/Consumed tags
– Uses UDP protocol (unicast and multicast)
• CIP: Explicit traffic
– HMI, Message Instructions, Program upload/download
– Uses TCP protocol
• Other common traffic
– HTTP, Email, SNMP, etc.
• Advantages of EtherNet/IP
– Standard Ethernet and IP Protocol suite
– Future proof
– Established – 280+ registered vendors
– Supported – All EIP products require conformance testing
• Ethernet/Industrial Protocol or EtherNet/IP specifies how CIP communication packets can be transported over standard Ethernet and TCP/IP technology.
Standard vs. “standards-based”
• Standard
– Uses standard switches
– Integrates easily into existing Ethernet installations and corporate networks
– Requires no special training or knowledge from IT workforce
• “Standards-based”
– Requires the use of proprietary switches or protected segments
– Potential integration issues with existing Ethernet installations
– Requires extra training and knowledge from IT workforce
Ethernet/Industrial Protocol: EtherNet/IP vs. Ethernet and IP vs. Ethernet/IP
• Standard
– IEEE 802.3 - standard Ethernet, Precision Time Protocol (IEEE-1588)
– IETF - Internet Engineering Task Force, standard Internet Protocol (IP)
– IEC - International Electrotechnical Commission
– ODVA - Common Industrial Protocol (CIP)
• IT Friendly and Future Proof (Sustainable)
• Established - products, applications and vendors
• Multidiscipline control and information platform
• ODVA
– Supported by global industry vendors such as Cisco Systems®, Omron®, Schneider Electric®, Rockwell Automation and many more!
– Conformance & Performance Testing
http://www.odva.org
OSI Reference Model
Layer No.
7. Application
6. Presentation
5. Session
4. Transport
3. Network
2. Data Link
1. Physical
(Layers 4-7 are marked Network Independent)
EtherNet/IP Advantage Summary
• ODVA - Cisco Systems and Rockwell Automation are principal members
• IT friendly - Standard Ethernet and TCP/IP Protocol Suite
• Future proof – Sustainable – Industry Standards such as IEEE and IETF
• Portability and Routability – Physical layer and data link layer independence
• Established – 280+ Registered Vendors, over 3,000,000 nodes
• Supported – All EtherNet/IP products require conformance testing
• Multidiscipline Support – Discrete Control, Process Control, Batch Control, Configuration, Information/Diagnostics, Safety Control, Time Synchronization, Motion Control and Energy Management
• Common industrial application protocol – DeviceNet, ControlNet and EtherNet/IP
– Seamless bridging throughout CIP networks
EtherNet/IP – Differentiator #3: More Than a Fieldbus
EtherNet/IP – Technology Convergence
Mix Business, Industrial, and Commercial Technologies to Solve Applications – Plant-wide
[Figure: Commercial Technologies (Webpage, Remote Access, Video/Voice over IP, Wireless, FTP, Other); Business & Traditional Plant Floor Applications (Controllers, Business System, Programming Terminals, HMI); Real-Time Plant Floor Control Applications (Robots, I/O Devices, Drives, Instruments)]
More Than a Fieldbus
Industrial Network Convergence – Continuing Trend
Evolution of industrial Ethernet applications
EtherNet/IP - Enabling/Driving Convergence of Control and Information
[Figure: applications converging on EtherNet/IP: Information, I/O Control, Safety, Motion Control, Instrumentation, Energy (near future)]
Industrial Network Convergence – Continuing Trend
EtherNet/IP - Enabling/Driving Convergence of Control and Information
[Figure: Converged Plantwide Ethernet Industrial Network Model: Corporate Network (Back-Office Mainframes and Servers (ERP, MES, etc.); Office Applications, Internetworking, Data Servers, Storage) and a single Industrial Network carrying Supervisory Control, Human Machine Interface (HMI), Controller, Safety Controller, Safety I/O, I/O, Robotics, Motors, Drives, Actuators, Sensors and other Input/Output Devices, Camera and Phone]
[Figure: Traditional – 3 Tier Industrial Network Model: Corporate Network (Back-Office Mainframes and Servers (ERP, MES, etc.); Office Applications, Internetworking, Data Servers, Storage); Control Network with Supervisory Control and HMI behind a Gateway; Industrial Network with Controller, Sensors and other Input/Output Devices, Motors, Drives, Actuators, Robotics]
Industrial Networks – Continuing Trends
• Open Networks Are In Demand
– Broad availability of products, applications and vendor support for Industrial Automation and Control System (IACS)
– Network standards for coexistence and interoperability
• Convergence of Network Technologies
– Reduce the number of different networks in an operation and create seamless information sharing from the plant floor to the enterprise
– Use common network design and troubleshooting tools across the plant and enterprise, and avoid special tools for each application
• Better Asset Utilization to Support Lean Initiatives
– Reduce training, support, and inventory for different networking technologies
– Common network infrastructure assets, while accounting for environmental requirements
• Future Proof – Maximizing Investments
– Support new technologies and features without a network forklift upgrade
Many field device integration options
[Figure: Engineering Work Station, Operator Work Stations and Asset Management on the Ethernet (supervisory network); Process Controller connected to field devices through FF LD / FF H1, HART and Compact HART I/O, Profi PA (EN2PA, CN2PA), Drives and Motor Control Centers]
Instrument with EtherNet/IP
• Technical highlights / features
– Dual Ethernet port design (support for ring topology)
– Integrated Webserver and Ethernet switch functionality
– Electronic Data Sheet (EDS file) located in the device
– Configuration within a FDT frame
– Calibration management: planning, calibration and reporting
EtherNet/IP
Industrial Networks: similarities and differences between IT and Plant Floor
IT vs. Industrial Network Requirements – Trend: Industrial and IT Network Convergence
• Enterprise (IT) Network Requirements
– Internet Protocols
– Wide Area Network (WAN)
– High availability – redundant star topologies
– Latency, jitter, etc.
– Voice, video, data applications
– IP Addressing - dynamic
– Security - pervasive
• Industrial Network Requirements
– Industrial and internet protocols
– Local Area Network (LAN)
– Resiliency – ring topologies are prominent, redundant star topologies are emerging
– Latency, jitter, etc.
– Information, control, safety, synchronization and motion
– IP Addressing – static
– Security – emerging: Open by Default vs. Closed by Configuration
So, what are the similarities and differences?
Cultural and Organizational Convergence – Trend: Industrial and IT Network Convergence
Security Policies                | IT Network                                           | Industrial Network
Focus                            | Protecting Intellectual Property and Company Assets  | 24/7 Operations, High OEE
Priorities                       | 1. Confidentiality, 2. Integrity, 3. Availability    | 1. Availability, 2. Integrity, 3. Confidentiality
Types of Data Traffic            | Converged Network of Data, Voice and Video           | Converged Network of Data, Control, Information, Safety and Motion
Access Control                   | Strict Network Authentication and Access Policies    | Strict Physical Access; Simple Network Device Access
Implications of a Device Failure | Continues to Operate                                 | Could Stop Operation
Threat Protection                | Shut Down Access to Detected Threat                  | Potentially Keep Operating with a Detected Threat
Upgrades                         | ASAP, During Uptime                                  | Scheduled, During Downtime
EtherNet/IP Considerations
Application Requirements
                         | Process Automation                                 | Discrete Automation                                          | Motion Control
Function                 | Information Integration, Slower Process Automation | Time-critical Discrete Automation                            | Motion Control
Communication Technology | .Net, DCOM, TCP/IP                                 | Industrial Protocols - CIP                                   | Hardware and Software solutions, e.g. CIP Motion, PTP
Period                   | 1 second or longer                                 | 10 ms to 100 ms                                              | <1 ms
Industries               | Oil & gas, chemicals, energy, water                | Auto, food & beverage, semiconductor, metals, pharmaceutical | Subset of discrete automation
Applications             | Pumps, compressors, mixers, instrumentation        | Material handling, filling, labeling, palletizing, packaging | Printing presses, wire drawing, web making, pick & place
Networking Best Practices
Best practices for reducing Latency and Jitter, and to increase data Availability, Integrity and Confidentiality
• Robust Physical Layer
• Segmentation
– Structure and Hierarchy – Multi-tier Network Model
– Logical Framework – organization into levels and zones
– Topology
– Virtual LANs (VLANs)
• Resiliency Protocols and Redundant Topologies
• Time Synchronization
• Prioritization - Quality of Service (QoS)
• Multicast Management
• Security - Defense-in-Depth
Logical Framework – Converged Plantwide Ethernet (CPwE) Architectures
[Figure: Levels 0–2 Cell/Area Zones below a Layer 3 Distribution Switch. Level 0 Drives and I/O, Level 1 Controllers and Level 2 HMIs attach through Layer 2 Access Switches (media & connectors). Cell/Area Zone #1: Redundant Star Topology, Flex Links Resiliency. Cell/Area Zone #2: Ring Topology, Resilient Ethernet Protocol (REP). Cell/Area Zone #3: Bus/Star Topology.]
Resiliency Protocols and Redundant Topologies – Layer 2 – Loop Avoidance
Topologies compared: Redundant Star (Flex Links), Ring (Resilient Ethernet Protocol (REP)), Star/Bus (Linear)
Criteria: Cabling Requirements; Ease of Configuration; Implementation Costs; Bandwidth; Redundancy and Convergence; Disruption During Network Upgrade; Readiness for Network Convergence
Overall in Network TCO and Performance: Redundant Star – Best; Ring – OK; Linear – Worst
[Figure: Cell/Area Zones of Controllers, Drives, Distributed I/O and HMI connected to Cisco Catalyst 2955 switches and Cisco Catalyst 3750 StackWise Switch Stacks]
Logically Isolate areas of control (VLAN)
Segmentation by Function, not by Location (VLAN)
Clear division of responsibilities can easily be obtained
Control between Subnets
• Controllers communicate to other EtherNet/IP devices via unicast
– Produce & Consume Standard & Safety tags + standard I/O
• Unicast also allows EtherNet/IP communications to span multiple subnets
• Interlocking of remote controllers over the plant infrastructure
• Streamline traffic on the network by allowing one-to-one transmission of EtherNet/IP I/O data, which greatly reduces unwanted multicast traffic
• Layer 3 switching to communicate across VLANs
* Hardware support may vary
Fundamentals of Securing Ethernet Control Networks
Clive Barwise
Networks Business Manager
Rockwell Automation EMEA
@ KROHNE Altometer Nederland B.V., Kerkeplaat 12, 3313 LC DORDRECHT
Agenda
1. Industrial Network Security Trends
2. Defense-in-Depth
3. Secure Remote Access
4. Conclusion: Steps for a secure future
What is security for you – Converged Plantwide Ethernet (CPwE) Architectures
• What do users want from the control system?
• System Performance – Do things at the appropriate speed.
• Continuous Operation – Availability
• Accuracy – How much did I make?
• Privacy of data – Only select people should have this information
• Freedom for data Access – Reports on my phone. Connect from Home.
• Technology Convergence – IT Technologies embedded in the system: Video, IP Phones, Wireless
[Figure: CPwE reference architecture. Enterprise Zone (Levels 4 and 5): ERP, Email, Wide Area Network (WAN). Demilitarized Zone (DMZ): Patch Management, Terminal Services, Application Mirror, AV Server, between Cisco ASA 5500 firewalls (Active and Standby, Gbps link for failover detection) and a Cisco Catalyst Switch. Industrial Zone, Site Operations and Control (Level 3): Catalyst 6500/4500, Remote Access Server, FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), Data Servers, Network Services (DNS, DHCP, syslog server, network and security management), Catalyst 3750 StackWise Switch Stack. Cell/Area Zones (Levels 0–2) on Rockwell Automation Stratix 8000 Layer 2 Access Switches with Controllers, Drives, HMI and DIO: Cell/Area #1 Redundant Star Topology with Flex Links Resiliency, Cell/Area #2 Ring Topology with Resilient Ethernet Protocol (REP), Cell/Area #3 Bus/Star Topology.]
Industrial Network Security Trends – Commonly Reported Business Disruptions
• Denial of service
• Natural or manmade disaster
• Theft
• Worms and viruses
• Unauthorized access
• Application of Security patches
• Unauthorized actions by employees
• Unauthorized actions by vendors
• Unintended employee actions
• Sabotage
Unaddressed security risks increase potential for disruption to control system’s uptime and safe operation
Industrial Network Security Trends – Two Critical Elements to Security
• Security is basically two pronged: Technical vs. Non-technical
– A balanced Security Program must address both Technical (technology) and Non-Technical (procedures) Elements
• Technical controls - Firewalls, Group Policy Objects, Layer 3 ACLs, etc. - provide restrictive measures for non-technical controls
• Non-technical controls - rules for environments, such as policy and procedure, risk management
• Security is only as strong as the weakest link
• Vigilance and Attention to Detail are KEY to the long-term security success
[Figure: Technical and Non-Technical controls; “one-size-fits-all”]
Industrial Network Security Trends – Two Critical Elements to Security
• When a Technical Control is lacking, the non-technical control will only provide so much protection
– Example: Policy states you should not surf the web from a control system HMI; however, there is no technical control in place preventing such access or behavior
– This exposes a technical attack vector (i.e. unauthorized access from non-control-system elements)
• When a Non-Technical Control is lacking, the technical control will only provide so much protection
– Example: Firewalls are in place to prevent operators from surfing the web from a control system HMI; however, there is no non-technical control in place stating you shouldn’t change the HMI’s network port access to the other side of the firewall
– This exposes a non-technical attack vector (i.e. a social engineering type attack)
• How much security is enough security?
– The amount of security in a system should rise to meet a corporation’s level of risk tolerance.
– In theory, the more security that is properly designed and deployed in a system, the lower the amount of risk that should remain.
EPIC Security FAIL!
• Failure to follow good design principles may have unintended consequences.
• Safety systems may or may not help, depending on the infrastructure.
Consequences: ICS Network Issues
• ICS Network issues are much more than “data loss” - there are real world, physical consequences
• You cannot fix these “issues” by restoring from backups…
Just because you can…doesn’t always mean you should
NOTE: This will be deadly
Industrial Network Security Trends – Map: Evolving Standards
[Figure: timeline of standards and bodies across PAST, PRESENT and FUTURE: Industry (NERC, AGA, API, CIDX, AWWA, etc.), FERC, NIST, NIST 800, ISA, ISA S99, IEC 62443, EuroSCSIE, INL, DHS, ICS-CERT, Rail & Transport, W & WW, EU Regulations, SmartGrid component]
Industrial Network Security Trends – Industry Standards
• International Society of Automation & IEC – ISA-99
– Industrial Automation and Control System (IACS) Security
– Defense-in-Depth
– DMZ Deployment
• National Institute of Standards and Technology – NIST 800-82
– Industrial Control System (ICS) Security
– Defense-in-Depth
– DMZ Deployment
• Department of Homeland Security / Idaho National Lab – DHS INL/EXT-06-11478
– Control Systems Cyber Security: Defense-in-Depth Strategies
– Defense-in-Depth
– DMZ Deployment
Defense-in-Depth – Multiple Layers to Protect the network and Defend the edge
• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors
• Network Security – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
• Computer Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services
• Application Security – authentication, authorization, and audit software
• Device Hardening – change management and restrictive access
[Figure: Defense in Depth Security Model with layers Physical, Network, Computer, Application and Device]
Defense-in-Depth – Physical Security - Examples
• Physical Security Plan — create and maintain a physical security plan (PSP)
• Physical Access Controls - document and implement the operational and procedural controls to manage physical access at all access points to the PSP’s twenty-four hours a day, seven days a week.
– Card Key
– Special Locks
– Security Personnel
– Other Authentication Devices (Biometric, keypad, token, etc)
• Panduit Keyed LC deployments
– Lock-In (left)
– Blockout (right)
– Prevents unintentional moves, adds, and changes
Defense-in-Depth – Computer Hardening - Examples
• Security Patch Management - establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches
– Keep computers up-to-date on service packs and hot fixes
  • Disable automatic updates
  • Check software vendor website
  • Test patches before implementing
  • Schedule patching during downtime
– Deploy and maintain Anti-X (antivirus, antispyware, etc.) and malware detection software
  • Disable automatic updates and automatic scanning
  • Test definition updates before implementing
  • Schedule manually initiated scanning during downtime
• Uninstall unused Windows components
– Protocols and Services
• Protect unused or infrequently used USB, parallel or serial interfaces
Defense-in-Depth – Controller Hardening - Examples
• Physical procedure:
– Restrict control panel access to authorized personnel
– Switch the Logix Controller key to “RUN”
• Electronic design:
– Logix Controller CPU Lock feature
– Logix Controller Source Protection
– Authentication, authorization and audit (AAA) by implementing FactoryTalk Security
– Change Management with disaster recovery: FactoryTalk AssetCentre
Defense-in-Depth – Application Security - Examples
• Primarily AAA
– Authenticate
– Authorize
– Audit
• Reduce Security if
– One Login
  • Computer
  • Network
  • Application
Defense-in-Depth – Network Security
• Comprehensive Network Security Model for Defense-in-Depth
• Security is not a bolt-on component
• Industrial Security Policy
• Implement DMZ
• Engage the experts Network & Security Services team
• Remote/Partner Access Policy, with robust & secure implementation
Network Security Services Must Not Compromise Operations of the Cell/Area Zone
Industrial and IT Network Convergence – Logical Infrastructure Framework
[Figure: Level 5 Enterprise Network and Level 4 Site Business Planning and Logistics Network (E-Mail, Intranet, etc.) in the Enterprise Security Zone; a DMZ between two Firewalls holding Terminal Services, Patch Management, AV Server, Application Mirror, Web Services Operations and an Application Server; the Industrial Security Zone with Level 3 Site Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller), and the Cell/Area Zone with Level 2 Area Supervisory Control (FactoryTalk Client, Operator Interface, Engineering Workstation), Level 1 Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control) and Level 0 Process (Sensors, Drives, Actuators, Robots). Web and E-Mail traffic at the top, CIP at the bottom.]
• Network Segmentation
• Demarcation Line for: Security Policies, Quality of Service Policies, Multicast Groups.
Defense-in-Depth – Demilitarized Zone (DMZ)
• Industrial Security Policy
• All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ
• No primary services are permanently housed in the DMZ
• DMZ shall not permanently house data
• Be prepared to “turn-off” access via the firewall
• No control traffic into the DMZ – Industrial Protocols stay at home.
• Application Data Mirror
[Figure: Enterprise Security Zone, Disconnect Point, DMZ (Replicated Services), Disconnect Point, Industrial Security Zone; No Direct Traffic across the DMZ]
Secure Remote Access – Solution is Application Driven
• Industrial application within a greater Enterprise
– Larger manufacturer with production (industrial) and business (IT) systems integration
– Requirements
  • IT presence, defense-in-depth requirement, alignment with Industrial Security Standards
– Recommended Solution
  • Rockwell Automation & Cisco Secure Remote Access solution, Rockwell Automation Network and Security Services
[Figure: Plantwide Systems and Enterprise Systems connected over a WAN to a Remote Site, Plant Engineer, Machine Builder and System Integrator]
Secure Remote Access – Converged Plantwide Ethernet (CPwE) Architectures
• Logical framework
• Industrial and IT network convergence
• Hierarchical segmentation
– Scalability
– Resiliency
– Traffic management
– Policy enforcement
• Security policies
– Defense-in-depth
• Secure remote access
[Figure: Secure remote access through the CPwE architecture. A Remote Engineer or Partner on the Internet uses the Cisco VPN Client (IPSEC VPN) or an SSL VPN over HTTPS to reach the Enterprise Edge Firewall, Enterprise WAN and Enterprise Data Center; an Enterprise-Connected Engineer comes in from the Enterprise Zone (Levels 4 and 5). The plant DMZ holds Cisco ASA 5500 firewalls (Active and Standby, Gbps link for failover detection) with IPS, plus Patch Management, Terminal Services, Application Mirror and AV Server. The Remote Access Server (RSLogix 5000, FactoryTalk View Studio) is reached over Remote Desktop Protocol (RDP). The Industrial Zone, Site Operations and Control (Level 3), holds the Catalyst 6500/4500, FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), Data Servers and a Catalyst 3750 StackWise Switch Stack; EtherNet/IP continues into the Cell/Area Zones (Levels 0–2).]
Secure Remote Access – CPwE - Solution
• Secure remote access for employees and trusted partners such as machine builders and system integrators
• Meeting the security requirements of IT while enabling manufacturers to leverage shared, distributed company resources and trusted partners
• Management of assets - monitor, configure and audit
• Simplifies change management, version control, regulatory compliance, and software license management
• Network and application authentication and authorization
• Simplifies remote client health management
Secure Remote Access – CPwE - Solution
1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall
2. Portal on plant firewall enables access to industrial application data and files
– Intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host
3. Firewall proxies a client session to remote access server
4. Access to applications on remote access server is restricted to specified plant floor resources through industrial application security
[Figure: the secure remote access architecture with each step marked along the path from the Remote Engineer or Partner (Cisco VPN Client, IPSEC VPN or SSL VPN over HTTPS) through the Enterprise Edge Firewall, the plant DMZ firewall (Cisco ASA 5500 with IPS) and the Remote Access Server (RSLogix 5000, FactoryTalk View Studio, over Remote Desktop Protocol) to the Industrial Zone and Cell/Area Zones]
SECURITY IN SUMMARY
Reviewing the lessons, application to the future and verification of success
Steps to Increasing Security
1. Create a Program
NOTE: This is different than an Enterprise Security Program.
“Programs” drive accountability, action and responsibility.
Steps to Increasing Security (cont)
2. Know what you have in your process
•Every control system event must be coded. EVERY ONE!
•This means that almost every network event can be predicted
– Some exceptions, like ARP, NetBIOS traffic, etc.
•If it can be predicted, it can be whitelisted and authorized via tiered firewall rule sets and layer 3 access control lists (ACLs)
•If these can be whitelisted, other network events can be tuned for disclosure in intrusion detection and prevention systems (IDS/IPS)
Knowing what you have in your process allows for the creation of a defensible network architecture and response posture
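Step 2 in working form, as an added example that is not from this deck or from Rockwell or Cisco: an enumerated allowlist of expected Cell/Area Zone conversations is checked against constructed flow records; expected flows become IOS-style ACL permits, unexpected ones become alerts to tune the IDS/IPS on, and the unpredictable traffic the slide names (ARP, NetBIOS) is exempted. Host addresses and records are made up; the ports are the standard EtherNet/IP ports (TCP 44818 explicit messaging, UDP 2222 implicit I/O).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp", or a non-IP label such as "arp"
    dport: int

# Constructed inventory of expected conversations; hosts are made up, ports are
# the standard EtherNet/IP ports (TCP 44818 explicit CIP, UDP 2222 implicit I/O).
EXPECTED = {
    Flow("10.20.1.10", "10.20.1.50", "tcp", 44818),  # HMI -> controller
    Flow("10.20.1.50", "10.20.1.60", "udp", 2222),   # controller -> I/O
    Flow("10.20.1.60", "10.20.1.50", "udp", 2222),   # I/O -> controller
}
# Traffic the slide calls unpredictable (ARP, NetBIOS): exempt from alerting.
EXEMPT_PROTOS = {"arp", "netbios"}

def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst proto dport' flow record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def acl_entry(flow: Flow, action: str) -> str:
    """Render one flow as an IOS-style extended ACL entry (syntax only)."""
    return f"{action} {flow.proto} host {flow.src} host {flow.dst} eq {flow.dport}"

def build_acl(lines):
    """Expected flows -> deduplicated permits plus a final logged deny;
    anything else -> an alert line, i.e. an IDS/IPS tuning candidate."""
    permits, alerts = {}, []
    for line in lines:
        flow = parse_flow(line)
        if flow.proto in EXEMPT_PROTOS:
            continue
        if flow in EXPECTED:
            permits.setdefault(acl_entry(flow, "permit"), None)
        else:
            alerts.append("unexpected: " + acl_entry(flow, "deny"))
    return list(permits) + ["deny ip any any log"], alerts

# Constructed flow records, such as a summary of a switch SPAN capture.
SAMPLE = [
    "10.20.1.10 10.20.1.50 tcp 44818",
    "10.20.1.50 10.20.1.60 udp 2222",
    "10.20.1.10 10.20.1.50 arp 0",
    "10.20.1.99 10.20.1.50 tcp 44818",  # unlisted host talking CIP to the PLC
    "10.20.1.10 10.20.1.50 tcp 44818",  # repeat, deduplicated
]
```

Running `build_acl(SAMPLE)` yields two permits, the closing deny, and one alert for the unlisted host.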
REMEMBER: Security is about variable management.
Steps to Increasing Security (cont)
3. Harden your endpoints
•Enable the security features of products implemented in the environment!
•Configure what you already have in the environment
– Most Microsoft Windows platforms now support firewalls. Use them.
– Enable Infrastructure & Application security features (Active Directory features, etc.)
– Enable Control System software and hardware security features (key switch, etc.)
•Through the processes created in the Industrial Control System Security Program (see step 1), maintain ICS life cycle by enacting:
– Endpoint Protection updates (patches, virus definitions, host IDS/IPS signatures, etc.)
– Change and Configuration management
Variables: Good guys need to manage all of them.
The bad guys only need one variable for compromise…
Steps to Increasing Security (cont)
4. Audit the Environment
Design/Implementation Audits
•Configuration audits to verify that end states conform to the Conceptual and Detailed Design projects
•Very important as “things change” during implementation
Safety Audits
•Many times required by regulation – now part of the common “culture”
Security Audits
•Many times required by regulation (depending on industry)
•Ensures proper security management going forward (i.e. hire/fire procedures, governance and security programs, etc.)
•Security should be and will be part of the common “culture”
Steps to Increasing Security (cont)
5. Monitor the Systems
SI VIS PACEM, PARA BELLUM
If you wish for peace, prepare for war.
•Infrastructure: double-edged sword
– The purveyance of an attack (vector)
– Greatest asset in digital protection (mitigation)
•Many Commercial & FOSS packages available to assist
– Multi-Tier and Distributed UTM and Intrusion Detection/Prevention Systems
– Distributed packet capture, Syslog, SNMP, Nagios and various management apps
If you wish for a stable, secure network, prepare for the day your network completely falls apart, fails, and turns against you.
Complacency Kills – 100% Vigilance is REQUIRED
The End…for now…
• Go Beyond Defense-in-Depth: no single methodology nor technology fully secures industrial networks.
• This is a people problem too!
– Industrial Control Systems Security Programs are uniquely different from Enterprise Security Programs
– Work with security expert Services team and establish an open dialog between Manufacturing and IT
Industrial Network Security
Design and Implementation Considerations
• Implement Defense-in-Depth approach: no single product, methodology, nor technology fully secures industrial networks
• Align with Industrial Automation and Control System Security Standards
– DHS External Report # INL/EXT-06-11478, NIST 800-82, ISA-99
• Establish an open dialog between Industrial and IT groups
• Establish an Industrial security policy, unique from enterprise security policy
• Establish a DMZ between the Enterprise and Industrial Zones
• Keep FactoryTalk applications and Services Platform within the Industrial Zone
• Deploy a methodology and/or procedure to buffer production data to and from the Enterprise Zone in the event DMZ connectivity is disrupted
• Work with your vendor Network and Security Services team
Additional Material
ODVA
• Website: http://www.odva.org/
• Media Planning and Installation Manual – http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00148R0_EtherNetIP_Media_Planning_and_Installation_Manual.pdf
• Network Infrastructure for EtherNet/IP: Introduction and Considerations – http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00035R0_Infrastructure_Guide.pdf
• Device Level Ring – http://www.odva.org/Portals/0/Library/CIPConf_AGM2009/2009_CIP_Networks_Conference_Technical_Track_Intro_to_DLR_PPT.pdf
• The CIP Advantage – http://www.odva.org/default.aspx?tabid=54
Additional Material
Cisco and Rockwell Automation Alliance
• Website – http://www.ab.com/networks/architectures.html
• Design Guides – CPwE DIG 2.0
• Education Series
• Whitepapers
– Securing Manufacturing Computer and Controller Assets
– Production Software within Manufacturing Reference Architectures
– Achieving Secure Remote Access to Plant Floor Applications and Data
Additional Material
Cisco and Rockwell Automation Alliance
• Education Series Webcasts
– The Trend - Network Technology and Cultural Convergence
– What every IT professional should know about Plant Floor Networking
– What every Plant Floor Controls Engineer should know about working with IT
– Industrial Ethernet: Introduction to Resiliency
– Fundamentals of Secure Remote Access for Plant Floor Applications and Data
– Securing Architectures and Applications for Network Convergence
– Available Online
• http://www.ab.com/networks/architectures.html
Questions?