ics security from the plant floor up - a controls engineers approach to securing plant floor...
DESCRIPTION
The presentation covers assessment, implementation methodology, and current level of success for addressing four key objectives which are protecting the controls fieldbus (networks) from untrusted networks (domain), secure and safe remote support capability from both inside and outside of the company, control supplier access to manufacturing equipment when onsite, and protect manufacturing systems from Malware and intrusion. This system isn’t theoretical, it’s in broad use and full critical production. If the time and connectivity is available a quick remote access demonstration can be given. The presentation will wrap up with a series of thoughts and ideas that occur to me regarding security in general as I listen to other organizations and groups talking about various security needs and activities.TRANSCRIPT
1
ICS Security from the Plant Floor Up
A Controls Engineers Approach to Securing Plant Floor Networks
Jeffrey Smith
2
Less than a minute of blather about
Jeffrey Smith
3
Nothing. Zero. Nada. Zip.
How much do I want to spend?
4
ICS Security
1. Assess our current posture
2. Define key objectives for which to develop a solution to improve that posture.
5
Key Objective #1
Protect the manufacturing controls networks (EtherNet/IP fieldbus) from the
enterprise networks (untrusted networks)
and they from us.
6
Key Objective #1
Isolate the Controls Fieldbus from the Enterprise network through two different Firewalls, one managed by IT, one by Controls.
EtherNet/IP Fieldbus
IT Firewall
Zenwall-5Controls FirewallIndustrial Protocol DPI
IT SPACE
CONTROLS
Key Objective #2
Secure and Safe Remote Support Capability from inside and outside the company
7
8
Key Objective #3
Control and track supplier access to Manufacturing Control Systems when onsite in one of our facilities
9
Supplier Support Login
10
Key Objective #4
Protect manufacturing systems from malware attack by removing PC(s) from or isolating them on the controls network.
Whitelist where applicable.
11
Say NO to PCs on your Fieldbus
Friends don’t let friends put PC(s) on Controls Networks
Computer
12
Move the PCs to the EnterpriseENTERPRISE NETWORK
13
Line Topology
14
Station Topology
PanelView PlusCompactLogix L3x ERM
Kinetix 6500 Servos
EtherNet/IP – Device Level Ring (DLR)
PowerFLEX 755 VFD
OP90
E-TAP
Torque Tool
HMS Gateway
OptionalE-TAP173x AENT
Numatics G3
EtherNet/IP Ring Link
OP100 OP80
UPLINK #2TO MACH 102
STATION DEVICE LEVEL RING (DLR) TOPOLOGY
EtherNet/IP Ring Link
15
PC at the Edge…If you must.
16
17
“Deep thoughts” by Jeff Smith
18
10 Ton Security Model
DMZ!
ACL!
DPI
19
Assessment is Critical
We don’t build rockets…you might.
20
Ethernet based Fieldbus
Is still young, it has long way to grow and it’s a long way from mature when
compared to it’s IT counterpart.
21
Can we move to Ethernet?
•Many companies, small to large, are just looking at making a move to an Ethernet based fieldbus.
•What’s the value proposition of Ethernet if we are pushing a huge security posture on them at the same time?
22
Controls Engineers
•Many don’t have experience with Ethernet based controls networks.
•Companies are tight with training dollars, more are forcing their support staff to learn via OJT even though technology growth is raging.
23
Migrating the “Ethernetly” Challenged
Are you helping? What does your “Convert Legacy Fieldbus X to an
Ethernet fieldbus” Engineering Plan look like?
24
Shore up the foundation
Perhaps for those who have taken a “swag” at Ethernet based fieldbus, the
correct approach to TLC is to help them “fix” their strategy for Control System Ethernet and then help them
secure it.
TLC = Total Landed Cost
25
Air Gapped?
Is there *REALLY* such a thing?
26
Pssst! We can do Controls Stuff…
When talking about security, let’s capitalize on our seemingly forgotten skillset of hardwired safety/security.
Might not be a singular product purchased from a shelf, but it is value
controls can bring to the table.
It’s our cockpit door.
27
If we had a little money left…
“Replace all unmanaged switches with managed switches.”
28
How to get started?
Do something, a little today, and more tomorrow.
Eat the elephant one bite at a time.
29
Not enough people talking about Detection and Fast Recovery.
If we agree we will never stop every attack, shouldn’t we spend time on detection and
recovery?
Detection and Recovery
30
This year, the first production vehicle will be released that uses Ethernet instead of CAN as it’s primary vehicle communications network.
Nervous? I am.
Ethernet in Automobiles
31
Forensic Diagnostics
Diagnostics
32
What do I look for?
ICS Security Appliance
33
Controls Security Appliance
•Fast, Low Latency Deep Packet Inspection of Industrial Protocols
•Ability to easily configure and manage firewall rules without needing a degree in “firewall”
•Horsepower to spare, with the ability to lay in changes without interrupting performance.
34
ICS Security Appliances
•Can’t require an IT person at 2:00am when the line is down.
•Best way to introduce yourself and your new wiz-bang security “stuff” to the plant manager is to take the line down OR prevent the 2:00am support staff from bringing it back up.
35
ICS Security Appliances
You won’t forget him and he won’t forget you or your security #%^!&%#*%.
And you thought CapEx funding of security initiatives was challenging before.…
36
ICS Security Appliances
•Must have easily replicatable configurations
•Must be scalable from small to large
•Must have reasonable pricing models to accompany their scalability
37
Security = Risk Mitigation
I’m often asked “How much security is enough?”
“Whatever you need to mitigate the risk you can’t live with.”
38
I can make up answers to any…
Questions?