routeco cyber security and secure remote access 1 01

IACS Network Security & Secure Remote Access. Guy Denis [email protected], Rockwell Automation Alliance Manager Europe, www.cisco.com/go/security, 11th Feb 2014

Uploaded by routecomarketing, posted 16-Jul-2015, category: Engineering

TRANSCRIPT

Page 1: Routeco cyber security and secure remote access 1 01

IACS Network Security & Secure Remote Access

Guy Denis [email protected]

Rockwell Automation Alliance Manager Europe

www.cisco.com/go/security

11th Feb 2014

Page 2: Routeco cyber security and secure remote access 1 01

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

On average, there is a ratio of 15:1 industrial devices to enterprise devices within a manufacturing plant.

Industrial devices: meter, sensor, machines, vehicles, robots, HMI, I/O, controller/PLC, scanner, phone, RFID tag

Enterprise devices: IP phone, PC, printers, servers

“As manufacturers replace legacy network systems and look for areas to streamline on a common solution, ARC sees a tremendous opportunity for growth of EtherNet/IP applications,” according to Craig Resnick, Research Director, ARC Advisory Group

Page 3: Routeco cyber security and secure remote access 1 01


Potential Disruptions

• Theft

• Unintended employee action

• Natural or man-made disaster

• Unauthorized contractor actions

• Security patches

• Worms, viruses, malware

• Denial of service

• Sabotage

• Unauthorized access

• Unauthorized employee action

Page 4: Routeco cyber security and secure remote access 1 01


Stuxnet – a wake-up call. Breakdown of Stuxnet by Ralph Langner, German control systems security consultant: http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html

F-Secure wrap-up on Stuxnet: http://www.youtube.com/watch?v=gFzadFI7sco

Page 5: Routeco cyber security and secure remote access 1 01


Page 6: Routeco cyber security and secure remote access 1 01


• Fragile TCP/IP stacks – devices lock up under NMAP scans or ping sweeps

• Little or no device level authentication

• Poor network design – hubs, unmanaged switches

• Windows based IA servers – patching, legacy OS

• Unnecessary services running – FTP, HTTP

• Open environment, no port security, no physical security of switch, Ethernet ports

• Limited auditing and monitoring of access to IA devices

• Unauthorised use of HMI, IA systems for browsing, music/movie downloads

• Lack of IT expertise in IA networks, many blind spots

Page 7: Routeco cyber security and secure remote access 1 01

Defense in Depth Approach

Page 8: Routeco cyber security and secure remote access 1 01


[Figure: plant-wide reference architecture, with the labels shown on the slide]

• Cell/Area Zone (Levels 0–2, Layer 2 access): IE3000/3010/2000 Layer 2 access switches; drives, controllers, HMIs and distributed I/O in Cell/Area #1 (redundant star topology), Cell/Area #2 (ring topology) and Cell/Area #3 (linear topology). Requirements: real-time control, fast convergence, traffic segmentation and management, ease of use.

• Manufacturing Zone (Level 3, distribution and core): Cisco Catalyst 6500/4500 and Cisco Catalyst 3750X StackWise switch stack; Cisco Catalyst switch network services; SCADA application and services servers. Requirements: site operations and control, multi-service networks, network and security management, routing.

• Demilitarized Zone (DMZ) firewalls: Cisco ASA 5500, firewall (active) and firewall (standby) with a Gbps link for failover detection; patch management, terminal services, application mirrors, AV servers. Requirements: application and data share, access control, threat protection.

• Enterprise Network (Levels 4–5): enterprise/IT integration, collaboration, wireless, application optimization; web apps, DNS, FTP; Internet.

Page 9: Routeco cyber security and secure remote access 1 01


• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors

• Network Hardening – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers

• End-point Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services

• Application Security – authentication, authorization, and audit software

• Device Hardening – change management and restrictive access

[Figure: Defense in Depth layers – Physical, Network, Computer, Device, Application]

Page 10: Routeco cyber security and secure remote access 1 01


• Security is not a bolt-on component

• Comprehensive Network Security Model for Defense-in-Depth

• Industrial Security Policy

• DMZ Implementation

• Design Remote Partner Access Policy, with robust & secure implementation

Page 11: Routeco cyber security and secure remote access 1 01

Secure Network Architectures for Industrial Control Systems

Page 12: Routeco cyber security and secure remote access 1 01


Panduit/RA Physical Layer Reference Architectures Design Guide (PSL-DCPL, PSL-DCJB)

Page 13: Routeco cyber security and secure remote access 1 01


• All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ

• Application Data Mirror

• No primary services are permanently housed in the DMZ

• DMZ shall not permanently house data

• No control traffic into the DMZ

• Be prepared to “turn-off” access via the firewall

[Figure: Enterprise Security Zone – disconnect point – DMZ replicated services – disconnect point – Industrial Security Zone; no direct traffic between the two zones]

Page 14: Routeco cyber security and secure remote access 1 01


[Figure: plant architecture mapped to the Purdue Reference Model (ISA-95) and the Industrial Security Standard (ISA-99)]

• Enterprise Zone – Level 5: Enterprise Network (Web, E-Mail); Level 4: Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)

• Firewall

• DMZ: Terminal Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server

• Firewall

• Process Control Domain – Level 3: Site Manufacturing Operations and Control (SCADA App Server, SCADA Directory, Engineering Workstation, Domain Controller)

• Process Control Network (CIP) – Level 2: Area Supervisory Control (SCADA Client, Operator Interface, Engineering Workstation); Level 1: Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control); Level 0: Process (Sensors, Drives, Actuators, Robots)

Page 15: Routeco cyber security and secure remote access 1 01


1. Firewall Services (Segmentation, Isolation)

2. Application Services (Behavior Enforcement, Application Intelligence and Awareness, Gateway Capabilities)

3. Logging and Historical Services (Traffic, Event histories)

4. Encryption and Data Integrity Services (remote access, and secure channels for data transfer)

5. IPS/IDS Services (deep packet inspection – Sourcefire and Wurldtech Industrial Signatures)

6. Malware Detection and Filtering (deep packet and URL inspection)

Page 16: Routeco cyber security and secure remote access 1 01


[Figure: security technologies placed against the levels – products shown: VPN, VDI, WSA, IPS, ASA-CX, ASA, ISE, 1783-SR; zones: Enterprise Zone (Levels 5 and 4), DMZ, PCD / Manufacturing Zone (Level 3), PCN / Cell/Area Zone (Levels 2, 1 and 0)]

Page 17: Routeco cyber security and secure remote access 1 01

Secure Remote Access

Page 18: Routeco cyber security and secure remote access 1 01


Use Stratix 5900 (1783-SR)

NOT this (or similar such item)

Page 19: Routeco cyber security and secure remote access 1 01


Defense in Depth: security technologies applied between remote engineers and partners and plant floor applications and data

• Authentication, Authorization and Accounting

• Access Control Lists (ACLs)

• Secure Browsing (HTTPS)

• Intrusion Protection and Detection

• Remote Terminal Session

• Application Security

• VLANs

Page 20: Routeco cyber security and secure remote access 1 01


[Figure: remote site WAN router connected over the WAN to the plant site WAN router; users shown: plant engineer, skid builder, system integrator]

• Stand-alone Remote Industrial Application – example: remote site

Requirements: connection out from the plant, direct access; little to no IT support, little to no alignment with Industrial Automation and Control System security standards

Potential solution: IPsec VPN, DMVPN, FlexVPN – ASA 5515 and/or STX 5900 (1783-SR) / 819 ISR; IPsec, x many

Page 21: Routeco cyber security and secure remote access 1 01

[Figure: plant network product placement – Enterprise Zone: enterprise network (ERP, email, wide area network (WAN)); Manufacturing Zone: FactoryTalk applications and services, 8300 managed Layer 3 switch, 5900 industrial services router; Cell/Area Zones #1–#4: 8000 managed Layer 2 switch (ring topology), 5700 managed Layer 2 switch (star topology), ETAP embedded Layer 2 switch (ring topology), embedded Layer 2 switch (linear topology), 5100 802.11n dual-band access point, lightweight AP (LWAP), AP as workgroup bridge (WGB), mobile user]

Page 22: Routeco cyber security and secure remote access 1 01


[Figure: secure remote access architecture, with the labels shown on the slide]

• Enterprise Zone (Levels 4 and 5): Internet, enterprise WAN, enterprise data center, enterprise edge firewall; remote engineer or partner (Cisco VPN client, HTTPS) and enterprise-connected engineer

• Demilitarized Zone (DMZ): Cisco ASA 5500, firewall (active) and firewall (standby) with Gbps link for failover detection; patch management, terminal services, application mirror, AV server

• Manufacturing Zone (Level 3, Site Manufacturing Operations and Control): Catalyst 6500/4500, Catalyst 3750 StackWise switch stack; remote access server (RSLogix 5000, FactoryTalk View Studio) reached over Remote Desktop Protocol (RDP); FactoryTalk application servers (View, Historian, AssetCentre, Transaction Manager); FactoryTalk Services Platform (Directory, Security/Audit); data servers

• Cell/Area Zones (Levels 0–2): EtherNet/IP

• VPN types shown: IPsec VPN, SSL VPN

1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall

2. Portal on plant firewall enables access to IACS data, files and applications

– Intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host

3. Firewall proxies a client session to remote access server

4. Access to applications on remote access server is restricted to specified plant floor IACS resources through IACS application security
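Worked example, added here and not part of the slides or of any Cisco or Rockwell tooling: a small Python checker that encodes the DMZ rules from the earlier slide (all traffic terminates in the DMZ, no control traffic into the DMZ, be prepared to turn off access) together with step 1 of the remote-access flow above, and runs it over a constructed list of observed flows the way a firewall log review would. The zone names, the EtherNet/IP port numbers (from the EtherNet/IP specification, not from the slides) and the sample flows are my assumptions.

```python
from typing import NamedTuple

# Constructed zone model: "remote" is an engineer or partner on the VPN, enterprise is
# Levels 4-5, the DMZ sits between the two firewalls, manufacturing is Levels 0-3.
ZONES = {"remote", "enterprise", "dmz", "manufacturing"}
# EtherNet/IP control ports (TCP 44818 CIP explicit, UDP 2222 implicit I/O): never into the DMZ.
CONTROL_PORTS = {("tcp", 44818), ("udp", 2222)}

class Flow(NamedTuple):
    src: str    # source zone
    dst: str    # destination zone
    proto: str  # "tcp" or "udp"
    port: int   # destination port

def evaluate(flow, disconnected=False):
    """Return ("permit" | "deny", reason) for one proposed zone-to-zone flow."""
    if flow.src == flow.dst:
        return "permit", "intra-zone traffic is outside the DMZ policy"
    if disconnected:  # "be prepared to turn off access via the firewall"
        return "deny", "disconnect point active: plant isolated from the outside"
    if {flow.src, flow.dst} == {"enterprise", "manufacturing"}:  # must terminate in DMZ
        return "deny", "no direct enterprise<->manufacturing traffic"
    if flow.dst == "dmz" and (flow.proto, flow.port) in CONTROL_PORTS:
        return "deny", "no control traffic into the DMZ"
    if flow.src == "remote":  # step 1: VPN user reaches only the portal on the DMZ firewall
        if flow.dst == "dmz" and (flow.proto, flow.port) == ("tcp", 443):
            return "permit", "remote-access portal on DMZ firewall"
        return "deny", "remote users reach only the DMZ portal over HTTPS"
    if flow.dst == "remote":
        return "deny", "plant never initiates sessions to remote hosts"
    return "permit", "session terminates in the DMZ"  # e.g. firewall-proxied RDP (step 3)

def audit(flows, disconnected=False):
    """Flows a firewall log review should flag, each paired with the rule it breaks."""
    flagged = []
    for f in flows:
        verdict, why = evaluate(f, disconnected)
        if verdict == "deny":
            flagged.append((f, why))
    return flagged

# Constructed sample, as a review of the plant firewall's connection log might list it.
SAMPLE_FLOWS = [
    Flow("remote", "dmz", "tcp", 443),                # VPN user to portal: expected
    Flow("dmz", "manufacturing", "tcp", 3389),        # proxied RDP to remote access server: expected
    Flow("enterprise", "manufacturing", "tcp", 445),  # file share straight across zones: violation
    Flow("manufacturing", "dmz", "tcp", 44818),       # CIP into the DMZ: violation
    Flow("remote", "manufacturing", "tcp", 3389),     # VPN user bypassing the portal: violation
]
```

Running `audit(SAMPLE_FLOWS)` flags the last three flows; with `disconnected=True` every cross-zone flow is denied, which is the state the disconnect point is meant to produce.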

Page 23: Routeco cyber security and secure remote access 1 01


21 Steps to securing a SCADA network

1. Identify all connections to SCADA networks

2. Disconnect unnecessary connections to the SCADA network

3. Evaluate and strengthen the security of any remaining connections to the SCADA network

4. Harden SCADA networks by removing or disabling unnecessary services

5. Do not rely on proprietary protocols to protect your system

6. Implement the security features provided by device and system vendors

7. Establish strong controls over any medium that is used as a backdoor into the SCADA network

8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring

9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns

10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security

11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios

12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users

13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection

14. Establish a rigorous, ongoing risk management process

15. Establish a network protection strategy based on the principle of defense-in-depth

16. Clearly identify cyber security requirements

17. Establish effective configuration management processes

18. Conduct routine self-assessments

19. Establish system backups and disaster recovery plans

20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance

21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls

Source: http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf

Page 24: Routeco cyber security and secure remote access 1 01