routeco cyber security and secure remote access 1 01

IACS Network Security & Secure Remote Access

Guy Denis [email protected]

Rockwell Automation Alliance Manager Europe

www.cisco.com/go/security

11th Feb 2014

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

On Average, there is a ratio of 15:1 Industrial

Devices to Enterprise within a manufacturing plant

Industrial Devices

Meter

Sensor

Machines Vehicles

Robots

HMI I/O Controller/PLC

Scanner Phone RFID Tag

Enterprise Devices

IP Phone PC Printers Servers

“As manufacturers replace legacy network systems and look for

areas to streamline on a common solution, ARC sees a tremendous

opportunity for growth of EtherNet/IP applications,” according to

Craig Resnick, Research Director, ARC Advisory Group

1

15


Theft Unintended employee action

Natural or manmade disaster

Unauthorized contractor actions

Security patches

Worms, viruses, malware

Denial of service Sabotage

Unauthorized access

Unauthorized employee action

Potential Disruptions


Stuxnet – a wake up call…. breakdown of Stuxnet http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html

Ralph Langner

German Control systems security

consultant

F-Secure wrap-up on Stuxnet

http://www.youtube.com/watch?v=gFzadFI7sco

http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html










• Fragile TCP/IP Stacks – NMAP, Ping Sweep lockup

• Little or no device level authentication

• Poor network design – hubs, unmanaged switches

• Windows based IA servers – patching, legacy OS

• Unnecessary services running – FTP, HTTP

• Open environment, no port security, no physical security of switch, Ethernet ports

• Limited auditing and monitoring of access to IA devices

• Unauthorised use of HMI, IA systems for browsing, music/movie downloads

• Lack of IT expertise in IA networks, many blind spots

Defense in Depth Approach


Real–Time Control

Fast Convergence

Traffic Segmentation and Management

Ease of Use

Site Operations and Control

Multi-Service Networks

Network and Security Management

Routing

Application and Data share

Access Control

Threat Protection

Gbps Link for Failover Detection

Firewall (Active)

Firewall (Standby)

SCADA Application

and Services Servers

Cisco

ASA 5500

Cisco

Catalyst Switch

Network Services

Cisco Catalyst

6500/4500

Cisco Cat. 3750X

StackWise Switch Stack

Patch Management, Terminal Services, Application Mirrors,

AV Servers

Cell/Area #1 (Redundant Star

Topology)

Drive

Controller

HMI Distributed I/O

Controller

Drive Drive

HMI

Distributed I/O

HMI

Cell/Area #2 (Ring Topology)

Cell/Area #3 (Linear Topology)

IE3000/3010/2000

Layer 2 Access Switch

Controller

Enterprise/IT Integration

Collaboration

Wireless

Application Optimization

Cell/Area Zone

Levels 0–2

Layer 2 Access

Manufacturing Zone

Level 3

Distribution and Core

Demilitarized Zone

(DMZ) Firewalls

Enterprise Network

Levels 4–5

Web Apps DNS FTP

Internet

8


• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors

• Network Hardening – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers

• End-point Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services

• Application Security – authentication, authorization, and audit software

• Device Hardening – change management and restrictive access

Defense in Depth

Computer

Device

Physical

Network

Application

http://images.google.com/imgres?imgurl=http://upload.wikimedia.org/wikipedia/commons/thumb/4/4c/US_Department_of_Homeland_Security_Seal.svg/360px-US_Department_of_Homeland_Security_Seal.svg.png&imgrefurl=http://commons.wikimedia.org/wiki/Image:US_Department_of_Homeland_Security_Seal.svg&h=359&w=360&sz=82&hl=en&start=1&usg=__g68ZxZ1Czwnbm-C8k0D2deynJXk=&tbnid=fqr03iu-bFLMmM:&tbnh=121&tbnw=121&prev=/images?q=department+of+homeland+security&gbv=2&hl=en


• Security is not a bolt-on component

• Comprehensive Network Security Model for Defense-in-Depth

• Industrial Security Policy

• DMZ Implementation

• Design Remote Partner Access Policy, with robust & secure implementation

Secure Network Architectures for Industrial Control Systems


Panduit/RA Physical Layer Reference Architectures Design Guide

PSL-DCPL

PSL-DCJB


• All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ

• Application Data Mirror

• No primary services are permanently housed in the DMZ

• DMZ shall not permanently house data

• No control traffic into the DMZ

• Be prepared to “turn-off” access via the firewall

No Direct Traffic

Enterprise Security Zone

Industrial Security Zone

Disconnect Point

Disconnect Point

DMZ Replicated Services


1

5

Level 5

Level 4

Level 3

Level 2

Level 1

Level 0

Terminal Services

Patch Management

AV Server

Application Mirror

Web Services Operations

Application Server

Enterprise Network

Site Business Planning and Logistics Network E-Mail, Intranet, etc.

SCADA App

Server

SCADA Directory

Engineering Workstation

Domain Controller

SCADA Client

Operator Interface

SCADA Client

Engineering Workstation

Operator Interface

Batch Control

Discrete Control

Drive Control

Continuous

Process Control

Safety Control

Sensors Drives Actuators Robots

Enterprise Zone

DMZ

Process Control Domain

Process Control Network

Web E-Mail

CIP

Firewall

Firewall

Site Manufacturing Operations and Control

Area Supervisory Control

Basic Control

Process Purd

ue R

efe

rence M

odel, I

SA

-95

Indu

str

ial S

ecurity

Sta

ndard

IS

A-9

9


1.Firewall Services (Segmentation, Isolation)

2.Application Services (Behavior Enforcement, Application

Intelligence and Awareness, Gateway Capabilities)

3.Logging and Historical Services (Traffic, Event histories)

4.Encryption and Data Integrity Services (remote access, and

secure channels for data transfer)

5. IPS/IDS Services (deep packet inspection – Sourcefire and

Wurldtech Industrial Signatures

1.Malware Detection and Filtering (deep packet and URL

inspection


VPN

VDI

WSA

IPS

ASA-CX

ASA

ISE

Level 5

Level 4

Level 3

Level 2

Level 1

Level 0

Level

3½

Enterprise Zone

DMZ

PCD /

Manufacturing Zone

PCN /

Cell / Area Zone

1783-SR

Secure Remote Access


Use Stratix 5900 (1783-SR)

NOT this (or similar such item)


De

fen

se

in

De

pth

Se

cu

rity

te

ch

no

logie

s a

pp

lied

Authentication, Authorization and Accounting

Access Control Lists (ACLs)

Secure Browsing (HTTPS)

Intrusion Protection and Detection

Remote Terminal Session

Application Security

VLANs

Remote Engineers and Partners

Plant Floor Applications and Data


WAN

Plant Engineer Skid Builder

System Integrator

Remote Site

WAN Router

Plant Site

WAN Router

• Stand-alone Remote Industrial Application

Example: remote site

Requirements

Connection out from the Plant, direct access

Little to no IT support, little to no alignment with Industrial Automation and Control System security standards

Potential Solution

IPSecVPN, DMVPN,FlexVPN – ASA5515 and/or STX5900

1783-SR/819 ISR

IPSec

X many

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23 Cell/Area Zone #3 Cell/Area Zone #4

FactoryTalk

Applications

and Services Ring Topology

Cell/Area Zone #1 Cell/Area Zone #2

Manufacturing Zone

8000 Managed

Layer 2 Switch

ETAP - Embedded

Layer 2 Switch

Ring Topology

Enterprise Zone Enterprise

Network

5700 Managed

Layer 2 Switch

Star Topology

Embedded Layer 2

Switch Linear

Topology

Mobile User

Lightweight AP

(LWAP)

AP as Workgroup

Bridge (WGB)

ERP, Email, Wide Area

Network (WAN)

5100

802.11n – Dual Band

Access point

8300 Managed

Layer 3 Switch

5900 Industrial

Services Router


Levels 0–2 Cell/Area Zones

Demilitarized Zone (DMZ)

Demilitarized Zone (DMZ)

Enterprise Zone Levels 4 and 5

Manufacturing Zone Site Manufacturing Operations and Control Level 3

Internet

Enterprise Zone Levels 4 and 5

Enterprise WAN

Enterprise Data Center

Gbps Link Failover

Detection

Firewall (Active)

Firewall (Standby)

Patch Management Terminal Services Application Mirror AV Server

Cisco ASA 5500

Remote Access Server • RSLogix 5000 • FactoryTalk View Studio

Catalyst 6500/4500

Remote Engineer or Partner

Enterprise Connected Engineer

Enterprise Edge Firewall

HTTPS

Cisco VPN Client

Remote Desktop Protocol (RDP)

Catalyst 3750 StackWise

Switch Stack

EtherNet/IP

I P S

E C V

P N

S S

L V

P N

FactoryTalk Application Servers

• View

• Historian

• AssetCentre

• Transaction Manager

FactoryTalk Services Platform

• Directory

• Security/Audit

Data Servers

1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall

2. Portal on plant firewall enables access to IACS data, files and applications

– Intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host

3. Firewall proxies a client session to remote access server

4. Access to applications on remote access server is restricted to specified plant floor IACS resources through IACS application security


1. Identify all connections to SCADA networks

2. Disconnect unnecessary connections to the SCADA network

3. Evaluate and strengthen the security of any remaining connections to the SCADA network

4. Harden SCADA networks by removing or disabling unnecessary services

5. Do not rely on proprietary protocols to protect your system

6. Implement the security features provided by device and system vendors

7. Establish strong controls over any medium that is used as a backdoor into the SCADA network

8. Implement internal and external intrusion detection systems and establish 24-hour-a-day

incident monitoring

9. Perform technical audits of SCADA devices and networks, and any other connected

networks, to identify security concerns

10. Conduct physical security surveys and assess all remote sites connected to the

SCADA network to evaluate their security

11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios

12. Clearly define cyber security roles, responsibilities, and authorities for managers,

system administrators, and users

13. Document network architecture and identify systems that serve critical functions

or contain sensitive information that require additional levels of protection

14. Establish a rigorous, ongoing risk management process

15. Establish a network protection strategy based on the principle of defense-in-depth

16. Clearly identify cyber security requirements

17. Establish effective configuration management processes

18. Conduct routine self-assessments

19. Establish system backups and disaster recovery plans

20. Senior organizational leadership should establish expectations for cyber security

performance and hold individuals accountable for their performance

21. Establish policies and conduct training to minimize the likelihood that organizational

personnel will inadvertently disclose sensitive information regarding SCADA system

design, operations, or security controls

21 Steps to securing a SCADA network

http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf

http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf

routeco cyber security and secure remote access 1 01

Engineering

cisco confidential

cisco andor

services servers cisco

physical security of

monitoring of access

port security

legacy network systems

ia systems