routeco cyber security and secure remote access 1 01
TRANSCRIPT
IACS Network Security & Secure Remote Access
Guy Denis [email protected]
Rockwell Automation Alliance Manager Europe
www.cisco.com/go/security
11th Feb 2014
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
On average, there is a ratio of 15:1 industrial devices to enterprise devices within a manufacturing plant
Industrial Devices
Meter
Sensor
Machines Vehicles
Robots
HMI I/O Controller/PLC
Scanner Phone RFID Tag
Enterprise Devices
IP Phone PC Printers Servers
“As manufacturers replace legacy network systems and look for
areas to streamline on a common solution, ARC sees a tremendous
opportunity for growth of EtherNet/IP applications,” according to
Craig Resnick, Research Director, ARC Advisory Group
Theft Unintended employee action
Natural or manmade disaster
Unauthorized contractor actions
Security patches
Worms, viruses, malware
Denial of service Sabotage
Unauthorized access
Unauthorized employee action
Potential Disruptions
Stuxnet – a wake-up call. Ralph Langner's breakdown of Stuxnet: http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
Ralph Langner, German control systems security consultant
F-Secure wrap-up on Stuxnet: http://www.youtube.com/watch?v=gFzadFI7sco
• Fragile TCP/IP stacks – an Nmap scan or a ping sweep can lock up a device
• Little or no device-level authentication
• Poor network design – hubs, unmanaged switches
• Windows-based IA servers – patching, legacy OS
• Unnecessary services running – FTP, HTTP
• Open environment – no port security, no physical security of switch and Ethernet ports
• Limited auditing and monitoring of access to IA devices
• Unauthorised use of HMI and IA systems for browsing, music/movie downloads
• Lack of IT expertise in IA networks, many blind spots
Defense in Depth Approach
Real–Time Control
Fast Convergence
Traffic Segmentation and Management
Ease of Use
Site Operations and Control
Multi-Service Networks
Network and Security Management
Routing
Application and Data share
Access Control
Threat Protection
Gbps Link for Failover Detection
Firewall (Active)
Firewall (Standby)
SCADA Application
and Services Servers
Cisco
ASA 5500
Cisco
Catalyst Switch
Network Services
Cisco Catalyst
6500/4500
Cisco Cat. 3750X
StackWise Switch Stack
Patch Management, Terminal Services, Application Mirrors,
AV Servers
Cell/Area #1 (Redundant Star
Topology)
Drive
Controller
HMI Distributed I/O
Controller
Drive Drive
HMI
Distributed I/O
HMI
Cell/Area #2 (Ring Topology)
Cell/Area #3 (Linear Topology)
IE3000/3010/2000
Layer 2 Access Switch
Controller
Enterprise/IT Integration
Collaboration
Wireless
Application Optimization
Cell/Area Zone
Levels 0–2
Layer 2 Access
Manufacturing Zone
Level 3
Distribution and Core
Demilitarized Zone
(DMZ) Firewalls
Enterprise Network
Levels 4–5
Web Apps DNS FTP
Internet
• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors
• Network Hardening – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
• End-point Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services
• Application Security – authentication, authorization, and audit software
• Device Hardening – change management and restrictive access
Defense in Depth
Computer
Device
Physical
Network
Application
• Security is not a bolt-on component
• Comprehensive Network Security Model for Defense-in-Depth
• Industrial Security Policy
• DMZ Implementation
• Design Remote Partner Access Policy, with robust & secure implementation
Secure Network Architectures for Industrial Control Systems
Panduit/RA Physical Layer Reference Architectures Design Guide
PSL-DCPL
PSL-DCJB
• All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ
• Application Data Mirror
• No primary services are permanently housed in the DMZ
• DMZ shall not permanently house data
• No control traffic into the DMZ
• Be prepared to “turn-off” access via the firewall
No Direct Traffic
Enterprise Security Zone
Industrial Security Zone
Disconnect Point
Disconnect Point
DMZ Replicated Services
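One way to check a plant firewall policy against the DMZ rules above, as an added example that is not part of the original deck and not code from Cisco or Rockwell: a small Python audit over a constructed, vendor-neutral rule list. The zone names, the rule fields, the list of permitted DMZ services and the sample rules are assumptions for illustration; the EtherNet/IP ports (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O) are the protocol's registered ports. The audit flags permits that cross enterprise and industrial zones directly, control traffic into the DMZ, and DMZ services that are not replicated services; a second function models the "turn-off" point by converting every permit that touches one zone into a deny.

```python
"""Audit a plant firewall policy against the IACS DMZ design rules.

Added example, not code from the deck. Zones, rule fields and the
sample rules are constructed for illustration.
"""
from dataclasses import dataclass, replace

ENTERPRISE, DMZ, INDUSTRIAL = "enterprise", "dmz", "industrial"

# EtherNet/IP (CIP) transports: TCP 44818 explicit messaging, UDP 2222 implicit I/O.
# Control traffic on these ports must never enter the DMZ.
CONTROL_PORTS = {("tcp", 44818), ("udp", 2222)}

# Services the DMZ is allowed to host: replicated / proxy services only
# (assumed port mapping; adjust to the site's actual DMZ services).
DMZ_SERVICES = {
    ("tcp", 3389): "terminal services (RDP)",
    ("tcp", 443): "HTTPS portal / application mirror",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp", "udp" or "ip"
    port: int     # destination port, 0 for any
    action: str   # "permit" or "deny"


def audit(rules):
    """Return (rule name, reason) for every permit that breaks a DMZ rule."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        # Traffic terminates in the DMZ: nothing crosses enterprise<->industrial directly.
        if {r.src, r.dst} == {ENTERPRISE, INDUSTRIAL}:
            findings.append((r.name, "direct enterprise<->industrial traffic bypasses the DMZ"))
        # No control traffic into the DMZ.
        elif r.dst == DMZ and (r.proto, r.port) in CONTROL_PORTS:
            findings.append((r.name, "control traffic (EtherNet/IP) permitted into the DMZ"))
        # Only replicated services are housed in the DMZ.
        elif r.dst == DMZ and (r.proto, r.port) not in DMZ_SERVICES:
            findings.append((r.name, "DMZ service not on the replicated-services list"))
    return findings


def disconnect(rules, zone):
    """'Turn off' one side of the DMZ: every permit touching `zone` becomes a deny."""
    return [
        replace(r, action="deny") if r.action == "permit" and zone in (r.src, r.dst) else r
        for r in rules
    ]


# Constructed sample policy: two good rules, three violations, a default deny.
SAMPLE_RULES = [
    Rule("ent-to-ts", ENTERPRISE, DMZ, "tcp", 3389, "permit"),           # RDP to terminal server: fine
    Rule("ind-to-ts", INDUSTRIAL, DMZ, "tcp", 3389, "permit"),           # fine
    Rule("ent-to-plc", ENTERPRISE, INDUSTRIAL, "tcp", 44818, "permit"),  # crosses the DMZ directly
    Rule("plc-to-mirror", INDUSTRIAL, DMZ, "udp", 2222, "permit"),       # CIP I/O into the DMZ
    Rule("ent-ftp-dmz", ENTERPRISE, DMZ, "tcp", 21, "permit"),           # FTP is not a replicated service
    Rule("default-deny", ENTERPRISE, INDUSTRIAL, "ip", 0, "deny"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
    print("after disconnecting the enterprise side:", audit(disconnect(SAMPLE_RULES, ENTERPRISE)))
```

Running the sample reports the three violating rules; after `disconnect(SAMPLE_RULES, ENTERPRISE)` only the industrial-side violation (CIP I/O into the DMZ) remains, which is the point of having a separate disconnect point on each side.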
Level 5
Level 4
Level 3
Level 2
Level 1
Level 0
Terminal Services
Patch Management
AV Server
Application Mirror
Web Services Operations
Application Server
Enterprise Network
Site Business Planning and Logistics Network E-Mail, Intranet, etc.
SCADA App
Server
SCADA Directory
Engineering Workstation
Domain Controller
SCADA Client
Operator Interface
SCADA Client
Engineering Workstation
Operator Interface
Batch Control
Discrete Control
Drive Control
Continuous
Process Control
Safety Control
Sensors Drives Actuators Robots
Enterprise Zone
DMZ
Process Control Domain
Process Control Network
Web E-Mail
CIP
Firewall
Firewall
Site Manufacturing Operations and Control
Area Supervisory Control
Basic Control
Process
Purdue Reference Model, ISA-95
Industrial Security Standard ISA-99
1. Firewall Services (segmentation, isolation)
2. Application Services (behavior enforcement, application intelligence and awareness, gateway capabilities)
3. Logging and Historical Services (traffic, event histories)
4. Encryption and Data Integrity Services (remote access, and secure channels for data transfer)
5. IPS/IDS Services (deep packet inspection – Sourcefire and Wurldtech industrial signatures)
6. Malware Detection and Filtering (deep packet and URL inspection)
VPN
VDI
WSA
IPS
ASA-CX
ASA
ISE
Level 5
Level 4
Level 3
Level 2
Level 1
Level 0
Level
3½
Enterprise Zone
DMZ
PCD /
Manufacturing Zone
PCN /
Cell / Area Zone
1783-SR
Secure Remote Access
Use Stratix 5900 (1783-SR)
NOT this (or similar such item)
Defense in Depth Security technologies applied
Authentication, Authorization and Accounting
Access Control Lists (ACLs)
Secure Browsing (HTTPS)
Intrusion Protection and Detection
Remote Terminal Session
Application Security
VLANs
Remote Engineers and Partners
Plant Floor Applications and Data
WAN
Plant Engineer Skid Builder
System Integrator
Remote Site
WAN Router
Plant Site
WAN Router
• Stand-alone Remote Industrial Application
Example: remote site
Requirements
Connection out from the Plant, direct access
Little to no IT support, little to no alignment with Industrial Automation and Control System security standards
Potential Solution
IPsec VPN, DMVPN, FlexVPN – ASA 5515 and/or Stratix 5900 (1783-SR) / 819 ISR
IPSec
X many
Cell/Area Zone #3 Cell/Area Zone #4
FactoryTalk
Applications
and Services Ring Topology
Cell/Area Zone #1 Cell/Area Zone #2
Manufacturing Zone
8000 Managed
Layer 2 Switch
ETAP - Embedded
Layer 2 Switch
Ring Topology
Enterprise Zone Enterprise
Network
5700 Managed
Layer 2 Switch
Star Topology
Embedded Layer 2
Switch Linear
Topology
Mobile User
Lightweight AP
(LWAP)
AP as Workgroup
Bridge (WGB)
ERP, Email, Wide Area
Network (WAN)
5100
802.11n – Dual Band
Access point
8300 Managed
Layer 3 Switch
5900 Industrial
Services Router
Levels 0–2 Cell/Area Zones
Demilitarized Zone (DMZ)
Demilitarized Zone (DMZ)
Enterprise Zone Levels 4 and 5
Manufacturing Zone Site Manufacturing Operations and Control Level 3
Internet
Enterprise Zone Levels 4 and 5
Enterprise WAN
Enterprise Data Center
Gbps Link Failover
Detection
Firewall (Active)
Firewall (Standby)
Patch Management Terminal Services Application Mirror AV Server
Cisco ASA 5500
Remote Access Server • RSLogix 5000 • FactoryTalk View Studio
Catalyst 6500/4500
Remote Engineer or Partner
Enterprise Connected Engineer
Enterprise Edge Firewall
HTTPS
Cisco VPN Client
Remote Desktop Protocol (RDP)
Catalyst 3750 StackWise
Switch Stack
EtherNet/IP
IPsec VPN
SSL VPN
FactoryTalk Application Servers
• View
• Historian
• AssetCentre
• Transaction Manager
FactoryTalk Services Platform
• Directory
• Security/Audit
Data Servers
1. The remote engineer or partner establishes a VPN to the corporate network; access is restricted to the IP address of the plant DMZ firewall
2. A portal on the plant firewall enables access to IACS data, files and applications
– The intrusion prevention system (IPS) on the plant firewall detects and protects against attacks from the remote host
3. The firewall proxies a client session (RDP) to the remote access server
4. Access to applications on the remote access server is restricted to specified plant floor IACS resources through IACS application security
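The path above can be verified from the firewall's connection log. As an added example that is not part of the deck and not a Cisco tool, the Python below parses constructed ASA-style "Built ... connection" lines (the format is approximated from the 302013 message; the lines are made up) and flags two deviations: a VPN client reaching any address other than the plant DMZ firewall portal (the restriction in step 1), and the remote access server reaching an IACS resource that is not on its allow-list (step 4). The VPN pool, the firewall and remote access server addresses (the server is assumed to sit in the DMZ) and the allow-list are assumptions for illustration.

```python
"""Detect remote-access flows that bypass the DMZ portal or the RAS allow-list.

Added example, not from the deck. Addresses and log lines are constructed.
"""
import re

VPN_POOL_PREFIX = "10.200.0."        # assumed address pool handed to corporate VPN clients
PLANT_DMZ_FIREWALL = "10.10.0.1"     # assumed portal address on the plant DMZ firewall
REMOTE_ACCESS_SERVER = "10.10.1.20"  # assumed remote access server (RSLogix 5000, FT View Studio)
# Assumed allow-list: IACS resources the remote access server may reach, address -> ports.
RAS_ALLOWED = {"10.20.3.10": {44818, 443}}  # FactoryTalk application server

# Approximation of the ASA 302013 "Built ... connection" message (constructed, not authoritative).
CONN_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) to "
    r"(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_conn(line):
    """Return the connection's fields, or None for lines that are not 'Built' records."""
    m = CONN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def check_remote_access(lines):
    """Return (alert, src, dst, dport) for flows that violate the remote-access path."""
    alerts = []
    for rec in filter(None, map(parse_conn, lines)):
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        # Step 1: a VPN client may only talk to the plant DMZ firewall portal.
        if src.startswith(VPN_POOL_PREFIX) and dst != PLANT_DMZ_FIREWALL:
            alerts.append(("vpn-client-bypassed-dmz-portal", src, dst, dport))
        # Step 4: the remote access server may only reach allow-listed IACS resources.
        if src == REMOTE_ACCESS_SERVER and dport not in RAS_ALLOWED.get(dst, set()):
            alerts.append(("ras-reached-unlisted-iacs-resource", src, dst, dport))
    return alerts


SAMPLE_LOG = [  # constructed lines: the first three are the intended path, the next two are violations
    "%ASA-6-302013: Built inbound TCP connection 1001 for outside:10.200.0.7/50123 (10.200.0.7/50123) to dmz:10.10.0.1/443 (10.10.0.1/443)",
    "%ASA-6-302013: Built outbound TCP connection 1002 for dmz:10.10.0.1/40001 (10.10.0.1/40001) to dmz:10.10.1.20/3389 (10.10.1.20/3389)",
    "%ASA-6-302013: Built outbound TCP connection 1003 for dmz:10.10.1.20/40002 (10.10.1.20/40002) to inside:10.20.3.10/44818 (10.20.3.10/44818)",
    "%ASA-6-302013: Built inbound TCP connection 1004 for outside:10.200.0.7/50124 (10.200.0.7/50124) to inside:10.20.3.10/44818 (10.20.3.10/44818)",
    "%ASA-6-302013: Built outbound TCP connection 1005 for dmz:10.10.1.20/40003 (10.10.1.20/40003) to inside:10.20.3.55/44818 (10.20.3.55/44818)",
    "%ASA-6-106023: Deny tcp src outside:10.200.0.9/51000 dst inside:10.20.3.10/44818",
]

if __name__ == "__main__":
    for alert in check_remote_access(SAMPLE_LOG):
        print(*alert)
```

On the sample, the VPN client's direct EtherNet/IP connection to the application server and the remote access server's connection to an unlisted controller address are reported; the portal, proxied RDP and allow-listed flows are not. In production the same two checks would be expressed as firewall policy first; the log check is how you confirm the policy behaves as the four steps describe.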
1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections to the SCADA network
3. Evaluate and strengthen the security of any remaining connections to the SCADA network
4. Harden SCADA networks by removing or disabling unnecessary services
5. Do not rely on proprietary protocols to protect your system
6. Implement the security features provided by device and system vendors
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
14. Establish a rigorous, ongoing risk management process
15. Establish a network protection strategy based on the principle of defense-in-depth
16. Clearly identify cyber security requirements
17. Establish effective configuration management processes
18. Conduct routine self-assessments
19. Establish system backups and disaster recovery plans
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls
21 Steps to securing a SCADA network
http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf