• No results found

Securing The Connected Enterprise

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Securing The Connected Enterprise"

Copied!
19
0
0

Loading.... (view fulltext now)

Download now ( 19 Page )

Full text

(1)

PUBLIC

Securing The Connected Enterprise

Pack Expo 2015 – Las Vegas

Chelsea An

(2)

Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

Connected Enterprise

Control and Information Convergence

8

Scalable, robust, secure and

future-ready infrastructure:

Application

Software

Network

Internet of Things, Internet of Everything

(3)

MATERIAL &

TRANSPORT

INDUSTRIAL

“THINGS”

SCANNERS

PLCS &

PRINTERS &

LABEL SERVICES

SHOP FLOOR

PERSONNEL

MACHINES &

TESTERS

Real-time data:

alarms, events, states, energy, diagnostics, …

FINANCIALS

HR

LOGISTICS

QUALITY

WAREHOUSE

Transactional information:

orders, supply network, product design …

(4)

Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

Unintended

employee actions

Theft

Unauthorized actions

by employees

Unauthorized

access

Denial of

Service

Application of

Security patches

Unauthorized

remote access

Natural or Man-made

disasters

Sabotage

Worms and

viruses

Business

Risk

INFORMATION

OPERATIONS

Risks and Threats to Control Systems

Security risks increase potential for disruption to system uptime, safety operation, and a loss

of intellectual property.

(5)

Industrial Security Trends

Security Quips

"Good enough" security now, is better than "perfect" security ... never

(Tom West, Data General)

Security ultimately relies - and fails - on the degree to which you are

thorough. People don't like to be thorough. It gets in the way of being

done (Dave Piscitello)

Your absolute security is only as strong as your weakest link

Concentrate on known, probable threats

Security is not a static end state, it is an interactive process

(6)

Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

Tamper

Detection

Protection

Content

Policy Management

Access Control &

Detect & Record unwanted

Activity & Modifications to

the application

Protect viewing, editing, and

use of specific pieces of

control system content

Control Who, What, Where &

When access is allowed, to

which application & device

Secure Automation & Information

Defending the digital architecture

MUST BE IMPLEMENTED

AS A SYSTEM

INDUSTRIAL

SECURITY

Secure Network

Infrastructure

Control Access to the

(7)

Why is this important?

Industrial Automation and Control

System

Convergence

Structured and Hardened

IACS Network Infrastructure

Flat and Open

Industrial Automation and Control System

Network Infrastructure

Flat and Open

(8)

Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

Industrial Security Trends

Established Industrial Security Standards

9

International Society of Automation

ISA/IEC-62443 (Formerly ISA-99)

Industrial Automation and Control Systems (IACS) Security

Defense-in-Depth

IDMZ Deployment

National Institute of Standards and Technology

NIST 800-82

Industrial Control System (ICS) Security

Defense-in-Depth

IDMZ Deployment

Department of Homeland Security / Idaho National Lab

DHS INL/EXT-06-11478

Control Systems Cyber Security: Defense-in-Depth Strategies

Defense-in-Depth

(9)

Security – Holistic Defense-in-Depth

Multiple Layers to Protect and Defend the Edge

No single product, technology or methodology

can fully

secure Industrial Automation and Control System

(IACS) applications.

Protecting IACS assets requires a

defense-in-depth

security approach, which addresses internal and

external security threats.

This approach utilizes multiple layers of defense

(10)

Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

Industrial Network Security Trends

Policies - Industrial vs. Enterprise Network Requirements

11

Industrial (OT) Network

Enterprise (IT) Network

Focus

24/7 operations, high OEE

Protecting intellectual property and

company assets

Precedence of

Priorities

Availability

Integrity

Confidentiality

Confidentiality

Integrity

Availability

Types of Data Traffic

control, information, safety and motion

Converged network of data,

Converged network of data,

voice and video

Access Control

Simple network device access

Strict physical access

Strict network authentication

and access policies

Implications of a

Device Failure

Production is down

($$’s/hour … or worse)

Work-around or wait

Threat Protection

Isolate threat but keep operating

Shut down access to

detected threat

Upgrades

Scheduled

(11)
(12)

Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

Network Security Framework

Industrial Demilitarized Zone

13

Level 5

Level 4

Level 3

Level 2

Level 1

Level 0

Remote Gateway Services Patch Management AV Server Application Mirror Web Services Operations Application Server Enterprise Network

Site Business Planning and Logistics Network E-Mail, Intranet, etc.

FactoryTalk Application Server FactoryTalk Directory Engineering Workstation Remote Access Server FactoryTalk Client Operator Interface FactoryTalk Client Engineering Workstation Operator Interface Batch Control Discrete Control Drive Control Continuous Process Control Safety Control

Sensors Drives Actuators Robots

Enterprise

Security

Zone

Industrial

DMZ

Industrial

Security

Zone

Cell/Area

Zone

Web

E-Mail

CIP

Firewall Firewall Site Operations and Control Area Supervisory Control Basic Control Process

Logical Model – Industrial Automation and Control System (IACS)

Converged Multi-discipline Industrial Network

(13)

Physical – limit physical access to authorized personnel:

cells/areas, control panels, devices, cabling, and control room ….

locks, gates, key cards, biometrics. This may also include policies,

procedures and technology to escort

and track visitors

Network – security framework – e.g., firewall policies,

access control list (ACL) policies for switches and routers,

AAA, intrusion detection and prevention systems (IDS/IPS)

Computer Hardening – patch management, anti-x software,

removal of unused applications/protocols/services,

closing unnecessary logical ports, protecting physical ports

Application – authentication, authorization, and accounting (AAA)

Device Hardening – change management, communication

encryption, and restrictive access

Security – Holistic Defense-in-Depth

(14)

Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

Networking Design Considerations

CPwE Reference Architectures

15

Education, design considerations and guidance to help reduce network Latency and Jitter, to

help increase the Availability, Integrity and Confidentiality of data, and to help design and

deploy a Scalable, Robust, Secure and Future-Ready EtherNet/IP™ network infrastructure:

Single Industrial Network Technology

Robust Physical Layer

Segmentation / Structure (modular & scalable building blocks)

Prioritization - Quality of Service (QoS)

Redundant Path Topologies with Resiliency Protocols

Time Synchronization – PTP, CIP Sync, Integrated

Motion on the EtherNet/IP network

Multicast Management

Convergence-ready Solutions

Security – Holistic Defense-in-Depth

Scalable Secure Remote Access

(15)

Security – Holistic Defense-in-Depth

CPwE Reference Architectures - Architectural Security Framework

Enterprise Zone: Levels 4–5

I/O

Physical or Virtualized Servers • Patch Management • AV Server • Application Mirror

• Remote Desktop Gateway Server

Level 3 – Site Operations:

Level 2 – Area Supervisory Control

FactoryTalk Client

Industrial Demilitarized Zone (IDMZ)

Industrial Zone: Levels 0–3

Authentication, Authorization and Accounting (AAA)

(16)

Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

Additional Material

Training & Certifications

17

Cisco® Industrial Networking

Specialist Training and Certification

E-learning modules (pre-learning

courses)

Control Systems Fundamentals for

Industrial Networking (ICINS)

Networking Fundamentals for Industrial

Control Systems (INICS)

Classroom training

Managing Industrial Networks with Cisco

Networking Technologies (IMINS)

Exam

200-401 IMINS

CCNA Industrial

Training and Certification

Classroom training

Managing Industrial Networks for

Manufacturing with Cisco Technologies

(IMINS2)

Exam

200-601 IMINS2

Industrial IP Advantage

E-learning modules

CPwE Design Considerations and

(17)

Network & Security Services:

Life Cycle Approach to Services and Solutions

ASSESS

DESIGN

IMPLEMENT

VALIDATE

MANAGE

(18)

Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

Key Takeaways

19

Education and awareness:

Within your organization, for your customers or trusted partners

Establish an open dialog between Industrial Automation and IT groups

Establish an Industrial security policy, unique from and in addition to the Enterprise

security policy

Holistic Defense-in-Depth approach: no single product, methodology, nor technology fully

secures IACS networks

Be aware of Industrial Automation and Control System Security Standards

ISA/IEC-62443 (Formerly ISA99), NIST 800-82, DHS External Report # INL/EXT-06-11478

Utilize standards, reference models and reference architectures

Work with trusted partners knowledgeable in industrial automation and security

(19)

PUBLIC

www.rockwellautomation.com

References

Download now ( PDF - 19 Page - 3.98 MB )

Related documents

Case Study Enfield Bikes

That was when the board of directors at Eicher Motors decided to either shut down or sell off Royal Enfield - the company's Chennai-based motorcycle division, which manufactured

Auditing Problems With Answers

a) On 1 January 2012 the entity acquired 25 per cent of the equity of each of entities B, C and D for P10 million, P15 million and P28 million respectively. Transaction costs of 1

Economics. Breathing life into Birmingham. Commissioned by. April 2021

CBI Economics analysis quantifies the potential gains to the health of Birmingham’s workforce, and to the local economy, that could be achieved through a reduction in nitrogen

V200AAFL0D0

24 ip route addrom display Displays all static routes 25 ip route addrom freememory Clears working buffer 26 ip route addrom index <index> Adds a static route.. 27

What is network convergence all about?

The most effective solutions are those that unify all the environments of voice, video and data onto a single network infrastructure, enabling converged and unified

Putting Reliability into VoIP Networks

• Converged network requires costly new tools and expertise to deploy and manage elementary convergence technology with both voice and data traffic. – With proper time and

Agile L2 Access Switch Solution for Converged Data, Video and Voice Networking

• Fully managed Layer 2 switching solution • High power budget of 375W (24HP/48HP) and 180W (8HP) • L2 multicast, IGMP snooping, MVR and voice VLAN for convergence •

Agile L2 Access Switch Solution for Converged Data, Video and Voice Networking

With rich traffi c shaping, network isolation, and security features, the GS2210 Series is the perfect L2 access switch solution for converged data, video and voice