
(1)

Worlds grow together and enable Industry 4.0

Security in IT & Automation

Manfred Bauer

[email protected] April 2015

(2)

Diagram, two worlds side by side:

Automation: availability, reliability; protection of people and material (people, machines)

Information Technology: security of information

(3)

The Security Problem

Changing Business Models

Dynamic Threat Landscape

Complexity and Fragmentation

(4)

Policy                             | IT Network                                              | OT Network
-----------------------------------|---------------------------------------------------------|---------------------------------------------------------------------
Focus                              | Protecting Intellectual Property and Company Assets     | 24/7 Operations, High Overall Equipment Effectiveness
Priorities                         | 1. Confidentiality, 2. Integrity, 3. Availability       | 1. Availability, 2. Integrity, 3. Confidentiality
Types of Data Traffic              | Converged Network of Data, Voice and Video              | Converged Network of Data, Control, Information, Safety and Motion
Access Control                     | Strict Network Authentication, Strict Access Policies   | Strict Physical Access, Simple Network Device Access
Implications of a Device Failure   | Continues to Operate                                    | Could Stop Operation
Threat Protection                  | Shut Down Access to Detected Threat                     | Keep Operating with a Detected Threat and Manage
Upgrades                           | ASAP During Uptime                                      | Scheduled During Downtime
IP Addressing                      | Dynamic                                                 | Static

Priorities in IT and Automation

Security in IoT networks is crucial, as people, communities, and financial systems could be negatively impacted by cyber/physical security breaches.

Top priorities are availability, safety, and ease of use.

The biggest pain point is the management of who, what, where, when, and how (people, data, devices, and

(5)

Security means

Access Control

Data Confidentiality and Privacy

Threat Detection and Mitigation

Device and Platform Integrity

Policy Management

Operation Reliability & Safety

(6)

We must look at security holistically

Attack Continuum (across Network, Endpoint, Mobile, Virtual, Cloud):

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

(7)

What do we need to change?

Diagram: Data Center, IT Clients, Plants, Internet. IT-controlled security on one side, the isolated world of OT (machines, remote expert, secure third-party access) on the other. Global location routing separated from the intranet; plant-wide selective access to machines, selective access to function devices. Tiers: DMZ Global IT, DMZ Plant IT, isolated or industrial firewall, function devices, with selective authentication and authorization at each tier. Today: a process of days.

End-to-end secure connectivity and computing demands seamless network concepts

Data Center, Headquarters, Branch, Plant, On Site

Information Technology (IT), Automation (OT)

(8)

The Main Problem with Separated OT/IT Networks

Diagram (same layout as the previous slide): Data Center, IT Clients, Plants, Internet. IT-controlled security versus the isolated/confused world of OT (machines, remote expert, secure third-party access). Global location routing separated from the intranet; plant-wide selective access to machines, selective access to function devices. Tiers: DMZ Global IT, DMZ Plant IT, isolated or industrial firewall, function devices, with selective authentication and authorization at each tier. Today: a process of days.

(9)

Demands Cross-Domain Data Management

Diagram: Data Center, IT Clients, Plants, Internet.

Classical IT responsibility: network, devices, ports, people, locations, machines

Classical OT responsibility: machines, things, function devices, process data

End-to-end secure connectivity and computing demands seamless network concepts
(10)

An Example: the Connected Factory

Diagram, zones from top to bottom: Enterprise Network (Levels 4–5) with Web Apps, DNS, FTP, Internet; Demilitarized Zone (Level 3.5) with Firewall (Active) and Firewall (Standby) joined by a Gbps link for failover detection, Patch Mgmt., Terminal Services, Application Mirror, AV Server; Manufacturing Zone (Level 3) with Factory Application Servers, Network Services, Core Switches, Aggregation Switch, Access Switch; Cell/Area Zone (Levels 0–2) with Cell/Area #1 (Redundant Star Topology), Cell/Area #2 (Ring Topology) and Cell/Area #3 (Linear Topology), each containing Controller, Drives, HMI, Distributed I/O and a Layer 2 Access Switch.

Security functions placed in the diagram: Ruggedized NG Firewall; Ruggedized NG Intrusion Protection (IPS); Remote Monitoring / Surveillance; SW, Config & Asset Mgmt; VPN & Remote Access Services; Next-Generation Firewall; NG Intrusion Prevention (IPS); Advanced Malware Protection; Cloud-based Threat Protection; Network-wide Policy Enforcement; Context-based Access Control (application-level, who, when, where); Stateful Firewall; NG Intrusion Protection/Detection (IPS/IDS); Physical Access Control Systems; Identity Services; Advanced Threat Detection & Response; ISE.

(11)

All devices support all functions; highlighted features are normally covered by central functions.

Cisco Cross-Domain Firewall Solutions

Diagram: placement across Plant, HQ / DC, Machine, Internet, Intranet, LAN.

Network Firewall: ASA 5585X, ASA 5512-5555X (Data Center, IT environment, Internet VPN)

Advanced Malware Protection, Intrusion Prevention, URL Filtering: ISA 4000, ASA 5506, ASA 5506H (Shop Floor, industrial environment; Branch / Thing, moderate environment, VPN); ISA3000 (Intranet IT environment, VPN; Thing, industrial environment)

Environments:
IT environmental: air conditioning (5 - 40C), clean
Moderate environmental: room air (0 - 50C), commodity conditions
Industrial environmental: extended temperature (-20 - 65C), shop floor conditions, vibration / pollutants

Availability: Apr. 2015, Oct. 2015

Management & Analytics: FireSIGHT

(12)

Unified architecture for automation (ruggedized Industrial Ethernet, OT) and IT (enterprise IT network)

- End-to-end architecture, specifically designed, tested and validated for IT and automation

- Connecting business applications with industrial systems

- Standards-based industrial Ethernet switching and security services

- Integration of unified communication, wireless and data center technology

(13)

Example: Remote Maintenance

Diagram: Service and Support at the machine builder / plant builder; Production; Visualization; Communication; Cisco Unified Communication and WebEx; second- and third-level support department; Inter/Intranet.

(14)

Example: Identity Management

Diagram: Data Center, IT Clients, Plants, connected through the Identity Services Engine.

(15)

Example: Remote Site Management

Clear business outcomes; simple to order and buy; whole offer go-to-market

Building blocks: Remote Assets Management + Integration Platform + ROI + Customer POC + CVD + Accelerate Starter Kits + Cisco + azeti Networks Channel Partners

Outcomes: asset optimization, downtime reduction, safety and security, risk management. Solution SKUs, starter kits, EMEA IoT sales support coverage. First planned application for DSX in openBerlin; first 3rd-party IoT applications to run on Cisco Cloud Services.

(16)

Cisco Internet of Things Portfolio

Verticals: Oil and Gas, Energy-Utility, Transportation, Mining, Manufacturing, City, Defense, SP/M2M

Layers: Management, IoT Security, Application Enablement [Fog Computing/IOx]

Solutions: Connected Factory, Connected Train, City Safety and Security, Energy Distribution Automation, Connected Well, Positive Train Control

Industrial Switching: IE 2000, IE 3000, CGS2000, IP67, IE 4000, IE 5000

Industrial Routing: CGR 2000, ASR 903

Industrial Wireless: Field AP - 1552, Industrial AP (Rockwell), Field AP - IW 3700 802.11ac

Field Network: CGR 1000, 819H, 809H, IR910, IR 509, 829H

Embedded Networks: 5900 ESR, ESS 2020 Switches, 5921 ESR Software Router

Connected Safety & Security: Video Surveillance Manager and IP Cameras, Physical Access Manager, Digital Media (DMM Digital Media Manager, Digital Media Processors)

(17)

Innovation

For Your Success

Security

Use Cases

(18)

[email protected]

Manfred Bauer
