• No results found

Industrial Security in the Connected Enterprise

N/A
N/A
Protected

Academic year: 2021

Share "Industrial Security in the Connected Enterprise"

Copied!
36
0
0

Loading.... (view fulltext now)

Full text

(1)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Industrial Security in the

Connected Enterprise

© 2008 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

(2)

Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. 2

Supply Chain

Optimized for Rapid Value Creation

 Supply Chain Integration  Collaborative, Demand

Driven

 Compliant and Sustainable

AGILITY AGILITY PRODUCTIVITY PRODUCTIVITY Enterprise Distribution Center Smart Grid Customers COMPANY CONFIDENTIAL

THE CONNECTED ENTERPRISE

(3)
(4)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

CONTROLLER

CONTROLLER

Active Energy Management

INDUSTRIAL

(5)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

The Internet of Things – IoT

Continuing Trend in Industrial Applications

 More “Things” are being embedded with smart sensors and gaining the ability to communicate

 “Things” become the tools for better understanding complex processes and can adapt to changes quickly

 “Things” are linked through wired & wireless

networks using the same network technology as the internet – Ethernet IP (Internet Protocol)

 Smarter machines can be better controlled - there-by increasing efficiency– “Plant-wide Optimization”

 Securing the architecture from attacks, data authentication & access control become increasingly important

Faster Time to Market

Improved Asset Utilization

Lower Total Cost

(6)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Connected Enterprise

-The IoT at work for Industrial Applications

Big Data & Analytics

Information available to manage the supply chain

& complex processes

Cloud Computing & Virtualization

Mobility & BYOD

Speed up deployment, Increase longevity, reliability & provide

disaster recovery

Improve maintainability, uptime, asset longevity,

safety and cost control

Machine data is expected to grow by a factor of >15

Centers around IT -Information Technology

Workforce is mobile during typical work day

(7)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Risks and Threats

Security risks increase potential for disruption to

System uptime, safe operation, and a loss of IP

(8)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Rockwell Automation’s

Approach to Industrial Security

 Build in Security Quality by…

 Providing control system solutions

that follow global standards and regulatory security requirements

 Utilizing common secure design

requirements for our products

 Leading the industry in Responsible

Disclosure policies and processes

8

 Create Security Value by…

 Building compelling security related

products, features and functionality

 Supply detailed and useful system

architecture recommendations

 Provide access to experts in control

system security to help customers design and maintain robust systems

(9)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved. Network Hardening

Tamper Detection

(10)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Connected Enterprise

-Collaboration of Partners

Rockwell

Automation Cisco Panduit NetworksFluke

(11)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Industrial Network Security Trends

Established Industrial Security Standards

11

 International Society of Automation

 ISA/IEC-62443 (Formerly ISA-99)

 Industrial Automation and Control Systems (IACS) Security  Defence-in-Depth

 IDMZ Deployment

 National Institute of Standards and Technology

 NIST 800-82

 Industrial Control System (ICS) Security  Defence-in-Depth

 IDMZ Deployment

 Department of Homeland Security / Idaho National Lab

 DHS INL/EXT-06-11478

 Control Systems Cyber Security: Defence-in-Depth Strategies  Defence-in-Depth

 IDMZ Deployment

(12)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Industrial Network Security Trends

Industrial vs Enterprise Network Requirements

 Switches

 Managed

 Layer 2 and Layer 3  Traffic types

 Voice, Video, Data  Performance

 Low Latency, Low Jitter

 Data Prioritization – QoS – Layer 3  IP Addressing  Dynamic  Security  Pervasive  Strong policies  Switches

 Managed and Unmanaged  Layer 2 is predominant  Traffic types

 Information, control, safety, motion, time

synchronization, energy management

 Performance

 Low Latency, Low Jitter

 Data Prioritization – QoS – Layer 2 & 3  IP Addressing

 Static  Security

 Industrial security policies are inconsistently deployed

 Open by default, must close by configuration and architecture

Enterprise Requirements

12 Industrial Requirements

(13)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Industrial Network Security Trends

Policies - Industrial vs. Enterprise Network Requirements

13

Industrial (IAT) Network Enterprise (IT) Network

Focus 24/7 operations, high OEE Protecting intellectual property and company assets Precedence of Priorities Availability Integrity Confidentiality Confidentiality Integrity Availability

Types of Data Traffic Converged network of data,

control, information, safety and motion

Converged network of data, voice and video

Access Control Strict physical access

Simple network device access

Strict network authentication and access policies

Implications of a Device Failure

Production is down

($$’s/hour … or worse) Work-around or wait

Threat Protection Isolate threat but keep operating Shut down access to detected threat

Upgrades Scheduled

(14)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved. 14

Network Security Framework

Converged Plant-wide Ethernet (CPwE) Reference Architectures

 Structured and Hardened IACS Network Infrastructure

 Industrial security policy  Pervasive security, not a

bolt-on component

 Security framework utilizing defense-in-depth approach

 Industrial DMZ implementation  Remote partner access policy, with

robust & secure implementation

Network Security Services

Must Not Compromise Operations of

the IACS Enterprise WAN Catalyst 3750 StackWise Switch Stack Firewall (Active) Firewall (Standby) MCC HMI Industrial Demilitarized Zone (IDMZ) Enterprise Zone Levels 4-5 Cisco ASA 5500 Controllers, I/O, Drives Catalyst 6500/4500 Soft Starter I/O

Physical or Virtualized Servers

• Patch Management

• Remote Gateway Services

• Application Mirror

• AV Server

Network Device Resiliency VLANs

Standard DMZ Design Best Practices

Network Infrastructure Access Control and

Hardening

Physical Port Security

Level 0 - Process Level 1 - Controller

Plant Firewall:

 Inter-zone traffic segmentation  ACLs, IPS and IDS  VPN Services  Portal and Terminal

Server proxy

VLANs, Segmenting Domains of Trust AAA - Application

Authentication Server, Active Directory (AD),

Remote Access Server

Client Hardening

Level 3 – Site Operations

Controller

Network Status and Monitoring

Drive

Level 2 – Area Supervisory Control

(15)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Industrial Network Security Trends

EtherNet/IP Industrial Automation & Control System Network

15

 Open by default to allow both

technology coexistence and device interoperability for Industrial

Automation and Control System (IACS) Networks

 Secured by configuration:  Protect the network

- Electronic Security Perimeter

 Defend the edge

- Industrial DMZ (IDMZ)

 Defense-in-Depth

(16)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Defense in Depth

 Layered Security Model

Shield potential targets behind multiple levels of protection to reduce security risks

 Defense in Depth

Use multiple security countermeasures to protect integrity of components or systems

 Openness

Consideration for participation of a variety of vendors in our security solutions

 Flexibility

Able to accommodate a customer’s needs, including policies & procedures

 Consistency

Solutions that align with Government directives and Standards Bodies

(17)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Assessing & Mitigating

Threat Sources

© 2008 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

(18)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Industrial Security Risk & Threats

 91% = number of cybersecurity breaches that took hours or less to perpetrate

 62% = number of cybersecurity breaches that took months or years to discover

 53% = number of cybersecurity breaches that took months or more to contain

 21% = number of successful Intellectual Property external cybersecurity breaches that had internal help, and 80% of those exploited normal users, not administrators

 10% = number of cybersecurity breaches detected by internal resource

(19)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Is Your Company Protected?

“Some organizations will be a target regardless of what they do, but most become a target because of what they do…”

Compromising network security is a $6 billion global underground industry of which $300 million is directly tied to manufacturing

(20)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Historical Industrial Control System (ICS)

 Common Traits to Historical ICS

 Proprietary

 Complete vertical solutions  Customized

 Specialized communications

 Wired, fiber, microwave, dialup, serial, etc.  100s of different protocols

 Slow; e.g. 1200 baud

 Long service lifetimes: 15–20 years

(21)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved. Third Party Controllers, Servers, etc. Serial, OPC or Fieldbus Engineering Workplace Device Network Firewall Services Network Third Party Application Server Application Server Historian Server

(22)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Technology Trends in ICS

 COTS (Commercial-Off-The-Shelf) technologies

 Operating systems—Windows, WinCE, embedded RTOSes  Applications—Databases, web servers, web browsers, etc.  IT protocols—HTTP, SMTP, FTP, DCOM, XML, SNMP, etc.  Networking equipment—switches, routers, firewalls, etc.

 Connectivity of ICS to enterprise LAN

 Improved business visibility, business process efficiency  Remote access to control center and field devices

 IP Networking

 Common in higher level networks, gaining in lower levels  Many legacy protocols wrapped in TCP or UDP

(23)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Availability, Integrity and Confidentiality

 Enterprise networks require C-I-A

 Confidentiality of intellectual property matters most

 Industrial Control Systems require A-I-C

 Availability and integrity of control matters most

 control data has low entropy—little need for confidentiality  Many ICS vendors provide “six 9’s” of availability

 Ensuring availability is hard

 Cryptography does not help (directly)

 DOS protection, rate limiting, resource management, QoS, redundancy, robust

hardware with high MTBF

(24)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

DoS and DDoS Attacks

 Denial of Service (DoS) attack overwhelms a system with too many packets/requests

 Exhausts TCP stack or application resources  Defenses include connection limits in firewall

 Distributed Denial of Service (DDoS) attack coordinates a botnet to overwhelm a target system

 No single point of attack

 Requires sophisticated, coordinated defenses

 Weapon of choice for hackers, hacktivists, cyber-extortionists

(25)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Unpatched Systems

 Many ICS systems are not patched “current”  Particularly Windows servers

 No patches available for older versions of windows

 OS and application patches can break ICS

 OS patches are commonly tested for enterprise apps not ICS

 Uncertified patches can invalidate warranty

 Patching often requires system reboot

 Before installation of a patch:

 Vendor certification—typically one week  Lab testing by operator

(26)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Limited use of Host Anti-Virus

 AV operations can cause significant system disruption at inopportune times

 3am is no better than any other time for a full disk scan on a system that

operates 24x7x365

 ICS vendors only beginning to support anti-virus  Anti-virus is only as good as the signature set

 Signatures may require testing just like patches

 AV may be losing ground in enterprise deployments  Impact on hosts, endpoint security not getting better

 Virus writers have learned to test against dominant AV

(27)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Poor Authentication and Authorization

 Machine-to-machine comms involve no “user”

 Many ICS have poor authentication mechanisms and very limited authorization mechanisms

 Many protocols use cleartext passwords

 Many ICS devices lack crypto support

 Sometimes passwords left at vendor default

 Device passwords are hard to manage appropriately  Often one password is shared amongst all devices

(28)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Requirements for 3rd Party Access

 Firmware updates and PLC, IED programming are sometimes performed by vendor

 Many ICS have open maintenance ports

 Infected vendor laptops can bring down an ICS

 Partners may require continuous status information  Partner access is often poorly secured

 Partner channels can serve as backdoors

 3rd parties may include:

 ISO, transmission provider or grid neighbor, equipment vendor,

(29)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

People Issues

 ICS network often managed by “Control Systems Department”, distinct from “IT Department” running enterprise network

 ICS personnel are not IT or networking experts  IT personnel are not ICS experts

 Significant portion of control systems workforce is older and nearing retirement

(30)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Ways to Address Risk

There are four ways to deal with risk:

1.

Risk Mitigation – address it head on

2.

Risk Acceptance – i.e. the Risk Tautology

(it is what it is)

3.

Risk Transference – i.e. insurance

4.

Risk Avoidance – Project X is risky…let’s

(31)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Recommendations for Defending ICS

 Separate control network from enterprise network  Harden connection to enterprise network

 Protect all points of entry with strong authentication  Make reconnaissance difficult from outside

 Harden interior of control network

 Make reconnaissance difficult from inside  Avoid single points of vulnerability

 Frustrate opportunities to expand a compromise

 Harden field sites and partner connections  Mutual distrust

 Monitor both perimeter and inside events

(32)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Network & Security Services

-at a Glance

ASSESS

• WHY is my network not operating according to operational / availability baselines?

• IS the network architecture robust enough to protect my intellectual property and assets? • HOW do I know if issues I have on my network are security related, and how do I fix them?

DESIGN

• DOES my existing “As-Is” architecture protect against malware attacks?

• WHAT do I need to do to ensure my architecture scales to accommodate demands? • HOW do I prioritize technology refresh tasks to maximize operational availability? IMPLEMENT

• HOW do I configure devices to best interface with Process Controls network?

• WHAT will the impact be if I upgrade to “X” and how do I go about making changes? • HOW do I securely dispose of old equipment to ensure my data is not exposed?

GOVERNANCE

• AM I required to be compliant with any regulations, and if so WHAT are they and HOW do I comply?

• WHAT is the risk if I am not compliant and HOW long do I have to become compliant?

MANAGE/MONITOR

• HOW do I securely access my network remotely?

• DOES Rockwell Automaton provide a Virtual Support Engineer to help me maintain availability?

(33)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Rockwell Automation

Industrial Security Resources

 Security-enhanced Products and Technologies

 Rockwell Automation product and technologies with security capabilities

that help increase overall control system system-level security.

 http://www.rockwellautomation.com/security

 EtherNet/IP Plantwide Reference Architectures

 Control system validated designs and security best-practices that complement

recommended layered security/defence-in-depth measures.

 http://www.ab.com/networks/architectures.html



 Network & Security Services (NSS)

 RA consulting specialists that conduct security risk assessments and make

recommendations for how to avert risk and mitigate vulnerabilities.

 http://www.rockwellautomation.com/services/security

 Remote Asset Monitoring Services

 The Virtual Support Engineer is a service that offers a simple and secure approach to

monitoring your equipment and collecting valuable performance analytics.



(34)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Rockwell Automation:

Industrial Security Resources

http://rockwellautomation.com

/security

Assessment Services Security Technology Security FAQ Assessment Services Security Resources Reference Architectures Security Services [email protected]

(35)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

Industrial IP Advantage Website

 A new ‘go-to’ resource for educational, technical and thought leadership information about industrial

network communication

 Visit Industrial IP Advantage to learn more SANS Training Material

 Security policy blueprint (for IACS) available  EX: Remote Access Policy, Router Security Policy

 Visit https://www.sans.org/ to learn more

www.industrial-ip.org

(36)

Copyright © 2013 Rockwell Automation, Inc. All rights reserved.

References

Related documents

Best Narrative Film, Atlanta Jewish Film Festival, 2008.. Director and Writer:

The material used as substrate for coatings deposition is AISI 316L stainless steel, with a chemical composition showed in Table 1 (Cordes SA, Argentina).. Before coating, the

During the course of the life-span of a particular saros series, each member eclipse will occur closer to the nodal axis, (north or south node) slowly reducing the orb between

There are two important goals to be obtained from these tests: (1) the safety distance of autonomous vehicle, and (2) the sensor performance under different weather conditions, as

On this basis, at least from a Singapore perspective, it suggests that for disclosure of web based email, suitable care should be taken to determine where the data may reside and

With the establishment of the Pelagic Fisheries Division in the early 1980s, research activities were centered around developing a valuable time series database on the

In this paper, we analyze the co-evolution of a fixed-price platform (i.e., an in- stitution of centralized trade at a uniform, market clearing price) and a bargaining platform

It will (a) support the Office of the Prime Minister and the National Statistical Office to develop a policy and strategy for child-sensitive monitoring