Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Industrial Security in the
Connected Enterprise
© 2008 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.
Copyright © 2013 Rockwell Automation, Inc. All Rights Reserved. 2
Supply Chain
Optimized for Rapid Value Creation
Supply Chain Integration Collaborative, Demand
Driven
Compliant and Sustainable
AGILITY AGILITY PRODUCTIVITY PRODUCTIVITY Enterprise Distribution Center Smart Grid Customers COMPANY CONFIDENTIAL
THE CONNECTED ENTERPRISE
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
CONTROLLER
CONTROLLER
Active Energy Management
INDUSTRIAL
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
The Internet of Things – IoT
Continuing Trend in Industrial Applications
More “Things” are being embedded with smart sensors and gaining the ability to communicate
“Things” become the tools for better understanding complex processes and can adapt to changes quickly
“Things” are linked through wired & wireless
networks using the same network technology as the internet – Ethernet IP (Internet Protocol)
Smarter machines can be better controlled - there-by increasing efficiency– “Plant-wide Optimization”
Securing the architecture from attacks, data authentication & access control become increasingly important
Faster Time to Market
Improved Asset Utilization
Lower Total Cost
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Connected Enterprise
-The IoT at work for Industrial Applications
Big Data & Analytics
Information available to manage the supply chain
& complex processes
Cloud Computing & Virtualization
Mobility & BYOD
Speed up deployment, Increase longevity, reliability & provide
disaster recovery
Improve maintainability, uptime, asset longevity,
safety and cost control
Machine data is expected to grow by a factor of >15
Centers around IT -Information Technology
Workforce is mobile during typical work day
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Risks and Threats
Security risks increase potential for disruption to
System uptime, safe operation, and a loss of IP
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Rockwell Automation’s
Approach to Industrial Security
Build in Security Quality by…
Providing control system solutions
that follow global standards and regulatory security requirements
Utilizing common secure design
requirements for our products
Leading the industry in Responsible
Disclosure policies and processes
8
Create Security Value by…
Building compelling security related
products, features and functionality
Supply detailed and useful system
architecture recommendations
Provide access to experts in control
system security to help customers design and maintain robust systems
Copyright © 2013 Rockwell Automation, Inc. All rights reserved. Network Hardening
Tamper Detection
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Connected Enterprise
-Collaboration of Partners
Rockwell
Automation Cisco Panduit NetworksFluke
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Industrial Network Security Trends
Established Industrial Security Standards11
International Society of Automation
ISA/IEC-62443 (Formerly ISA-99)
Industrial Automation and Control Systems (IACS) Security Defence-in-Depth
IDMZ Deployment
National Institute of Standards and Technology
NIST 800-82
Industrial Control System (ICS) Security Defence-in-Depth
IDMZ Deployment
Department of Homeland Security / Idaho National Lab
DHS INL/EXT-06-11478
Control Systems Cyber Security: Defence-in-Depth Strategies Defence-in-Depth
IDMZ Deployment
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Industrial Network Security Trends
Industrial vs Enterprise Network RequirementsSwitches
Managed
Layer 2 and Layer 3 Traffic types
Voice, Video, Data Performance
Low Latency, Low Jitter
Data Prioritization – QoS – Layer 3 IP Addressing Dynamic Security Pervasive Strong policies Switches
Managed and Unmanaged Layer 2 is predominant Traffic types
Information, control, safety, motion, time
synchronization, energy management
Performance
Low Latency, Low Jitter
Data Prioritization – QoS – Layer 2 & 3 IP Addressing
Static Security
Industrial security policies are inconsistently deployed
Open by default, must close by configuration and architecture
Enterprise Requirements
12 Industrial Requirements
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Industrial Network Security Trends
Policies - Industrial vs. Enterprise Network Requirements
13
Industrial (IAT) Network Enterprise (IT) Network
Focus 24/7 operations, high OEE Protecting intellectual property and company assets Precedence of Priorities Availability Integrity Confidentiality Confidentiality Integrity Availability
Types of Data Traffic Converged network of data,
control, information, safety and motion
Converged network of data, voice and video
Access Control Strict physical access
Simple network device access
Strict network authentication and access policies
Implications of a Device Failure
Production is down
($$’s/hour … or worse) Work-around or wait
Threat Protection Isolate threat but keep operating Shut down access to detected threat
Upgrades Scheduled
Copyright © 2013 Rockwell Automation, Inc. All rights reserved. 14
Network Security Framework
Converged Plant-wide Ethernet (CPwE) Reference Architectures
Structured and Hardened IACS Network Infrastructure
Industrial security policy Pervasive security, not a
bolt-on component
Security framework utilizing defense-in-depth approach
Industrial DMZ implementation Remote partner access policy, with
robust & secure implementation
Network Security Services
Must Not Compromise Operations of
the IACS Enterprise WAN Catalyst 3750 StackWise Switch Stack Firewall (Active) Firewall (Standby) MCC HMI Industrial Demilitarized Zone (IDMZ) Enterprise Zone Levels 4-5 Cisco ASA 5500 Controllers, I/O, Drives Catalyst 6500/4500 Soft Starter I/O
Physical or Virtualized Servers
• Patch Management
• Remote Gateway Services
• Application Mirror
• AV Server
Network Device Resiliency VLANs
Standard DMZ Design Best Practices
Network Infrastructure Access Control and
Hardening
Physical Port Security
Level 0 - Process Level 1 - Controller
Plant Firewall:
Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Terminal
Server proxy
VLANs, Segmenting Domains of Trust AAA - Application
Authentication Server, Active Directory (AD),
Remote Access Server
Client Hardening
Level 3 – Site Operations
Controller
Network Status and Monitoring
Drive
Level 2 – Area Supervisory Control
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Industrial Network Security Trends
EtherNet/IP Industrial Automation & Control System Network
15
Open by default to allow both
technology coexistence and device interoperability for Industrial
Automation and Control System (IACS) Networks
Secured by configuration: Protect the network
- Electronic Security Perimeter
Defend the edge
- Industrial DMZ (IDMZ)
Defense-in-Depth
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Defense in Depth
Layered Security Model
Shield potential targets behind multiple levels of protection to reduce security risks
Defense in Depth
Use multiple security countermeasures to protect integrity of components or systems
Openness
Consideration for participation of a variety of vendors in our security solutions
Flexibility
Able to accommodate a customer’s needs, including policies & procedures
Consistency
Solutions that align with Government directives and Standards Bodies
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Assessing & Mitigating
Threat Sources
© 2008 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Industrial Security Risk & Threats
91% = number of cybersecurity breaches that took hours or less to perpetrate
62% = number of cybersecurity breaches that took months or years to discover
53% = number of cybersecurity breaches that took months or more to contain
21% = number of successful Intellectual Property external cybersecurity breaches that had internal help, and 80% of those exploited normal users, not administrators
10% = number of cybersecurity breaches detected by internal resource
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Is Your Company Protected?
“Some organizations will be a target regardless of what they do, but most become a target because of what they do…”
Compromising network security is a $6 billion global underground industry of which $300 million is directly tied to manufacturing
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Historical Industrial Control System (ICS)
Common Traits to Historical ICS
Proprietary
Complete vertical solutions Customized
Specialized communications
Wired, fiber, microwave, dialup, serial, etc. 100s of different protocols
Slow; e.g. 1200 baud
Long service lifetimes: 15–20 years
Copyright © 2013 Rockwell Automation, Inc. All rights reserved. Third Party Controllers, Servers, etc. Serial, OPC or Fieldbus Engineering Workplace Device Network Firewall Services Network Third Party Application Server Application Server Historian Server
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Technology Trends in ICS
COTS (Commercial-Off-The-Shelf) technologies
Operating systems—Windows, WinCE, embedded RTOSes Applications—Databases, web servers, web browsers, etc. IT protocols—HTTP, SMTP, FTP, DCOM, XML, SNMP, etc. Networking equipment—switches, routers, firewalls, etc.
Connectivity of ICS to enterprise LAN
Improved business visibility, business process efficiency Remote access to control center and field devices
IP Networking
Common in higher level networks, gaining in lower levels Many legacy protocols wrapped in TCP or UDP
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Availability, Integrity and Confidentiality
Enterprise networks require C-I-A
Confidentiality of intellectual property matters most
Industrial Control Systems require A-I-C
Availability and integrity of control matters most
control data has low entropy—little need for confidentiality Many ICS vendors provide “six 9’s” of availability
Ensuring availability is hard
Cryptography does not help (directly)
DOS protection, rate limiting, resource management, QoS, redundancy, robust
hardware with high MTBF
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
DoS and DDoS Attacks
Denial of Service (DoS) attack overwhelms a system with too many packets/requests
Exhausts TCP stack or application resources Defenses include connection limits in firewall
Distributed Denial of Service (DDoS) attack coordinates a botnet to overwhelm a target system
No single point of attack
Requires sophisticated, coordinated defenses
Weapon of choice for hackers, hacktivists, cyber-extortionists
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Unpatched Systems
Many ICS systems are not patched “current” Particularly Windows servers
No patches available for older versions of windows
OS and application patches can break ICS
OS patches are commonly tested for enterprise apps not ICS
Uncertified patches can invalidate warranty
Patching often requires system reboot
Before installation of a patch:
Vendor certification—typically one week Lab testing by operator
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Limited use of Host Anti-Virus
AV operations can cause significant system disruption at inopportune times
3am is no better than any other time for a full disk scan on a system that
operates 24x7x365
ICS vendors only beginning to support anti-virus Anti-virus is only as good as the signature set
Signatures may require testing just like patches
AV may be losing ground in enterprise deployments Impact on hosts, endpoint security not getting better
Virus writers have learned to test against dominant AV
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Poor Authentication and Authorization
Machine-to-machine comms involve no “user”
Many ICS have poor authentication mechanisms and very limited authorization mechanisms
Many protocols use cleartext passwords
Many ICS devices lack crypto support
Sometimes passwords left at vendor default
Device passwords are hard to manage appropriately Often one password is shared amongst all devices
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Requirements for 3rd Party Access
Firmware updates and PLC, IED programming are sometimes performed by vendor
Many ICS have open maintenance ports
Infected vendor laptops can bring down an ICS
Partners may require continuous status information Partner access is often poorly secured
Partner channels can serve as backdoors
3rd parties may include:
ISO, transmission provider or grid neighbor, equipment vendor,
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
People Issues
ICS network often managed by “Control Systems Department”, distinct from “IT Department” running enterprise network
ICS personnel are not IT or networking experts IT personnel are not ICS experts
Significant portion of control systems workforce is older and nearing retirement
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Ways to Address Risk
There are four ways to deal with risk:
1.
Risk Mitigation – address it head on
2.
Risk Acceptance – i.e. the Risk Tautology
(it is what it is)
3.
Risk Transference – i.e. insurance
4.
Risk Avoidance – Project X is risky…let’s
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Recommendations for Defending ICS
Separate control network from enterprise network Harden connection to enterprise network
Protect all points of entry with strong authentication Make reconnaissance difficult from outside
Harden interior of control network
Make reconnaissance difficult from inside Avoid single points of vulnerability
Frustrate opportunities to expand a compromise
Harden field sites and partner connections Mutual distrust
Monitor both perimeter and inside events
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Network & Security Services
-at a Glance
ASSESS
• WHY is my network not operating according to operational / availability baselines?
• IS the network architecture robust enough to protect my intellectual property and assets? • HOW do I know if issues I have on my network are security related, and how do I fix them?
DESIGN
• DOES my existing “As-Is” architecture protect against malware attacks?
• WHAT do I need to do to ensure my architecture scales to accommodate demands? • HOW do I prioritize technology refresh tasks to maximize operational availability? IMPLEMENT
• HOW do I configure devices to best interface with Process Controls network?
• WHAT will the impact be if I upgrade to “X” and how do I go about making changes? • HOW do I securely dispose of old equipment to ensure my data is not exposed?
GOVERNANCE
• AM I required to be compliant with any regulations, and if so WHAT are they and HOW do I comply?
• WHAT is the risk if I am not compliant and HOW long do I have to become compliant?
MANAGE/MONITOR
• HOW do I securely access my network remotely?
• DOES Rockwell Automaton provide a Virtual Support Engineer to help me maintain availability?
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Rockwell Automation
Industrial Security Resources
Security-enhanced Products and Technologies
Rockwell Automation product and technologies with security capabilities
that help increase overall control system system-level security.
http://www.rockwellautomation.com/security
EtherNet/IP Plantwide Reference Architectures
Control system validated designs and security best-practices that complement
recommended layered security/defence-in-depth measures.
http://www.ab.com/networks/architectures.html
Network & Security Services (NSS)
RA consulting specialists that conduct security risk assessments and make
recommendations for how to avert risk and mitigate vulnerabilities.
http://www.rockwellautomation.com/services/security
Remote Asset Monitoring Services
The Virtual Support Engineer is a service that offers a simple and secure approach to
monitoring your equipment and collecting valuable performance analytics.
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Rockwell Automation:
Industrial Security Resources
http://rockwellautomation.com
/security
Assessment Services Security Technology Security FAQ Assessment Services Security Resources Reference Architectures Security Services [email protected]Copyright © 2013 Rockwell Automation, Inc. All rights reserved.
Industrial IP Advantage Website
A new ‘go-to’ resource for educational, technical and thought leadership information about industrial
network communication
Visit Industrial IP Advantage to learn more SANS Training Material
Security policy blueprint (for IACS) available EX: Remote Access Policy, Router Security Policy
Visit https://www.sans.org/ to learn more
www.industrial-ip.org
Copyright © 2013 Rockwell Automation, Inc. All rights reserved.