AUP28 - Implementing Security and IP Protection

Academic year: 2021

(1)

PUBLIC INFORMATION

AUP28 - Implementing Security and IP Protection Features in the Integrated Architecture

Mads Laier

(2)

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.

Agenda

Key Takeaways – Design Considerations

Defense in depth

Why IACS Security Now!

(3)
(4)

Industrial Market Drivers

Improve Asset Utilization

Maximize return on your automation investment

Innovation

Drive Speed & Innovation

Speed time to market; manage brand equity

Manage Risk

Implement systems and procedures to address

market dynamics and regulatory requirements

Reduce Energy usage

Contextualize

(5)
(6)

Cyber Security in the News

In 2015 the game changed.

(7)

Hackers have found “Remote Access is an easy way to get into the Industrial network”

New Havex malware variants target industrial control system and SCADA users

During the spring, attackers began distributing new versions of a remote access Trojan (RAT) program called Havex by hacking into the websites of industrial control system (ICS) manufacturers and poisoning their legitimate software downloads.

F-Secure did not name the affected vendors, but said that two of them develop ICS remote management software and the third supplies high-precision industrial cameras and related software. According to the security firm, the vendors are based in Germany, Switzerland and Belgium.

The attackers modified the legitimate software installers to drop and execute an additional file on computers. The file is called mbcheck.dll and is actually the Havex malware.

That conclusion is also supported by the existence of a new malicious Havex component whose purpose is to scan local area networks for devices that respond to OPC (Open Platform Communications) requests.

The Havex component leverages the OPC standard to gather information about industrial control devices and then sends that information back to its command-and-control (C&C) server for the attackers to

Following the discovery of the Stuxnet industrial sabotage malware in 2010, which is believed to have destroyed up to 1,000 uranium enrichment centrifuges in Iran, security researchers sounded the alarm about the insecurity of industrial control systems and the ease with which they can be targeted by attackers. Despite those concerns, widespread malware attacks against ICS and SCADA systems never became a reality, making the new Havex campaigns a rare occurrence, but possibly

(8)

Hackers damage Steel Plant.

Hackers infiltrated a German steel mill and made it impossible to safely shut down a furnace, according to a German security report

quietly

(9)

It is becoming the LAW

Many countries are

(10)

Industrial Network Security Trends

Established Industrial Security Standards

International Society of Automation

ISO/IEC-62443 (Formerly ISA-99)

Industrial Automation and Control Systems (IACS) Security

Defense-in-Depth

IDMZ Deployment

National Institute of Standards and Technology

NIST 800-82

Industrial Control System (ICS) Security

Defense-in-Depth

IDMZ Deployment

Department of Homeland Security / Idaho National Lab

DHS INL/EXT-06-11478

Control Systems Cyber Security: Defense-in-Depth Strategies

Defense-in-Depth

IDMZ Deployment

(11)

Agenda

Key Takeaways – Design Considerations

Defense in depth

Why IACS Security Now!

(12)

What Risk

(13)

From Whom?

Security Threat Actors

(14)

Rockwell Automation

Focus on Industrial Cyber Security

Reduce risks to safe and reliable operation

…Control system architecture with layered security to help maintain operational integrity under threat

Protect assets & information

…Product and system features to help control access, tamper-proof and limit information exposure

Government and Standards Alignment

…Responsible disclosure with control system solutions that follow global standards and help fulfill independent & regulatory security requirements

(15)

Defense-in-Depth

No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications.

Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats.

This approach utilizes multiple layers of defense (physical, procedural and

(16)

Recommendations for Defending ICS

Separate control network from enterprise network

Harden connection to enterprise network

Protect all points of entry with strong authentication

Make reconnaissance difficult from outside

Harden interior of control network

Make reconnaissance difficult from inside

Avoid single points of vulnerability

Frustrate opportunities to expand a compromise

Harden field sites and partner connections

Mutual distrust

Monitor both perimeter and inside events

(17)

Two Critical Elements to Industrial Cyber Security

A balanced Security Program must address both Technical and Non-Technical Risks and Controls

Technical Controls (firewalls, layer-3 ACLs, etc.)… …provide restrictive measures for…

Non-technical Controls (rules for

Technical

(18)

Defense-in-Depth

Industrial Security Policies Drive Technical Controls

Physical – limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling, and control room

Network – security framework – e.g. firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS)

Computer Hardening – patch management, Anti-X software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports

Application – authentication, authorization, and accounting (AAA) software

Device Hardening – change management,

(19)

Defense-in-Depth

Application Security - Examples

FactoryTalk® Security

Centralized authentication & access control

Verifies user identity before granting system access

Grants or denies requests to perform actions

FactoryTalk® AssetCentre

Centralized storage of audit records

Limits access to product and system data

Offers back-up and archive of application files

Studio 5000™ Programming Software

Control access to routines and AOIs with source protection

Control access to tags with Data Access Control

(20)

Physical procedure:

Restrict Industrial Automation and Control System (IACS) access to authorized personnel only

Control panels, devices, cabling, and control room

Locks, gates, key cards

Video Surveillance

Other Authentication Devices (biometric, keypad, etc.).

Switch the Logix Controller key to “RUN”

Defense in depth

(21)

Defense in Depth.

Controller Hardening Electronic Design

Protect the Source

Embedded Change Log

FactoryTalk Security

Data Access Control

Trusted Slot with

(22)

Defense-in-Depth

Computer Hardening - Examples

Security Patch Management: establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches

Keep computers up-to-date on service packs and hot fixes

Disable automatic updates

Check software vendor website

Test patches before implementing

Schedule patching during downtime

Deploy and maintain Anti-X (antivirus, antispyware, etc.) and malware detection software

Disable automatic updates and automatic scanning

Test definition updates before implementing

Schedule manually initiated scanning during downtime

Uninstall unused Windows components

Protocols and Services

Protect unused or infrequently used USB, parallel or serial interfaces

(23)

Industrial Network Security

Industrial vs. Enterprise Network Requirements

Enterprise network:

  Switches: Managed; Layer 2 and Layer 3

  Traffic types: Voice, Video, Data

  Performance: Low Latency, Low Jitter

  Data Prioritization: QoS – Layer 3

  IP Addressing: Dynamic

  Security: Pervasive

Industrial network:

  Switches: Managed and Unmanaged; Layer 2 is predominant

  Traffic types: Information, control, safety, motion, time synchronization, energy management

  Performance: Low Latency, Low Jitter

  Data Prioritization: QoS – Layer 2 & 3

(24)

Industrial Network Security Trends

Industrial vs. Enterprise Network Requirements

(25)

Industrial Network Security

Collaboration of Partners

The Established

#1 Industrial Ethernet

Physical Layer Network Infrastructure

Wireless, Security,

Switching/Routing

Leader in

(26)

The Purdue Model and Rockwell Automation

Rockwell Automation and CISCO Systems have defined a

(27)

Network Security Framework

Industrial Demilitarized Zone

Figure: Purdue model, Level 5 down to Level 1, with the Industrial Demilitarized Zone between the enterprise and industrial levels. Enterprise Network: Site Business Planning and Logistics Network, E-Mail, Intranet, etc. IDMZ services: Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server.

(28)

Network Security Framework

Industrial Demilitarized Zone (IDMZ)

All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ

Only path between zones

No common protocols in each logical firewall

No control traffic into the IDMZ, CIP stays home

No primary services are permanently housed in the IDMZ

IDMZ shall not permanently house data

Application data mirror to move data into and out of the Industrial Zone

Limit outbound connections from the IDMZ

Be prepared to “turn-off” access via the firewall

No Direct
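The IDMZ rules above can be checked mechanically against a zone-to-zone firewall rule set. The following is an added example, not Rockwell or Cisco code and not any vendor's configuration format: the zone names, the Rule layout, the CIP port list and SAMPLE_RULES are constructed for illustration. It flags the three rules that can be tested statically (no direct Enterprise-to-Industrial path, no CIP into the IDMZ, no protocol permitted on both logical firewalls) and shows the "turn off access" step as a function that converts every IDMZ-crossing permit into a deny.

```python
"""Static check of a zone-to-zone firewall rule set against the IDMZ design rules.
Added example; zone names, Rule layout and SAMPLE_RULES are constructed."""
from dataclasses import dataclass, replace

ENTERPRISE, IDMZ, INDUSTRIAL = "Enterprise", "IDMZ", "Industrial"

# EtherNet/IP (CIP) transport ports: explicit messaging on TCP/UDP 44818,
# implicit I/O messaging on UDP 2222. "CIP stays home" means none of these
# may be permitted into the IDMZ.
CONTROL_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    action: str = "permit"


@dataclass(frozen=True)
class Finding:
    code: str     # short machine-checkable identifier
    detail: str   # human-readable explanation


def _boundary(rule):
    """Which logical firewall a rule lives on: 'enterprise' (Enterprise<->IDMZ),
    'industrial' (IDMZ<->Industrial), or None when it does not touch the IDMZ."""
    zones = {rule.src_zone, rule.dst_zone}
    if zones == {ENTERPRISE, IDMZ}:
        return "enterprise"
    if zones == {IDMZ, INDUSTRIAL}:
        return "industrial"
    return None


def check_idmz_rules(rules):
    """Return a Finding for every IDMZ design rule the permit set violates."""
    findings = []
    permits = [r for r in rules if r.action == "permit"]
    for r in permits:
        # Traffic must terminate in the IDMZ: no permit may span Enterprise <-> Industrial.
        if {r.src_zone, r.dst_zone} == {ENTERPRISE, INDUSTRIAL}:
            findings.append(Finding("DIRECT_TRAVERSAL",
                f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.port} bypasses the IDMZ"))
        # No control traffic into the IDMZ.
        if r.dst_zone == IDMZ and (r.proto, r.port) in CONTROL_PORTS:
            findings.append(Finding("CIP_INTO_IDMZ",
                f"{r.src_zone}->IDMZ {r.proto}/{r.port} carries CIP into the IDMZ"))
    # No common protocols on the two logical firewalls: a protocol permitted across
    # the Enterprise side must not also be permitted across the Industrial side,
    # otherwise a session could be relayed straight through the IDMZ.
    enterprise_side = {(r.proto, r.port) for r in permits if _boundary(r) == "enterprise"}
    industrial_side = {(r.proto, r.port) for r in permits if _boundary(r) == "industrial"}
    for proto, port in sorted(enterprise_side & industrial_side):
        findings.append(Finding("COMMON_PROTOCOL",
            f"{proto}/{port} is permitted on both logical firewalls"))
    return findings


def isolate(rules):
    """'Be prepared to turn off access via the firewall': return a copy of the rule
    set in which every permit crossing an IDMZ boundary has become a deny."""
    return [replace(r, action="deny") if _boundary(r) and r.action == "permit" else r
            for r in rules]


# Constructed sample rule set: two expected rules and three deliberate violations.
SAMPLE_RULES = [
    Rule(ENTERPRISE, IDMZ, "tcp", 443),         # HTTPS to the portal on the plant firewall
    Rule(IDMZ, INDUSTRIAL, "tcp", 3389),        # firewall proxies RDP to the remote access server
    Rule(ENTERPRISE, INDUSTRIAL, "tcp", 3389),  # violation: direct path around the IDMZ
    Rule(INDUSTRIAL, IDMZ, "udp", 2222),        # violation: CIP I/O traffic into the IDMZ
    Rule(ENTERPRISE, IDMZ, "tcp", 3389),        # violation: RDP now permitted on both firewalls
    Rule(ENTERPRISE, INDUSTRIAL, "tcp", 44818, action="deny"),  # an explicit deny is fine
]

if __name__ == "__main__":
    for f in check_idmz_rules(SAMPLE_RULES):
        print(f"{f.code}: {f.detail}")
    print(sum(r.action == "deny" for r in isolate(SAMPLE_RULES)), "rules denied after isolate()")
```

The check is deliberately on permits only: deny rules never create a path, so the explicit deny in the sample produces no finding, and after isolate() the only finding left is the direct Enterprise-to-Industrial rule, which sits on neither IDMZ firewall and therefore has to be removed by hand.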

(29)

Scalable Network Security Framework

One Size Does Not Fit All

Recommended – Depends …. based on customer standards, security policies and procedures, risk tolerance, and alignment with IACS Security Standards

(30)

Network Security Framework

Converged Plant-wide Ethernet (CPwE) Reference Architectures

Structured and Hardened IACS Network Infrastructure

Industrial security policy

Pervasive security, not a bolt-on component

Security framework utilizing defense-in-depth approach

Industrial DMZ implementation

Remote partner access policy, with robust & secure implementation

Network Security Services Must Not Compromise Operations of the IACS

Figure: CPwE reference architecture spanning the Enterprise Zone (Levels 4-5), the Industrial Demilitarized Zone (IDMZ), Level 3 – Site Operations, Level 2 – Area Supervisory Control, Level 1 – Controller and Level 0 – Process. Labels: Enterprise WAN; Catalyst 3750 StackWise Switch Stack; Catalyst 6500/4500; Cisco ASA 5500 Firewall (Active) / Firewall (Standby); MCC; HMI; Controllers, I/O, Drives; Soft Starter; Controller; Drive; Physical or Virtualized Servers (Patch Management, Remote Gateway Services, Application Mirror, AV Server); Network Device Resiliency; VLANs; Standard DMZ Design Best Practices; Network Infrastructure Access Control and Hardening; Physical Port Security; VLANs, Segmenting Domains of Trust; AAA - Application Authentication Server, Active Directory (AD), Remote Access Server; Client Hardening; Network Status and Monitoring.

Plant Firewall:

• Inter-zone traffic segmentation

• ACLs, IPS and IDS

• VPN Services

• Portal and Terminal Server proxy

(31)

Secure Remote Access

CPwE - Solution

Figure: Internet; Enterprise Zone, Levels 4 and 5; Demilitarized Zone (DMZ); Remote Engineer.

(32)

Secure Remote Access

CPwE - Solution

Figure: Remote Engineer or Partner connects over the Internet with the Cisco VPN Client (IPSEC VPN) through the Enterprise Edge Firewall; Enterprise Zone, Levels 4 and 5 (Enterprise WAN, Enterprise Data Center); Demilitarized Zone (DMZ); Industrial Zone, Site Operations and Control, Level 3; Levels 0–2 Cell/Area Zones.

(33)

Secure Remote Access

CPwE - Solution

Figure: Enterprise Zone, Levels 4 and 5 (Internet, Enterprise WAN, Enterprise Data Center, Enterprise Edge Firewall); Demilitarized Zone (DMZ): Firewall (Active) / Firewall (Standby) with Gbps Link Failover Detection, Cisco ASA 5500, Patch Management, Terminal Services, Application Mirror, AV Server; Remote Engineer or Partner and Enterprise Connected Engineer with Cisco VPN Client; labels: IPSEC VPN, SSL VPN, HTTPS.

(34)

Secure Remote Access

CPwE - Solution

Figure: Levels 0–2 Cell/Area Zones; Industrial Zone, Site Operations and Control, Level 3 (Remote Access Server, Catalyst 6500/4500); Demilitarized Zone (DMZ): Firewall (Active) / Firewall (Standby) with Gbps Link Failover Detection, Cisco ASA 5500, Patch Management, Terminal Services, Application Mirror, AV Server; Enterprise Zone, Levels 4 and 5 (Internet, Enterprise WAN, Enterprise Data Center, Enterprise Edge Firewall); Remote Engineer or Partner and Enterprise Connected Engineer with Cisco VPN Client; labels: IPSEC VPN, SSL VPN, HTTPS, Remote Desktop Protocol (RDP).

(35)

FactoryTalk Application Servers •View

Secure Remote Access

CPwE - Solution

1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall

2. Portal on plant firewall enables access to industrial application data and files. Intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host

3. Firewall proxies a client session to remote access server

4. Access to applications on remote access server is restricted to specified plant floor resources through industrial application
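The four-step chain above also gives a monitoring baseline: every flow crossing the plant firewalls should correspond to one of the steps, and anything else is worth an analyst's attention. The following is an added example, not Rockwell's or Cisco's code: the addressing plan, the log line format and SAMPLE_LOG are constructed for illustration. It classifies each flow as the step it matches, or as an alert when a VPN client reaches past the portal, when something other than the firewall proxy enters the Industrial Zone, or when the remote access server touches a resource outside its allowed set.

```python
"""Classify firewall flow records against the documented remote-access chain.
Added example; addressing plan, log format and SAMPLE_LOG are constructed."""
import ipaddress
from collections import namedtuple

# Constructed addressing plan (assumption, not taken from the slides).
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")         # addresses issued to remote engineers' VPN clients
PLANT_FW_PORTAL = ipaddress.ip_address("10.1.255.1")     # plant DMZ firewall address that hosts the portal
IDMZ_NET = ipaddress.ip_network("10.35.0.0/24")
FW_PROXY = ipaddress.ip_address("10.35.0.1")             # address the plant firewall proxies sessions from
INDUSTRIAL_NET = ipaddress.ip_network("10.30.0.0/16")    # Industrial Zone, Level 3 and below
RAS = ipaddress.ip_address("10.30.0.10")                 # remote access server
ALLOWED_FROM_RAS = {ipaddress.ip_address("10.30.1.20")}  # the specified plant-floor resources

Flow = namedtuple("Flow", "ts src dst proto dport")


def parse_flow(line):
    """Parse one constructed log line: '<timestamp> src=<ip> dst=<ip> proto=<p> dport=<n>'."""
    ts, *rest = line.split()
    fields = dict(tok.split("=", 1) for tok in rest)
    return Flow(ts, ipaddress.ip_address(fields["src"]), ipaddress.ip_address(fields["dst"]),
                fields["proto"], int(fields["dport"]))


def classify(flow):
    """Map a flow to the step it matches, or to an ALERT_* code when it deviates."""
    # Steps 1-2: a VPN client may reach only the portal on the plant DMZ firewall.
    if flow.src in VPN_POOL:
        if flow.dst == PLANT_FW_PORTAL and flow.proto == "tcp" and flow.dport == 443:
            return "OK_PORTAL"
        return "ALERT_VPN_BYPASS"
    # Step 3: the only traffic entering the Industrial Zone from outside is the
    # firewall-proxied session to the remote access server.
    if flow.dst in INDUSTRIAL_NET and flow.src not in INDUSTRIAL_NET:
        if flow.src == FW_PROXY and flow.dst == RAS and flow.proto == "tcp" and flow.dport == 3389:
            return "OK_PROXIED_RAS"
        return "ALERT_INBOUND_NOT_PROXIED"
    # Step 4: from the RAS only the specified plant-floor resources may be reached.
    if flow.src == RAS and flow.dst not in ALLOWED_FROM_RAS:
        return "ALERT_RAS_SCOPE"
    return "OK"


def triage(lines):
    """Return [(timestamp, code)] for every log line."""
    return [(f.ts, classify(f)) for f in map(parse_flow, lines)]


# Constructed sample log: three conforming flows and three deviations.
SAMPLE_LOG = [
    "2015-06-01T10:00:01Z src=10.200.0.5 dst=10.1.255.1 proto=tcp dport=443",    # step 1-2
    "2015-06-01T10:00:02Z src=10.200.0.5 dst=10.30.1.20 proto=tcp dport=44818",  # VPN client straight to the plant floor
    "2015-06-01T10:00:03Z src=10.35.0.1 dst=10.30.0.10 proto=tcp dport=3389",    # step 3
    "2015-06-01T10:00:04Z src=10.1.5.7 dst=10.30.0.10 proto=tcp dport=3389",     # enterprise host reaches the RAS directly
    "2015-06-01T10:00:05Z src=10.30.0.10 dst=10.30.1.20 proto=tcp dport=443",    # step 4
    "2015-06-01T10:00:06Z src=10.30.0.10 dst=10.30.2.5 proto=tcp dport=44818",   # RAS reaching an unlisted device
]

if __name__ == "__main__":
    for ts, code in triage(SAMPLE_LOG):
        print(ts, code)
```

The classification is ordered by position in the chain, so a flow is judged against the tightest rule that applies to its source: VPN clients first, then anything entering the Industrial Zone, then the RAS itself. Flows between two Industrial Zone hosts that do not involve the RAS fall through as "OK" because this check is only about the remote-access path.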

(36)

Network Security Framework

Stratix 5900

Unified Threat Management (UTM)

Figure: Levels 4 & 5 – Data Center, Enterprise Zone: Enterprise-wide Business Systems. Level 3.5 - IDMZ. Level 3 - Site Operations, Industrial Zone: Physical or Virtualized Servers (FactoryTalk Application Servers & Services Platform; Network Services – e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; Storage Array). Levels 0-2 Cell/Area Zones: Remote Site #1, Local Cell/Area Zone #1, Local OEM Skid / Machine #1.

(37)

Network Security Framework

Physical Port Security

Keyed solutions for copper and fiber

Lock-in, Blockout products secure connections

Data Access Port

(38)

IACS Security

EtherNet/IP Industrial Automation & Control System Network

Open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks

Secured by configuration:

Protect the network

- Electronic Security Perimeter

Defend the edge

- Industrial DMZ (IDMZ)

Defense-in-Depth

(39)

Network & Security Services:

(40)

Align with Industrial Automation and Control System Security Standards

DHS External Report # INL/EXT-06-11478, NIST 800-82, ISO/IEC-62443 (Formerly ISA-99)

Implement Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks

Establish an open dialog between Industrial Automation and IT groups

Establish an industrial security policy

Establish an IDMZ between the Enterprise and Industrial Zones

Work with trusted partners knowledgeable in automation & security

"Good enough" security now, is better than "perfect" security ...never.

(Tom West, Data General)

IACS Security

(41)

Additional Material

Industrial Security Resources

(42)

Additional Material

Websites

Reference Architectures

Design Guides

Converged Plant-wide Ethernet (CPwE)

CPwE Resilient Ethernet Protocol (REP)

Application Guides

Fiber Optic Infrastructure Application Guide

Wireless Design Considerations for Industrial Applications

Whitepapers

Top 10 Recommendations for Plant-wide EtherNet/IP Deployments

Securing Manufacturing Computer and Controller Assets

Production Software within Manufacturing Reference Architectures

Achieving Secure Remote Access to plant-floor Applications and Data

Design Considerations for Securing Industrial Automation and

(43)

Additional Material

A new ‘go-to’ resource for educational, technical and thought leadership information about industrial communications

Standard Internet Protocol (IP) for Industrial Applications

Coalition of like-minded companies

(44)

www.rockwellautomation.com

Follow ROKAutomation on Facebook & Twitter.

Connect with us on LinkedIn.

Rev 5058-CO900F

Please remember to tidy up your work area for the next session.

We want your feedback! Please complete the session survey!
