abid ali, network and security consultant. · author: rpurkay created date: 3/15/2015 11:38:46 pm
TRANSCRIPT
Copyright © 2012 Rockwell Automation, Inc. All rights reserved.
Securing the Connected Enterprise
ABID ALI,
Network and Security Consultant.
Why Infrastructure Matters – Rapidly Growing Markets
Global Network Infrastructure and Security Markets
Industrial security market:
• 13.7% CAGR over the next five years
• 2012: $1.7B market for industrial security
• NIST 800 cyber security framework
• Internet of Things – over $3T in manufacturing
Network infrastructure market:
• 12.1% CAGR over the next five years
• 2012: $8.3B market ($900M industrial switches)
• Shift to Ethernet, virtualization and COTS
• Disruptive technologies not included
Basic Network Parameters
• Basic business requirements:
  • Confidentiality
  • Integrity
  • Availability
• Secure usability and manageability requirements:
  • Low end-user or end-device impact and high end-user transparency
  • Manageability
  • Low performance impact
  • Authentication, authorization, and auditing
  • Support integration with enterprise applications and remote users
[Figure: the Confidentiality / Integrity / Availability triangle]
Assets to Protect
• Endpoints
• Infrastructure:
  • Network infrastructure
  • Systems infrastructure
• Applications
• Data at rest and in motion
Threats
• Malicious code (malware)
• Distributed denial-of-service (DDoS) attacks
• Eavesdropping attacks
• Collateral damage
• Unauthorized access attacks
• Unauthorized use of assets, resources, or information
• Reconnaissance attacks
Security Approach
• Assess the network
• Security policy
• Security enforcement techniques
• Identification
• Mitigation
• Documentation
Assess the Network
• Network devices and topology: switches, routers, firewalls
• End-points: servers, PCs, HMIs, programmable controllers
• Protocols: CIP, PROFINET, SCADA, MODBUS, PTP, HTTPS, SSH, SNMP
• Applications: Studio 5000, TIA Portal, FactoryTalk
• Organization structure:
  • Information Technology and Operations Technology departments
  • Administrators and users, remote support
Security Policy
• Organizations should have a security policy.
• The security policy enables an organization to follow a consistent program for maintaining an acceptable level of security.
• The security policy defines and constrains behaviors by both personnel and components within the system.
• The security policy identifies vulnerability mitigation.
• The security policy components are as follows:
  • Network device hardening
  • End-device hardening
  • Protecting the interior
  • Remote access policy
  • Security, management, analysis and response system
Network Device Threats
• Remote access threats: unauthorized remote access
• Local access and physical threats:
  • Damage to equipment
  • Password recovery
  • Device theft
  • Malicious end-points inserted into the network
Network Device Security Components
• Access control lists (ACLs) to control remote access to a switch
• Switch-based authentication to manage network security
• VLANs for Layer 2 segmentation in the network
• Secure management and monitoring:
  • Secure Shell (SSH) and HTTPS switch access
  • SNMPv3 support, which encrypts the protocol used to manage and monitor the network infrastructure
• Port-based security to prevent access from unauthorized devices, including the following:
  • Limited number of allowed MAC addresses on a physical port
  • Limited allowance of MAC address range on a switch port
  • MAC address notification
• Control-plane policing for switches and routers
Software Updates
• Network devices:
  • The Cisco Product Security Incident Response Team (PSIRT) addresses security issues in Cisco products: http://www.cisco.com/go/psirt
  • The Cisco PSIRT publishes:
    • Cisco Security Advisories
    • Cisco Security Responses
    • Cisco Security Notices
    • Cisco Notification Service
  • Cisco IOS upgrades to fix security issues
    Caution: A Cisco IOS upgrade requires downtime. Schedule a maintenance window to perform upgrades.
• HMI, server, and computer operating systems:
  • Patch the OS to fix security issues
  • Disable automatic updates
  • Test patches before implementing them
Device-Based Authentication
• Password protection:
  • Enable secret password
  • Line password
• Username and password:
  • Local database
  • Remote database
• AAA:
  • Authentication
  • Authorization
  • Accounting
[Figure: access paths to the device – console, and Ethernet via Telnet, SSH, HTTP and HTTPS]
Switch-Based Authentication (Cont.)
Configuring the Enable Secret Password
IE2K-1(config)# enable secret <password>
IE2K-1(config)# service password-encryption
Switch-Based Authentication (Cont.)
Configuring the Username and Password Pairs

IE2K-1(config)# username STUDENT password 0 cisco123
IE2K-1(config)# aaa new-model
IE2K-1(config)# aaa authentication login default local
Remote Device Management
• Remote access to CLI: Telnet, SSH
• Remote access to GUI: HTTP, HTTPS
[Figure: remote management paths – Telnet, SSH, HTTP, HTTPS]
Remote Device Management (Cont.)
Configuring the SSH Server

switch(config)# hostname IE2K-1
IE2K-1(config)# ip domain-name cisco.com
IE2K-1(config)# crypto key generate rsa
The name for the keys will be: IE2K-1.cisco.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 5 seconds)

IE2K-1(config)# ip ssh version 2
IE2K-1(config)# line vty 0 15
IE2K-1(config-line)# transport input ssh

IE2K-1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAYQCULoJUd+DOnTQUmNyAKo9Z5X0mBU4Q569sz6e38bAsDz1qSRgIJrqZSHSH/aapnyC+hqi6q1ONj4LoIGQx9dfdnEXRAXH5TjuNJowN+07z3vwjZxKBLDWEayGupsF9x6c=
Remote Device Management (Cont.)
PuTTY Terminal Emulator Settings – SSH connection
Remote Device Management (Cont.)
PuTTY Terminal Emulator Settings – SSH version
Remote Device Management (Cont.)
HTTPS
Remote Device Management (Cont.)
Simple Network Management Protocol
• SNMP provides a message format for communication between network devices and network management.
• SNMP versions:
  • SNMPv1
  • SNMPv2c
  • SNMPv3 – most secure: username authentication, encrypted communication
[Figure: SNMP manager exchanging SNMP messages with the managed network devices]
Port Security
Port security allows you to configure interfaces to allow inbound traffic only from a restricted set of MAC addresses.
! MAC addresses are given in the IOS xxxx.xxxx.xxxx format
IE2K-1(config)# interface FastEthernet1/4
IE2K-1(config-if)# switchport mode access
IE2K-1(config-if)# switchport access vlan 21
IE2K-1(config-if)# switchport port-security
IE2K-1(config-if)# switchport port-security mac-address 0000.0200.0004

IE2K-1(config)# interface FastEthernet1/5
IE2K-1(config-if)# switchport mode access
IE2K-1(config-if)# switchport access vlan 21
IE2K-1(config-if)# switchport port-security
IE2K-1(config-if)# switchport port-security mac-address 0000.0200.0005
[Figure: FE1/4 and FE1/5 each bound to their secure MAC address; a nonsecure MAC address 0000.1111.5555 is not allowed on the port]
VLAN Design Considerations
• Always use a dedicated native VLAN ID for all trunk ports.
• Disable all unused ports and put them in an unused VLAN.
• Do not use VLAN 1 for anything.
• Configure all end device-facing ports as nontrunking (DTP off).
• Explicitly configure trunking on infrastructure ports.
• Set the default port status to disable.
[Figure: Cisco Catalyst 3750 switch stack with trunking ports toward the infrastructure and nontrunking ports toward end devices]
Traffic Filtering with ACLs
• An ACL is a list of permit and deny statements.
• An ACL identifies traffic based on the information within the packet.
• After traffic is identified, different actions can be taken.
• ACLs can be used on routers, switches, firewalls, and other network devices.
• Traffic filtering with ACLs:
  • Inbound
  • Outbound

IE2K-1(config)# ip access-list extended REMOTE_MGMT
IE2K-1(config-ext-nacl)# permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
IE2K-1(config-ext-nacl)# exit
IE2K-1(config)# interface GigabitEthernet1/1
IE2K-1(config-if)# ip access-group REMOTE_MGMT in
[Figure: ACL REMOTE_MGMT applied inbound on GE1/1, permitting the 10.2.2.0/24 management subnet to reach the hosts 10.1.1.21, 10.1.1.31, 10.1.1.41 and 10.1.1.51]
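As an added example that is not part of the slides, the following Python model shows how an extended ACL such as REMOTE_MGMT is evaluated: entries are tested in order using Cisco wildcard masks, the first match wins, and any packet no entry matches falls to the implicit "deny ip any any". The entry parser, the evaluate_acl helper and the sample addresses are constructed for this example.

```python
import ipaddress

# Added example (not from the slides): a model of IOS extended ACL evaluation.
# Entries are tested top-down, the first match wins, and anything no entry
# matches hits the implicit "deny ip any any" at the end of every ACL.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def parse_entry(line: str) -> tuple:
    """Parse 'permit|deny ip <src> <dst>'; each side is 'A.B.C.D W.X.Y.Z', 'host A.B.C.D' or 'any'."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line}")
    def take(rest):
        if rest[0] == "any":        # all 32 bits 'don't care'
            return ("0.0.0.0", "255.255.255.255"), rest[1:]
        if rest[0] == "host":       # exact match on one address
            return (rest[1], "0.0.0.0"), rest[2:]
        return (rest[0], rest[1]), rest[2:]
    (s_net, s_wc), rest = take(rest)
    (d_net, d_wc), rest = take(rest)
    return (action, s_net, s_wc, d_net, d_wc)

def evaluate_acl(entries, src: str, dst: str) -> tuple:
    """Return (action, index of the matching entry); index None means the implicit deny fired."""
    for i, (action, s_net, s_wc, d_net, d_wc) in enumerate(entries):
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action, i
    return "deny", None

# The REMOTE_MGMT list from the slide: exactly one permit entry, then the implicit deny.
REMOTE_MGMT = [parse_entry("permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255")]

if __name__ == "__main__":
    # constructed sample flows: management host, outside host, management host to the wrong subnet
    for src, dst in [("10.2.2.7", "10.1.1.21"), ("192.168.1.5", "10.1.1.21"), ("10.2.2.7", "10.1.2.9")]:
        print(src, "->", dst, evaluate_acl(REMOTE_MGMT, src, dst))
```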
Firewalls
• Firewalls control traffic flow:
  • Isolate interfaces from each other
  • Control connections with security and translation policies
• Firewalls provide:
  • Inter-zone traffic segmentation
  • Access Control Lists (ACLs)
  • Intrusion Prevention System (IPS)
  • VPN services
[Figure: firewall separating the Internet, Enterprise Network, DMZ and Industrial Network]
Intrusion Prevention System
• The IPS prevents attacks against devices:
  • Standalone or integrated in Cisco ASA
  • Inline versus promiscuous mode
[Figure: IPS placed between the Enterprise Network, the DMZ and Site Manufacturing Operations and Control]
VPNs and Benefits
• VPN usage: connecting headquarters, plant, and business partners
• VPN characteristics:
  • Virtual – information within a private network is transported over a public network.
  • Private – traffic is separated by a tunnel, so traffic can be encrypted to keep the data confidential.
• VPN benefits: cost savings
[Figure: site-to-site VPNs over the Internet/WAN between HQ, Plant and Business Partner; remote-access VPN for a Consultant]
IPsec
• IPsec acts at the network layer, protecting and authenticating IP packets.
• IPsec is a framework of open standards that is algorithm-independent.
• IPsec services provide four critical functions:
  • Confidentiality
  • Data integrity
  • Authentication
  • Anti-replay protection
[Figure: IPsec tunnel across the Internet]
Cisco SSL VPN Solutions
[Figure: Cisco AnyConnect client SSL VPN tunnel across the Internet to a Cisco Catalyst 3750 switch stack]
Identify Security Incidents
• Port mirroring on routers and switches that feed IPS
• Cisco IOS NetFlow from routers to flow collectors
• Network Management System
• Selected security event types to log:

Event Type      | Source           | Events
Attribution     | DHCP server      | IP assignments to machine, MAC address
                | VPN server       | IP assignments to user, WAN address
                | NAT gateway      | IP assignment translation to RFC 1918
                | 802.1x auth      | IP assignment to user, MAC address
System activity | Server syslog    | Authentication and authorization; services starting and stopping; configuration changes; security events
Firewall logs   | Network firewall | Accepted, denied connections
Identify Security Incidents (Cont.)
• You can use port mirroring to identify security incidents.
• The SPAN feature allows traffic to be copied from one or more source ports or source VLANs to one or more destination ports on the same switch for capture and analysis.
• SPAN sources:
  • Fast Ethernet
  • Gigabit Ethernet
  • EtherChannel
  • VLANs
[Figure: SPAN – Switched Port Analyzer. Traffic entering the switch is forwarded to its true destination port, and a copy is received on the SPAN destination port]
Identify Security Incidents (Cont.)
• Configure SPAN to identify security incidents – CLI example:
  • You suspect a DoS attack attempt.
  • The attack comes from outside.

IE2K-1(config)# monitor session 1 source interface GigabitEthernet 1/1
IE2K-1(config)# monitor session 1 filter vlan 105
IE2K-1(config)# monitor session 1 destination interface FastEthernet 1/3

IE2K-1# show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Gi1/1
Destination Ports : Fa1/3
Encapsulation     : Native
    Ingress       : Disabled
Filter VLANs      : 105
[Figure: traffic arriving on GE1/1 mirrored to FE1/3]
Identify Security Incidents (Cont.)
• Configure SPAN to identify security incidents – Device Manager: Configure > Smartports
Identify Security Incidents (Cont.)
• Use Wireshark to identify security incidents.
Document Security Incidents
[Figure: flow record for a suspected incident]
Who? (source and destination): IP address, host group, country
When? Active duration 3 minutes 30 seconds; total duration 2 days 5 hours 56 minutes (Feb 13, 2014 8:15:00 AM to Feb 15, 2014 2:11:00 PM)
How? Service http (tcp:80); application HTTP
How much? 100.11 MBytes; 108.3 k packets
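As an added example that is not part of the slides, the Python below ties the "Attribution" and "Firewall logs" rows of the event table to the who / when / how record of the documentation slide: it parses a port-security violation from the switch and a denied connection from the firewall, resolves IP to MAC (and back) through a DHCP lease table, and groups the result per machine. The log lines, lease table, hostnames and addresses are all constructed for this example; the message layouts follow Cisco IOS and ASA syslog but are not taken from the deck.

```python
import re

# Added example (not from the slides): parses constructed switch and firewall syslog lines,
# attributes them to a machine via a DHCP lease table (the "Attribution" source above), and
# builds a who / when / how incident record. Formats follow Cisco IOS/ASA syslog, but every
# line and address here is constructed.

DHCP_LEASES = {  # constructed attribution data: IP address -> (MAC address, hostname)
    "10.1.1.31": ("0000.1111.5555", "unknown-laptop"),
    "10.1.1.21": ("0000.0200.0005", "hmi-21"),
}
PSEC = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address (\S+) on port (\S+)\.")
DENY = re.compile(r"%ASA-4-106023: Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")

def parse_events(lines, leases):
    """Parse known message types into event dicts and attribute each to an IP, MAC and host."""
    mac_to_ip = {mac: ip for ip, (mac, _) in leases.items()}
    events = []
    for line in lines:
        when = line[:15]  # "Mon DD HH:MM:SS" prefix; lexical order is fine within one month
        if m := PSEC.search(line):    # switch knows the MAC; look up which IP DHCP gave it
            e = {"when": when, "type": "port_security_violation", "mac": m.group(1),
                 "port": m.group(2), "src": mac_to_ip.get(m.group(1))}
        elif m := DENY.search(line):  # firewall knows the IP; look up the MAC behind it
            e = {"when": when, "type": "firewall_deny", "proto": m.group(1), "src": m.group(2),
                 "dst": m.group(3), "dport": int(m.group(4)), "mac": leases.get(m.group(2), (None,))[0]}
        else:
            continue  # other message types are not part of this example
        e["host"] = leases[e["src"]][1] if e["src"] in leases else None
        events.append(e)
    return events

def incident_record(events):
    """Group attributed events by MAC address into who / when / how fields."""
    records = {}
    for e in [x for x in events if x["mac"]]:  # unattributed events need manual follow-up
        r = records.setdefault(e["mac"], {"host": e["host"], "ip": e["src"], "first": e["when"],
                                          "last": e["when"], "how": set()})
        r["first"], r["last"] = min(r["first"], e["when"]), max(r["last"], e["when"])
        r["how"].add(e["type"] if e["type"] != "firewall_deny" else f"{e['proto']}/{e['dport']} to {e['dst']}")
    return records

LOG_LINES = [  # constructed sample lines
    "Feb 13 08:15:00 IE2K-1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0000.1111.5555 on port FastEthernet1/5.",
    "Feb 13 08:15:07 plant-fw %ASA-4-106023: Deny tcp src inside:10.1.1.31/51234 "
    'dst dmz:10.1.2.10/80 by access-group "INSIDE_IN"',
]
```

Running incident_record(parse_events(LOG_LINES, DHCP_LEASES)) yields one record keyed by the MAC address, with the host, its leased IP, the first and last timestamps, and the set of observed behaviours.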
Summary
• As industrial applications become connected to enterprise systems, they are exposed to the same types of threats as traditional IT networks.
• Maintaining up-to-date IOS and firmware revisions increases device security.
• Usernames and passwords are used to prevent unauthorized access to switches and routers.
• SSH and HTTPS provide secure remote management.
• VLAN security measures prevent unauthorized access to the network.
• ACLs are used to control traffic to the network.
• Firewalls and IPS are used to protect the control network from threats that could come from the enterprise network.
• VPNs are used to protect sensitive data sent over public networks.
• Traffic monitoring can provide information about attacks.
• Certain information, such as source IP addresses and target applications, should be gathered and documented during suspected security incidents.
Network Security Service Offerings – Converged Plant-wide Ethernet (CPwE) Reference Architectures
• Structured and hardened IACS network infrastructure
• Industrial security policy
• Pervasive security, not a bolt-on component
• Security framework utilizing a defense-in-depth approach
• Industrial DMZ implementation
• Remote partner access policy, with robust & secure implementation
[Figure: CPwE reference architecture. Enterprise Zone (Levels 4-5) with the Enterprise WAN. Industrial Demilitarized Zone (IDMZ) with active/standby Cisco ASA 5500 plant firewalls (inter-zone traffic segmentation; ACLs, IPS and IDS; VPN services; portal and terminal server proxy) and physical or virtualized servers (patch management, remote gateway services, application mirror, AV server), following standard DMZ design best practices. Level 3 – Site Operations with Catalyst 6500/4500 and Catalyst 3750 StackWise switch stacks, AAA – application (authentication server, Active Directory, remote access server), AAA – network, network status and monitoring, VLANs segmenting domains of trust, network device resiliency, network infrastructure access control and hardening, unified threat management (UTM) and client hardening. Level 2 – Area Supervisory Control with HMI and FactoryTalk clients. Level 1 – Controller and Level 0 – Process with controllers, I/O, drives, soft starters and MCC, protected by controller hardening, physical port security, physical security and encrypted communications]
Global Solutions – Bringing you a world of experience
• Consistent methodology deployed in all locations
• The right team for your project from our worldwide talent
• All major industries
• Any production environment
• Combining technology & application knowledge
• Based on PMI® PMBOK®
• Certified project managers
• Repeatable, measurable, auditable
• Risk management
Domain Expertise | Global Execution | Project Management
Information | Process | Discrete Automation | Power Motion | Sustainable Production | Technology Migration | Hardware Integration
80 Countries | 20 Languages | 2500+ Employees | Average 13+ Years Experience | Single point of contact
Helping you exceed your business goals
www.rockwellautomation.com
Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn.
Thank you for participating!
Your feedback is valuable!
Please complete the session survey.
E-Mail us – [email protected]