ABID ALI, Network and Security Consultant · Author: RPurkay · Created Date: 3/15/2015 11:38:46 PM

38 slides. Copyright © 2012 Rockwell Automation, Inc. All rights reserved.

TRANSCRIPT

Page 1

Securing the Connected Enterprise

ABID ALI, Network and Security Consultant

Page 2

Why Infrastructure Matters: Rapidly Growing Markets

Global Network Infrastructure and Security Markets

Industrial security:
• 13.7% CAGR over the next five years
• 2012: $1.7B market for industrial security
• NIST 800 cyber security framework
• Internet of Things: over $3T in manufacturing

Network infrastructure:
• 12.1% CAGR over the next five years
• 2012: $8.3B market ($900M of it industrial switches)
• Shift to Ethernet, virtualization and COTS
• Disruptive technologies not included

Page 3

Basic Network Parameters

• Basic business requirements:
  • Confidentiality
  • Integrity
  • Availability

• Secure usability and manageability requirements:
  • Low end-user or end-device impact and high end-user transparency
  • Manageability
  • Low performance impact
  • Authentication, authorization, and auditing
  • Support for integration with enterprise applications and remote users

[Figure: the CIA triad (Integrity, Confidentiality, Availability)]

Page 4

Assets to Protect

• Endpoints
• Infrastructure:
  • Network infrastructure
  • Systems infrastructure
• Applications
• Data at rest and in motion

Page 5

Threats

• Malicious code (malware)
• Distributed denial-of-service (DDoS) attacks
• Eavesdropping attacks
• Collateral damage
• Unauthorized access attacks
• Unauthorized use of assets, resources, or information
• Reconnaissance attacks

Page 6

Security Approach

• Assess the network
• Security policy
• Security enforcement techniques
• Identification
• Mitigation
• Documentation

Page 7

Assess the Network

• Network devices and topology: switches, routers, firewalls
• Endpoints: servers, PCs, HMIs, programmable controllers
• Protocols: CIP, PROFINET, Modbus and other SCADA protocols, PTP, HTTPS, SSH, SNMP
• Applications: Studio 5000, TIA Portal, FactoryTalk
• Organization structure: Information Technology and Operations Technology departments; administrators and users; remote support

Page 8

Security Policy

• Organizations should have a security policy.
• The security policy enables an organization to follow a consistent program for maintaining an acceptable level of security.
• The security policy defines and constrains the behavior of both personnel and components within the system.
• The security policy identifies how vulnerabilities are mitigated.
• The security policy components are as follows:
  • Network device hardening
  • End-device hardening
  • Protecting the interior
  • Remote access policy
  • Security management, analysis and response system

Page 9

Network Device Threats

• Remote access threats:
  • Unauthorized remote access
• Local access and physical threats:
  • Damage to equipment
  • Password recovery
  • Device theft
  • Malicious endpoints inserted into the network

Page 10

Network Device Security Components

• Access control lists (ACLs) to control remote access to a switch
• Switch-based authentication to manage network security
• VLANs for Layer 2 segmentation in the network
• Secure management and monitoring:
  • Secure Shell (SSH) and HTTPS switch access
  • SNMPv3, which adds authentication and encryption to the protocol used to manage and monitor the network infrastructure
• Port-based security to prevent access from unauthorized devices, including the following:
  • Limited number of allowed MAC addresses on a physical port
  • Limited allowed MAC address range on a switch port
  • MAC address notification
• Control-plane policing for switches and routers

Page 11

Software Updates

• Network devices:
  • The Cisco Product Security Incident Response Team (PSIRT) addresses security issues in Cisco products: http://www.cisco.com/go/psirt
  • The Cisco PSIRT publishes:
    • Cisco Security Advisories
    • Cisco Security Responses
    • Cisco Security Notices
    • Cisco Notification Service
  • Cisco IOS upgrade to fix security issues

  Caution: A Cisco IOS upgrade requires a reload and therefore downtime. Schedule a maintenance window to perform upgrades.

• HMI, server and computer operating systems:
  • Patch the OS to fix security issues
  • Disable automatic updates on production systems, so that patches are applied only through a controlled change
  • Test patches before implementing them

Page 12

Device-Based Authentication

• Password protection:
  • Enable password (legacy; stored in cleartext or with reversible type 7 encoding)
  • Enable secret password (stored as a hash; preferred)
  • Line password (console and vty lines)
• Username and password:
  • Local database
  • Remote database
• AAA:
  • Authentication
  • Authorization
  • Accounting

[Figure: management access paths to the switch: console, and Ethernet via Telnet, SSH, HTTP and HTTPS]

Page 13

Switch-Based Authentication (Cont.)

Configuring the Enable Secret Password

IE2K-1(config)# enable secret <password>
IE2K-1(config)# service password-encryption

Note: enable secret stores a salted hash of the password. service password-encryption only obfuscates the line, username and enable passwords that are still held in the configuration, using the reversible type 7 encoding; it hides them from a casual look at show running-config but does not protect a leaked configuration file.

Page 14

Switch-Based Authentication (Cont.)

Configuring the Username and Password Pairs

IE2K-1(config)# username STUDENT password 0 cisco123
IE2K-1(config)# aaa new-model
IE2K-1(config)# aaa authentication login default local

Note: password 0 enters the password in cleartext, and it stays recoverable in the configuration even after service password-encryption; username STUDENT secret <password> stores a hash instead. Create the local user before enabling aaa new-model with the local method as the default, or the vty lines can lock you out of the switch.
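Added worked example for pages 13 and 14 (editor's code, not part of the Rockwell slides): it shows what service password-encryption actually does to a configuration, next to what a hashed secret looks like, and audits a running-config fragment for the three storage forms. Cisco's type 7 scheme is the well-known fixed-key XOR: a two-digit decimal seed selects an offset into a constant key string, and each password byte is XORed with successive key bytes, so it can be undone by anyone holding the file. Assumptions: the 40-byte key covers lab-length passwords only; PBKDF2-SHA256 stands in for IOS's own type 5/8/9 hash algorithms as an illustration of one-way storage; SAMPLE_CONFIG and the hash string in it are constructed for the example.

```python
# Added example, not from the slides: reversible "type 7" vs. hashed secrets,
# plus an audit over a constructed config fragment. Nothing talks to a switch.
from __future__ import annotations

import hashlib
import hmac
import os

# Constant key used by the type 7 scheme (40 bytes). Passwords longer than
# 40 - seed bytes are out of scope here (assumption: lab-length passwords).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_encode(plaintext: str, seed: int = 2) -> str:
    """Produce the string IOS shows after `password 7` for `plaintext`."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    data = plaintext.encode()
    if seed + len(data) > len(_TYPE7_KEY):
        raise ValueError("password too long for this example's 40-byte key")
    body = bytes(b ^ _TYPE7_KEY[seed + i] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a `password 7 <hex>` value; XOR is symmetric."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[seed + i] for i, b in enumerate(body)).decode()


def secret_store(password: str, salt: bytes | None = None) -> str:
    """Salted, iterated one-way hash (PBKDF2-SHA256 as an illustration; IOS
    uses its own type 5/8/9 algorithms). There is no decode for this."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${dk.hex()}"


def secret_verify(password: str, stored: str) -> bool:
    """Check a password against a stored salted hash in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def _credential(tokens: list[str]) -> tuple[str, list[str]] | None:
    """Locate the secret/password keyword in an `enable` or `username` line."""
    if not tokens or tokens[0] not in ("enable", "username"):
        return None
    start = 1 if tokens[0] == "enable" else 2          # skip the user name
    for i in range(start, len(tokens)):
        if tokens[i] in ("secret", "password") and i + 1 < len(tokens):
            return tokens[i], tokens[i + 1:]
    return None


def audit_config(config_text: str) -> list[tuple[str, str]]:
    """Return (line, finding) for every credential line in a config dump:
    'hashed' for secret (type 5/8/9, or hashed by IOS on entry),
    'reversible: <plaintext>' for password 7, 'cleartext' for password 0
    or a password given with no type digit."""
    findings: list[tuple[str, str]] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        cred = _credential(line.split())
        if cred is None:
            continue
        kind, rest = cred
        enc_type = rest[0] if len(rest) > 1 and rest[0].isdigit() else "0"
        if kind == "secret":
            finding = "hashed"
        elif enc_type == "7":
            finding = f"reversible: {type7_decode(rest[1])}"
        else:
            finding = "cleartext"
        findings.append((line, finding))
    return findings


# Constructed configuration fragment modelled on the slide's commands; the
# type 5 hash string is a placeholder, not a real device's secret.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username STUDENT password 0 cisco123
username OPS password 7 02050D480809
line vty 0 15
 transport input ssh
"""


def audit_sample() -> list[tuple[str, str]]:
    """Run the audit over the constructed fragment."""
    return audit_config(SAMPLE_CONFIG)
```

Running audit_sample() flags the STUDENT account as cleartext and recovers "cisco" from the OPS account's type 7 string, while the enable secret is reported as hashed; that is the practical difference between the two slides' commands. Run the same audit over a real show running-config export before it is archived or shared with a vendor.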

Page 15

Remote Device Management

• Remote access to the CLI:
  • Telnet
  • SSH
• Remote access to the GUI:
  • HTTP
  • HTTPS

Page 16

Remote Device Management (Cont.)

Configuring the SSH Server

switch(config)# hostname IE2K-1
IE2K-1(config)# ip domain-name cisco.com
IE2K-1(config)# crypto key generate rsa
The name for the keys will be: IE2K-1.cisco.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 5 seconds)

IE2K-1(config)# ip ssh version 2
IE2K-1(config)# line vty 0 15
IE2K-1(config-line)# transport input ssh

IE2K-1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAYQCULoJUd+DOnTQUmNyAKo9Z5X0mBU4Q569sz6e38bAsDz1qSRgIJrqZSHSH/aapnyC+hqi6q1ONj4LoIGQx9dfdnEXRAXH5TjuNJowN+07z3vwjZxKBLDWEayGupsF9x6c=

Note: the 1024-bit modulus shown is the lab value; generate at least a 2048-bit key (crypto key generate rsa modulus 2048), since 1024-bit RSA is no longer considered adequate. The hostname and domain name must be set before the key is generated because the key pair is named after them. transport input ssh on the vty lines also disables Telnet, which would otherwise send credentials in cleartext.

Page 17

Remote Device Management (Cont.)

PuTTY Terminal Emulator Settings: SSH connection

[Screenshot: PuTTY session configuration for an SSH connection]

Page 18

Remote Device Management (Cont.)

PuTTY Terminal Emulator Settings: SSH version

[Screenshot: PuTTY SSH protocol version setting]

Page 19

Remote Device Management (Cont.)

HTTPS

Page 20

Remote Device Management (Cont.)

Simple Network Management Protocol

• SNMP provides a message format for communication between network devices and network management systems.
• SNMP versions:
  • SNMPv1
  • SNMPv2c
  • SNMPv3: the most secure version, with username-based authentication and encrypted communication

Note: SNMPv1 and SNMPv2c authenticate only with a community string sent in cleartext, so use SNMPv3 with authentication and privacy (authPriv) wherever the management platform supports it, and restrict which managers can reach the agent with an ACL.

[Figure: SNMP manager communicating with the switch over SNMP]

Page 21

Port Security

Port security allows you to configure interfaces to accept inbound traffic only from a restricted set of MAC addresses.

IE2K-1(config)# interface FastEthernet1/4
IE2K-1(config-if)# switchport mode access
IE2K-1(config-if)# switchport access vlan 21
IE2K-1(config-if)# switchport port-security
IE2K-1(config-if)# switchport port-security mac-address 0000.0200.0004

IE2K-1(config)# interface FastEthernet1/5
IE2K-1(config-if)# switchport mode access
IE2K-1(config-if)# switchport access vlan 21
IE2K-1(config-if)# switchport port-security
IE2K-1(config-if)# switchport port-security mac-address 0000.0200.0005

(The slide printed the addresses as 0000.02000.0004 and 0000.02000.0005, which is not a valid dotted MAC address; each group holds four hex digits.)

Note: with the defaults, each port allows one secure MAC address and the violation mode is shutdown, so a frame from any other source address puts the port into the err-disabled state until it is recovered (shutdown followed by no shutdown, or errdisable recovery). Use switchport port-security violation restrict if you would rather drop and log the offending frames without taking the port down.

[Figure: FE1/4 and FE1/5 each carry one authorized host; a host with the nonsecure MAC address 0000.1111.5555 is blocked]
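Added worked example (editor's code, not part of the Rockwell slides): a small model of how a Catalyst access port with port security treats incoming frames, so the FE1/4 and FE1/5 settings above can be exercised offline, including the nonsecure host from the figure and the two non-default violation modes. The behaviour modelled follows Cisco's documented semantics (a port accepts up to a configured maximum of secure MAC addresses, static plus dynamically learned; protect drops silently, restrict drops and counts, shutdown err-disables the port). The frames at the bottom are constructed, and nothing here configures a real switch; the class and function names are this example's own.

```python
# Added example, not from the slides: offline model of Catalyst port security.
from __future__ import annotations

from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Accept dotted (0000.0200.0004), colon or hyphen forms; return dotted lower-case.
    Malformed input such as 0000.02000.0004 (13 hex digits) is rejected."""
    raw = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(raw) != 12 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return f"{raw[0:4]}.{raw[4:8]}.{raw[8:12]}"


def is_valid_mac(mac: str) -> bool:
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1                # switchport port-security maximum <n>
    violation: str = "shutdown"     # switchport port-security violation {protect|restrict|shutdown}
    static: set[str] = field(default_factory=set)   # switchport port-security mac-address <mac>
    learned: set[str] = field(default_factory=set)  # dynamically learned secure MACs
    violations: int = 0             # counter shown by "show port-security interface"
    err_disabled: bool = False

    def add_static(self, mac: str) -> None:
        """Configure a static secure MAC; more statics than `maximum` is refused."""
        mac = normalize_mac(mac)
        if mac not in self.static and len(self.static) >= self.maximum:
            raise ValueError(f"{self.name}: static secure MACs would exceed maximum {self.maximum}")
        self.static.add(mac)

    def ingress(self, src_mac: str) -> str:
        """What happens to a frame with this source MAC: 'forward', 'drop' or 'err-disable'."""
        if self.err_disabled:
            return "err-disable"            # port is down; nothing passes until recovered
        mac = normalize_mac(src_mac)
        if mac in self.static or mac in self.learned:
            return "forward"
        if len(self.static) + len(self.learned) < self.maximum:
            self.learned.add(mac)           # room left: learn it as a secure address
            return "forward"
        if self.violation == "protect":
            return "drop"                   # silent: no counter, no syslog or trap
        self.violations += 1                # restrict and shutdown both count the event
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True
        return "err-disable"

    def recover(self) -> None:
        """Equivalent of shutdown / no shutdown (or errdisable recovery) on the port."""
        self.err_disabled = False


def build_slide_ports(violation: str = "shutdown") -> dict[str, SecurePort]:
    """The two access ports from the slide, MACs written as valid 4-hex-digit groups."""
    ports: dict[str, SecurePort] = {}
    for name, mac in (("FastEthernet1/4", "0000.0200.0004"), ("FastEthernet1/5", "0000.0200.0005")):
        port = SecurePort(name, vlan=21, violation=violation)
        port.add_static(mac)
        ports[name] = port
    return ports


def run_scenario(violation: str = "shutdown") -> list[tuple[str, str, str]]:
    """Constructed frames: both authorized hosts, then the nonsecure MAC from the
    slide (0000.1111.5555) on FE1/5, then the authorized FE1/5 host again."""
    ports = build_slide_ports(violation)
    frames = [
        ("FastEthernet1/4", "0000.0200.0004"),
        ("FastEthernet1/5", "0000.0200.0005"),
        ("FastEthernet1/5", "0000.1111.5555"),
        ("FastEthernet1/5", "0000.0200.0005"),
    ]
    return [(port, mac, ports[port].ingress(mac)) for port, mac in frames]
```

run_scenario() with the default shutdown mode shows the cost of that default: after the rogue frame, the legitimate host on FE1/5 is also cut off until someone recovers the port, whereas run_scenario("restrict") drops only the rogue frame and keeps the authorized host forwarding, with the violation counted for the network management system to pick up.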

Page 22

VLAN Design Considerations

• Always use a dedicated native VLAN ID for all trunk ports.
• Disable all unused ports and put them in an unused VLAN.
• Do not use VLAN 1 for anything.
• Configure all end-device-facing ports as nontrunking (DTP off).
• Explicitly configure trunking on infrastructure ports.
• Set the default port status to disabled.

[Figure: Cisco Catalyst 3750 switch stack with trunking links to the infrastructure and nontrunking links to end devices]

Page 23

Traffic Filtering with ACLs

• An ACL is a list of permit and deny statements.
• An ACL identifies traffic based on the information within the packet.
• After traffic is identified, different actions can be taken.
• ACLs can be used on routers, switches, firewalls, and other network devices.
• Traffic filtering with ACLs is applied per interface and direction:
  • Inbound
  • Outbound

IE2K-1(config)# ip access-list extended REMOTE_MGMT
IE2K-1(config-ext-nacl)# permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
IE2K-1(config-ext-nacl)# exit
IE2K-1(config)# interface GigabitEthernet1/1
IE2K-1(config-if)# ip access-group REMOTE_MGMT in

Note: entries are evaluated top-down and the first match wins, and every IOS ACL ends with an implicit deny ip any any, so this list permits only traffic from 10.2.2.0/24 to 10.1.1.0/24 entering GigabitEthernet1/1 and drops everything else arriving on that interface. The second field of each address is a wildcard mask, not a subnet mask: 0.0.0.255 means the last octet is ignored.

[Figure: management hosts in 10.2.2.0/24 reach 10.1.1.21, 10.1.1.31, 10.1.1.41 and 10.1.1.51 through GE1/1, where the ACL is applied inbound]
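Added worked example (editor's code, not part of the Rockwell slides): an evaluator for the IOS extended ACL semantics the slide relies on, so REMOTE_MGMT can be tested against sample packets offline. It models top-down evaluation, first match wins, the implicit deny at the end, and wildcard masks as "don't care" bits, which is why it also handles non-contiguous masks rather than only inverted netmasks. REMOTE_MGMT_TIGHT is a constructed variant that is not on the slide; the function and class names are this example's own.

```python
# Added example, not from the slides: offline evaluator for IOS extended ACLs.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str          # permit | deny
    proto: str           # ip | tcp | udp | icmp
    src: str             # "a.b.c.d w.x.y.z", "host a.b.c.d" or "any"
    dst: str
    dport: int | None    # destination "eq <port>", tcp/udp only

    def text(self) -> str:
        tail = f" eq {self.dport}" if self.dport is not None else ""
        return f"{self.action} {self.proto} {self.src} {self.dst}{tail}"


def _addr_matches(spec: str, addr: str) -> bool:
    """Apply an ACL address specification to a concrete IPv4 address."""
    a = int(ipaddress.IPv4Address(addr))
    if spec == "any":
        return True
    if spec.startswith("host "):
        return a == int(ipaddress.IPv4Address(spec[5:]))
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # bits that must match
    return (a & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_ace(line: str) -> Ace:
    """Parse one entry, e.g. 'permit tcp 10.2.2.0 0.0.0.255 host 10.1.1.21 eq 22'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    pos = 2

    def take_address() -> str:
        nonlocal pos
        if tokens[pos] == "any":
            pos += 1
            return "any"
        if tokens[pos] == "host":
            pos += 2
            return f"host {tokens[pos - 1]}"
        pos += 2
        return f"{tokens[pos - 2]} {tokens[pos - 1]}"

    src = take_address()
    dst = take_address()
    dport = int(tokens[pos + 1]) if pos < len(tokens) and tokens[pos] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: list[Ace], proto: str, src: str, dst: str,
             dport: int | None = None) -> tuple[str, str]:
    """Return (action, entry that decided it) for a packet. First match wins;
    anything unmatched falls through to the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_addr_matches(ace.src, src) and _addr_matches(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text()
    return "deny", "implicit deny ip any any"


# The slide's list: the management subnet may reach the 10.1.1.0/24 hosts.
REMOTE_MGMT = [parse_ace("permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255")]

# Constructed tighter variant: only SSH and HTTPS from the management subnet,
# with an explicit final deny (the implicit one behaves the same; writing it
# out is what lets you append "log" to it on a real switch).
REMOTE_MGMT_TIGHT = [
    parse_ace("permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 22"),
    parse_ace("permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 443"),
    parse_ace("deny ip any any"),
]
```

Evaluating a Telnet packet from 10.2.2.7 to 10.1.1.21 shows the difference between the two lists: the slide's permit ip entry lets it through, because "ip" covers every protocol and port, while REMOTE_MGMT_TIGHT only admits the SSH and HTTPS the earlier slides recommend for remote management.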

Page 24

Firewalls

• Firewalls control traffic flow:
  • Isolate interfaces from each other
  • Control connections with security and translation policies
• Firewalls provide:
  • Inter-zone traffic segmentation
  • Access control lists (ACLs)
  • Intrusion prevention system (IPS)
  • VPN services

[Figure: a firewall separating the Enterprise Network, the DMZ, the Internet and the Industrial Network, with direct traffic between zones blocked]

Page 25

Intrusion Prevention System

• The IPS prevents attacks against devices:
  • Standalone or integrated in a Cisco ASA
  • Inline versus promiscuous mode

Note: in inline mode the sensor sits in the traffic path and can drop attack packets, at the cost of added latency and a device that must fail open or closed; in promiscuous mode it sees a copy of the traffic (for example from a SPAN port) and can only alert.

[Figure: IPS placed between the Enterprise Network, the DMZ and the Site Manufacturing Operations and Control zone]

Page 26

VPNs and Benefits

• VPN usage:
  • Connecting headquarters, plant, and business partners
• VPN characteristics:
  • Virtual: information within a private network is transported over a public network.
  • Private: traffic is separated in a tunnel and can be encrypted to keep the data confidential.
• VPN benefits:
  • Cost savings

[Figure: site-to-site VPNs over the WAN/Internet between HQ, Plant and Business Partner, and a remote-access VPN for a Consultant]

Page 27

IPsec

• IPsec acts at the network layer, protecting and authenticating IP packets.
• IPsec is a framework of open standards that is algorithm-independent.
• IPsec services provide four critical functions:
  • Confidentiality
  • Data integrity
  • Authentication
  • Anti-replay protection

[Figure: IPsec tunnel across the Internet]

Page 28

Cisco SSL VPN Solutions

[Figure: Cisco AnyConnect Client SSL VPN tunnel across the Internet; Cisco Catalyst 3750 switch stack on the site side]

Page 29

Identify Security Incidents

• Port mirroring on routers and switches that feeds an IPS
• Cisco IOS NetFlow from routers to flow collectors
• Network management system
• Selected security event types to log:

Event type       Source             Events
Attribution      DHCP server        IP assignments to machine, MAC address
                 VPN server         IP assignments to user, WAN address
                 NAT gateway        IP assignment translation to RFC 1918 addresses
                 802.1X auth        IP assignment to user, MAC address
System activity  Server syslog      Authentication and authorization; services starting and stopping; configuration changes; security events
Firewall logs    Network firewall   Accepted and denied connections
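Added worked example (editor's code, not part of the Rockwell slides): correlating the attribution sources in the table above, so that an address seen in a firewall deny can be traced to a MAC address, a switch port and a user, and so that an address with no lease stands out as something to chase by hand. The three logs are constructed for this example in simplified one-line formats; a real DHCP server, 802.1X/RADIUS server and firewall each have their own syslog layout, so the three small parsers are the part you would adapt. Function and field names are this example's own.

```python
# Added example, not from the slides: IP -> MAC -> user attribution over
# constructed DHCP, 802.1X and firewall logs.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

DHCP_LOG = """\
2014-02-13T08:10:02 DHCPACK on 10.1.1.51 to 00:11:22:33:44:51 lease 3600
2014-02-13T08:12:40 DHCPACK on 10.1.1.41 to 00:11:22:33:44:41 lease 3600
2014-02-13T09:10:05 DHCPACK on 10.1.1.51 to 00:11:22:33:44:51 lease 1800
2014-02-13T10:00:00 DHCPACK on 10.1.1.51 to aa:bb:cc:dd:ee:ff lease 3600
"""

DOT1X_LOG = """\
2014-02-13T08:09:58 dot1x user=jsmith mac=00:11:22:33:44:51 port=Fa1/4 result=success
2014-02-13T08:12:35 dot1x user=contractor1 mac=00:11:22:33:44:41 port=Fa1/5 result=success
2014-02-13T09:59:50 dot1x user=mjones mac=aa:bb:cc:dd:ee:ff port=Fa1/4 result=success
"""

FIREWALL_LOG = """\
2014-02-13T08:15:00 deny tcp 10.1.1.51:51234 -> 192.0.2.10:80
2014-02-13T10:05:12 deny tcp 10.1.1.51:51300 -> 192.0.2.10:80
2014-02-13T10:06:00 deny tcp 10.1.1.99:40000 -> 192.0.2.10:443
"""


@dataclass(frozen=True)
class Lease:
    start: datetime
    end: datetime
    ip: str
    mac: str


@dataclass(frozen=True)
class Auth:
    when: datetime
    user: str
    mac: str
    port: str


def parse_dhcp(text: str) -> list[Lease]:
    leases = []
    for line in text.splitlines():
        ts, _, _, ip, _, mac, _, secs = line.split()
        start = datetime.fromisoformat(ts)
        leases.append(Lease(start, start + timedelta(seconds=int(secs)), ip, mac.lower()))
    return leases


def parse_dot1x(text: str) -> list[Auth]:
    auths = []
    for line in text.splitlines():
        ts, _, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        if fields.get("result") == "success":      # failed attempts never own an address
            auths.append(Auth(datetime.fromisoformat(ts), fields["user"],
                              fields["mac"].lower(), fields["port"]))
    return auths


def mac_for_ip(ip: str, when: datetime, leases: list[Lease]) -> str | None:
    """Lease covering `when`; if the server re-issued the address, the latest lease wins."""
    active = [ls for ls in leases if ls.ip == ip and ls.start <= when < ls.end]
    return max(active, key=lambda ls: ls.start).mac if active else None


def session_for_mac(mac: str, when: datetime, auths: list[Auth]) -> Auth | None:
    """Most recent successful 802.1X authentication of that MAC at or before `when`."""
    prior = [a for a in auths if a.mac == mac and a.when <= when]
    return max(prior, key=lambda a: a.when) if prior else None


def attribute(ip: str, when: datetime, leases: list[Lease], auths: list[Auth]) -> dict[str, str | None]:
    """Chain IP -> MAC (DHCP) -> user and port (802.1X). None marks a gap to chase by hand."""
    mac = mac_for_ip(ip, when, leases)
    session = session_for_mac(mac, when, auths) if mac else None
    return {"ip": ip, "mac": mac,
            "user": session.user if session else None,
            "port": session.port if session else None}


def attribute_firewall_denies(fw_text: str = FIREWALL_LOG, dhcp_text: str = DHCP_LOG,
                              dot1x_text: str = DOT1X_LOG) -> list[dict[str, str | None]]:
    """Attribute every denied connection in the firewall log. Addresses with no
    lease at that time (a static or rogue host) come back with mac/user None."""
    leases, auths = parse_dhcp(dhcp_text), parse_dot1x(dot1x_text)
    results = []
    for line in fw_text.splitlines():
        ts, action, _, src, _, dst = line.split()
        if action != "deny":
            continue
        ip = src.rsplit(":", 1)[0]
        result = attribute(ip, datetime.fromisoformat(ts), leases, auths)
        result.update({"time": ts, "dst": dst})
        results.append(result)
    return results
```

The two denies from 10.1.1.51 resolve to different users because the lookup is done at the time of each event rather than against the current lease table: the address was held by jsmith's machine at 08:15 and by mjones's at 10:05. That time-bounded join is what the "Attribution" rows of the table exist for, and it is also why the DHCP and 802.1X logs need to be retained for at least as long as the firewall logs they are matched against.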

Page 30

Identify Security Incidents (Cont.)

Switched Port Analyzer (SPAN)

• You can use port mirroring to identify security incidents.
• The SPAN feature allows traffic to be copied from one or more source ports or source VLANs to one or more destination ports on the same switch for capture and analysis.
• SPAN sources:
  • Fast Ethernet
  • Gigabit Ethernet
  • EtherChannel
  • VLANs

[Figure: frames arriving at the switch are forwarded to their true destination port, and a copy is received on the SPAN destination port]

Page 31

Identify Security Incidents (Cont.)

• Configure SPAN to identify security incidents (CLI example):
  • You suspect an attempted DoS attack.
  • The attack comes from outside.

IE2K-1(config)# monitor session 1 source interface GigabitEthernet 1/1
IE2K-1(config)# monitor session 1 filter vlan 105
IE2K-1(config)# monitor session 1 destination interface FastEthernet 1/3

IE2K-1# show monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
    Both : Gi1/1
Destination Ports : Fa1/3
Encapsulation : Native
Ingress : Disabled
Filter VLANs : 105

Note: the uplink GigabitEthernet 1/1 is mirrored in both directions, filtered to VLAN 105, into FastEthernet 1/3, where the capture host or IPS sensor is attached. A SPAN destination port stops forwarding normal traffic while the session exists, and a 100 Mb/s destination cannot carry the full load of a busy gigabit uplink, so expect dropped copies during a real flood; the VLAN filter helps by limiting what is copied.

Page 32

Identify Security Incidents (Cont.)

• Configure SPAN to identify security incidents (Device Manager): Configure > Smartports

[Screenshot: Device Manager Smartports configuration]

Page 33

Identify Security Incidents (Cont.)

• Use Wireshark to identify security incidents.

Page 34

Document Security Incidents

Record the following for each suspected incident (values are from the slide's sample record):

• Who? For both source and target: IP address, host group, country
• When? Active duration 3 minutes 30 seconds; total duration 2 days 5 hours 56 minutes; Feb 13, 2014 8:15:00 AM to Feb 15, 2014 2:11:00 PM
• How? Service http (tcp:80); application HTTP
• How much? 100.11 MBytes; 108.3 k packets

Page 35

Summary

• As industrial applications become connected to enterprise systems, they are exposed to the same types of threats as traditional IT networks.
• Maintaining up-to-date IOS and firmware revisions increases device security.
• Usernames and passwords are used to prevent unauthorized access to switches and routers.
• SSH and HTTPS provide secure remote management.
• VLAN security measures prevent unauthorized access to the network.
• ACLs are used to control traffic to the network.
• Firewalls and IPS are used to protect the control network from threats that could come from the enterprise network.
• VPNs are used to protect sensitive data sent over public networks.
• Traffic monitoring can provide information about attacks.
• Certain information, such as source IP addresses and target applications, should be gathered and documented during suspected security incidents.

Page 36

Network Security Service Offerings
Converged Plant-wide Ethernet (CPwE) Reference Architectures

• Structured and hardened IACS network infrastructure
• Industrial security policy
• Pervasive security, not a bolt-on component
• Security framework utilizing a defense-in-depth approach
• Industrial DMZ implementation
• Remote partner access policy, with robust and secure implementation

[Figure: CPwE reference architecture. Enterprise Zone (Levels 4-5) with Enterprise WAN. Industrial Demilitarized Zone (IDMZ) with active/standby Cisco ASA 5500 plant firewalls (inter-zone traffic segmentation; ACLs, IPS and IDS; VPN services; portal and terminal server proxy), standard DMZ design best practices, and physical or virtualized servers (patch management, remote gateway services, application mirror, AV server). Level 3 Site Operations with Catalyst 6500/4500 and a Catalyst 3750 StackWise switch stack: network device resiliency; VLANs segmenting domains of trust; AAA for network and application; authentication server, Active Directory (AD), remote access server; client hardening; network status and monitoring; unified threat management (UTM). Level 2 Area Supervisory Control with HMI and FactoryTalk client. Level 1 Controller and Level 0 Process with controllers, I/O, drives, soft starter and MCC: controller hardening, physical security, encrypted communications, physical port security, network infrastructure access control and hardening.]

Page 37

Global Solutions: Bringing you a world of experience

• Consistent methodology deployed in all locations
• The right team for your project from our worldwide talent
• All major industries
• Any production environment
• Combining technology and application knowledge
• Based on PMI® PMBOK®
• Certified project managers
• Repeatable, measurable, auditable
• Risk management

Domain Expertise | Global Execution | Project Management

Information | Process | Discrete Automation | Power Motion | Sustainable Production | Technology Migration | Hardware Integration

80 Countries | 20 Languages | 2500+ Employees | Average 13+ Years Experience | Single point of contact

Helping you exceed your business goals

Page 38

www.rockwellautomation.com

Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn.

Thank you for participating!

Your feedback is valuable! Please complete the session survey.

E-Mail us: [email protected]