PUBLIC Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved.
Industrial Cybersecurity: The Never-Ending Journey
Abid Ali
RAOTM, 22nd January 2019
IT/OT Convergence - the Opportunity
“Smart Manufacturing & the Internet of Things can foster tremendous business outcomes.” Source: survey of 418 manufacturing line-of-business executives and plant managers by SCM World & Cisco.
A robust and secure OT network infrastructure is key to “Smart Manufacturing”.
IT/OT Convergence - the Risk
It’s not IF ... but WHEN
IT and OT – The Same, but Different

| | IT FOCUS | OT FOCUS |
|---|---|---|
| Priority | Confidentiality #1 | Availability #1 |
| Traffic | Data, voice and video | Data, control information, safety and motion |
| Security | Strict network authentication and access policies | Strict physical access and simple network device access |
| Access | Shut down access to detected threats | Isolate the threat and keep working |

Different Focus & Priorities - Different Performance & Security Requirements - Different Architectures & Support Models
Established Industrial Security Standards (Industrial Security Trends)
- International Society of Automation: ISA/IEC 62443 (formerly ISA-99), Industrial Automation and Control Systems (IACS) Security; Defense-in-Depth; IDMZ deployment
- National Institute of Standards and Technology: NIST 800-82, Industrial Control System (ICS) Security; Defense-in-Depth; IDMZ deployment
- Department of Homeland Security / Idaho National Lab: DHS INL/EXT-06-11478, Control Systems Cyber Security: Defense-in-Depth Strategies; Defense-in-Depth; IDMZ deployment
Industrial IT - OT/IT Convergence: Converged Plantwide Ethernet (CPwE)
- Tested, validated and documented reference architectures
  - Based on use cases: customer and application
  - Tested for performance, availability, repeatability, scalability and security
  - Comprised of nine (9) Cisco Validated Designs
- Built on technology and industry standards; “future-ready” network design
- Content relevant to both IT Network Engineers and Control System Engineers
- Deliverables: recommendations, best practices, design and implementation guidance, documented test results and configuration settings; simplified design, quicker deployment, reduced risk in deploying new technology
- Enabler for OT/IT Convergence, Industrial IoT and The Connected Enterprise
“With this implementation guide, for the first time IT and manufacturing professionals can share a common document for planning a converged IP network including the factory floor and automation equipment.”
– Harry Forbes, ARC Advisory Group
Holistic Defense-in-Depth: CPwE Architectures - Industrial Network Security Framework
[Architecture diagram; only the recoverable labels are kept]
- Enterprise Zone (Levels 4-5): Enterprise Identity Services, External DMZ / Firewall, Internet
- Industrial Demilitarized Zone (IDMZ): physical or virtualized servers for Patch Management, AV Server, Application Mirror and Remote Desktop Gateway Server
- Industrial Zone (Levels 0-3), with Authentication, Authorization and Accounting (AAA):
  - Level 3 – Site Operations
  - Level 2 – Area Supervisory Control (FactoryTalk Client)
  - Level 1 – Controller
  - Level 0 – Process (I/O, Drive, Soft Starter, MCC)
- Network elements shown: Core Switches, Distribution Switch Stack, Wireless LAN Controller (WLC, active/standby), LWAP with 2.4 GHz and 5 GHz SSIDs, WGB, FactoryTalk
- Roles shown: Control System Engineers; Control System Engineers in collaboration with IT; Network Engineers (Industrial IT); IT Security Architects in collaboration with Control Systems Engineers
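The IDMZ in the framework above separates the Enterprise Zone (Levels 4-5) from the Industrial Zone (Levels 0-3): flows are meant to terminate on a broker in the IDMZ (application mirror, patch server, remote desktop gateway) rather than cross directly. That design intent can be audited mechanically against a firewall rule set. The check below is an added example, not Rockwell Automation or Cisco code; the zone subnets, the five-field rule syntax and the sample rules are constructed for illustration, and the rule "no permit between Enterprise and Industrial addresses, and no 'any' endpoint on the boundary" is the check's own assumption about the intended policy.

```python
"""Flag firewall rules that let Enterprise and Industrial zones talk directly,
bypassing the IDMZ.  Added example; zones, rule syntax and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed zone map (assumption: one CIDR per CPwE zone).
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),   # Levels 4-5
    "idmz":       ipaddress.ip_network("10.1.0.0/24"),   # Level 3.5
    "industrial": ipaddress.ip_network("10.2.0.0/16"),   # Levels 0-3
}


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: str     # port number or "any"


def zone_of(cidr: str) -> str:
    """Map a CIDR (or 'any') to its zone; 'any' spans every zone."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.version == zone.version and net.subnet_of(zone):
            return name
    return "unknown"


def parse_rules(text: str) -> List[Rule]:
    """Parse constructed 'action proto src dst port' lines; '#' starts a comment."""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        rules.append(Rule(action, proto, src, dst, port))
    return rules


def idmz_violations(rules: List[Rule]) -> List[str]:
    """One finding per permit rule that crosses the IDMZ boundary directly,
    uses an 'any' endpoint, or references an address outside the defined zones."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        sz, dz = zone_of(r.src), zone_of(r.dst)
        if {sz, dz} == {"enterprise", "industrial"}:
            findings.append(f"direct {sz}->{dz} {r.proto}/{r.port} bypasses the IDMZ")
        elif "any" in (sz, dz):
            findings.append(f"'any' endpoint in {r.src}->{r.dst} {r.proto}/{r.port} spans zones")
        elif "unknown" in (sz, dz):
            findings.append(f"{r.src}->{r.dst} references an address outside the defined zones")
    return findings


# Constructed sample rule set: three brokered flows, then three policy breaks.
SAMPLE_RULES = """
permit tcp 10.0.0.0/16 10.1.0.0/24 3389    # enterprise -> RD gateway in IDMZ: ok
permit tcp 10.1.0.0/24 10.2.0.0/16 3389    # IDMZ RD gateway -> industrial: ok
permit tcp 10.2.0.0/16 10.1.0.0/24 8530    # industrial -> patch mirror in IDMZ: ok
permit tcp 10.2.0.0/16 10.0.0.0/16 44818   # industrial -> enterprise directly: break
permit tcp 10.0.5.0/24 10.2.3.0/24 1433    # enterprise subnet -> industrial subnet: break
permit any any 10.2.0.0/16 any             # any source into the industrial zone: break
deny any any any any
"""


def audit_sample() -> List[str]:
    return idmz_violations(parse_rules(SAMPLE_RULES))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Rules that terminate in the IDMZ (the first three) pass, while the direct Industrial-to-Enterprise rule, the narrower subnet-to-subnet rule and the `any`-source rule are each reported once; a real audit would feed the check the exported rule base of the IDMZ firewall pair rather than the constructed text above.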
Example: Industrial Cyber Risk Equation
- Vulnerability: lack of skilled resources, out-of-date infrastructure
- Threats: infrastructure wiper/ransomware, spillover from nation-state campaigns
- Consequence: impact to human health and safety, product quality, the environment, unplanned production loss
Countermeasures must add capabilities to defend the manufacturing digital environment across the attack continuum.
Industrial Cyber Security Services across the Attack Continuum
- Backup Management
- Qualified Patch Management
- Vulnerability and Risk Assessments
- Application Whitelisting Deployment
- Real-Time Threat Detection Services
- ICS Security Zone and IDMZ Segmentation
- FactoryTalk Security Implementation Services
- Remote Monitoring and Administration Services
- Network Access Control Deployment
- Incident Response and Disaster Recovery Planning Services
- Incident Handling and Response*
- Cyber Security Awareness Training
- Asset Inventory Services
- Policy & Procedure Development

Security Roadmap
- Step 1: What do I have?
- Step 2: Implement basic hygiene
- Step 3: Persistent countermeasures
- Addressed throughout the journey: people and policy
Threat Detection Services
- Asset inventory through passive network analysis
- Auto baseline development and behavioral anomaly detection
- Security and operational event monitoring and response
Deployment models: an individually managed site appliance, or centrally managed services, covering both OT assets and IT assets.

Asset Monitoring
- Capabilities: comprehensive asset inventorying; passive network monitoring; vendor and protocol agnostic; fine-grained DPI model
- Benefits: continuous monitoring without interrupting production; single solution for many ICS vendors; collect information on how assets are configured, communicate and change; discover issues with full visibility of ICS networks

Security and Operational Monitoring
- Capabilities: behavioral anomaly detection; real-time change detection; alert on operational and security events; incident response services
- Benefits: validate operational tasks to reduce risk and maintain process integrity; near-real-time detection of cyber threats (Conficker, WannaCry, etc.); recover from security incidents with highly trained professionals; reduce risk of downtime with 24x7 response
Plan, Design, and Implement
- Review infrastructure and documentation
- Definition of asset criticality
- Appliance implementation
- Review and sterilization of baseline results for immediate remediation

Manage, Monitor and Detect
- Individually managed site appliance covering OT assets and IT assets
- Deep Packet Inspection (DPI) on IT and OT data streams
- Alerts and events go to a Managed Service Provider with OT knowledge and/or centralized self-management (IT SOC)

Respond, Recover
- Response and recovery plan development and review
- Containment, eradication, and recovery workflows
- Characterize and scope potential impact
- Set course of action and incident reporting
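The passive baseline-then-detect cycle described under Threat Detection Services (asset inventorying, auto baseline, behavioral anomaly and real-time change detection) and in the Plan / Manage / Respond phases above can be shown end to end on flow records. The code below is an added example, not the appliance vendor's software: it learns an asset inventory, the set of observed conversations and which hosts write to which controllers from a baseline window, then alerts on unknown assets, new conversations, a host that starts writing to a controller it previously only read, and SMB fan-out to several new peers, the propagation pattern behind worms such as WannaCry and Conficker named on the slide. The flow tuples, addresses and protocol names are constructed; a real appliance would derive them from SPAN traffic via DPI.

```python
"""Passive baseline and anomaly detection over constructed flow records.
Added example, not vendor code.  Each record is (time, src, dst, protocol, op)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str, str, str]

# Constructed baseline window: normal HMI/EWS/PLC traffic at a small site.
BASELINE_FLOWS: List[Flow] = [
    ("08:00", "10.2.1.10", "10.2.1.20", "CIP", "read"),    # HMI -> PLC A
    ("08:01", "10.2.1.10", "10.2.1.21", "CIP", "read"),    # HMI -> PLC B
    ("08:02", "10.2.1.11", "10.2.1.20", "CIP", "write"),   # EWS -> PLC A (tag write)
    ("08:03", "10.2.1.11", "10.2.1.21", "CIP", "write"),   # EWS -> PLC B
    ("08:04", "10.2.1.10", "10.2.0.5",  "SMB", "read"),    # HMI -> file server
    ("08:05", "10.2.1.20", "10.2.1.30", "CIP", "read"),    # PLC A -> remote I/O
]

# Constructed detection window: one benign flow, then several deviations.
OBSERVED_FLOWS: List[Flow] = [
    ("09:00", "10.2.1.10", "10.2.1.20", "CIP", "read"),    # matches baseline
    ("09:01", "10.2.1.10", "10.2.1.20", "CIP", "write"),   # HMI now writes to PLC A
    ("09:02", "10.2.1.99", "10.2.1.21", "CIP", "read"),    # never-seen asset polls PLC B
    ("09:03", "10.2.1.10", "10.2.1.11", "SMB", "write"),   # HMI opens SMB to EWS ...
    ("09:03", "10.2.1.10", "10.2.1.12", "SMB", "write"),   # ... and to two hosts that
    ("09:03", "10.2.1.10", "10.2.1.13", "SMB", "write"),   # were not in the inventory
]


class Baseline:
    """Inventory, conversation set and writer pairs learned from a quiet window."""

    def __init__(self) -> None:
        self.assets: Set[str] = set()
        self.conversations: Set[Tuple[str, str, str]] = set()
        self.writers: Set[Tuple[str, str]] = set()   # (src, dst) pairs seen writing

    def learn(self, flows: List[Flow]) -> "Baseline":
        for _, src, dst, proto, op in flows:
            self.assets.update((src, dst))
            self.conversations.add((src, dst, proto))
            if op == "write":
                self.writers.add((src, dst))
        return self


def detect(baseline: Baseline, flows: List[Flow], smb_fanout: int = 3) -> List[str]:
    """Return one alert string per deviation from the baseline."""
    alerts: List[str] = []
    reported_new: Set[str] = set()
    new_smb_peers: Dict[str, Set[str]] = defaultdict(set)
    for t, src, dst, proto, op in flows:
        for host in (src, dst):                       # asset inventory check
            if host not in baseline.assets and host not in reported_new:
                reported_new.add(host)
                alerts.append(f"{t} new asset {host} never seen in baseline")
        conv = (src, dst, proto)
        if conv not in baseline.conversations:        # new conversation
            alerts.append(f"{t} new conversation {src}->{dst} {proto}/{op}")
            if proto == "SMB":
                new_smb_peers[src].add(dst)
        elif op == "write" and (src, dst) not in baseline.writers:
            alerts.append(f"{t} {src} now writes to {dst}; baseline only saw reads")
    for src, peers in new_smb_peers.items():          # worm-like lateral spread
        if len(peers) >= smb_fanout:
            alerts.append(f"{src} opened SMB to {len(peers)} new peers: worm-like fan-out")
    return alerts


def run_example() -> List[str]:
    return detect(Baseline().learn(BASELINE_FLOWS), OBSERVED_FLOWS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Replaying the baseline window against its own baseline yields no alerts, which is the sanity check the "review and sterilization of baseline results" step exists for: anything the learner captured during that window, including an already-present intruder, is silently treated as normal, so the baseline has to be reviewed by people who know the process before detection is switched on.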
Architecture Options: Central Office Architecture
- The Industrial DMZ separates IT and OT networks.
- The data across separate sites is collected at the central appliance.
[Architecture diagram; only the recoverable labels are kept]
- Level 4 – Corporate LAN: IT core switch and firewall, Enterprise Central Appliance, IT SOC and/or Rockwell Automation Managed Anomaly Detection Ops Center
- Level 3.5 – Industrial DMZ: IDMZ firewalls, proxy services
- Level 0-3 – Cell/Area Zone and Site Operations: site OT networks (large compressor control system, small compressor control system), each with an OT core switch and a Managed Anomaly Detection appliance
- Traffic flows: SPAN traffic from the OT core switch to the site appliance; encrypted (SSH) alert traffic from the site appliance, across the IDMZ firewalls, to the central appliance
Architecture Options: Small Site with compute available on-site
- Site appliances forward alerts to the Central Appliance.
[Architecture diagram; only the recoverable labels are kept]
- Level 0-3 Site Operations: compressor control system with PLC A, PLC B, PLC C, HMI and EWS behind access switches configured with SPAN
- Level 3 – OT Network: core switch and firewall configured with SPAN, OT network workstation, ClarOTy appliance and dashboard (Managed Anomaly Detection central appliance for the site OT network)
- Traffic flows: SPAN traffic to the site appliance; encrypted (SSH) alert traffic to the Enterprise Central Appliance and/or Rockwell Automation Managed Anomaly Detection Central Management
Architecture Options: Small Site without on-site compute
- The site switch sends SPAN traffic to the Central Appliance.
- Depending on the architecture and size of these sites, “brick” style compute can be deployed.
[Architecture diagram; only the recoverable labels are kept]
- Level 0-2 Site Operations: compressor control system with PLC A, PLC B, PLC C, HMI and EWS behind access switches configured with SPAN
- Level 3 – OT Network: core switch and firewall configured with SPAN, OT network workstation, Managed Anomaly Detection Central Appliance for the local OT network
- Traffic flows: SPAN traffic to the central appliance; encrypted (SSH) alert traffic to the Enterprise Central Appliance and/or Rockwell Automation Managed Anomaly Detection Central Management
Industrial Cyber Security Services Portfolio
Rockwell Automation offers the following services to help our customers improve their security posture and reduce cyber risk within their Industrial Control System (ICS) environment:
- Qualified Patch Management Services: provide Rockwell Automation tested and approved anti-virus definitions and Microsoft Windows patch lists to your on-site WSUS responsible for managing patches of your ICS software systems (FactoryTalk software). This ensures a timely and disciplined approach to addressing OS-related vulnerabilities. (Additional management options available.)
- Security Assessment: understand the risk posture of your ICS environment to identify areas of improvement against established ICS cyber security standards such as ISA/IEC 62443, NIST 800-82 and the NIST CSF.
- Security Control Implementations: turnkey implementation of security controls that help address gaps and risks identified in specific areas such as zone-based segmentation, device hardening and application whitelisting (Symantec CSP), threat/anomaly detection (Claroty) and network access control (Cisco ISE).
- Network Assessments: include an on-site visit to collect data, identify issues, and analyze the gap against industry best practices to ensure your infrastructure meets the availability requirements of your control systems.
- Network Design and Implementation: a turnkey network infrastructure that is scalable, resilient and future-ready, based on industry best practices such as CPwE (Converged Plantwide Ethernet).
- iDMZ Design and Implementation: secure the data flow between enterprise systems and plant systems, plus optionally set up secure remote access for OEMs and vendors.
- FactoryTalk Security: consulting on how to best utilize the security features available through Rockwell Automation products.
- Anomaly and Threat Detection Services: provide visibility into control systems, protocols and networks, with real-time monitoring and analytics to detect anomalies and threats that may impact the security and operational integrity of your ICS.
- TechConnect: Knowledgebase email alerts on Rockwell Automation product security, with access to the latest software and firmware updates.
- Remote Monitoring / Administration: converged IT/OT monitoring and administration support of infrastructure, end nodes and industrial applications throughout their lifecycle.
- Incident Response: we partner with top security firms to help customers respond to incidents in the event of a breach.
- Training: we offer IMINS and IMINS 2 training to prepare for Industrial Networking and Security certification.
www.rockwellautomation.com

Thank you. Please let us know your queries.