SECURE NETWORK REFRESH (SNR). Honeywell Industrial Cyber Security, Mohamed Abdelkader, September 27, 2017


TRANSCRIPT

Page 1: SECURE NETWORK REFRESH (SNR) - Honeywell · 2017-10-09 · 9 • Routers were previously installed to support reliable connections - Routers today need more restricted configurations

Honeywell Industrial Cyber Security, Mohamed Abdelkader

September 27, 2017

SECURE NETWORK REFRESH (SNR)

Page 2:

Why I Don’t Upgrade My Network

Page 3:

Secure Network Refresh

Honeywell User Group 2017, Mohamed Abdelkader

Page 4:

Agenda

• Safety Moment

• Introductions

• Secure Network Refresh Defined

• Identifying the Need for a Refresh

• Securely Refreshing a Process Control Network

o Hardware Refresh

o Software Refresh

o Architecture Refresh

• Summary of Secure Network Refresh

• Wrap up / Q&A

Page 5:

Email Safety

Page 6:

How Do You Know if You Need a Network Refresh?

Honeywell Internal

If you are still using one of these… [pictured: Cisco 1900] or [second pictured device] … you definitely need a network refresh.

Page 7:

Secure Network Refresh Defined

• What it is
- Replacing out of date software
- Replacing end of life hardware
- Securing critical network infrastructure
- Hardening of systems
- Enabling migration of legacy components
- Implementing secure communications
- Updating network architecture

• What it is not
- An Experion upgrade
- A controller upgrade
- Release dependent

Page 8:

Foundation for ELCN/EUCN Migrations

Page 9:

Switch Obsolescence

• Announced End-of-Life (EOL) for many Cisco and other switches
- Switches: 2900s, 2950s, 2960s, 3550s
- Slower processing and interfaces
- Some obsolete as of 2009
- NOT UPGRADEABLE

• Big issue: security
- Older switches do NOT support encrypted management: configuration via Telnet only, IN THE CLEAR
- Credentials and configuration captured on the wire make them extremely vulnerable to TAKEOVER
- New switches and routers support encryption for their communications and for their configuration files
- Other manufacturers’ switches and routers that do not encrypt their configuration files and management access should also be replaced

• Configurations of upstream devices may also need to be checked
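The slide's security points (Telnet-only management in the clear, reversible passwords in the configuration file) are the kind of thing a refresh team should check mechanically rather than by eye. The following is an added example written for this page, not Honeywell's or Cisco's code: a small audit of a Cisco IOS-style running configuration that flags the weak settings described above, run against two constructed configurations, a legacy switch as the slide describes and the same switch after the refresh (SSHv2 only, hashed secrets, no line passwords, no cleartext SNMP community). The hostname, addresses, community string and the `$9$` hash placeholders are constructed for illustration.

```python
import re

# Constructed sample (not a real device export): a legacy switch of the
# generation the slide names, managed over Telnet with cleartext credentials.
LEGACY_CONFIG = """\
hostname PCN-SW-01
!
enable password Cisco123
username admin password 0 Cisco123
!
snmp-server community public RO
!
line con 0
 password Cisco123
 login
!
line vty 0 4
 password Cisco123
 login
 transport input telnet
"""

# Constructed sample of the same device after the refresh: SSHv2 only,
# hashed (type 9) secrets, local login, no cleartext SNMP community.
# The $9$ strings are placeholders, not real hashes.
REFRESHED_CONFIG = """\
hostname PCN-SW-01
!
service password-encryption
ip domain-name pcn.example
ip ssh version 2
!
enable secret 9 $9$placeholder-hash
username admin privilege 15 secret 9 $9$placeholder-hash
!
line con 0
 login local
 exec-timeout 10 0
!
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
"""


def parse_config(text):
    """Return (parent, line) pairs; indented lines belong to the last top-level command."""
    entries = []
    parent = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" "):
            entries.append((parent, line))
        else:
            parent = line
            entries.append((None, line))
    return entries


def audit_ios_config(text):
    """Return a sorted list of finding identifiers for the weak settings the slide describes."""
    entries = parse_config(text)
    top = [line for parent, line in entries if parent is None]
    findings = []

    # Without service password-encryption, line passwords are stored as type 0 (cleartext).
    # Type 7, the "encrypted" form, is reversible: obfuscation, not protection.
    if "service password-encryption" not in top:
        findings.append("no-service-password-encryption")

    # 'enable password' is type 0/7 (reversible); 'enable secret' is a one-way hash.
    if any(l.startswith("enable password") for l in top):
        findings.append("enable-password-not-secret")

    # 'username X password' is reversible; 'username X secret' is hashed.
    if any(l.startswith("username ") and " password " in l for l in top):
        findings.append("username-password-not-secret")

    # SNMP community strings are SNMPv1/v2c and travel in the clear.
    if any(l.startswith("snmp-server community") for l in top):
        findings.append("snmpv1v2c-community")

    ssh_in_use = False
    for block in (l for l in top if l.startswith("line ")):
        children = [l for parent, l in entries if parent == block]
        # A password on the line itself instead of 'login local' plus hashed user secrets.
        if any(l.startswith("password ") for l in children):
            findings.append(f"line-password:{block}")
        if block.startswith("line vty"):
            transports = [l for l in children if l.startswith("transport input")]
            # Telnet (or 'all') on a VTY is the in-the-clear management path the slide warns about.
            # A missing 'transport input' is flagged too: the platform default is version-specific
            # and may include Telnet, so the refresh should set it explicitly.
            if not transports or any(re.search(r"\b(telnet|all)\b", t) for t in transports):
                findings.append(f"telnet-allowed:{block}")
            if any(re.search(r"\b(ssh|all)\b", t) for t in transports):
                ssh_in_use = True

    # SSH protocol 1 has known weaknesses; pin the daemon to version 2.
    if ssh_in_use and "ip ssh version 2" not in top:
        findings.append("ssh-not-pinned-to-v2")

    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("refreshed", REFRESHED_CONFIG)):
        print(name, audit_ios_config(cfg) or "clean")
```

The legacy configuration yields seven findings; the refreshed one yields none. Two caveats for anyone adapting this: `service password-encryption` only turns type 0 into reversible type 7, so the real fix for stored credentials is `secret` (hashed) on `enable` and `username`, with `login local` on the lines; and the audit only reads what is in the file, it says nothing about whether the platform actually has a crypto-capable image that can run SSH, which is exactly the point of replacing the switch generations named on the slide.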

Page 10:

Router Obsolescence

• Routers were previously installed to support reliable connections
- Routers today need more restricted configurations to strengthen security
- Control of traffic between zones supports containment and protection
- The router’s Access Control Lists (ACLs) define which communication is allowed between networks

• Announced End-of-Life (EOL) for many Cisco routers as well
- Routers: 3560s, 3750s (Catalyst 3560/3750 Layer 3 switches used in the routing role)
- Slower processing and interfaces
- Some obsolete as of 2009
- NOT UPGRADEABLE

• Same issues with security
- Older routers do NOT support encrypted management: configuration via Telnet only, IN THE CLEAR
- Extremely vulnerable to TAKEOVER
- New routers support encryption for their communications and for their configuration files
- Other manufacturers’ routers that do not encrypt their configuration files and management access should also be replaced

• Configurations of connecting devices should also be revisited
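The move this slide describes, from a router that exists "to support reliable connections" to one whose ACLs define what may cross a zone boundary (the "Limited L2.5 to L3" link in the architecture slide later in the deck), is easiest to reason about if the ACL can be tested against concrete flows before it is deployed. The following is an added example written for this page, not Honeywell's or Cisco's code: a first-match evaluator for the subset of IOS extended-ACL syntax shown, run against a constructed Level 2.5 to Level 3 ACL and the permit-everything behaviour of the older router. The ACL name, addresses, ports and the sample flows are hypothetical; the two permitted services are chosen only to illustrate host-specific and subnet-wide rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed ACL (hypothetical name, addresses and ports) for a "Limited L2.5 to L3"
# link: only named flows from Level 2.5 into Level 3 pass; all else is denied and logged.
RESTRICTED_ACL = """\
ip access-list extended L25-TO-L3
 remark One Level 2.5 server to one Level 3 server over HTTPS only
 permit tcp host 10.25.0.10 host 10.3.0.20 eq 443
 remark The Level 2.5 subnet may sync time from the Level 3 NTP server
 permit udp 10.25.0.0 0.0.0.255 host 10.3.0.5 eq 123
 remark Everything else is blocked and logged for detection
 deny ip any any log
"""

# The "reliable connections" configuration of an older router: no restriction at all.
LEGACY_ACL = "permit ip any any\n"


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src_net: int
    src_care: int         # address bits that must match (inverse of the IOS wildcard mask)
    sport: Optional[int]
    dst_net: int
    dst_care: int
    dport: Optional[int]


def _parse_spec(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' plus optional 'eq PORT' at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        net, care, i = 0, 0, i + 1
    elif tok == "host":
        net, care, i = int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    else:
        wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
        care = ~wildcard & 0xFFFFFFFF
        net = int(ipaddress.IPv4Address(tok)) & care
        i += 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return net, care, port, i


def parse_acl(text) -> List[Rule]:
    """Parse the IOS extended-ACL subset used above, preserving order (order is the policy)."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue  # header line, comment, or separator
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {raw!r}")
        src_net, src_care, sport, i = _parse_spec(tokens, 2)
        dst_net, dst_care, dport, i = _parse_spec(tokens, i)
        rules.append(Rule(action, proto, src_net, src_care, sport, dst_net, dst_care, dport))
    return rules


def _matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    src = int(ipaddress.IPv4Address(flow.src))
    dst = int(ipaddress.IPv4Address(flow.dst))
    if (src & rule.src_care) != rule.src_net or (dst & rule.dst_care) != rule.dst_net:
        return False
    if rule.sport is not None and flow.sport != rule.sport:
        return False
    if rule.dport is not None and flow.dport != rule.dport:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for rule in rules:
        if _matches(rule, flow):
            return rule.action
    return "deny"


# Constructed flows from Level 2.5 toward Level 3.
SAMPLE_FLOWS = [
    Flow("tcp", "10.25.0.10", "10.3.0.20", dport=443),  # the one allowed application path
    Flow("tcp", "10.25.0.10", "10.3.0.20", dport=22),   # same hosts, wrong service
    Flow("udp", "10.25.0.77", "10.3.0.5", dport=123),   # NTP from anywhere in the L2.5 subnet
    Flow("tcp", "10.25.0.77", "10.3.0.5", dport=123),   # right port, wrong protocol
    Flow("tcp", "10.25.1.10", "10.3.0.20", dport=443),  # source outside the permitted host
]


def verdicts(acl_text: str) -> List[str]:
    rules = parse_acl(acl_text)
    return [evaluate(rules, f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for f, old, new in zip(SAMPLE_FLOWS, verdicts(LEGACY_ACL), verdicts(RESTRICTED_ACL)):
        print(f"{f.proto} {f.src} -> {f.dst}:{f.dport}  legacy={old}  restricted={new}")
```

Against the legacy ACL every sample flow is permitted; against the restricted one only the two named services pass and the rest fall through to the logged deny. Keeping the flow list under version control next to the ACL turns the "limited L2.5 to L3" intent into something that can be re-checked every time the router configuration changes.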

Page 11:

FTE Qualified Cisco Switches and IOS


Page 12:

Architecture Refresh

[Architecture diagram; only its labels survive extraction]
- Zones: Level 4, Level 3.5 DMZ, Level 3, Level 2.5, Level 2, Level 1
- Network devices: Router, HSRP Router, Enterprise Switch, Qualified Cisco Switches (Catalyst 2960 Series PoE-24), L2.5 Router Primary, L2.5 Router Secondary, Firewall (several)
- Connection note: Limited L2.5 to L3
- Nodes: Domain Controller (including a Level 2 Domain Controller), Experion Server, ESC, ESF, EST, ACE, ESVT, EAS, Safety Manager, Terminal Server, PHD Server, PHD Shadow Server, Patch Mgmt Server, AntiVirus Server, Relay Server, 3rd Party App Subsystem Interface, Blade Server (BladeCenter S), Server Blade, NAS, vCenter Server, VM Client, PLC, Risk Manager, Service Node

Page 13:

Architecture Refresh

[Second architecture slide; it carries the same diagram labels as the previous slide, and the second rendering is unreadable in extraction]

Page 14:

Summary

- Replace out of date software
- Replace end of life hardware
- Secure critical network infrastructure
- Harden systems
- Migrate legacy components
- Implement secure communications
- Update network architecture