Secure Network Refresh (SNR) - Honeywell · 2017-10-09
TRANSCRIPT
Honeywell Industrial Cyber Security
Mohamed Abdelkader
September 27, 2017
SECURE NETWORK REFRESH (SNR)
Honeywell Proprietary - © 2017 by Honeywell International Inc. All rights reserved.
Why I Don’t Upgrade My Network
Secure Network Refresh
Honeywell User Group 2017
Mohamed Abdelkader
Agenda
• Safety Moment
• Introductions
• Secure Network Refresh Defined
• Identifying the Need for a Refresh
• Securely Refreshing a Process Control Network
o Hardware Refresh
o Software Refresh
o Architecture Refresh
• Summary of Secure Network Refresh
• Wrap up / Q&A
Email Safety
How Do You Know if You Need a Network Refresh?
If you are still using one of these… or Cisco 1900 … you definitely need a network refresh.
Secure Network Refresh Defined
• What it is
- Replacing out of date software
- End of life hardware
- Securing critical network infrastructure
- Hardening of systems
- Enabling migration of legacy components
- Implementing secure communications
- Updating network architecture
• What it is not
- Experion upgrade
- Controller upgrade
- Release dependent
Foundation for ELCN/EUCN Migrations
Switch Obsolescence
• Announced End-of-Life (EOL) for many Cisco and other switches
- Switches: 2900s, 2950s, 2960s, 3550s
- Slower processing & interfaces
- Some obsolete as of 2009
- NOT UPGRADEABLE
• Big Issue: Security
- Older switches do NOT support encryption
- Configuration via Telnet only – IN THE CLEAR
- Extremely vulnerable to TAKE OVER
- New Switches & Routers support encryption for their communications and configuration files
- Other manufacturers’ Switches & Routers that do not encrypt their configuration files and access should also be replaced
• Configurations of upstream devices may also need to be checked
Router Obsolescence
• Routers were previously installed to support reliable connections
- Routers today need more restricted configurations to strengthen security
- Control of traffic between zones supports containment and protection
- Router’s Access Control Lists define communication between networks
• Announced End-of-Life (EOL) for many Cisco Routers as well
- Routers: 3560s, 3750s
- Slower processing & interfaces
- Some obsolete as of 2009
- NOT UPGRADEABLE
• Same issues with security
- Older routers do NOT support encryption
- Configuration via Telnet only – IN THE CLEAR
- Extremely vulnerable to TAKE OVER
- New Routers support encryption for their communications and configuration files
- Other manufacturers’ Routers that do not encrypt their configuration files and access should also be replaced
• Configurations of connecting devices should also be revisited
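The switch and router slides above name three things to look for in a legacy device configuration: Telnet-only management in the clear, configuration files that hold secrets unencrypted, and routed zone boundaries with no access control list. The following audit script is an added example, not Honeywell's or Cisco's tooling; it runs over two constructed IOS-style running-config fragments (a legacy device and its hardened counterpart) and reports those weaknesses. Interface names, hostnames and the hash value are placeholders.

```python
import re

# Constructed sample running-config (not from a real device): legacy device managed
# over Telnet, reversible enable password, no ACL on the inter-zone interface.
LEGACY_CONFIG = """\
hostname L3-ROUTER-OLD
enable password cisco
!
interface Vlan200
 ip address 10.2.0.1 255.255.255.0
!
line vty 0 4
 password cisco
 transport input telnet
"""

# Constructed hardened counterpart: SSH-only management, hashed enable secret,
# obfuscated line passwords, ACL at the zone boundary (hash is a placeholder).
HARDENED_CONFIG = """\
hostname L3-ROUTER-NEW
service password-encryption
enable secret 5 $1$PLACEHOLDER$HASHGOESHERE
ip ssh version 2
!
interface Vlan200
 ip address 10.2.0.1 255.255.255.0
 ip access-group L2-TO-L3 in
!
line vty 0 4
 login local
 transport input ssh
"""

def audit_config(text: str) -> list:
    """Return findings for the weaknesses named on the slides; [] means clean."""
    findings = []
    # 'service password-encryption' (type 7) only obfuscates, but without it every 'password' line is clear text.
    if "service password-encryption" not in text:
        findings.append("line passwords stored in clear text in the config file")
    if re.search(r"^enable password ", text, re.M):
        findings.append("reversible 'enable password' used instead of 'enable secret'")
    # Split into top-level commands with their indented sub-lines.
    for block in re.split(r"^(?=\S)", text, flags=re.M):
        if block.startswith("line vty") and re.search(r"^\s*transport input (telnet|all)\b", block, re.M):
            findings.append("vty lines accept Telnet: management traffic in the clear")
        elif block.startswith("interface ") and " ip address " in block and "ip access-group" not in block:
            name = block.split("\n", 1)[0].split(" ", 1)[1]
            findings.append(f"{name}: routed interface with no ACL between zones")
    return findings
```

Run `audit_config` over a saved `show running-config` export of each device in scope; the legacy sample produces four findings and the hardened sample none.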
FTE Qualified Cisco Switches and IOS
Architecture Refresh
[Architecture diagram: Experion process control network laid out by level (Level 1, Level 2, Level 2.5, Level 3, Level 3.5 DMZ, Level 4). Components labelled in the diagram: Router, HSRP Router, L2.5 Router Primary and Secondary ("Limited L2.5 to L3"), Qualified Cisco Switches (Catalyst 2960 Series), Enterprise Switch, Firewall, Domain Controller, Experion Server, ESC, ESF, ESTACE, ESVT, EAS, Safety Manager, Terminal Server, PHD Server, PHD Shadow Server, Patch Mgmt Server, AntiVirus Server, Relay Server, 3rd Party App Subsystem Interface, Blade Server (BladeCenter S), NAS, vCenter Server, Server Blade, VM Client, PLC, Risk Manager, Service Node.]
Architecture Refresh
[Architecture diagram: second view of the same levelled architecture; the only labels recoverable from the extraction are Router, ESC, ESF, ESTACE, Experion Server, ESVT, Safety Manager, Terminal Server, Level 2 Domain Controller, L2.5 Router Primary and Secondary, Level 2.5, Catalyst 2960 Series and BladeCenter S.]
Summary
- Replace out of date software
- Replace end of life hardware
- Secure critical network infrastructure
- Harden systems
- Migrate legacy components
- Implement secure communications
- Update network architecture