Architecture Intégrée | Sécurité et protection de la propriété

Transcription

AUP28 - Implementing Security and IP Protection
Features in the Integrated Architecture
Mads Laier
DK Commercial Engineer – Logix & Networks
PUBLIC INFORMATION
Rev 5058-CO900E
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.
Agenda
Why IACS Security Now!
Defense in depth
Key Takeaways – Design Considerations
Additional Information
PUBLIC INFORMATION
2
The threat is real!
PUBLIC INFORMATION
Industrial Market Drivers
Improve Asset Utilization
Maximize return on your automation investment
Drive Speed & Innovation
Innovation
Speed time to market; manage brand equity
Reduce
Energy usage
Contextualize
Data into Information
Manage Risk
Implement systems and procedures to address
market dynamics and regulatory requirements
PUBLIC INFORMATION
4
Cyber Security in the News?
First there was Stuxnet
PUBLIC INFORMATION
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.Copyri5
Cyber Security in the News
In 2015 the game changed.
Cyber security issues caused the CEO of a large US company to resign
This showed highlighted that Manufacturing is the new back door.
PUBLIC INFORMATION
6
Hackers have found “Remote Access is an
easy way to get into the Industrial network
 New Havex malware variants target industrial control system and SCADA
users





PUBLIC INFORMATION
During the spring, attackers began distributing new versions of a remote access Trojan (RAT) program
the discovery
the Stuxnet
called Havex by hackingFollowing
into the websites
of industrialofcontrol
system (ICS) manufacturers and poisoning
industrial
sabotage malware in 2010, which
their legitimate software
downloads
is believed to have destroyed up to 1,000
F-Secure did not name the affected vendors, but said that two of them develop ICS remote management
uranium enrichment centrifuges in Iran,
software and the third supplies high-precision industrial cameras and related software. According to the
security researchers sounded the alarm
security firm, the vendors are based in Germany, Switzerland and Belgium.
about the insecurity of industrial control
The attackers modifiedsystems
the legitimate
installers
to dropthey
and execute
and software
the ease
with which
can an additional file on
computers. The file is called
mbcheck.dll
is actuallyDespite
the Havex
malware.
be targeted
by and
attackers.
those
concerns,
malware
attacksHavex component whose purpose
That conclusion is also supported
bywidespread
the existence of
a new malicious
against
andthat
SCADA
never
is to scan local area networks
forICS
devices
respondsystems
to OPC (Open
Platform Communications)
became a reality, making the new Havex
requests.
campaigns a rare occurrence, but possibly
The Havex component leverages the OPC standard to gather information about industrial control devices
an indication of things to come.
and then sends that information back to its command-and-control (C&C) server for the attackers to
analyze, the F-Secure researchers said. “It appears that this component is used as a tool for intelligence
gathering. So far, we have not seen any payloads that attempt to control the connected hardware.”
7
Hackers damage Steel Plant.
 Hackers infiltrated a German steel mill and made it impossible to safely
shut down a furnace, according to a German security report quietly
published before the new year. The breach, which caused “massive”
damage, marks just the second time a digital attack caused physical
damage, highlighting growing fears that cyberwarfare will soon impact
more than computers and networks.
PUBLIC INFORMATION
8
It is becoming the LAW
Many countries are
enacting laws to protect
their Critical Infrastructure
PUBLIC INFORMATION
9
Industrial Network Security Trends
Established Industrial Security Standards
 International Society of Automation
 ISO/IEC-62443 (Formerly ISA-99)
 Industrial Automation and Control Systems (IACS) Security
 Defense-in-Depth
 IDMZ Deployment
 National Institute of Standards and Technology
 NIST 800-82
 Industrial Control System (ICS) Security
 IDMZ Deployment
 Department of Homeland Security / Idaho National Lab
 DHS INL/EXT-06-11478
 Control Systems Cyber Security: Defense-in-Depth Strategies
 IDMZ Deployment
A secure application depends on multiple layers of protection.
Industrial security must be implemented as a system.
PUBLIC INFORMATION
10
Agenda
Why ISC Security Now!
Defense in depth
Key Takeaways – Design Considerations
Additional Information
PUBLIC INFORMATION
11
What Risk
Copyright © 2015 Rockwell Automation, Inc. All rights reserved.
12
From Who?
Security Threat Actors
Human
System
PUBLIC INFORMATION
• Malicious
• Ignorant
• Misconfiguration
• Lack of Privilege
Control
13
Rockwell Automation
Focus on Industrial Cyber Security
Reduce risks to safe and reliable operation
…Control system architecture with layered security to
help maintain operational integrity under threat
Protect assets & information
…Product and system features to help
control access, tamper-proof and limit
information exposure
Government and Standards Alignment
…Responsible disclosure with control system solutions that follow
global standards and help fulfill independent & regulatory security requirements
PUBLIC INFORMATION
14
Defense-in-Depth
 No single product, technology or
methodology can fully secure Industrial
Automation and Control System (IACS)
applications.
 Protecting IACS assets requires a
defense-in-depth security approach,
which addresses internal and external
security threats.
 This approach utilizes multiple layers of
defense (physical, procedural and
electronic) at separate IACS levels by
applying policies and procedures that
address different types of threats.
PUBLIC INFORMATION
15
Recommendations for Defending ICS
 Separate control network from enterprise network
Harden connection to enterprise network
 Protect all points of entry with strong authentication
 Make reconnaissance difficult from outside

 Harden interior of control network
Make reconnaissance difficult from inside
 Avoid single points of vulnerability
 Frustrate opportunities to expand a compromise

 Harden field sites and partner connections

Mutual distrust
 Monitor both perimeter and inside events
 Periodically scan for changes in security posture
Two Critical Elements to Industrial Cyber
Security
• A balanced Security Program must
address both Technical and NonTechnical Risks and Controls
NonTechnical
Technical
• Technical Controls (firewalls,
layer-3 ACLs, etc.)…
…provide restrictive measures for…
• Non-technical Controls (rules for
environments, i.e. policy,
procedure, etc.)
PUBLIC INFORMATION
17
Defense-in-Depth
Industrial Security Policies Drive Technical Controls
 Physical – limit physical access to authorized personnel Cells/Areas, control panels,
devices, cabling, and control room
 Network – security framework
– e.g. firewall policies, access control list (ACL)
policies for switches and routers, AAA, intrusion
detection and prevention systems (IDS/IPS)
 Computer Hardening – patch management,
Anti-X software, removal of unused applications/
protocols/services, closing unnecessary
logical ports, protecting physical ports
 Application – authentication, authorization, and
accounting (AAA) software
 Device Hardening – change management,
communication encryption, and restrictive access
PUBLIC INFORMATION
18
Defense-in-Depth
Application Security - Examples
• FactoryTalk® Security
– Centralized authentication & access control
– Verifies user identity before granting system
access
– Grants or denies requests to perform actions
• FactoryTalk® AssetCentre
– Centralized storage of audit records
– Limits access to product and system data
– Offers back-up and archive of application files
PUBLIC INFORMATION
• Studio 5000™ Programming
Software
– Control access to routines and AOIs with
source protection
– Control access to tags with Data Access
Control
– Detect unauthorized modification with
Change Detection
19
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.Funda
Defense in depth
Controller Hardening Physical Procedure
 Physical procedure:


PUBLIC INFORMATION
Restrict Industrial Automation and Control System (IACS) access to authorized
personnel only

Control panels, devices, cabling, and control room

Locks, gates, key cards

Video Surveillance

Other Authentication Devices (biometric, keypad, etc.).
Switch the Logix Controller key to “RUN”
20
Defense in Depth.
Controller Hardening Electronic Design
Protect the Source
Embedded Change Log
FactoryTalk Security
Data Access Control
PUBLIC INFORMATION
Trusted Slot with
Embedded VPN Module
21
Defense-in-Depth
Computer Hardening - Examples
 Security Patch Management: establish and document a security patch management
program for tracking, evaluating, testing, and installing applicable cyber security software
patches
 Keep computers up-to-date on service packs and hot fixes





Disable automatic updates
Check software vendor website
Test patches before implementing
Schedule patching during downtime
Deploy and maintain Anti-X (antivirus, antispyware, etc.) and malware detection
software

Disable automatic updates and automatic scanning
Test definition updates before implementing

Schedule manually initiated scanning during downtime

 Uninstall unused Windows components
 Protocols and Services
 Protect unused or infrequently used USB, parallel or serial interfaces
PUBLIC INFORMATION
22
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.Funda
Industrial Network Security
Industrial vs. Enterprise Network Requirements
Industrial Requirements
 Switches
 Managed and Unmanaged
 Layer 2 is predominant
 Traffic types
 Information, control, safety, motion, time
synchronization, energy management
 Performance
 Low Latency, Low Jitter
 Data Prioritization – QoS – Layer 2 & 3
 IP Addressing
 Static
 Security
 Industrial security policies are
inconsistently deployed
 Open by default, must close by
configuration and architecture
Enterprise Requirements
 Switches
 Managed
 Layer 2 and Layer 3
 Traffic types
 Voice, Video, Data
 Performance
 Low Latency, Low Jitter
 Data Prioritization – QoS – Layer 3
 IP Addressing
 Dynamic
 Security
Similarities and
 Pervasive
differences?
 Strong policies
23
Industrial Network Security Trends
Industrial vs. Enterprise Network Requirements
Convergence Operation Technology(OT) with Information Technology (IT)
PUBLIC INFORMATION
24
Industrial Network Security
Collaboration of Partners
Wireless, Security,
Switching/Routing
Leader in
Industrial Network
Infrastructure
The Established
#1 Industrial Ethernet
Physical Layer Network Infrastructure
Application Layer
Reduce Risk
PUBLIC INFORMATION
Simplify Design
Speed Deployment
25
The Purdue Model and Rockwell Automation
 Rockwell Automation and CISCO Systems have defined a
manufacturing framework to created a foundation for network
segmentation, management and policy enforcement maximising the
seamless of the Industrial Cyber Security Technical Countermeasures and
minimising the risks to be assumed by our customers:
PUBLIC INFORMATION
26
Network Security Framework
Industrial Demilitarized Zone
Enterprise Network
Level 5
Level 4
E-Mail, Intranet, etc.
Site Business Planning and Logistics Network
Remote
Gateway
Services
Patch
Management
Application
Mirror
Enterprise
Security
Zone
Firewall
AV
Server
Web Services
Operations
Web
E-Mail
CIP
Application
Server
Industrial
DMZ
Firewall
Level 3
Level 2
FactoryTalk
Application
Server
FactoryTalk
Directory
Engineering
Workstation
Remote
Access
Server
Site Operations
and Control
Area
Supervisory
Control
Operator
Interface
FactoryTalk
Client
FactoryTalk
Client
Operator
Interface
Engineering
Workstation
Basic Control
Level 1
Level 0
Batch
Control
Sensors
Discrete
Control
Drive
Control
Drives
Continuous
Process
Control
Actuators
Industrial
Security
Zone
Safety
Control
Robots
Cell/Area
Zone
Process
Logical Model – Industrial Automation and Control System (IACS)
Converged Multi-discipline Industrial Network
No Direct Traffic Flow between Enterprise and Industrial Zone
PUBLIC INFORMATION
27
Industrial Demilitarized Zone (IDMZ)
 All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic
does not directly traverse the IDMZ
 Only path between zones
 No common protocols in each logical firewall
 No control traffic into the IDMZ, CIP stays home
Trusted? Untrusted?
 No primary services are permanently housed
Enterprise
in the IDMZ
Disconnect Point
Security
Zone
 IDMZ shall not permanently house data
 Application data mirror to move data into and
Replicated
IDMZ
out of the Industrial Zone
Services
 Limit outbound connections from the IDMZ
 Be prepared to “turn-off” access via the firewall
No Direct
Traffic
Disconnect Point
Industrial
Security
Zone
Trusted
PUBLIC INFORMATION
28
Scalable Network Security Framework
One Size Does Not Fit All
Enterprise-wide Network
Switch
with VLANs
Plant-wide Network
Plant-wide Network
Plant-wide Network
Figure 1
Figure 2
Plant-wide Network
Figure 3
Figure 4
Not Recommended
Recommended – Depends …. based on customer standards, security policies and procedures, risk tolerance, and
alignment with IACS Security Standards
IDMZ
Firewall
Router
(Zone Based FW)
Plant-wide Network
Plant-wide Network
Plant-wide Network
Good
Better
Best
Figure 5
PUBLIC INFORMATION
Figure 6
Figure 7
29
Converged Plant-wide Ethernet (CPwE) Reference Architectures
 Structured and Hardened IACS
Network Infrastructure
Enterprise Zone
Levels 4-5
 Industrial security policy
Industrial
Demilitarized Zone
(IDMZ)
 Pervasive security, not a
bolt-on component
 Security framework utilizing defense-indepth approach
 Industrial DMZ implementation
 Remote partner access policy, with
robust & secure implementation
Standard DMZ Design Best Practices
Enterprise
WAN
VLANs
Physical or Virtualized Servers
•
•
•
•
Cisco
ASA 5500
Patch Management
Remote Gateway Services
Application Mirror
AV Server
Firewall
(Standby)
Firewall
(Active)
Plant Firewall:
 Inter-zone traffic
segmentation
 ACLs, IPS and IDS
 VPN Services
 Portal and Terminal
Server proxy
Network Status
and Monitoring
AAA - Application
Catalyst
6500/4500
Authentication Server,
Active Directory (AD),
AAA - Network
Network Device
Resiliency
Remote Access Server
Catalyst 3750
StackWise
Switch Stack
Level 3 – Site Operations
Network Infrastructure
Access Control and
Hardening
FactoryTalk Client
Client Hardening
Level 2 – Area Supervisory Control
HMI
VLANs, Segmenting
Domains of Trust
Controllers,
I/O, Drives
Physical Port Security
Unified Threat
Management (UTM)
Controller Hardening,
Physical Security
Network Security Services
Must Not Compromise Operations of
the IACS
PUBLIC INFORMATION
Controller Hardening,
Encrypted Communications
I/O
Controller
Level 1 - Controller
Drive
Controller
Level 0 - Process
MCC
Soft
Starter
30
Secure Remote Access
CPwE - Solution
Remote Engineer
or Partner
Cisco VPN Client
Internet
Enterprise Zone
Levels 4 and 5
Enterprise Zone
Levels 4 and 5
Demilitarized Zone (DMZ)
Industrial Zone
Site Operations and Control
Level 3
Cell/Area Zones
Levels 0–2
PUBLIC INFORMATION
CPwE - Solution
Remote Engineer
or Partner
Enterprise
Data Center
IPSEC VPN
1. Remote engineer or partner
establishes VPN to corporate
network; access is restricted to IP
address of plant DMZ firewall
Cisco VPN Client
Internet
Enterprise Edge
Firewall
Enterprise Zone
Levels 4 and 5
Enterprise
WAN
Enterprise Zone
Levels 4 and 5
Industrial Zone
Level 3
Cell/Area Zones
Levels 0–2
PUBLIC INFORMATION
CPwE - Solution
2. Portal on plant firewall enables
access to industrial application
data and files
Intrusion protection system (IPS) on
plant firewall detects and protects
against attacks from remote host
IPSEC VPN
Enterprise
Data Center
SSL VPN

Remote Engineer
or Partner
Cisco VPN Client
Internet
Enterprise Zone
Levels 4 and 5
Enterprise Edge
Firewall
Enterprise
Connected
Engineer
Enterprise
WAN
HTTPS
Enterprise Zone
Levels 4 and 5
Patch Management
Terminal Services
Application Mirror
AV Server
Gbps Link
Failover
Detection
Cisco
ASA 5500
Firewall
(Standby)
Firewall
(Active)
Industrial Zone
Level 3
Cell/Area Zones
Levels 0–2
PUBLIC INFORMATION
CPwE - Solution
data and files
3. Firewall proxies a client session to
remote access server
IPSEC VPN
Enterprise
Data Center
SSL VPN

Remote Engineer
or Partner
Cisco VPN Client
Internet
Enterprise Zone
Levels 4 and 5
Enterprise Edge
Firewall
Enterprise
Connected
Engineer
Enterprise
WAN
HTTPS
Enterprise Zone
Levels 4 and 5
Patch Management
Terminal Services
Application Mirror
AV Server
Gbps Link
Failover
Detection
Cisco
ASA 5500
Firewall
(Standby)
Catalyst
6500/4500
Remote Desktop
Protocol (RDP)
Firewall
(Active)
Industrial Zone
Level 3
Cell/Area Zones
Levels 0–2
PUBLIC INFORMATION
CPwE - Solution
data and files
3. Firewall proxies a client session to
remote access server
4. Access to applications on remote
access server is restricted to
specified plant floor resources
through industrial application
security
IPSEC VPN
Enterprise
Data Center
Cisco VPN Client
Internet
Enterprise
Connected
Engineer
Enterprise
WAN
HTTPS
Enterprise Zone
Levels 4 and 5
Patch Management
Terminal Services
Application Mirror
AV Server
Gbps Link
Failover
Detection
Cisco
ASA 5500
Remote Desktop
Protocol (RDP)
Firewall
(Active)
Firewall
(Standby)
FactoryTalk Application Servers
•
•
•
•
View
Historian
AssetCentre
Transaction Manager
FactoryTalk Services
Platform
• Directory
• Security/Audit
Data Servers
Catalyst
6500/4500
• RSLogix 5000
• FactoryTalk View Studio
Catalyst 3750
StackWise
Switch Stack
EtherNet/IP
PUBLIC INFORMATION
Enterprise Zone
Levels 4 and 5
Enterprise Edge
Firewall
SSL VPN

Remote Engineer
or Partner
Industrial Zone
Level 3
Cell/Area Zones
Levels 0–2
Stratix 5900 Unified Threat Management (UTM)
Enterprise-wide
Business Systems
Levels 4 & 5 – Data Center
Enterprise Zone
Level 3.5 - IDMZ
Plant-wide
Site-wide
Operation Systems
Site-to-Site
Connection
Physical or Virtualized Servers
•
•
•
•
•
Level 3 - Site Operations
Industrial Zone
FactoryTalk Application Servers & Services Platform
Network Services – e.g. DNS, AD, DHCP, AAA
Remote Access Server (RAS)
Call Manager
Storage Array
Levels 0-2
Cell/Area Zones
Stratix 5900
2) Cell/Area Zone Firewall
Stratix 5900
1) Site-to-Site Connection
Stratix 5900
3) OEM Integration
UTM
UTM
UTM
Remote Site #1
Local Cell/Area Zone #1
Local OEM Skid / Machine #1
PUBLIC INFORMATION
36
Physical Port Security
 Keyed solutions for
copper and fiber
 Lock-in, Blockout
products secure
connections
 Data Access Port
(keyed cable and jack)
PUBLIC INFORMATION
37
IACS Security
EtherNet/IP Industrial Automation & Control System Network
 Open by default to allow both
technology coexistence and device
interoperability for Industrial
Automation and Control System
(IACS) Networks
 Secured by configuration:



PUBLIC INFORMATION
Protect the network
- Electronic Security Perimeter
Defend the edge
- Industrial DMZ (IDMZ)
Defense-in-Depth
– Multiple layers of security
38
Network & Security Services:
Life Cycle Approach to Services and Solutions
ASSESS
PUBLIC INFORMATION
DESIGN
IMPLEMENT
VALIDATE
MANAGE
39
IACS Security
Design and Implementation Considerations
 Align with Industrial Automation and Control System Security Standards

DHS External Report # INL/EXT-06-11478, NIST 800-82, ISO/IEC-62443 (Formerly ISA99)
 Implement Defense-in-Depth approach: no single product, methodology,
nor technology fully secures IACS networks
 Establish an open dialog between Industrial Automation and IT groups
 Establish an industrial security policy
 Establish an IDMZ between the Enterprise and Industrial Zones
 Work with trusted partners knowledgeable in automation & security
 "Good enough" security now, is better than "perfect" security ...never.
(Tom West, Data General)
PUBLIC INFORMATION
40
Additional Material
Industrial Security Resources
Security
Resources
Assessment
Services
Security
Advisory Index
Security
Technology
Security
FAQ
MS Patch
Qualification
Security
Services
Reference
Architectures
Assessment
Services
Leadership &
Standards
[email protected]
http://rockwellautomation.com/security
PUBLIC INFORMATION
41
Additional Material
 Websites
 Reference Architectures
 Design Guides
 Converged Plant-wide Ethernet (CPwE)
 CPwE Resilient Ethernet Protocol (REP)
 Application Guides
 Fiber Optic Infrastructure Application Guide
 Wireless Design Considerations for Industrial Applications
 Whitepapers
 Top 10 Recommendations for Plant-wide EtherNet/IP
Deployments
 Securing Manufacturing Computer and Controller Assets
 Production Software within Manufacturing Reference Architectures
 Achieving Secure Remote Access to plant-floor Applications and
Data
 Design Considerations for Securing Industrial Automation and
Control System Networks
PUBLIC INFORMATION
42
Additional Material
 A new ‘go-to’ resource for educational, technical and
thought leadership information about industrial
communications
 Standard Internet Protocol (IP) for
Industrial Applications
 Coalition of like-minded companies
www.industrial-ip.org
PUBLIC INFORMATION
43
Thank you for participating!
Please remember to tidy up your work area for the next session.
We want your feedback! Please complete the session survey!
PUBLIC INFORMATION
Follow ROKAutomation on Facebook & Twitter.
Connect with us on LinkedIn.
www.rockwellautomation.com
Rev 5058-CO900F
44
Copyright © 2015 Rockwell Automation,
Inc. All Rights Reserved.

Architecture Intégrée | Sécurité et protection de la propriété

Transcription

Similar documents

PlantPAx System Overview

EnWin Utilities Reduces Main Breaks by 21 Percent with Model

Satellite Transportable Terminal (STT)

Process Solutions User Group (PSUG)

Process Solutions User Group (PSUG)

Title: Process Solutions User Group

Integrated building management at O`Hare International Airport

Process Solutions User Group

Press Futures - Full Automation, Part I

Presentation

The Company - Rhythmsoft

Siebel Test Automation

RSTechED 2013 Session Selection Guide

Telling Stories: Norman Rockwell from the collections of George

2/e, by William Stallings and Lawrie Brown, Chapter 9