Integrated Architecture | Security and Intellectual Property Protection
Transcript
AUP28 – Implementing Security and IP Protection Features in the Integrated Architecture
Mads Laier, DK Commercial Engineer – Logix & Networks
PUBLIC INFORMATION. Rev 5058-CO900E. Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.

Agenda
• Why IACS Security Now!
• Defense in depth
• Key Takeaways – Design Considerations
• Additional Information

The threat is real!

Industrial Market Drivers
• Improve Asset Utilization – Maximize return on your automation investment
• Drive Speed & Innovation – Speed time to market; manage brand equity
• Reduce Energy Usage
• Contextualize Data into Information
• Manage Risk – Implement systems and procedures to address market dynamics and regulatory requirements

Cyber Security in the News?
First there was Stuxnet.

Cyber Security in the News
In 2015 the game changed. Cyber security issues caused the CEO of a large US company to resign. This highlighted that manufacturing is the new back door.
Hackers have found “Remote Access” is an easy way to get into the Industrial network
Quoted article: “New Havex malware variants target industrial control system and SCADA users”

During the spring, attackers began distributing new versions of a remote access Trojan (RAT) program called Havex by hacking into the websites of industrial control system (ICS) manufacturers and poisoning their legitimate software downloads. F-Secure did not name the affected vendors, but said that two of them develop ICS remote management software and the third supplies high-precision industrial cameras and related software. According to the security firm, the vendors are based in Germany, Switzerland and Belgium.

The attackers modified the legitimate installers to drop and execute an additional file on computers. The file is called mbcheck.dll and is actually the Havex malware.

Following the discovery of the Stuxnet industrial sabotage malware in 2010, which is believed to have destroyed up to 1,000 uranium enrichment centrifuges in Iran, security researchers sounded the alarm about the insecurity of industrial control systems and software and the ease with which they can be targeted by attackers. Despite those concerns, widespread malware attacks against ICS and SCADA systems never became a reality, making the new Havex campaigns a rare occurrence, but possibly an indication of things to come.

That conclusion is also supported by the existence of a new malicious Havex component whose purpose is to scan local area networks for devices that respond to OPC (Open Platform Communications) requests. The Havex component leverages the OPC standard to gather information about industrial control devices and then sends that information back to its command-and-control (C&C) server for the attackers to analyze, the F-Secure researchers said. “It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.”

Hackers damage Steel Plant
Quoted report: Hackers infiltrated a German steel mill and made it impossible to safely shut down a furnace, according to a German security report quietly published before the new year. The breach, which caused “massive” damage, marks just the second time a digital attack caused physical damage, highlighting growing fears that cyberwarfare will soon impact more than computers and networks.

It is becoming the LAW
Many countries are enacting laws to protect their Critical Infrastructure.

Industrial Network Security Trends – Established Industrial Security Standards
• International Society of Automation – ISO/IEC-62443 (Formerly ISA-99) – Industrial Automation and Control Systems (IACS) Security – Defense-in-Depth, IDMZ Deployment
• National Institute of Standards and Technology – NIST 800-82 – Industrial Control System (ICS) Security – Defense-in-Depth, IDMZ Deployment
• Department of Homeland Security / Idaho National Lab – DHS INL/EXT-06-11478 – Control Systems Cyber Security: Defense-in-Depth Strategies – Defense-in-Depth, IDMZ Deployment
A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.

Agenda – Defense in depth

What Risk? From Who?
Security Threat Actors
• Human – Malicious; Ignorant
• System – Misconfiguration; Lack of Privilege Control

Rockwell Automation Focus on Industrial Cyber Security
• Reduce risks to safe and reliable operation … Control system architecture with layered security to help maintain operational integrity under threat
• Protect assets & information … Product and system features to help control access, tamper-proof and limit information exposure
• Government and Standards Alignment … Responsible disclosure with control system solutions that follow global standards and help fulfill independent & regulatory security requirements

Defense-in-Depth
No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications. Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats. This approach utilizes multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats.

Recommendations for Defending ICS
• Separate control network from enterprise network
• Harden connection to enterprise network
• Protect all points of entry with strong authentication
• Make reconnaissance difficult from outside
• Harden interior of control network
• Make reconnaissance difficult from inside
• Avoid single points of vulnerability
• Frustrate opportunities to expand a compromise
• Harden field sites and partner connections – mutual distrust
• Monitor both perimeter and inside events
• Periodically scan for changes in security posture
Two Critical Elements to Industrial Cyber Security
• A balanced Security Program must address both Technical and Non-Technical Risks and Controls
• Technical Controls (firewalls, layer-3 ACLs, etc.) provide restrictive measures for Non-technical Controls (rules for environments, i.e. policy, procedure, etc.)

Defense-in-Depth – Industrial Security Policies Drive Technical Controls
• Physical – limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling, and control room
• Network – security framework – e.g. firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS)
• Computer Hardening – patch management, Anti-X software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports
• Application – authentication, authorization, and accounting (AAA) software
• Device Hardening – change management, communication encryption, and restrictive access

Defense-in-Depth – Application Security Examples
• FactoryTalk® Security – Centralized authentication & access control; verifies user identity before granting system access; grants or denies requests to perform actions
• FactoryTalk® AssetCentre – Centralized storage of audit records; limits access to product and system data; offers back-up and archive of application files
• Studio 5000™ Programming Software – Control access to routines and AOIs with source protection; control access to tags with Data Access Control; detect unauthorized modification with Change Detection

Defense in Depth – Controller Hardening – Physical Procedure
• Restrict Industrial Automation and Control System (IACS) access to authorized personnel only: control panels, devices, cabling, and control room
• Locks, gates, key cards
• Video Surveillance
• Other Authentication Devices (biometric, keypad, etc.)
• Switch the Logix Controller key to “RUN”

Defense in Depth – Controller Hardening – Electronic Design
• Protect the Source
• Embedded Change Log
• FactoryTalk Security
• Data Access Control
• Trusted Slot with Embedded VPN Module

Defense-in-Depth – Computer Hardening Examples
Security Patch Management: establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches.
• Keep computers up-to-date on service packs and hot fixes: disable automatic updates; check software vendor website; test patches before implementing; schedule patching during downtime
• Deploy and maintain Anti-X (antivirus, antispyware, etc.) and malware detection software: disable automatic updates and automatic scanning; test definition updates before implementing; schedule manually initiated scanning during downtime
• Uninstall unused Windows components, protocols and services
• Protect unused or infrequently used USB, parallel or serial interfaces

Industrial Network Security – Industrial vs. Enterprise Network Requirements (similarities and differences?)

Requirement   | Industrial                                                                 | Enterprise
Switches      | Managed and Unmanaged; Layer 2 is predominant                              | Managed; Layer 2 and Layer 3
Traffic types | Information, control, safety, motion, time synchronization, energy management | Voice, Video, Data
Performance   | Low Latency, Low Jitter; Data Prioritization – QoS – Layer 2 & 3           | Low Latency, Low Jitter; Data Prioritization – QoS – Layer 3
IP Addressing | Static                                                                     | Dynamic
Security      | Industrial security policies are inconsistently deployed; open by default, must close by configuration and architecture | Strong policies; pervasive

Industrial Network Security Trends – Industrial vs. Enterprise Network Requirements
Convergence of Operation Technology (OT) with Information Technology (IT)

Industrial Network Security – Collaboration of Partners
Partners across the Physical Layer, Network Infrastructure and Application Layer: Wireless, Security, Switching/Routing; Leader in Industrial Network Infrastructure; The Established #1 Industrial Ethernet. Goals: Reduce Risk, Simplify Design, Speed Deployment.

The Purdue Model and Rockwell Automation
Rockwell Automation and Cisco Systems have defined a manufacturing framework to create a foundation for network segmentation, management and policy enforcement, maximising the seamlessness of the Industrial Cyber Security Technical Countermeasures and minimising the risks to be assumed by our customers.

Network Security Framework – Logical Model – Industrial Automation and Control System (IACS)
(Converged Multi-discipline Industrial Network; no direct traffic flow between Enterprise and Industrial Zone)
• Enterprise Security Zone – Level 5: Enterprise Network (E-Mail, Intranet, etc.); Level 4: Site Business Planning and Logistics Network (Web, E-Mail, CIP, Application Server)
• Industrial DMZ – Firewall; Remote Gateway Services; Patch Management; Application Mirror; AV Server; Web Services Operations
• Industrial Security Zone – Level 3: Site Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server)
• Cell/Area Zone – Level 2: Area Supervisory Control (Operator Interface, FactoryTalk Client, Engineering Workstation); Level 1: Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control); Level 0: Process (Sensors, Drives, Actuators, Robots)

Network Security Framework – Industrial Demilitarized Zone (IDMZ)
• All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
• Only path between zones
• No common protocols in each logical firewall
• No control traffic into the IDMZ, CIP stays home
• No primary services are permanently housed in the IDMZ
• IDMZ shall not permanently house data
• Application data mirror to move data into and out of the Industrial Zone
• Limit outbound connections from the IDMZ
• Be prepared to “turn-off” access via the firewall
Diagram: Enterprise Security Zone (Trusted? Untrusted?) – Disconnect Point – IDMZ (Replicated Services; No Direct Traffic) – Disconnect Point – Industrial Security Zone (Trusted)
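The IDMZ rules above as a small policy checker, added here as example code (not Rockwell Automation's or Cisco's): it models the three zones and the two logical firewalls, flags rule sets that break the principles, and includes a disconnect function for the “turn-off access” case. Zone labels, protocol labels, the IDMZ outbound allow-list and the sample rules are assumptions constructed for the example; the sample's permitted path follows the portal-plus-proxied-RDP flow of the secure remote access slides.

```python
from dataclasses import dataclass

# Zone labels are constructed for the example; they follow the deck's three zones.
ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"
CONTROL_PROTOCOLS = {"CIP", "ETHERNET/IP"}      # "CIP stays home": never into the IDMZ
# Connections the IDMZ itself may open. The proxied RDP session from the plant
# firewall to the Level 3 remote access server is the one case the deck shows (assumed).
IDMZ_OUTBOUND_ALLOWED = {(INDUSTRIAL, "RDP")}


@dataclass(frozen=True)
class Rule:
    src: str            # zone that initiates the connection
    dst: str            # zone that receives it
    proto: str          # protocol label, e.g. "HTTPS", "RDP", "CIP"
    action: str = "permit"


def firewall_for(rule):
    """Logical firewall a rule belongs to, or None if it bypasses the IDMZ."""
    zones = {rule.src, rule.dst}
    if zones == {ENTERPRISE, IDMZ}:
        return "enterprise-firewall"
    if zones == {IDMZ, INDUSTRIAL}:
        return "industrial-firewall"
    return None


def check_rules(rules):
    """Return one finding string per permit rule that breaks an IDMZ principle."""
    findings = []
    protos = {"enterprise-firewall": set(), "industrial-firewall": set()}
    for r in rules:
        if r.action != "permit":
            continue
        label = f"{r.src}->{r.dst} {r.proto}"
        fw = firewall_for(r)
        if fw is None:                       # traffic must terminate in the IDMZ
            findings.append(f"{label}: direct traffic between Enterprise and Industrial zone")
            continue
        protos[fw].add(r.proto.upper())
        if r.dst == IDMZ and r.proto.upper() in CONTROL_PROTOCOLS:
            findings.append(f"{label}: control traffic into the IDMZ")
        if r.src == IDMZ and (r.dst, r.proto.upper()) not in IDMZ_OUTBOUND_ALLOWED:
            findings.append(f"{label}: outbound connection initiated from the IDMZ")
    # "No common protocols in each logical firewall": a protocol permitted through
    # both firewalls defeats the protocol break the IDMZ is meant to provide.
    for proto in sorted(protos["enterprise-firewall"] & protos["industrial-firewall"]):
        findings.append(f"{proto}: permitted through both logical firewalls (no protocol break)")
    return findings


def disconnect(rules, firewall):
    """'Turn off' access through one logical firewall by turning its permits into denies."""
    return [Rule(r.src, r.dst, r.proto, "deny") if firewall_for(r) == firewall else r
            for r in rules]


# Constructed sample rule set: the portal-plus-proxied-RDP path from the secure
# remote access slides, followed by rules that each violate one principle.
SAMPLE_RULES = [
    Rule(ENTERPRISE, IDMZ, "HTTPS"),        # engineer -> portal on the plant firewall
    Rule(IDMZ, INDUSTRIAL, "RDP"),          # firewall proxies the session to the RAS
    Rule(ENTERPRISE, INDUSTRIAL, "SMB"),    # bypasses the IDMZ
    Rule(ENTERPRISE, IDMZ, "CIP"),          # control traffic into the IDMZ
    Rule(IDMZ, ENTERPRISE, "DNS"),          # IDMZ-initiated, not on the allow-list
    Rule(ENTERPRISE, IDMZ, "SMB"),          # same protocol on both firewalls ...
    Rule(INDUSTRIAL, IDMZ, "SMB"),          # ... so there is no protocol break
]

if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES):
        print(finding)
```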
Scalable Network Security Framework – One Size Does Not Fit All
• Figures 1–4: Enterprise-wide Network and Plant-wide Network joined directly or by a switch with VLANs (Not Recommended) versus a segmented design (Recommended – depends on customer standards, security policies and procedures, risk tolerance, and alignment with IACS Security Standards)
• Figures 5–7: Router (Zone Based FW) – Good; Firewall – Better; IDMZ – Best

Network Security Framework – Converged Plant-wide Ethernet (CPwE) Reference Architectures
Structured and Hardened IACS Network Infrastructure
• Enterprise Zone, Levels 4–5 (Enterprise WAN): Industrial security policy
• Industrial Demilitarized Zone (IDMZ): Pervasive security, not a bolt-on component; security framework utilizing defense-in-depth approach; Industrial DMZ implementation; remote partner access policy, with robust & secure implementation; standard DMZ design best practices
• IDMZ components: Physical or Virtualized Servers (Patch Management, Remote Gateway Services, Application Mirror, AV Server); Cisco ASA 5500 Firewall (Active / Standby); Plant Firewall: inter-zone traffic segmentation, ACLs, IPS and IDS, VPN Services, Portal and Terminal Server proxy
• Level 3 – Site Operations: Network Status and Monitoring; AAA – Application; Authentication Server, Active Directory (AD), AAA – Network; Network Device Resiliency; Remote Access Server; Catalyst 6500/4500; Catalyst 3750 StackWise Switch Stack; Network Infrastructure Access Control and Hardening
• Level 2 – Area Supervisory Control: FactoryTalk Client, HMI; Client Hardening; VLANs, Segmenting Domains of Trust
• Level 1 – Controller: Controllers, I/O, Drives; Physical Port Security; Unified Threat Management (UTM); Controller Hardening, Physical Security; Controller Hardening, Encrypted Communications
• Level 0 – Process: Drive, MCC, Soft Starter
Network Security Services Must Not Compromise Operations of the IACS.

Secure Remote Access – CPwE Solution
Zones: Enterprise Zone (Levels 4 and 5), Demilitarized Zone (DMZ), Industrial Zone (Site Operations and Control, Level 3; Cell/Area Zones, Levels 0–2).
1. Remote engineer or partner establishes a VPN (IPSEC VPN from the Cisco VPN Client over the Internet to the Enterprise Edge Firewall / Enterprise Data Center) to the corporate network; access is restricted to the IP address of the plant DMZ firewall. An Enterprise Connected Engineer reaches the same point over HTTPS across the Enterprise WAN.
2. Portal (SSL VPN, HTTPS) on the plant firewall (Cisco ASA 5500, Firewall Active / Firewall Standby, Gbps link failover detection; DMZ servers: Patch Management, Terminal Services, Application Mirror, AV Server) enables access to industrial application data and files. The intrusion protection system (IPS) on the plant firewall detects and protects against attacks from the remote host.
3. Firewall proxies a client session (Remote Desktop Protocol, RDP) to the remote access server in the Industrial Zone (Catalyst 6500/4500, Catalyst 3750 StackWise Switch Stack, EtherNet/IP).
4. Access to applications on the remote access server (RSLogix 5000, FactoryTalk View Studio) is restricted to specified plant floor resources through industrial application security: FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), Data Servers.

Network Security Framework – Stratix 5900 Unified Threat Management (UTM)
• Levels 4 & 5 – Enterprise Zone: Data Center, Enterprise-wide Business Systems
• Level 3.5 – IDMZ
• Level 3 – Site Operations, Industrial Zone: Plant-wide / Site-wide Operation Systems on Physical or Virtualized Servers (FactoryTalk Application Servers & Services Platform; Network Services – e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; Storage Array)
• Levels 0–2 – Cell/Area Zones
Three Stratix 5900 UTM placements: 1) Site-to-Site Connection (Remote Site #1); 2) Cell/Area Zone Firewall (Local Cell/Area Zone #1); 3) OEM Integration (Local OEM Skid / Machine #1)

Network Security Framework – Physical Port Security
• Keyed solutions for copper and fiber
• Lock-in, Blockout products secure connections
• Data Access Port (keyed cable and jack)

IACS Security – EtherNet/IP Industrial Automation & Control System Network
Open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks. Secured by configuration:
• Protect the network – Electronic Security Perimeter
• Defend the edge – Industrial DMZ (IDMZ)
• Defense-in-Depth – Multiple layers of security

Network & Security Services: Life Cycle Approach to Services and Solutions
ASSESS – DESIGN – IMPLEMENT – VALIDATE – MANAGE

IACS Security Design and Implementation Considerations
• Align with Industrial Automation and Control System Security Standards: DHS External Report # INL/EXT-06-11478, NIST 800-82, ISO/IEC-62443 (Formerly ISA99)
• Implement a Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks
• Establish an open dialog between Industrial Automation and IT groups
• Establish an industrial security policy
• Establish an IDMZ between the Enterprise and Industrial Zones
• Work with trusted partners knowledgeable in automation & security
“Good enough” security now is better than “perfect” security … never. (Tom West, Data General)

Additional Material – Industrial Security Resources
Security Resources: Security Advisory Index, Security FAQ, MS Patch Qualification, Reference Architectures, Assessment Services, Security Technology, Security Services, Leadership & Standards
Contact: [email protected], http://rockwellautomation.com/security

Additional Material – Websites
• Reference Architectures
• Design Guides: Converged Plant-wide Ethernet (CPwE); CPwE Resilient Ethernet Protocol (REP)
• Application Guides: Fiber Optic Infrastructure Application Guide; Wireless Design Considerations for Industrial Applications
• Whitepapers: Top 10 Recommendations for Plant-wide EtherNet/IP Deployments; Securing Manufacturing Computer and Controller Assets; Production Software within Manufacturing Reference Architectures; Achieving Secure Remote Access to plant-floor Applications and Data; Design Considerations for Securing Industrial Automation and Control System Networks

Additional Material – www.industrial-ip.org
A new ‘go-to’ resource for educational, technical and thought leadership information about industrial communications: Standard Internet Protocol (IP) for Industrial Applications, a coalition of like-minded companies.

Thank you for participating!
Please remember to tidy up your work area for the next session. We want your feedback! Please complete the session survey!
Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. www.rockwellautomation.com