Industrial network infrastructures, virtualization and cyber security

Transcript

Industrial network infrastructures, virtualization and cyber security
AUP38
Pierre Paterni
Europe Market Development Manager, Network and Security Services
March 2016
PUBLIC
Copyright © 2016 Rockwell Automation, Inc. All Rights Reserved.
Agenda
The Connected Enterprise
IT/OT convergence and security
6 steps to secure the Connected Enterprise
Rockwell Network Services
References / Quiz
Our Three Core Platforms deliver… THE CONNECTED ENTERPRISE
[Diagram: the Connected Enterprise linking Headquarters, Production, Customers, Supply Chain, Field-Based Assets, Distribution Center and Smart Grid]
Outcomes: Faster Time to Market; Lower Total Cost of Ownership; Improved Asset Utilization; Enterprise Risk Management
Platforms: Integrated Architecture; Intelligent Motor Control; Solutions & Services
Usine Nouvelle, March 2015
Rockwell Automation plant in Twinsburg, Ohio
"To achieve this connected plant, technical challenges had to be overcome, notably setting up a network running across the enterprise from the sensors up to the ERP, comments Bob Rossol. But the challenges are also organizational, because every distinction between traditional IT staff and field IT staff had to be removed."
• Quality level doubled in 5 years
• 4 to 5% productivity gain per year
• 50% reduction in overall production time
Technology shifts are accelerating convergence
• Scalable Computing (Control, Edge, Cloud)
• Information Management & Analytics
• Mobility & Visualization
• Multi-discipline Control & Information
• Smart Assets
• Secure Network Infrastructure
Collaboration Is Key To Realizing The Connected Enterprise
[Diagram: IT and OT meet on a COMMON SECURE NETWORK INFRASTRUCTURE, supported by standards, academia and industry initiatives]
IT / OT Security Policies - Similarities and Differences

| Criteria | Industrial OT Network | Enterprise IT Network |
|---|---|---|
| Focus | 24/7 operations, high OEE | Protecting intellectual property and company assets |
| Precedence of Priorities | 1. Availability 2. Integrity 3. Confidentiality | 1. Confidentiality 2. Integrity 3. Availability |
| Types of Data Traffic | Converged network of data, control, information, safety and motion | Converged network of data, voice and video |
| Access Control | Strict physical access; simple network device access | Strict network authentication and access policies |
| Implications of a Device Failure | Production is down ($$'s/hour … or worse) | Work-around or wait |
| Threat Protection | Isolate threat but keep operating | Shut down access to detected threat |
| Upgrades | Scheduled during downtime | Automatically pushed during uptime |
Practical cases - IT/OT convergence
Examples of situations where IT/OT collaboration is crucial:
• Implementing an MES project – connection to the ERP
• Migration projects, for example from RSView®32™ to FactoryTalk® View Site Edition (SE)
• Centralizing a fleet of physical servers onto a centralized virtualized infrastructure
• Mobility project
• Adding a production line
• Cyber security – secure remote access for an OEM
The Threat is real!
6 Steps To Securing the Connected Enterprise
Step 1: Network & Security Assessment
Step 2: Educate Your People
Step 3: Secure & Upgrade Networks and ICS
Step 4: Virtualize Servers & Consolidate into Industrial Data Centers
Step 5: Manage & Monitor your Networks & ICS
Step 6: Develop and Practice a Disaster Recovery Plan
Industrial Infrastructure
Today’s Plant Floor - Reality
Conventional Servers
Disparate Flat Networks
Network Assessment
Network Audit
– On-site customer collaboration
– Assess all layers of the OSI model
  • Physical layer
  • Logical layer
  • Application layer
– Defense-in-Depth security evaluation
– Assess against industry and company standards
– Deliverables
  • Detailed report of findings
  • Prioritized critical issues
  • Remediations/suggestions
CCNA Industrial
Training and Certification - OT/IT Convergence
Cisco Industrial Networking Specialist Training and Certification
• Classroom training: Managing Industrial Networks with Cisco Networking Technologies (IMINS)
• Exam: 200-401 IMINS
• CPwE Design Considerations and Best Practices
• Rockwell France: 30 May, 12 Sept, 28 Nov 2016
CCNA Industrial Training and Certification
• Classroom training: Managing Industrial Networks for Manufacturing with Cisco Technologies (IMINS2)
• Exam: 200-601 IMINS2
• CPwE Design Considerations and Best Practices
• Rockwell France: 20 June, 26 Sept, 12 Dec 2016
CPwE Converged Plantwide Ethernet
Industrial Automation & Control System Convergence
[Diagram: from a Flat and Open IACS Network Infrastructure to a Structured and Hardened IACS Network Infrastructure]
CPwE
Convergence IT/OT
[Reference architecture diagram, summarized by zone]
Enterprise Zone (Levels 4-5) - IT
• Wide Area Network (WAN), Internet, External DMZ/Firewall
• Data Center - Virtualized Servers: ERP - Business Systems; Email, Web Services; Security Services - Active Directory (AD), Identity Services (AAA); Network Services – DNS, DHCP; Call Manager; Identity Services
• Role: Enterprise Security Policies, Collaboration Tools, Unified Wireless, Business Application Optimization
Industrial Demilitarized Zone (IDMZ)
• Plant Firewalls (Active/Standby)
• Physical or Virtualized Servers: Patch Management, AV Server, Application Mirror, Remote Desktop Gateway Server
• Inter-zone traffic segmentation; ACLs, IPS and IDS; VPN Services; Portal and Remote Desktop Services proxy
• Role: Secure Application and Data Share, Inter-zone Segmentation, Access Control, Threat Protection
Industrial Zone (Levels 0–3) - OT
Level 3 - Site Operations (Control Room), Industrial IT
• Core Switches, Distribution Switch Stack, Identity Services
• Physical or Virtualized Servers: FactoryTalk Application Servers and Services Platform; Network & Security Services – DNS, AD, DHCP, Identity Services (AAA); Storage Array; Remote Access Server
• Wireless LAN Controller (WLC), Active/Standby
• Role: Industrial Security Policies, Site Operations, Resiliency, Routing, Network and Security Management
Cell/Area Zones (Levels 0–2) - Lines, Machines, Skids, Equipment (Plant-wide Network)
• Redundant Star Topology - Flex Links Resiliency, with Unified Wireless LAN
• Ring Topology - Resilient Ethernet Protocol (REP), with Unified Wireless LAN
• Linear/Bus/Star Topology, with Autonomous Wireless LAN
• Devices: Rockwell Automation Stratix 5000/8000 Layer 2 Access Switch, Controller, Safety Controller, Safety I/O, I/O, Drive, Servo Drive, Soft Starter, HMI, Instrumentation, Robot, Camera, Phone; wireless via LWAP, AP and WGB on 2.4 GHz and 5 GHz SSIDs
• Role: EtherNet/IP (Industrial Protocol), Real-Time Control and Information, Wired and Wireless LANs (Unified and Autonomous WLAN), Fast Network Resiliency, Traffic Segmentation, Industrial Security Policies, Ease of Use
Industrial Security Trends
Established Industrial Security Standards
• International Society of Automation - ISA/IEC-62443 (Formerly ISA-99): Industrial Automation and Control Systems (IACS) Security; Defense-in-Depth; IDMZ Deployment
• National Institute of Standards and Technology - NIST 800-82: Industrial Control System (ICS) Security; Defense-in-Depth; IDMZ Deployment
• Department of Homeland Security / Idaho National Lab - DHS INL/EXT-06-11478: Control Systems Cyber Security: Defense-in-Depth Strategies; Defense-in-Depth; IDMZ Deployment
Industrial Automation Security
[Diagram of security layers: APPLICATION, PHYSICAL, COMPUTER, NETWORK, DEVICE]
Additional Material
CPwE Architectures - Cisco and Rockwell Automation
Whitepapers
• ENET-WP022B-EN-P - Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
• ENET-WP009A-EN-P - Achieving Secure Remote Access to plant-floor Applications and Data
• ENET-WP031A-EN-P - Design Considerations for Securing Industrial Automation and Control System Networks
• ENET-WP033A-EN-P - Resilient Ethernet Protocol in a Converged Plantwide Ethernet (CPwE) Architecture
• ENET-WP034A-EN-P - Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture
• ENET-WP036A-EN-P - Deploying Network Address Translation within a Converged Plantwide Ethernet Architecture
• ENET-WP037A-EN-P - Deploying Identity Services within a Converged Plantwide Ethernet Architecture
• ENET-WP038A-EN-P - Securely Traversing IACS Data Across the Industrial Demilitarized Zone
• ENET-WP039B-EN-P - A Resilient Converged Plantwide Ethernet Architecture
• ENET-WP040A-EN-P - Migrating Legacy IACS Networks to a Converged Plantwide Ethernet Architecture
Converged Plantwide Ethernet
INDUSTRIAL NETWORK AND SECURITY INFRASTRUCTURE ENABLING THE CONNECTED ENTERPRISE
• Enterprise Zone - Levels 4, 5
• iDMZ - Level 3.5
• Manufacturing zone - Levels 3 to 0
Network & Security Services
Pre-Engineered Solutions
Simplify and Accelerate CPwE Deployment Inclusive of Support
Network Design
Network Design Deliverable Package:
• Functional Requirements
• Bill of Material
• Cable Selection
• Physical Hardware Connectivity
• Access and Distribution Layer Topology
• Physical Layer Drawings
• VLANs
• Addressing schema
• Switch and Network Configuration
• Redundancy
• Remote Access
• Security
Network Implementation
Implementation Package:
• Procurement
• Configuration
• Installation
• Testing
• Start Up
• Transition to Support
Turn Key Projects: Based on RA Design Service
Pre-Engineered Solutions: Industrial Data Center, Industrial De-Militarized Zone, Zone Enclosures, Secure Remote Access
Custom: based on the role you need RA NSS to play (materials, labor, project mgmt)
The Power of Rockwell Automation Partnerships
The Industrial Data Center
Server Consolidation
[Diagram: SERVER CONSOLIDATION and BIG DATA - 2 Exabytes: manufacturing generates more BIG DATA than any other sector]
Industrial Data Centre: Virtualize Servers and Improve Security
The Industrial Data Center
Rockwell Automation leverages Panduit’s Physical Infrastructure for the Industrial Data Center.
Benefits of virtualization through a pre-engineered, scalable infrastructure offering.
Complete turn-key solution including:
• Hardware
• Software
• Factory assembly
• On-site configuration
• Documentation
• TechConnect(SM) support
Model Shown: E3000
Standard pre-engineered industrial solution to simplify deployment, making commissioning and maintenance easier, scalable, and more supportable.
Scalable Remote Support Solutions
Industrial Data Center
Remote Support - One Number to call for support…
RA Tech Support has certified personnel on staff:
• CCNP (Cisco Network Professional)
• CCNA (Cisco Network Associate)
• CCNA Security (Cisco Security)
• CCENT (Entry Network Technician)
• CISSP (Information Systems Security Professional)
• VMware Certified Associate
• VMware Certified Professional
Value: Data Center Remote Monitoring; Data Center Administration
8x5 Support Included (24x7 Support Optional)
Secure Remote Access
Secure Remote Access Solutions
Logical Model – Industrial Automation and Control System (IACS)
[Diagram, summarized by level]
Enterprise Security Zone
• Level 5 - Enterprise Network: E-Mail, Intranet, etc.
• Level 4 - Site Business Planning and Logistics Network
• Firewall
Industrial DMZ
• Virtual Support Engineer - Remote Desktop Gateway; Patch Management; Application Mirror; AV Server; Web Services Operations; Web, E-Mail, CIP Application Server
• Firewall
Industrial Security Zone
• Level 3 - Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, FactoryTalk Client; Remote Monitoring and VSE - Remote Access Client (Remote Access, Monitor and Alarm Mgmt., Process, Maintenance Tools)
• Cell/Area Zone
  – Level 2 - Area Supervisory Control: Operator Interface, FactoryTalk Client, Engineering Workstation
  – Level 1 - Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
  – Level 0 - Process: Sensors, Drives, Actuators, Robots
Converged Multi-discipline Industrial Network
No Direct Traffic Flow between Enterprise and Industrial Zone
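An added example, not code from the presentation or from Rockwell Automation, that turns the principle of the IDMZ slides (no direct flow between the Enterprise Zone and the Industrial Zone, with industrial protocol traffic kept inside the Industrial Zone) into a checker run over a firewall rule set; the subnets, rule format and sample rules are constructed assumptions.

```python
# Added example, not from the Rockwell/Cisco CPwE material: a policy checker for
# the rule that no traffic flows directly between the Enterprise Zone (Levels
# 4-5) and the Industrial Zone (Levels 0-3); flows must terminate in the IDMZ.
import ipaddress

# Assumed zone addressing (constructed placeholders, not a real plant).
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),    # Levels 4-5
    "idmz":       ipaddress.ip_network("10.100.0.0/24"),  # Level 3.5
    "industrial": ipaddress.ip_network("10.200.0.0/16"),  # Levels 0-3
}
# EtherNet/IP (CIP) ports: 44818 explicit messaging, 2222 implicit I/O.
CIP_PORTS = {44818, 2222}

def zone_of(addr):
    """Map an IP address to its CPwE zone name, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def check_rule(rule):
    """Return findings for one firewall rule: dict with src, dst, port, action."""
    if rule["action"] != "permit":
        return []  # a deny rule cannot create a bypass
    src, dst = zone_of(rule["src"]), zone_of(rule["dst"])
    findings = []
    if {src, dst} == {"enterprise", "industrial"}:
        findings.append(f"direct {src}->{dst} flow bypasses the IDMZ")
    # Checker assumption following CPwE: industrial protocol traffic stays in
    # the Industrial Zone, so CIP across any zone boundary is flagged.
    if rule.get("port") in CIP_PORTS and src != dst:
        findings.append("EtherNet/IP (CIP) permitted across a zone boundary")
    return findings

def audit(rules):
    """Return {rule index: findings} for every rule with at least one finding."""
    report = {}
    for idx, rule in enumerate(rules):
        findings = check_rule(rule)
        if findings:
            report[idx] = findings
    return report

# Constructed sample rule set: two compliant hops via the IDMZ Remote Desktop
# Gateway, one direct RDP bypass, one direct CIP flow, and one deny rule.
SAMPLE_RULES = [
    {"src": "10.0.5.20", "dst": "10.100.0.10", "port": 3389, "action": "permit"},
    {"src": "10.100.0.10", "dst": "10.200.1.50", "port": 3389, "action": "permit"},
    {"src": "10.0.5.20", "dst": "10.200.1.50", "port": 3389, "action": "permit"},
    {"src": "10.0.7.9", "dst": "10.200.1.60", "port": 44818, "action": "permit"},
    {"src": "10.0.5.20", "dst": "10.200.1.50", "port": None, "action": "deny"},
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_RULES).items():
        print(f"rule {idx}: {findings}")
```

Running it reports rules 2 and 3 as bypasses of the IDMZ; the two-hop path through the Remote Desktop Gateway (rules 0 and 1) passes.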
Managing Your Production Assets
Cloud based Remote Monitoring Solutions
[Diagram: Automation Systems connect through a Gateway over LAN, Wireless, Cell or Satellite to the Cloud]
• Asset Performance Management
• Manufacturing Intelligence
• Inventories, Consumables, Business KPIs, Transactional Data, Performance Management
• Equipment and Process Behavior and Optimization
Why Rockwell Automation
NSS Network & Security Services
Differentiation
• Converged skill set of operational technology (OT) and information technology (IT)
• Experience across industrial control applications and networks
• Ability to address security risks without sacrificing productivity
• Full life cycle service offering with global delivery capability
• Global Capability
Network & Security Services
• For plant personnel, who need secure industrial infrastructure, NSS is a team of industrial automation and IT experts that assess, implement and support plant-wide network infrastructure.
• Unlike large IT vendors and resellers, we offer a comprehensive and tailored solution that balances both IT requirements and production goals of your company.
Because Infrastructure Matters…
Network & Security Services
Portfolio
Supported World Wide by NSS Professionals
Global Support.
Local Address.
Peace of Mind.
Leading Metals Producer
New Process Network
CHALLENGES
• Existing network architecture was “flat” and previous efforts to expand the “flat” network resulted in availability issues.
• Concern that a security event would proliferate quickly and cause the entire network to be compromised.
SOLUTION
• Designed and deployed a separate Process Network.
• Design included network segmentation per cell.
• Hardware was implemented per cell requirements.
• DMZ created to separate the production network from the business network; however, some legacy systems were left in place to accommodate the need to maintain older Unix systems.
RESULTS
• Implementation of a segregated network isolates high payload data to reduce potential latency issues.
• Increased productivity on the plant floor.
• Single point of accountability enforced via review of auditable events.
• Centralized authentication.
Additional Material
Rockwell Automation
http://rockwellautomation.com/security
Because Infrastructure Matters
www.rockwellautomation.com