Connected Mine Ecosystem · • Network Design – Core, Distribution and access layers •...

Week 4 – Industrial Security
Connected Mine Ecosystem
Hosts: Roland Plett (Cisco) & Neal Pinto (Westburne)
Guests: Jeff Brown (Westburne) & Mike Wooten (Cisco)
April 28 & 30, 2020


© 2019 Cisco and/or its affiliates. All rights reserved.

Welcome!


The Series…

Week 1
The Connected Mine Site
Outdoor Industrial Wireless
Presenters: Ian Procyk (Cisco), Grenn Holden (3D-P)
Tuesday, April 7th – 12:00PM EDT (9:00AM PDT)
Thursday, April 9th – 4:00PM EDT (1:00PM PDT)

Week 2
The Connected Mine Site
Mine Network Operation
Presenters: Ian Procyk (Cisco), Indy Kar (FTP Solutions)
Tuesday, April 14th – 12:00PM EDT (9:00AM PDT)
Thursday, April 16th – 4:00PM EDT (1:00PM PDT)


Week 3
The Connected Plant for the Mining Industry
Industrial Networking
Presenters: Jeff Brown (Westburne), Kevin Turek (Cisco)
Tuesday April 21st – 12:00PM EDT (9:00AM PDT)
Thursday, April 23rd – 4:00PM EDT (1:00PM PDT)

Week 4
The Connected Plant for the Mining Industry
Industrial Security
Presenters: Jeff Brown (Westburne), Mike Wooten (Cisco)
Tuesday April 28th – 12:00PM EDT (9:00AM PDT)
Thursday, April 30th – 4:00PM EDT (1:00PM PDT)


Housekeeping…

WebEx Teams Room

WebEx Event Center Review

Questions & Answers


Industrial Network for a Connected Mine

Jeff Brown, Connected Solutions Manager


Design for Security


What’s Driving This?

SAFETY!!

• Risk management policies and overall tolerance to risk
• Business practices
• Corporate/local standards
• Application requirements
• Applicable industry standards – e.g. NERC CIP
• Government regulations and compliance
• Alignment with industrial safety standards such as IEC 61508 – SIL3 and EN 954-1 – Cat 4
• Enterprise and industrial safety and security policies and procedures – access control
• Network ownership policies
• Alignment with industrial security standards such as IEC-62443 (formerly ISA 99), NIST 800-82 and ICS-CERT
• Network capabilities (segmentation into domains of trust)


Source: Industrial Control Systems 2017 Report: Connected and Vulnerable, Positive Technologies

Control System Vulnerabilities Types 2017


Source: Industrial Control Systems 2017 Report: Connected and Vulnerable, Positive Technologies

Control System Internet Accessibility 2017


Source: Dragos - Adversaries

Real-world Threats to Industrial Systems


Security Lifecycle


Cyber Defense Matrix

Credit: Sounil Yu RSA conference 2016


Cyber Defense Matrix: Left and Right of “Boom”


Cyber Defense Matrix, Case: Define Security Design Patterns


Cyber Defense Matrix, Case: Balancing the Portfolio


Network Security Framework: Industrial Demilitarized Zone

[Figure: Logical Model – Industrial Control System (ICS), Converged Multi-discipline Industrial Network]

Zones: Enterprise Security Zone, Industrial DMZ, Industrial Security Zone, Cell/Area Zone

Levels:
Level 5 – Enterprise Network
Level 4 – Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
Level 3 – Site Operations and Control
Level 2 – Area Supervisory Control
Level 1 – Basic Control
Level 0 – Process

Industrial DMZ labels: Firewall, Firewall, Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server

Other component labels: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server, FactoryTalk Client, Operator Interface, Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control, Sensors, Drives, Actuators, Robots

Traffic labels: Web, E-Mail, CIP

No Direct Traffic Flow between Enterprise and Industrial Zone


Segmentation: Islands of Automation with Isolated LANs

[Figure labels: Controller, HMI, I/O, VFD Drive, Servo Drive, Instrumentation, Sneakernet, Industrial Internet of Things (IIoT)]


Segmentation: Multiple Network Interface Cards (NICs)

Isolated networks - two NICs for physical network segmentation
Benefits
• Clear network ownership demarcation line
Challenges
• Limited visibility to control network devices for asset management
• Limited future-ready capability
• Smaller PACs may not support

Converged networks - logical segmentation - two NICs for scalability, performance, capacity and flexibility
Benefits
• Plant-wide information sharing for data collection and asset management
• Future-ready
Challenges
• Blurred network ownership demarcation line

[Figure labels: Converged Network; Layer 2 Network, Segmented (using VLANs); VLAN 102; VLAN 103; Layer 2 Network; Layer 3 Network; Control Network, Levels 0-2; Plant Network, Level 3]


Segmentation: Switch Hierarchy, Virtual LANs (VLANs)

• Multi-Layer Switch
• Layer 2 VLAN Trunking
• Layer 3 Inter-VLAN routing

Legend:
VLAN 42 – Scanners/Cameras
VLAN 102 – EtherNet/IP Device
VLAN 10 – VoIP

[Figure labels: Layer 3 Switch; two Layer 2 Networks with Multiple VLANs, each with a Stratix Layer 2 Switch, Drive, Controller and HMI]


Segmentation: Switch Hierarchy, Virtual LANs (VLANs)

Layer 2: Large Flat LAN, Larger Layer 2 Broadcast Domain
Plant-wide IACS: VLAN 40, IP Subnet 172.16.40.0/24
[Figure labels: Ring; Plant-wide IACS; Machine #1 (OEM #1); Machine #2 (OEM #2); EWS; OWS]

Layer 3: Small Connected LANs, Smaller Layer 2 Broadcast Domains
Machine #1 (OEM #1): VLAN 20, IP Subnet 10.20.20.0/24; VLAN 10, IP Subnet 10.10.10.0/24
Machine #2 (OEM #2): VLAN 30, IP Subnet 192.168.30.0/24; VLAN 5, IP Subnet 192.168.1.0/24
Plant-wide IACS: VLAN 40, IP Subnet 172.16.40.0/24
[Figure labels: VLAN10 Ring; VLAN20; VLAN30; VLAN5; Plant-wide IACS; Machine #1 (OEM #1); Machine #2 (OEM #2); EWS; OWS]


Structure and Hierarchy

[Figure: Cell/Area Zones, Levels 0–2]

Cell/Area Zone #1: Redundant Star Topology, Flex Links Resiliency
Cell/Area Zone #2: Ring Topology, Resilient Ethernet Protocol (REP)
Cell/Area Zone #3: Bus/Star Topology

Network labels: Layer 3 Distribution Switch, Layer 2 Access Switch, Switch Stack, Media & Connectors, Layer 3 Building Block, Layer 2 Building Block

Device labels: Level 2 HMI, Level 1 Controller, Level 0 Drive, Safety Controller, Safety I/O, I/O, Instrumentation, Servo Drive, Soft Starter, MCC, Camera, Phone


What Can You Do Now to Mitigate Risk?

Practice these 8 Simple, Actionable Steps to enhance industrial reliability and security

1. Control who has network access
2. Employ firewalls and intrusion detection/prevention
3. Use Anti Virus Protection and patch your system (When Possible)
4. Manage & protect your passwords
5. Turn the processor key(s) to the Run Mode and remove key
6. Utilize features embedded in the ICS
7. Develop a process to manage removable media
8. Block access ports (example: key connectors)


Westburne

• Network Design – Core, Distribution and access layers
• Wireless Surveys and Design (WAP’s)
• NGFW Implementation
• IDMZ Design
• Patch Panels
• Cabling – Bulk, Patch cords, fiber
• POE Lighting
• Servers and PC’s
• Industrial Hazardous location, temperature resistant PC’s and Tablets
• Hardware specification


Intermission…

Questions & Answers

Prizes!


OT Asset Visibility and Risk

Mike Wooten, IoT Solution Architect


Lack of visibility is a problem in ICS environments

[Figure labels: Utilities; RTU, Relay, Meter, Volt/Var, IED, Controller]

• Most customers don’t have an accurate asset inventory
• 55% have no or low confidence that they know all devices in their network
• They are blind to what their assets are communicating with
• Myriad industrial protocols supported by a diverse set of suppliers

You can’t secure what you can’t see


Two Worlds Converging

Security is the Top Driver


Challenges of securing industrial networks

Skills Shortage: How to streamline OT cybersecurity tasks with existing OT and IT staff?

Growing Threats: 53% of industrial companies have already suffered cyber attacks. Are you ready?

Compliance: Must comply with new regulatory constraints (NERC CIP, EU-NIS…) and show shareholders that risks are under control

Agility: Converging OT & IT securely to capture the benefits of industry digitization

Source: IBM report 2017


Cisco Cyber Vision: Security that scales with your network infrastructure

Network-Sensors (Deep Packet Inspection built into network elements, eliminating the need for SPAN): IE 3400 Switch, IE 3400 Heavy Duty, IR 1101 Gateway, Catalyst 9000 Series Switch

Hardware-Sensor (SPAN based to support brownfield): IC3000 Industrial Compute

Cyber Vision Center (Centralized Analytics)
• Operational Insights for OT
• Threat Detection for IT

[Figure label: Application Flow]


Cisco Cyber Vision: Visibility built into your network infrastructure

Cyber Vision Sensors embedded into industrial network equipment
• No additional hardware needed
• No need for an out-of-band monitoring network
• No impact on performance

Reduce TCO by eliminating the need to invest in an ever-growing SPAN collection network

[Figure labels: ICS network; Sensors; Application-Flow Lightweight Metadata; Cyber Vision Center]


Cisco Cyber Vision: Asset Inventory & Security Platform for the Industrial IoT

ICS Visibility
• Asset Inventory
• Communication Patterns
• Device Vulnerability

Operational Insights
• Identify configuration changes
• Record control system events relevant to the integrity of the system

Threat Detection
• Behavioral Anomaly Detection
• Signature based IDS
• Real-time alerting

Cisco Cyber Vision helps companies protect their industrial control systems against cyber risks


Gain Visibility and Operational Insights

• Comprehensive asset inventory
• Dynamic communication map
• Track variable changes
• Detect changes in the control system

[Figure labels: Network-Sensors (Built in Deep Packet Inspection); Application Flow; Cyber Vision Center (Centralized analytics)]


Cyber Vision Tags to Drive Data Analysis

Cyber Vision Universal OT Language

• Messages exchanged between assets are translated to Tags any user can understand
• Asset characteristics are shown as Tags
• A common language, whatever the vendor reference
• Users do not need to be protocol experts to understand what is going on

150+ tags available


Cyber Vision Threat Detection: Holistic Threat Detection Techniques

Vulnerabilities: Cyber Vision Vulnerability Detection. Patch Vulnerabilities Before They Are Exploited
Intrusion: Cyber Vision Intrusion Detection System. Detect Malicious Intrusions From IT Domain
Control System Modifications: Cyber Vision Intrusion Detection System. Detect Attempts to Scan & Modify OT Assets
C2 Callback: Cyber Vision Behavioral Analytics. Detect Attempts to Communicate With Attacker


Cyber Vision understands ICS protocols you use

Cisco’s Deep Packet Inspection understands all process information even when using proprietary protocols


Cyber Vision architecture

Cisco components

Industrial DMZ
• Access control lists (ACLs)
• Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
• VPN services
• Portal and remote desktop services
• Application and data mirrors

Industrial zone
• AAA identity services
• Network management
• Asset inventory
• Anomaly detection
• Plant-wide services
• Traffic enforcement (plant to IDMZ, north/south)

Area zone
• Traffic Enforcement (Cell to Cell, East/West)
• QoS Prioritization
• SXP
• Netflow

Inter-cell (ISA3000)
• Industrial deep packet inspection (DPI)
• Stateful firewall and intrusion prevention (IPS)
• Hardware bypass

Cell zone
• PoE/PoE+
• Layer 2 NAT
• 802.1X
• MAC Authentication Bypass (MAB)
• Quality of Service marking
• Netflow (IE3x00 and IE4000 only)
• TrustSec tagging (IE3x00 and IE4000 only)
• Edge compute (IE3x00 only)

[Figure: Cyber Vision architecture. Zone labels: Enterprise Zone (Purdue level 4-5), DMZ, Industrial Zone (Purdue level 3), Area Zone (Purdue level 2), Cell Zone (Purdue level 0-1). Component labels: IT network, IT core, Cisco NGFW and IPS solutions, Industrial core, Cyber Vision Center, ISA3000, IE3x00, IC3000 (SPAN/RSPAN), Sensors, HISTORIAN, MES, SCADA/HMI, PLC/RTU/IED, SIS. Cyber Vision Center interface labels: User Access, RESTful API (HTTPS), SIEM (Syslog), ISE/DNA-C (PxGrid).]


Cisco Security for Industrial IoT

A fully integrated IT-OT security solution
Working together to define & apply IoT security policies

• Cisco ISE: Access Control
• Cisco Firepower: Traffic Filtering
• Cisco Stealthwatch: Network Flow Analysis
• Cisco DNA-C: Network Management
• Cyber Vision Center: Operational Insights, Threat Detection

[Figure labels: VISIBILITY; CONTEXT]

Cyber Vision Sensors: Deep Packet Inspection built into your Cisco industrial network
• Industrial Routing
• Industrial Wi-Fi
• Industrial Switching
• IoT Gateways
• Compute


Thank you!!

Questions & Answers

Prizes
