Industrial Cybersecurity: The Never-Ending Journey...CPwE Architectures - Industrial Network...

Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. PUBLIC

Transcript of Industrial Cybersecurity: The Never-Ending Journey...CPwE Architectures - Industrial Network...

Page 1:

Copyright © 2015 Rockwell Automation, Inc. All rights reserved.

Industrial Cybersecurity: The Never-Ending Journey

Abid Ali

RAOTM, 22nd January 2019

Page 2:

IT/OT Convergence - the Opportunity

“Smart Manufacturing & the Internet of Things can foster tremendous business outcomes.” Source: survey of 418 manufacturing line-of-business executives & plant managers by SCM World & Cisco,

A robust and secure OT network infrastructure is key to “Smart Manufacturing”.

Page 3:

It’s not IF... but WHEN

IT/OT Convergence - the Risk

Page 4:

IT and OT – The Same, but Different

IT FOCUS | OT FOCUS
Priority: Confidentiality #1 | Availability #1
Traffic: Data, Voice & Video | Data, Control Information, Safety & Motion
Security: Strict network authentication & access policies | Strict physical access & simple network device access
Access: Shut down access to detected threats | Isolate threat & keep working

Different Focus & Priorities - Different Performance & Security Requirements - Different Architectures & Support Models


Page 5:

Established Industrial Security Standards / Industrial Security Trends

- International Society of Automation: ISA/IEC-62443 (formerly ISA-99), Industrial Automation and Control Systems (IACS) Security. Trends: Defense-in-Depth, IDMZ deployment.
- National Institute of Standards and Technology: NIST 800-82, Industrial Control System (ICS) Security. Trends: Defense-in-Depth, IDMZ deployment.
- Department of Homeland Security / Idaho National Lab: DHS INL/EXT-06-11478, Control Systems Cyber Security: Defense-in-Depth Strategies. Trends: Defense-in-Depth, IDMZ deployment.

Page 6:

Industrial IT - OT/IT Convergence: Converged Plantwide Ethernet (CPwE)

- Tested, validated and documented reference architectures
  - Based on use cases, both customer and application
  - Tested for performance, availability, repeatability, scalability and security
  - Comprised of nine (9) Cisco Validated Designs
- Built on technology and industry standards; “future-ready” network design
- Content relevant to both IT network engineers and control system engineers
- Deliverables
  - Recommendations, best practices, design and implementation guidance, documented test results and configuration settings
  - Simplified design, quicker deployment, reduced risk in deploying new technology
- Enabler for OT/IT convergence, Industrial IoT and The Connected Enterprise

“With this implementation guide, for the first time IT and manufacturing professionals can share a common document for planning a converged IP network including the factory floor and automation equipment.”

– Harry Forbes, ARC Advisory Group

Page 7:

Holistic Defense-in-Depth: CPwE Architectures - Industrial Network Security Framework

[Diagram: the CPwE logical architecture, top to bottom.]
- Enterprise Zone (Levels 4-5): Enterprise, Identity Services, External DMZ/Firewall, Internet.
- Industrial Demilitarized Zone (IDMZ): between the Enterprise Zone and the Industrial Zone.
- Industrial Zone (Levels 0-3), with Authentication, Authorization and Accounting (AAA):
  - Level 3, Site Operations: physical or virtualized servers (patch management, AV server, application mirror, remote desktop gateway server), FactoryTalk; core switches, distribution switch stack, Wireless LAN Controller (WLC) active/standby.
  - Level 2, Area Supervisory Control: FactoryTalk Client; LWAP with 2.4 GHz and 5 GHz SSIDs, WGB.
  - Level 1, Controller, and Level 0, Process: controllers, drives, soft starters, MCC, I/O.
- Responsibility labels on the diagram: Control System Engineers; Control System Engineers in collaboration with IT Network Engineers (Industrial IT); IT Security Architects in collaboration with Control Systems Engineers.

Page 8:

Example: Industrial Cyber Risk Equation

- Vulnerability: lack of skilled resources; out-of-date infrastructure
- Threats: wiper/ransomware; spillover from nation-state campaigns
- Consequence (impact to): human health & safety; product quality; environmental; unplanned production loss

Countermeasures must add capabilities to defend the manufacturing digital environment across the Attack Continuum.

Page 9:

Industrial Cyber Security Services: Attack Continuum

Page 10:

Security Roadmap Step 1: What do I have?

Industrial Cyber Security Services:
- Backup Management
- Qualified Patch Management
- Vulnerability and Risk Assessments
- Application Whitelisting Deployment
- Real-Time Threat Detection Services
- ICS Security Zone and IDMZ Segmentation
- FactoryTalk Security Implementation Services
- Remote Monitoring and Administration Services
- Network Access Control Deployment
- Incident Response and Disaster Recovery Planning Services
- Incident Handling and Response*
- Cyber Security Awareness Training
- Asset Inventory Services
- Policy & Procedure Development

Page 11:

Security Roadmap Step 2: Implement Basic Hygiene


Page 12:

Security Roadmap Step 3: Persistent Countermeasures


Page 13:

Addressed Throughout the Journey: People and Policy


Page 14:

Industrial Cyber Security Services (powered by [partner logo]):
- Asset Inventory through Passive Network Analysis
- Auto Baseline Development and Behavioral Anomaly Detection
- Security and Operational Event Monitoring and Response

Page 15:

Threat Detection Services (powered by [partner logo])

Deployment: individually managed site appliance (OT assets); centrally managed services (IT assets).

Capabilities

Asset Monitoring:
- Comprehensive asset inventorying
- Passive network monitoring
- Vendor- and protocol-agnostic
- Fine-grained DPI model
- Continuous monitoring without interrupting production
- Single solution for many ICS vendors
- Collect information on how assets are configured, communicate and change
- Discover issues with full visibility of ICS networks

Security and Operational Monitoring:
- Behavioral anomaly detection
- Real-time change detection
- Alert on operational and security events
- Incident response services

Benefits
- Validate operational tasks to reduce risk and maintain process integrity
- Near real-time detection of cyber threats (Conficker, WannaCry, etc.)
- Recover from security incidents with highly trained professionals
- Reduce risk of downtime with 24x7 response

Page 16:

Threat detection service lifecycle

Plan, Design, and Implement
- Review infrastructure and documentation
- Definition of asset criticality
- Appliance implementation
- Review and sterilization of baseline results for immediate remediation

Manage, Monitor and Detect
- Individually managed site appliance covering OT assets; IT assets covered alongside
- Deep Packet Inspection (DPI) on IT and OT data streams
- Alerts & events delivered to a Managed Service Provider with OT knowledge and/or centralized self-management (IT SOC)

Respond, Recover
- Response and recovery plan development and review
- Containment, eradication, and recovery workflows
- Characterize and scope potential impact
- Set course of action and incident reporting
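A minimal version of the passive baseline-and-detect loop described on these slides (learn an asset inventory and per-conversation baseline from DPI output, then alert on deviations and classify them as security or operational events), as an added example that is not Rockwell Automation's or Claroty's code. The flow-record schema, the port-to-protocol map and the addresses are assumptions constructed for the example.

```python
"""Passive ICS baseline and behavioral anomaly detection over constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass, field

# Well-known ports -> protocol labels (assumed mapping for this example only).
PROTOCOLS = {44818: "ENIP/CIP", 2222: "CIP-IO", 502: "Modbus/TCP",
             445: "SMB", 3389: "RDP", 22: "SSH"}
# Operations that change controller state or logic; a new one is security-relevant.
CHANGE_OPS = {"write", "program_download", "firmware_update", "mode_change"}


@dataclass(frozen=True)
class Flow:
    """One DPI-decoded flow record (assumed schema)."""
    ts: int
    src: str
    dst: str
    dport: int
    op: str  # e.g. "read", "write", "program_download", "io"


@dataclass
class Baseline:
    assets: dict = field(default_factory=dict)  # ip -> set of protocols seen
    ops: dict = field(default_factory=lambda: defaultdict(set))  # (src, dst, proto) -> ops


def proto_of(dport):
    return PROTOCOLS.get(dport, f"tcp/{dport}")


def learn_baseline(flows):
    """Build the asset inventory and conversation/operation baseline from a learning period."""
    b = Baseline()
    for f in flows:
        p = proto_of(f.dport)
        b.assets.setdefault(f.src, set()).add(p)
        b.assets.setdefault(f.dst, set()).add(p)
        b.ops[(f.src, f.dst, p)].add(f.op)
    return b


def detect(baseline, flows):
    """Return (ts, category, kind, detail) alerts. The baseline itself is never
    auto-updated: a deviation is reviewed before it is accepted as normal."""
    alerts = []
    seen_assets = set(baseline.assets)
    seen_convs = set(baseline.ops)
    seen_ops = {(k, op) for k, ops in baseline.ops.items() for op in ops}
    for f in flows:
        p = proto_of(f.dport)
        key = (f.src, f.dst, p)
        for ip in (f.src, f.dst):
            if ip not in seen_assets:  # asset inventory change
                seen_assets.add(ip)
                alerts.append((f.ts, "security", "NEW_ASSET", f"{ip} not in inventory"))
        if key not in seen_convs:  # conversation never seen in the baseline
            seen_convs.add(key)
            seen_ops.add((key, f.op))
            cat = "security" if f.src not in baseline.assets else "operational"
            alerts.append((f.ts, cat, "NEW_CONVERSATION", f"{f.src} -> {f.dst} {p} ({f.op})"))
        elif (key, f.op) not in seen_ops:  # known pair, new operation (change detection)
            seen_ops.add((key, f.op))
            cat = "security" if f.op in CHANGE_OPS else "operational"
            alerts.append((f.ts, cat, "NEW_OPERATION", f"{f.src} -> {f.dst} {p} {f.op}"))
    return alerts


# Constructed learning-period traffic for a small compressor cell:
# HMI 10.1.3.10, EWS 10.1.3.20, PLC A 10.1.1.11, PLC B 10.1.1.12 (invented addresses).
LEARNING = [
    Flow(100, "10.1.3.10", "10.1.1.11", 44818, "read"),
    Flow(101, "10.1.3.10", "10.1.1.12", 44818, "read"),
    Flow(102, "10.1.3.20", "10.1.1.11", 44818, "read"),
    Flow(103, "10.1.3.20", "10.1.1.11", 44818, "write"),
    Flow(104, "10.1.1.11", "10.1.1.12", 2222, "io"),
    Flow(105, "10.1.3.20", "10.1.1.12", 44818, "read"),
]
# Constructed monitoring-period traffic with deviations a defender would want flagged.
MONITORED = [
    Flow(200, "10.1.3.10", "10.1.1.11", 44818, "read"),              # normal
    Flow(201, "10.1.3.99", "10.1.1.11", 44818, "read"),              # unknown host polls PLC A
    Flow(202, "10.1.3.20", "10.1.1.12", 44818, "program_download"),  # EWS loads logic to PLC B
    Flow(203, "10.1.3.99", "10.1.1.11", 445, "session_setup"),       # unknown host, SMB to PLC A
    Flow(204, "10.1.3.10", "10.1.1.11", 44818, "write"),             # HMI writes; only read before
    Flow(205, "10.1.3.10", "10.1.1.11", 44818, "read"),              # normal
    Flow(206, "10.1.3.20", "10.1.3.10", 3389, "session"),            # known hosts, new RDP pair
]


def run_example():
    return detect(learn_baseline(LEARNING), MONITORED)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```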

Page 17:

Architecture Options: Central Office Architecture
- The Industrial DMZ separates IT and OT networks.
- The data across separate sites is collected at the central appliance.

[Diagram: Level 4, Corporate LAN: IT core switch and firewall, proxy services, IT SOC and the Enterprise Central Appliance, with the Rockwell Automation Managed Anomaly Detection Ops Center. Level 3.5, Industrial DMZ: IDMZ firewalls. Levels 0-3, Cell/Area Zone and Site Operations: each site (Large Compressor Control System, Small Compressor Control System) has an OT core switch and a Managed Anomaly Detection central appliance for the site OT network. Traffic flows shown: SPAN traffic into the site appliances; encrypted (SSH) alert traffic up to the central appliance.]

Page 18:

Architecture Options: Small Site with compute available on-site
- The site appliance forwards alerts to the Central Appliance.

[Diagram: Compressor Control System (PLC A, PLC B, PLC C, HMI, EWS) at Levels 0-3, Site Operations, connected through access switches configured with SPAN; Level 3, OT Network, with a core switch and firewall configured with SPAN, the ClarOTy appliance and dashboard acting as the Managed Anomaly Detection central appliance for the site OT network, and an OT network workstation; alerts go to Rockwell Automation Central Management and/or the Enterprise Central Appliance. Traffic flows shown: SPAN traffic; encrypted (SSH) alert traffic.]

Page 19:

Architecture Options: Small Site without on-site compute
- The site switch sends SPAN traffic to the Central Appliance.
- Depending on architecture and size of these sites, “brick” style compute can be deployed.

[Diagram: Compressor Control System (PLC A, PLC B, PLC C, HMI, EWS) at Levels 0-2, Site Operations, with access switches configured with SPAN; Level 3, OT Network, with a core switch and firewall configured with SPAN and an OT network workstation; SPAN traffic is forwarded to the Managed Anomaly Detection central appliance for the local OT network; encrypted (SSH) alert traffic goes to Rockwell Automation Central Management and/or the Enterprise Central Appliance.]

Page 20:

Industrial Cyber Security Services Portfolio

Rockwell Automation offers the following services to help our customers improve their security posture and reduce cyber risk within their Industrial Control System (ICS) environment:

- Qualified Patch Management Services: provide Rockwell Automation tested and approved anti-virus definitions and Microsoft Windows patch lists to your on-site WSUS responsible for managing patches of your ICS software systems (FactoryTalk software). This ensures a timely and disciplined approach to addressing OS-related vulnerabilities. (Additional management options available.)
- Security Assessment: understand the risk posture of your ICS environment to identify areas of improvement against established ICS cyber security standards such as ISA/IEC 62443, NIST 800-82 and NIST CSF.
- Security Control Implementations: provide turnkey implementation of security controls that help address gaps/risks identified in specific areas such as zone-based segmentation, device hardening and application whitelisting (Symantec CSP), threat/anomaly detection (Claroty), and network access control (Cisco ISE).
- Network Assessments: including an onsite visit to collect data, identify issues, and analyze the gap against industry best practices to ensure your infrastructure meets the availability requirements of your control systems.
- Network Design and Implementation: provide a turnkey network infrastructure which is scalable, resilient and future-ready, based on industry best practices such as CPwE (Converged Plantwide Ethernet).
- IDMZ Design and Implementation: secure the data flow between enterprise systems and plant systems, plus optionally set up secure remote access for OEMs and vendors.
- FactoryTalk Security: consulting on how to best utilize the security features available through Rockwell Automation products.
- Anomaly and Threat Detection Services: provide visibility into control systems, protocols and networks, with real-time monitoring and analytics to detect anomalies and threats that may impact the security and operational integrity of your ICS.
- TechConnect: knowledgebase email alerts on Rockwell Automation product security, with access to the latest software and firmware updates.
- Remote Monitoring / Administration: converged IT/OT monitoring and administration support of infrastructure, end nodes and industrial applications throughout their lifecycle.
- Incident Response: we partner with top security firms to help customers respond to incidents in the event of a breach.
- Training: we offer IMINS and IMINS 2 training to prepare for Industrial Networking and Security certification.

Page 21:

www.rockwellautomation.com

PUBLIC

Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved.

Thank You. Please let us know your queries.