Practical Approaches to Securely Integrating Business and Production
Standards
Certification
Education & Training
Publishing
Conferences & Exhibits
Practical Approaches to Securely Integrating Business and Production
Jim Gilsinn
Presenter
• Jim Gilsinn
  – Senior Investigator, Kenexis
  – ISA99, Co-Chair
  – ISA99-WG2, Co-Chair
  – CEH, CISSP
  – ISA/IEC 62443 Expert
  – 25 Years Eng. Experience
  – MSEE
Overview
• Why Integrate Business & Production?
• Things to Consider
• Potential Solutions
• Questions
Why Integrate Business & Production?
• Production to Business
  – Production Data
  – Historical Data
  – Regulatory Requirements
  – Network/Security Monitoring
• Business to Production
  – Remote Maintenance
  – Patch Management
  – File Exchange
  – Configuration Data
Complete isolation is rarely an option
THINGS TO CONSIDER
Things to Consider
• Isolated Zones
• Network Segmentation
• Wireless Integration
• Remote Connections
• Public Infrastructure Integration
• File/Data Transfer
• Monitoring
Isolated Zones
• Are there zones that require network isolation?
• Safety-related systems are a good example
• Set it & forget it!
• May require re-calibration over time
• Can be connected via signal wiring
Network Segmentation
• Firewall vs. Data Diode
  – Is bidirectional communication required?
  – Human interaction vs. automated bi-directional communication
  – “Air-gap” requirement
  – Mixed firewall & data diode
• Multi-legged vs. Dual Firewall
  – Establish DMZ
  – Product diversity
  – IT/OT
Wireless Integration
• Will wireless be used?
• What communication protocols?
• What frequency bands?
• Point-to-point vs. omnidirectional?
• Star vs. mesh topology?
• Bandwidth requirements?
• Tolerance for drop-outs?
• Where to integrate into architecture?
Remote Connections
• Personnel, vendors, contractors, MSSP?
• On-site vs. off-site access?
• Continuous vs. scheduled vs. sporadic connectivity?
• Method of connectivity?
• Single-factor vs. multi-factor authentication?
• Connection points within architecture?
• Types of communication allowed?
Public Infrastructure Integration
• More of an issue with SCADA
• Wired vs. terrestrial wireless vs. satellite
• Dedicated vs. leased-line connections
• Service level agreements for ISP
• Contingencies for backup/secondary communications
File/Data Transfer
• Restricting data flows through zone boundaries
• Direct communications vs. servers in DMZ
• File transfer server vs. removable media
• File transfer through remote management connections
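As an added example that is not part of the presentation, the Python below reviews a zone-boundary rule set against the firewall/data-diode and DMZ points from the Network Segmentation and File/Data Transfer slides. The zone names, the Rule format and the sample rules are assumptions constructed for illustration; the review flags rules that connect business and production directly instead of pivoting on a DMZ server, and rules that treat a one-way data diode as if it returned traffic or carried both directions.

```python
# Added example, not from the presentation: the zone names, the Rule format
# and SAMPLE_RULES below are constructed to illustrate the zone/conduit model.
from dataclasses import dataclass

# Zones ordered from least to most trusted. A conduit may only bridge adjacent
# zones, so business <-> production traffic has to pivot on a server in the DMZ.
ZONES = {"business": 0, "dmz": 1, "production": 2}

@dataclass(frozen=True)
class Rule:
    src: str               # source zone
    dst: str               # destination zone
    service: str           # e.g. "historian-replication"
    boundary: str          # "firewall" (stateful) or "diode" (one-way hardware)
    returns_traffic: bool  # does the flow expect response packets back to src?
def rule_id(rule: Rule) -> str:
    return f"{rule.src}->{rule.dst} {rule.service}"

def review_rule(rule: Rule) -> list[str]:
    """Findings for one rule on its own (an empty list means clean)."""
    findings = []
    if abs(ZONES[rule.src] - ZONES[rule.dst]) > 1:
        findings.append("skips the DMZ: business and production must not talk directly")
    if rule.boundary == "diode" and rule.returns_traffic:
        findings.append("data diode is one-way: this flow cannot receive return traffic")
    return findings

def review_ruleset(rules: list[Rule]) -> dict[str, list[str]]:
    """Per-rule findings plus a cross-rule check: the diode between two zones
    is a single one-way device, so it cannot carry flows in both directions."""
    findings = {rule_id(r): review_rule(r) for r in rules}
    diode_dirs = {}  # zone pair -> set of directions routed over its diode
    for r in rules:
        if r.boundary == "diode":
            diode_dirs.setdefault(frozenset((r.src, r.dst)), set()).add((r.src, r.dst))
    for r in rules:
        if r.boundary == "diode" and len(diode_dirs[frozenset((r.src, r.dst))]) > 1:
            findings[rule_id(r)].append("both directions over one diode: use a firewall or a second diode")
    return findings

# Constructed sample: the last two rules break the model (direct business ->
# production, and a two-way diode, which also drags the first rule in).
SAMPLE_RULES = [
    Rule("production", "dmz", "historian-replication", "diode", False),
    Rule("dmz", "business", "historian-replication", "firewall", True),
    Rule("business", "dmz", "file-transfer", "firewall", True),
    Rule("dmz", "production", "patch-management", "firewall", True),
    Rule("business", "production", "remote-maintenance", "firewall", True),
    Rule("dmz", "production", "patch-push", "diode", True),
]
```

Running `review_ruleset(SAMPLE_RULES)` returns an empty finding list for the three DMZ-pivoted firewall rules and non-empty lists for the others, which is the shape a change-control check on a conduit definition would consume.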
Monitoring
• Malware checking
• Ingress/egress filtering
• Continuous monitoring vs. human interaction
• Push vs. pull of monitoring data
• Legacy equipment
• HIDS/NIDS
• Non-networked equipment
People Will Get Things Done
• One way or another, people will get their job done
• Security can’t be seen as an impediment to that
• Provide methods that work easily, but are more secure
POTENTIAL SOLUTIONS
Engineering User
File Transfer
Administrator User – Patch Management
Remote Maintenance
Historian Replication
Domain Controllers
Web Access – License Activation Server
SUMMARY
Summary
• There are benefits to connecting business and production networks
• There are a variety of things that need to be considered when connecting business and production networks
• There are practical solutions for security
Questions
Thank You for Attending!
Enjoy the rest of the conference.