Securing Industrial Control Systems · Case Study –Electric Utilities Transmission • Deployed...
Securing Industrial Control Systems
ICS, SCADA, IIoT, Industrial Cloud
Challenges with Legacy OT Cybersecurity Approaches
POOR NETWORK VISIBILITY
INCREASING SURFACES FOR ATTACK
TIGHTENING REGULATIONS
STOPPING ADVANCED THREATS
COMPLEXITY & SCALABILITY OF POINT SOLUTIONS
IT-OT Integration
OT Modernization
OT TRAFFIC?
RISKS?
THREATS?
PALO ALTO NETWORKS PLATFORM
NETWORK SECURITY, ADVANCED ENDPOINT PROTECTION, CLOUD SECURITY
NEXT-GEN SECURITY SERVICES
WildFire, Threat Prevention, URL Filtering, AutoFocus, Logging Service, MineMeld
Magnifier
Platform Benefits for OT
COMPLETE, OT-SPECIFIC VISIBILITY
CYBERSAFE INTEGRATION OF IT-OT
MEET AND EXCEED REGULATORY COMPLIANCE
STOP KNOWN AND UNKNOWN THREATS
HIGHLY SCALABLE, REDUCED TCO
Next-generation Firewall – Unique Architecture
5 | © 2018, Palo Alto Networks. All Rights Reserved.
App-ID: Secure ICS Protocols and Applications
User-ID: Enforce user and user-group controls
Content-ID: Secure content, stop malicious content
• High-performance, low-latency, high-availability architecture
• Native correlation of data
• Unique single pass, parallel processing engine (SP3)
• The only true Next-gen Firewall
Natively Integrated Security Services
• Protect unpatched or un-patchable systems from known threats to ICS (malware, exploits, C2)
• Quickly detect and stop 0-day malware, e.g. the next BlackEnergy, CrashOverride, WannaCry
• Safely enable internet access from OT, e.g. to a vendor support website
• Secure network access for mobile devices in OT, e.g. maintenance laptops, tablet HMIs
Services: Threat Prevention, GlobalProtect, WildFire, URL Filtering
Powerful Network Segmentation with the NGFW and Services
• Maximize visibility over OT traffic
• Reduce the attack surface
• Granular inter-zone policy (L7)
• Secure mobile/internet access as allowed
• Stop known exploits, malware, C2 traffic
• Quickly discover and stop 0-day threats
NGFW as a Security “Conduit” (ISA 62443)
[Diagram: NGFW between Zone 1, Zone 2 and Zone 3]
Platform Security Use Cases for OT
[Diagram: OT reference architecture across levels L0, L1, L2, L3, L3.5 and L4]
Zones shown: Corporate IT Zone, IT-OT DMZ Zone (Jump, Patch, Web), Operator Zone, Historian DEV Zone, Engineering Zone, SCADA Server Zone, Site/Cell Zone (Process-specific), PLC Zone (two)
Other labels: Historian Replica, Engineering WS, HMI, Remote Access
• NGFW as “conduit” for granular segmentation (L7)
• Advanced Threat Prevention with the WF-500 Appliance
• Virtual Patching of OT hosts with Threat Prevention
• Secure Remote access: Jump-box or VPN
• Panorama Central Management
§ Layer 3
§ Layer 2 / VLAN
§ VWIRE “bump-in-the-wire”
App-IDs for Industrial Protocols and Applications
| Protocol / Application | Protocol / Application | Protocol / Application | Protocol / Application | Protocol / Application |
|---|---|---|---|---|
| DNP3 | Modbus | Siemens S7 | Schneider/Wonderware SuiteLink | R-GOOSE |
| IEC 60870-5-104 | CIP EtherNet IP | Siemens FactoryLink | Schneider OaSys | GE-Historian |
| ICCP (IEC 60870-6 / TASE.2) | BACnet | Siemens Profinet IO | Rockwell FactoryTalk | Fanuc-Focas |
| Synchrophasor (IEEE C.37.118) | OPC UA | ABB Network Manager | GE iFIX | Fisher-ROC |
| Elcom 90 | MQTT | Honeywell/Matrikon OPC Tunneller | GE EGD | Cygnet SCADA |
| DLMS / COSEM / IEC 62056 | RTCM (GPS/IP) | OSIsoft PI Systems | | |
• Base App-IDs per above
• Function-level App-IDs: Modbus, DNP3, ICCP, S7, BACnet, IEC 60870-5-104
• Custom App-ID Decoders for ICS: Modbus, ICCP, DNP3
• Online request process for new App-ID
Granular Control over ICS Protocol
MODBUS, DNP3, ICCP, BACnet, S7, IEC “104”
Consistent Network Security Across Your Industrial Enterprise
[Diagram: firewall models mapped to deployment locations]
Models: PA-220, PA-220R, PA-800 SERIES, PA-3200 SERIES, PA-5200 SERIES, PA-7000 SERIES, VM-Series Virtualized NGFW
Deployment locations: Plant Perimeter / ICS Core; SCADA Core / Control Center / PCN / MES; OT Datacenter; Industrial Cloud (AWS, Azure, Google); Harsh Environments
Panorama Network Security Management
CONSISTENT SECURITY FOR INDUSTRIAL DEPLOYMENTS
Prevention of known and unknown threats, including ICS-specific threats
Range of ICS / SCADA App-IDs supported with PAN-OS
Extended operating range for temperature
Certified for industrial use in harsh environments
Fan-less design, no moving parts for higher reliability
High availability and dual DC power supplies for redundancy
PA-220R
Oil & Gas, Water Utilities, Electric Transmission & Distribution, Power Generation, Manufacturing, Transportation
Traps Advanced Endpoint Protection Overview
• Secures endpoints from known and unknown malware and exploits
• Multi-method prevention of malware and exploits in a single endpoint agent
• Light-weight agent uses low CPU resources
• Supports legacy operating systems
• Controls installation of unapproved software
• Facilitates regulatory compliance
Platform Security Use Cases for OT
[Diagram: OT reference architecture across levels L0, L1, L2, L3, L3.5 and L4]
Zones shown: Corporate IT Zone, IT-OT DMZ Zone (Jump, Patch, Web), Operator Zone, Historian DEV Zone, Engineering Zone, SCADA Server Zone, Site/Cell Zone (Process-specific), PLC Zone (two)
Other labels: Historian Replica, Engineering WS, HMI, Remote Access
• NGFW as “conduit” for granular segmentation (L7)
• Advanced Threat Prevention with the WF-500 Appliance
• Virtual Patching of OT hosts with Threat Prevention
• Secure Remote access: Jump-box or VPN
• Panorama Central Management
• Advanced Endpoint Protection for OT hosts
• Endpoint Security Manager
§ Layer 3
§ Layer 2 / VLAN
§ VWIRE “bump-in-the-wire”
Case Study – Electric Utilities Transmission
• Deployed Palo Alto Networks platform
• Next-generation Firewall
  • 2 Control Centers & 17 Substations
  • Threat Prevention and URL filtering services
  • All high-availability
• Threat Intelligence Cloud
  • WildFire services
• Central Management
  • Panorama for 38 distributed appliances
• Customer Value
  • Facilitate NERC CIP Compliance
  • Layer-7 Visibility and Zero-trust segmentation
  • Advanced Threat Prevention
  • Ease-of-use/Consolidation/TCO reduction
15 | © 2015, Palo Alto Networks. Confidential and Proprietary.
Case Studies - Oil & Gas (Full-Platform Deployment)
§ Next-generation Firewalls
  § 114 FWs in PCN core & 40+ plants
  § Native Services: Threat Prevention, URL filtering, WildFire
§ WildFire Service
  § Protection against unknown threats traversing the network
§ Traps Advanced Endpoint Protection
  § Securing high-risk endpoint assets in PCN & plants
  § 200 Windows Server (2003 and newer) and 250 Desktop (XP and newer)
§ Central Management
  § Panorama for Next-generation FWs
  § Traps Endpoint Security Manager
Industrial Cybersecurity Partnerships
Get hands-on with our platform
Security Lifecycle Review (SLR)
• Learn how your control network is being used and what risks may exist
• Summary report provided as part of SLR
• Free, passive, and confidential
ICS Hands-on Workshop
• Hands-on labs for ICS cybersecurity using Palo Alto Networks platform
• Virtualized ICS environment including HMIs and PLCs
Learn more about our ICS solution – Reference Blueprint
§ Free, downloadable whitepaper
§ Overview of our solution for ICS
§ www.paloaltonetworks.com/ics-security-blueprint
Thank You!