CyberSecurity for the Industry 4.0 Andrea Bonomi Enzo M Tieghi
The Internet of Things is already here. What now?
Who is Endian?
Founded in Bolzano in 2003 by a team of network experts and Linux enthusiasts. The result of that collaboration was the creation of sophisticated UTM solutions based on Open Source technology. Since 2011 Endian has been developing solutions dedicated to the Industrial Internet of Things. More than 4,000 companies in over 50 countries have chosen Endian products.
Offices: Endian US - Houston; Endian - Bolzano and Milan; Endian Germany - Munich; Endian Japan - Tokyo; Endian - Turkey
Who is ServiTecno?
Founded in Milan in 1979. Since 1985 it has distributed and supported GE Intelligent Platforms products for the development of industrial applications: HMI/SCADA, supervision, monitoring and Plant Intelligence on plant data. Active in the industrial sectors (pharmaceutical, food, chemical, cement, glass, metals, oil & gas, etc.), utilities (water, gas, remote control, transport, energy), building management, etc. www.servitecno.it
Internet of Things (IoT): numbers and trends
By 2020:
4 Billion Connected People
$4 Trillion Revenue Opportunity
25+ Million Apps
25+ Billion Embedded and Intelligent Systems
50 Trillion GBs of Data
Only 1,000 working days remain before the
The Internet is the medium that meets one need: COMMUNICATING. So we need to make objects (sensors, machines, plants, M2M, devices, ...) able to TALK. Let us focus on the Industrial Internet of Things, that is, the Internet of Important Things.
Internet of Things: everything and everyone is connected
There are many protocols and standards for making devices communicate with each other.
BUT there is no standard for IoT security.
IN FACT, we have: a large number of devices, a low level of device protection, heterogeneity, ...
This leads to limitations in the rules and to differing security policies.
IoT: everything and everyone is connected
For example (who doesn't know Suki?)
Plant network (continuous process): remote access for maintenance
Protected connections: VPN, IPsec, OpenVPN
Example of a plant network (batch production)
Zones & Conduits (ISA99/IEC62443)
Example of a security architecture in automation and control systems
[Figure: zone diagram showing the Enterprise Control Network, Manufacturing Operations Network, Perimeter Control Network, Control System Network and Process Control Network. Source: Byres Security]
According to the Siemens documentation, a high security site is separated into at least five networks and four security zones as follows:
The Enterprise Control Network (pink) zone is the corporate network. It hosts the business users and corporate accounting and planning systems. Security of this zone is typically managed by the corporate IT group.

The Manufacturing Operations Network (yellow) zone hosts the SIMATIC IT servers that exchange information between the control system and applications on the Enterprise Control Network (such as an Enterprise Resource Planning (ERP) system).

The Perimeter Network (brown) zone hosts servers that manage equipment in the control system, as well as servers that provide information to end users on the Enterprise Control Network. This is a common location for servers responsible for providing software patches and updates, including Windows security updates and anti-virus updates. Many of the servers within this zone provide information to end users via web servers and web services. People sometimes refer to this zone as a demilitarized zone or DMZ.

The final security zone hosts two networks: the green Process Control Network and the blue Control System Network. The Process Control Network hosts the 24x7 plant operators on their Human Machine Interface (HMI) workstations. It also connects to the WinCC/PCS 7 control system servers. The Control System Network connects to the Programmable Logic Controllers (PLCs). It also connects directly to the WinCC/PCS 7 control system servers.

Source: How Stuxnet Spreads, Byres Security Inc., 2011
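The zone layout quoted above is useful as a checkable policy rather than only as a diagram. The following is an added example (not Endian's, Siemens' or Byres' code) that maps the five networks onto their four zones and evaluates whether a flow may cross a zone boundary; the conduit table (which services each pair of neighbouring zones may exchange) and the sample flows are assumptions constructed for the illustration, since the slides give no conduit rules.

```python
"""Zones-and-conduits policy check (added example; not Endian's or Siemens' code).

Models the five networks and four security zones described above and
answers whether a given flow may cross a zone boundary. The conduit table
is an assumption made for illustration: a real site derives it from its
own risk assessment under ISA99/IEC 62443.
"""
from __future__ import annotations

from dataclasses import dataclass

# Network -> security zone. The Process Control Network and the Control
# System Network share the final zone, as in the Siemens layout.
NETWORK_ZONE = {
    "Enterprise Control Network": "enterprise",
    "Manufacturing Operations Network": "operations",
    "Perimeter Network": "perimeter",
    "Process Control Network": "control",
    "Control System Network": "control",
}

# Assumed conduits: (source zone, destination zone) -> permitted services.
# Only neighbouring zones are joined, so enterprise users reach the
# controllers' data only through the operations and perimeter servers.
CONDUITS = {
    ("enterprise", "operations"): {"https"},
    ("operations", "perimeter"): {"https", "opc-ua"},
    ("perimeter", "control"): {"wsus", "av-update", "opc-ua"},
    ("control", "perimeter"): {"opc-ua"},
}


@dataclass(frozen=True)
class Flow:
    src_network: str
    dst_network: str
    service: str


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (permitted, reason) for one flow.

    Traffic that stays inside a zone is not mediated by a conduit; traffic
    between zones must match an explicit conduit entry, and there is no
    transitive shortcut (enterprise -> control is denied outright).
    """
    src_zone = NETWORK_ZONE.get(flow.src_network)
    dst_zone = NETWORK_ZONE.get(flow.dst_network)
    if src_zone is None or dst_zone is None:
        return False, "unknown network in flow"
    if src_zone == dst_zone:
        return True, f"intra-zone traffic within '{src_zone}'"
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return False, f"no conduit from '{src_zone}' to '{dst_zone}'"
    if flow.service not in allowed:
        return False, f"conduit {src_zone}->{dst_zone} does not carry {flow.service}"
    return True, f"conduit {src_zone}->{dst_zone} carries {flow.service}"


def denied(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Audit a list of flows and return those the zone model rejects."""
    return [(f, reason) for f in flows for ok, reason in [evaluate(f)] if not ok]


# Constructed sample flows, as they might come out of a firewall rule review.
SAMPLE_FLOWS = [
    Flow("Enterprise Control Network", "Manufacturing Operations Network", "https"),
    Flow("Enterprise Control Network", "Control System Network", "modbus-tcp"),
    Flow("Perimeter Network", "Process Control Network", "wsus"),
    Flow("Process Control Network", "Control System Network", "s7comm"),
    Flow("Manufacturing Operations Network", "Process Control Network", "rdp"),
]

if __name__ == "__main__":
    for flow, reason in denied(SAMPLE_FLOWS):
        print(f"DENY {flow.src_network} -> {flow.dst_network} ({flow.service}): {reason}")
```

The point of keeping the conduit table explicit is that a rule such as "enterprise workstation to PLC over Modbus" is rejected because no conduit exists between those zones at all, not because a port happens to be closed; any new cross-zone path has to be added to the table deliberately.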
Endian 4i Industrial IoT Security. Endian: the 4i Edge line
How to maintain system security in an open network?
AN OUTDATED APPROACH: security through obscurity, based on staff discretion, on the secrecy of the system's components, and on the secrecy of data and access keys.
THE MODERN VIEW: IT protection, with simple but secure systems, secure connections and encrypted communication, and alarms and procedures in case of intrusion.
What does IT protection mean in an open network? Firewall, secure VPN, Intrusion Detection / Prevention, regulation and filtering of data traffic, AntiVirus.
ABSOLUTELY NON-INTRUSIVE ON THE PLANTS
Issue: access complexity
What is Endian Switchboard? A VPN concentrator and control panel, offered as an add-on module for any Endian server solution, and a platform for delivering cloud services.
What can I do with the Switchboard? Give access to many users (individuals or groups) according to different rules; quickly block access that has become unwanted (e.g. at the end of an employment relationship); prevent intrusion attempts on important machinery; obtain a detailed report on accesses (compliance rules); give users simple access to the protected endpoints (HMI, PLC, etc.).
Solution: role-based access to endpoints and applications
[Figure: Roles/Permissions, Applications, Secure Connectivity, Gateways, Endpoints, with the following example roles]
Role                Application            Gateway       Endpoint
IT Infrastructure   Performance Analysis   4i Edge 313   Equipment/Server
Support/IT Staff    Machine Settings       4i Edge 200   Industrial Equipment
Technical Staff     Access to Data         4i Edge 515   Industrial Equipment
Endian 4i offers multiple layers of protection:
Layer 1 - Access Restricted: only pre-approved connections (M2M, P2M, D2M) can be established.
Layer 2 - Service/Port Restriction: deciding which ports must be blocked provides a further level of protection against viruses and other threats.
Layer 3 - Denial of Service Protection: our solution intercepts attacks and protects you from service interruptions.
Layer 4 - Malformed Packet Rejection: the stateful firewall protects you from so-called malformed packets, which can cause serious damage to systems.
Layer 5 - Intrusion Detection Alerts: constant monitoring of the network and systems lets us raise an instant alarm in case of suspicious activity or policy violation.
Layer 6 - SCADA Protocol Filtering: on request, we can provide Modbus TCP protocol filtering for the 4i Edge appliances.
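To make layers 1, 4 and 6 concrete, here is an added example (not Endian's filter implementation) of what a Modbus TCP inspection step does on the wire: it checks the MBAP header for malformed frames, drops traffic from sources that were not pre-approved, and applies a per-source allow-list of Modbus function codes so that a view-only station can read registers but not write them. The policy table, IP addresses and sample frames are constructed for the example.

```python
"""Modbus TCP inspection (added example; not Endian's filter implementation).

Demonstrates three of the layers above on raw frames: pre-approved sources
only (layer 1), malformed-packet rejection via MBAP header checks (layer 4)
and SCADA protocol filtering through a per-source allow-list of function
codes (layer 6). Policy and sample frames are constructed for the example.
"""
import struct

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)

# Function codes a read-only monitoring station may issue (assumed policy).
READ_ONLY = {1, 2, 3, 4}
# Assumed per-source policy: which function codes each pre-approved client may use.
POLICY = {
    "10.1.2.10": READ_ONLY,                   # HMI view-only station
    "10.1.2.20": READ_ONLY | {5, 6, 15, 16},  # engineering workstation, may write
}


def parse_mbap(frame: bytes) -> dict:
    """Parse the MBAP header and function code; raise ValueError if malformed."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame) - 6}")
    if length > 254:  # unit id + maximum 253-byte PDU
        raise ValueError("length exceeds the Modbus maximum PDU size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def inspect(src_ip: str, frame: bytes) -> tuple:
    """Return ('accept', function_code) or ('drop', reason) for a request frame."""
    try:
        req = parse_mbap(frame)
    except ValueError as err:
        return ("drop", f"malformed: {err}")
    if req["fc"] & 0x80:
        return ("drop", "exception response code used in a request")
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return ("drop", f"source {src_ip} not pre-approved")
    if req["fc"] not in allowed:
        return ("drop", f"function code {req['fc']} not permitted for {src_ip}")
    return ("accept", req["fc"])


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a well-formed Modbus TCP request; used here to construct samples."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: a read, two writes from different stations,
# a truncated frame, a frame with a wrong protocol id, and an unknown host.
SAMPLES = [
    ("10.1.2.10", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),    # read holding regs
    ("10.1.2.10", build_request(2, 1, 6, struct.pack(">HH", 0, 1234))),  # write from HMI
    ("10.1.2.20", build_request(3, 1, 6, struct.pack(">HH", 0, 1234))),  # write from engineer
    ("10.1.2.10", b"\x00\x04\x00\x00\x00\x06\x01"),                      # truncated
    ("10.1.2.20", b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),  # protocol id 1
    ("10.1.9.99", build_request(6, 1, 3, struct.pack(">HH", 0, 1))),     # not pre-approved
]

if __name__ == "__main__":
    for src, frame in SAMPLES:
        print(src, frame.hex(), inspect(src, frame))
```

A stateful firewall in front of the PLC would additionally track transaction ids and expect the matching response from the unit; the header checks here are the minimum that keeps a truncated or mis-framed packet from ever reaching the controller's Modbus stack.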
Endian Switchboard e 4i Edge Series Key Features
Endian 4i Edge 112: Powerful desktop industrial solution
Performance (4i Edge 112): Firewall Throughput 120 Mbps; VPN Throughput 30 Mbps; IPS Throughput 20 Mbps
Recommended for: Infrastructure, Healthcare, Communications
Highlights: 0 to +60 °C operating temperature; simple, secure VPN access; power input 24 V DC

Endian 4i Edge 313: The DIN rail industrial solution
Performance (4i Edge 313): Firewall Throughput 120 Mbps; VPN Throughput 30 Mbps; IPS Throughput 20 Mbps
Recommended for: Machine building, Manufacturing, Infrastructure
Highlights: 0 to +60 °C operating temperature; simple, secure VPN access; 3G module (optional); power input 24 V DC

Endian 4i Edge 515: The most robust industrial solution
Performance (4i Edge 515): Firewall Throughput 120 Mbps; VPN Throughput 30 Mbps; IPS Throughput 20 Mbps
Recommended for: Machine building, Manufacturing, Infrastructure, Healthcare, Communications
Highlights: -20 to +70 °C operating temperature; simple, secure VPN access; 3G module (optional); dual power input 24 V DC
Thank you. See you on 14 October 2015 for the Switchboard technical hands-on. Questions?
Agenda: Endian presents the Endian 4i Edge and UTM line; technical introduction to the Switchboard architecture and its features; why choose Endian 4i Edge over an ordinary VPN connector; presentation of a use case; Endian Switchboard in action: practical demonstration of the product in use.
Endian Switchboard Featurelist
Connections
- Secure connections through OpenVPN
- Connect with one single click to endpoints, gateways or entire remote networks
- Open applications directly from the Connect App
- Connection status of all devices: see whether devices are available or other users are already connected

User Management

Users
- Automatic VPN account creation for all users
- Can be members or administrators of an unlimited number of user groups
- Can connect to single devices or all devices in a group they have access to
- Can modify and create single devices or device groups
- Permissions: Superuser, group creation and management, application management, API usage, access to internal networks
- Endian Network account data for device registration (provisioning)

User Groups
- Can contain an unlimited number of users
- Permission management for devices and device groups
- User permission management (member/administrator of group)

Device Management

Gateways
- Automatic VPN account creation for all gateways (OpenVPN support on the gateway required)
- Endpoint configuration
- Provisioning options for Endian gateways
- User/user group permission management (connect/manage)
- Can be part of an unlimited number of device groups
- Exportable logs in CSV format

Endpoints
- Configurable for each gateway
- Application profile assignment to launch applications with a single click from the Connect App
- Custom attribute definitions can be used with the API
- Every single endpoint can be reached through its own virtual IP address
- Exportable logs in CSV format

Device Groups
- Can have their own virtual IP pool (configurable)
- Can contain an unlimited number of gateways
- User/user group permission management (connect/manage)

Application Management

Applications
- Program calls
- URL calls
- Placeholders for program paths, URLs and IP addresses

Application Profiles
- Group multiple applications
- Can be assigned to endpoints

Settings
- Fully configurable OpenVPN modes
- OpenVPN fallback support through multi-server configuration
- Virtual IP configuration for simultaneous connections to many endpoints with the same IP address
- Virtual IP pools configurable globally and for single device groups
- Exclusive access configuration (on gateway level, on endpoint level, disabled)

Provisioning
- Gateway model configuration for provisioning
- Encryption support for provisioning files
- Automatic gateway registration on Endian Network
- Provisioning modules for: base system information, network settings, VPN gateway-to-gateway configuration, upstream proxy, port forwarding, source NAT

API
- Can be activated/deactivated
- Secured with API token
- Superuser API with full read and write access
- User API: activate/deactivate user-gateway connections, activate/deactivate user-endpoint connections

Connect App
- One-click application calls
- Shows only the available functionalities based on user permissions
- Local application management
- Automatic OpenVPN connection on program start
- Automatic reconnection on failure
- Support for connection through HTTP proxy (basic/NTLM authentication)
- Includes auto-update routine
- Integrated downloader (logs and provisioning files)
- No administrator privileges needed after the installation
Thank you. Endian - Securing everyThing
Questions?