CyberSecurity for the Industry 4.0 Andrea Bonomi Enzo M Tieghi

Apr 11, 2017


Enzo M. Tieghi
Transcript

The Internet of Things is already here. What now?

CyberSecurity for the Industry 4.0

Andrea Bonomi

Enzo M Tieghi

Who is Endian?
- Founded in Bolzano in 2003 by a team of network experts and Linux enthusiasts
- The result of that collaboration is the creation of sophisticated UTM solutions based on Open Source technology
- Since 2011 Endian has been developing solutions dedicated to the Industrial Internet of Things
- More than 4000 companies in over 50 countries have chosen Endian products

Endian offices: Endian US - Houston; Endian - Bolzano and Milan; Endian Germany - Munich; Endian Japan - Tokyo; Endian - Turkey

Who is ServiTecno?
- Founded in Milan in 1979
- Since 1985 it has distributed and supported GE Intelligent Platforms products for developing industrial applications: HMI/SCADA, supervision, monitoring and Plant Intelligence on plant data
- Active in the industrial sectors (pharmaceutical, food, chemical, cement, glass, metals, oil&gas, etc.), utilities (water, gas, telecontrol, transport, energy), building management, etc.
- www.servitecno.it

Internet of Things (IoT), numbers and trends

By 2020:
- 4 Billion Connected People
- $4 Trillion Revenue Opportunity
- 25+ Million Apps
- 25+ Billion Embedded and Intelligent Systems
- 50 Trillion GBs of Data

Only 1,000 working days to go.

The Internet is the medium that serves one need: to COMMUNICATE. So we need to make objects (sensors, machines, plants, M2M, devices, ...) able to TALK. Let us focus on the Industrial Internet of Things, that is, the Internet of Important Things.

Internet of Things: everything and everyone is connected

IoT: everything and everyone is connected
- There are many protocols and standards for making devices communicate with each other
- HOWEVER, there is no standard for IoT security
- IN FACT, we have: a high number of devices, a low level of device protection, heterogeneity, ...
- This leads to limitations in the rules and to differing security policies

for example (who doesn't know Suki?)

Plant network (continuous process): remote access for maintenance

Protected connections: VPN, IPsec, OpenVPN

Example of a plant network (batch production)

Zones & Conduits (ISA99/IEC62443)

Example of a security architecture in industrial automation and control systems

[Figure: network zones - Enterprise Control Network, Manufacturing Operations Network, Perimeter Control Network, Control System Network, Process Control Network. Source: Byres Security]

According to the Siemens documentation, a high security site is separated into five networks and four security zones as follows:

- The Enterprise Control Network (pink) zone is the corporate network. It hosts the business users and corporate accounting and planning systems. Security of this zone is typically managed by the corporate IT group.
- The Manufacturing Operations Network (yellow) zone hosts the SIMATIC IT servers that exchange information between the control system and applications on the Enterprise Control Network (such as an Enterprise Resource Planning (ERP) system).
- The Perimeter Network (brown) zone hosts servers that manage equipment in the control system, as well as servers that provide information to end users on the Enterprise Control Network. This is a common location for servers responsible for providing software patches and updates, including Windows security updates and anti-virus updates. Many of the servers within this zone provide information to end users via web servers and web services. People sometimes refer to this zone as a demilitarized zone or DMZ.
- The final security zone hosts two networks: the green Process Control Network and the blue Control System Network. The Process Control Network hosts the 24x7 plant operators on their Human Machine Interface (HMI) workstations. It also connects to the WinCC/PCS 7 control system servers. The Control System Network connects to the Programmable Logic Controllers (PLCs). It also connects directly to the WinCC/PCS 7 control system servers.

Source: "How Stuxnet Spreads", Byres Security Inc., 2011, p. 12

Endian 4i Industrial IoT Security: Endian and the 4i Edge line

How can the security of systems be maintained on an open network?

AN OUTDATED APPROACH - Security through obscurity:
- Based on the discretion of staff
- Based on the secrecy of the system's components
- Based on the secrecy of data and access keys

THE MODERN VIEW - IT protection:
- Simple but secure systems
- Secure connection and encrypted communication
- Alarms and procedures in case of intrusion

What does IT protection mean on an open network?
- Firewall
- Secure VPN
- Intrusion Detection / Prevention
- Regulation and filtering of data traffic
- AntiVirus

ABSOLUTELY NON-INTRUSIVE ON PLANT SYSTEMS

Issue: complexity of access

What is Endian Switchboard?
- VPN concentrator
- Control panel
- Available as an add-on module for any Endian server solution
- Platform for delivering cloud services

What can I do with the Switchboard?
- Give access to many users (individuals or groups) according to different rules
- Quickly block access that is no longer wanted (e.g. at the end of an employment relationship)
- Prevent intrusion attempts on important machinery
- Have a detailed report on accesses (compliance rules)
- Give users simple access to protected endpoints (HMI, PLC, etc.)

Solution: role-based access to endpoints and applications

[Figure: Roles/Permissions -> Applications -> Secure Connectivity -> Gateways -> Endpoints. Example access paths:]
- IT Infrastructure: Performance Analysis, via 4i Edge 313, to Equipment/Server
- Support/IT Staff: Machine Settings, via 4i Edge 200, to Industrial Equipment
- Technical Staff: Access to Data, via 4i Edge 515, to Industrial Equipment

Endian 4i offers multiple layers of protection
- Layer 1 - Access Restricted: only pre-approved connections (M2M, P2M, D2M) can be established
- Layer 2 - Service/Port Restriction: deciding which ports must be blocked provides a further level of protection from viruses and other kinds of threats
- Layer 3 - Denial of Service Protection: our solution intercepts the attacks and protects you from service interruptions
- Layer 4 - Malformed Packet Rejection: the stateful firewall protects you from so-called malformed packets, which can cause serious damage to systems
- Layer 5 - Intrusion Detection Alerts: constant monitoring of the network and systems lets us raise an immediate alarm in case of suspicious activity or policy violations
- Layer 6 - SCADA Protocol Filtering: on request, we can provide Modbus TCP protocol filtering for 4i Edge appliances
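As an added example (not Endian's code and not part of the original deck), the Python sketch below shows how Layer 4 and Layer 6 above, combined with the zone conduits of the security architecture slide, can be expressed as a Modbus/TCP request filter: frames whose MBAP header is inconsistent are rejected, and only the function codes a source zone is permitted to send reach the PLCs. The zone addresses, the function-code grouping and the sample frames are constructed assumptions.

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes grouped by their effect on the process (constructed grouping).
READ_FCS = {1, 2, 3, 4, 7, 17}       # read coils/inputs/registers, exception status, report ID
WRITE_FCS = {5, 6, 15, 16, 22, 23}   # write coils/registers, mask write, read/write multiple

# Constructed conduit policy: which source network may send which function codes to the PLCs.
# The Enterprise Control Network is deliberately absent: it has no conduit to the PLC zone.
POLICY = {
    "process_control_hmi": (ip_network("10.10.20.0/24"), READ_FCS | WRITE_FCS),
    "perimeter_dmz": (ip_network("10.10.10.0/24"), READ_FCS),
}

def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus function code; raise ValueError on malformed frames."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0:                       # protocol identifier must be 0 for Modbus
        raise ValueError(f"unexpected protocol id {pid}")
    if len(frame) != 6 + length:       # length covers unit id + PDU, so frame = 6 + length
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return {"tid": tid, "unit": unit, "fc": frame[7], "pdu": frame[8:]}

def filter_frame(src_ip: str, frame: bytes) -> tuple:
    """Return ('ACCEPT'|'DROP', reason) for one Modbus/TCP request arriving from src_ip."""
    try:
        req = parse_mbap(frame)
    except ValueError as err:
        return "DROP", f"malformed: {err}"          # Layer 4: malformed packet rejection
    src = ip_address(src_ip)
    for zone, (net, allowed) in POLICY.items():
        if src in net:
            if req["fc"] in allowed:
                return "ACCEPT", f"{zone} fc={req['fc']}"
            return "DROP", f"{zone} may not use fc={req['fc']}"   # Layer 6: protocol filtering
    return "DROP", f"{src_ip} has no conduit to the PLC zone"      # Layer 1: access restricted

# Constructed sample frames (tid, pid=0, length, unit=1, fc, payload).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # fc 3: read 10 registers
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0005 0001")  # fc 6: write register 5
TRUNCATED = READ_HOLDING[:9]                                    # length says 6, frame too short

if __name__ == "__main__":
    for src, frame in [("10.10.20.5", READ_HOLDING), ("10.10.10.7", WRITE_SINGLE),
                       ("10.10.20.5", TRUNCATED), ("192.168.1.5", READ_HOLDING)]:
        print(src, *filter_frame(src, frame))
```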

Endian Switchboard e 4i Edge Series Key Features

Endian 4i Edge 112 - Powerful desktop industrial solution
Performance: Firewall Throughput 120 Mbps; VPN Throughput 30 Mbps; IPS Throughput 20 Mbps
Recommended for: Infrastructure, Healthcare, Communications
Highlights: 0 to +60 °C operating temperature; Simple, secure VPN access; Power input 24V DC

Endian 4i Edge 313 - The DIN rail industrial solution
Performance: Firewall Throughput 120 Mbps; VPN Throughput 30 Mbps; IPS Throughput 20 Mbps
Recommended for: Machine building, Manufacturing, Infrastructure
Highlights: 0 to +60 °C operating temperature; Simple, secure VPN access; 3G Module (optional); Power input 24V DC

Endian 4i Edge 515 - The most robust industrial solution
Performance: Firewall Throughput 120 Mbps; VPN Throughput 30 Mbps; IPS Throughput 20 Mbps
Recommended for: Machine building, Manufacturing, Infrastructure, Healthcare, Communications
Highlights: -20 to +70 °C operating temperature; Simple, secure VPN access; 3G Module (optional); Dual power input 24V DC

Thank you

See you on 14 October 2015 for the Switchboard technical hands-on. Questions?

Agenda:
- Endian presents: the Endian 4i Edge and UTM line
- Technical introduction to the Switchboard architecture and its features
- Why choose Endian 4i Edge over a common VPN connector
- Presentation of an application case
- Endian Switchboard in action: practical demonstration of the product in use

Endian Switchboard Feature list

Connections
- Secure connections through OpenVPN
- Connect with one single click to endpoints, gateways or entire remote networks
- Open applications directly from the Connect App
- Connection status of all devices
- See whether devices are available or other users are already connected

User Management

Users
- Automatic VPN account creation for all users
- Can be members or administrators of an unlimited number of user groups
- Can connect to single devices or all devices in a group they have access to
- Can modify and create single devices or device groups
- Permissions: Superuser, Group creation and management, Application management, API usage, access to internal networks
- Endian Network account data for device registration (provisioning)

User Groups
- Can contain an unlimited number of users
- Permission management for devices and device groups
- User permission management (member/administrator of group)

Device Management

Gateways
- Automatic VPN account creation for all gateways (OpenVPN support on the gateway required)
- Endpoint configuration
- Provisioning options for Endian gateways
- User/User group permission management (connect/manage)
- Can be part of an unlimited number of device groups
- Exportable logs in CSV format

Endpoints
- Configurable for each gateway
- Application profile assignment to launch applications with a single click from the Connect App
- Custom attribute definitions can be used with the API
- Every single endpoint can be reached through its own Virtual IP address
- Exportable logs in CSV format

Device Groups
- Can have their own virtual IP pool (configurable)
- Can contain an unlimited number of gateways
- User/User group permission management (connect/manage)

Application Management

Applications
- Program calls
- URL calls
- Placeholders for program paths, URLs and IP addresses

Application Profiles
- Group multiple applications
- Can be assigned to Endpoints

Settings
- Fully configurable OpenVPN modes
- OpenVPN fallback support through multi-server configuration
- Virtual IP configuration for simultaneous connections to many endpoints with the same IP address
- Virtual IP Pools configurable globally and for single device groups
- Exclusive access configuration (on gateway level, on endpoint level, disabled)

Provisioning
- Gateway model configuration for provisioning
- Encryption support for provisioning files
- Automatic gateway registration on Endian Network
- Provisioning modules for: base system information, network settings, VPN Gateway-to-Gateway configuration, upstream proxy, port forwarding, source NAT

API
- Can be activated/deactivated
- Secured with API Token
- Superuser API with full read and write access
- User API: activate/deactivate user-gateway connections, activate/deactivate user-endpoint connections

Connect App
- One-click application calls
- Shows only available functionalities based on user permissions
- Local application management
- Automatic OpenVPN connection on program start
- Automatic reconnection on failure
- Support for connection through HTTP Proxy (basic/NTLM authentication)
- Includes auto-update routine
- Integrated Downloader (logs and provisioning files)
- No administrator privileges needed after the installation

Thank you. Endian - Securing everyThing

Questions?