Design Considerations for Securing EtherNet/IP Networks
May 13, 2015
PUBLIC INFORMATION. Copyright © 2014 Rockwell Automation, Inc. All rights reserved.
We care what you think!
Please take a couple of minutes to complete a quick session survey to tell us how we're doing. On the mobile app:
1. Locate the session using Schedule or Agenda Builder
2. Click on the thumbs-up icon in the lower right corner of the session detail
3. Complete the survey
4. Click the Submit Form button
Thank you!
Agenda
- Lecture – Trends, Defense-in-Depth, Architectural Security Framework
- Demonstration – Architectural Security Framework
- Key Takeaways – Design Considerations
- Additional Information
Industrial Security Trends: Security for the Connected Enterprise
Scalable, robust, secure and future-ready infrastructure for the Connected Enterprise:
- Application
- Software
- Network
- Holistic Defense-in-Depth
Industrial Security Trends: Security Quips
- "Good enough" security now, is better than "perfect" security ... never (Tom West, Data General)
- Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done. (Dave Piscitello)
- Your absolute security is only as strong as your weakest link
- Concentrate on known, probable threats
- Security is not a static end state, it is an interactive process
- You only get to pick two of the three: fast, secure, cheap (Brett Eldridge)
Industrial Security Trends: Established Industrial Security Standards
- International Society of Automation, ISA/IEC-62443 (formerly ISA-99): Industrial Automation and Control Systems (IACS) Security – Defense-in-Depth; IDMZ deployment
- National Institute of Standards and Technology, NIST 800-82: Industrial Control System (ICS) Security – Defense-in-Depth; IDMZ deployment
- Department of Homeland Security / Idaho National Lab, DHS INL/EXT-06-11478: Control Systems Cyber Security: Defense-in-Depth Strategies – Defense-in-Depth; IDMZ deployment
A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.
Industrial Security Trends: EtherNet/IP Industrial Automation & Control System Network
- Open by default, to allow both technology coexistence and device interoperability on Industrial Automation and Control System (IACS) networks. The base protocol (CIP over TCP/UDP) carries no authentication or encryption of its own, so protection has to come from the surrounding network design.
- Secured by configuration:
  - Protect the network – Electronic Security Perimeter
  - Defend the edge – Industrial DMZ (IDMZ)
  - Defense-in-Depth – multiple layers of security
Holistic Defense-in-Depth: Multiple Layers to Protect and Defend the Edge
No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications.
This approach utilizes multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats.
Protecting IACS assets requires a holistic defense-in-depth security approach, which addresses internal and external security threats.
Holistic Defense-in-Depth: Critical Elements to Industrial Security
A balanced Industrial Security Program must address both technical and non-technical elements:
- Non-technical controls – rules for environments: e.g. standards, policies, procedures, and risk management
- Technical controls – technology that provides the restrictive measures the non-technical controls call for: e.g. firewalls, Group Policy Objects, Layer 3 access control lists (ACLs)
Security is only as strong as the weakest link. Vigilance and attention to detail are key to long-term security success. There is no "one-size-fits-all" solution.
Holistic Defense-in-Depth: Industrial Security Policies Drive Technical Controls
- Physical – limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling, and control room; locks, gates, key cards, biometrics. This may also include policies, procedures and technology to escort and track visitors
- Network – security framework, e.g. firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS)
- Computer hardening – patch management, anti-X software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports
- Application – authentication, authorization, and accounting (AAA) software
- Device hardening – change management, communication encryption, and restrictive access
Architectural Security Framework: Cisco / Rockwell Automation CPwE Reference Architectures
[Figure: a "Flat and Open IACS Network Infrastructure" contrasted with a "Structured and Hardened IACS Network Infrastructure"]
Architectural Security Framework: Cisco / Rockwell Automation CPwE Reference Architectures
- Structured and hardened network infrastructure
- Scalable framework utilizing a holistic defense-in-depth approach
- Security is pervasive, not a bolt-on component
- Alignment with industrial security standards (e.g. ISA, NIST)
- Industrial security policy: A-I-C vs. C-I-A (the Industrial Zone ranks availability and integrity ahead of confidentiality, the reverse of the usual enterprise ordering, so a control that can interrupt production is not acceptable there)
- Industrial DMZ implementation
- Remote partner access policy, with a robust and secure implementation
Network security services must not compromise plant/site operations.
[Figure: CPwE logical architecture, top to bottom]
- Enterprise Zone (Levels 4-5): Enterprise WAN; Internet behind an external DMZ/firewall
- Industrial Demilitarized Zone (IDMZ): Cisco ASA 5500 plant firewalls (active/standby) providing inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services portal and Remote Desktop Services proxy; physical or virtualized servers (patch management, Remote Desktop Gateway server, application mirror, AV server); standard DMZ design best practices
- Level 3 – Site Operations: Catalyst 6500/4500 and Catalyst 3750 StackWise switch stack; network device resiliency; VLANs, segmenting domains of trust; AAA – FactoryTalk Authentication Server, Active Directory (AD), Remote Access Server; OS hardening; network status and monitoring
- Cell/Area Zones (Level 2 – Area Supervisory Control, Level 1 – Controller, Level 0 – Process): zone firewall; AAA – RADIUS / ISE; network infrastructure hardening and access control; physical port security; controllers, I/O, drives, soft starters, MCC, HMI and FactoryTalk clients, with device hardening, encrypted communications, physical security and procedural controls
Demonstration Scenario: Defense-in-Depth Security
[Figure: the demonstration network, shown twice, first as a "Flat and Open IACS Network Infrastructure" and then as a "Structured and Hardened IACS Network Infrastructure". Both use a Stratix 8300 distribution switch, a REP ring of Stratix 8000 switches, Stratix 5700 access switches, a ControlLogix 1756-EN2T, a CompactLogix 5370 L3, 1734 Point I/O, 1732E Slim ArmorBlock I/O, an engineering workstation (EWS) and an operator workstation (OWS) on the plant-wide IACS network. The hardened variant adds a Stratix 5900 services router and a dedicated data port.]
Architectural Security Framework: VLANs, Segmenting Domains of Trust
[Figure: the demonstration network before and after segmentation. Before: a single Layer 2 domain, Plant-wide IACS VLAN 40, IP subnet 192.168.1.0/24, carrying Machine #1 (OEM #1), Machine #2 (OEM #2), the EWS and OWS, the CompactLogix 5370 L3, 1732E Slim ArmorBlock I/O, 1734 Point I/O and ControlLogix 1756-EN2T. After: three VLANs, with the Stratix 8300 routing between them at Layer 3 while the Stratix 8000 REP ring and the Stratix 5700 switches stay at Layer 2.]

VLAN  IP subnet        Domain of trust
20    10.20.20.0/24    Machine #1 (OEM #1)
30    172.16.30.0/24   Machine #2 (OEM #2)
40    192.168.1.0/24   Plant-wide IACS

Each OEM machine gets its own VLAN and subnet, so traffic between machines, or between a machine and the plant-wide network, must cross a Layer 3 boundary on the Stratix 8300, which is where access control lists can be enforced.
Architectural Security Framework: Controller Hardening
Physical procedure: restrict Industrial Automation and Control System (IACS) access to authorized personnel only
- Control panels, devices, cabling, and control room
- Locks, gates, key cards
- Video surveillance
- Other authentication devices (biometric, keypad, etc.)
- Switch the Logix controller key to "RUN" (in RUN the controller refuses program downloads and online edits, so changing that state requires physical access to the key)
Electronic design:
- Logix controller source protection
- Logix controller data access control
- Trusted slot designation
Architectural Security Framework: Network Infrastructure Access Control and Hardening
- Cryptographic image: HTTPS (HTTP Secure), Secure Shell (SSH), SNMPv3. Without it the switch is managed over HTTP, Telnet and SNMPv1/v2c, all of which carry credentials and community strings in cleartext.
- Restrict access: port security (dynamic learning of MAC addresses); ACL (access control list); local authentication, or authentication through an AAA server
- Resiliency: Layer 2 loop prevention
- Quality of Service (QoS): minimize the impact of DDoS attacks
- Disable unnecessary services: MOP (Maintenance Operation Protocol), IP redirects, proxy ARP
- Attack prevention: DHCP snooping (rogue DHCP server protection, DHCP starvation protection); Dynamic ARP Inspection (ARP spoofing, man-in-the-middle attacks); storm control thresholds (denial-of-service (DoS) attacks)
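To make the "attack prevention" row concrete, here is an added example (written for this edit, not code from the deck or from the Stratix firmware) that models in Python how DHCP snooping, Dynamic ARP Inspection, port security and storm control interact on one access switch: the snooping binding table, built from DHCP ACKs seen on the trusted uplink, is what DAI checks ARP replies on untrusted ports against; a server message on an untrusted port is a rogue DHCP server and is dropped; a second MAC address, a burst of DHCP requests or a broadcast storm on an untrusted port err-disables it. The port names (Gi1/1 uplink, Gi1/5, Gi1/7), MAC addresses, 10.20.20.x hosts and thresholds are constructed for the example; the VLAN and subnet are the deck's Machine #1 values.

```python
from collections import defaultdict

# Constructed model of the Layer 2 protections listed on the slide: DHCP
# snooping, Dynamic ARP Inspection (DAI), port security and storm control.
# Port names, MAC addresses, host addresses and thresholds are assumptions;
# VLAN 20 / 10.20.20.0/24 is the deck's Machine #1 (OEM #1) segment.
TRUSTED_PORTS = {"Gi1/1"}      # uplink toward the legitimate DHCP server
PORT_SECURITY_MAX = 1          # MAC addresses allowed per access port
DHCP_RATE_LIMIT = 3            # client DHCP messages per port per interval
STORM_THRESHOLD_PPS = 100      # broadcast packets/s before the port is shut


class AccessSwitch:
    def __init__(self):
        self.bindings = {}                  # (vlan, ip) -> (mac, port): DHCP snooping binding table
        self.pending = {}                   # client mac -> port that sent DISCOVER/REQUEST
        self.learned = defaultdict(set)     # port -> MACs seen on it (port security)
        self.dhcp_count = defaultdict(int)  # port -> client DHCP messages (starvation guard)
        self.errdisabled = set()
        self.events = []                    # what an operator would see in syslog

    def _drop(self, reason):
        self.events.append(reason)
        return False

    def ingress(self, port, src_mac):
        """Port security: untrusted ports learn at most PORT_SECURITY_MAX MACs."""
        if port in self.errdisabled:
            return self._drop(f"frame on err-disabled {port} dropped")
        self.learned[port].add(src_mac)
        if port not in TRUSTED_PORTS and len(self.learned[port]) > PORT_SECURITY_MAX:
            self.errdisabled.add(port)
            return self._drop(f"port-security violation on {port}: {src_mac}")
        return True

    def dhcp(self, port, vlan, msg, src_mac, client_mac, ip=None):
        """DHCP snooping: server messages only from trusted ports; ACKs create bindings."""
        if not self.ingress(port, src_mac):
            return False
        if msg in ("OFFER", "ACK"):
            if port not in TRUSTED_PORTS:
                return self._drop(f"rogue DHCP {msg} from {src_mac} dropped on untrusted {port}")
            if msg == "ACK" and client_mac in self.pending:
                self.bindings[(vlan, ip)] = (client_mac, self.pending.pop(client_mac))
            return True
        # DISCOVER / REQUEST from a client: rate-limit (starvation) and remember the port
        self.dhcp_count[port] += 1
        if self.dhcp_count[port] > DHCP_RATE_LIMIT:
            self.errdisabled.add(port)
            return self._drop(f"DHCP rate limit exceeded on {port}, possible starvation")
        self.pending[client_mac] = port
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender MAC/IP must match a snooping binding on that port."""
        if not self.ingress(port, sender_mac):
            return False
        if port in TRUSTED_PORTS:
            return True
        if self.bindings.get((vlan, sender_ip)) != (sender_mac, port):
            return self._drop(f"DAI drop: {sender_mac} on {port} claims {sender_ip}")
        return True

    def broadcast(self, port, src_mac, pps):
        """Storm control: broadcast above the threshold shuts the port."""
        if not self.ingress(port, src_mac):
            return False
        if pps > STORM_THRESHOLD_PPS:
            self.errdisabled.add(port)
            return self._drop(f"storm control: {pps} pps broadcast on {port}")
        return True


def demo():
    """Replay a legitimate lease, then a rogue server, gateway spoof, IP theft and a storm."""
    sw = AccessSwitch()
    server, plc, rogue = "00:11:22:33:44:01", "00:aa:bb:cc:dd:10", "00:de:ad:be:ef:99"
    r = {}
    r["discover"] = sw.dhcp("Gi1/5", 20, "DISCOVER", plc, plc)
    r["ack"] = sw.dhcp("Gi1/1", 20, "ACK", server, plc, "10.20.20.50")
    r["rogue_offer"] = sw.dhcp("Gi1/7", 20, "OFFER", rogue, plc, "10.20.20.99")
    r["arp_ok"] = sw.arp("Gi1/5", 20, plc, "10.20.20.50")
    r["arp_gateway_spoof"] = sw.arp("Gi1/7", 20, rogue, "10.20.20.1")
    r["arp_ip_theft"] = sw.arp("Gi1/7", 20, rogue, "10.20.20.50")
    r["storm"] = sw.broadcast("Gi1/7", rogue, 5000)
    r["after_storm"] = sw.arp("Gi1/7", 20, rogue, "10.20.20.50")
    r["second_mac"] = sw.arp("Gi1/5", 20, rogue, "10.20.20.50")
    return sw, r


if __name__ == "__main__":
    switch, results = demo()
    for name, ok in results.items():
        print(f"{name:18s} {'forwarded' if ok else 'dropped'}")
    print("\n".join(switch.events))
```

The dependency order matters on a real switch as much as in the model: DAI only works on a VLAN where DHCP snooping is already building bindings, and controllers with static addresses (the usual case for I/O) need static entries or an ARP ACL, otherwise DAI drops their ARP traffic and the line stops.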
Architectural Security Framework: Network Infrastructure Access Control and Hardening
- All ACLs have an implied "deny any any" at the end: any traffic not specifically allowed will be dropped
- ACLs do not inspect traffic: they match protocol, address and port fields statelessly, with no tracking of connections and no application-layer inspection, so return traffic is not recognised as such and must be permitted on its own if the ACL is applied in both directions

Example – Stratix 8300 Access Control List (ACL). The mask column is a Cisco wildcard mask (1 bits are "don't care"), not a subnet mask, so 10.20.20.0 0.0.0.255 is the Machine #1 subnet 10.20.20.0/24.

Action  Protocol  Source  Destination and wildcard mask  Port
Permit  ICMP      Any     10.20.20.0 0.0.0.255
Permit  TCP       Any     10.20.20.0 0.0.0.255           80 (WWW)
Permit  TCP       Any     10.20.20.0 0.0.0.255           443 (SSL)
Permit  UDP       Any     10.20.20.0 0.0.0.255           161 (SNMP)
Permit  UDP       Any     10.20.20.0 0.0.0.255           162 (SNMPTRAP)
Permit  TCP       Any     10.20.20.0 0.0.0.255           162 (SNMPTRAP)
Deny    IP        Any     Any
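As an added example, not from the deck: the slide's ACL transcribed into IOS-style lines and evaluated in Python with Cisco wildcard-mask semantics and first-match, implicit-deny behaviour, against the flows an engineering workstation on the plant-wide VLAN 40 (192.168.1.0/24) would send to a controller in the Machine #1 VLAN 20 (10.20.20.0/24). The host addresses 192.168.1.50 and 10.20.20.10 are assumptions; the EtherNet/IP port numbers (TCP 44818 for CIP explicit messaging, UDP 2222 for implicit I/O) are the ODVA assignments.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# ACL transcribed from the slide's Stratix 8300 example (10.20.20.0 with
# wildcard 0.0.0.255 is the Machine #1 subnet from the VLAN slide). The
# source/destination hosts used in audit() are constructed for this example.
SLIDE_ACL = """
permit icmp any 10.20.20.0 0.0.0.255
permit tcp  any 10.20.20.0 0.0.0.255 eq 80
permit tcp  any 10.20.20.0 0.0.0.255 eq 443
permit udp  any 10.20.20.0 0.0.0.255 eq 161
permit udp  any 10.20.20.0 0.0.0.255 eq 162
permit tcp  any 10.20.20.0 0.0.0.255 eq 162
"""

# EtherNet/IP port assignments (ODVA): explicit messaging (CIP Class 3) on
# TCP 44818, implicit I/O (CIP Class 1) on UDP 2222.
CIP_EXPLICIT_TCP = 44818
CIP_IMPLICIT_UDP = 2222


@dataclass
class Ace:
    action: str
    proto: str
    src: Optional[Tuple[int, int]]   # (address, wildcard) or None for "any"
    dst: Optional[Tuple[int, int]]
    dport: Optional[int]


def _parse_addr(tok, i):
    """'any' or 'address wildcard' starting at tok[i]; returns (spec, next index)."""
    if tok[i] == "any":
        return None, i + 1
    addr = int(ipaddress.IPv4Address(tok[i]))
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    return (addr, wildcard), i + 2


def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(tok[0], tok[1], src, dst, dport))
    return aces


def _addr_match(spec, ip):
    if spec is None:
        return True
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
    return int(ipaddress.IPv4Address(ip)) & care == addr & care


def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit 'deny ip any any'."""
    for n, ace in enumerate(aces, 1):
        if ace.proto not in ("ip", proto):
            continue
        if not (_addr_match(ace.src, src) and _addr_match(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None   # implicit deny, no line number


def audit(aces):
    """Flows a plant-wide EWS (VLAN 40) would send toward the Machine #1 controller."""
    ews, plc = "192.168.1.50", "10.20.20.10"
    return {
        "ping":         evaluate(aces, "icmp", ews, plc),
        "http":         evaluate(aces, "tcp", ews, plc, 80),
        "cip_explicit": evaluate(aces, "tcp", ews, plc, CIP_EXPLICIT_TCP),
        "cip_implicit": evaluate(aces, "udp", ews, plc, CIP_IMPLICIT_UDP),
        "snmp_other":   evaluate(aces, "udp", ews, "10.20.21.10", 161),  # outside the wildcard
    }


if __name__ == "__main__":
    for flow, (verdict, line) in audit(parse_acl(SLIDE_ACL)).items():
        print(f"{flow:13s} {verdict:6s} {'line ' + str(line) if line else 'implicit deny'}")
```

As transcribed, the ACL permits only ICMP, HTTP, HTTPS and SNMP into 10.20.20.0/24, so CIP explicit messaging and implicit I/O from outside the VLAN fall through to the implicit deny. That is the check to make before applying such an ACL to the VLAN 20 SVI: either it is meant as a management-only policy, or the TCP 44818 and UDP 2222 entries the plant-wide EWS and HMI need are missing.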
Architectural Security Framework: Physical Port Security
- Keyed solutions for copper and fiber
- Lock-in and block-out products secure connections
- Data access port (keyed cable and jack)
Architectural Security Framework: Physical Port Security – Keyed Connectors
[Figure: keyed copper and fiber connectors]
Architectural Security Framework: Stratix 5900 Services Router
[Figure: where the Stratix 5900 sits across the CPwE levels]
- Enterprise Zone, Levels 4 & 5 – Data Center: enterprise-wide business systems
- Level 3.5 – IDMZ
- Industrial Zone, Level 3 – Site Operations: physical or virtualized servers (FactoryTalk application servers and services platform; network services, e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; storage array); plant-wide / site-wide operation systems
- Cell/Area Zones, Levels 0-2
Three Stratix 5900 roles are shown: 1) site-to-site connection to Remote Site #1; 2) Cell/Area Zone firewall for Local Cell/Area Zone #1; 3) OEM integration for Local OEM Skid / Machine #1.
Architectural Security Framework: Cell/Area Zone Firewall – Policy Enforcement (example)
[Figure: a zone firewall between the Industrial IACS Zone and a Cell/Area IACS Zone. The figure shows CIP Class 1 (implicit I/O), CIP Class 3 (explicit messaging) and ICMP ping inside the Cell/Area Zone; CIP Class 3, ICMP ping and HTTP arriving from the Industrial Zone; and SNMP sweep and ping sweep (reconnaissance) among the traffic types the policy classifies.]
Architectural Security Framework: Network Device Resiliency
• Distribution switches typically provide first hop (default gateway) redundancy:
  – StackWise (3750X), stack management
  – Hot Standby Router Protocol (HSRP)
  – Virtual Router Redundancy Protocol (VRRP)
  – Gateway Load Balancing Protocol (GLBP)
[Figure: Catalyst 3750X switch stack (HSRP active, HSRP standby) above a Catalyst 3560]
Key Takeaways
- Align with Industrial Automation and Control System security standards: DHS External Report # INL/EXT-06-11478, NIST 800-82, ISA/IEC-62443 (formerly ISA-99)
- Implement a holistic Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks
- Establish an open dialog between Industrial Automation and IT groups
- Establish an Industrial security policy, unique from and in addition to the Enterprise security policy
- Establish an IDMZ between the Industrial and Enterprise Zones
- Work with trusted partners knowledgeable in automation & security
"Good enough" security now, is better than "perfect" security ... never. (Tom West, Data General)
Additional Material: ODVA
Website: http://www.odva.org/
Securing EtherNet/IP Networks: http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00269R0_ODVA_Securing_EtherNetIP_Networks.pdf
Additional Material: Industrial Security Resources
http://rockwellautomation.com/security
- Assessment Services
- Security Technology
- Security FAQ
- Security Resources
- Reference Architectures
- Security Services
- Leadership & Standards
- MS Patch Qualification
- Security Advisory Index
Additional Material
- Websites: Reference Architectures
- Design Guides: Converged Plant-wide Ethernet (CPwE); CPwE Resilient Ethernet Protocol (REP)
- Application Guides: Fiber Optic Infrastructure Application Guide; Wireless Design Considerations for Industrial Applications
- Whitepapers: Top 10 Recommendations for Plant-wide EtherNet/IP Deployments; Securing Manufacturing Computer and Controller Assets; Production Software within Manufacturing Reference Architectures; Achieving Secure Remote Access to plant-floor Applications and Data; Design Considerations for Securing Industrial Automation and Control System Networks
Additional Material: Training & Certifications
http://www.cisco.com/web/learning/training-index.html
- ICND1
- ICND2
Additional Material
- A new "go-to" resource for educational, technical and thought leadership information about industrial communications
- Standard Internet Protocol (IP) for industrial applications
- Coalition of like-minded companies
- www.industrial-ip.org
www.rsteched.com
Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.