Design Considerations for Securing EtherNet/IP Networks

PUBLIC INFORMATION Copyright © 2014 Rockwell Automation, Inc. All rights reserved.

Design Considerations for Securing EtherNet/IP Networks

May 13, 2015


Reviews considerations to help you design and deploy a secure plant-wide / site-wide EtherNet/IP network infrastructure. Topics include a holistic defense-in-depth security approach, a network security framework, and solutions developed by Rockwell Automation and our partners to help improve the availability, integrity and confidentiality of the EtherNet/IP network. A prior understanding of general Ethernet concepts, or attendance at NW01, is recommended.
Page 1: Design Considerations for Securing EtherNet/IP Networks



Page 3: Design Considerations for Securing EtherNet/IP Networks

Agenda

- Lecture – Trends, Defense-in-Depth, Architectural Security Framework
- Demonstration – Architectural Security Framework
- Key Takeaways – Design Considerations
- Additional Information

Page 4: Design Considerations for Securing EtherNet/IP Networks

Industrial Security Trends – Security for the Connected Enterprise

Scalable, robust, secure and future-ready infrastructure for the Connected Enterprise:
- Application
- Software
- Network

Holistic Defense-in-Depth

Page 5: Design Considerations for Securing EtherNet/IP Networks

Industrial Security Trends – Security Quips

- "Good enough" security now, is better than "perfect" security ... never (Tom West, Data General)
- Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done. (Dave Piscitello)
- Your absolute security is only as strong as your weakest link
- Concentrate on known, probable threats
- Security is not a static end state, it is an interactive process
- You only get to pick two of the three: fast, secure, cheap (Brett Eldridge)

Page 6: Design Considerations for Securing EtherNet/IP Networks

Industrial Security Trends – Established Industrial Security Standards

- International Society of Automation ISA/IEC-62443 (Formerly ISA-99): Industrial Automation and Control Systems (IACS) Security
  – Defense-in-Depth
  – IDMZ Deployment
- National Institute of Standards and Technology NIST 800-82: Industrial Control System (ICS) Security
  – Defense-in-Depth
  – IDMZ Deployment
- Department of Homeland Security / Idaho National Lab DHS INL/EXT-06-11478: Control Systems Cyber Security: Defense-in-Depth Strategies
  – Defense-in-Depth
  – IDMZ Deployment

A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.

Page 7: Design Considerations for Securing EtherNet/IP Networks

Industrial Security Trends – EtherNet/IP Industrial Automation & Control System Network

- Open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks
- Secured by configuration: protect the network
  – Electronic Security Perimeter
- Defend the edge – Industrial DMZ (IDMZ)
- Defense-in-Depth – multiple layers of security

Page 8: Design Considerations for Securing EtherNet/IP Networks

Holistic Defense-in-Depth – Multiple Layers to Protect and Defend the Edge

No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications.

This approach utilizes multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats.

Protecting IACS assets requires a holistic defense-in-depth security approach, which addresses internal and external security threats.

Page 9: Design Considerations for Securing EtherNet/IP Networks

Holistic Defense-in-Depth – Critical Elements to Industrial Security

A balanced Industrial Security Program must address both Technical and Non-Technical Elements.

- Non-technical controls – rules for environments: e.g. standards, policies, procedures, and risk management
- Technical controls – technology to provide restrictive measures for non-technical controls: e.g. firewalls, Group Policy Objects, Layer 3 access control lists (ACLs)
- Security is only as strong as the weakest link
- Vigilance and Attention to Detail are KEY to long-term security success

“one-size-fits-all”

Page 10: Design Considerations for Securing EtherNet/IP Networks

Holistic Defense-in-Depth – Industrial Security Policies Drive Technical Controls

- Physical – limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling, and control room … locks, gates, key cards, biometrics. This may also include policies, procedures and technology to escort and track visitors
- Network – security framework – e.g., firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS)
- Computer Hardening – patch management, Anti-X software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports
- Application – authentication, authorization, and accounting (AAA) software
- Device Hardening – change management, communication encryption, and restrictive access

Page 11: Design Considerations for Securing EtherNet/IP Networks

Architectural Security Framework – Cisco / Rockwell Automation CPwE Reference Architectures

[Diagram: Flat and Open IACS Network Infrastructure contrasted with a Structured and Hardened IACS Network Infrastructure]

Page 12: Design Considerations for Securing EtherNet/IP Networks

Architectural Security Framework – Cisco / Rockwell Automation CPwE Reference Architectures

- Structured and hardened network infrastructure
- Scalable framework utilizing a holistic defense-in-depth approach
- Security is pervasive, not a bolt-on component
- Alignment with industrial security standards (e.g. ISA, NIST)
- Industrial security policy: A-I-C vs. C-I-A
- Industrial DMZ implementation
- Remote partner access policy, with robust & secure implementation

Network Security Services Must Not Compromise Plant/Site Operations

[Diagram: CPwE logical architecture with the security services placed at each level]
Zones and levels shown: Internet; External DMZ / Firewall; Enterprise Zone, Levels 4-5 (Enterprise WAN); Industrial Demilitarized Zone (IDMZ); Level 3 – Site Operations; Level 2 – Area Supervisory Control; Level 1 – Controller; Level 0 – Process.
Equipment shown: Cisco ASA 5500 Firewall (Active) and Firewall (Standby); Catalyst 3750 StackWise Switch Stack; Catalyst 6500/4500; Physical or Virtualized Servers (Patch Management, Remote Desktop Gateway Server, Application Mirror, AV Server); HMI; FactoryTalk Client; Controllers, I/O, Drives; MCC; Soft Starter.
Security services shown: Standard DMZ Design Best Practices; Plant Firewall – inter-zone traffic segmentation ACLs, IPS and IDS, VPN Services Portal and Remote Desktop Services proxy; Network Device Resiliency; VLANs, Segmenting Domains of Trust; Network Infrastructure – Hardening, Access Control; Physical Port Security; AAA – FactoryTalk Authentication Server, Active Directory (AD), Remote Access Server; OS Hardening; Network Status and Monitoring; Zone Firewall; Device Hardening, Encrypted Communications; AAA – RADIUS / ISE; Device Hardening – Electronic, Physical Security, Procedural.

Page 13: Design Considerations for Securing EtherNet/IP Networks

Demonstration Scenario – Defense-in-Depth Security

Page 14: Design Considerations for Securing EtherNet/IP Networks

Demonstration Scenario – Defense-in-Depth Security

[Diagram: the two demonstration topologies]
- Flat and Open IACS Network Infrastructure: Stratix 8300; Stratix 8000 REP Ring; Stratix 5700; Plant-wide IACS with ControlLogix 1756-EN2T, CompactLogix 5370 L3, 1734 Point I/O and 1732E Slim ArmorBlock I/O; EWS / OWS
- Structured and Hardened IACS Network Infrastructure: the same switches and controllers, with a Stratix 5900 added and a Data Port shown at the Stratix 5700

Page 15: Design Considerations for Securing EtherNet/IP Networks

Architectural Security Framework – VLANs, Segmenting Domains of Trust

[Diagram: the demonstration topology before and after segmentation – Stratix 8300, Stratix 8000 ring, Stratix 5700; ControlLogix 1756-EN2T, CompactLogix 5370 L3, 1734 Point I/O, 1732E Slim ArmorBlock I/O; EWS / OWS; Machine #1 (OEM #1) and Machine #2 (OEM #2)]

Before – a single Layer 2 domain; both OEM machines and the plant-wide IACS share one VLAN:
  Plant-wide IACS – VLAN 40 – IP Subnet 192.168.1.0/24

After – one Layer 2 domain of trust per machine, with Layer 3 routing between them:
  Zone                  VLAN      IP Subnet
  Machine #1 (OEM #1)   VLAN 20   10.20.20.0/24
  Machine #2 (OEM #2)   VLAN 30   172.16.30.0/24
  Plant-wide IACS       VLAN 40   192.168.1.0/24

Page 16: Design Considerations for Securing EtherNet/IP Networks

Architectural Security Framework – Controller Hardening

Physical procedure: restrict Industrial Automation and Control System (IACS) access to authorized personnel only
- Control panels, devices, cabling, and control room
- Locks, gates, key cards
- Video surveillance
- Other authentication devices (biometric, keypad, etc.)
- Switch the Logix Controller key to “RUN”

Electronic design:
- Logix Controller Source Protection
- Logix Controller Data Access Control
- Trusted Slot Designation

Page 17: Design Considerations for Securing EtherNet/IP Networks

Architectural Security Framework – Network Infrastructure Access Control and Hardening

- Cryptographic Image: HTTPS (HTTP Secure); Secure Shell (SSH); SNMPv3
- Restrict Access: Port Security – dynamic learning of MAC addresses; ACL (Access Control List); Local Authentication / Authentication through AAA Server
- Resiliency: Layer 2 Loop Prevention
- Quality of Service (QoS): minimize impact of DDoS attacks
- Disable Unnecessary Services: MOP (Maintenance Operations Protocol); IP redirects; Proxy ARP
- Attack Prevention:
  – DHCP Snooping – Rogue DHCP Server Protection, DHCP Starvation Protection
  – Dynamic ARP Inspection – ARP Spoofing, man-in-the-middle attack
  – Storm Control Thresholds – Denial-of-service (DoS) attack

Page 18: Design Considerations for Securing EtherNet/IP Networks

Architectural Security Framework – Network Infrastructure Access Control and Hardening

Example – Stratix 8300 Access Control Lists (ACL)

- All ACLs have an implied “Deny Any Any” at the end
- Any traffic not specifically allowed will be dropped
- Does not inspect traffic

Action   Protocol   Source   Destination and Mask    Port
Permit   ICMP       Any      10.20.20.0 0.0.0.255
Permit   TCP        Any      10.20.20.0 0.0.0.255    80 (WWW)
Permit   TCP        Any      10.20.20.0 0.0.0.255    443 (SSL)
Permit   UDP        Any      10.20.20.0 0.0.0.255    161 (SNMP)
Permit   UDP        Any      10.20.20.0 0.0.0.255    162 (SNMPTRAP)
Permit   TCP        Any      10.20.20.0 0.0.0.255    162 (SNMPTRAP)
Deny     IP         Any      Any
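The three bullets above describe how a switch ACL behaves: entries are tried in order, the first match decides, nothing is inspected beyond the headers, and whatever matches no entry is dropped by the implied deny. The following is an added example written for this transcript (it is not Rockwell Automation or Cisco code) that evaluates the slide's Stratix 8300 ACL against constructed packets. The wildcard-mask arithmetic is the standard Cisco convention; the sample packets, the `Packet`/`Ace` types and the helper names are assumptions made for the demonstration.

```python
"""Stateless ACL evaluation with Cisco-style wildcard masks and the implied
deny-any-any.  Added example for this transcript, not vendor code.  The ACL
entries are copied from the slide's Stratix 8300 example; the packets are
constructed test traffic from the plant-wide VLAN 40 into Machine #1's subnet."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    protocol: str                 # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None   # ICMP carries no destination port


@dataclass(frozen=True)
class Ace:
    """One access control entry, in the slide's column order."""
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches every protocol
    src: str                      # "any" or "address wildcard"
    dst: str                      # "any" or "address wildcard"
    dport: Optional[int] = None   # None: any port


def match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care',
    so '10.20.20.0 0.0.0.255' covers 10.20.20.0 through 10.20.20.255."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care_bits = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(base)) & care_bits) == \
           (int(ipaddress.IPv4Address(addr)) & care_bits)


def match_ace(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not (match_addr(ace.src, pkt.src) and match_addr(ace.dst, pkt.dst)):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins.  A packet that matches nothing hits the
    implied 'deny ip any any' that ends every ACL and is dropped.  Only the
    headers are examined: like the switch ACL, this is stateless filtering."""
    for ace in acl:
        if match_ace(ace, pkt):
            return ace.action
    return "deny"


# The ACL from the slide, protecting Machine #1 (VLAN 20, 10.20.20.0/24).
STRATIX_8300_ACL: List[Ace] = [
    Ace("permit", "icmp", "any", "10.20.20.0 0.0.0.255"),
    Ace("permit", "tcp",  "any", "10.20.20.0 0.0.0.255", 80),
    Ace("permit", "tcp",  "any", "10.20.20.0 0.0.0.255", 443),
    Ace("permit", "udp",  "any", "10.20.20.0 0.0.0.255", 161),
    Ace("permit", "udp",  "any", "10.20.20.0 0.0.0.255", 162),
    Ace("permit", "tcp",  "any", "10.20.20.0 0.0.0.255", 162),
    Ace("deny",   "ip",   "any", "any"),   # the slide writes the final deny out explicitly
]

# Constructed sample traffic (not captured data).  44818/tcp is the standard
# EtherNet/IP explicit-messaging (CIP Class 3) port.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "ping":         Packet("icmp", "192.168.1.10", "10.20.20.5"),
    "https":        Packet("tcp",  "192.168.1.10", "10.20.20.5", 443),
    "snmp_get":     Packet("udp",  "192.168.1.10", "10.20.20.5", 161),
    "ssh":          Packet("tcp",  "192.168.1.10", "10.20.20.5", 22),
    "cip_class3":   Packet("tcp",  "192.168.1.10", "10.20.20.5", 44818),
    "other_subnet": Packet("tcp",  "192.168.1.10", "172.16.30.5", 80),
}


def decisions(acl: List[Ace] = STRATIX_8300_ACL,
              packets: Dict[str, Packet] = SAMPLE_PACKETS) -> Dict[str, str]:
    """Run every sample packet through the ACL and collect the verdicts."""
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:<13} {verdict}")
```

Two things the run makes concrete. First, the slide's ACL permits management traffic (ICMP, HTTP/HTTPS, SNMP) into the machine subnet and nothing else, so the constructed SSH and CIP Class 3 packets are both dropped by the implied deny even though no entry names them; an ACL that must carry EtherNet/IP traffic between zones needs explicit permits for the CIP ports. Second, traffic to another subnet (172.16.30.5 in VLAN 30) falls through every permit because of the destination mask, which is exactly the "domains of trust" separation the VLAN slide describes.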

Page 19: Design Considerations for Securing EtherNet/IP Networks

Architectural Security Framework – Physical Port Security

- Keyed solutions for copper and fiber
- Lock-in, Blockout products secure connections
- Data Access Port (keyed cable and jack)

Page 20: Design Considerations for Securing EtherNet/IP Networks

Architectural Security Framework – Physical Port Security – Keyed Connectors


Page 22: Design Considerations for Securing EtherNet/IP Networks

Architectural Security Framework – Stratix 5900 Services Router

[Diagram: Stratix 5900 deployment use cases across the CPwE model]
- Enterprise Zone – Enterprise-wide Business Systems, Levels 4 & 5 – Data Center: Physical or Virtualized Servers – FactoryTalk Application Servers & Services Platform; Network Services, e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; Storage Array
- Level 3.5 – IDMZ
- Industrial Zone – Level 3 – Site Operations: Plant-wide / Site-wide Operation Systems; Cell/Area Zones, Levels 0-2

Stratix 5900 use cases:
1) Site-to-Site Connection – Remote Site #1
2) Cell/Area Zone Firewall – Local Cell/Area Zone #1
3) OEM Integration – Local OEM Skid / Machine #1

Page 23: Design Considerations for Securing EtherNet/IP Networks

Architectural Security Framework – Cell/Area Zone Firewall – Policy Enforcement (example)

[Diagram: a Zone Firewall between the Industrial IACS Zone and a Cell/Area IACS Zone; traffic classes labelled on the diagram: CIP Class 1, CIP Class 3, icmp - ping, http, SNMP Sweep, Ping Sweep]
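The zone firewall slide lists ping sweeps and SNMP sweeps among the traffic classes a Cell/Area Zone firewall is meant to enforce policy on. Where the firewall or a flow collector exports connection records, the same classes can also be alerted on, which gives the monitoring layer of the defense-in-depth model something concrete to look for. The following is an added example written for this transcript (not Rockwell Automation or Cisco code): a sliding-window detector that flags a source reaching many distinct destinations with ICMP or with UDP/161 inside a short window. The `Flow` record layout, the window and threshold values, and the sample records are all constructed assumptions for the demonstration.

```python
"""Sliding-window detection of ping sweeps and SNMP sweeps over connection
records.  Added example for this transcript, not vendor code.  The record
format, window, threshold and the flows themselves are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float                 # seconds since an arbitrary epoch
    src: str
    dst: str
    proto: str                # "icmp", "udp" or "tcp"
    dport: Optional[int] = None


def classify(flow: Flow) -> Optional[str]:
    """Name the sweep category a flow could contribute to, or None.
    ICMP echo requests make a ping sweep; UDP/161 is SNMP polling."""
    if flow.proto == "icmp":
        return "ping_sweep"
    if flow.proto == "udp" and flow.dport == 161:
        return "snmp_sweep"
    return None


def detect_sweeps(flows: List[Flow], window: float = 10.0,
                  threshold: int = 8) -> Dict[Tuple[str, str], float]:
    """Return {(src, kind): ts} for every source that touched at least
    `threshold` distinct destinations of one kind within `window` seconds;
    ts is the time the threshold was first crossed.  Flows are processed in
    time order so the result does not depend on export ordering."""
    recent: Dict[Tuple[str, str], Deque[Tuple[float, str]]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], float] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        kind = classify(f)
        if kind is None:
            continue
        key = (f.src, kind)
        q = recent[key]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window:      # drop records outside the window
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = f.ts
    return alerts


def sample_flows() -> List[Flow]:
    """Constructed records: legitimate polling plus two sweep patterns."""
    flows: List[Flow] = []
    # An EWS polling one controller every second over CIP Class 3 (44818/tcp is
    # the standard EtherNet/IP explicit-messaging port) and SNMP: one destination,
    # so it never counts as a sweep however long it runs.
    for i in range(30):
        flows.append(Flow(float(i), "192.168.1.10", "10.20.20.5", "tcp", 44818))
        flows.append(Flow(float(i), "192.168.1.10", "10.20.20.5", "udp", 161))
    # A host pinging twenty addresses in the machine subnet, five per second.
    for i in range(1, 21):
        flows.append(Flow(100.0 + i * 0.2, "192.168.1.77", f"10.20.20.{i}", "icmp"))
    # The same host querying SNMP on one new address every five seconds.
    for i in range(1, 21):
        flows.append(Flow(200.0 + i * 5.0, "192.168.1.77", f"10.20.20.{i}", "udp", 161))
    return flows


if __name__ == "__main__":
    for (src, kind), ts in detect_sweeps(sample_flows()).items():
        print(f"{kind} from {src} at t={ts:.1f}s")
```

With the default 10-second window the fast ICMP sweep is reported when the eighth distinct address is reached, while the controller polling from the EWS is never flagged because it only ever touches one destination. The slow SNMP walk is not reported at that window size: a per-window count only sees a few of its destinations at a time, and widening the window (the test below uses 120 seconds) is what surfaces it. That is the practical caveat for this kind of detection: it complements the zone firewall's deny-by-default policy, which blocks the unneeded traffic regardless of rate, rather than replacing it, and the window and threshold must be tuned to the polling behaviour that is normal in the zone.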

Page 24: Design Considerations for Securing EtherNet/IP Networks

Architectural Security Framework – Network Device Resiliency

- Distribution switches typically provide first hop (default gateway) redundancy
  – StackWise (3750X), stack management
  – Hot Standby Router Protocol (HSRP)
  – Virtual Router Redundancy Protocol (VRRP)
  – Gateway Load Balancing Protocol (GLBP)

[Diagram: Catalyst 3750X Switch Stack acting as HSRP Active and HSRP Standby, with a Catalyst 3560 below it]

Page 25: Design Considerations for Securing EtherNet/IP Networks

Key Takeaways

- Align with Industrial Automation and Control System Security Standards: DHS External Report # INL/EXT-06-11478, NIST 800-82, ISA/IEC-62443 (Formerly ISA-99)
- Implement a Holistic Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks
- Establish an open dialog between Industrial Automation and IT groups
- Establish an Industrial security policy, unique from and in addition to the Enterprise security policy
- Establish an IDMZ between the Industrial and Enterprise Zones
- Work with trusted partners knowledgeable in automation & security

"Good enough" security now, is better than "perfect" security ... never. (Tom West, Data General)

Page 26: Design Considerations for Securing EtherNet/IP Networks

Additional Material – ODVA

Website: http://www.odva.org/
Securing EtherNet/IP Networks: http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00269R0_ODVA_Securing_EtherNetIP_Networks.pdf

Page 27: Design Considerations for Securing EtherNet/IP Networks

Additional Material – Industrial Security Resources

http://rockwellautomation.com/security

[Website tiles shown: Assessment Services; Security Technology; Security FAQ; Security Resources; Reference Architectures; Security Services; Leadership & Standards; MS Patch Qualification; Security Advisory Index]

Contact: [email protected]

Page 28: Design Considerations for Securing EtherNet/IP Networks

Additional Material

- Websites: Reference Architectures
- Design Guides: Converged Plant-wide Ethernet (CPwE); CPwE Resilient Ethernet Protocol (REP)
- Application Guides: Fiber Optic Infrastructure Application Guide; Wireless Design Considerations for Industrial Applications
- Whitepapers: Top 10 Recommendations for Plant-wide EtherNet/IP Deployments; Securing Manufacturing Computer and Controller Assets; Production Software within Manufacturing Reference Architectures; Achieving Secure Remote Access to plant-floor Applications and Data; Design Considerations for Securing Industrial Automation and Control System Networks

Page 29: Design Considerations for Securing EtherNet/IP Networks

Additional Material – Training & Certifications

http://www.cisco.com/web/learning/training-index.html
- ICND1
- ICND2

Page 30: Design Considerations for Securing EtherNet/IP Networks

Additional Material

A new ‘go-to’ resource for educational, technical and thought leadership information about industrial communications
- Standard Internet Protocol (IP) for Industrial Applications
- Coalition of like-minded companies

www.industrial-ip.org


Page 32: Design Considerations for Securing EtherNet/IP Networks

www.rsteched.com

Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.