Design Considerations for Securing EtherNet/IP Networks
Reviews considerations to help you design and deploy a secure plant-wide / site-wide EtherNet/IP network infrastructure. Topics include a defense-in-depth holistic security approach, network security framework and solutions developed by Rockwell Automation and our partners to help improve the availability, integrity and confidentiality of the EtherNet/IP network. A prior understanding of general Ethernet concepts, or attendance of NW01 is recommended.

Published in: Technology, Business

Transcript of "Design Considerations for Securing EtherNet/IP Networks"

  1. Design Considerations for Securing EtherNet/IP Networks
     PUBLIC INFORMATION. Copyright © 2014 Rockwell Automation, Inc. All rights reserved.
  2. We care what you think!
     Please take a couple of minutes to complete a quick session survey to tell us how we're doing. On the mobile app:
       1. Locate the session using Schedule or Agenda Builder
       2. Click the thumbs-up icon in the lower right corner of the session detail
       3. Complete the survey
       4. Click the Submit Form button
     Thank you!
  3. Agenda
     • Key Takeaways – Design Considerations
     • Demonstration – Architectural Security Framework
     • Lecture – Trends, Defense-in-Depth, Architectural Security Framework
     • Additional Information
  4. Industrial Security Trends – Security for the Connected Enterprise
     • Scalable, robust, secure and future-ready infrastructure for the Connected Enterprise:
       • Application
       • Software
       • Network
     • Holistic Defense-in-Depth
  5. Industrial Security Trends – Security Quips
     • "Good enough" security now is better than "perfect" security ... never (Tom West, Data General)
     • Security ultimately relies, and fails, on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done. (Dave Piscitello)
     • Your absolute security is only as strong as your weakest link
     • Concentrate on known, probable threats
     • Security is not a static end state, it is an interactive process
     • You only get to pick two of the three: fast, secure, cheap (Brett Eldridge)
  6. Industrial Security Trends – Established Industrial Security Standards
     • International Society of Automation: ISA/IEC-62443 (formerly ISA-99), Industrial Automation and Control Systems (IACS) Security
       • Defense-in-Depth
       • IDMZ deployment
     • National Institute of Standards and Technology: NIST 800-82, Industrial Control System (ICS) Security
       • Defense-in-Depth
       • IDMZ deployment
     • Department of Homeland Security / Idaho National Lab: DHS INL/EXT-06-11478, Control Systems Cyber Security: Defense-in-Depth Strategies
       • Defense-in-Depth
       • IDMZ deployment
     A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.
  7. Industrial Security Trends – EtherNet/IP Industrial Automation & Control System Network
     • Open by default, to allow both technology coexistence and device interoperability on Industrial Automation and Control System (IACS) networks; the CIP messages themselves carry no authentication, so the protection has to come from how the network and the devices are configured
     • Secured by configuration:
       • Protect the network – Electronic Security Perimeter
       • Defend the edge – Industrial DMZ (IDMZ)
       • Defense-in-Depth – multiple layers of security
  8. Holistic Defense-in-Depth – Multiple Layers to Protect and Defend the Edge
     • No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications.
     • This approach uses multiple layers of defense (physical, procedural and electronic) at separate IACS levels, applying policies and procedures that address different types of threats.
     • Protecting IACS assets requires a holistic defense-in-depth security approach that addresses internal as well as external security threats.
  9. Holistic Defense-in-Depth – Critical Elements of Industrial Security
     • A balanced industrial security program must address both technical and non-technical elements
       • Non-technical controls – rules for the environment: e.g. standards, policies, procedures and risk management
       • Technical controls – technology that enforces the non-technical controls: e.g. firewalls, Group Policy Objects, Layer 3 access control lists (ACLs)
     • Security is only as strong as the weakest link
     • Vigilance and attention to detail are key to long-term security success
     “one-size-fits-all”
 10. Holistic Defense-in-Depth – Industrial Security Policies Drive Technical Controls
     • Physical – limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling and control room; locks, gates, key cards, biometrics. This may also include policies, procedures and technology to escort and track visitors
     • Network – security framework: e.g. firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS)
     • Computer hardening – patch management, anti-X software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports
     • Application – authentication, authorization and accounting (AAA) software
     • Device hardening – change management, communication encryption and restrictive access
 11. Architectural Security Framework – Cisco / Rockwell Automation CPwE Reference Architectures
     Figure: a "Flat and Open IACS Network Infrastructure" contrasted with a "Structured and Hardened IACS Network Infrastructure".
 12. Architectural Security Framework – Cisco / Rockwell Automation CPwE Reference Architectures
     • Structured and hardened network infrastructure
     • Scalable framework using a holistic defense-in-depth approach
     • Security is pervasive, not a bolt-on component
     • Alignment with industrial security standards (e.g. ISA, NIST)
     • Industrial security policy: A-I-C (availability first) vs. the enterprise's C-I-A
     • Industrial DMZ implementation
     • Remote partner access policy, with a robust and secure implementation
     Network security services must not compromise plant/site operations.
     Figure (CPwE reference architecture, Internet at the top, process at the bottom):
       • Enterprise Zone (Levels 4–5): Enterprise WAN, External DMZ / Firewall, Internet
       • Industrial Demilitarized Zone (IDMZ): Cisco ASA 5500 firewalls (active / standby); physical or virtualized servers for patch management, Remote Desktop Gateway server, application mirror, AV server; standard DMZ design best practices
       • Plant firewall: inter-zone traffic segmentation; ACLs, IPS and IDS; VPN services; portal and Remote Desktop Services proxy
       • Level 3 – Site Operations: Catalyst 6500/4500 and Catalyst 3750 StackWise switch stack; network device resiliency; VLANs, segmenting domains of trust; AAA – FactoryTalk Authentication Server, Active Directory (AD), Remote Access Server; OS hardening; network status and monitoring
       • Level 2 – Area Supervisory Control: FactoryTalk client, HMI; zone firewall; device hardening, encrypted communications
       • Level 1 – Controller and Level 0 – Process: controllers, I/O, drives, MCC, soft starter; device hardening (physical security, procedural); physical port security; AAA – RADIUS / ISE
       • Network infrastructure: hardening, access control
 13. Demonstration Scenario – Defense-in-Depth Security
 14. Demonstration Scenario – Defense-in-Depth Security
     Figure: the demonstration topology shown twice, as a "Flat and Open IACS Network Infrastructure" and as a "Structured and Hardened IACS Network Infrastructure". Devices: Stratix 8300, Stratix 8000 REP ring, Stratix 5700, Stratix 5900 (in the hardened variant), ControlLogix 1756-EN2T, CompactLogix 5370 L3, 1734 POINT I/O, 1732E Slim ArmorBlock I/O, engineering workstation (EWS), operator workstation (OWS) and a data port; "Plant-wide IACS" denotes the site-level network.
 15. Architectural Security Framework – VLANs, Segmenting Domains of Trust
     Figure: the same topology first as a single Layer 2 domain, with every device in the Plant-wide IACS VLAN 40 (IP subnet 192.168.1.0/24), then segmented into domains of trust that are routed at Layer 3 by the Stratix 8300:
       • Machine #1 (OEM #1): VLAN 20, IP subnet 10.20.20.0/24
       • Machine #2 (OEM #2): VLAN 30, IP subnet 172.16.30.0/24
       • Plant-wide IACS: VLAN 40, IP subnet 192.168.1.0/24
     Each machine keeps its own Layer 2 domain; traffic between domains must cross the Layer 3 switch, which is where the access control lists of slide 18 are applied.
 16. Architectural Security Framework – Controller Hardening
     • Physical procedure:
       • Restrict Industrial Automation and Control System (IACS) access to authorized personnel only
       • Control panels, devices, cabling and control room
       • Locks, gates, key cards
       • Video surveillance
       • Other authentication devices (biometric, keypad, etc.)
       • Switch the Logix controller key to "RUN" (in RUN the controller rejects program downloads and online edits until the key is physically turned)
     • Electronic design:
       • Logix controller Source Protection
       • Logix controller Data Access Control
       • Trusted Slot Designation
 17. Architectural Security Framework – Network Infrastructure Access Control and Hardening
     • Cryptographic image
       • HTTPS (HTTP Secure)
       • Secure Shell (SSH)
       • SNMPv3
     • Restrict access
       • Port Security – dynamic learning of MAC addresses
       • ACL (Access Control List)
       • Local authentication, or authentication through an AAA server
     • Resiliency
       • Layer 2 loop prevention
       • Quality of Service (QoS) – minimize the impact of DDoS attacks
     • Disable unnecessary services
       • MOP (Maintenance Operations Protocol)
       • IP redirects
       • Proxy ARP
     • Attack prevention
       • DHCP Snooping – rogue DHCP server protection, DHCP starvation protection
       • Dynamic ARP Inspection – ARP spoofing, man-in-the-middle attacks
       • Storm control thresholds – denial-of-service (DoS) attacks
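Added example (not code from the deck, from Rockwell Automation or from Cisco): a small Python model of three of the attack-prevention features listed above, DHCP Snooping with rogue-server and starvation protection, and Dynamic ARP Inspection validating ARP senders against the snooping binding table. On a Stratix/IOS switch these are switched on with `ip dhcp snooping`, `ip dhcp snooping trust` on the uplink, `ip dhcp snooping limit rate` on access ports and `ip arp inspection vlan`; the code only shows the decision logic those features implement. Port names, MAC and IP addresses, the trusted-port set and the rate limit are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """Model of an access switch with DHCP Snooping and Dynamic ARP Inspection (DAI).

    trusted_ports   ports facing the real DHCP server (assumption: the uplink)
    dhcp_rate_limit max DHCP messages accepted per untrusted port per window
    bindings        the DHCP snooping binding table: client MAC -> (IP, access port)
    """
    trusted_ports: set
    dhcp_rate_limit: int = 5
    bindings: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)     # client MAC -> port of its DISCOVER/REQUEST
    dhcp_count: dict = field(default_factory=dict)  # port -> DHCP messages seen this window
    errdisabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def dhcp(self, port, msg, client_mac, client_ip=None):
        """Return True if the DHCP message is forwarded, False if it is dropped."""
        if port in self.errdisabled:
            return False
        if port not in self.trusted_ports:
            # DHCP starvation protection: rate-limit DHCP on untrusted ports,
            # then err-disable the port the way 'ip dhcp snooping limit rate' does
            n = self.dhcp_count[port] = self.dhcp_count.get(port, 0) + 1
            if n > self.dhcp_rate_limit:
                self.errdisabled.add(port)
                self.log.append(f"ERRDISABLE {port}: DHCP rate limit exceeded")
                return False
        if msg in ("OFFER", "ACK"):
            # Rogue DHCP server protection: server messages only from trusted ports
            if port not in self.trusted_ports:
                self.log.append(f"DROP rogue DHCP {msg} on untrusted port {port}")
                return False
            if msg == "ACK" and client_mac in self.pending:
                # A completed lease creates the binding used by DAI below
                self.bindings[client_mac] = (client_ip, self.pending.pop(client_mac))
        else:
            # DISCOVER / REQUEST from a client: remember which access port it sits on
            self.pending[client_mac] = port
        return True

    def arp(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection: on untrusted ports the sender IP/MAC must match a binding."""
        if port in self.trusted_ports:
            return True
        binding = self.bindings.get(sender_mac)
        if binding is None or binding[0] != sender_ip:
            self.log.append(f"DROP ARP on {port}: {sender_mac} claims {sender_ip}, binding={binding}")
            return False
        return True


def snooping_demo():
    """Constructed traffic: a legitimate client, a rogue DHCP server, two ARP spoofs, a starvation burst."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/1"})
    r = {}
    r["discover_ok"] = sw.dhcp("Gi1/5", "DISCOVER", "00:00:bc:aa:00:01")
    r["ack_ok"] = sw.dhcp("Gi1/1", "ACK", "00:00:bc:aa:00:01", "10.20.20.11")
    r["rogue_offer"] = sw.dhcp("Gi1/7", "OFFER", "00:00:bc:aa:00:01", "10.20.20.200")
    r["arp_legit"] = sw.arp("Gi1/5", "00:00:bc:aa:00:01", "10.20.20.11")
    # attacker claims the gateway address 10.20.20.1 with its own MAC, then with the client's MAC
    r["arp_gw_spoof"] = sw.arp("Gi1/7", "00:0c:29:cc:00:99", "10.20.20.1")
    r["arp_ip_spoof"] = sw.arp("Gi1/7", "00:00:bc:aa:00:01", "10.20.20.1")
    # DHCP starvation: six DISCOVERs with made-up MACs on one port; the sixth trips the limit
    r["starvation"] = [sw.dhcp("Gi1/8", "DISCOVER", f"de:ad:be:ef:00:{i:02x}") for i in range(6)]
    r["errdisabled"] = sorted(sw.errdisabled)
    r["bindings"] = dict(sw.bindings)
    r["log"] = list(sw.log)
    return r


if __name__ == "__main__":
    for line in snooping_demo()["log"]:
        print(line)
```

The binding table is what makes DAI possible: without DHCP Snooping there is nothing to validate ARP replies against, which is why static-IP cells need `ip arp inspection filter` with a manually maintained ARP ACL instead.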
 18. Architectural Security Framework – Network Infrastructure Access Control and Hardening
     • All ACLs have an implied "deny any any" at the end
     • Any traffic not specifically allowed will be dropped
     • An ACL matches header fields only; it does not inspect traffic
     Example – Stratix 8300 access control list (ACL) protecting the Machine #1 subnet:

     Action   Protocol   Source   Destination and wildcard mask   Port
     Permit   ICMP       Any      10.20.20.0 0.0.0.255
     Permit   TCP        Any      10.20.20.0 0.0.0.255            80 (WWW)
     Permit   TCP        Any      10.20.20.0 0.0.0.255            443 (SSL)
     Permit   UDP        Any      10.20.20.0 0.0.0.255            161 (SNMP)
     Permit   UDP        Any      10.20.20.0 0.0.0.255            162 (SNMPTRAP)
     Permit   TCP        Any      10.20.20.0 0.0.0.255            162 (SNMPTRAP)
     Deny     IP         Any      Any
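Added example (not from the deck): the ACL above encoded as data and evaluated the way IOS evaluates it, top down, first match wins, wildcard masks in which a 1 bit means "don't care", and a deny of everything no entry matched. The packets are constructed; 192.168.1.50 stands in for an engineering workstation in the plant-wide VLAN. The example also shows the point a practitioner hits immediately: as written, the list admits only ICMP, HTTP(S) and SNMP into the Machine #1 subnet, so EtherNet/IP itself (TCP/UDP 44818 for explicit messaging, UDP 2222 for implicit I/O) is dropped by the final deny until entries for it are added. The `to_ios` rendering is the standard `ip access-list extended` syntax; the ACL name is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry, in IOS extended-ACL form."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "icmp", "tcp" or "udp"
    src: str                    # "any" or a network address
    src_wild: Optional[str]     # IOS wildcard mask for src (None when src is "any")
    dst: str
    dst_wild: Optional[str]
    dport: Optional[int] = None  # destination port for tcp/udp ("eq" match)


def wildcard_match(addr: str, net: str, wild: Optional[str]) -> bool:
    """IOS wildcard semantics: bits set in the mask are ignored, the rest must equal."""
    if net == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not wildcard_match(src, ace.src, ace.src_wild):
        return False
    if not wildcard_match(dst, ace.dst, ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry decides; with no match the implied 'deny ip any any' applies."""
    for i, ace in enumerate(acl):
        if matches(ace, proto, src, dst, dport):
            return ace.action, i
    return "deny", "implicit"


def to_ios(name, acl):
    """Render the table as the 'ip access-list extended' lines typed on the switch."""
    lines = [f"ip access-list extended {name}"]
    for ace in acl:
        src = "any" if ace.src == "any" else f"{ace.src} {ace.src_wild}"
        dst = "any" if ace.dst == "any" else f"{ace.dst} {ace.dst_wild}"
        port = f" eq {ace.dport}" if ace.dport is not None else ""
        lines.append(f" {ace.action} {ace.proto} {src} {dst}{port}")
    return lines


ANY = "any"
M1 = ("10.20.20.0", "0.0.0.255")  # Machine #1 (OEM #1) subnet from the VLAN slide
ACL = [  # the slide's table, row for row
    Ace("permit", "icmp", ANY, None, *M1),
    Ace("permit", "tcp", ANY, None, *M1, 80),
    Ace("permit", "tcp", ANY, None, *M1, 443),
    Ace("permit", "udp", ANY, None, *M1, 161),
    Ace("permit", "udp", ANY, None, *M1, 162),
    Ace("permit", "tcp", ANY, None, *M1, 162),
    Ace("deny", "ip", ANY, None, ANY, None),  # explicit copy of the implied deny (gives hit counters)
]
CIP_ACES = [  # what has to be added before the ACL goes in front of an EtherNet/IP cell
    Ace("permit", "tcp", ANY, None, *M1, 44818),  # CIP Class 3 explicit messaging
    Ace("permit", "udp", ANY, None, *M1, 44818),  # unconnected explicit / ListIdentity
    Ace("permit", "udp", ANY, None, *M1, 2222),   # CIP Class 1 implicit I/O
]


def acl_demo():
    """Constructed packets from an EWS (192.168.1.50) toward the Machine #1 cell."""
    ews, plc = "192.168.1.50", "10.20.20.5"
    return {
        "ping_in": evaluate(ACL, "icmp", ews, plc),
        "https_in": evaluate(ACL, "tcp", ews, plc, 443),
        "cip_class3": evaluate(ACL, "tcp", ews, plc, 44818),
        "snmp_wrong_net": evaluate(ACL, "udp", ews, "10.20.21.5", 161),
        "cip_class3_no_final_deny": evaluate(ACL[:-1], "tcp", ews, plc, 44818),
        "cip_class3_with_cip_aces": evaluate(ACL[:-1] + CIP_ACES + ACL[-1:], "tcp", ews, plc, 44818),
    }


if __name__ == "__main__":
    print("\n".join(to_ios("MACHINE1-IN", ACL)))
    for name, verdict in acl_demo().items():
        print(f"{name:26s} {verdict}")
```

Keeping the explicit `deny ip any any` at the end changes nothing about what is dropped, but `show access-lists` only counts matches on explicit entries, so it is the difference between seeing and not seeing the traffic the list is rejecting.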
 19. Architectural Security Framework – Physical Port Security
     • Keyed solutions for copper and fiber
     • Lock-in and block-out products secure connections
     • Data access port (keyed cable and jack)
 20. Architectural Security Framework – Physical Port Security – Keyed Connectors
 21. Architectural Security Framework – Network Infrastructure Access Control and Hardening (same content as slide 17)
 22. Architectural Security Framework – Stratix 5900 Services Router
     Figure: three placements of the Stratix 5900 in the CPwE architecture:
       1) Site-to-site connection between Remote Site #1 and the plant-wide / site-wide operation systems
       2) Cell/Area Zone firewall in front of Local Cell/Area Zone #1
       3) OEM integration of Local OEM Skid / Machine #1
     Zones shown: Enterprise Zone, Levels 4 & 5 (data center with enterprise-wide business systems; physical or virtualized servers for the FactoryTalk application servers & services platform, network services such as DNS, AD, DHCP and AAA, Remote Access Server (RAS), Call Manager, storage array); Level 3.5 – IDMZ; Industrial Zone, Level 3 – Site Operations; Cell/Area Zones, Levels 0–2.
 23. Architectural Security Framework – Cell/Area Zone Firewall – Policy Enforcement (example)
     Figure: flows between the Industrial IACS Zone and a Cell/Area IACS Zone, labelled by type: CIP Class 3 (explicit messaging), CIP Class 1 (implicit I/O), ICMP ping, HTTP, and reconnaissance traffic (SNMP sweep, ping sweep). The zone firewall decides per flow type which of these may cross into the cell.
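Added example (not from the deck): a zone-based policy check that classifies packets into the flow types on the figure (CIP Class 3 explicit messaging on TCP/UDP 44818, CIP Class 1 implicit I/O on UDP 2222, ICMP, HTTP, SNMP), applies an allow set per zone pair, and adds a simple sweep detector that counts distinct targets per source inside a time window. The zone subnets are those of the VLAN slide; the zone names, which classes are allowed across which pair, the thresholds and all addresses are assumptions made for the example, not the policy of the slide. Unlike the Layer 3 ACL of slide 18, the decision depends on which zones the endpoints belong to and on recent history, which is what policy enforcement at the cell/area firewall adds over a stateless list.

```python
import ipaddress
from collections import defaultdict

# Zones keyed by subnet (subnets from the VLAN slide; zone names are assumptions)
ZONES = {
    "industrial": ipaddress.ip_network("192.168.1.0/24"),    # plant-wide IACS, VLAN 40
    "cell_area_1": ipaddress.ip_network("10.20.20.0/24"),    # Machine #1 (OEM #1), VLAN 20
    "cell_area_2": ipaddress.ip_network("172.16.30.0/24"),   # Machine #2 (OEM #2), VLAN 30
}

# Assumed zone-pair policy: explicit messaging, ping and HTTP may enter a cell from the
# industrial zone; real-time I/O (CIP Class 1) and SNMP stay inside the cell; the two
# OEM machines have no pair defined, so they cannot talk to each other directly.
POLICY = {
    ("industrial", "cell_area_1"): {"cip_class3", "icmp", "http"},
    ("cell_area_1", "industrial"): {"cip_class3", "icmp"},
    ("industrial", "cell_area_2"): {"cip_class3", "icmp", "http"},
    ("cell_area_2", "industrial"): {"cip_class3", "icmp"},
}
SWEEP_HOSTS = 5      # more than this many distinct targets within the window counts as a sweep
SWEEP_WINDOW = 10.0  # seconds (assumption)


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "unknown")


def classify(proto, dport):
    """Map Layer 4 header fields onto the flow types drawn on the slide."""
    if proto == "tcp" and dport == 44818:
        return "cip_class3"   # EtherNet/IP explicit messaging
    if proto == "udp" and dport == 44818:
        return "cip_class3"   # unconnected explicit messaging / ListIdentity
    if proto == "udp" and dport == 2222:
        return "cip_class1"   # implicit (real-time) I/O
    if proto == "icmp":
        return "icmp"
    if proto == "tcp" and dport in (80, 443):
        return "http"
    if proto == "udp" and dport == 161:
        return "snmp"
    return "other"


class ZoneFirewall:
    def __init__(self):
        self.history = defaultdict(list)   # (src, class) -> [(time, dst)]

    def is_sweep(self, t, src, cls, dst):
        """True once src has touched more than SWEEP_HOSTS distinct hosts with cls in the window."""
        hist = self.history[(src, cls)]
        hist.append((t, dst))
        recent = {d for ts, d in hist if t - ts <= SWEEP_WINDOW}
        return len(recent) > SWEEP_HOSTS

    def decide(self, t, proto, src, dst, dport=None):
        """Return (verdict, reason) for one packet crossing the zone boundary."""
        cls = classify(proto, dport)
        pair = (zone_of(src), zone_of(dst))
        if pair not in POLICY:
            return "deny", f"no policy for zone pair {pair}"
        if cls not in POLICY[pair]:
            return "deny", f"{cls} not permitted {pair[0]} -> {pair[1]}"
        if cls in ("icmp", "snmp") and self.is_sweep(t, src, cls, dst):
            return "deny", f"{cls} sweep from {src}"
        return "permit", cls


def zone_demo():
    """Constructed flows: an EWS at 192.168.1.50, a controller at 10.20.20.5, a scanner at 192.168.1.77."""
    fw = ZoneFirewall()
    out = {}
    out["ews_class3"] = fw.decide(0.0, "tcp", "192.168.1.50", "10.20.20.5", 44818)
    out["ews_class1"] = fw.decide(0.0, "udp", "192.168.1.50", "10.20.20.5", 2222)
    out["ews_ping"] = fw.decide(1.0, "icmp", "192.168.1.50", "10.20.20.5")
    out["ews_snmp"] = fw.decide(1.0, "udp", "192.168.1.50", "10.20.20.5", 161)
    out["plc_to_server"] = fw.decide(2.0, "tcp", "10.20.20.5", "192.168.1.10", 44818)
    out["oem1_to_oem2"] = fw.decide(2.0, "tcp", "10.20.20.5", "172.16.30.5", 44818)
    # ping sweep across 10.20.20.1-6, one host per second; the sixth host crosses the threshold
    out["ping_sweep"] = [fw.decide(3.0 + i, "icmp", "192.168.1.77", f"10.20.20.{i + 1}")[0] for i in range(6)]
    return out


if __name__ == "__main__":
    for name, verdict in zone_demo().items():
        print(f"{name:14s} {verdict}")
```

The sweep counter deliberately keys on (source, class): a single ping to each of six controllers from one workstation in ten seconds is what a scanner does and what an HMI does not, while the same workstation polling one controller repeatedly never trips it.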
 24. Architectural Security Framework – Network Device Resiliency
     • Distribution switches typically provide first-hop (default gateway) redundancy:
       • StackWise (Catalyst 3750X), stack management
       • Hot Standby Router Protocol (HSRP)
       • Virtual Router Redundancy Protocol (VRRP)
       • Gateway Load Balancing Protocol (GLBP)
     Figure: Catalyst 3750X switch stack as HSRP active / HSRP standby, with Catalyst 3560 access switches below.
 25. Key Takeaways
     • Align with Industrial Automation and Control System security standards: DHS external report INL/EXT-06-11478, NIST 800-82, ISA/IEC-62443 (formerly ISA-99)
     • Implement a holistic Defense-in-Depth approach: no single product, methodology or technology fully secures IACS networks
     • Establish an open dialog between the Industrial Automation and IT groups
     • Establish an industrial security policy, distinct from and in addition to the enterprise security policy
     • Establish an IDMZ between the Industrial and Enterprise Zones
     • Work with trusted partners knowledgeable in automation and security
     • "Good enough" security now is better than "perfect" security ... never. (Tom West, Data General)
 26. Additional Material – ODVA
     • Website: http://www.odva.org/
     • Securing EtherNet/IP Networks: http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00269R0_ODVA_Securing_EtherNetIP_Networks.pdf
 27. Additional Material – Industrial Security Resources
     http://rockwellautomation.com/security – Security Technology, Security FAQ, Assessment Services, Security Resources, Reference Architectures, Security Services, Leadership & Standards, MS Patch Qualification, Security Advisory Index
     Contact: secure@ra.rockwell.com
 28. Additional Material
     • Websites
     • Reference Architectures
       • Design Guides
         • Converged Plant-wide Ethernet (CPwE)
         • CPwE Resilient Ethernet Protocol (REP)
       • Application Guides
         • Fiber Optic Infrastructure Application Guide
         • Wireless Design Considerations for Industrial Applications
       • Whitepapers
         • Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
         • Securing Manufacturing Computer and Controller Assets
         • Production Software within Manufacturing Reference Architectures
         • Achieving Secure Remote Access to Plant-floor Applications and Data
         • Design Considerations for Securing Industrial Automation and Control System Networks
 29. Additional Material – Training & Certifications
     • http://www.cisco.com/web/learning/training-index.html – ICND1, ICND2
 30. Additional Material – www.industrial-ip.org
     • A new 'go-to' resource for educational, technical and thought-leadership information about industrial communications
     • Standard Internet Protocol (IP) for industrial applications
     • A coalition of like-minded companies
 31. We care what you think! (session survey, as on slide 2)
 32. www.rsteched.com – Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.
     Design Considerations for Securing EtherNet/IP Networks