Industrial Demilitarized Zone Design Principles
There are many organizations and standards bodies that recommend separating the enterprise zone from the industrial zones by utilizing an industrial demilitarized zone (IDMZ). This session will describe and demonstrate the basic principles and strategies of designing an IDMZ to separate these two zones. Attendance of the Design Considerations for Securing EtherNet/IP Networks session is recommended.

Industrial Demilitarized Zone Design Principles Presentation Transcript

  • 1. Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. PUBLIC INFORMATION Industrial Demilitarized Zone Design Principles Jason J. Dely, CISSP, CISM Principal Security Consultant, Network & Security Services jdely@ra.rockwell.com
  • 2. Course Description
      • There are many organizations and standards bodies that recommend separating the enterprise zone from the industrial zones by utilizing an industrial demilitarized zone (iDMZ).
      • This session will describe the basic principles and strategies of designing an iDMZ to separate these two zones.
      • A prior understanding of general Ethernet concepts, or attendance of the Fundamentals of EtherNet/IP session, is recommended.
  • 3. Agenda: Methodology; What is a DMZ?; Network Segmentation
  • 4. Industrial Network Convergence: Continuing Trend. EtherNet/IP: Enabling/Driving Convergence of Control and Information. [Diagram: Traditional 3-Tier Industrial Network Model beside the Converged Plantwide EtherNet/IP Industrial Network Model. Labels: Corporate Network; Back-Office Mainframes and Servers (ERP, MES, etc.); Office Applications, Internetworking, Data Servers, Storage; Control Network Gateway; Industrial Network; Supervisory Control; Human Machine Interface (HMI); Controller; Safety Controller; Safety I/O; I/O; Sensors and other Input/Output Devices; Motors, Drives, Actuators; Robotics; Camera; Phone.]
  • 5. Industrial Network Convergence: Continued Trend, Demilitarized Zone (DMZ). [Diagram: Converged Plantwide EtherNet/IP Industrial Network Model with a DMZ between the Corporate Network and the Industrial Network. DMZ labels: Firewalls for separation (Active, Standby, Link for Failover); Unified Threat Management; Authentication & Authorization; Application & Data Sharing via replication or terminal services; Patch Management; Remote Access Services; Application Mirrors; Anti-Virus Servers.]
  • 6. Demilitarized Zone (DMZ)
      • Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.
      • [Diagram labels: UNTRUSTED (Internet); BROKER (DMZ, Web Proxy); TRUSTED.]
  • 7. Controlling Access to the Manufacturing Zone: No Direct Traffic Flow from Enterprise to Manufacturing Zone. [Diagram labels, by zone:]
      • Enterprise Zone: Level 5, Enterprise Network; Level 4, Site Business Planning and Logistics Network (E-Mail, Intranet, etc.); Router.
      • DMZ (between two firewalls): Terminal Services; Patch Management; AV Server; Historian Mirror; Web Services Operations; Application Server.
      • Manufacturing Zone: Level 3, Site Manufacturing Operations and Control (FactoryTalk® Application Server; FactoryTalk Directory; Engineering Workstation; Domain Controller).
      • Cell/Area Zone: Level 2, Area Supervisory Control (FactoryTalk Client; Operator Interface; Engineering Workstation); Level 1, Basic Control (Batch Control; Discrete Control; Drive Control; Continuous Process Control; Safety Control); Level 0, Process (Sensors; Drives; Actuators; Robots).
      • Traffic labels: Web; E-Mail; CIP.
  • 8. Agenda: Methodology; What is a DMZ?; Network Segmentation
  • 9. Methodology
      • Develop a scientific method to develop repeatable, measurable and maintainable solution(s)
      • Look at the problem “holistically” and drill down to each system
  • 10. DMZ / Network Reconnaissance (Design Pre-work)
      • Identify Assets or Asset Classes: Identify “types” of assets in the Manufacturing Zone and those that support Manufacturing. ACTION: Document assets by documentation, interviews and network scanning.
      • Identify Asset Owners: Identify “who” owns the hardware and software on the asset. ACTION: Document asset owners and schedule interviews.
      • [Phase diagram labels: Recon Phase; Design Phase; Requirements Phase; Architectural Phase; Tech. Design Phase; Implement; Maintain.]
  • 11. Classify Asset Types
      • Goal: Identify assets that support the manufacturing process.
      • Goal: Identify if an asset belongs in the Mfg. or Enterprise Zone.
  • 12. Diagram Data Sources Feeding Higher Level Assets
  • 13. Identify System Owners / Users
  • 14. Interview Process
      • Interview process identifies how the owners and clients of the assets: Operate; Configure; Patch; Upgrade
      • Identifies where the data is produced and consumed
      • This process is used to gather requirements
  • 15. DMZ / Network Design Methodology
      • Requirements Phase: Requirements are a statement identifying a capability, physical characteristic or quality factor that bounds a product or process problem for which a solution will be pursued. (Source: IEEE Standard 1220-1994) ACTION: Interview all system owners to gather requirements for operations, configuration and maintenance.
      • Architectural Phase: High level architectural recommendations that are proposed to meet the customer requirements. ACTION: Produce high level documentation and drawings to meet every requirement.
      • Technical Design Phase: Detailed information, usually written by the coder or implementer, that describes how the system or product will be programmed and configured to meet the customer requirements and the high level architecture. ACTION: Produce detailed documentation such as drawings, switch configurations, VLAN, IP address, firewall ACLs.
      • Implementation: The system components are brought together and tested during this phase per the testing plan. ACTION: Verify (“was the product built right”) and Validate (“was the right product built”) process.
      • Maintain: System has been Verified and Validated and is maintained by Operations and Maintenance. ACTION: Modify configurations and assets to fix anomalies or required operational changes.
  • 16. High Level Architecture
  • 17. How to Derive High Level Architecture. No Control Protocols Through the Firewall(s). [Diagram labels: Enterprise; Industrial DMZ; Manufacturing; Actor; Historian Client; MES; QC Systems; Order Entry.]
  • 18. Move the Assets Around to Minimize Cross Zone Traffic, Especially Control Protocols. [Diagram labels: Enterprise; Industrial DMZ; Manufacturing; Actor; Historian Client; MES; QC Systems; Order Entry; Historian; Historian Mirror; Data Proxy.]
  • 19. High Level Architecture: Review All Use Cases and Meet All Requirements. Remote Desktop Gateway Use Case: Configure Historian from Enterprise
  • 20. High Level Architecture: Review Use Cases. Historian Mirror Use Case: Move Data From Manufacturing Historian to Enterprise Historian
  • 21. DMZ / Network Design Methodology
      • Requirements Phase: Requirements are a statement identifying a capability, physical characteristic or quality factor that bounds a product or process problem for which a solution will be pursued. (Source: IEEE Standard 1220-1994) ACTION: Interview all system owners to gather requirements for operations, configuration and maintenance.
      • Architectural Phase: High level architectural recommendations that are proposed to meet the customer requirements. ACTION: Produce high level documentation and drawings to meet every requirement.
      • Technical Design Phase: Detailed information, usually written by the coder or implementer, that describes how the system or product will be programmed and configured to meet the customer requirements and the high level architecture. ACTION: Produce detailed documentation such as drawings, switch configurations, VLAN, IP address, firewall ACLs.
      • Implementation: The system components are brought together and tested during this phase per the testing plan. ACTION: Verify (“was the product built right”) and Validate (“was the right product built”) process.
      • Maintain: System has been Verified and Validated and is maintained by Operations and Maintenance. ACTION: Modify configurations and assets to fix anomalies or required operational changes.
  • 22. Agenda: Methodology; What is a DMZ?; Network Segmentation
  • 23. Manufacturing Zone: Architecture to support DMZ
      • Division of plant into functional areas for secured access
      • ISA-SP99 “Zones and Conduit” model
      • OEMs' participation: IP address; VLAN IDs
      • Access layer to Distribution layer cooperation
      • System design requires full cooperation of all System Integrators, OEMs, IT and Engineering
  • 24. Control Systems are Designed with Availability Requirement First! [Network architecture diagram labels, by zone:]
      • Enterprise Zone, Levels 4 and 5: ERP, Email, Wide Area Network (WAN).
      • Demilitarized Zone (DMZ): Firewall (Active); Firewall (Standby); Gbps Link for Failover Detection; Cisco ASA 5500; Patch Management; Terminal Services; Application Mirror; AV Server.
      • Industrial Zone, Site Operations and Control, Level 3: FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager); FactoryTalk Services Platform (Directory, Security/Audit); Data Servers; Remote Access Server; Network Services (DNS, DHCP, syslog server; network and security mgmt); Catalyst 6500/4500; Cisco Catalyst Switch; Catalyst 3750 StackWise Switch Stack.
      • Cell/Area Zones, Levels 0–2: Cell/Area #1, #2, #3; Rockwell Automation Stratix 8000 Layer 2 Access Switch; Controller; Drive; HMI; I/O.
      • VLANs: 41, 42, 43, 44, 101, 102, 103, 104, 105.
      • Legend: Layer 2 Access Link; Layer 2 Interswitch Link / 802.1Q Trunk; Layer 3 Link; Data Link / Network Layers; Security; Availability.
  • 25. Structure and Hierarchy. Network Segmentation: Building Block for Availability
      • The Cell/Area zone is a Layer 2 network for a functional area of the plant floor. Key network considerations include:
          • Structure and hierarchy using smaller Layer 2 building blocks
          • Logical segmentation for traffic management and policy enforcement to accommodate time-sensitive applications
      • [Diagram labels: Cell/Area Zones, Levels 0–2 (Level 0 Drive, Level 1 Controller, Level 2 HMI); Layer 3 Distribution Switch (Catalyst 3750 StackWise Switch Stack), Layer 3 Building Block; Layer 2 Access Switch (Rockwell Automation Stratix 8000), Layer 2 Building Blocks; Media & Connectors; Cell/Area Zone #1: Redundant Star Topology, Flex Links Resiliency; Cell/Area Zone #2: Ring Topology, Resilient Ethernet Protocol (REP); Cell/Area Zone #3: Bus/Star Topology; Controller; Drive; HMI; I/O; Security; Availability.]
  • 26. Machine Types: Building Blocks for Security Specifications
      • Availability Requirements
      • Networking, Routing
      • Information Requirements
      • Interfaces
      • Controller data structure
      • Security Requirements (C,I,A)
      • Machine or Cell Level Interfaces: Historian; OS Patch; AV Server; Workstations; Remote Session Hosts; HMI Servers
      • [Diagram labels: Cell/Area Zones, Levels 0–2; Rockwell Automation Stratix 8000 Layer 2 Access Switch; Catalyst 3750 StackWise Switch Stack; Cell/Area Zone #1: Redundant Star Topology, Flex Links Resiliency; Cell/Area Zone #2: Ring Topology, Resilient Ethernet Protocol (REP); Cell/Area Zone #3: Bus/Star Topology; Controller; Drive; HMI; I/O; Security; Availability.]
  • 28. Questions? www.rsteched.com. Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn. PUBLIC INFORMATION
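
Slides 7, 17 and 18 state two rules that the firewall ACLs from the technical design phase must uphold: no direct traffic flow between the Enterprise and Manufacturing zones, and no control protocols through the firewall(s). The following is an added example, not part of the presentation, that audits a proposed flow matrix against both rules. The asset inventory, zone assignments and application ports are constructed for illustration; the EtherNet/IP port numbers are the IANA-registered ones and do not appear on the slides.

```python
from dataclasses import dataclass

# IANA-registered EtherNet/IP (CIP) ports; not stated on the slides.
CONTROL_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

@dataclass(frozen=True)
class Flow:
    src: str    # asset that initiates the connection
    dst: str    # asset that receives it
    proto: str
    port: int

def audit(flows, zone_of):
    """Return {flow: [reasons]} for every flow that breaks an IDMZ rule."""
    findings = {}
    for f in flows:
        zones = {zone_of[f.src], zone_of[f.dst]}
        if len(zones) == 1:
            continue  # traffic inside one zone never touches the IDMZ firewalls
        reasons = []
        if zones == {"enterprise", "manufacturing"}:
            reasons.append("direct enterprise/manufacturing flow, no IDMZ broker")
        if (f.proto, f.port) in CONTROL_PORTS:
            reasons.append("control protocol crosses a zone boundary")
        if reasons:
            findings[f] = reasons
    return findings

# Constructed inventory: asset names follow slides 17-19, zones and ports are illustrative.
ZONES = {
    "historian_client": "enterprise", "mes": "enterprise",
    "historian_mirror": "dmz", "rd_gateway": "dmz",
    "historian": "manufacturing", "controller": "manufacturing",
}
BEFORE = [  # slide 17 style: enterprise assets reach straight into manufacturing
    Flow("historian_client", "historian", "tcp", 8443),
    Flow("mes", "controller", "tcp", 44818),
    Flow("historian", "controller", "tcp", 44818),  # same zone, not a finding
]
AFTER = [   # slide 18 style: every cross-zone flow terminates in the IDMZ
    Flow("historian", "historian_mirror", "tcp", 8443),
    Flow("historian_client", "historian_mirror", "tcp", 8443),
    Flow("historian_client", "rd_gateway", "tcp", 443),
    Flow("rd_gateway", "historian", "tcp", 3389),
    Flow("historian", "controller", "tcp", 44818),
]

if __name__ == "__main__":
    for name, flows in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(flows, ZONES) or "no findings")
```

The same check can run against the flow list produced from the owner interviews before any ACL is written, so violations surface in the architectural phase rather than during implementation.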