Integrated Architecture Tools for Securing your Control System

Learn how you can reduce risk and enhance protection of your industrial control system against security threats. Discussion and demonstration will focus on practical recommendations for installing, commissioning and improving the security of Integrated Architecture including new capabilities in Logix controllers and how to use FactoryTalk Security to control user access to key assets and information.


Presentation Transcript

  • Integrated Architecture® Tools for Securing your Control System (Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. PUBLIC INFORMATION)
  • Cyber Security in the News (three slides)
  • Security Threat Vectors
    - Unintended employee actions
    - Theft
    - Unauthorized actions by employees
    - Unauthorized access
    - Denial of Service
    - Application of patches
    - Unauthorized remote access
    - Natural or man-made disasters
    - Sabotage
    - Worms and viruses
  • Security Comes from Defense-in-Depth
  • Connected Enterprise
    - Big Data & Analytics: machine data is expected to grow by a factor of >15; unlock latent value by contextualizing and analyzing data "hidden" in devices throughout the plant
    - Cloud & Virtualization: shift from CapEx to flexible & scalable OpEx; enables IT functionality off-premise for improved reliability, support, and disaster recovery
    - Mobility & BYOD: the workforce is mobile during a typical work day; access to actionable information at your fingertips anytime, anywhere, regardless of device
    - Information Technology (IT) influence is increasing in automation buying decisions
  • Tools for a Secure Network: Converged Plant-wide Ethernet (CPwE) Reference Architectures (diagram)
    - Enterprise Zone (Levels 4-5): enterprise WAN
    - Industrial Demilitarized Zone (IDMZ): plant firewalls (active and standby, Cisco ASA 5500) and physical or virtualized servers for patch management, remote gateway services, application mirror and AV server
    - Level 3 Site Operations, Level 2 Area Supervisory Control, Level 1 Controller, Level 0 Process: controllers, I/O, drives, soft starters, MCC, HMI and FactoryTalk clients on Catalyst 3750 StackWise switch stacks and Catalyst 6500/4500 switches
    - Security measures shown: network device resiliency; VLANs segmenting domains of trust; standard DMZ design best practices; network infrastructure access control and hardening; physical port security; plant firewall with inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, and portal and terminal server proxy; AAA (application authentication server, Active Directory (AD), remote access server, network AAA); client hardening; network status and monitoring; controller hardening and physical security; Unified Threat Management (UTM); encrypted communications
  • Tools for a Secure Network: Network Segmentation
    - Not Recommended: enterprise-wide and plant-wide networks with no separation, or separated only by a switch with VLANs
    - Recommended, Good: a router (zone-based firewall) between the plant-wide and enterprise-wide networks
    - Recommended, Better: a firewall between the plant-wide and enterprise-wide networks
    - Recommended, Best: an Industrial Demilitarized Zone (IDMZ) between the plant-wide and enterprise-wide networks
  • Tools for a Secure Network: Network and Security Services lifecycle: Assess, Design, Implement, Validate, Manage
  • Tools for a Secure Network: The Stratix™ Portfolio, addressing the needs of Automation and IT
    - Products that offer: Layer 2 and Layer 3 switching for simple to complex network applications; advanced security services; plant-floor and enterprise integration
    - Technology that offers: advanced switching, routing & security features; common tools for Controls & IT; improved maintainability & operations
  • Tools for a Secure Network: The Stratix Portfolio, designed & developed for industrial EtherNet/IP applications
    - Optimize network performance
      - QoS (Quality of Service): default configurations are set to ODVA standards for EtherNet/IP industrial applications, covering discrete, motion, safety and process applications
      - IEEE 1588 (CIP Sync): the ODVA implementation of the IEEE 1588 precision time protocol ensures performance when connecting EtherNet/IP devices
    - Simplify design, deployment and maintainability
      - DHCP per port: assign a specific IP address to each port, ensuring that the device attached to a given port always gets the same IP address
      - Broken Wire Detection: detect cabling problems such as open, broken, cut or shorted twisted-pair wires, with status available in Logix
      - Network Address Translation (NAT): a 1:1 IP address translation to help segment machine-level network devices from the plant network; translate only the devices that need to be visible to the plant network
  • Tools for a Secure Network: Stratix 5100™ Wireless Access Point. The Stratix 5100 enables IP-based communications, like EtherNet/IP, via wireless media using the 802.11a/b/g/n wireless standard. Additional features include:
    - 3x4 MIMO (multiple-input multiple-output) technology with 3 spatial streams
    - Dual-band 2.4 GHz / 5 GHz radios
    - Default configuration for QoS on EtherNet/IP
    - Enterprise-class silicon and optimized radios deliver a robust mobility experience
    - Security: 802.11i, Wi-Fi Protected Access 2 (WPA2), WPA; 802.1X; Advanced Encryption Standard (AES), Temporal Key Integrity Protocol (TKIP)
    - See the Wireless Design Guide for Industrial Wireless Applications
  • Tools for a Secure Network: Stratix 5900™ Layer 2 & Layer 3 Services Router
    - Premier routing and security services for Layer 2 or Layer 3: router + firewall, Virtual Private Network (VPN), Network Address Translation (NAT), Access Control Lists (ACL), Intrusion Prevention System (IPS)
    - Connections: 1 Gigabit WAN, 4 Fast Ethernet
    - Industrially hardened, DIN rail mountable
    - Ideal for site-to-site connections, cell/zone area firewall & OEM integration
  • Tools for a Secure Network: Stratix 5900 Layer 2 & Layer 3 Services Router (deployment diagram)
    - Enterprise Zone, Levels 4 & 5 (Data Center): enterprise-wide business systems
    - Level 3.5: IDMZ
    - Industrial Zone, Level 3 (Site Operations): plant-wide / site-wide operation systems on physical or virtualized servers: FactoryTalk application servers & services platform; network services, e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; storage array
    - Levels 0-2: Cell/Area Zones
    - Three Stratix 5900 placements: 1) site-to-site connection to Remote Site #1; 2) cell/area zone firewall for Local Cell/Area Zone #1; 3) OEM integration of Local OEM Skid / Machine #1
  • Tools for a Secure Network: Stratix 8000™ & Stratix 8300™ Layer 2 & Layer 3 Modular Managed switches
    - Configurable up to 26 ports: base unit with 6 or 10 ports plus expansion modules (copper, fiber, SFP & PoE)
    - SFP for multi-mode and single-mode fiber; wide variety of SFPs available
    - Power over Ethernet (PoE): PoE & PoE+ port configurable
    - CompactFlash card stores configuration and IOS for easy device replacement
    - Advanced feature set to address EtherNet/IP applications, security, resiliency & redundancy
    - Operating temperature: -40 ºC to 60 ºC
    - Ports: data ports 10/100 copper; dual-purpose uplink ports 10/100/1000 copper or SFP; SFP fiber transceivers 100M and 1G, multimode and singlemode
  • Tools for a Secure Network: Stratix 5700™ Family Layer 2 Managed Fixed Port switches
    - 3 base platforms offering 20 configurations: 6, 10 & 20 port base units; 2 Gig port option; combo ports can be either copper or SFP
    - SFP slots support multi-mode and single-mode fiber; wide variety of SFPs available
    - SecureDigital (SD) flash card (optional) stores the configuration and IOS of the switch for backup
    - Two software packages: Lite & Full versions
    - Advanced feature set: same feature set as the Stratix 8000, integrated NAT functionality, simple static routing
    - Power over Ethernet (PoE): PoE & PoE+ port configurable
  • Stratix 5700 Demo
  • Tools for a Secure Application: FactoryTalk® AssetCentre Auditing
    - Centrally collect records of all interactions with the control system
  • Tools for a Secure Application: Controller Change Detection
    - Every Logix PAC™ exposes a Change Detection Audit Value
    - When something happens that can impact the behavior of the controller, the value changes
    - The Audit Value is available in RSLogix™ 5000 and Studio 5000 Logix Designer™, in other software applications, and in other controllers via a message instruction
    - The set of events that causes the Audit Value to change can be configured
  • Tools for a Secure Application: Controller Change Detection (continued)
    - The Audit Value is stored in every Controller Log entry
    - FactoryTalk® AssetCentre (in version 4.1) can monitor the Audit Value and read in the Controller Log
  • Change Detection Demo
  • Tools for a Secure Application: Data Access Control
    - External Access attribute (Read/Write, Read Only, or None): controls which tags can be modified from an HMI or other external application
    - Constant attribute: controls which tags can be modified by controller logic
    - Changes to Constants bump the Audit Value
    - FactoryTalk Security can control permission to change Constants
  • Data Access Control Demo
  • Tools for a Secure Application: FactoryTalk Security
    - Use FactoryTalk Security to manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation software applications to access automation devices
    - How does it work? It provides a centralized authority (the FactoryTalk Directory, used by all FactoryTalk Security enabled software) to verify the identity of each user and grant or deny the user's requests to perform a particular set of actions on resources within the system: authenticate the user; authorize use of applications; authorize access to specific devices
  • Tools for a Secure Application: FactoryTalk Security. Administrators can manage:
    - User accounts (Windows or FactoryTalk)
    - User groups (custom group or role, or Windows group)
    - Computers and computer groups
    - System policies, product policies and product actions
  • Tools for a Secure Application: FactoryTalk Security, Security Authority binding (diagram). A Logix 5000 project is bound to a Security Authority ID (ID = 795D5EF-12...). PC #1, whose FactoryTalk Services Security Administration has ID = 795D5EF-12..., connects to the controller over EtherNet/IP and the IDs match; PC #2, whose Security Administration has ID = A73R5CG-89..., does not match.
  • FactoryTalk Security Demo
  • Putting it Together: Secure Remote Access, Good, Better, Best
    - Risk/Threat: unauthorized remote access; worms and viruses; theft; sabotage. Cost: lost $$$, unplanned downtime, quality issues and brand image
    - Scenario / Recognizing an Issue: an employee, or a 3rd party, needs access to the control system from a network outside the production zone to assist in troubleshooting and maintenance
    - Good Solution: Stratix 5900
    - Better Solution: Good solution + expanded technical enforcement of the security perimeter using FactoryTalk Security
    - Best Solution: Better solution + expanded technical enforcement of the security perimeter through the implementation of Remote Access Gateways within an Industrial DMZ
  • Putting it Together: Unintended Action Protection, Good, Better, Best
    - Risk/Threat: unintended employee actions; unauthorized actions by employees. Cost: lost $$$, damage to product or assets
    - Scenario / Recognizing an Issue: a contractor connecting to the plant network to make a change or integrate a new line causes downtime by introducing a virus or unintentional configuration changes
    - Good Solution: detect unauthorized changes with the change detection Audit Value; use managed switches to segment the architecture with VLANs; scan contractor devices
    - Better Solution: Good solution + enforce VLAN access with Access Control Lists
    - Best Solution: Better solution + limit access with FactoryTalk Security with Security Authority Binding enabled
  • Industrial Security Resources
    - Security-enhanced Products and Technologies: Rockwell Automation products and technologies with security capabilities that help increase overall control system-level security. http://www.rockwellautomation.com/security
    - EtherNet/IP Plantwide Reference Architectures: control system validated designs and security best practices that complement recommended layered security / defense-in-depth measures. http://www.ab.com/networks/architectures.html
    - Network & Security Services (NSS): RA consulting specialists that conduct security risk assessments and make recommendations for how to avert risk and mitigate vulnerabilities. http://www.rockwellautomation.com/services/security
  • Industrial Security Landing Pad, http://rockwellautomation.com/security (screenshot). Links shown: Assessment Services, Security Technology, Security FAQ, Security Resources, Reference Architectures, Security Services, Leadership & Standards, MS Patch Qualification, Security Advisory Index, and secure@ra.rockwell.com with its Pretty Good Privacy (PGP) public key
  • We care what you think! Please take a couple of minutes to complete a quick session survey to tell us how we're doing. On the mobile app: 1. Locate the session using Schedule or Agenda Builder; 2. Click on the thumbs-up icon in the lower right corner of the session detail; 3. Complete the survey; 4. Click the Submit Form button. Thank you!!
  • Questions? www.rsteched.com. Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn. PUBLIC INFORMATION
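The Audit Value monitoring described on the Controller Change Detection slides (poll the Change Detection Audit Value, then read the Controller Log, which stores the Audit Value with every entry, to see who made each change) as an added example; this is not Rockwell Automation's code, and the log entries, their field names, the polled values and the set of authorized users are constructed assumptions.

```python
# Added example (not Rockwell Automation code): correlate polled Logix
# Change Detection Audit Values with Controller Log entries.
from dataclasses import dataclass

@dataclass(frozen=True)
class LogEntry:
    when: str          # timestamp of the Controller Log entry (assumed field)
    audit_value: int   # the Audit Value stored with every log entry
    user: str          # user recorded for the entry (assumed field)
    event: str         # description of the change (assumed field)

# Constructed sample Controller Log; values are made up for the example.
CONTROLLER_LOG = [
    LogEntry("2014-06-10T08:00:00", 0x1A2B, "maint01", "Program download"),
    LogEntry("2014-06-10T09:15:00", 0x1A2C, "eng02", "Online edit accepted"),
    LogEntry("2014-06-10T11:40:00", 0x1A2D, "contractor7", "Constant tag changed"),
]

# Audit Values read on successive polls (e.g. by AssetCentre or by a MSG
# instruction in a supervisory controller); constructed sample data.
POLLED_AUDIT_VALUES = [0x1A2B, 0x1A2B, 0x1A2C, 0x1A2D, 0x1A2E]

# Users expected to change this controller; an assumption for the example.
AUTHORIZED_USERS = {"maint01", "eng02"}

def audit_transitions(values):
    """Return (previous, new) pairs for every poll where the Audit Value moved."""
    return [(p, n) for p, n in zip(values, values[1:]) if p != n]

def explain_changes(values, log, authorized):
    """Map each Audit Value transition to the log entry carrying the new value.
    Verdicts: 'authorized', 'unauthorized' (user outside the allowed set) or
    'unexplained' (no entry: log cleared, or the change was not logged)."""
    by_value = {e.audit_value: e for e in log}
    findings = []
    for prev, new in audit_transitions(values):
        entry = by_value.get(new)
        if entry is None:
            verdict = "unexplained"
        elif entry.user in authorized:
            verdict = "authorized"
        else:
            verdict = "unauthorized"
        findings.append((prev, new, verdict, entry))
    return findings

if __name__ == "__main__":
    for prev, new, verdict, e in explain_changes(POLLED_AUDIT_VALUES, CONTROLLER_LOG, AUTHORIZED_USERS):
        detail = f"{e.user}: {e.event} at {e.when}" if e else "no matching log entry"
        print(f"{prev:#06x} -> {new:#06x}  {verdict:12s} {detail}")
```

An "unexplained" verdict is the case worth alerting on first: the controller changed but the log offers no record of who did it.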