Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco

Transcription

1 Secure Access into Industrial Automation and Systems Industry Best Practice and Trends Serhii Konovalov Venkat Pothamsetty Cisco

2 Vendor offers a remote firmware update and PLC programming. Contractor asks for access to SCADA from pipeline pump station Available industrial security guidelines do not detail Secure Access 2

3 Agenda Risks and Benefits Secure Remote Access into an IACS Secure Local Access into an IACS Secure Direct Access enabled by NAC Summary 3

4 Remote and Local Access Parties Authorized employees, contractors, vendors External Security Center Standalone Remote Embedded Device Remote Center And others. Do not forget Portable Storage Media 4

5 Cyber Security Risks Unauthorized/Unknown Access Inability to Limited Access Malicious and Mobile Code Accidental Misconfiguration Disgruntled Insiders 5

6 Business Risks Loss of Revenue Unanticipated Costs Fines Due to Violation of Legal and Regulatory Requirements Safety Incident Adverse Press Coverage 6

7 7

8 Level 4 Cisco Secure Architecture for IACS ISA SP95 and SP99 Si Si Corporate/ Business Network VPN/SSL Concentrator Internet/ Intranet/ PSTN/WAN Level 5 Level 3.5 (DMZ) LAN/WAN ASA 5500 Cisco Security Manager Access Server CS-MARS Level 3 Level 2 Level 1 Level 8 0 8

9 Business Benefits Reduce Total Cost of Ownership Improve Operational Efficiency Low-cost External Manufacturing and Engineering Support Mobile Workers Reduce Errors of Manual Input Regulatory Compliance: Logging, Audit and Reporting of Access Attempts 9

10 Agenda Risks and Benefits Secure Remote Access into an IACS Secure Local Access into an IACS Secure Direct Access enabled by NAC Summary 10

11 11

12 DMZ Principles Disconnect Point Terminal Services Patch Mgmt. AV Server Decryption and Inspection L2 Segmentation (PVLANS) Historian Web Services Operations No Pass Through Direct Traffic Disconnect Point 12

13 Other DMZ considerations of RA Client Less VPN Role Based Access Bandwidth Adjustment Intrusion Protection Split tunneling should be avoided RDP Session Recording (metadata analytics) 13

14 Options of Secure Remote Access Type 1: SSL VPN and WEB Portal Type 2: Service-Oriented RA Type 3: Corporate IT best-practice RA 14

15 DMZ Architecture for unmanaged devices Type 1. SSL VPN/Web portal TS Emulation by ASA Corporate Network DMZ VLAN 1 DMZ VLAN 3 DMZ VLAN 4 Adaptive Security Appliance (ASA) Network 15

16 DMZ Architecture for unmanaged devices Type 1. SSL VPN/Web portal No need for a Terminal Server Only SSL VPN mode Protocols doesn t pass through a DMZ firewall Available Single SignOn Terminal Session is not captured 16

17 DMZ - Exteneded control for unmnaged access Type 2. Service-Oriented RA Virtualized Machines Server Role-based VLAN Mapping Corporate Network 802.1q (VLAN 2,3,4) DMZ VLAN q (VLANs 2,3,4,5,6) Adaptive Security Appliance (ASA) DMZ VLAN 6 Network 17

18 DMZ - Extended control for unmanaged access Type 2. Service-Oriented RA IPSec and SSL VPNs All types of Authentication Granular Role-based Access Model Session Recording Single SignOn available (for TS Access) 18

19 DMZ Enhanced Architecture Type 3. Corporate IT RA Virtualized Machines Server Corporate Network 802.1q (VLAN 2,3,4) DMZ VLAN q (VLANs 2,3,4,5,6) Adaptive Security Appliance (ASA) DMZ VLAN 6 Network 19

20 DMZ Enhanced Architecture Type 3. Corporate IT RA Enhanced and adjusted version of Type 2 Corporate IT VPN Security Best Practice Security Policy Enforcement Quarantine and Remediate Managed and Unmanaged Endpoints 20

21 Agenda Risks and Benefits Secure Remote Access into an IACS Secure Local Access into an IACS Secure Direct Access enabled by NAC Summary 21

22 Level 4 Secure Local Access into an IACS Type 1. VPN-Based Local Access Si Si Corporate/ Business Network VPN/SSL Concentrator Level Corporate Applications 5 Unified Communications Level 3.5 (DMZ) LAN/WAN ASA 5500 Cisco Security Manager Access Server IPSec / SSL VPN Tunnel CS-MARS Level 3 User Traffic Level 2 Level 1 Level 220 Quality of Service Virtualization User Web-based authentication Dynamic ACL (IPSec and SSL only) Rate-Limit and QoS Enforcement 22

23 Secure Local Access into an IACS Type 2. Web-Portal Based Local Access Level 3 Multiple Functional Subzones Level 2 Remote Access VLAN to ASA ports interconnect low-speed WAN Production Supervisory Optimizing HMI Historian Site Operations and Supervisory Engineering Station HMI Area Supervisory Remote Zone Terminal Services/VNC Traffic Port Security QoS Smart Ports 23 Level 1 Level 0 Batch Discrete Optional Firewall and IDS Continuous Web-Portal / SSL VPN Terminal Services/VNC Emulation Hybrid Basic Process

24 Agenda Risks and Benefits Secure Remote Access into an IACS Secure Local Access into an IACS Secure Direct Access enabled by NAC Summary 24

25 Secure e Direct Access into an IACS Network Admission Level 3 Multiple Functional Subzones interconnect low-speed WAN Client Authentication Production Optimizing Historian Engineering Station Site Operations and Remote Zone Level 2 Supervisory HMI Supervisory HMI Area Supervisory Port Security QoS Smart Ports Level 1 Level 0 Batch Discrete Optional Firewall and IDS Continuous Hybrid Direct Access Traffic Basic Process 25

26 Network Admission (NAC) Authenticates clients (users and devices) before allowing network (wired/wireless) access Checks client devices for security policy compliance Running HIPS (e.g. CSA), AV, patch current? Clients that fail posture assessment placed on remediation VLAN Helps prevent infection of ICS by mobile devices NAC Profiler identifies devices and enforces roles PLC? Vendor laptop? Employee? Network admin? Role based VLAN assignment Appropriate for both DMZ (Remote access) and Zone (local access) 26

27 NAC Components The Appliance Deployed out of band in CZ for device and user role enforcement Deployed in band in DMZ to enforce remote access user roles NAC Profiler Collector runs on NAC Appliance The Profiler Server Resides in DMZ, works with multiple NAC Appliances The Manager Resides in DMZ, controls multiple NAC Appliances Device & user profiles specified on NAC Manager 27

28 NAC Profiler: Automated Profiling of Devices NAC Profiler PCs Non-PCs CZ Devices Printer AP PLC Discovery Monitoring Endpoint Profiling Discover all network endpoints by type and location Maintain real time and historical contextual data for all endpoints Behavior Monitoring Monitor the state of the network endpoints Detect events such as MAC spoofing, port swapping, etc. Automated process populates devices into the NAC Manager; and subsequently, into appropriate NAC policy 28

29 NAC Profiler Components NAC Profiler Server Aggregates all data from Collectors and manages database of endpoint information. Updates the Cisco NAC Appliance Manager, where roles are applied. Collector NAC Collector Gathers information about endpoints using SNMP, Netflow, DHCP, and active profiling Co resident with NAC Appliance Server 29

30 NAC Profiler Collector (NPC) Gathers information about the endpoints associated with that NAC Appliance (CAS) Information gathered includes data from SNMP, Network Traffic Analysis, and/or Active Profiling It s a PLC! Distributed Collector model allows many NPCs to work with a single NAC Profiler Server (NPS) NPC resides on NAC Appliance (CAS) 30

31 NAC Profiler and Collector Remote Location NAC Manager NAC API NAC Profiler Server (NPS) SPAN NAC Appliance with Collector (NPC) AAA Server May not be a DMZ Windows AD 31

32 In-Band NAC Deployment for Remote Access NAC Appliance deployed in-line between ASA and Switch Remote users authenticate to ASA, e.g. via SSL VPN NAC Appliance then enforces user role by granting user access to appropriate VLANs and preventing access to others. This would be the NAC deployment model in the DMZ where remote access to the control systems network is controlled. ASA NAC Appliance Protected DMZ Protected resources Resources in the DMZ 32

33 NAC Deployment Guidelines for IACS Profiler Guidelines Profile creation not trivial Easy when you have similar devices (ports, protocols) Architecture/Design Practice Out of band placement of the appliances (DMZ, Enterprise) In band placement problems and lessons Others Cost issues Configuration 33

34 Agenda Risks and Benefits Secure Remote Access into an IACS Secure Local Access into an IACS Secure Direct Access enabled by NAC Summary 34

35 Key takeaways Secure Access provides a clear value for organizations Different Secure Access options available to fit various needs NAC Enables Security for a Direct Access 35

36 36 THANK YOU...