Network & Security Services Rockwell Automation s Specialist team of Network & Security Specialists

Transcription

1 Network & Security Services Rockwell Automation s Specialist team of Network & Security Specialists Sonny Kailola Customer Support & Maintenance (CSM) Rev 5058-CO900D Copyright 2015 Rockwell Automation, Inc. All Rights Reserved.

2 The Connected Enterprise Copyright 2015 Rockwell Automation, Inc. All Rights Reserved.

3 Get the Right Information to the Right Person, at the Right Time - Securely Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. Operator View Simplify your machine operations Diagnostics where you need them Plant Management View Provide performance rollup View asset utilization/yields Maintenance View Keeping machines running in peak conditions increases OEE Identify root cause to minimize MTTR z 3

4 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. TRANSFORMATION INTEGRATED CONTROL AND INFORMATION ENABLER Common Secure Ethernet Infrastructure Automation Infrastructure Enterprise Infrastructure One Common Environment CONVENTIONAL: SEPARATE AUTOMATION & IT FUTURE: UNIFIED INFRASTRUCTURE

5 Manufacturing and IT Convergence Creating challenges and opportunities Business Innovation Model Technology Convergence Business Agility Competitive Advantage Business Model Innovation Network Convergence Organizational Convergence Cultural Convergence Wide Ethernet Deployment Increasing Business Pressures Copyright 2010 Rockwell Automation, Inc. All rights reserved. Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 5

6 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. Industrial Network Infrastructure Common Customer Pain Points Inefficiency Vulnerability Inflexibility Fear of Lock-In Low Competency in Market (automation/it) Networks Evolved over Time (never designed) High MTTR (issue identification/resolution) High Capital Expense Security is After Thought Aging Industrial Control Systems Commonly Reported Business Disruptions Evolving Industrial Security Standards Project Dependence upon IT Organization Lack of Scalable Architectures Legacy Asset Islands Too Much Data, Lack of Actionable Information Heterogeneous Control Environments New Technologies (e.g. Big data, mobile, cloud) Rapidly Evolving Proprietary Network Protocols Rapidly Evolving Industrial IT Environment

7 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 7 The Evolving, Persistent Security Threat Was the Internet ever designed to be secure? Was your plant-floor network ever designed? (if not how can it be secure?) Thieves are breaking into networks around the world, companies large and small, governments, agencies and industrial control systems (ICS) Technology that helped us grow is also a risk to keeping our company and our customers and partners confidential information safe. Traditional security controls are no longer enough We must respond to these fast growing cyber threats against us, our customers and eco-system partners.

8 The cost of Industrial Cyber Security* Cyber incidents cost US organizations: $558K in revenue losses $481K in brand damage $366K in compliance fines $174K in lost productivity DAY Incidents are costing US industry $6M per day or $20B per year. USA industrial cybersecurity maturity is ~5 years ahead Europe & ROW. Companies that implement cybersecurity best practices see the ROI 2½ times less likely to experience a major cyber attack 3½ times less likely to experience unplanned downtime * Source: Belden Industrial Ethernet Infrastructure Design Seminar. Greg Hale, the Editor and Founder of ISSSource.com. October 2012 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 8

9 Physical Layer - Installation Pitfalls It s strange to think that the same people that demand organization, efficiency, and strict adherence to application requirements Yet it happens all the time, in many industrial automation facilities. wouldn t demand the same standards in their plant floor level communication systems. Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 9

10 Critical Manufacturing Assets are at Risk to Downtime, Security, Performance Network Infrastructure 80%+ of network problems are physical installation issues 10 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved.

11 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 11 The Issues Best practices are not followed Unorganized, inefficient Poor cabling practice Difficult troubleshooting Poorly identified Security risks Reliability Thermal management Connectivity performance Power and grounding

12 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. What should an installation look like? Easier to maintain, manage, troubleshoot and upgrade In partnership with Panduit Eliminate Server sprawl Industrial Data Center

13 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. What s the #1 Issue with Industrial Networks? Most people think it s malicious attacks Viruses and malware Unauthorized access It s about latency not bandwidth But reality, it s starts with a poor (or never) designed network, poorly maintained physical infrastructure, legacy servers and operating systems and lack of traffic segmentation, creating latency and security issues! As a result customers are experiencing efficiency and flexibility issues that are hindering manufacturing performance and leaving ICS s vulnerable to problems! Inefficiency Vulnerability Inflexibility Fear of Lock-In

14 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 14 Network & Security Services Global Industry Trends/Direction Convergence of IT and manufacturing Real time information throughout manufacturing and enterprise Rapid adoption of Ethernet on the factory floor Security concerns managing risk Wireless, video, and voice intermixed with real time control on the manufacturing network infrastructure The Network & Security Services team is comprised of manufacturing Engineers and IT professionals. NSS can provide a family of services to assess, design, implement, validate and manage new and existing industrial control and information networks and the security technology, policies and procedures for those networks and the personnel that use them.

15 Network & Security Services: Life Cycle Approach to Services and Solutions ASSESS DESIGN IMPLEMENT VALIDATE MANAGE Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 15

16 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. Network and Security Services What we do! Agility Choice Reduced CapEx,OpEx and total cost of ownership Reduced Risk while Improving Overall Equipment Effectiveness (OEE) Reduced project dependence upon IT organization Long software lifecycle vs. short hardware lifecycle Network Scalability, Virtualization Economics, Reduction in Support Security without Sacrificing Productivity Bring new assets online in days vs. weeks Your Control System, Your Infrastructure

17 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. Why Rockwell Automation Network and Security Services (NSS) Differentiation Converged skill set of operational technology (OT) and information technology (IT) Experience across industrial control applications and networks Breadth of industry standard committee (ISA, NIST, INL, DHS ) participation Ability to address security risks without sacrificing productivity Full life cycle service offering with global delivery capability Network & Security Services For plant personnel, who need secure industrial infrastructure, NSS is a team of industrial automation and IT experts that assess, implement and support plant-wide network infrastructure. Unlike large IT vendors and resellers, we offer a comprehensive and tailored solution that balances both IT requirements and production goals of your company. Because Infrastructure Matters

18 Network and Security Service Global Capability Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. Product Manager Operations Business Development

19 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 19 Example Bio of Our Team Members Principal Network & Security Consultant, Network & Security Services CISSP (Certified Information Systems Security Professional) CISA (Certified Information Systems Auditor) ISO 27001:2005 Lead Auditor COBIT Foundation Certificate ITIL Foundation Certificate CCNP (CISCO Certified Networking Professional Security Certificate) CISCO IPS Specialist CISCO Firewall Specialist CISCO Information Security Specialist Additional Certs and Awards: CISCO SND: Securing Network Devices, CISCO SNRS: Securing Networks with Cisco Routers and Switches, CISCO SNPA: Securing Networks with PIX and ASA, CISCO CCNA: Certified Network Associate CISCO Systems Infrastructure and Ethical Hacking Instructor 5+ Years Industrial Control System Experience Network and Security Infrastructure Team Leadership and Project Management: o High Level Design/Low Level Design multi-sector: IACS and Critical Infrastructure, Data Centre, Internet Service Provider, Multi-Enterprise Sectors,, etc. Risk Management, Business Continuity & Disaster Recovery Planning, Incident Response (Government & multiple private sectors) Team Leader and Project Manager implementing and auditing ISO/IEC in multiple Government Units Team Leader implementing Secure Development Lifecycle in multiple Government Units SIEM (Security Information and Event Management) complex heterogeneous strategies & deployments across multiple public/private Sectors Offensive Penetration Tester and Security Assessments across multiple public/private Sectors Multi-Vendor deployment : CISCO, JUNIPER, Checkpoint, HP, Hirschmann, Fortinet, F5, ArcSight, Palo Alto Networks, Tipping Point, RSA, Bluecoat, etc.

20 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 20 Partner Relationships Strategic Alliances and Technologies Global systems technology integrator (STI) and service sub contract Global service sub contract and contract manufacturing agreement Global solution provider Global solution provider and OEM agreement Global reseller agreement Key technology partner of NSS team tools Several Security Service Relationships and Regional Partners

21 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. Today s Plant Floor - Reality Large installed base of proprietary networks Protocol converters prevalent Limited plant-floor segmentation or security Insecure Remote Access solutions Limited Governance - lack of policies and procedures Large installed base of aging server infrastructure & legacy operating systems No process for patching or endpoint anti-virus protection with negative impact to production Server sprawl (one application, running on one operating system on one server) Increasingly more applications to satisfy growing business requirements (i.e. production management, performance reporting, data historian, etc.) Lack of plant based on-site IT resource.

22 NSS helps customer s migrate from this.. Copyright 2015 Rockwell Automation, Inc. All Rights Reserved.

23 To This. Converged Plant-wide Ethernet (CPwE) ERP, , Wide Area Network (WAN) Enterprise Zone Levels 4 and 5 Patch Management Remote Gateway Services Application Mirror AV Server FactoryTalk Application Servers View Historian AssetCentre, Transaction Manager FactoryTalk Services Platform Racks Catalyst Patching 6500/4500 Cable Management Copper/Fiber Directory Remote Catalyst 3750 Security/Audit Data Servers Access Server Gbps Link for Failover Detection Firewall (Active) Firewall (Standby) Cisco ASA 5500 StackWise Switch Stack Demilitarized Zone (DMZ) Plant Firewall: Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Terminal Server proxy Industrial Zone Site Operations and Control Level 3 Network Services DNS, DHCP, syslog server Network and security mgmt Industrial Data Center (IDC) NSS Services Security Services Cell/Area Zones Levels 0 2 Copper, Fiber, Wireless Testers Network Discovery Protocol Statistics Drive Controller HMI I/O Cell/Area Zone #1 Redundant Star Topology Flex Links Resiliency I/O Rockwell Automation Stratix 8000 Layer 2 Access Switch Controller I/O HMI Drive Cell/Area Zone #2 Ring Topology Resilient Ethernet Protocol (REP) Physical Logical Common Framework Toolsets HMI I/O Cell/Area Zone #3 Bus/Star Topology Controller Drive End Device Control Panel Network Zone Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 23

24 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 24 Industrial Data Centers Replace Conventional Servers Virtualizing App s improves Security & Resiliency

25 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 25 What is the Industrial Data Center? Industry-leading partners collaborating with Rockwell Automation to help your business realize the benefits of virtualization through a pre-engineered, scalable infrastructure offering. Complete turn key solution including: Hardware Software Factory assembly On-site configuration Documentation TechConnect SM support Model Shown: E3000 Standard pre-engineered industrial solution to simplify deployment making commissioning and maintenance easier, scalable, and more supportable.

26 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 26 Value of the Industrial Data Center Save time and money One purchase delivers all necessary components Factory assembly Cabinet will always be assembled following best practices Reduced cost of ownership Virtualization decreases the server footprint Uptime Reliability Improve application availability with fault tolerance and automated fault recovery (high availability) Simplify Support One number to call for all your support needs, from people who understand automation

27 Cost (USD) Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 27 Why Virtualization? Reduce required IT administration and support Centralized management Ability to move virtual machines dynamically Transparent and seamless to end user Reduce the impact of downtime events Shrink physical server footprint and energy consumption Consolidation and improved server utilization Extend the software lifecycle Run legacy software on newer hardware Speed to deployment Rapid virtual machine creation $3,500,000 $3,000,000 $2,500,000 $2,000,000 $1,500,000 $1,000,000 $500,000 $- Total Cost of Ownership Initial Cost Partial Total Cost of Ownership: 5 years Traditional System, $2,872,388 Virtualization, $1,357,630 Full Total Cost of Ownership: 20 years Note: initial cost of virtualization is higher than traditional

28 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 28 Why Factory Assembly and On-Site Configuration? It saves you time and engineering resources. Consider the following: Status quo Design time engineering days Required specialty certifications / experience CCNA - Cisco VCP - Vmware Storage experienced engineers Final approval from IT Fabrication/test time Seven to eight days Requires trained technician With Industrial Data Center One order for all components that ships complete Upfront virtualization design confirmation Remote one day On-site configuration, commissioning support Three days plus travel

29 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 29 Industrial Data Center E2000 (Essentials) Resilient compute resources for small industrial data centers Supports up to 60 virtual machines VMware HA and FT Maximum 3 physical servers Maximum 75 disks USE CASE: Multiple Line/Small Plant 4 PASS/HMI servers FactoryTalk Batch FactoryTalk Historian FactoryTalk Asset Centre 15 Operator stations 5 Engineering Stations Domain controllers and other management services

30 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 30 Industrial Data Center E3000 (Essentials+) Fully redundant, fully scalable information infrastructure for the plant floor Supports up to 150 virtual machines VMware HA, FT and DRS Max 6 servers Max 100 disks USE CASE: Small/Large Plate Wide Control 6-8 PASS/HMI Servers FactoryTalk Batch FactoryTalk Metrics FactoryTalk Historian FactoryTalk Asset Centre Anti-Virus Secure Remote Access 50 Operator stations 20 Engineering Stations Domain Controllers and other management services

31 Value Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 31 Scalable Remote Support Solutions Industrial Data Center One Number to Dial for Support of all of Your Industrial Assets Data Center Administration Optional Remote Monitoring Optional 8x5 Support Included (24x7 Support Optional)

32 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 32 The Power of Collaboration Bundle includes: Servers and switches from Cisco Cables, patch cords, cable management, testing, validation and assembly from Panduit Storage from EMC² Virtualization software from VMware Engineering and Support from Rockwell Automation

33 Virtual Machine Capacity Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 33 Solution Continuum Enterprise Data Centers Single Server Cisco, HP, Dell, Redundant Servers Stratus Industrial Data Center E2000 (Essentials) E3000 (Essentials+) Custom VCE Flexpod HP Dell E1000 High Availability and Fault Tolerance

34 Enabling Plant-wide Network Convergence What are the similarities and differences? Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 34

35 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 35 Plant-Floor and Enterprise Requirements Policies - Similarities and Differences Focus Precedence of Priorities Types of Data Traffic Access Control Implications of a Device Failure Threat Protection Upgrades Plant-Floor Network 24/7 Operations, High OEE Availability Integrity Confidentiality Converged Network of Data, Control, Information, Safety and Motion Strict Physical Access Simple Network Device Access Production is Down ($$ s/hour or Worse) Isolate Threat but Keep Operating Scheduled During Downtime Enterprise Network Protecting Intellectual Property and Company Assets Confidentiality Integrity Availability Converged Network of Data, Voice and Video Strict Network Authentication and Access Policies Work-around or Wait Shut Down Access to Detected Threat Automatically Pushed During Uptime

36 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 36 RA s Industrial Network and Security Resources Security-enhanced Products and Technologies Rockwell Automation product and technologies with security capabilities that help increase overall control system system-level security. EtherNet/IP Plantwide Reference Architectures Control system validated designs and security best-practices that complement recommended layered security/defense-in-depth measures. Network & Security Services (NSS) RA consulting specialists that provide Industrial Network assessments and designs on how to maximize performance, avert risk and mitigate vulnerabilities.

37 Network & Security Services: Life Cycle Approach to Services and Solutions ASSESS DESIGN IMPLEMENT VALIDATE MANAGE Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 37

38 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. Assessment Service Assessment Process: On site customer collaboration Assess all layers of OSI model Physical layer Logical layer Application layer Defense in Depth security evaluation Assess against industry and company standards Deliverables Detailed report of findings Prioritized critical issues Remediation's/suggestions Standard: on site observational and interview based Comprehensive: on site technically determined via tools

39 RESULTS Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 39 Drilling Technology Company Multi-phased project to assess availability and security issues, standardize and replicate network architectures with segregation CHALLENGES Multiple manufacturing and production facilities with different network architectures and platforms. No standardization for device lifecycle refresh or asset management. Network availability issues. Concerns regarding recent industry security breaches. Land and sea-based facilities. Lack of secure access capability to permit external communications to the production networks by employees and vendors. Absence of current physical and logical network drawings. SOLUTION Document and categorize all assets in all facilities and document the As-Is. Identify stakeholders and operations personnel from IT and production critical to project success and obtain buyin. Perform security and network assessments to establish baselines. Develop and deploy a proof of concept To-Be security architecture inclusive of a DMZ, Secure Remote Access Capability and centralized virus signature endpoint solution. Roll-out proof of concept as a Full Operating Capability. Simplified technology migration. Decreased labor and service call costs due to implementation of Secure Remote Access capability. Ability to identify and track user access and activities. Centralized service to distribute virus signatures. Evolution of collaborative team to quickly and productively resolve emerging challenges and issues.

40 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 40 Design Service The Design Service is the foundation upon which organizations can ensure the performance and reliability of the production processes and sustain growth through the implementation of manufacturing convergence. Multiple considerations must be managed Availability of the Infrastructure Integrity of the Processes Confidentiality of the Intellectual Property Information Accessibility Industrial Data Centre Fault Tolerance Reliability and Resiliency High-level Performance Scalability Operations Safety Remote Access Future Readiness Standards/Frameworks must be considered CISCO and Rockwell CPwE ODVA ISA95 ISA99/IEC62433 NIST NERC CIP ISO Series ISO 22301/BS UK CPNI US Department of Homeland Security Idaho National Laboratory And many more..

41 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. Design Service Deliverable Network Design Deliverable Package Functional Requirements Bill of Material Cable Selection Physical Hardware Connectivity Access and Distribution Layer Topology Physical Layer Drawings VLANs Addressing schema Switch and Network Configuration Redundancy Remote Access Security Standard: logical and physical conceptual design Comprehensive: detailed logical, physical with ports and protocols design

42 RESULTS Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 42 Leading Food Producer Expansion at existing facility CHALLENGES Global pet food company wants to increase site production capability by adding new production lines and requires a validation of existing infrastructure, plus guidelines on new infrastructure design. Lack of ownership of existing Production Networks. Lack of network knowledgeable personnel at Production level. Several different OEM s delivering different production lines that need to interlock SOLUTION Network Assessment delivered, where issues were raised, and recommendations where made. The Network Assessment was followed by a Remediation service to apply the recommendations Training was provided to plant local resources Guidelines for the new expansion were provided, based on the issues raised from the existing infrastructure. Production downtime due to the network issues drastically reduced from 15 mins/day to zero Network performance improved and scalable for expansion Network configuration consistency across different OEM s Network knowledge obtained at site Expansion project ran smoothly

43 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. Implementation Services Implementation Package Procurement Configuration Installation Testing Start Up Transition to Support Factors to be considered: High availability Loop prevention protocols Segmentation and traffic classification Quality of Service (QoS) and prioritization Multicast management Effective Security Controls Turn Key Projects: Based on RA Design Service Pre-Engineered Solutions: Industrial Data Center, Zone Enclosures, Secure Remote Access Custom: based on the role you need RA NSS to play (materials, labor, project management) Leverage the Power of Rockwell Automation Partnerships

44 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. Validation Service Validation Deliverable Package Audit current architecture compared to governing body (ODVA, IEEE, ANSI, TIA, ISA-95) Audit security program compared to governing body (NERC CIP, ISA-99, NIST , NIST ) Services includes all networks Data Highway DeviceNet ControlNet Ethernet Fieldbus Standard: known industry standard Custom: customer specific standard

45 RESULTS Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 45 Global Automobile Manufacturer Greenfield facility needing network validation CHALLENGES New construction facility with limited skilled labor force. Compounded attention being levied as a result of government audits pertaining to financial investments. Concern that a security event would proliferate quickly and cause reputational and brand damage. Absence of physical and logical network drawings and vendor specifications SOLUTION Perform independent network performance validation tests to ensure operational baselines are achieved. Execute infrastructure cable verification tests. Discuss and negotiate findings to ensure compliance with regulations and vendor operational specification thresholds. Prioritize findings and recommend corrective actions in accordance with customer stated objectives. Authority to operate obtained. Projected availability benchmarks tuned to reflect more appropriate baselines. Ability to mitigate potential network issues before suffering an outage. Increased corporate financial performance.

46 Value Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 46 Scalable Infrastructure Support TechConnect Managed Services Remote Support Services RA Tech Support has Certified personal on staff CCNP (Cisco Network Professional) CCNA (Cisco Network Associate) CCNA Security (Cisco Security) CCENT (Entry Network Technician) VMware Certified Associate VMware Certified Professional Infrastructure Administration Asset Health Monitoring One number to call for support Secure Remote Access Infrastructure TechConnect

47 Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 47 Manage / Monitor Service Remote Support Delivered Network, Firewall, Virtualized Infrastructure, Automation Devices and Applications Dedicated 24 x 7 x 365 phone line and Avg. response time of <3 minutes Diagnostics & Troubleshooting Remote Monitoring IT approved remote access Remote notification of system alarms and events Immediate support action and engagement Knowledge Management System Administration Program manager Dedicated central doc database Faster resolution to issues Reduced training time

48 Complete Support Infrastructure Hardware and Software Applications Customer Rockwell will monitor and alarm Customer will own and manage Operating System Hypervisor Device Layer Network Layer Rockwell Automation Rockwell will monitor and manage the operating system, hypervisor, physical server stack including the rack, hosts, memory, storage area network (SAN), and uninterruptible power supply (UPS). Environment Customer Customer will be responsible for the physical space including maintaining proper ambient conditions, security and power Copyright 2015 Rockwell Automation, Inc. All Rights Reserved.

49 Thank You Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. Rev 5058-CO900D Copyright 2015 Rockwell Automation, Inc. All Rights Reserved.