FRP15 Rockwell Automation's Approach to Cyber Security with Cisco


1 FRP15 Rockwell Automation's Approach to Cyber Security with Cisco
Christophe Magitteri, Cisco, Solutions Architect IoT
Pierre Paterni, Rockwell Automation, Network and Security Services
March 2016
Copyright 2016 Rockwell Automation, Inc. All Rights Reserved.

2 Agenda
- The Connected Enterprise
- Rockwell-Cisco at a glance
- Cybersecurity Background
- CPwE Secure Architectures
- Rockwell Network Services

3 Our Three Core Platforms deliver The Connected Enterprise
Core platforms: Integrated Architecture, Intelligent Motor Control, Solutions & Services.
Outcomes: Faster Time to Market, Lower Total Cost of Ownership, Improved Asset Utilization, Enterprise Risk Management.
(Diagram: Headquarters, Production, Customers, Supply Chain, Smart Grid, Field-Based Assets, Distribution Center.)

4 Agenda
- The Connected Enterprise
- Rockwell-Cisco at a glance
- Cybersecurity Background
- CPwE Secure Architectures
- Rockwell Network Services

5 Cisco and Rockwell Automation: Technology, Network, Cultural and Organizational Convergence
- Common Technology View: achieve flexibility, visibility and efficiency through a converged plant-wide / site-wide network architecture, using open, industry-standard networking technologies such as EtherNet/IP.
- Converged Plantwide Ethernet (CPwE) Architectures: plant-wide / site-wide focused, tested, validated and documented reference architectures, comprised of Rockwell Automation and Cisco expertise, provide a foundation to successfully deploy the latest technologies optimized for both industrial automation and IT professionals.
- Joint Product and Solution Collaboration: Stratix 5900 Services Router, Stratix 5100 Wireless Access Point / Workgroup Bridge, and the Stratix 5000 / Stratix 8000 families of managed industrial Ethernet switches combine the best of both Rockwell Automation and Cisco.
- People and Process Optimization: services, education and certification to facilitate industrial automation and information technology convergence and successful architecture deployment, so that critical resources can focus on increasing innovation and productivity.

6 Rockwell Automation Product Portfolio: collaboration with Cisco
Seamless, secure integration between plant and enterprise networks, addressing the needs of both IT and OT.
- Managed Switches: multicast management services, diagnostic information, Network Address Translation (NAT), segmentation / VLAN capabilities, prioritization services (QoS), network resiliency.
- Security Appliances: secure real-time control communication, routing and firewall capabilities, intrusion protection, access control lists, Quality of Service (QoS).
- Wireless Technology: connect hard-to-reach areas, mobile access to equipment and key business systems, minimizes hardware and wiring.
Premier Integration to the Rockwell Automation Integrated Architecture system and embedded Cisco technology.

7 Agenda
- The Connected Enterprise
- Rockwell-Cisco at a glance
- Cybersecurity Background: Trends, Threats, Best Practices
- CPwE Secure Architectures
- Rockwell Network Services

8 Common IACS Security Issues
- Weak access controls to HMI and other equipment
- Separation of duty for operator, administrator, audit
- Little or no password management
- Physical segmentation of the IACS network: dual-homed servers or PLCs act as the firewall; the segmented network has only physical security
- Unauthenticated command execution
- Communication is unencrypted
- Outdated operating systems left unpatched
- Rogue wireless access points without encryption
- Insufficient controls on users and contractors (i.e. access policy, laptops, etc.)
- Humans are writing the IACS system software
- Aging infrastructures: machines, OS, software

9 ICS Threat Agents
- General hackers: looking for individual prestige.
- Botnet operators and spammers: having the same skillsets as general hackers, but with the intent of further distributing and operating various botnets. These botnets may be rented out to other threat agents.
- Organized crime groups (e.g. gangs and crime syndicates): looking to obtain money, either as ransom against the threat of a disruptive attack, or through direct monetary theft.
- Insiders: including disgruntled employees, technology or business partners, or recently terminated employees or partners.
- Phishers: attempting to attract individual users to web sites loaded with malicious software in order to compromise the user devices.
- Foreign intelligence services: state-sponsored entities, possibly paramilitary, usually operating from identifiable networks or geographic regions (if you can trace them).
- Industrial spies: mercenary-type entities hired to target specific corporate assets and industries.
- Activists and terrorists: ideologically motivated entities typically without the resources to develop exploits independently, but with enough resources to hire compromised devices from botnet operators or leverage off-the-shelf exploit kits.

10 Consequences of Successful Attacks on Industrial Networks (incident type -> potential impact)
- Change in a system, operating system, or application configuration -> introduction of command and control channels into an otherwise secure system; suppression of alarms and reports to hide malicious activity; alteration of expected behavior to produce unwanted and unpredictable results.
- Change in programmable logic in PLCs, RTUs, and other controllers -> damage to equipment and/or facilities; malfunction of the process (e.g. shutdown); disabling control over a process.
- Misinformation reported to operators -> causing inappropriate actions in response to misinformation that could result in a change in programmable logic; hiding or obfuscating malicious activity, including the incident itself or injected code (i.e., a rootkit).
- Tampering with safety systems or other controls -> preventing expected operations, fail safes, and other safeguards, with potentially damaging consequences.
- Malicious software (malware) infection -> may initiate additional incident scenarios; may impact production, or force assets to be taken offline for forensic analysis, cleaning, and/or replacement; may open assets up to further attacks, information theft, alteration, or infection.
- Information theft -> sensitive information such as a recipe or chemical formula is stolen.
- Information alteration -> sensitive information such as a recipe or chemical formula is altered in order to adversely affect the manufactured product.

11 Industrial Security Trends: Established Industrial Security Standards
- International Society of Automation, ISA/IEC (formerly ISA-99): Industrial Automation and Control Systems (IACS) Security; Defense-in-Depth; IDMZ deployment.
- National Institute of Standards and Technology, NIST: Industrial Control System (ICS) Security; Defense-in-Depth; IDMZ deployment.
- Department of Homeland Security / Idaho National Lab, DHS INL/EXT: Control Systems Cyber Security: Defense-in-Depth Strategies; Defense-in-Depth; IDMZ deployment.

12 Agenda
- The Connected Enterprise
- Rockwell-Cisco at a glance
- Cybersecurity Background: Trends, Threats, Best Practices
- CPwE Secure Architectures
- Rockwell Network Services

13 IACS Security Objectives
- Restricting logical access to the ICS network and network activity
- Restricting physical access to the ICS network and devices
- Protecting individual ICS components from exploitation
- Maintaining functionality during adverse conditions
- Restoring the system after an incident

14 Holistic Defense-in-Depth
Industrial security policies drive technical controls:
- Education and awareness programs: training of OT personnel on industrial security policies and procedures, and on how to respond to a security incident.
- Physical: limit physical access to authorized personnel (control room, cells/areas, control panels, IACS devices) with locks, gates, key cards, biometrics. This may also include policies, procedures and technology to escort and track visitors.
- Network: industrial security framework.
- Computer hardening: patch management, anti-x software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports.
- Application: authentication, authorization, and accounting (AAA).
- Device hardening: change management, communication encryption, and restrictive access.

15 Threat Model Protection: the Attack Continuum
- BEFORE: Control, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Controls placed along the continuum: Firewall, AAA, VPN, IPS/IDS, Network Access Control, Web security, Network Behavior Analysis, Posture Assessment, Advanced Malware Protection, Visibility and Context.

16 Agenda
- The Connected Enterprise
- Rockwell-Cisco at a glance
- Cybersecurity Background
- CPwE Secure Architectures: Overview, Segmentation, Identity
- Rockwell Network Services

17 Built on Industry Standards: Purdue Reference Model & ISA95
- Enterprise Zone: Level 5 Enterprise Network; Level 4 Site Business Planning and Logistics Network
- Demilitarized Zone (DMZ): Shared Access
- Manufacturing Zone: Level 3 Site Manufacturing Operations and Control
- Cell/Area Zone: Level 2 Area Control; Level 1 Basic Control; Level 0 Process

18 Holistic Defense-in-Depth: CPwE Architectures, Industrial Network Security Framework
(Diagram: Enterprise Zone Levels 4-5 behind an external DMZ/firewall to the Internet; Industrial Demilitarized Zone (IDMZ) with physical or virtualized servers for patch management, AV server, application mirror and remote desktop gateway; Industrial Zone Levels 0-3 with identity services (AAA), core switches, wireless LAN controllers (active/standby), Level 3 Site Operations, Level 2 Area Supervisory Control with FactoryTalk clients and a distribution switch stack, LWAPs on 2.4 GHz and 5 GHz SSIDs with workgroup bridges, Level 1 I/O, soft starters and MCCs, Level 0 process I/O and drives. Ownership: control system engineers; control system engineers in collaboration with IT network engineers (industrial IT); IT security architects in collaboration with control systems engineers.)

19 Agenda
- The Connected Enterprise
- Rockwell-Cisco at a glance
- Cybersecurity Background
- CPwE Secure Architectures: Overview, Segmentation, Identity
- Rockwell Network Services

20 Network Technology Convergence
Continued trend: a single industrial network technology.
Flat and unstructured network infrastructure.

21 Segmentation: Cell/Area
(Diagram: Cell/Area Zones #1 to #4 on VLANs 10, 20, 30 and 40, each with HMIs, I/O, VFD and servo drives and safety I/O; Stratix 8000 Layer 2 switches in a Resilient Ethernet Protocol (REP) ring carrying multiple VLANs, plus management VLAN 50; aggregation on a Catalyst 3750 StackWise switch stack. Cell/Area Zones sit at Levels 0-2 of the Industrial Zone.)

22 Segmentation: NAT, Machine to Machine
(Diagram: two machines, each with a CompactLogix controller behind a Stratix 8300 NAT switch, attached to the plant network switch; "Send message to Machine 2" is translated by NAT within each machine and between the machine and the line network.)
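The NAT use case on this slide, shown as an added example that is not Rockwell or Cisco code: every machine ships with the same private subnet, and the machine-level NAT device exposes only the hosts that must be reachable from the line network under unique line addresses. The subnets, addresses and machine names below are constructed for the example.

```python
"""1:1 NAT between identically addressed machines and the line network.

Added example, not Rockwell or Cisco code. All addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Tuple


@dataclass
class MachineNat:
    name: str
    inside: IPv4Network                                                # private subnet inside the machine
    table: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)  # private host -> line address

    def add(self, private: str, public: str) -> None:
        """Publish one inside host on the line network under a unique address."""
        p, q = IPv4Address(private), IPv4Address(public)
        if p not in self.inside:
            raise ValueError(f"{p} is not inside {self.inside}")
        if q in self.table.values():
            raise ValueError(f"{q} is already in use on the line network")
        self.table[p] = q

    def outbound(self, src: str, dst: str) -> Tuple[str, str]:
        """Packet leaving the machine: rewrite the private source to its line address."""
        s = IPv4Address(src)
        if s not in self.table:
            # Unmapped hosts (an HMI, a local sensor) never appear on the line.
            raise PermissionError(f"{self.name}: {s} has no NAT entry and cannot reach the line")
        return str(self.table[s]), dst

    def inbound(self, src: str, dst: str) -> Tuple[str, str]:
        """Packet entering the machine: rewrite the line destination back to the private host."""
        d = IPv4Address(dst)
        for private, public in self.table.items():
            if public == d:
                return src, str(private)
        raise PermissionError(f"{self.name}: {d} is not exposed by NAT")

    def exposed(self) -> List[str]:
        """What the line network can see: only the mapped hosts."""
        return sorted(str(a) for a in self.table.values())


def send_between_machines(m1: MachineNat, m2: MachineNat,
                          src_private: str, dst_line: str) -> Dict[str, Tuple[str, str]]:
    """'Send message to Machine 2': the (src, dst) pair seen on the line and inside Machine 2."""
    on_line = m1.outbound(src_private, dst_line)   # NAT between Machine 1 and the line network
    inside_m2 = m2.inbound(*on_line)               # NAT between the line network and Machine 2
    return {"line": on_line, "machine2": inside_m2}


def build_demo() -> Tuple[MachineNat, MachineNat]:
    same = IPv4Network("192.168.1.0/24")  # constructed: both machines use the identical OEM subnet
    m1, m2 = MachineNat("Machine 1", same), MachineNat("Machine 2", same)
    m1.add("192.168.1.10", "10.10.1.10")  # Machine 1 controller
    m2.add("192.168.1.10", "10.10.2.10")  # Machine 2 controller: same private address, distinct line address
    # The HMI at 192.168.1.20 in each machine is deliberately left unmapped.
    return m1, m2


if __name__ == "__main__":
    m1, m2 = build_demo()
    print(send_between_machines(m1, m2, "192.168.1.10", "10.10.2.10"))
    print("exposed by Machine 2:", m2.exposed())
```

The segmentation benefit is in `exposed()` and the `PermissionError` paths: duplicate private subnets coexist on one line network, and anything the OEM did not map is unreachable from outside the machine.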

23 Segmentation: IDMZ
Logical model of the Industrial Automation and Control System (IACS) on a converged, multi-discipline industrial network. No direct traffic flow between the Enterprise and Industrial Zones.
- Enterprise Security Zone: Level 5 Enterprise Network (Intranet, etc.); Level 4 Site Business Planning and Logistics Network.
- Industrial DMZ: Remote Gateway Services, Application Mirror, Patch Management, Web Services Operations, AV Server, Application Server, Web and CIP termination, with a firewall on each side.
- Industrial Security Zone: Level 3 Site Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server); Level 2 Area Supervisory Control (FactoryTalk Client, Operator Interface, Engineering Workstation); Level 1 Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control); Level 0 Process (Sensors, Drives, Actuators, Robots).

24 Holistic Defense-in-Depth: Industrial DMZ positioning
(Diagram: the IDMZ with its physical or virtualized servers for patch management, AV, application mirror and remote desktop gateway sits between the Enterprise Zone Levels 4-5 (external DMZ/firewall to the Internet) and the Industrial Zone Levels 0-3 (identity services, core switches, WLC active/standby, distribution switch stack, LWAPs with 2.4 GHz and 5 GHz SSIDs, WGBs, I/O, soft starters, MCCs and drives).)

25 Industrial Demilitarized Zone (IDMZ): Controlling Access to the Industrial Zone
Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the IDMZ is to add an additional layer of security to the trusted network.
(Diagram: Enterprise Security Zone, trusted? untrusted?; Industrial DMZ acting as broker; Industrial Security Zone, trusted.)

26 Industrial Demilitarized Zone (IDMZ): Design Tenets and Best Practices
- All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ.
- The IDMZ is the only path between zones.
- No common protocols in each logical firewall.
- No control traffic into the IDMZ: CIP stays home.
- No primary services are permanently housed in the IDMZ.
- The IDMZ shall not permanently house data.
- Use an application data mirror to move data into and out of the Industrial Zone.
- Limit outbound connections from the IDMZ.
- Be prepared to turn off access via the firewall (disconnect point).
(Diagram: Enterprise Security Zone, trusted? untrusted?; IDMZ with replicated services and a disconnect point on each side; Industrial Security Zone, trusted; no direct traffic.)

27 IDMZ Replicated Data and Services
- Permit secure remote access to industrial assets.
- Permit data from the Industrial Zone to enterprise stakeholders.
- Block untrusted access to the Enterprise Zone.
- Block untrusted access to the Industrial Zone.
(Diagram: Enterprise Zone Levels 4-5 with ERP, Active Directory (AD), AAA/RADIUS, Call Manager and the WAN; an inspecting firewall on each side of the IDMZ; IDMZ physical or virtualized servers for patch management, AV, application mirror, remote desktop gateway, remote access server and web proxy; Industrial Zone Levels 0-3 with FactoryTalk application servers and services, network services (e.g. DNS, AD, DHCP, AAA), Call Manager, storage array, core switches, active/standby firewalls, WLC and ISE (enterprise and industrial instances), Level 3 Site Operations, and Cell/Area Zones with PACs, FactoryTalk clients, I/O, drives and MCCs. An engineer's remote access reaches Level 3 through the remote desktop gateway; the plant manager's web reports and VantagePoint pass through the web proxy; untrusted access to either zone is blocked.)

28 Typical Systems involved in IDMZ Designs (use case: Enterprise Zone Levels 4-5 | IDMZ | Industrial Zone Levels 0-3)
- User wants historian data and reports: Historian | PI to PI Connector | Historian
- Domain replication: Domain | Domain | Domain
- User wants web reports: Web Reports | Reverse Web Proxy | Web Servers
- User wants to send / retrieve files: Secure File Transfer | Secure File Transfer Gateway | File Server
- Configure, troubleshoot Industrial Zone asset: Remote Desktop Client | Remote Desktop Gateway | Terminal Server
- Update AV and install OS patches: OS Patch, Anti Virus Update | Anti Virus & WSUS Server | Servers, Desktops, Laptops
- Synchronized time across all zones: NTP Master Server | IDMZ NTP Server | Industrial Zone NTP Server
An inspecting firewall sits on each side of the IDMZ.

29 Holistic Defense-in-Depth: Cell / Zone Firewall positioning
(Diagram: same CPwE topology as slide 18, with a firewall placed at the boundary of each Cell/Area Zone below the Level 2 distribution switch stack, in addition to the IDMZ firewalls and the external DMZ/firewall.)

30 Protocol Inspection: Cell/Area Zone Firewall Policy Enforcement (example)
Traffic arriving from the Industrial Zone: SNMP sweep, ping sweep, CIP Class 3, HTTP, CIP Class 1, ICMP ping.
Traffic the zone firewall passes into the Cell/Area Zone: CIP Class 3, CIP Class 1, ICMP ping.
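The IDMZ design tenets (slide 26) and the cell/area zone policy above, as one added policy-check example that is not Rockwell or Cisco code. It assumes zone names of its own, maps CIP Class 3 to TCP/44818 and CIP Class 1 to UDP/2222 (the standard EtherNet/IP ports), and constructs the sample flows; the rule sets encode the tenets, including the disconnect point and the implicit deny that limits outbound connections from the IDMZ.

```python
"""Zone-based firewall policy check for the IDMZ tenets and the cell/area zone firewall.

Added example, not Rockwell or Cisco code. Zone names, sample flows and the
CIP-to-port mapping are this example's assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port; None for icmp


@dataclass(frozen=True)
class Rule:
    src_zone: str          # "*" matches any zone
    dst_zone: str
    proto: str             # "*" matches any protocol
    dport: Optional[int]   # None matches any port
    action: str            # "permit" or "deny"
    why: str               # the tenet the rule encodes

    def matches(self, f: Flow) -> bool:
        return (self.src_zone in ("*", f.src_zone)
                and self.dst_zone in ("*", f.dst_zone)
                and self.proto in ("*", f.proto)
                and self.dport in (None, f.dport))


class ZoneFirewall:
    """First matching rule wins; anything unmatched is denied.

    `disconnect` models 'be prepared to turn off access via the firewall':
    when set, every flow touching the IDMZ is dropped regardless of the rules.
    """

    def __init__(self, rules: List[Rule], disconnect: bool = False):
        self.rules = rules
        self.disconnect = disconnect

    def decide(self, f: Flow) -> Tuple[str, str]:
        if self.disconnect and "idmz" in (f.src_zone, f.dst_zone):
            return "deny", "disconnect point engaged"
        for r in self.rules:
            if r.matches(f):
                return r.action, r.why
        return "deny", "implicit deny"


# IDMZ firewall pair. Note the two sides permit different protocols (443 in,
# 3389 out): "no common protocols in each logical firewall".
IDMZ_RULES = [
    Rule("enterprise", "industrial", "*", None, "deny", "no direct traffic flow between enterprise and industrial zone"),
    Rule("industrial", "enterprise", "*", None, "deny", "no direct traffic flow between enterprise and industrial zone"),
    Rule("*", "idmz", "tcp", 44818, "deny", "no control traffic into the IDMZ: CIP stays home"),
    Rule("*", "idmz", "udp", 2222, "deny", "no control traffic into the IDMZ: CIP stays home"),
    Rule("enterprise", "idmz", "tcp", 443, "permit", "remote desktop gateway / reverse web proxy"),
    Rule("idmz", "industrial", "tcp", 3389, "permit", "gateway to terminal server at level 3"),
    Rule("industrial", "idmz", "tcp", 443, "permit", "data mirror: industrial zone pushes to the replicated service"),
    # Everything else, including outbound connections from the IDMZ, hits the implicit deny.
]

# Cell/Area Zone firewall: only control traffic and ping from the industrial zone into the cell.
CELL_RULES = [
    Rule("industrial", "cell", "tcp", 44818, "permit", "CIP Class 3 explicit messaging"),
    Rule("industrial", "cell", "udp", 2222, "permit", "CIP Class 1 implicit I/O"),
    Rule("industrial", "cell", "icmp", None, "permit", "ping"),
    # SNMP sweeps (udp/161), HTTP (tcp/80) and anything else fall to the implicit deny.
]

IDMZ_FIREWALL = ZoneFirewall(IDMZ_RULES)
CELL_FIREWALL = ZoneFirewall(CELL_RULES)

# Constructed sample flows, one per tenet on the slides.
IDMZ_SAMPLE = [
    Flow("enterprise", "idmz", "tcp", 443),
    Flow("enterprise", "industrial", "tcp", 3389),
    Flow("enterprise", "idmz", "tcp", 44818),
    Flow("idmz", "industrial", "tcp", 3389),
    Flow("idmz", "enterprise", "tcp", 445),
]
CELL_SAMPLE = [
    Flow("industrial", "cell", "udp", 161),
    Flow("industrial", "cell", "icmp"),
    Flow("industrial", "cell", "tcp", 44818),
    Flow("industrial", "cell", "tcp", 80),
    Flow("industrial", "cell", "udp", 2222),
]


def evaluate(fw: ZoneFirewall, flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Decide every flow and keep the reason, for review or for a change-control record."""
    return [(f, *fw.decide(f)) for f in flows]


if __name__ == "__main__":
    for f, action, why in evaluate(IDMZ_FIREWALL, IDMZ_SAMPLE) + evaluate(CELL_FIREWALL, CELL_SAMPLE):
        print(f"{action:6} {f.src_zone}->{f.dst_zone} {f.proto}/{f.dport}: {why}")
```

Keeping the reason next to each decision is what makes the policy reviewable against the tenets; when a rule has no tenet to cite, that is the prompt to question it.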

31 Firewall and IDS/IPS Products
- Cisco ASA 5515-X (available): Industrial DMZ firewall; rack mount, high performance, HA.
- ISA3000-4C-K9 / Stratix 5950 (coming soon!): Cell / Zone firewall; DIN rail, industrially hardened.
Capabilities:
- Firewall: segmentation, NAT, L3-L4 stateful inspection.
- IDS/IPS: content security, threat signatures, ICS protocol inspection.
- Remote Access: encrypted VPN, clientless SSL remote access, AnyConnect client.

32 Agenda
- The Connected Enterprise
- Rockwell-Cisco at a glance
- Cybersecurity Background
- CPwE Secure Architectures: Overview, Segmentation, Identity
- Rockwell Network Services

33 Secure Access: consolidating access for employees, contractors and vendors
- Who? Employee, Attacker, Guest
- What? Personal device, Company asset
- How? Wired, Wireless, VPN (plant 1 zone 2, Headquarters)
- When? Weekends (8:00am-5:00pm) PST

34 ISE: Unifying policy for all mediums
(Diagram: Louise, plant tech, zone 2, arriving over VPN; Kevin, LOB engineer, arriving over WiFi; LAN users; all evaluated by ISE backed by AD.)

35 Examples of Non-User Endpoints
Printers, IP cameras, alarm systems, fax machines, wireless APs, turnstiles, video conferencing stations, IP phones, hubs, managed UPS, cash registers, medical imaging machines, HVAC systems, RMON probes, vending machines... and many others.

36 ISE Profiler
Profiling probes: OUI, DHCP, NetFlow, DNS, HTTP, CDP, LLDP.
Flow: the network -> collection -> classification -> identity group assignment -> ISE applies policies.
(Example policy outcomes: full connectivity; full zone only; HMI1 + HMI2; HMI1; negated.)

37 ISE Policy Enforcement: VLANs and dACLs
VLAN assignment:
- The ISE authorization policy sets the VLAN; the infrastructure provides enforcement.
- Typical VLAN examples: quarantine/remediation VLAN, guest VLAN, employee VLAN.
- Typically requires an IP change and/or VLANs trunked throughout.
dACLs (ACL download after 802.1X / MAB / Web Auth, with ISE backed by AD and a CA):
- The ISE authorization policy pushes a dACL or named ACL to the NAD.
- An ACL source of "any" is automatically converted to the specific host address.

38 Adding ISE to CPwE
(Diagram: ISE Admin and AD in the Enterprise Zone Levels 4 and 5 with employee remote access through the external DMZ/firewall; plant firewalls (ASA 5500, active/standby with a link for failover detection) in the IDMZ providing inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and remote desktop services proxy; ISE PSN on UCS with primary and secondary WLCs and a remote access server at Level 3 Site Operations; Catalyst 6500/4500 core, Catalyst 3750X StackWise switch stack, Catalyst 2960, Rockwell Automation Stratix 5700/8000 Layer 2 access switches; Cell/Area Zones Levels 0-2 in redundant star (Flex Links resiliency), REP ring and linear/bus/star topologies with unified and autonomous wireless LANs, LWAPs on 2.4 GHz and 5 GHz SSIDs, WGBs, cameras, phones, HMIs, drives, soft starters, I/O, safety I/O, instrumentation and robots.)
NOTES
1) All endpoints must authenticate before being allowed on the network.
2) Centralizing authentication for all three mediums (wired, wireless, remote access).
3) Centralizing your network policy/privileges.
4) Full reporting capability on every endpoint accessing the network: device type; username/MAC/IP; where they authenticated from.

39 Example: Wired Secure Access
(Diagram: same CPwE topology as slide 38, with ISE Admin and AD in the Enterprise Zone, ISE PSN and AD on UCS at Level 3 Site Operations, plant firewalls (ASA 5500X) in the IDMZ, and an employee laptop running Studio 5000 (RDP) plugged into a Cell/Area Zone access switch.)
NOTES
1. Employee endpoint is examined by ISE.
2. ISE sends back a dACL allowing access to that zone, but denies communication to other zones.
3. Employee has Studio 5000 on laptop, and receives direct access to controller.
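The authorization step on slides 37 and 39 (VLAN plus a zone-scoped dACL whose "any" source is rewritten to the endpoint's host address), as an added example that is not Cisco ISE or its API. Identity groups, VLAN numbers, zone subnets, the RDP jump host used for contractors (slide 40) and the ACL lines are constructed values; the IOS-style ACL syntax is kept because that is what a NAD receives.

```python
"""ISE-style authorization: session -> VLAN + downloadable ACL, with 'any' source expansion.

Added example, not Cisco ISE. All groups, VLANs, subnets, hosts and ACL lines are constructed.
"""
import re
from typing import Dict, List

# Cell/Area Zone subnets in IOS wildcard-mask notation (constructed).
ZONE_SUBNETS = {
    "zone1": "10.20.10.0 0.0.0.255",
    "zone2": "10.20.20.0 0.0.0.255",
}
RDP_JUMP_HOST = "10.25.0.10"       # constructed: the RDP machine contractors are limited to
REMEDIATION_SERVER = "10.30.0.5"   # constructed: only host reachable from the quarantine VLAN

CIP_EXPLICIT_TCP = 44818  # standard EtherNet/IP port, here mapped to CIP Class 3
CIP_IMPLICIT_UDP = 2222   # standard EtherNet/IP port, here mapped to CIP Class 1


def zone_dacl(zone: str) -> List[str]:
    """Template for a plant technician: control traffic and ping into *this* zone, nothing into the others."""
    mine = ZONE_SUBNETS[zone]
    lines = [
        f"permit tcp any {mine} eq {CIP_EXPLICIT_TCP}",
        f"permit udp any {mine} eq {CIP_IMPLICIT_UDP}",
        f"permit icmp any {mine}",
    ]
    lines += [f"deny ip any {net}" for z, net in ZONE_SUBNETS.items() if z != zone]
    lines.append("deny ip any any")
    return lines


DACL_TEMPLATES = {
    "rdp-only": [f"permit tcp any host {RDP_JUMP_HOST} eq 3389", "deny ip any any"],
    "quarantine": [f"permit tcp any host {REMEDIATION_SERVER} eq 443", "deny ip any any"],
}

# Ordered authorization rules; first match wins, "*" is a wildcard. One policy
# serves wired, wireless and VPN sessions alike, which is the "all mediums" point.
AUTHZ_POLICY = [
    {"group": "plant-tech", "medium": "*", "vlan": 120, "dacl": "zone"},
    {"group": "contractor", "medium": "*", "vlan": 130, "dacl": "rdp-only"},
    {"group": "*",          "medium": "*", "vlan": 999, "dacl": "quarantine"},  # unknown/unprofiled endpoint
]

_ANY_SOURCE = re.compile(r"^(permit|deny) (\S+) any ")


def expand_dacl(template: List[str], endpoint_ip: str) -> List[str]:
    """What the NAD actually enforces: the 'any' source becomes the session's host address."""
    return [_ANY_SOURCE.sub(rf"\1 \2 host {endpoint_ip} ", line) for line in template]


def authorize(session: Dict[str, str]) -> Dict[str, object]:
    """Return the VLAN, the expanded dACL and the reporting fields for one authenticated session."""
    for rule in AUTHZ_POLICY:
        if rule["group"] not in ("*", session["group"]):
            continue
        if rule["medium"] not in ("*", session["medium"]):
            continue
        if rule["dacl"] == "zone":
            if "zone" not in session:
                raise ValueError("zone-scoped policy needs the zone the session authenticated from")
            template = zone_dacl(session["zone"])
        else:
            template = DACL_TEMPLATES[rule["dacl"]]
        return {
            "user": session["user"],
            "medium": session["medium"],          # kept for the per-endpoint report
            "vlan": rule["vlan"],
            "dacl": expand_dacl(template, session["ip"]),
        }
    raise RuntimeError("AUTHZ_POLICY must end with a catch-all rule")


if __name__ == "__main__":
    # Constructed sessions mirroring the slides' Louise (plant tech, zone 2) and a contractor.
    for s in (
        {"user": "louise", "group": "plant-tech", "medium": "wired", "zone": "zone2", "ip": "10.20.20.55"},
        {"user": "kevin", "group": "contractor", "medium": "wireless", "ip": "10.40.0.9"},
        {"user": "unknown-mac", "group": "unknown", "medium": "wired", "ip": "10.50.0.3"},
    ):
        r = authorize(s)
        print(r["user"], "vlan", r["vlan"])
        for line in r["dacl"]:
            print("   ", line)
```

The rewrite in `expand_dacl` is why a single template can be reused for every technician: the NAD ends up with an ACL bound to one host, so a session in zone 2 cannot reach zone 1 even from the same access switch.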

40 Example: Wireless Secure Access, Contractor/Vendor
(Diagram: same CPwE topology, with ISE PSN, PKI and AD on UCS at Level 3 Site Operations, a remote access server, WLC and RDP management software; the contractor/vendor device joins the wireless LAN and reaches Cell/Area Zone devices only through the RDP machine, with a dACL applied at site operations.)
NOTES
Contractor/Vendor access is restricted to devices via the RDP machine.

41 Example: Remote Access, FTView SE Server for Configuration
Path: a Remote Desktop Client in the Enterprise Zone (Levels 4-5) connects to the Remote Desktop Gateway in the IDMZ, which connects to a Terminal Server at Level 3 Site Operations running the View SE Client; the client talks to the View SE Server, RSLinx Enterprise and FT Live Data, and from there to the PACs in the Cell/Area Zone (Levels 0-2).
Propose a high-level architecture:
- Place assets in the Enterprise or Industrial Security Zone.
- Place proposed assets in the IDMZ.
- Draw communication lines between the assets and asset owners to make sure requirements are met.
(Diagram: Enterprise WAN, external DMZ/firewall, Internet, core switches, active/standby firewalls, distribution switch, WLC and ISE (enterprise and industrial instances), LWAP/WGB, FactoryTalk client, I/O, drive, MCC, PACs.)

42 Agenda
- The Connected Enterprise
- Rockwell-Cisco at a glance
- Cybersecurity Background
- CPwE Secure Architectures
- Rockwell Network Services

43 Why Rockwell Automation NSS (Network & Security Services)
Differentiation:
- Converged skill set of operational technology (OT) and information technology (IT)
- Experience across industrial control applications and networks
- Ability to address security risks without sacrificing productivity
- Full life cycle service offering with global delivery capability
Global capability: for plant personnel who need secure industrial infrastructure, NSS is a team of industrial automation and IT experts that assess, implement and support plant-wide network infrastructure. Unlike large IT vendors and resellers, we offer a comprehensive and tailored solution that balances both the IT requirements and the production goals of your company. Because Infrastructure Matters.

44 Network & Security Services: Pre-Engineered Solutions
Simplify and accelerate CPwE deployment; inclusive of support.

45 Network & Security Services Portfolio
Supported worldwide by NSS professionals. Global Support. Local Address. Peace of Mind.

46 Additional Material: CPwE Architectures, Cisco and Rockwell Automation Whitepapers
- ENET-WP022B-EN-P: Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
- ENET-WP009A-EN-P: Achieving Secure Remote Access to Plant-floor Applications and Data
- ENET-WP031A-EN-P: Design Considerations for Securing Industrial Automation and Control System Networks
- ENET-WP033A-EN-P: Resilient Ethernet Protocol in a Converged Plantwide Ethernet (CPwE) Architecture
- ENET-WP034A-EN-P: Deploying Wireless LAN Technology within a Converged Plantwide Ethernet Architecture
- ENET-WP036A-EN-P: Deploying Network Address Translation within a Converged Plantwide Ethernet Architecture
- ENET-WP037A-EN-P: Deploying Identity Services within a Converged Plantwide Ethernet Architecture
- ENET-WP038A-EN-P: Securely Traversing IACS Data Across the Industrial Demilitarized Zone
- ENET-WP039B-EN-P: A Resilient Converged Plantwide Ethernet Architecture
- ENET-WP040A-EN-P: Migrating Legacy IACS Networks to a Converged Plantwide Ethernet Architecture

47 Additional Material: Rockwell Automation
- ENISA, Protecting Industrial Control Systems (2011)
- ANSSI, La cybersécurité des systèmes industriels (2014)
- NIST SP, Guide to Industrial Control Systems Security (2011)
- CPNI UK (2011), https://www.cpni.gov.uk/advice/cyber/scada/

48 Because Infrastructure Matters

Securing The Connected Enterprise

Securing The Connected Enterprise Securing The Connected Enterprise Pack Expo 2015 Las Vegas Chelsea An Business Development Lead, Network & Security PUBLIC Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 8 Connected Enterprise

More information

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation Rev 5058-CO900C Agenda Control System Network Security Defence in Depth Secure Remote Access Examples

More information

Network Security Trends & Fundamentals of Securing EtherNet/IP Networks

Network Security Trends & Fundamentals of Securing EtherNet/IP Networks Network Security Trends & Fundamentals of Securing EtherNet/IP Networks Presented by Rockwell Automation Industrial Network Security Trends Security Quips "Good enough" security now, is better than "perfect"

More information

AUP28 - Implementing Security and IP Protection

AUP28 - Implementing Security and IP Protection AUP28 - Implementing Security and IP Protection Features in the Integrated Architecture Mads Laier DK Commercial Engineer Logix & Networks Rev 5058-CO900E Agenda Why IACS Security Now! Defense in depth

More information

The Internet of Things (IoT) and Industrial Networks. Guy Denis gudenis@cisco.com Rockwell Automation Alliance Manager Europe 2015

The Internet of Things (IoT) and Industrial Networks. Guy Denis gudenis@cisco.com Rockwell Automation Alliance Manager Europe 2015 The Internet of Things (IoT) and Industrial Networks Guy Denis gudenis@cisco.com Rockwell Automation Alliance Manager Europe 2015 Increasingly Everything will be interconnected 50 Billion Smart Objects

More information

T46 - Integrated Architecture Tools for Securing Your Control System

T46 - Integrated Architecture Tools for Securing Your Control System T46 - Integrated Architecture Tools for Securing Your Control System PUBLIC PUBLIC - 5058-CO900G Copyright 2014 Rockwell Automation, Inc. All Rights Reserved. The Connected Enterprise PUBLIC Copyright

More information

Scalable Secure Remote Access Solutions

Scalable Secure Remote Access Solutions Scalable Secure Remote Access Solutions Jason Dely, CISSP Principal Security Consultant jdely@ra.rockwell.com Scott Friberg Solutions Architect Cisco Systems, Inc. sfriberg@cisco.com Jeffrey A. Shearer,

More information

Industrial Security Solutions

Industrial Security Solutions Industrial Security Solutions Building More Secure Environments From Enterprise to End Devices You have assets to protect. Control systems, networks and software can all help defend against security threats

More information

AUP28. Implementing Security In Integrated Architecture Practical security solutions for Industrial Control System (ICS)

AUP28. Implementing Security In Integrated Architecture Practical security solutions for Industrial Control System (ICS) AUP28 Implementing Security In Integrated Architecture Practical security solutions for Industrial Control System (ICS) Clive Barwise, Rockwell Automation European Product Manager Networks and Security

More information

ControlLogix and CompactLogix 5370 Segmentation Methods for Plant-wide/ Site-wide Networks with OEM Convergence-ready Solutions

ControlLogix and CompactLogix 5370 Segmentation Methods for Plant-wide/ Site-wide Networks with OEM Convergence-ready Solutions Network Segmentation Methodology Application Guide ControlLogix and CompactLogix 5370 Segmentation Methods for Plant-wide/ Site-wide Networks with OEM Convergence-ready Solutions By Josh Matson and Gregory

More information

Les clés de l Ethernet Industriel : Comment se faire comprendre par votre département I.T.

Les clés de l Ethernet Industriel : Comment se faire comprendre par votre département I.T. Les clés de l Ethernet Industriel : Comment se faire comprendre par votre département I.T. Alexis Malchair, Business Development Manager, Internet of Things Group March 2015 IoT Is Here Now and Growing!

More information

Industrial Security in the Connected Enterprise

Presented by Rockwell Automation. 2008 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. THE CONNECTED ENTERPRISE Optimized for Rapid

REFERENCE ARCHITECTURES FOR MANUFACTURING

Synopsis: Industry adoption of EtherNet/IP™ for control and information resulted in the wide deployment of standard Ethernet in manufacturing. This deployment acts as the technology enabler for the convergence

Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco

Vendor offers a remote firmware update and PLC programming. Contractor asks

PR03. High Availability

Related Topics: NI10 Ethernet/IP Best Practices; NI15 Enterprise Data Collection Options; NI16 Thin Client Overview. Solution Area 4 (Process). Agenda: Overview; Controllers & I/O; Software

Securing the Connected Enterprise

ABID ALI, Network and Security Consultant. Why Infrastructure Matters: Rapidly Growing Markets. Global Network Infrastructure and Security Markets: 13.7% CAGR over the next

Simplifying the Transition to Virtualization TS17

Sandeep Redkar, Manager Process Solutions, 11th February 2015. Agenda: Overview & Drivers; Virtualization for Production; Rockwell Automation

Production Software Within Manufacturing Reference Architectures

Synopsis: Industry adoption of EtherNet/IP for control and information has driven the wide deployment of standard Ethernet for manufacturing

Choosing the correct Time Synchronization Protocol and incorporating the 1756-TIME module into your Application

By: Josh Matson. Various Time Synchronization Protocols: From the earliest days of networked

Recommended IP Telephony Architecture

Report Number: I332-009R-2006. Systems and Network Attack Center (SNAC). Updated: 1 May 2006, Version 1.0. SNAC.Guides@nsa.gov. Warnings

Computer System Security Updates

Computer System Security Updates Why patch? If you have already deployed a network architecture, such as the one recommended by Rockwell Automation and Cisco in the Converged Plantwide Ethernet Design and Implementation Guide (http://www.ab.com/networks/architectures.html),

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

Contents: Cyber Security for NERC CIP Compliance... 5; Sabotage Reporting... 6; Security

IACS Network Security and the Demilitarized Zone

CHAPTER 6. Overview: This chapter focuses on network security for the IACS network, protecting the systems, applications, infrastructure, and end-devices.

Design Considerations for Securing Industrial Automation and Control System Networks

Synopsis: Rockwell Automation and Cisco Four Key Initiatives. Common Technology View: A single system architecture, using

Achieving Secure, Remote Access to Plant-Floor Applications and Data

Abstract: To increase the flexibility and efficiency of production operations, manufacturers are adopting open networking standards for

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security is the leading provider of cyber security

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

April 2013. Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

Security for Industrial Automation: Considering the PROFINET Security Guideline

Industrial IT Security. Plant Security. Physical Security: physical access to facilities and equipment. Policies & Procedures

Physical Infrastructure for a Resilient Converged Plantwide Ethernet Architecture

Industrial Ethernet networking is advancing technology applications throughout the plant. These applications are rapidly

Chapter 1 The Principles of Auditing 1

Security Fundamentals, The Five Pillars: Assessment; Prevention; Detection; Reaction; Recovery. Building a Security Program: Policy; Procedures; Standards; Security Controls

Securing Manufacturing Control Networks. Alan J. Raveling, CISSP, November 2nd to 5th, Pack Expo 2014

As Internet-enabled technologies such as cloud and mobility grow, the need to understand the potential

Cyber Security for NERC CIP Version 5 Compliance

GE Measurement & Control. Contents: Cyber Security for NERC CIP Compliance... 5; Sabotage Reporting... 6; Security Management Controls...

IT Security and OT Security. Understanding the Challenges

Security Maturity Evolution in Industrial Control: 1950s. Technology Sophistication.

Network & Security Services (NSS) Because Infrastructure Matters

Andrew Ballard, Commercial Director Services & Support - EMEA. Rev 5058-CO900E. THE CONNECTED ENTERPRISE Headquarters Optimized for Rapid Value

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net

Security is recognized as essential to protect vital processes and the systems that provide those

Securely Architecting the Internal Cloud. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

Securely Building the Internal Cloud: Virtualization is the Key. How Virtualization Affects

Manufacturing and the Internet of Everything

Johan Arens, CISCO (joarens@cisco.com). Business relevance of the Internet of Everything; Manufacturing trends; Business imperatives and outcomes; A vision of the

Scalable Secure Remote Access Solutions for OEMs

Introduction: Secure remote access to production assets, data, and applications, along with the latest collaboration tools, provides manufacturers with the

Industrial Control Systems Security Guide

Keith Stouffer, Engineering Lab, National Institute of Standards and Technology. NIST SP 800-82, Rev 2 and ICS Cybersecurity Testbed. Keith Stouffer, Project Leader,

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

Utilities White Paper, May 2013. Table of Contents: Introduction...3; Problem Statement...4; Solution Requirements...5; Components of an Integrated

SANS Top 20 Critical Controls for Effective Cyber Defense

Whitepaper, January 2014. Summary: In a

IP Telephony Management

How Cisco IT Manages Global IP Telephony. A Cisco on Cisco Case Study: Inside Cisco IT. Overview. Challenge: Design, implement, and maintain a highly available, reliable, and resilient

Securing Manufacturing Computing and Controller Assets

Rockwell Automation and Cisco Four Key Initiatives. Common Technology View: A single system architecture, using open, industry standard networking

Industrial Security for Process Automation

SPACe 2012 Siemens Process Automation Conference. Why is Industrial Security so important? Industrial security is all about protecting automation systems and critical

Cisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release

PB526545. Cisco ASA Software Release 8.2 offers a wealth of features that help organizations protect their networks against new threats

AUD20 - Industrial Network Security

Lesley Van Loo, EMEA Senior Commercial Engineer, Rockwell Automation. Rev 5058-CO900B. Copyright 2012 Rockwell Automation, Inc. All rights reserved. Agenda: Connected

What Every IT Specialist Should Know About Automation and Production Networks

Frank Schirra, Rockwell Automation Solution Architect; Edi Truttmann, Cisco Systems Network Solution Sales Specialist. 2012

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Contents: Introduction... 3; The ForeScout Approach... 3; Discovery Methodologies... 4; Passive Monitoring... 4; Passive Authentication...

DeltaV System Cyber-Security

January 2013. This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from cyber attacks. www.deltav.com. Table of Contents: Introduction...

Stratix Switches Within Integrated Architecture. Dave VanGompel, Principal Application Engineer

Written By: Mark Devonshire, Product Manager; Dave VanGompel, Principal Application Engineer. Synopsis: Industry adoption of EtherNet/IP for control and information has driven the wide deployment of standard

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

What You Will Learn: A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)

Network Virtualization Network Admission Control Deployment Guide

This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

Redesigning automation network security

White Paper WP152006EN. Presented at Power and Energy Automation Conference (PEAC), Spokane, WA, March 2014. Jacques Benoit, Eaton's Cooper Power Systems. Abstract: The

GE Measurement & Control. Cyber Security for NEI 08-09

Contents: Cyber Security for NEI 08-09...3; Cyber Security Solution Support for NEI 08-09...3; 1.0 Access Controls...4; 2.0 Audit And Accountability...4

Deploying Firewalls Throughout Your Organization

Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

An RSAccess White Paper. 1 Microsoft Forefront Unified Access Gateway Overview; 2 Safe-T RSAccess Secure Front-end Overview

Cisco Certified Security Professional (CCSP)

529 Hahn Ave. Suite 101, Glendale CA 91203-1052. Tel 818.550.0770, Fax 818.550.8293, www.brandcollege.edu. Program Summary: This instructor-led program with a combination

Network Security Guidelines for e-Governance

Draft. Department of Electronics and Information Technology, Ministry of Communication and Information Technology, Government of India. Document Control: S/L Type

Best Practices for Outdoor Wireless Security

This paper describes security best practices for deploying an outdoor wireless LAN. Customers are encouraged

Secure Networks for Process Control

Leveraging a Simple Yet Effective Policy Framework to Secure the Modern Process Control Network. An Enterasys Networks White Paper. There is nothing more important than

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Dale Peterson, Director, Network Security Practice, Digital Bond, Inc., 1580 Sawgrass Corporate Parkway, Suite 130, Sunrise, FL 33323

Secure Access into Industrial Automation and Control Systems Best Practice and Trends

Serhii Konovalov, Venkat Pothamsetty, Cisco. Collaborating to Advance System Security. Vendor offers a remote firmware update and

PlantPAx on the Way to the Connected Enterprise

AUP 46. Wim van der Heide, Solution Architect. Copyright 2015 Rockwell Automation, Inc. All rights reserved. Agenda: 1. Why should you migrate? 1. Connected

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

Today's Topics: SCADA Overview; SCADA System vs. IT Systems; Risk Factors; Threats; Potential Vulnerabilities; Specific Considerations

ARCHITECT S GUIDE: Mobile Security Using TNC Technology

December 0. Trusted Computing Group, 855 SW 5rd Drive, Beaverton, OR 97006. Tel (50) 69-056, Fax (50) 644-6708, admin@trustedcomputinggroup.org, www.trustedcomputinggroup.org

Network Security. Tampere Seminar, 23rd October 2008

Copyright 2008 Hirschmann Automation and Control GmbH. Contents: Overview; Switch Security; Firewalls; Conclusion

Implementing Cisco IOS Network Security v2.0 (IINS)

Course Overview: Implementing Cisco IOS Network Security (IINS) v2.0 is a five-day instructor-led course that is presented by Cisco Learning Partners

Implementing Core Cisco ASA Security (SASAC)

1800 ULEARN (853 276), www.ddls.com.au. Length: 5 days. Price: $6215.00 (inc GST). Overview: Cisco ASA Core covers the Cisco ASA 9.0 / 9.1 core firewall and VPN features.

Innovative Defense Strategies for Securing SCADA & Control Systems

1201 Louisiana Street Suite 400, Houston, Texas 77002. Phone: 877.302.DATA, Fax: 800.864.6249, Email: info@plantdata.com. By: Jonathan Pollet

RuggedCom Solutions for NERC CIP Compliance

Rev 20080401. Copyright RuggedCom Inc. RuggedCom Solutions: Hardware, Ethernet Switches, Routers, Serial Server, Media Converters, Wireless, Embedded Software, Application

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

SSL-VPN Combined With Network Security. Introducing: A popular feature of the SonicWALL Aventail SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria

Virtualized System Reduces Client's Capital and Maintenance Costs

Steve Malyszko, P.E., President; Steve Schneebeli, Lead Systems Engineer. Rockwell Automation Process Solutions User Group

Cisco TrustSec How-To Guide: Planning and Predeployment Checklists

For comments, please email: howtoguides@external.cisco.com. Current Document Version: 3.0, August 27, 2012. Table of Contents...

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems

Contents: 1 An Introduction to Industrial Network Security 1; 1.1 Course overview 1; 1.2 The evolution of networking 1; 1.3

T07 - Talking to IT about Secure Remote Access

PUBLIC INFORMATION. Rev 5058-CO900E. Why is Secure Remote Access Important? What's Driving the Need? The Modern Enterprise: Global Locations, Partners & Suppliers

SonicWALL PCI 1.1 Implementation Guide

Compliance. A PCI Implementation Guide for SonicWALL SonicOS Standard, in conjunction with ControlCase, LLC (PCI Council Approved Auditor). SonicWall SonicOS Standard

Process Control Networks Secure Architecture Design

Guest Speaker: Robert Alston, Principal Lead Network and Security Consultant. Over 25 years network experience including design, implementation, troubleshooting

CompTIA Network+ (Exam N10-005)

Length: 5 Days. Location: 182, Broadway, Newmarket, Auckland. Language(s): English. Audience(s): Entry Level IT Professionals. Level: Intermediate. Vendor: Type: Delivery Method:

CIP-005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System

Purpose: CIP-005-5 R2 is focused on ensuring that the security of the Bulk Energy System is not compromised

Building A Secure Microsoft Exchange Continuity Appliance

Teneros, Inc., 215 Castro Street, 3rd Floor, Mountain View, California 94041-1203 USA. p 650.641.7400, f 650.641.7401. ON AVAILABLE ACCESSIBLE Building

Securing E-Commerce

Agenda: The Security Problem; IC Security: Key Elements; Designing and Implementing. The Security Dilemma: Internet Business Value; Internet Access; Corporate Intranet; Internet Presence

Best Practices for DanPac Express Cyber Security

March 2015. This whitepaper describes best practices that will help you maintain a cyber-secure DanPac Express system. www.daniel.com. Table of Contents: 1 Introduction

Cisco EXAM 500-451: Enterprise Network Unified Access Essentials (Buy Full Product: http://www.examskey.com/500-451.html)

Examskey Cisco 500-451 exam demo product is here for you to test the quality of the

Plant-wide Network Infrastructure. Copyright 2012 Rockwell Automation, Inc. All rights reserved.

Agenda: Additional On-site Information; EtherNet/IP Considerations; Logical Design Considerations; Physical Layer Design Considerations; Testing Considerations; Plant-Floor and

Implementing Cisco IOS Network Security

IINS v3.0; 5 Days, Instructor-led. Course Description: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles

CompTIA Network+ N10-005 Official Cert Guide Mapping Guide to CompTIA Network+ Simulator Labs

Domain 1.0: Network Concepts. 1.1 Compare the layers of the OSI and TCP/IP Models. TCP/IP Model Layer Matching

Managing Enterprise Security with Cisco Security Manager

Course SSECMGT v4.0; 5 Days, Instructor-led. Course Description: The Managing Enterprise Security with Cisco Security Manager (SSECMGT) v4.0 course

Passguide 500-451 35q

Number: 500-451. Passing Score: 800. Time Limit: 120 min. File Version: 18.5. Cisco 500-451 Cisco Unified Access Systems Engineer Exam. 100% Valid in US, UK, Australia, India and Emirates.

Information Security Assessment and Testing Services RFQ # 28873 Questions and Answers September 8, 2014

Q1: How many locations and can all locations be tested from a central location? A1: 5 locations, and not all tests can be performed from a central location. Q2: Connection type between location

Achieving PCI-Compliance through Cyberoam

White paper. The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

COMMUNICATION AND SECURITY IN CURRENT INDUSTRIAL AUTOMATION. Dr. György Kálmán, gyorgy@mnemonic.no

Agenda: Connected systems historical overview; Current trends, concepts, pre and post Stuxnet; Risks and threats

DeltaV Cyber Security Solutions

A Guide to Securing Your Process. A long history of cyber security: In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital

INTRUSION DETECTION SYSTEMS and Network Security

Intrusion Detection System (IDS). A layered network security approach starts with a well secured system, which starts with: up-to-date application and OS

Building Secure Networks for the Industrial World

Anders Felling, Vice President, International Sales, Westermo Group; Managing Director, Westermo Data Communication AB. Westermo: What do we do? Robust data

APPENDIX 3 LOT 3: WIRELESS NETWORK

A. TECHNICAL SPECIFICATIONS. MAIN PURPOSE: The Wi-Fi system should be capable of providing Internet access directly to a user using a smart phone, tablet PC, iPad or laptop

Security Testing in Critical Systems

An Ethical Hacker's View. Peter Wood, Chief Executive Officer, First Base Technologies. Who is Peter Wood? Worked in computers & electronics since 1969; founded First Base

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

A look at multi-vendor access strategies. Joel Langill, TÜV FSEng ID-1772/09, CEH, CPT, CCNA, Security Consultant / Staff

Policy Based Networks in Process Control Design and Deployment Techniques. Steve Hargis Enterasys Networks

Steve Hargis, Enterasys Networks. The Evolving Process Control Network: Significant increase in the use of (and dependencies on) standards-based

Agile Cyber Security Security for the Real World, Architectural Approach

Osama Al-Zoubi, Senior Manager, Systems Engineering; Fahad Aljutaily, Senior Solution Architect, Security. Market Trends: Welcome to the

http://www.velocis.in Extending Collaboration to BYOD Devices

Device Freedom without Compromising the IT Network. Today's employees are increasingly on the move, using mobile devices throughout