FRP15 Approche de la Cyber Sécurité par Rockwell Automation avec Cisco

Transcription

1 FRP15 Approche de la Cyber Sécurité par Rockwell Automation avec Cisco Christophe Magitteri, Cisco, Solutions Architect Iot Pierre Paterni, Rockwell Automation, Services Réseaux et Sécurité Mars 2016 Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 1

2 Agenda L Entreprise Connectée Rockwell-Cisco at a glance Cybersecurity Background CPwE Secure Architectures Les Services Réseaux Rockwell Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 2

3 Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. Our Three Core Platforms deliver THE CONNECTED ENTERPRISE Faster Time to Market Lower Total Cost of Ownership Headquarters Production Improved Asset Utilization Customers Enterprise Risk Management Supply Chain Smart Grid Field-Based Assets Distribution Center Integrated Architecture Intelligent Motor Control Solutions & Services

4 Agenda L Entreprise Connectée Rockwell-Cisco at a glance Cybersecurity Background CPwE Secure Architectures Les Services Réseaux Rockwell Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 4

5 Cisco and Rockwell Automation Technology, Network, Cultural and Organizational Convergence Common Technology View: Achieve flexibility, visibility and efficiency through a converged plant-wide / site-wide network architecture, using open, industry standard networking technologies, such as EtherNet/IP Converged Plantwide Ethernet (CPwE) Architectures: Plant-wide / site-wide focused tested, validated and documented reference architectures, comprised of Rockwell Automation and Cisco expertise, provide a foundation to successfully deploy the latest technologies optimized for both industrial automation and IT professionals Joint Product and Solution Collaboration: Stratix 5900 Services Router, Stratix 5100 Wireless Access Point/ Workgroup Bridge, and Stratix 5000 /Stratix 8000 families of managed industrial Ethernet switches, combine the best of both Rockwell Automation and Cisco People and Process Optimization: Services, education and certification to facilitate industrial automation and information technology convergence and successful architecture deployment, so that critical resources can focus on increasing innovation and productivity Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 5

6 Rockwell Automation Product Portfolio collaboration with Cisco Seamless, secure integration between plant and enterprise networks - addressing the needs of both IT and OT Managed Switches Multicast management services Diagnostic information Network Address Translation (NAT) Segmentation / VLAN capabilities Prioritization services (QoS) Network resiliency Security Appliances Secure real-time control communication Routing and firewall capabilities Intrusion protection Access control lists Quality of Service (QoS) Wireless Technology Connect hard-to-reach areas Mobile access to equipment and key business systems Minimizes hardware and wiring Premier Integration to the Rockwell Automation Integrated Architecture system and embedded Cisco Technology Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 6

7 Agenda L Entreprise Connectée Rockwell-Cisco at a glance Cybersecurity Background : Trends, Threats - Best Practices CPwE Secure Architectures Les Services Réseaux Rockwell Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 7

8 Common IACS Security Issues Weak Access controls to HMI and other equipment Separation of duty for operator, administrator, audit Little or no Password management Physical segmentation of the IACS network Dual-homed servers or PLCs act as Firewall Segmented network has only physical security Unauthenticated command execution Communication is un-encrypted Outdated operating systems left unpatched Rogue wireless access points without encryption Insufficient controls on users, contractors (i.e. access policy, laptops, etc ) Humans are writing the IACS system software Aging infrastructures: machines, OS, softwares. Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 8

9 ICS Threat Agents Threat Agent General hackers Botnet operators and spammers Organized crime group (e.g. gangs and crime syndicates) Insiders Phishers Foreign intelligence services Industrial spies Activists and terrorists Profile Looking for individual prestige Having the same skillsets as general hackers, but with the intent of further distributing and operating various botnets. These botnets may be rented out to other threat agents. Looking to obtain money, either as random against the threat of a disruptive attack, or through direct monetary theft Including disgruntled employees, technology or business partners, or recently terminated employees or partners Attempting to attract individual users to web sites loaded with malicious software in order to compromise the user devices State-sponsored entities, possibly paramilitary, usually operating from identifiable networks or geographic regions (if you can trace them) Mercenary type entities hired to target specific corporate assets and industries Ideologically motivated entities typically without the resources to develop exploits independently, but with enough resources to hire compromised devices from botnet operators or leverage off-the-shelf exploit kits Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 9

10 Consequences of Successful Attacks on Industrial Networks Incident Type Change in a system, operating system, or application configuration Change in programmable logic in PLCs, RTUs, and other controllers Potential Impact Introduction of command and control channels into otherwise secure system Suppression of alarms and reports to hide malicious activity Alteration of expected behavior to produce unwanted and unpredictable results Damage to equipment and/or facilities Malfunction of the process (e.g. shutdown) Disabling control over a process Misinformation reported to operators Causing inappropriate actions in response to misinformation that could result in a change in programmable logic Hiding or obfuscating malicious activity, including the incident itself or injected code (i.e., a rootkit) Tampering with safety systems or other controls Malicious software (malware) infection Preventing expected operations, fail safes, and other safeguards with potentially damaging consequences May initiate additional incident scenarios May impact production, or force assets to be taken offline for forensic analysis, cleaning, and/or replacement May open assets up to further attacks, information theft, alteration, or infection Information theft Sensitive information such as a recipe or chemical formula are stolen Information alteration Sensitive information such as a recipe or chemical formula is altered in order to adversely affect the manufactured product Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 10

11 Industrial Security Trends Established Industrial Security Standards International Society of Automation ISA/IEC (Formerly ISA-99) Industrial Automation and Control Systems (IACS) Security Defense-in-Depth IDMZ Deployment National Institute of Standards and Technology NIST Industrial Control System (ICS) Security Defense-in-Depth IDMZ Deployment Department of Homeland Security / Idaho National Lab DHS INL/EXT Control Systems Cyber Security: Defense-in-Depth Strategies Defense-in-Depth IDMZ Deployment Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 11

12 Agenda L Entreprise Connectée Rockwell-Cisco at a glance Cybersecurity Background : Trends, Threats - Best Practices CPwE Secure Architectures Les Services Réseaux Rockwell Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 12

13 IACS Security Objectives Restricting logical access to the ICS network and network activity Restricting physical access to the ICS network and devices Protecting individual ICS components from exploitation Maintaining functionality during adverse conditions. Restoring system after an incident. Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 13

14 Holistic Defense-in-Depth Industrial Security Policies Drive Technical Controls Education and awareness programs - training of OT personnel on industrial security policies and procedures on how to respond to a security incident Physical limit physical access to authorized personnel: control room, cells/areas, control panels, IACS devices. locks, gates, key cards, biometrics. This may also include policies, procedures and technology to escort and track visitors Network industrial security framework Computer Hardening patch management, anti-x software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports Application authentication, authorization, and accounting (AAA) Device Hardening change management, communication encryption, and restrictive access Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 14

15 Threat model protection Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall AAA VPN IPS -IDS Network Access Control Web security Network Behavior Analysis Posture Assessment Advanced Malware Protection Visibility and Context Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 15

16 Agenda L Entreprise Connectée Rockwell-Cisco at a glance Cybersecurity Background CPwE Secure Architectures: Overview - Segmentation - Identity Les Services Réseaux Rockwell Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 16

17 Built on Industry Standards Purdue Reference Model & ISA95 Enterprise Zone Enterprise Network Level 5 DMZ Site Business Planning and Logistics Network Demilitarized Zone Shared Access Level 4 Manufacturing Zone Site Manufacturing Operations and Control Level 3 Cell/Area Zone Area Control Level 2 Basic Control Level 1 Process Level 0 Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 17

18 Holistic Defense-in-Depth CPwE Architectures - Industrial Network Security Framework Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Authentication, Authorization and Accounting (AAA) Core Switches Wireless LAN (WLC) Active Control System Engineers Standby Control System Engineers in Collaboration with IT Network Engineers (Industrial IT) IT Security Architects in Collaboration with Control Systems Engineers Level 3 Site Operations FactoryTalk Client Level 2 Area Supervisory Control Distribution Switch Stack LWAP SSID 2.4 GHz SSID 5 GHz WGB Level 1 - I/O Soft Starter MCC Level 0 - Process I/O Drive Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 18

19 Agenda L Entreprise Connectée Rockwell-Cisco at a glance Cybersecurity Background CPwE Secure Architectures: Overview - Segmentation - Identity Les Services Réseaux Rockwell Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 19

20 Network Technology Convergence Continued Trend - Single Industrial Network Technology Flat and Unstructured Network Infrastructure Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 20

21 Segmentation Cell Area Cell/Area Zone #1 VLAN 10 I/O VFD HMI Multiple VLAN Routing on Stratix 8000 (REP) Ring Safety I/O HMI Drive Cell/Area Zone #2 VLAN 20 Stratix 8000 (Layer 2) Switches Management VLAN VLAN 50 VFD Drive I/O I/O Catalyst 3750 StackWise Switch Stack HMI Cell/Area Zone #3 VLAN 30 Cell/Area Zone #4 VLAN 40 Servo Drive I/O I/O I/O Industrial Zone Cell/Area Zones Levels 0 2 HMI Servo Drive VFD Drive Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 21

22 Segmentation NAT Machine to Machine Send message to Machine 2 CompactLogix Plant network switch Stratix 8300 TM Send message to Machine 2 CompactLogix Machine 1 NAT Machine 2 NAT Within a Machine Between Machine and Line Network Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 22

23 Segmentation IDMZ Level 5 Level 4 , Intranet, etc. Enterprise Network Site Business Planning and Logistics Network Enterprise Security Zone Remote Gateway Services Application Mirror Patch Management Web Services Operations AV Server Application Server Firewall Firewall Web CIP Industrial DMZ Level 3 Level 2 Level 1 FactoryTalk Application Server FactoryTalk Client Batch Control FactoryTalk Directory Operator Interface Discrete Control Engineering Workstation FactoryTalk Client Drive Control Remote Access Server Engineering Workstation Continuous Process Control Site Operations and Control Area Supervisory Control Operator Interface Basic Control Safety Control Industrial Security Zone Cell/Area Zone Level 0 Sensors Drives Actuators Robots Process Logical Model Industrial Automation and Control System (IACS) Converged Multi-discipline Industrial Network No Direct Traffic Flow between Enterprise and Industrial Zone Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 23

24 Holistic Defense-in-Depth Industrial DMZ positionning Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Industrial Zone: Levels 0-3 Identity Services Core Switches Wireless LAN (WLC) Active Standby Distribution Switch Stack SSID 2.4 GHz LWAP SSID 5 GHz WGB I/O Soft Starter MCC I/O Drive Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 24

25 Industrial Demilitarized Zone (IDMZ) Controlling Access to the Industrial Zone Sometimes referred to a perimeter network that exposes an organizations external services to an untrusted network. The purpose of the IDMZ is to add an additional layer of security to the trusted network Enterprise Security Zone TRUSTED? UNTRUSTED? Industrial DMZ BROKER Industrial Security Zone TRUSTED Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 25

26 Industrial Demilitarized Zone (IDMZ) Design Tenants -Best practices All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ Only path between zones No common protocols in each logical firewall No control traffic into the IDMZ, CIP stays home No primary services are permanently housed in the IDMZ IDMZ shall not permanently house data Application data mirror to move data into and out of the Industrial Zone Limit outbound connections from the IDMZ Be prepared to turn-off access via the firewall Disconnect Point Replicated Services Disconnect Point Trusted? Untrusted? Enterprise Security Zone Industrial Security Zone Trusted IDMZ No Direct Traffic Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 26

27 IDMZ Replicated Data and Services Permit Secure Remote Access to Industrial Assets Permit Data from the Industrial Zone to Enterprise Stakeholders Wide Area Network (WAN) Physical or Virtualized Servers ERP, Active Directory (AD), AAA Radius Call Manager Firewall (Inspect Traffic) Physical or Virtualized Servers Patch Management AV Server Application Mirror Remote Desktop Gateway Server Firewall (Inspect Traffic) Physical or Virtualized Servers FactoryTalk Application Servers & Services Network Services e.g. DNS, AD, DHCP, AAA Call Manager Storage Array Remote Desktop Gateway Engineer Remote Access Level 3 Site Operations Web Reports Permit Remote Access Server Web Proxy Block Untrusted Access to Enterprise Zone Levels 0-2 Cell/Area Zone Plant Manager Permit Untrusted Block VantagePoint PAC Untrusted FactoryTalk Client IO Block Untrusted Access to Industrial Zone Drive Block Distribution switch MCC Core switches Firewalls (Active/Standby) Core switches PAC LWAP PAC WLC (Enterprise) ISE (Enterprise) ISE WGB WLC (Active) WLC (Standby) Enterprise Zone Levels 4-5 Industrial Demilitarized Zone (IDMZ) Industrial Zone Levels 0-3 Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 27

28 Typical Systems involved in IDMZ Designs Use Case Enterprise Zone: Levels 4-5 User Wants Historian Data and Reports Historian Domain Replication Domain User Wants Web Reports Web Reports User Wants to Send / Retrieve Files Secure File Transfer Configure, Troubleshoot Industrial Zone Asset Remote Desktop Client Update AV and Install O.S Patches O.S Patch Anti Virus Update Synchronized Time Across All Zones NTP Master Server Firewall (Inspect) 2 1 Industrial Demilitarized Zone (IDMZ) PI to PI Connector Domain Reverse Web Proxy Secure File Transfer Gateway Remote Desktop Gateway Anti Virus & WSUS Server IDMZ NTP Server Firewall (Inspect) Industrial Zone: Levels 0-3 Historian Domain Web Servers File Server Terminal Server Servers, Desktops, Laptops Ind. Zone NTP Server Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 28

29 Holistic Defense-in-Depth Cell / Zone Firewall positionning Enterprise External DMZ/ Firewall Internet Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Identity Services Industrial Zone: Levels 0-3 Core Switches Wireless LAN (WLC) Active Standby Level 3 Site Operations Distribution Switch Stack FactoryTalk Client Level 2 Area Supervisory Control SSID 2.4 GHz LWAP SSID 5 GHz WGB Level 1 - I/O Soft Starter MCC Level 0 - Process I/O Drive Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 29

30 Protocol Inspection Cell/Area Zone Firewall Policy Enforcement (example) Industrial Zone SNMP Sweep Ping Sweep CIP Class 3 CIP http Class 1 icmp - CIP icmp Class - ping3 CIP Class 3 Zone Firewall Cell/Area Zone CIP Class 3 CIP Class 1 icmp - ping Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 30

31 Firewall IDS/IPS products Cisco ASA 5515-X Available ISA3000-4C-K9/Stratix5950 Coming Soon!! Industrial DMZ firewall Rack mount, High performances, HA. Cell / Zone firewall Din Rail, Industrially hardened Firewall : Segmentation, NAT, L3-L4 Stateful inspection IDS/IPS : Content security, threat signatures, ICS protocol Inspection Remote Access : Encrypted VPN, clientless remote access SSL, Anyconnect client Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 31

32 Agenda L Entreprise Connectée Rockwell-Cisco at a glance Cybersecurity Background CPwE Secure Architectures: Overview - Segmentation - Identity Les Services Réseaux Rockwell Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 32

33 Secure Access Consolidating access for employee/contractors/vendors Who? Employee Attacker Guest What? Personal Device Company Asset How? Wired Wireless VPN plant 1, zone 2 Headquarters When? Weekends (8:00am 5:00pm) PST Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 33

34 ISE Unifying policy for all mediums VPN VPN Louise Plant tech Zone 2 WIfi Kevin LOB Engr Lan ISE AD Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 34

35 Examples of Non-User Endpoints Printers IP Cameras Alarm Systems Fax Machines Wireless APs Turnstiles Video Conferencing Stations IP Phones Hubs Managed UPS Cash Registers Medical Imaging Machines HVAC Systems RMON Probes Vending Machines... and many others Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 35

36 ISE Profiler Profiling Probes OUI, DHCP, Netflow, DNS, HTTP, CDP, LLDP Collection Classification ID Group Assignment The Network Full conn Full zone only HMI1 + HMI2 HMI1 Negated ISE Apply Policies Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 36

37 ISE Policy Enforcement VLANs and dacls VLAN Assignment VLANs ISE Authorization policy sets VLAN. Infrastructure provides enforcement Typical VLAN examples: Quarantine/Remediation VLAN Guest VLAN Employee VLAN. Typically requires IP change and/or VLANs trunked throughout 802.1X/MAB/Web Auth ACL Download ISE AD CA dacls ISE Authorization policy pushes dacl or named ACL to NAD. ACL source (any) automatically converted to specific host address. Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 37

38 Adding ISE to CPwE Site Operations Level 3 Camera WGB Phone ISE PSN LWAP SSID 5 GHz WGB LWAP Cell/Area Zone - Levels 0-2 Redundant Star Topology - Flex Links Resiliency Unified Wireless LAN ISE ADMIN Primary WLC Secondary WLC Catalyst 2960 UCS Remote Access Server LWAP SSID 2.4 GHz Drive FIRE Enterprise Link for Failover Detection Firewall (Active) Catalyst 6500/4500 Rockwell Automation Stratix 5700/8000 Layer 2 Access Switch Firewall (Standby) FIREASA 5500 HMI Catalyst 3750X StackWise Switch Stack Soft Starter Cell/Area Zone - Levels 0-2 Ring Topology - Resilient Ethernet Protocol (REP) Unified Wireless LAN I/O External DMZ/ Firewall Instrumentation Internet Plant Firewalls Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Remote Desktop Services proxy Servo Drive Safety HMI Cell/Area Zone Levels 0-2 Cell/Area Zone Levels 0-2 Robot Safety I/O Employee Remote Access Enterprise Zone Levels 4 and 5 Industrial Demilitarized Zone (IDMZ) AP Industrial Zone Levels 0-3 SSID 5 GHz Safety I/O WGB NOTES 1) All endpoints must authenticate before being allowed on the network. 2) Centralizing authentication for all three mediums (wired, wireless, remote access) 3) Centralizing your network policy/privileges 4) Full reporting capability on every endpoint accessing the network. -- Device type -- Username/MAC/IP -- Where they Auth d from Cell/Area Zone - Levels 0-2 Linear/Bus/Star Topology Autonomous Wireless LAN Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 38

39 Example Wired Secure access Contractor/Vendor ISE ADMIN AD Enterprise External DMZ/ Firewall Internet Employee Remote Access Enterprise Zone Levels 4 and 5 Catalyst 2960 FIRE Link for Failover Detection Firewall (Active) Firewall (Standby) FIRE ASA 5500X Plant Firewalls Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Remote Desktop Services proxy Industrial Demilitarized Zone (IDMZ) ISE PSN AD UCS Catalyst 6500/4500 Catalyst 3750X StackWise Switch Stack Cell/Area Zone Levels 0-2 NOTES 1. Employee endpoint is examined by ISE Site Operations Level 3 Camera WGB Phone LWAP SSID 5 GHz WGB Primary WLC LWAP Secondary WLC Cell/Area Zone - Levels 0-2 Redundant Star Topology - Flex Links Resiliency Unified Wireless LAN RAS LWAP SSID 2.4 GHz Drive Rockwell Automation Stratix 5700/8000 Layer 2 Access Switch I/O HMI Soft Starter Instrumentation Ring Topology - Resilient Ethernet Protocol (REP) Unified Wireless LAN Servo Drive Safety HMI Robot RDP - Studio5000 Safety I/O AP SSID 5 GHz Safety I/O WGB 2. ISE sends back a dacl allowing access to that zone, but denies communication to other zones. 3. Employee has Studio 5000 on laptop, and receives direct access to controller Cell/Area Zone - Levels 0-2 Linear/Bus/Star Topology Autonomous Wireless LAN Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 39

40 Example Wireless Secure access Contractor/Vendor ISE ADMIN AD Enterprise External DMZ/ Firewall Internet Employee Remote Access Enterprise Zone Levels 4 and 5 ISE PSN PKI AD Catalyst 2960 UCS FIRE Link for Failover Detection Firewall (Active) Catalyst 6500/4500 Firewall (Standby) FIRE ASA 5500X Catalyst 3750X StackWise Switch Stack Industrial Demilitarized Zone (IDMZ) RDP Mgmt Software NOTES Contractor /Vendor access restricted to devices via RDP machine Site Operations dacl Level 3 RAS WLC Camera Phone WGB LWAP SSID 5 GHz WGB LWAP AP SSID 2.4 GHz Drive Layer 2 switch I/O HMI Soft Starter Instrumentation Servo Drive Safety HMI Robot Safety I/O AP SSID 5 GHz Safety I/O WGB Redundant Star Topology Ring Topology - Linear/Bus/Star Topology Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 40

41 Example - Remote Access FTView SE Server for Configuration Enterprise Zone: Levels 4-5 Industrial Demilitarized Zone (IDMZ) Remote Desktop Gateway Industrial Zone: Levels 0-3 Terminal Server View SE Client View SE Server RSLinx Enterprise FT Live Data Level 3 Site Operations Levels 0-2 Cell/Area Zone Remote Desktop Client PAC 1 2 Enterprise WAN Distribution switch External DMZ / Firewall Core switches Firewalls (Active/Standby) Core switches LWAP Internet WLC (Enterprise) ISE (Enterprise) ISE WGB WLC (Active) WLC (Standby) Propose High Level Architecture Place Assets in the Enterprise or Industrial Security Zone Place proposed Assets in IDMZ Draw communication lines between the assets and asset owners to make sure requirement are met FactoryTalk Client IO Drive MCC PAC PAC Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 41

42 Agenda L Entreprise Connectée Rockwell-Cisco at a glance Cybersecurity Background CPwE Secure Architectures Les Services Réseaux Rockwell Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 42

43 Why Rockwell Automation NSS Network & Security Services Differentiation Converged skill set of operational technology (OT) and information technology (IT) Experience across industrial control applications and networks Ability to address security risks without sacrificing productivity Full life cycle service offering with global delivery capability Global Capability Network & Security Services For plant personnel, who need secure industrial infrastructure, NSS is a team of industrial automation and IT experts that assess, implement and support plant-wide network infrastructure. Unlike large IT vendors and resellers, we offer a comprehensive and tailored solution that balances both IT requirements and production goals of your company. Because Infrastructure Matters Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 43

44 Network & Security Services Pre-Engineered Solutions Simplify and Accelerate CPwE Deployment Inclusive of Support Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 44

45 Network & Security Services Portfolio Supported World Wide by NSS Professionals Global Support. Local Address. Peace of Mind. Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 45

46 Additional Material CPwE Architectures - Cisco and Rockwell Automation Whitepapers ENET-WP022B-EN-P - Top 10 Recommendations for Plant-wide EtherNet/IP Deployments ENET-WP009A-EN-P - Achieving Secure Remote Access to plant-floor Applications and Data ENET-WP031A-EN-P - Design Considerations for Securing Industrial Automation and Control System Networks ENET-WP033A-EN-P - Resilient Ethernet Protocol in a Converged Plantwide Ethernet (CPwE) Architecture ENET-WP034A-EN-P - Deploying Wireless LAN Technology within a Converged Plantwide Ethernet Architecture ENET-WP036A-EN-P - Deploying Network Address Translation within a Converged Plantwide Ethernet Architecture ENET-WP037A-EN-P - Deploying Identity Services within a Converged Plantwide Ethernet Architecture ENET-WP038A-EN-P - Securely Traversing IACS Data Across the Industrial Demilitarized Zone ENET-WP039B-EN-P - A Resilient Converged Plantwide Ethernet Architecture ENET-WP040A-EN-P - Migrating Legacy IACS Networks to a Converged Plantwide Ethernet Architecture Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 46

47 Additional Material Rockwell Automation ENISA Protecting Industrial Control systems (2011) ANSSI La cybersécurité des systèmes industriels (2014) NIST SP Guide to Industrial Control systems Security (2011) CPNI UK (2011) ce/cyber/scada/ Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 47

48 Because Infrastructure Matters Copyright 2016 Rockwell Automation, Inc. All Rights Reserved. 48