Network & Security Services (NSS) Because Infrastructure Matters

Transcription

1 Network & Security Services (NSS) Because Infrastructure Matters Andrew Ballard Commercial Director Services & Support - EMEA Rev 5058-CO900E

2 THE CONNECTED ENTERPRISE Headquarters Optimized for Rapid Value Creation Supply Chain Integration Collaborative, Demand Driven Compliant and Sustainable PRODUCTIVITY SUSTAINABILITY Smart Grid AGILITY Customers Supply Chain Distribution Center Copyright 2013 Rockwell Automation, Inc. All Rights Reserved. 2

3 BIG DATA and ANALYTICS DRIVERS: 39% Support collaboration 37% Fact-based decision 33% Better ways to serve customers Source: Aberdeen 2 Source: McKinsey & Company Exabytes Manufacturing generates more BIG DATA than any other sector. Real-Time Control in Manufacturing Produces Big Data Copyright 2013 Rockwell Automation, Inc. All Rights Reserved. 3

4 Copyright 2013 Rockwell Automation, Inc. All Rights Reserved.

5 TRANSFORMATION INTEGRATED CONTROL AND INFORMATION ENABLER Common Secure Ethernet Infrastructure Enterprise Infrastructure Automation Infrastructure One Common Environment CONVENTIONAL: SEPARATE IT & AUTOMATION FUTURE: UNIFIED INFRASTRUCTURE Copyright 2013 Rockwell Automation, Inc. All Rights Reserved. 5

6 Manufacturing and IT Convergence Creating challenges and opportunities Technology Convergence Business Innovation Model Business Model Innovation Business Agility Competitive Advantage Network Convergence Organizational Convergence Cultural Convergence Wide Ethernet Deployment Increasing Business Pressures Copyright 2010 Rockwell Automation, Inc. All rights reserved. Copyright 2013 Rockwell Automation, Inc. All Rights Reserved. 6

7 The Evolving, Persistent Security Threat Was the Internet ever designed to be secure? Was your plant-floor network ever really designed? (if not how can it be secure?) Thieves are breaking into networks around the world, companies large and small, governments, agencies and industrial control systems (ICS), are you secure? Technology that helped us grow is also a risk to keeping our company and our customers and partners confidential information safe. Traditional security controls are no longer enough We must respond to these fast growing cyber threats against us, our customers and eco-system partners. Copyright 2013 Rockwell Automation, Inc. All Rights Reserved. 7

8 Manufacturing Security Infographic Source : 2013 DBIR Sixty Two Percent took Months or Years to Discover of breaches took less than a day to execute 53% took months to Only 1 out of 10 were discovered by an internal resource Contain

9 The cost of Industrial Cyber Security* Cyber incidents cost US organizations (no published data for KSA): $558K in revenue losses $481K in brand damage $366K in compliance fines $174K in lost productivity DAY Incidents are costing US industry $6M per day or $20B per year. US industrial cybersecurity maturity is ~5 years ahead Europe & M-E. Companies that implement cybersecurity best practices see the ROI 2½ times less likely to experience a major cyber attack 3½ times less likely to experience unplanned downtime * Source: Belden Industrial Ethernet Infrastructure Design Seminar. Greg Hale, the Editor and Founder of ISSSource.com. October

10 Industrial Cyber Security Cyber Security is not a product. It is state of being. Cyber Security relies on many factors Ongoing collaboration of Customers and Vendors and End-users Use of Technical and Non-technical Security Controls Evolving Policies, Procedures, Practices and Technical controls Sustained and expanded investments that identify and mitigate operational risks to both the Industrial Control System and enterprise. The use of proven technologies, policies & procedures to RISK = Threat Vulnerability Consequence 10

11 4D Industrial Cyber Security People Processes Technology Facilities & Environment Protection of People, Property & Proprietary Information from unintended or malicious actions taken against it 11

12 Industrial Infrastructure Today s Plant Floor - Reality Our Experience Conventional Servers Large installed base of proprietary networks Protocol converters prevalent Limited plant-floor segmentation or security Single point of failure is common-place Insecure Remote Access solutions Limited Governance - lack of policies and procedures Large installed base of aging server infrastructure & legacy operating systems No process for patching or endpoint anti-virus protection with negative impact to production Server sprawl - more applications, growing business requirements, (one application/server) Lack of plant based on-site IT resource. Disparate Flat Networks

13 Industrial Infrastructure Common Customer Pain Points Inefficiency Vulnerability Inflexibility Fear of Lock-In Low Competency in Market (automation/it) Networks Evolved over Time (never designed) High MTTR (issue identification/resolution) High Capital Expense Security is After Thought Aging Industrial Control Systems Commonly Reported Business Disruptions Evolving Industrial Security Standards Project Dependence upon IT Organization Lack of Scalable Architectures Legacy Asset Islands Too Much Data, Lack of Actionable Information Heterogeneous Control Environments New Technologies (e.g. Big data, mobile, cloud) Rapidly Evolving Proprietary Network Protocols Rapidly Evolving Industrial IT Environment

14 RA Network & Security Services team: Life Cycle Approach to Services and Solutions ASSESS DESIGN IMPLEMENT VALIDATE MANAGE 14

15 Network and Security Services What we deliver! Agility Choice Reduced CapEx,OpEx and total cost of ownership Reduced Risk while Improving Overall Equipment Effectiveness (OEE) Reduced project dependence upon IT organization Long software lifecycle vs. short hardware lifecycle Network Scalability, Virtualization Economics, Reduction in Support Security without Sacrificing Productivity Bring new assets online in days vs. weeks Your Control System, Your Infrastructure

16 Why Rockwell Automation Network and Security Services (NSS) Differentiation Converged skill set of operational technology (OT) and information technology (IT) Experience across industrial control applications and networks Breadth of industry standard committee (ISA, NIST, INL, DHS ) participation Ability to address security risks without sacrificing productivity Full life cycle service offering with global delivery capability Network & Security Services For plant personnel, who need secure industrial infrastructure, NSS is a team of industrial automation and IT experts that assess, implement and support plant-wide network infrastructure. Unlike large IT vendors and resellers, we offer a comprehensive and tailored solution that balances both IT requirements and production goals of your company. Because Infrastructure Matters

17 Example Bio of Our Team Members Principal Network & Security Consultant, Network & Security Services CISSP (Certified Information Systems Security Professional) CISA (Certified Information Systems Auditor) ISO 27001:2005 Lead Auditor COBIT Foundation Certificate ITIL Foundation Certificate CCNP (CISCO Certified Networking Professional Security Certificate) CISCO IPS Specialist CISCO Firewall Specialist CISCO Information Security Specialist Additional Certs and Awards: CISCO SND: Securing Network Devices, CISCO SNRS: Securing Networks with Cisco Routers and Switches, CISCO SNPA: Securing Networks with PIX and ASA, CISCO CCNA: Certified Network Associate CISCO Systems Infrastructure and Ethical Hacking Instructor 5+ Years Industrial Control System Experience Network and Security Infrastructure Team Leadership and Project Management: o High Level Design/Low Level Design multi-sector: IACS and Critical Infrastructure, Data Centre, Internet Service Provider, Multi-Enterprise Sectors, Risk Management, Business Continuity & Disaster Recovery Planning, Incident Response (Government & multiple private sectors) Team Leader and Project Manager implementing and auditing ISO/IEC in multiple Government Units Team Leader implementing Secure Development Lifecycle in multiple Government Units SIEM (Security Information and Event Management) complex heterogeneous strategies & deployments across multiple public/private Sectors Offensive Penetration Tester and Security Assessments across multiple public/private Sectors Multi-Vendor deployment : CISCO, JUNIPER, Checkpoint, HP, Hirschmann, Fortinet, F5, ArcSight, Palo Alto Networks, Tipping Point, RSA, Bluecoat, etc. 17

18 Connected Enterprise Collaboration of Partners Rockwell Automation Cisco Panduit Microsoft VMWare Rockwell Automation and Partner Portfolio Automation & Process Control and Information Solutions Wireless, Security, Switching & Routing Physical Layer Network Infrastructure Operating Systems, Database / Cloud Infrastructure, & Application Security Data Center Virtualization

19 Our Services Support Standards; Converged Plant-wide Ethernet (CPwE) ERP, , Wide Area Network (WAN) Enterprise Zone Levels 4 and 5 Patch Management Remote Gateway Services Application Mirror AV Server FactoryTalk Application Servers View Historian AssetCentre, Transaction Manager FactoryTalk Services Platform Racks Catalyst Patching 6500/4500 Cable Management Copper/Fiber Directory Remote Catalyst 3750 Security/Audit Data Servers Access Server Gbps Link for Failover Detection Firewall (Active) Firewall (Standby) Cisco ASA 5500 StackWise Switch Stack Demilitarized Zone (DMZ) Plant Firewall: Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Terminal Server proxy Industrial Zone Site Operations and Control Level 3 Network Services DNS, DHCP, syslog server Network and security mgmt Industrial Data Center (IDC) NSS Services Security Services Cell/Area Zones Levels 0 2 Copper, Fiber, Wireless Testers Network Discovery Protocol Statistics Drive Controller HMI I/O Cell/Area Zone #1 Redundant Star Topology Flex Links Resiliency I/O Rockwell Automation Stratix 8000 Layer 2 Access Switch Controller I/O HMI Drive Cell/Area Zone #2 Ring Topology Resilient Ethernet Protocol (REP) Physical Logical Common Framework Toolsets HMI I/O Cell/Area Zone #3 Bus/Star Topology Controller Drive End Device Control Panel Network Zone 19

20 This image cannot currently be displayed. This image cannot currently be displayed. High Emphasis on Security Converged Plant-wide Ethernet Security Solutions Structured and Hardened IACS Network Infrastructure Industrial Data Center design & implementation Industrial security policy Pervasive security, not a bolt-on component Security framework utilizing defense-in-depth approach Industrial DMZ implementation Remote partner access policy, with robust & secure implementation Standard DMZ Design Best Practices Enterprise Zone Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management Remote Gateway Services Application Mirror AV Server AAA - Application Authentication Server, Active Directory (AD), AAA - Network Remote Access Server Level 3 Site Operations FactoryTalk Client Client Hardening Level 2 Area Supervisory Control Controller Hardening, Encrypted Communications VLANs, Segmenting Domains of Trust Unified Threat Management (UTM) Controller Hardening, Physical Security VLANs Controller Level 1 - Controller Catalyst 3750 StackWise Switch Stack Enterprise WAN Cisco ASA 5500 Firewall (Active) Network Status and Monitoring Catalyst 6500/4500 Controller Controllers, I/O, Drives Firewall (Standby) I/O HMI Level 0 - Process Plant Firewall: Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Terminal Server proxy Drive Network Device Resiliency Network Infrastructure Access Control and Hardening Physical Port Security MCC Soft Starter 20

21 Delivering Network Convergence What are the similarities and differences? 21

22 Plant-Floor and Enterprise Requirements Policies - Similarities and Differences Focus Precedence of Priorities Types of Data Traffic Access Control Implications of a Device Failure Threat Protection Upgrades Plant-Floor Network 24/7 Operations, High OEE Availability Integrity Confidentiality Converged Network of Data, Control, Information, Safety and Motion Strict Physical Access Simple Network Device Access Production is Down ($$ s/hour or Worse) Isolate Threat but Keep Operating Scheduled During Downtime Enterprise Network Protecting Intellectual Property and Company Assets Confidentiality Integrity Availability Converged Network of Data, Voice and Video Strict Network Authentication and Access Policies Work-around or Wait Shut Down Access to Detected Threat Automatically Pushed During Uptime 22

23 Network & Security Services: Life Cycle Approach to Services and Solutions ASSESS DESIGN IMPLEMENT VALIDATE MANAGE 23

24 Assessment Service Assessment Process: On site customer collaboration Assess all layers of OSI model Physical layer Logical layer Application layer Defense in Depth security evaluation Assess against industry and company standards Deliverables Detailed report of findings Prioritized critical issues Remediation's/suggestions Standard: on site observational and interview based Comprehensive: on site technically determined via tools ASSESS DESIGN IMPLEMENT VALIDATE MANAGE

25 Design Service Network Design Deliverable Package Functional Requirements Bill of Material Cable Selection Physical Hardware Connectivity Access and Distribution Layer Topology Physical Layer Drawings VLANs Addressing schema Switch and Network Configuration Redundancy Remote Access Security Standard: logical and physical conceptual design Comprehensive: detailed logical, physical with ports and protocols design ASSESS DESIGN IMPLEMENT VALIDATE MANAGE

26 Implementation Services Implementation Package Procurement Configuration Installation Testing Start Up Transition to Support Turn Key Projects: Based on RA Design Service Pre-Engineered Solutions: Industrial Data Center, Industrial De-Militarized Zone, Zone Enclosures, Secure Remote Access Custom: based on the role you need RA NSS to play (materials, labor, project mgmt) ASSESS DESIGN IMPLEMENT VALIDATE MANAGE The Power of Rockwell Automation Partnerships

27 Industrial Data Center Your Cost Effective Gateway to Virtualization Industry-leading partners collaborating with Rockwell Automation to help your business realize the benefits of virtualization through a pre-engineered, scalable infrastructure offering. Complete turn key solution including: Hardware Software Factory assembly On-site configuration Documentation TechConnect SM support Model Shown: E2000 Standard pre-engineered industrial solution to simplify deployment making commissioning and maintenance easier, scalable, and more supportable. 27

28 What is Virtualization? Traditionally the OS and its applications were tightly coupled to the hardware they were installed on Virtualization breaks the link between operating system and physical hardware This allows the ability to change hardware without replacing the OS or applications Additionally multiple instances of an OS with independent applications can now run on the same hardware Application Application Application Operating Hypervisor System

29 Server Consolidation Many physical servers - Under utilized - Requiring maintenance - Generating heat - Consuming energy Fewer physical servers More efficiently utilized Easier to maintenance Generating less heat Consuming less energy

30 IDC Supports Server Consolidation Supports more than 150 virtual machines Up to 3 Cisco C240M3 servers with 128GB RAM 2 - Cisco 3750X switches with 48 ports EMC VNXe 3150 storage with 10K SAS disks giving 9 TB usable storage Support VMware HA, FT and application redundancy Room to expand with 3 additional servers, additional RAM and 50 additional disk Room for in rack network equipment

31 Reliability: High Availability Automatic restart of failed virtual machines Resource Pool VMware ESXi VMware ESXi VMware ESXi Operating Server Operating Failed Server Operating Server

32 Reliability: VMware Fault Tolerance Simultaneous execution across two physical servers No Reboot Seamless Cutover VMware ESXi VMware ESXi VMware ESXi OperatingServer OperatingServer Failed OperatingServer

33 Increasing Uptime and Availability Local Site Failover Site vsphere vsphere vsphere vsphere vsphere Local Availability vsphere High Availability vsphere Fault Tolerance vmotion and Storage vmotion Disaster Recovery vcenter Site Recovery Manager Includes vsphere Replication Data Protection vsphere Data Recovery Storage APIs for Data Protection

34 Implementation Services The Power of Collaboration Implementation solutions typically include: Engineering Design from Rockwell Automation Servers and switches from Cisco Cables, patch cords, cable management, testing, validation, and assembly from Panduit Storage from EMC² Virtualization software from VMWare Hardware & Software Support from Rockwell Automation ASSESS DESIGN IMPLEMENT VALIDATE MANAGE 34

35 Validation Service Validation Deliverable Package Audit current architecture compared to governing body (ODVA, IEEE, ANSI, TIA, ISA-95) Audit security program compared to governing body (NERC CIP, ISA-99, NIST , NIST ) Services includes all networks Data Highway DeviceNet ControlNet Ethernet Fieldbus Standard: known industry standard Custom: customer specific standard ASSESS DESIGN IMPLEMENT VALIDATE MANAGE

36 Scalable Infrastructure Support TechConnect Managed Services Remote Support Services RA Tech Support has Certified personal on staff CCNP (Cisco Network Professional) CCNA (Cisco Network Associate) CCNA Security (Cisco Security) CCENT (Entry Network Technician) CCISP (Information Systems Security Professional) VMware Certified Associate VMware Certified Professional Infrastructure Administration Asset Health Monitoring One number to call for support Infrastructure TechConnect Secure Remote Access Value ASSESS DESIGN IMPLEMENT VALIDATE MANAGE 36

37 Complete Support Infrastructure Hardware and Software Applications Customer Rockwell will monitor and alarm Customer will own and manage Operating System Hypervisor Device Layer Network Layer Rockwell Automation Rockwell will monitor and manage the operating system, hypervisor, physical server stack including the rack, hosts, memory, storage area network (SAN), and uninterruptible power supply (UPS). Environment Customer Customer will be responsible for the physical space including maintaining proper ambient conditions, security and power

38 For additional information PlantPAx: O&G information: Download Process Safebook: Check out the Process demo on the show floor Request a PlantPax Demo: Join us at PSUG & AF:

39 Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. Rev 5058-CO900F