AUP28 - Implementing Security and IP Protection
|
|
- Maximillian Foster
- 8 years ago
- Views:
Transcription
1 AUP28 - Implementing Security and IP Protection Features in the Integrated Architecture Mads Laier DK Commercial Engineer Logix & Networks Rev 5058-CO900E
2 Agenda Why IACS Security Now! Defense in depth Key Takeaways Design Considerations Additional Information 2
3 The threat is real!
4 Industrial Market Drivers Improve Asset Utilization Maximize return on your automation investment Drive Speed & Innovation Speed time to market; manage brand equity Innovation Reduce Energy usage Contextualize Data into Information Manage Risk Implement systems and procedures to address market dynamics and regulatory requirements 4
5 Cyber Security in the News? First there was Stuxnet Copyri 5
6 Cyber Security in the News In 2015 the game changed. Cyber security issues caused the CEO of a large US company to resign This showed highlighted that Manufacturing is the new back door. 6
7 Hackers have found Remote Access is an easy way to get into the Industrial network New Havex malware variants target industrial control system and SCADA users During the spring, attackers began distributing new versions of a remote access Trojan (RAT) program called Havex by hacking Following into the websites the discovery of industrial of control the Stuxnet system (ICS) manufacturers and poisoning their legitimate software industrial downloads sabotage malware in 2010, which is believed to have destroyed up to 1,000 F-Secure did not name the affected vendors, but said that two of them develop ICS remote management uranium enrichment centrifuges in Iran, software and the third supplies high-precision industrial cameras and related software. According to the security researchers sounded the alarm security firm, the vendors are based in Germany, Switzerland and Belgium. about the insecurity of industrial control The attackers modified systems the legitimate and software the ease installers with which to drop they and execute can an additional file on computers. The file is called be targeted mbcheck.dll by and attackers. is actually Despite the Havex those malware. That conclusion is also supported concerns, by widespread the existence of malware a new malicious attacks Havex component whose purpose is to scan local area networks against for ICS devices and that SCADA respond systems to OPC (Open never Platform Communications) requests. became a reality, making the new Havex campaigns a rare occurrence, but possibly The Havex component leverages the OPC standard to gather information about industrial control devices an indication of things to come. and then sends that information back to its command-and-control (C&C) server for the attackers to analyze, the F-Secure researchers said. It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware. 7
8 Hackers damage Steel Plant. Hackers infiltrated a German steel mill and made it impossible to safely shut down a furnace, according to a German security report quietly published before the new year. The breach, which caused massive damage, marks just the second time a digital attack caused physical damage, highlighting growing fears that cyberwarfare will soon impact more than computers and networks. 8
9 It is becoming the LAW Many countries are enacting laws to protect their Critical Infrastructure 9
10 Industrial Network Security Trends Established Industrial Security Standards International Society of Automation ISO/IEC (Formerly ISA-99) Industrial Automation and Control Systems (IACS) Security Defense-in-Depth IDMZ Deployment National Institute of Standards and Technology NIST Industrial Control System (ICS) Security Defense-in-Depth IDMZ Deployment Department of Homeland Security / Idaho National Lab DHS INL/EXT Control Systems Cyber Security: Defense-in-Depth Strategies Defense-in-Depth IDMZ Deployment A secure application depends on multiple layers of protection. Industrial security must be implemented as a system. 10
11 Agenda Why ISC Security Now! Defense in depth Key Takeaways Design Considerations Additional Information 11
12 What Risk Copyright 2015 Rockwell Automation, Inc. All rights reserved. 12
13 From Who? Security Threat Actors Human Malicious Ignorant System Misconfiguration Lack of Privilege Control 13
14 Rockwell Automation Focus on Industrial Cyber Security Reduce risks to safe and reliable operation Control system architecture with layered security to help maintain operational integrity under threat Protect assets & information Product and system features to help control access, tamper-proof and limit information exposure Government and Standards Alignment Responsible disclosure with control system solutions that follow global standards and help fulfill independent & regulatory security requirements 14
15 Defense-in-Depth No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications. Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats. This approach utilizes multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats. 15
16 Recommendations for Defending ICS Separate control network from enterprise network Harden connection to enterprise network Protect all points of entry with strong authentication Make reconnaissance difficult from outside Harden interior of control network Make reconnaissance difficult from inside Avoid single points of vulnerability Frustrate opportunities to expand a compromise Harden field sites and partner connections Mutual distrust Monitor both perimeter and inside events Periodically scan for changes in security posture Copyright 2015 Rockwell Automation, Inc. All rights reserved.
17 Two Critical Elements to Industrial Cyber Security A balanced Security Program must address both Technical and Non- Technical Risks and Controls Non- Technical Technical Technical Controls (firewalls, layer-3 ACLs, etc.) provide restrictive measures for Non-technical Controls (rules for environments, i.e. policy, procedure, etc.) 17
18 Defense-in-Depth Industrial Security Policies Drive Technical Controls Physical limit physical access to authorized personnel Cells/Areas, control panels, devices, cabling, and control room Network security framework e.g. firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS) Computer Hardening patch management, Anti-X software, removal of unused applications/ protocols/services, closing unnecessary logical ports, protecting physical ports Application authentication, authorization, and accounting (AAA) software Device Hardening change management, communication encryption, and restrictive access 18
19 Defense-in-Depth Application Security - Examples FactoryTalk Security Centralized authentication & access control Verifies user identity before granting system access Grants or denies requests to perform actions FactoryTalk AssetCentre Centralized storage of audit records Limits access to product and system data Offers back-up and archive of application files Studio 5000 Programming Software Control access to routines and AOIs with source protection Control access to tags with Data Access Control Detect unauthorized modification with Change Detection 19 Funda
20 Defense in depth Controller Hardening Physical Procedure Physical procedure: Restrict Industrial Automation and Control System (IACS) access to authorized personnel only Control panels, devices, cabling, and control room Locks, gates, key cards Video Surveillance Other Authentication Devices (biometric, keypad, etc.). Switch the Logix Controller key to RUN 20
21 Defense in Depth. Controller Hardening Electronic Design Protect the Source Embedded Change Log FactoryTalk Security Data Access Control Trusted Slot with Embedded VPN Module Copyright 2011 Rockwell Automation, Inc. All rights reserved. 21
22 Defense-in-Depth Computer Hardening - Examples Security Patch Management: establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches Keep computers up-to-date on service packs and hot fixes Disable automatic updates Check software vendor website Test patches before implementing Schedule patching during downtime Deploy and maintain Anti-X (antivirus, antispyware, etc.) and malware detection software Disable automatic updates and automatic scanning Test definition updates before implementing Schedule manually initiated scanning during downtime Uninstall unused Windows components Protocols and Services Protect unused or infrequently used USB, parallel or serial interfaces 22 Funda
23 Industrial Network Security Industrial vs. Enterprise Network Requirements Industrial Requirements Switches Managed and Unmanaged Layer 2 is predominant Traffic types Information, control, safety, motion, time synchronization, energy management Performance Low Latency, Low Jitter Data Prioritization QoS Layer 2 & 3 IP Addressing Static Security Industrial security policies are inconsistently deployed Open by default, must close by configuration and architecture Enterprise Requirements Switches Managed Layer 2 and Layer 3 Traffic types Voice, Video, Data Performance Low Latency, Low Jitter Data Prioritization QoS Layer 3 IP Addressing Dynamic Security Pervasive Strong policies Similarities and differences? Copyright 2015 Rockwell Automation, Inc. All rights reserved. 23
24 Industrial Network Security Trends Industrial vs. Enterprise Network Requirements Convergence Operation Technology(OT) with Information Technology (IT) 24
25 Industrial Network Security Collaboration of Partners Wireless, Security, Switching/Routing Leader in Industrial Network Infrastructure The Established #1 Industrial Ethernet Physical Layer Network Infrastructure Application Layer Reduce Risk Simplify Design Speed Deployment 25
26 The Purdue Model and Rockwell Automation Rockwell Automation and CISCO Systems have defined a manufacturing framework to created a foundation for network segmentation, management and policy enforcement maximising the seamless of the Industrial Cyber Security Technical Countermeasures and minimising the risks to be assumed by our customers: 26
27 Network Security Framework Industrial Demilitarized Zone Level 5 Level 4 , Intranet, etc. Enterprise Network Site Business Planning and Logistics Network Enterprise Security Zone Remote Gateway Services Application Mirror Patch Management Web Services Operations AV Server Application Server Firewall Firewall Web CIP Industrial DMZ Level 3 Level 2 Level 1 FactoryTalk Application Server FactoryTalk Client Batch Control FactoryTalk Directory Operator Interface Discrete Control Engineering Workstation FactoryTalk Client Drive Control Remote Access Server Engineering Workstation Continuous Process Control Site Operations and Control Area Supervisory Control Operator Interface Safety Control Basic Control Industrial Security Zone Cell/Area Zone Level 0 Sensors Drives Actuators Robots Process Logical Model Industrial Automation and Control System (IACS) Converged Multi-discipline Industrial Network No Direct Traffic Flow between Enterprise and Industrial Zone 27
28 Network Security Framework Industrial Demilitarized Zone (IDMZ) All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ Only path between zones No common protocols in each logical firewall No control traffic into the IDMZ, CIP stays home No primary services are permanently housed in the IDMZ IDMZ shall not permanently house data Application data mirror to move data into and out of the Industrial Zone Limit outbound connections from the IDMZ Be prepared to turn-off access via the firewall Disconnect Point Replicated Services Trusted? Untrusted? Enterprise Security Zone IDMZ No Direct Traffic Disconnect Point Industrial Security Zone Trusted 28
29 Scalable Network Security Framework One Size Does Not Fit All Enterprise-wide Network Enterprise-wide Network Enterprise-wide Network Enterprise-wide Network Plant-wide Network Switch with VLANs Plant-wide Network Plant-wide Network Plant-wide Network Figure 1 Not Recommended Figure 2 Recommended Depends. based on customer standards, security policies and procedures, risk tolerance, and alignment with IACS Security Standards Figure 3 Figure 4 Enterprise-wide Network Enterprise-wide Network Enterprise-wide Network Router (Zone Based FW) Firewall IDMZ Plant-wide Network Plant-wide Network Plant-wide Network Good Better Best Figure 5 Figure 6 Figure 7 29
30 Network Security Framework Converged Plant-wide Ethernet (CPwE) Reference Architectures Structured and Hardened IACS Network Infrastructure Industrial security policy Pervasive security, not a bolt-on component Security framework utilizing defense-indepth approach Industrial DMZ implementation Remote partner access policy, with robust & secure implementation Network Security Services Must Not Compromise Operations of the IACS Standard DMZ Design Best Practices Enterprise Zone Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management Remote Gateway Services Application Mirror AV Server AAA - Application Authentication Server, Active Directory (AD), AAA - Network Remote Access Server Level 3 Site Operations FactoryTalk Client Client Hardening Level 2 Area Supervisory Control Controller Hardening, Encrypted Communications VLANs, Segmenting Domains of Trust Unified Threat Management (UTM) Controller Hardening, Physical Security Catalyst 3750 StackWise Switch Stack Enterprise WAN 30 VLANs Controller Level 1 - Controller Cisco ASA 5500 Firewall (Active) Network Status and Monitoring Catalyst 6500/4500 Controller Controllers, I/O, Drives Firewall (Standby) I/O HMI Level 0 - Process Plant Firewall: Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Terminal Server proxy Drive Network Device Resiliency Network Infrastructure Access Control and Hardening Physical Port Security MCC Soft Starter
31 Secure Remote Access CPwE - Solution Remote Engineer or Partner Cisco VPN Client Internet Enterprise Zone Levels 4 and 5 Enterprise Zone Levels 4 and 5 Demilitarized Zone (DMZ) Demilitarized Zone (DMZ) Industrial Zone Site Operations and Control Level 3 Cell/Area Zones Levels 0 2
32 Secure Remote Access CPwE - Solution 1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall Remote Engineer or Partner Enterprise Data Center IPSEC VPN Cisco VPN Client Enterprise Edge Firewall Internet Enterprise Zone Levels 4 and 5 Enterprise WAN Enterprise Zone Levels 4 and 5 Demilitarized Zone (DMZ) Demilitarized Zone (DMZ) Industrial Zone Site Operations and Control Level 3 Cell/Area Zones Levels 0 2
33 Secure Remote Access CPwE - Solution 1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall 2. Portal on plant firewall enables access to industrial application data and files Intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host Patch Management Terminal Services Application Mirror AV Server Remote Engineer or Partner Enterprise Data Center Enterprise WAN SSL VPN Gbps Link Failover Detection IPSEC VPN Cisco VPN Client Enterprise Edge Firewall HTTPS Enterprise Connected Engineer Internet Enterprise Zone Levels 4 and 5 Enterprise Zone Levels 4 and 5 Demilitarized Zone (DMZ) Cisco ASA 5500 Firewall (Standby) Firewall (Active) Demilitarized Zone (DMZ) Industrial Zone Site Operations and Control Level 3 Cell/Area Zones Levels 0 2
34 Secure Remote Access CPwE - Solution 1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall 2. Portal on plant firewall enables access to industrial application data and files Intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host 3. Firewall proxies a client session to remote access server Patch Management Terminal Services Application Mirror AV Server Remote Engineer or Partner Enterprise WAN Cisco ASA 5500 Enterprise Data Center Gbps Link Failover Detection Firewall (Standby) SSL VPN IPSEC VPN Cisco VPN Client Enterprise Edge Firewall Firewall (Active) HTTPS Enterprise Connected Engineer Internet Enterprise Zone Levels 4 and 5 Enterprise Zone Levels 4 and 5 Demilitarized Zone (DMZ) Remote Desktop Protocol (RDP) Demilitarized Zone (DMZ) Catalyst 6500/4500 Remote Access Server Industrial Zone Site Operations and Control Level 3 Cell/Area Zones Levels 0 2
35 Secure Remote Access CPwE - Solution 1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall 2. Portal on plant firewall enables access to industrial application data and files Intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host 3. Firewall proxies a client session to remote access server 4. Access to applications on remote access server is restricted to specified plant floor resources through industrial application security Patch Management Terminal Services Application Mirror AV Server FactoryTalk Application Servers View Historian AssetCentre Transaction Manager FactoryTalk Services Platform Directory Security/Audit Data Servers Remote Engineer or Partner Enterprise WAN Cisco ASA 5500 Enterprise Data Center Gbps Link Failover Detection Firewall (Standby) SSL VPN Catalyst 6500/4500 IPSEC VPN Enterprise Edge Firewall Firewall (Active) Catalyst 3750 StackWise Switch Stack Cisco VPN Client HTTPS Enterprise Connected Engineer Internet Enterprise Zone Levels 4 and 5 Enterprise Zone Levels 4 and 5 Demilitarized Zone (DMZ) Remote Desktop Protocol (RDP) Demilitarized Zone (DMZ) Remote Access Server RSLogix 5000 FactoryTalk View Studio Industrial Zone Site Operations and Control Level 3 EtherNet/IP Cell/Area Zones Levels 0 2
36 Network Security Framework Stratix 5900 Unified Threat Management (UTM) Enterprise-wide Business Systems Levels 4 & 5 Data Center Enterprise Zone Level IDMZ Plant-wide Site-wide Operation Systems Level 3 - Site Operations Physical or Virtualized Servers Industrial Zone FactoryTalk Application Servers & Services Platform Network Services e.g. DNS, AD, DHCP, AAA Remote Access Server (RAS) Call Manager Storage Array Site-to-Site Connection Stratix ) Site-to-Site Connection Stratix ) Cell/Area Zone Firewall Stratix ) OEM Integration Levels 0-2 Cell/Area Zones UTM UTM UTM Remote Site #1 Local Cell/Area Zone #1 Local OEM Skid / Machine #1 36
37 Network Security Framework Physical Port Security Keyed solutions for copper and fiber Lock-in, Blockout products secure connections Data Access Port (keyed cable and jack) 37
38 IACS Security EtherNet/IP Industrial Automation & Control System Network Open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks Secured by configuration: Protect the network - Electronic Security Perimeter Defend the edge - Industrial DMZ (IDMZ) Defense-in-Depth Multiple layers of security 38
39 Network & Security Services: Life Cycle Approach to Services and Solutions ASSESS DESIGN IMPLEMENT VALIDATE MANAGE 39
40 IACS Security Design and Implementation Considerations Align with Industrial Automation and Control System Security Standards DHS External Report # INL/EXT , NIST , ISO/IEC (Formerly ISA- 99) Implement Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks Establish an open dialog between Industrial Automation and IT groups Establish an industrial security policy Establish an IDMZ between the Enterprise and Industrial Zones Work with trusted partners knowledgeable in automation & security "Good enough" security now, is better than "perfect" security...never. (Tom West, Data General) 40
41 Additional Material Industrial Security Resources Assessment Services Security Technology Security FAQ Security Services Leadership & Standards Security Resources Security Advisory Index MS Patch Qualification Reference Architectures Assessment Services 41
42 Additional Material Websites Reference Architectures Design Guides Converged Plant-wide Ethernet (CPwE) CPwE Resilient Ethernet Protocol (REP) Application Guides Fiber Optic Infrastructure Application Guide Wireless Design Considerations for Industrial Applications Whitepapers Top 10 Recommendations for Plant-wide EtherNet/IP Deployments Securing Manufacturing Computer and Controller Assets Production Software within Manufacturing Reference Architectures Achieving Secure Remote Access to plant-floor Applications and Data Design Considerations for Securing Industrial Automation and Control System Networks 42
43 Additional Material A new go-to resource for educational, technical and thought leadership information about industrial communications Standard Internet Protocol (IP) for Industrial Applications Coalition of like-minded companies 43
44 Thank you for participating! Please remember to tidy up your work area for the next session. We want your feedback! Please complete the session survey! Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. Rev 5058-CO900F 44
AUP28. Implementing Security In Integrated Architecture Practical security solutions for Industrial Control System (ICS)
AUP28 Implementing Security In Integrated Architecture Practical security solutions for Industrial Control System (ICS) Clive Barwise, Rockwell Automation European Product Manager Networks and Security
More informationNetwork Security Trends & Fundamentals of Securing EtherNet/IP Networks
Network Security Trends & Fundamentals of Securing EtherNet/IP Networks Presented by Rockwell Automation Industrial Network Security Trends Security Quips "Good enough" security now, is better than "perfect"
More informationSecure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation
Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation Rev 5058-CO900C Agenda Control System Network Security Defence in Depth Secure Remote Access Examples
More informationSecuring The Connected Enterprise
Securing The Connected Enterprise Pack Expo 2015 Las Vegas Chelsea An Business Development Lead, Network & Security PUBLIC Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 8 Connected Enterprise
More informationT46 - Integrated Architecture Tools for Securing Your Control System
T46 - Integrated Architecture Tools for Securing Your Control System PUBLIC PUBLIC - 5058-CO900G Copyright 2014 Rockwell Automation, Inc. All Rights Reserved. The Connected Enterprise PUBLIC Copyright
More informationThe Internet of Things (IoT) and Industrial Networks. Guy Denis gudenis@cisco.com Rockwell Automation Alliance Manager Europe 2015
The Internet of Things (IoT) and Industrial Networks Guy Denis gudenis@cisco.com Rockwell Automation Alliance Manager Europe 2015 Increasingly Everything will be interconnected 50 Billion Smart Objects
More informationIndustrial Security Solutions
Industrial Security Solutions Building More Secure Environments From Enterprise to End Devices You have assets to protect. Control systems, networks and software can all help defend against security threats
More informationScalable Secure Remote Access Solutions
Scalable Secure Remote Access Solutions Jason Dely, CISSP Principal Security Consultant jdely@ra.rockwell.com Scott Friberg Solutions Architect Cisco Systems, Inc. sfriberg@cisco.com Jeffrey A. Shearer,
More informationIndustrial Security in the Connected Enterprise
Industrial Security in the Connected Enterprise Presented by Rockwell Automation 2008 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. THE CONNECTED ENTERPRISE Optimized for Rapid
More informationREFERENCE ARCHITECTURES FOR MANUFACTURING
Synopsis Industry adoption of EtherNet/IP TM for control and information resulted in the wide deployment of standard Ethernet in manufacturing. This deployment acts as the technology enabler for the convergence
More informationProduction Software Within Manufacturing Reference Architectures
Production Software Within Manufacturing Reference Architectures Synopsis Industry adoption of EtherNet/IP for control and information has driven the wide deployment of standard Ethernet for manufacturing
More informationDesign Considerations for Securing Industrial Automation and Control System Networks
Design Considerations for Securing Industrial Automation and Control System Networks Synopsis Rockwell Automation and Cisco Four Key Initiatives: Common Technology View: A single system architecture, using
More informationSecuring the Connected Enterprise
Securing the Connected Enterprise ABID ALI, Network and Security Consultant. Why Infrastructure Matters Rapidly Growing Markets Global Network Infrastructure and Security Markets 13.7% CAGR over the next
More informationAUD20 - Industrial Network Security
AUD20 - Industrial Network Security Lesley Van Loo EMEA Senior Commercial engineer - Rockwell Automation Rev 5058-CO900B Copyright 2012 Rockwell Automation, Inc. All rights reserved. 2 Agenda Connected
More informationComputer System Security Updates
Why patch? If you have already deployed a network architecture, such as the one recommended by Rockwell Automation and Cisco in the Converged Plantwide Ethernet Design and Implementation Guide (http://www.ab.com/networks/architectures.html),
More informationAchieving Secure, Remote Access to Plant-Floor Applications and Data
Achieving Secure, Remote Access to Plant-Floor Applications and Data Abstract To increase the flexibility and efficiency of production operations, manufacturers are adopting open networking standards for
More informationSimplifying the Transition to Virtualization TS17
Simplifying the Transition to Virtualization TS17 Name Sandeep Redkar Title Manager Process Solutions Date 11 th February 2015 Agenda Overview & Drivers Virtualization for Production Rockwell Automation
More informationNetwork & Security Services (NSS) Because Infrastructure Matters
Network & Security Services (NSS) Because Infrastructure Matters Andrew Ballard Commercial Director Services & Support - EMEA Rev 5058-CO900E THE CONNECTED ENTERPRISE Headquarters Optimized for Rapid Value
More informationRecommended IP Telephony Architecture
Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings
More informationControlLogix and CompactLogix 5370 Segmentation Methods for Plant-wide/ Site-wide Networks with OEM Convergence-ready Solutions
Network Segmentation Methodology Application Guide ControlLogix and CompactLogix 5370 Segmentation Methods for Plant-wide/ Site-wide Networks with OEM Convergence-ready Solutions By Josh Matson and Gregory
More informationPR03. High Availability
PR03 High Availability Related Topics NI10 Ethernet/IP Best Practices NI15 Enterprise Data Collection Options NI16 Thin Client Overview Solution Area 4 (Process) Agenda Overview Controllers & I/O Software
More informationSecure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco
Secure Access into Industrial Automation and Systems Industry Best Practice and Trends Serhii Konovalov Venkat Pothamsetty Cisco Vendor offers a remote firmware update and PLC programming. Contractor asks
More informationScalable Secure Remote Access Solutions for OEMs
Scalable Secure Remote Access Solutions for OEMs Introduction Secure remote access to production assets, data, and applications, along with the latest collaboration tools, provides manufacturers with the
More informationSecuring Manufacturing Computing and Controller Assets
Securing Manufacturing Computing and Controller Assets Rockwell Automation and Cisco Four Key Initiatives: Common Technology View: A single system architecture, using open, industry standard networking
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationIACS Network Security and the Demilitarized Zone
CHAPTER 6 IACS Network Security and the Demilitarized Zone Overview This chapter focuses on network security for the IACS network protecting the systems, applications, infrastructure, and end-devices.
More informationChoosing the correct Time Synchronization Protocol and incorporating the 1756-TIME module into your Application
Choosing the correct Time Synchronization Protocol and incorporating the 1756-TIME module into your Application By: Josh Matson Various Time Synchronization Protocols From the earliest days of networked
More informationIndustrial Security for Process Automation
Industrial Security for Process Automation SPACe 2012 Siemens Process Automation Conference Why is Industrial Security so important? Industrial security is all about protecting automation systems and critical
More informationDr. György Kálmán gyorgy@mnemonic.no
COMMUNICATION AND SECURITY IN CURRENT INDUSTRIAL AUTOMATION Dr. György Kálmán gyorgy@mnemonic.no Agenda Connected systems historical overview Current trends, concepts, pre and post Stuxnet Risks and threats
More informationCyber Security. Smart Grid
Cyber Security for the Smart Grid Peter David Vickery Executive Vice President N-Dimension Solutions Inc. APPA National Conference June 21, 2010 Cyber Security Solutions For Cyber Security
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationDesigning a security policy to protect your automation solution
Designing a security policy to protect your automation solution September 2009 / White paper by Dan DesRuisseaux 1 Contents Executive Summary... p 3 Introduction... p 4 Security Guidelines... p 7 Conclusion...
More informationIntrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
More informationDecrease your HMI/SCADA risk
Decrease your HMI/SCADA risk Key steps to minimize unplanned downtime and protect your organization. Are you running your plant operations with serious risk? Most industrial applications lack recommended
More informationSecuring Manufacturing Control Networks. Alan J. Raveling, CISSP November 2 nd 5 th Pack Expo 2014
Securing Manufacturing Control Networks Alan J. Raveling, CISSP November 2 nd 5 th Pack Expo 2014 As Internet-enabled technologies such as cloud and mobility grow, the need to understand the potential
More informationManufacturing and the Internet of Everything
Manufacturing and the Internet of Everything Johan Arens, CISCO (joarens@cisco.com) Business relevance of the Internet of everything Manufacturing trends Business imperatives and outcomes A vision of the
More informationPhysical Infrastructure for a Resilient Converged Plantwide Ethernet Architecture
Physical Infrastructure for a Resilient Converged Plantwide Ethernet Architecture Industrial Ethernet networking is advancing technology applications throughout the plant. These applications are rapidly
More informationSecurity for. Industrial. Automation. Considering the PROFINET Security Guideline
Security for Industrial Considering the PROFINET Security Guideline Automation Industrial IT Security 2 Plant Security Physical Security Physical access to facilities and equipment Policies & Procedures
More informationGE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
More informationSecuring Process Control Systems
Securing Process Control Systems Bradford H. Hegrat, CISSP, CISM Sr. Principal Security Consultant Network & Security Services Rockwell Automation Process Solutions User Group (PSUG) November 14-15, 2011
More informationPlant-wide Network Infrastructure. Copyright 2012 Rockwell Automation, Inc. All rights reserved.
Plant-wide Network Infrastructure Agenda Additional On-site Information EtherNet/IP Considerations Logical Design Considerations Physical Layer Design Consideration Testing Considerations Plant-Floor and
More informationFirewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA
Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..
More informationCritical Security Controls
Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security
More informationSCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP
SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP Today s Topics SCADA Overview SCADA System vs. IT Systems Risk Factors Threats Potential Vulnerabilities Specific Considerations
More informationDas sollte jeder ITSpezialist über. Automations- und Produktionsnetzwerke wissen
Das sollte jeder ITSpezialist über Automations- und Produktionsnetzwerke wissen Frank Schirra, Rockwell Automation Solution Architect Edi Truttmann, Cisco Systems Network Solution Sales Specialist 2012
More informationSecure Networks for Process Control
Secure Networks for Process Control Leveraging a Simple Yet Effective Policy Framework to Secure the Modern Process Control Network An Enterasys Networks White Paper There is nothing more important than
More informationIP Telephony Management
IP Telephony Management How Cisco IT Manages Global IP Telephony A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge Design, implement, and maintain a highly available, reliable, and resilient
More informationSecure Access into Industrial Automation and Control Systems Best Practice and Trends
Secure Access into Industrial Automation and Systems Best Practice and Trends Serhii Konovalov Venkat Pothamsetty Cisco Collaborating to Advance System Security Vendor offers a remote firmware update and
More informationSeven Strategies to Defend ICSs
INTRODUCTION Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it s not a matter of if an intrusion will take
More informationOPC & Security Agenda
OPC & Security Agenda Cyber Security Today Cyber Security for SCADA/IS OPC Security Overview OPC Security Products Questions & Answers 1 Introduction CYBER SECURITY TODAY The Need for Reliable Information
More informationSecuring Virtual Applications and Servers
White Paper Securing Virtual Applications and Servers Overview Security concerns are the most often cited obstacle to application virtualization and adoption of cloud-computing models. Merely replicating
More informationUtility Modernization Cyber Security City of Glendale, California
Utility Modernization Cyber Security City of Glendale, California Cyber Security Achievements Cyber Security Achievements (cont) 1. Deploying IT Security Awareness training program Q4 2012 2. Purchased
More informationNetwork Security Guidelines. e-governance
Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type
More informationPlantPAx op weg naar Connected Enterprise.
AUP 46 PlantPAx op weg naar Connected Enterprise. Wim van der Heide Solution Architect Copyright 2015 Rockwell Automation, Inc. All rights reserved. 2 Agenda 1. Waarom zou u moeten migreren? 1. Connected
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationState of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005
State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology
More informationScalable, Secure Remote Monitoring Solutions Stay a step ahead by remotely monitoring your critical assets
Scalable, Secure Remote Monitoring Solutions Stay a step ahead by remotely monitoring your critical assets PUBLIC PUBLIC - 5058-CO900G Why Is This Important? What s Driving This Need? Customer Impact It
More informationDeploying Firewalls Throughout Your Organization
Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense
More informationHow NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements
How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards
More informationSymphony Plus Cyber security for the power and water industries
Symphony Plus Cyber security for the power and water industries Symphony Plus Cyber Security_3BUS095402_(Oct12)US Letter.indd 1 01/10/12 10:15 Symphony Plus Cyber security for the power and water industries
More informationBuilding Secure Networks for the Industrial World
Building Secure Networks for the Industrial World Anders Felling Vice President, International Sales Westermo Group Managing Director Westermo Data Communication AB 1 Westermo What do we do? Robust data
More informationHoneywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014
Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security
More informationDeltaV System Cyber-Security
January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...
More informationCloak and Secure Your Critical Infrastructure, ICS and SCADA Systems
Cloak and Secure Your Critical Infrastructure, ICS and SCADA Systems Building Security into Your Industrial Internet Phillip Allison Tempered Networks Discussion topics Threats to network security TCP/IP
More informationA host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
More informationIINS Implementing Cisco Network Security 3.0 (IINS)
IINS Implementing Cisco Network Security 3.0 (IINS) COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More informationSecurity Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net
Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those
More informationCisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
More informationNetwork Security. Intertech Associates, Inc.
Network Security Intertech Associates, Inc. Agenda IT Security - Past to Future Security Vulnerabilities Protecting the Enterprise What do we need in each site? Requirements for a Security Architecture
More informationLocking down a Hitachi ID Suite server
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
More informationImplementing Cisco IOS Network Security
Implementing Cisco IOS Network Security IINS v3.0; 5 Days, Instructor-led Course Description Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles
More informationCYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric
CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric Challenges What challenges are there for Cyber Security in Industrial
More informationChapter 9 Firewalls and Intrusion Prevention Systems
Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish
More informationSecurely Architecting the Internal Cloud. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.
Securely Architecting the Internal Cloud Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc. Securely Building the Internal Cloud Virtualization is the Key How Virtualization Affects
More informationICANWK406A Install, configure and test network security
ICANWK406A Install, configure and test network security Release: 1 ICANWK406A Install, configure and test network security Modification History Release Release 1 Comments This Unit first released with
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationNERC CIP Substation Cyber Security Update. John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com
NERC CIP Substation Cyber Security Update John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com It s February 19, 2009 132 project days left to compliance Do you know where (what)
More informationG/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy
For Public Use G/On Basic Best Practice Reference Guide Version 6 Make Connectivity Easy 2006 Giritech A/S. 1 G/On Basic Best Practices Reference Guide v.6 Table of Contents Scope...3 G/On Server Platform
More informationSonicWALL PCI 1.1 Implementation Guide
Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard
More informationCyber Security for NERC CIP Version 5 Compliance
GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...
More informationNetwork & Security Services Rockwell Automation s Specialist team of Network & Security Specialists
Network & Security Services Rockwell Automation s Specialist team of Network & Security Specialists Sonny Kailola Customer Support & Maintenance (CSM) Rev 5058-CO900D Copyright 2015 Rockwell Automation,
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationSecurity Testing in Critical Systems
Security Testing in Critical Systems An Ethical Hacker s View Peter Wood Chief Executive Officer First Base Technologies Who is Peter Wood? Worked in computers & electronics since 1969 Founded First Base
More informationVerve Security Center
Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution
More informationARCHITECT S GUIDE: Comply to Connect Using TNC Technology
ARCHITECT S GUIDE: Comply to Connect Using TNC Technology August 2012 Trusted Computing Group 3855 SW 153rd Drive Beaverton, OR 97006 Tel (503) 619-0562 Fax (503) 644-6708 admin@trustedcomputinggroup.org
More informationNetwork Security. Mike Trice, Network Engineer mtrice@asc.edu. Richard Trice, Systems Specialist rtrice@asc.edu. Alabama Supercomputer Authority
Network Security Mike Trice, Network Engineer mtrice@asc.edu Richard Trice, Systems Specialist rtrice@asc.edu Alabama Supercomputer Authority What is Network Security Network security consists of the provisions
More informationHow To Create An Intelligent Infrastructure Solution
SYSTIMAX Solutions Intelligent Infrastructure & Security Using an Internet Protocol Architecture for Security Applications White Paper July 2009 www.commscope.com Contents I. Intelligent Building Infrastructure
More informationL03 - Design, Implement, and Manage FactoryTalk Security
L03 - Design, Implement, and Manage FactoryTalk Security PUBLIC PUBLIC - 5058-CO900G Background: What is FactoryTalk Security? Use FactoryTalk Security to Manage the insider threat by authenticating the
More informationMicrosoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc.
Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc. Foundstone Labs October, 2003 Table of Contents Table of Contents...2 Introduction...3 Scope and Approach...3
More informationComputer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1
Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton
More informationJohn M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com
NERC CIP Substation Cyber Security Update John M Shaw Presentation to UTC Region 7 February 19, 2009 jshaw@garrettcom.com It s February 19, 2009 132 project days left to compliance Do you know where (what)
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations
More informationStratix Switches Within Integrated Architecture. Dave VanGompel, Principal Application Engineer
Written By: Mark Devonshire, Product Manager Dave VanGompel, Principal Application Engineer Synopsis Industry adoption of EtherNet/IP for control and information has driven the wide deployment of standard
More informationChapter 1 The Principles of Auditing 1
Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationIndustrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1
Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3
More informationWired Network Security: Hospital Best Practices. Jody Barnes. East Carolina University
Wired Network Security 1 Running Head: Wired Network Security: Hospital Best Practices Wired Network Security: Hospital Best Practices Jody Barnes East Carolina University Wired Network Security 2 Abstract
More informationHow To Secure Your System From Cyber Attacks
TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital
More informationENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0
ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS Version 2.0 July 20, 2012 Table of Contents 1 Foreword... 1 2 Introduction... 1 2.1 Classification... 1 3 Scope... 1
More information