Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

Transcription

1 Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation Rev 5058-CO900C

2 Agenda Control System Network Security Defence in Depth Secure Remote Access Examples Reference Material

3 Industrial Network Security Trends Network Convergence Enterprise (IT) Network Requirements Internet Protocols Wide Area Network (WAN) High availability redundant star topologies Determinism, latency, jitter, etc. Voice, video, data applications IP Addressing - dynamic Security - pervasive So, what are the similarities and differences? Industrial Network Requirements Industrial and internet protocols Local Area Network (LAN) - packets are small: bytes, but communicated very frequently (every 0.5 to 10s of ms) Resiliency ring topologies are prominent, redundant star topologies are emerging Latency, jitter, etc. Information, control, safety, time synchronization and motion IP Addressing static Security emerging: Open by Default, must be Closed by Configuration

4 Access for Trusted Partners Secure Remote Access Requirements Availability of global equipment, machines and services Requires scalable services for ma users Machine Builders, System Integrators, vendors, contractors Reduces OEM cost pressures On-site commissioning reduction in resources and duration Warranty support; dispatching of resources Optimization services; partnership vs. supplier IT-ready solutions Elimination of security back doors Holistic industrial network infrastructure security solutions Machine Builder Trusted Partners System Integrator Industrial Plantwide Systems

5 Agenda Control System Network Security Defence in Depth Secure Remote Access Examples Reference Material

6 Defense-in-Depth Security Policies and Procedures Securing industrial assets requires: A comprehensive network security model Multi-layer security approach Defense-in-Depth Procedural, physical and electronic measures Alignment with applicable industry standards Risk assessment: Current risk analysis Determination of acceptable risk Deployment of risk mitigation techniques Developed against a defined set of security policies Policy - plan of action with procedures to protect company assets Security policies are unique from company to company, although there are some common attributes and methodology to developing Industrial security policy, unique from and in addition to enterprise security policy Identify Domains of Trust and appropriately apply security to maintain policy

7 Defense-in-Depth Multiple Layers to Protect the network and Defend the edge Physical Security limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room escort and track visitors Network Security infrastructure framework e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers Computer Hardening patch management, antivirus software as well as removal of unused applications, protocols, and services Application Security authentication, authorization, and audit software Device Hardening change management and restrictive access Physical Network Computer Application Device Defense in Depth

8 Defense-in-Depth Physical Security - Examples Physical Network Computer Application Device Defense in Depth

9 Defense-in-Depth Network - Demilitarized Zone (DMZ) All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ Application Data Mirror No primary services are permanently housed in the DMZ Disconnect Point Enterprise Security Zone DMZ shall not permanently house data No control traffic into the DMZ - Automation and Control Data stays home Be prepared to turn-off access via the firewall Replicated Services Disconnect Point Industrial Security Zone DMZ No Direct Traffic

10 Defense-in-Depth Network Firewalls - Unified Threat Management (UTM) Firewall with Application Layer Security IPS and Anti-X Defenses Access Control and Authentication SSL and IPSec Connectivity Multi-layer packet and traffic analysis Advanced application and protocol inspection services Network application controls Real-time protection from application and OS level attacks Network-based worm and virus mitigation Spyware, adware, malware detection and control On-box event correlation and proactive response Flexible user and network based access control services Stateful packet inspection Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID Threat protected SSL and IPSec VPN services Zero-touch, automatically updateable IPSec remote access Flexible clientless and full tunneling client SSL VPN services QoS/routing-enabled site-to-site VPN Intelligent Networking Services Low latency Diverse topologies Multicast support Services virtualization Network segmentation & partitioning Routing, resiliency, load-balancing Modern Firewalls provide a range of security services

11 Agenda Control System Network Security Defence in Depth Secure Remote Access Examples Reference Material

12 Remote Access Example Offsite connection for SI/OEM Required to view a machine s PLC processor from a hotel room to help troubleshoot the system Upload alarm datalog from site OEM, SI, Engineer Factory Processing Filling Material Handling

13 Remote Access Example Secure connection from within organisation View manufacturing data from Web Reporting Software for decision makers who are located in the enterprise (office) zone Data Center Web Reporting Server Processing Filling Material Handling

14 Scalable Secure Remote Access Considerations Direct vs. Indirect Access Direct Access Remote Site Industrial Plantwide Systems Design Considerations how will these be enforced? Network and application authentication and authorization Change management, version control, regulatory compliance, and software license management Remote client health management Alignment with established IACS security standards 14

15 Direct Connection Examples eg. 3G/HSDPA Modems A potential benefit of 3G/HSDPA gateways for remote access is that they could avoid IT concerns with connecting automation equipment to company LAN and configuring a VPN to allow the remote OEM technician access to the IACS. 3G/HSDPA gateways aren t an end in themselves, still requires a defense-indepth security approach.? Network and application authentication/authorization? Change management, version control, regulatory compliance, and software license management? Remote client health management? Alignment with established IACS security standards

16 Scalable Secure Remote Access Considerations Direct vs. Indirect Access Indirect Access Remote Site Remote Access Server (RAS) Industrial Plantwide Systems Design Considerations Greater network and application authentication and authorization Simplified asset management change management, version control, regulatory compliance, and software license management Simplified remote client health management Greater alignment with established IACS standards 16

17 Reference Architecture Cisco / Rockwell Validated Design

18 Reference Architecture High Level Architecture Review Remote access involves cooperation between: Enterprise Zone Information Technologies (IT) and infrastructure of the facility Automation Demilitarized Zone (Automation DMZ) To design it requires knowledge of data that must move from the plant to enterprise systems Manufacturing Zone Cell and Area devices Industrial Protocols

19 Remote Desktop Technologies Options Recommended in Reference Architecture Allows user to remotely view and control another computer. The user will see the remote computer s screen while sending keystrokes and mouse movements to the remote computer. Two options of Remote Desktop Technologies being discussed today Option 1 Host a Remote Desktop Session from the Cisco Firewall Option 2 Host a Remote Desktop Session from a Microsoft Windows Server 2008 R2 Computer Option 1 Remote Desktop Client Remote Desktop Client Option 2 Firewall: Secure RDP Session Host MS 2008 R2 Secure RDP Session Host Remote Desktop Remote Desktop

20 Remote Desktop Protocol Via Cisco ASA 5500 Firewall Remote Desktop Gateway functionality hosted from the Cisco ASA Firewall Same user experience as Microsoft Remote Desktop Gateway Configure Firewall to host the RDP session

21 Remote Desktop Protocol Via Cisco ASA 5500 Firewall 21

22 Remote Desktop Protocol Via Cisco ASA 5500 Firewall

23 Remote Desktop Gateway via Windows Server Solution Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway is a role service in the Remote Desktop Services server role included with Windows Server 2008 R2. Enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users and internal network resources

24 HTTPS Remote Access via Remote Desktop Gateway

25 Secure Remote Access Converged Ethernet (CPwE) RD Gateway Secure remote access for employees and trusted partners Meeting the security requirements of IT Common IT Infrastructure Following established Industrial Control System security standards Defense-in-depth DMZ Enables remote asset management: monitoring, configuration and audit Helps simplify change management, version control, regulatory compliance and software license management Helps simplify remote client health management One size does not fit all need a scalable secure solutions Remote Desktop Protocol (RDP) over RCP/HTTPS Patch Management Application Mirror AV Server Remote Gateway Services FactoryTalk Application Servers View Historian AssetCentre Transaction Manager FactoryTalk Services Platform Directory Security/Audit Data Servers Remote Engineer or Partner Enterprise Data Center Enterprise WAN Gbps Link Failover Detection Firewall (Active) SSL VPN Catalyst 6500/4500 IPSEC VPN Generic VPN Client Enterprise Edge Firewall Catalyst 3750 StackWise Switch Stack Firewall (Standby) Enterprise Connected Engineer Internet Enterprise Zone Levels 4 and 5 Enterprise Zone Levels 4 and 5 Demilitarized Zone (DMZ) Remote Desktop Protocol (RDP) Demilitarized Zone (DMZ) Remote Access Server Remote Desktop Services RSLogix 5000 FactoryTalk View Studio Industrial Zone Site Operations and Control Level 3 EtherNet/IP Cell/Area Zones Levels

26 Agenda Control System Network Security Defence in Depth Secure Remote Access Examples Reference Material

27 Web Resources - Security

28 Reference Architecture Rockwell and CISCO Alliance

29 Remote Access for End Users Whitepaper: enet-wp009

30 Remote Access for OEMs Whitepaper: enet-wp025

31 Summary Security and Remote Access Use industry best practice published guidelines for secure remote access solution Remote connection into the Plant indirect access Additional Information: Reference Architecture Education Series Webcast Whitepapers Common IT network infrastructure Follow emerging Industrial Automation and Control System security standards Implement Defense-in-Depth approach: no single product, methodology, nor technology fully secures industrial networks Establish an open dialog between Industrial and IT groups Establish a Industrial security policy, unique from enterprise security policy Establish a DMZ between the Enterprise and Industrial Zones