AUP28 - Implementing Security and IP Protection Features in the Integrated Architecture
Mads Laier, DK Commercial Engineer, Logix & Networks
Rev 5058-CO900E

Agenda
- Why IACS Security Now!
- Defense in Depth
- Key Takeaways
- Design Considerations
- Additional Information
The threat is real!
Industrial Market Drivers
- Improve Asset Utilization: maximize return on your automation investment
- Drive Speed & Innovation: speed time to market; manage brand equity; innovation; reduce energy usage; contextualize data into information
- Manage Risk: implement systems and procedures to address market dynamics and regulatory requirements

Cyber Security in the News?
First there was Stuxnet.

Cyber Security in the News
In 2015 the game changed. Cyber security issues caused the CEO of a large US company to resign. This highlighted that manufacturing is the new back door.
Hackers have found Remote Access is an easy way to get into the Industrial network

New Havex malware variants target industrial control system and SCADA users

During the spring, attackers began distributing new versions of a remote access Trojan (RAT) program called Havex by hacking into the websites of industrial control system (ICS) manufacturers and poisoning their legitimate software downloads. F-Secure did not name the affected vendors, but said that two of them develop ICS remote management software and the third supplies high-precision industrial cameras and related software. According to the security firm, the vendors are based in Germany, Switzerland and Belgium.

The attackers modified the legitimate software installers to drop and execute an additional file on computers. The file is called mbcheck.dll and is actually the Havex malware. That conclusion is also supported by the existence of a new malicious Havex component whose purpose is to scan local area networks for ICS devices and SCADA systems that respond to OPC (Open Platform Communications) requests. The Havex component leverages the OPC standard to gather information about industrial control devices and then sends that information back to its command-and-control (C&C) server for the attackers to analyze, the F-Secure researchers said. It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.

Following the discovery of the Stuxnet industrial sabotage malware in 2010, which is believed to have destroyed up to 1,000 uranium enrichment centrifuges in Iran, security researchers sounded the alarm about the insecurity of industrial control systems and the ease with which they can be targeted by attackers. Despite those concerns, widespread malware attacks against SCADA systems never became a reality, making the new Havex campaigns a rare occurrence, but possibly an indication of things to come.

Hackers damage Steel Plant
Hackers infiltrated a German steel mill and made it impossible to safely shut down a furnace, according to a German security report quietly published before the new year. The breach, which caused massive damage, marks just the second time a digital attack caused physical damage, highlighting growing fears that cyberwarfare will soon impact more than computers and networks.

It is becoming the LAW
Many countries are enacting laws to protect their Critical Infrastructure.
Industrial Network Security Trends - Established Industrial Security Standards
- International Society of Automation: ISO/IEC-62443 (Formerly ISA-99), Industrial Automation and Control Systems (IACS) Security. Defense-in-Depth, IDMZ Deployment
- National Institute of Standards and Technology: NIST 800-82, Industrial Control System (ICS) Security. Defense-in-Depth, IDMZ Deployment
- Department of Homeland Security / Idaho National Lab: DHS INL/EXT-06-11478, Control Systems Cyber Security: Defense-in-Depth Strategies. Defense-in-Depth, IDMZ Deployment
A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.

Agenda
- Why IACS Security Now!
- Defense in Depth
- Key Takeaways
- Design Considerations
- Additional Information

What Risk?

From Who? Security Threat Actors
- Human: Malicious, Ignorant
- System: Misconfiguration, Lack of Privilege Control
Rockwell Automation Focus on Industrial Cyber Security
- Reduce risks to safe and reliable operation: control system architecture with layered security to help maintain operational integrity under threat
- Protect assets & information: product and system features to help control access, tamper-proof and limit information exposure
- Government and Standards Alignment: responsible disclosure with control system solutions that follow global standards and help fulfill independent & regulatory security requirements

Defense-in-Depth
No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications. Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats. This approach utilizes multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats.

Recommendations for Defending ICS
- Separate control network from enterprise network
- Harden connection to enterprise network
- Protect all points of entry with strong authentication
- Make reconnaissance difficult from outside
- Harden interior of control network
- Make reconnaissance difficult from inside
- Avoid single points of vulnerability
- Frustrate opportunities to expand a compromise
- Harden field sites and partner connections
- Mutual distrust
- Monitor both perimeter and inside events
- Periodically scan for changes in security posture
Two Critical Elements to Industrial Cyber Security
A balanced Security Program must address both Technical and Non-Technical Risks and Controls. Technical controls (firewalls, layer-3 ACLs, etc.) provide restrictive measures for non-technical controls (rules for environments, i.e. policy, procedure, etc.).

Defense-in-Depth - Industrial Security Policies Drive Technical Controls
- Physical: limit physical access to authorized personnel (Cells/Areas, control panels, devices, cabling, and control room)
- Network: security framework, e.g. firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS)
- Computer Hardening: patch management, Anti-X software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports
- Application: authentication, authorization, and accounting (AAA) software
- Device Hardening: change management, communication encryption, and restrictive access

Defense-in-Depth - Application Security Examples
- FactoryTalk Security: centralized authentication & access control; verifies user identity before granting system access; grants or denies requests to perform actions
- FactoryTalk AssetCentre: centralized storage of audit records; limits access to product and system data; offers back-up and archive of application files
- Studio 5000 Programming Software: control access to routines and AOIs with source protection; control access to tags with Data Access Control; detect unauthorized modification with Change Detection
Defense in Depth - Controller Hardening, Physical Procedure
Physical procedure: restrict Industrial Automation and Control System (IACS) access to authorized personnel only
- Control panels, devices, cabling, and control room
- Locks, gates, key cards
- Video surveillance
- Other authentication devices (biometric, keypad, etc.)
- Switch the Logix Controller key to RUN

Defense in Depth - Controller Hardening, Electronic Design
- Protect the Source
- Embedded Change Log
- FactoryTalk Security
- Data Access Control
- Trusted Slot with Embedded VPN Module

Defense-in-Depth - Computer Hardening Examples
- Security Patch Management: establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches
  - Keep computers up-to-date on service packs and hot fixes
  - Disable automatic updates
  - Check software vendor website
  - Test patches before implementing
  - Schedule patching during downtime
- Deploy and maintain Anti-X (antivirus, antispyware, etc.) and malware detection software
  - Disable automatic updates and automatic scanning
  - Test definition updates before implementing
  - Schedule manually initiated scanning during downtime
- Uninstall unused Windows components, protocols and services
- Protect unused or infrequently used USB, parallel or serial interfaces
Industrial Network Security - Industrial vs. Enterprise Network Requirements
Similarities and differences?

| Requirement         | Industrial                                                                                                | Enterprise                   |
| Switches            | Managed and Unmanaged; Layer 2 is predominant                                                            | Managed; Layer 2 and Layer 3 |
| Traffic types       | Information, control, safety, motion, time synchronization, energy management                             | Voice, Video, Data           |
| Performance         | Low Latency, Low Jitter                                                                                   | Low Latency, Low Jitter      |
| Data Prioritization | QoS Layer 2 & 3                                                                                           | QoS Layer 3                  |
| IP Addressing       | Static                                                                                                    | Dynamic                      |
| Security            | Industrial security policies are inconsistently deployed; open by default, must close by configuration and architecture | Pervasive; strong policies   |

Industrial Network Security Trends - Industrial vs. Enterprise Network Requirements
Convergence of Operational Technology (OT) with Information Technology (IT)

Industrial Network Security - Collaboration of Partners
Wireless, Security, Switching/Routing: leader in Industrial Network Infrastructure. The established #1 Industrial Ethernet.
Physical Layer, Network Infrastructure, Application Layer: Reduce Risk, Simplify Design, Speed Deployment

The Purdue Model and Rockwell Automation
Rockwell Automation and Cisco Systems have defined a manufacturing framework to create a foundation for network segmentation, management and policy enforcement, maximising the seamlessness of the Industrial Cyber Security technical countermeasures and minimising the risks to be assumed by our customers:
Network Security Framework - Industrial Demilitarized Zone
Logical model of the Industrial Automation and Control System (IACS) on a converged multi-discipline industrial network. No direct traffic flow between Enterprise and Industrial Zone.
- Enterprise Security Zone
  - Level 5: Enterprise Network (E-Mail, Intranet, etc.)
  - Level 4: Site Business Planning and Logistics Network
- Industrial DMZ (between two firewalls; Web, E-Mail and CIP traffic terminate here): Remote Gateway Services, Application Mirror, Patch Management, Web Services Operations, AV Server, Application Server
- Industrial Security Zone
  - Level 3: Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server
  - Cell/Area Zone
    - Level 2: Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
    - Level 1: Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
    - Level 0: Process: Sensors, Drives, Actuators, Robots

Network Security Framework - Industrial Demilitarized Zone (IDMZ)
- All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
- Only path between zones
- No common protocols in each logical firewall
- No control traffic into the IDMZ, CIP stays home
- No primary services are permanently housed in the IDMZ
- IDMZ shall not permanently house data
- Application data mirror to move data into and out of the Industrial Zone
- Limit outbound connections from the IDMZ
- Be prepared to turn off access via the firewall (disconnect point)
Enterprise Security Zone (trusted? untrusted?) - IDMZ with replicated services and a disconnect point, no direct traffic - Industrial Security Zone (trusted)
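As an added example that is not part of the presentation, the Python script below checks a batch of observed flows against the IDMZ principles above and the Purdue-level zones of the earlier slides (and the "separate control network" and "monitor both perimeter and inside events" recommendations): direct Enterprise-to-Industrial traffic, CIP entering the IDMZ, unlisted outbound connections from the IDMZ, and the same protocol passing both logical firewalls. The zone address ranges, the outbound allow-list and the flow records are constructed for illustration; the EtherNet/IP ports (TCP 44818, UDP 2222) are the protocol's standard ports.

```python
"""Check observed flows against the IDMZ design principles (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone plan following the Purdue levels of the slides.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),    # Levels 4-5
    "idmz":       ip_network("10.20.0.0/24"),    # Level 3.5
    "industrial": ip_network("192.168.0.0/16"),  # Levels 0-3
}
# EtherNet/IP (CIP) transports: explicit messaging (TCP) and implicit I/O (UDP).
CIP_PORTS = {("tcp", 44818), ("udp", 2222)}
# Constructed allow-list of connections the IDMZ itself may open (zone, proto, port),
# e.g. the application mirror replicating to a site database and RDP to the RAS.
IDMZ_OUTBOUND_ALLOW = {("industrial", "tcp", 1433), ("industrial", "tcp", 3389), ("enterprise", "tcp", 443)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its security zone; anything else is 'unknown'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def check_flows(flows):
    """Return (principle, detail) findings; an empty list means the flows comply."""
    findings = []
    north, south = set(), set()  # (proto, port) seen on each logical firewall
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        key = (f.proto, f.dport)
        if {sz, dz} == {"enterprise", "industrial"}:
            findings.append(("direct traffic between Enterprise and Industrial", f))
        if dz == "idmz" and key in CIP_PORTS:
            findings.append(("control traffic (CIP) entering the IDMZ", f))
        if sz == "idmz" and dz != "idmz" and (dz,) + key not in IDMZ_OUTBOUND_ALLOW:
            findings.append(("unlisted outbound connection from the IDMZ", f))
        if sz == "enterprise" and dz == "idmz":
            north.add(key)
        if sz == "idmz" and dz == "industrial":
            south.add(key)
    # The same protocol on both firewalls means there is no protocol break in the IDMZ.
    for key in sorted(north & south):
        findings.append(("same protocol passes both IDMZ firewalls", key))
    return findings


SAMPLE_FLOWS = [  # constructed flow records: (source, destination, proto, dport)
    Flow("10.10.5.7", "10.20.0.10", "tcp", 443),       # portal login: fine
    Flow("10.20.0.10", "192.168.1.20", "tcp", 1433),   # mirror to site DB: allowed
    Flow("10.10.5.7", "192.168.1.20", "tcp", 44818),   # direct to a controller
    Flow("192.168.1.30", "10.20.0.10", "tcp", 44818),  # CIP into the IDMZ
    Flow("10.20.0.10", "8.8.8.8", "udp", 53),          # IDMZ talking to the Internet
    Flow("10.10.5.7", "10.20.0.11", "tcp", 3389),      # RDP straight into the IDMZ
    Flow("10.20.0.11", "192.168.1.40", "tcp", 3389),   # and RDP onward: no break
]
```

Running `check_flows(SAMPLE_FLOWS)` yields one finding for each of the four principles; the first two sample flows alone produce none.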
Scalable Network Security Framework - One Size Does Not Fit All
Seven figures show ways of connecting the Enterprise-wide Network to the Plant-wide Network:
- Figure 1: Not Recommended
- Figures 2 to 4 (Figure 2 uses a switch with VLANs): Recommended / Depends, based on customer standards, security policies and procedures, risk tolerance, and alignment with IACS Security Standards
- Figure 5: Router (Zone Based FW) - Good
- Figure 6: Firewall - Better
- Figure 7: IDMZ - Best

Network Security Framework - Converged Plant-wide Ethernet (CPwE) Reference Architectures
Structured and Hardened IACS Network Infrastructure
- Industrial security policy
- Pervasive security, not a bolt-on component
- Security framework utilizing defense-in-depth approach
- Industrial DMZ implementation
- Remote partner access policy, with robust & secure implementation
- Network Security Services Must Not Compromise Operations of the IACS
- Standard DMZ Design Best Practices
Reference architecture diagram:
- Enterprise Zone, Levels 4-5, Enterprise WAN
- Industrial Demilitarized Zone (IDMZ): physical or virtualized servers (Patch Management, Remote Gateway Services, Application Mirror, AV Server, AAA - Application Authentication Server, Active Directory (AD), AAA - Network, Remote Access Server); Cisco ASA 5500 Firewall (Active) and Firewall (Standby); Catalyst 6500/4500. Plant Firewall: inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and terminal server proxy
- Level 3 - Site Operations: FactoryTalk Client, client hardening, network status and monitoring
- Level 2 - Area Supervisory Control: controller hardening, encrypted communications, VLANs segmenting domains of trust, Unified Threat Management (UTM), Catalyst 3750 StackWise Switch Stack, VLANs
- Level 1 - Controller: controllers, I/O, drives; controller hardening, physical security
- Level 0 - Process: HMI, drive, MCC, soft starter
- Throughout: network device resiliency, network infrastructure access control and hardening, physical port security
Secure Remote Access - CPwE Solution
1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall
2. Portal on plant firewall enables access to industrial application data and files; intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host
3. Firewall proxies a client session to remote access server
4. Access to applications on remote access server is restricted to specified plant floor resources through industrial application security
Solution diagram: the Remote Engineer or Partner with Cisco VPN Client connects over the Internet by IPSEC VPN through the Enterprise Edge Firewall into the Enterprise Zone (Levels 4 and 5; Enterprise Data Center, Enterprise WAN); an Enterprise Connected Engineer connects by HTTPS / SSL VPN. The Demilitarized Zone (DMZ) holds the Cisco ASA 5500 Firewall (Active) and Firewall (Standby) with Gbps link and failover detection, plus Patch Management, Terminal Services, Application Mirror and AV Server. The Industrial Zone, Site Operations and Control (Level 3), holds the Remote Access Server (reached by Remote Desktop Protocol (RDP); running RSLogix 5000 and FactoryTalk View Studio), Catalyst 6500/4500 and Catalyst 3750 StackWise Switch Stack, FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager) and the FactoryTalk Services Platform (Directory, Security/Audit, Data Servers), connected by EtherNet/IP to the Cell/Area Zones (Levels 0-2).
Network Security Framework - Stratix 5900 Unified Threat Management (UTM)
- Enterprise Zone, Levels 4 & 5: enterprise-wide business systems, Data Center
- Level 3.5 - IDMZ
- Industrial Zone, Level 3 - Site Operations: plant-wide / site-wide operation systems on physical or virtualized servers (FactoryTalk Application Servers & Services Platform; network services e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; Storage Array)
- Levels 0-2 - Cell/Area Zones
Stratix 5900 UTM use cases:
1. Site-to-Site Connection (Remote Site #1)
2. Cell/Area Zone Firewall (Local Cell/Area Zone #1)
3. OEM Integration (Local OEM Skid / Machine #1)

Network Security Framework - Physical Port Security
- Keyed solutions for copper and fiber
- Lock-in, block-out products secure connections
- Data Access Port (keyed cable and jack)

IACS Security - EtherNet/IP Industrial Automation & Control System Network
Open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks. Secured by configuration:
- Protect the network - Electronic Security Perimeter
- Defend the edge - Industrial DMZ (IDMZ)
- Defense-in-Depth - multiple layers of security

Network & Security Services: Life Cycle Approach to Services and Solutions
ASSESS - DESIGN - IMPLEMENT - VALIDATE - MANAGE

IACS Security Design and Implementation Considerations
- Align with Industrial Automation and Control System Security Standards: DHS External Report # INL/EXT-06-11478, NIST 800-82, ISO/IEC-62443 (Formerly ISA-99)
- Implement Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks
- Establish an open dialog between Industrial Automation and IT groups
- Establish an industrial security policy
- Establish an IDMZ between the Enterprise and Industrial Zones
- Work with trusted partners knowledgeable in automation & security
"Good enough" security now is better than "perfect" security... never. (Tom West, Data General)
Additional Material - Industrial Security Resources
http://rockwellautomation.com/security
- Assessment Services
- Security Technology
- Security FAQ
- Security Services
- Leadership & Standards
- Security Resources
- Security Advisory Index
- MS Patch Qualification
- Reference Architectures
Contact: secure@ra.rockwell.com

Additional Material - Websites
Reference Architectures
- Design Guides: Converged Plant-wide Ethernet (CPwE); CPwE Resilient Ethernet Protocol (REP)
- Application Guides: Fiber Optic Infrastructure Application Guide; Wireless Design Considerations for Industrial Applications
- Whitepapers: Top 10 Recommendations for Plant-wide EtherNet/IP Deployments; Securing Manufacturing Computer and Controller Assets; Production Software within Manufacturing Reference Architectures; Achieving Secure Remote Access to plant-floor Applications and Data; Design Considerations for Securing Industrial Automation and Control System Networks

Additional Material
A new go-to resource for educational, technical and thought leadership information about industrial communications: Standard Internet Protocol (IP) for Industrial Applications, a coalition of like-minded companies. www.industrial-ip.org

Thank you for participating!
Please remember to tidy up your work area for the next session. We want your feedback! Please complete the session survey!
Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. www.rockwellautomation.com