Securing the Connected Enterprise ABID ALI, Network and Security Consultant.
Why Infrastructure Matters: Rapidly Growing Markets
- Global Network Infrastructure and Security Markets: 13.7% CAGR over the next five years; 2012: $1.7B market for Industrial Security
- NIST 800 cyber security framework
- Internet of Things: over $3T in Manufacturing; 12.1% CAGR over the next five years; 2012: $8.3B market ($900M industrial switches)
- Shift to Ethernet, Virtualization and COTS
- Disruptive technologies not included
Basic Network Parameters
Basic business requirements:
- Confidentiality
- Integrity
- Availability
Secure usability and manageability requirements:
- Low end-user or end-device impact and high end-user transparency
- Manageability
- Low performance impact
- Authentication, authorization, and auditing
- Support for integration with enterprise applications and remote users
Assets to Protect
- Endpoints
- Infrastructure: network infrastructure, systems infrastructure
- Applications
- Data at rest and in motion
Threats
- Malicious code (malware)
- Distributed denial-of-service (DDoS) attack
- Eavesdropping attacks
- Collateral damage
- Unauthorized access attacks
- Unauthorized use of assets, resources, or information
- Reconnaissance attacks
Security Approach
- Assess the network
- Security policy
- Security enforcement techniques
- Identification
- Mitigation
- Documentation
Assess the Network
- Network devices and topology: switches, routers, firewalls
- End-points: servers, PCs, HMIs, programmable controllers
- Protocols: CIP, PROFINET, SCADA, Modbus, PTP, HTTPS, SSH, SNMP
- Applications: Studio 5000, TIA Portal, FactoryTalk
- Organization structure: Information Technology and Operations Technology departments; administrators and users; remote support
Security Policy
Organizations should have a security policy. The security policy enables an organization to follow a consistent program for maintaining an acceptable level of security. It defines and constrains behaviors by both personnel and components within the system, and it identifies how vulnerabilities are mitigated. The security policy components are:
- Network device hardening
- End-device hardening
- Protecting the interior
- Remote access policy
- Security management, analysis, and response system
Network Device Threats
Remote access threats:
- Unauthorized remote access
Local access and physical threats:
- Damage to equipment
- Password recovery
- Device theft
- Malicious end-point inserted into the network
Network Device Security Components
- Access control lists (ACLs) to control remote access to a switch
- Switch-based authentication to manage network security
- VLANs for Layer 2 segmentation in the network
- Secure management and monitoring: Secure Shell (SSH) and HTTPS switch access; SNMPv3, which adds authentication and encryption to the protocol used to manage and monitor the network infrastructure
- Port-based security to prevent access from unauthorized devices, including: a limited number of allowed MAC addresses on a physical port; a limited MAC address range on a switch port; MAC address notification
- Control-plane policing for switches and routers
Software Updates
Network devices:
- The Cisco Product Security Incident Response Team (PSIRT) addresses security issues in Cisco products: http://www.cisco.com/go/psirt
- The Cisco PSIRT publishes Cisco Security Advisories, Cisco Security Responses, Cisco Security Notices, and the Cisco Notification Service
- Upgrade Cisco IOS to fix security issues
- Caution: a Cisco IOS upgrade requires downtime. Schedule a maintenance window to perform upgrades.
HMI, servers, and computers OS:
- Patch the OS to fix security issues
- Disable automatic updates, so that an untested patch cannot reboot or break a production machine
- Test patches before implementing them
Device-Based Authentication
Password protection:
- Enable secret password
- Line password
AAA:
- Authentication
- Authorization
- Accounting
Username and password:
- Local database
- Remote database
Access paths these controls protect: console; Telnet, SSH, HTTP and HTTPS over Ethernet
Switch-Based Authentication (Cont.)
Configuring the Enable Secret Password
```cisco
IE2K-1(config)# enable secret <password>
IE2K-1(config)# service password-encryption
```
`enable secret` is stored as a one-way hash. `service password-encryption` only applies reversible type-7 obfuscation to line and username passwords in the configuration; it stops shoulder-surfing, not an attacker who obtains a copy of the running configuration.
Switch-Based Authentication (Cont.)
Configuring the Username and Password Pairs
```cisco
IE2K-1(config)# username STUDENT password 0 cisco123
IE2K-1(config)# aaa new-model
IE2K-1(config)# aaa authentication login default local
```
`password 0` stores the password in cleartext (type 7 once service password-encryption is on, which is trivially decoded); `username STUDENT secret <password>` stores a hash instead. Keep the order shown: the local user must exist before AAA is pointed at the local database, and verify a fresh login from a second session before closing the one you configured from, or you can lock yourself out.
Remote Device Management
Remote access to the CLI: Telnet, SSH
Remote access to the GUI: HTTP, HTTPS
Remote Device Management (Cont.)
Configuring the SSH Server
```cisco
switch(config)# hostname IE2K-1
IE2K-1(config)# ip domain-name cisco.com
IE2K-1(config)# crypto key generate rsa
The name for the keys will be: IE2K-1.cisco.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 5 seconds)

IE2K-1(config)# ip ssh version 2
IE2K-1(config)# line vty 0 15
IE2K-1(config-line)# transport input ssh
IE2K-1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAYQCULoJUd+DOnTQUmNyAKo9Z5X0mBU4Q569sz6e38bAs
Dz1qSRgIJrqZSHSH/aapnyC+hqi6q1ONj4LoIGQx9dfdnEXRAXH5TjuNJowN+07z3vwjZxKBLDWEayGu
psf9x6c=
```
The hostname and domain name must be set first because the key pair is named after the FQDN. SSH version 2 requires a modulus of at least 768 bits; treat the 1024 bits chosen here as the floor and generate 2048 bits or more in production. `transport input ssh` removes Telnet from the VTY lines, so login credentials no longer cross the network in cleartext.
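The slides configure SSH, the enable secret and the local user on separate pages. The following is an added example, not part of the original deck, that pulls them into one management-plane hardening sequence for the same IE2K-1 switch. It assumes the hostname and domain already set above, a management station network of 10.2.2.0/24 (the subnet the ACL slide later uses), and placeholder account names and passwords.

```cisco
! Added example: replace the 1024-bit key from the slide with a 2048-bit one
IE2K-1(config)# crypto key generate rsa modulus 2048
% You already have RSA keys defined named IE2K-1.cisco.com.
% Do you really want to replace them? [yes/no]: yes
IE2K-1(config)# ip ssh version 2
IE2K-1(config)# ip ssh dh min size 2048
IE2K-1(config)# ip ssh time-out 60
IE2K-1(config)# ip ssh authentication-retries 2
! Local account stored as a one-way hash (not "password 0"); privilege 15 removes the enable step
IE2K-1(config)# username netadmin privilege 15 secret <strong-password>
IE2K-1(config)# enable secret <strong-enable-password>
IE2K-1(config)# aaa new-model
IE2K-1(config)# aaa authentication login default local
! Only the management subnet (assumed 10.2.2.0/24) may open a VTY session at all
IE2K-1(config)# ip access-list standard MGMT_HOSTS
IE2K-1(config-std-nacl)# permit 10.2.2.0 0.0.0.255
IE2K-1(config-std-nacl)# deny any log
IE2K-1(config-std-nacl)# exit
IE2K-1(config)# line vty 0 15
IE2K-1(config-line)# transport input ssh
IE2K-1(config-line)# access-class MGMT_HOSTS in
IE2K-1(config-line)# exec-timeout 10 0
IE2K-1(config-line)# exit
! Slow online password guessing: quiet period of 120 s after 3 failures within 60 s
IE2K-1(config)# login block-for 120 attempts 3 within 60
IE2K-1(config)# login on-failure log
! Cleartext GUI off, HTTPS GUI on (the HTTPS slide relies on this)
IE2K-1(config)# no ip http server
IE2K-1(config)# ip http secure-server
IE2K-1(config)# end
IE2K-1# show ip ssh
IE2K-1# show login
```

Apply this from the console, then open a new SSH session from a host in 10.2.2.0/24 and confirm it works before closing the console session; `show login` shows whether the switch is currently in a quiet period after failed attempts.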
Remote Device Management (Cont.)
PuTTY Terminal Emulator Settings (screenshots): choose the SSH connection type and enter the switch address; under the SSH options set the preferred protocol version to 2, matching `ip ssh version 2` on the switch.
Remote Device Management (Cont.)
HTTPS (screenshot of the switch web interface opened over HTTPS)
Remote Device Management (Cont.)
Simple Network Management Protocol
SNMP provides a message format for communication between network devices and the network management system (the SNMP manager).
SNMP versions:
- SNMPv1
- SNMPv2c
- SNMPv3: the most secure; user-based authentication and encrypted communication (v1 and v2c only carry a community string, in cleartext)
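An added example (not from the original slides) of what "most secure" means in configuration: the cleartext SNMPv2c community the switch might still be running, beside an SNMPv3 authPriv user that authenticates with SHA and encrypts with AES. The NMS address 10.2.2.10, the group, view and user names and the passwords are assumptions.

```cisco
! Weak: a read/write community string, sent in cleartext in every packet
IE2K-1(config)# snmp-server community public RW
! Corrected: remove the community and use SNMPv3 with authentication and privacy
IE2K-1(config)# no snmp-server community public
IE2K-1(config)# snmp-server view MGMT_VIEW iso included
! Only the assumed NMS host may talk to the agent, and it gets read-only access
IE2K-1(config)# ip access-list standard SNMP_MANAGERS
IE2K-1(config-std-nacl)# permit host 10.2.2.10
IE2K-1(config-std-nacl)# exit
IE2K-1(config)# snmp-server group NMS_GROUP v3 priv read MGMT_VIEW access SNMP_MANAGERS
! authPriv user: SHA authentication, AES-128 encryption (passwords are placeholders)
IE2K-1(config)# snmp-server user nmsuser NMS_GROUP v3 auth sha <auth-password> priv aes 128 <priv-password>
! Notifications use the same v3 user, so traps are authenticated and encrypted too
IE2K-1(config)# snmp-server enable traps snmp authentication linkdown linkup
IE2K-1(config)# snmp-server host 10.2.2.10 version 3 priv nmsuser
IE2K-1(config)# end
IE2K-1# show snmp user
IE2K-1# show snmp group
```

Two practical points: SNMPv3 users do not appear in `show running-config`, so `show snmp user` is the way to audit them; and the user's keys are derived from the engine ID, so a user must be recreated if the engine ID is changed.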
Port Security
Port security allows you to configure interfaces to allow inbound traffic only from a restricted set of MAC addresses. In the example, FastEthernet1/4 and FastEthernet1/5 each accept a single permitted MAC address, so a nonsecure device (MAC 0000.1111.5555 in the diagram) plugged into either port is blocked.
```cisco
IE2K-1(config)# interface FastEthernet1/4
IE2K-1(config-if)# switchport mode access
IE2K-1(config-if)# switchport access vlan 21
IE2K-1(config-if)# switchport port-security
IE2K-1(config-if)# switchport port-security mac-address 0000.0200.0004
IE2K-1(config)# interface FastEthernet1/5
IE2K-1(config-if)# switchport mode access
IE2K-1(config-if)# switchport access vlan 21
IE2K-1(config-if)# switchport port-security
IE2K-1(config-if)# switchport port-security mac-address 0000.0200.0005
```
(The slide printed the addresses as 0000.02000.0004 and 0000.02000.0005, one hex digit too many for a MAC address; the 12-digit form above is an assumed correction.) With no violation mode configured the default is shutdown: a frame from any other source MAC puts the port into err-disabled, and it stays down until an administrator bounces it or errdisable recovery is enabled. The maximum number of secure addresses defaults to 1, which is why a single static entry fills the table.
VLAN Design Considerations
- Always use a dedicated native VLAN ID for all trunk ports.
- Disable all unused ports and put them in an unused VLAN.
- Do not use VLAN 1 for anything.
- Configure all end-device-facing ports as nontrunking (DTP off).
- Explicitly configure trunking on infrastructure ports.
- Set the default port status to disabled.
(Diagram: Cisco Catalyst 3750 switch stack with trunking uplinks and nontrunking end-device ports)
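The six VLAN rules above, applied to an IE2K access switch together with the port-security settings from the previous slide, as an added example that is not part of the original deck. VLAN numbers (21 for devices, 999 as the dedicated native VLAN, 998 as the parking VLAN for unused ports), the port ranges and the uplink are assumptions; the IE2K-1 prompt and VLAN 21 follow the slides.

```cisco
IE2K-1(config)# vlan 21
IE2K-1(config-vlan)# name CELL_DEVICES
IE2K-1(config-vlan)# vlan 998
IE2K-1(config-vlan)# name UNUSED_PARKING
IE2K-1(config-vlan)# vlan 999
IE2K-1(config-vlan)# name NATIVE_UNUSED
IE2K-1(config-vlan)# exit
! Infrastructure uplink: explicit 802.1Q trunk, DTP off, dedicated native VLAN that carries no user traffic
IE2K-1(config)# interface GigabitEthernet1/1
IE2K-1(config-if)# switchport trunk native vlan 999
IE2K-1(config-if)# switchport trunk allowed vlan 21
IE2K-1(config-if)# switchport mode trunk
IE2K-1(config-if)# switchport nonegotiate
IE2K-1(config-if)# exit
! Device-facing ports: access only, DTP off, one learned (sticky) MAC, offending frames dropped and logged
IE2K-1(config)# interface range FastEthernet1/4 - 5
IE2K-1(config-if-range)# switchport mode access
IE2K-1(config-if-range)# switchport access vlan 21
IE2K-1(config-if-range)# switchport nonegotiate
IE2K-1(config-if-range)# switchport port-security maximum 1
IE2K-1(config-if-range)# switchport port-security mac-address sticky
IE2K-1(config-if-range)# switchport port-security violation restrict
IE2K-1(config-if-range)# switchport port-security
IE2K-1(config-if-range)# spanning-tree portfast
IE2K-1(config-if-range)# spanning-tree bpduguard enable
IE2K-1(config-if-range)# exit
! Unused ports: parked in a dead VLAN and shut down
IE2K-1(config)# interface range FastEthernet1/6 - 8
IE2K-1(config-if-range)# switchport mode access
IE2K-1(config-if-range)# switchport access vlan 998
IE2K-1(config-if-range)# shutdown
IE2K-1(config-if-range)# exit
! Tag the native VLAN on trunks as well, so untagged frames cannot be used to hop VLANs
IE2K-1(config)# vlan dot1q tag native
IE2K-1(config)# end
IE2K-1# show interfaces trunk
IE2K-1# show port-security interface FastEthernet1/4
```

`violation restrict` was chosen over the default `shutdown` so that a mis-cabled device cannot take an I/O port out of service; the violation counter in `show port-security interface` still records the event, and `shutdown` remains the stronger choice where availability is less critical than containment.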
Traffic Filtering with ACLs
An ACL is a list of permit and deny statements. An ACL identifies traffic based on the information within the packet (addresses, protocol, ports). After traffic is identified, different actions can be taken. ACLs can be used on routers, switches, firewalls, and other network devices.
Traffic filtering with ACLs (diagram: hosts 10.1.1.21, 10.1.1.31, 10.1.1.41 and 10.1.1.51 behind GigabitEthernet1/1; the management network 10.2.2.0/24 on the far side of the uplink):
```cisco
IE2K-1(config)# ip access-list extended REMOTE_MGMT
IE2K-1(config-ext-nacl)# permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
IE2K-1(config-ext-nacl)# exit
IE2K-1(config)# interface GigabitEthernet1/1
IE2K-1(config-if)# ip access-group REMOTE_MGMT in
```
The ACL is applied inbound on GigabitEthernet1/1, so only packets from 10.2.2.0/24 to 10.1.1.0/24 are accepted there; every ACL ends with an implicit deny, so all other traffic arriving on that interface is dropped. Traffic leaving through GigabitEthernet1/1 (the outbound direction) is not filtered by this entry.
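The REMOTE_MGMT ACL admits a whole subnet for any IP protocol. An added example, not from the original deck, of a tighter inbound ACL on the same interface that only lets engineering workstations (10.2.2.0/24, from the slide) reach controllers in 10.1.1.0/24 over the industrial protocols listed in the network assessment (EtherNet/IP CIP on TCP 44818 and UDP 2222, Modbus TCP on 502) plus SSH/HTTPS to the switches. The management host 10.2.2.10, the Modbus gateway 10.1.1.21 and the NTP server are assumptions.

```cisco
IE2K-1(config)# ip access-list extended ENG_TO_CELL
IE2K-1(config-ext-nacl)# remark Engineering workstations to controllers: CIP explicit messaging and implicit I/O
IE2K-1(config-ext-nacl)# permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 44818
IE2K-1(config-ext-nacl)# permit udp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 2222
IE2K-1(config-ext-nacl)# remark Modbus TCP only to the assumed gateway host
IE2K-1(config-ext-nacl)# permit tcp 10.2.2.0 0.0.0.255 host 10.1.1.21 eq 502
IE2K-1(config-ext-nacl)# remark Switch management from the assumed management host only
IE2K-1(config-ext-nacl)# permit tcp host 10.2.2.10 10.1.1.0 0.0.0.255 eq 22
IE2K-1(config-ext-nacl)# permit tcp host 10.2.2.10 10.1.1.0 0.0.0.255 eq 443
IE2K-1(config-ext-nacl)# remark NTP replies from the assumed time server toward the cell
IE2K-1(config-ext-nacl)# permit udp host 10.2.2.10 eq 123 10.1.1.0 0.0.0.255
IE2K-1(config-ext-nacl)# remark Echo for HMI reachability checks; everything else is denied
IE2K-1(config-ext-nacl)# permit icmp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 echo
IE2K-1(config-ext-nacl)# deny ip any any
IE2K-1(config-ext-nacl)# exit
IE2K-1(config)# interface GigabitEthernet1/1
IE2K-1(config-if)# ip access-group ENG_TO_CELL in
IE2K-1(config-if)# end
IE2K-1# show ip access-lists ENG_TO_CELL
```

The explicit `deny ip any any` does what the implicit deny already does; it is written out so the intent is visible in `show ip access-lists`. Before deploying, confirm from a packet capture on the SPAN port which protocols the cell actually uses, otherwise a forgotten protocol (PROFINET discovery, a vendor backup tool) turns into an outage rather than a log entry.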
Firewalls
Firewalls control traffic flow:
- Isolate interfaces from each other
- Control connections with security and translation policies
Firewalls provide:
- Inter-zone traffic segmentation
- Access Control Lists (ACLs)
- Intrusion Prevention System (IPS)
- VPN services
(Diagram: Internet, Enterprise Network, DMZ and Industrial Network as separate firewall zones)
Intrusion Prevention System
The IPS prevents attacks against devices:
- Standalone or integrated in the Cisco ASA
- Inline versus promiscuous mode
(Diagram: IPS between the Enterprise Network, the DMZ and Site Manufacturing Operations and Control)
VPNs and Benefits
VPN usage: connecting headquarters, plant, and business partners (diagram: a site-to-site VPN between HQ and the plant across the Internet/WAN; a remote-access VPN for a business partner or consultant).
VPN characteristics:
- Private traffic is transported across a public network.
- Private traffic is separated in a tunnel, so it can be encrypted to keep the data confidential.
VPN benefits: cost savings
IPsec
IPsec acts at the network layer, protecting and authenticating IP packets. IPsec is a framework of open standards that is algorithm-independent. IPsec services provide four critical functions:
- Confidentiality
- Data integrity
- Authentication
- Anti-replay protection
(Diagram: IPsec tunnel across the Internet)
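How the four functions map onto configuration, as an added example that is not from the slides: a site-to-site IPsec tunnel on a Cisco IOS router at the plant edge (the IE2K switch does not terminate IPsec). The peer addresses (198.51.100.1 local, 203.0.113.2 at HQ), the plant and HQ subnets, the names and the pre-shared key are all assumptions.

```cisco
! Phase 1 (IKEv1/ISAKMP): authenticates the peers and protects the key exchange
Plant-RTR(config)# crypto isakmp policy 10
Plant-RTR(config-isakmp)# encryption aes 256
Plant-RTR(config-isakmp)# hash sha256
Plant-RTR(config-isakmp)# authentication pre-share
Plant-RTR(config-isakmp)# group 14
Plant-RTR(config-isakmp)# lifetime 28800
Plant-RTR(config-isakmp)# exit
! Authentication: pre-shared key bound to the HQ peer address (certificates scale better than PSKs)
Plant-RTR(config)# crypto isakmp key <long-random-psk> address 203.0.113.2
! Phase 2: ESP gives confidentiality (AES-256) and data integrity (SHA-256 HMAC);
! anti-replay protection comes from the ESP sequence number window and is on by default
Plant-RTR(config)# crypto ipsec transform-set PLANT_TS esp-aes 256 esp-sha256-hmac
Plant-RTR(cfg-crypto-trans)# mode tunnel
Plant-RTR(cfg-crypto-trans)# exit
! Interesting traffic: only plant-to-HQ packets enter the tunnel
Plant-RTR(config)# ip access-list extended PLANT_TO_HQ
Plant-RTR(config-ext-nacl)# permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
Plant-RTR(config-ext-nacl)# exit
Plant-RTR(config)# crypto map HQ_MAP 10 ipsec-isakmp
Plant-RTR(config-crypto-map)# set peer 203.0.113.2
Plant-RTR(config-crypto-map)# set transform-set PLANT_TS
Plant-RTR(config-crypto-map)# set pfs group14
Plant-RTR(config-crypto-map)# match address PLANT_TO_HQ
Plant-RTR(config-crypto-map)# exit
Plant-RTR(config)# interface GigabitEthernet0/0
Plant-RTR(config-if)# ip address 198.51.100.1 255.255.255.0
Plant-RTR(config-if)# crypto map HQ_MAP
Plant-RTR(config-if)# end
! Verify: phase 1 SA in QM_IDLE, then encrypt/decrypt counters rising on the phase 2 SA
Plant-RTR# show crypto isakmp sa
Plant-RTR# show crypto ipsec sa
```

The HQ router carries the mirror image (peer 198.51.100.1, the ACL with source and destination swapped); both ends must agree on the policy, the transform set and the PFS group or phase 1 or phase 2 negotiation fails.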
Cisco SSL VPN Solutions
(Diagram: Cisco AnyConnect client building an SSL VPN tunnel across the Internet to a Cisco Catalyst 3750 switch stack)
Identify Security Incidents
- Port mirroring on routers and switches that feed the IPS
- Cisco IOS NetFlow from routers to flow collectors
- Network Management System
Selected security event types to log:
| Event Type      | Source           | Events                                                                                              |
|-----------------|------------------|-----------------------------------------------------------------------------------------------------|
| Attribution     | DHCP server      | IP assignments to machine, MAC address                                                              |
| Attribution     | VPN server       | IP assignments to user, WAN address                                                                 |
| Attribution     | NAT gateway      | IP assignment translation to RFC 1918                                                               |
| Attribution     | 802.1X auth      | IP assignment to user, MAC address                                                                  |
| System activity | Server syslog    | Authentication and authorization; services starting and stopping; configuration changes; security events |
| Firewall logs   | Network firewall | Accepted, denied connections                                                                        |
Identify Security Incidents (Cont.)
Switched Port Analyzer (SPAN)
You can use port mirroring to identify security incidents. The SPAN feature copies traffic from one or more source ports or source VLANs to one or more destination ports on the same switch, where the capture or analysis device receives the copies.
SPAN sources:
- Fast Ethernet
- Gigabit Ethernet
- EtherChannel
- VLANs
Identify Security Incidents (Cont.)
Configure SPAN to identify security incidents. CLI example: you suspect an attempted DoS attack from outside, arriving on the uplink GigabitEthernet1/1; the analyzer is attached to FastEthernet1/3.
```cisco
IE2K-1(config)# monitor session 1 source interface GigabitEthernet 1/1
IE2K-1(config)# monitor session 1 filter vlan 105
IE2K-1(config)# monitor session 1 destination interface FastEthernet 1/3
IE2K-1# show monitor session 1
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi1/1
Destination Ports      : Fa1/3
    Encapsulation      : Native
          Ingress      : Disabled
Filter VLANs           : 105
```
"Both" means frames entering and leaving Gi1/1 are mirrored. The VLAN filter only applies when the source is a trunk port; it limits the copy to VLAN 105 so the analyzer is not flooded with every VLAN on the trunk. "Ingress: Disabled" means the destination port does not forward anything the analyzer sends back into the switch.
Identify Security Incidents (Cont.)
Configure SPAN to identify security incidents from the Device Manager GUI: Configure > Smartports (screenshots).
Identify Security Incidents (Cont.)
Use Wireshark on the SPAN destination port to identify security incidents.
Document Security Incidents
Example incident record (flow summary from the traffic-monitoring tool):
When?
- Active duration: 3 minutes 30 seconds
- Total duration: 2 days 5 hours 56 minutes (Feb 13, 2014 8:15:00 AM to Feb 15, 2014 2:11:00 PM)
How?
- Service: http (tcp:80)
- Application: HTTP
Who? (source and target)
- IP address, host group, country
How much?
- 100.11 MBytes, 108.3 k packets
Summary
- As industrial applications become connected to enterprise systems, they are exposed to the same types of threats as traditional IT networks.
- Maintaining up-to-date IOS and firmware revisions increases device security.
- Usernames and passwords are used to prevent unauthorized access to switches and routers.
- SSH and HTTPS provide secure remote management.
- VLAN security measures prevent unauthorized access to the network.
- ACLs are used to control traffic to the network.
- Firewalls and IPS are used to protect the control network from threats that could come from the enterprise network.
- VPNs are used to protect sensitive data sent over public networks.
- Traffic monitoring can provide information about attacks.
- Certain information, such as the source IP addresses and target applications, should be gathered and documented during suspected security incidents.
Network Security Service Offerings
Converged Plant-wide Ethernet (CPwE) Reference Architectures
Structured and Hardened IACS Network Infrastructure:
- Industrial security policy
- Pervasive security, not a bolt-on component
- Security framework utilizing a defense-in-depth approach
- Industrial DMZ implementation
- Remote partner access policy, with robust and secure implementation
- Standard DMZ design best practices
(Diagram of the CPwE levels; labels grouped by zone)
- Enterprise Zone, Levels 4-5: Enterprise WAN
- Industrial Demilitarized Zone (IDMZ): Cisco ASA 5500 firewall (active) and firewall (standby); physical or virtualized servers for patch management, remote gateway services, application mirror, AV server, AAA application authentication server / Active Directory (AD), AAA network remote access server; plant firewall services: inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and terminal server proxy
- Level 3, Site Operations: FactoryTalk client, client hardening, network status and monitoring, Catalyst 6500/4500
- Level 2, Area Supervisory Control: HMI; controller hardening, encrypted communications; VLANs segmenting domains of trust; Unified Threat Management (UTM); controller hardening, physical security
- Level 1, Controller: controllers, I/O, drives; VLANs; Catalyst 3750 StackWise switch stack
- Level 0, Process: I/O, drive, MCC, soft starter
- Throughout: network device resiliency; network infrastructure access control and hardening; physical port security
Global Solutions: Bringing you a world of experience
- Global execution: consistent methodology deployed in all locations; the right team for your project from our worldwide talent
- Domain expertise: all major industries; any production environment; combining technology and application knowledge; helping you exceed your business goals
- Project management: based on PMI PMBOK; certified project managers; repeatable, measurable, auditable; risk management
- Practice areas: Information, Process, Discrete Automation, Power, Motion, Sustainable Production, Technology Migration, Hardware Integration
- 80 countries, 20 languages, 2500+ employees, average 13+ years experience, single point of contact
Thank you for participating! Your feedback is valuable! Please complete the session survey. E-Mail us indiamarketing@ra.rockwell.com Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. www.rockwellautomation.com