Secure Access into Industrial Automation and Systems: Best Practice and Trends
Serhii Konovalov, Venkat Pothamsetty, Cisco
Collaborating to Advance System Security

- A vendor offers remote firmware updates and PLC programming.
- A contractor asks for access to SCADA from an oil pipeline pump station.
- Available industrial security guidelines do not detail Secure Access.
Agenda
- Risks and Benefits
- Secure Remote Access into an IACS
- Secure Local Access into an IACS
- Secure Direct Access enabled by NAC
- Summary

Remote and Local Access Parties
- Authorized employees, contractors, vendors
- External Security Center
- Standalone Remote Embedded Device
- Remote Center
- And others. Do not forget Portable Storage Media
Cyber Security Risks
- Unauthorized/Unknown Access
- Inability to Limit Access
- Malicious and Mobile Code
- Accidental Misconfiguration
- Disgruntled Insiders

Business Risks
- Loss of Revenue
- Unanticipated Costs
- Fines Due to Violation of Legal and Regulatory Requirements
- Safety Incident
- Adverse Press Coverage
Security at DNA Level
- Secure by Design
- Defense in Depth
- Industry Validation

[Diagram: secure access reference architecture across levels 0 to 5, with the DMZ at level 3.5 between the Corporate/Business Network (level 4) and the plant LAN/WAN (level 3 and below). Components shown: Internet/Intranet/PSTN/WAN, VPN/SSL Concentrator, ASA 5500, Access Server, Cisco Security Manager, CS-MARS.]
Business Benefits
- Reduce Total Cost of Ownership
- Improve Operational Efficiency
- Low-cost External Manufacturing and Engineering Support
- Mobile Workers
- Reduce Errors of Manual Input
- Regulatory Compliance: Logging, Audit and Reporting of Access Attempts
Remote Access (RA) Security Requirements (according to ISO/IEC 18028-5:2006)
- Tunnel Endpoint: Confidentiality, Integrity and Availability
- DMZ: Authenticity, Authorization, Availability
- Data and Code in Tunnel: Authenticity, Authorization, Availability
- Tunnel technologies: IPSec VPN; SSL VPN (TLS/DTLS)

DMZ Principles
[Diagram: DMZ bounded by a Disconnect Point on each side, hosting Terminal Services, Patch Mgmt., AV Server, Historian and Web Services, with the Operations network behind it. Principles labelled: Decryption and Inspection; L2 Segmentation (PVLANs); No Pass-Through Direct Traffic.]
Other DMZ considerations of RA
- "Client Less" VPN
- Role-Based Access Control
- Bandwidth Adjustment
- Intrusion Protection
- Split-tunneling should be avoided
- RDP Session Recording (metadata analytics)

Options of Secure Remote Access
- Type 1: SSL VPN and Web Portal
- Type 2: Service-Oriented RA
- Type 3: Corporate IT best-practice RA
DMZ Architecture for unmanaged devices. Type 1: SSL VPN/Web portal
[Diagram: Corporate/3rd Party Network connects through the Adaptive Security Appliance (ASA) into the DMZ (VLAN 1, VLAN 3, VLAN 4) and on to the Network; Terminal Services (TS) emulation is performed by the ASA.]
- No need for a Terminal Server
- Only SSL VPN mode
- Protocols don't pass through a DMZ firewall
- Single Sign-On available
- Terminal Session is not captured at DMZ
DMZ: Extended control for unmanaged access. Type 2: Service-Oriented RA
[Diagram: Corporate/3rd Party Network connects through the Adaptive Security Appliance (ASA) to a Virtualized Machines Server in the DMZ (VLAN 5, VLAN 6; 802.1q trunks carrying VLANs 2,3,4 and VLANs 2,3,4,5,6) with role-based ACL and VLAN assignment, and then to the Network.]
- IPSec and SSL VPNs
- All types of Authentication
- Granular Role-based Access Model
- Session Recording
- Single Sign-On available (for TS Access)
DMZ Enhanced Architecture. Type 3: Corporate IT RA
[Diagram: same topology as Type 2: Corporate/3rd Party Network, Adaptive Security Appliance (ASA), Virtualized Machines Server in the DMZ (VLAN 5, VLAN 6; 802.1q trunks carrying VLANs 2,3,4 and VLANs 2,3,4,5,6), then the Network.]
- Enhanced and adjusted version of Type 2
- Corporate IT VPN Security Best Practice
- Security Policy Enforcement
- Quarantine and Remediate
- Managed and Unmanaged Endpoints
[Diagram: remote access path across levels 0 to 5. Corporate/Business Network (level 4) with Corporate Applications and Unified Communications; VPN/SSL Concentrator; an IPSec/SSL VPN Tunnel or MPLS VPN carries User Traffic into the level 3.5 DMZ (ASA 5500, Access Server) and the LAN/WAN; Cisco Security Manager and CS-MARS for management. Controls shown: Quality of Service, Virtualization, User Web-based authentication, Dynamic ACL (IPSec and SSL only), Rate-Limit and QoS Enforcement.]
[Diagram: local access into the plant zones (levels 0 to 3). Site Operations and Supervisory (Historian, Engineering Station, Production Optimizing HMI) with Remote Access Web-Authentication and a VLAN to ASA ports; Area Supervisory (HMI); Basic Process (Batch, Discrete, Continuous, Hybrid). Multiple Functional Subzones interconnect over a low-speed WAN; a Remote Zone carries Terminal Services/VNC traffic via Web-Portal/SSL VPN with Terminal Services/VNC emulation. Controls shown: Port Security, QoS, Smart Ports, optional Firewall and IDS.]
[Diagram: direct access into the plant zones (levels 0 to 3), same layout as the local access diagram. Site Operations and Supervisory (Historian, Engineering Station, Production Optimizing HMI); Area Supervisory (HMI); Basic Process (Batch, Discrete, Continuous, Hybrid); Multiple Functional Subzones interconnect over a low-speed WAN; a Remote Zone carries Direct Access Traffic. Controls shown: Web-Authentication, Software Policy Compliance Check, Rate-Limiting, QoS Enforcement, Port Security, QoS, Smart Ports, optional Firewall and IDS.]

Network Admission Control (NAC)
- Checks client devices for security policy compliance
  - Running HIPS (e.g. CSA), AV, patch current
  - Clients that fail posture assessment placed on remediation VLAN
- Helps prevent infection of ICS by mobile users
- NAC Profiler identifies devices and enforces roles
  - PLC, Vendor laptop, Employee, Network admin
- Appropriate for both DMZ (Remote access) and Control Zone (local access)
NAC Components
- The Appliance
  - Deployed out-of-band in CZ for device and user role enforcement
  - Deployed in-band in DMZ to enforce remote access user roles
  - NAC Profiler Collector runs on NAC Appliance
- The Profiler Server
  - Resides in DMZ, works with multiple NAC Appliances
- The Manager
  - Resides in DMZ, controls multiple NAC Appliances
  - Device & user profiles specified on NAC Manager

NAC Profiler: Automated Profiling of Devices
[Diagram: NAC Profiler discovering PCs, non-PCs and CZ devices such as a Printer, an AP and a PLC.]
- Discovery: Discover all network endpoints by type and location
- Endpoint Profiling: Maintain real time and historical contextual data for all endpoints
- Behavior Monitoring: Monitor the state of the network endpoints; detect events such as MAC spoofing, port swapping, etc.
- Automated process populates devices into the NAC Manager and subsequently into appropriate NAC policy
NAC Profiler Components
- NAC Profiler Server: Aggregates all data from Collectors and manages database of endpoint information. Updates the Cisco NAC Appliance Manager, where roles are applied.
- NAC Collector: Gathers information about endpoints using SNMP, NetFlow, DHCP, and active profiling. Co-resident with NAC Appliance Server.

NAC Profiler Collector (NPC)
- Gathers information about the endpoints associated with that NAC Appliance (CAS)
- Information gathered includes data from SNMP, Network Traffic Analysis, and/or Active Profiling ("It's a PLC!")
- Distributed Collector model allows many NPCs to work with a single NAC Profiler Server (NPS)
- NPC resides on NAC Appliance (CAS)
NAC Profiler and Collector
[Diagram: a Remote Location with a NAC Appliance with Collector (NPC) fed from a SPAN port; the NPC reports to the NAC Profiler Server (NPS), which updates the NAC Manager over the NAC API; an AAA Server and Windows AD provide authentication. Label on the diagram: "May not be a DMZ".]

NAC Deployment Guidelines for IACS
- Profiler Guidelines
  - Profile creation not trivial
  - Easy when you have similar devices (ports, protocols)
- Architecture/Design Practice
  - Out-of-band placement of the appliances (DMZ, Enterprise)
  - In-band placement problems and lessons
- Others
  - Cost issues
  - Configuration
Key takeaways
- Secure Access provides a clear business value
- Different Secure Access options are available to fit various needs
- NAC enables security for Direct Control Systems Access
Feedback? What is your best practice?
THANK YOU!!!