AUD20 - Industrial Network Security

AUD20 - Industrial Network Security Lesley Van Loo EMEA Senior Commercial engineer - Rockwell Automation Rev 5058-CO900B Copyright 2012 Rockwell Automation, Inc. All rights reserved.

2 Agenda Connected Enterprise: Value, Risks and Threats Trends, Defense-in-Depth, Architectural Security Framework Physical security (restrict access) Device hardening (hardware and electronically) Network Security (Firewall, VPN) Secure Remote Access References

3 Agenda Connected Enterprise: Value, Risks and Threats Trends, Defense-in-Depth, Architectural Security Framework Physical security (restrict access) Device hardening (hardware and electronically) Network Security (Firewall, VPN) Secure Remote Access References

4 The Connected Enterprise

The Value in Bringing the Information Together Copyright 2012 Rockwell Automation, Inc. All rights reserved. Laboratory Information Management Systems Performance Production Scheduling Alarms/Events Quality Systems HMIs Control Systems Data Historians Other Database Systems Computerized Maintenance Management Systems You need to deliver the information fast, reliably and securely!

Risks and Threats to Control Systems Application of Security patches Natural or Man-made disasters Worms and viruses Theft Sabotage Unauthorized access INFORMATION Denial of Service Business Risk Unauthorized actions by employees Unauthorized remote access Unintended employee actions OPERATIONS Security risks increase potential for disruption to system uptime and safe operation and a loss of IP Copyright 2012 Rockwell Automation, Inc. All rights reserved.

7 Agenda Connected Enterprise: Value, Risks and Threats Trends, Defense-in-Depth, Architectural Security Framework Physical security (restrict access) Device hardening (hardware and electronically) Network Security (Firewall, VPN) Secure Remote Access References

8 Industrial Security Trends Security for the Connected Enterprise Scalable, robust, secure and futureready infrastructure for the Connected Enterprise: Application Software Network Holistic Defense-in-Depth

9 Industrial Security Trends Security Quips "Good enough" security now, is better than "perfect" security... never (Tom West, Data General) Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done. (Dave Piscitello) Your absolute security is only as strong as your weakest link Concentrate on known, probable threats Security is not a static end state, it is an interactive process You only get to pick two of the three: fast, secure, cheap (Brett Eldridge)

Industrial Security Trends Established Industrial Security Standards International Society of Automation ISA/IEC-62443 (Formerly ISA-99) Industrial Automation and Control Systems (IACS) Security Defense-in-Depth IDMZ Deployment National Institute of Standards and Technology NIST 800-82 Industrial Control System (ICS) Security Defense-in-Depth IDMZ Deployment Department of Homeland Security / Idaho National Lab DHS INL/EXT-06-11478 Control Systems Cyber Security: Defense-in-Depth Strategies Defense-in-Depth IDMZ Deployment A secure application depends on multiple layers of protection. Industrial security must be implemented as a system. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 10

11 Industrial Security Trends EtherNet/IP Industrial Automation & Control System Network Open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks Secured by configuration: Protect the network - Electronic Security Perimeter Defend the edge - Industrial DMZ (IDMZ) Defense-in-Depth multiple layers of security

12 Defense In Depth - Don t miss the Depth A secure application depends on multiple layers of protection. Industrial security must be implemented as a system. Layered Security Model Shield potential targets behind multiple levels of protection to reduce security risks Defense in Depth Use multiple security countermeasures to protect integrity of components or systems Openness Consideration for participation of a variety of vendors in our security solutions Flexibility Able to accommodate a customer s needs, including policies & procedures Consistency Solutions that align with Government directives and Standards Bodies

14 Holistic Defense-in-Depth Critical Elements to Industrial Security one-size-fits-all A balanced Industrial Security Program must address both Technical and Non-Technical Elements Non-technical controls - rules for environments: e.g. standards, policies, procedures, and risk management Technical controls technology to provide restrictive measures for non-technical controls: e.g. Firewalls, Group Policy Objects, Layer 3 access control lists (ACLs) Security is only as strong as the weakest link Vigilance and Attention to Detail are KEY to the long-term security success

Partners Copyright 2012 Rockwell Automation, Inc. All rights reserved. 15 Security Innovation Building the Security-oriented Architecture Architecture Security Requirements Authenticated Access Data Confidentiality IP Protection Product & Network Hardening Tamper Prevention & Detection Partnering & Supply Chain Data Protection and Confidentiality Network IP protection Role-based Security Data Protection Anti- Tamper and Detection Remote Access Supply-chain

16 Holistic Defense-in-Depth Industrial Security Policies Drive Technical Controls Physical limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling, and control room. locks, gates, key cards, biometrics. This may also include policies, procedures and technology to escort and track visitors Network security framework e.g., firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS) Computer Hardening patch management, Anti-X software, removal of unused applications/ protocols/services, closing unnecessary logical ports, protecting physical ports Application authentication, authorization, and accounting (AAA) software Device Hardening change management, communication encryption, and restrictive access

17 Architectural Security Framework Cisco / Rockwell Automation CPwE Reference Architectures Flat and Open IACS Network Infrastructure Flat and Open IACS Network Infrastructure Structured and Hardened IACS Network Infrastructure

18 Architectural Security Framework Cisco / Rockwell Automation CPwE Reference Architectures Structured and hardened network infrastructure Scalable framework utilizing holistic defense-in-depth approach Security is pervasive, not a bolt-on component Alignment with industrial security standards (e.g. ISA, NIST) Industrial security policy: A-I-C vs. C-I-A Industrial DMZ implementation Remote partner access policy, with robust & secure implementation Network Security Services Must Not Compromise Plant/Site Operations Standard DMZ Design Best Practices AAA FactoryTalk Authentication Server, Active Directory (AD), AAA Radius / ISE Enterprise Zone Levels 4-5 Remote Access Server Level 3 Site Operations Industrial Demilitarized Zone (IDMZ) FactoryTalk Client OS Hardening Level 2 Area Supervisory Control Device Hardening, Encrypted Communications Device Hardening Physical Security Procedural VLANs, Segmenting Domains of Trust Zone Firewall Device Hardening, Electronic Level 1 - Controller VLANs Catalyst 3750 StackWise Switch Stack Enterprise WAN Cisco ASA 5500 Firewall (Active) Network Status and Monitoring Catalyst 6500/4500 Controller Controller Controllers, I/O, Drives External DMZ/ Firewall Physical or Virtualized Servers Patch Management Remote Desktop Gateway Server Application Mirror AV Server I/O Firewall (Standby) HMI Level 0 - Process Plant Firewall: Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Remote Desktop Services proxy Network Device Resiliency Network Infrastructure Hardening Access Control Drive Physical Port Security MCC Internet Soft Starter

19 Agenda Connected Enterprise: Value, Risks and Threats Trends, Defense-in-Depth, Architectural Security Framework Physical security (restrict access) Device hardening (hardware and electronically) Network Security (Firewall, VPN) Secure Remote Access References

20 Architectural Security Framework Physical Restrict Industrial Automation and Control System (IACS) access to authorized personnel only Control panels, devices, cabling, and control room Locks, gates, key cards, video Surveillance, other Authentication Devices (biometric, keypad, etc.). Physical port access (Ethernet and USB ports) Switch the Logix Controller key to RUN

21 Architectural Security Framework Physical Port Security Keyed solutions for copper and fiber Lock-in, Blockout products secure connections Data Access Port (keyed cable and jack)

23 Agenda Connected Enterprise: Value, Risks and Threats Trends, Defense-in-Depth, Architectural Security Framework Physical security (restrict access) Device hardening (hardware and electronically) Network Security (Firewall, VPN) Secure Remote Access References

24 Architectural Security Framework Device hardening Controller / communication modules Electronic design: Change passwords from default settings Logix Controller Source Protection Signed AOI s Logix Controller Data Access Control Signed firmware Trusted Slot Designation Disable unused ports Stratix managed switches (with CLI, Device Manager or Studio 5000 (AOP and code) USB port Logix controller and Ethernet communication card Message instruction (KB AID 618101) or Trusted slot feature Studio 5000 (V20 and later) USB ports industrial PC

25 Architectural Security Framework Device/ network hardening - Encrypted Communications Enables secure communications down to the controller chassis through IPSec VPN (L2TP) Create a secure link from a ControlLogix chassis to An engineering or HMI workstation A Services Router (like the Stratix 5900) or Cisco VPN Appliance (ASA) Another ControlLogix chassis for secure controller-to-controller messaging via EN2TSC Authentication to this module required before gaining access to modules on the Local 1756 backplane 1756-EN2TSC Take proper precautions unintentional threats can occur more often than intentional ones

26 Architectural Security Framework Device/ network hardening - Encrypted Communications ControlLogix Secure Communications Module 1756-EN2TSC Secure client connections (i.e., maintenance lap tops, servers) Secure program uploads and downloads Secure communications between ControlLogix controllers

27 Demo 1756-EN2TSC Connect a Windows PC securely to a ControlLogix controller 1. Setup EN2TSC Enable security features Configure with what device you are connecting too EN2TSC Windows based PC Application server (ASA) or service router (Stratix 5900) Disable connections and services to the controller / EN2TSC 2. Setup your VPN network on your windows based PC Instructions can be easily found on the internet for different Win OS 3. Connect via VPN tunnel 4. Trusted slot designation

28 Agenda Connected Enterprise: Value, Risks and Threats Trends, Defense-in-Depth, Architectural Security Framework Physical security (restrict access) Device hardening (hardware and electronically) Network Security (Stratix security features, Firewall, VPN) Secure Remote Access References

29 Architectural Security Framework Network Hardening How can I keep bad guys off my industrial networks? I m worried hackers are trying to get into my control system to disrupt or manipulate its operation Safety, Availability, IP protection are all critical to me. Network Hardening enables secure enterprise connectivity, remote manufacturing and remote engineering Rockwell Automation solutions available today include: Architectural Guidelines Network and Security Services Electronic design ControlLogix secure communication module Stratix Portfolio of Routers & Switches NEW! Stratix 5900 Services Router

The Stratix Portfolio Simplifying the Integration of Industrial & Enterprise Environments Products that deliver Layer 2 and Layer 2 switching for simple to complex networks applications Advanced security services Plant-floor and Enterprise integration Technology that offers Advanced switching, routing & security features Common tools for Controls & IT Improved maintainability Addressing the needs of Automation as well as Operations and IT Stratix 5100 Wireless Access Point

The Stratix Value Designed & developed for Industrial EtherNet/IP applications Optimize network performance QoS Quality of Service - default configurations are set to ODVA standards for EtherNet/IP industrial applications for discrete, motion, safety and process applications; security: minimize impact DoS attacks IEEE1588 (CIP Sync) - ODVA implementation of the IEEE 1588 precision time protocol ensures performance when connecting EtherNet/IP devices Simplify design, deployment and maintainability DHCP per port - assign a specific IP address to each port, ensuring that the device attached to a given port will get the same IP address Broken Wire Detection - detect cabling problems like, open, broken, cut or shorted twisted-pair wires, with status availability in Logix Network Address Translation NAT A 1:1 IP address translation to help segment machine level network devices from the plant network, translate only the devices that need to be visible to the plant network

Stratix Security Features Application/Project (CIP) based port access Controller based port control (on/off) Default settings for port access based on controller mode (idle/fault) Unauthorized device identification (tags) per port Configurable port security Preconfigured port security set-up via smartports Configure number of devices allowed per port Configurable device MAC ID authentication Storm control per port Encrypted administrative traffic SSHv2, SNMPv3, and HTTPS support Advanced capability (via CLI) Multiple layers (7) of password protection Access Control Lists (ACLs) to apply security policies per port 802.1x for user authentication DHCP Snooping and IP source guard to prevent spoofing TACACS+ and Radius for centralized authentication Simple tools to help standardize and enforce security policies

33 Port Security MAC address-based This feature is available on Stratix 5700, 8000 and 8300 managed switches. Provides a simple method for restricting network host access based on Media Control Access Address (MAC Address). A specific switch port can be blocked when: A greater number of source MAC addresses than configured is seen on the port. Source MAC address(es) seen on the port is not contained in a defined list. Each Port Security policy violation additionally triggers an alarm in the switch.

34 Access Control Lists (ACLs) In computer networks this is the preferred method of network administrators to filter traffic and apply security policies. For example, a network administrator may want to allow users access to the Internet to browse web pages (HTTP) but deny file exchange (FTP). An ACL is a sequential list of permit or deny statements that apply to addresses (MAC and IP) or upper-layer protocols.

35 Access Control Lists (ACLs) ACLs can be applied to an interface (IP or switch port) Inbound or outbound mode. Stratix 5700, 8000 and 8300 switches support only inbound mode for all ACLs. When an access lists applied to an inbound interface, the packets are checked against the access list before any routing or switching table lookup process occurs. All ACLs have an implied Deny Any Any at the end; Any traffic not specifically allowed will be dropped Does not inspect traffic Access Control Lists configuration can be done using: Command Line Interface (CLI) Primary user interface for configuring, monitoring and maintaining Cisco devices. It is the primary tool used by IT professionals today. Cisco network Assistant (CNA) (Stratix 5700, 8000 and 8300) Stratix Configurator (Stratix 5900)

Network Segmentation Structured and Hardened Network Infrastructure Smaller modular building blocks to help minimize network sprawl and build scalable, robust and future-ready network infrastructure Smaller fault domains (e.g. Layer 2 loops) Smaller broadcast domains Smaller domains of trust (security) Multiple techniques to create smaller network building blocks (Layer 2 domains) Structure and hierarchy Logical model geographical and functional organization of IACS devices Campus network model - multi-tier switch model Layer 2 and Layer 3 Logical framework Segmentation Multiple network interface cards (NICs) e.g. CIP bridge Network Address Translation (NAT) appliance Virtual Local Area Networks (VLANs) VLANs with NAT Integrated Services Router (Stratix 5900) Copyright 2012 Rockwell Automation, Inc. All rights reserved. 39

40 Demo security features Stratix platform Panduit Lock-in and block-out products Application/Project (CIP) based port access Controller based port control (on/off) Storm control (AOP) Configurable port security Smartports -> preconfigured port security set-up (Number of devices allowed per port) Segmentation VLANs and NAT

41 Architectural Security Framework Network hardening - Segmentation Enterprise-wide Network Enterprise-wide Network Enterprise-wide Network Enterprise-wide Network Plant-wide Network Switch with VLANs Plant-wide Network Plant-wide Network Plant-wide Network Not Recommended as only solutions Recommended Depends based on customer standards, security policies and procedures, risk tolerance, and alignment with IACS Security Standards Enterprise-wide Network Enterprise-wide Network Enterprise-wide Network Router (Zone Based FW) Firewall IDMZ Plant-wide Network Plant-wide Network Plant-wide Network Good Better Best

Architectural Security Framework Stratix 5900 Layer 2 & Layer 3 Services Router Premiere routing and security services for Layer 2 or Layer 3 Router + Firewall Virtual Private Network (VPN) Network Address Translation (NAT) Access Control Lists (ACL) 1GE WAN, 4 FE LAN, 1 Serial Port Built with Cisco technology (IOS) Common features of the Stratix Ethernet managed switch family Common IT development tools (CLI, DM, CiscoWorks, CCP) Supports advanced monitoring & troubleshooting (Netflow) Industrially hardened, DIN rail mountable Ideal Ideal for for helping Site to Site protect Connections, communications Cell/Zone through Area Firewall secure & channels & OEM restricting Integration unwanted communications by policy and inspection

Stratix 5900 Device Manager Web based graphical device management tool Dashboard, Configure, Monitor and Maintenance views to help manage and diagnose network issues Displays real-time views of configuration and performance Simplifies task of setting up router (LAN, WAN) Graphical displays to easily monitor & diagnose the router Alarm tools to alert, identify and help solve network problems Connect securely from your Internet browser

44 Stratix Configurator CCP PC based application software for device management for IOS based Stratix products Based on Cisco Configuration Professional (CCP) Easy-to-use configuration wizards for router, firewall, intrusion prevention system (IPS), VPN, unified communications, WAN, and LAN configurations HMI Server Catalyst 2960 Stratix 5700 Catalyst 3750-X Line Controller Free download available at our Product Compatibility and Download Center: http://www.rockwellautomation.com/ rockwellautomation/support/pcdc.page? Machine Stratix 5900 Machine #1 Stratix 5900 #2

45 Architectural Security Framework Stratix 5900 Layer 2 & Layer 3 Services Router Stratix 5900 Service Router is ideal for: Enterprise-wide Business Systems Levels 4 & 5 Data Center Enterprise Zone Level 3.5 - IDMZ Site-to-Site Connection Stratix 5900 1) Site-to-Site Connection Stratix 5900 2) Cell/Area Zone Firewall Plant-wide Site-wide Operation Systems Level 3 - Site Operations Physical or Virtualized Servers Industrial Zone FactoryTalk Application Servers & Services Platform Network Services e.g. DNS, AD, DHCP, AAA Remote Access Server (RAS) Call Manager Storage Array Stratix 5900 3) OEM Integration Levels 0-2 Cell/Area Zones Remote Site #1 Local Cell/Area Zone #1 Local OEM Skid / Machine #1

46 Traditional Firewalls Cisco IOS Classic Firewall stateful inspection (formerly known as Context- Based Access Control, or CBAC) employed an interface-based configuration model, in which a stateful inspection policy was applied to an interface. All traffic passing through that interface received the same inspection policy

47 Zone Based Firewall (ZBF) Zone-Based Policy Firewall (also known as Zone-Policy Firewall) changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model Interfaces are assigned to security zones, and inspection policy is applied to traffic moving between the zones.

48 Zone Based Firewall terminology Security Zone A Security zone is a group of interfaces to which a policy can be applied. For example a Control security zone and an Information security zone. By default, traffic flows freely between interfaces in the same zone. Zone Pairs Specifies a uni-directional firewall policy between two zones. Zone pairs define the communications between different zones. Zone Policy A zone policy defines what we allow or deny to go between zones. For actions in the policy-maps the selections are Drop, Pass and Inspect.

50 Demo Stratix 5900 Zone Based Firewall The overarching goal of this demo is to create two security zones within the Stratix 5900 to allow a Studio 5000 laptop within one security zone to communicate with a Logix controller within a different security zone. The two security zones will be configured as listed below Information Security Zone used for HMI s and Engineering Workstations running FTSudio 5000 Control Security Zone used for ControlLogix processor and I/O subsystems The objective is to ping the Logix controller and then to successfully connect to a Logix controller in the Control Security Zone

53 Virtual Private Network (VPN) Each remote member of your network can communicate in a secure and reliable manner using the Internet or other untrusted networks as the medium to connect to the private or trusted LAN. Data Confidentiality - Internet Protocol Security Protocol (IPsec), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP)/IPsec Data Integrity - Check whether the encrypted portion of the packet, or the entire header and data portion of the packet, has not been tampered with. If tampering is detected, the packet is dropped. Data Origin Authentication (2 nd tier consideration) - It is extremely important to verify the identity of the source of the data that is sent. Anti Replay - This is the ability to detect and reject replayed packets and helps prevent spoofing. Data Tunneling/Traffic Flow Confidentiality - Tunneling is the process of encapsulating an entire packet within another packet and sending it over a network. Authentication, Authorization, Accounting (AAA) Nonrepudiation ( 2 nd tier consideration ) You can pick and choose the VPN Protocols and technologies to support the requirements listed above

54 Demo Site-to-Site VPN connection One site is already configured Let s setup the other site using Stratix Configurator Site-to-Site VPN 172.16.0.0 network 172.16.0.250 Gi Gi 172.16.0.251 192.168.2.0 network 192.168.1.0 network IACS device

Network Security Framework Stratix 5900 - Cell Firewall and Site-to-Site VPN Allows the system to be securely distributed between a Central Site and smaller sites. DMZ Enterprise ASA 5515- X Industrial Zone Failover Industrial WAN Enterprise Stratix 5900 Distributed Site #1 Applications: Water/ Waste Water Pipelines Oil and Gas The Stratix 5900 firewall are restricts/ filters traffic to and from the Cell/ Area Zones Stratix 5900 offers: Network Address Translation Basic stateful inspection of all traffic Both routed and Transparent Firewalls Netflow Syslog HMI Server Stratix 5900 Catalyst 2960 Stratix 5700 Catalyst 3750-X Stratix 5900 HMI Server Engineering Workstation Line Controller Central Site ASA 5500-X Catalyst 2960 DMZ Catalyst 3750-X Stratix 5700 Central Site Controller Untrusted Network Stratix 5900 Stratix 5900 Distributed Site #2 Distributed Site #3 Machine #1 Machine #2

56 Agenda Connected Enterprise: Value, Risks and Threats Trends, Defense-in-Depth, Architectural Security Framework Physical security (restrict access) Device hardening (hardware and electronically) Network Security (Stratix security features, Firewall, VPN) Secure Remote Access References

57 Remote access Spectrum Control - WebPort Webport Connects Manage and connect to Webports from 1 central location Deployed on Microsoft s Azure Cloud Computing Platform Secure VPN technology (cloud based Windows Azure) Log and aggregate data multiple webports into a SQL database Create reports from data logs; custom dashboards to visualize data Web API allowing data to be shared Remote Connectivity Evolved Features Webport Ethernet or 3G Connectivity Linux Operating System SQL Database Micro SD for extended data storage (soon) 4 port LAN switch 2 Serial Ports (RS-232/RS485) Simplified User Interface Easy to use intuitive user interface Icon based interface Scrolling display for immediate updates Context Sensitive Interactive Help Ethernet 3G Cellular

59 Remote access ewon Industrial VPN Router Talk2M Talk2M cloud services Connect and get live with any devices across Internet Unlimited in time free service + ewon industrial VPN router DIN rail mounting, 24 VDC Easy VPN tunneling (secure and encrypted) through customer s LAN LAN and serial ports to connect equipments (PLC, HMI, ) Optional modem (2G/3G) Firewall friendly Mobile Web Access SMS & E-Mail relay

Putting it Together Secure Remote Access Good, Better, Best Scenario/Recognizing an Issue An employee, or 3 rd party, needs access to the control system from a network outside the production zone to assist in troubleshooting and maintenance Risk/Threat Good Solution Stratix 5900 Better Solution Good solution + expanded technical enforcement of the security perimeter-using FactoryTalk Security Unauthorized remote access Worms and viruses Theft Sabotage Best Solution Better solution + expanded technical enforcement of the security perimerter-though the implementation of Remote Access Gateways with in an Industrial DMZ $$$ Unplanned Downtime Quality Issues-Brand Image Copyright 2012 Rockwell Automation, Inc. All rights reserved. 60

What is Industrial Security? Reduce risks Improve ability to be free from danger, injury or loss The use of proven technologies, policies & procedures to Enhance protection Protect & limit RISK = Vulnerability Threat Consequence x Frequency Protect of People, Property & Proprietary Information from unintended or malicious actions taken against it

63 Additional Defense-in-Depth Security Values Tamper Prevention and Detection - How can I know that my control system s configuration hasn t been changed? How can I make sure the controller can only be accessed through a secure connection path? I m worried about changes to the control system that may affect its productivity and safety of those who work on it. Firmware Digital Signatures Controller Change Detection and Logging (store on SD or FT AssetCentre) High Integrity AOI s Trusted slot for Communications (+ optional link to serial number) Disable unused USB ports IP protection - How do I prevent people from seeing what s inside and exactly how it operates? I ve designed a very innovative industrial control process or machine. I am concerned my competitors will try to reverse engineer and counterfeit it. Logix Source Code Protection Application access control - How can I limit who can do what from where? I have different users and different areas in my plant. Not everyone should be able to do everything. Data Access Control FactoryTalk Security

64 Putting it Together Unintended Action Protection Good, Better, Best Scenario/Recognizing an Issue Contractor connecting to plant network to make change or integrate new line- causes downtime by introducing virus or unintentional configuration changes Good Solution Detect unauthorized changes with change detection audit value Use managed switches to segment the architecture with VLANs Scan contractor devices Better Solution Good solution + Enforce VLAN access with Access Control Lists Best Solution Better solution + limit access with FactoryTalk Security with Security Authority Binding enabled Risk/Threat Unauthorized actions by employees Unintended employee actions Lost $$$ Damage to product or assets

65 Agenda Connected Enterprise: Value, Risks and Threats Trends, Defense-in-Depth, Architectural Security Framework Physical security (restrict access) Device hardening (hardware and electronically) Network Security (Stratix security features, Firewall, VPN) Secure Remote Access References

66 Rockwell Automation: Industrial Security Resources Security-enhanced Products and Technologies Rockwell Automation product and technologies with security capabilities that help increase overall control system system-level security. http://www.rockwellautomation.com/security EtherNet/IP Plantwide Reference Architectures Control system validated designs and security best-practices that complement recommended layered security/defense-in-depth measures. http://www.ab.com/networks/architectures.html Network & Security Services (NSS) RA consulting specialists that conduct security risk assessments and make recommendations for how to avert risk and mitigate vulnerabilities. http://www.rockwellautomation.com/services/security

Security Launch & Landing Pad http://rockwellautomation.com/security Assessment Services Security Technology Security FAQ Security Services Leadership & Standards Security Resources Security Advisory Index MS Patch Qualification Reference Architectures Assessment Services secure@ra.rockwell.com Pretty Good Privacy (PGP) Public Key

68 Security Advisory Index Vulnerabilities, Advisories and Disclosures We expect them. We plan for them. We work to avoid them. We support our customers. https://rockwellautomation.custhelp.com/app/utils/create_account

69 Additional Material Cisco and Rockwell Automation Alliance Websites Reference Architectures Design Guides Converged Plant-wide Ethernet (CPwE) CPwE Resilient Ethernet Protocol (REP) Application Guides Fiber Optic Infrastructure Application Guide Wireless Design Considerations for Industrial Applications Whitepapers Top 10 Recommendations for Plant-wide EtherNet/IP Deployments Securing Manufacturing Computer and Controller Assets Production Software within Manufacturing Reference Architectures Achieving Secure Remote Access to plant-floor Applications and Data Design Considerations for Securing Industrial Automation and Control System Networks

Network & Security Services ASSESS Assess the current state of the security program, design, policy Assess the current state of the network design, implementation DESIGN/PLAN Design and plan a network infrastructure Design and plan security program, policy, infrastructure, business continuity plan IMPLEMENT Installation and configuration of a network Implementation of a security program, infrastructure design, policy training AUDIT Audit current architecture compared to governing body (ODVA, CNI, IEEE, TIA/EIA) Audit security program compared to governing body (NERC CIP, ISA SP-99, NIST 800-53, NIST 800-82 MANAGE/MONITOR Manage, maintain and monitor uptime and issues on the network Managed Security Services (Incident response, disaster recovery, monitoring) Copyright 2012 Rockwell Automation, Inc. All rights reserved. 70

71 Additional Material The Industrial IP Advantage A new go-to resource for educational, technical and thought leadership information about industrial communications (including industrial security!) Standard Internet Protocol (IP) for Industrial Applications Coalition of like-minded companies www.industrial-ip.org

Thank you for participating! We want your feedback! Please complete the session survey! Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. www.rockwellautomation.com Rev 5058-CO900B Copyright 2012 Rockwell Automation, 76 Inc. All rights reserved.