Network Security Trends & Fundamentals of Securing EtherNet/IP Networks

Network Security Trends & Fundamentals of Securing EtherNet/IP Networks Presented by Rockwell Automation

Industrial Network Security Trends Security Quips "Good enough" security now, is better than "perfect" security...never. (Tom West, Data General) Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done. (Dave Piscitello) Your absolute security is only as strong as your weakest link. Concentrate on known, probable threats. Security is not a static end state, it is an interactive process. You only get to pick two: fast, secure, cheap. (Brett Eldridge.) 2

Industrial Network Security Trends Established Industrial Security Standards International Society of Automation ISO/IEC-62443 (Formerly ISA-99) Industrial Automation and Control Systems (IACS) Security Defense-in-Depth IDMZ Deployment National Institute of Standards and Technology NIST 800-82 Industrial Control System (ICS) Security Defense-in-Depth IDMZ Deployment Department of Homeland Security / Idaho National Lab DHS INL/EXT-06-11478 Control Systems Cyber Security: Defense-in-Depth Strategies Defense-in-Depth IDMZ Deployment A secure application depends on multiple layers of protection. Industrial security must be implemented as a system. 3

Industrial Network Security Trends Industrial vs. Enterprise Network Requirements Convergence of Industrial Automation Technology (IAT) with Information Technology (IT) 4

Industrial Network Security Trends Industrial vs. Enterprise Network Requirements Industrial Requirements Switches Managed and Unmanaged Layer 2 is predominant Traffic types Information, control, safety, motion, time synchronization, energy management Performance Low Latency, Low Jitter Data Prioritization QoS Layer 2 & 3 IP Addressing Static Security Industrial security policies are inconsistently deployed Open by default, must close by configuration and architecture Enterprise Requirements Switches Managed Layer 2 and Layer 3 Traffic types Voice, Video, Data Performance Low Latency, Low Jitter Data Prioritization QoS Layer 3 IP Addressing Dynamic Security Pervasive Strong policies Similarities and differences? 5

Industrial Network Security Trends Policies - Industrial vs. Enterprise Network Requirements Focus Precedence of Priorities Types of Data Traffic Access Control Implications of a Device Failure Threat Protection Upgrades Industrial (IAT) Network 24/7 operations, high OEE Availability Integrity Confidentiality Converged network of data, control, information, safety and motion Strict physical access Simple network device access Production is down ($$ s/hour or worse) Isolate threat but keep operating Scheduled during downtime Enterprise (IT) Network Protecting intellectual property and company assets Confidentiality Integrity Availability Converged network of data, voice and video Strict network authentication and access policies Work-around or wait Shut down access to detected threat Automatically pushed during uptime 6

Industrial Network Security Trends Collaboration of Partners Wireless, Security, Switching/Routing Leader in Industrial Network Infrastructure The Established #1 Industrial Ethernet Physical Layer Network Infrastructure Reduce Risk Simplify Design Speed Deployment 7

Industrial Network Security Trends IACS Networking Design Considerations Recommendations and guidance to help reduce Latency and Jitter, to help increase data Availability, Integrity and Confidentiality, and to help design and deploy a Scalable, Robust, Secure and Future-Ready EtherNet/IP IACS network infrastructure Single Industrial Network Technology Robust Physical Layer Segmentation Resiliency Protocols and Redundant Topologies Time Synchronization Prioritization - Quality of Service (QoS) Multicast Management Convergence-Ready Solutions Security - Defense-in-Depth Scalable Secure Remote Access 8

Industrial Network Security Trends EtherNet/IP Industrial Automation & Control System Network Open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks Secured by configuration: Protect the network - Electronic Security Perimeter Defend the edge - Industrial DMZ (IDMZ) Defense-in-Depth Multiple layers of security 9

Industrial Network Security Trends EtherNet/IP Industrial Automation & Control System Network Flat and Open IACS Network Infrastructure Flat and Open IACS Network InfrastructureStructured and Hardened IACS Network Infrastructure 10

Defense-in-Depth Multiple Layers to Protect the Network and Defend the Edge No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications. Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats. This approach utilizes multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats. 11

Defense-in-Depth Critical Elements to Industrial Security one-size-fits-all A balanced Industrial Security Program must address both Technical and Non-Technical Elements Non-technical controls - rules for environments: e.g. standards, policies, procedures, and risk management Technical controls technology to provide restrictive measures for non-technical controls: e.g. Firewalls, Group Policy Objects, Layer 3 access control lists (ACLs) Security is only as strong as the weakest link Vigilance and Attention to Detail are KEY to the long-term security success 12

Defense-in-Depth Balanced Industrial Security Program - Example When a Technical Control is lacking, the non-technical control will only provide so much protection Example: Policy states operators should not surf the web from an industrial automation and control system HMI; however there is no technical control in place preventing such access or behavior When a Non-Technical Control is lacking, the technical control will only provide so much protection Example: Firewalls are in place to prevent operators from surfing the web from an industrial automation and control system HMI; however there is no nontechnical control in place stating you shouldn t change the HMI s network port access to the other side of the firewall How much security is enough security? The amount of security in a system should rise to meet a corporation s level of risk tolerance. In theory, the more security that is properly designed and deployed in a system, the lower the amount of risk that should remain. 13

Defense-in-Depth Industrial Security Policies and Procedures Security policy - plan of action with procedures (non-technical): Rules for controlling human interactions in automation systems Protect IACS assets, while balancing functional and application requirements such as 24x7 operations, low Mean-Time-To- Repair (MTTR) and high Overall Equipment Effectiveness (OEE). Alignment with applicable industry standards Industrial security policy, unique from and in addition to enterprise security policy Multi-layer security approach Defensein-Depth Procedural, physical and electronic measures Identify Domains of Trust and appropriately apply security to maintain policies Risk management: Determination of acceptable risk (tolerance to risk) Assessment - current risk analysis Deployment of risk mitigation techniques Securing industrial assets requires a comprehensive network security model developed against a defined set of security policies 14

Defense-in-Depth Industrial Security Policies Drive Technical Controls Physical limit physical access to authorized personnel Cells/Areas, control panels, devices, cabling, and control room Network security framework e.g. firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS) Computer Hardening patch management, Anti-X software, removal of unused applications/ protocols/services, closing unnecessary logical ports, protecting physical ports Application authentication, authorization, and accounting (AAA) software Device Hardening change management, communication encryption, and restrictive access 15

Network Security Framework Converged Plant-wide Ethernet (CPwE) Reference Architectures Structured and Hardened IACS Network Infrastructure Industrial security policy Pervasive security, not a bolt-on component Security framework utilizing defense-indepth approach Industrial DMZ implementation Remote partner access policy, with robust & secure implementation Network Security Services Must Not Compromise Operations of the IACS Standard DMZ Design Best Practices Enterprise Zone Levels 4-5 Industrial Demilitarized Zone (IDMZ) Physical or Virtualized Servers Patch Management Remote Gateway Services Application Mirror AV Server AAA - Application Authentication Server, Active Directory (AD), AAA - Network Remote Access Server Level 3 Site Operations FactoryTalk Client Client Hardening Level 2 Area Supervisory Control Controller Hardening, Encrypted Communications VLANs, Segmenting Domains of Trust Unified Threat Management (UTM) Controller Hardening, Physical Security VLANs Controller Level 1 - Controller Catalyst 3750 StackWise Switch Stack Enterprise WAN Cisco ASA 5500 Firewall (Active) Network Status and Monitoring Catalyst 6500/4500 Controller Controllers, I/O, Drives Firewall (Standby) I/O HMI Level 0 - Process Plant Firewall: Inter-zone traffic segmentation ACLs, IPS and IDS VPN Services Portal and Terminal Server proxy Drive Network Device Resiliency Network Infrastructure Access Control and Hardening Physical Port Security MCC Soft Starter 16

Network Security Framework Controller Hardening Physical procedure: Restrict Industrial Automation and Control System (IACS) access to authorized personnel only Control panels, devices, cabling, and control room Locks, gates, key cards Video Surveillance Other Authentication Devices (biometric, keypad, etc.). Switch the Logix Controller key to RUN Electronic design: Logix Controller Source Protection Logix Controller Data Access Control Trusted Slot Designation 17

Network Security Framework Physical Port Security Keyed solutions for copper and fiber Lock-in, Blockout products secure connections Data Access Port (keyed cable and jack) 21

Network Security Framework Network Infrastructure Access Control and Hardening Cryptographic Image HTTPS (HTTP Secure) Secure Shell (SSH) SNMPv3 Restrict Access Port Security Dynamic learning of MAC addresses ACL (Access Control List) Local Authentication through AAA Server Quality of Service (QoS) Minimize Impact of DDoS Attacks Disable Unnecessary Services MOP (Maintenance Operations Protocol) IP redirects Proxy ARP Attack Prevention DHCP Snooping Rogue DHCP Server Protection DHCP Starvation Protection Dynamic ARP Inspection ARP Spoofing, man-in-the-middle attack Storm Control Thresholds Denial-of-service (DoS) attack 22

Network Security Framework VLANs, Segmenting Domains of Trust Plant-wide IACS VLAN 10 IP Subnet 192.168.1.0/24 Plant-wide IACS VLAN 10 IP Subnet 192.168.1.0/24 Plant-wide IACS Stratix 8300 Plant-wide IACS Stratix 8300 Layer 3 Ring Ring Stratix 8000 Stratix 8000 Stratix 8000 Stratix 8000 Machine #1 OEM #1 Machine #2 OEM #2 Machine #1 OEM #1 Machine #2 OEM #2 Layer 2 Layer 2 Layer 2 Flat and Open IACS Network Infrastructure Machine #1 (OEM #1) VLAN 20 IP Subnet 10.20.20.0/24 Machine #2 (OEM #2) VLAN 30 IP Subnet 172.16.30.0/24 Structured and Hardened IACS Network Infrastructure 23

Network Security Framework Plant Firewall Unified Threat Management Firewall with Application Layer Security IPS and Anti-X Defenses Access Control and Authentication SSL and IPSec Connectivity Multi-layer packet and traffic analysis Advanced application and protocol inspection services Network application controls Real-time protection from application and OS level attacks Network-based worm and virus mitigation Spyware, adware, malware detection and control On-box event correlation and proactive response Flexible user and network based access control services Stateful packet inspection Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID Threat protected SSL and IPSec VPN services Zero-touch, automatically updateable IPSec remote access Flexible clientless and full tunneling client SSL VPN services QoS/routing-enabled site-to-site VPN Intelligent Networking Services Low latency Diverse topologies Multicast support Services virtualization Network segmentation & partitioning Routing, resiliency, load-balancing Modern Firewalls (UTM s) provide a range of security services 24

Network Security Framework Unified Threat Management Stratix Services Router Enterprise-wide Business Systems Levels 4 & 5 Data Center Enterprise Zone Level 3.5 - IDMZ Plant-wide Site-wide Operation Systems Level 3 - Site Operations Physical or Virtualized Servers Industrial Zone FactoryTalk Application Servers & Services Platform Network Services e.g. DNS, AD, DHCP, AAA Remote Access Server (RAS) Call Manager Storage Array Site-to-Site Connection Stratix 5900 1) Site-to-Site Connection Stratix 5900 2) Cell/Area Zone Firewall Stratix 5900 3) OEM Integration Levels 0-2 Cell/Area Zones Remote Site #1 Local Cell/Area Zone #1 Local OEM Skid / Machine #1 25

Network Security Framework Network Device Resiliency Distribution switches typically provide first hop (default gateway) redundancy StackWise (3750X), stack management Hot Standby Router Protocol (HSRP) Virtual Router Redundancy Protocol (VRRP) Gateway Load Balancing Protocol (GLBP) Catalyst 3750x Switch Stack Catalyst 3560 HSRP HSRP Active Standby 26

Network Security Framework AAA - Network 1 Who are you? Keep the Outsiders Out 2 Where can you go? Keep the Insiders Honest 3 4 What service level do you receive? What are you doing? Personalize the IACS Application Increase Network Visibility 27

Network Security Framework AAA - Network Cisco -Identity Services Engine (ISE) Combines AAA (authentication, authorization, accounting), posture and profiler into one appliance Gathers real-time network information to allow administrators to make network access decisions Uses network access control to manage what resources users and guests are allowed to access Determines what kind of device users are using, and whether it complies with hardware and software policies Manages wired and wireless access with 802.1X 28

Network Security Framework Industrial Demilitarized Zone Level 5 Level 4 E-Mail, Intranet, etc. Enterprise Network Site Business Planning and Logistics Network Enterprise Security Zone Remote Gateway Services Application Mirror Patch Management Web Services Operations AV Server Application Server Firewall Firewall Web E-Mail CIP Industrial DMZ Level 3 Level 2 Level 1 FactoryTalk Application Server FactoryTalk Client Batch Control FactoryTalk Directory Operator Interface Discrete Control Engineering Workstation FactoryTalk Client Drive Control Remote Access Server Engineering Workstation Continuous Process Control Site Operations and Control Area Supervisory Control Operator Interface Safety Control Basic Control Industrial Security Zone Cell/Area Zone Level 0 Sensors Drives Actuators Robots Process Logical Model Industrial Automation and Control System (IACS) Converged Multi-discipline Industrial Network No Direct Traffic Flow between Enterprise and Industrial Zone 30

Scalable Network Security Framework One Size Does Not Fit All Enterprise-wide Network Enterprise-wide Network Enterprise-wide Network Enterprise-wide Network Plant-wide Network Switch with VLANs Plant-wide Network Plant-wide Network Plant-wide Network Figure 1 Not Recommended Figure 2 Recommended Depends. based on customer standards, security policies and procedures, risk tolerance, and alignment with IACS Security Standards Figure 3 Figure 4 Enterprise-wide Network Enterprise-wide Network Enterprise-wide Network Router (Zone Based FW) Firewall IDMZ Plant-wide Network Plant-wide Network Plant-wide Network Good Figure 5 Better Figure 6 Best Figure 7 31

Network Security Framework Demilitarized Zone (DMZ) Sometimes referred to a perimeter network that exposes an organizations external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network Web Proxy UNTRUSTED BROKER DMZ TRUSTED 32

Network Security Framework Industrial Demilitarized Zone (IDMZ) Sometimes referred to a perimeter network that exposes an organizations external services to an untrusted network. The purpose of the IDMZ is to add an additional layer of security to the trusted network Enterprise Security Zone Industrial DMZ Industrial Security Zone UNTRUSTED /TRUSTED BROKER TRUSTED 33

Network Security Framework Industrial Demilitarized Zone (IDMZ) All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ Only path between zones No common protocols in each logical firewall No control traffic into the IDMZ, CIP stays home No primary services are permanently housed in the IDMZ IDMZ shall not permanently house data Application data mirror to move data into and out of the Industrial Zone Limit outbound connections from the IDMZ Be prepared to turn-off access via the firewall Disconnect Point Replicated Services Disconnect Point Trusted? Untrusted? Enterprise Security Zone Industrial Security Zone Trusted IDMZ No Direct Traffic 34

Network Security Framework Industrial Demilitarized Zone (IDMZ) Set-up functional sub-zones in the IDMZ to segment access to data and services (e.g. Partner zone, Operations, IT) Trusted? Untrusted? Enterprise Zone Disconnect Point Terminal Services Patch Management AV Server Multiple Functional Subzones IDMZ No Direct Traffic Historian Mirror Web Services Operations Application Server Industrial Zone Disconnect Point Trusted 35

IACS Network Security Design and Implementation Considerations Align with Industrial Automation and Control System Security Standards DHS External Report # INL/EXT-06-11478, NIST 800-82, ISO/IEC-62443 (Formerly ISA- 99) Implement Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks Establish an open dialog between Industrial Automation and IT groups Establish an industrial security policy Establish an IDMZ between the Enterprise and Industrial Zones Work with trusted partners knowledgeable in automation & security "Good enough" security now, is better than "perfect" security...never. (Tom West, Data General) 37