Posted on 08-Apr-2018
© 2009, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 1
Cisco's recommendations for IT security in production networks
Christian Helmundt Bermann
Systems Engineer - Security
1. The threat landscape today and in the future
2. Cisco Security Intelligence Operations
3. From enterprise networks to production networks
4. Cisco's approach and recommendations for production networks
5. Wrap-up
• http://www.comon.dk/art/147746/kinesiske-hackere-har-snuppet-admin-password-paa-it-universitetet
• http://www.comon.dk/art/220735/det-hvide-hus-ramt-af-cyberangreb
• http://www.comon.dk/art/221833/stort-kinesisk-hacker-angreb-mod-coca-cola
• http://www.comon.dk/art/200056/kaempe-it-angreb-paa-el-nettet-i-europa
• Internet of everything
• Attacks are becoming more advanced
• They use minimal bandwidth
• Attackers have an easier time in a world where everything is connected to everything
Cisco SIO figures as shown on the two slides (units as given on the slides):
• Web requests: 30B
• Endpoints: 150M+
• Worldwide email traffic: 35%
• Web data received per day: 100TB
• Globally deployed devices: 750,000+
• New DNS requests for email senders: 10,000
• Unique, executable code samples: 500
• Malware and botnet blocks: 60,000
• Malmail blocks: 300,000
• Web requests: 900,000
Diagram: Cisco SIO provides visibility and control across the product lines on the slide (ESA, ASA, WSA, AnyConnect, Cloud IPS, IPS), covering Email, Web, Devices, Endpoints and Networks; information flows in, actions flow out. Figures on the slide:
• 24x7x365 operations
• 40+ languages
• 600+ engineers, technicians and researchers
• 80+ Ph.D.s, CCIE, CISSP, MSCE
• $100M+ spent in dynamic research and development
• 3 to 5 minute updates
• 5,500+ IPS signatures produced
• 200+ parameters tracked
• 70+ publications produced
“ …the trend in industrial operations is to interconnect systems, equipment, machinery and devices via networking, in order to provide real-time data and information for better decision making, control and management and, by extension, improved performance, quality and production…
Frost & Sullivan, July 2012
Source: AMR, Industry Week, Cisco Analysis
Diagram: traditional production compared with the production of the future
• Traditional production: an isolated, static environment ("Solid State")
• Production of the future: dynamic, integrated, mobile, real-time, connected equipment ("Liquid State")
Drivers shown on the slide: sensors; flexibility; IT and control systems; mobile and home working; security; integrated office and production data; real-time monitoring of devices and traffic; collaboration tools and processes; real time.
Diagram: a typical plant architecture from the Internet and the enterprise network (IP) down to the device network. Labels on the slide: Enterprise Optimization Suite; Enterprise Network (redundant); Firewall; Third-Party Application Server; Application Server; Historian Server; Connectivity Server; Workplaces; Mobile Operator; Engineering Work Place; Control Network; Control Services Network; Third-Party Controllers, Servers, etc. (Serial, OPC or Fieldbus); Device Network; Serial RS485.
Confidentiality: prevent unauthorised access to the system.
Integrity: ensure that data cannot be altered without the change being detected.
Availability: accessibility, uptime.
http://en.wikipedia.org/wiki/Information_security
• Enterprise networks are C-I-A: protecting data matters most.
• Industrial networks are A-I-C: availability and integrity matter most.
  Robust hardware
  Redundancy
  High uptime
ISA99 develops standards and is a committee that brings together industrial security experts from around the world. Its purpose is to develop and establish standards, recommended practices, technical reports and related information that define the procedures for implementing secure industrial automation, control systems and security practices.
Cisco participates actively in ISA99 with 8 members, contributing our experience from networking and infrastructure.
http://isa99.isa.org/ISA99%20Wiki/Home.aspx
Systems
A set of products and services assembled and tested to work together to address a specific issue.
Industrial switches developed with Rockwell; ISA 100 wireless developed with Honeywell.
Architecture
Strategic vision and an integrated portfolio of products, services, technology and business solutions, partnerships and routes to market.
Technology enables policy development (ISA99).
Solutions
Brings out the value that the system can add to the customer's business needs.
Cross-tested systems with Schlumberger, Emerson, Honeywell, etc.
Products
Cisco builds and sells products and services. However, the total value to the customer is realised only when Cisco moves beyond products and services.
ASA and IPS series with SCADA signatures.
Summary of the four tiers:
• Products aimed at industrial networks
• Collaboration with relevant partners
• Network design based on requirements
• Technology that is relevant to the users
Diagram: the reference architecture for a production network, Levels 5 to 0 (Purdue model), with a firewall on each side of the DMZ:
• Enterprise Zone, Levels 5 and 4: Enterprise Network; Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
• DMZ (between two firewalls): Terminal Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server, Web, E-Mail
• Manufacturing Zone, Level 3 (Site Manufacturing Operations and Control): FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller
• Cell/Area Zone, Level 2 (Area Supervisory Control): FactoryTalk Client, Operator Interface, Engineering Workstation
• Cell/Area Zone, Level 1 (Basic Control): Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
• Cell/Area Zone, Level 0 (Process): Sensors, Drives, Actuators, Robots
• CIP is the protocol label shown within the Cell/Area Zone
Diagram: the CPwE overlay security model, zone by zone:
• Cell/Area Zone (Levels 0–2, Layer 2 Access): EtherNet/IP (industrial protocols), real-time control, fast convergence, traffic segmentation and management, ease of use. Cisco industrial Layer 2 access switches connect controllers, drives, HMIs and distributed I/O in Cell/Area #1 (redundant star topology), Cell/Area #2 (ring topology) and Cell/Area #3 (linear topology).
• Manufacturing Zone (Level 3, Distribution and Core): site operations and control, multi-service networks, network and security management, routing, application and data sharing, access control, threat protection, detection. Cisco Catalyst switch stack and Catalyst switches; FactoryTalk application servers; network services.
• Demilitarized Zone (DMZ) firewalls: Cisco ASA firewalls, active and standby, with a Gbps link for failover. DMZ services: patch management, terminal services, application mirror, AV server.
• Enterprise Network (Levels 4–5): enterprise/IT integration, collaboration, wireless, application optimization; web apps, DNS, FTP; Internet.
Network security
Access control
Mobile access
Content
Cisco industrial security: information, protection and alerting
Diagram: the same reference architecture as on the earlier slide (Levels 5 to 0; Enterprise Zone, DMZ between two firewalls, Manufacturing Zone and Cell/Area Zone with CIP; the same FactoryTalk servers and clients, engineering workstations, operator interfaces, control functions, sensors, drives, actuators and robots).
• Growing concern about security in production networks and in end-to-end communication.
• Cisco's security architecture builds security into the design and provides the depth needed to secure the production network.
Diagram: the zone model again (Levels 5 to 0: Enterprise Network and Site Business Planning and Logistics Network in the Enterprise Zone; DMZ; Site Manufacturing Operations and Control in the Manufacturing Zone; Area Supervisory Control, Basic Control and Process in the Cell/Area Zone) with the Cisco security components overlaid: VPN, VDI, WSA, IPS, ASA-CX, ASA, ISE.
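The zone model on these slides can be turned into a checkable policy. The following Python script is an added example for this write-up, not code from Cisco, Rockwell or the CPwE guide: it models the zones and levels drawn above (Enterprise Zone at Levels 4–5, a DMZ between two firewalls, Manufacturing Zone at Level 3, Cell/Area Zone at Levels 0–2) and evaluates candidate flows against two rules that are assumptions of the example: no session may cross directly between the Enterprise Zone and the Manufacturing Zone (it has to terminate on a DMZ host), and the industrial control protocols (CIP / EtherNet/IP) stay inside the Cell/Area Zone or come down from Level 3. Host names and the sample flows are constructed for the example.

```python
"""Zone-policy check for a Purdue-model production network (constructed example).

Models the zones and levels shown on the slides and checks candidate flows
against the segmentation rules stated in the lead-in. Zone names, host names
and flows are assumptions made for this example, not Cisco's or Rockwell's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ENTERPRISE = "Enterprise Zone"
DMZ = "DMZ"
MANUFACTURING = "Manufacturing Zone"
CELL_AREA = "Cell/Area Zone"

# Purdue level -> zone, as drawn on the slides.
LEVEL_ZONE: Dict[int, str] = {
    5: ENTERPRISE, 4: ENTERPRISE,
    3: MANUFACTURING,
    2: CELL_AREA, 1: CELL_AREA, 0: CELL_AREA,
}

# Boundaries a flow may cross in one hop. Enterprise and Manufacturing are not
# adjacent: the DMZ sits between the two firewalls, so an enterprise-to-plant
# session has to terminate on a DMZ host (terminal services, patch mirror, ...).
BOUNDARIES: Set[Tuple[str, str]] = {
    (ENTERPRISE, DMZ), (DMZ, ENTERPRISE),
    (DMZ, MANUFACTURING), (MANUFACTURING, DMZ),
    (MANUFACTURING, CELL_AREA), (CELL_AREA, MANUFACTURING),
}

# Assumption for this example: industrial control protocols (CIP / EtherNet/IP
# on the slides) stay inside the Cell/Area Zone or come down from Level 3; they
# never cross the DMZ.
CONTROL_PROTOCOLS = {"cip", "ethernet/ip"}


@dataclass(frozen=True)
class Host:
    name: str
    level: Optional[int]  # None means the host lives in the DMZ (no Purdue level)

    @property
    def zone(self) -> str:
        return DMZ if self.level is None else LEVEL_ZONE[self.level]


@dataclass(frozen=True)
class Flow:
    src: Host
    dst: Host
    protocol: str


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("permit" | "deny", reason) for one source-to-destination flow."""
    src_zone, dst_zone = flow.src.zone, flow.dst.zone
    proto = flow.protocol.lower()
    if proto in CONTROL_PROTOCOLS:
        inside_cell = src_zone == dst_zone == CELL_AREA
        from_level3 = (src_zone, dst_zone) == (MANUFACTURING, CELL_AREA)
        if not (inside_cell or from_level3):
            return "deny", f"{proto} is confined to the Cell/Area Zone ({src_zone} -> {dst_zone})"
    if src_zone == dst_zone:
        return "permit", f"intra-zone traffic inside {src_zone}"
    if (src_zone, dst_zone) in BOUNDARIES:
        return "permit", f"{src_zone} -> {dst_zone} crosses a single firewall boundary"
    return "deny", f"{src_zone} -> {dst_zone} bypasses the DMZ; terminate the session on a DMZ host"


def audit(flows: List[Flow]) -> Dict[str, List[str]]:
    """Group a list of flows by verdict, with a one-line reason for each."""
    report: Dict[str, List[str]] = {"permit": [], "deny": []}
    for flow in flows:
        verdict, reason = evaluate(flow)
        report[verdict].append(f"{flow.src.name} -> {flow.dst.name} [{flow.protocol}]: {reason}")
    return report


# Constructed sample hosts and flows (hypothetical names, not from the slides).
OFFICE_PC = Host("office-pc", 4)
TERMINAL_SERVER = Host("dmz-terminal-services", None)
PATCH_SERVER = Host("dmz-patch-mgmt", None)
APP_SERVER = Host("factorytalk-app-server", 3)
ENG_WORKSTATION = Host("engineering-ws", 3)
HMI = Host("line1-hmi", 2)
CONTROLLER = Host("line1-controller", 1)

SAMPLE_FLOWS: List[Flow] = [
    Flow(OFFICE_PC, TERMINAL_SERVER, "rdp"),      # permit: Enterprise -> DMZ
    Flow(TERMINAL_SERVER, APP_SERVER, "https"),   # permit: DMZ -> Manufacturing
    Flow(OFFICE_PC, APP_SERVER, "https"),         # deny: skips the DMZ
    Flow(OFFICE_PC, CONTROLLER, "cip"),           # deny: control protocol from Enterprise
    Flow(ENG_WORKSTATION, CONTROLLER, "cip"),     # permit: Level 3 down into Cell/Area
    Flow(HMI, CONTROLLER, "CIP"),                 # permit: inside the Cell/Area Zone
    Flow(PATCH_SERVER, CONTROLLER, "https"),      # deny: DMZ straight into Cell/Area
]

if __name__ == "__main__":
    for verdict, lines in audit(SAMPLE_FLOWS).items():
        for line in lines:
            print(f"{verdict.upper():6} {line}")
```

Running the script lists four permitted and three denied flows. The useful part for a reviewer is the reason string: a denied flow tells you which boundary the request tried to skip, which is the conversation to have before someone opens a firewall rule from the office network straight to a controller.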
Industrial Control Signature Subscription Service for Cisco IPS
Detects, identifies, stops and reports threats in real time, before they affect the plant.
• Vendors
  Schneider, Siemens, GE
  ABB, Yokogawa, Motorola
  Emerson, Invensys
  Honeywell
  Rockwell Automation
  and the list keeps growing...
• Standards: SCADA, DCS, PLC, SIS, RTU
• Rockwell and Cisco have jointly produced a document on securing production networks.
Converged Plantwide Ethernet (CPwE) Design and Implementation Guide
http://www.cisco.com/en/US/docs/solutions/Verticals/CPwE/CPwE_DIG.html
• Comprehensive description of design, implementation and concepts
• Cisco validated design
• Attacks on networks are becoming ever more advanced.
• Production networks are increasingly being connected to enterprise networks.
• The threats to networks mean that they cannot and must not be ignored.
• Cisco contributes knowledge of network architecture.
• Collaboration across organisations is important in order to succeed:
  ISA-99
  Rockwell and Cisco
Thank you.