1

ICS Security from the Plant Floor Up

A Controls Engineers Approach to Securing Plant Floor Networks

Jeffrey Smith

2

Less than a minute of blather about

Jeffrey Smith

3

Nothing. Zero. Nada. Zip.

How much do I want to spend?

4

ICS Security

1. Assess our current posture

2. Define key objectives for which to develop a solution to improve that posture.

5

Key Objective #1

Protect the manufacturing controls networks (EtherNet/IP fieldbus) from the

enterprise networks (untrusted networks)

and they from us.

6

Key Objective #1

Isolate the Controls Fieldbus from the Enterprise network through two different Firewalls, one managed by IT, one by Controls.

EtherNet/IP Fieldbus

IT Firewall

Zenwall-5Controls FirewallIndustrial Protocol DPI

IT SPACE

CONTROLS

Key Objective #2

Secure and Safe Remote Support Capability from inside and outside the company

7

8

Key Objective #3

Control and track supplier access to Manufacturing Control Systems when onsite in one of our facilities

9

Supplier Support Login

10

Key Objective #4

Protect manufacturing systems from malware attack by removing PC(s) from or isolating them on the controls network.

Whitelist where applicable.

11

Say NO to PCs on your Fieldbus

Friends don’t let friends put PC(s) on Controls Networks

Computer

12

Move the PCs to the EnterpriseENTERPRISE NETWORK

13

Line Topology

14

Station Topology

PanelView PlusCompactLogix L3x ERM

Kinetix 6500 Servos

EtherNet/IP – Device Level Ring (DLR)

PowerFLEX 755 VFD

OP90

E-TAP

Torque Tool

HMS Gateway

OptionalE-TAP173x AENT

Numatics G3

EtherNet/IP Ring Link

OP100 OP80

UPLINK #2TO MACH 102

STATION DEVICE LEVEL RING (DLR) TOPOLOGY

EtherNet/IP Ring Link

15

PC at the Edge…If you must.

16

17

“Deep thoughts” by Jeff Smith

18

10 Ton Security Model

DMZ!

ACL!

DPI

19

Assessment is Critical

We don’t build rockets…you might.

20

Ethernet based Fieldbus

Is still young, it has long way to grow and it’s a long way from mature when

compared to it’s IT counterpart.

21

Can we move to Ethernet?

•Many companies, small to large, are just looking at making a move to an Ethernet based fieldbus.

•What’s the value proposition of Ethernet if we are pushing a huge security posture on them at the same time?

22

Controls Engineers

•Many don’t have experience with Ethernet based controls networks.

•Companies are tight with training dollars, more are forcing their support staff to learn via OJT even though technology growth is raging.

23

Migrating the “Ethernetly” Challenged

Are you helping? What does your “Convert Legacy Fieldbus X to an

Ethernet fieldbus” Engineering Plan look like?

24

Shore up the foundation

Perhaps for those who have taken a “swag” at Ethernet based fieldbus, the

correct approach to TLC is to help them “fix” their strategy for Control System Ethernet and then help them

secure it.

TLC = Total Landed Cost

25

Air Gapped?

Is there *REALLY* such a thing?

26

Pssst! We can do Controls Stuff…

When talking about security, let’s capitalize on our seemingly forgotten skillset of hardwired safety/security.

Might not be a singular product purchased from a shelf, but it is value

controls can bring to the table.

It’s our cockpit door.

27

If we had a little money left…

“Replace all unmanaged switches with managed switches.”

28

How to get started?

Do something, a little today, and more tomorrow.

Eat the elephant one bite at a time.

29

Not enough people talking about Detection and Fast Recovery.

If we agree we will never stop every attack, shouldn’t we spend time on detection and

recovery?

Detection and Recovery

30

This year, the first production vehicle will be released that uses Ethernet instead of CAN as it’s primary vehicle communications network.

Nervous? I am.

Ethernet in Automobiles

31

Forensic Diagnostics

Diagnostics

32

What do I look for?

ICS Security Appliance

33

Controls Security Appliance

•Fast, Low Latency Deep Packet Inspection of Industrial Protocols

•Ability to easily configure and manage firewall rules without needing a degree in “firewall”

•Horsepower to spare, with the ability to lay in changes without interrupting performance.

34

ICS Security Appliances

•Can’t require an IT person at 2:00am when the line is down.

•Best way to introduce yourself and your new wiz-bang security “stuff” to the plant manager is to take the line down OR prevent the 2:00am support staff from bringing it back up.

35

ICS Security Appliances

You won’t forget him and he won’t forget you or your security #%^!&%#*%.

And you thought CapEx funding of security initiatives was challenging before.…

36

ICS Security Appliances

•Must have easily replicatable configurations

•Must be scalable from small to large

•Must have reasonable pricing models to accompany their scalability

37

Security = Risk Mitigation

I’m often asked “How much security is enough?”

“Whatever you need to mitigate the risk you can’t live with.”

38

I can make up answers to any…

Questions?