NW04 - Secure Network Architectures for The Connected Enterprise

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED PUBLIC INFORMATION Secure Network Architectures for The Connected Enterprise

Transcript of NW04 - Secure Network Architectures for The Connected Enterprise

Page 1: NW04 - Secure Network Architectures for The Connected Enterprise


Secure Network Architectures for The Connected Enterprise

Page 2: NW04 - Secure Network Architectures for The Connected Enterprise

Agenda

- Key Takeaways – Design Considerations
- Demonstration – Architectural Security Framework
- Lecture – Trends, Defense-in-Depth
- Additional Information
- Lecture – Demonstration Scenario

Page 3: NW04 - Secure Network Architectures for The Connected Enterprise

What We Will Demonstrate

- Device hardening
  - Physical
  - Procedural
  - Electronic
- Port Security
  - Physical
  - Electronic
- Segmentation
  - Smaller Domains of Trust
- Network Infrastructure Hardening
  - Cryptographic Images
  - Access Control Lists (ACLs)
  - Resiliency
- Zone-based Policy Firewall (ZFW)
  - Firewall Policies
  - Encrypted Communications

Incremental additions of products, technology and methodology to help you secure your Industrial Automation and Control System (IACS) application

Page 4: NW04 - Secure Network Architectures for The Connected Enterprise

What We Will Demonstrate

Software Tools

- RSLinx® Classic
- Studio 5000®
- Stratix™ Device Manager
- Stratix Command-line Interface
- Stratix Configurator
- Wireshark
- Netflow

Page 5: NW04 - Secure Network Architectures for The Connected Enterprise

Why Is This Important? – Control and Information Convergence

[Figure: a scalable, robust, secure and future-ready infrastructure drawn as converging layers – Application, Software, Network – under the heading Internet of Things, Internet of Everything]

Page 6: NW04 - Secure Network Architectures for The Connected Enterprise

Why Is This Important? – Industrial Automation and Control System Convergence

[Figure: a Flat and Open IACS Network Infrastructure contrasted with a Structured and Hardened IACS Network Infrastructure]

Page 7: NW04 - Secure Network Architectures for The Connected Enterprise

Industrial Security Trends – Security Quips

- "Good enough" security now, is better than "perfect" security ... never (Tom West, Data General)
- Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done (Dave Piscitello)
- Your absolute security is only as strong as your weakest link
- Concentrate on known, probable threats
- Security is not a static end state, it is an interactive process
- You only get to pick two of the three: fast, secure, cheap (Brett Eldridge)

Page 8: NW04 - Secure Network Architectures for The Connected Enterprise

Industrial Security Trends – Established Industrial Security Standards

- International Society of Automation: ISA/IEC-62443 (Formerly ISA99), Industrial Automation and Control Systems (IACS) Security
  - Defense-in-Depth
  - IDMZ Deployment
- National Institute of Standards and Technology: NIST 800-82, Industrial Control System (ICS) Security
  - Defense-in-Depth
  - IDMZ Deployment
- Department of Homeland Security / Idaho National Lab: DHS INL/EXT-06-11478, Control Systems Cyber Security: Defense-in-Depth Strategies
  - Defense-in-Depth
  - IDMZ Deployment

Page 9: NW04 - Secure Network Architectures for The Connected Enterprise

Security – Holistic Defense-in-Depth – EtherNet/IP™ Industrial Automation and Control System Network

- Open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks
- Secured by configuration:
  - Help Protect the network - Electronic Security Perimeter
  - Defend the edge - Industrial DMZ (IDMZ)
  - Defense-in-Depth - Multiple layers of security

Page 10: NW04 - Secure Network Architectures for The Connected Enterprise

Security – Holistic Defense-in-Depth – Multiple Layers to Help Protect and Defend the Edge

No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications. Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats. This approach uses multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats.

Page 11: NW04 - Secure Network Architectures for The Connected Enterprise

Security – Holistic Defense-in-Depth – Industrial Security Policies Drive Technical Controls

- Physical – limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling, and control room; locks, gates, key cards, biometrics. This may also include policies, procedures and technology to escort and track visitors
- Network – security framework – for example, firewall policies, access control list (ACL) policies for switches and routers, AAA, intrusion detection and prevention systems (IDS/IPS)
- Computer Hardening – patch management, Anti-X software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports
- Application – authentication, authorization, and accounting (AAA) software
- Device Hardening – change management, communication encryption, and restrictive access

Page 12: NW04 - Secure Network Architectures for The Connected Enterprise

Networking Design Considerations – CPwE Reference Architectures

Education, design considerations and guidance to help reduce network Latency and Jitter, to help increase the Availability, Integrity and Confidentiality of data, and to help design and deploy a Scalable, Robust, Secure and Future-Ready EtherNet/IP™ network infrastructure:

- Single Industrial Network Technology
- Robust Physical Layer
- Segmentation / Structure (modular and scalable building blocks)
- Prioritization - Quality of Service (QoS)
- Redundant Path Topologies with Resiliency Protocols
- Time Synchronization – PTP, CIP Sync, Integrated Motion on the EtherNet/IP network
- Multicast Management
- Convergence-ready Solutions
- Security – Holistic Defense-in-Depth
- Scalable Secure Remote Access
- Wireless – 802.11

Page 13: NW04 - Secure Network Architectures for The Connected Enterprise

Security – Holistic Defense-in-Depth – CPwE Reference Architectures

[Figure: CPwE reference architecture. Enterprise Zone (Levels 4–5): Enterprise WAN, Internet behind an External DMZ/Firewall, Catalyst 6500/4500, and Physical or Virtualized Servers (Patch Management, AV Server, Application Mirror, Remote Desktop Gateway Server). Industrial Demilitarized Zone (IDMZ): Cisco ASA 5500 Firewall (Active) and Firewall (Standby). Industrial Zone (Levels 0–3): Level 3 – Site Operations with Catalyst 3750X StackWise Switch Stack, UCS, RADIUS AAA Server (Authentication, Authorization and Accounting) and 5500 Wireless LAN Controller (WLC) Active/Standby; Level 2 – Area Supervisory Control with FactoryTalk® Client; Level 1 – Controller; Level 0 – Process with Drive, Soft Starter, MCC and I/O; LWAP with 2.4 GHz and 5 GHz SSIDs and a WGB serving I/O.]

Page 14: NW04 - Secure Network Architectures for The Connected Enterprise

Demonstration Scenario – Defense-in-Depth Security

Page 15: NW04 - Secure Network Architectures for The Connected Enterprise

Demonstration Scenario – Defense-in-Depth Security

To simplify design and speed deployment of the demonstration:

- All EtherNet/IP™ devices and the laptop were configured for dynamic IP addressing
- DHCP per port on the Stratix 5700™/8000™ was used to dynamically assign IP addresses

Page 16: NW04 - Secure Network Architectures for The Connected Enterprise

Demonstration Scenario – Layer 2 Segmentation Via VLANs

EtherNet/IP™ Layer 3 Networking Capabilities

[Figure: the demonstration topology, drawn twice on the slide as a Layer 3 view and a Layer 2 view. A Stratix 8300™ provides Layer 3 routing; Stratix 5700™ and Stratix 8000™ switches form a Layer 2 Ring. Attached devices: Engineering Workstation, OWS, CompactLogix™ 5370 L3, 1732E Slim ArmorBlock® I/O, 1734 Point I/O, ControlLogix® 1756-EN2T. The figure lists Machine #1 (OEM #1) with VLAN 20, IP Subnet 10.20.20.0/24 and VLAN 10, IP Subnet 10.10.10.0/24; Machine #2 (OEM #2) with VLAN 30, IP Subnet 192.168.30.0/24 and VLAN 5, IP Subnet 192.168.1.0/24; and Plant-wide IACS with VLAN 40, IP Subnet 172.16.40.0/24.]

Page 17: NW04 - Secure Network Architectures for The Connected Enterprise

Demonstration Scenario – Defense-in-Depth Security

Page 18: NW04 - Secure Network Architectures for The Connected Enterprise

Architectural Security Framework – Device Hardening

Physical procedure:

- Restrict Industrial Automation and Control System (IACS) access to authorized personnel only
- Control panels, devices, cabling, and control room
- Locks, gates, key cards
- Video Surveillance
- Other Authentication Devices (biometric, keypad, and so forth)
- Switch the Logix Controller key to "RUN"

Electronic design:

- Logix Controller Source Protection
- Logix Controller Data Access Control
- Trusted Slot Designation

Page 19: NW04 - Secure Network Architectures for The Connected Enterprise

Architectural Security Framework – Network Infrastructure Access Control and Hardening

- Cryptographic Image
  - HTTPS (HTTP Secure)
  - Secure Shell (SSH)
  - SNMPv3
- Restrict Access
  - Port Security – Dynamic learning of MAC addresses
  - ACL (Access Control List) Local
  - Authentication through AAA Server
- Resiliency
  - Layer 2 Loop Prevention
  - Quality of Service (QoS)
  - Minimize Impact of DDoS Attacks
- Disable Unnecessary Services
  - MOP (Maintenance Operations Protocol)
  - IP redirects
  - Proxy ARP
- Attack Prevention
  - DHCP Snooping – Rogue DHCP Server Protection
  - DHCP Starvation Protection
  - Dynamic ARP Inspection – ARP Spoofing, man-in-the-middle attack
  - Storm Control Thresholds – Denial-of-service (DoS) attack
- Disable HTTP Server
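The checklist on this slide is only useful if it is verified on the running configuration. The following is an added example (not Rockwell Automation or Cisco code) that audits an IOS-style switch configuration for the items listed here: HTTPS on, HTTP server off, SSH version 2, an SNMPv3 group with privacy and no SNMPv1/v2c community strings, DHCP snooping and Dynamic ARP Inspection enabled, port security and storm control on every access port, and MOP, IP redirects and proxy ARP disabled. The command names are standard Cisco IOS syntax; the configuration text, interface names, VLAN numbers and addresses are constructed for this example and describe no real switch.

```python
"""Audit an IOS-style switch configuration against the slide's hardening list.
Added example, not Rockwell Automation or Cisco code; the config text is constructed."""
import re
from typing import Dict, List

# Constructed running-config fragment: Gi1/1 is fully hardened, Gi1/2 lacks
# port security and storm control, Vlan30 lacks the SVI items, Gi1/24 is a trunk.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip arp inspection vlan 10,20,30
no ip http server
ip http secure-server
ip ssh version 2
snmp-server group IACS-RO v3 priv
!
interface GigabitEthernet1/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 storm-control broadcast level 1.00
 no mop enabled
!
interface GigabitEthernet1/2
 switchport mode access
 no mop enabled
!
interface GigabitEthernet1/24
 switchport mode trunk
 ip dhcp snooping trust
!
interface Vlan20
 ip address 10.20.20.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Vlan30
!
"""

# Global commands the checklist expects (anchored regexes, one per item).
GLOBAL_CHECKS = {
    "dhcp_snooping": r"^ip dhcp snooping$",
    "dynamic_arp_inspection": r"^ip arp inspection vlan \S+$",
    "http_server_disabled": r"^no ip http server$",
    "https_enabled": r"^ip http secure-server$",
    "ssh_v2": r"^ip ssh version 2$",
    "snmpv3_priv_group": r"^snmp-server group \S+ v3 priv$",
}
# Per-interface items as (regex, label), for access ports and for SVIs.
ACCESS_PORT_CHECKS = [(r"^switchport port-security$", "port-security"),
                      (r"^storm-control broadcast level ", "storm-control"),
                      (r"^no mop enabled$", "mop-disabled")]
SVI_CHECKS = [(r"^no ip redirects$", "ip-redirects"),
              (r"^no ip proxy-arp$", "proxy-arp")]


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def audit_global(config: str) -> Dict[str, bool]:
    """True for each global hardening item that is present."""
    lines = config.splitlines()  # sub-commands keep their leading space, so ^ excludes them
    result = {name: any(re.match(p, l) for l in lines)
              for name, p in GLOBAL_CHECKS.items()}
    # An SNMPv1/v2c community string would undermine SNMPv3; require none.
    result["no_snmp_community"] = not any(
        l.startswith("snmp-server community") for l in lines)
    return result


def audit_interfaces(config: str) -> Dict[str, List[str]]:
    """{interface: [missing labels]} for access ports and VLAN interfaces."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" in cmds:
            checks = ACCESS_PORT_CHECKS
        elif name.startswith("Vlan"):
            checks = SVI_CHECKS
        else:
            continue  # trunks and other interfaces are not covered here
        findings[name] = [label for pattern, label in checks
                          if not any(re.match(pattern, c) for c in cmds)]
    return findings


if __name__ == "__main__":
    print(audit_global(SAMPLE_CONFIG))
    print(audit_interfaces(SAMPLE_CONFIG))
```

The audit is deliberately literal: it looks for the exact command lines, so a port that has `switchport port-security maximum 1` but not `switchport port-security` itself is still reported, which matches how IOS treats the feature (the maximum alone does not enable it). Running it over a collection of `show running-config` exports is a cheap way to find the one switch in a Cell/Area Zone that was never brought up to the baseline.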

Page 20: NW04 - Secure Network Architectures for The Connected Enterprise

Architectural Security Framework – Network Infrastructure Access Control and Hardening

Example - Stratix 8300™ Access Control Lists (ACLs)

Action   Protocol   Source   Destination and Mask     Port
Permit   ICMP       Any      10.20.20.0 0.0.0.255
Permit   TCP        Any      10.20.20.0 0.0.0.255     80 (WWW)
Permit   TCP        Any      10.20.20.0 0.0.0.255     443 (SSL)
Permit   UDP        Any      10.20.20.0 0.0.0.255     161 (SNMP)
Permit   UDP        Any      10.20.20.0 0.0.0.255     162 (SNMPTRAP)
Permit   TCP        Any      10.20.20.0 0.0.0.255     162 (SNMPTRAP)
Deny     IP         Any      Any
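The table above is an IOS extended ACL written out column by column. The following added example (not Rockwell Automation or Cisco code) encodes the slide's entries, renders them in IOS named-ACL syntax, and evaluates constructed packets against them using IOS wildcard-mask semantics and first-match processing, including the implicit deny that follows the last entry of every IOS ACL. The ACL name, the sample packets and their addresses are constructed for this example.

```python
"""Evaluate the slide's Stratix 8300 ACL against sample packets.
Added example, not Rockwell Automation or Cisco code. The entries are the
slide's; the ACL name, packets and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry, in the order of the slide's columns."""
    action: str            # "permit" or "deny"
    protocol: str          # "ip", "icmp", "tcp" or "udp"
    src: str               # "any" or "<network> <wildcard>"
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


# The ACL from the slide, top to bottom.
STRATIX_8300_ACL: List[Ace] = [
    Ace("permit", "icmp", "any", "10.20.20.0 0.0.0.255"),
    Ace("permit", "tcp", "any", "10.20.20.0 0.0.0.255", 80),
    Ace("permit", "tcp", "any", "10.20.20.0 0.0.0.255", 443),
    Ace("permit", "udp", "any", "10.20.20.0 0.0.0.255", 161),
    Ace("permit", "udp", "any", "10.20.20.0 0.0.0.255", 162),
    Ace("permit", "tcp", "any", "10.20.20.0 0.0.0.255", 162),
    Ace("deny", "ip", "any", "any"),
]


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care'."""
    if spec == "any":
        return True
    network, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == \
        (int(ipaddress.IPv4Address(network)) & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """'ip' matches every protocol; a port is compared only when the ACE names one."""
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not (wildcard_match(pkt.src_ip, ace.src) and wildcard_match(pkt.dst_ip, ace.dst)):
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dst_port


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """The first matching entry decides; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def to_ios(acl: List[Ace], name: str) -> List[str]:
    """Render the entries as an IOS named extended ACL."""
    lines = [f"ip access-list extended {name}"]
    for ace in acl:
        port = f" eq {ace.dst_port}" if ace.dst_port is not None else ""
        lines.append(f" {ace.action} {ace.protocol} {ace.src} {ace.dst}{port}")
    return lines


if __name__ == "__main__":
    print("\n".join(to_ios(STRATIX_8300_ACL, "MACHINE1-MGMT")))  # constructed name
    samples = [  # constructed packets
        Packet("tcp", "10.10.10.5", "10.20.20.7", 443),    # HTTPS to the subnet
        Packet("tcp", "10.10.10.5", "10.20.20.7", 44818),  # EtherNet/IP explicit messaging
        Packet("icmp", "192.168.1.9", "10.20.21.1"),       # ping outside the subnet
    ]
    for p in samples:
        print(evaluate(STRATIX_8300_ACL, p), p)
```

Two things the evaluator makes visible that the table does not: the wildcard `0.0.0.255` covers exactly 10.20.20.0/24 and nothing adjacent, and, as listed, the ACL permits only ICMP, HTTP, HTTPS and SNMP toward that subnet. Anything else, including EtherNet/IP on TCP 44818, falls through to the implicit deny, so where this ACL is applied decides whether CIP traffic is affected.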

Page 21: NW04 - Secure Network Architectures for The Connected Enterprise

Architectural Security Framework – Port Security

- Keyed solutions for copper and fiber
- Lock-in, Blockout products secure connections
- Data Access Port (keyed cable and jack)

Page 22: NW04 - Secure Network Architectures for The Connected Enterprise

Architectural Security Framework – Physical Port Security - Keyed Connectors

Page 23: NW04 - Secure Network Architectures for The Connected Enterprise

Architectural Security Framework – Stratix 5900™ Services Router

[Figure: Enterprise Zone, Levels 4 & 5 – Data Center, with Enterprise-wide Business Systems and Physical or Virtualized Servers (FactoryTalk® Application Servers and Services Platform; Network Services – for example, DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; Storage Array). IDMZ - Level 3.5. Industrial Zone, Levels 0–3: Site Operations - Level 3 with Plant-wide / Site-wide Operation Systems; Cell/Area Zone - Levels 0-2 with a Ring Topology - Resilient Ethernet Protocol (REP), Local Skid / Machine #1 and Local Skid / Machine #2. A Site-to-Site Connection links Remote Site #1 Skid / Machine.]

Page 24: NW04 - Secure Network Architectures for The Connected Enterprise

Architectural Security Framework – Zone-based Firewall (ZFW) – Policy Enforcement (Example)

[Figure: ZFW policy matrix between the Industrial Zone and a Skid / Machine zone. Traffic classes shown: CIP Class 1, CIP Class 3, icmp - ping, Http, SNMP Sweep and Ping Sweep; the permit/deny marking for each direction is not recoverable from the transcript.]

Page 25: NW04 - Secure Network Architectures for The Connected Enterprise

Architectural Security Framework – Network Device Resiliency

Distribution switches typically provide first hop (default gateway) redundancy:

- StackWise (3750X), stack management
- Hot Standby Router Protocol (HSRP)
- Virtual Router Redundancy Protocol (VRRP)
- Gateway Load Balancing Protocol (GLBP)

[Figure: a Catalyst 3750x Switch Stack alongside a pair of Catalyst 3560 switches in HSRP Active / HSRP Standby roles]

Page 26: NW04 - Secure Network Architectures for The Connected Enterprise

Key Takeaways

- Align with Industrial Automation and Control System Security Standards
- Implement a Holistic Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks
- Establish an open dialog between Industrial Automation and IT groups
- Establish an Industrial security policy, unique from and in addition to the Enterprise security policy
- Establish an IDMZ between the Industrial and Enterprise Zones
- Work with trusted partners knowledgeable in automation and security

"Good enough" security now, is better than "perfect" security ... never (Tom West, Data General)

Page 27: NW04 - Secure Network Architectures for The Connected Enterprise

Additional Material

Website: http://www.odva.org/

Securing EtherNet/IP™ Networks: http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00269R0_ODVA_Securing_EtherNetIP_Networks.pdf

Page 28: NW04 - Secure Network Architectures for The Connected Enterprise

Additional Material

http://rockwellautomation.com/security

[Figure: navigation tiles of the Rockwell Automation security site – Assessment Services, Security Technology, Security FAQ, Security Resources, Reference Architectures, Security Services, Leadership and Standards, MS Patch Qualification, Security Advisory Index]

Page 29: NW04 - Secure Network Architectures for The Connected Enterprise

Additional Material – CPwE Reference Architectures

- Websites
  - Reference Architectures
- Design Guides
  - Converged Plantwide Ethernet (CPwE)
  - Deploying the Resilient Ethernet Protocol (REP) in a Converged Plantwide Ethernet Architecture
  - Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture
- Application Guides
  - Fiber-optic Infrastructure Application Guide
- Whitepapers
  - Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
  - Securing Manufacturing Computer and Controller Assets
  - Achieving Secure Remote Access to plant-floor Applications and Data
  - Design Considerations for Securing Industrial Automation and Control System Networks

Page 30: NW04 - Secure Network Architectures for The Connected Enterprise

Additional Material – Training and Certifications

- Cisco® Industrial Networking Specialist Training and Certification
  - E-learning modules (pre-learning courses)
    - Control Systems Fundamentals for Industrial Networking (ICINS)
    - Networking Fundamentals for Industrial Control Systems (INICS)
  - Classroom training
    - Managing Industrial Networks with Cisco Networking Technologies (IMINS)
  - Exam
    - 600–601 IMINS
- CCNA for Industrial Applications - Training and Certification
  - Training - TBD
  - Exam - TBD
- Industrial IP Advantage
  - E-learning modules
    - CPwE Design Considerations and Best Practices

Page 31: NW04 - Secure Network Architectures for The Connected Enterprise

Industrial IP Advantage

- A 'go-to' resource for educational information about industrial network communication and using standard Internet Protocol (IP) for industrial applications
- Community of like-minded companies – Cisco®, Panduit®, and Rockwell Automation®
- Receive monthly e-newsletters with articles and videos on the latest trends

Network Design eLearning course available for TechEd Attendee promotional price! Sign up today at www.industrial-ip.org

Page 32: NW04 - Secure Network Architectures for The Connected Enterprise

Additional Material – Training and Certifications

http://www.cisco.com/web/learning/training-index.html

- ICND1
- ICND2

Page 33: NW04 - Secure Network Architectures for The Connected Enterprise


www.rockwellautomationteched.com

Thank you!

Cisco is a trademark of Cisco Systems, Inc. Microsoft is a trademark of the Microsoft Corporation. Panduit is a trademark of the Panduit Corporation. EtherNet/IP and ODVA are trademarks of the ODVA.