Owl Technologies: Meeting the Cybersecurity Standards of ANSI/ISA-62443-3-3 With Data Diodes
Transcript of Owl Technologies: Meeting the Cybersecurity Standards of ANSI/ISA-62443-3-3 With Data Diodes
Meeting the Cybersecurity Standards of ANSI/ISA 62443 with Data Diodes
Dennis Lanahan, June 1, 2015
Securing the convergence of OT and IT with ST (Security Technology)
Introduction to Owl
• Started 16 years ago with cyber security data diode technology from US DOE Sandia National Laboratory
  – Patented and proprietary DualDiode technology
  – Provides a hardware enforced, network protocol break, one-way link (Owl)
• Over 2000 deployments globally
• Serving all branches of US DoD & Commands, US Intelligence agencies, DOE, DHS, DOS and many other governmental agencies
  – Accredited solutions for unclassified, secret, top secret and coalition partner networks
• Working with Critical Infrastructure for 9 years
  – Protecting over 200 process control sites in critical infrastructure
  – Oil & gas, nuclear, fossil and hydro power generation, T&D, petrochemical, water/wastewater, mining
• Rockwell Encompass Partner since 2013
[Graphic: US owned & operated product suite, 1200+ security solutions deployed; US owned and operated suite of cybersecurity products, 2000+ security solutions deployed]
Enabling the Connected Enterprise
• Owl DualDiode Technology is security technology
• Designed to work at the intersection of OT and IT
• Hardware based solution
• Ethernet connectivity for ease of implementation
• Rack-mounted appliance (vertical or horizontal) based on card technology
Industrial Control Cybersecurity Goals
Cybersecurity Standards
– ANSI/ISA-62443
– NERC CIP 002-009
– NIST SP800-82
– API Standard 1164
– ChemITC
– AWWA G430-09
• Owl has mapped solutions to the various standards
• Same implementation process applies
Definitions (ANSI/ISA 62443)
• Security Zone – A logical grouping of physical, informational and application assets sharing common security requirements
  – Physical or virtual
• Conduit – Communication flows that represent information exchanges between security zones
  – Single device or multiple data carriers
• Defining Security Zones – In building a security program, zones are one of the most important tools for program success, and proper definition of the zones is the most important aspect of the process.
How to Approach a Standards Based Data Diode Implementation
1. Define your security zones
2. Define workflows and data transfers within the zones
3. Define security policy
4. Define security solution to support requirements
Typical Industrial Network
[Diagram: Corporate IT Network with end users, a firewall, a DMZ and a second firewall in front of the OT Network (plant), which hosts RSLinx® Classic, FactoryTalk® Gateway and FactoryTalk® Historian]
• EXCELLENT BUSINESS CONTINUITY BETWEEN OT AND IT
• NETWORKS VULNERABLE TO CYBER THREATS
Air gap network security
[Diagram: Corporate IT Network (end users, firewall) separated by an air gap from an isolated OT Network (end users, firewall, RSLinx® Classic, FactoryTalk® Gateway, FactoryTalk® Historian)]
• NO BUSINESS CONTINUITY BETWEEN OT AND IT
• NO CONVERGENCE OF IT AND OT
• 100% NETWORK CONFIDENTIALITY
Key Decisions to Remedy Business Challenges
[Diagram: Plant Network (Industrial Control Systems: RSLinx® Classic, FactoryTalk® Gateway, FactoryTalk® Historian, end users) and Corporate Network (IT Systems, end users, FactoryTalk® Historian) joined through firewall, DMZ and firewall; in the final build a Data Diode replaces the plant-side firewall]
1. Define security zones
   – High Security Zone: prevent outside access
   – Business Security Zone: enable plant support operations
2. Define workflows and data transfers within the zones
3. Define security policy – data transfers out, no attack vectors in
4. Define security solution to support requirements – Data Diode
Features = Benefits
Well defined security zones and policies = Security standards met
Separation of network domains = Improved cyber security posture
OT Network secured = Plant Reliability
Convergence Point for OT and IT = Simplified plant operations
One-way data flows resumed = End users have access to data
Restored business continuity = Improved business operations
DualDiode Technology – Hardware based Cybersecurity Solution
DualDiode Operational Architecture
[Diagram: OT Network (Ethernet) → Source server → Source diode → one-way fiber optic cable across an air gap → Destination diode → Destination server → IT Network (Ethernet)]
• Hardware based solution
• Two diodes in series separated by an “air gap”
• One-way hardware constrained fiber optic cable
• Source circuitry TX only, Destination RX only
• Each Diode has its own CPU & solid state hard drive
• Servers run purpose specific applications
  – FactoryTalk®, OPC, file transfer, streaming video, UDP packets, etc.
DualDiode Technology – Data Diode Hardware Security Policy
• Hardware enforced one-way only data transfer
  – One-way data flow out of the secure network zone
  – No external access into the secure network zone
  – No bidirectional TCP/IP connection
  – Software attack cannot modify the hardware security policy
• Network Confidentiality
  – Network protocol break: IP -> ATM -> IP
  – Only the “payload” of data packets crosses the DualDiode
  – Data Diode remains “invisible” on the network
  – Data Diode has no IP or MAC address
  – Protects all IP and MAC addresses of the source network devices
  – No external network scanning or mapping of the secure network
Data Transfer Capabilities
• Owl support of Rockwell data flows
  – RSLinx® Classic
  – FactoryTalk® Gateway
  – FactoryTalk® Historian
• Owl support of other transfer capabilities
  – Historians
  – Databases
  – Syslog
  – Email events
  – Remote HMI screen view
  – UDP
  – Streaming video
  – Chat
  – OPC
  – Modbus
  – Others…
Possible Enterprise Wide Deployment Locations
Summary
1. Pick a standard
2. Define your security zones
3. Define workflows and data transfers within the zones
4. Define security policy
5. Define security solution to support requirements
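A small zone/conduit check that walks the steps above on a constructed model of the three slide topologies (typical firewall/DMZ design, air gap, and data diode). This is an added example, not Owl's or Rockwell's code; the zone names, trust ranks and required flows are assumptions chosen to mirror the slides.

```python
"""Zone/conduit check for the four-step approach above. Added example, not Owl's or
Rockwell's code; zone names, trust ranks and flows are constructed from the slides."""
from collections import deque

# Step 1: security zones (name -> constructed trust rank, higher = more protected)
ZONES = {"Corporate IT": 0, "DMZ": 1, "OT Plant": 2}
# Step 2: transfers the business needs, as (source zone, destination zone, workflow)
REQUIRED_FLOWS = [("OT Plant", "Corporate IT", "FactoryTalk Historian"),
                  ("OT Plant", "Corporate IT", "RSLinx Classic")]
# Conduits are (src, dst, kind): "firewall" = bidirectional TCP/IP path,
# "diode" = hardware-enforced one-way path from src to dst.
TYPICAL = [("OT Plant", "DMZ", "firewall"), ("DMZ", "Corporate IT", "firewall")]
AIR_GAP = []  # no conduit at all (slide "Air gap network security")
REMEDIED = [("OT Plant", "DMZ", "diode"), ("DMZ", "Corporate IT", "firewall")]

def directed_edges(conduits):
    """Expand conduits into the directions in which traffic can actually flow."""
    edges = set()
    for src, dst, kind in conduits:
        edges.add((src, dst))
        if kind == "firewall":  # a firewall lets sessions be opened both ways
            edges.add((dst, src))
    return edges

def attack_vectors_in(conduits, protected="OT Plant"):
    """Step 3 policy ("data transfers out, no attack vectors in"): flag any conduit
    direction that carries traffic from a lower-trust zone into the protected zone."""
    return sorted(f"{s}->{d}" for s, d in directed_edges(conduits)
                  if d == protected and ZONES[s] < ZONES[protected])

def unreachable_flows(conduits, flows=REQUIRED_FLOWS):
    """Step 2 check: every required transfer still has a forward path (BFS over edges)."""
    edges, missing = directed_edges(conduits), []
    for src, dst, name in flows:
        seen, queue = {src}, deque([src])
        while queue:
            here = queue.popleft()
            for a, b in edges:
                if a == here and b not in seen:
                    seen.add(b)
                    queue.append(b)
        if dst not in seen:
            missing.append(name)
    return missing

def evaluate(conduits):
    """Step 4: a candidate solution passes only if required flows survive and no vector remains."""
    return {"attack_vectors_in": attack_vectors_in(conduits),
            "unreachable_flows": unreachable_flows(conduits)}
```

Running evaluate() over TYPICAL reports the bidirectional DMZ-to-OT direction as an inbound vector, AIR_GAP satisfies the policy but loses both required flows, and REMEDIED passes both checks.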