Hosts: Roland Plett (Cisco) & Neal Pinto (Westburne)
Guests: Jeff Brown (Westburne) & Mike Wooten (Cisco)
April 28 & 30, 2020
Week 4 – Industrial Security
Connected Mine Ecosystem
© 2019 Cisco and/or its affiliates. All rights reserved.
Welcome!
The Series…
Week 1
The Connected Mine Site
Outdoor Industrial Wireless
Presenters: Ian Procyk (Cisco), Grenn Holden (3D-P)
Tuesday, April 7th – 12:00PM EDT (9:00AM PDT)
Thursday, April 9th – 4:00PM EDT (1:00PM PDT)

Week 2
The Connected Mine Site
Mine Network Operation
Presenters: Ian Procyk (Cisco), Indy Kar (FTP Solutions)
Tuesday, April 14th – 12:00PM EDT (9:00AM PDT)
Thursday, April 16th – 4:00PM EDT (1:00PM PDT)
The Series…
Week 3
The Connected Plant for the Mining Industry
Industrial Networking
Presenters: Jeff Brown (Westburne), Kevin Turek (Cisco)
Tuesday, April 21st – 12:00PM EDT (9:00AM PDT)
Thursday, April 23rd – 4:00PM EDT (1:00PM PDT)

Week 4
The Connected Plant for the Mining Industry
Industrial Security
Presenters: Jeff Brown (Westburne), Mike Wooten (Cisco)
Tuesday, April 28th – 12:00PM EDT (9:00AM PDT)
Thursday, April 30th – 4:00PM EDT (1:00PM PDT)
Housekeeping…
WebEx Teams Room
WebEx Event Center Review
Questions & Answers
Industrial Network for a Connected Mine
Jeff Brown
Connected Solutions Manager
Design for Security
• Risk management policies and overall tolerance to risk
• Business practices
• Corporate/local standards
• Application requirements
• Applicable industry standards – e.g. NERC CIP
• Government regulations and compliance
• Alignment with industrial safety standards such as IEC 61508 – SIL3 and EN 954-1 – Cat 4
§ Enterprise and industrial safety and security policies and procedures – access control
§ Network ownership policies
§ Alignment with industrial security standards such as IEC-62443 (formerly ISA 99), NIST 800-82 and ICS-CERT
§ Network capabilities (segmentation into domains of trust)
What’s Driving This?
SAFETY!!
Source: Industrial Control Systems 2017 Report: Connected and Vulnerable, Positive Technologies
Control System Vulnerability Types 2017
Source: Industrial Control Systems 2017 Report: Connected and Vulnerable, Positive Technologies
Control System Internet Accessibility 2017
Source: Dragos - Adversaries
Real-world Threats to Industrial Systems
Security Lifecycle
Cyber Defense Matrix
Credit: Sounil Yu RSA conference 2016
Cyber Defense Matrix
Left and Right of “Boom”
Cyber Defense Matrix
Case: Define Security Design Patterns
Cyber Defense Matrix
Case: Balancing the Portfolio
Network Security Framework
Industrial Demilitarized Zone

[Diagram: logical model of a converged multi-discipline industrial network, arranged by Purdue level and security zone]
Enterprise Security Zone – Level 5: Enterprise Network; Level 4: Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
Firewall
Industrial DMZ: Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server (traffic labels shown: Web, E-Mail, CIP)
Firewall
Industrial Security Zone – Level 3, Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server
Cell/Area Zone – Level 2, Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
Cell/Area Zone – Level 1, Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
Cell/Area Zone – Level 0, Process: Sensors, Drives, Actuators, Robots

Logical Model – Industrial Control System (ICS)
Converged Multi-discipline Industrial Network
No Direct Traffic Flow between Enterprise and Industrial Zone
Islands of Automation with Isolated LANs
Segmentation

[Diagram: several isolated machine LANs, each with its own controller, HMI, I/O, instrumentation and VFD or servo drives, exchanging data only by sneakernet; contrasted with an Industrial Internet of Things (IIoT) network]
Multiple Network Interface Cards (NICs)
Segmentation

Isolated networks – two NICs for physical network segmentation
§ Benefits
  § Clear network ownership demarcation line
§ Challenges
  § Limited visibility to control network devices for asset management
  § Limited future-ready capability
  § Smaller PACs may not support

Converged networks – logical segmentation – two NICs for scalability, performance, capacity and flexibility
§ Benefits
  § Plant-wide information sharing for data collection and asset management
  § Future-ready
§ Challenges
  § Blurred network ownership demarcation line

[Diagram: two physically isolated Layer 2 networks (Control Network, Levels 0–2; Plant Network, Level 3) joined only through a dual-NIC controller, beside a converged network in which the Control Network (Levels 0–2) and Plant Network (Level 3) are segmented with VLANs 102 and 103 and routed by a Layer 3 network]
Switch Hierarchy, Virtual LANs (VLANs)
Segmentation
• Multi-Layer Switch
• Layer 2 VLAN Trunking
• Layer 3 Inter-VLAN routing

Legend:
= VLAN 42 – Scanners/Cameras
= VLAN 102 – EtherNet/IP Device
= VLAN 10 – VoIP

[Diagram: a Layer 3 switch connecting two Layer 2 networks, each built on a Stratix Layer 2 switch and carrying multiple VLANs for drives, controllers, HMIs, scanners/cameras and VoIP]
Switch Hierarchy, Virtual LANs (VLANs)
Segmentation

[Diagram, left: Large Flat LAN – a single Layer 2 ring (VLAN 10) carrying the plant-wide IACS, Machine #1 (OEM #1), Machine #2 (OEM #2) and the EWS/OWS in one larger Layer 2 broadcast domain]
[Diagram, right: Small Connected LANs – the same devices split into smaller Layer 2 broadcast domains joined at Layer 3]
Machine #1 (OEM #1): VLAN 20, IP Subnet 10.20.20.0/24; VLAN 10, IP Subnet 10.10.10.0/24
Machine #2 (OEM #2): VLAN 30, IP Subnet 192.168.30.0/24; VLAN 5, IP Subnet 192.168.1.0/24
Plant-wide IACS: VLAN 40, IP Subnet 172.16.40.0/24
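The segmentation rules on these slides (separate cell VLANs joined at Layer 3, and no direct traffic between the Enterprise and Industrial zones) as a flow-classification check. This is an added example, not code from the deck or from Cisco; the subnets for Machine #1, Machine #2 and the plant-wide IACS come from the slide, while the enterprise subnet, the sample flows and the verdict names are constructed.

```python
import ipaddress
from typing import Optional, Tuple

# Segment table. The cell and plant-wide entries are the VLANs/subnets from the
# "Small Connected LANs" slide; the enterprise subnet is a constructed placeholder.
SEGMENTS = [
    ("cell:machine1", "cell",       ipaddress.ip_network("10.20.20.0/24")),    # VLAN 20
    ("cell:machine2", "cell",       ipaddress.ip_network("192.168.30.0/24")),  # VLAN 30
    ("plant-wide",    "industrial", ipaddress.ip_network("172.16.40.0/24")),   # VLAN 40
    ("enterprise",    "enterprise", ipaddress.ip_network("10.100.0.0/16")),    # constructed
]

def locate(ip: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (segment name, zone class) for an address, or (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, zone, net in SEGMENTS:
        if addr in net:
            return name, zone
    return None, None

def evaluate_flow(src: str, dst: str) -> str:
    """Classify one src -> dst flow against the deck's segmentation rules."""
    s_name, s_zone = locate(src)
    d_name, d_zone = locate(dst)
    if s_zone is None or d_zone is None:
        return "unknown"      # not in inventory: you can't secure what you can't see
    if s_name == d_name:
        return "allowed"      # stays inside one Layer 2 broadcast domain
    zones = {s_zone, d_zone}
    if "enterprise" in zones:
        return "violation"    # enterprise <-> industrial must terminate in the IDMZ
    if zones == {"cell"}:
        return "enforce"      # east/west cell-to-cell: only through inter-cell enforcement
    return "routed"           # cell <-> plant-wide (north/south) via the Layer 3 switch

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    ("10.20.20.15", "10.20.20.40"),   # HMI to controller inside Machine #1
    ("10.20.20.15", "172.16.40.10"),  # Machine #1 to a plant-wide server
    ("10.20.20.15", "192.168.30.7"),  # Machine #1 to Machine #2
    ("10.100.5.9",  "192.168.30.7"),  # enterprise host straight into a cell
    ("10.100.5.9",  "203.0.113.8"),   # destination not in the inventory
]

def violations(flows):
    """Return only the flows that break the no-direct-traffic rule."""
    return [(s, d) for s, d in flows if evaluate_flow(s, d) == "violation"]

if __name__ == "__main__":
    for s, d in SAMPLE_FLOWS:
        print(f"{s:>15} -> {d:<15} {evaluate_flow(s, d)}")
```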
Structure and Hierarchy
Levels 0–2

[Diagram: Cell/Area Zones built from Layer 2 access switches and switch stacks below a Layer 3 distribution switch, with media and connectors and the attached devices: Level 0 drives, servo drives, soft starter, I/O, safety I/O, instrumentation, camera and phone; Level 1 controller and safety controller; Level 2 HMI; Layer 3 and Layer 2 building blocks; MCC]
Cell/Area Zone #1 – Redundant Star Topology – Flex Links Resiliency
Cell/Area Zone #2 – Ring Topology – Resilient Ethernet Protocol (REP)
Cell/Area Zone #3 – Bus/Star Topology
What Can You Do Now to Mitigate Risk?
Practice these 8 Simple, Actionable Steps to enhance industrial reliability and security
1. Control who has network access
2. Employ firewalls and intrusion detection/prevention
3. Use Anti Virus Protection and patch your system (when possible)
4. Manage & protect your passwords
5. Turn the processor key(s) to the Run Mode and remove key
6. Utilize features embedded in the ICS
7. Develop a process to manage removable media
8. Block access ports (example: key connectors)
Westburne [email protected]
• Network Design – Core, Distribution and Access layers
• Wireless Surveys and Design (WAPs)
• NGFW Implementation
• IDMZ Design
• Patch Panels
• Cabling – Bulk, Patch cords, fiber
• PoE Lighting
• Servers and PCs
• Industrial Hazardous location, temperature resistant PCs and Tablets
• Hardware specification
Intermission…
Questions & Answers
Prizes!
OT Asset Visibility and Risk
Mike Wooten
IoT Solution Architect
Lack of visibility is a problem in ICS environments

[Diagram: utility assets – RTU, Relay, Meter, Volt/Var IED, Controller]
Most customers don’t have an accurate asset inventory
55% have no or low confidence that they know all devices in their network
They are blind to what their assets are communicating with
Myriad industrial protocols supported by a diverse set of suppliers
You can’t secure what you can’t see
Two Worlds Converging
Security is the Top Driver
Challenges of securing industrial networks
Skills Shortage
How to streamline OT cybersecurity tasks with existing OT and IT staff?
Growing Threats
53% of industrial companies have already suffered cyber attacks. Are you ready?
Compliance
Must comply with new regulatory constraints (NERC CIP, EU-NIS…) and show shareholders that risks are under control
Source: IBM report 2017
Agility
Converging OT & IT securely to capture the benefits of industry digitization
Cisco Cyber Vision

[Diagram: Network-Sensors (Deep Packet Inspection built into network elements, eliminating the need for SPAN) on the IE 3400 Switch, IE 3400 Heavy Duty, IR 1101 Gateway and Catalyst 9000 Series Switch; a Hardware-Sensor (SPAN based, to support brownfield) on the IC3000 Industrial Compute; application flow metadata sent to the Cyber Vision Center (Centralized Analytics)]
Operational Insights for OT
Threat Detection for IT
Security that scales with your network infrastructure
Cisco Cyber Vision

[Diagram: sensors embedded across the ICS network send lightweight application-flow metadata to the Cyber Vision Center]
Cyber Vision Sensors embedded into industrial network equipment
No additional hardware needed
No need for an out-of-band monitoring network
No impact on performance
Reduce TCO by eliminating the need to invest in an ever-growing SPAN collection network
Visibility built into your network infrastructure
Cisco Cyber Vision
Asset Inventory & Security Platform for the Industrial IoT
ICS Visibility: Asset Inventory; Communication Patterns; Device Vulnerability
Operational Insights: Identify configuration changes; Record control system events relevant to the integrity of the system
Threat Detection: Behavioral Anomaly Detection; Signature based IDS; Real-time alerting
Cisco Cyber Vision helps companies protect their industrial control systems against cyber risks
Gain Visibility and Operational Insights

[Diagram: Network-Sensors (built-in Deep Packet Inspection) forward application flow to the Cyber Vision Center (centralized analytics)]
Comprehensive asset inventory
Dynamic communication map
Track variable changes
Detect changes in the control system
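The baseline-and-deviation logic behind a dynamic communication map and "detect changes in the control system", as an added example that is not code from the deck or from Cisco Cyber Vision. The asset names, the operation tags, the set of state-changing tags and the flow records are all constructed for the example.

```python
from collections import defaultdict

# Constructed flow metadata in the shape a sensor would forward to the Center:
# (source asset, destination asset, tag describing the operation).
BASELINE = [
    ("hmi-01", "plc-01", "Read variable"),
    ("hmi-01", "plc-01", "Read variable"),
    ("ews-01", "plc-01", "Program download"),
    ("historian-01", "plc-01", "Read variable"),
]
OBSERVED = [
    ("hmi-01", "plc-01", "Read variable"),          # matches the baseline
    ("laptop-77", "plc-01", "Program download"),    # asset never seen before
    ("hmi-01", "plc-01", "Write variable"),         # known pair, new operation
    ("plc-01", "203.0.113.5", "HTTP request"),      # controller talking to an unknown host
]
# Constructed list of tags that change controller state (control system modifications).
MODIFYING_TAGS = {"Program download", "Write variable", "Firmware update"}

def learn(flows):
    """Build the asset inventory and the communication map {(src, dst): {tags}}."""
    assets, comms = set(), defaultdict(set)
    for src, dst, tag in flows:
        assets.update((src, dst))
        comms[(src, dst)].add(tag)
    return assets, comms

def detect(baseline, observed):
    """Return (finding, severity, flow) for each observed flow that deviates from the baseline."""
    assets, comms = learn(baseline)
    findings = []
    for flow in observed:
        src, dst, tag = flow
        if src not in assets or dst not in assets:
            kind = "new-asset"            # inventory gap or an outsider on the network
        elif (src, dst) not in comms:
            kind = "new-conversation"     # the communication map changed
        elif tag not in comms[(src, dst)]:
            kind = "new-operation"        # a known pair is doing something new
        else:
            continue                      # within the learned baseline
        severity = "high" if tag in MODIFYING_TAGS else "medium"
        findings.append((kind, severity, flow))
    return findings

if __name__ == "__main__":
    for kind, sev, (src, dst, tag) in detect(BASELINE, OBSERVED):
        print(f"[{sev}] {kind}: {src} -> {dst} ({tag})")
```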
Cyber Vision Tags to Drive Data Analysis
Cyber Vision
Universal OT Language
• Messages exchanged between assets are translated to Tags any user can understand
• Asset characteristics are shown as Tags
• A common language, whatever the vendor reference
• Users do not need to be protocol experts to understand what is going on
150+ tags available
Cyber Vision Threat Detection
Vulnerabilities – Cyber Vision Vulnerability Detection – Patch Vulnerabilities Before They Are Exploited
Intrusion – Cyber Vision Intrusion Detection System – Detect Malicious Intrusions From IT Domain
Control System Modifications – Cyber Vision Intrusion Detection System – Detect Attempts to Scan & Modify OT Assets
C2 Callback – Cyber Vision Behavioral Analytics – Detect Attempts to Communicate With Attacker
Holistic Threat Detection Techniques
Cyber Vision understands the ICS protocols you use
Cisco’s Deep Packet Inspection understands all process information even when using proprietary protocols
Cisco components
Industrial DMZ
• Access control lists (ACLs)
• Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
• VPN services
• Portal and remote desktop services
• Application and data mirrors
Industrial zone
• AAA identity services
• Network management
• Asset inventory
• Anomaly detection
• Plant-wide services
• Traffic enforcement (plant to IDMZ, north/south)
Area zone
• Traffic enforcement (cell to cell, east/west)
• QoS prioritization
• SXP
• NetFlow
Inter-cell (ISA3000)
• Industrial deep packet inspection (DPI)
• Stateful firewall and intrusion prevention (IPS)
• Hardware bypass
Cell zone
• PoE/PoE+
• Layer 2 NAT
• 802.1X
• MAC Authentication Bypass (MAB)
• Quality of Service marking
• NetFlow (IE3x00 and IE4000 only)
• TrustSec tagging (IE3x00 and IE4000 only)
• Edge compute (IE3x00 only)
Cyber Vision architecture

[Diagram: the Cyber Vision Center deployed at the industrial core in the Industrial Zone (Purdue level 3), behind Cisco NGFW and IPS solutions that separate it from the IT core, DMZ and Enterprise Zone (Purdue level 4–5); integrations shown: User Access, RESTful API (HTTPS), SIEM (Syslog), ISE/DNA-C (pxGrid); sensors embedded in IE3x00 switches and an IC3000 fed by SPAN/RSPAN in the Area Zone (Purdue level 2) and Cell Zone (Purdue level 0–1), alongside ISA3000 firewalls, SCADA/HMI, Historian, MES and PLC/RTU/IED/SIS devices]

Cisco Security for Industrial IoT
A fully integrated IT-OT security solution
Working together to define & apply IoT security policies
Cisco ISE – Access Control
Cisco Firepower – Traffic Filtering
Cisco Stealthwatch – Network Flow Analysis
Cisco DNA-C – Network Management
Cyber Vision Center – Operational Insights, Threat Detection
[Diagram labels: Visibility flows up from the sensors; Context flows between the Center and the IT security components]
Cyber Vision Sensors – Deep Packet Inspection built into your Cisco industrial network: Industrial Routing, Industrial Wi-Fi, Industrial Switching, IoT Gateways, Compute
Thank you!!
Questions & Answers
Prizes
Thank you!