Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.
PUBLIC
PUBLIC - 5058-CO900H
Defense-in-Depth for Industrial CybersecurityNew Orleans Users Group
Clark Case – Security Platform Leader, Application Security
Tony Baker – Security Platform Leader, Hardware and Network Security
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Actuators Terminals Audio VideoSensors Intelligent Motor Control
Industrial IoT Enhances the Connected EnterpriseIntegrated Control and Information
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Security Threat Vectors
Unintended
employee actions
Theft
Unauthorized actions
by employees
Unauthorized
accessDenial of
Service
Application of
patches
Unauthorized
remote access
Natural or Man-made
disasters
Sabotage
Worms and
viruses
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC 4
ICS Security in the News
Source: http://www.scmagazine.com
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC 5
ICS Security in the News
Source: http://www.theregister.co.uk
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC 6
ICS Security in the News
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Our Approach to ICS Security
7
1. Build in security quality
2. Create security value
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Security Quality
8
Vendors must build security into
products with a focus on security
throughout the products
lifecycle…
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Security QualityStandards Based
International Society of Automation
ISA/IEC-62443 (Formerly ISA-99)
Industrial Automation and Control Systems (IACS) Security
Defense-in-Depth
National Institute of Standards and Technology
NIST 800-82
Industrial Control System (ICS) Security
Defense-in-Depth
Department of Homeland Security / Idaho National Lab
DHS INL/EXT-06-11478
Control Systems Cyber Security: Defense-in-Depth Strategies
Defense-in-Depth
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Security QualityProduct Design Approach
Develop
Specifications
Audit and
Identify Gaps
Enhance &
Improve
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Security QualityVerify
Key part of our Industrial Security Team
Help reduce customer risk
Critical to our Industrial Security Goals
Identify weaknesses and vulnerabilities
Improve product resiliency & robustness
Evaluation of all company products
Leveraging ISA Security Compliance Institute (ISCI) approved tools and test suites
Robustness and Resiliency Testing
Security code reviews
Fuzz testing
Windows BinScope verification
Web testing
Code analysis
Obfuscation
11
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Security QualityIncident Response Process
12
CloseMitigate and
Remediate
Evaluate and
AssessReceive
Communications
Product Vulnerabilities:
We expect them
We plan for them
We work to avoid them
We support our customers
See Rockwell Automation® Knowledge
Base article 54102 for up-to-date
information on product vulnerabilities
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Tamper
Detection
Content
ProtectionAccess Control &
Policy Management
Detect & Record unwanted
Activity & Modifications to
the application
Protect viewing, editing, and
use of specific pieces of
control system content
Control Who, What, Where &
When access is allowed, to
which application & device
Secure Automation & InformationDefending the digital architecture
MUST BE IMPLEMENTED AS A SYSTEMINDUSTRIAL SECURITY
Secure Network
Infrastructure
Control Access to the
network, and Detect unwanted
access and activity
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Security Value: Secure Network Infrastructure
14
Rockwell Automation® solutions available today include:
Architectural Guidelines
Stratix™ Portfolio of Routers and Switches
Stratix 5900™ Services Router
Network and Security Services
Secure Network Infrastructure helps enable secure enterprise
connectivity, remote manufacturing and remote engineering
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Network Security ApproachEtherNet/IP Industrial Automation & Control System Network
15
By ICS nature, open by default to allow
both technology coexistence and device
interoperability for Industrial Automation
and Control System (IACS) Networks
Secured by configuration:
Protect the network- Establish the Security Perimeter
Enable Connectivity- Industrial DMZ (IDMZ)
Defense-in-Depth– Multiple layers of security
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
What is a Network Perimeter?Network Segmentation
16
Recommended
Not Recommended
Enterprise-wide Network
Plant-wide Network
Enterprise-wide Network
Plant-wide Network
Plant-wide Network
Enterprise-wide Network
Plant-wide Network
Enterprise-wide Network
SwitchWith VLANs
Plant-wide Network
Enterprise-wide Network
Firewall
Better
Plant-wide Network
Enterprise-wide Network
IDMZ
Best
Plant-wide Network
Enterprise-wide Network
Router(Zone Based FW)
Good
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC 17
Converged Plant-wide Ethernet (CPwE) Reference Architectures
Structured and Hardened IACS Network
Infrastructure
Industrial security policy
Pervasive security, not a bolt-on component
Security framework using defense-in-depth
approach
Industrial DMZ implementation
Remote partner access policy, with robust and
secure implementation
Network Security ServicesMust Not Compromise Operations of the IACS
EnterpriseWAN
Catalyst 3750StackWise
Switch Stack
Firewall(Active)
Firewall(Standby)
MCC
HMI
IndustrialDemilitarized Zone(IDMZ)
Enterprise ZoneLevels 4-5
CiscoASA 5500
Controllers, I/O, Drives
Catalyst6500/4500
Soft Starter
I/O
Physical or Virtualized Servers• Patch Management• Remote Gateway Services• Application Mirror• AV Server
Network DeviceResiliency
VLANs
Standard DMZ Design Best Practices
Network Infrastructure Access Control and
Hardening
Physical Port Security
Level 0 - ProcessLevel 1 - Controller
Plant Firewall: Inter-zone traffic
segmentation ACLs, IPS and IDS VPN Services Portal and Terminal
Server proxy
VLANs, Segmenting Domains of Trust
AAA - Application
Authentication Server,Active Directory (AD),
Remote Access Server
Client Hardening
Level 3 – Site Operations
Controller
Network Status and Monitoring
Drive
Level 2 – Area Supervisory Control
Controller Hardening, Physical Security
FactoryTalk® Client
Unified Threat Management (UTM)
Controller Hardening, Encrypted Communications
Controller
AAA - Network
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC 18
The Stratix™ PortfolioIntegrating Industrial and Enterprise Environments
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC19
Network & Security Services:Lifecycle Approach to Services and Solutions
ASSESS DESIGN IMPLEMENT VALIDATE MANAGE
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Security Value: Tamper Detection
Rockwell Automation® solutions available today include:
Firmware Digital Signatures
FactoryTalk® AssetCentre Auditing
Controller Change Detection and Logging
High Integrity Add-On Instruction20
Tamper Detection allows customers to quickly detect
if something in their system has been modified
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Tamper Detection:FactoryTalk® AssetCentre Auditing
21
Centrally collect records of all interactions with the control system
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Tamper Detection:Controller Change Detection
22
Every Logix Controller exposes a Change Detection Audit Value
When something happens that can affect the behavior of the controller, the value changes
Audit Value is available in RSLogix™ 5000, in other software applications and in other
controllers via Message instruction
The set of events that causes the Audit Value to change can be configured
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Tamper Detection:Controller Change Detection
The Audit Value is stored in every Controller Log entry
FactoryTalk® AssetCentre (in version 4.1), can monitor the
Audit Value and read in the Controller Log
23Copyright © 2011 Rockwell Automation®, Inc. All rights reserved.
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Security Value: Content Protection
Rockwell Automation® solutions available today
include:
Logix Source Protection
24
Content Protection allows customers to control access to specific
objects within their controllers and other assets
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Coming Late 2015 – License Based Source Protection
Access to selected Routines and AOIs can be controlled using Licenses
Licenses are managed by the content owner using a web based
application, and reside on secure USB devices
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Coming in 2016 – Execution and Feature Protection
Content owners can prevent overuse by
requiring a license to be present in the
controller to allow protected routines and
AOIs to execute
Content owners can vary functionality of
content based on licenses in the
controller
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Security Value: Application Access Control
Rockwell Automation® solutions available
today include:
Data Access Control
FactoryTalk® Security
27
Application Access Control allows you to control who can do
what from where in your automation system
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Application Access Control:Data Access Control
External Access Attribute – Read/Write, Read Only, or None
Controls which tags can be modified from an HMI or other external application
Constant Attribute
Controls which tags can be modified by controller logic
Changes to Constants bump the Audit Value
FactoryTalk® Security can control
permission to change Constants
28
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Application Access Control:FactoryTalk Security
Use FactoryTalk® Security to…
Manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation® software applications to access automation devices
How does it work?
Provides a centralized authority to verify identity of each user and grants or deny user's requests to perform a particular set of actions on resources within the system.
• Authenticate the User
• Authorize Use of Applications
• Authorize Access to Specific Devices
FactoryTalk®
Directory
(All FactoryTalk® Security
enabled software)
29
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Coming in V28 – FactoryTalk Temporary Users
30
Use FactoryTalk Temporary Users to temporarily give someone access to privileges of a different user group
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC 31
Secure a project file with a
Permission Set to use the same
policies for many controllers
Coming in V28 – Permission Sets for Securing Projects
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC 32
Apply Permission Sets to Routines, AOIs and Tags to have different policies for different components
Coming in V28 – Permission Sets for Securing Routines, AOIs and Tags
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Coming in V28 – Guest User Access
33
With Guest Users, grant
limited permissions to users
who aren’t members of your
FactoryTalk Directory
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Industrial Security Resources
Security-enhanced Products and Technologies Rockwell Automation® product and technologies with security capabilities
that help increase overall control system system-level security.
http://www.rockwellautomation.com/security
EtherNet/IP™ Plantwide Reference Architectures Control system validated designs and security best-practices that
complement recommended layered security/defense-in-depth measures.
http://www.ab.com/networks/architectures.html
Network & Security Services (NSS) RA consulting specialists that conduct security risk assessments and
make recommendations for how to avert risk and mitigate vulnerabilities.
http://www.rockwellautomation.com/services/security
34
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.PUBLIC
Industrial Security Landing Pad
http://rockwellautomation.com/security
Assessment
Services
Security
Technology
Security
FAQ
Assessment
Services
Security
Resources
Reference
ArchitecturesSecurity
Services
[email protected] Good Privacy (PGP) Public Key
Leadership &
Standards
Microsoft Patch
Qualification
Security Advisory
Index
35
Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.
PUBLIC
PUBLIC - 5058-CO900H
www.rockwellautomation.com
Questions?