
Page 1: Defense-in-Depth for Industrial Cybersecurity

New Orleans Users Group

Clark Case – Security Platform Leader, Application Security
Tony Baker – Security Platform Leader, Hardware and Network Security

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved. PUBLIC - 5058-CO900H

Page 2: Industrial IoT Enhances the Connected Enterprise – Integrated Control and Information

[Figure: Actuators, Terminals, Audio/Video, Sensors, Intelligent Motor Control]

Page 3: Security Threat Vectors

• Unintended employee actions
• Theft
• Unauthorized actions by employees
• Unauthorized access
• Denial of Service
• Application of patches
• Unauthorized remote access
• Natural or man-made disasters
• Sabotage
• Worms and viruses

Page 4: ICS Security in the News (Source: http://www.scmagazine.com)

Page 5: ICS Security in the News (Source: http://www.theregister.co.uk)

Page 6: ICS Security in the News

Page 7: Our Approach to ICS Security

1. Build in security quality
2. Create security value

Page 8: Security Quality

Vendors must build security into products, with a focus on security throughout the product lifecycle…

Page 9: Security Quality – Standards Based

All three references recommend a defense-in-depth strategy:

• International Society of Automation: ISA/IEC-62443 (formerly ISA-99), Industrial Automation and Control Systems (IACS) Security
• National Institute of Standards and Technology: NIST 800-82, Industrial Control System (ICS) Security
• Department of Homeland Security / Idaho National Lab: DHS INL/EXT-06-11478, Control Systems Cyber Security: Defense-in-Depth Strategies

Page 10: Security Quality – Product Design Approach

Develop Specifications → Audit and Identify Gaps → Enhance & Improve

Page 11: Security Quality – Verify

Key part of our Industrial Security Team:
• Help reduce customer risk
• Critical to our Industrial Security Goals
• Identify weaknesses and vulnerabilities
• Improve product resiliency & robustness

Evaluation of all company products, leveraging ISA Security Compliance Institute (ISCI) approved tools and test suites:
• Robustness and Resiliency Testing
• Security code reviews
• Fuzz testing
• Windows BinScope verification
• Web testing
• Code analysis
• Obfuscation

Page 12: Security Quality – Incident Response Process

Receive → Evaluate and Assess → Mitigate and Remediate → Communications → Close

Product Vulnerabilities:
• We expect them
• We plan for them
• We work to avoid them
• We support our customers

See Rockwell Automation® Knowledge Base article 54102 for up-to-date information on product vulnerabilities.

Page 13: Secure Automation & Information – Defending the digital architecture

INDUSTRIAL SECURITY MUST BE IMPLEMENTED AS A SYSTEM

• Secure Network Infrastructure: Control access to the network, and detect unwanted access and activity
• Tamper Detection: Detect & record unwanted activity & modifications to the application
• Content Protection: Protect viewing, editing, and use of specific pieces of control system content
• Access Control & Policy Management: Control who, what, where & when access is allowed, to which application & device

Page 14: Security Value: Secure Network Infrastructure

Rockwell Automation® solutions available today include:
• Architectural Guidelines
• Stratix™ Portfolio of Routers and Switches
• Stratix 5900™ Services Router
• Network and Security Services

Secure Network Infrastructure helps enable secure enterprise connectivity, remote manufacturing and remote engineering.

Page 15: Network Security Approach – EtherNet/IP Industrial Automation & Control System Network

By ICS nature, open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks.

Secured by configuration:
• Protect the network – establish the security perimeter
• Enable connectivity – Industrial DMZ (IDMZ)
• Defense-in-depth – multiple layers of security

Page 16: What is a Network Perimeter? – Network Segmentation

Not Recommended:
• Plant-wide Network and Enterprise-wide Network connected directly (no perimeter)
• Plant-wide Network and Enterprise-wide Network separated only by a switch with VLANs

Recommended:
• Good – Router (zone-based firewall) between the Plant-wide and Enterprise-wide Networks
• Better – Firewall between the Plant-wide and Enterprise-wide Networks
• Best – IDMZ between the Plant-wide and Enterprise-wide Networks

Page 17: Converged Plant-wide Ethernet (CPwE) Reference Architectures – Structured and Hardened IACS Network Infrastructure

• Industrial security policy
• Pervasive security, not a bolt-on component
• Security framework using a defense-in-depth approach
• Industrial DMZ implementation
• Remote partner access policy, with robust and secure implementation
• Network security services must not compromise operations of the IACS

[Figure: CPwE reference architecture]
• Enterprise Zone (Levels 4-5): Enterprise WAN
• Industrial Demilitarized Zone (IDMZ): plant firewalls, Cisco ASA 5500 (active/standby) – inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and terminal server proxy; standard DMZ design best practices; physical or virtualized servers – patch management, remote gateway services, application mirror, AV server
• Level 3 – Site Operations: Catalyst 6500/4500 and Catalyst 3750 StackWise switch stack; VLANs, segmenting domains of trust; AAA – Application (authentication server, Active Directory (AD), remote access server); client hardening; network status and monitoring; network infrastructure access control and hardening; network device resiliency; Unified Threat Management (UTM)
• Level 2 – Area Supervisory Control: HMI, FactoryTalk® Client; physical port security; AAA – Network
• Level 1 – Controller and Level 0 – Process: controllers, I/O, drives, MCC, soft starter; controller hardening, physical security, encrypted communications
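The segmentation and CPwE slides above state one rule that a reviewer of a plant firewall rule base should be able to check mechanically: the Enterprise Zone (Levels 4-5) and the Industrial Zone (Levels 0-3) never exchange traffic directly, and every cross-zone session terminates on a broker service in the IDMZ. The following is an added example, not code from the deck or from Rockwell Automation; it encodes that rule as a zone policy and evaluates constructed sample flows against it. The subnets, host addresses, broker services and the remote access server address are assumptions chosen for the example; 44818/tcp is EtherNet/IP's explicit-messaging port.

```python
"""Zone-based inter-zone traffic policy for a plant network with an IDMZ.

Added example, not from the Rockwell Automation deck. It encodes the rule the
segmentation and CPwE slides state: Enterprise (Levels 4-5) and Industrial
(Levels 0-3) zones never exchange traffic directly; every cross-zone session
terminates on a broker service in the IDMZ (remote gateway, patch/AV mirror,
application mirror). Subnets, host addresses and port numbers are assumptions
chosen for the example; 44818/tcp is EtherNet/IP's explicit-messaging port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed addressing for the three zones.
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),     # Levels 4-5
    "idmz":       ip_network("10.100.0.0/24"),
    "industrial": ip_network("192.168.0.0/16"),  # Levels 0-3
}

# Broker services published in the IDMZ: (address, port) -> description.
# These are the only IDMZ endpoints either zone may open a session to.
IDMZ_BROKERS = {
    ("10.100.0.10", 3389): "remote gateway (terminal server proxy)",
    ("10.100.0.20", 443):  "patch / AV mirror",
    ("10.100.0.30", 443):  "application mirror",
}
REMOTE_GATEWAY = "10.100.0.10"
# Assumed Level 3 remote access server that the gateway brokers sessions to.
REMOTE_ACCESS_SERVER = ("192.168.3.20", 3389)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("permit" | "deny", reason) for one session-initiating flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every defined zone"
    if src_zone == dst_zone:
        return "permit", f"intra-zone traffic within {src_zone}"
    # Core rule: nothing crosses between enterprise and industrial directly.
    if {src_zone, dst_zone} == {"enterprise", "industrial"}:
        return "deny", "direct enterprise<->industrial traffic must terminate in the IDMZ"
    # Sessions *into* the IDMZ must land on a published broker service.
    if dst_zone == "idmz":
        svc = IDMZ_BROKERS.get((flow.dst, flow.dport))
        if svc and flow.proto == "tcp":
            return "permit", f"{src_zone} -> IDMZ broker: {svc}"
        return "deny", "IDMZ destination is not a published broker service"
    # Sessions *out of* the IDMZ: only the remote gateway may open one, only
    # into the industrial zone, and only to the remote access server.
    if src_zone == "idmz" and dst_zone == "industrial":
        if flow.src == REMOTE_GATEWAY and (flow.dst, flow.dport) == REMOTE_ACCESS_SERVER:
            return "permit", "remote gateway -> Level 3 remote access server"
        return "deny", "IDMZ hosts may not open sessions into the industrial zone"
    return "deny", f"IDMZ-initiated session toward {dst_zone} is not allowed"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate a batch of flows; useful for reviewing a proposed rule base."""
    return [(f, *evaluate(f)) for f in flows]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.5.21", "192.168.1.10", 44818),    # enterprise PC straight to a PLC
    Flow("10.0.5.21", "10.100.0.10", 3389),      # enterprise PC to the remote gateway
    Flow("10.100.0.10", "192.168.3.20", 3389),   # gateway to remote access server
    Flow("10.100.0.10", "192.168.1.10", 44818),  # gateway straight to a PLC
    Flow("192.168.3.5", "10.100.0.20", 443),     # plant patch server pulls from mirror
    Flow("192.168.3.5", "10.0.9.9", 445),        # plant host to enterprise file share
    Flow("10.0.5.21", "10.100.0.10", 22),        # SSH to the gateway: not published
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:6} {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The first sample flow is the one the whole architecture exists to stop: a workstation in the enterprise zone never gets a path to port 44818 on a controller, whatever VLAN it sits on. Note that the policy is written in terms of who may initiate a session, which is how a stateful firewall such as the ASA pair in the IDMZ enforces it; a permitted reply direction follows from the session, not from a second rule.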

Page 18: The Stratix™ Portfolio – Integrating Industrial and Enterprise Environments

Page 19: Network & Security Services: Lifecycle Approach to Services and Solutions

ASSESS → DESIGN → IMPLEMENT → VALIDATE → MANAGE

Page 20: Security Value: Tamper Detection

Rockwell Automation® solutions available today include:
• Firmware Digital Signatures
• FactoryTalk® AssetCentre Auditing
• Controller Change Detection and Logging
• High Integrity Add-On Instruction

Tamper Detection allows customers to quickly detect if something in their system has been modified.

Page 21: Tamper Detection: FactoryTalk® AssetCentre Auditing

Centrally collect records of all interactions with the control system.

Page 22: Tamper Detection: Controller Change Detection

• Every Logix Controller exposes a Change Detection Audit Value
• When something happens that can affect the behavior of the controller, the value changes
• The Audit Value is available in RSLogix™ 5000, in other software applications, and in other controllers via a Message instruction
• The set of events that causes the Audit Value to change can be configured

Page 23: Tamper Detection: Controller Change Detection

• The Audit Value is stored in every Controller Log entry
• FactoryTalk® AssetCentre (in version 4.1) can monitor the Audit Value and read in the Controller Log
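The two slides above give a monitor everything it needs: a per-controller Audit Value that moves on every behaviour-affecting event, and a Controller Log in which each entry records the Audit Value in force. The following is an added example, not code from the deck and not FactoryTalk AssetCentre; it shows the detection logic a practitioner would want from those two inputs, separating a change that the log attributes to a user and event from one the log cannot account for (the value moved but no entry carries it, as when the log was cleared or the change bypassed logging). Controller names, Audit Values and log records are constructed for the example.

```python
"""Controller change detection from the Audit Value, correlated with the Controller Log.

Added example, not from the deck and not FactoryTalk AssetCentre code. Every
Logix controller exposes an Audit Value that changes whenever a
behaviour-affecting event occurs, and each Controller Log entry records the
Audit Value in force. A monitor that remembers the last accepted value per
controller and reads the log can separate an attributed change (a new log entry
carries the new value) from an unexplained one. Names and records are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class LogEntry:
    seq: int            # position in the controller log
    audit_value: int    # Audit Value recorded with the entry
    event: str
    user: str


@dataclass(frozen=True)
class Alert:
    controller: str
    kind: str           # "attributed" or "unexplained"
    old_value: int
    new_value: int
    detail: str


@dataclass
class ChangeMonitor:
    baseline: Dict[str, int] = field(default_factory=dict)   # last accepted Audit Value
    last_seq: Dict[str, int] = field(default_factory=dict)   # last log entry already read

    def poll(self, controller: str, audit_value: int, log: List[LogEntry]) -> List[Alert]:
        """One polling cycle: read the Audit Value and any new log entries."""
        alerts: List[Alert] = []
        new_entries = [e for e in log if e.seq > self.last_seq.get(controller, -1)]
        known = self.baseline.get(controller)
        if known is None:
            self.baseline[controller] = audit_value          # first sight: baseline, no alert
        elif audit_value != known:
            explained = [e for e in new_entries if e.audit_value == audit_value]
            if explained:
                e = explained[-1]
                alerts.append(Alert(controller, "attributed", known, audit_value,
                                    f"{e.event} by {e.user} (log seq {e.seq})"))
            else:
                alerts.append(Alert(controller, "unexplained", known, audit_value,
                                    "Audit Value changed but no log entry carries the new value"))
            self.baseline[controller] = audit_value          # accept, so the next change is judged on its own
        if new_entries:
            self.last_seq[controller] = max(e.seq for e in new_entries)
        return alerts


def run_demo() -> List[Alert]:
    """Constructed sequence of polls against one controller."""
    monitor = ChangeMonitor()
    log = [LogEntry(0, 1000, "Online edit: routine MainRoutine", "ccase")]
    alerts = monitor.poll("Line1_PLC", 1000, log)        # baseline established
    log.append(LogEntry(1, 1001, "Download: project Line1.ACD", "tbaker"))
    alerts += monitor.poll("Line1_PLC", 1001, log)       # attributed to the download
    alerts += monitor.poll("Line1_PLC", 1002, log)       # value moved, nothing logged
    alerts += monitor.poll("Line1_PLC", 1002, log)       # steady state
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.controller}: {a.kind} change {a.old_value}->{a.new_value}: {a.detail}")
```

The "unexplained" class is the one worth paging someone for: an attributed change is routine engineering work to be reviewed at leisure, whereas a moved Audit Value with no matching log entry means the record and the controller disagree. In a deployment the monitor's baseline would be persisted outside the controller, otherwise an attacker who can change the program can also reset the reference it is compared against.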

Page 24: Security Value: Content Protection

Rockwell Automation® solutions available today include:
• Logix Source Protection

Content Protection allows customers to control access to specific objects within their controllers and other assets.

Page 25: Coming Late 2015 – License Based Source Protection

Access to selected Routines and AOIs can be controlled using Licenses. Licenses are managed by the content owner using a web based application, and reside on secure USB devices.

Page 26: Coming in 2016 – Execution and Feature Protection

Content owners can prevent overuse by requiring a license to be present in the controller to allow protected routines and AOIs to execute.

Content owners can vary the functionality of content based on the licenses in the controller.

Page 27: Security Value: Application Access Control

Rockwell Automation® solutions available today include:
• Data Access Control
• FactoryTalk® Security

Application Access Control allows you to control who can do what from where in your automation system.

Page 28: Application Access Control: Data Access Control

External Access attribute – Read/Write, Read Only, or None: controls which tags can be modified from an HMI or other external application.

Constant attribute: controls which tags can be modified by controller logic. Changes to Constants bump the Audit Value, and FactoryTalk® Security can control permission to change Constants.
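The slide names two independent tag attributes and one side effect. The following added example (not Rockwell code, and not the controller's implementation) models them so the interaction is visible: External Access gates what an HMI or other external application may do, Constant gates what controller logic may do, and an edit to a Constant is a programming-tool change that is permission-checked and bumps the Audit Value. The tag names, values and the permission table are constructed for the example.

```python
"""Tag write authorization with the External Access and Constant attributes.

Added example, not Rockwell code: a model of the two tag attributes the slide
names. External Access (Read/Write, Read Only, None) decides what an HMI or
other external application may do with a tag; Constant decides whether
controller logic may write it; an edit to a Constant from the programming
software bumps the controller's Audit Value and, here, is gated by a
FactoryTalk-style permission table. Tag names, values and permissions are
constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Set


class ExternalAccess(Enum):
    READ_WRITE = "Read/Write"
    READ_ONLY = "Read Only"
    NONE = "None"


@dataclass
class Tag:
    name: str
    value: float
    external_access: ExternalAccess = ExternalAccess.READ_WRITE
    constant: bool = False


class Controller:
    def __init__(self, tags: Iterable[Tag], constant_editors: Iterable[str]):
        self.tags: Dict[str, Tag] = {t.name: t for t in tags}
        self.audit_value = 1000                       # assumed starting Audit Value
        self.constant_editors: Set[str] = set(constant_editors)

    # --- external applications (HMI, OPC, scripts) ---
    def external_read(self, name: str) -> float:
        tag = self.tags[name]
        if tag.external_access is ExternalAccess.NONE:
            raise PermissionError(f"{name}: External Access is None")
        return tag.value

    def external_write(self, name: str, value: float) -> None:
        tag = self.tags[name]
        if tag.external_access is not ExternalAccess.READ_WRITE:
            raise PermissionError(f"{name}: External Access is {tag.external_access.value}")
        tag.value = value

    # --- controller logic ---
    def logic_write(self, name: str, value: float) -> None:
        tag = self.tags[name]
        if tag.constant:
            raise PermissionError(f"{name}: Constant tags cannot be written by logic")
        tag.value = value

    # --- programming software, identity-checked ---
    def edit_constant(self, name: str, value: float, user: str) -> int:
        """Change a Constant from the programming tool. Returns the new Audit Value."""
        tag = self.tags[name]
        if not tag.constant:
            raise ValueError(f"{name} is not a Constant tag")
        if user not in self.constant_editors:
            raise PermissionError(f"{user} lacks permission to change Constants")
        tag.value = value
        self.audit_value += 1          # behaviour-affecting change: the Audit Value moves
        return self.audit_value


def build_demo_controller() -> Controller:
    """Constructed tags: a live setpoint, an alarm limit and two constants."""
    return Controller(
        tags=[
            Tag("Setpoint_Temp", 72.0, ExternalAccess.READ_WRITE),
            Tag("Alarm_Hi_Temp", 95.0, ExternalAccess.READ_ONLY),
            Tag("Scale_Factor", 0.1, ExternalAccess.READ_ONLY, constant=True),
            Tag("Safety_Key", 0.0, ExternalAccess.NONE, constant=True),
        ],
        constant_editors={"ccase"},
    )


def attempt(fn, *args) -> str:
    """Run one access attempt and describe the outcome."""
    try:
        fn(*args)
        return "allowed"
    except (PermissionError, ValueError) as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    plc = build_demo_controller()
    print(attempt(plc.external_write, "Setpoint_Temp", 75.0))
    print(attempt(plc.external_write, "Alarm_Hi_Temp", 120.0))
    print(attempt(plc.external_read, "Safety_Key"))
    print(attempt(plc.logic_write, "Scale_Factor", 1.0))
    print(attempt(plc.edit_constant, "Scale_Factor", 0.2, "operator"))
    print(attempt(plc.edit_constant, "Scale_Factor", 0.2, "ccase"))
    print("audit value now", plc.audit_value)
```

In this model the two attributes are separate checks, which is the conservative reading of the slide: a value that must not move at runtime gets both Constant (no logic writes) and External Access Read Only or None (no HMI writes), and the only remaining path, a programming-software edit, is the one that is both permission-gated and visible in the Audit Value.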

Page 29: Application Access Control: FactoryTalk Security

Use FactoryTalk® Security to manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation® software applications to access automation devices.

How does it work? It provides a centralized authority (the FactoryTalk® Directory, shared by all FactoryTalk® Security enabled software) that verifies the identity of each user and grants or denies the user's requests to perform a particular set of actions on resources within the system:

• Authenticate the User
• Authorize Use of Applications
• Authorize Access to Specific Devices

Page 30: Coming in V28 – FactoryTalk Temporary Users

Use FactoryTalk Temporary Users to temporarily give someone access to the privileges of a different user group.

Page 31: Coming in V28 – Permission Sets for Securing Projects

Secure a project file with a Permission Set to use the same policies for many controllers.

Page 32: Coming in V28 – Permission Sets for Securing Routines, AOIs and Tags

Apply Permission Sets to Routines, AOIs and Tags to have different policies for different components.

Page 33: Coming in V28 – Guest User Access

With Guest Users, grant limited permissions to users who aren't members of your FactoryTalk Directory.
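Pages 29 through 33 describe one authorization model from several angles: a directory that authenticates users, Permission Sets that secure a whole project and can be overridden on individual Routines, AOIs and Tags, Temporary Users who borrow another group's privileges for a while, and Guest Users who are not in the directory at all. The following added example is an illustrative model of those ideas, not FactoryTalk Security's implementation or API; it shows how the pieces combine in one access decision. Users, groups, actions, component paths and timestamps are constructed for the example.

```python
"""Permission sets with temporary and guest users (illustrative model).

Added example; a model of the V28 features the slides list, not FactoryTalk
Security's implementation or API. A Permission Set maps user groups to allowed
actions; one set secures the whole project and can be overridden on individual
routines, AOIs and tags; a Temporary User borrows a group's privileges until an
expiry time; anyone not in the FactoryTalk Directory is a Guest and gets only
the guest group's permissions. All names and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Set, Tuple

PermissionSet = Dict[str, Set[str]]    # group name -> allowed actions


@dataclass
class Directory:
    members: Dict[str, Set[str]]                                   # user -> groups
    temporary: Dict[str, Tuple[str, datetime]] = field(default_factory=dict)  # user -> (group, expires)
    guest_group: str = "Guests"

    def groups_for(self, user: Optional[str], now: datetime) -> Set[str]:
        """Effective groups for a user at time `now`."""
        if user is None or user not in self.members:
            return {self.guest_group}            # not in the directory: guest only
        groups = set(self.members[user])
        grant = self.temporary.get(user)
        if grant is not None and now < grant[1]:
            groups.add(grant[0])                 # temporary membership still valid
        return groups


@dataclass
class Project:
    permission_set: PermissionSet                                   # secures the whole project
    overrides: Dict[str, PermissionSet] = field(default_factory=dict)  # component path -> set

    def effective_set(self, component: Optional[str]) -> PermissionSet:
        """Most specific permission set wins: component, its parents, then the project."""
        parts = component.split("/") if component else []
        for depth in range(len(parts), 0, -1):
            override = self.overrides.get("/".join(parts[:depth]))
            if override is not None:
                return override
        return self.permission_set


def is_allowed(directory: Directory, project: Project, user: Optional[str],
               action: str, component: Optional[str], now: datetime) -> bool:
    pset = project.effective_set(component)
    return any(action in pset.get(g, set()) for g in directory.groups_for(user, now))


# --- constructed sample policy ---
PLANT_POLICY: PermissionSet = {
    "Engineers": {"View", "Go Online", "Edit", "Download"},
    "Operators": {"View", "Go Online"},
    "Guests":    {"View"},
}
# Safety logic: only the safety group may edit; engineers may go online, operators only view.
SAFETY_POLICY: PermissionSet = {
    "SafetyEngineers": {"View", "Go Online", "Edit", "Download"},
    "Engineers":       {"View", "Go Online"},
    "Operators":       {"View"},
}
EXPIRY = datetime(2015, 6, 1, 18, 0)             # contractor's temporary grant ends
NOW_BEFORE_EXPIRY = datetime(2015, 6, 1, 17, 0)
NOW_AFTER_EXPIRY = datetime(2015, 6, 1, 19, 0)

DIRECTORY = Directory(
    members={"alice": {"Engineers"}, "bob": {"SafetyEngineers"}, "jsmith": {"Operators"}},
    temporary={"jsmith": ("Engineers", EXPIRY)},   # contractor borrows Engineer rights for a shift
)
PROJECT = Project(
    permission_set=PLANT_POLICY,
    overrides={"Program:Main/Routine:SafetyInterlock": SAFETY_POLICY},
)


def check(user: Optional[str], action: str, component: Optional[str],
          now: datetime = NOW_BEFORE_EXPIRY) -> bool:
    return is_allowed(DIRECTORY, PROJECT, user, action, component, now)


if __name__ == "__main__":
    for user, action, comp, now in [
        ("alice", "Edit", "Program:Main/Routine:Conveyor", NOW_BEFORE_EXPIRY),
        ("alice", "Edit", "Program:Main/Routine:SafetyInterlock", NOW_BEFORE_EXPIRY),
        ("bob", "Edit", "Program:Main/Routine:SafetyInterlock", NOW_BEFORE_EXPIRY),
        ("jsmith", "Edit", "Program:Main/Routine:Conveyor", NOW_BEFORE_EXPIRY),
        ("jsmith", "Edit", "Program:Main/Routine:Conveyor", NOW_AFTER_EXPIRY),
        (None, "View", None, NOW_BEFORE_EXPIRY),
        (None, "Go Online", None, NOW_BEFORE_EXPIRY),
    ]:
        print(user or "<guest>", action, comp, "->", check(user, action, comp, now))
```

Two properties of the model are the ones to check in any real deployment: an override replaces the project's Permission Set for that component rather than adding to it (so a group absent from the safety routine's set has no rights there, however broad its project rights), and a temporary grant carries its expiry with it, so the contractor's extra privileges lapse without anyone having to remember to revoke them.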

Page 34: Industrial Security Resources

Security-enhanced Products and Technologies – Rockwell Automation® products and technologies with security capabilities that help increase overall control system-level security.
http://www.rockwellautomation.com/security

EtherNet/IP™ Plantwide Reference Architectures – Control system validated designs and security best practices that complement recommended layered security/defense-in-depth measures.
http://www.ab.com/networks/architectures.html

Network & Security Services (NSS) – RA consulting specialists that conduct security risk assessments and make recommendations for how to avert risk and mitigate vulnerabilities.
http://www.rockwellautomation.com/services/security

Page 35: Industrial Security Landing Pad

http://rockwellautomation.com/security

• Assessment Services
• Security Technology
• Security FAQ
• Security Resources
• Reference Architectures
• Security Services
• [email protected] – Pretty Good Privacy (PGP) Public Key
• Leadership & Standards
• Microsoft Patch Qualification
• Security Advisory Index

Page 36: Questions?

www.rockwellautomation.com