
Honeywell Industrial Cyber Security

Seth Carpenter/Robert Alston

June 20, 2017

Honeywell Internal

SECURE NETWORK REFRESH (SNR)


Honeywell Confidential - © 2017 by Honeywell International Inc. All rights reserved.

Why I Don’t Upgrade My Network



Secure Network Refresh

Honeywell User Group 2017

Seth Carpenter/ Robert Alston


Agenda

• Introductions

• Safety Moment

• Secure Network Refresh Defined

• Identifying the Need for a Refresh

• Securely Refreshing a Process Control Network

  - Hardware Refresh

  - Software Refresh

  - Architecture Refresh

• Summary of Secure Network Refresh

• Wrap up / Q&A


How Do You Know if You Need a Network Refresh?


If you are still using one of these…

[Slide images: IBM XT or Cisco 1900]

… you need a network refresh.


Secure Network Refresh Defined

• What it is

- Replacing out-of-date software and end-of-life hardware

- Securing critical network infrastructure

- Hardening of systems

- Enabling migration of legacy components

- Implementing secure communications

- Updating network architecture

• What it is not

- Experion upgrade

- Controller upgrade

- Release dependent


How Do You Know if You Need a Network Refresh?


If you are still using one of these…

[Slide images: two legacy devices; labels not preserved in the extracted text]

… you definitely need a network refresh.


Foundation for ELCN/EUCN Migrations


Switch Obsolescence

• Announced End-of-Life (EOL) for many Cisco and other switches

- Switches: 2900s, 2950s, 2960s, 3550s

- Slower processing & interfaces

- Some obsolete as of 2009

- NOT UPGRADEABLE

• Big Issue: Security

- Older switches do NOT support encryption

- Configuration via Telnet only – IN THE CLEAR

- Extremely vulnerable to TAKE OVER

- New switches & routers support encryption for their communications and configuration files

- Other manufacturers' switches & routers that do not encrypt their configuration files and access should also be replaced

• Configurations of upstream devices may also need to be checked


Router Obsolescence

• Routers were previously installed to support reliable connections

- Routers today need more restricted configurations to strengthen security

- Control of traffic between zones supports containment and protection

- A router's Access Control Lists define communication between networks

• Announced End-of-Life (EOL) for many Cisco routers as well

- Routers: 3560s, 3750s

- Slower processing & interfaces

- Some obsolete as of 2009

- NOT UPGRADEABLE

• Same issues with security

- Older routers do NOT support encryption

- Configuration via Telnet only – IN THE CLEAR

- Extremely vulnerable to TAKE OVER

- New routers support encryption for their communications and configuration files

- Other manufacturers' routers that do not encrypt their configuration files and access should also be replaced

• Configurations of connecting devices should also be revisited
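The switch and router slides above come down to one check a refresh team can run before any hardware is touched: does a device's saved configuration still expose management over Telnet or keep credentials in the clear? The Python below is an added example, not Honeywell's or Cisco's code; it audits two constructed IOS-style configurations (a legacy switch and a refreshed one) for exactly the weaknesses the slides name. Hostnames, passwords and the enable-secret hash are placeholders.

```python
import re

# Constructed sample: the kind of legacy switch configuration the slides describe,
# managed only over Telnet with credentials stored in the clear.
LEGACY_CONFIG = """\
hostname L2-SW-OLD
no service password-encryption
enable password plant123
line vty 0 4
 password plant123
 login
 transport input telnet
"""

# Constructed sample: the same device class after a refresh: SSH-only management,
# hashed enable secret, line passwords obfuscated in the saved configuration.
REFRESHED_CONFIG = """\
hostname L2-SW-NEW
service password-encryption
enable secret 5 $1$PLACEHOLDER$hash.goes.here
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
"""

def audit_config(config):
    """Return findings for the clear-text management weaknesses the slides call out."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    # Telnet (or 'all') on a vty line means configuration sessions cross the network in the clear.
    for l in lines:
        m = re.match(r"\s*transport input (.+)$", l)
        if m and ("telnet" in m.group(1).split() or m.group(1).strip() == "all"):
            findings.append("vty accepts Telnet: " + l.strip())
    # 'enable password' stores the privileged credential in clear or reversibly; use 'enable secret'.
    if any(l.startswith("enable password ") for l in lines):
        findings.append("enable password used instead of enable secret")
    # Without service password-encryption, line passwords sit in clear text in the config file.
    if "service password-encryption" not in lines:
        findings.append("service password-encryption not enabled")
    # An explicit SSHv2 setting is the expected replacement for Telnet management.
    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 not configured")
    return findings
```

Run it over a `show running-config` capture from each device in the refresh scope; a device that cannot be brought to an empty finding list is one the slides say to replace.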


FTE Qualified Cisco Switches and IOS



Architecture Refresh

[Figure: Experion Network Levels diagram; only its text labels survive extraction.]

Components labelled in the diagram: Router, HSRP Router, L2.5 Router (Primary and Secondary), Qualified Cisco Switches (Catalyst 2960 Series PoE-24), Enterprise Switch, Firewall, Experion Server, ESC, ESF, ESTACE, ESVT, EAS, Safety Manager, PLC, Terminal Server, Domain Controller, Level 2 Domain Controller, PHD Server, PHD Shadow Server, 3rd Party App Subsystem Interface, Patch Mgmt Server, Anti Virus Server, Relay Server, Risk Manager Service Node, Blade Server / BladeCenter S, Server Blade, VM Client, NAS, vCenter Server.

Zones: Level 1, Level 2, Level 2.5, Level 3, Level 3.5 DMZ, Level 4.

Comm flow annotations:

- L1 to L1; L2 to L2; L2.5 to L2.5; L3 to L3; L4 to L4

- Limited: L2 to L1; L2.5 to L3; L3.5 to L3.5

- Very limited: L3 to L3.5 to L3; L3.5 to L4; L2 (annotation beside the Risk Manager Service Node and its firewall)

- No direct communications between L4 & L3 or L2

- No communications between L1 & L3 or L4
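The communication-flow labels on the diagram are, in effect, the policy that the router Access Control Lists described on the previous slides must enforce. As an added example (not part of the Honeywell deck), the Python below encodes those labels and reviews constructed IOS extended-ACL entries against them. The per-level subnets, the bidirectional reading of each link, and default deny for pairs the slide does not label are assumptions for the example.

```python
import ipaddress
# Constructed addressing for the example: one hypothetical /16 per Experion level.
ZONES = {lvl: ipaddress.ip_network(cidr) for lvl, cidr in [
    ("L1", "10.1.0.0/16"), ("L2", "10.2.0.0/16"), ("L2.5", "10.25.0.0/16"),
    ("L3", "10.3.0.0/16"), ("L3.5", "10.35.0.0/16"), ("L4", "10.4.0.0/16")]}

# Flow classes read off the slide's diagram; each link is read as bidirectional (assumption).
# Pairs marked "no communications" (L4-L3, L4-L2, L1-L3, L1-L4) or unlabelled default to "none".
FLOW_POLICY = {
    ("L1", "L1"): "allowed", ("L2", "L2"): "allowed", ("L2.5", "L2.5"): "allowed",
    ("L3", "L3"): "allowed", ("L4", "L4"): "allowed", ("L3.5", "L3.5"): "limited",
    ("L2", "L1"): "limited", ("L2.5", "L3"): "limited",
    ("L3", "L3.5"): "very limited", ("L3.5", "L4"): "very limited"}

def flow_class(a, b):
    return FLOW_POLICY.get((a, b)) or FLOW_POLICY.get((b, a)) or "none"

def _take_net(tokens):  # consume one IOS address spec: any | host A.B.C.D | A.B.C.D wildcard
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]  # wildcard = hostmask

def level_of(net):  # level whose subnet wholly contains net; None if it spans levels
    return next((lvl for lvl, zone in ZONES.items() if net.subnet_of(zone)), None)

def review_acl(aces):
    """Flag permit entries the level model forbids, or that cross a limited boundary."""
    findings = []
    for ace in aces:
        tokens = ace.split()
        if tokens[0] != "permit": continue  # deny entries never widen what the ACL allows
        src, rest = _take_net(tokens[2:]); dst, _ = _take_net(rest)
        s, d = level_of(src), level_of(dst)
        if s is None or d is None:
            findings.append(f"{ace!r}: address spans more than one level; scope it")
            continue
        cls = flow_class(s, d)
        if cls == "none":
            findings.append(f"{ace!r}: {s}->{d} is not permitted by the level model")
        elif cls != "allowed":
            findings.append(f"{ace!r}: {s}->{d} is {cls}; restrict to named hosts and ports")
    return findings

SAMPLE_ACL = [  # constructed entries in IOS extended-ACL syntax
    "permit tcp 10.2.0.0 0.0.255.255 10.2.0.0 0.0.255.255", "permit ip any any",
    "permit tcp host 10.3.1.10 host 10.35.1.20 eq 1433",
    "permit ip 10.4.0.0 0.0.255.255 10.2.0.0 0.0.255.255", "deny ip any any"]
```

The "very limited" finding is deliberately only a prompt for scoping: the historian-style L3 to L3.5 entry is legitimate on the diagram, but it should name hosts and ports, as the sample entry does, rather than whole subnets.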


Architecture Refresh

[Figure: the Experion Network Levels diagram is repeated on this slide; its labels are identical to those on the previous slide.]


Summary

- Replace out-of-date software

- Replace end-of-life hardware

- Secure critical network infrastructure

- Harden systems

- Migrate legacy components

- Implement secure communications

- Update network architecture
