Honeywell Industrial Cyber Security
Seth Carpenter/Robert Alston
June 20, 2017
Honeywell Internal
SECURE NETWORK REFRESH (SNR)
Honeywell Confidential - © 2017 by Honeywell International Inc. All rights reserved.
Why I Don’t Upgrade My Network
Secure Network Refresh
Honeywell User Group 2017
Seth Carpenter / Robert Alston
Agenda
• Introductions
• Safety Moment
• Secure Network Refresh Defined
• Identifying the Need for a Refresh
• Securely Refreshing a Process Control Network
o Hardware Refresh
o Software Refresh
o Architecture Refresh
• Summary of Secure Network Refresh
• Wrap up / Q&A
How Do You Know if You Need a Network Refresh?
If you are still using one of these (an IBM XT or a Cisco 1900)… you need a network refresh.
Secure Network Refresh Defined
• What it is
- Replacing out of date software and end of life hardware
- Securing critical network infrastructure
- Hardening of systems
- Enabling migration of legacy components
- Implementing secure communications
- Updating network architecture
• What it is not
- Experion upgrade
- Controller upgrade
- Release dependent
How Do You Know if You Need a Network Refresh?
If you are still using one of these… you definitely need a network refresh.
Foundation for ELCN/EUCN Migrations
Switch Obsolescence
• Announced End-of-Life (EOL) for many Cisco and other switches
- Switches: 2900s, 2950s, 2960s, 3550s
- Slower processing & interfaces
- Some obsolete as of 2009
- NOT UPGRADEABLE
• Big Issue: Security
- Older switches do NOT support encryption
- Configuration via Telnet only – IN THE CLEAR
- Extremely vulnerable to TAKE OVER
- New Switches & Routers support encryption for their communications and configuration files
- Other manufacturers' Switches & Routers that do not encrypt their configuration files and access should also be replaced
• Configurations of upstream devices may also need to be checked
Router Obsolescence
• Routers were previously installed to support reliable connections
- Routers today need more restricted configurations to strengthen security
- Control of traffic between zones supports containment and protection
- Router Access Control Lists define communication between networks
• Announced End-of-Life (EOL) for many Cisco Routers as well
- Routers: 3560s, 3750s
- Slower processing & interfaces
- Some obsolete as of 2009
- NOT UPGRADEABLE
• Same issues with security
- Older routers do NOT support encryption
- Configuration via Telnet only – IN THE CLEAR
- Extremely vulnerable to TAKE OVER
- New Routers support encryption for their communications and configuration files
- Other manufacturers' Routers that do not encrypt their configuration files and access should also be replaced
• Configurations of connecting devices should also be revisited
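The two obsolescence slides above reduce to three things an auditor can check on every switch and router before a refresh is scoped: is the platform family on the EOL list, is management access still Telnet (cleartext), and are passwords stored unencrypted in the configuration file. The script below is an added example, not Honeywell's or Cisco's code; it audits IOS-style running-config text for exactly those three points. The two sample configurations are constructed for illustration (the `$1$PLACEHOLDER-HASH` secrets are placeholders, not real hashes), and the EOL family list is the one printed on the slides.

```python
"""Audit a Cisco IOS-style running-config for the weaknesses the slides name:
Telnet-only (cleartext) management access, passwords kept unencrypted in the
configuration file, and an end-of-life platform family.

Added example, not Honeywell's or Cisco's code. Both sample configurations
below are constructed for illustration; the EOL families are the ones the
slides list (2900/2950/2960/3550 switches, 3560/3750 routers).
"""
import re

# Platform families the slides call end-of-life and not upgradeable.
EOL_FAMILIES = ("2900", "2950", "2960", "3550", "3560", "3750")


def is_eol_platform(model):
    """True if the model string (e.g. from 'show version') is an EOL family."""
    return any(family in model for family in EOL_FAMILIES)


def _vty_stanzas(config):
    """Yield the indented lines of each 'line vty ...' stanza in the config."""
    stanza = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("line vty"):
            if stanza is not None:
                yield stanza
            stanza = []
        elif line.startswith("line ") or line in ("!", "end"):
            if stanza is not None:
                yield stanza
                stanza = None
        elif stanza is not None:
            stanza.append(line.strip())
    if stanza is not None:
        yield stanza


def audit_config(config, model=""):
    """Return a list of findings (strings) for one device; [] means clean."""
    findings = []

    if is_eol_platform(model):
        findings.append(f"platform {model} is an end-of-life family: replace, not patch")

    # Management plane: the vty lines decide whether Telnet (cleartext) is accepted.
    for stanza in _vty_stanzas(config):
        transports = [entry for entry in stanza if entry.startswith("transport input")]
        if not transports:
            findings.append("vty: no 'transport input' restriction, Telnet accepted by default")
        elif any("telnet" in t or t.endswith(" all") for t in transports):
            findings.append(f"vty: cleartext Telnet permitted ('{transports[0]}')")

    # Configuration file: secrets that would be readable in a saved or backed-up config.
    if ("service password-encryption" not in config
            or "no service password-encryption" in config):
        findings.append("'service password-encryption' not enabled: line passwords stored in the clear")
    if re.search(r"^enable password ", config, re.M):
        findings.append("'enable password' used instead of hashed 'enable secret'")
    for m in re.finditer(r"^username (\S+) password ", config, re.M):
        findings.append(f"user '{m.group(1)}' stored with a reversible password, not 'secret'")

    return findings


# Constructed sample: a legacy switch configured the way the slides warn about.
LEGACY_CONFIG = """\
hostname L2-SW-OLD
no service password-encryption
enable password cisco123
username admin password admin123
!
line con 0
line vty 0 4
 password telnet123
 login
 transport input telnet
!
end
"""

# Constructed sample: the same device after refresh (hash values are placeholders).
HARDENED_CONFIG = """\
hostname L2-SW-NEW
service password-encryption
enable secret 5 $1$PLACEHOLDER-HASH
username admin secret 5 $1$PLACEHOLDER-HASH
ip ssh version 2
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for name, cfg, model in (("legacy", LEGACY_CONFIG, "WS-C2950-24"),
                             ("refreshed", HARDENED_CONFIG, "C9300-24T")):
        result = audit_config(cfg, model)
        print(f"{name} ({model}): {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the legacy sample the audit reports five findings (EOL platform, Telnet on the vty lines, no password encryption, a cleartext `enable password`, and a reversible user password); the refreshed sample reports none. A vty stanza with no `transport input` line at all is reported too, because on these platforms that default still accepts Telnet.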
FTE Qualified Cisco Switches and IOS
Architecture Refresh
[Diagram: Experion Network Levels, reference architecture after refresh. Labels recovered from the figure (level grouping approximate):]
• Level 1: PLC (behind a firewall); Risk Manager Service Node (behind a firewall)
• Level 2: ESC, ESF, EST, ACE, Experion Server, ESVT, Safety Manager, Terminal Server, Qualified Cisco Switches, HSRP Router, Level 2 Domain Controller, EAS
• Level 2.5: L2.5 Router Primary / L2.5 Router Secondary, Domain Controller, Blade Server (BladeCenter S, Server Blade, VM Client), NAS, vCenter Server, Catalyst 2960 Series switches, Firewall
• Level 3: PHD Server, Experion Server, Firewall, 3rd Party App Subsystem Interface, Enterprise Switch
• Level 3.5 DMZ: Terminal Server, Patch Mgmt Server, Anti Virus Server, Relay Server, PHD Shadow Server
• Level 4: Enterprise
Comm flow:
- L1 to L1; L2 to L2; L2.5 to L2.5; L3 to L3; L4 to L4
- Limited L2 to L1
- Limited L2.5 to L3
- Limited L3.5 to L3.5
- Very limited L3 to L3.5 to L3
- Very limited L3.5 to L4
- No direct communications between L4 & L3 or L2
- No communications between L1 & L3 or L4
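The "Comm flow" labels on the architecture diagram are a zone policy, and the router ACLs and firewall rules that implement the refresh should be checked against it before they go live. The script below is an added example, not Honeywell's code: it transcribes the diagram's flow labels into a table and rejects candidate inter-level rules that the diagram forbids. Two assumptions are mine, not the diagram's: level pairs the diagram does not label (for example L2 to L2.5) are treated as "none", i.e. deny by default, and "limited" / "very limited" is read as "only explicitly named ports, never any/any". The candidate rule names and port values are constructed for illustration.

```python
"""Policy-as-code check for the Experion network-levels diagram: the flow
labels on the diagram become a table, and a candidate list of inter-level
firewall/ACL rules is tested against it before it is deployed.

Added example, not Honeywell's code. Assumptions: level pairs the diagram
does not label are treated as 'none' (deny by default); 'limited' and
'very limited' are read as 'only explicitly named ports, never any/any';
the candidate rules and their port values are constructed for illustration.
"""

ALLOWED, LIMITED, VERY_LIMITED, NONE = "allowed", "limited", "very limited", "none"
LEVELS = ("L1", "L2", "L2.5", "L3", "L3.5", "L4")

# Unordered level pairs -> flow category, transcribed from the diagram labels.
_POLICY = {
    frozenset(["L1"]): ALLOWED,                 # L1 to L1
    frozenset(["L2"]): ALLOWED,                 # L2 to L2
    frozenset(["L2.5"]): ALLOWED,               # L2.5 to L2.5
    frozenset(["L3"]): ALLOWED,                 # L3 to L3
    frozenset(["L4"]): ALLOWED,                 # L4 to L4
    frozenset(["L3.5"]): LIMITED,               # Limited L3.5 to L3.5
    frozenset(["L2", "L1"]): LIMITED,           # Limited L2 to L1
    frozenset(["L2.5", "L3"]): LIMITED,         # Limited L2.5 to L3
    frozenset(["L3", "L3.5"]): VERY_LIMITED,    # Very limited L3 to L3.5 to L3
    frozenset(["L3.5", "L4"]): VERY_LIMITED,    # Very limited L3.5 to L4
    frozenset(["L4", "L3"]): NONE,              # No direct communications L4 & L3
    frozenset(["L4", "L2"]): NONE,              # No direct communications L4 & L2
    frozenset(["L1", "L3"]): NONE,              # No communications L1 & L3
    frozenset(["L1", "L4"]): NONE,              # No communications L1 & L4
}


def flow_category(src, dst):
    """Category the diagram allows between two levels (direction-agnostic).
    Pairs not labelled on the diagram fall back to NONE (this example's assumption)."""
    for level in (src, dst):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
    return _POLICY.get(frozenset([src, dst]), NONE)


def policy_matrix():
    """Full src x dst matrix, the reference a firewall reviewer can sign off against."""
    return {(s, d): flow_category(s, d) for s in LEVELS for d in LEVELS}


def check_rules(rules):
    """Return [(rule name, reason)] for every candidate rule the diagram forbids.

    Each rule is a dict: name, src, dst, ports ('any' or a set of 'proto/port')."""
    violations = []
    for rule in rules:
        category = flow_category(rule["src"], rule["dst"])
        pair = f"{rule['src']} <-> {rule['dst']}"
        if category == NONE:
            violations.append((rule["name"], f"{pair}: no communications permitted"))
        elif category in (LIMITED, VERY_LIMITED) and rule["ports"] == "any":
            violations.append((rule["name"],
                               f"{pair} is '{category}': name explicit ports, not 'any'"))
    return violations


# Constructed candidate rule set, as a reviewer might receive it in a change request.
CANDIDATE_RULES = [
    {"name": "l2-peer-traffic",    "src": "L2",   "dst": "L2",   "ports": "any"},
    {"name": "console-to-plc",     "src": "L2",   "dst": "L1",   "ports": {"tcp/5000"}},
    {"name": "phd-to-shadow",      "src": "L3",   "dst": "L3.5", "ports": {"tcp/5000"}},
    {"name": "patch-distribution", "src": "L3.5", "dst": "L3",   "ports": "any"},
    {"name": "enterprise-to-l3",   "src": "L4",   "dst": "L3",   "ports": {"tcp/443"}},
    {"name": "enterprise-to-l2",   "src": "L4",   "dst": "L2",   "ports": {"tcp/3389"}},
]

if __name__ == "__main__":
    for name, reason in check_rules(CANDIDATE_RULES):
        print(f"REJECT {name}: {reason}")
```

On the constructed rule set three rules are rejected: the any/any patch-distribution rule across the very-limited L3.5/L3 boundary, and the two rules that would let Level 4 reach Level 3 or Level 2 directly, which the diagram rules out regardless of port. The explicit-port rules between L2 and L1 and between L3 and L3.5 pass, as does unrestricted L2-to-L2 traffic.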
Summary
- Replace out of date software
- Replace end of life hardware
- Secure critical network infrastructure
- Harden systems
- Migrate legacy components
- Implement secure communications
- Update network architecture