Securing Industrial Control Systems ICS, SCADA, IIoT, Industrial Cloud

Securing Industrial Control Systems · Case Study –Electric Utilities Transmission • Deployed Palo Alto Networks platform • Next-generation Firewall • 2 Control Centers &


Challenges with Legacy OT Cybersecurity Approaches

• POOR NETWORK VISIBILITY

• INCREASING SURFACES FOR ATTACK

• TIGHTENING REGULATIONS

• STOPPING ADVANCED THREATS

• COMPLEXITY & SCALABILITY OF POINT SOLUTIONS

IT-OT Integration

OT Modernization

OT TRAFFIC? RISKS? THREATS?


PALO ALTO NETWORKS PLATFORM

NETWORK SECURITY • ADVANCED ENDPOINT PROTECTION • CLOUD SECURITY

WildFire • Threat Prevention • URL Filtering • AutoFocus • Logging Service • MineMeld

NEXT-GEN SECURITY SERVICES

Magnifier


Platform Benefits for OT

• COMPLETE, OT-SPECIFIC VISIBILITY

• CYBERSAFE INTEGRATION OF IT-OT

• MEET AND EXCEED REGULATORY COMPLIANCE

• STOP KNOWN AND UNKNOWN THREATS

• HIGHLY SCALABLE, REDUCED TCO


Next-generation Firewall – Unique Architecture

© 2018, Palo Alto Networks. All Rights Reserved.

• App-ID: Secure ICS Protocols and Applications

• User-ID: Enforce user and user-group controls

• Content-ID: Secure content, stop malicious content

• High-performance, low-latency, high-availability architecture

• Native correlation of data

• Unique single pass, parallel processing engine (SP3)

• The only true Next-gen Firewall


Natively Integrated Security Services


• Protect unpatched or un-patchable systems from known threats to ICS (malware, exploits, C2)

• Quickly detect and stop 0-day malware, e.g. the next BlackEnergy, CrashOverride, WannaCry

• Safely enable internet access from OT, e.g. to a vendor support website

• Secure network access for mobile devices in OT, e.g. maintenance laptops, tablet HMIs

Services: Threat Prevention, GlobalProtect, WildFire, URL Filtering


Powerful Network Segmentation with the NGFW and Services


• Maximize visibility over OT traffic

• Reduce the attack surface

  • Granular inter-zone policy (L7)

  • Secure mobile/internet access as allowed

• Stop known exploits, malware, C2 traffic

• Quickly discover and stop 0-day threats

[Diagram: NGFW as a Security “Conduit” (ISA 62443), with Zone 1, Zone 2 and Zone 3]


Platform Security Use Cases for OT

[Diagram: network zones by level: L0, L1, L2, L3, L3.5, L4]

Zones shown: Corporate IT Zone; IT-OT DMZ Zone; Operator Zone; Historian DEV Zone; Engineering Zone; SCADA Server Zone; Site/Cell Zone; Process-specific; PLC Zone; Remote Access

Hosts shown: Jump, Patch, Web, Historian Replica, Engineering WS, HMI

Use cases called out:

• NGFW as “conduit” for granular segmentation (L7)

• Advanced Threat Prevention with the WF-500 Appliance

• Virtual Patching of OT hosts with Threat Prevention

• Secure Remote access: Jump-box or VPN

• Panorama Central Management

Deployment modes listed:

• Layer 3

• Layer 2 / VLAN

• VWIRE “bump-in-the-wire”


App-IDs for Industrial Protocols and Applications


Protocol / Application

• DNP3 • Modbus • Siemens S7 • Schneider/Wonderware SuiteLink • R-GOOSE

• IEC 60870-5-104 • CIP EtherNet IP • Siemens FactoryLink • Schneider OaSys • GE-Historian

• ICCP (IEC 60870-6 / TASE.2) • BACnet • Siemens Profinet IO • Rockwell FactoryTalk • Fanuc-Focas

• Synchrophasor (IEEE C.37.118) • OPC UA • ABB Network Manager • GE iFIX • Fisher-ROC

• Elcom 90 • MQTT • Honeywell/Matrikon OPC Tunneller • GE EGD • Cygnet SCADA

• DLMS / COSEM / IEC 62056 • RTCM (GPS/IP) • OSIsoft PI Systems

• Base App-IDs per above

• Function-level App-IDs: Modbus, DNP3, ICCP, S7, BACnet, IEC 60870-5-104

• Custom App-ID Decoders for ICS: Modbus, ICCP, DNP3

• Online request process for new App-ID


Granular Control over ICS Protocol


Protocols shown: MODBUS, DNP3, ICCP, BACnet, S7, IEC “104”


Consistent Network Security Across Your Industrial Enterprise


Appliances shown: PA-220, PA-220R, PA-800 SERIES, PA-3200 SERIES, PA-5200 SERIES, PA-7000 SERIES, VM-Series Virtualized NGFW

Deployment locations shown: Plant Perimeter / ICS Core; SCADA Core / Control Center / PCN / MES; OT Datacenter; Harsh Environments; Industrial Cloud (AWS, Azure, Google)

Panorama Network Security Management


CONSISTENT SECURITY FOR INDUSTRIAL DEPLOYMENTS

Prevention of known and unknown threats, including ICS-specific threats

Range of ICS / SCADA App-IDs supported with PAN-OS

Extended operating range for temperature

Certified for industrial use in harsh environments

Fan-less design, no moving parts for higher reliability

High availability and dual DC power supplies for redundancy

PA-220R

Industries: Oil & Gas, Water Utilities, Electric Transmission & Distribution, Power Generation, Manufacturing, Transportation


Traps Advanced Endpoint Protection Overview

• Secures endpoints from known and unknown malware and exploits

• Multi-method prevention of malware and exploits in a single endpoint agent

• Light-weight agent uses low CPU resources

• Supports legacy operating systems

• Controls installation of unapproved software

• Facilitates regulatory compliance


Platform Security Use Cases for OT

[Diagram: network zones by level: L0, L1, L2, L3, L3.5, L4]

Zones shown: Corporate IT Zone; IT-OT DMZ Zone; Operator Zone; Historian DEV Zone; Engineering Zone; SCADA Server Zone; Site/Cell Zone; Process-specific; PLC Zone; Remote Access

Hosts shown: Jump, Patch, Web, Historian Replica, Engineering WS, HMI

Use cases called out:

• NGFW as “conduit” for granular segmentation (L7)

• Advanced Threat Prevention with the WF-500 Appliance

• Virtual Patching of OT hosts with Threat Prevention

• Secure Remote access: Jump-box or VPN

• Panorama Central Management

• Advanced Endpoint Protection for OT hosts

• Endpoint Security Manager

Deployment modes listed:

• Layer 3

• Layer 2 / VLAN

• VWIRE “bump-in-the-wire”


Case Study – Electric Utilities Transmission

• Deployed Palo Alto Networks platform

• Next-generation Firewall

  • 2 Control Centers & 17 Substations

  • Threat Prevention and URL filtering services

  • All high-availability

• Threat Intelligence Cloud

  • WildFire services

• Central Management

  • Panorama for 38 distributed appliances

• Customer Value

  • Facilitate NERC CIP Compliance

  • Layer-7 Visibility and Zero-trust segmentation

  • Advanced Threat Prevention

  • Ease-of-use/Consolidation/TCO reduction


Case Studies - Oil & Gas (Full-Platform Deployment)

• Next-generation Firewalls

  • 114 FWs in PCN core & 40+ plants

  • Native Services: Threat Prevention, URL filtering, WildFire

• WildFire Service

  • Protection against unknown threats traversing the network

• Traps Advanced Endpoint Protection

  • Securing high-risk endpoint assets in PCN & plants

  • 200 Windows Server (2003 and newer) and 250 Desktop (XP and newer)

• Central Management

  • Panorama for Next-generation FWs

  • Traps Endpoint Security Manager


Industrial Cybersecurity Partnerships


Get hands-on with our platform


Security Lifecycle Review (SLR)

• Learn how your control network is being used and what risks may exist

• Summary report provided as part of SLR

• Free, passive, and confidential

ICS Hands-on Workshop

• Hands-on labs for ICS cybersecurity using Palo Alto Networks platform

• Virtualized ICS environment including HMIs and PLCs


Learn more about our ICS solution – Reference Blueprint

• Free, downloadable whitepaper

• Overview of our solution for ICS

• www.paloaltonetworks.com/ics-security-blueprint


Thank You!