PUBLIC Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved. 1 Stratix 5950 Security Appliance Divya Venkataraman, CCNA, GICSP Global Product Manager Network Infrastructure & Security Business




Industrial Control System (ICS) Security Trends and Challenges



ICS Security in the News

• Industry reports and customer feedback show that the top attack concerns for ICS are unintentional actions from insiders, or actions from malicious insiders, both resulting in downtime

• Computer assets, such as HMIs, servers and workstations, are reported as the control system components at the greatest risk of compromise

• News of increasing security incidents provides evidence that plant-floor professionals are unable to detect and prevent intrusions from cybersecurity threats in a timely manner

• The number of ICS/SCADA cybersecurity incidents continues to grow, and Industrial Automation professionals now understand the importance of securing their operations due to real-world security incidents and events targeting ICS network vulnerabilities

Rockwell Automation is dedicated to providing risk mitigation solutions to ensure availability in the face of security attacks and internal actions impacting ICS operations


Industrial Network Security Trends


• Some customers state they already have zones for segmentation strategies. The IEC 62443 Zones and Conduits concept is nothing new

• The top attack concern for ICS is the external / outsider threat, followed by malicious insiders

• Patching ICS is not considered practical

• Security configuration should be manageable centrally, not “one device at a time”

The Stratix® 5950 security appliance provides a solution for customer security challenges


Secure Automation and Information: Defending the Digital Architecture

INDUSTRIAL SECURITY MUST BE IMPLEMENTED AS A SYSTEM

• Content Protection: protect viewing, editing, and use of specific pieces of control system content

• Secure Network Infrastructure (Stratix® 5950): control access to the network, and detect unwanted access and activity

• Tamper Detection: detect and record unwanted activity and modifications to the application

• Access Control & Policy Management: control who, what, where and when access is allowed, to which application and device


Stratix 5950 Security Appliance Differentiators



Stratix® 5950 Security Appliance

The Stratix® 5950 Security Appliance brings an industrially-hardened security product to the networks and security infrastructure portfolio of products. The Stratix® 5950 Security Appliance helps provide increased visibility and control with Deep Packet Inspection (DPI™) capabilities to help protect your assets down to the machine level.


Stratix® 5950 Security Appliance Differentiators

• DIN rail mount offers increased design flexibility

• Industrially-hardened for high temperature demands (-40°C to 60°C)

• Deep Packet Inspection technology provides the visibility and controls needed for implementing policies around access, applications and protocols on the plant floor

• Maintain your protection against threats and control your assets with subscription based licensing

• Cisco ASA firewall and FirePOWER technology provide prevention services to identify, log or block potentially malicious traffic

• SFP slots enable flexibility by allowing multiple options for fiber connectivity


Stratix 5950 Security Appliance Applications

Industries shown: Critical Infrastructure, Automotive, Food & Beverage, Robotics, Consumer Packaged Goods, Life Sciences

Protecting Safety Integrated Systems (SIS): safety enforcement to protect Critical Infrastructure and people


Stratix 5950 Security Appliance Applications

The Stratix® 5950 is ideal for resolution of the following challenges:

Challenge: Lacking visibility and control to prevent unauthorized personnel from making unwanted changes to your ICS devices. You want to maintain the integrity of operations on the plant floor, for example to prevent potentially tampered-with firmware being downloaded from a contractor’s laptop to a controller.

Solution: Stratix® 5950 offers Intrusion Prevention capability and detailed network visibility, which enhances traditional firewall functionality, to ensure no plant floor downtime through the use of Deep Packet Inspection technology.

Challenge: Threat control for vulnerable and/or legacy Industrial Control Systems (ICS) devices, and protection against communications from ICS components at risk of compromise (like HMIs or contractor laptops).

Solution: Stratix® 5950 allows for protection of vulnerable systems through configuration of policies that block actions, like CIP Reads, Writes and Downloads, between at-risk ICS devices where patching or use of FT Security is not possible.

Stratix® 5950 addresses the challenge for Industrial Automation professionals to maintain operations integrity while making data more available from the ICS.


Stratix® 5950 Security Appliance Applications

The Stratix® 5950 is ideal for resolution of the following challenges:

Challenge: Lacking a skill set and common set of competencies amongst IT and OT staff to manage a heterogeneous system that includes use of multiple protocols. It is difficult to resolve the competency problem that encumbers visibility and control at all levels in the OSI model (0-5), especially all the way down to the plant floor.

Solution: Stratix® 5950 offers multiple Cisco technologies that extend visibility and monitoring of network communications between ICS devices on the plant floor. Cisco technologies such as NetFlow, Syslog, IPS/IDS, and AppID can be leveraged on Stratix® 5950 to log and allow for central aggregation of plant floor network traffic using proven, re-usable IT tools.

Challenge: Use of Industrial Automation Control Systems products on the plant floor that allow for extensible access control and Enterprise Integration (Identity Services Engine).

Solution: Stratix® 5950 provides support for Identity Services Engine to allow for centralized policy management and remote access.

Stratix® 5950 addresses the challenge for Industrial Automation professionals to maintain operations integrity while making data more available from the ICS.


Hardware Bypass


• The Stratix 5950 provides an “Availability” function known as hardware bypass.

• If a power loss or other catastrophic disruption occurs, the copper ports can be configured to connect directly to one another immediately, bypassing the device while it is down. While the bypass is active, traffic between those ports passes without firewall or DPI inspection.

• When hardware bypass is triggered, the circuit is closed.

• This option is configurable.


Stratix 5950 Enables Granular Security to Meet Differing Security Policies

Diagram: different security policies for different zones. Policy labels shown: Enterprise Security Policy, Level 3 Security Policy, Cell B Security Policy.


Compliant in IEC 62443 Architecture: Security Zones, Conduits and Barrier Devices

Diagram: Zone 1 and Zone 2 separated by a barrier device (labels: Security Zones, Barrier Devices).

In Transparent Mode: the security appliance acts as a barrier device between Cell/Area Zones to allow segmentation of control systems, enabling the implementation of an ISA99/IEC 62443-compliant network architecture.


Deep Packet Inspection (DPI)



CIP Deep Packet Inspection

• Common Industrial Protocol (CIP) DPI has been added to the Stratix 5950.

• In addition to the Network Analysis Policy rules engine, the ASA FirePOWER module has a software component called a preprocessor. The preprocessor is responsible for interpreting the packet before it is handled by the rules engine.

• Two types of CIP DPI rule categories: CIP Generic (related to the CIP standard) and Rockwell Automation specific CIP.


Firewalls and Deep Packet Inspection

• Deep Packet Inspection extends upon firewalls’ capabilities.

• Provides granular protection per protocol (ex. CIP, Modbus, DNP3) in the Industrial Zone*, giving the visibility and control to help prevent erroneous or malicious activity down to the Cell/Area Zone level.

• Intrusion Prevention uses DPI. What do you want to do after you have inspected the packet?

1.) After inspecting the packet using DPI, achieve granular control through security rules that act on matched network traffic.

2.) Do we allow this application or command, or is this a known threat?

*Note: Modbus and DNP3 were not tested and validated as part of the IFW DIG.


CIP DPI – High Level Example

• Specifically, “Block with reset” is recommended instead of “permit” for CIP actions such as CIP Read, CIP Write, CIP Administration, RA CIP Read, RA CIP Write and RA CIP Administration.

• CIP DPI rules are written in terms of host addresses; they are not granular enough to block an individual user.

• Good example: Operator Workstation (10.10.30.10) is blocked from RA CIP firmware download to CLX 192.168.1.10.

• Bad example: Bill on Operator Workstation (10.10.30.10) is blocked from RA CIP firmware download, but Jeff on Operator Workstation (10.10.30.10) is permitted to download to CLX 192.168.1.10.
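A host-based model of the rule example above, as an added illustration (not Rockwell Automation or Cisco code, and not the FirePOWER rule syntax): rules keyed on source host, destination host and CIP action category, with “permit” and “block with reset” verdicts, plus a monitor-mode path where a block can only be logged. It assumes firmware download falls under RA CIP Administration and that an unmatched packet takes an explicit default; both are modelling choices, not product behaviour.

```python
"""Host-based CIP DPI policy model (added example; not Rockwell Automation or
Cisco code). Rules match on source host, destination host and a CIP action
category, the fields the slide says CIP DPI rules are written against. There is
deliberately no user field: the appliance sees IP addresses, so two people on
the same workstation are indistinguishable to it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PERMIT, BLOCK_RESET, LOG_ONLY = "permit", "block with reset", "log only"

# CIP action categories named on the slide (generic CIP and RA-specific CIP).
CATEGORIES = {"CIP Read", "CIP Write", "CIP Administration",
              "RA CIP Read", "RA CIP Write", "RA CIP Administration"}


@dataclass(frozen=True)
class Rule:
    src: str        # CIDR for the source host(s)
    dst: str        # CIDR for the destination host(s)
    category: str   # one of CATEGORIES, or "*" for any CIP action
    action: str     # PERMIT or BLOCK_RESET

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.category in ("*", pkt["category"]))


def evaluate(rules, pkt, mode="inline", default=PERMIT):
    """First matching rule wins; `default` applies when nothing matches (an
    explicit modelling choice here, not a documented product default).
    In passive monitor mode the appliance only sees a mirrored copy of the
    packet, so a block verdict can be logged but never enforced."""
    if pkt["category"] not in CATEGORIES:
        raise ValueError(f"unknown CIP category: {pkt['category']}")
    verdict = next((r.action for r in rules if r.matches(pkt)), default)
    if mode == "monitor" and verdict == BLOCK_RESET:
        return {"verdict": LOG_ONLY, "reset_sent": False, "would_block": True}
    return {"verdict": verdict, "reset_sent": verdict == BLOCK_RESET,
            "would_block": verdict == BLOCK_RESET}


# The slide's good example: the Operator Workstation (10.10.30.10) is blocked
# from RA CIP firmware download to the ControlLogix controller at 192.168.1.10.
# Firmware download is modelled as an RA CIP Administration action (assumption);
# RA writes are blocked too, plain CIP reads remain permitted.
WS, CLX = "10.10.30.10", "192.168.1.10"
POLICY = [
    Rule(f"{WS}/32", f"{CLX}/32", "RA CIP Administration", BLOCK_RESET),
    Rule(f"{WS}/32", f"{CLX}/32", "RA CIP Write", BLOCK_RESET),
    Rule(f"{WS}/32", f"{CLX}/32", "CIP Read", PERMIT),
]


def same_host_users_indistinguishable(rules=POLICY):
    """The slide's bad example: block Bill but permit Jeff from the same
    workstation. The rule model has no user field, so both packets look the
    same to the appliance and receive the same verdict."""
    bill = {"src": WS, "dst": CLX, "category": "RA CIP Administration", "user": "Bill"}
    jeff = dict(bill, user="Jeff")
    return evaluate(rules, bill)["verdict"] == evaluate(rules, jeff)["verdict"]


if __name__ == "__main__":
    for cat in ("CIP Read", "RA CIP Write", "RA CIP Administration"):
        pkt = {"src": WS, "dst": CLX, "category": cat}
        print(f"{cat:24} inline: {evaluate(POLICY, pkt)['verdict']:18} "
              f"monitor: {evaluate(POLICY, pkt, mode='monitor')['verdict']}")
    print("Bill and Jeff get the same verdict:", same_host_users_indistinguishable())
```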


Stratix 5950 Security Appliance – Modes of Operation



Stratix 5950 Architecture Modes

Diagram of the three modes:

• Inline Transparent Mode: traffic passes through the IFW; the same network addresses are used on the ingress and egress interfaces (Network A on both sides).

• Inline Routed Mode: traffic passes through the IFW; different network addresses are used on the ingress and egress interfaces (Network A and Network B). Think “router”.

• Passive Monitor Mode: the IFW receives a copy of the packet rather than sitting in the traffic path.

The diagram also labels one of the modes “Out of Box”.


• Inline Routed Mode – need the same functionality as inline transparent mode, in addition to routing functionality

• Inline Transparent Mode – I want to actively protect the network by blocking or remediating potential threats

• Monitor Mode – I want to detect but not act upon potential threats


Machine / Skid Protection: Inline Transparent Mode

For use in deployments where the ability to actively protect the network is more important than traffic being affected by potential “false positives”

The machine/skid protection use case is used to segment a machine, skid or unit from the Cell/Area Zone network. This may be to support different security requirements between the larger IACS network and the machine/skid or to restrict ingress and egress traffic.

Diagram: CPwE reference topology. Industrial Zone (Levels 0-3, plant-wide network) below the Industrial Demilitarized Zone (IDMZ); core switches; distribution switch; Cell/Area Zones (Levels 0-2, ring and redundant star topologies of industrial Ethernet switches (IES) serving lines, machines, skids and equipment, with controller, HMI, drive and soft starter). An IFW in transparent mode sits in front of each machine, skid and equipment group; management via FireSIGHT Management Center and Cisco Security Manager.


Machine / Skid Protection: Inline Routed Mode

For use in deployments where the same functionality as Transparent mode is desired, in addition to routing functionality also being required

In inline routed mode, the Stratix 5950 is placed between the distribution network and one or more groupings of automation equipment that act as machines, skids or units to both protect and route traffic between each unit.

In each case, the Stratix 5950 acts as an ingress and egress point to a production line containing these machines/skids where traffic can be monitored or controlled through firewall or DPI security policies.

Diagram: CPwE reference topology (IDMZ, core switches, distribution switch, Cell/Area Zones of IES serving machines and skids, with controller, HMI, drive and soft starter). An IFW in routed mode sits between the distribution switch and the machine/skid groups; management via FireSIGHT Management Center and Cisco Security Manager.


Redundant Star Cell/Area Zone Protection: Inline Transparent Mode

When a redundant star network configuration is required to meet redundancy requirements

The network can be architected in a manner to support redundant Layer 2 EtherChannel links on Stratix 5950.

For this use case, the IFW is placed between the distribution switch and the plant floor equipment.

Diagram: CPwE reference topology (IDMZ, core switches, distribution switch, redundant star Cell/Area Zone of IES serving machines, skids and equipment, with controller, HMI, drive and soft starter). IFWs in transparent mode sit between the distribution switch and the plant floor equipment; management via FireSIGHT Management Center and Cisco Security Manager.


Ring Cell/Area Zone Protection: Inline Transparent Mode

The Ring Cell/Area Zone protection use case is used to monitor and apply security policies to a ring. Two transparent mode IFWs are placed between the distribution switches and the ring. The IFWs are not acting as an active/standby firewall pair in this configuration; they are simply providing firewall and possibly DPI functionality on both ingress points of the network ring.

While it is a valid use case, implementing this use case is not recommended because of architectural limitations of this deployment.

Any persistent connections that were established via the disrupted IFW will need to time out, then re-establish via the remaining IFW, resulting in communication downtime.

Diagram: CPwE reference topology (IDMZ, core switches, distribution switches, Cell/Area Zone ring of IES with controller, HMI, drive and soft starter). Two IFWs in transparent mode, one at each ingress point of the ring; management via FireSIGHT Management Center and Cisco Security Manager.
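The failure behaviour described above, as an added example (not Rockwell Automation or Cisco code): two independent stateful transparent-mode IFWs with no shared state, a persistent EtherNet/IP session (TCP port 44818; addresses reused from the deck's CIP DPI example) built up through IFW-A, and IFW-A then losing power. The state_sync flag is hypothetical and only shows what a state-sharing active/standby pair would change; it is not a feature the slide describes.

```python
"""Ring Cell/Area Zone protection with two independent IFWs (added example; not
Rockwell Automation or Cisco code). Each transparent-mode IFW keeps its own
connection table and nothing is shared between them, as the slide states they
are not an active/standby pair. A session built up through IFW-A is unknown to
IFW-B, so when A fails, mid-stream segments arriving at B are dropped until the
client times out and re-establishes the session through B."""
from dataclasses import dataclass

ENIP_TCP_PORT = 44818   # EtherNet/IP explicit messaging (CIP over TCP)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "DATA", "FIN" or "RST"

    @property
    def key(self):
        return (self.src, self.sport, self.dst, self.dport)


class StatefulIFW:
    """A stateful transparent-mode firewall with a private connection table."""

    def __init__(self, name):
        self.name, self.up, self.table = name, True, set()

    def forward(self, seg):
        """Return True if the segment is forwarded, False if it is dropped."""
        if not self.up:
            return False
        if seg.flags == "SYN":          # policy permits the flow: record it
            self.table.add(seg.key)
            return True
        if seg.key in self.table:       # belongs to a session this IFW saw start
            if seg.flags in ("FIN", "RST"):
                self.table.discard(seg.key)
            return True
        return False                    # mid-stream segment with no state: dropped


class Ring:
    """Two IFWs at the ring's ingress points; traffic prefers IFW-A while it is up."""

    def __init__(self, state_sync=False):
        self.a, self.b = StatefulIFW("IFW-A"), StatefulIFW("IFW-B")
        # Hypothetical: mirror the connection table to the other IFW after every
        # segment. Not what the slide describes; included only for contrast.
        self.state_sync = state_sync

    def send(self, seg):
        ifw = self.a if self.a.up else self.b
        ok = ifw.forward(seg)
        if self.state_sync:
            other = self.b if ifw is self.a else self.a
            other.table = set(ifw.table)
        return ifw.name, ok


def simulate(state_sync=False):
    """Constructed scenario: workstation 10.10.30.10 holds a persistent session
    to controller 192.168.1.10, IFW-A loses power mid-session, the client
    retransmits three times, then gives up and opens a new session."""
    ring = Ring(state_sync)
    ws, clx = "10.10.30.10", "192.168.1.10"
    data = Segment(ws, 50000, clx, ENIP_TCP_PORT, "DATA")
    events = [ring.send(Segment(ws, 50000, clx, ENIP_TCP_PORT, "SYN")),
              ring.send(data), ring.send(data)]
    ring.a.up = False                    # IFW-A down; the ring reconverges via IFW-B
    events += [ring.send(data) for _ in range(3)]   # retransmissions reach IFW-B
    # Client-side timeout: RSLinx-style reconnect with a fresh handshake
    events.append(ring.send(Segment(ws, 50001, clx, ENIP_TCP_PORT, "SYN")))
    events.append(ring.send(Segment(ws, 50001, clx, ENIP_TCP_PORT, "DATA")))
    return {"events": events, "dropped": sum(1 for _, ok in events if not ok)}


if __name__ == "__main__":
    for sync in (False, True):
        r = simulate(sync)
        print(f"state_sync={sync}: dropped {r['dropped']} of {len(r['events'])} segments")
        for name, ok in r["events"]:
            print(f"  {name}: {'forwarded' if ok else 'DROPPED'}")
```

The dropped segments are the communication downtime the slide warns about; nothing short of shared connection state between the two IFWs removes it.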


Cell/Area Zone Monitoring: Passive Monitor Mode

For use in deployments where uninterrupted connectivity is more important than active network protection

The Cell/Area Zone monitoring mode use case is used to monitor traffic of interest without placing the Stratix 5950 directly inline of a controller, skid, machine or Cell/Area Zone of interest

A SPAN session or port mirror is created to send the traffic of interest to the Stratix 5950

Diagram: CPwE reference topology (IDMZ, core switches, distribution switch, Cell/Area Zones of IES with controller, HMI, drive and soft starter). One IFW in monitor mode receives the mirrored traffic, while the other IFWs shown are in transparent mode; management via FireSIGHT Management Center and Cisco Security Manager.


Cell/Area Zone Monitoring: Passive Monitor Mode (continued)

The Stratix 5950 currently supports logging only the first and last packets of a persistent TCP connection between endpoints, not the individual packets within that connection. For example, the first time that RSLinx® establishes a connection and for the duration of that session, only one event will be logged.

Therefore, if this level of granularity is desired when monitoring ingress and egress traffic for the Cell/Area Zone, this deployment is not recommended.


Converged Plantwide Ethernet (CPwE) Program



Firewalls in the CPwE Framework: Holistic Plant-wide Security

Diagram: CPwE logical architecture. Enterprise Zone (Levels 4-5) with enterprise Identity Services, an external DMZ/firewall and the Internet; Industrial Demilitarized Zone (IDMZ) with physical or virtualized servers (patch management, AV server, application mirror, remote desktop gateway server); Industrial Zone (Levels 0-3) with Level 3 Site Operations (core switches, distribution switch stack, active/standby Wireless LAN Controller (WLC), Control System Engineers (OT)), Level 2 Area Supervisory Control (FactoryTalk client), Level 1 Controller and Level 0 Process (controllers, drives, I/O, soft starters, MCC, LWAP and WGB wireless with 2.4 GHz and 5 GHz SSIDs), and an IFW in front of the cell.

Standards referenced: IEC 62443 (Zones & Conduits), NIST 800-82 (Protect, Detect), ICS-CERT (IDMZ)

IDMZ Firewalls create a security boundary between the Enterprise and Industrial Zone

Industrial Firewall(s) can create security boundaries between Cell/Area Zones and even provide a granular security boundary on machines or skids.


Stratix® 5950 within a CPwE Architecture

Diagram: Industrial Zone (Levels 0-3, plant-wide network) below the Industrial Demilitarized Zone (IDMZ), with Stratix 5950 appliances deployed in Inline Transparent Mode (three instances) and Inline Routed Mode (one instance), exporting NetFlow and Syslog and integrating with ISE TrustSec.


IFW Design & Implementation Guide: Available for Download

Deploying Industrial Firewalls within a CPwE Architecture DIG outlines the concepts, requirements and technology solutions for application use cases that were tested, validated and documented by Cisco and Rockwell Automation to help support a hardened and converged plant-wide EtherNet/IP IACS architecture

Design Guide: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td002_-en-p.pdf

White Paper: http://literature.rockwellautomation.com/idc/groups/literature/documents/wp/enet-wp011_-en-p.pdf


What’s in the IFW DIG?

The following is a summary of the CPwE IFW CVD content:

• Industrial Firewalls Technology Overview
  • Modes of operation: Inline Transparent mode, Inline Routed mode, Passive Monitor-only mode
  • Network Protection (Cisco Adaptive Security Appliance) [Firewall]
  • Intrusion Prevention and Detection (Cisco FirePOWER)
  • Deep Packet Inspection (DPI) of the Common Industrial Protocol (CIP)


• Application use cases
  • Equipment/Machine/Skid Protection
  • Cell/Area Zone Protection: Redundant Star Topology, Ring Topology
  • Cell/Area Zone Monitoring

• Management Use Cases
  • Local Management: Command Line Interface (CLI), Adaptive Security Device Manager
  • Centralized Management
  • Migration from local to centralized management of industrial firewalls