Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved. (PUBLIC)
Stratix 5950 Security Appliance
Divya Venkataraman, CCNA, GICSP, Global Product Manager, Network Infrastructure & Security Business
Industrial Control System (ICS) Security Trends and Challenges
ICS Security in the News
• Industry reports and customer feedback show that the top attack concerns for ICS are unintentional actions by insiders, or actions by malicious insiders, both resulting in downtime
• Computer assets such as HMIs, servers and workstations are reported as the control system components at greatest risk of compromise
• News of increasing security incidents provides evidence that plant-floor professionals are unable to detect and prevent intrusions from cybersecurity threats in a timely manner
• The number of ICS/SCADA cybersecurity incidents continues to grow, and Industrial Automation professionals now understand the importance of securing their operations because of real-world security incidents and events targeting ICS network vulnerabilities
Rockwell Automation is dedicated to providing risk mitigation solutions to ensure availability in the face of security attacks and internal actions impacting ICS operations
Industrial Network Security Trends
• Some customers state they already have zones for their segmentation strategies; the IEC 62443 Zones and Conduits concept is nothing new
• The top attack concern for ICS is the external / outsider threat, followed by malicious insiders
• Patching ICS is not considered practical
• Security configuration should be manageable centrally, not “one device at a time”
The Stratix® 5950 security appliance provides a solution for these customer security challenges
Secure Automation and Information: Defending the Digital Architecture
Industrial security must be implemented as a system:
• Secure Network Infrastructure: control access to the network, and detect unwanted access and activity (Stratix® 5950)
• Access Control & Policy Management: control who, what, where and when access is allowed, to which application and device
• Tamper Detection: detect and record unwanted activity and modifications to the application
• Content Protection: protect viewing, editing and use of specific pieces of control system content
Stratix 5950 Security Appliance Differentiators
Stratix® 5950 Security Appliance
The Stratix® 5950 Security Appliance brings an industrially-hardened security product to the networks and security infrastructure portfolio of products. The Stratix® 5950 Security Appliance helps provide increased visibility and control with Deep Packet Inspection (DPI™) capabilities to help protect your assets down to the machine level.
Stratix® 5950 Security Appliance Differentiators
• DIN rail mount offers increased design flexibility
• Industrially-hardened for high temperature demands (-40°C to 60°C)
• Deep Packet Inspection technology provides the visibility and controls needed for implementing policies around access, applications and protocols on the plant floor
• Maintain your protection against threats and control your assets with subscription based licensing
• Cisco ASA firewall and FirePOWER technology provide prevention services to identify, log or block potentially malicious traffic
• SFP slots enable flexibility by allowing multiple options for fiber connectivity
Stratix 5950 Security Appliance Applications
Industry segments: Critical Infrastructure, Automotive, Food & Beverage, Robotics, Consumer Packaged Goods, Life Sciences
Protecting Safety Integrated Systems (SIS): safety enforcement to protect Critical Infrastructure and people
Stratix 5950 Security Appliance Applications
The Stratix® 5950 is ideal for resolution of the following challenges:
Challenge: Lacking the visibility and control to prevent unauthorized personnel from making unwanted changes to your ICS devices. You want to maintain the integrity of operations on the plant floor, for example to prevent potentially tampered-with firmware being downloaded from a contractor’s laptop to a controller.
Solution: Stratix® 5950 offers Intrusion Prevention capability and detailed network visibility, which enhances traditional firewall functionality through the use of Deep Packet Inspection technology to ensure no plant floor downtime.
Challenge: Threat control for vulnerable and/or legacy Industrial Control Systems (ICS) devices, and protection against communications from ICS components at risk of compromise (such as an HMI or a contractor laptop).
Solution: Stratix® 5950 allows for protection of vulnerable systems through configuration of policies to block actions, such as CIP Reads, Writes and Downloads, between at-risk ICS devices where patching or use of FT Security is not possible.
Stratix® 5950 addresses the challenge for Industrial Automation professionals of maintaining operations integrity while making data more available from the ICS
Stratix® 5950 Security Appliance Applications (continued)
The Stratix® 5950 is ideal for resolution of the following challenges:
Challenge: Lacking the skill set and a common set of competencies amongst IT and OT staff to manage a heterogeneous system that uses multiple protocols. It is difficult to resolve the competency problem that encumbers visibility and control at all levels of the OSI model (0-5), especially all the way down to the plant floor.
Solution: Stratix® 5950 offers multiple Cisco technologies that extend visibility and monitoring of network communications between ICS devices on the plant floor. Cisco technologies such as NetFlow, Syslog, IPS/IDS and AppID can be leveraged on Stratix® 5950 to log plant floor network traffic and allow for its central aggregation using proven, re-usable IT tools.
Challenge: Use of Industrial Automation Control Systems products on the plant floor that allow for extensible access control and Enterprise Integration (Identity Services Engine).
Solution: Stratix® 5950 provides support for Identity Services Engine to allow for centralized policy management and remote access.
Stratix® 5950 addresses the challenge for Industrial Automation professionals of maintaining operations integrity while making data more available from the ICS
Hardware Bypass
The Stratix 5950 provides an “Availability” function known as hardware bypass.
• If a power loss or other catastrophic disruption occurs, the copper ports can be configured to connect directly to one another immediately, bypassing the device while it is down
• When hardware bypass is triggered, the circuit is closed: traffic flows between the two copper ports without passing through the appliance’s firewall or DPI functions
• This option is configurable
Stratix 5950 Enables Granular Security to Meet Differing Security Policies
(Diagram: Enterprise, Level 3 and Cell B zones, each with its own security policy.)
Different security policies for different zones
Compliant in IEC 62443 Architecture: Security Zones, Conduits and Barrier Devices
(Diagram: Zone 1 and Zone 2 security zones separated by a barrier device.)
In Transparent Mode: the security appliance acts as a barrier device between Cell/Area Zones to allow segmentation of control systems, enabling the implementation of an ISA99/IEC 62443-compliant network architecture.
Deep Packet Inspection (DPI)
CIP Deep Packet Inspection
• Common Industrial Protocol (CIP) DPI has been added to the Stratix 5950
• The ASA FirePOWER module has a software component, in addition to the Network Analysis Policy rules engine, called a preprocessor. The preprocessor is responsible for interpreting the packet before it is handled by the rules engine
• Two types of CIP DPI rule categories: CIP Generic (related to the CIP standard) and Rockwell Automation specific CIP
Firewalls and Deep Packet Inspection
• Deep Packet Inspection extends upon firewalls’ capabilities
• Provides granular protection per protocol (e.g. CIP, Modbus, DNP3) in the Industrial Zone*, giving the visibility and control to help prevent erroneous or malicious activity down to the Cell/Area Zone level
• Intrusion Prevention uses DPI
• What do you want to do after you have inspected the packet?
1.) After inspecting the packet using DPI, achieve granular control through security rules that act on matched network traffic
2.) Do we allow this application or command, or is this a known threat?
*Note: Modbus and DNP3 were not tested and validated as part of the IFW DIG
CIP DPI – High Level Example
• “Block with reset” is recommended instead of “permit” for CIP actions such as CIP Reads, CIP Writes, CIP Administration, RA CIP Read, RA CIP Writes and RA CIP Administration
• CIP DPI rules are written to include host addresses, but they are not granular enough to block an individual user
• Good example: block RA CIP firmware download from Operator Workstation (10.10.30.10) to CLX 192.168.1.10
• Bad example: block RA CIP firmware download for Bill on Operator Workstation (10.10.30.10), but permit Jeff on Operator Workstation (10.10.30.10) to CLX 192.168.1.10
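The preprocessor-then-rules-engine pipeline described under CIP Deep Packet Inspection, and the host-based rule example above, modelled together as an added Python example that is not Rockwell Automation's or Cisco's code: a minimal decoder for a CIP Message Router request stands in for the preprocessor, and a host/category rule table stands in for the rules engine. The service-code categories, the rule table, the default action and the sample frames are constructed assumptions for illustration, not the appliance's actual rule set.

```python
import struct
from collections import namedtuple

# Assumption: an illustrative service-code table. The generic entries are services
# from the CIP object model; 0x4C/0x4D are the Logix Read Tag / Write Tag services
# and stand in here for the "Rockwell Automation specific CIP" rule category.
SERVICES = {
    0x01: ("Get_Attributes_All", "CIP Read"),
    0x0E: ("Get_Attribute_Single", "CIP Read"),
    0x10: ("Set_Attribute_Single", "CIP Write"),
    0x4C: ("Read Tag", "RA CIP Read"),
    0x4D: ("Write Tag", "RA CIP Write"),
}

CipRequest = namedtuple("CipRequest", "src dst service path category")

def decode_path(epath: bytes) -> str:
    """Decode 8-bit logical and ANSI symbolic segments of a CIP request path."""
    names = {0x20: "class", 0x24: "instance", 0x30: "attribute"}
    i, parts = 0, []
    while i < len(epath):
        seg = epath[i]
        if seg in names:                  # 8-bit logical segment: type byte + value byte
            parts.append(f"{names[seg]}={epath[i + 1]:#x}")
            i += 2
        elif seg == 0x91:                 # ANSI extended symbolic segment: 0x91, len, chars
            n = epath[i + 1]
            parts.append("tag=" + epath[i + 2:i + 2 + n].decode("ascii"))
            i += 2 + n + (n % 2)          # odd-length names are padded to a 16-bit word
        else:
            raise ValueError(f"unsupported path segment {seg:#x}")
    return "/".join(parts)

def preprocess(src: str, dst: str, frame: bytes) -> CipRequest:
    """Preprocessor stage: service (1 byte), path size in 16-bit words (1 byte), path, data."""
    service, path_words = struct.unpack_from("BB", frame, 0)
    name, category = SERVICES.get(service, (f"unknown {service:#x}", "unknown"))
    return CipRequest(src, dst, name, decode_path(frame[2:2 + 2 * path_words]), category)

# Rules engine stage. A rule keys on host addresses and CIP category, never on a user
# name, which is why the slide's per-user rule is the "bad example". Constructed rules
# using the slide's addresses; "log" is the assumed default action for unmatched traffic.
RULES = [
    ("10.10.30.10", "192.168.1.10", "RA CIP Write", "block with reset"),
    ("10.10.30.10", "192.168.1.10", "RA CIP Read", "permit"),
]

def evaluate(req: CipRequest, rules=RULES, default: str = "log") -> str:
    """Return the action of the first rule matching the decoded request."""
    for src, dst, category, action in rules:
        if (src, dst, category) == (req.src, req.dst, req.category):
            return action
    return default

def decide(src: str, dst: str, frame: bytes) -> tuple:
    """Run both stages: returns (service name, decoded path, category, action)."""
    req = preprocess(src, dst, frame)
    return req.service, req.path, req.category, evaluate(req)

# Constructed sample frames: Logix Write Tag / Read Tag of tag "Motor" (5 chars, padded
# to 4 words) and a generic Get_Attributes_All on the Identity Object, class 1 instance 1.
WRITE_MOTOR = bytes([0x4D, 0x04, 0x91, 0x05]) + b"Motor\x00" + b"\xc4\x00\x01\x00\x01\x00\x00\x00"
READ_MOTOR = bytes([0x4C, 0x04, 0x91, 0x05]) + b"Motor\x00" + b"\x01\x00"
GET_IDENTITY = bytes([0x01, 0x02, 0x20, 0x01, 0x24, 0x01])
# decide("10.10.30.10", "192.168.1.10", WRITE_MOTOR) -> ('Write Tag', 'tag=Motor', 'RA CIP Write', 'block with reset')
```

The same WRITE_MOTOR frame from any host other than 10.10.30.10 only falls through to the default action, which is the host-level granularity the slide describes.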
Stratix 5950 Security Appliance – Modes of Operation
Stratix 5950 Architecture Modes
• Inline Transparent Mode: traffic passes through the IFW; same network addresses on the ingress and egress interfaces (Network A to Network A)
• Inline Routed Mode: traffic passes through the IFW; different network addresses on the ingress and egress interfaces (Network A to Network B), think “router”
• Passive Monitor Mode: the IFW receives a copy of the packet instead of sitting in the traffic path
Out of Box
• Inline Routed Mode: need the same functionality as inline transparent mode, in addition to routing functionality
• Inline Transparent Mode: I want to actively protect the network by blocking or remediating potential threats
• Monitor Mode: I want to detect but not act upon potential threats
Machine / Skid Protection: Inline Transparent Mode
For use in deployments where the ability to actively protect the network is more important than traffic being affected by potential “false positives”
The machine/skid protection use case is used to segment a machine, skid or unit from the Cell/Area Zone network. This may be to support different security requirements between the larger IACS network and the machine/skid, or to restrict ingress and egress traffic.
(Diagram: CPwE plant-wide architecture, Industrial Zone Levels 0-3 below the Industrial Demilitarized Zone (IDMZ), with IFWs in transparent mode between the Cell/Area Zone industrial Ethernet switches and individual machines, skids and equipment; FireSIGHT Management Center and Cisco Security Manager in the Industrial Zone.)
Machine / Skid Protection: Inline Routed Mode
For use in deployments where the same functionality as Transparent mode is desired, but routing functionality is also required
In inline routed mode, the Stratix 5950 is placed between the distribution network and one or more groupings of automation equipment that act as machines, skids or units, to both protect and route traffic between each unit.
In each case, the Stratix 5950 acts as the ingress and egress point to a production line containing these machines/skids, where traffic can be monitored or controlled through firewall or DPI security policies.
(Diagram: the same CPwE architecture with a single IFW in routed mode between the distribution switch and the machines and skids of the Cell/Area Zone.)
Redundant Star Cell/Area Zone Protection: Inline Transparent Mode
When a redundant star network configuration is required to meet redundancy requirements, the network can be architected to support redundant Layer 2 EtherChannel links on the Stratix 5950.
For this use case, the IFW is placed between the distribution switch and the plant floor equipment.
(Diagram: the same CPwE architecture with an IFW in transparent mode between the distribution switch and a redundant star Cell/Area Zone of industrial Ethernet switches.)
Ring Cell/Area Zone Protection: Inline Transparent Mode
The Ring Cell/Area Zone protection use case is used to monitor and apply security policies to a ring. Two transparent mode IFWs are placed between the distribution switches and the ring. The IFWs are not acting as an active/standby firewall pair in this configuration; they are simply providing firewall and possibly DPI functionality on both ingress points of the network ring.
While it is a valid use case, implementing it is not recommended because of the architectural limitations of this deployment: any persistent connections that were established via a disrupted IFW will need to time out and then re-establish via the remaining IFW, resulting in communication downtime.
(Diagram: the same CPwE architecture with two IFWs in transparent mode, one at each point where the ring Cell/Area Zone connects to the distribution switches.)
Cell/Area Zone Monitoring: Passive Monitor Mode
For use in deployments where uninterrupted connectivity is more important than active network protection
The Cell/Area Zone monitoring use case is used to monitor traffic of interest without placing the Stratix 5950 directly inline with the controller, skid, machine or Cell/Area Zone of interest
A SPAN session or port mirror is created to send the traffic of interest to the Stratix 5950
(Diagram: the same CPwE architecture with one IFW in monitor mode attached to the distribution switch, alongside IFWs in transparent mode elsewhere in the Industrial Zone.)
Cell/Area Zone Monitoring: Passive Monitor Mode (continued)
The Stratix 5950 currently supports logging only the first and last packets of a persistent TCP connection between endpoints, not the individual packets within that connection. For example, the first time that RSLinx® establishes a connection and for the duration of that session, only one event will be logged.
Therefore, if this level of granularity is desired when monitoring ingress and egress traffic for the Cell/Area Zone, this deployment is not recommended.
(Diagram: same as the previous slide, with one IFW in monitor mode attached to the distribution switch.)
Converged Plantwide Ethernet (CPwE) Program
Firewalls in the CPwE Framework: Holistic Plant-wide Security
(Diagram: CPwE reference architecture showing the Enterprise Zone (Levels 4-5: Enterprise, Identity Services, External DMZ/Firewall, Internet), the Industrial Demilitarized Zone (IDMZ), and the Industrial Zone (Levels 0-3: Level 3 Site Operations with physical or virtualized servers for patch management, AV, application mirror and Remote Desktop Gateway, core switches, a distribution switch stack and an active/standby Wireless LAN Controller (WLC); Level 2 Area Supervisory Control with FactoryTalk clients; Level 1 Controllers; Level 0 Process with drives, I/O, soft starters, an MCC and 2.4 GHz / 5 GHz wireless via LWAP and WGB), with an IFW at the Cell/Area Zone boundary and Control System Engineers (OT).)
Standards: IEC 62443 - Zones & Conduits; NIST 800-82 - Protect, Detect; ICS-CERT - IDMZ
• IDMZ Firewalls create a security boundary between the Enterprise and Industrial Zone
• Industrial Firewall(s) can create security boundaries between Cell/Area Zones and even provide a granular security boundary on machines or skids.
Stratix® 5950 within a CPwE Architecture
(Diagram: Industrial Zone, Levels 0-3 (plant-wide network), below the Industrial Demilitarized Zone (IDMZ), with Stratix 5950 appliances deployed in inline transparent mode and inline routed mode, exporting NetFlow and Syslog, and integrating with ISE TrustSec.)
IFW Design & Implementation Guide: Available for Download
The Deploying Industrial Firewalls within a CPwE Architecture DIG outlines the concepts, requirements and technology solutions for application use cases that were tested, validated and documented by Cisco and Rockwell Automation to help support a hardened and converged plant-wide EtherNet/IP IACS architecture
Design Guide: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td002_-en-p.pdf
White Paper: http://literature.rockwellautomation.com/idc/groups/literature/documents/wp/enet-wp011_-en-p.pdf
What’s in the IFW DIG?
The following is a summary of the CPwE IFW CVD content:
• Industrial Firewalls Technology Overview
• Modes of operation: Inline Transparent mode, Inline Routed mode, Passive Monitor-only mode
• Network Protection (Cisco Adaptive Security Appliance) [Firewall]
• Intrusion Prevention and Detection (Cisco FirePOWER)
• Deep Packet Inspection (DPI) of the Common Industrial Protocol (CIP)
What’s in the IFW DIG? (continued)
• Application use cases
• Equipment/Machine/Skid Protection
• Cell/Area Zone Protection: Redundant Star Topology, Ring Topology
• Cell/Area Zone Monitoring
• Management Use Cases
• Local Management: Command Line Interface (CLI), Adaptive Security Device Manager
• Centralized Management: Migration from local to centralized management of industrial firewalls