T24 - New Security Features Help to Reduce Risk in Your Industrial Control System

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved. PUBLIC - 5058-CO900G



Security Threat Vectors

• Unintended employee actions
• Theft
• Unauthorized actions by employees
• Unauthorized access
• Denial of Service
• Application of patches
• Unauthorized remote access
• Natural or man-made disasters
• Sabotage
• Worms and viruses


ICS Security in the News (news screenshot; source: http://www.theregister.co.uk)


ICS Security in the News (news screenshot; source: https://www.bostonglobe.com)


Security Quality

Vendors must build security into products, with a focus on security throughout the product's lifecycle…


Security Quality: Incident Response Process

Product vulnerabilities:
• We expect them
• We plan for them
• We work to avoid them
• We support our customers

See Rockwell Automation® Knowledgebase article 54102 for up-to-date information on product vulnerabilities.

Incident response cycle: Receive Communications → Evaluate and Assess → Mitigate and Remediate → Close


Defending the Digital Architecture: Industrial Security MUST BE IMPLEMENTED AS A SYSTEM

Secure Automation and Information:
• Tamper Detection: detect and record unwanted activity and modifications to the application
• Content Protection: protect viewing, editing, and use of specific pieces of control system content
• Access Control and Policy Management: control who, what, where and when access is allowed, to which application and device
• Secure Network Infrastructure: control access to the network, and detect unwanted access and activity


Secure Automation and Information: Capability Overview

Capabilities:
• Validated Architectures
• Stratix™ Portfolio
• Network and Security Services
• Logix Source Protection
• Data Access Control
• FactoryTalk Security
• Firmware Digital Signatures
• Auditing with FactoryTalk® AssetCentre
• Change Detection and Logging for Controllers
• High Integrity Add-On Instructions

The slide places these under the same four pillars:
• Tamper Detection: detect and record unwanted activity and modifications to the application
• Content Protection: protect viewing, editing, and use of specific pieces of control system content
• Access Control and Policy Management: control who, what, where and when access is allowed, to which application and device
• Secure Network Infrastructure: control access to the network, and detect unwanted access and activity

New Symantec Partnership
New Tempered Networks Partnership


Secure Network Infrastructure: New Validated Architectures

Achieve infrastructure security through a common, validated system architecture leveraging the Stratix™ portfolio and Cisco security solutions.

Design and Implementation Guides:
• Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (2011)
• Segmentation Methods within the Cell/Area Zone (2013)
• Securely Traversing IACS Data Across the Industrial Demilitarized Zone (2015)
• Deploying Identity Services within a Converged Plantwide Ethernet Architecture (2015)
• Site-to-site VPN to a Converged Plantwide Ethernet Architecture (2015)

Download these and more at:
http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page


Content Protection: License Based Source Protection (Coming Soon!)

• Access to selected Routines and Add-On Instructions can be controlled using Licenses
• Licenses are managed by the content owner using a web-based application, and reside on secure USB devices


Access Control: Application Access Control with FactoryTalk Security

Use FactoryTalk® Security to manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation® software applications to access automation devices.

How does it work? FactoryTalk Security provides a centralized authority that verifies the identity of each user and grants or denies user requests to perform a particular set of actions on resources within the system:
• Authenticate the user
• Authorize use of applications
• Authorize access to specific devices

(Diagram: FactoryTalk Directory, used by all FactoryTalk Security enabled software)


FactoryTalk Temporary Users (new in the latest version of Studio 5000)

Use FactoryTalk® Temporary Users to temporarily give someone access to the privileges of another user group.


Permission Sets for Securing Projects (new in the latest version of Studio 5000)

Secure a project file with a Permission Set to use the same policies for many controllers.


Permission Sets for Securing Objects (new in the latest version of Studio 5000)

Apply Permission Sets to Routines, Add-On Instructions and Tags to have different policies for different components.


Guest User Access (new in the latest version of Studio 5000)

With Guest Users, grant limited permissions to users who aren’t members of your FactoryTalk® Directory.


Secondary Security Authority (new in the latest version of Studio 5000)

Guest Users can further limit access to a project file with a Secondary Security Authority.
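A small Python model of the access-control concepts on the preceding Studio 5000 / FactoryTalk Security slides (a permission set on the project file, tighter permission sets on individual routines, Add-On Instructions or tags, guest users outside the directory, and temporary users whose extra group expires). This is an added illustration, not Rockwell Automation code; the class names, the sample users and the rule that an object's permission set overrides the project's are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed, simplified model of the concepts on these slides: a directory of
# users and groups, permission sets on a project and on individual objects, guest
# users outside the directory, and temporary users. Names and the "object policy
# overrides project policy" precedence are assumptions, not FactoryTalk semantics.

@dataclass
class PermissionSet:
    name: str
    allow: dict  # group name -> set of permitted actions

@dataclass
class Directory:
    members: dict = field(default_factory=dict)      # user -> set of groups
    temporary: dict = field(default_factory=dict)    # user -> (group, expires_at)
    guest_actions: set = field(default_factory=set)  # limited rights for non-members

    def effective_groups(self, user, now):
        groups = set(self.members.get(user, ()))
        grant = self.temporary.get(user)
        if grant is not None and now < grant[1]:  # temporary grant still valid
            groups.add(grant[0])
        return groups

@dataclass
class Project:
    permission_set: PermissionSet                    # policy for the whole project file
    object_sets: dict = field(default_factory=dict)  # "AOI:MotorControl" -> PermissionSet

def is_allowed(directory, project, user, action, obj=None, now=None):
    """True if `user` may perform `action` on `obj` (or on the project file)."""
    now = now or datetime.now()
    if user not in directory.members and user not in directory.temporary:
        return action in directory.guest_actions  # guest user: only the limited rights
    policy = project.object_sets.get(obj, project.permission_set)
    groups = directory.effective_groups(user, now)
    return any(action in policy.allow.get(g, ()) for g in groups)

def build_demo():
    """Constructed sample data; returns (directory, project, now)."""
    now = datetime(2015, 11, 18, 9, 0)
    machine = PermissionSet("MachinePolicy", {"Engineers": {"view", "edit", "download"},
                                              "Operators": {"view"}})
    protected = PermissionSet("ProtectedAOI", {"Engineers": {"view"}})  # tighter than project
    directory = Directory(members={"alice": {"Engineers"}, "bob": {"Operators"}},
                          temporary={"bob": ("Engineers", now + timedelta(hours=8))},
                          guest_actions={"view"})
    return directory, Project(machine, {"AOI:MotorControl": protected}), now
```

In the sample data, bob can edit the project only while his temporary Engineers grant is valid, alice can view but not edit the protected Add-On Instruction, and the guest carol is limited to viewing.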


Support for Disconnected Environments (new in the latest version of Studio 5000)

(Diagram labels: Network 1 with FactoryTalk® Directory and Active Directory; VPN; Field Engineer Laptop; Network 2 with a project file that is secured by the Machine Builder and a controller that is secured by the Machine Builder)


Sources of Risk (chart; source: The State of Security in Control Systems Today, SANS Institute)


Sources of Risk (chart; source: Common Cybersecurity Vulnerabilities in Industrial Control Systems, Department of Homeland Security Control Systems Security Program)


New Encompass™ Partner - Symantec

Symantec Embedded Security: Critical System Protection
• Great for helping to protect PCs that can’t be frequently updated
• Completely policy driven (no signatures)
• Features application whitelisting, sandboxing, host firewall, file protection and monitoring, and more


Tempered Networks

• Network segmentation using private overlay networks on top of untrusted infrastructure
• Private networks can be mapped to users and/or devices
• Leverages HIPswitches and a centralized HIPConductor without any changes to existing infrastructure


Industrial Security Resources

Security-enhanced Products and Technologies: Rockwell Automation® products and technologies with security capabilities that help increase overall control system security.
http://www.rockwellautomation.com/security

EtherNet/IP Plantwide Reference Architectures: control system validated designs and security best practices that complement recommended layered security/defense-in-depth measures.
http://www.ab.com/networks/architectures.html

Network & Security Services (NSS): Rockwell Automation consulting specialists that conduct security risk assessments and make recommendations for how to avert risk and mitigate vulnerabilities.
http://www.rockwellautomation.com/services/security


Connect with us.

www.rockwellautomation.com

Questions?