The Reynolds Company | Blog - CIP Security · 2019. 4. 17. · •Ensures that the target and originator are both trusted entities. • End point authentication is accomplished using

CIP Security

Luis Ramos – Solution Architect – ISA/IEC 62443 Cybersecurity ExpertApril 2019

PUBLIC | Copyright ©2019 Rockwell Automation, Inc. 2

AttackerWhat happens when someone gets into the network?

OriginalConnection

Direct Connect MonitoringData

Man-in-The Middle (MitM)


Compliance & StandardsCertified Products, Architectures and Solution Delivery

ISA/IEC 62443: Series of standards that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS).

Applies to those responsible for designing, manufacturing, implementing, or managing industrial control systems:

End-users (i.e. asset owner)

System integrators

Security practitioners

ICS product/systems vendors*Equivalence to ISO 27001 and NIST Cybersecurity Framework


ISA/IEC 62443Certified products, systems and system delivery

Series of standards that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS).

Applies to those responsible for designing, manufacturing, implementing, or managing industrial control systems:

End-users (i.e. asset owner)

System integrators

Security practitioners

ICS product/systems vendors


Industrial Security TrendsEstablished Industrial Security Standards

IEC 62443- Series of Standards - Zones & Conduits- Availability, Integrity,

Confidentiality


Holistic approachA secure application depends on multiple layers of protection and industrial security must be

implemented as a system.Defense in depthShield targets behind multiple levels of security countermeasures to reduce risk

OpennessConsideration for participation of a variety of vendors in our security solutions

FlexibilityAble to accommodate a customer’s needs, including policies & procedures

ConsistencySolutions that align with Government directives and Standards Bodies

http://images.google.com/imgres?imgurl=http://upload.wikimedia.org/wikipedia/commons/thumb/4/4c/US_Department_of_Homeland_Security_Seal.svg/360px-US_Department_of_Homeland_Security_Seal.svg.png&imgrefurl=http://commons.wikimedia.org/wiki/Image:US_Department_of_Homeland_Security_Seal.svg&h=359&w=360&sz=82&hl=en&start=1&usg=__g68ZxZ1Czwnbm-C8k0D2deynJXk=&tbnid=fqr03iu-bFLMmM:&tbnh=121&tbnw=121&prev=/images?q=department+of+homeland+security&gbv=2&hl=en


Secure Network InfrastructureNew validated architectures

Achieve infrastructure security through a common, validated system architecture leveraging the Stratix®

portfolio and Cisco security solutions.

Design and Implementation Guides: Converged Plantwide Ethernet (CPwE) Design and Implementation Guide Segmentation Methods within the Cell/Area Zone Securely Traversing IACS Data Across the Industrial Demilitarized Zone Deploying Identity Services within a Converged Plantwide Ethernet Architecture Site-to-site VPN to a Converged Plantwide Ethernet Architecture Deploying industrial firewalls within a Converged Plantwide Ethernet Architecture

Download these and more at: http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page

IDENTITYSERVICES

ENGINE

Adaptive Security Appliances

http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page


Infrastructure Configuration: SecurityPlantPAx® distributed control system

Address security concerns with step-by-step procedures for configuration of infrastructure components to meet your system requirements.

PlantPAx® System Infrastructure Configuration User Manual: Infrastructure: domain controller, active directory, windows management and network configuration

• Windows group policies with recommendations (ie. USB use policies, password complexity, time sync, etc)

• Firewall & wireless access configurations – coming soon!

• WSUS for OS patch management – coming soon!

Application user authentication with FactoryTalk® Security software

• Prescribed role-based policies (maintenance, operator, admin, etc)

• Area-based security models

Download the manual at: http://literature.rockwellautomation.com/idc/groups/literature/documents/um/proces-um001_-en-p.PDF

http://literature.rockwellautomation.com/idc/groups/literature/documents/um/proces-um001_-en-p.pdf


IACS Device HardeningHolistic Plant-wide Security

Physical procedure: Restrict Industrial Automation and Control

System (IACS) access to authorized personnel only Control panels, devices, cabling, and

control room Locks, gates, key cards Video Surveillance Other Authentication Devices (biometric,

keypad, etc.) Port Blocker (USB / RJ45)

Switch the Controller key to “RUN”

Electronic design: FactoryTalk® Security Application

Authentication and Authorization Controller Source Protection Controller Data Access Control Trusted Slot Designation

Encrypted Communications


Studio 5000® Logix DesignerContent Protection History

Password Source Protection

License Source and Execution

Version 8 Version 30Version 20


Secure with Permission Set / Restrict Slot

(All FactoryTalk Securityenabled software)


Match Project to ControllerEliminates inadvertent download



Secure Tags

Restrict tag write access by user, group or permission set



CIP Security Properties

The secure EtherNet/IP transport provides the following security attributes:

Authentication of the endpoints• Ensures that the target and originator are both trusted entities.

• End point authentication is accomplished using X.509 certificates or pre-shared keys

Data Integrity and Authentication • Ensures that the message was sent by the trusted endpoint and was not modified in transit

• Message integrity and authentication are accomplished via TLS message authentication code (HMAC)

Data Confidentiality• Optional capability to encrypt the communications, provided by the encryption algorithm that is negotiated via the TLS handshake


CIP Security™ Protocol OverviewSecure communications with EtherNet/IP™ network protocol Authentication – Helps prevents unauthorized devices from

establishing connections Integrity – Helps prevent tampering or modification of

communications Confidentiality – Helps prevent snooping or disclosure of data

Notable features: System management

Easily create and deploy security policies to many devices, all at once Micro-segmentation

Segment your automation application into smaller cell/zones. Device-based firewall

Enable/disable available ports/protocols of devices (ie./ HTTP/HTTPS) Initial Key Products

FactoryTalk® Linx software, 5580 Controllers, 1756-EN4TR communication module, and Kinetix® 5700 and PowerFlex® 755T drives

Legacy Systems Support Whitelisting – authorize specific communications based on IP address Retrofit 1756 based systems with the new 1756-EN4TR

FactoryTalk®

Policy ManagerFactoryTalk®

System Services

PC Communicationswith Ethernet/IP™ network protocol

(FactoryTalk® Linx)

Device CommunicationsWith Ethernet/IP™ network protocol(CIP Security™ protocol enabled)

System Components

Security Admin


• CIP Security™ protocol

• 10M / 100M / 1Gigabit speeds

• Integrated Motion: 256 position loops

• SD Card for firmware, configuration and fault logs

• Explicit Protected Mode

• Prevents unauthorized changes to configuration

• Device Level Ring (DLR)

• Higher performance and capacity than 1756-EN2TR

• Future:

• Redundant Adapter

• Parallel Redundancy Protocol (PRP)

• ControlLogix Redundancy

1756-EN4TR EtherNet/IP™ Communication Module


1756-EN4TR Functionality Release TargetsInitial release

1756-EN2TR 1756-EN4TRCIP Security™ Protocol -

1 GB -

Device Level Ring (DLR)

SIL 2 Application SIL 2

with 1756-5580ES Controller

SIL 3 Fail Safe with GuardLogix® controller

with GuardLogix® controller

Conformal Coated version available (K)

Extreme Temperature version available (XT)

Explicit Protected Mode FW 11.001 and above


1756-EN4TRPerformance and Capacity

1756-EN2TR 1756-EN4TRTCP Connections 128 512

CIP™ Connections 256 See below, Class 1 = 1,000; Class 3 = 528

Class 1 CIP™ Connections See above, 256 for all CIP™ Protocol 1,000

Class 3 CIP™ Connections See above, 256 for all CIP™ Protocol 528

PPS w/o CIP Security™ Protocol (class 1) 25,000 50,000

PPS w/ Integrity only (class 1) N/A 25,000

PPS w/ Integrity and Confidentiality (class 1) N/A 15,000

PPS w/o CIP Security™ Protocol (class 3) 2,000 3,700

PPS w/ Integrity only (class 3) N/A 2,700

PPS w/ Integrity and Confidentiality (class 3) N/A 1,700

Integrated Motion Axes 8 (128 for 1756-EN3TR) 256


Identity, authentication – Helps prevent unauthorized devices from establishing connections Integrity – Helps prevent tampering or modification of communications Confidentiality – Helps prevent snooping or disclosure of data Initial products, CIP™ securable products

Certificate

CIP Security™ Protocol OverviewSecure communications with EtherNet/IP™ network protocol

FactoryTalk® Linx 5580 PowerFlex® 755T Kinetix® 5700

Certificate

1756-EN4TR


Identify, authentication – Helps prevent unauthorized devices from establishing connections Integrity – Helps prevent tampering or modification of communications Confidentiality – Helps prevent snooping or disclosure of data

CIP Security™ Protocol OverviewSecure communications with Ethernet/IP™ network protocol

FactoryTalk® Linx

1756-EN4TR




FactoryTalk® Linx

Hacker is able to send commands to the controller

MiTM

1756-EN4TR


IntegrityHMAC keyed-hash message authentication code

An HMAC is attached to every message as a means to validate integrity and authenticity

The message is first “hashed” to provide integrity A mathematical function that maps a message of arbitrary size to a message of fixed size (like a checksum or CRC)

It is easy to compute the hash value for any given message

It is infeasible to generate a message from its hash (i.e., one way)

It is infeasible to modify a message without changing the hash

It is infeasible to find two different messages with the same hash

A secret key is also added to the message before it is “hashed” to provide authenticity You can’t validate the message unless you know the secret

HMAC is fast and efficient with only a minor performance impact

Device rejects messageDevice rejects messageAttacker inserted


Identify, authentication – Help prevent unauthorized devices from establishing connections Integrity – Helps prevent tampering or modification of communications Confidentiality – Helps prevent snooping or disclosure of data

FactoryTalk® Linx

Now, hacker is not able to modify data however, can still view it

1756-EN4TR



Data Confidentially Encryption can be used as a means of encoding messages or information to help prevent reading or

viewing of EtherNet/IP™ data by unauthorized parties (eavesdropping on the wire)

The encryption method is negotiated as part of the TLS/DTLS “handshake” process

It is optional Not all ICS traffic contains “secrets” that need to be safeguarded (data integrity and authenticity is typically the goal)

The added encryption will impact data throughput performance



FactoryTalk® Linx

1756-EN4TR



Zones Security zone is a logical grouping of

physical, informational, and application assets sharing common security requirements

Conduits logical grouping of communication channels,

connecting two or more zones, that share common security requirements

Zone and Conduit Models


ConfigurationFactoryTalk® Policy ManagerModeling Tool Concepts• Devices• Zones• Conduits

FactoryTalk® System ServicesPolicy Authority (Integrity, Encryption), Certificate Authority, Identity (Trust), Deployment, etc.


ConfigurationFactoryTalk® Policy ManagerModeling Tool Concepts• Devices• Zones• Conduits

FactoryTalk® System ServicesPolicy Authority (Integrity, Encryption), Certificate Authority, Identity (Trust), Deployment, etc. .

Iden

tity

& Po

licy


Deployed ModelFactoryTalk® Policy ManagerModeling Tool Concepts• Devices• Zones• Conduits

FactoryTalk® System ServicesPolicy Authority (Integrity, Encryption), Certificate Authority, Identity (Trust), Deployment, etc. .

Zone 1

Trusted® Device

Integrity

Encrypted

Whitelist

Certificate

Legend


Sample Deployment

FactoryTalk®

ViewStudio 5000®

FactoryTalk® Policy ManagerFactoryTalk® System Services


Sample Deployment

Zone 1 Zone 2

Zone PCsFactoryTalk®

ViewStudio 5000®

Con

duit

1

Con

duit

2


FactoryTalk® Policy ManagerAdding Devices


FactoryTalk® Policy ManagerZone Configuration


FactoryTalk® Policy ManagerAdding Devices


Secure configuration to the controller: Computers to Controller Secure the inbound connection via 1756-EN4TR or the 5580 itself

Use Case Scenario (Phase I)

FactoryTalk®

ViewStudio 5000®


Extend the model: Whitelist devices as appropriate Remove devices from whitelist as they become CIP™ Securable

Use Case Scenario (Phase II)

FactoryTalk®

ViewStudio 5000®


CIP Security™ Protocol OverviewSecure communications with EtherNet/IP™ network protocol Authentication – Helps prevents unauthorized devices from

establishing connections Integrity – Helps prevent tampering or modification of

communications Confidentiality – Helps prevent snooping or disclosure of data

Notable features: System management

Easily create and deploy security policies to many devices, all at once Micro-segmentation

Segment your automation application into smaller cell/zones. Device-based firewall

Enable/disable available ports/protocols of devices (ie./ HTTP/HTTPS) Initial Key Products

FactoryTalk® Linx software, 5580 Controllers, 1756-EN4TR communication module, and Kinetix® 5700 and PowerFlex® 755T drives

Legacy Systems Support Whitelisting – authorize specific communications based on IP address Retrofit 1756 based systems with the new 1756-EN4TR

FactoryTalk®

Policy ManagerFactoryTalk®

System Services

PC Communicationswith Ethernet/IP™ network protocol

(FactoryTalk® Linx)

Device CommunicationsWith Ethernet/IP™ network protocol(CIP Security™ protocol enabled)

System Components

Security Admin

Industrial Control System SecurityLuis Ramos – Solution Architect – ISA/IEC 62443 Cybersecurity Expert

April 2019

Documents

The Reynolds Company | Blog - CIP Security · 2019. 4. 17. · •Ensures that the target and originator are both trusted entities. • End point authentication is accomplished using