CIP Security

Luis Ramos – Solution Architect – ISA/IEC 62443 Cybersecurity Expert

April 2019

The Reynolds Company | Blog - CIP Security · 2019. 4. 17. · •Ensures that the target and originator are both trusted entities. • End point authentication is accomplished using




PUBLIC | Copyright ©2019 Rockwell Automation, Inc. 2

What happens when someone gets into the network?

(Diagram: an attacker on the network next to the original connection, shown in three positions: direct connect, monitoring data, and man-in-the-middle (MitM).)


Compliance & Standards: Certified Products, Architectures and Solution Delivery

ISA/IEC 62443: Series of standards that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS).

Applies to those responsible for designing, manufacturing, implementing, or managing industrial control systems:

• End-users (i.e. asset owner)
• System integrators
• Security practitioners
• ICS product/systems vendors

* Equivalence to ISO 27001 and NIST Cybersecurity Framework



Industrial Security Trends: Established Industrial Security Standards

IEC 62443
• Series of Standards
• Zones & Conduits
• Availability, Integrity, Confidentiality


• Holistic approach: A secure application depends on multiple layers of protection, and industrial security must be implemented as a system.
• Defense in depth: Shield targets behind multiple levels of security countermeasures to reduce risk.
• Openness: Consideration for participation of a variety of vendors in our security solutions.
• Flexibility: Able to accommodate a customer’s needs, including policies & procedures.
• Consistency: Solutions that align with Government directives and Standards Bodies.


Secure Network Infrastructure: New validated architectures

Achieve infrastructure security through a common, validated system architecture leveraging the Stratix® portfolio and Cisco security solutions.

Design and Implementation Guides:
• Converged Plantwide Ethernet (CPwE) Design and Implementation Guide
• Segmentation Methods within the Cell/Area Zone
• Securely Traversing IACS Data Across the Industrial Demilitarized Zone
• Deploying Identity Services within a Converged Plantwide Ethernet Architecture
• Site-to-site VPN to a Converged Plantwide Ethernet Architecture
• Deploying industrial firewalls within a Converged Plantwide Ethernet Architecture

Download these and more at: http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page

(Diagram: Identity Services Engine; Adaptive Security Appliances.)


Infrastructure Configuration: Security, PlantPAx® distributed control system

Address security concerns with step-by-step procedures for configuration of infrastructure components to meet your system requirements.

PlantPAx® System Infrastructure Configuration User Manual:

Infrastructure: domain controller, Active Directory, Windows management and network configuration
• Windows group policies with recommendations (i.e. USB use policies, password complexity, time sync, etc.)
• Firewall & wireless access configurations – coming soon!
• WSUS for OS patch management – coming soon!

Application user authentication with FactoryTalk® Security software
• Prescribed role-based policies (maintenance, operator, admin, etc.)
• Area-based security models

Download the manual at: http://literature.rockwellautomation.com/idc/groups/literature/documents/um/proces-um001_-en-p.PDF


IACS Device Hardening: Holistic Plant-wide Security

Physical procedure: Restrict Industrial Automation and Control System (IACS) access to authorized personnel only
• Control panels, devices, cabling, and control room
• Locks, gates, key cards
• Video surveillance
• Other authentication devices (biometric, keypad, etc.)
• Port blocker (USB / RJ45)
• Switch the controller key to “RUN”

Electronic design: FactoryTalk® Security Application
• Authentication and Authorization
• Controller Source Protection
• Controller Data Access Control
• Trusted Slot Designation
• Encrypted Communications


Studio 5000® Logix Designer: Content Protection History

(Timeline: Version 8, Version 20, Version 30)
• Password Source Protection
• License Source and Execution


Secure with Permission Set / Restrict Slot

(All FactoryTalk Security-enabled software)


Match Project to Controller: Eliminates inadvertent download

(All FactoryTalk Security-enabled software)


Secure Tags

Restrict tag write access by user, group or permission set

(All FactoryTalk Security-enabled software)


CIP Security Properties

The secure EtherNet/IP transport provides the following security attributes:

Authentication of the endpoints
• Ensures that the target and originator are both trusted entities.
• End point authentication is accomplished using X.509 certificates or pre-shared keys.

Data Integrity and Authentication
• Ensures that the message was sent by the trusted endpoint and was not modified in transit.
• Message integrity and authentication are accomplished via TLS message authentication code (HMAC).

Data Confidentiality
• Optional capability to encrypt the communications, provided by the encryption algorithm that is negotiated via the TLS handshake.


CIP Security™ Protocol Overview: Secure communications with EtherNet/IP™ network protocol

• Authentication – Helps prevent unauthorized devices from establishing connections
• Integrity – Helps prevent tampering or modification of communications
• Confidentiality – Helps prevent snooping or disclosure of data

Notable features:
• System management: Easily create and deploy security policies to many devices, all at once
• Micro-segmentation: Segment your automation application into smaller cells/zones
• Device-based firewall: Enable/disable available ports/protocols of devices (i.e. HTTP/HTTPS)

Initial Key Products: FactoryTalk® Linx software, 5580 Controllers, 1756-EN4TR communication module, and Kinetix® 5700 and PowerFlex® 755T drives

Legacy Systems Support:
• Whitelisting – authorize specific communications based on IP address
• Retrofit 1756-based systems with the new 1756-EN4TR

(Diagram, System Components: Security Admin; FactoryTalk® Policy Manager; FactoryTalk® System Services; PC Communications with EtherNet/IP™ network protocol (FactoryTalk® Linx); Device Communications with EtherNet/IP™ network protocol (CIP Security™ protocol enabled).)


1756-EN4TR EtherNet/IP™ Communication Module

• CIP Security™ protocol
• 10M / 100M / 1 Gigabit speeds
• Integrated Motion: 256 position loops
• SD Card for firmware, configuration and fault logs
• Explicit Protected Mode
  • Prevents unauthorized changes to configuration
• Device Level Ring (DLR)
• Higher performance and capacity than 1756-EN2TR
• Future:
  • Redundant Adapter
  • Parallel Redundancy Protocol (PRP)
  • ControlLogix Redundancy


1756-EN4TR Functionality Release Targets (Initial release)

Feature rows (columns: 1756-EN2TR, 1756-EN4TR):
• CIP Security™ Protocol: 1756-EN2TR -
• 1 GB: 1756-EN2TR -
• Device Level Ring (DLR)
• SIL 2 Application: SIL 2 with 1756-5580ES Controller
• SIL 3 Fail Safe: with GuardLogix® controller (both modules)
• Conformal Coated version available (K)
• Extreme Temperature version available (XT)
• Explicit Protected Mode: FW 11.001 and above


1756-EN4TR: Performance and Capacity

Metric | 1756-EN2TR | 1756-EN4TR
TCP Connections | 128 | 512
CIP™ Connections | 256 | See below: Class 1 = 1,000; Class 3 = 528
Class 1 CIP™ Connections | See above: 256 for all CIP™ protocol | 1,000
Class 3 CIP™ Connections | See above: 256 for all CIP™ protocol | 528
PPS w/o CIP Security™ Protocol (class 1) | 25,000 | 50,000
PPS w/ Integrity only (class 1) | N/A | 25,000
PPS w/ Integrity and Confidentiality (class 1) | N/A | 15,000
PPS w/o CIP Security™ Protocol (class 3) | 2,000 | 3,700
PPS w/ Integrity only (class 3) | N/A | 2,700
PPS w/ Integrity and Confidentiality (class 3) | N/A | 1,700
Integrated Motion Axes | 8 (128 for 1756-EN3TR) | 256


CIP Security™ Protocol Overview: Secure communications with EtherNet/IP™ network protocol

• Identity, authentication – Helps prevent unauthorized devices from establishing connections
• Integrity – Helps prevent tampering or modification of communications
• Confidentiality – Helps prevent snooping or disclosure of data

Initial products (CIP™ securable products): FactoryTalk® Linx, 5580, PowerFlex® 755T, Kinetix® 5700, 1756-EN4TR (diagram: each shown with its certificate).


CIP Security™ Protocol Overview (diagram, build-up step): FactoryTalk® Linx communicating with the 1756-EN4TR over the EtherNet/IP™ network protocol.


CIP Security™ Protocol Overview (diagram, without CIP Security): a man-in-the-middle (MiTM) sits between FactoryTalk® Linx and the 1756-EN4TR; the hacker is able to send commands to the controller.


Integrity: HMAC, keyed-hash message authentication code

An HMAC is attached to every message as a means to validate integrity and authenticity.

The message is first “hashed” to provide integrity. A hash is a mathematical function that maps a message of arbitrary size to a message of fixed size (like a checksum or CRC):
• It is easy to compute the hash value for any given message
• It is infeasible to generate a message from its hash (i.e., one way)
• It is infeasible to modify a message without changing the hash
• It is infeasible to find two different messages with the same hash

A secret key is also added to the message before it is “hashed” to provide authenticity: you can’t validate the message unless you know the secret.

HMAC is fast and efficient with only a minor performance impact.

(Diagram: an attacker-inserted message; the device rejects the message.)
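A worked illustration of the integrity-plus-authenticity argument on this slide, added here as example code (not Rockwell's code, and a stand-alone HMAC check rather than the TLS record MAC that CIP Security uses): the receiving side recomputes HMAC-SHA256 over each message and rejects anything whose tag does not verify, and a plain unkeyed hash is checked alongside to show why the secret key is what supplies authenticity. The message text, key handling and message-plus-tag framing are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed illustration: a receiving device checks an HMAC-SHA256 tag on
# every message before acting on it. The message text, key handling and the
# "message || tag" framing are made up for this example; they are not the
# EtherNet/IP or TLS record layout.

TAG_LEN = 32   # bytes of HMAC-SHA256 output appended to each message


def attach_tag(key: bytes, message: bytes) -> bytes:
    """Sender side: append HMAC(key, message) to the message."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify_and_strip(key: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver side: return the message if its tag verifies, else None (reject).

    compare_digest is constant-time, so the comparison does not leak how many
    leading bytes of the tag matched.
    """
    if len(frame) < TAG_LEN:
        return None
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(tag, expected) else None


def plain_hash_frame(message: bytes) -> bytes:
    """Integrity-only framing: message followed by an unkeyed SHA-256 digest."""
    return message + hashlib.sha256(message).digest()


def verify_plain_hash(frame: bytes) -> Optional[bytes]:
    message, digest = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return message if hashlib.sha256(message).digest() == digest else None


def demo() -> dict:
    key = secrets.token_bytes(32)             # shared only by the two trusted endpoints
    original = b"write Pump1_Setpoint=50"     # constructed request, not a real CIP frame
    frame = attach_tag(key, original)

    # Case 1: genuine message, untouched tag -> accepted.
    accepted = verify_and_strip(key, frame)

    # Case 2: message altered on the wire, tag left as-is -> rejected.
    tampered = frame[:-TAG_LEN].replace(b"=50", b"=99") + frame[-TAG_LEN:]
    altered = verify_and_strip(key, tampered)

    # Case 3: message inserted by a party that does not hold the key -> rejected,
    # even though it carries a well-formed tag under some other key.
    inserted = attach_tag(secrets.token_bytes(32), b"write Pump1_Setpoint=99")
    forged = verify_and_strip(key, inserted)

    # Case 4: the same insertion against a plain hash is accepted: a hash alone
    # gives integrity, but anyone can recompute it, so it proves nothing about
    # who sent the message. That is why the secret key is needed.
    unkeyed = verify_plain_hash(plain_hash_frame(b"write Pump1_Setpoint=99"))

    return {"accepted": accepted, "altered": altered, "forged": forged, "unkeyed": unkeyed}
```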


CIP Security™ Protocol Overview (diagram, with integrity enabled): now the hacker is not able to modify data; however, they can still view it. (FactoryTalk® Linx to 1756-EN4TR over the EtherNet/IP™ network protocol.)


Data Confidentiality

Encryption can be used as a means of encoding messages or information to help prevent reading or viewing of EtherNet/IP™ data by unauthorized parties (eavesdropping on the wire).
• The encryption method is negotiated as part of the TLS/DTLS “handshake” process
• It is optional: not all ICS traffic contains “secrets” that need to be safeguarded (data integrity and authenticity is typically the goal)
• The added encryption will impact data throughput performance


CIP Security™ Protocol Overview (diagram, after adding confidentiality): FactoryTalk® Linx to 1756-EN4TR over the EtherNet/IP™ network protocol.


Zone and Conduit Models

Zones: A security zone is a logical grouping of physical, informational, and application assets sharing common security requirements.

Conduits: A logical grouping of communication channels, connecting two or more zones, that share common security requirements.


Configuration

FactoryTalk® Policy Manager – Modeling Tool Concepts:
• Devices
• Zones
• Conduits

FactoryTalk® System Services: Policy Authority (Integrity, Encryption), Certificate Authority, Identity (Trust), Deployment, etc.



Deployed Model

FactoryTalk® Policy Manager – Modeling Tool Concepts:
• Devices
• Zones
• Conduits

FactoryTalk® System Services: Policy Authority (Integrity, Encryption), Certificate Authority, Identity (Trust), Deployment, etc.

(Diagram: Zone 1. Legend: Trusted Device, Integrity, Encrypted, Whitelist, Certificate.)


Sample Deployment

(Diagram: FactoryTalk® View, Studio 5000®, FactoryTalk® Policy Manager, FactoryTalk® System Services.)


Sample Deployment

(Diagram: Zone 1 and Zone 2; zone PCs running FactoryTalk® View and Studio 5000®; Conduit 1 and Conduit 2.)


FactoryTalk® Policy ManagerAdding Devices


FactoryTalk® Policy ManagerZone Configuration


FactoryTalk® Policy ManagerAdding Devices


Use Case Scenario (Phase I)

Secure configuration to the controller (computers to controller): secure the inbound connection via the 1756-EN4TR or the 5580 itself.

(Diagram: FactoryTalk® View, Studio 5000®.)


Use Case Scenario (Phase II)

Extend the model:
• Whitelist devices as appropriate
• Remove devices from the whitelist as they become CIP™ Securable

(Diagram: FactoryTalk® View, Studio 5000®.)
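The zone/conduit model (Zone and Conduit Models slide), the deployed-model legend (Trusted Device, Integrity, Encrypted, Whitelist, Certificate) and the Phase I/II whitelisting steps above, worked through as an added Python example. This is not Rockwell's or FactoryTalk Policy Manager's code; the class layout, device names and 192.0.2.x addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set
# Constructed model of the deck's zone/conduit concepts: devices grouped into
# zones, conduits joining two zones, integrity/encryption properties, and an IP
# whitelist for legacy devices that cannot present a certificate. Class layout,
# names and addresses are assumptions, not FactoryTalk Policy Manager's model.
@dataclass
class Device:
    name: str
    ip: str
    cip_securable: bool                 # can authenticate with an X.509 certificate

@dataclass
class Zone:
    name: str
    members: Set[str]                   # device names
    integrity: bool = True              # HMAC on every message inside the zone
    encryption: bool = False            # confidentiality is optional

@dataclass
class Conduit:
    zones: Set[str]                     # exactly two zone names
    integrity: bool = True
    encryption: bool = False
    whitelist: Set[str] = field(default_factory=set)   # legacy IPs allowed through

class PolicyModel:
    def __init__(self, devices, zones, conduits):
        self.devices, self.zones, self.conduits = {d.name: d for d in devices}, zones, conduits

    def zone_of(self, device: str) -> Optional[Zone]:
        return next((z for z in self.zones if device in z.members), None)

    def evaluate(self, src: str, dst: str) -> dict:
        """Decide whether src may talk to dst and which protection applies."""
        s, d = self.devices[src], self.devices[dst]
        zs, zd = self.zone_of(src), self.zone_of(dst)
        if zs is None or zd is None:
            return {"allowed": False, "reason": "device is not in any zone"}
        if zs is zd:
            rule = zs                   # intra-zone traffic follows the zone's policy
        else:
            rule = next((c for c in self.conduits if c.zones == {zs.name, zd.name}), None)
            if rule is None:
                return {"allowed": False, "reason": "no conduit between zones"}
        if s.cip_securable and d.cip_securable:
            # Both endpoints hold certificates, so TLS/DTLS protection applies.
            return {"allowed": True, "trust": "certificate",
                    "integrity": rule.integrity, "encryption": rule.encryption}
        legacy = s if not s.cip_securable else d
        if legacy.ip in getattr(rule, "whitelist", set()):
            # Legacy device authorised by address only: no HMAC, no encryption.
            return {"allowed": True, "trust": "whitelist",
                    "integrity": False, "encryption": False}
        return {"allowed": False, "reason": legacy.name + " is neither CIP securable nor whitelisted"}

    def make_securable(self, device: str) -> None:
        """Phase II step: once a device gains CIP Security, drop it from whitelists."""
        self.devices[device].cip_securable = True
        for c in self.conduits:
            c.whitelist.discard(self.devices[device].ip)

def build_sample() -> PolicyModel:
    """Constructed two-zone deployment: PC in Zone 1, controller and legacy drive in Zone 2."""
    devices = [Device("LinxPC", "192.0.2.10", True), Device("Ctrl5580", "192.0.2.20", True),
               Device("OldDrive", "192.0.2.30", False)]
    zones = [Zone("Zone1", {"LinxPC"}), Zone("Zone2", {"Ctrl5580", "OldDrive"})]
    conduits = [Conduit({"Zone1", "Zone2"}, encryption=True, whitelist={"192.0.2.30"})]
    return PolicyModel(devices, zones, conduits)
```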



Industrial Control System Security

Luis Ramos – Solution Architect – ISA/IEC 62443 Cybersecurity Expert

April 2019