62443 & Zero Trust Network Security
FHI event 2021
The Mega Trend: Digital Transformation of OT/ICS
3 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Legacy:
● Air-gap between OT and IT
● Legacy and proprietary OT

Today:
● IT-OT more interconnected
● Refresh OT core technology to COTS and IP-based technologies
● On-premise DC, dedicated or shared with IT

Emerging/Future:
● Adds Internet and public cloud
● Industry 4.0 IIoT use cases connecting OT devices & sensors directly to public cloud, e.g. predictive maintenance
● WAN evolution (5G, SD-WAN)
[Diagram: three views of the same network (legacy with an air-gap, today, emerging/future), each showing Internet, Enterprise Sys (IT), Control Center (OT) and OT LAN/WAN; the future view adds public cloud, 5G, Industrial Internet (Historian, SCADA, IIoT, AI/ML), IoT, and OT remote sites, substations and line/cells.]
Our Approach
Traditional network security increases technology sprawl
Operational Considerations:
● Management burden?
● Performance impact?
● Correlation of data?
● Ease of automation?
● Training cost?
● Component cost?
● Harmony with IT security infrastructure?

Network Security Device:
1. Perimeter Firewall
2. OT/ICS Firewall w/ DPI
3. IDS/IPS
4. Malware Sandbox
5. OT/IoT Asset ID
6. Cloud Firewall
7. 5G Security
8. SD-WAN Security
[Diagram: the network from the previous slide (Internet, Enterprise Sys/IT, Control Center/OT, OT LAN/WAN, public cloud, 5G, IoT) annotated with the device numbers deployed at each location, in combinations such as 1,3,4,6; 1,2,3,4; 1,3,4,8; 1,3,4,7.]
Firewall-as-a-Platform for OT - Deployment flexibility
Single architecture for all parts of today's and tomorrow's OT network:
● IT-OT, Plant, Rugged, Cloud, 5G, SD-WAN
● Consistent Zero Trust security strategy

Security functions and services:
● IT & OT DPI
● IDS/IPS
● Malware Sandboxing
● OT/IoT Asset ID
● 4G & 5G DPI

Unified central management:
● True single pane of glass management
Flexible API for 3rd-party integration:
● SIEM, SOAR, sensors, etc.

Promotes unified IT-OT security.

[Diagram: the network (Internet, Enterprise Sys/IT, Control Center/OT, OT LAN/WAN, public cloud, 5G, IoT) with Next-generation Firewalls at each segment, all under Unified Central Management and exposed through APIs.]
Segmentation Gateway: 62443 with Zero Trust
Powerful Network Segmentation with the NGFW and Services
• Maximize visibility over OT traffic
• Reduce the attack surface
• Granular inter-zone policy (L7)
• Secure mobile/internet access as allowed
• Stop known exploits, malware, C2 traffic
• Quickly discover and stop 0-day threats

[Diagram: the NGFW as a security "conduit" (ISA 62443) between Zone 1, Zone 2 and Zone 3.]
5-Step Methodology for Deploying Zero Trust
Based on the Kipling Method of Zero Trust Rule Writing
1. Define the protect surface
2. Map the transaction flows
3. Architect a Zero Trust network
4. Create Zero Trust policy
5. Monitor and maintain
The Kipling Method of Zero Trust Rule Writing

Example rule, one Kipling field per line:
WHO:    Employee on company-managed asset
WHAT:   Source code
WHEN:   Normal working hours
WHERE:  GitLab
WHY:    Job function / role
HOW:    Decryption; level of security (e.g. AV, sandbox)
ACTION: Allow? Block? MFA?

Example protect surface (DAAS):
DATA:     VIP Database
APPS:     SQL Server
ASSETS:   Server Cluster
SERVICES: Active Directory (AD)
SEGMENTATION BLUEPRINT FOR ICS & SCADA USING ZERO TRUST

Level 4, Business:
• Internet
• Data Services

Level 3.5, DMZ:
• Historian Repl
• Jump Server
• Patch Server

Level 3, Manufacturing Operations:
• Historian
• Process-specific
• Engineer Station

Level 2, Control Systems:
• HMI
• Engineer Station

Level 1, Intelligent Devices:
• PLC
• RTU
• IED

Level 0, Process:
• Physical Actuator

[Diagram: an NGFW acts as the Segmentation Gateway between each pair of levels; beside each level the diagram lists the security services applied on that conduit, drawn from behavioral analytics, sandboxing, machine learning, AV signatures, IPS/IDS and URL filtering, with the combination varying by level.]
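As an added illustration (not code from the deck or from Palo Alto Networks), a small Python policy model that joins the Kipling rule fields above with a 62443 zone/conduit check across the Purdue levels of the blueprint: a flow is dropped if no conduit joins its zones, otherwise matched against WHO/WHAT/WHERE/HOW rules, with WHEN stepping an allow up to MFA outside working hours. Zone names, rules and flows are constructed for this example.

```python
from dataclasses import dataclass
from datetime import time

# Zones follow the deck's Purdue levels; names are constructed for this example.
# Conduits (62443): traffic may only cross between adjacent levels, and the
# business network reaches OT only through the Level 3.5 DMZ.
CONDUITS = {
    ("L4_business", "L3.5_dmz"), ("L3.5_dmz", "L3_ops"),
    ("L3_ops", "L2_control"), ("L2_control", "L1_devices"),
}
WORK_HOURS = (time(7, 0), time(19, 0))   # WHEN: "normal working hours"

@dataclass
class Flow:
    who: str        # user group / role
    what: str       # application (L7), not just a port
    when: time      # time of day the session starts
    src: str        # source zone
    dst: str        # destination zone
    managed: bool   # HOW: does the session come from a company-managed asset?

# Kipling-style rules: WHO may use WHAT, WHERE (src -> dst), HOW, and the ACTION.
# Constructed rules; in practice they come from the mapped transaction flows.
RULES = [
    {"who": "engineer", "what": "hmi", "src": "L3_ops", "dst": "L2_control",
     "managed": True, "action": "allow"},
    {"who": "analyst", "what": "historian-repl", "src": "L4_business",
     "dst": "L3.5_dmz", "managed": True, "action": "allow"},
    {"who": "vendor", "what": "jump-rdp", "src": "L4_business",
     "dst": "L3.5_dmz", "managed": False, "action": "mfa"},
]

def decide(flow: Flow) -> str:
    """Return the policy verdict for one flow."""
    # No conduit between the two zones: drop before any rule is consulted.
    if (flow.src, flow.dst) not in CONDUITS:
        return "block:no-conduit"
    for r in RULES:
        key = (r["who"], r["what"], r["src"], r["dst"])
        if key != (flow.who, flow.what, flow.src, flow.dst):
            continue
        if r["managed"] and not flow.managed:
            continue            # rule demands a managed asset; keep looking
        # WHEN: an allow outside working hours is stepped up to MFA
        if r["action"] == "allow" and not (WORK_HOURS[0] <= flow.when <= WORK_HOURS[1]):
            return "mfa"
        return r["action"]
    return "block:default-deny"  # Zero Trust: nothing matched, nothing passes
```

The "no-conduit" verdict is what makes the model 62443-shaped: a business-zone client never reaches Level 3 directly, even with a matching user and application, because the only conduit from Level 4 ends in the DMZ.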
Get hands-on with our platform

aaZoo ICS Hands-on Workshop
• Hands-on labs for ICS cybersecurity using the Palo Alto Networks platform
• Virtualized ICS environment including HMIs and PLCs
• Learn how your control network is being used and what risks may exist

[Diagram: the workshop's virtual Control Network.]
Thank you
paloaltonetworks.com