Date post: | 23-Apr-2018 |
Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved.
T22 - Industrial Control System Security
Holistic Approach

• Defense in Depth: Shield targets behind multiple levels of security countermeasures to reduce risk
• Openness: Consideration for participation of a variety of vendors in our security solutions
• Flexibility: Able to accommodate a customer's needs, including policies & procedures
• Consistency: Solutions that align with Government directives and Standards Bodies

A secure application depends on multiple layers of protection, and industrial security must be implemented as a system.
The Approach

Strategic:
• Develop an OT cyber security program
• Adopt an industry framework
• Understand business drivers and risk tolerances to drive target profiles
• Conduct assessments to develop an understanding of gaps
• Create an improvement plan to drive the tactical approach

Tactical:
• Execute on filling gaps as defined and prioritized in the strategic approach
• Use validated designs and architectures
• Implement pre-engineered infrastructure and software solutions to achieve targets
Methodology
Securing your operations environments with a risk-based approach
ISA/IEC 62443: Certified Products, Systems and System Delivery

A series of standards that define procedures for implementing electronically secure industrial automation and control systems (IACS).

Applies to those responsible for designing, manufacturing, implementing, or managing industrial control systems:
• End-users (for example, asset owners)
• System integrators
• Security practitioners
• ICS product/systems vendors
Recent Events

https://www.wired.com/story/crash-override-malware/
https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/

• The frequency of malware attacks is rapidly increasing
• Phishing attacks are the #1 delivery mechanism
• Increasing levels of adaptation and scalability
Typical Access Points

• Remote access
• Modems
• Business system connectivity
• USB and portable media
• Mobile PCs and devices

People are the weakest link!

(Diagram: access points mapped onto the plant network levels L0/1, L2, L3, IDMZ and L4)
Our Plan of Attack
Harden the endpoints
Secure the infrastructure
Detect and monitor
Secure Infrastructure
1. Establish the perimeter
2. Harden the interior
3. Prevent & contain
Secure Network Infrastructure: Validated Architectures

Help achieve infrastructure security through a common, validated system architecture leveraging the Stratix portfolio and Cisco security solutions.

Design and Implementation Guides:
• Converged Plantwide Ethernet (CPwE) Design and Implementation Guide
• Segmentation Methods within the Cell/Area Zone
• Securely Traversing IACS Data Across the Industrial Demilitarized Zone
• Deploying Identity Services within a Converged Plantwide Ethernet Architecture
• Site-to-site VPN to a Converged Plantwide Ethernet Architecture
• Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture

Download these and more at: http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page

(Diagram: Identity Services Engine and Adaptive Security Appliances within the architecture)
The Stratix® Portfolio: Integrating Industrial and Enterprise Environments

• Leverage managed switches to build out robust networks that can manage ACLs, VLANs, and QoS policies
• Implement industrial firewalls (Stratix® 5950) to isolate critical systems
Connectivity Considerations: Data Diodes

Data diodes provide more secure one-way data transfer. They enable data to move out of control system networks without allowing any data in, for:
• View-only OPC
• View-only screen sharing
• Historian replication
• Backups

Allow tightly controlled movement of data into control system networks for needed files, patches and software updates.
Connectivity Considerations: Private Overlay Networks

• Network segmentation using private overlay networks on top of untrusted infrastructure
• Private networks can be mapped to users and/or devices
• Requires no changes to existing infrastructure
• Leverages HIPswitches and a centralized HIPConductor
Harden the Endpoints
1. User access control for endpoints and applications
2. Authorize appropriate software and devices
3. Establish a patching procedure
Hardened PCs and Servers: System Infrastructure Configuration User Manual

• Infrastructure: domain controller, Active Directory, Windows management and
• Windows group policies with recommendations (e.g. USB use policies, password complexity, time sync, etc.)
• WSUS for OS patch management (coming soon)
• Application user authentication with FactoryTalk® Security
• Prescribed role-based policies (maintenance, operator, admin, etc.)
• Area-based security models

Download the manual at: http://literature.rockwellautomation.com/idc/groups/literature/documents/um/proces-um001_-en-p.pdf
Application Whitelisting: Symantec Embedded Security: Critical System Protection

• Great for helping to protect PCs that can't be frequently updated
• Completely policy driven, no signatures
• Features include: application whitelisting, sandboxing, host firewall, file protection, monitoring, and more
User Access Control and Authorization: FactoryTalk® Security

• Provides a centralized authority to verify the identity of each user
• Active Directory integration
• Disconnected environment support
• Grants or denies a user's request to perform a particular set of actions on resources within the system

Functions:
• Authenticate the user
• Authorize use of applications
• Authorize configuration access to controllers

New in version 28:
• Temporary Privilege Escalation
• Guest User Access
• Reusable Permission Sets (Routines, Add-On Instructions, and Tags)
• Secondary Security Authority
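The authorization model on this slide (a central authority that grants or denies actions on resources, role-based permission sets, area-based scoping, and time-limited privilege escalation) is easy to misbuild, typically by letting an escalation apply everywhere or never expire. The following is an added example written for this page, not FactoryTalk Security code; the role names, actions, areas and timestamps are constructed for the illustration.

```python
"""Role- and area-based authorization with temporary privilege escalation.

Added example illustrating the access-control model described on the slide.
Not FactoryTalk Security code; roles, actions and areas are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Reusable permission sets: role -> resource kind -> actions permitted.
PERMISSION_SETS = {
    "operator":    {"controller": {"view", "change_setpoint"}},
    "maintenance": {"controller": {"view", "change_setpoint", "go_online", "force_io"}},
    "engineer":    {"controller": {"view", "change_setpoint", "go_online", "force_io", "download"}},
    "admin":       {"controller": {"view", "go_online", "download"}, "security": {"edit_policy"}},
}

@dataclass
class User:
    name: str
    role: str
    areas: set                                   # plant areas the base role applies to
    escalations: list = field(default_factory=list)  # (role, area, expires_at)

@dataclass(frozen=True)
class Resource:
    kind: str                                    # e.g. "controller"
    area: str                                    # e.g. "Line1"

def grant_temporary(user: User, role: str, area: str, minutes: int, now: datetime) -> None:
    """Temporary privilege escalation: one higher role, one area, fixed expiry."""
    user.escalations.append((role, area, now + timedelta(minutes=minutes)))

def effective_roles(user: User, resource: Resource, now: datetime) -> set:
    """Base role counts only inside the user's areas; escalations only while unexpired."""
    roles = set()
    if resource.area in user.areas:
        roles.add(user.role)
    for role, area, expires in user.escalations:
        if area == resource.area and now < expires:
            roles.add(role)
    return roles

def authorize(user: User, action: str, resource: Resource, now: datetime) -> bool:
    """Default deny: some effective role must grant the action on this resource kind."""
    for role in effective_roles(user, resource, now):
        if action in PERMISSION_SETS.get(role, {}).get(resource.kind, set()):
            return True
    return False

def demo() -> dict:
    t0 = datetime(2018, 4, 23, 8, 0)
    op = User("jsmith", "operator", {"Line1"})
    plc_line1 = Resource("controller", "Line1")
    plc_line2 = Resource("controller", "Line2")
    results = {
        "operator_view_own_area": authorize(op, "view", plc_line1, t0),
        "operator_view_other_area": authorize(op, "view", plc_line2, t0),
        "operator_download_denied": authorize(op, "download", plc_line1, t0),
    }
    # Escalate to engineer on Line1 for 30 minutes, e.g. a supervised program download.
    grant_temporary(op, "engineer", "Line1", 30, t0)
    results["escalated_download"] = authorize(op, "download", plc_line1, t0 + timedelta(minutes=10))
    results["escalation_wrong_area"] = authorize(op, "download", plc_line2, t0 + timedelta(minutes=10))
    results["escalation_expired"] = authorize(op, "download", plc_line1, t0 + timedelta(minutes=31))
    return results

if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:28s} {'ALLOW' if allowed else 'DENY'}")
```

The two details worth copying are that the escalation is scoped to a single area and carries an expiry checked on every decision, and that the decision function is default-deny: a role or resource kind missing from the permission table yields a denial rather than an exception or an implicit allow.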
Asset Inventory & Patch Management: FactoryTalk® AssetCentre

Reduce the time it takes to get lifecycle information: export the asset inventory to the Product Compatibility and Download Center (PCDC).
Disaster Recovery: FactoryTalk® AssetCentre

Disaster Recovery can optionally be configured to create a new archive version when a difference is detected.

1. Compares the image or code to the master file in the archive
2. Detects differences and generates an event to FactoryTalk® AssetCentre
3. Sends an email containing the difference report to users

(Diagram: Version 10 vs. Version 11)
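The three steps above are a baseline-compare loop: hash the upload against the master, produce a human-readable difference report when the hashes differ, raise an event and optionally archive the upload as the next version. Below is an added example of that loop written for this page; it is not FactoryTalk AssetCentre code, and the device name and the ladder-logic text export it compares are constructed for the illustration.

```python
"""Archive-based change detection with a difference report (added example).

Not FactoryTalk AssetCentre code; the program text and device are constructed.
"""
import difflib
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Archive:
    device: str
    versions: list = field(default_factory=list)   # list of (version_no, program_text)
    events: list = field(default_factory=list)     # events raised on detected differences

    @property
    def master(self) -> str:
        return self.versions[-1][1]

    @property
    def master_version(self) -> int:
        return self.versions[-1][0]

def fingerprint(text: str) -> str:
    """Stable hash of the program text; equal hashes mean nothing to inspect."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def compare_to_master(archive: Archive, uploaded: str) -> List[str]:
    """Step 1: compare the upload to the master; empty list means identical."""
    if fingerprint(uploaded) == fingerprint(archive.master):
        return []
    return list(difflib.unified_diff(
        archive.master.splitlines(), uploaded.splitlines(),
        fromfile=f"{archive.device} v{archive.master_version} (master)",
        tofile=f"{archive.device} upload", lineterm=""))

def process_upload(archive: Archive, uploaded: str, create_new_version: bool = True) -> Optional[dict]:
    """Steps 2 and 3: on a difference, raise an event carrying the report; optionally archive a new version."""
    diff = compare_to_master(archive, uploaded)
    if not diff:
        return None
    event = {
        "device": archive.device,
        "master_version": archive.master_version,
        "master_sha256": fingerprint(archive.master),
        "upload_sha256": fingerprint(uploaded),
        "report": "\n".join(diff),             # body of the e-mail sent to users
    }
    if create_new_version:
        archive.versions.append((archive.master_version + 1, uploaded))
        event["new_version"] = archive.master_version
    archive.events.append(event)
    return event

def demo() -> Optional[dict]:
    # Constructed ladder-logic export, one rung per line; not a real controller program.
    v10 = "\n".join([
        "RUNG 0: XIC Start_PB XIO Stop_PB OTE Motor_Run",
        "RUNG 1: XIC Motor_Run TON Run_Timer 5000",
        "RUNG 2: XIC Run_Timer.DN OTE Pump_Enable",
    ])
    # The uploaded copy has a shortened timer preset and the stop button bypassed.
    uploaded = v10.replace("TON Run_Timer 5000", "TON Run_Timer 500").replace(" XIO Stop_PB", "")
    archive = Archive(device="Line1_PLC", versions=[(10, v10)])
    return process_upload(archive, uploaded)

if __name__ == "__main__":
    ev = demo()
    if ev is None:
        print("No change detected")
    else:
        print(f"Change on {ev['device']}: v{ev['master_version']} -> v{ev['new_version']}")
        print(ev["report"])
```

Hashing first keeps the common no-change case cheap; the line-level diff is only produced when a difference exists, and the event records both hashes so the report can be tied back to the exact archived versions later.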
Detection and Monitoring
1. Alert on anomalous behavior
2. Identify known threats
3. Provide an audit trail to support analysis
4. Measure on-going compliance to policy
Network Security Appliances: Stratix® 5950 Security Appliance

A strategic collaboration between Cisco and Rockwell Automation®.

• Industrially hardened; DIN rail mount
• Connectivity options: four 1 Gb copper ports, or two 1 Gb copper ports and two SFP ports
• Based on recognized and proven technologies: Adaptive Security Appliance for firewall and VPN, Sourcefire FirePOWER for inspection and detection, enhanced with OT context for protocols, behaviors and features

Key features:
• Deep Packet Inspection for ICS protocols
• Threat & application update service
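What "Deep Packet Inspection for ICS protocols" buys over a port-based firewall rule is that the appliance parses the industrial protocol, classifies the operation (read, write, diagnostic) and applies a per-device policy to it. The following added example shows that mechanic; it is not the Stratix 5950 / FirePOWER inspection engine and does not implement Rockwell's CIP inspection. Modbus/TCP is used because its framing is small and public, and the device roles, policy and sample frames are constructed for the illustration.

```python
"""ICS-protocol deep packet inspection illustrated with Modbus/TCP (added example).

Not the Stratix 5950 / FirePOWER engine; roles, policy and frames are constructed.
"""
import struct
from dataclasses import dataclass

READ_FUNCTIONS = {1, 2, 3, 4}               # read coils / discrete inputs / registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}    # write coils/registers, mask write, read/write
DIAGNOSTIC_FUNCTIONS = {8, 43}              # diagnostics, encapsulated interface transport

# Hypothetical asset roles and the function codes each role may send to a controller.
ASSET_ROLES = {"10.10.2.10": "hmi", "10.10.2.20": "engineering_ws"}
ROLE_POLICY = {
    "hmi": READ_FUNCTIONS | {6, 16},        # reads plus register writes for setpoints
    "engineering_ws": READ_FUNCTIONS | WRITE_FUNCTIONS | DIAGNOSTIC_FUNCTIONS,
}

@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit, func = struct.unpack("!HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:            # length field covers unit id + PDU
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return ModbusRequest(tid, unit, func, frame[8:])

def describe(req: ModbusRequest) -> str:
    """Decode single coil/register writes so the alert says what was changed."""
    if req.function in (5, 6) and len(req.data) >= 4:
        addr, value = struct.unpack("!HH", req.data[:4])
        return f"fc{req.function} addr={addr} value=0x{value:04x}"
    return f"fc{req.function}"

def inspect(src_ip: str, frame: bytes) -> tuple:
    """Return (verdict, reason): 'allow', or 'block' with the reason for the log."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return "block", f"malformed: {err}"
    role = ASSET_ROLES.get(src_ip)
    if role is None:
        return "block", f"unknown asset {src_ip} sent {describe(req)}"
    if req.function not in ROLE_POLICY[role]:
        return "block", f"{role} {src_ip} not permitted {describe(req)} to unit {req.unit_id}"
    return "allow", f"{role} {src_ip} {describe(req)} to unit {req.unit_id}"

def build(tid: int, unit: int, func: int, *words: int) -> bytes:
    """Construct a sample request frame; MBAP length = unit id + function + data."""
    data = struct.pack("!" + "H" * len(words), *words)
    return struct.pack("!HHHBB", tid, 0, 2 + len(data), unit, func) + data

# Constructed sample traffic, not a capture.
SAMPLES = [
    ("10.10.2.10", build(1, 1, 3, 0, 10)),          # HMI reads 10 holding registers
    ("10.10.2.10", build(2, 1, 5, 7, 0xFF00)),      # HMI forces coil 7 ON (not in its policy)
    ("10.10.2.20", build(3, 1, 5, 7, 0xFF00)),      # engineering workstation does the same
    ("10.10.9.99", build(4, 1, 3, 0, 1)),           # unknown host reads one register
    ("10.10.2.10", b"\x00\x05\x00\x00\x00\x20\x01\x03\x00\x00"),  # length field lies
]

def run_samples() -> list:
    return [inspect(src, frame) for src, frame in SAMPLES]

if __name__ == "__main__":
    for verdict, reason in run_samples():
        print(f"{verdict:5s} {reason}")
```

Two points carry over to any ICS DPI deployment: the parser validates the length field before trusting the payload, so a truncated or padded frame is blocked rather than misclassified, and the policy is keyed on the operation, not just the port, so the same TCP/502 conversation can be allowed for reads and blocked for a coil force from a device that has no business forcing coils.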
Managed Anomaly Detection

(Diagram: Line 1, Line 2 and Line 3 feed an individually managed site appliance, which reports to centrally managed services covering both OT assets and IT assets; 24x7 monitoring and response by trained IT/OT professionals; security and operational alerts and events)

Security and Operational Monitoring

Capabilities:
• Behavioral anomaly detection
• Active change detection
• Alert on operational and security events
• Incident response services

Benefits:
• Validate operational tasks to reduce risk and maintain process integrity
• Near real-time detection of cyber threats
• Recover from security incidents with highly trained professionals
• Reduce risk of downtime with 24x7 response

Asset Monitoring

Capabilities:
• Comprehensive asset inventorying
• Passive network monitoring
• Vendor and protocol agnostic
• Deep network analysis

Benefits:
• Continuous monitoring without interrupting production
• Single solution for many ICS vendors
• Collect information on how assets are configured, communicate and change
• Discover issues with full visibility of ICS networks
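The asset-monitoring and behavioral-anomaly-detection capabilities above share one mechanic: observe flows passively, learn which assets exist and which conversations are normal, then alert on anything outside that baseline without ever sending a packet onto the control network. The following is an added example of that mechanic written for this page, not the managed service's software; the flow records, address plan and the learning/monitoring windows are constructed for the illustration.

```python
"""Passive baseline-and-alert monitoring for an ICS network (added example).

Not the managed service's code; flows and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import List, NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int

# Well-known industrial and IT ports, used only to label what a device speaks.
PORT_LABELS = {("tcp", 502): "Modbus/TCP", ("tcp", 44818): "EtherNet/IP explicit",
               ("udp", 2222): "EtherNet/IP implicit I/O", ("tcp", 20000): "DNP3",
               ("tcp", 3389): "RDP", ("tcp", 445): "SMB"}

@dataclass
class Baseline:
    assets: set = field(default_factory=set)
    conversations: set = field(default_factory=set)   # Flow tuples seen during learning
    protocols: dict = field(default_factory=dict)     # destination asset -> labels seen

def label(flow: Flow) -> str:
    return PORT_LABELS.get((flow.proto, flow.dport), f"{flow.proto}/{flow.dport}")

def learn_baseline(flows: List[Flow]) -> Baseline:
    """Learning window: everything observed becomes 'normal', so review it before trusting it."""
    b = Baseline()
    for f in flows:
        b.assets.update((f.src, f.dst))
        b.conversations.add(f)
        b.protocols.setdefault(f.dst, set()).add(label(f))
    return b

def detect(baseline: Baseline, flows: List[Flow]) -> List[dict]:
    """Monitoring window: alert on new assets, new protocol use, and new conversations."""
    alerts = []
    for f in flows:
        if f in baseline.conversations:
            continue                                  # seen during learning, nothing to say
        new_assets = [a for a in (f.src, f.dst) if a not in baseline.assets]
        if new_assets:
            alerts.append({"type": "new_asset", "assets": new_assets, "flow": f})
        elif label(f) not in baseline.protocols.get(f.dst, set()):
            alerts.append({"type": "new_protocol_to_asset", "asset": f.dst,
                           "protocol": label(f), "flow": f})
        else:
            alerts.append({"type": "new_conversation", "flow": f})
    return alerts

# Constructed learning window: HMI and historian polling two controllers, one I/O connection.
LEARN = [Flow("10.10.2.10", "10.10.3.1", "tcp", 44818), Flow("10.10.2.10", "10.10.3.2", "tcp", 44818),
         Flow("10.10.2.30", "10.10.3.1", "tcp", 44818), Flow("10.10.3.1", "10.10.3.50", "udp", 2222)] * 20

# Constructed monitoring window: normal traffic plus three things that should not be there.
MONITOR = LEARN[:8] + [
    Flow("10.10.9.77", "10.10.3.1", "tcp", 44818),    # never-seen laptop talks CIP to a controller
    Flow("10.10.2.30", "10.10.3.1", "tcp", 502),      # historian starts speaking Modbus to the PLC
    Flow("10.10.2.30", "10.10.3.2", "tcp", 44818),    # two known assets that never talked before
]

def run() -> List[dict]:
    return detect(learn_baseline(LEARN), MONITOR)

if __name__ == "__main__":
    for a in run():
        print(a["type"], a["flow"])
```

The ordering of the checks is deliberate: a new asset is reported as such even when the protocol is familiar, a known asset using a protocol it never used before is called out separately from a merely new pairing, and nothing is active. In a real deployment the learning window would be reviewed by someone who knows the process before it is promoted to the baseline, since anything already compromised during learning is silently accepted as normal.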
Compliance and Reporting: Tripwire Configuration Compliance Manager (CCM)

• Audit industrial automation networks and controllers for more secure and approved configurations
• Identify unauthorized changes, configuration hardening errors and security vulnerabilities
• Layer on top of a standard implementation of FactoryTalk® AssetCentre for greater visibility into industrial automation applications
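The three finding classes named above (unauthorized changes, hardening errors, security vulnerabilities) come from three different comparisons: collected configuration against the approved copy in the archive, collected configuration against hardening rules, and installed firmware against a list of versions with published advisories. Below is an added example of such an audit written for this page; it is not Tripwire CCM or AssetCentre code, and the configuration keys, approved values, firmware strings and collected data are constructed for the illustration.

```python
"""Configuration compliance audit against an approved baseline (added example).

Not Tripwire CCM or AssetCentre code; keys, values and assets are constructed.
"""
from typing import Callable, Dict, List

# Approved (golden) configuration per asset, as it would be held in the archive.
APPROVED: Dict[str, Dict[str, object]] = {
    "Line1_PLC": {"firmware": "30.011", "keyswitch": "RUN", "web_server": False},
    "Cell1_SW": {"firmware": "15.2(7)E4", "telnet": False, "snmp_community": "r0ck-ro"},
}

# Firmware versions with a published advisory; placeholder values for the example.
VULNERABLE_FIRMWARE: Dict[str, set] = {"Line1_PLC": {"20.011"}, "Cell1_SW": set()}

# Hardening rules: rule name -> predicate that must hold over the collected configuration.
HARDENING: Dict[str, Callable[[dict], bool]] = {
    "keyswitch_not_remote": lambda c: c.get("keyswitch", "RUN") != "REM",
    "no_telnet": lambda c: not c.get("telnet", False),
    "no_default_snmp": lambda c: c.get("snmp_community", "") not in ("public", "private"),
    "web_server_off": lambda c: not c.get("web_server", False),
}

def audit(asset: str, collected: dict) -> List[dict]:
    findings = []
    # 1. Unauthorized change: any collected value that differs from the approved one.
    for key, approved_value in APPROVED.get(asset, {}).items():
        if collected.get(key) != approved_value:
            findings.append({"asset": asset, "class": "unauthorized_change", "item": key,
                             "approved": approved_value, "actual": collected.get(key)})
    # 2. Hardening error: a rule fails, regardless of what the archive says is approved.
    for rule, holds in HARDENING.items():
        if not holds(collected):
            findings.append({"asset": asset, "class": "hardening_error", "item": rule})
    # 3. Security vulnerability: installed firmware is on the known-affected list.
    if collected.get("firmware") in VULNERABLE_FIRMWARE.get(asset, set()):
        findings.append({"asset": asset, "class": "vulnerability", "item": "firmware",
                         "actual": collected["firmware"]})
    return findings

# Constructed collection results: the PLC was downgraded and left in REM, the switch opened up.
COLLECTED = {
    "Line1_PLC": {"firmware": "20.011", "keyswitch": "REM", "web_server": False},
    "Cell1_SW": {"firmware": "15.2(7)E4", "telnet": True, "snmp_community": "public"},
}

def run_audit() -> Dict[str, List[dict]]:
    return {asset: audit(asset, cfg) for asset, cfg in COLLECTED.items()}

if __name__ == "__main__":
    for asset, findings in run_audit().items():
        for f in findings:
            print(f"{asset:10s} {f['class']:20s} {f['item']} {f.get('actual', '')}")
```

Keeping the approved copy, the hardening rules and the advisory list as separate inputs matters: a change can be approved yet still violate a rule (the archive was updated with a weak setting), and a device can match its approved configuration exactly while running firmware that has since received an advisory.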
Industrial Security Landing Web Page
http://rockwellautomation.com/security

Security Resources:
• Security Advisory Index
• Microsoft Patch Qualification
• Reference Architectures
• Services
• Security Technology
• Security FAQ