Security Considerations for Machine Builders

PUBLIC INFORMATION

Agenda

Infrastructure Features

Remote Connectivity

Segmentation Approaches

Advantages Disadvantages

Managed

Switches

Unmanaged

Switches

Embedded

Switches

• Segmentation services (VLANs)

• Diagnostic information

• Security services

• Prioritization services (QoS)

• Multicast management services

• Network resiliency

• Loop prevention

• Inexpensive

• Simple to set up

• More expensive

• Requires some level of support and configuration to start up

• No management capabilities

• No security

• No diagnostic information

• Difficult to troubleshoot

• No resiliency support

• No loop prevention

• Diagnostic information

• Prioritization services (QoS)

• Time Sync Services (1588 Transparent Clock)

• Network resiliency

• Loop prevention

• Limited management capabilities

• May require minimal configuration

Switch Considerations

Topology Flexibility with EtherNet/IP

EtherNet/IP is topology neutral for maximum flexibility

HYBRID – Obtain maximum flexibility

LINEAR - Simplify cable management STAR– Connect broad range of devices

RING – Maximum availability

Why Managed Switches for Machine Networks?

Robust/future proof the control network:

Reduce risk from interference from other devices on the network

Customer support & satisfaction

Security features for Network access to the Control System:

Enabler for remote access

Customer support/satisfaction

Equipment differentiation

Diagnostic Capability:

Reduce TTM

Increase equipment differentiation

Improve customer support/satisfaction and reduce risk

Logix Interface

Rockwell Software Studio 5000® • Configuration (stored as part of project)

• Status

• Product identification

• I/O connection

• Port Status

• Alarms

• Maintenance - Save and restore

Logix Predefined Tags • Link Status

• Unauthorized device

• Threshold exceeded

• Bandwidth utilization

• Alarm relays

• Port Control

Infrastructure Security Considerations

Physical Access Security Disable unused switch ports Lock a port to only allow specific devices to be

connected Change passwords from default settings

Access Control Lists and Firewall Features Limit access to secure areas of the network. Limit access to secure services on the network Block remote access to secured devices

VLANs Simplify security enforcement by creating function

groups Segment Network by function, by user, by location, etc.

Machine Switch Best Practices

Best practices to improve

machine level Infrastructure

Security:

• Apply port security to protect open

ports on the switch

• Apply password to the switches to

prevent unauthorized changes

• Limit the size of broadcast domain

with segmentation

• Apply Security Policies to

communications coming into the

machine from outside

Machine Network Segmentation for the Plant Network

ArmorBlock® I/O

PanelView™ Plus EOI

POINT I/O™

Plant Network CompactLogix™ L36ERM

Stratix 5700™

Cisco 3750 or Stratix 8300™

PowerFlex® 525

Kinetix® 5500

Cell/Area Zone #3 Cell/Area Zone #4 Cell/Area Zone #1 Cell/Area Zone #2

Industrial Zone

Enterprise Zone Enterprise

Network

Mobile User

Lightweight AP (LWAP)

AP as Workgroup Bridge (WGB)

ERP, Email, Wide Area Network (WAN)

Catalyst 2960 Series PoE-8

COC IS

POWER OVER ETHERNET

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

Catalyst 2960 Series PoE-8

COC IS

POWER OVER ETHERNET

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

CISCO ASA 5510

POWER STATUS ACTIVE VPN FLASH

Adaptive Security Appliance

SERIES

CISCO ASA 5510

POWER STATUS ACTIVE VPN FLASH

Adaptive Security Appliance

SERIES

Cisco 4400 Series

WIRELESS LAN CONTROLLER

MODEL 4402 12 APCONSOLE

STATUS

LINK ACT

SERVICE

LINK ACT

UTILITY 1 2

ANTENNA

. Rx -Tx

zANTENNA

. Rx -Tx

zANTENNA

. Rx -Tx

zANTENNA

ANTENNA

STATUS RADIOETHERNET

C OCIS

ANTENNA

. Rx -Tx

zANTENNA

. Rx -Tx

zANTENNA

. Rx -Tx

zANTENNA

ANTENNA

STATUS RADIOETHERNET

C OCIS

STACKSPEEDDUPLXSTATMASTRRPSSYST

Catalyst 3750 SERIES

1 2 3 4 5 6 7 8 9 10 11 12

13 14 15 16 17 18 19 20 21 22 23 24

1 2 3 4

STACKSPEEDDUPLXSTATMASTRRPSSYST

Catalyst 3750 SERIES

1 2 3 4 5 6 7 8 9 10 11 12

13 14 15 16 17 18 19 20 21 22 23 24

1 2 3 4

Converged Network Segmentation

Network Address Translation

Machine 1 NAT

10.104.x.x :

192.168.1.x

Machine 2 NAT 10.104.x.x : 192.168.1.x

192.168.1.104 192.168.1.104

10.104.100.23

192.168.1.100

Within a Machine Between Machine and Line Network

Send message

to Machine 2

CMX 10.104.2.100

192.168.1.100

Connectivity to Plant Network Virtual vs. Physical Segmentation

PowerFlex 4/40 AC Drive

PV+ or PV+ Compact

Plant VLAN

10.10.10.10

CompactLogix 5370 L3 PowerFlex 4/40 AC Drive

PV+ or PV+ Compact

10.10.10.10 192.168.1.2

Virtual

• Little/No machine level switch configuration needed

• Removes “single point of failure” plant network

connectivity

• Designed to allow network services (SNMP, VPN,

DNS, DHCP)

• IP addressing must be unique at the machine level

Physical

• IP Addresses private to machine (not visible

outside of machine network)

• Clear Demarcation

• Additional cost

• Some additional complexity and management

• Multiple network identities for a single device

Machine VLAN

Remote Access Approaches

Direct to ICS

Inside-Out Terminal Services

Outside-In

modems

VPN Technology

Through IT Infrastructure

Inside-Out

Conferencing technology (WebEx)

Terminal Services

Outside-In VPN Technology

Remote Access/Asset “Technology Recommendation” Process

Technology Recommendation

Risk Mitigation

Techniques and Policies

Business Case

Assessment

Strategic Planning and Justification

Cost of Downtime

Cost to train someone locally/run a dedicated line to remote asset

# of assets exposed to remote access

Functions exposed to remote access

Safety risk/reward? If someone got this access they could potentially do this and cause

a safety issue. If I have to send someone out to this unmanned location it would pose a

risk to their safety (confined spaces, other hazards present, etc.)

Productivity improvement potential

MTTR reduction potential

Cost of Hardware

Maintenance cost

What confidential information may be at risk and how can I mitigate that risk

Impact to operations in the event of a breech and how to mitigate/recover from that

Compliance and regulatory obligations

Remote Access Technology Considerations

Speed Security Features

IT Involvement and support

Firewall Setup Needs

Unmanned Site

Hardware Costs

Service Costs Application

Needs Auditing

Capabilities

Common Technology Approaches

Application

Presentation

Session

Transport

Network

Data Link

Physical

Layer 7

Layer 6

Layer 5

Layer 4

Layer 3

Layer 2

Layer 1

TCP - UDP

IEEE 802.3

TIA - 1005

Layer Name Layer No. Function

Application Layers

Data Transport Layers

SSL/TLS

Additional Material Rockwell Automation

Networks Website: http://www.ab.com/networks/

EtherNet/IP Website: http://www.ab.com/networks/ethernet/

Publications:

ENET-UM001-EN-P EtherNet/IP Network Configuration

ENET-AP005-EN-P Embedded Switch application guide

ENET-RM002-EN-P EtherNet/IP Design Considerations

Network and Security Services Website:

http://www.rockwellautomation.com/services/networks/

http://www.rockwellautomation.com/services/security/

ODVA Website

http://www.odva.org

Additional Material Cisco and Rockwell Automation Alliance

Website

http://www.ab.com/networks/architectures.html

Design Guides

CPwE DIG

Education Series

Whitepapers

Securing Manufacturing Computer and

Controller Assets

Production Software within Manufacturing

Reference Architectures

Achieving Secure Remote Access to Plant Floor

Applications and Data

Additional Material Cisco and Rockwell Automation Alliance

Education Series Webcasts

The Trend - Network Technology and Cultural Convergence

What every IT professional should know about Plant Floor Networking

What every Plant Floor Controls Engineer should know about working with IT

Industrial Ethernet: Introduction to Resiliency

Fundamentals of Secure Remote Access

for Plant Floor Applications and Data

Securing Architectures and Applications

for Network Convergence

Available Online

http://www.ab.com/networks/architectures.html

We care what you think!

On the mobile app:

1. Locate session using

Schedule or Agenda Builder

2. Click on the thumbs up icon on

the lower right corner of the

session detail

3. Complete survey

4. Click the Submit Form button

Please take a couple minutes to complete a quick session survey to tell us how we’re doing.

Thank you!!

www.rsteched.com

Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.

PUBLIC INFORMATION

Questions?

Security Considerations for Machine Builders

Technology

SOIL CONSIDERATIONS FOR BUILDERS [Read-Only] · SOIL CONSIDERATIONS FOR BUILDERS ... individuals to determine bearing capacity or settlement ... stone (PennDOT 2A)

Robert Bosch GmbH - CASE STUDY Machine OEM …...Machine OEM uses Safety as a Competitive Advantage How machine builders unlock automation efficiencies by designing safety into machines

Considerations for Evaluation and Generalization in ... · Considerations for Evaluation and Generalization in Interpretable Machine Learning Finale Doshi-Velez* and Been Kim* August

Machine and Equipment Builders | Rockwell Automation

Top 3 Considerations for Machine Learning on Big Data

Meta Optimization: Improving Compiler Heuristics with ...steffan/carg/readings/metaopt_talk.pdf · Compiler optimization considerations (e.g. exceptions) Machine-specific considerations

SY11 - Improve your Design Effectiveness with our "NEW" OEM Building Blocks for Machine and Equipment Builders

How Machine Builders Can Transcend the Service Dilemma

Machine considerations and constraints for the Safe Injection Flag and Safe Beam Flag

How machine tool builders can implement digitalization1bb6aff6-b… · Machine tool builders are becoming familiar with the concept of digitalization and its benefits. However,

Smart Control Panel Solutions · 2016-08-29 · 2 visit Panduit Control Panel Solutions Deliver Reliable System Performance Panel builders, engineering firms, machine builders, and

Food and beverage machine builders in Serbia Food and beverage

ABB motion control and drives for machine builders, OEMs ...4 ABB motion control and drives for machine builders, OEMs and system integrators Technology highlights ABB industrial drive,

How machine tool builders can implement digitalization

Oil, Gas & Petrochemical Customer Success Stories · following industry categories: • Building Controls • Food & Pharmaceutical • Government Infrastructure • Machine Builders

Space · 2017. 3. 8. · 20 years in support for the Bulgarian machine builders Company profile 2016 CAD ltd. Space 20 years in support for the Bulgarian machine builders . Page 3

Risk with Energy and Power Design considerations for LHC Machine Protection System

Data Quality Considerations for Big Data and Machine

Solutions for Machine Builders - UCAM · PDF fileSolutions for Machine Builders. ... Clamp torque Hydraulic @ 55 Bar Nm ... Ahmedabad: Mobile: +91 - 98252 15740 Email: gujarat@ucamind.com

Integrated Architecture capabilities expanded with ...media.klinkmann.ee/news/fi/Rockwell_Automation_Update_Magazine.pdfsystem, manufacturers and machine builders ... analysis and