PUBLIC
Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved.

Consumer Industry Day
Importance of network structure and cyber security

Arno den Elzen
Date – 31st January 2017


Agenda

Actionable steps for customers

Cyber Security Threats

Overview Stratix series

Rockwell Automation Network standardisation


Logical Model ISA 95 – Controlling Access to the Industrial Zone

Logical Model ISA 95 – Industrial Automation and Control System (IACS) – Connect to Company Enterprise System

Enterprise Security Zone
• Level 5 – Enterprise Network
• Level 4 – Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)

Industrial DMZ (bounded by two Firewalls; traffic types shown: Web, E-Mail, CIP)
• Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server

Industrial Security Zone
• Level 3 – Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, VSE Remote Access Client

Cell/Area Zone
• Level 2 – Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
• Level 1 – Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
• Level 0 – Process: Sensors, Drives, Actuators, Robots
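The zone model on this slide lends itself to a mechanical review of proposed conduits. The following Python is an added example, not code from the deck or from Rockwell Automation; it encodes the Levels 0–5 / IDMZ model shown above and assumes, following CPwE guidance rather than anything stated on the slide, that CIP traffic never leaves the Industrial Zone.

```python
"""Zone/conduit check for an ISA-95 / CPwE plant network (added example,
not Rockwell's code).  Levels 0-3 form the Industrial Zone, Levels 4-5
the Enterprise Zone, and the IDMZ sits between them."""
from collections import namedtuple

IDMZ = "IDMZ"  # marker for hosts inside the Industrial DMZ
Flow = namedtuple("Flow", "name src dst protocol")  # src/dst: level or IDMZ

def zone_of(level):
    """Map an ISA-95 level (0-5) or the IDMZ marker to its CPwE zone."""
    if level == IDMZ:
        return "IDMZ"
    if level in (0, 1, 2, 3):
        return "Industrial"
    if level in (4, 5):
        return "Enterprise"
    raise ValueError(f"unknown level {level!r}")

def review(flows):
    """Return {flow name: [violations]}; an empty list means allowed."""
    findings = {}
    for f in flows:
        zones = {zone_of(f.src), zone_of(f.dst)}
        problems = []
        # Rule 1 (deck's model): Enterprise <-> Industrial traffic must
        # terminate in the IDMZ, never pass straight through.
        if zones == {"Industrial", "Enterprise"}:
            problems.append("must terminate in the IDMZ")
        # Rule 2 (assumption from CPwE guidance): CIP / EtherNet/IP is
        # confined to the Industrial Zone.
        if f.protocol.upper() in ("CIP", "ETHERNET/IP") and zones != {"Industrial"}:
            problems.append("CIP confined to the Industrial Zone")
        findings[f.name] = problems
    return findings

# Constructed sample flows (not from any real plant)
SAMPLE_FLOWS = [
    Flow("erp-to-hmi-direct", 4, 2, "HTTPS"),       # breaks rule 1
    Flow("erp-to-idmz-mirror", 4, IDMZ, "HTTPS"),   # allowed
    Flow("idmz-mirror-to-l3", IDMZ, 3, "SQL"),      # allowed
    Flow("hmi-to-plc", 2, 1, "CIP"),                # allowed
    Flow("l4-workstation-to-plc", 4, 1, "CIP"),     # breaks rules 1 and 2
]

if __name__ == "__main__":
    for name, problems in review(SAMPLE_FLOWS).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```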


Cisco and Rockwell Automation Alliance – Technology, Network, Cultural and Organizational Convergence

Joint Product Collaboration, STRATIX series: The Stratix 5900™ Services Router, Stratix 5950™ Industrial Firewall, Stratix 5100™ Wireless Access Point/Workgroup Bridge, and Stratix™ 5000/Stratix 8000™ families of managed industrial Ethernet switches combine the best of both Rockwell Automation and Cisco.

Converged Plantwide Ethernet (CPwE) Architectures: A collection of tested and validated architectures developed by subject matter authorities at Cisco and Rockwell Automation. The content of CPwE is relevant to both Operational Technology (OT) and Information Technology (IT) disciplines and consists of documented architectures, best practices, guidance and configuration settings to help manufacturers design and deploy a scalable, robust, safe, secure and future-ready plant-wide industrial network infrastructure.

Common Technology View: A single scalable architecture, using open and standard Ethernet and IP networking technologies such as EtherNet/IP, enabling the Industrial Internet of Things to help achieve the flexibility, visibility and efficiency required in a competitive manufacturing environment.

People and Process Optimization: Education and services to facilitate OT and IT convergence, assist with successful architecture deployment, and enable efficient operations that allow critical resources to focus on increasing innovation and productivity.


Logical Framework – Converged Plantwide Ethernet (CPwE)

Operational Technology: EtherNet/IP (Industrial Protocol), Real-Time Control and Information, Industrial Security Policies, Wired and Wireless LANs (Unified and Autonomous WLAN), Fast Network Resiliency, Traffic Segmentation, Data Prioritization, Ease of Use

Industrial IT: Secure Application and Data Share, Inter-zone Segmentation, Access Control, Threat Protection, Industrial Security Policies, Site Operations, Network Resiliency, Virtualization, Traffic Segmentation, Routing, Network and Security Management

Information Technology: Enterprise Security Policies, Collaboration Tools, Unified Wireless, Business Application Optimization

Diagram elements (plant-wide network, top to bottom):

Enterprise Zone – Levels 4-5
• Internet, External DMZ/Firewall
• Wide Area Network (WAN), Data Center - Virtualized Servers: ERP - Business Systems; Email, Web Services; Security Services - Active Directory (AD), Identity Services (AAA); Network Services – DNS, DHCP; Call Manager
• Enterprise Identity Services, Core Switches, Access Switches, Phone

Industrial Demilitarized Zone (IDMZ)
• Plant Firewalls: Active/Standby, Inter-zone traffic segmentation, ACLs, IPS and IDS, VPN Services, Portal and Remote Desktop Services proxy
• Physical or Virtualized Servers: Patch Management, AV Server, Application Mirror, Remote Desktop Gateway Server
• Identity Services

Industrial Zone – Levels 0–3 (Plant-wide Network)
• Level 3 - Site Operations (Control Room): Physical or Virtualized Servers – FactoryTalk Application Servers and Services Platform; Network & Security Services – DNS, AD, DHCP, Identity Services (AAA); Storage Array; Remote Access Server; Wireless LAN Controller (WLC), Active/Standby
• Core Switches, Distribution Switch Stack, Rockwell Automation Stratix 5000/8000 Layer 2 Access Switch

Cell/Area Zones – Levels 0–2
• Redundant Star Topology - Flex Links Resiliency, with Unified Wireless LAN (Lines, Machines, Skids, Equipment)
• Linear/Bus/Star Topology, with Autonomous Wireless LAN (Lines, Machines, Skids, Equipment)
• Ring Topology - Resilient Ethernet Protocol (REP), with Unified Wireless LAN (Lines, Machines, Skids, Equipment)
• Wireless: LWAP and WGB with 2.4 GHz and 5 GHz SSIDs (unified); AP and WGB with 5 GHz SSID (autonomous)
• Devices: HMI, Controller, Safety Controller, Camera, Robot, Soft Starter, Drive, Servo Drive, I/O, Safety I/O, Instrumentation


Reference Architectures – Converged Plantwide Ethernet (CPwE)

• Tested, validated and documented reference architectures
• Developed from use cases – customer, application, technology
• Tested for performance, availability, repeatability, scalability and security
• Comprised of a collection of Cisco and Rockwell Automation Validated Designs
• Built on technology and industry standards
• "Future-ready" network design

Network Security Service Team from Rockwell Automation: helps customers to implement a secure network architecture and is able to discover performance and cyber security issues in existing infrastructure.



Networks Infrastructure Portfolio Positioning

Managed Switches
• Access switching or distribution routing
• Diagnostic information
• Network Address Translation (NAT)
• Segmentation / VLAN capabilities
• Prioritization services (QoS)
• Network resiliency

Security Appliances
• Secure real-time control communication
• Routing and firewall capabilities
• Intrusion protection
• Access control lists
• Deep Packet Inspection (DPI)

Wireless Technology
• Connect hard-to-reach and remote areas
• Mobile access to equipment and key business systems
• Minimizes hardware and wiring

Unmanaged Switches
• Low-cost, compact solution
• Automatically negotiates speed and duplex settings
• No configuration required
• Automatically detects cross-over cable

Embedded Switch Technology
• Enables greater topology configuration choices for EtherNet/IP applications such as linear and device-level ring (DLR)
• Offers diagnostics and fast recovery

Premier Integration to the Rockwell Automation Integrated Architecture® system and embedded Cisco Technology


Optimized OT Network Integration – Integrated Architecture System

• Studio 5000® Add-on Profile (AOP) for easy configuration and monitoring
• Pre-designed FactoryTalk® View faceplates for monitoring and alarming
• Pre-defined Logix tags for monitoring and port control



Security Threat Vectors & Actors

Security risks increase the potential for disruption to system uptime and safe operation, and for loss of intellectual property.

• Unintended employee actions
• Theft
• Unauthorized actions by employees
• Unauthorized access
• Denial of Service (DoS)
• Application of patches
• Unauthorized remote access
• Natural or man-made disasters
• Sabotage
• Worms and viruses


The Cost of Security*

Cyber incidents cost US organizations: $558K in revenue losses, $481K in brand damage, $366K in compliance fines, $174K in lost productivity.

Incidents are costing US industry $6M per day, or $2B per year.

Actual case: ThyssenKrupp, Germany, December 2016. Technical trade secrets were stolen from the steel production and manufacturing plant design divisions of ThyssenKrupp AG (TKAG.DE) in cyber attacks in mid-2016. The same attack on the Hohenlimburg rolling mill caused a 1-day shutdown of the plant.

* Source: Belden Industrial Ethernet Infrastructure Design Seminar. Greg Hale, the Editor and Founder of ISSSource.com. October 2012


Defense-in-Depth – Multiple Layers to Protect the Network and Defend the Edge

No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications.

Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats.

This approach utilizes multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats.



Getting Started – Creating a Secure Industrial Infrastructure

Start with design and assessment:
• Physical design of the infrastructure
• Logical design of the infrastructure
• Identify critical assets (devices, IP, data)
• Discover risks, potential threats and vulnerabilities
• Implement the right level of security for the assets
• The industrial security policy is distinct from, and in addition to, the enterprise security policy; IT/OT policies might differ in some areas
• Alignment with applicable industry standards

Security policy - plan of action with procedures (non-technical):
• Rules for controlling human interactions and access
• Determination of risk tolerance
• Identify domains of trust and apply security appropriately to maintain policies
• Consider balancing security with functional and application requirements: 24x7 operations, low Mean-Time-To-Repair (MTTR), high Overall Equipment Effectiveness (OEE)

Sustainability:
• Stakeholders
• Process changes / auditing
• Maintenance of the risk profile


Implement Validated Secure Network Infrastructure – Achieve infrastructure security through a common, validated system architecture leveraging the Stratix portfolio and Cisco security solutions.

Design and Implementation Guides:
• Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (2011)
• Segmentation Methods within the Cell/Area Zone (2013)
• Securely Traversing IACS Data Across the Industrial Demilitarized Zone (2015)
• Deploying Identity Services within a Converged Plantwide Ethernet Architecture (2015)
• Site-to-site VPN to a Converged Plantwide Ethernet Architecture (2015)

Download these and more at: http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page

Cisco security solutions shown: Identity Services Engine, Adaptive Security Appliances


Create a Security Culture

• Educate and create awareness in your organization
• Align with Industrial Automation and Control System security standards: DHS External Report # INL/EXT-06-11478, NIST 800-82, ISO/IEC-62443 (formerly ISA-99)
• Leverage a Defense-in-Depth philosophy: no single product, methodology, nor technology fully secures IACS networks
• Establish open dialog between teams: Production, Engineering, IT and Rockwell Automation (incident response sharing)
• Work with trusted partners knowledgeable in automation & security
• "Good enough" security now is better than "perfect" security ... never. (Tom West, Data General)


What Can You Do Now to Mitigate Risk? Practice these 8 simple, actionable steps to enhance industrial reliability and security today:

1. Control who has network access
2. Employ firewalls and intrusion detection/prevention
3. Use anti-virus protection and patch your system
4. Manage & protect your passwords
5. Turn the processor key(s) to the Run mode
6. Utilize features embedded in Rockwell Automation products today (example: FactoryTalk Security, managed switch settings)
7. Develop a process to manage removable media
8. Block access ports (example: key connectors)


Network & Security Services

ASSESS DESIGN IMPLEMENT VALIDATE MANAGE


Industrial Security Resources

Security-enhanced Products and Technologies: Rockwell Automation® products and technologies with security capabilities that help increase overall control system-level security. http://www.rockwellautomation.com/security

EtherNet/IP™ Plantwide Reference Architectures: Control system validated designs and security best practices that complement recommended layered security/defense-in-depth measures. http://www.ab.com/networks/architectures.html

Network & Security Services (NSS): RA consulting specialists that conduct security risk assessments and make recommendations for how to avert risk and mitigate vulnerabilities. http://www.rockwellautomation.com/services/security