Page 1

CT230 - Industrial Network and Cybersecurity Threats

Amadou Diaw, Business Development Leader, Rockwell Automation - CSM Consulting Services

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. Rev 5058-CO900F

Page 2

Physical Layer

Page 3

The Network is Slow!!! What's really happening on my network?

(Figure: word cloud of the usual suspects behind a "slow" network: voice, virus, hacking, multicast, DNS, peer-to-peer, worms. The starting point is visibility: which top hosts, conversations and protocols are actually on the wire.)

Page 4

(Figure: Modern ICS. Legacy serial RS485 device networks (third-party controllers, servers, etc. reached over serial, OPC or fieldbus) connect to a redundant control network that carries the application server, historian server, connectivity server, optimization suite, engineering workplace and mobile operator; a firewall and a services network separate the control network from the IP-based enterprise network, which in turn connects to the Internet and to a third-party application server.)

Page 5

Wireless = RF SIGNAL…

The 2.4GHz and 5GHz RF bands are the physical layer for 802.11 wireless LANs
• 2.4GHz 802.11b/g and 5GHz 802.11a

Not just 802.11 WiFi devices use these frequencies
• Bluetooth, analog video cameras, cordless phones, microwave ovens, motion sensors, fluorescent lights

The RF environment for good WiFi performance
• Relatively free of interfering 802.11 and non-802.11 devices
• Adequate signal strength over the target coverage area

(Figure: interference sources sharing the bands: Bluetooth, other Wi-Fi networks, microwave ovens, 2.4/5 GHz cordless phones, radar.)

Page 6

(Infographic; the numeric values are not recoverable: the share of industrial network operators that have faced a large-scale attack, the amount spent on security in 2011, and the average cost per 24 hours of an attack, under the headlines "CYBERATTACKS ARE …", "… IS CRITICAL" and "… IS ESSENTIAL". Sources: McAfee and the Center for Strategic and International Studies (CSIS), April 2012; PricewaterhouseCoopers LLP, Nov 2011.)

Page 7

Anatomy of a Zero-day Attack

Page 8

Are you Protected?

"Some organizations will be a target regardless of what they do, but most become a target because of what they do…"

Compromising network security is a $6 billion global underground industry of which $300 million is directly tied to manufacturing

"If your organization is a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go."

Source: 2013 DBIR (Verizon Data Breach Investigations Report)

Page 9

ICS Security in the News

Page 10

Maroochy Shire Sewage Plant

Reference: courtesy of Clinton Webb, Central Tech

In the spring of 2000, a former employee of an Australian organization that develops manufacturing software applied for a job with a local government, and was rejected.

Over a 2-month period, this person used a radio transmitter on as many as 46 occasions to remotely break into the controls of a sewage treatment system. He altered electronic data for the sewage pumping stations and caused malfunctions in their operations.

This led to releasing about 264,000 gallons of raw sewage into nearby rivers and parks.

Page 11

… and how did "they" get it?

(Images side by side: JAC Motors 4R3 and Ford Motor Company F-150.)

Page 12

Nothing is beyond reach

• "Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever...
• "the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft."

http://online.wsj.com/article/SB124027491029837401.html#ixzz1dQEQ283S

Page 13

… and how did "they" get it?

(Images side by side: Chengdu Aircraft Industry Group J20 and Lockheed Martin F-35.)

Page 14

Demo Time

Page 15

Manufacturing Security Infographic

• 91% of breaches took less than a day to execute
• 62% took months or years to discover
• 53% took months to contain
• Only 1 out of 10 were discovered by an internal resource…

Source: 2013 DBIR

Page 16

Real-world Threats to Industrial Systems: Cyber Attack Effects & Impacts

• Conficker (2008): worm that enabled remote access with payload replacement capability; Windows OS affected, including Windows industrial PCs.
• Operation Aurora (2009): attacks aimed at high tech, security and defense contractors, alleged to access and potentially alter source code repositories.
• Stuxnet (2010): computer worm that facilitated the manipulation of PLC logic and the operator's view to disrupt a process and damage assets.
• Duqu (2011): targeted Remote Access Trojan (RAT) alleged to enable reconnaissance and intelligence-gathering as a precursor to attack.
• Nitro Malware (2011): Remote Access Trojan (RAT) targeting chemical companies and 19 organizations in other industries for corporate espionage.

Page 17

Security Threat Actors

Human
• Malicious
• Ignorant

System
• Misconfiguration
• Lack of Privilege Control

Page 18

Security Threat Vectors

Security risks increase the potential for disruption to system uptime and safe operation, and for loss of intellectual property

• Unintended employee actions
• Theft
• Unauthorized actions by employees
• Unauthorized access
• Denial of Service
• Application of patches
• Unauthorized remote access
• Natural or man-made disasters
• Sabotage
• Worms and viruses

Page 19

Industrial Control Systems in PPD-21 Defined Critical Infrastructure Sectors

Chemical

Commercial Facilities

Critical Manufacturing

Dams

Defense Industrial Base

Energy

Food and Agriculture

Nuclear Reactors

Transportation

Water/Wastewater

Government Facilities

Industrial Control Systems are core to operations of Critical Infrastructure Processes

Page 20

Industrial Network Security Trends: Established Industrial Security Standards

• International Society of Automation
  • ISA/IEC 62443 (formerly ISA-99)
  • Industrial Automation and Control Systems (IACS) Security
  • Defense-in-Depth
  • IDMZ Deployment

• National Institute of Standards and Technology
  • NIST 800-82
  • Industrial Control System (ICS) Security
  • Defense-in-Depth
  • IDMZ Deployment

• Department of Homeland Security / Idaho National Lab
  • DHS INL/EXT-06-11478
  • Control Systems Cyber Security: Defense-in-Depth Strategies
  • Defense-in-Depth
  • IDMZ Deployment

A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.

Page 21

CT231 - Industrial Network and Cybersecurity Solutions

Amadou Diaw, Business Development Leader, Rockwell Automation - CSM Consulting Services

Page 22

NIST CYBERSECURITY FRAMEWORK

NIST FRAMEWORK CORE: Functions, Categories, Subcategories, Informative References

IDENTIFY - An understanding of how to manage cybersecurity risks to systems, assets, data and capabilities. Categories: asset management, business environment, governance, risk assessment, risk management strategy.

PROTECT - The controls and safeguards necessary to protect or deter cybersecurity threats. Categories: access controls, awareness and training, data security, data protection processes, maintenance, protective technologies.

DETECT - Continuous monitoring to provide proactive and real-time alerts of cybersecurity-related events. Categories: anomalies and events, continuous monitoring, detection processes.

RESPOND - Incident-response activities. Categories: response planning, communications, analysis, mitigation, improvements.

RECOVER - Business continuity plans to maintain resilience and recover capabilities after a cyber breach. Categories: recovery planning, improvements, communications.

Informative References (listed against each of the five Functions): ISA99 / IEC 62443, NIST SP 800-XX, DHS INL/EXT-06-11478, DHS CRR, TSA TSSCWG, NERC-CIP XXX

Reference: www.pwc.com/cybersecurity

Page 23

Network CyberSecurity Services - Overview

ASSESS
• Security: assess the current state of the security program, design and policy
• Network: assess the current state of the network design and implementation
• Data center: assess the current state of a manufacturing data center

DESIGN/PLAN
• Network: design and plan a network infrastructure
• Security: design and plan security program, policy, infrastructure and business continuity plan
• Data center: design and plan a SAN infrastructure

IMPLEMENT
• Network: installation, procurement and configuration of a network
• Security: implementation of a security program, infrastructure design, policy and training
• Data center: installation, procurement and configuration of a SAN infrastructure

AUDIT
• Network: audit current architecture compared to governing bodies (ODVA, IEEE, ANSI/TIA)
• Security: audit security program compared to governing bodies (NERC CIP, ISA-99, NIST 800-53, NIST 800-82)

MANAGE/MONITOR
• Network and data center: manage, maintain and monitor uptime and issues on the network and SAN environment
• Security: Managed Security Services (incident response, disaster recovery, monitoring)

Page 24

LOGICAL NETWORK DESIGN CONSIDERATIONS

Page 25

Holistic Defense-in-Depth

Page 26

Holistic Defense-in-Depth: EtherNet/IP Industrial Automation and Control System Network

• Open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks
• Secure by configuration and architecture:
  • Configuration: harden the infrastructure through holistic defense-in-depth - multiple layers of security
  • Architecture: structure the infrastructure to defend the edge - Industrial DMZ (IDMZ)

Page 27

Industrial Network Security Trends: EtherNet/IP Industrial Automation & Control System Network

(Figure: a Flat and Open IACS network infrastructure contrasted with a Structured and Hardened IACS network infrastructure.)

Page 28

Holistic Defense-in-Depth: Critical Elements to Industrial Security

• A balanced Industrial Security Program must address both Technical and Non-Technical Elements
  • Non-technical controls - rules for environments: e.g. business practices, standards, policies, procedures, risk management, education and awareness programs
  • Technical controls - technology to provide restrictive measures for non-technical controls: e.g. Firewalls, Group Policy Objects, Layer 3 access control lists (ACLs), Physical Access
• Security is only as strong as the weakest link
• Vigilance and attention to detail are KEY to the long-term security success

"one-size-fits-all"

Page 29

CPwE Industrial Network Security Framework

Page 30

Industrial Network Security Framework: CPwE Architectures

(Figure: CPwE reference architecture. Industrial Zone, Levels 0-3: Level 0 Process and Level 1 Controller (controllers, drives, soft starters, MCC, I/O), Level 2 Area Supervisory Control (FactoryTalk Client), Level 3 Site Operations; distribution switch stack and core switches; Wireless LAN Controller (WLC) active/standby with LWAPs serving 2.4 GHz and 5 GHz SSIDs and workgroup bridges (WGB); Authentication, Authorization and Accounting (AAA). Industrial Demilitarized Zone (IDMZ) with physical or virtualized servers for patch management, AV server, application mirror and Remote Desktop Gateway server. Enterprise Zone, Levels 4-5: enterprise identity services, external DMZ/firewall, Internet. Ownership as labelled: Levels 0-2 by Control System Engineers; Level 3 by Control System Engineers in collaboration with IT Network Engineers (Industrial IT); the IDMZ and above by IT Security Architects in collaboration with Control Systems Engineers.)

Page 31

IDMZ - Industrial DeMilitarized Zone

Page 32

Network Security Framework: Industrial Demilitarized Zone

Logical Model - Industrial Automation and Control System (IACS), Converged Multi-discipline Industrial Network

Enterprise Security Zone
• Level 5 - Enterprise Network (Web, E-Mail)
• Level 4 - Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)

Firewall

Industrial DMZ
• Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server

Firewall

Industrial Security Zone
• Level 3 - Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server
• Cell/Area Zone (CIP)
  • Level 2 - Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
  • Level 1 - Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
  • Level 0 - Process: Sensors, Drives, Actuators, Robots

No Direct Traffic Flow between Enterprise and Industrial Zone

Page 33

Industrial Demilitarized Zone (IDMZ): Industrial Network Security Framework

• All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
• Only path between zones
• No common protocols in each logical firewall (a service permitted through the enterprise-side firewall is not also permitted through the industrial-side firewall, so a session cannot be relayed straight through)
• No control traffic into the IDMZ, CIP stays home
• No primary services are permanently housed in the IDMZ
• IDMZ shall not permanently house data
• Application data mirror and reverse proxies to move data into and out of the Industrial Zone
• Limit outbound connections from the IDMZ
• Be prepared to "turn-off" access via the firewall

(Figure: Enterprise Security Zone (trusted? untrusted?) and Industrial Security Zone (trusted) on either side of the IDMZ with its replicated services; no direct traffic between them; a disconnect point at each firewall.)
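The rules on this slide can be written down as a policy that a firewall change request is checked against. The following is an added example, not code from the presentation or from Rockwell Automation. The zone names, the permitted services and their ports (HTTPS 443 into the IDMZ and RDP 3389 out of it for a Remote Desktop Gateway, plus an assumed WSUS port 8531 for the patch server and an assumed SQL port 1433 for the application mirror) and the change-request flows are assumptions made for the example; only the EtherNet/IP (CIP) ports TCP/UDP 44818 and UDP 2222 are the standard values. It encodes the principles above: sessions terminate in the IDMZ, CIP never enters it, the two logical firewalls share no service, outbound connections from the IDMZ are limited, and a disconnect flag turns everything off.

```python
"""Added example (not Rockwell code): a checker that encodes the IDMZ rules above.

Zone names, port numbers and permit lists are assumptions made for the example."""
from dataclasses import dataclass

ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"

# Standard EtherNet/IP (CIP) transports: TCP/UDP 44818 explicit messaging, UDP 2222 implicit I/O.
CIP_SERVICES = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


@dataclass
class IdmzPolicy:
    # (src_zone, dst_zone) -> permitted (proto, port) services, one dict per logical firewall
    enterprise_fw: dict
    industrial_fw: dict
    disconnected: bool = False  # "be prepared to turn off access via the firewall"

    def __post_init__(self):
        # Rule: no common protocols on the two logical firewalls. If the same service were
        # permitted on both, a session could be relayed straight through instead of
        # terminating in the IDMZ (HTTPS in and RDP out is fine; HTTPS on both sides is not).
        ent = set().union(*self.enterprise_fw.values())
        ind = set().union(*self.industrial_fw.values())
        common = ent & ind
        if common:
            raise ValueError(f"service permitted on both firewalls: {sorted(common)}")

    def evaluate(self, flow: Flow) -> tuple:
        """Return (permitted, reason) for one flow."""
        if self.disconnected:
            return False, "disconnect point engaged: all IDMZ access turned off"
        if flow.src_zone == flow.dst_zone:
            return True, "intra-zone traffic is not governed by the IDMZ firewalls"
        if IDMZ not in (flow.src_zone, flow.dst_zone):
            return False, "no direct traffic between Enterprise and Industrial zones; sessions must terminate in the IDMZ"
        service = (flow.proto, flow.port)
        if service in CIP_SERVICES:
            return False, "CIP stays home: control traffic never enters the IDMZ"
        fw = self.enterprise_fw if ENTERPRISE in (flow.src_zone, flow.dst_zone) else self.industrial_fw
        if service in fw.get((flow.src_zone, flow.dst_zone), set()):
            return True, "explicitly permitted through the logical firewall"
        if flow.src_zone == IDMZ:
            return False, "outbound connections from the IDMZ are limited to the permit list"
        return False, "default deny"


def example_policy() -> IdmzPolicy:
    """Constructed permit lists for the replicated services shown in the figure."""
    return IdmzPolicy(
        enterprise_fw={
            (ENTERPRISE, IDMZ): {("tcp", 443)},   # HTTPS to reverse proxy / Remote Desktop Gateway
            (IDMZ, ENTERPRISE): {("tcp", 8531)},  # patch server pulls from enterprise WSUS (assumed port)
        },
        industrial_fw={
            (IDMZ, INDUSTRIAL): {("tcp", 3389)},  # RD Gateway brokers RDP to a Level 3 jump host
            (INDUSTRIAL, IDMZ): {("tcp", 1433)},  # historian pushes to the application mirror (assumed port)
        },
    )


def audit(policy: IdmzPolicy, flows: list) -> list:
    """Evaluate proposed flows (e.g. a firewall change request); returns (flow, permitted, reason)."""
    return [(f, *policy.evaluate(f)) for f in flows]


if __name__ == "__main__":
    # Constructed change request mixing legitimate and rule-breaking flows.
    requests = [
        Flow(ENTERPRISE, IDMZ, "tcp", 443),
        Flow(IDMZ, INDUSTRIAL, "tcp", 3389),
        Flow(ENTERPRISE, INDUSTRIAL, "tcp", 443),
        Flow(ENTERPRISE, IDMZ, "tcp", 44818),
        Flow(IDMZ, ENTERPRISE, "tcp", 443),
    ]
    for flow, ok, why in audit(example_policy(), requests):
        print(f"{'PERMIT' if ok else 'DENY':6} {flow.src_zone}->{flow.dst_zone} {flow.proto}/{flow.port}: {why}")
```

The check in `__post_init__` is the one most often skipped in practice: a permit for HTTPS on both firewalls "to make the dashboard work" quietly turns the IDMZ into a router. The `disconnected` flag models the disconnect points in the figure; an incident playbook should name who is allowed to flip it and what keeps running in the Industrial Zone when it is flipped.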

Page 34

Industrial Demilitarized Zone (IDMZ): Industrial Network Security Framework

(Figure: IDMZ deployment. Enterprise Zone, Levels 4-5: Wide Area Network (WAN), physical or virtualized servers for ERP, email, Active Directory (AD), AAA - RADIUS and Call Manager, enterprise WLC and ISE, plant manager and remote access users. IDMZ between active/standby firewalls that inspect traffic: web proxy, Remote Desktop Gateway, and physical or virtualized servers for patch management, AV server and application mirror. Industrial Zone, Levels 0-3: Level 3 Site Operations with physical or virtualized servers for application servers and services, network services (e.g. DNS, AD, DHCP, AAA) and a storage array, a remote access server, core switches and distribution switch; Levels 0-2 Cell/Area Zone with PACs, drives, MCC, I/O, FactoryTalk clients, WLC (active/standby), LWAP and WGB; engineer.)

Firewall intent, as marked on the figure:
• Permit secure remote access to Industrial assets (through the Remote Desktop Gateway)
• Permit data from the Industrial Zone to Enterprise stakeholders (web reports through the web proxy)
• Block untrusted access to the Industrial Zone
• Block untrusted access to the Enterprise Zone

Page 35

Translate Logical-to-Physical Design

Translates logical network architecture into physical infrastructure design – using a methodology that reduces operating costs, speeds new hardware implementation, and ensures that future growth requirements are considered and properly planned

Logical Architecture → translate into design → Physical Design

Rockwell Automation NSS Services + Panduit Advisory Services = Reliable, Scalable, Upgradeable Design

(Figure: what taking the design phase for granted looks like.)

Page 36

PHYSICAL NETWORK DESIGN CONSIDERATIONS

Page 37

Infrastructure Investment Compared to Longevity

Category     Share of investment   Longevity
Software     60%                   2 to 5 years
Networking   23%                   5 years
Operations   10%                   5 years
Cabling       7%                   20+ years (or forever!)

80% of network problems are caused by only 7% of invested budget.

Page 38

Think of your Network from End-to-End

• People in the Controls world tend to think of networks as the link between the Control Panel and the device.

(Figure: the full path from the Field Level (sensors, analyzers and field devices on a device network) through the Process Control Level (control computers, operator station and local control system on a control network over industrial Ethernet) to the Enterprise Control Level (server, DMZ server and central computer management level on office Ethernet).)

Page 39

Zone Architecture Benefits

Traditional Cable Deployment
• Node to network room "home runs"

Zone Architecture
• Flexibility for MACs (moves, adds and changes)
• Reduced installation time
• Simplified diagnostics

Page 40

Network Infrastructure: Physical Layer Design Considerations

Building blocks (IN-ROUTE™, IN-FIELD™, IN-PANEL™, IN-ROOM™, IN-FRASTRUCTURE™): fiber routing systems, copper cabling systems, fiber cabling systems, grounding & bonding systems, cable management, cable ties and accessories, zone cabling systems, managed network systems, cabinets & rack systems, identification solutions.

Page 41

Environmental Focus - M.I.C.E.: Physical Layer Design Considerations (TIA 1005)

• M.I.C.E. (Mechanical, Ingress, Climatic, Electromagnetic) provides a method of categorizing the environmental classes for each plant Cell/Area zone.
• This provides for determination of the level of "hardening" required for the network media, connectors, pathways, devices and enclosures.
• The MICE environmental classification is a measure of product robustness:
  • Specified in ISO/IEC 24702
  • Part of TIA-1005 and ANSI/TIA-568-C.0 standards
• Examples of rating (level 1 is an office environment, level 3 the harshest industrial environment; the number rises with environmental severity):
  • 1585 Media: M3I3C3E3
  • M12: M3I3C3E3
  • RJ-45: M1I1C2E2

Page 42

Network Distribution Installation Pitfalls: Physical Layer Design Considerations

Installation is critical for system performance, security and testability.

Page 43

Micro Data Center - IN-ROOM Solution: Physical Layer Design Considerations

• Enterprise/Office: patchfield used to uplink switch to Levels 4 & 5 Enterprise
• Server Patching: cross connect between production servers and switch
• Firewall and DMZ: logical buffer zone between the Enterprise and Industrial Zones
• Industrial Zone: patchfield used to connect Layer 3 switch to Layer 2 switches used on plant-floor

Page 44

Validated Building Blocks: Physical Layer Design Considerations

Design your system using cost effective and easy to troubleshoot Network Architecture

(Figure: Industrial Data Center, Integrated Zone and Control Panel Solutions, connected by fiber or copper.)

Leverage Reference Architecture & Validated Building Blocks to Speed Deployment and Reduce Risks

Page 45

Network Security Framework: Physical Port Security

• Keyed solutions for copper and fiber
• Lock-in, Blockout products secure connections
• Data Access Port (keyed cable and jack)

Page 46

Availability, Integrity and Confidentiality

• Enterprise networks require C-I-A
  • Confidentiality of intellectual property matters most
• Industrial Control Systems require A-I-C
  • Availability and integrity of control matters most
  • Control data has low entropy: little need for confidentiality
  • Many ICS vendors provide "six 9's" of availability
• Ensuring availability is hard
  • Cryptography does not help (directly)
  • DoS protection, rate limiting, resource management, QoS, redundancy, robust hardware with high MTBF
• Security must not reduce availability!
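Rate limiting is listed above as an availability control, and the last bullet is the constraint on it: a limiter that throttles the HMI during a scan has become the denial of service it was meant to stop. The following is an added example, not code from the presentation or from Rockwell Automation, showing an availability-first shape for such a limiter: known producers are never throttled, every other source gets its own token bucket. The addresses, the rate and burst values and the replayed event trace are constructed for the example.

```python
"""Added example (not Rockwell code): availability-first rate limiting in front of a controller.

Addresses, rates and the event trace are constructed for the example."""
from collections import defaultdict


class TokenBucket:
    """Token bucket: `burst` tokens of capacity, refilled at `rate` tokens per second."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def take(self, now: float) -> bool:
        """Consume one token if available, after refilling for the time elapsed since the last call."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ControllerIngressGuard:
    """Admits connection requests aimed at a controller.

    Trusted producers (HMI, engineering workstation, historian) are never throttled: throttling
    them would turn the protection into the outage it is meant to prevent. Every other source
    gets a per-source bucket, so one scanner or misbehaving host cannot exhaust the
    controller's connection table while the plant keeps running."""

    def __init__(self, trusted: set, rate: float = 2.0, burst: int = 5):
        self.trusted = set(trusted)
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def admit(self, src: str, now: float) -> bool:
        if src in self.trusted:
            return True
        return self.buckets[src].take(now)


def replay(guard: ControllerIngressGuard, events: list) -> dict:
    """Run (timestamp, source) events through the guard; returns {source: (admitted, dropped)}."""
    stats = {}
    for now, src in events:
        admitted, dropped = stats.get(src, (0, 0))
        if guard.admit(src, now):
            admitted += 1
        else:
            dropped += 1
        stats[src] = (admitted, dropped)
    return stats


def sample_events() -> list:
    """Constructed trace: an HMI polling at 100 req/s and an unknown host flooding the same port."""
    hmi, scanner = "10.17.10.20", "10.17.99.250"
    events = [(t / 100.0, hmi) for t in range(100)]   # steady control traffic, t = 0.00 .. 0.99 s
    events += [(0.0, scanner)] * 50                      # 50-request burst at t = 0
    events += [(10.0, scanner)] * 50                     # another burst ten seconds later
    return sorted(events, key=lambda e: e[0])            # stable sort keeps per-source order


if __name__ == "__main__":
    guard = ControllerIngressGuard(trusted={"10.17.10.20"})
    for src, (admitted, dropped) in replay(guard, sample_events()).items():
        print(f"{src}: admitted={admitted} dropped={dropped}")
```

With the default bucket (burst 5, refill 2/s) the HMI's 100 requests are all admitted and the scanner gets 5 through per burst, 10 of 100 in total. Two caveats a practitioner would add: trust keyed on a source address is only as good as the segmentation around it (on a flat network the address is spoofable, which is one more argument for the zoning in the earlier slides), and in a real deployment this logic belongs in the switch, firewall or the device's own connection limits rather than in a script in the data path.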

Page 47

Key Takeaways

Page 48

TAKE ACTION

• Education and awareness:
  • Within your organization, for your customers or trusted partners
  • Establish an open dialog between Industrial Automation and IT groups
• Establish an Industrial security policy, unique from and in addition to the Enterprise security policy
• Holistic Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks
• Be aware of Industrial Automation and Control System Security Standards
  • ISA/IEC 62443 (formerly ISA99), NIST 800-82, DHS External Report # INL/EXT-06-11478
• Utilize standards, reference models and reference architectures
• Work with trusted partners knowledgeable in industrial automation and security
• "Good enough" security now, is better than "perfect" security ... never. (Tom West, Data General)

Page 49

Additional Information

Page 50

Rockwell Automation Educational Tools & Content

• EtherNet/IP Website: http://ab.rockwellautomation.com/Networks-and-Communications/Ethernet-IP-Network
• Network and Security Services Website: http://www.rockwellautomation.com/services/networks/ and http://www.rockwellautomation.com/services/security/
• Network and Security Services Noggin Site: https://noggin.gosavo.com/CustomPage/View.aspx?id=28994665
• Reference Architectures
  • Reference Architectures
  • Design Guides: Converged Plant-wide Ethernet (CPwE)
  • Application Guides: Fiber Optic Infrastructure Application Guide

Page 51

Rockwell Automation Educational Tools & Content

• KnowledgeBase Security Table of Contents
• TCP/UDP Ports used by Rockwell Automation products
• Network and Security Services Brochure
• Whitepapers
  • Patch Management and Computer System Security Updates
  • Scalable Secure Remote Access Solutions for OEMs
  • Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
  • Securing Manufacturing Computer and Controller Assets
  • Production Software within Manufacturing Reference Architectures
  • Achieving Secure Remote Access to plant-floor Applications and Data
  • Design Considerations for Securing Industrial Automation and Control System Networks - ENET-WP031A-EN-E

Page 52

THANK YOU!