Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.Rev 5058-CO900F
CT230 - Industrial Network and Cybersecurity Threats
Amadou Diaw, Business Development Leader, Rockwell Automation - CSM Consulting Services
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.COMPANY INTERNAL - Internal Use Only
Physical Layer
The Network is Slow!!!
What’s really happening on my network?
• Voice
• Virus
• Hacking
• Multicast
• DNS
• Peer-to-peer
• Worms
• Top hosts, conversations, protocols
[Diagram: Modern ICS architecture. A device network (serial RS485; serial, OPC or fieldbus links to third-party controllers and servers) and a redundant control network with controllers and an engineering workplace connect through a services network to the application server, historian server, connectivity server, optimization suite, mobile operator and a third-party application server; a firewall separates these from the enterprise network (enterprise workplaces) and the Internet over IP.]
Wireless = RF SIGNAL…
The 2.4 GHz and 5 GHz RF bands represent the physical layer for 802.11 wireless LANs
• 2.4 GHz 802.11b/g and 5 GHz 802.11a
Not just 802.11 WiFi devices use these frequencies
• Bluetooth, analog video cameras, cordless phones, microwave ovens, motion sensors, fluorescent lights
The RF environment for good WiFi performance
• Relatively free of interfering 802.11 and non-802.11 devices
• Adequate signal strength over the target coverage area
[Diagram: interference sources sharing the bands - Bluetooth, other Wi-Fi networks, microwave ovens, 2.4/5 GHz cordless phones, radar]
[Infographic: “Cyberattacks are …”; statistics (values not present in the text) on the share of industrial network operators who have faced a large-scale attack, the amount spent in 2011, and the average cost per 24 hours of an attack, with the callouts “IS CRITICAL” and “IS ESSENTIAL”. Sources: McAfee and the Center for Strategic and International Studies (CSIS), April 2012; PricewaterhouseCoopers LLP, Nov 2011]
Anatomy of a Zero-day Attack
Are you Protected?
“Some organizations will be a target regardless of what they do, but most become a target because of what they do…”
Compromising network security is a $6 billion global underground industry, of which $300 million is directly tied to manufacturing.
“If your organization is a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go.”
Source: 2013 DBIR
ICS Security in the News
Maroochy Shire Sewage Plant
Reference: courtesy of Clinton Webb, Central Tech
In the spring of 2000, a former employee of an Australian organization that develops manufacturing software applied for a job with a local government, and was rejected.
Over a 2-month period, this person used a radio transmitter on as many as 46 occasions to remotely break into the controls of a sewage treatment system. He altered electronic data for the sewage pumping stations and caused malfunctions in their operations.
This led to releasing about 264,000 gallons of raw sewage into nearby rivers and parks.
… and how did “they” get it?
[Side-by-side photos: JAC Motors 4R3 and Ford Motor Company F-150]
Nothing is beyond reach
• “Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever...”
• “the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft.”
Source: http://online.wsj.com/article/SB124027491029837401.html#ixzz1dQEQ283S
… and how did “they” get it?
[Side-by-side photos: Chengdu Aircraft Industry Group J20 and Lockheed Martin F-35]
Demo Time
Manufacturing Security Infographic
• 91% of breaches took less than a day to execute
• 62% took months or years to discover
• 53% took months to contain
• Only 1 out of 10 were discovered by an internal resource…
Source: 2013 DBIR
Copyright © 2012 Rockwell Automation, Inc. All rights reserved.
Real-world Threats to Industrial Systems
Cyber Attack Effects & Impacts
• Conficker (2008): Worm that enabled remote access with payload replacement capability – Windows OS affected, including Windows industrial PCs.
• Operation Aurora (2009): Attacks aimed at high tech, security and defense contractors, alleged to access and potentially alter source code repositories.
• Stuxnet (2010): Computer worm that facilitated the manipulation of PLC logic and the operator’s view to disrupt a process and damage assets.
• Duqu (2011): Targeted Remote Access Trojan (RAT) alleged to enable reconnaissance and intelligence-gathering as a precursor to attack.
• Nitro Malware (2011): Remote Access Trojan (RAT) targeting chemical and 19 other organizations in other industries for corporate espionage.
Security Threat Actors
Human:
• Malicious
• Ignorant
System:
• Misconfiguration
• Lack of Privilege Control
Security Threat Vectors
Security risks increase the potential for disruption to system uptime and safe operation, and for loss of intellectual property.
• Unintended employee actions
• Theft
• Unauthorized actions by employees
• Unauthorized access
• Denial of Service
• Application of patches
• Unauthorized remote access
• Natural or man-made disasters
• Sabotage
• Worms and viruses
Industrial Control Systems in PPD-21 Defined Critical Infrastructure Sectors
Chemical
Commercial Facilities
Critical Manufacturing
Dams
Defense Industrial Base
Energy
Food and Agriculture
Nuclear Reactors
Transportation
Water/Wastewater
Government Facilities
Industrial Control Systems are core to operations of Critical Infrastructure Processes
Industrial Network Security Trends - Established Industrial Security Standards
• International Society of Automation
  • ISO/IEC-62443 (Formerly ISA-99)
  • Industrial Automation and Control Systems (IACS) Security
  • Defense-in-Depth
  • IDMZ Deployment
• National Institute of Standards and Technology
  • NIST 800-82
  • Industrial Control System (ICS) Security
  • Defense-in-Depth
  • IDMZ Deployment
• Department of Homeland Security / Idaho National Lab
  • DHS INL/EXT-06-11478
  • Control Systems Cyber Security: Defense-in-Depth Strategies
  • Defense-in-Depth
  • IDMZ Deployment
A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.
CT231 - Industrial Network and Cybersecurity Solutions
Amadou Diaw, Business Development Leader, Rockwell Automation - CSM Consulting Services
NIST CYBERSECURITY FRAMEWORK
NIST FRAMEWORK CORE: Functions | Categories | Subcategories | Information
IDENTIFY - An understanding of how to manage cybersecurity risks to systems, assets, data and capabilities.
  Categories: asset management, business environment, governance, risk assessment, risk management strategy
PROTECT - The controls and safeguards necessary to protect or deter cybersecurity threats.
  Categories: access controls, awareness and training, data security, data protection processes, maintenance, protective technologies
DETECT - Continuous monitoring to provide proactive and real-time alerts of cybersecurity-related events.
  Categories: anomalies and events, continuous monitoring, detection processes
RESPOND - Incident-response activities.
  Categories: response planning, communications, analysis, mitigation, improvements
RECOVER - Business continuity plans to maintain resilience and recover capabilities after a cyber breach.
  Categories: recovery planning, improvements, communications
Informative references listed against each function: ISA99 / IEC-62443, NIST SP 800-XX, DHS INL/EXT-06-11478, DHS CRR, TSA TSSCWG, NERC-CIP XXX
Reference: www.pwc.com/cybersecurity
Network CyberSecurity Services - Overview
ASSESS
• Network: assess the current state of the network design and implementation
• Security: assess the current state of the security program, design and policy
• Data center: assess the current state of a manufacturing data center
DESIGN/PLAN
• Network: design and plan a network infrastructure
• Security: design and plan the security program, policy, infrastructure and business continuity plan
• Data center: design and plan a SAN infrastructure
IMPLEMENT
• Network: installation, procurement and configuration of a network
• Security: implementation of a security program, infrastructure design and policy training
• Data center: installation, procurement and configuration of a SAN infrastructure
AUDIT
• Network: audit the current architecture compared to the governing bodies (ODVA, IEEE, ANSI/TIA)
• Security: audit the security program compared to the governing bodies (NERC CIP, ISA-99, NIST 800-53, NIST 800-82)
MANAGE/MONITOR
• Network and data center: manage, maintain and monitor uptime and issues on the network and SAN environment
• Security: Managed Security Services (incident response, disaster recovery, monitoring)
LOGICAL NETWORK DESIGN CONSIDERATIONS
Holistic Defense-in-Depth
Holistic Defense-in-Depth - EtherNet/IP Industrial Automation and Control System Network
• Open by default to allow both technology coexistence and device interoperability for Industrial Automation and Control System (IACS) Networks
• Secure by configuration and architecture:
  • Configuration: harden the infrastructure through holistic defense-in-depth - multiple layers of security
  • Architecture: structure the infrastructure to defend the edge - Industrial DMZ (IDMZ)
Industrial Network Security Trends - EtherNet/IP Industrial Automation & Control System Network
[Diagram: a flat and open IACS network infrastructure contrasted with a structured and hardened IACS network infrastructure]
Holistic Defense-in-Depth - Critical Elements to Industrial Security
• A balanced Industrial Security Program must address both Technical and Non-Technical Elements
  • Non-technical controls - rules for environments: e.g. business practices, standards, policies, procedures, risk management, education and awareness programs
  • Technical controls – technology to provide restrictive measures for non-technical controls: e.g. Firewalls, Group Policy Objects, Layer 3 access control lists (ACLs), Physical Access
• Security is only as strong as the weakest link
• Vigilance and attention to detail are KEY to long-term security success
“one-size-fits-all”
CPwE Industrial Network Security Framework
Industrial Network Security Framework - CPwE Architectures
[Diagram: CPwE reference architecture. Enterprise Zone (Levels 4-5): enterprise identity services, external DMZ/firewall, Internet. Industrial Demilitarized Zone (IDMZ): physical or virtualized servers - patch management, AV server, application mirror, Remote Desktop Gateway server; owned by IT security architects in collaboration with control systems engineers. Industrial Zone (Levels 0-3): Level 3 Site Operations with core switches, distribution switch stack, Authentication, Authorization and Accounting (AAA) and an active/standby Wireless LAN Controller (WLC), owned by control system engineers in collaboration with IT network engineers (Industrial IT); Level 2 Area Supervisory Control with FactoryTalk clients; Level 1 Controller and Level 0 Process with controllers, drives, soft starters, MCC and I/O, LWAPs (SSID 2.4 GHz / SSID 5 GHz) and workgroup bridges (WGB), owned by control system engineers.]
IDMZ - Industrial DeMilitarized Zone
Network Security Framework - Industrial Demilitarized Zone
Logical Model – Industrial Automation and Control System (IACS) Converged Multi-discipline Industrial Network
• Enterprise Security Zone
  • Level 5 - Enterprise Network
  • Level 4 - Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
• Firewall (Web and E-Mail traffic)
• Industrial DMZ: Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
• Firewall
• Industrial Security Zone
  • Level 3 - Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server
  • Cell/Area Zone (CIP traffic)
    • Level 2 - Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
    • Level 1 - Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
    • Level 0 - Process: Sensors, Drives, Actuators, Robots
No Direct Traffic Flow between Enterprise and Industrial Zone
Industrial Demilitarized Zone (IDMZ) - Industrial Network Security Framework
• All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
• Only path between zones
• No common protocols in each logical firewall
• No control traffic into the IDMZ, CIP stays home
• No primary services are permanently housed in the IDMZ
• IDMZ shall not permanently house data
• Application data mirror and reverse proxies to move data into and out of the Industrial Zone
• Limit outbound connections from the IDMZ
• Be prepared to “turn-off” access via the firewall
[Diagram: the Enterprise Security Zone (trusted? untrusted?) and the Industrial Security Zone (trusted) are joined only through the IDMZ replicated services, with a disconnect point at each firewall and no direct traffic between the zones]
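The design rules above are easy to state and easy to break in a firewall change. As an added example (not from the deck or from Rockwell Automation), the following Python audits a rule set against four of them: no traffic permitted straight between the Enterprise and Industrial zones, no CIP into the IDMZ, no protocol/port allowed through both logical firewalls, and every outbound permit from the IDMZ flagged for justification. The zone names, the Rule shape and the sample policies are constructed; the CIP port numbers (TCP 44818 explicit messaging, UDP 2222 implicit I/O) are the standard EtherNet/IP ports.

```python
"""Audit a firewall rule set against the IDMZ design rules.

Added example. Assumptions not taken from the deck: three zones named
enterprise/idmz/industrial, rules as (src, dst, proto, port, action), and
a constructed sample policy.
"""
from dataclasses import dataclass

ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"

# Standard EtherNet/IP (CIP) ports: TCP 44818 explicit messaging, UDP 2222 implicit I/O.
CIP_PORTS = {("tcp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    action: str   # "permit" or "deny"


def _crosses(rule, zone_a, zone_b):
    """True when the rule crosses exactly the firewall between zone_a and zone_b."""
    return {rule.src, rule.dst} == {zone_a, zone_b}


def audit_idmz_rules(rules):
    """Return (violations, reviews): hard breaches of the IDMZ rules, and
    permits that are allowed but must be justified (outbound from the IDMZ)."""
    violations, reviews = [], []
    permits = [r for r in rules if r.action == "permit"]

    for r in permits:
        # "Traffic does not directly traverse the IDMZ": nothing may be permitted
        # straight between the Enterprise and Industrial zones.
        if _crosses(r, ENTERPRISE, INDUSTRIAL):
            violations.append(f"direct traversal of the IDMZ: {r}")
        # "No control traffic into the IDMZ, CIP stays home".
        if r.dst == IDMZ and (r.proto, r.port) in CIP_PORTS:
            violations.append(f"CIP permitted into the IDMZ: {r}")
        # "Limit outbound connections from the IDMZ": each one needs a reason.
        if r.src == IDMZ:
            reviews.append(f"outbound from IDMZ, justify or remove: {r}")

    # "No common protocols in each logical firewall": a protocol/port allowed
    # through the enterprise-side firewall must not also be allowed through the
    # industrial-side firewall, so no single service can bridge both zones.
    enterprise_side = {(r.proto, r.port) for r in permits if _crosses(r, ENTERPRISE, IDMZ)}
    industrial_side = {(r.proto, r.port) for r in permits if _crosses(r, IDMZ, INDUSTRIAL)}
    for proto, port in sorted(enterprise_side & industrial_side):
        violations.append(f"common protocol on both firewalls: {proto}/{port}")
    return violations, reviews


# Constructed policy that follows the rules: enterprise users reach the IDMZ
# over HTTPS (reverse proxy / RD Gateway), the gateway reaches the industrial
# remote access server over RDP, and the industrial historian pushes to the
# IDMZ application mirror. A different protocol is used on each firewall.
GOOD_RULES = [
    Rule(ENTERPRISE, IDMZ, "tcp", 443, "permit"),
    Rule(IDMZ, INDUSTRIAL, "tcp", 3389, "permit"),
    Rule(INDUSTRIAL, IDMZ, "tcp", 1433, "permit"),
]

# The same policy with three mistakes added.
BAD_RULES = GOOD_RULES + [
    Rule(ENTERPRISE, INDUSTRIAL, "tcp", 3389, "permit"),  # bypasses the IDMZ
    Rule(INDUSTRIAL, IDMZ, "tcp", 44818, "permit"),       # CIP leaves the plant
    Rule(ENTERPRISE, IDMZ, "tcp", 445, "permit"),         # SMB on both sides:
    Rule(IDMZ, INDUSTRIAL, "tcp", 445, "permit"),         # one service spans zones
]

if __name__ == "__main__":
    for name, ruleset in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        violations, reviews = audit_idmz_rules(ruleset)
        print(f"{name}: {len(violations)} violation(s), {len(reviews)} rule(s) to review")
        for line in violations + reviews:
            print("  ", line)
```

Run against the good policy the checker reports no violations and one outbound rule to justify (the gateway's RDP into the Industrial Zone); against the bad policy it reports the bypass, the CIP permit and SMB as a protocol shared by both firewalls. The "be prepared to turn off access" rule is operational rather than structural, so it is not something a static check can assert.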
Industrial Demilitarized Zone (IDMZ) - Industrial Network Security Framework
[Diagram: physical view. Enterprise Zone (Levels 4-5): Wide Area Network (WAN), physical or virtualized servers (ERP, Email, Active Directory (AD), AAA – Radius, Call Manager), WLC (Enterprise), ISE (Enterprise), core switches, a plant manager and an engineer using remote access. Firewalls (active/standby, inspecting traffic) on each side of the IDMZ, which holds the Remote Desktop Gateway, web proxy, web reports, and physical or virtualized servers (patch management, AV server, application mirror). Industrial Zone (Levels 0-3): Level 3 Site Operations with core switches, distribution switch, remote access server, physical or virtualized servers (application servers & services; network services e.g. DNS, AD, DHCP, AAA; storage array), WLC (active) and WLC (standby); Levels 0-2 Cell/Area Zone with PACs, drive, MCC, I/O, FactoryTalk client, LWAP and WGB.]
Firewall policy shown:
• Permit Secure Remote Access to Industrial Assets
• Permit Data from the Industrial Zone to Enterprise Stakeholders
• Block Untrusted Access to Industrial Zone
• Block Untrusted Access to Enterprise Zone
Translate Logical-to-Physical Design
Translates logical network architecture into physical infrastructure design – using a methodology that reduces operating costs, speeds new hardware implementation, and ensures that future growth requirements are considered and properly planned.
[Diagram: Logical Architecture + Rockwell Automation NSS Services + Panduit Advisory Services = Physical Design (“translate into design”); “Taking Design Phase for granted =” (image) contrasted with “Reliable, Scalable, Upgradeable Design”]
PHYSICAL NETWORK DESIGN CONSIDERATIONS
Infrastructure Investment Compared to Longevity
• Software: 60% of investment, 2 to 5 years
• Networking: 23%, 5 years
• Operations: 10%, 5 years
• Cabling: 7%, 20+ years (or forever!)
80% of network problems are caused by only 7% of invested budget.
Think of your Network from End-to-End
• People in the Controls world tend to think of networks as the link between the Control Panel and the device.
[Diagram: end-to-end view. Enterprise Control Level (central computer / management level, DMZ server, server) over office Ethernet; Process Control Level (local control system, control computers, operator station) over industrial Ethernet and the control network; Field Level (sensors, analyzers, field devices) over the device network]
Zone Architecture Benefits
Traditional Cable Deployment
• Node to network room “home runs”
Zone Architecture
• Flexibility for MACs
• Reduced installation time
• Simplified diagnostics
Network Infrastructure - Physical Layer Design Considerations
• Fiber Routing Systems
• Copper Cabling Systems
• Fiber Cabling Systems
• Grounding & Bonding Systems
• Cable Management
• Cable Ties and Accessories
• Zone Cabling Systems
• Managed Network Systems
• Cabinets & Rack Systems
• Identification Solutions
Solution families: IN-ROUTE™, IN-FIELD™, IN-PANEL™, IN-ROOM™, IN-FRASTRUCTURE™
Environmental Focus - M.I.C.E. - Physical Layer Design Considerations
[Diagram: environmental severity increases from the office to the industrial floor; TIA 1005]
• M.I.C.E. provides a method of categorizing the environmental classes for each plant Cell/Area zone.
• This provides for determination of the level of “hardening” required for the network media, connectors, pathways, devices and enclosures.
• The MICE environmental classification is a measure of product robustness:
  • Specified in ISO/IEC 24702
  • Part of the TIA-1005 and ANSI/TIA-568-C.0 standards
• Examples of rating:
  • 1585 Media: M3I3C3E3
  • M12: M3I3C3E3
  • RJ-45: M1I1C2E2
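To make the rating strings concrete, here is an added Python example (not from the deck and not code from any standards body) that parses a MICE string such as M3I3C3E3 into its four axes and checks whether a product's rating covers a zone's environmental class on every axis, reporting where it falls short. The axis names (Mechanical, Ingress, Climatic/chemical, Electromagnetic) and the class range 1 to 3 follow ISO/IEC 24702; the product ratings are the ones listed above, and the zone classes used for the check are constructed.

```python
"""Parse MICE environmental ratings and check product suitability per zone.

Added example. Product ratings are the deck's examples (RJ-45 M1I1C2E2,
M12 and 1585 media M3I3C3E3); the zone classes are constructed.
"""
import re

# The four MICE axes, each classed 1 (office, mildest) to 3 (harshest).
AXES = {
    "M": "Mechanical",
    "I": "Ingress",
    "C": "Climatic/chemical",
    "E": "Electromagnetic",
}
_MICE_RE = re.compile(r"^M([1-3])I([1-3])C([1-3])E([1-3])$")


def parse_mice(rating):
    """Turn 'M3I3C3E3' into {'M': 3, 'I': 3, 'C': 3, 'E': 3}.
    Rejects anything outside the M/I/C/E order or the 1..3 class range."""
    match = _MICE_RE.match(rating.strip().upper())
    if not match:
        raise ValueError(f"not a MICE rating: {rating!r}")
    return dict(zip(AXES, (int(g) for g in match.groups())))


def shortfalls(product_rating, zone_rating):
    """Axes on which the product is rated below what the zone demands, as
    {axis: (product_class, required_class)}; an empty dict means it fits."""
    product, zone = parse_mice(product_rating), parse_mice(zone_rating)
    return {axis: (product[axis], zone[axis])
            for axis in AXES if product[axis] < zone[axis]}


def fits_zone(product_rating, zone_rating):
    """True when the product meets or exceeds the zone's class on every axis."""
    return not shortfalls(product_rating, zone_rating)


# Ratings quoted in the deck, plus two constructed Cell/Area zone classes.
PRODUCTS = {"1585 media": "M3I3C3E3", "M12": "M3I3C3E3", "RJ-45": "M1I1C2E2"}
ZONES = {"office": "M1I1C1E1", "wash-down cell": "M3I3C3E3"}


def suitability_report(products=PRODUCTS, zones=ZONES):
    """For each zone, the shortfalls of each product (empty dict = suitable)."""
    return {
        zone_name: {name: shortfalls(rating, zone_rating)
                    for name, rating in products.items()}
        for zone_name, zone_rating in zones.items()
    }


if __name__ == "__main__":
    for zone_name, results in suitability_report().items():
        print(zone_name)
        for name, gaps in results.items():
            verdict = "ok" if not gaps else ", ".join(
                f"{AXES[a]} {have}<{need}" for a, (have, need) in gaps.items())
            print(f"  {name}: {verdict}")
```

The comparison is per axis rather than on the string as a whole, which is the point of the classification: an RJ-45 at M1I1C2E2 is fine in the office class but falls short on all four axes in a wash-down cell, and a product that is strong on ingress but weak on electromagnetic class still does not fit a zone that demands E3.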
Network Distribution Installation Pitfalls - Physical Layer Design Considerations
Installation is critical for system performance, security and testability.
Micro Data Center – IN-ROOM Solution - Physical Layer Design Considerations
• Enterprise/Office: patch field used to uplink the switch to the Levels 4 & 5 Enterprise
• Server Patching: cross connect between production servers and the switch
• Firewall and DMZ: logical buffer zone between the Enterprise and Industrial Zones
• Industrial Zone: patch field used to connect the Layer 3 switch to the Layer 2 switches used on the plant floor
Validated Building Blocks - Physical Layer Design Considerations
Design your system using cost-effective and easy-to-troubleshoot network architecture.
[Diagram: Industrial Data Center, Integrated Zone (fiber or copper), Control Panel Solutions]
Leverage Reference Architecture & Validated Building Blocks to Speed Deployment and Reduce Risks
Network Security Framework - Physical Port Security
• Keyed solutions for copper and fiber
• Lock-in, Blockout products secure connections
• Data Access Port (keyed cable and jack)
Availability, Integrity and Confidentiality
• Enterprise networks require C-I-A
  • Confidentiality of intellectual property matters most
• Industrial Control Systems require A-I-C
  • Availability and integrity of control matters most
  • Control data has low entropy – little need for confidentiality
  • Many ICS vendors provide “six 9’s” of availability
• Ensuring availability is hard
  • Cryptography does not help (directly)
  • DoS protection, rate limiting, resource management, QoS, redundancy, robust hardware with high MTBF
• Security must not reduce availability!
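Rate limiting is the one item in that list that can itself reduce availability if it is done per listener rather than per source. As an added example (not from the deck), the following Python applies a per-source token bucket to a constructed packet trace: an HMI polling a controller at a steady 10 requests/s keeps full service while a 1000-request burst from a single other source is shed down to roughly the configured rate. The traffic, addresses and limits are constructed; the token-bucket algorithm itself is standard.

```python
"""Per-source token-bucket rate limiting over a constructed packet trace.

Added example. Demonstrates DoS protection that does not reduce availability
for a well-behaved client: each source gets its own bucket, so a flood from
one address cannot consume the budget of another.
"""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, capped at `burst`."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)   # start full so a short burst is tolerated
        self.last = None             # timestamp of the previous check

    def allow(self, now):
        """Consume one token for an event at time `now`; False means shed it."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def shed_load(events, rate, burst):
    """Apply one bucket per source to (timestamp_s, source) events.
    Returns {source: (accepted, dropped)}."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    counts = defaultdict(lambda: [0, 0])
    for timestamp, source in sorted(events):   # process in time order
        slot = 0 if buckets[source].allow(timestamp) else 1
        counts[source][slot] += 1
    return {source: tuple(c) for source, c in counts.items()}


def constructed_trace():
    """Constructed traffic: an HMI polling at 10 requests/s for 2 s, and a
    flood source sending 1000 requests within half a second."""
    hmi = [(i * 0.1, "10.1.1.10") for i in range(20)]
    flood = [(i * 0.0005, "10.1.1.99") for i in range(1000)]
    return hmi + flood


def demo(rate=20, burst=20):
    """Limit each source to 20 requests/s with a burst allowance of 20."""
    return shed_load(constructed_trace(), rate, burst)


if __name__ == "__main__":
    for source, (accepted, dropped) in sorted(demo().items()):
        print(f"{source}: accepted {accepted}, dropped {dropped}")
```

With a 20/s limit and a burst of 20, the HMI's 20 polls are all accepted, while the flood source gets its initial burst plus about one request per 50 ms for the rest of its half second (around 30 of 1000) and the remainder is dropped. The burst size is the knob to set from the real polling pattern of the protocol in use, since a burst smaller than a legitimate client's natural batch would start shedding control traffic.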
Key Takeaways
TAKE ACTION
• Education and awareness:
  • Within your organization, for your customers or trusted partners
  • Establish an open dialog between Industrial Automation and IT groups
• Establish an Industrial security policy, unique from and in addition to the Enterprise security policy
• Holistic Defense-in-Depth approach: no single product, methodology, nor technology fully secures IACS networks
• Be aware of Industrial Automation and Control System Security Standards
  • IEC-62443 (Formerly ISA99), NIST 800-82, DHS External Report # INL/EXT-06-11478
• Utilize standards, reference models and reference architectures
• Work with trusted partners knowledgeable in industrial automation and security
• "Good enough" security now, is better than "perfect" security ... never. (Tom West, Data General)
Additional Information
Rockwell Automation - Educational Tools & Content
• EtherNet/IP Website:
  • http://ab.rockwellautomation.com/Networks-and-Communications/Ethernet-IP-Network
• Network and Security Services Website:
  • http://www.rockwellautomation.com/services/networks/
  • http://www.rockwellautomation.com/services/security/
• Network and Security Services Noggin Site:
  • https://noggin.gosavo.com/CustomPage/View.aspx?id=28994665
• Reference Architectures
  • Design Guides
    • Converged Plant-wide Ethernet (CPwE)
  • Application Guides
    • Fiber Optic Infrastructure Application Guide
Rockwell Automation - Educational Tools & Content
• KnowledgeBase Security Table of Contents
• TCP/UDP Ports used by Rockwell Automation products
• Network and Security Services Brochure
• Whitepapers
  • Patch Management and Computer System Security Updates
  • Scalable Secure Remote Access Solutions for OEMs
  • Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
  • Securing Manufacturing Computer and Controller Assets
  • Production Software within Manufacturing Reference Architectures
  • Achieving Secure Remote Access to plant-floor Applications and Data
  • Design Considerations for Securing Industrial Automation and Control System Networks - ENET-WP031A-EN-E
THANK YOU!