Cybersecurity for the Industrial Internet
Marco [email protected]
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Two Worlds Converging
Security is the Top Driver
IT-OT collaboration is vital for securing ICS
Both teams work from the same industrial network traffic.
OT brings: industrial process skills, operational events context, asset criticality levels, equipment configuration
IT brings: cybersecurity skills, network hygiene, security policies, detection & remediation
Together they drive best practices, fight cyber attacks, ensure production continuity and define behavioral baselines
Context is key to securing any environment
SecOps lack context on industrial processes
Security policies implemented without context cause downtime
IEC 62443 architectural framework
Framework Nazionale per la Cybersecurity e la Data Protection (the Italian National Framework for Cybersecurity and Data Protection)
The 4-step journey to secure your industrial network
Identify all your industrial assets to build the right security strategy
1. Environment discovery: gain visibility on your OT to build and enforce the right security policies
2. Policies definition: isolate networks to build zones and conduits so that attacks cannot spread
3. Live threat detection: detect IT intrusions and abnormal OT behaviors to maintain process integrity
4. Integrated IT/OT SOC: gain a holistic view on security events to ease investigation & remediation
Cisco's product focus for IoT: security across the stack
Stack layers: Sensors/Devices, Networking, IoT Security, Data Control, Analytics, Applications, Mgmt. and Automation
Portfolio: Control Center, Industrial Switching, Industrial Routing, Industrial Wireless, IoT Gateways/Compute, Sensor Networking (LoRa/Mesh), Industrial Security, Edge Computing, Data Mgmt. and Control
Foundational Components of Industrial Security
• ISA 3000 Industrial Firewall: prevent propagation of threats with best-of-breed industrial protocol IPS/IDS
• Cyber Vision: operational insights and cyber threat detection; OT asset inventory, track industrial processes, detect attempts to modify assets
• SecureX Threat Response: threat investigation and remediation; enables the IT SOC to investigate industrial threats through integration with Cyber Vision and the ISA3000
All three are powered by Cisco Talos threat intelligence
Cisco Cyber Vision: security that scales with your network infrastructure
• Network sensors: deep packet inspection built into network elements (IE 3400 Switch, IE 3400 Heavy Duty, IR 1101 Gateway, Catalyst 9000 Series Switch), eliminating the need for SPAN
• Hardware sensor: IC3000 Industrial Compute, SPAN based to support brownfield equipment
• Cyber Vision Center: centralized analytics; every sensor sends application-flow metadata to the Center
Operational insights for OT, threat detection for IT
ISA3000 Industrial Security Appliance: protect your industrial networks against increasingly complex threats
Cisco Firepower Threat Defense technology packaged in a ruggedized form factor built for OT use cases
• Benefit from industry-leading, advanced threat intelligence
• Streamline security policy and device management across your sites
• Leverage built-in, comprehensive next-generation IPS
• Detect, investigate, and remediate across the IT-OT integrated security portfolio
SecureX Threat Response
• Cisco's cloud platform to accelerate threat hunting and incident response
• Detect, investigate, and remediate across multiple integrated security technologies
• Free with existing Cisco Security licenses
Threat Intelligence: Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers.
Incident Response: Cisco Talos Incident Response provides a full suite of proactive and reactive services to help you prepare for, respond to and recover from a breach. With Talos IR, you have direct access to the same threat intelligence available to Cisco.
Foundation Security Architecture in Manufacturing
Purdue level 4 & 5, Enterprise Zone: Security Operations Center (FMC, SecureX, SIEM), separated from the plant by an NGFW
Industrial De-Militarized Zone (IDMZ)
Purdue level 3, Manufacturing Operations Zone: Cyber Vision Center, industrial aggregation switches, SCADA/HMI
Purdue level 0-2, Cell/Area Zone: IE switches with embedded sensors, ISA3000 firewalls, HMIs, PLC/RTU/IED and SIS (safety instrumented system) controllers; an IC3000 hardware sensor fed by SPAN covers equipment that cannot host an embedded sensor
Four functions mapped onto the architecture: Discover (asset visibility, application flows), Segment (control access, create zones), Detect (vulnerabilities, anomalies, intrusion), Respond (investigate, remediate)
Foundational Security Architecture in Electric Utilities
Operations Center / Control Center: SCADA application servers and the Security Operations Center (FMC, SecureX, SIEM, Cyber Vision Center) behind an NGFW; backhaul to the field over private WAN or service-provider cellular
Transmission and distribution substations: HMI, IE switch with embedded sensor, ISA3000 firewall, bay controllers, RTU, relay, IED, merging unit (MU); an IC3000 hardware sensor fed by SPAN where the switch cannot host a sensor
Distribution grid feeder: IR1101 gateways with embedded sensors in front of smart inverters (SI), capacitor banks (CB) and voltage regulators (VR); all sensors send application-flow metadata to Cyber Vision Center
Four functions mapped onto the architecture: Discover (asset visibility, application flows), Segment (control access, create zones), Detect (vulnerabilities, anomalies, intrusion), Respond (investigate, remediate)
Foundational Security Architecture in Oil and Gas
Operations Center / Control Center: SCADA application servers, OT apps and the Security Operations Center (FMC, SecureX, SIEM, Cyber Vision); backhaul to the field over WAN, service-provider cellular or LTE
Plant/Refinery (downstream): ISA3000 firewall, IE3400 industrial switch stacks with embedded sensors, an IC3000 hardware sensor fed by SPAN, monitoring valves, actuators and sensors
Midstream and upstream sites: IR1101 gateways and IE3400 industrial switches with embedded sensors monitoring compressors, pumps and valves
Four functions mapped onto the architecture: Discover (asset visibility, application flows), Segment (control access, create zones), Detect (vulnerabilities, anomalies, intrusion), Respond (investigate, remediate)
Cisco Industry Validated Designs: simplicity, security, scalability
Industry Cisco Validated Designs (CVDs) and proven integrations
• Manufacturing: Industrial Automation, Plant Wide Connectivity, Factory Security, Factory Wireless
• Power Utilities: Substation Automation, Smart Metering, Distribution Automation
• Energy: Industrial Automation, Connected Pipeline, Refinery and Process Plants (Jan 2020)
• Transportation: Connected Rail, Connected Mass Transit, Connected Roadways
• Smart Cities: Lighting, Parking, Environment, Safety and Security; Connected Communities Infrastructure
• Extended Enterprise: Remote and Mobile Assets
Several of these designs were marked NEW on the slide.
Meeting Stakeholder Needs: ensuring success from POC to IoT-scale deployments
The Trifecta of Stakeholders
• CSO: chooses the ICS security solution
• IT: tasked with deploying the solution
• OT: must approve what gets deployed
Choice of security solution impacts all stakeholders
Meeting the needs of IT
Typical ICS detection solutions depend on SPAN
Hidden costs of port mirroring: the industrial switch mirrors traffic to a server appliance that performs industrial-protocol DPI-based passive monitoring of the SPAN traffic
• Out-of-band SPAN requires an expensive collection network
• Inline SPAN causes jitter which impacts control system performance
• Sending SPAN traffic over 3G/LTE WAN links is cost prohibitive
• Space-constrained locations cannot house extra hardware sensors
Cisco Cyber Vision: visibility built into your network infrastructure
Cyber Vision sensors embedded into industrial network equipment send lightweight application-flow metadata from the ICS network to Cyber Vision Center
• No additional hardware needed
• No need for an out-of-band monitoring network
• No impact on performance
Reduce TCO by eliminating the need to invest in an ever-growing SPAN collection network
Security deployed at scale: visibility built into your network infrastructure
1. Leverage OT budget for the industrial network
2. Eliminate the need for IT to invest in and maintain a SPAN collection network
3. Single solution for SecOps to monitor threats across operational departments
Meeting the needs of OT
Cyber Vision understands ICS protocols you use
Cisco’s Deep Packet Inspection decodes standard and proprietary industrial protocols
Industrial Application Visibility
Cisco industrial networking (here IE 3400 switches and IR 1101 gateways with embedded sensors reporting application flows) enables you to visually inspect the activities in your industrial processes to reduce downtime.
Gain Operational Insights
Network sensors (built-in deep packet inspection) send application-flow data to Cyber Vision Center (centralized analytics), which provides:
• Comprehensive asset inventory
• Dynamic communication map
• Tracking of variable changes
• Detection of changes in the control system
A Flight Recorder for Troubleshooting
Cyber Vision Center (centralized analytics) keeps the timeline of events reported by the network sensors (built-in deep packet inspection). The slide's example involves Siemens PLC_3 (192.168.105.75), Siemens S7-400 station_1 PLC_1 (192.168.105.150) and a Dell workstation (192.168.105.241):
• New component Dell workstation detected on the network
• Component Dell workstation detected vulnerable to Windows SMB Remote Code Execution CVE-2017-0145
• Stop CPU command detected from Dell workstation to S7-400 PLC
• Program download detected from Dell workstation to S7-400 PLC
• New communication detected from Dell workstation to S7-400 PLC
• New variable access detected from S7-400 PLC to HMI 192.168.105.75
Meeting the needs of SecOps
Cyber Vision Threat Detection
• Cyber Vision Vulnerability Detection: patch vulnerabilities before they are exploited
• Cyber Vision Intrusion Detection: detect malicious intrusions and callbacks to control servers
• Cyber Vision Behavioral Analytics: detect attempts to scan and modify OT assets
All three are backed by threat intelligence
Easily track all threats to your industrial networks
• Security events (authentication, vulnerabilities, port scan, protocol exception…)
• Signature-based detection (IDS)
• Control systems events (variable changes, program uploads…)
• Asset inventory events (new, modified asset…)
• Cyber Vision admin and config events
Baselines highlight abnormal behaviors
• Cyber Vision behavior modeling automatically triggers alerts on deviations from the baselines: new and modified assets, new activities between assets, variable changes, program modifications
• Continuously improve detection with classification of new events: accept changes into continuous monitoring, or trigger alerts to investigate the changes
• Provide feedback on anomalies to give context to security analysts
Easily spot important IT security information
• Top / Rare DNS requests
• Top / Rare HTTP requests
• Top / Rare SMB usage
• Unclassified "strange" flows
Cyber Vision intrusion detection
• Snort subscriber rule set, curated for industrial environments, covering: denial of service, C2 and botnet communication, lateral movement through Windows exploits, malware traffic, browser exploits, PLC exploits
• Custom rule set support
ISA 3000 Industrial Threat Protection
• Industrial Application Visibility & Control: prebuilt industrial application detectors for the leading open source IPS/IDS; write your own custom application detectors with OpenAppID, the open source application-layer plugin
• Industrial IPS preprocessors: prebuilt industrial preprocessors for the leading open source IPS/IDS
• 500+ industrial IPS signatures and 1000+ Windows IPS signatures, regularly updated from Cisco's industry-leading threat intelligence team
Reduce the noise of intrusion events
The impact of an IPS event can be deduced from the host profile of the target, and Firepower recommendations can tune the IPS rule set accordingly.

Impact flag | Administrator action | Why
1 | Act immediately: Vulnerable | Event corresponds to a vulnerability mapped to the host
2 | Investigate: Potentially Vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to know: Currently Not Vulnerable | Relevant port not open or protocol not in use
4 | Good to know: Unknown Target | Monitored network but unknown host
0 | Good to know: Unknown Network | Unmonitored network
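The table above is simple to implement, and implementing it is the clearest way to see why it cuts noise. The block below is an added example, not Firepower code: it derives the impact flag of each intrusion event from a constructed host profile table, sorts the events the way an analyst would work them, and adds a minimal version of the recommendation idea (a rule is kept enabled only if some profiled host exposes the port or the vulnerability the rule targets). Host profiles, rule names, the MONITORED network list and the CVE-to-host mapping are constructed for illustration; CVE-2017-0145 is taken from the flight-recorder slide.

```python
"""Impact-flag triage of intrusion events from host profiles (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class HostProfile:
    """What the network map knows about one host (constructed data)."""
    ip: str
    open_ports: set                          # {(proto, port)}; port None for port-less protocols
    cves: set = field(default_factory=set)   # vulnerabilities mapped to the host


@dataclass
class IntrusionEvent:
    rule: str
    src: str
    dst: str
    proto: str
    dst_port: Optional[int]
    cves: set = field(default_factory=set)   # CVE references carried by the rule


# Networks the sensors actually see; anything else is "Unknown Network".
MONITORED = [ip_network("192.168.105.0/24")]

IMPACT = {
    1: ("Act immediately", "Vulnerable"),
    2: ("Investigate", "Potentially Vulnerable"),
    3: ("Good to know", "Currently Not Vulnerable"),
    4: ("Good to know", "Unknown Target"),
    0: ("Good to know", "Unknown Network"),
}


def impact_flag(ev, hosts):
    """Apply the table's conditions, most specific first."""
    if not any(ip_address(ev.dst) in net for net in MONITORED):
        return 0                                   # unmonitored network
    host = hosts.get(ev.dst)
    if host is None:
        return 4                                   # monitored network, unknown host
    if ev.cves & host.cves:
        return 1                                   # vulnerability mapped to the host
    if (ev.proto, ev.dst_port) in host.open_ports:
        return 2                                   # port open / protocol in use
    return 3                                       # target does not expose it


# Analyst-facing order: act on 1, investigate 2, then the informational flags.
TRIAGE_ORDER = {1: 0, 2: 1, 4: 2, 3: 3, 0: 4}


def triage(events, hosts):
    scored = [(impact_flag(ev, hosts), ev) for ev in events]
    scored.sort(key=lambda s: TRIAGE_ORDER[s[0]])   # stable, keeps arrival order within a flag
    return [(flag, IMPACT[flag][0], ev.rule) for flag, ev in scored]


def recommended_rules(rules, hosts):
    """Keep a rule enabled only if some profiled host exposes what it targets.

    rules: {rule_name: (proto, port, cves)}.  Rules for services that no
    monitored host runs would only ever fire as flag 3 or 4 events.
    """
    keep = set()
    for name, (proto, port, cves) in rules.items():
        for host in hosts.values():
            if (proto, port) in host.open_ports or (cves & host.cves):
                keep.add(name)
                break
    return keep


# Constructed host profiles: the Dell workstation from the flight-recorder slide
# (SMB and RDP exposed, MS17-010 CVE mapped) and the S7-400 PLC (S7 on TCP/102).
HOSTS = {
    "192.168.105.241": HostProfile("192.168.105.241", {("tcp", 445), ("tcp", 3389)}, {"CVE-2017-0145"}),
    "192.168.105.150": HostProfile("192.168.105.150", {("tcp", 102)}),
}

# Constructed intrusion events; rule names are illustrative, not Snort SIDs.
EVENTS = [
    IntrusionEvent("SMB remote code execution attempt", "192.168.105.77", "192.168.105.241", "tcp", 445, {"CVE-2017-0145"}),
    IntrusionEvent("RDP brute force", "192.168.105.77", "192.168.105.241", "tcp", 3389),
    IntrusionEvent("HTTP directory traversal", "192.168.105.77", "192.168.105.241", "tcp", 80),
    IntrusionEvent("S7 PLC stop CPU", "192.168.105.241", "192.168.105.150", "tcp", 102),
    IntrusionEvent("ICS port sweep", "192.168.105.77", "192.168.105.99", "tcp", 502),
    IntrusionEvent("Outbound beacon", "192.168.105.241", "203.0.113.5", "tcp", 443),
]

if __name__ == "__main__":
    for flag, action, rule in triage(EVENTS, HOSTS):
        print(f"impact {flag} {action:<16} {rule}")
```

Of the six constructed events only the SMB attempt lands on a host that is actually vulnerable (flag 1); the RDP and S7 events hit open services and deserve a look (flag 2); the HTTP event targets a port the workstation does not expose (flag 3); the port sweep hits an address the map has never seen (flag 4); the beacon leaves the monitored range (flag 0). Note that flag 0 and 4 events are ranked as "good to know" by the table, but an unknown host inside a cell, or traffic to an address nobody monitors, is exactly what an OT team should be asked about.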
Block Malware Using AMP for Networks
• Multiple methods of malware detection: AV detection engines, one-to-one signature matching, machine learning, fuzzy fingerprinting, sandboxing on device or in the cloud
• File trajectory, behavioral IoCs, threat hunting, retrospective detection
Cyber Vision integrates with your existing security platforms
• SOC: SecureX Threat Response
• Firewalls: Firepower NGFW
• Access control: ISE
• CMDB
Firepower Management Center + Cyber Vision
FMC: Cyber Vision integration
• Map ICS device IP addresses to named objects (PLC, IO, Drive) in Firepower for use in access policy (available in November 2020)
• Identify anomalous flows in Cyber Vision and kill the corresponding FTD firewall sessions
• Map ICS device identity to hosts in Firepower for use in FMC correlation policy
Integration available with Cyber Vision 3.1.0+
Identity Services Engine + Cyber Vision
ISE: Cyber Vision integration
• Enforce network access control through dynamic assignment of VLANs and dACLs, or micro-segmentation with SGT / TrustSec
• Enrich endpoint attributes in ISE with rich context from Cyber Vision
• Use custom attributes to map industrial process context like cells and zones for profiling endpoints
Stealthwatch + Cyber Vision
Stealthwatch: Cyber Vision integration
• Enrich host groups in Stealthwatch with rich context from Cyber Vision
• Use host-group attributes like cells and zones to create alarms for inter-cell/zone traffic violations
• Easily identify flows mapped to industrial endpoints with host-group attributes (e.g. a Logix Controller made by Rockwell Automation in Cell-3)
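The inter-cell/zone alarm described here, and the zones-and-conduits step of the 4-step journey earlier in the deck, reduce to one check: a flow that crosses zones must match a permitted conduit, and everything else is an alarm. The block below is an added example, not Stealthwatch or Cyber Vision code. Asset names, IP addresses, zone names, protocols and the conduit table are constructed for illustration; conduits are treated as directional (initiator zone to target zone) and as carrying an allow-list of protocols, both design choices of this example rather than anything the slide states.

```python
"""Zone/conduit policy check over constructed ICS flow records (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str   # the cell/zone host-group attribute


# Constructed inventory: one Level 3 server, two cells, one enterprise host.
ASSETS = {
    "10.0.3.5": Asset("SCADA server", "Level3-Ops"),
    "10.1.0.10": Asset("S7-1500 PLC", "Cell-1"),
    "10.1.0.20": Asset("Cell-1 HMI", "Cell-1"),
    "10.3.0.10": Asset("Logix Controller", "Cell-3"),
    "10.3.0.20": Asset("Cell-3 HMI", "Cell-3"),
    "10.200.1.50": Asset("Engineering laptop", "Enterprise"),
}

# Conduits: (initiator zone, target zone) -> protocols permitted across it.
# Traffic inside a zone is always permitted; anything crossing zones must
# match a conduit.  Direction matters: Level 3 may poll the cells, but a cell
# may not initiate towards Level 3 or towards another cell.
CONDUITS = {
    ("Level3-Ops", "Cell-1"): {"s7comm"},
    ("Level3-Ops", "Cell-3"): {"cip"},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str


def check_flow(flow, assets=ASSETS, conduits=CONDUITS):
    """Return None if the flow is permitted, otherwise the reason it is not."""
    src, dst = assets.get(flow.src), assets.get(flow.dst)
    if src is None or dst is None:
        unknown = flow.src if src is None else flow.dst
        return f"unknown asset {unknown}"          # not in the inventory: cannot be in any zone
    if src.zone == dst.zone:
        return None                                # intra-zone traffic
    allowed = conduits.get((src.zone, dst.zone), set())
    if flow.proto in allowed:
        return None
    if not allowed:
        return f"no conduit {src.zone} -> {dst.zone} ({src.name} -> {dst.name})"
    return f"{flow.proto} not permitted on conduit {src.zone} -> {dst.zone}"


def find_violations(flows, assets=ASSETS, conduits=CONDUITS):
    out = []
    for f in flows:
        reason = check_flow(f, assets, conduits)
        if reason:
            out.append((f, reason))
    return out


# Constructed flow records, e.g. as exported from a flow collector.
FLOWS = [
    Flow("10.3.0.20", "10.3.0.10", "cip"),        # HMI to controller inside Cell-3
    Flow("10.0.3.5", "10.3.0.10", "cip"),         # SCADA polls Cell-3 over its conduit
    Flow("10.0.3.5", "10.1.0.10", "s7comm"),      # SCADA polls Cell-1 over its conduit
    Flow("10.200.1.50", "10.3.0.10", "cip"),      # enterprise laptop straight into a cell
    Flow("10.1.0.10", "10.3.0.10", "cip"),        # cell to cell, no conduit defined
    Flow("10.0.3.5", "10.3.0.10", "s7comm"),      # wrong protocol on an existing conduit
    Flow("192.0.2.9", "10.3.0.10", "cip"),        # source missing from the inventory
]

if __name__ == "__main__":
    for flow, reason in find_violations(FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}: {reason}")
```

Four of the seven constructed flows are violations, and each reason names something actionable: a zone pair that has no conduit, a protocol that the conduit does not carry, or an address the inventory has never seen. The last case is why the check depends on the asset inventory being complete; an unknown host cannot be placed in a zone, so it cannot be allowed, and the discovery step has to come before the segmentation step.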
Cisco Threat Response + ISA 3000 Firewall
CTR: Firepower integration
• Automated triage and prioritization of intrusion events through the built-in Incident Manager
• Investigate, identify and enrich Firepower intrusion events with context from integrations across security products
• Enrich all investigations with network context from Firepower devices
Integration available with FTD v6.3+
Investigate across IT-OT integrated security technologies: pivot from Cyber Vision to CTR to investigate observables
• Gather context from Umbrella, FTD, Talos, AMP, Stealthwatch, etc.
• Block/unblock domains in Umbrella
• Block/unblock file executables in AMP
IBM QRadar integration: unified IT/OT security events management in SIEM
Cyber Vision forwards its ICS visibility events about PLC, IO, drive and controller assets to QRadar over syslog
Splunk integration: unified IT/OT security events management in SIEM
Cyber Vision forwards its ICS visibility events about PLC, IO, drive and controller assets to Splunk over syslog
Meeting Stakeholder Needs: the bridge between the enterprise and the line of business
• CSO: protect your business against threats with the strongest suite of industrial application-aware integrated security solutions
• OT: reduce downtime with operational insights that help track activities in your industrial process
• IT: reduce TCO by eliminating the need to invest in an ever-growing SPAN collection network
Kick-start your Industrial IoT security project
Asset discovery and assessment service led by Cisco OT Security experts: the Cisco assessment service gives you a comprehensive picture of your industrial security posture so you can build your project plan
Deliverables: industrial asset inventory, vulnerability detection, communication maps, actionable insights, detailed reports
Bring Cisco scale and simplicity to IIoT security: all working together for successful Industrial IoT security deployments
• Cisco Industrial Networks: connect anything anywhere
• Cisco Security: comprehensive IT/OT cybersecurity
• Cisco Validated Designs: state-of-the-art architecture guides
• Cisco Customer Services: human skills to enable deployments