Page 1: Cybersecurity for the Industrial Internet

Marco Stangalino

Cybersecurity for the Industrial Internet

Page 2: Cybersecurity for the Industrial Internet

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Two Worlds Converging

Security is the Top Driver

Page 3: Cybersecurity for the Industrial Internet

IT-OT collaboration is vital for securing ICS

Both teams look at the same industrial network traffic, but bring different knowledge to it:

OT brings industrial process skills, operational events context, asset criticality levels and equipment configuration. OT ensures production continuity and defines the behavioral baselines.

IT brings cybersecurity skills, network hygiene, security policies, and detection & remediation. IT drives best practices and fights cyber attacks.

Page 4: Cybersecurity for the Industrial Internet

Context is key to securing any environment

SecOps lack context on industrial processes. Security policies implemented without that context cause downtime.

Page 5: Cybersecurity for the Industrial Internet


IEC 62443 architectural framework

Page 6: Cybersecurity for the Industrial Internet

Framework Nazionale per la Cybersecurity e la Data Protection (the Italian National Framework for Cybersecurity and Data Protection)

Page 7: Cybersecurity for the Industrial Internet

The 4-step journey to secure your industrial network

Gain visibility on your OT to build and enforce the right security policies:

1. Environment discovery: identify all your industrial assets to build the right security strategy.

2. Policies definition: isolate networks to build zones and conduits so that attacks cannot spread.

3. Live threat detection: detect IT intrusions and abnormal OT behaviors to maintain process integrity.

4. Integrated IT/OT SOC: gain a holistic view on security events to ease investigation & remediation.

Page 8: Cybersecurity for the Industrial Internet

Cisco's product focus for IoT: security across the stack

Stack layers: Sensors/Devices, Networking, IoT Security, Data Control, Analytics, Applications, Management and Automation.

Product areas: Industrial Switching, Industrial Routing, Industrial Wireless, IoT Gateways/Compute, Sensor Networking (LoRa/Mesh), Industrial Security, Edge Computing, Data Management and Control, Control Center.

Page 9: Cybersecurity for the Industrial Internet

Foundational Components of Industrial Security

ISA 3000 Industrial Firewall: prevent propagation of threats with best-of-breed industrial protocol IPS/IDS.

Cyber Vision: operational insights and cyber threat detection. OT asset inventory, tracking of industrial processes, detection of attempts to modify assets. Sensors embedded in the network feed the Cyber Vision Center.

SecureX Threat Response: threat investigation and remediation. Enables the IT SOC to investigate industrial threats through integration with Cyber Vision and the ISA3000.

Powered by Cisco Talos threat intelligence.

Page 10: Cybersecurity for the Industrial Internet

Cisco Cyber Vision: security that scales with your network infrastructure

Network sensors: deep packet inspection built into network elements (IE 3400 Switch, IE 3400 Heavy Duty, IR 1101 Gateway, Catalyst 9000 Series Switch), eliminating the need for SPAN.

Hardware sensor: IC3000 Industrial Compute, SPAN based, to support brownfield deployments.

Cyber Vision Center: centralized analytics, receiving application-flow metadata from the sensors. Operational insights for OT, threat detection for IT.

Page 11: Cybersecurity for the Industrial Internet

ISA3000 Industrial Security Appliance

Cisco Firepower Threat Defense technology packaged in a ruggedized form factor built for OT use cases. Protect your industrial networks against increasingly complex threats:

• Benefit from industry-leading, advanced threat intelligence
• Streamline security policy and device management across your sites
• Leverage built-in, comprehensive next-generation IPS
• Detect, investigate, and remediate across the IT-OT integrated security portfolio

Page 12: Cybersecurity for the Industrial Internet

SecureX Threat Response

• Cisco's cloud platform to accelerate threat hunting and incident response
• Detect, investigate, and remediate across multiple integrated security technologies
• FREE with existing Cisco Security licenses

Page 13: Cybersecurity for the Industrial Internet

Threat Intelligence: Cisco Talos

Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers.

Incident Response: Cisco Talos Incident Response

Cisco Talos Incident Response provides a full suite of proactive and reactive services to help you prepare, respond and recover from a breach. With Talos IR, you have direct access to the same threat intelligence available to Cisco.

Page 14: Cybersecurity for the Industrial Internet

Foundation Security Architecture in Manufacturing

Reference architecture laid out along the Purdue model:

Purdue level 4 & 5, Enterprise Zone: Security Operations Center with FMC, SecureX and SIEM, behind an NGFW.

Industrial De-Militarized Zone (IDMZ).

Purdue level 3, Manufacturing Operations Zone, and Purdue level 0-2, Cell/Area Zone: Cyber Vision Center, industrial aggregation, SCADA/HMI, IC3000 hardware sensor fed by SPAN, IE switches with embedded sensors, ISA3000 firewalls, CGC, HMIs, PLC/RTU/IED and SIS PLC/RTU/IED.

Security functions mapped onto the architecture: Discover (asset visibility, application flows), Segment (control access, create zones), Detect (vulnerabilities, anomalies, intrusion), Respond (investigate, remediate).

Page 15: Cybersecurity for the Industrial Internet

Foundational Security Architecture in Electric Utilities

Operations Center / Control Center: SCADA app servers and the Security Operations Center (FMC, SecureX, SIEM, Cyber Vision) behind an NGFW. Backhaul to the field over private WAN or service-provider cellular, with a sensor monitoring the backhaul.

Transmission Grid substation: HMI, IE Switch, ISA3000 Firewall, IC3000 hardware sensor fed by SPAN, bay controllers, RTU, relay, IED and merging unit (MU).

Distribution Grid substation: HMI, IE Switch with embedded sensor, ISA3000 Firewall, bay controllers, RTU, relay, IED and MU.

Feeder: IR1101 gateways with embedded sensors at the smart inverter (SI), capacitor bank (CB) and voltage regulator (VR), reporting application flows.

Security functions mapped onto the architecture: Discover (asset visibility, application flows), Segment (control access, create zones), Detect (vulnerabilities, anomalies, intrusion), Respond (investigate, remediate).

Page 16: Cybersecurity for the Industrial Internet

Foundational Security Architecture in Oil and Gas

Operations Center / Control Center: SCADA app servers, OT apps and the Security Operations Center (FMC, SecureX, SIEM, Cyber Vision). Backhaul over WAN, service-provider cellular or LTE, with a sensor monitoring the backhaul.

Downstream, plant/refinery: IE3400 switch stacks and industrial switches with embedded sensors, ISA3000 Firewall, IC3000 hardware sensor fed by SPAN; compressors, pumps, valves, actuators and sensors.

Midstream: IR1101 gateways with embedded sensors; compressors, pumps and valves.

Upstream: IR1101 gateways with embedded sensors; compressors, pumps and valves.

Security functions mapped onto the architecture: Discover (asset visibility, application flows), Segment (control access, create zones), Detect (vulnerabilities, anomalies, intrusion), Respond (investigate, remediate).

Page 17: Cybersecurity for the Industrial Internet

Cisco Industry Validated Designs: simplicity, security, scalability

Industry Cisco Validated Designs (CVDs) and proven integrations, several of them new:

Manufacturing: Industrial Automation, Plant Wide Connectivity, Factory Security, Factory Wireless
Power Utilities: Substation Automation, Smart Metering, Distribution Automation
Energy: Industrial Automation, Connected Pipeline, Refinery and Process Plants (Jan 2020)
Transportation: Connected Rail, Connected Mass Transit, Connected Roadways
Smart Cities: Lighting, Parking, Environment, Safety and Security; Connected Communities Infrastructure
Extended Enterprise: Remote and Mobile Assets

Page 18: Cybersecurity for the Industrial Internet

Meeting Stakeholder Needs: ensuring success from POC to IoT-scale deployments

Page 19: Cybersecurity for the Industrial Internet

The Trifecta of Stakeholders

CSO: chooses the ICS security solution.
IT: tasked with deploying the solution.
OT: must approve what gets deployed.

The choice of security solution impacts all stakeholders.

Page 20: Cybersecurity for the Industrial Internet


Meeting the needs of IT

Page 21: Cybersecurity for the Industrial Internet

Typical ICS detection solutions depend on SPAN

Hidden costs of port mirroring: the industrial switch mirrors SPAN traffic to a server appliance that performs industrial-protocol DPI-based passive monitoring.

• Out-of-band SPAN requires an expensive collection network
• Inline SPAN causes jitter, which impacts control system performance
• Sending SPAN traffic over 3G/LTE WAN links is cost prohibitive
• Space-constrained locations cannot house extra hardware sensors

Page 22: Cybersecurity for the Industrial Internet

Cisco Cyber Vision: visibility built into your network infrastructure

Cyber Vision Sensors embedded into industrial network equipment decode the ICS network traffic locally and send only lightweight application-flow metadata to the Cyber Vision Center.

• No additional hardware needed
• No need for an out-of-band monitoring network
• No impact on performance

Reduce TCO by eliminating the need to invest in an ever-growing SPAN collection network.

Page 23: Cybersecurity for the Industrial Internet

Security deployed at scale: visibility built into your network infrastructure

1. Leverage OT budget for the industrial network
2. Eliminate the need for IT to invest in and maintain a SPAN collection network
3. Single solution for SecOps to monitor threats across operational departments


Page 26: Cybersecurity for the Industrial Internet


Meeting the needs of OT

Page 27: Cybersecurity for the Industrial Internet

Cyber Vision understands the ICS protocols you use

Cisco's Deep Packet Inspection decodes standard and proprietary industrial protocols.

Page 28: Cybersecurity for the Industrial Internet

Industrial Application Visibility

Cisco industrial networking enables you to visually inspect the activities in your industrial processes to reduce downtime. Sensors in the IE 3400 Switch and IR 1101 Gateway report the application flows they observe.

Page 29: Cybersecurity for the Industrial Internet

Gain Operational Insights

Network sensors with built-in deep packet inspection report application flows to the Cyber Vision Center (centralized analytics), which provides:

• Comprehensive asset inventory
• Dynamic communication map
• Tracking of variable changes
• Detection of changes in the control system

Page 30: Cybersecurity for the Industrial Internet

A Flight Recorder for Troubleshooting

Components on the monitored network: Siemens 192.168.105.75 (PLC_3), Siemens 192.168.105.150 (S7-400 station_1, PLC_1), Dell 192.168.105.241 (workstation).

Events recorded by the Cyber Vision Center from the sensors' application flows:

• New component Dell workstation detected on the network
• Component Dell workstation detected vulnerable to Windows SMB Remote Code Execution CVE-2017-0145
• Stop CPU command detected from Dell workstation to S7-400 PLC
• Program Download detected from Dell workstation to S7-400 PLC
• New Communication detected from Dell workstation to S7-400 PLC
• New Variable access detected from S7-400 PLC to HMI 192.168.105.75

Page 31: Cybersecurity for the Industrial Internet


Meeting the needs of SecOps

Page 32: Cybersecurity for the Industrial Internet

Cyber Vision Threat Detection

Cyber Vision Vulnerability Detection: patch vulnerabilities before they are exploited.
Cyber Vision Intrusion Detection: detect malicious intrusions & callbacks to control servers.
Cyber Vision Behavioral Analytics: detect attempts to scan & modify OT assets.

Backed by Threat Intelligence.

Page 33: Cybersecurity for the Industrial Internet

Easily track all threats to your industrial networks:

• Security events (authentication, vulnerabilities, port scan, protocol exception…)
• Signature-based detection (IDS)
• Control systems events (variable changes, program uploads…)
• Asset inventory events (new, modified asset…)
• Cyber Vision admin and config events

Page 34: Cybersecurity for the Industrial Internet

Baselines highlight abnormal behaviors

• Cyber Vision behavior modeling automatically triggers alerts on deviations from the baselines:
  • New and modified assets
  • New activities between assets
  • Variable changes
  • Program modifications
• Continuously improve detection with classification of new events
• Accept changes into continuous monitoring, or trigger alerts to investigate changes
• Provide feedback on anomalies to give context to security analysts
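Added example (Python, not Cisco Cyber Vision code) of how a behavioral baseline of the kind described above turns the slide-30 flight-recorder events into alerts, and how an analyst's acceptance folds a new asset and activity back into the baseline; the event shape, operation names and alert kinds are assumptions of the example.

```python
"""Baseline-deviation alerting over decoded ICS events (added example, not Cyber Vision code).

Modelled on the slide-30 flight-recorder timeline and the slide-34 baseline rules; event
shape, operation names and alert kinds are assumptions of this example."""
from dataclasses import dataclass, field

# Component addresses taken from slide 30; roles as labelled in its event list.
PLC_1, HMI, DELL = "192.168.105.150", "192.168.105.75", "192.168.105.241"

# Decoded operations that alter the controller rather than observe it (assumed names).
CONTROL_CHANGE_OPS = {"program_download", "program_upload", "stop_cpu", "start_cpu"}


@dataclass(frozen=True)
class Event:
    src: str            # source component
    dst: str            # destination component
    operation: str      # decoded protocol operation, e.g. "read_variable"
    target: str = ""    # variable name or program block, when applicable
    value: str = ""     # variable value, when applicable


@dataclass
class Baseline:
    components: set = field(default_factory=set)   # known asset addresses
    activities: set = field(default_factory=set)   # known (src, dst, operation) triples
    variables: dict = field(default_factory=dict)  # (dst, variable) -> last value seen

    def observe(self, ev: Event) -> list:
        """Deviations ev represents vs. the baseline; control/variable changes always report."""
        alerts = [("new_component", ip) for ip in (ev.src, ev.dst) if ip not in self.components]
        key = (ev.src, ev.dst, ev.operation)
        if key not in self.activities:
            alerts.append(("new_activity", key))
        if ev.operation in CONTROL_CHANGE_OPS:
            alerts.append(("control_system_change", key + (ev.target,)))
        if ev.target and ev.value:
            prev = self.variables.get((ev.dst, ev.target))
            if prev is not None and prev != ev.value:
                alerts.append(("variable_change", ev.dst, ev.target, prev, ev.value))
            self.variables[(ev.dst, ev.target)] = ev.value
        return alerts

    def accept(self, alerts: list) -> None:
        """Analyst verdict: the flagged asset/activity is legitimate, fold it into the baseline."""
        for alert in alerts:
            if alert[0] == "new_component":
                self.components.add(alert[1])
            elif alert[0] == "new_activity":
                self.activities.add(alert[1])


def replay_flight_recorder() -> dict:
    """Replay a constructed timeline resembling slide 30; return the alerts raised per step."""
    base = Baseline({PLC_1, HMI}, {(PLC_1, HMI, "read_variable")})
    timeline = {
        "dell_connects": Event(DELL, PLC_1, "connect"),
        "program_download": Event(DELL, PLC_1, "program_download", target="OB1"),
        "stop_cpu": Event(DELL, PLC_1, "stop_cpu"),
        "variable_first_seen": Event(PLC_1, HMI, "read_variable", "tank_level", "42"),
        "variable_changed": Event(PLC_1, HMI, "read_variable", "tank_level", "45"),
    }
    report = {name: base.observe(ev) for name, ev in timeline.items()}
    # The analyst confirms the Dell workstation as a legitimate engineering station...
    base.accept(report["dell_connects"])
    # ...after which the same connection no longer deviates from the baseline.
    report["dell_connects_again"] = base.observe(timeline["dell_connects"])
    return report
```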

Page 35: Cybersecurity for the Industrial Internet

Easily spot important IT security information

• Top / Rare DNS requests
• Top / Rare HTTP requests
• Top / Rare SMB usage
• Unclassified “strange” flows

Page 36: Cybersecurity for the Industrial Internet

Cyber Vision intrusion detection

• Snort subscriber rule set includes:
  • Denial of Service
  • C2 and Botnet Communication
  • Lateral Movement through Windows exploits
  • Malware traffic
  • Browser Exploit
  • PLC Exploits
• Curated for industrial environments
• Custom rule set support

Page 37: Cybersecurity for the Industrial Internet

ISA 3000 Industrial Threat Protection

Industrial Application Visibility & Control: create custom detectors with OpenAppID. Open: write your own custom application detectors using the open source application layer plugin.

Industrial IPS Preprocessors: prebuilt industrial preprocessors & application detectors for the leading open source IPS/IDS.

500+ Industrial IPS Signatures and 1000+ Windows IPS Signatures, regularly updated from Cisco's industry-leading threat intelligence team.

Page 38: Cybersecurity for the Industrial Internet

Reduce the noise of Intrusion events

The impact of an IPS event can be deduced from what Firepower knows about the target host, and Firepower recommendations can tune the IPS rule set accordingly.

IMPACT FLAG | ADMINISTRATOR ACTION                  | WHY
1           | Act immediately, Vulnerable           | Event corresponds to a vulnerability mapped to the host
2           | Investigate, Potentially Vulnerable   | Relevant port open or protocol in use, but no vulnerability mapped
3           | Good to know, Currently Not available | Relevant port not open or protocol not in use
4           | Good to know, Unknown Target          | Monitored network but unknown host
0           | Good to know, Unknown Network         | Unmonitored network
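Added example (Python, not Cisco Firepower code) that applies the impact-flag table above, top to bottom, to constructed intrusion events against a constructed host table; the host-profile fields, event fields and sample hosts are assumptions of the example.

```python
"""Impact-flag derivation for an intrusion event, following the slide-38 table.

Added example, not Cisco Firepower code; the host-profile structure, event fields
and the constructed sample data below are assumptions of this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class HostProfile:
    """What passive discovery has learned about one host."""
    open_ports: set = field(default_factory=set)       # (transport, port), e.g. ("tcp", 445)
    protocols: set = field(default_factory=set)        # application protocols seen, e.g. "smb"
    vulnerabilities: set = field(default_factory=set)  # vulnerability ids mapped to the host


@dataclass(frozen=True)
class IntrusionEvent:
    target_ip: str
    transport: str              # transport protocol of the flow that fired the rule
    port: int                   # destination port of that flow
    app_protocol: str           # application protocol the rule inspects
    vulnerabilities: frozenset  # vulnerability ids the rule is associated with

# Administrator action per impact flag, as tabulated on slide 38.
ACTION = {
    1: "Act immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to know, Currently Not available",
    4: "Good to know, Unknown Target",
    0: "Good to know, Unknown Network",
}


def impact_flag(ev: IntrusionEvent, monitored_networks: list, hosts: dict) -> int:
    """Apply the WHY column of the table top to bottom and return the flag."""
    ip = ip_address(ev.target_ip)
    if not any(ip in net for net in monitored_networks):
        return 0  # unmonitored network
    host = hosts.get(ev.target_ip)
    if host is None:
        return 4  # monitored network, but no host profile
    if ev.vulnerabilities & host.vulnerabilities:
        return 1  # event corresponds to a vulnerability mapped to the host
    if (ev.transport, ev.port) in host.open_ports or ev.app_protocol in host.protocols:
        return 2  # port open / protocol in use, but no matching vulnerability
    return 3  # port not open and protocol not in use


def triage_sample() -> dict:
    """Run constructed events against a constructed host table; return name -> (flag, action)."""
    monitored = [ip_network("192.168.105.0/24")]
    hosts = {
        # The Dell workstation of slide 30, mapped to CVE-2017-0145 as on that slide.
        "192.168.105.241": HostProfile({("tcp", 445)}, {"smb"}, {"CVE-2017-0145"}),
        # The S7-400 PLC: only S7comm on TCP/102, no mapped vulnerabilities.
        "192.168.105.150": HostProfile({("tcp", 102)}, {"s7comm"}, set()),
    }
    smb_rule = frozenset({"CVE-2017-0145"})
    events = {
        "smb_exploit_vs_dell": IntrusionEvent("192.168.105.241", "tcp", 445, "smb", smb_rule),
        "smb_exploit_vs_plc": IntrusionEvent("192.168.105.150", "tcp", 445, "smb", smb_rule),
        "s7_rule_vs_plc": IntrusionEvent("192.168.105.150", "tcp", 102, "s7comm", frozenset()),
        "smb_exploit_vs_unknown_host": IntrusionEvent("192.168.105.77", "tcp", 445, "smb", smb_rule),
        "smb_exploit_vs_other_network": IntrusionEvent("10.0.0.5", "tcp", 445, "smb", smb_rule),
    }
    out = {}
    for name, ev in events.items():
        flag = impact_flag(ev, monitored, hosts)
        out[name] = (flag, ACTION[flag])
    return out
```

The same SMB rule firing five times yields five different priorities, which is the noise reduction the slide describes.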

Page 39: Cybersecurity for the Industrial Internet

Block Malware Using AMP for Networks

Capabilities: file trajectory, behavioral IoCs, threat hunting, retrospective detection.

• Multiple methods of malware detection:
  • AV detection engines
  • One-to-one signature matching
  • Machine learning
  • Fuzzy fingerprinting
  • Sandboxing on device or cloud

Page 40: Cybersecurity for the Industrial Internet

Cyber Vision integrates with your existing security platforms

• SOC: Threat Response
• CMDB
• Firewalls: Firepower NGFW
• Access Control: ISE

Page 41: Cybersecurity for the Industrial Internet

Firepower Management + Cyber Vision

FMC: Cyber Vision integration

• Map ICS device IP to named objects (PLC, IO, Drive) in Firepower for use in access policy*
• Identify anomalous flows in Cyber Vision and kill FTD Firewall sessions
• Map ICS device identity to Hosts in Firepower for use in FMC correlation policy

Integration available with Cyber Vision 3.1.0+

* Available in November 2020

Page 42: Cybersecurity for the Industrial Internet

Identity Services Engine + Cyber Vision

ISE: Cyber Vision integration

• Enforce network access control through dynamic assignment of VLAN and dACLs, or micro-segmentation with SGT / TrustSec
• Enrich endpoint attributes in ISE with rich context from Cyber Vision
• Use custom attributes to map industrial process context like Cells and Zones for profiling endpoints

Page 43: Cybersecurity for the Industrial Internet

Stealthwatch + Cyber Vision

Stealthwatch: Cyber Vision integration

• Use host-group attributes like Cells and Zones to create alarms for inter-cell/zone traffic violations
• Enrich host-groups in Stealthwatch with rich context from Cyber Vision
• Easily identify flows mapped to industrial endpoints with host-group attributes (e.g. a Logix Controller made by Rockwell Automation in Cell-3)

Page 44: Cybersecurity for the Industrial Internet

Cisco Threat Response + ISA 3000 Firewall

CTR: Firepower integration

• Automated triage and prioritization of intrusion events through the built-in Incident Manager
• Investigate, identify and enrich Firepower intrusion events with context from integrations across security products
• Enrich all investigations with network context from Firepower devices

Integration available with FTD v6.3+

Page 45: Cybersecurity for the Industrial Internet

Investigate across IT-OT integrated security technologies

Pivot from Cyber Vision to CTR to investigate observables:

• Gather context from Umbrella, FTD, Talos, AMP, Stealthwatch, etc.
• Block/Unblock domains in Umbrella
• Block/Unblock file executables in AMP

Page 46: Cybersecurity for the Industrial Internet

IBM QRadar integration: unified IT/OT security events management in SIEM

Cyber Vision forwards ICS visibility (PLC, IO, Drive, Controller events) to QRadar over Syslog.

Page 47: Cybersecurity for the Industrial Internet

Splunk integration: unified IT/OT security events management in SIEM

Cyber Vision forwards ICS visibility (PLC, IO, Drive, Controller events) to Splunk over Syslog.

Page 48: Cybersecurity for the Industrial Internet

Meeting Stakeholder Needs: the bridge between the enterprise and the line of business

CSO: protect your business against threats with the strongest suite of industrial application-aware integrated security solutions.
OT: reduce downtime with operational insights that help track activities in your industrial process.
IT: reduce TCO by eliminating the need to invest in an ever-growing SPAN collection network.

Page 49: Cybersecurity for the Industrial Internet

Kick-start your Industrial IoT security project

Asset discovery and assessment service led by Cisco OT Security experts. The Cisco assessment service gives you a comprehensive picture of your industrial security posture so you can build your project plan.

Deliverables: industrial asset inventory, vulnerability detection, communication maps, actionable insights, detailed reports.

Page 50: Cybersecurity for the Industrial Internet

Bring Cisco scale and simplicity to IIoT security

All working together for successful Industrial IoT security deployments:

• Cisco Industrial Networks: connect anything anywhere
• Cisco Security: comprehensive IT/OT cybersecurity
• Cisco Validated Designs: state-of-the-art architecture guides
• Cisco Customer Services: human skills to enable deployments

Page 51: Cybersecurity for the Industrial Internet