CIP Security
Luis Ramos – Solution Architect – ISA/IEC 62443 Cybersecurity Expert
April 2019
PUBLIC | Copyright ©2019 Rockwell Automation, Inc. 2
What happens when someone gets into the network?
[Diagram: attacker on the network; labels: Original Connection, Direct Connect, Monitoring Data, Man-in-the-Middle (MitM)]
Compliance & Standards: Certified Products, Architectures and Solution Delivery
ISA/IEC 62443: Series of standards that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS).
Applies to those responsible for designing, manufacturing, implementing, or managing industrial control systems:
• End-users (i.e. asset owner)
• System integrators
• Security practitioners
• ICS product/systems vendors*
*Equivalence to ISO 27001 and NIST Cybersecurity Framework
Industrial Security Trends: Established Industrial Security Standards
IEC 62443: Series of Standards; Zones & Conduits; Availability, Integrity, Confidentiality
Holistic approach: A secure application depends on multiple layers of protection, and industrial security must be implemented as a system.
Defense in depth: Shield targets behind multiple levels of security countermeasures to reduce risk
Openness: Consideration for participation of a variety of vendors in our security solutions
Flexibility: Able to accommodate a customer's needs, including policies & procedures
Consistency: Solutions that align with Government directives and Standards Bodies
Secure Network Infrastructure: New validated architectures
Achieve infrastructure security through a common, validated system architecture leveraging the Stratix® portfolio and Cisco security solutions.
Design and Implementation Guides:
• Converged Plantwide Ethernet (CPwE) Design and Implementation Guide
• Segmentation Methods within the Cell/Area Zone
• Securely Traversing IACS Data Across the Industrial Demilitarized Zone
• Deploying Identity Services within a Converged Plantwide Ethernet Architecture
• Site-to-site VPN to a Converged Plantwide Ethernet Architecture
• Deploying industrial firewalls within a Converged Plantwide Ethernet Architecture
Download these and more at: http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page
[Diagram: Identity Services Engine, Adaptive Security Appliances]
Infrastructure Configuration: Security (PlantPAx® distributed control system)
Address security concerns with step-by-step procedures for configuration of infrastructure components to meet your system requirements.
PlantPAx® System Infrastructure Configuration User Manual:
Infrastructure: domain controller, Active Directory, Windows management and network configuration
• Windows group policies with recommendations (e.g. USB use policies, password complexity, time sync, etc.)
• Firewall & wireless access configurations – coming soon!
• WSUS for OS patch management – coming soon!
Application user authentication with FactoryTalk® Security software
• Prescribed role-based policies (maintenance, operator, admin, etc.)
• Area-based security models
Download the manual at: http://literature.rockwellautomation.com/idc/groups/literature/documents/um/proces-um001_-en-p.PDF
IACS Device Hardening: Holistic Plant-wide Security
Physical procedure: Restrict Industrial Automation and Control System (IACS) access to authorized personnel only
• Control panels, devices, cabling, and control room
• Locks, gates, key cards
• Video surveillance
• Other authentication devices (biometric, keypad, etc.)
• Port blocker (USB / RJ45)
• Switch the controller key to "RUN"
Electronic design: FactoryTalk® Security Application
• Authentication and Authorization
• Controller Source Protection
• Controller Data Access Control
• Trusted Slot Designation
• Encrypted Communications
Studio 5000® Logix Designer: Content Protection History
[Timeline: Version 8, Version 20, Version 30; Password Source Protection; License Source and Execution]
Secure with Permission Set / Restrict Slot (all FactoryTalk Security-enabled software)
Match Project to Controller: Eliminates inadvertent download (all FactoryTalk Security-enabled software)
Secure Tags: Restrict tag write access by user, group or permission set (all FactoryTalk Security-enabled software)
CIP Security Properties
The secure EtherNet/IP transport provides the following security attributes:
Authentication of the endpoints
• Ensures that the target and originator are both trusted entities.
• Endpoint authentication is accomplished using X.509 certificates or pre-shared keys
Data Integrity and Authentication
• Ensures that the message was sent by the trusted endpoint and was not modified in transit
• Message integrity and authentication are accomplished via the TLS message authentication code (HMAC)
Data Confidentiality
• Optional capability to encrypt the communications, provided by the encryption algorithm that is negotiated via the TLS handshake
CIP Security™ Protocol Overview: Secure communications with EtherNet/IP™ network protocol
• Authentication – Helps prevent unauthorized devices from establishing connections
• Integrity – Helps prevent tampering or modification of communications
• Confidentiality – Helps prevent snooping or disclosure of data
Notable features:
• System management: Easily create and deploy security policies to many devices, all at once
• Micro-segmentation: Segment your automation application into smaller cells/zones
• Device-based firewall: Enable/disable available ports/protocols of devices (e.g. HTTP/HTTPS)
Initial Key Products: FactoryTalk® Linx software, 5580 Controllers, 1756-EN4TR communication module, and Kinetix® 5700 and PowerFlex® 755T drives
Legacy Systems Support:
• Whitelisting – authorize specific communications based on IP address
• Retrofit 1756-based systems with the new 1756-EN4TR
[Diagram, System Components: Security Admin; FactoryTalk® Policy Manager; FactoryTalk® System Services; PC communications with EtherNet/IP™ network protocol (FactoryTalk® Linx); device communications with EtherNet/IP™ network protocol (CIP Security™ protocol enabled)]
1756-EN4TR EtherNet/IP™ Communication Module
• CIP Security™ protocol
• 10M / 100M / 1 Gigabit speeds
• Integrated Motion: 256 position loops
• SD Card for firmware, configuration and fault logs
• Explicit Protected Mode: prevents unauthorized changes to configuration
• Device Level Ring (DLR)
• Higher performance and capacity than 1756-EN2TR
• Future: Redundant Adapter; Parallel Redundancy Protocol (PRP); ControlLogix Redundancy
1756-EN4TR Functionality Release Targets (initial release), 1756-EN2TR compared with 1756-EN4TR:
• CIP Security™ Protocol: 1756-EN2TR -, 1756-EN4TR supported
• 1 GB: 1756-EN2TR -, 1756-EN4TR supported
• Device Level Ring (DLR)
• SIL 2 Application: SIL 2 with 1756-5580ES Controller
• SIL 3 Fail Safe with GuardLogix® controller
• Conformal Coated version available (K)
• Extreme Temperature version available (XT)
• Explicit Protected Mode: FW 11.001 and above
1756-EN4TR Performance and Capacity

| | 1756-EN2TR | 1756-EN4TR |
|---|---|---|
| TCP Connections | 128 | 512 |
| CIP™ Connections | 256 | See below: Class 1 = 1,000; Class 3 = 528 |
| Class 1 CIP™ Connections | See above: 256 for all CIP™ Protocol | 1,000 |
| Class 3 CIP™ Connections | See above: 256 for all CIP™ Protocol | 528 |
| PPS w/o CIP Security™ Protocol (class 1) | 25,000 | 50,000 |
| PPS w/ Integrity only (class 1) | N/A | 25,000 |
| PPS w/ Integrity and Confidentiality (class 1) | N/A | 15,000 |
| PPS w/o CIP Security™ Protocol (class 3) | 2,000 | 3,700 |
| PPS w/ Integrity only (class 3) | N/A | 2,700 |
| PPS w/ Integrity and Confidentiality (class 3) | N/A | 1,700 |
| Integrated Motion Axes | 8 (128 for 1756-EN3TR) | 256 |
CIP Security™ Protocol Overview: Secure communications with EtherNet/IP™ network protocol
• Identity, authentication – Helps prevent unauthorized devices from establishing connections
• Integrity – Helps prevent tampering or modification of communications
• Confidentiality – Helps prevent snooping or disclosure of data
Initial products, CIP™ securable products: FactoryTalk® Linx, 5580, PowerFlex® 755T, Kinetix® 5700, 1756-EN4TR
[Diagram: each product holding a certificate]
[Diagram: FactoryTalk® Linx communicating with a 1756-EN4TR without CIP Security; an attacker performing MitM is able to send commands to the controller]
Integrity: HMAC keyed-hash message authentication code
An HMAC is attached to every message as a means to validate integrity and authenticity.
The message is first "hashed" to provide integrity. A hash is a mathematical function that maps a message of arbitrary size to a message of fixed size (like a checksum or CRC):
• It is easy to compute the hash value for any given message
• It is infeasible to generate a message from its hash (i.e., one way)
• It is infeasible to modify a message without changing the hash
• It is infeasible to find two different messages with the same hash
A secret key is also added to the message before it is "hashed" to provide authenticity: you can't validate the message unless you know the secret.
HMAC is fast and efficient with only a minor performance impact.
[Diagram: attacker-inserted message; device rejects message]
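As an added illustration (not code from the original presentation or from Rockwell) of the HMAC check above, the Python below shows a target accepting a genuine message and rejecting both a tampered one and one forged under a guessed key, while the integrity-only payload stays readable on the wire; the message layout, service code, tag name and shared key are all constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# Constructed example of the HMAC message authentication this page describes.
# Message layout and key are illustrative, not the EtherNet/IP frame format or
# CIP Security's TLS/DTLS record layer.
SHARED_KEY = b"constructed-pre-shared-key"  # assumption: provisioned to both endpoints out of band
TAG_LEN = hashlib.sha256().digest_size      # 32-byte HMAC-SHA256 tag

def build_message(service: int, tag_name: str, value: int) -> bytes:
    """Serialize a simplified 'write tag' request (constructed layout)."""
    name = tag_name.encode()
    return struct.pack("!BH", service, len(name)) + name + struct.pack("!i", value)

def protect(message: bytes, key: bytes) -> bytes:
    """Originator: append an HMAC computed over the whole message."""
    return message + hmac.new(key, message, hashlib.sha256).digest()

def verify(frame: bytes, key: bytes) -> Optional[bytes]:
    """Target: return the message only if its tag verifies under the shared key."""
    if len(frame) <= TAG_LEN:
        return None
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # constant-time comparison so the check does not leak the tag through timing
    return message if hmac.compare_digest(tag, expected) else None

def tamper(frame: bytes, new_value: int) -> bytes:
    """On-path attacker rewrites the value field but cannot recompute the tag."""
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return message[:-4] + struct.pack("!i", new_value) + tag

def demo() -> Dict[str, bool]:
    genuine = protect(build_message(0x4D, "SetpointRPM", 1500), SHARED_KEY)
    forged = protect(build_message(0x4D, "SetpointRPM", 9000), b"guessed-key")
    return {
        "genuine accepted": verify(genuine, SHARED_KEY) is not None,
        "tampered rejected": verify(tamper(genuine, 9000), SHARED_KEY) is None,
        "forged rejected": verify(forged, SHARED_KEY) is None,
        # integrity only: the payload is still readable on the wire (no confidentiality)
        "payload visible": b"SetpointRPM" in genuine,
    }
```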
Now the hacker is not able to modify data; however, they can still view it.
[Diagram: FactoryTalk® Linx to 1756-EN4TR with integrity enabled]
Data Confidentiality
Encryption can be used as a means of encoding messages or information to help prevent reading or viewing of EtherNet/IP™ data by unauthorized parties (eavesdropping on the wire).
• The encryption method is negotiated as part of the TLS/DTLS "handshake" process
• It is optional: not all ICS traffic contains "secrets" that need to be safeguarded (data integrity and authenticity is typically the goal)
• The added encryption will impact data throughput performance
Zone and Conduit Models
Zone: A security zone is a logical grouping of physical, informational, and application assets sharing common security requirements.
Conduit: A logical grouping of communication channels, connecting two or more zones, that share common security requirements.
Configuration
FactoryTalk® Policy Manager: Modeling tool. Concepts: Devices, Zones, Conduits
FactoryTalk® System Services: Policy Authority (Integrity, Encryption), Certificate Authority, Identity (Trust), Deployment, etc.
[Diagram label: Identity & Policy]
Deployed Model
[Diagram: Zone 1 with a Trusted Device; legend: Integrity, Encrypted, Whitelist, Certificate]
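An added illustrative model in Python (not FactoryTalk Policy Manager's own data model or code) of the zone, conduit and whitelist concepts above and of the Phase II whitelisting use case later in the deck: devices sharing a zone use the zone's policy, cross-zone traffic is allowed only through a modelled conduit, and a legacy endpoint that cannot do CIP Security falls back to an IP whitelist. Device names, IPs and policies are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple
# Constructed zone/conduit model illustrating the concepts on this page;
# it is not FactoryTalk Policy Manager's data model or behaviour.

@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    zone: str
    securable: bool  # False for legacy devices that rely on IP whitelisting

@dataclass(frozen=True)
class Policy:
    integrity: bool = True
    encryption: bool = False  # confidentiality is optional and costs throughput

@dataclass
class Model:
    zones: Dict[str, Policy]
    conduits: Dict[FrozenSet[str], Policy] = field(default_factory=dict)
    whitelist: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # target name -> allowed source IPs

    def evaluate(self, src: Device, dst: Device) -> Tuple[bool, str]:
        """Decide whether src may talk to dst and under which protection."""
        if src.zone == dst.zone and src.zone in self.zones:
            policy, scope = self.zones[src.zone], f"zone {src.zone}"
        else:  # cross-zone traffic must pass through a modelled conduit
            policy = self.conduits.get(frozenset((src.zone, dst.zone)))
            if policy is None:
                return False, f"no conduit between {src.zone} and {dst.zone}"
            scope = f"conduit {src.zone}<->{dst.zone}"
        if src.securable and dst.securable:
            mode = ("integrity+confidentiality" if policy.encryption
                    else "integrity only" if policy.integrity else "unprotected")
            return True, f"{scope}: CIP Security {mode}"
        ok = src.ip in self.whitelist.get(dst.name, frozenset())  # legacy endpoint: IP whitelist only
        return ok, f"{scope}: legacy endpoint, whitelist {'match' if ok else 'miss'} for {src.ip}"

def demo() -> Dict[str, Tuple[bool, str]]:
    m = Model(zones={"Zone 1": Policy(), "Zone 2": Policy(encryption=True)},
              conduits={frozenset(("Zone 1", "Zone 2")): Policy()})
    linx = Device("FactoryTalk Linx PC", "10.0.1.10", "Zone 1", True)
    en4tr = Device("1756-EN4TR", "10.0.2.20", "Zone 2", True)
    drive = Device("PowerFlex 755T", "10.0.2.21", "Zone 2", True)
    legacy = Device("1756-EN2TR", "10.0.2.30", "Zone 2", False)
    rogue = Device("rogue laptop", "10.0.9.99", "Unmanaged", True)
    m.whitelist[legacy.name] = frozenset({linx.ip})  # Phase II: whitelist until retrofitted
    return {"linx->en4tr": m.evaluate(linx, en4tr), "en4tr->drive": m.evaluate(en4tr, drive),
            "linx->legacy": m.evaluate(linx, legacy), "rogue->en4tr": m.evaluate(rogue, en4tr)}
```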
Sample Deployment
[Diagram: FactoryTalk® View, Studio 5000®, FactoryTalk® Policy Manager, FactoryTalk® System Services]
Sample Deployment
[Diagram: Zone 1 and Zone 2; Zone PCs (FactoryTalk® View, Studio 5000®); Conduit 1; Conduit 2]
FactoryTalk® Policy Manager: Adding Devices
FactoryTalk® Policy Manager: Zone Configuration
Use Case Scenario (Phase I)
Secure configuration to the controller: Computers to Controller. Secure the inbound connection via 1756-EN4TR or the 5580 itself.
[Diagram: FactoryTalk® View, Studio 5000®]
Use Case Scenario (Phase II)
Extend the model: Whitelist devices as appropriate. Remove devices from the whitelist as they become CIP™ Securable.
[Diagram: FactoryTalk® View, Studio 5000®]
Industrial Control System Security
Luis Ramos – Solution Architect – ISA/IEC 62443 Cybersecurity Expert
April 2019