Learn how you can reduce risk and enhance protection of your industrial control system against security threats. Discussion and demonstration will focus on practical recommendations for installing, commissioning and improving the security of Integrated Architecture including new capabilities in Logix controllers and how to use FactoryTalk Security to control user access to key assets and information.
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
PUBLIC INFORMATION
Integrated Architecture® Tools for Securing your Control System
Cyber Security in the News
Security Threat Vectors
• Unintended employee actions
• Unauthorized actions by employees
• Unauthorized access
• Unauthorized remote access
• Denial of Service
• Worms and viruses
• Theft
• Sabotage
• Application of patches
• Natural or man-made disasters
Security Comes from Defense-in-Depth
Connected Enterprise
Information Technology (IT) influence is increasing in automation buying decisions: machine data is expected to grow by a factor of >15, spending is shifting from CapEx to flexible & scalable OpEx, and the workforce is mobile during the typical work day.
• Cloud & Virtualization – Enables IT functionality off-premise for improved reliability, support, and disaster recovery
• Mobility & BYOD – Access to actionable information at your fingertips anytime, anywhere, regardless of device
• Big Data & Analytics – Unlock latent value by contextualizing and analyzing data "hidden" in devices throughout the plant
Tools for a Secure Network: Converged Plant-wide Ethernet (CPwE) Reference Architectures
The CPwE reference architecture diagram is organized by level, with the security controls shown at each:
• Enterprise Zone (Levels 4-5) – Enterprise WAN and business systems
• Industrial Demilitarized Zone (IDMZ) – Cisco ASA 5500 firewalls in an active/standby pair, following standard DMZ design best practices; physical or virtualized servers for Patch Management, Remote Gateway Services, Application Mirror and AV Server; plant firewall functions: inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and terminal server proxy; Unified Threat Management (UTM)
• Level 3 – Site Operations – Catalyst 6500/4500 and Catalyst 3750 StackWise switch stack; AAA – Application (authentication server, Active Directory (AD), Remote Access Server); AAA – Network; network status and monitoring; client hardening
• Level 2 – Area Supervisory Control – HMI and FactoryTalk clients; VLANs, segmenting domains of trust
• Level 1 – Controller and Level 0 – Process – controllers, I/O, drives, soft starters, MCC; controller hardening, physical security, encrypted communications
• Throughout – network device resiliency, network infrastructure access control and hardening, physical port security
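The "physical port security" and "network infrastructure access control and hardening" items on the diagram are checkable against a switch's running configuration. The script below is an added example written for this page, not Rockwell or Cisco tooling: it parses IOS-style configuration text (the Stratix switches discussed later store configuration and IOS on a removable card) and reports live access ports that lack port security, BPDU guard, or a non-default access VLAN. The configuration snippet is constructed, and the set of required controls is an assumption to be replaced by your own hardening standard.

```python
"""Access-port hardening audit for an IOS-style running-config.

Added example, not Rockwell or Cisco code. The config text is constructed;
the required-control list is an assumption taken from common edge-port
hardening practice, not from the slides.
"""
import re

SAMPLE_CONFIG = """\
interface FastEthernet1/1
 description HMI_Line1
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/2
 description Contractor_Drop
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet1/3
 shutdown
!
interface GigabitEthernet1/1
 description Uplink_to_Distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
"""

# Controls every live access port must carry (assumed policy).
REQUIRED_ON_ACCESS = (
    "switchport port-security",        # pin the port to its learned MAC address(es)
    "spanning-tree bpduguard enable",   # error-disable the port if a switch is plugged in
)


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS config into {interface name: [its indented config lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        elif line.strip() == "!":
            current = None
    return blocks


def audit_ports(config: str) -> dict[str, list[str]]:
    """Return {interface: [missing controls]} for every enabled access port."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue                      # unused port, correctly disabled
        if "switchport mode access" not in lines:
            continue                      # trunks/uplinks are judged by other rules
        missing = [ctl for ctl in REQUIRED_ON_ACCESS if ctl not in lines]
        if "switchport access vlan 1" in lines or not any(
            l.startswith("switchport access vlan") for l in lines
        ):
            missing.append("access VLAN left at default (VLAN 1)")
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for intf, missing in audit_ports(SAMPLE_CONFIG).items():
        print(f"{intf}: {', '.join(missing)}")
```

Run it against `show running-config` output saved to a file; the only port it should report in the constructed sample is the contractor drop, which is up and on a production VLAN but has neither port security nor BPDU guard.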
Tools for a Secure Network: Network Segmentation
The slide contrasts ways of joining the Enterprise-wide Network and the Plant-wide Network.
Not Recommended: the two networks joined directly, or separated only by VLANs on a shared switch.
Recommended, from Good to Best:
• Good – Router (zone-based firewall) between the plant-wide and enterprise-wide networks
• Better – Dedicated firewall between the plant-wide and enterprise-wide networks
• Best – IDMZ between the plant-wide and enterprise-wide networks, with sessions terminating on servers in the IDMZ rather than crossing from one zone to the other
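The IDMZ rule behind the Best option can be checked mechanically against the flows a plant firewall permits. The following is an added example written for this page, not Rockwell code or a CPwE tool. Its host inventory, zone labels, broker roles and flow list are constructed, and the third rule (EtherNet/IP on TCP/UDP 44818 and UDP 2222 stays inside the Industrial Zone) is a policy assumption rather than something the slide states.

```python
"""IDMZ traffic-flow checker.

Added example, not Rockwell code. Encodes the IDMZ design rule from the
segmentation slide: the Enterprise Zone (Levels 4-5) and the Industrial
Zone (Levels 0-3) never talk directly; every cross-zone session ends on
an approved broker in the IDMZ (remote gateway, application mirror,
patch/AV server, terminal-server proxy). Hosts, flows and the
"EtherNet/IP stays inside the Industrial Zone" rule are constructed.
"""
from dataclasses import dataclass

ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"
ENIP_PORTS = {44818, 2222}   # EtherNet/IP explicit messaging and implicit I/O

# Constructed inventory: host -> (zone, approved IDMZ broker?)
HOSTS = {
    "erp-app":       (ENTERPRISE, False),
    "corp-laptop":   (ENTERPRISE, False),
    "rdp-gateway":   (IDMZ, True),       # Remote Gateway Services
    "wsus-mirror":   (IDMZ, True),       # Patch Management
    "jump-host-bad": (IDMZ, False),      # ad-hoc box, never approved as a broker
    "ftsec-server":  (INDUSTRIAL, False),
    "plc-line1":     (INDUSTRIAL, False),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


def check_flow(flow: Flow, hosts=HOSTS) -> list[str]:
    """Return the policy violations for one permitted flow (empty list means OK)."""
    src_zone, src_broker = hosts[flow.src]
    dst_zone, dst_broker = hosts[flow.dst]
    problems = []
    # Rule 1: no direct Enterprise <-> Industrial traffic in either direction.
    if {src_zone, dst_zone} == {ENTERPRISE, INDUSTRIAL}:
        problems.append(f"{flow.src}->{flow.dst}:{flow.port} crosses the IDMZ directly")
    # Rule 2: a session that crosses an IDMZ boundary must end on an approved broker.
    if src_zone != dst_zone and IDMZ in (src_zone, dst_zone):
        broker = dst_broker if dst_zone == IDMZ else src_broker
        if not broker:
            problems.append(f"{flow.src}->{flow.dst}:{flow.port} terminates on a non-broker IDMZ host")
    # Rule 3 (assumed policy): industrial protocols never leave the Industrial Zone.
    if flow.port in ENIP_PORTS and not (src_zone == dst_zone == INDUSTRIAL):
        problems.append(f"{flow.src}->{flow.dst}:{flow.port} carries EtherNet/IP outside the Industrial Zone")
    return problems


def audit(flows, hosts=HOSTS) -> dict[Flow, list[str]]:
    """Map each failing flow to its violations; compliant flows are omitted."""
    result = {}
    for flow in flows:
        problems = check_flow(flow, hosts)
        if problems:
            result[flow] = problems
    return result


# Constructed permit list, as it might be exported from the plant firewall.
SAMPLE_FLOWS = [
    Flow("corp-laptop", "rdp-gateway", 3389),    # OK: enterprise user -> IDMZ broker
    Flow("rdp-gateway", "ftsec-server", 3389),   # OK: broker -> site operations
    Flow("corp-laptop", "plc-line1", 44818),     # BAD: direct CIP from the enterprise
    Flow("jump-host-bad", "plc-line1", 22),      # BAD: unapproved IDMZ host inbound
    Flow("plc-line1", "wsus-mirror", 44818),     # BAD: EtherNet/IP leaving the plant
    Flow("wsus-mirror", "ftsec-server", 8530),   # OK: patch mirror -> site server
]

if __name__ == "__main__":
    for flow, problems in audit(SAMPLE_FLOWS).items():
        print(flow, *problems, sep="\n  ")
```

Feeding a real permit list through `audit` is a quick way to confirm that a "Best" design on paper has not acquired the direct enterprise-to-controller rule that turns it back into the "Not Recommended" picture.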
Tools for a Secure Network: Network and Security Services
Lifecycle: Assess, Design, Implement, Validate, Manage
Tools for a Secure Network: The Stratix™ Portfolio
Addressing the needs of Automation & Operations and IT.
Technology that offers:
• Layer 2 and Layer 3 switching for simple to complex network applications
• Advanced security services
• Plant-floor and Enterprise integration
Products that offer:
• Advanced switching, routing & security features
• Common tools for Controls & IT
• Improved maintainability
Tools for a Secure Network: The Stratix Portfolio
Designed & developed for Industrial EtherNet/IP applications.
Optimize network performance
• QoS (Quality of Service) – default configurations are set to ODVA standards for EtherNet/IP industrial applications covering discrete, motion, safety and process applications
• IEEE 1588 (CIP Sync) – ODVA implementation of the IEEE 1588 precision time protocol; ensures performance when connecting EtherNet/IP devices
Simplify design, deployment and maintainability
• DHCP per port – assign a specific IP address to each port, ensuring that the device attached to a given port always gets the same IP address
• Broken Wire Detection – detect cabling problems such as open, broken, cut or shorted twisted-pair wires, with status available in Logix
• Network Address Translation (NAT) – a 1:1 IP address translation that helps segment machine-level network devices from the plant network; translate only the devices that need to be visible to the plant network
NAT limits which machine-level addresses are exposed and avoids overlapping machine subnets, but on its own it is not an access control: the ACLs and firewall policy described above still decide who may reach the translated devices.
Tools for a Secure Network: Stratix 5100™ Wireless Access Point
The Stratix 5100 enables IP-based communications, like EtherNet/IP, over wireless media using the 802.11a/b/g/n wireless standards. Additional features include:
• 3x4 MIMO (multiple-input multiple-output) technology with 3 spatial streams
• Dual-band 2.4 GHz / 5 GHz radios
• Default configuration for QoS on EtherNet/IP
• Enterprise-class silicon and optimized radios deliver a robust mobility experience
Security:
• 802.11i, Wi-Fi Protected Access 2 (WPA2), WPA
• 802.1X
• Advanced Encryption Standard (AES), Temporal Key Integrity Protocol (TKIP)
Of these, configure WPA2 with AES (802.11i) and 802.1X authentication; WPA and TKIP are legacy options kept for older clients and should not be enabled on a new deployment.
See the Wireless Design Guide for Industrial Wireless Applications.
Tools for a Secure Network: Stratix 5900™ Layer 2 & Layer 3 Services Router
Premiere routing and security services for Layer 2 or Layer 3:
• Router + Firewall
• Virtual Private Network (VPN)
• Network Address Translation (NAT)
• Access Control Lists (ACL)
• Intrusion Prevention System (IPS)
Connections: 1 Gigabit WAN, 4 Fast Ethernet
Industrially hardened, DIN rail mountable. Ideal for site-to-site connections, Cell/Area Zone firewall & OEM integration.
Tools for a Secure Network: Stratix 5900 Layer 2 & Layer 3 Services Router
The deployment diagram shows the Stratix 5900 in three roles within the CPwE zone model:
1) Site-to-site connection – linking Remote Site #1 and its Local Cell/Area Zone #1 to the plant-wide / site-wide operation systems
2) Cell/Area Zone firewall – in front of the Levels 0-2 Cell/Area Zones
3) OEM integration – in front of Local OEM Skid / Machine #1
Zone model shown: Enterprise Zone (Levels 4 & 5, data center, enterprise-wide business systems); Level 3.5 – IDMZ; Industrial Zone Level 3 – Site Operations with physical or virtualized servers (FactoryTalk Application Servers & Services Platform; network services, e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; storage array); Levels 0-2 Cell/Area Zones.
Tools for a Secure Network: Stratix 8000™ & Stratix 8300™ Layer 2 & Layer 3 Modular Managed
• Configurable up to 26 ports: base unit of 6 or 10 ports plus copper, fiber, SFP & PoE expansion modules
• Data ports 10/100 copper; dual-purpose uplink ports 10/100/1000 copper or SFP
• SFP fiber transceivers, 100M and 1G, multimode and singlemode; wide variety of SFPs available
• Power over Ethernet (PoE): PoE & PoE+ port configurable
• CompactFlash card stores configuration and IOS for easy device replacement
• Advanced feature set to address EtherNet/IP applications, security, resiliency & redundancy
• Operating temp: -40ºC to 60ºC
A removable card that holds the running configuration also holds whatever credentials and ACLs that configuration contains, so it needs the same physical protection as the switch itself.
Tools for a Secure Network: Stratix 5700™ Family Layer 2 Managed Fixed Port
• 3 base platforms offering 20 configurations: 6, 10 & 20 port base units, 2 Gig port option, combo ports that can be either copper or SFP
• SFP slots support multi & single mode fiber; wide variety of SFPs available
• SecureDigital (SD) flash card (optional) stores the configuration and IOS of the switch and serves as a backup for device replacement
• Two software packages: Lite & Full versions
• Advanced feature set: same feature set as the Stratix 8000, integrated NAT functionality, simple static routing
• Power over Ethernet (PoE): PoE & PoE+ port configurable
Stratix 5700 Demo
Tools for a Secure Application: FactoryTalk® AssetCentre Auditing
Centrally collect records of all interactions with the control system.
Tools for a Secure Application: Controller Change Detection
• Every Logix PAC™ exposes a Change Detection Audit Value
• When something happens that can impact the behavior of the controller, the value changes
• The Audit Value is available in RSLogix™ 5000 and Studio 5000 Logix Designer™, in other software applications, and in other controllers via a message instruction
• The set of events that causes the Audit Value to change can be configured
Because the event set is configurable, that configuration is itself a security setting: a narrowed set hides changes from the monitor, so restrict who may edit it and record it alongside the Audit Value.
• The Audit Value is stored in every Controller Log entry
• FactoryTalk® AssetCentre (in version 4.1) can monitor the Audit Value and read in the Controller Log
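What a monitor does with the Audit Value once it has been read is the interesting part: every transition is a controller change, and the only question is whether it was expected. The script below is an added example written for this page, not Rockwell or AssetCentre code. It works on a polled history of (timestamp, Audit Value) pairs and a list of approved change windows; the readings, values and windows are constructed, and reading the value from a live controller (by AssetCentre, a MSG instruction, or any other poller) is outside the example.

```python
"""Alerting on Logix Audit Value transitions.

Added example, not Rockwell or FactoryTalk AssetCentre code. The polling
history, the 64-bit values and the maintenance window are constructed.
"""
from datetime import datetime, timedelta


def transitions(readings):
    """Yield (timestamp, old_value, new_value) for each change between successive reads."""
    prev = None
    for ts, value in readings:
        if prev is not None and value != prev:
            yield ts, prev, value
        prev = value


def classify(readings, windows):
    """Split Audit Value transitions into (expected, alerts).

    A transition is expected only if its timestamp falls inside an approved
    change window; every other transition is an alert for investigation.
    """
    expected, alerts = [], []
    for ts, old, new in transitions(readings):
        if any(start <= ts <= end for start, end in windows):
            expected.append((ts, old, new))
        else:
            alerts.append((ts, old, new))
    return expected, alerts


def format_alert(ts, old, new):
    """One-line message suitable for an AssetCentre event log or a SIEM."""
    return (f"{ts:%Y-%m-%d %H:%M} audit value changed {old:#018x} -> {new:#018x} "
            f"outside any approved window")


# Constructed hourly polling history for one controller, plus one approved
# window (09:30-10:30) for a scheduled program edit.
T0 = datetime(2014, 6, 2, 8, 0)
H = timedelta(hours=1)
READINGS = [
    (T0,          0x1A2B3C4D5E6F7081),
    (T0 + 1 * H,  0x1A2B3C4D5E6F7081),
    (T0 + 2 * H,  0x9F8E7D6C5B4A3928),   # edit inside the approved window
    (T0 + 3 * H,  0x9F8E7D6C5B4A3928),
    (T0 + 19 * H, 0x0123456789ABCDEF),   # 03:00 next morning, nothing scheduled
]
WINDOWS = [(T0 + 1.5 * H, T0 + 2.5 * H)]

if __name__ == "__main__":
    expected, alerts = classify(READINGS, WINDOWS)
    print(f"{len(expected)} expected change(s), {len(alerts)} alert(s)")
    for alert in alerts:
        print(format_alert(*alert))
```

Polling interval bounds how precisely a change can be placed in time: with hourly reads, a change is only known to have happened somewhere in the preceding hour, so windows should be padded by at least one interval on each side or the poll rate raised around scheduled work.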
Change Detection Demo
Tools for a Secure Application: Data Access Control
• External Access attribute – Read/Write, Read Only, or None: controls which tags can be modified from an HMI or other external application
• Constant attribute: controls which tags can be modified by controller logic; changes to Constants bump the Audit Value
• FactoryTalk Security can control permission to change Constants
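Both attributes travel with the project, so they can be audited offline against a site policy instead of being reviewed tag by tag in the editor. The script below is an added example written for this page, not Rockwell code: it reads the `ExternalAccess` and `Constant` attributes that a Logix Designer L5X export places on each `<Tag>` element and flags tags that are more exposed than policy allows. The L5X snippet is a constructed, trimmed document (not a real export), and the policy table is an assumption a site would replace with its own.

```python
"""Audit tag exposure in a Logix Designer L5X export.

Added example, not Rockwell code. SAMPLE_L5X is a constructed, trimmed
document carrying only the attributes this check needs; POLICY is an
assumed site rule set.
"""
import xml.etree.ElementTree as ET

SAMPLE_L5X = """\
<RSLogix5000Content SchemaRevision="1.0" TargetType="Controller">
  <Controller Name="Line1">
    <Tags>
      <Tag Name="Motor1_Cmd" TagType="Base" DataType="BOOL" ExternalAccess="Read/Write" Constant="false"/>
      <Tag Name="Motor1_Status" TagType="Base" DataType="BOOL" ExternalAccess="Read/Write" Constant="false"/>
      <Tag Name="Pressure_HiHi_SP" TagType="Base" DataType="REAL" ExternalAccess="Read/Write" Constant="false"/>
      <Tag Name="Safety_Bypass" TagType="Base" DataType="BOOL" ExternalAccess="None" Constant="true"/>
      <Tag Name="Batch_Recipe_ID" TagType="Base" DataType="DINT" ExternalAccess="Read Only" Constant="false"/>
    </Tags>
  </Controller>
</RSLogix5000Content>
"""

# Assumed site policy: feedback tags are never written from outside the
# controller; safety limits are Constants so only a controlled edit (which
# bumps the Audit Value) can change them.
POLICY = {
    "Motor1_Status":    {"external": "Read Only"},
    "Pressure_HiHi_SP": {"external": "Read Only", "constant": True},
    "Safety_Bypass":    {"external": "None", "constant": True},
}

ACCESS_RANK = {"None": 0, "Read Only": 1, "Read/Write": 2}


def load_tags(l5x: str) -> dict[str, dict]:
    """Return {tag name: {'external': ..., 'constant': bool}} for every <Tag>."""
    root = ET.fromstring(l5x)
    tags = {}
    for tag in root.iter("Tag"):
        tags[tag.get("Name")] = {
            # Read/Write is the editor's default when the attribute is absent.
            "external": tag.get("ExternalAccess", "Read/Write"),
            "constant": tag.get("Constant", "false").lower() == "true",
        }
    return tags


def audit_tags(l5x: str, policy=POLICY) -> dict[str, list[str]]:
    """Return {tag name: [problems]} for tags that are looser than policy."""
    findings = {}
    tags = load_tags(l5x)
    for name, rule in policy.items():
        if name not in tags:
            findings[name] = ["tag named in policy is missing from the project"]
            continue
        actual = tags[name]
        problems = []
        if ACCESS_RANK[actual["external"]] > ACCESS_RANK[rule["external"]]:
            problems.append(f"ExternalAccess is {actual['external']}, policy allows {rule['external']}")
        if rule.get("constant") and not actual["constant"]:
            problems.append("Constant not set; controller logic can overwrite it at run time")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_tags(SAMPLE_L5X).items():
        print(name, *problems, sep="\n  ")
```

Running this on every exported project before download makes the two attributes an enforced standard rather than a per-tag habit; pair it with the FactoryTalk Security permission on changing Constants so that the export you audit is the one that reaches the controller.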
Data Access Control Demo
Tools for a Secure Application: FactoryTalk Security
Use FactoryTalk Security to manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation software applications to access automation devices.
How does it work? The FactoryTalk Directory provides a centralized authority that verifies the identity of each user and grants or denies the user's requests to perform a particular set of actions on resources within the system (for all FactoryTalk Security enabled software):
• Authenticate the user
• Authorize use of applications
• Authorize access to specific devices
Tools for a Secure Application: FactoryTalk Security
Administrators can manage:
• User accounts – Windows or FactoryTalk
• User groups – custom group or role, or Windows group
• Computers and computer groups
• System policies
• Product policies
• Product actions
Tools for a Secure Application: FactoryTalk Security – Security Authority Binding
The slide shows two PCs, each running FactoryTalk Services with its own Security Authority and Security Administration, connected over EtherNet/IP. A Logix 5000 project carries the ID of the Security Authority it was secured with (ID = 795D5EF-12...). On PC #1, whose Security Authority has the same ID, the IDs match and the project can be used; on PC #2, whose Security Authority has ID = A73R5CG-89..., the IDs don't match and access is refused.
FactoryTalk Security Demo
Putting it Together: Secure Remote Access – Good, Better, Best
Scenario/Recognizing an Issue: An employee, or 3rd party, needs access to the control system from a network outside the production zone to assist in troubleshooting and maintenance.
Risk/Threat: unauthorized remote access, worms and viruses, theft, sabotage. Cost: $$$, unplanned downtime, quality issues and brand image.
Good Solution: Stratix 5900
Better Solution: Good solution + expanded technical enforcement of the security perimeter using FactoryTalk Security
Best Solution: Better solution + expanded technical enforcement of the security perimeter through the implementation of Remote Access Gateways within an Industrial DMZ
Putting it Together: Unintended Action Protection – Good, Better, Best
Scenario/Recognizing an Issue: A contractor connecting to the plant network to make a change or integrate a new line causes downtime by introducing a virus or making unintentional configuration changes.
Risk/Threat: unintended employee actions, unauthorized actions by employees. Cost: lost $$$, damage to product or assets.
Good Solution: Detect unauthorized changes with the change detection Audit Value; use managed switches to segment the architecture with VLANs; scan contractor devices
Better Solution: Good solution + enforce VLAN access with Access Control Lists
Best Solution: Better solution + limit access with FactoryTalk Security with Security Authority Binding enabled
Industrial Security Resources
Security-enhanced Products and Technologies – Rockwell Automation products and technologies with security capabilities that help increase overall control system-level security. http://www.rockwellautomation.com/security
EtherNet/IP Plantwide Reference Architectures – Control system validated designs and security best practices that complement recommended layered security/defense-in-depth measures. http://www.ab.com/networks/architectures.html
Network & Security Services (NSS) – RA consulting specialists that conduct security risk assessments and make recommendations for how to avert risk and mitigate vulnerabilities. http://www.rockwellautomation.com/services/security
Industrial Security Landing Pad
http://rockwellautomation.com/security
Links on the landing page: Assessment Services, Security Technology, Security FAQ, Security Resources, Reference Architectures, Security Services, Leadership & Standards, MS Patch Qualification, Security Advisory Index, and the [email protected] Pretty Good Privacy (PGP) public key.
We care what you think!
Please take a couple of minutes to complete a quick session survey to tell us how we're doing. On the mobile app:
1. Locate the session using Schedule or Agenda Builder
2. Click on the thumbs up icon in the lower right corner of the session detail
3. Complete the survey
4. Click the Submit Form button
Thank you!!
www.rsteched.com
Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.
Questions?