Integrated Architecture® Tools for Securing your Control System

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. PUBLIC INFORMATION


DESCRIPTION

Learn how you can reduce risk and enhance protection of your industrial control system against security threats. Discussion and demonstration will focus on practical recommendations for installing, commissioning and improving the security of Integrated Architecture, including new capabilities in Logix controllers and how to use FactoryTalk Security to control user access to key assets and information.


Page 1: Integrated Architecture Tools for Securing your Control System


Pages 2-4: Integrated Architecture Tools for Securing your Control System

Cyber Security in the News (three slides of news headlines; the images are not reproduced here)

Page 5: Integrated Architecture Tools for Securing your Control System

Security Threat Vectors

The slide arranges the following vectors around the control system:

- Unintended employee actions
- Theft
- Unauthorized actions by employees
- Unauthorized access
- Denial of Service
- Application of patches
- Unauthorized remote access
- Natural or man-made disasters
- Sabotage
- Worms and viruses

Page 6: Integrated Architecture Tools for Securing your Control System

Security Comes from Defense-in-Depth

Page 7: Integrated Architecture Tools for Securing your Control System

Connected Enterprise

Information Technology (IT) influence is increasing in automation buying decisions.

- Big Data & Analytics: machine data is expected to grow by a factor of >15; unlock latent value by contextualizing and analyzing data "hidden" in devices throughout the plant.
- Cloud & Virtualization: shift from CapEx to flexible & scalable OpEx; enables IT functionality off-premise for improved reliability, support, and disaster recovery.
- Mobility & BYOD: the workforce is mobile during the typical work day; access to actionable information at your fingertips anytime, anywhere, regardless of device.

Page 8: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Network: Converged Plant-wide Ethernet (CPwE) Reference Architectures

The slide is a zone diagram with security measures placed at each level. The text recovered from it, grouped by zone:

Enterprise Zone (Levels 4-5)
- Enterprise WAN

Industrial Demilitarized Zone (IDMZ)
- Standard DMZ design best practices
- Plant firewall (active/standby pair): inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and terminal server proxy
- Unified Threat Management (UTM)

Level 3 - Site Operations
- Physical or virtualized servers: patch management, remote gateway services, application mirror, AV server
- AAA - Application: authentication server, Active Directory (AD), remote access server
- AAA - Network
- Client hardening
- Network status and monitoring
- Network device resiliency

Plant-wide network infrastructure
- VLANs, segmenting domains of trust
- Network infrastructure access control and hardening
- Physical port security

Level 2 - Area Supervisory Control
- HMI, FactoryTalk Client
- Controller hardening, physical security

Level 1 - Controller and Level 0 - Process
- Controllers, I/O, drives, soft starter, MCC
- Controller hardening, encrypted communications

Equipment shown in the diagram: Cisco ASA 5500 firewalls, Catalyst 6500/4500, Catalyst 3750 StackWise switch stack.

Page 9: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Network: Network Segmentation

The slide compares ways of connecting the plant-wide network to the enterprise-wide network:

- Not Recommended: the two networks joined directly, or separated only by a switch with VLANs
- Good: router with zone-based firewall
- Better: dedicated firewall
- Best: IDMZ between the two networks

A VLAN by itself only separates broadcast domains; it becomes a security boundary only when a Layer 3 device with ACLs, or a firewall, polices the traffic that crosses between VLANs.

Page 10: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Network: Network and Security Services

Lifecycle: Assess, Design, Implement, Validate, Manage

Page 11: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Network: The Stratix™ Portfolio

Technology that offers:
- Layer 2 and Layer 3 switching for simple to complex network applications
- Advanced security services
- Plant-floor and enterprise integration

Products that offer:
- Advanced switching, routing & security features
- Common tools for Controls & IT
- Improved maintainability & operations

Addressing the needs of Automation and IT

Page 12: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Network: The Stratix Portfolio

Designed & developed for industrial EtherNet/IP applications

Optimize network performance
- QoS (Quality of Service): default configurations are set to ODVA standards for EtherNet/IP industrial applications, covering discrete, motion, safety and process applications
- IEEE 1588 (CIP Sync): ODVA implementation of the IEEE 1588 precision time protocol ensures performance when connecting EtherNet/IP devices

Simplify design, deployment and maintainability
- DHCP per port: assign a specific IP address to each port, ensuring that the device attached to a given port always gets the same IP address
- Broken wire detection: detect cabling problems such as open, broken, cut or shorted twisted-pair wires, with status available in Logix
- Network Address Translation (NAT): a 1:1 IP address translation to help segment machine-level network devices from the plant network; translate only the devices that need to be visible to the plant network

Page 13: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Network: Stratix 5100™ Wireless Access Point

The Stratix 5100 enables IP-based communications, like EtherNet/IP, over wireless media using the 802.11a/b/g/n wireless standards. Additional features include:
- 3x4 MIMO (multiple-input multiple-output) technology with 3 spatial streams
- Dual-band 2.4 GHz / 5 GHz radios
- Default configuration for QoS on EtherNet/IP
- Enterprise-class silicon and optimized radios deliver a robust mobility experience
- Security: 802.11i, Wi-Fi Protected Access 2 (WPA2), WPA; 802.1X; Advanced Encryption Standard (AES), Temporal Key Integrity Protocol (TKIP)

WPA and TKIP are listed for compatibility with older clients; for a new deployment choose WPA2 with AES and 802.1X authentication, since TKIP is the legacy cipher of WPA and has known weaknesses.

See the Wireless Design Guide for Industrial Wireless Applications.

Page 14: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Network: Stratix 5900™ Layer 2 & Layer 3 Services Router

Premier routing and security services for Layer 2 or Layer 3:
- Router + firewall
- Virtual Private Network (VPN)
- Network Address Translation (NAT)
- Access Control Lists (ACL)
- Intrusion Prevention System (IPS)

Connections: 1 Gigabit WAN, 4 Fast Ethernet

Industrially hardened, DIN rail mountable. Ideal for site-to-site connections, Cell/Area Zone firewall & OEM integration.

Page 15: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Network: Stratix 5900 Layer 2 & Layer 3 Services Router

The slide places the Stratix 5900 in the CPwE architecture in three roles:

1) Site-to-site connection (Remote Site #1 to the plant-wide / site-wide operation systems)
2) Cell/Area Zone firewall (Local Cell/Area Zone #1)
3) OEM integration (Local OEM Skid / Machine #1)

Zones shown:
- Enterprise Zone, Levels 4 & 5 - Data Center: enterprise-wide business systems
- Level 3.5 - IDMZ
- Industrial Zone, Level 3 - Site Operations: physical or virtualized servers (FactoryTalk application servers & services platform; network services, e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; storage array)
- Levels 0-2 - Cell/Area Zones

Page 16: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Network: Stratix 8000™ & Stratix 8300™ Layer 2 & Layer 3 Modular Managed

- Configurable up to 26 ports
- Base unit: 6 or 10 port
- Expansion modules: copper, fiber, SFP & PoE extensions
- SFP for multi-mode & single-mode fiber; wide variety of SFPs available
- Power over Ethernet (PoE): PoE & PoE+ port configurable
- CompactFlash card stores configuration and IOS for easy device replacement
- Advanced feature set to address EtherNet/IP applications, security, resiliency & redundancy
- Operating temperature: -40ºC to 60ºC

Ports:
- Data ports: 10/100 copper
- Dual-purpose uplink ports: 10/100/1000 copper or SFP
- SFP fiber transceiver: 100M and 1G, multimode and singlemode
- Copper, fiber, SFP & PoE expansion modules

Page 17: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Network: Stratix 5700™ Family Layer 2 Managed Fixed Port

- 3 base platforms offering 20 configurations: 6, 10 & 20 port base units
- 2 Gig port option; combo ports can be either copper or SFP
- SFP slots support multi-mode & single-mode fiber; wide variety of SFPs available
- SecureDigital (SD) flash card (optional) stores the switch configuration and IOS, for backup
- Two software packages: Lite & Full software versions
- Advanced feature set: same feature set as the Stratix 8000, integrated NAT functionality, simple static routing
- Power over Ethernet (PoE): PoE & PoE+ port configurable

Page 18: Integrated Architecture Tools for Securing your Control System

Stratix 5700 Demo

Page 19: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Application: FactoryTalk® AssetCentre Auditing

Centrally collect records of all interactions with the control system.

Page 20: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Application: Controller Change Detection

- Every Logix PAC™ exposes a Change Detection Audit Value.
- When something happens that can affect the behavior of the controller, the value changes.
- The Audit Value is available in RSLogix™ 5000 and Studio 5000 Logix Designer™, in other software applications, and in other controllers via a message instruction.
- The set of events that causes the Audit Value to change can be configured.

Page 21: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Application: Controller Change Detection

- The Audit Value is stored in every Controller Log entry.
- FactoryTalk® AssetCentre (in version 4.1) can monitor the Audit Value and read in the Controller Log.
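As an added example (not Rockwell's code and not how AssetCentre is implemented), the Python below sketches the monitoring logic the two Change Detection slides describe: read the Audit Value at each poll and, when it has moved, pull the Controller Log entries written since the last poll, each of which carries the Audit Value current when it was written. It assumes the caller has already obtained the value and the log (through GSV, a message instruction, or a monitoring host; how that read is done is outside the example). The log entries, user names and the mask bit names are constructed for the demonstration; the slides only say the set of audited events is configurable, not what the bits are.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LogEntry:
    seq: int           # position in the Controller Log; grows monotonically
    timestamp: str
    user: str
    event: str
    audit_value: int   # the Audit Value stamped into this entry (per the slides)


@dataclass
class Alert:
    controller: str
    old_value: int
    new_value: int
    entries: List[LogEntry]     # log entries written since the value was last known good
    unexpected: List[LogEntry]  # those entries not made by an approved user


class ChangeMonitor:
    """Tracks one controller's Audit Value between polls and attributes each
    change to the Controller Log entries that arrived in the same interval."""

    def __init__(self, controller: str, approved_users: List[str]) -> None:
        self.controller = controller
        self.approved = set(approved_users)
        self.baseline: Optional[int] = None  # last Audit Value taken as known good
        self.last_seq = 0                    # highest log entry already reviewed
        self.alerts: List[Alert] = []

    def poll(self, audit_value: int, log: List[LogEntry]) -> Optional[Alert]:
        """Call with the freshly read Audit Value and the current Controller Log.
        Returns an Alert when the value moved since the previous poll."""
        new_entries = [e for e in log if e.seq > self.last_seq]
        if new_entries:
            self.last_seq = max(e.seq for e in new_entries)

        if self.baseline is None:            # first poll establishes the reference value
            self.baseline = audit_value
            return None
        if audit_value == self.baseline:     # no behaviour-affecting change was recorded
            return None

        # Entries stamped with a value other than the baseline were written by
        # (or after) a detected change, so they explain why the value moved.
        culprits = [e for e in new_entries if e.audit_value != self.baseline]
        unexpected = [e for e in culprits if e.user not in self.approved]
        alert = Alert(self.controller, self.baseline, audit_value, culprits, unexpected)
        self.alerts.append(alert)
        self.baseline = audit_value          # the new value is the reference for the next poll
        return alert


# Placeholder bit assignments for the controller's configurable change mask.
# These names and bit positions are illustrative, not Rockwell's definitions.
CHANGE_EVENTS: Dict[str, int] = {
    "online_edit":  1 << 0,
    "forces":       1 << 1,
    "constant_tag": 1 << 2,
    "mode_change":  1 << 3,
}
REQUIRED_MASK = sum(CHANGE_EVENTS.values())


def silenced_events(actual_mask: int, required_mask: int = REQUIRED_MASK) -> List[str]:
    """Events the site requires to be audited that the controller's current mask no
    longer tracks. Anything returned here can change without moving the Audit
    Value, so the mask itself has to be checked, not just the value."""
    missing = required_mask & ~actual_mask
    return [name for name, bit in CHANGE_EVENTS.items() if missing & bit]


# Constructed sample Controller Log, as it might look after a maintenance visit.
SAMPLE_LOG = [
    LogEntry(1, "2014-06-17T08:00:12", "mjones",      "Online edit accepted",       0x5A3C0001),
    LogEntry(2, "2014-06-17T08:05:40", "mjones",      "Forces enabled",             0x5A3C0002),
    LogEntry(3, "2014-06-17T09:12:03", "contractor1", "Constant tag value changed", 0x5A3C0003),
]

if __name__ == "__main__":
    monitor = ChangeMonitor("Line1_PLC", approved_users=["mjones"])
    monitor.poll(0x5A3C0000, [])                  # baseline before the visit
    alert = monitor.poll(0x5A3C0003, SAMPLE_LOG)  # next poll: the value moved
    for e in alert.unexpected:
        print(f"{monitor.controller}: {e.timestamp} {e.user}: {e.event}")
    print("silenced:", silenced_events(0b1011))
```

The monitor advances its baseline after raising an alert, so a change is reported once and the alert list is the record for review; whether the change is acceptable is a human decision. The mask check matters because an attacker, or a well-meaning engineer, who can narrow the set of audited events can make later changes invisible to the Audit Value.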

Page 22: Integrated Architecture Tools for Securing your Control System

Change Detection Demo

Page 23: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Application: Data Access Control

External Access attribute: Read/Write, Read Only, or None
- Controls which tags can be modified from an HMI or other external application
- Read Only still allows external reads; None hides the tag from external clients entirely

Constant attribute
- Controls which tags can be modified by controller logic
- Changes to Constants bump the Audit Value
- FactoryTalk Security can control permission to change Constants
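The following is an added example, not Rockwell code, showing how a practitioner can audit these two attributes across a whole project without opening every tag: it parses a Studio 5000 L5X export and lists the tags an external client can still write, plus the tags the site regards as fixed that are not marked Constant. The element and attribute names follow the L5X layout as I recall it from exports (a Tags element under Controller and under each Program, with ExternalAccess and Constant attributes on each Tag); confirm against an export from your own software version before relying on it. The L5X document and the protected-tag list are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterator, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    scope: str      # "Controller" or the name of the program the tag belongs to
    tag: str
    access: str     # ExternalAccess value as exported
    constant: bool
    reason: str


# Tags whose values the site decides must not change at run time; constructed
# for the demo, a real list comes from the safety/process review.
PROTECTED_TAGS: Set[str] = {"MaxPressure", "SafeSpeedLimit"}


def _tags_in(tags_el: ET.Element, scope: str) -> Iterator[Tuple[str, str, str, bool]]:
    for tag in tags_el.findall("Tag"):
        name = tag.get("Name", "")
        # An absent attribute is treated as Read/Write, the Logix default for a new tag.
        access = tag.get("ExternalAccess", "Read/Write")
        constant = tag.get("Constant", "false").lower() == "true"
        yield scope, name, access, constant


def iter_tags(root: ET.Element) -> Iterator[Tuple[str, str, str, bool]]:
    """Yield (scope, name, external_access, constant) for controller-scoped and
    program-scoped tags in an L5X document."""
    controller = root.find("Controller")
    if controller is None:
        return
    tags = controller.find("Tags")
    if tags is not None:
        yield from _tags_in(tags, "Controller")
    for program in controller.iter("Program"):
        ptags = program.find("Tags")
        if ptags is not None:
            yield from _tags_in(ptags, program.get("Name", "?"))


def audit_l5x(l5x_text: str, protected: Set[str] = PROTECTED_TAGS) -> List[Finding]:
    """Flag tags an HMI could write, and protected tags that logic could overwrite."""
    findings: List[Finding] = []
    for scope, name, access, constant in iter_tags(ET.fromstring(l5x_text)):
        if access == "Read/Write":
            findings.append(Finding(scope, name, access, constant,
                                    "writable from an HMI or other external client"))
        if name in protected and not constant:
            findings.append(Finding(scope, name, access, constant,
                                    "protected value not marked Constant; controller logic can overwrite it"))
    return findings


# Constructed L5X fragment in the layout of a Studio 5000 export.
SAMPLE_L5X = """<RSLogix5000Content SchemaRevision="1.0" SoftwareRevision="21.00" TargetName="Line1" TargetType="Controller">
  <Controller Name="Line1" ProcessorType="1756-L71">
    <Tags>
      <Tag Name="Setpoint" TagType="Base" DataType="REAL" ExternalAccess="Read/Write" Constant="false"/>
      <Tag Name="MaxPressure" TagType="Base" DataType="REAL" ExternalAccess="Read Only" Constant="true"/>
      <Tag Name="SafeSpeedLimit" TagType="Base" DataType="REAL" ExternalAccess="Read/Write" Constant="false"/>
      <Tag Name="RecipeKey" TagType="Base" DataType="DINT" ExternalAccess="None" Constant="false"/>
    </Tags>
    <Programs>
      <Program Name="MainProgram" MainRoutineName="MainRoutine">
        <Tags>
          <Tag Name="CycleCount" TagType="Base" DataType="DINT" ExternalAccess="Read Only"/>
          <Tag Name="ManualOverride" TagType="Base" DataType="BOOL"/>
        </Tags>
      </Program>
    </Programs>
  </Controller>
</RSLogix5000Content>
"""

if __name__ == "__main__":
    for f in audit_l5x(SAMPLE_L5X):
        print(f"{f.scope}.{f.tag} [ExternalAccess={f.access}, Constant={f.constant}]: {f.reason}")
```

Run it against a fresh export before each download and diff the output against the last reviewed run; a tag that silently reverted to Read/Write, or a protected tag that lost its Constant flag, shows up as a new line. The same export can be checked into AssetCentre so the audit trail and the attribute review refer to the same project revision.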

Page 24: Integrated Architecture Tools for Securing your Control System

Data Access Control Demo

Page 25: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Application: FactoryTalk Security

Use FactoryTalk Security to manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation software applications to access automation devices.

How does it work? The FactoryTalk Directory provides a centralized authority that verifies the identity of each user and grants or denies the user's requests to perform a particular set of actions on resources within the system (all FactoryTalk Security enabled software):
- Authenticate the user
- Authorize use of applications
- Authorize access to specific devices

Page 26: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Application: FactoryTalk Security

Administrators can manage:
- User accounts: Windows or FactoryTalk
- User groups: custom group or role, Windows group
- Computers
- Computer groups
- System policies
- Product policies
- Product actions

Page 27: Integrated Architecture Tools for Securing your Control System

Tools for a Secure Application: FactoryTalk Security

Security Authority binding (slide diagram): a Logix 5000 project carries the Security Authority identifier of the FactoryTalk Services / Security Administration instance it is bound to, and can only be used where that identifier matches.

- PC #1: FactoryTalk Services, Security Administration, Security Authority ID = 795D5EF-12... The Logix 5000 project carries ID = 795D5EF-12... IDs match, so the project can be used and downloaded to the controller over EtherNet/IP.
- PC #2: FactoryTalk Services, Security Administration, Security Authority ID = A73R5CG-89... The same project carries ID = 795D5EF-12... IDs don't match, so the project cannot be used.

Page 28: Integrated Architecture Tools for Securing your Control System

FactoryTalk Security Demo

Page 29: Integrated Architecture Tools for Securing your Control System

Putting it Together: Secure Remote Access – Good, Better, Best

Scenario / recognizing an issue: an employee, or 3rd party, needs access to the control system from a network outside the production zone to assist in troubleshooting and maintenance.

Threat vectors addressed: unauthorized remote access, worms and viruses, theft, sabotage.
Risk/threat: $$$, unplanned downtime, quality issues / brand image.

- Good solution: Stratix 5900
- Better solution: good solution + expanded technical enforcement of the security perimeter using FactoryTalk Security
- Best solution: better solution + expanded technical enforcement of the security perimeter through the implementation of Remote Access Gateways within an Industrial DMZ

Page 30: Integrated Architecture Tools for Securing your Control System

Putting it Together: Unintended Action Protection – Good, Better, Best

Scenario / recognizing an issue: a contractor connecting to the plant network to make a change or integrate a new line causes downtime by introducing a virus or making unintentional configuration changes.

Threat vectors addressed: unintended employee actions, unauthorized actions by employees.
Risk/threat: lost $$$, damage to product or assets.

- Good solution: detect unauthorized changes with the change detection Audit Value; use managed switches to segment the architecture with VLANs; scan contractor devices
- Better solution: good solution + enforce VLAN access with Access Control Lists
- Best solution: better solution + limit access with FactoryTalk Security with Security Authority binding enabled
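Added example for the "Better" step above, not Rockwell or Cisco code: before pushing an ACL that confines the contractor VLAN to one controller, it is worth evaluating the candidate rules offline against the flows you expect to allow and to block, because IOS ACLs are first-match with an implicit deny at the end, and a mis-ordered entry silently opens or closes more than intended. The addresses, VLAN numbers and rule set are constructed; the port is the real EtherNet/IP one (TCP 44818 for explicit messaging). The helper also renders the rules in IOS named-ACL syntax for pasting into the managed switch or zone router configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "ip" (any), "tcp", "udp" or "icmp"
    src: Net
    dst: Net
    dport: Optional[int] = None   # None: any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def wildcard(addr: str, mask: str) -> Net:
    """Convert IOS 'address wildcard' notation (0 bits must match) to a network,
    e.g. wildcard('10.20.30.0', '0.0.0.255') -> 10.20.30.0/24."""
    w = int(ipaddress.IPv4Address(mask))
    if (w + 1) & w:                       # only contiguous low-order ones map to a prefix
        raise ValueError(f"non-contiguous wildcard mask {mask} not supported")
    return Net((addr, 32 - w.bit_length()), strict=False)


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ipaddress.IPv4Address(flow.src) not in rule.src:
        return False
    if ipaddress.IPv4Address(flow.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """IOS semantics: the first matching entry decides; no match is the implicit deny."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


def ios_addr(net: Net) -> str:
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def render_ios(name: str, acl: List[Rule]) -> str:
    """Render the rule list as an IOS extended named ACL."""
    lines = [f"ip access-list extended {name}"]
    for r in acl:
        line = f" {r.action} {r.proto} {ios_addr(r.src)} {ios_addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return "\n".join(lines)


# Constructed addressing: contractor laptops on VLAN 30, Line 1 PLC on VLAN 10.
ANY = Net("0.0.0.0/0")
CONTRACTOR_VLAN = wildcard("10.20.30.0", "0.0.0.255")
LINE1_PLC = wildcard("10.20.10.5", "0.0.0.0")

# What the contractor needs for troubleshooting: CIP explicit messaging to one
# controller and ping. Everything else from that VLAN is denied explicitly so
# the entry's hit counter shows blocked attempts.
CONTRACTOR_TO_LINE1: List[Rule] = [
    Rule("permit", "tcp", CONTRACTOR_VLAN, LINE1_PLC, 44818),   # EtherNet/IP explicit messaging
    Rule("permit", "icmp", CONTRACTOR_VLAN, LINE1_PLC),
    Rule("deny", "ip", CONTRACTOR_VLAN, ANY),
]

if __name__ == "__main__":
    print(render_ios("CONTRACTOR-TO-LINE1", CONTRACTOR_TO_LINE1))
    for flow in (Flow("tcp", "10.20.30.7", "10.20.10.5", 44818),
                 Flow("tcp", "10.20.30.7", "10.20.10.6", 44818),   # a second controller
                 Flow("tcp", "10.20.30.7", "10.20.10.20", 3389)):  # RDP to the HMI
        print(flow, "->", evaluate(CONTRACTOR_TO_LINE1, flow))
```

The rendered ACL is applied inbound on the contractor VLAN interface of the Layer 3 switch or router; with the Audit Value monitoring from the "Good" step still running, a contractor who finds a way around the ACL still leaves a trace in the Controller Log.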

Page 31: Integrated Architecture Tools for Securing your Control System

Industrial Security Resources

- Security-enhanced Products and Technologies: Rockwell Automation products and technologies with security capabilities that help increase overall control-system-level security. http://www.rockwellautomation.com/security
- EtherNet/IP Plantwide Reference Architectures: control system validated designs and security best practices that complement recommended layered security / defense-in-depth measures. http://www.ab.com/networks/architectures.html
- Network & Security Services (NSS): RA consulting specialists who conduct security risk assessments and make recommendations for how to avert risk and mitigate vulnerabilities. http://www.rockwellautomation.com/services/security

Page 32: Integrated Architecture Tools for Securing your Control System

Industrial Security Landing Pad

http://rockwellautomation.com/security

- Assessment Services
- Security Technology
- Security FAQ
- Security Resources
- Reference Architectures
- Security Services
- [email protected] with Pretty Good Privacy (PGP) public key
- Leadership & Standards
- MS Patch Qualification
- Security Advisory Index

Page 33: Integrated Architecture Tools for Securing your Control System

We care what you think!

Please take a couple of minutes to complete a quick session survey to tell us how we're doing.

On the mobile app:
1. Locate the session using Schedule or Agenda Builder
2. Click on the thumbs-up icon in the lower right corner of the session detail
3. Complete the survey
4. Click the Submit Form button

Thank you!!

Page 34: Integrated Architecture Tools for Securing your Control System

www.rsteched.com

Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.

Questions?