Principal Security Consultant


5 Nov 2013


© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.

Jeffrey A. Shearer, PMP
Principal Security Consultant
Network and Security Services

SESAM Meeting 6/4 2011
IT Security

Erik Gross Jensen
Solution Architect, software


What We Are Delivering Together

- Education Series
- Stratix 8000, and portfolio
- Reference Architectures for Manufacturing
- Common Technology View
- Network and Security Services

http://www.ab.com/networks/architectures.html

Network Management: IT and Production Control

- Automation and Control Applications: CIP-Based Support in the Network
- Local Applications (Device Manager)
- IT Network Management (SNMP-Based)
- Command Line Interface

Reference Material

Copyright © 2010 Rockwell Automation, Inc. All rights reserved.

http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf

Reference Architectures for Manufacturing

[Figure: plantwide reference architecture. Enterprise Zone (Levels 4 and 5); Demilitarized Zone (DMZ) with an active and a standby firewall joined by a Gbps link for failover detection; Manufacturing Zone (Level 3) with a Layer 3 router and a Layer 3 switch stack; Cell/Area Zone (Levels 0-2) with Layer 2 switches, controllers, drives, HMIs and distributed I/O in Cell/Area #1 (Redundant Star Topology), Cell/Area #2 (Ring Topology) and Cell/Area #3 (Bus/Star Topology). Server roles labelled in the figure: Windows 2003 Servers, remote desktop connection, VPN, FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security), Data Servers, Network Services (DNS, DHCP, syslog server), network and security management.]

- Design guidance
- Methodology built on Industry Standards
- Best practices and recommendations
- Documented configuration settings
- Tested with Industrial Applications
- Cisco “Validated” network design
- “Future-ready” network foundation
  - CIP Safety, CIP Sync, CIP Motion
  - Voice, Video

High Level Architecture Review

Remote access involves cooperation between:

- Enterprise Zone: Information Technologies (IT) and infrastructure of the facility
- Automation Demilitarized Zone (Automation DMZ): knowledge of traffic that must move from the plant to enterprise systems
- Manufacturing Zone: Cell and Area devices; traffic flow and protocols

Enterprise Zone

- “Levels” 4 & 5 owned by Information Technologies (IT)
- Traditionally some VLANs in place
- Campus to Campus communications
- IT knowledgeable with routing and firewalls
- You need to work with the IT personnel to get access to the DMZ
- Don’t bypass these fine folks!

Automation DMZ

- Shared ownership by IT and Manufacturing professionals
- “Typically”:
  - IT owns firewalls
  - IT configures the switches on behalf of Manufacturing professionals
  - Manufacturing professionals own DMZ terminal servers, application servers, patch management servers
- DMZ requires cooperation from both IT and Manufacturing

Why a Demilitarized Zone (DMZ)?

To preserve smooth plantwide operations and functioning of the Industrial Automation and Control System (IACS) application and IACS network, this zone requires clear isolation and protection from the Enterprise zone via security devices within the Demilitarized zone (DMZ).

This insulation not only enhances security segmentation between the Enterprise and Manufacturing zones, but may also represent an organizational boundary where IT and manufacturing organizational responsibilities interface.

This approach permits the Manufacturing zone to function entirely on its own, irrespective of the connectivity status to the higher levels.

Controlling Access to the Manufacturing Zone

No Direct Traffic Flow from Enterprise to Manufacturing Zone

[Figure: logical model of the plant network with a firewall on each side of the DMZ.
Enterprise Zone, Level 5: Enterprise Network (Web, E-Mail).
Enterprise Zone, Level 4: Site Business Planning and Logistics Network (E-Mail, Intranet, etc.).
DMZ: Terminal Services, Patch Management, AV Server, Historian Mirror, Web Services Operations, Application Server, Router.
Manufacturing Zone, Level 3, Site Manufacturing Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller.
Cell/Area Zone, Level 2, Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation.
Cell/Area Zone, Level 1, Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control.
Cell/Area Zone, Level 0, Process: Sensors, Drives, Actuators, Robots.
Traffic labels shown: Web, E-Mail, CIP.]

DMZ Topology

- Firewall(s)
  - Enterprise Interface
  - DMZ Interface
  - Manufacturing Interface
- Firewalls are used to block or allow access to devices on these interfaces based on a set of rules
- There will be assets like switches and servers that are part of the DMZ

Manufacturing Zone

- Division of plant into functional areas for secured access
- ISA-SP99 “Zones and Conduit” model
- OEM Participation
- IP Address
- VLAN IDs
- Access layer to Distribution layer cooperation
- System design requires full cooperation of all System Integrators, OEMs, IT and Engineering
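The “DMZ Topology” and “Zones and Conduit” points above can be checked mechanically. The following is an added example, not code from the Cisco/Rockwell slides: a small zones-and-conduits policy model in which every permitted flow is a conduit that starts or ends in the DMZ, so the “No Direct Traffic Flow from Enterprise to Manufacturing Zone” rule becomes an invariant a change review can test before a rule is pushed. The zone subnets, the conduit list and the sample flows are constructed for the illustration and are not the slide deck's or any site's real addressing.

```python
"""
Added example, not code from the Cisco/Rockwell slides: an ISA-SP99 style
zones-and-conduits policy model of the three-interface DMZ. Zone subnets,
services and conduits are constructed for the illustration; a real site
takes them from its own firewall rule base.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone addressing (hypothetical; one subnet per zone for brevity).
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.1.0.0/24"),
    "manufacturing": ip_network("10.2.0.0/16"),
}


@dataclass(frozen=True)
class Conduit:
    """A permitted flow between two zones for one service; `src` is the initiating side."""
    src: str
    dst: str
    proto: str
    port: int
    purpose: str


# Constructed conduit list. Every conduit starts or ends in the DMZ: enterprise
# hosts reach DMZ servers, and DMZ servers reach the manufacturing zone.
# Nothing goes from "enterprise" directly to "manufacturing", which is the
# "No Direct Traffic Flow" rule from the slides. Ports are illustrative.
CONDUITS: List[Conduit] = [
    Conduit("enterprise", "dmz", "tcp", 3389, "remote desktop to DMZ terminal services"),
    Conduit("enterprise", "dmz", "tcp", 443, "web access to historian mirror"),
    Conduit("dmz", "manufacturing", "tcp", 3389, "terminal server to engineering workstation"),
    Conduit("dmz", "manufacturing", "tcp", 445, "patch management and AV updates"),
    Conduit("manufacturing", "dmz", "tcp", 1433, "historian replication to the DMZ mirror"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it belongs to no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """Default-deny decision for a new connection: returns (decision, reason)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address is not in any known zone"
    if src == dst:
        # Intra-zone traffic never crosses the DMZ firewalls; it is left to
        # in-zone controls (VLANs, switch ACLs, device security).
        return "allow", f"does not cross a zone boundary ({src})"
    for c in CONDUITS:
        if (c.src, c.dst, c.proto, c.port) == (src, dst, proto.lower(), port):
            return "allow", c.purpose
    return "deny", f"no conduit from {src} to {dst} for {proto}/{port}"


def validate_conduits(conduits: List[Conduit]) -> List[Conduit]:
    """Architecture check: return every conduit that bypasses the DMZ."""
    return [c for c in conduits if {c.src, c.dst} == {"enterprise", "manufacturing"}]


if __name__ == "__main__":
    # Constructed sample flows, as a change review might run them before a rule goes live.
    samples = [
        ("10.0.5.20", "10.1.0.10", "tcp", 3389),  # enterprise -> DMZ terminal server
        ("10.0.5.20", "10.2.1.5", "tcp", 3389),   # enterprise -> controller network directly
        ("10.1.0.10", "10.2.1.5", "tcp", 3389),   # DMZ terminal server -> engineering workstation
        ("10.2.1.5", "10.2.1.6", "tcp", 44818),   # controller to controller (EtherNet/IP), intra-zone
    ]
    for flow in samples:
        print(flow, "->", evaluate(*flow))
    print("conduits bypassing the DMZ:", validate_conduits(CONDUITS))
```

The useful property is that `validate_conduits` inspects the rule set rather than individual packets: a rule that would let enterprise hosts reach controllers directly is rejected even if no such flow has been seen yet.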

Manufacturing Zone

- Defense in depth still applies to the manufacturing zone
- Defense in depth steps in the manufacturing zone are still applied to:
  - Device Hardening
  - Application
  - Computers
  - Networks
  - Physical
- Rockwell Automation products support the defense in depth strategy

Defense in Depth Designs

(Confidential For Internal Use Only) Copyright © 2009 Rockwell Automation, Inc. All rights reserved.

Apply security products and support a defense-in-depth (or layered) architecture:

1. Network & Security Design
2. Limit physical access to all equipment
3. Control access to automation networks
4. Control access to computers and keep them up to date
5. Control access to software applications that are used to configure devices
6. Control access to both the configuration and data in automation devices

[Figure: layered model with Perimeter Enforcement, Security Services and Device Security across the Physical, Network, Computer, Application and Device layers.]

This is not a “one size fits all” problem: you are in the best position to decide which risks are the most urgent and which tools to use to reduce that risk.

Configuration Access Control Using FactoryTalk Security

How does it work?

- Provides centralized authentication and access control by verifying the identity of each user (and computer) who attempts to access the automation system and then either granting or denying each user's request to perform particular actions on features and resources within the system
  - Authentication: verifies a user’s identity and verifies that a request for service originates with that user.
  - Authorization: verifies a user’s request to access a software product, feature, or system resource against a set of defined access permissions.
- Authenticates and authorizes users against a set of defined permissions held in the FactoryTalk Directory

[Figure: layered model (Physical, Network, Computer, Application, Device) with the Application layer highlighted.]

Application: Device Configuration

Use FactoryTalk Security to:

- Control computer and user access to devices
- Control use of selected software applications that access devices

[Figure: layered model (Perimeter Enforcement; Physical, Network, Operating System, Application, Device).]

FactoryTalk Security (FTS-05)

- Product Policies: define which functions, features or users of a software application can be used across your site or enterprise
- System Policies: define the rules that govern how security is implemented (like password expirations) across your site or enterprise
- Computers and Computer Groups: define which computers can be used to access your automation system
- Networks and Devices: define which actions can be performed on a specific hardware resource
- Users and User Groups (roles): define which users or groups of users can get access to your automation system

Product Policies
- Restrict access to the features of individual FactoryTalk-enabled products
- Only users with the required level of access can use the product features that you have secured.

System Policies
- Define general security rules, such as how frequently passwords must be changed

Computers and Groups
- You can use these accounts to enforce line-of-sight security
- Combine individual computer accounts into groups, to make it easier to manage security.

Networks and Devices
- Secure access to control hardware
- Securable actions can be defined for all similar devices, for groups of devices, or on a device-by-device basis
- Actions and devices can be put into groups for easier management (new in CPR9)

Users and User Groups
- FactoryTalk User: user accounts that are held in the FactoryTalk Directory
- Windows Linked User: user accounts that already exist in a Windows domain or workgroup
- Combine user accounts into User Groups to set up role-based security access:
  - Windows-linked User Group: references user groups that already exist in a Windows Domain
  - FactoryTalk Group: combines individual Users and other groups, including Windows Linked groups, into a FactoryTalk Group
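The FTS-05 slide above lists the objects FactoryTalk Security reasons about (users, Windows-linked users and groups, computer groups for line-of-sight security, device groups and securable actions), and the “Configuration Access Control” slide separates authentication from authorization. The block below is an added example written for this page, not Rockwell code and not the FactoryTalk Directory API: it models those objects in memory and shows how an authorize decision combines user group membership (including a Windows-linked group nested in a FactoryTalk group), the computer the request comes from, and the device group the target belongs to, with an explicit deny overriding any allow. It also covers defense-in-depth steps 5 and 6 from the earlier slide (control who may configure devices and who may touch their data). Every user, group, computer, device and permission is constructed for the illustration.

```python
"""
Added example, not Rockwell code: an in-memory stand-in for the FactoryTalk
Directory's security objects. Names, credentials, groups and permissions are
constructed; the real product's storage and API differ.
"""
import hashlib
import hmac
import os

ALL_COMPUTERS = "All Computers"
ALL_DEVICES = "All Devices"


class Directory:
    """Holds accounts, group membership and permissions (constructed model)."""

    def __init__(self):
        self.users = {}            # name -> ("factorytalk", (salt, digest)) or ("windows", None)
        self.groups = {}           # group name -> set of member names (users or other groups)
        self.computer_groups = {}  # group name -> set of computer names
        self.device_groups = {}    # group name -> set of device names
        self.permissions = []      # (principal, computer_scope, resource, action, effect)

    # ---- accounts ----------------------------------------------------------
    def add_factorytalk_user(self, name, password):
        # FactoryTalk users are verified here, so store a salted PBKDF2 hash, never the password.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[name] = ("factorytalk", (salt, digest))

    def add_windows_linked_user(self, name):
        # Windows-linked users are authenticated by the domain, not by this directory.
        self.users[name] = ("windows", None)

    def add_group(self, name, members):
        self.groups[name] = set(members)

    # ---- authentication: is the request really from this user? --------------
    def authenticate(self, name, password=None, domain_verified=False):
        kind, secret = self.users.get(name, (None, None))
        if kind == "factorytalk":
            salt, digest = secret
            candidate = hashlib.pbkdf2_hmac("sha256", (password or "").encode(), salt, 100_000)
            return hmac.compare_digest(candidate, digest)
        if kind == "windows":
            return domain_verified  # result of the domain logon, supplied by the caller
        return False

    # ---- scope resolution ---------------------------------------------------
    def principals_for(self, user):
        """The user plus every group reachable through nested membership."""
        found, frontier = {user}, [user]
        while frontier:
            member = frontier.pop()
            for group, members in self.groups.items():
                if member in members and group not in found:
                    found.add(group)
                    frontier.append(group)
        return found

    def computer_scopes(self, computer):
        scopes = {computer, ALL_COMPUTERS}
        scopes.update(g for g, members in self.computer_groups.items() if computer in members)
        return scopes

    def resource_scopes(self, device):
        scopes = {device, ALL_DEVICES}
        scopes.update(g for g, members in self.device_groups.items() if device in members)
        return scopes

    # ---- authorization: may this user do this action on this device from here?
    def grant(self, principal, resource, action, effect="allow", computer_scope=ALL_COMPUTERS):
        self.permissions.append((principal, computer_scope, resource, action, effect))

    def is_authorized(self, user, computer, device, action):
        principals = self.principals_for(user)
        computers = self.computer_scopes(computer)
        resources = self.resource_scopes(device)
        effects = {eff for p, c, r, a, eff in self.permissions
                   if p in principals and c in computers and r in resources and a == action}
        return "allow" in effects and "deny" not in effects  # explicit deny wins


def build_sample_directory():
    """Constructed sample: one FactoryTalk user, one Windows-linked user, two roles."""
    d = Directory()
    d.add_factorytalk_user("alice", "correct horse battery staple")  # constructed credential
    d.add_windows_linked_user("PLANT\\bob")
    d.add_group("Engineers", {"alice"})
    d.add_group("PLANT\\Operators", {"PLANT\\bob"})   # Windows-linked group
    d.add_group("Operators", {"PLANT\\Operators"})    # FactoryTalk group containing the linked group
    d.computer_groups["Engineering Workstations"] = {"ews-01", "ews-02"}
    d.device_groups["Line 1 Controllers"] = {"PLC-Line1-01", "PLC-Line1-02"}
    # Downloads only from engineering workstations (line-of-sight); reads from anywhere.
    d.grant("Engineers", "Line 1 Controllers", "Download", computer_scope="Engineering Workstations")
    d.grant("Engineers", ALL_DEVICES, "Read")
    d.grant("Operators", ALL_DEVICES, "Read")
    d.grant("Operators", ALL_DEVICES, "Download", effect="deny")
    return d
```

The computer scope is what gives line-of-sight security its teeth: the same engineer account that may download to a Line 1 controller from `ews-01` is refused when the request comes from any computer outside the workstation group, and the operator deny on `Download` holds even if an operator is later added to the engineers group.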

Manufacturing Security Design

- Physical Security: limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room; escort and track visitors
- Network Security: infrastructure framework, e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
- Computer Hardening: patch management, antivirus software as well as removal of unused applications, protocols, and services
- Application Security: authentication, authorization, and audit software
- Device Hardening: change management and restrictive access

[Figure: layered model (Perimeter Enforcement; Physical, Network, Computer, Application, Device).]

Tenets of a Good Security Design: The Physical

- Switch Lock-in & Block-out
- Panduit/RA Physical Layer Reference Architectures Design Guide
- MN05
- PSL-DCPL
- PSL-DCJB

Additional Resources

- Website: http://www.ab.com/networks/architectures.html
- Whitepapers
  - Reference Architectures for Manufacturing
  - Securing Manufacturing Computer and Controller Assets
  - Production Software within Manufacturing Reference Architectures
- Design and Implementation Guides
  - ODVA: Network Infrastructure for EtherNet/IP: Introduction and Considerations
  - ODVA: EtherNet/IP Media Planning and Installation Manual
  - Rockwell Automation and Cisco Design and Implementation Guide: manufacturing reference architectures

Additional Resources: Webcasts

Rockwell Automation and Cisco webcasts:
- What Every IT Professional Should Know about Plant Floor Networking
- What Every Plant Floor Controls Engineer Should Know about Working with IT

Rockwell Automation Knowledge Network webcasts:
- Rockwell Automation and Cisco: Best Practices
- Reference Architectures: Fundamentals of Ethernet Network Design
- Securing Manufacturing and Enterprise Network Convergence
- Industrial Ethernet Resiliency

Available Resources

- Whitepapers
  - Stratix Switches within Integrated Architecture
  - Achieving Secure Remote Access to Plant Floor Applications and Data
  - Recommendations for Designing, Selecting, Configuring and Maintaining Wireless EtherNet/IP Networks
  - Industrial Ethernet Resiliency (late summer)
  - IT Ready for OEMs (late summer)
- Design and Implementation Guides
  - DIG 2.0: Stratix 8000, resiliency, performance
  - Panduit and Rockwell Automation Physical Layer Reference Architectures