Fundamentals of Securing EtherNet/IP Networks & Practical Security Capabilities
- Martha Lucas
1 Fundamentals of Securing EtherNet/IP Networks & Practical Security Capabilities Presented by Rockwell Automation Copyright 2014 Rockwell Automation, Inc. All rights reserved.
2 Industrial Network Security Trends: Established Industrial Security Standards
- International Society of Automation: ISA/IEC (Formerly ISA-99), Industrial Automation and Control Systems (IACS) Security. Defence-in-Depth; IDMZ Deployment.
- National Institute of Standards and Technology: NIST, Industrial Control System (ICS) Security. Defence-in-Depth; IDMZ Deployment.
- Department of Homeland Security / Idaho National Lab: DHS INL/EXT, Control Systems Cyber Security: Defence-in-Depth Strategies. Defence-in-Depth; IDMZ Deployment.
3 Industrial Network Security Trends: No single technology, product or methodology can fully secure industrial control systems.
4 Defence-in-Depth: Multiple Layers to Protect the Network and Defend the Edge
- Physical Security: limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling, and control room. This may also include policies, procedures and technology to escort and track visitors.
- Network Security: infrastructure framework, e.g. unified threat management (UTM) security appliances and integrated protection of networking assets such as switches and routers.
- Computer Hardening: patch management, antivirus software as well as removal of unused applications, protocols, and services.
- Application Security: authentication, authorization, and accounting (AAA) software.
- Device Hardening: change management, controller communication encryption, and restrictive network connectivity through authentication.
- Layers shown: Policies, Procedures & Awareness; Physical; Network; Computer; Application; Device.
Copyright 2013 Rockwell Automation, Inc. All Rights Reserved.
5 Defence-in-Depth: Critical Elements to Industrial Security
- one-size-fits-all
- A balanced Industrial Security Program must address both Technical and Non-Technical Elements.
- Non-technical controls: rules for environments, e.g. standards, policies, procedures, and risk management.
- Technical controls: technology to provide restrictive measures for non-technical controls, e.g. Firewalls, Group Policy Objects, Layer 3 access control lists (ACLs).
- Security is only as strong as the weakest link.
- Vigilance and Attention to Detail are KEY to the long-term security success.
6 Defence-in-Depth: Multiple Layers to Protect the Network and Defend the Edge. Policies, Procedures & Awareness: risk management, implementation of security policy to support manufacturing operations, backup policy, incident reporting, etc.
7 Defence-in-Depth: Multiple Layers to Protect the Network and Defend the Edge. Physical Security: limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling, and control room. This may also include policies, procedures and technology to escort and track visitors.
8 Defence-in-Depth: Physical Security
- Restrict Industrial Automation and Control System (IACS) access to authorised personnel only
- Control panels, devices, cabling, and control room
- Locks, gates, key cards
- Video Surveillance
- Other Authentication Devices (biometric, keypad, etc.)
- Block-out unused ports and lock-in used ports
9 Defence-in-Depth: Physical Security. Blockout: RJ45, USB A/B, LC. Lock-in. Colour coded inserts.
10 Defence-in-Depth: Multiple Layers to Protect the Network and Defend the Edge. Network Security: infrastructure framework, e.g. unified threat management (UTM) security appliances and integrated protection of networking assets such as switches and routers.
11 Defence-in-Depth: Network Infrastructure Access Control and Hardening
- Cryptographic Image: HTTPS (HTTP Secure); Secure Shell (SSH); SNMPv3
- Restrict Access: Port Security; Dynamic learning of MAC addresses; ACL (Access Control List); Local Authentication through AAA Server
- Resiliency: Layer 2 Loop Prevention; Quality of Service (QoS), Minimize Impact of DDoS Attacks
- Disable Unnecessary Services: MOP (Maintenance Operations Protocol); IP redirects; Proxy ARP
- Attack Prevention: DHCP Snooping (Rogue DHCP Server Protection, DHCP Starvation Protection); Dynamic ARP Inspection (ARP Spoofing, man-in-the-middle attack); Storm Control Thresholds (Denial-of-service (DoS) attack)
12 Defence-in-Depth: Network Infrastructure Access Control and Hardening
- Disable unused ports
- Configure port security: Number of allowed MAC addresses; Static vs. Dynamic MAC addresses; Sticky MAC addresses
- Violation Action: Shutdown; Restrict; Protect
13 Defence-in-Depth: Access Control Lists (ACLs) [Diagram: traffic between the Industrial IACS Zone and the Cell/Area IACS Zone through a Zone Firewall. Traffic labels: SNMP Sweep, Ping Sweep, CIP Class 3, CIP Class 1, http, icmp - ping]
14 Defence-in-Depth: Access Control Lists (ACLs)
Columns: Action, Protocol, Source, Destination and Mask, Port
- Permit ICMP Any
- Permit TCP Any (WWW)
- Permit TCP Any (SSL)
- Permit UDP Any (SNMP)
- Permit UDP Any (SNMPTRAP)
- Permit TCP Any (SNMPTRAP)
- Deny IP Any Any
Notes:
- All ACLs have an implied Deny Any Any at the end
- Any traffic not specifically allowed will be dropped
- Does not inspect traffic
- TCP/UDP Ports Used by Rockwell Automation Products
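The three ACL properties on this slide (rules are matched in order, an implied Deny Any Any closes every list, and matching uses header fields only without inspecting traffic) can be checked with a small evaluator. This is an added example, not code from the presentation or from any Rockwell Automation or Cisco product; the addresses, the MGMT_ACL list and the function names are constructed for illustration, because the slide's destination column did not survive transcription.

```python
"""Ordered, stateless ACL evaluation with an implied final deny (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Service ports named in the slide's table.
WWW, SSL, SNMP, SNMPTRAP = 80, 443, 161, 162
ENIP_TCP = 44818          # EtherNet/IP explicit messaging; not permitted by the slide's list
ANY = "0.0.0.0/0"
CELL = "192.0.2.0/24"     # constructed Cell/Area Zone subnet (documentation range)


@dataclass(frozen=True)
class Packet:
    proto: str                    # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None
    payload: bytes = b""          # carried along, never consulted by the ACL


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # CIDR notation
    dst: str
    dport: Optional[int] = None   # None matches every port

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


# The slide's rows, in order, with a constructed destination subnet.
MGMT_ACL: List[Rule] = [
    Rule("permit", "icmp", ANY, CELL),
    Rule("permit", "tcp", ANY, CELL, WWW),
    Rule("permit", "tcp", ANY, CELL, SSL),
    Rule("permit", "udp", ANY, CELL, SNMP),
    Rule("permit", "udp", ANY, CELL, SNMPTRAP),
    Rule("permit", "tcp", ANY, CELL, SNMPTRAP),
    Rule("deny", "ip", ANY, ANY),
]


def evaluate(acl: List[Rule], packet: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule).

    An index of None means no rule matched and the implied deny applied.
    """
    for index, rule in enumerate(acl):
        if rule.matches(packet):
            return rule.action, index
    return "deny", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matching `later` already matches `earlier`."""
    if earlier.proto not in ("ip", later.proto):
        return False
    if not ip_network(later.src).subnet_of(ip_network(earlier.src)):
        return False
    if not ip_network(later.dst).subnet_of(ip_network(earlier.dst)):
        return False
    return earlier.dport is None or earlier.dport == later.dport


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule covers them."""
    return [i for i, rule in enumerate(acl)
            if any(covers(prev, rule) for prev in acl[:i])]


if __name__ == "__main__":
    cip = Packet("tcp", "198.51.100.7", "192.0.2.10", ENIP_TCP)
    print("CIP against the slide's list:", evaluate(MGMT_ACL, cip))
    print("CIP with the explicit deny removed:", evaluate(MGMT_ACL[:-1], cip))
    # A permit appended after "deny ip any any" is dead configuration.
    appended = MGMT_ACL + [Rule("permit", "tcp", ANY, CELL, ENIP_TCP)]
    print("Shadowed rule indexes:", shadowed_rules(appended))
```

Because the payload field is never read, a permit on port 80 passes whatever is sent to that port, which is why the deck pairs ACLs with firewalls and intrusion prevention in later slides.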
15 Defence-in-Depth: Cisco / Rockwell Automation CPwE Reference Architectures [Diagram: Flat and Open IACS Network Infrastructure compared with Structured and Hardened IACS Network Infrastructure]
16 Architectural Security Framework: VLANs, Segmenting Domains of Trust [Diagram: Flat and Open IACS Network Infrastructure: Plant-wide IACS, VLAN 40, IP Subnet /24, with Machine #1 (OEM #1) and Machine #2 (OEM #2) at Layer 2. Structured and Hardened IACS Network Infrastructure: Plant-wide IACS, VLAN 40, IP Subnet /24; Machine #1 (OEM #1), VLAN 20, IP Subnet /24; Machine #2 (OEM #2), VLAN 30, IP Subnet /24. Device labels: Stratix 8300 (Layer 3), Stratix 8000 (Layer 2), Ring]
17 Architectural Security Framework: Network Device Resiliency
- Distribution switches typically provide first hop (default gateway) redundancy
- StackWise (3750X), stack management
- Hot Standby Router Protocol (HSRP)
- Virtual Router Redundancy Protocol (VRRP)
- Gateway Load Balancing Protocol (GLBP)
[Diagram labels: Catalyst 3750x Switch Stack; Catalyst 3560; HSRP Active; HSRP Standby]
18 Stratix 8000 & 8300: Layer 2 & Layer 3, Modular Managed
- Configurable up to 26 ports: Base Unit, 6 or 10 port; Expansion Modules; Copper, Fiber, SFP & PoE extensions
- SFP for multi & single mode fiber: wide variety of SFPs available
- Power over Ethernet (PoE): PoE & PoE+ port configurable
- CompactFlash card: stores configuration and IOS for easy device replacement
- Advanced feature set to address: EtherNet/IP applications; Security; Resiliency & Redundancy
- Operating Temp: -40ºC to 60ºC
- Callouts: Dual Purpose Uplink Ports, 10/100/1000 Copper or SFP; Data Ports, 10/100 Copper; SFP Fiber Transceiver, 100M and 1G, Multimode and Singlemode; Copper, fiber, SFP & PoE Expansion Modules
- Ideal for connecting into a higher level of the network infrastructure architecture
19 Stratix 5700 Family: Layer 2, Managed, Fixed Port
- 3 base platforms offering 20 configurations: 6, 10 & 20 port base units; 2 Gig port option
- SFP slots support multi & single mode fiber: wide variety of SFPs available
- SecureDigital flash card (optional): stores configuration and IOS of switch
- Two software packages: Lite & Full software versions
- Advanced feature set: same feature set as the Stratix 8000; Integrated NAT functionality; Simple static routing
- Callouts: *Combo ports can be either copper or SFP; SD card for backup
- Ideal for connecting machines into the plant networks; Converged Networks
20 Scalable Network Security Framework: One Size Does Not Fit All [Figures 1-7: options for connecting the Enterprise-wide Network to the Plant-wide Network. Labels in slide order: Switch with VLANs; Figure 1, Not Recommended; Figure 2, Recommended; Depends, based on customer standards, security policies and procedures, risk tolerance, and alignment with IACS Security Standards; Figure 3; Figure 4; Router (Zone Based FW); Firewall; IDMZ; Good, Figure 5; Better, Figure 6; Best, Figure 7]
21 Network Security Framework: Industrial Demilitarized Zone (IDMZ)
- Set-up functional sub-zones in the IDMZ to segment access to data and services (e.g. Partner zone, Operations, IT)
[Diagram labels: Trusted? Untrusted?; Enterprise Zone; Disconnect Point; Terminal Services; Patch Management; AV Server; Multiple Functional Subzones; IDMZ; No Direct Traffic; Historian Mirror; Web Services Operations; Application Server; Industrial Zone; Trusted; Disconnect Point]
22 Stratix 5900: Layer 2 & Layer 3 Services Router
- Premiere routing and security services for Layer 2 or Layer 3: Router + Firewall; Virtual Private Network (VPN); Network Address Translation (NAT); Access Control Lists (ACL); Intrusion Prevention Systems (IPS)
- Connections: 1 Gigabit WAN; 4 Fast Ethernet
- Industrially hardened, DIN rail mountable
- Ideal for Site to Site Connections, Cell/Zone Area Firewall & OEM Integration
- Ideal for helping protect communications through secure channels & restricting unwanted communications by policy and inspection
23 Architectural Security Framework: Unified Threat Management, Stratix Services Router [Diagram: Enterprise Zone (Levels 4 & 5: Enterprise-wide Business Systems, Data Center); IDMZ; Industrial Zone (Level 3, Site Operations: Plant-wide Site-wide Operation Systems, Physical or Virtualized Servers, FactoryTalk Application Servers & Services Platform, Network Services e.g. DNS, AD, DHCP, AAA, Remote Access Server (RAS), Call Manager, Storage Array); Cell/Area Zones (Levels 0-2). Stratix roles shown: Site-to-Site Connection (Remote Site #1); Cell/Area Zone Firewall (Local Cell/Area Zone #1); OEM Integration (Local OEM Skid / Machine #1)]
24 Defence-in-Depth: Multiple Layers to Protect the Network and Defend the Edge. Computer Hardening: patch management, anti-x software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports.
25 Defence-in-Depth: Computer Hardening: Patch Management
- Security Patch Management: establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches
- Keep computers up-to-date on service packs and hot fixes: Disable automatic updates; Check software vendor website; Test patches before implementing; Schedule patching during downtime
- Deploy and maintain Anti-X (e.g. virus, spyware, malware) software: Disable automatic updates and automatic scanning; Test definition updates before implementing; Schedule manually initiated scanning during downtime
- Uninstall unused Windows components: Protocols and Services
- Protect unused or infrequently used USB, parallel or serial interfaces
26 Defence-in-Depth: Computer Hardening: Microsoft Patch Management
- White paper: Computer System Security Updates: Why patch your computers?
- Microsoft Patch Qualification for Rockwell Automation software products
- *TechConnect support contract required
27 Defence-in-Depth: Computer Hardening: Security Advisory Index
- RA Knowledgebase Answer ID#
- Summary and links to RA Security-related Disclosures relating to RA products
- Page updated as new articles added to Knowledgebase
- Updates to page can be pushed to subscribers
- Recommendation: Register account on KB; Subscribe to article #54102 as Add to My Favorite
28 Defence-in-Depth: Multiple Layers to Protect the Network and Defend the Edge. Application Security: authentication, authorization and accounting (AAA) software.
29 Application Access Control: FactoryTalk Security
- Use FactoryTalk Security to manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation software applications to access automation devices
- How does it work? Provides a centralized authority to verify the identity of each user and grant or deny the user's requests to perform a particular set of actions on resources within the system
- FactoryTalk Directory: Authenticate the User; Authorize Use of Applications; Authorize Access to Specific Devices (All FactoryTalk Security enabled software)
30 Application Access Control: FactoryTalk Security
- Administrators can manage: User Accounts (Windows, FactoryTalk); User Groups (Custom group or role, Windows Group); Computers; Computer Groups; System Policies; Product Policies; Product Actions
31 FactoryTalk Overview
32 Trusted FactoryTalk Security Authority [Diagram labels in slide order: Security Authority; ID = 795D5EF; ID = A73R5CG; Security Authority; PC #1; PC #2; ID= 795D5EF-12..; Logix 5000 Project; ID = 795D5EF-12; Logix 5000 Project; Security Administration; FactoryTalk Services; IDs Match; EtherNet/IP; IDs Don't Match]
33 Securing Logix5000 Projects and Controllers: Secure both RSLogix 5000 project files and bind Programmable Automation Controller (PAC) hardware resources to the FactoryTalk Directory.
34 Defence-in-Depth: Device Hardening. Device Hardening: change management, communication encryption, and restrictive access through authentication.
35 Defence-in-Depth: Device Hardening. Change controller mode to RUN via key / switch.
36 Tamper Detection: Firmware Digital Signatures
- How they're being introduced: New products have their firmware digitally signed from day 1 (L7x, Micro 800 ...); Digitally signed versions of existing products released as feasible (EN2T, DNB ...)
- Purpose of digital signature: Protect firmware from accidental and malicious corruption; Ensure firmware was generated by Rockwell Automation
- How they work: Rockwell Automation digitally signs firmware kits with a private key when they are released; Devices locally check the signature with a corresponding public key; Any change to the firmware kit will cause the signature check to fail in the device
37 Content Protection: Source Protection. Assign a password to any Routine or Add-On Instruction.
38 Defence-in-Depth: Controller Hardening - Source Protection
- Electronic design: Logix Controller Source Protection
- Source Protection to lock down Add-On Instruction
- Viewing can be permitted if desired
- Source Key values are obfuscated in Studio 5000
- Source Keys can also be named. The name is displayed in place of the Source Key value
39 Tamper Detection: Controller Change Detection
- Every Logix Controller exposes a Change Detection Audit Value
- When something happens that can impact the behavior of the controller, the value changes
- Audit Value is available in RSLogix 5000, in other software applications and in other controllers via Message instruction
- The set of events that causes the Audit Value to change can be configured
40 Tamper Detection: Controller Change Detection
- The Audit Value is stored in every Controller Log entry
- FactoryTalk AssetCentre (in version 4.1) can monitor the Audit Value and read in the Controller Log
41 Tamper Detection: FactoryTalk AssetCentre Auditing. Centrally collect records of all interactions with the control system.
42 Tamper Detection: High Integrity Add-on Instructions
- High Integrity AOIs allow you to generate a signature for an AOI definition
- Use High Integrity AOIs to: Address the needs of regulated industries for auditing purposes (Life Sciences, Food and Beverage, and others); Maintain consistency and revision control in libraries
43 Application Access Control: Data Access Control
- Users can assign External Access settings of Read/Write, Read Only, or None to tags
- Useful to control which tags can be modified from an HMI or other external application
- A cryptographically licensed trusted connection is established between RSLogix 5000 and the Logix controller
- Ensures the External Access attribute can only be changed by RSLogix 5000
- Who can use RSLogix 5000 to change this attribute is controlled by FactoryTalk Security
- Users can also define tags as Constants
- Constants cannot be modified by controller logic
Copyright 2011 Rockwell Automation, Inc. All rights reserved.
44 Architectural Security Framework: Controller Hardening, Encrypted Communications
45 EN2TSC: ControlLogix Secure Communications Module
- Network hardening
- Control physical access
- Enables secure communications down to the controller chassis
- Create a secure link from a ControlLogix chassis to: An engineering or HMI workstation; A Services Router, like the Stratix 5900; Another ControlLogix chassis for secure controller-to-controller messaging
46 Architectural Security Framework: Controller Hardening, Encrypted Communications
47 Architectural Security Framework: Controller Hardening, Trusted Slot Designation
48 Architectural Security Framework: Controller Hardening, Encrypted Communications [Diagram: Enterprise Zone (Levels 4 & 5), IDMZ, Industrial Zone (Level 3, Site Operations) and Cell/Area Zones (Levels 0-2, Local Cell/Area Zones #1 to #3) with 1756-EN2TSC modules, a UTM and a Workstation. Tunnels shown:]
- 1) IPsec tunnel between two EN2TSC modules
- 2a) IPsec tunnel from 1756-EN2TSC module to Windows Server
- 2b) IPsec tunnel from 1756-EN2TSC module to Cisco ASA Firewall; IPsec tunnel from ASA Firewall to Windows Server 2008
- 3) L2TP tunnel from Windows 7 client to 1756-EN2TSC module
49 What Can You Do to Mitigate Risk?
- Educate and create Awareness in your organization
- Align with Industrial Automation and Control System Security Standards: DHS External Report # INL/EXT , NIST , ISO/IEC (Formerly ISA-99)
- Implement Defence-in-Depth approach: no single product, methodology, nor technology fully secures IACS
- Establish Open Dialog between Production, Engineering, IT and Rockwell Automation (Incident Response Sharing)
- Establish an Industrial DMZ between the Enterprise and Industrial Zones
- Work with trusted partners knowledgeable in automation & security
- "Good enough" security now, is better than "perfect" security...never. (Tom West, Data General)
50 What Can You Do Now to Mitigate Risk? Practice these 8 Simple, Actionable Steps to enhance industrial reliability and security:
1. Control who has network access
2. Employ firewalls and intrusion detection/prevention
3. Use Anti Virus Protection and patch your system
4. Manage & protect your passwords
5. Turn the processor key(s) to the Run Mode
6. Utilize features embedded in Rockwell Automation products today (example: FactoryTalk Security)
7. Develop a process to manage removable media
8. Block access ports (example: key connectors)
51 Additional Material: Industrial Security Resources
- Assessment Services; Security Technology; Security FAQ; Security Services; Leadership & Standards; Security Resources; Security Advisory Index; MS Patch Qualification; Reference Architectures
52 Additional Resources (from literature.rockwellautomation.com)
- Design Guides: Converged Plant-wide Ethernet (CPwE)
- Whitepapers: Top 10 Recommendations for Plant-wide EtherNet/IP Deployments; Securing Manufacturing Computer and Controller Assets; Production Software within Manufacturing Reference Architectures; Achieving Secure Remote Access to plant-floor Applications and Data; Design Considerations for Securing Industrial Automation and Control System Networks
- Manuals: Logix 5000 Controllers Security Programming Manual
More informationSample excerpt. HP ProCurve Threat Management Services zl Module NPI Technical Training. NPI Technical Training Version: 1.
HP ProCurve Threat Management Services zl Module NPI Technical Training NPI Technical Training Version: 1.00 5 January 2009 2009 Hewlett-Packard Development Company, L.P. The information contained herein
More informationIndicate whether the statement is true or false.
Indicate whether the statement is true or false. 1. Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall s database or violations of those rules. 2.
More informationExam : Title : Security Solutions for Systems Engineers. Version : Demo
Exam : 642-566 Title : Security Solutions for Systems Engineers Version : Demo 1. Which one of the following elements is essential to perform events analysis and correlation? A. implementation of a centralized
More informationSECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry
SECURITY ON AWS By Max Ellsberry AWS Security Standards The IT infrastructure that AWS provides has been designed and managed in alignment with the best practices and meets a variety of standards. Below
More informationCyber Security Requirements for Electronic Safety and Security
This document is to provide suggested language to address cyber security elements as they may apply to physical and electronic security projects. Security consultants and specifiers should consider this
More informationPROTECTING INFORMATION ASSETS NETWORK SECURITY
PROTECTING INFORMATION ASSETS NETWORK SECURITY PAUL SMITH 20 years of IT experience (desktop, servers, networks, firewalls.) 17 years of engineering in enterprise scaled networks 10+ years in Network Security
More informationChapter 11: Networks
Chapter 11: Networks Devices in a Small Network Small Network A small network can comprise a few users, one router, one switch. A Typical Small Network Topology looks like this: Device Selection Factors
More informationHigh School Graduation Years 2016, 2017 and 2018
Secondary Task List 100 PERSONAL AND ENVIRONMENTAL SAFETY 101 List common causes of accidents and injuries in a computer facility. 102 Wear personal protective equipment. 103 List and identify safety hazard
More informationCisco Self Defending Network
Cisco Self Defending Network Integrated Network Security George Chopin Security Business Development Manager, CISSP 2003, Cisco Systems, Inc. All rights reserved. 1 The Network as a Strategic Asset Corporate
More informationStratix Industrial Networks Infrastructure At-A-Glance
Managed ing and Routing Security Appliance Wireless ArmorStratix 5700 Managed Stratix 8000 and Stratix 8300 Managed Stratix 5400 Managed Stratix 5410 Distribution Stratix 5900 Services Router Stratix 5950
More informationBuilding Smart Machines for Digital Transformation
Building Smart Machines for Digital Transformation Robert Hicks Regional Segment Lead - OEM RAOTM 2019, Bengaluru, 22 01 2019 Agenda 1 2 3 4 Smart Machines driving Digital Transformation Smart Machines
More informationReference Architectures for Industrial Automation and Control systems
Reference Architectures for Industrial Automation and Control systems Paul Didier, Cisco Systems www.odva.org Technical Track Control Network types Isolated ngle Controller ngle Controller 10s of devices
More informationW05 High Availability for Today s Process Market
W05 High Availability for Today s Process Market Jeff Ipser Product Manager Copyright 2012 Rockwell Automation, Inc. All rights reserved. 2 Agenda High Availability Overview Controllers Networks I/O What
More informationTestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified
TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE Modified 2017-07-10 TestOut Routing and Switching Pro Outline- English 6.0.x Videos: 133 (15:42:34) Demonstrations: 78 (7:22:19) Simulations:
More informationChapter 5. Security Components and Considerations.
Chapter 5. Security Components and Considerations. Technology Brief Virtualization and Cloud Security Virtualization concept is taking major portion in current Data Center environments in order to reduce
More informationDistributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013
Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive
More informationMike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS
Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS Can You Answer These Questions? 1 What s my company s exposure to the latest industrial cyber threat? Are my plants
More informationCISCO QUAD Cisco CCENT/CCNA/CCDA/CCNA Security (QUAD)
Our Learning Exclusive Custom exam prep software and materials Exam delivery in classroom with 98% success Course specific thinqtank Learning publications to promote fun exciting learning Extended hours
More informationRequest for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )
Appendix 1 1st Tier Firewall The Solution shall be rack-mountable into standard 19-inch (482.6-mm) EIA rack. The firewall shall minimally support the following technologies and features: (a) Stateful inspection;
More informationQUOTATION CALL NOTICE
THE ODISHA STATE POLICE HOUSING & WELFARE CORPORATION LTD. (A Government of Odisha Undertaking) Letter No. 5764/OPHWC Date : 06 / 05 /2013 QUOTATION CALL NOTICE Quotations are invited from OEM for supply
More informationCertified SonicWALL Security Administrator (CSSA) Instructor-led Training
Instructor-led Training Comprehensive Services from Your Trusted Security Partner Additional Information Recommended prerequisite for the Certified SonicWALL Security Administrator (CSSA) exam Course Description:
More informationBroadcast Infrastructure Cybersecurity - Part 2
SBE Webinar Series - 2018 Broadcast Infrastructure Cybersecurity - Part 2 Wayne M. Pecena, CPBE, CBNE Texas A&M University Educational Broadcast Services KAMU FM-TV Broadcast Infrastructure Cybersecurity
More informationN-Dimension n-platform 340S Unified Threat Management System
N-Dimension n-platform 340S Unified Threat Management System Firewall Router Site-to-Site VPN Remote-Access VPN Serial SCADA VPN Proxy Anti-virus SCADA IDS Port Scanner Vulnerability Scanner System & Service
More informationNext-Generation Firewall Series Datasheet
RUIJIE NETWORKS COMPANY LIMITED www.ruijienetworks.com Ruijie 1600 Next-Generation Firewall Series Datasheet Ruijie 1600 Firewall Series is a collection of nextgeneration firewall offering security, routing
More informationTP-LINK. 24-Port Gigabit L2 Managed PoE Switch with 4 Combo SFP Slots. Overview. Datasheet TL-SG3424P.
TP-LINK TM 24-Port Gigabit L2 Managed PoE Switch with 4 Combo SFP Slots Overview The provides 24 10/100/1000Mbps ports that supports 802.3at/af-compliant PoE, with a total PoE power supply up to 320W,
More informationInternetwork Expert s CCNA Security Bootcamp. Common Security Threats
Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet
More informationDeploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels
Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels This article provides a reference for deploying a Barracuda Link Balancer under the following conditions: 1. 2. In transparent (firewall-disabled)
More informationSECURITY PRACTICES OVERVIEW
SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim
More informationCertifyMe. CertifyMe
CertifyMe Number: 642-176 Passing Score: 800 Time Limit: 120 min File Version: 8.8 http://www.gratisexam.com/ CertifyMe 642-176 Exam A QUESTION 1 Refer to the exhibit. What are the two options available
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationQUICKSTART GUIDE FOR BRANCH SRX SERIES SERVICES GATEWAYS
APPLICATION NOTE QUICKSTART GUIDE FOR BRANCH SRX SERIES SERVICES GATEWAYS Configuring Basic Security and Connectivity on Branch SRX Series Services Gateways Copyright 2009, Juniper Networks, Inc. Table
More informationUniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL
UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL Contents: UniNets CCNA Security LAB MANUAL Section 1 Securing Layer 2 Lab 1-1 Configuring Native VLAN on a Trunk Links Lab 1-2 Disabling
More informationCisco Exam Questions & Answers
Cisco 648-375 Exam Questions & Answers Number: 648-375 Passing Score: 800 Time Limit: 120 min File Version: 22.1 http://www.gratisexam.com/ Cisco 648-375 Exam Questions & Answers Exam Name: Cisco Express
More informationPrepKing. PrepKing
PrepKing Number: 642-176 Passing Score: 800 Time Limit: 120 min File Version: 9.8 http://www.gratisexam.com/ PrepKing 642-176 Exam A QUESTION 1 Refer to the exhibit. What are the two options available
More informationConnected Factory Architecture Theory and Practice
BRKIOT-2108 Connected Factory Architecture Theory and Practice Arun Siddeswaran, Solution Engineering Manager Frank Baro, Solution Architect Cisco Spark How Questions? Use Cisco Spark to communicate with
More informationSecurity with Passion. Endian UTM Virtual Appliance
Security with Passion Endian UTM Virtual Appliance Endian UTM Virtual Appliance Endian UTM Virtual Appliance: Secure and Protect your Virtual Infrastructure Whether you are securing your internal virtual
More informationCCNA Security PT Practice SBA
A few things to keep in mind while completing this activity: 1. Do not use the browser Back button or close or reload any Exam windows during the exam. 2. Do not close Packet Tracer when you are done.
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More information1- and 2-Port Fast Ethernet High-Speed WIC for Cisco Integrated Services Routers
1- and 2-Port Fast Ethernet High-Speed WIC for Cisco Integrated Services Routers The Layer 3 Cisco 1- and 2-Port Fast Ethernet High-Speed WAN interface cards (HWICs) (see Figures 1 and 2) supported on
More informationChapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it.
Chapter Three test Name: Period: CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it. 1. What protocol does IPv6 use for hardware address resolution? A. ARP
More informationOnline Services Security v2.1
Online Services Security v2.1 Contents 1 Introduction... 2 2... 2 2.1... 2 2.2... 2 2.3... 3 3... 4 3.1... 4 3.2... 5 3.3... 6 4... 7 4.1... 7 4.2... 7 4.3... 7 4.4... 7 4.5... 8 4.6... 8 1 Introduction
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 300-206 EXAM QUESTIONS & ANSWERS Number: 300-206 Passing Score: 800 Time Limit: 120 min File Version: 35.2 http://www.gratisexam.com/ Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network
More informationTG-NET S5500 series switches are the next-generation enhanced IPv6 Layer 3 Core Switches. They adopt modular design, support up to four 10GB ports,
S5500 Series L3 10G Managed Switches Overview TG-NET S5500 series switches are the next-generation enhanced IPv6 Layer 3 Core Switches. They adopt modular design, support up to four 10GB ports, can achieve
More information2. Firewall Management Tools used to monitor and control the Firewall Environment.
Firewall Review Section 1 FIREWALL MANAGEMENT & ADMINISTRATION Common management practices with regard to administering the (company) network should be in accordance with company policies and standards.
More informationASIT-33018PFM. 18-Port Full Gigabit Managed PoE Switch (ASIT-33018PFM) 18-Port Full Gigabit Managed PoE Switch.
() Introduction Description 16 * 10/100/1000M PoE ports + 2 * Gigabit SFP optical ports. L2+ function with better performance of management, safety & QoS etc. Supprt Layer 2 switching function, including
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco
More informationImplementing and Configuring the Cell/Area Zone
CHAPTER 5 Implementing and Configuring the Cell/Area Zone Overview This chapter outlines the configurations and configuration options to implement the recommendations and best practices described in Chapter
More informationn Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network
Always Remember Chapter #1: Network Device Configuration There is no 100 percent secure system, and there is nothing that is foolproof! 2 Outline Learn about the Security+ exam Learn basic terminology
More informationThe IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title.
I n t r o d u c t i o n The CCNA Security IINS exam topics have been refreshed from version 2.0 to version 3.0. This document will highlight exam topic changes between the current 640-554 IINS exam and
More informationANATOMY OF AN ATTACK!
ANATOMY OF AN ATTACK! Are Your Crown Jewels Safe? Dom Kapac, Security Evangelist WHAT DO WE MEAN BY CROWN JEWELS? Crown jewels for most organizations are critical infrastructure and data Data is a valuable
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 300-206 EXAM QUESTIONS & ANSWERS Number: 300-206 Passing Score: 800 Time Limit: 120 min File Version: 35.2 http://www.gratisexam.com/ Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network
More information