Fundamentals of Securing EtherNet/IP Networks & Practical Security Capabilities

Transcription

1 Fundamentals of Securing EtherNet/IP Networks & Practical Security Capabilities Presented by Rockwell Automation Copyright 2014 Rockwell Automation, Inc. All rights reserved.

2 2 Industrial Network Security Trends Established Industrial Security Standards International Society of Automation ISA/IEC (Formerly ISA-99) Industrial Automation and Control Systems (IACS) Security Defence-in-Depth IDMZ Deployment National Institute of Standards and Technology NIST Industrial Control System (ICS) Security Defence-in-Depth IDMZ Deployment Department of Homeland Security / Idaho National Lab DHS INL/EXT Control Systems Cyber Security: Defence-in-Depth Strategies Defence-in-Depth IDMZ Deployment

3 3 Industrial Network Security Trends No single technology, product or methodology can fully secure industrial control systems

4 Copyright 2013 Rockwell Automation, Inc. All Rights Reserved. 4 Defence-in-Depth Multiple Layers to Protect the Network and Defend the Edge Physical Security limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling, and control room. This may also include policies, procedures and technology to escort and track visitors Network Security infrastructure framework e.g. unified threat management (UTM) security appliances and integrated protection of networking assets such as switches and routers Computer Hardening patch management, antivirus software as well as removal of unused applications, protocols, and services Application Security authentication, authorization, and accounting (AAA) software Device Hardening change management, controller communication encryption, and restrictive network connectivity through authentication Policies, Procedures & Awareness Physical Network Computer Application Device

5 5 Defence-in-Depth Critical Elements to Industrial Security one-size-fits-all A balanced Industrial Security Program must address both Technical and Non-Technical Elements Non-technical controls - rules for environments: e.g. standards, policies, procedures, and risk management Technical controls technology to provide restrictive measures for non-technical controls: e.g. Firewalls, Group Policy Objects, Layer 3 access control lists (ACLs) Security is only as strong as the weakest link Vigilance and Attention to Detail are KEY to the long-term security success

6 6 Defence-in-Depth Multiple Layers to Protect the Network and Defend the Edge Policies, Procedures & Awareness risk management, implementation of security policy to support manufacturing operations, backup policy, incident reporting, etc.

7 7 Defence-in-Depth Multiple Layers to Protect the Network and Defend the Edge Physical Security limit physical access to authorized personnel: Cells/Areas, control panels, devices, cabling, and control room. This may also include policies, procedures and technology to escort and track visitors

8 8 Defence-in-Depth Physical Security Restrict Industrial Automation and Control System (IACS) access to authorised personnel only Control panels, devices, cabling, and control room Locks, gates, key cards Video Surveillance Other Authentication Devices (biometric, keypad, etc.). Block-out unused ports and lock-in used ports

9 9 Defence-in-Depth Physical Security Blockout: RJ45 USB A/B LC Lock-in Colour coded inserts

10 10 Defence-in-Depth Multiple Layers to Protect the Network and Defend the Edge Network Security infrastructure framework e.g. unified threat management (UTM) security appliances and integrated protection of networking assets such as switches and routers

11 Defence-in-Depth Network Infrastructure Access Control and Hardening Cryptographic Image HTTPS (HTTP Secure) Secure Shell (SSH) SNMPv3 Restrict Access Port Security Dynamic learning of MAC addresses ACL (Access Control List) Local Authentication through AAA Server Resiliency Layer 2 Loop Prevention Quality of Service (QoS) Minimize Impact of DDoS Attacks Disable Unnecessary Services MOP (Maintenance Operations Protocol) IP redirects Proxy ARP Attack Prevention DHCP Snooping Rogue DHCP Server Protection DHCP Starvation Protection Dynamic ARP Inspection ARP Spoofing, man-in-themiddle attack Storm Control Thresholds Denial-of-service (DoS) attack Copyright 2013 Rockwell Automation, Inc. All rights reserved. 11

12 12 Defence-in-Depth Network Infrastructure Access Control and Hardening Disable unused ports Configure port security Number of allowed MAC addresses Static vs. Dynamic MAC addresses Sticky MAC addresses Violation Action Shutdown Restrict Protect

13 15 Defence-in-Depth Access Control Lists (ACLs) Industrial IACS Zone SNMP Sweep Ping Sweep CIP Class 3 CIP Class 1 http icmp - ping CIP Class 3 icmp - ping CIP Class 3 Zone Firewall Cell/Area IACS Zone CIP Class 3 CIP Class 1 icmp - ping

14 Defence-in-Depth Access Control Lists (ACLs) Action Protocol Source Destination and Mask Port Permit ICMP Any Permit TCP Any (WWW) Permit TCP Any (SSL) Permit UDP Any (SNMP) Permit UDP Any (SNMPTRAP) Permit TCP Any (SNMPTRAP) Deny IP Any Any All ACLs have an implied Deny Any Any at the end Any traffic not specifically allowed will be dropped Does not inspect traffic TCP/UDP Ports Used by Rockwell Automation Products Copyright 2013 Rockwell Automation, Inc. All rights reserved. 16

15 17 Defence-in-Depth Cisco / Rockwell Automation CPwE Reference Architectures Flat and Open IACS Network Infrastructure Flat and Open IACS Network Infrastructure Structured and Hardened IACS Network Infrastructure

16 18 Architectural Security Framework VLANs, Segmenting Domains of Trust Plant-wide IACS VLAN 40 IP Subnet /24 Plant-wide IACS VLAN 40 IP Subnet /24 Plant-wide IACS Stratix 8300 Plant-wide IACS Stratix 8300 Layer 3 Ring Ring Stratix 8000 Stratix 8000 Stratix 8000 Stratix 8000 Machine #1 OEM #1 Machine #2 OEM #2 Machine #1 OEM #1 Machine #2 OEM #2 Layer 2 Layer 2 Layer 2 Flat and Open IACS Network Infrastructure Machine #1 (OEM #1) VLAN 20 IP Subnet /24 Machine #2 (OEM #2) VLAN 30 IP Subnet /24 Structured and Hardened IACS Network Infrastructure

17 19 Architectural Security Framework Network Device Resiliency Distribution switches typically provide first hop (default gateway) redundancy StackWise (3750X), stack management Hot Standby Router Protocol (HSRP) Virtual Router Redundancy Protocol (VRRP) Gateway Load Balancing Protocol (GLBP) Catalyst 3750x Switch Stack Catalyst 3560 HSRP HSRP Active Standby

18 Stratix 8000 & 8300 Layer 2 & Layer 3 Modular Managed Configurable up to 26 ports Base Unit - 6 or 10 port Expansion Modules Cooper, Fiber, SFP & PoE extensions SFP for multi & single mode fiber Wide variety of SFPs available Power over Ethernet (PoE) PoE & PoE+ port configurable CompactFlash card Stores configuration and IOS for easy device replacement Advanced feature set to address: EtherNet/IP applications Security Resiliency & Redundancy Operating Temp: -40ºC to 60ºC Dual Purpose Uplink Ports 10/100/1000 Copper or SFP Data Ports 10/100 Copper SFP Fiber Transceiver 100M and 1G Multimode and Singlemode Copper, fiber, SFP & PoE Expansion Modules Ideal for connecting into a higher level of the network infrastructure architecture Copyright 2013 Rockwell Automation, Inc. All rights reserved.

19 Stratix 5700 Family Layer 2 Managed Fixed Port 3 base platforms offering 20 configurations 6, 10 & 20 port base units 2 Gig port option SFP slots support multi & single mode fiber Wide variety of SFPs available SecureDigital flash card (optional) Stores configuration and IOS of switch Two software packages Lite & Full software versions Advanced feature set Same feature set as the Stratix 8000 Integrated NAT functionality Simple static routing *Combo ports can be either copper or SFP SD card for backup Ideal for connecting machines into the plant networks Converged Networks Copyright 2013 Rockwell Automation, Inc. All rights reserved.

20 Scalable Network Security Framework One Size Does Not Fit All Enterprise-wide Network Enterprise-wide Network Enterprise-wide Network Enterprise-wide Network Plant-wide Network Switch with VLANs Plant-wide Network Plant-wide Network Plant-wide Network Figure 1 Not Recommended Figure 2 Recommended Depends. based on customer standards, security policies and procedures, risk tolerance, and alignment with IACS Security Standards Figure 3 Figure 4 Enterprise-wide Network Enterprise-wide Network Enterprise-wide Network Router (Zone Based FW) Firewall IDMZ Plant-wide Network Plant-wide Network Plant-wide Network Good Figure 5 Better Figure 6 Best Figure 7 Copyright 2013 Rockwell Automation, Inc. All rights reserved. 22

21 Network Security Framework Industrial Demilitarized Zone (IDMZ) Set-up functional sub-zones in the IDMZ to segment access to data and services (e.g. Partner zone, Operations, IT) Trusted? Untrusted? Enterprise Zone Disconnect Point Terminal Services Patch Management AV Server Multiple Functional Subzones IDMZ No Direct Traffic Historian Mirror Web Services Operations Application Server Industrial Zone Trusted Disconnect Point Copyright 2013 Rockwell Automation, Inc. All rights reserved. 26

22 Stratix 5900 Layer 2 & Layer 3 Services Router Premiere routing and security services for Layer 2 or Layer 3 Router + Firewall Virtual Private Network (VPN) Network Address Translation (NAT) Access Control Lists (ACL) Intrusion Prevention Systems (IPS) Connections: 1 Gigabit WAN 4 Fast Ethernet Industrially hardened, DIN rail mountable Ideal for Site to Site Connections, Cell/Zone Area Firewall & OEM Integration Ideal for helping protect communications through secure channels & restricting unwanted communications by policy and inspection Copyright 2013 Rockwell Automation, Inc. All rights reserved.

23 28 Architectural Security Framework Unified Threat Management Stratix Services Router Enterprise-wide Business Systems Levels 4 & 5 Data Center Enterprise Zone Level IDMZ Plant-wide Site-wide Operation Systems Level 3 - Site Operations Physical or Virtualized Servers Industrial Zone FactoryTalk Application Servers & Services Platform Network Services e.g. DNS, AD, DHCP, AAA Remote Access Server (RAS) Call Manager Storage Array Site-to-Site Connection Stratix ) Site-to-Site Connection Stratix ) Cell/Area Zone Firewall Stratix ) OEM Integration Levels 0-2 Cell/Area Zones Remote Site #1 Local Cell/Area Zone #1 Local OEM Skid / Machine #1

24 29 Defence-in-Depth Multiple Layers to Protect the Network and Defend the Edge Computer Hardening patch management, anti-x software, removal of unused applications/protocols/services, closing unnecessary logical ports, protecting physical ports

25 Defence-in-Depth Computer Hardening: Patch Management Security Patch Management - establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches Keep computers up-to-date on service packs and hot fixes Disable automatic updates Check software vendor website Test patches before implementing Schedule patching during downtime Deploy and maintain Anti-X (e.g. - virus, spyware, malware) software Disable automatic updates and automatic scanning Test definition updates before implementing Schedule manually initiated scanning during downtime Uninstall unused Windows components Protocols and Services Protect unused or infrequently used USB, parallel or serial interfaces Copyright 2013 Rockwell Automation, Inc. All rights reserved. 30

26 31 Defence-in-Depth Computer Hardening: Microsoft Patch Management White paper Computer System Security Updates: Why patch your computers? Microsoft Patch Qualification for Rockwell Automation software products *TechConnect support contract required

27 32 Defence-in-Depth Computer Hardening: Security Advisory Index RA Knowledgebase Answer ID# Summary and links to RA Security-related Disclosures relating to RA products Page updated as new articles added to Knowledgebase Updates to page can be pushed to subscribers Recommendation: Register account on KB Subscribe to article #54102 as Add to My Favorite

28 33 Defence-in-Depth Multiple Layers to Protect the Network and Defend the Edge Application Security authentication, authorization and accounting (AAA) software

29 34 Application Access Control: FactoryTalk Security Use FactoryTalk Security to Manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation software applications to access automation devices How does it work? Provides a centralized authority to verify identity of each user and grants or deny user's requests to perform a particular set of actions on resources within the system. FactoryTalk Directory Authenticate the User Authorize Use of Applications Authorize Access to Specific Devices (All FactoryTalk Security enabled software)

30 35 Application Access Control: FactoryTalk Security Administrators can manage User Accounts Windows FactoryTalk User Groups Custom group or role Windows Group Computers Computer Groups System Policies Product Policies Product Actions

31 36 FactoryTalk Overview

32 37 Trusted FactoryTalk Security Authority Security Authority ID = 795D5EF ID = A73R5CG Security Authority PC #1 PC #2 ID= 795D5EF-12.. Logix 5000 Project ID = 795D5EF-12 Logix 5000 Project Security Administration FactoryTalk Services Security Administration FactoryTalk Services ID s Match EtherNet/IP ID s Don t Match

33 38 Securing Logix5000 Projects and Controllers Secure both RSLogix 5000 project files and Bind Programmable Automation Controller (PAC) hardware resources to the FactoryTalk Directory.

34 39 Defence-in-Depth Device Hardening Device Hardening change management, communication encryption, and restrictive access through authentication

35 40 Defence-in-Depth Device Hardening Change controller mode to RUN via key / switch

36 Tamper Detection: Firmware Digital Signatures How they re being introduced New products have their firmware digitally signed from day 1 (L7x, Micro 800 ) Digitally signed versions of existing products released as feasible (EN2T, DNB ) Purpose of digital signature Protect firmware from accidental and malicious corruption Ensure firmware was generated by Rockwell Automation How they work Rockwell Automation digitally signs firmware kits with a private key when they are released Devices locally check the signature with a corresponding public key Any change to the firmware kit will cause the signature check to fail in device

37 42 Content Protection: Source Protection Assign a password to any Routine or Add-On Instruction

38 43 Defence-in-Depth Controller Hardening - Source Protection Electronic design - Logix Controller Source Protection Source Protection to lock down Add-On Instruction Viewing can be permitted if desired Source Key values are obfuscated in Studio 5000 Source Keys can also be named. The name is displayed in place of the Source Key value

39 Tamper Detection: Controller Change Detection Every Logix Controller exposes a Change Detection Audit Value When something happens that can impact the behavior of the controller, the value changes Audit Value is available in RSLogix 5000, in other software applications and in other controllers via Message instruction The set of events that causes the Audit Value to change can be configured Copyright 2013 Rockwell Automation, Inc. All rights reserved. 44

40 Tamper Detection: Controller Change Detection The Audit Value is stored in every Controller Log entry FactoryTalk AssetCentre (in version 4.1), can monitor the Audit Value and read in the Controller Log Copyright 2013 Rockwell Automation, Inc. All rights reserved. 45

41 46 Tamper Detection: FactoryTalk AssetCentre Auditing Centrally collect records of all interactions with the control system

42 Tamper Detection: High Integrity Add-on Instructions High Integrity AOIs allows you to generate a signature for an AOI definition Use High Integrity AOIs to: Address the needs of regulated industries for auditing purposes Life Sciences, Food and Beverage, and others Maintain consistency and revision control in libraries

43 Application Access Control: Data Access Control Users can assign External Access settings of Read/Write, Read Only, or None to tags Useful to control which tags can be modified from an HMI or other external application A cryptographically licensed trusted connection is established between RSLogix TM 5000 and the Logix controller Ensures the External Access attribute can only by changed by RSLogix 5000 Who can use RSLogix 5000 to change this attribute controlled by FactoryTalk Security Users can also define tags as Constants Constants can not be modified by controller logic Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2013 Rockwell Automation, Inc. All rights reserved. 48

44 49 Architectural Security Framework Controller Hardening Encrypted Communications

45 EN2TSC ControlLogix Secure Communications Module Network hardening Control physical access Enables secure communications down to the controller chassis Create a secure link from a ControlLogix chassis to An engineering or HMI workstation A Services Router, like the Stratix 5900 Another ControlLogix chassis for secure controller-to-controller messaging

46 51 Architectural Security Framework Controller Hardening Encrypted Communications

47 52 Architectural Security Framework Controller Hardening Trusted Slot Designation Trusted Slot Designation

48 53 Architectural Security Framework Controller Hardening Encrypted Communications Enterprise-wide Business Systems Levels 4 & 5 Data Center Enterprise Zone Level IDMZ 2b) IPsec tunnel from 1756-EN2TSC module to Cisco ASA Firewall IPsec tunnel from ASA Firewall to Windows Server 2008 Plant-wide Site-wide Operation Systems Level 3 - Site Operations Physical or Virtualized Servers Industrial Zone FactoryTalk Application Servers & Services Platform Network Services e.g. DNS, AD, DHCP, AAA Remote Access Server (RAS) Call Manager Storage Array 2a) IPsec tunnel from 1756-EN2TSC module to Windows Server ) IPsec tunnel between two EN2TSC modules 2b 1 2a 3 Workstation 3) L2TP tunnel from Windows 7 client to 1756-EN2TSC module Levels 0-2 Cell/Area Zones 1756-EN2TSC 1756-EN2TSC UTM Local Cell/Area Zone #1 Local Cell/Area Zone #2 Local Cell/Area Zone #3

49 54 What Can You Do to Mitigate Risk? Educate and create Awareness in your organization Align with Industrial Automation and Control System Security Standards DHS External Report # INL/EXT , NIST , ISO/IEC (Formerly ISA-99) Implement Defence-in-Depth approach: no single product, methodology, nor technology fully secures IACS Establish Open Dialog between Production, Engineering, IT and Rockwell Automation (Incident Response Sharing) Establish an Industrial DMZ between the Enterprise and Industrial Zones Work with trusted partners knowledgeable in automation & security "Good enough" security now, is better than "perfect" security...never. (Tom West, Data General)

50 What Can You Do Now to Mitigate Risk? Practice these 8 Simple, Actionable Steps to enhance industrial reliability and security: 1. Control who has network access 2. Employ firewalls and intrusion detection/prevention 3. Use Anti Virus Protection and patch your system 4. Manage & protect your passwords 5. Turn the processor key(s) to the Run Mode 6. Utilize features embedded in Rockwell Automation products today (example: FactoryTalk Security) 7. Develop a process to manage removable media 8. Block access ports (example: key connectors)

51 Additional Material Industrial Security Resources Assessment Services Security Technology Security FAQ Security Services Leadership & Standards Security Resources Security Advisory Index MS Patch Qualification Reference Architectures Assessment Services Copyright 2013 Rockwell Automation, Inc. All rights reserved. 56

52 57 Additional Resources (from literature.rockwellautomation.com) Design Guides Converged Plant-wide Ethernet (CPwE) Whitepapers Top 10 Recommendations for Plant-wide EtherNet/IP Deployments Securing Manufacturing Computer and Controller Assets Production Software within Manufacturing Reference Architectures Achieving Secure Remote Access to plant-floor Applications and Data Design Considerations for Securing Industrial Automation and Control System Networks Manuals Logix 5000 Controllers Security Programming Manual

53 Copyright 2014 Rockwell Automation, Inc. All rights reserved.