Network Architectural Design for Cybersecurity in a Virtual World

Transcription

1 Network Architectural Design for Cybersecurity in a Virtual World Standards Certification Education & Training Publishing Conferences & Exhibits Kenneth Frische aesolutions 2016 ISA Water / Wastewater and Automatic Controls Symposium August 2-4, 2016 Orlando, Florida, USA

2 Kenneth Frische Industrial Cyber Security Principal at aesolutions 28 years of IT & OT experience Contributed to NIST and ISA cyber security standards Titles / credentials? School & degree? Aug 2-4, 2015 Orlando, Florida, USA 2

3 Presentation Outline NIST and ISA Series Cybersecurity Standards (quick view) OT Cyber Assessment (to ISA/IEC Standards) What If? Deliverable: Network Architectural Design Deliverable: Zones and Conduits Model We virtualize some of the devices in the Network Architectural Design Review issues Review Options Documentation Fixing the Zones and Conduits Model Questions and Discussion Aug 2-4, 2015 Orlando, Florida, USA 3

4 NIST Cybersecurity Framework Common Terminology Mapping your CSMS Aug 2-4, 2015 Orlando, Florida, USA 4

5 ISA Series Cybersecurity Standards Aug 2-4, 2015 Orlando, Florida, USA 5

6 Presentation Scope NIST Cybersecurity Framework: Protect and Recover ISA Standards ( ): Security Risk Assessment and System Design Aug 2-4, 2015 Orlando, Florida, USA 6

7 Sample Physical Network Architecture Level 4+ Level 3.5 DMZ Historian Antivirus Patch Mgmt Web Reporting Workstations Domain Controllers Supervisory Control Network (Levels 2 & 3) Development HMI Operator Stations Database Server Application Server Terminal Server Level 1.5 DMZ I/O Server(s) Control Network (Levels 0 & 1) Non TCP/IP based (serial) PLC Network PLCs Aug 2-4, 2015 Orlando, Florida, USA 7

8 Zones Level 4+ Level 3.5 DMZ Historian Antivirus Patch Mgmt Web Reporting Workstations Domain Controllers Supervisory Control Network (Levels 2 & 3) Development HMI Operator Stations Database Server Application Server Terminal Server Level 1.5 DMZ I/O Server(s) Control Network (Levels 0 & 1) Non TCP/IP based (serial) PLC Network PLCs Aug 2-4, 2015 Orlando, Florida, USA 8

9 Challenge Scenario: Decision made to virtualize all of the OT servers - IT currently manages the Domain Controllers in the OT DMZ - Database Server only needs data flow to the Application Server How can we apply the NIST Framework and the ISA Series Zones and Conduits model to the architectural design of our process control systems so as to enable safe, secure, and high performance operations? Aug 2-4, 2015 Orlando, Florida, USA 9

10 Standards and Best Practices (a few of them anyway) Network Architecture: DMZ between Purdue Model levels Zones and Conduits Model VM Management and Architecture: Locate Redundant VMs on separate Hardware Separation of Duties (IT vs OT); separate hosts Separation by Purdue Model and Zone Document the VM Architectures Aug 2-4, 2015 Orlando, Florida, USA 10

11 VM Architecture - what is possible? VM Host Domain Controller 1 VM ISA Level 3.5 Level 4+ Historian VM Antivirus VM Patch Mgmt VM Web Reporting VM Database Server VM Application Server VM ISA Level 2 Terminal Server VM I/O Server & Store and Forward VM ISA Level 1.5 Aug 2-4, 2015 Orlando, Florida, USA 11

12 VM Architecture A better way Level 4+ VM Host Domain Controller 1 VM ISA Level 3.5 Historian VM VM Host Antivirus VM Patch Mgmt VM Web Reporting VM VM Host Database Server VM Application Server VM Terminal Server VM ISA Level 2 VM Host I/O Server & Store and Forward VM ISA Level 1.5 Aug 2-4, 2015 Orlando, Florida, USA 12

13 VM Architecture - Redundancy Aug 2-4, 2015 Orlando, Florida, USA 13

14 VM Architecture Serial Networks Aug 2-4, 2015 Orlando, Florida, USA 14

15 Our Combined Architectural Design Level 4+ Level 3.5 DMZ Workstations Supervisory Control Network (Level 2 & 3) Level 1.5 DMZ I/O Server(s) Development HMI Operator Stations Control Network Non TCP/IP based (serial) PLC Network Aug 2-4, 2015 Orlando, Florida, USA 15 PLCs

16 Remember.every environment is different Aug 2-4, 2015 Orlando, Florida, USA

17 Questions and Discussion Kenneth Frische ( frish ) has over 28 years of experience in providing IT & OT Solutions for Military, Oil & Gas, Pharma, Food & Beverage, Packaging, Chemical, Water/Wastewater, Discrete Manufacturing, Supply Chain Logistics, and Correctional Facilities. From hands-on coding to management and consulting, Kenneth Frische has worn many hats to include: IT Director, Solutions Architect, Enterprise Architect, Project Manager, Req/Tech Spec Writer, and Programmer Lead. Kenneth.Frische@aesolns.com His domain expertise includes Process Control and HMI Systems Design and Development, MES integration, Database Management and Design, Business Intelligence / Data Analytics, Business Process Improvement, and Data Warehousing. Kenneth Frische has contributed to both NIST and ISA Cyber Security standards and currently provides Cyber Risk Assessment, Solutions Design services, cyber consulting, and ISA Series training as a member of the Cyber Security Services department at aesolutions. Aug 2-4, 2015 Orlando, Florida, USA 17

18 Discussion Example #1 Aug 2-4, 2015 Orlando, Florida, USA 18