T22 - Industrial Control System Security


T22 - Industrial Control System Security PUBLIC Copyright 2017 Rockwell Automation, Inc. All Rights Reserved. 1

Holistic Approach: A secure application depends on multiple layers of protection, and industrial security must be implemented as a system.
Defense in Depth: Shield targets behind multiple levels of security countermeasures to reduce risk.
Openness: Consideration for participation of a variety of vendors in our security solutions.
Flexibility: Able to accommodate a customer's needs, including policies & procedures.
Consistency: Solutions that align with Government directives and Standards Bodies.
PUBLIC Copyright 2018 Rockwell Automation, Inc. All Rights Reserved.

The Approach
Strategic
- Develop an OT cyber security program
- Adopt an industry framework
- Understand business drivers and risk tolerances to drive target profiles
- Conduct assessments to develop an understanding of gaps
- Create an improvement plan to drive the tactical approach
Tactical
- Execute on filling gaps as defined and prioritized in the strategic approach
- Use validated designs and architectures
- Implement pre-engineered infrastructure and software solutions to achieve targets

Methodology
Securing your operations environments with a risk-based approach

ISA/IEC 62443
Certified Products, Systems and System Delivery
- Series of standards that define procedures for implementing electronically secure industrial automation and control systems (IACS).
- Applies to those responsible for designing, manufacturing, implementing, or managing industrial control systems:
  - End-users (for example, asset owner)
  - System integrators
  - Security practitioners
  - ICS product/systems vendors

Recent Events
- Frequency of malware attacks is rapidly increasing
- Phishing attacks are the #1 delivery mechanism
- Increasing levels of adaption and scalability
https://www.wired.com/story/crash-override-malware/
https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/

Typical Access Points
- Remote access
- Modems
- Business system connectivity
- USB and portable media
- Mobile PCs and devices
(Diagram levels: L4, IDMZ, L3, L2, L0/1)
People are the weakest link!

Our Plan of Attack
- Secure the infrastructure
- Harden the endpoints
- Detect and monitor

Secure Infrastructure
1. Establish the perimeter
2. Harden the interior
3. Prevent & contain

Secure Network Infrastructure
Validated Architectures
Help achieve infrastructure security through a common, validated system architecture leveraging the Stratix portfolio and Cisco security solutions.
Design and Implementation Guides:
- Converged Plantwide Ethernet (CPwE) Design and Implementation Guide
- Segmentation Methods within the Cell/Area Zone
- Securely Traversing IACS Data Across the Industrial Demilitarized Zone
- Deploying Identity Services within a Converged Plantwide Ethernet Architecture
- Site-to-site VPN to a Converged Plantwide Ethernet Architecture
- Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture
(Figure labels: Identity Services Engine; Adaptive Security Appliances)
Download these and more at: http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page

The Stratix Portfolio
Integrating Industrial and Enterprise Environments
- Leverage managed switches to build out robust networks that can manage ACLs, VLANs, and QoS policies
- Implement industrial firewalls (Stratix 5950) to isolate critical systems

Connectivity Considerations
Data Diodes for more secure one-way data transfer
- Enables data to move out of control system networks without allowing any data in, for:
  - View-only OPC
  - View-only screen sharing
  - Historian replication
  - Backups
- Allow tightly controlled movement of data into control system networks for needed files, patches and software updates

Connectivity Considerations
Network segmentation using private overlay networks on top of untrusted infrastructure
- Private networks can be mapped to users and/or devices
- Requires no changes to existing infrastructure
- Leverages HIPswitches and a centralized HIPConductor

Harden the Endpoints
1. User access control for endpoints and applications
2. Authorize appropriate software and devices
3. Establish a patching procedure

Hardened PCs and Servers
System Infrastructure Configuration User Manual:
- Infrastructure: domain controller, Active Directory, Windows management and Windows group policies with recommendations (e.g. USB use policies, password complexity, time sync, etc.)
  - WSUS for OS patch management coming soon!
- Application user authentication with FactoryTalk Security
  - Prescribed role-based policies (maintenance, operator, admin, etc.)
  - Area-based security models
Download the manual at: http://literature.rockwellautomation.com/idc/groups/literature/documents/um/proces-um001_-en-p.pdf

Application Whitelisting
Symantec embedded security: critical system protection
- Great for helping to protect PCs that can't be frequently updated
- Completely policy driven, no signatures
- Features include:
  - Application whitelisting
  - Sandboxing
  - Host firewall
  - File protection
  - Monitoring, and more

User Access Control and Authorization
FactoryTalk Security
- Provides a centralized authority to verify identity of each user
  - Active Directory integration
  - Disconnected environment support
- Grants or denies a user's requests to perform a particular set of actions on resources within the system
  - Authenticate the user
  - Authorize use of applications
  - Authorize configuration access to controllers
- New in version 28:
  - Temporary Privilege Escalation
  - Guest User Access
  - Reusable Permission Sets (Routines, Add-On Instruction, and Tags)
  - Secondary Security Authority

Asset Inventory & Patch Management
FactoryTalk AssetCentre
- Reduce the time it takes to get lifecycle information
- Export the asset inventory to Product Compatibility and Download Center (PCDC)

Disaster Recovery
FactoryTalk AssetCentre
1. Compares image or code to master file in archive
2. Detects differences & generates an event to FactoryTalk AssetCentre
3. Email containing difference report sent to users
(Figure: Version 10 vs. Version 11)
When a difference is detected, Disaster Recovery can optionally be configured to create a new archive version.

Detection and Monitoring
1. Alert on anomalous behavior
2. Identify known threats
3. Provide an audit trail to support analysis
4. Measure on-going compliance to policy

Network Security Appliances
Stratix 5950 Security Appliance
- Strategic collaboration between Cisco and Rockwell Automation
- Based on recognized and proven technologies
  - Adaptive security appliance for firewall and VPN
  - SourceFire FirePower for inspection and detection
- Enhanced with OT context of protocols, behaviors, and features
Key Features:
- Deep Packet Inspection for ICS protocols
- Threat & application update service
- DIN rail mount
- Connectivity Options:
  - (4) 1Gig Copper
  - (2) 1Gig Copper and (2) SFP
- Industrially-hardened

Managed Anomaly Detection
(Diagram labels: Centrally Managed Services; Individually Managed Site Appliance; Line 1, Line 2, Line 3; Security and Operational Alerts and Events; 24x7 Monitoring and Response by Trained IT/OT Professionals; IT Assets; OT Assets; Asset Monitoring; Security and Operational Monitoring)
Capabilities
- Comprehensive asset inventorying
- Passive network monitoring
- Vendor and protocol agnostic
- Deep network analysis
- Behavioral anomaly detection
- Active change detection
- Alert on operational and security events
- Incident response services
Benefits
- Continuous monitoring without interrupting production
- Single solution for many ICS vendors
- Collect information on how assets are configured, communicate and change
- Discover issues with full visibility of ICS networks
- Validate operational tasks to reduce risk, and maintain process integrity
- Near real-time detection of cyber threats
- Recover from security incidents with highly-trained professionals
- Reduce risk of downtime with 24x7 response

Compliance and Reporting
Tripwire Configuration Compliance Manager (CCM)
- Audit industrial automation networks and controllers for more secure and approved configurations
- Identify unauthorized changes, configuration hardening errors and security vulnerabilities
- Layer on top of a standard implementation of FactoryTalk AssetCentre for greater visibility into industrial automation applications

Industrial Security Landing Web Page
- Services
- Security Resources
- Security Technology
- Security Advisory Index
- Security FAQ
- Reference Architectures
- Microsoft Patch Qualification
http://rockwellautomation.com/security
secure@ra.rockwell.com

Thank You!
www.rockwellautomation.com