T22 - Industrial Control System Security
PUBLIC. Copyright 2017 Rockwell Automation, Inc. All Rights Reserved.
Holistic Approach
A secure application depends on multiple layers of protection, and industrial security must be implemented as a system.
- Defense in Depth: shield targets behind multiple levels of security countermeasures to reduce risk
- Openness: consideration for participation of a variety of vendors in our security solutions
- Flexibility: able to accommodate a customer's needs, including policies and procedures
- Consistency: solutions that align with government directives and standards bodies
The Approach
Strategic:
- Develop an OT cyber security program
- Adopt an industry framework
- Understand business drivers and risk tolerances to drive target profiles
- Conduct assessments to develop an understanding of gaps
- Create an improvement plan to drive the tactical approach
Tactical:
- Execute on filling gaps as defined and prioritized in the strategic approach
- Use validated designs and architectures
- Implement pre-engineered infrastructure and software solutions to achieve targets
Methodology
Securing your operations environments with a risk-based approach
ISA/IEC 62443: Certified Products, Systems and System Delivery
A series of standards that define procedures for implementing electronically secure industrial automation and control systems (IACS). It applies to those responsible for designing, manufacturing, implementing, or managing industrial control systems:
- End users (for example, asset owners)
- System integrators
- Security practitioners
- ICS product/system vendors
Recent Events
- The frequency of malware attacks is rapidly increasing
- Phishing attacks are the #1 delivery mechanism
- Increasing levels of adaptation and scalability
https://www.wired.com/story/crash-override-malware/
https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/
Typical Access Points
(Diagram: access points plotted against the network levels Level 4, IDMZ, Level 3, Level 2 and Level 0/1)
- Remote access
- Modems
- Business system connectivity
- USB and portable media
- Mobile PCs and devices
People are the weakest link!
Our Plan of Attack
- Secure the infrastructure
- Harden the endpoints
- Detect and monitor
Secure Infrastructure
1. Establish the perimeter
2. Harden the interior
3. Prevent and contain
Secure Network Infrastructure: Validated Architectures
Help achieve infrastructure security through a common, validated system architecture leveraging the Stratix portfolio and Cisco security solutions.
Design and Implementation Guides:
- Converged Plantwide Ethernet (CPwE) Design and Implementation Guide
- Segmentation Methods within the Cell/Area Zone
- Securely Traversing IACS Data Across the Industrial Demilitarized Zone
- Deploying Identity Services within a Converged Plantwide Ethernet Architecture
- Site-to-site VPN to a Converged Plantwide Ethernet Architecture
- Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture
(Product logos: Cisco Identity Services Engine, Adaptive Security Appliances)
Download these and more at: http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page
The Stratix Portfolio: Integrating Industrial and Enterprise Environments
- Leverage managed switches to build out robust networks that can manage ACLs, VLANs, and QoS policies
- Implement industrial firewalls (Stratix 5950) to isolate critical systems
Connectivity Considerations: Data Diodes
Data diodes provide more secure one-way data transfer. They enable data to move out of control system networks without allowing any data in, for:
- View-only OPC
- View-only screen sharing
- Historian replication
- Backups
They also allow tightly controlled movement of data into control system networks for needed files, patches and software updates.
Connectivity Considerations: Network Segmentation
Network segmentation using private overlay networks on top of untrusted infrastructure:
- Private networks can be mapped to users and/or devices
- Requires no changes to existing infrastructure
- Leverages HIPswitches and a centralized HIPConductor
Harden the Endpoints
1. User access control for endpoints and applications
2. Authorize appropriate software and devices
3. Establish a patching procedure
Hardened PCs and Servers
System Infrastructure Configuration User Manual:
- Infrastructure: domain controller, Active Directory, Windows management and Windows group policies with recommendations (e.g. USB use policies, password complexity, time sync, etc.)
- WSUS for OS patch management (coming soon!)
- Application user authentication with FactoryTalk Security
- Prescribed role-based policies (maintenance, operator, admin, etc.)
- Area-based security models
Download the manual at: http://literature.rockwellautomation.com/idc/groups/literature/documents/um/proces-um001_-en-p.pdf
Application Whitelisting
Symantec Embedded Security: Critical System Protection
- Great for helping to protect PCs that can't be frequently updated
- Completely policy driven, with no signatures
Features include:
- Application whitelisting
- Sandboxing
- Host firewall
- File protection
- Monitoring, and more
User Access Control and Authorization: FactoryTalk Security
Provides a centralized authority to verify the identity of each user:
- Active Directory integration
- Disconnected environment support
Grants or denies users' requests to perform a particular set of actions on resources within the system:
- Authenticate the user
- Authorize use of applications
- Authorize configuration access to controllers
New in version 28:
- Temporary Privilege Escalation
- Guest User Access
- Reusable Permission Sets (Routines, Add-On Instructions, and Tags)
- Secondary Security Authority
Asset Inventory and Patch Management: FactoryTalk AssetCentre
Reduce the time it takes to get lifecycle information: export the asset inventory to the Product Compatibility and Download Center (PCDC).
Disaster Recovery: FactoryTalk AssetCentre
(Diagram: archived Version 10 compared against Version 11 on the device)
1. Compares the image or code to the master file in the archive
2. Detects differences and generates an event to FactoryTalk AssetCentre
3. Email containing the difference report is sent to users
When a difference is detected, Disaster Recovery can optionally be configured to create a new archive version.
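The three-step compare-to-master workflow above, worked as an added example (not Rockwell's or AssetCentre's code): a hypothetical in-memory archive stands in for the AssetCentre archive, the "device upload" is a constructed routine export, and the difference report is the text that step 3 would e-mail; the optional new-archive-version behaviour is the `auto_archive` flag.

```python
# Added example, not AssetCentre code. Archive and the routine texts are constructed
# stand-ins; hash comparison plus a unified diff reproduces the slide's three steps.
import difflib
import hashlib
from dataclasses import dataclass, field


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class Archive:
    """Hypothetical archive: list of (version, text, sha256), newest is the master."""
    versions: list = field(default_factory=list)

    def add(self, text: str) -> int:
        version = len(self.versions) + 1
        self.versions.append((version, text, sha256(text)))
        return version

    def master(self):
        return self.versions[-1]


def compare_to_master(archive: Archive, device_text: str, auto_archive: bool = False) -> dict:
    """Step 1: compare the device upload to the archived master by hash.
    Step 2: on mismatch, raise a DifferenceDetected event carrying a diff report.
    Step 3: the report is what gets e-mailed; optionally archive the new version."""
    version, master_text, master_hash = archive.master()
    device_hash = sha256(device_text)
    event = {"master_version": version, "difference": device_hash != master_hash}
    if not event["difference"]:
        return event
    diff = difflib.unified_diff(master_text.splitlines(), device_text.splitlines(),
                                fromfile=f"archive v{version}", tofile="device", lineterm="")
    event.update(type="DifferenceDetected", master_sha256=master_hash,
                 device_sha256=device_hash, report="\n".join(diff))
    # Optional behaviour from the slide: create a new archive version on difference.
    event["new_version"] = archive.add(device_text) if auto_archive else None
    return event


# Constructed sample: the device has an extra rung the archived master does not.
MASTER = "ROUTINE MainRoutine\nRung 0: XIC Start OTE Motor\nRung 1: XIC Stop OTU Motor\nEND"
DEVICE = "ROUTINE MainRoutine\nRung 0: XIC Start OTE Motor\nRung 1: XIC Stop OTU Motor\nRung 2: OTE Bypass\nEND"

if __name__ == "__main__":
    archive = Archive()
    archive.add(MASTER)
    print(compare_to_master(archive, DEVICE, auto_archive=True)["report"])
```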
Detection and Monitoring
1. Alert on anomalous behavior
2. Identify known threats
3. Provide an audit trail to support analysis
4. Measure ongoing compliance to policy
Network Security Appliances: Stratix 5950 Security Appliance
A strategic collaboration between Cisco and Rockwell Automation, based on recognized and proven technologies:
- Adaptive Security Appliance for firewall and VPN
- Sourcefire FirePOWER for inspection and detection
- Enhanced with OT context of protocols, behaviors, and features
Key Features:
- Deep Packet Inspection for ICS protocols
- Threat and application update service
- DIN rail mount
- Industrially hardened
Connectivity Options:
- (4) 1 Gig copper
- (2) 1 Gig copper and (2) SFP
Managed Anomaly Detection
(Diagram: centrally managed services versus an individually managed site appliance; the site appliance monitors Line 1, Line 2, Line 3, IT assets and OT assets, feeding security and operational alerts and events to 24x7 monitoring and response by trained IT/OT professionals; asset monitoring; security and operational monitoring)
Capabilities:
- Comprehensive asset inventorying
- Passive network monitoring
- Vendor and protocol agnostic
- Deep network analysis
- Behavioral anomaly detection
- Active change detection
- Alert on operational and security events
- Incident response services
Benefits:
- Continuous monitoring without interrupting production
- Single solution for many ICS vendors
- Collect information on how assets are configured, communicate and change
- Discover issues with full visibility of ICS networks
- Validate operational tasks to reduce risk and maintain process integrity
- Near real-time detection of cyber threats
- Recover from security incidents with highly trained professionals
- Reduce risk of downtime with 24x7 response
Compliance and Reporting: Tripwire Configuration Compliance Manager (CCM)
- Audit industrial automation networks and controllers for more secure and approved configurations
- Identify unauthorized changes, configuration hardening errors and security vulnerabilities
- Layer on top of a standard implementation of FactoryTalk AssetCentre for greater visibility into industrial automation applications
Industrial Security Landing Web Page
- Services
- Security Resources
- Security Technology
- Security Advisory Index
- Security FAQ
- Reference Architectures
- Microsoft Patch Qualification
http://rockwellautomation.com/security
secure@ra.rockwell.com
Thank You!
www.rockwellautomation.com