T31 Improving Industrial Security and Robustness for Industrial Control Systems (ICS)

Similar documents
Fundamentals of Securing EtherNet/IP Networks & Practical Security Capabilities

Cisco & Rockwell Automation Alliance. Mr. Gary Bundoc Solutions Architect Rockwell Automation Phil Inc.

T14 - Network, Storage and Virtualization Technologies for Industrial Automation. Copyright 2012 Rockwell Automation, Inc. All rights reserved.

T22 - Industrial Control System Security

Quick Start Guide. FactoryTalk Security System Configuration Guide

Virtual Support Engineer

AB Drives. T4 - Process Control: Virtualization for Manufacturing. Insert Photo Here Anthony Baker. PlantPAx Characterization & Lab Manager

TM01 - Developing Machines for the Fourth Industrial Revolution

FactoryTalk AssetCentre Overview

Using Virtualization in Manufacturing Industries to Improve the Utilization and Availability of Resources and Applications

Virtual Support Engineer Remote Access and Monitoring Solutions for OEMs & System Integrators

FactoryTalk Security. System Configuration Guide

T68 - FactoryTalk AssetCentre Protecting Your Investment and Reducing Risk

T02 - Increasing Software Development Efficiency Using the Integrated Architecture Tools

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

IPM Secure Hardening Guidelines

Networks: Access Management Windows NT Server Class Notes # 10 Administration October 24, 2003

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

RSView32 to FactoryTalk View SE Migration

L31 - Applying EtherNet/IP and Stratix Switches in Real-Time Manufacturing Applications

Cyber security for digital substations. IEC Europe Conference 2017

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

Advanced Security Measures for Clients and Servers

Securing Plant Operation The Important Steps

Security in Automation possible threats and integrated measures in CODESYS

Ransomware. How to protect yourself?

Mobility and Portability with Today's Rockwell Software

CYBERSECURITY RISK LOWERING CHECKLIST

Last Revised: January 13, :16:43

CONFIGURATION GUIDE. Catalog Number 1756-HIST2G. Rockwell Automation Publication 1756-UM106D-EN-E-January 2018

AssetCentre. Asset Management INSTALLATION GUIDE INTEGRATED PRODUCTION & PERFORMANCE SUITE

AudBase Security Document Page 0. Maintaining Data Security and Integrity

Michael Wells Microsoft Specialist, Dell EMC. SQL DBaaS on Microsoft Azure Stack

Considerations for Batch & Sequencing System Selection. Copyright 2013 Rockwell Automation, Inc. All Rights Reserved.

Security+ SY0-501 Study Guide Table of Contents

Managing Certificates

Cyber Security for Process Control Systems ABB's view

RSA Authentication Manager 8.0 Security Configuration Guide

Field Agents* Secure Deployment Guide

RSView SE V4.0 (CPR7+) Server Redundancy Guidelines

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

Minewide Convergence of Control and Information

OneID An architectural overview

WHITE PAPER. Title. Managed Services for SAS Technology

Industrial Defender ASM. for Automation Systems Management

Confirmed VPN Privacy Audit and Open Watch Analysis Summary Report and Documentation

ncrypted Cloud works on desktops and laptop computers, mobile devices, and the web.

PCI DSS Compliance. White Paper Parallels Remote Application Server

Studio 5000 System Release 2018

Electronic Access Controls June 27, Kevin B. Perry Director, Critical Infrastructure Protection

Google Identity Services for work

Data Protection and Synchronization for Desktop and Laptop Users VERITAS BACKUP EXEC 9.1 FOR WINDOWS SERVERS DESKTOP AND LAPTOP OPTION

Who Goes There? Access Control in Water/Wastewater Siemens AG All Rights Reserved. siemens.com/ruggedcom

Improving Operational Productivity with a Modern Approach to Distributed Control

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

Industrial Cyber Security. ICS SHIELD Top-down security for multi-vendor OT assets

SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS

The Common Controls Framework BY ADOBE

SEAhawk and Self Encrypting Drives (SED) Whitepaper

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

User Manual. ControlFLASH Firmware Upgrade Kit User Manual

Security Digital Certificate Manager

MFA Enrollment Guide. Multi-Factor Authentication (MFA) Enrollment guide STAGE Environment

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418

W05 High Availability for Today s Process Market

RSLinx Enterprise GETTING RESULTS GUIDE. PUBLICATION LNXENT-GR001F-EN-E August 2010 Supersedes Publication LNXENT-GR001E-EN-E

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

Providing an Enterprise File Share and Sync Solution for

Yellow Dog Inventory Upgrade System Requirements and Process

AT&T Global Network Client for Android

WatchGuard XTMv Setup Guide

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

W11 Hyper-V security. Jesper Krogh.

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

QuickBooks Online Security White Paper July 2017

ThinManager TM Advanced Lab: From New Server to Completed Deployment. For Classroom Use Only!

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

maxecurity Product Suite

Process System Security. Process System Security

Building Smart Machines for Digital Transformation

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Windows 10 and the Enterprise. Craig A. Brown Prepared for: GMIS

Splashtop Enterprise for IoT Devices - Quick Start Guide v1.0

White Paper. The North American Electric Reliability Corporation Standards for Critical Infrastructure Protection

Getting Results Guide. RSLinx Enterprise

Rev X 341. Table 111. Access Levels and Descriptions

W11 EOI Integration in Action. Arlen Jacobs Kou Vang. Allen-Bradley Parts. Copyright 2009 Rockwell Automation, Inc. All rights reserved.

Future Trends in Industrial Networking

Automation Change Management for Regulated Industries

User Guide. Admin Guide. r

VMware AirWatch: Directory and Certificate Authority

Source Control: Subversion

User Guide SecureLogin 8.1

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

RSA Authentication Manager 7.1 Administrator s Guide

AB Parts. Securing Process Control Systems. Bradford H. Hegrat, CISSP, CISM Sr. Principal Security Consultant Network & Security Services

Transcription:

T31 Improving Industrial Security and Robustness for Industrial Control Systems (ICS) Mike Bush, Technology Manager Clark Case, Technology Manager Rev 5058-CO900C Copyright 2012 Rockwell Automation, Inc. All rights reserved.

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 2 Agenda How did we get here? What can we do to protect our systems? Logix Security FactoryTalk Security Keeping Appraised

How did we get here? Copyright 2012 Rockwell Automation, Inc. All rights reserved. Copyri 3

How did we get here? Copyright 2012 Rockwell Automation, Inc. All rights reserved. Copyri 4

How did we get here? Copyright 2012 Rockwell Automation, Inc. All rights reserved. Copyri 5

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 6 How did we get here?

How did we get here? Copyright 2012 Rockwell Automation, Inc. All rights reserved. Copyri 7

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 8 How did we get here?

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 9 Agenda How did we get here? What can we do to protect our systems? Logix Security FactoryTalk Security Keeping Appraised

What can we do to protect our systems? Implement a good network design Use tools offered by Rockwell Automation and our partners Keep apprised Copyright 2012 Rockwell Automation, Inc. All rights reserved. Copyri 10

Good Network Design Comprehensive Network Security Model for Defense-in-Depth Industrial Security Policy Implement DMZ Copyright 2012 Rockwell Automation, Inc. All rights reserved. 11 Copyright 2012 Rockwell Automation, Inc. All rights reserved.

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 12 Copyright 2012 Rockwell Automation, Inc. All rights reserved. Network & Security Services at a Glance ASSESS Assess the current state of the security program, design, policy Assess the current state of the network design, implementation DESIGN/PLAN Design and plan a network infrastructure Design and plan security program, policy, infrastructure, business continuity plan IMPLEMENT Installation and configuration of a network Implementation of a security program, infrastructure design, policy training AUDIT Audit current architecture compared to governing body (ODVA, CNI, IEEE, TIA/EIA) Audit security program compared to governing body (NERC CIP, ISA SP-99, NIST 800-53, NIST 800-82 MANAGE/MONITOR Manage, maintain and monitor uptime and issues on the network Managed Security Services (Incident response, disaster recovery, monitoring)

Products from Encompass Partners Copyright 2012 Rockwell Automation, Inc. All rights reserved. Copyri 13

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 14 Agenda How did we get here? What can we do to protect our systems? Logix Security FactoryTalk Security Keeping Appraised

Controller Security Tools Turn the Switch Match The Project Protect the Source Embedded Change Log FactoryTalk Security Data Access Control Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 15

Data Access Control Users can assign External Access settings of Read/Write, Read Only, or None to tags Useful to control which tags can be modified from an HMI or other external application A cryptographically licensed trusted connection is established between RSLogix TM 5000 and the Logix controller Ensures the External Access attribute can only by changed by RSLogix 5000 Who can use RSLogix 5000 to change this attribute controlled by FactoryTalk Security Users can also define tags as Constants Constants can not be modified by controller logic Improves security of tags especially when used in conjunction with FactoryTalk Security Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 16

Firmware Digital Signatures How they re being introduced New products have their firmware digitally signed from day 1 (L7x, Micro 800 ) Digitally signed versions of existing products released as feasible (EN2T, DNB ) Purpose of digital signature Protect firmware from accidental and malicious corruption Ensure firmware was generated by Rockwell Automation How they work Rockwell Automation digitally signs firmware kits with a private key when they are released Devices locally check the signature with a corresponding public key Any change to the firmware kit will cause the signature check to fail in device Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 17

New in Logix v20 Controller Change Detection Every Logix Controller exposes a Change Detection Audit Value When something happens that can impact the behavior of the controller, the value changes Audit Value is available in RSLogix 5000, in other software applications and in other controllers via Message instruction The set of events that causes the Audit Value to change can be configured Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 18

New in Logix v20 Controller Change Detection The Audit Value is stored in every Controller Log entry FactoryTalk AssetCentre (in version 4.1), will be able to monitor the Audit Value and read in the Controller Log Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 19

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 20 Agenda How did we get here? What can we do to protect our systems? Logix Security FactoryTalk Security Keeping Appraised

FactoryTalk Security Use FactoryTalk Security to Manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation software applications to access automation devices (Step 1) Request Access Security Authority (FactoryTalk Directory) (Step 2) Access Granted or Denied (Step 3 - optional) Authorize access to specific devices How does it work? Provides a centralized authority to verify identity of each user and grants or deny user's requests to perform a particular set of actions on resources within the system. (All FactoryTalk Security enabled software) User Roles (FT groups or Windows groups) User Accounts (FT users or Windows users) Computers and Computer Groups System Policies (plant wide) Product Policies Controllers to be secured Secure Controllers by Area (resource groups) Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 21

FactoryTalk Security Configuration The FactoryTalk Directory can be configured to secure system access based on: Secure Controllers by Area (resource groups) Product Policies System Policies (plant wide security) Computers and Computer Groups Controllers (to be secured) User s (Windows or FactoryTalk Users) User Roles (Windows or FactoryTalk Groups) Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved.

FactoryTalk Security Disconnected Operation Cached Credentials FactoryTalk Directory provides a central storage repository (yellow pages) for: Security configuration information (Users, roles, controllers, permissions ) Every time a client connects to the Directory, it is updated with the latest security information and that information is cached locally when disconnected from the Directory Client Client Client FactoryTalk Directory Security Authority Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 23

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 24 New in v2.50 / Logix v20 (SR5) FactoryTalk Security - Cache Expiration Disconnected operation is supported by caching the Directory s security credentials on the client computer This new Policy defines how long those credential are valid while disconnected

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 25 Coming in v2.51 / Logix v21(sr5.1) FactoryTalk Security - Cache Expiration - Override by Computer Allow modification of the Directory Cache setting by; Computer Group Or Computer

New in Logix v20 (SR5) Security Authority Identifier With FactoryTalk Services Platform SR5 and Logix V20 Configures Logix Controllers to require that all users be authenticated from a specific instance of the FactoryTalk Directory before they can access the controller (Security Authority Identifier) Security Authority Identifier gets stored in the project ( project binding ) secures the offline file Anyone working on a project (on-line or off-line) with the Security Authority ID required box checked Is first required to Log On.. using the FactoryTalk Directory used to secure the project Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 26

New in Logix v20 Security Authority Identifier Using the FactoryTalk Administration Console, the Security Authority Identifier can be Viewed or changed (without changing the FTDirectory contents) Encrypted with a passphrase or password to allow for secure backup copies (disaster recovery) Enable secure duplication and distribution to allow multiple FTDirectories to share the same ID! Can be used to replace the CPU Lock functionality that was deprecated in v20 The Security Authority Identifier looks like this Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved.

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 28 Security Authority Identifier Best Practices Backup the Directory and Encrypt it There are no backdoors so keep it in a safe place Backup your projects Offline projects are also secured Option: save a secured and unsecured offline project

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 29 Coming in v2.51 / Logix v21(sr5.1) Standard User Out-of-box Default Access FactoryTalk Security is installed by Logix 5000 (automatically) starting with v20 Windows With v20, security is always on but effectively disabled to allow out-of-box default access during installation; If you are a Windows Administrator on your local computer; You automatically become a FactoryTalk Administrator and Automatically get Logged In as FTAdministrator by just launching Logix 5000 With v21, we are adding Authenticated Users group to the out-of-box default access If you are a Windows Standard User on your local computer; You automatically become a FactoryTalk User and Automatically get Logged In by just launching Logix 5000 Eliminates the Log On to FactoryTalk pop-up dialog

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 30 Coming in v2.51 / Logix v21 (SR5.1) Application Authorization Acts like an application white listing service to accept or deny Directory Access from software applications ( no Yellow Pages for you ) Manage access by; App Name, Version, Computer and Publisher (Rockwell Automation) Publisher column displays the digital signature that verifies the authenticity of the software Diagnostic Log contains a record of accept and deny

Additional Information FactoryTalk Security FactoryTalk Security Help Publication FTSEC QS001D-EN-E Nov 2011 Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 31

Copyright 2012 Rockwell Automation, Inc. All rights reserved. Copyri New in Logix v20 Trusted Slot Designation

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 1756-EN2TSC Secure Communication Module Maintenance Port Site operations Remote Workstation Optional Cisco VPN Appliance (ASA) Remote 1756-EN2TSC 1756-EN2TSC Secure Communications between a CLX controller and plant level systems (ie. MES, Site operations, peer to peer with other systems, user workstations, etc.) Users or Systems must authenticate themselves to this module before gaining access to modules on the local 1756 Backplane

Copyright 2012 Rockwell Automation, Inc. All rights reserved. 34 Agenda How did we get here? What can we do to protect our systems? Logix Security FactoryTalk Security Keeping Appraised

Keeping Apprised ICS CERT http://www.us-cert.gov/control_systems/ics-cert/ Copyright 2012 Rockwell Automation, Inc. All rights reserved. Copyri 35

Keeping Apprised SCADASEC Mailing List Copyright 2012 Rockwell Automation, Inc. All rights reserved. Copyri 36

Keeping Apprised http://rockwellautomation.com/security Assessment Services Security Technology Security FAQ Security Services Leadership & Standards secure@ra.rockwell.com Pretty Good Privacy (PGP) Public Key Security Resources Knowledgebase w/ Security Technotes MS Patch Qualification Reference Architectures Assessment Services Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 37

Keeping Apprised - Microsoft Patch Qualification Whitepaper Computer System Security Updates: Why patch your computers? Knowledgebase Article #: 35530* Microsoft Patch Qualification for Rockwell Automation software products http://rockwellautomation.custhelp.com/app/answers/detail/a_id/35530 Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 38

Keeping Apprised - Microsoft Patch Qualification Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 39

Keeping Apprised Security Advisory Index AID#54102 Rockwell Automation Knowledgebase Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 40

To make sure you get the news you can use http://rockwellautomation.com/security Copyright 2011 Rockwell Automation, Inc. All rights reserved. Copyright 2012 Rockwell Automation, Inc. All rights reserved. 41

Questions? Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. www.rockwellautomation.com Rev 5058-CO900C Copyright 2012 Rockwell Automation, Inc. All rights reserved.

Backup Slides: CPU Lock using FactoryTalk Security and SAID Rev 5058-CO900C Copyright 2012 Rockwell Automation, Inc. All rights reserved.

Copyright 2012 Rockwell Automation, Inc. All rights reserved. Copyri OEM CPU Lock of Logix Controller Bob s Computer Tom s Computer FactoryTalk Directory (on local laptop) w/ default security permissions FactoryTalk Directory (on local laptop) w/ default security permissions Both OEM users need to lock and unlock the controller

Copyright 2012 Rockwell Automation, Inc. All rights reserved. Copyri Bob Locks the Controller Bob s Computer (Local FTDirectory) x (bobs_cpu) Step 1: Bind the controller project to Bob s FactoryTalk Directory and download to lock the project (Note: Bob s Security Authority ID is: Step2: Open Admin Console and select backup the FTDirectory Step3: Enter a passphrase to encrypt the file (=> Welcome1 ) And add file name ( CPU Lock file ) Step4: Email the CPU Lock file to Tom, call Tom and give him the secret passphrase

Copyright 2012 Rockwell Automation, Inc. All rights reserved. Tom Unlocks the Controller Tom s Computer (Local FTDirectory) Step 1: Extract the file from Bob s email Step2: Open Admin Console and select restore the Directory (select the CPU Lock File ) Step3: Enter the passphrase that Bob gave Tom (=> Welcome1 ) Step4: Select restore security authority identifier only (Note: the ID is now the same as the one on Bob s computer) Open Logix 5000 and connect to the controller!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback