To Join the Teleconference


To Join the Teleconference
Dial 866-774-1453 and specify conference ID 63118549. You must dial in using a telephone to hear the audio portion of the broadcast. All participant telephone lines are muted. To ask a question, use the WebEx chat feature and select Send to Host. We will send a copy of this presentation and a recording of this broadcast within a few days.

Practical Applications of Security to Industrial Control Systems: FactoryTalk Security
Eugene Krymskiy, Engineer, Sr. Systems Technical Support
March 29, 2012

Agenda
Presentation
Data Access Security
Questions?

Our Approach to Industrial Security
Aligned with US government agencies, ISA99/IEC and other emerging standards. A secure application depends on multiple layers of protection; industrial security must be implemented as a system.

Rockwell Automation Security Fundamentals
Apply products and services supporting a defense-in-depth (layered) architecture.
Limit user and computer access to both configuration and data in automation devices.
Limit use of automation software applications.
Limit access to computers and keep computers patched.
Limit access to automation networks.
Limit physical access to all equipment and networks.
[Figure: Layered Security Model (defense in depth). Layers shown: Physical, Perimeter Enforcement, Network, Computer, Application and Device, with Security Services and Device Security as the outer and inner labels.]

Data Access Security

System-level Security: FactoryTalk Security
Use FactoryTalk Security to manage the insider threat by authenticating the user and authorizing the use of Rockwell Automation software applications to access automation devices.
How does it work? FactoryTalk Security provides a centralized authority that verifies the identity of each user and grants or denies each user's request to perform a particular set of actions on resources within the system.
Step 1: Request access (from any FactoryTalk Security enabled software).
Step 2: Access granted or denied by the security authority (a domain controller and/or the FactoryTalk Network Directory).
Step 3 (optional): Authorize access to specific devices.

FactoryTalk Network Directory
Provides a central storage repository ("yellow pages") for:
Location of all data servers (including third-party servers)
Location of all Alarms & Events servers and historical databases
Graphic displays (for HMI servers)
Security configuration information (users, roles, resources, permissions, ...)
So how does this work?
[Figure: HMI clients, alarm clients and data clients locate their HMI servers, alarm servers, data servers and the security server through the directory.]

Centralized Security Administration
Secure controllers by area (resource groups) and assign access permissions to specific controller groups.
Product policies: product-specific configuration.
System policies: plant-wide security.
Computers and computer groups.
Controllers to be secured.
User accounts (FactoryTalk users or Windows users).
User roles (FactoryTalk groups or Windows groups).
[Figure labels: FactoryTalk Live Data, FactoryTalk Diagnostics, FactoryTalk Security.]

FactoryTalk Security Configuration
Step 1: Tighten the default security configuration. Remove the local Windows Administrators group (hint: most people have admin rights on their own computer). Remove the permissions granted to "All Users" (hint: all users have full rights by default).
Step 2: Create accounts for each user, or link to a Windows domain and allow IT to manage the users.
Step 3: Add the names of all the computers that will be accessing the system.
Step 4: Assign your users to roles or groups, or link to Windows domain groups and allow IT to manage the groups.
Step 5: Add the appropriate permissions to the new roles.
Step 6: Assign the new roles and permissions to automation resources.
[Figure: Role, User, Computer, Resources, Permissions.]
Example: Clark on COMPUTER3 is an Engineer who can download to Bottling Line controllers.
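The six steps above describe an authorization decision built from a user (plus the FactoryTalk or linked Windows groups containing it), the computer the request comes from, the resource (a controller or an area grouping controllers) and the action. The following is an added example, not Rockwell code and not FactoryTalk's implementation: a small Python model of that decision, used to show what the out-of-the-box defaults the slide warns about (All Users with full rights, the Windows Administrators group nested into FactoryTalk Administrators) actually permit, and what is left after Step 1 and Step 6 are applied with the Clark/COMPUTER3/Bottling Line example. The names pat, BottlingPLC1, BottlingPLC2, PackagingPLC1 and the action list are constructed for the example, and the rule that an explicit Deny overrides any Allow is an assumption of this model.

```python
from dataclasses import dataclass

ROOT = "Network Directory"       # every resource lives under this root
ALL_USERS = "All Users"          # built-in group that contains every user
ALL_COMPUTERS = "All Computers"  # built-in computer group


@dataclass(frozen=True)
class Rule:
    principal: str   # a user, a FactoryTalk group, or a linked Windows group
    computer: str    # a computer, a computer group, or ALL_COMPUTERS
    resource: str    # a controller, an area (resource group), or ROOT
    action: str      # e.g. "Download"
    allow: bool      # True = Allow, False = explicit Deny


class Directory:
    """Toy stand-in for the security data held in a FactoryTalk Network Directory."""

    def __init__(self):
        self.groups = {}            # group -> members (users or nested groups)
        self.computer_groups = {}   # computer group -> computers
        self.resource_groups = {}   # area -> controllers
        self.rules = []

    def add_members(self, group, *members):
        self.groups.setdefault(group, set()).update(members)

    def add_computers(self, group, *computers):
        self.computer_groups.setdefault(group, set()).update(computers)

    def add_resources(self, area, *resources):
        self.resource_groups.setdefault(area, set()).update(resources)

    def grant(self, principal, computer, resource, action, allow=True):
        self.rules.append(Rule(principal, computer, resource, action, allow))

    def revoke_all(self, principal):
        """Drop every rule naming a principal (used to strip the default grants)."""
        self.rules = [r for r in self.rules if r.principal != principal]

    def principals_for(self, user):
        """The user, All Users, and every group containing the user, following nesting."""
        found = {user, ALL_USERS}
        changed = True
        while changed:
            changed = False
            for group, members in self.groups.items():
                if group not in found and members & found:
                    found.add(group)
                    changed = True
        return found

    def computers_for(self, computer):
        groups = {g for g, cs in self.computer_groups.items() if computer in cs}
        return {computer, ALL_COMPUTERS} | groups

    def resources_for(self, resource):
        areas = {a for a, rs in self.resource_groups.items() if resource in rs}
        return {resource, ROOT} | areas

    def is_allowed(self, user, computer, resource, action):
        who = self.principals_for(user)
        where = self.computers_for(computer)
        what = self.resources_for(resource)
        hits = [r for r in self.rules
                if r.principal in who and r.computer in where
                and r.resource in what and r.action == action]
        if any(not r.allow for r in hits):   # assumption: an explicit Deny beats any Allow
            return False
        return any(r.allow for r in hits)


ACTIONS = ("Download", "Upload", "Go Online")   # constructed action list


def out_of_the_box():
    """The defaults the slide tells you to tighten: All Users has full rights and the
    Windows Administrators group is nested into FactoryTalk Administrators."""
    d = Directory()
    d.add_members("Administrators", "Windows Administrators")
    d.add_members("Windows Administrators", "pat")      # pat: a local admin (constructed)
    d.add_members("Engineers", "Clark")
    d.add_computers("Engineering Workstations", "COMPUTER3")
    d.add_resources("Bottling Line", "BottlingPLC1", "BottlingPLC2")
    d.add_resources("Packaging Line", "PackagingPLC1")
    for action in ACTIONS:
        d.grant(ALL_USERS, ALL_COMPUTERS, ROOT, action)
        d.grant("Administrators", ALL_COMPUTERS, ROOT, action)
    return d


def tightened():
    """Step 1 and Step 6 from the slide applied to the default directory."""
    d = out_of_the_box()
    d.revoke_all(ALL_USERS)                                       # step 1: no blanket grant
    d.groups["Administrators"].discard("Windows Administrators")  # step 1: local admins out
    d.add_members("Administrators", "FTAdmin")                    # a named FactoryTalk admin
    # step 6: Engineers may Download Bottling Line controllers from engineering workstations
    d.grant("Engineers", "Engineering Workstations", "Bottling Line", "Download")
    # an explicit Deny on one controller for one user, to show precedence (constructed)
    d.grant("Clark", ALL_COMPUTERS, "BottlingPLC2", "Download", allow=False)
    return d


if __name__ == "__main__":
    for label, d in (("default", out_of_the_box()), ("tightened", tightened())):
        print(label, "pat@COMPUTER9 -> PackagingPLC1 Download:",
              d.is_allowed("pat", "COMPUTER9", "PackagingPLC1", "Download"))
        print(label, "Clark@COMPUTER3 -> BottlingPLC1 Download:",
              d.is_allowed("Clark", "COMPUTER3", "BottlingPLC1", "Download"))
```

With the defaults, any user on any computer, and any local Windows administrator through the nested group, can download to every controller. After tightening, Clark can download only Bottling Line controllers and only from an engineering workstation; the same user on another computer, on a Packaging Line controller, or for a different action gets nothing, and the local administrator pat is no longer a FactoryTalk administrator at all.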

Network Security: Isolating Network Traffic
[Figure: layers (Application, Operating System, Device, Physical, Network) beside a zoned network. The Enterprise Network (enterprise email, intranet, shared drives, web and email over TCP/IP) connects through a router to the Site Business Network; a firewall and a DMZ hosting Terminal Services and a Domain Controller separate it from the Manufacturing Security Zone, which contains the Production Control, Process History, Operator Interface and Optimizing systems. The figure marks the best-practice location of the FactoryTalk Directory Server.]

FactoryTalk Directory Architecture and Settings

FactoryTalk Directory Structure
The FactoryTalk Directory is an integral part of FactoryTalk Security; both are components of the FactoryTalk Services Platform. Let's take a few minutes to examine the FactoryTalk Directory structure and familiarize ourselves with its components.
Step 1: Launch the FactoryTalk Administration Console by double-clicking its icon on the desktop.
Step 2: Select the Network option when prompted and click OK (select Network in the FactoryTalk Directory window and click OK).

FactoryTalk Directory Structure
Step 3: The image below illustrates the structure of the FactoryTalk Network Directory following the FactoryTalk Services Platform installation. The Instant Fizz application used in this presentation has also been added to the directory. Note that the computer hosting the FactoryTalk Directory is shown at the top of the Application Explorer window.

FactoryTalk Directory Structure
Step 4: Expand the root folders in the network directory tree.
Note the policy information available for FactoryTalk-aware products in the FactoryTalk Directory. These policies can be modified on a product-by-product basis for specific users, groups and computers included within the FactoryTalk Directory. Several examples of these settings are explored in subsequent sections of this lab.
Figure callouts:
Names of computers registered with the FactoryTalk Directory.
FactoryTalk user groups defined within the FactoryTalk Directory; these can be native FactoryTalk user groups or linked to Windows user groups.
FactoryTalk users defined within the FactoryTalk Directory; these can be native FactoryTalk users or linked to Windows user accounts.

Users & User Groups (System Folder)
The Users and Groups folder is used to create, edit, delete and manage the user accounts and groups that have access to the FactoryTalk Directory. Using Users and Groups, you control who accesses the FactoryTalk system and what actions they can perform. Security access to software or controllers can be applied to a single user, a group of users, a computer, or an action, and all of this is managed within the FactoryTalk Administration Console. For example, using FactoryTalk Security you can assign rights to a user account or group that prevent that user or group from downloading to a specific controller, editing the value of a specific tag, or modifying HMI screens.

Users & User Groups (System Folder)
Step 5: Double-click on the Administrators group to view the FactoryTalk Administrators. The Administrators group in FactoryTalk is not the Windows Administrators group; FactoryTalk Administrators are administrators for FactoryTalk products.

Users & User Groups (System Folder)
Step 6: The Windows Administrators group is added to the FactoryTalk Administrators group during the FactoryTalk Services Platform installation. This is referred to as nesting Windows linked groups into FactoryTalk groups. This nesting gives the Windows Administrators group full rights to Rockwell Automation products that use FactoryTalk Security, so anyone with local administrator rights on a member computer is also a FactoryTalk administrator until that nested group is removed, which is why Step 1 of the configuration outline removes it.

Computers & Groups (System Folder)

Policies (System folder)


Tightening FactoryTalk Security


Tightening FactoryTalk Security
5. In the New User window, create the following user account (example):
User Name: FTAdmin
Password: ftadmin
Group Membership: Administrators
Set the user name to FTAdmin; user names in FactoryTalk are not case sensitive. Set the password to ftadmin; in FactoryTalk, passwords are case sensitive. The password created for the FTAdmin user must be at least as long as the Minimum password length security policy, which is set to 6 characters by default. If you try to create a password shorter than 6 characters, FactoryTalk gives an error message. Note that ftadmin is a lab value only: it is the user name in lower case and just meets the minimum length, so use a strong password for any real FactoryTalk administrator account.
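The account rules stated above (user names compared without regard to case, passwords compared with regard to case, a system policy for minimum password length that defaults to 6) can be checked in code. The following is an added example, not Rockwell code and not how FactoryTalk stores accounts: a Python model of a native user store that enforces the minimum-length policy as a hard error, rejects a second account whose name differs only in case, and flags the lab's own FTAdmin/ftadmin pair as weak. The salted PBKDF2 storage and the weak-password warnings beyond the length policy are this example's own choices.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class SystemPolicy:
    minimum_password_length: int = 6   # the FactoryTalk default named on the slide


@dataclass
class User:
    name: str                 # stored as typed; looked up case-insensitively
    salt: bytes
    digest: bytes
    groups: set = field(default_factory=set)


class UserStore:
    """Model of native (not Windows-linked) FactoryTalk-style user accounts."""

    def __init__(self, policy=None):
        self.policy = policy or SystemPolicy()
        self.users = {}   # lower-cased name -> User

    @staticmethod
    def _digest(password, salt):
        # Hashing scheme is this example's choice; the slide says nothing about storage.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

    def check_password(self, name, password):
        """Return (violations, warnings). Violations are system-policy failures and
        block account creation; warnings are extra checks this example adds."""
        violations, warnings = [], []
        n = self.policy.minimum_password_length
        if len(password) < n:
            violations.append(f"password shorter than the minimum password length ({n})")
        if password.lower() == name.lower():
            warnings.append("password equals the user name")
        if password.lower() == password or password.upper() == password:
            warnings.append("password uses only one letter case")
        return violations, warnings

    def create_user(self, name, password, groups=()):
        key = name.lower()                          # user names are not case sensitive
        if key in self.users:
            raise ValueError(f"user {name!r} already exists (user names are not case sensitive)")
        violations, _warnings = self.check_password(name, password)
        if violations:
            raise ValueError("; ".join(violations))
        salt = os.urandom(16)
        user = User(name, salt, self._digest(password, salt), set(groups))
        self.users[key] = user
        return user

    def authenticate(self, name, password):
        user = self.users.get(name.lower())         # name: case-insensitive lookup
        if user is None:
            return False
        # password: case-sensitive, compared in constant time against the stored digest
        return hmac.compare_digest(user.digest, self._digest(password, user.salt))


if __name__ == "__main__":
    store = UserStore()
    violations, warnings = store.check_password("FTAdmin", "ftadmin")
    print("lab account FTAdmin/ftadmin:", "policy violations:", violations, "warnings:", warnings)
    store.create_user("FTAdmin", "ftadmin", groups=["Administrators"])
    print("FTADMIN/ftadmin authenticates:", store.authenticate("FTADMIN", "ftadmin"))
    print("FTAdmin/FTADMIN authenticates:", store.authenticate("FTAdmin", "FTADMIN"))
```

Running it shows that the lab's password passes the 6-character policy but is flagged as equal to the user name; that a 5-character password is refused, as the slide says FactoryTalk does; that "ftadmin" cannot be created alongside "FTAdmin"; and that the name matches in any case while the password must match exactly.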


Modify Permissions


Change System Policies


Questions