Presentation is loading. Please wait.

Presentation is loading. Please wait.

Technical Track www.odva.org Securing EtherNet/IP Networks Presented by: Paul Didier - Cisco Eddie Lee - Moxa.

Published byMalakai Alewine Modified over 10 years ago

Similar presentations

Presentation on theme: "Technical Track www.odva.org Securing EtherNet/IP Networks Presented by: Paul Didier - Cisco Eddie Lee - Moxa."— Presentation transcript:

1 Technical Track www.odva.org Securing EtherNet/IP Networks Presented by: Paul Didier - Cisco Eddie Lee - Moxa

2 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 2 © 2011 ODVA, Inc. All rights reserved. www.odva.org Agenda Securing EtherNet/IP Networks Introduction Best Practices Isolated Control Network with Single Controller Isolated Network with multiple Controllers Enterprise Connected and Integrated Control Systems Other Considerations Emerging Industrial Security Technologies ISA 99

3 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 3 © 2011 ODVA, Inc. All rights reserved. www.odva.org Introduction High level paper for customers, implementers to identify security concepts per type of control networks. Start with Risk identification and analysis Identify Risk reduction and mitigation techniques There will be costs and trade-offs Differences between IT and Industrial Automation and Control Working with IT

4 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 4 © 2011 ODVA, Inc. All rights reserved. www.odva.org Who Needs to Talk to Whom?

5 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 5 © 2011 ODVA, Inc. All rights reserved. www.odva.org Control Network types Isolated Single Controller Single Controller 10s of devices Potentially multiple switches Limited non-CIP traffic Sharing data via sneaker net or transferable device Isolated Multiple Controller Multiple Controllers Up to 100s of devices 10s of switches, maybe a router A few networks Potentially multiple switches Controllers sharing data Some non-CIP traffic (e.g. HTTP, file sharing, etc.) Enterprise Connected Many Controllers Up to 1000s of devices Lots of switches and routers and other network infrastructure Many networks Sharing data, applications and services between Enterprise and Plant networks Could have lots of non-CIP traffic (e.g. Voice, Video, etc.)

6 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 6 © 2011 ODVA, Inc. All rights reserved. www.odva.org Best Practices – Isolated Single Controller Managed Switches Diagnostics Port Security Device Maintenance End-device security OS patches Anti-virus Network and Application monitoring and management

7 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 7 © 2011 ODVA, Inc. All rights reserved. www.odva.org Isolated Multiple Controller VLANs Basic segmentation Performance Quality of Service Protect key traffic from performance or some Denial of Service Previous Considerations and… IGMP (Multicast management) Network Resiliency Spanning Tree or Device Level Ring (DLR)

8 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 8 © 2011 ODVA, Inc. All rights reserved. www.odva.org Quality of Service Operations Classification and Marking Queuing and (Selective) Dropping Post-Queuing Operations

9 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 9 © 2011 ODVA, Inc. All rights reserved. www.odva.org Connected and Integrated Control Firewall and DMZ Control traffic flows Protect Plant from Enterprise threats Intrusion Detection Monitor and stop known and unknown attacks Previous Considerations and… Remote Access VPN to Firewall/DMZ Terminal Services into controlled, locked-down server

10 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 10 © 2011 ODVA, Inc. All rights reserved. www.odva.org Firewalls A firewall is a security device which is configured to permit, deny or proxy data connections set by the organization's security policy. Firewalls can either be hardware or software based A firewall's basic task is to control traffic between computer networks with different zones of trust Todays firewalls combine multilayer stateful packet inspection and multiprotocol application inspection Virtual Private Network (VPN), Anti-x, Authentication and Intrusion Prevention Services (IPS) have been integrated Despite these complexities, the primary role of the firewall is to enforce security policy Enterprise Plant

11 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 11 © 2011 ODVA, Inc. All rights reserved. www.odva.org De-Militarized Zone Enterprise Plant Demilitarized zone is a physical or logical sub-network that contains and exposes an entities external data and services to a larger un-trusted network Typically requires a Firewall DMZ may contain terminal server, replicated historian, AV, patch, DNS, AD/LDAP or mail servers. Buffers a zone from the threats, traffic, scans and other network-born activities in other networks DMZ

12 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 12 © 2011 ODVA, Inc. All rights reserved. www.odva.org Virtual Private Network (VPN) Overview Mechanism for secure communication over IP (Internet) Authenticity (unforged/trusted party) Integrity (unaltered/tampered) Confidentiality (unread) Remote Access (RA) VPN components Client (mobile or fixed) Termination device (high number of endpoints) VPN Security Appliance VPN Client or Browser VPN tunnel

13 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 13 © 2011 ODVA, Inc. All rights reserved. www.odva.org VPN - What Are We Talking About? Secure VPN includes a number of technologies IPsec L2TP/IPSec TLS (HTTPS/SSL) DTLS SSL HMAC-MD5 HMAC-SHA-1 RSA digital certificates Pre-Shared key DES 3DES AES RC4 TunnelingEncryptionAuthentication*Integrity *IKE 1st Phase, Not User Auth.

14 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 14 © 2011 ODVA, Inc. All rights reserved. www.odva.org Wireless CIP and EtherNet/IP, being based on open standards, is readily transportable over standard wireless technologies. Common wireless security practices include: IEEE 802.1x Network Access Control and authentication with shared keys Encryption – WPA2 is best practice Disable SSID broadcasting for control WLAN Rogue access point and end-point detection

15 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 15 © 2011 ODVA, Inc. All rights reserved. www.odva.org Authenticator (e.g. Access Point) Authentication Server (e.g. RADIUS) Wireless Client How 802.1x Works IEEE 802.1X (Port-based Network Access Control) restricts port access to authorized users only. Authentication is done using the local user database or an external RADIUS (Remote Authentication Dial In User Service) server.

16 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 16 © 2011 ODVA, Inc. All rights reserved. www.odva.org Security - Authentication MAC address filtering Fast Ethernet Moving Process Field Engineers Access Point AP Client MAC Address Access Rights 00-11-12-23-34-45Deny 00-11-12-23-34-46Allow Deny or Allow

17 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 17 © 2011 ODVA, Inc. All rights reserved. www.odva.org Other Security Considerations Other considerations include: Security enhanced operating systems Virtual Private Network (VPN) – tunneled encryption outside for traffic external to Plant network Enhanced authentication via Biometrics Network Access Control and Protection to verify every device on the network

18 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 18 © 2011 ODVA, Inc. All rights reserved. www.odva.org AUTHENTICATE users and devices to the network Posture and Remediate the device for policy compliance Audit and Report who is on my network Network Access Control Differentiated Access role based access control NAC is solution that uses a set of protocols to define and implement a policy that describes how to secure access to the network by devices. Network Access Control controls access to a network with policies, including pre-admission endpoint security policy checks and post- admission controls over where users and devices can go on a network and what they can do. Network Access Protection (NAP) is Microsofts implementation of NAC.

19 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 19 © 2011 ODVA, Inc. All rights reserved. www.odva.org ISA 99

20 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 20 © 2011 ODVA, Inc. All rights reserved. www.odva.org ISA 99 Working Groups

21 Technical Track2011 ODVA Industry Conference & 14 th Annual Meetingpage 21 © 2011 ODVA, Inc. All rights reserved. www.odva.org ISA 99 SALs

Download ppt "Technical Track www.odva.org Securing EtherNet/IP Networks Presented by: Paul Didier - Cisco Eddie Lee - Moxa."

Similar presentations

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.
Cisco Router as a VPN Server. Agenda VPN Categories of VPN – Secure VPNs – Trusted VPN Hardware / Software Requirement Network Diagram Basic Router Configuration.

Cisco Router as a VPN Server. Agenda VPN Categories of VPN – Secure VPNs – Trusted VPN Hardware / Software Requirement Network Diagram Basic Router Configuration.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Network Security.

Network Security.
Chapter 1: Introduction to Scaling Networks

Chapter 1: Introduction to Scaling Networks
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 VLANs LAN Switching and Wireless – Chapter 3.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 VLANs LAN Switching and Wireless – Chapter 3.
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
1 Endpoint Security Considerations. 2 Agenda Open Networks PROs & CONs Challenges Alternatives.

1 Endpoint Security Considerations. 2 Agenda Open Networks PROs & CONs Challenges Alternatives.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Chapter 12 Network Security.

Chapter 12 Network Security.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.

Similar presentations

Ads by Google