Download presentation
Presentation is loading. Please wait.
Published byLeon McLaughlin Modified over 9 years ago
1
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Jeffrey A. Shearer, PMP Principal Security Consultant Network and Security Services SESAM Møde 6/4 2011 IT-Sikkerhed Erik Gross Jensen Solution Architect software
2
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. What We Are Delivering Together Education Series Stratix 8000, and portfolio Reference Architectures for Manufacturing Common Technology View Network and Security Services http://www.ab.com/networks/architectures.html
3
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Network Management IT and Production Control Automation and Control Applications CIP-Based Support in the Network Local Applications (Device Manager) IT Network Management (SNMP-Based) Command Line Interface
4
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Reference Material Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 4 http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf
5
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Reference Architectures for Manufacturing Gbps Link for Failover Detection Firewall (Active) Firewall (Standby) Layer 3 Router Layer 3 Switch Stack Layer 2 Switch Drive Controller Drive HMI Controller Drive HMI Distributed I/O Level 0–2 HMI Cell/Area #1 (Redundant Star Topology) Cell/Area #2 (Ring Topology) Cell/Area #3 (Bus/Star Topology) Cell/Area Zone Manufacturing Zone Level 3 Demilitarized Zone (DMZ) Enterprise Zone Levels 4 and 5 Windows 2003 Servers Remote desktop connection VPN FactoryTalk Application Servers View Historian AssetCentre Transaction Manager FactoryTalk Services Platform Directory Security Data Servers Network Services DNS, DHCP, syslog server Network and security management Design guidance –Methodology – built on Industry Standards –Best practices and recommendations –Documented configuration settings –Tested with Industrial Applications –Cisco “Validated” network design “Future-ready” network foundation –CIP Safety, CIP Sync, CIP Motion –Voice, Video
6
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. High Level Architecture Review Remote access involves cooperation between: –Enterprise Zone Information Technologies (IT) and infrastructure of the facility –Automation Demilitarized Zone (Automation DMZ) Knowledge of traffic that must move from the plant to enterprise systems –Manufacturing Zone Cell and Area devices Traffic flow and protocols Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 6
7
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Enterprise Zone –“Levels” 4 & 5 owned by Information Technologies (IT) –Traditionally some VLAN’s in place –Campus to Campus communications –IT knowledgeable with routing and firewalls You need to work with the IT personnel to get access to the DMZ –Don’t bypass these fine folks! Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 7
8
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Automation DMZ –Shared ownership by IT and Manufacturing professionals “Typically” –IT owns firewalls –IT configures the switches on behalf of Manufacturing professionals –Manufacturing professionals own DMZ terminal servers, application servers, patch management servers DMZ requires cooperation from both IT and Manufacturing Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 8
9
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Why a Demilitarized Zone (DMZ)? To preserve smooth plantwide operations and functioning of the Industrial Automation and Control System (IACS) application and IACS network, this zone requires clear isolation and protection from the Enterprise zone via security devices within the Demilitarized zone (DMZ) This insulation not only enhances security segmentation between the Enterprise and Manufacturing zones, but may also represent an organization boundary where IT and manufacturing organizational responsibilities interface. This approach permits the Manufacturing zone to function entirely on its own, irrespective of the connectivity status to the higher levels Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 9
10
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Controlling Access to the Manufacturing Zone Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 10 No Direct Traffic Flow from Enterprise to Manufacturing Zone
11
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. DMZ Topology Firewall(s) –Enterprise Interface –DMZ Interface –Manufacturing Interface Firewalls are used to block or allow access to devices on these interfaces based on a set of rules There will be assets like switches and servers that are part of the DMZ Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 11
12
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Manufacturing Zone Division of plant into functional areas for secured access –ISA-SP99 “Zones and Conduit” model OEM’s Participation –IP Address –VLAN ID’s –Access layer to Distribution layer cooperation System design requires full cooperation of all System Integrators, OEM’s, IT and Engineering Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 12
13
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Manufacturing Zone Defense in depth still applies to manufacturing zone Defense in depth steps in the manufacturing zone is still applied to: –Device Hardening –Application –Computers –Networks –Physical Rockwell Automation products support the defense in depth strategy Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 13
14
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Defense in Depth Designs Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 14 (Confidential – For Internal Use Only) Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 14 Apply security products and supporting a defense- in-depth (or layered) architecture; 1.Network & Security Design 2.Limit physical access to all equipment 3.Control access to automation networks 4.Control access to computers and keep them up to date 5.Control access to software applications that are used to configure devices 6.Control access to both the configuration and data in automation devices Perimeter Enforcement Device Security Security Services Application Computer Device Physical Network This is not a “one size fits all problem” …you are in the best position to decide which risks are the most urgent and which tools to use to reduce that risk Design
15
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Configuration Access Control Using FactoryTalk Security (Confidential – For Internal Use Only) Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 15 How does it work? –Provides centralized authentication and access control by verifying the identity of each user (and computer) who attempts to access the automation system and then either granting or denying each user's request to perform particular actions on features and resources within the system Authentication – verifies a user’s identity and verifies that a request for service originates with that user. Authorization – verifies a user’s request to access a software product, feature, or system resource against a set of defined access permissions. –Authenticates and authorizes users against a set of defined permissions held in the FactoryTalk Directory Application Computer Device Physical Network
16
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Application: Device Configuration (Confidential – For Internal Use Only) Copyright © 2009 Rockwell Automation, Inc. All rights reserved. 16 Use FactoryTalk Security to –Control computer and user access to devices –Control use of selected software applications that access devices Perimeter Enforcement Application Operating System Device Physical Network
17
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. 17 FactoryTalk Security (FTS-05) Product Policies –Defines which functions, features or users of a software application can be used across your site or enterprise System Policies –Define the rules that govern how security is implemented (like Password expirations) across your site or enterprise Computer and Computer Groups –Defines which computers can be used to access your automation system Networks and Devices –Defines which actions can be performed on a specific hardware resource User and User Groups (roles) –Defines which users or groups of users can get access to your automation system Product Policies –Restrict access to the features of individual FactoryTalk-enabled products –Only users with the required level of access can use the product features that you have secured. System policies –Define general security rules, such as how frequently passwords must be changed Computers and Groups –You can use these accounts to enforce line-of-sight security –Combine individual computer accounts into groups, to make it easier to manage security. Networks and Devices –Secure access to control hardware –Securable actions can be defined for all similar devices, groups of devices or can be defined on a device by device basis –Actions and devices can be put into groups for easier management (new in CPR9) Users and User Groups –FactoryTalk User User accounts that are held in the FactoryTalk Directory –Windows Linked User User accounts that already exist in a Windows domain or workgroup –Combine user accounts into User Groups to set up role-based security access; Windows-linked User Group – reference user groups that already exist in a Windows Domain FactoryTalk Group – combine individual Users and other groups into a FactoryTalk Group –Including Windows Linked groups
18
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Manufacturing Security Design Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors Network Security – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers Computer Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services Application Security – authentication, authorization, and audit software Device Hardening – change management and restrictive access
19
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Tenants of a Good Security Design: The Physical - Switch Lock-in & Block-out Panduit/RA Physical Layer Reference Architectures Design Guide – MN05 PSL-DCPL PSL-DCJB
20
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Additional Resources Website : http://www.ab.com/networks/architectures.html http://www.ab.com/networks/architectures.html Whitepapers –Reference Architectures for ManufacturingReference Architectures for Manufacturing –Securing Manufacturing Computer and Controller AssetsSecuring Manufacturing Computer and Controller Assets –Production Software within Manufacturing Reference Architectures Design and Implementation Guides –ODVA - Network Infrastructure for EtherNet/IP: Introduction and ConsiderationsODVA - Network Infrastructure for EtherNet/IP: Introduction and Considerations –ODVA - EtherNet/IP Media Planning and Installation ManualODVA - EtherNet/IP Media Planning and Installation Manual –Rockwell Automation and Cisco Design and Implementation Guide – manufacturing reference architecturesRockwell Automation and Cisco Design and Implementation Guide – manufacturing reference architectures
21
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Additional Resources - Webcasts Rockwell Automation and Cisco webcasts: What Every IT Professional Should Know about Plant Floor NetworkingWhat Every IT Professional Should Know about Plant Floor Networking What Every Plant Floor Controls Engineer Should Know about Working with ITWhat Every Plant Floor Controls Engineer Should Know about Working with IT Rockwell Automation Knowledge Network webcasts: Rockwell Automation and Cisco: Best Practices Reference Architectures: Fundamentals of Ethernet Network Design Securing Manufacturing and Enterprise Network Convergence Industrial Ethernet Resiliency
22
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Available Resources Whitepapers –Stratix Switches within Integrated Architecture –Achieving Secure Remote Access to Plant Floor Applications and Data –Recommendations for Designing, Selecting, Configuring and Maintaining Wireless EtherNet/IP Networks –Industrial Ethernet Resiliency – late summer –IT Ready for OEMs – late summer Design and Implementation Guides –DIG 2.0 – Stratix 8000, resiliency, performance –Panduit and Rockwell Automation Physical Layer Reference Architectures
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.