www.ODVA.org - Gain | Automation Technology

botlek Studiegroep
17-February-2011
Plantwide Benefits of EtherNet/IP
Clive Barwise
Ferry Hallewas
Copyright © 2010 Rockwell Automation, Inc. All rights reserved.
www.ODVA.org
2/22/2011
Plantwide Network Architectures
Converged Plantwide Ethernet (CPwE) Architectures
[Figure: CPwE reference architecture – Level 4 Data Center; Level 3 Site Operations; Cell/Area Zones (Levels 0-2) for Processing, Filling and Material Handling]
EtherNet/IP Networking - Industrial & IT Network Convergence
EtherNet/IP – Differentiator #1: Established
EtherNet/IP – Established (partial list)
280+ EtherNet/IP Vendors Registered, over 3,000,000 nodes shipped
Welcome and Introduction
Industrial Ethernet
EtherNet/IP – Standard and Established
EtherNet/IP is the current global leader for nodes sold (Source: IMS Research)
• Standard/Unmodified Ethernet & TCP/IP:
– Future Proof Technology
– Mix commercial and industrial information on one common network infrastructure
– Scalable plantwide networks with 1,000s of nodes
– Topology to match your plant
– Diverse and broad supplier support
Rockwell Automation, Omron, and Schneider Electric use EtherNet/IP as core technology.
Many other vendors also provide EtherNet/IP.
Network Evolution – EtherNet/IP
[Figure: cost vs. time chart – device classes (Controllers, I/O, HMI, Robots, Servo & Standard Drives, Safety I/O, Instruments, Valves, Safety Components, E3/E1 Overloads, Pushbuttons, PhotoEye, Proximity & Limit Switches) migrating from DeviceNet to EtherNet/IP between Today and Future]
Low Cost EtherNet/IP:
• NEO ASIC
• 2 port embedded switch
• Lower cost scalable chipset/stacks
• PHY designed for 1G
• PoF – Poly Fiber media
• PoE – Power over Ethernet
• Cost of EtherNet/IP implementation continues to lower
– Faster adoption of devices on Ethernet
– EDS for devices on CIP networks
– 2-port DLR technology for simplified integration
• Cost of DeviceNet implementation levels
– Continues to provide solution for low cost devices
MCC Today: All DeviceNet inside
MCC Short-term: EtherNet/IP - Drives; DeviceNet - Overloads
MCC Future: All EtherNet/IP; PoF media
EtherNet/IP – Differentiator #2: Standard… Not “Standards-Based”
Layer 7 – Application: Common Industrial Protocol
[Figure: protocol stack – Layers 1-2 IEEE 802.3 Ethernet; Layer 3 IP, ARP, RARP, ICMP, OSPF, IGMP; Layer 4 TCP, UDP; Layers 5-7 CIP (Real-Time I/O Control, Explicit Messaging), HTTP, FTP, SNMP, BOOTP, DHCP, OPC]
• Ethernet/Industrial Protocol or EtherNet/IP specifies how CIP communication packets can be transported over standard Ethernet and TCP/IP technology.
• CIP: Implicit traffic
– I/O control, drive control, Produced/Consumed tags
– Uses UDP protocol (unicast and multicast)
• CIP: Explicit traffic
– HMI, Message Instructions, Program upload/download
– Uses TCP protocol
• Other common traffic
– HTTP, Email, SNMP, etc.
• Advantages of EtherNet/IP
– Standard Ethernet and IP Protocol suite
– Future proof
– Established – 280+ registered vendors
– Supported – All EIP products require conformance testing
Fundamentals of EtherNet/IP Networking
Standard vs. “standards-based”
• Standard
– Uses standard switches
– Integrates easily into existing Ethernet installations and corporate networks
– Requires no special training or knowledge from IT workforce
• “Standards-based”
– Requires the use of proprietary switches or protected segments
– Potential integration issues with existing Ethernet installations
– Requires extra training and knowledge from IT workforce
Ethernet/Industrial Protocol
EtherNet/IP vs. Ethernet and IP vs. Ethernet/IP
• Standard
– IEEE 802.3 - standard Ethernet, Precision Time Protocol (IEEE-1588)
– IETF - Internet Engineering Task Force, standard Internet Protocol (IP)
– IEC - International Electrotechnical Commission
– ODVA - Common Industrial Protocol (CIP)
• IT Friendly and Future Proof (Sustainable)
• Established - products, applications and vendors
• Multidiscipline control and information platform
• ODVA
– Supported by global industry vendors such as Cisco Systems®, Omron®, Schneider Electric®, Rockwell Automation and many more!
– Conformance & Performance Testing
http://www.odva.org
OSI Reference Model
Layer No.
7. Application
6. Presentation
5. Session
4. Transport
3. Network
2. Data Link
1. Physical
[Figure: the upper layers are marked “Network Independent”]
EtherNet/IP Advantage Summary
• ODVA - Cisco Systems and Rockwell Automation are principal members
• IT friendly - Standard Ethernet and TCP/IP Protocol Suite
• Future proof – Sustainable
– Industry Standards such as IEEE and IETF
• Portability and Routability
– Physical layer and data link layer independence
• Established – 280+ Registered Vendors, over 3,000,000 nodes
• Supported – All EtherNet/IP products require conformance testing
• Multidiscipline Support
– Discrete Control, Process Control, Batch Control, Configuration,
Information/Diagnostics, Safety Control, Time Synchronization, Motion Control and
Energy Management
• Common industrial application protocol
– DeviceNet, ControlNet and EtherNet/IP
– Seamless bridging throughout CIP networks
EtherNet/IP – Differentiator #3: More Than a Fieldbus
EtherNet/IP – Technology Convergence
More Than a Fieldbus
[Figure: Business Systems, Traditional Plant Floor Applications, Real-Time Plant Floor Control Applications and Commercial Technologies (Webpage, FTP, Video/Voice over IP, Email, Wireless, Remote Access, Programming Terminals) converging on one network with Instruments, HMI, Drives, Robots, Controllers, I/O and Devices]
Mix Business, Industrial, and Commercial Technologies to Solve Applications – Plant-wide
Industrial Network Convergence
Continuing Trend
Evolution of industrial Ethernet applications
[Figure: timeline – Information, I/O Control, Safety Applications, Motion Control, Instrumentation, Energy (near future)]
Industrial Network Convergence
EtherNet/IP - Enabling/Driving Convergence of Control and Information
Industrial Network Convergence
Continuing Trend
[Figure: Traditional 3-Tier Industrial Network Model – Corporate Network (Back-Office Mainframes and Servers (ERP, MES, etc.), Office Applications, Internetworking, Data Servers, Storage), Control Network reached through a Gateway (HMI, Controllers, Supervisory Control, Robotics) and Industrial Network (Motors, Drives, Actuators, I/O, Sensors and other Input/Output Devices) – beside the Converged Plantwide Ethernet Industrial Network Model, which places the same systems plus Phone, Camera, Safety Controller and Safety I/O on one converged network]
EtherNet/IP - Enabling/Driving Convergence of Control and Information
Industrial Networks
Continuing Trends
• Open Networks Are In Demand
– Broad availability of products, applications and vendor support for Industrial
Automation and Control System (IACS)
– Network standards for coexistence and interoperability
• Convergence of Network Technologies
– Reduce the number of different networks in an operation and create a seamless
information sharing from the plant floor to the enterprise
– Use common network design and troubleshooting tools across the plant and
enterprise, and avoid special tools for each application
• Better Asset Utilization to Support Lean Initiatives
– Reduce training, support, and inventory for different networking technologies
– Common network infrastructure assets, while accounting for environmental
requirements
• Future Proof – Maximizing Investments
– Support new technologies and features without a network forklift upgrade
Many field device integration options
[Figure: Ethernet (supervisory network) connecting Operator Work Stations, Engineering Work Station, Asset Management and Process Controller to Compact HART I/O, HART Drives, FF H1 segments via FFLDC/FFLD, Profi PA via CN2PA/EN2PA, and Motor Control Centers]
Instrument with EtherNet/IP
• Technical highlights / features
– Dual Ethernet port design (support for ring topology)
– Integrated Webserver and Ethernet switch functionality
– Electronic Data Sheet (EDS file) located in the device
– Configuration within a FDT frame
– Calibration management: planning, calibration and reporting
EtherNet/IP
Industrial Networks – similarities and differences between IT and Plant Floor
IT vs. Industrial Network Requirements
Trend - Industrial and IT Network Convergence
So, what are the similarities and differences?
• Enterprise (IT) Network Requirements
– Internet Protocols
– Wide Area Network (WAN)
– High availability – redundant star topologies
– Latency, jitter, etc.
– Voice, video, data applications
– IP Addressing - dynamic
– Security - pervasive
• Industrial Network Requirements
– Industrial and internet protocols
– Local Area Network (LAN)
– Resiliency – ring topologies are prominent, redundant star topologies are emerging
– Latency, jitter, etc.
– Information, control, safety, synchronization and motion
– IP Addressing – static
– Security – emerging: Open by Default vs. Closed by Configuration
Cultural and Organizational Convergence
Trend - Industrial and IT Network Convergence
Security Policies: IT Network vs. Industrial Network
• Focus – IT Network: Protecting Intellectual Property and Company Assets; Industrial Network: 24/7 Operations, High OEE
• Priorities – IT Network: Confidentiality, Integrity, Availability; Industrial Network: Availability, Integrity, Confidentiality
• Types of Data Traffic – IT Network: Converged Network of Data, Voice and Video; Industrial Network: Converged Network of Data, Control, Information, Safety and Motion
• Access Control – IT Network: Strict Network Authentication and Access Policies; Industrial Network: Strict Physical Access, Simple Network Device Access
• Implications of a Device Failure – IT Network: Continues to Operate; Industrial Network: Could Stop Operation
• Threat Protection – IT Network: Shut Down Access to Detected Threat; Industrial Network: Potentially Keep Operating with a Detected Threat
• Upgrades – IT Network: ASAP, During Uptime; Industrial Network: Scheduled, During Downtime
EtherNet/IP Considerations
Application Requirements
• Information Integration, Slower Process Automation (Process Automation)
– Communication Technology: .Net, DCOM, TCP/IP
– Period: 1 second or longer
– Industries: Oil & gas, chemicals, energy, water
– Applications: Pumps, compressors, mixers, instrumentation
• Time-critical Discrete Automation (Discrete Automation)
– Communication Technology: Industrial Protocols - CIP
– Period: 10 ms to 100 ms
– Industries: Auto, food & beverage, semiconductor, metals, pharmaceutical
– Applications: Material handling, filling, labeling, palletizing, packaging
• Motion Control
– Communication Technology: Hardware and Software solutions, e.g. CIP Motion, PTP
– Period: <1 ms
– Industries: Subset of discrete automation
– Applications: Printing presses, wire drawing, web making, pick & place
Networking Best Practices for Real-Time EtherNet/IP Performance
Networking Best Practices
Best practices for reducing Latency and Jitter, and to increase data Availability, Integrity and Confidentiality
• Robust Physical Layer
• Segmentation
– Structure and Hierarchy – Multi-tier Network Model
– Logical Framework – organization into levels and zones
– Topology
– Virtual LANs (VLANs)
• Resiliency Protocols and Redundant Topologies
• Time Synchronization
• Prioritization - Quality of Service (QoS)
• Multicast Management
• Security - Defense-in-Depth
Logical Framework
Converged Plantwide Ethernet (CPwE) Architectures
[Figure: Layer 3 Distribution Switch above Layer 2 Access Switches in the Cell/Area Zones (Levels 0–2) – Level 2 HMI, Level 1 Controllers, Level 0 Drives and I/O, Media & Connectors; Cell/Area Zone #1 Redundant Star Topology with Flex Links Resiliency; Cell/Area Zone #2 Ring Topology with Resilient Ethernet Protocol (REP); Cell/Area Zone #3 Bus/Star Topology]
Resiliency Protocols and Redundant Topologies
Layer 2 – Loop Avoidance
[Figure: Cell/Area Zone topologies with Controllers, Drives, Distributed I/O and HMI – Redundant Star (Cisco Catalyst 3750 StackWise Switch Stack, Flex Links), Ring (Resilient Ethernet Protocol (REP)), Star/Bus and Linear (Cisco Catalyst 2955)]
Comparison of Redundant Star, Ring and Linear topologies (each rated Best / OK / Worst in the original chart) on:
• Cabling Requirements
• Ease of Configuration
• Implementation Costs
• Bandwidth
• Redundancy and Convergence
• Disruption During Network Upgrade
• Readiness for Network Convergence
• Overall in Network TCO and Performance
Fundamentals of Network Resiliency and Redundancy
Logically Isolate areas of control (VLAN)
Segmentation by Function, not by Location (VLAN)
Clear division of responsibilities can easily be obtained
Control between Subnets
• Controllers communicate to other EtherNet/IP devices via unicast
– Produce & Consume Standard & Safety tags + standard I/O
• Unicast also allows EtherNet/IP communications to span multiple subnets
• Interlocking of remote controllers over the plant infrastructure
• Streamline traffic on the network by allowing one-to-one transmission of EtherNet/IP I/O data, which largely eliminates unwanted multicast traffic
• Layer 3 switching to communicate across VLANs
* Hardware support may vary
Fundamentals of Securing Ethernet Control Networks
Clive Barwise
Networks Business Manager
Rockwell Automation EMEA
@ KROHNE Altometer Nederland B.V.
Kerkeplaat 12
3313 LC DORDRECHT
Agenda
1. Industrial Network Security Trends
2. Defense-in-Depth
3. Secure Remote Access
4. Conclusion – Steps for a secure future
What is security for you
Converged Plantwide Ethernet (CPwE) Architectures
• What do users want from the control system.
• System Performance.
– Do things at the appropriate speed.
• Continuous Operation
– Availability
• Accuracy
– How much did I make
• Privacy of data
– Only select people should have this information
• Freedom for data Access
– Reports on my phone.
– Connect from Home.
• Technology Convergence.
– IT Technologies embedded in the system.
  • Video
  • IP Phones
  • Wireless
[Figure: CPwE reference architecture – Enterprise Zone (Levels 4 and 5: ERP, Email, Wide Area Network (WAN)); Demilitarized Zone (DMZ: Patch Management, Terminal Services, Application Mirror, AV Server; Cisco ASA 5500 Firewalls (Active/Standby) with Gbps Link for Failover Detection); Industrial Zone – Site Operations and Control (Level 3: FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), Data Servers, Remote Access Server, Cisco Catalyst 6500/4500, Catalyst 3750 StackWise Switch Stack, Network Services (DNS, DHCP, syslog server; Network and security mgmt)); Cell/Area Zones (Levels 0–2: Rockwell Automation Stratix 8000 Layer 2 Access Switches with Drives, HMI, Controllers and DIO; Cell/Area #1 Redundant Star Topology with Flex Links Resiliency; Cell/Area #2 Ring Topology with Resilient Ethernet Protocol (REP); Cell/Area #3 Bus/Star Topology)]
Industrial Network Security Trends
Commonly Reported Business Disruptions
• Denial of service
• Worms and viruses
• Application of Security patches
• Sabotage
• Unauthorized actions by vendors
• Unauthorized access
• Unauthorized actions by employees
• Unintended employee actions
• Natural or manmade disaster
• Theft
Unaddressed security risks increase potential for disruption to control system’s uptime and safe operation
Industrial Network Security Trends
Two Critical Elements to Security
• Security is basically two pronged:
– Technical vs. Non-technical
– A balanced Security Program must address both Technical (technology) and Non-Technical (procedures) Elements
[Figure: Technical vs. Non-Technical balance – “one-size-fits-all”]
• Technical controls - Firewalls, Group Policy Objects, Layer 3 ACLs, etc. - provide restrictive measures for non-technical controls
• Non-technical controls - rules for environments, such as policy and procedure, risk management
• Security is only as strong as the weakest link
• Vigilance and Attention to Detail are KEY to the long-term security success
Industrial Network Security Trends
Two Critical Elements to Security
• When a Technical Control is lacking, the non-technical control will only provide so much protection
• When a Non-Technical Control is lacking, the technical control will only provide so much protection
– Example: Firewalls are in place to prevent operators from surfing the web from a control system HMI; however there is no non-technical control in place stating you shouldn’t change the HMI’s network port access to the other side of the firewall
– This exposes a non-technical attack vector (i.e. a social engineering type attack)
– Example: Policy states you should not surf the web from a control system HMI; however there is no technical control in place preventing such access or behavior
– This exposes a technical attack vector (i.e. unauthorized access from non control system elements)
• How much security is enough security?
– The amount of security in a system should rise to meet a corporation’s level of risk tolerance.
– In theory, the more security that is properly designed and deployed in a system, the less risk should remain.
EPIC Security FAIL!
• Failure to follow good design principles may have unintended consequences.
• Safety systems may or may not help, depending on the infrastructure.
Consequences: ICS Network Issues
• ICS Network issues are much more than “data loss” - there are real world, physical consequences
• You cannot fix these “issues” by restoring from backups…
NOTE: This will be deadly
Just because you can…doesn’t always mean you should
Industrial Network Security Trends
Map Evolving Standards
[Figure: timeline of standards bodies – PAST: Industry (NERC, AGA, API, CIDX, AWWA, etc.), NIST, INL, EU Regulations, ISA S99, CIDx, IEC 62443, DHS, EuroSCSIE, NERC, FERC; PRESENT: SmartGrid component, NIST 800, FERC, WW & WW, Rail & Transport; FUTURE: DHS ICS-CERT]
Industrial Network Security Trends
Industry Standards
• International Society of Automation & IEC
– ISA-99
– Industrial Automation and Control System (IACS) Security
– Defense-in-Depth
– DMZ Deployment
• National Institute of Standards and Technology
– NIST 800-82
– Industrial Control System (ICS) Security
– Defense-in-Depth
– DMZ Deployment
• Department of Homeland Security / Idaho National Lab
– DHS INL/EXT-06-11478
– Control Systems Cyber Security: Defense-in-Depth Strategies
– Defense-in-Depth
– DMZ Deployment
Defense-in-Depth
Multiple Layers to Protect the network and Defend the edge
• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors
• Network Security – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
• Computer Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services
• Application Security – authentication, authorization, and audit software
• Device Hardening – change management and restrictive access
[Figure: Defense in Depth Security Model – concentric layers Physical, Network, Computer, Application, Device]
Defense-in-Depth
Physical Security - Examples
• Physical Security Plan — create and maintain a physical security plan (PSP)
• Physical Access Controls - document and implement the operational and procedural controls to manage physical access at all access points to the PSP’s twenty-four hours a day, seven days a week.
– Card Key
– Special Locks
– Security Personnel
– Other Authentication Devices (Biometric, keypad, token, etc)
• Panduit Keyed LC deployments
– Lock-In (left)
– Blockout (right)
– Prevents unintentional moves, adds, and changes
Defense-in-Depth
Computer Hardening - Examples
• Security Patch Management - establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches
– Keep computers up-to-date on service packs and hot fixes
  • Disable automatic updates
  • Check software vendor website
  • Test patches before implementing
  • Schedule patching during downtime
– Deploy and maintain Anti-X (antivirus, antispyware, etc.) and malware detection software
  • Disable automatic updates and automatic scanning
  • Test definition updates before implementing
  • Schedule manually initiated scanning during downtime
• Uninstall unused Windows components
– Protocols and Services
• Protect unused or infrequently used USB, parallel or serial interfaces
Defense-in-Depth
Controller Hardening - Examples
• Physical procedure:
– Restrict control panel access to authorized personnel
– Switch the Logix Controller key to “RUN”
• Electronic design:
– Logix Controller CPU Lock feature
– Logix Controller Source Protection
– Authentication, authorization and audit (AAA) by implementing FactoryTalk Security
– Change Management with disaster recovery: FactoryTalk AssetCentre
Defense-in-Depth
Application Security - Examples
• Primarily AAA
– Authenticate
– Authorize
– Audit
• Reduce Security if
– One Login
  • Computer
  • Network
  • Application
Defense-in-Depth
Network Security
• Comprehensive Network Security Model for Defense-in-Depth
• Security is not a bolt-on component
• Industrial Security Policy
• Implement DMZ
• Engage the experts Network & Security Services team
• Remote/Partner Access Policy, with robust & secure implementation
Network Security Services Must Not Compromise Operations of the Cell/Area Zone
Industrial and IT Network Convergence
Logical Infrastructure Framework
[Figure: Enterprise Security Zone – Level 5 Enterprise Network (E-Mail, Intranet, etc.), Level 4 Site Business Planning and Logistics Network; Firewall; DMZ (Terminal Services, Patch Management, Application Mirror, AV Server, Web Services Operations, Web, E-Mail, CIP Application Server); Firewall; Industrial Security Zone – Level 3 Site Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller), Level 2 Area Supervisory Control (FactoryTalk Clients, Operator Interfaces, Engineering Workstation), Level 1 Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control), Level 0 Process (Sensors, Drives, Actuators, Robots); Cell/Area Zone]
• Network Segmentation
• Demarcation Line for: Security Policies, Quality of Service Policies, Multicast Groups.
Defense-in-Depth
Demilitarized Zone (DMZ)
• Industrial Security Policy
• All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ
• No primary services are permanently housed in the DMZ
• DMZ shall not permanently house data
• Be prepared to “turn-off” access via the firewall
• No control traffic into the DMZ – Industrial Protocols stay at home.
• Application Data Mirror
[Figure: Enterprise Security Zone – Disconnect Point – DMZ (Replicated Services, No Direct Traffic) – Disconnect Point – Industrial Security Zone]
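The DMZ rules above can be checked mechanically during a firewall-rule review. The following Python is an added example, not code from the presentation: it models the Enterprise, DMZ and Industrial zones, encodes the slide's rules (terminate in the DMZ, no control traffic, a disconnect point at the firewall, replicated services only) as a policy and audits a constructed set of flows against it. The zone names, the service allow-list and the EtherNet/IP port numbers are assumptions, not taken from the slide.

```python
"""Policy model of the CPwE DMZ traffic rules (added example, not from the slides)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ENTERPRISE, DMZ, INDUSTRIAL = "enterprise", "dmz", "industrial"

# Standard EtherNet/IP ports: TCP/UDP 44818 explicit messaging, UDP 2222 implicit I/O.
# These are well-known values; the slide names the protocols but not the ports.
CONTROL_PORTS: Set[Tuple[str, int]] = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Assumed allow-list of the replicated services the DMZ offers to each side. The slide
# names the services (Terminal Services, Application Mirror); the port mapping is assumed.
DMZ_SERVICES: Dict[str, Set[Tuple[str, int]]] = {
    ENTERPRISE: {("tcp", 443), ("tcp", 3389)},   # HTTPS to the mirror, RDP to terminal services
    INDUSTRIAL: {("tcp", 443)},                  # mirror replication pushed up from Level 3
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


@dataclass
class DmzPolicy:
    # "Be prepared to turn off access via the firewall": the enterprise-side disconnect point.
    enterprise_connected: bool = True

    def evaluate(self, f: Flow) -> Tuple[bool, str]:
        """Return (permitted, reason) for one flow under the slide's DMZ rules."""
        # All traffic from either side terminates in the DMZ; nothing traverses it end to end.
        if DMZ not in (f.src_zone, f.dst_zone):
            return False, "traffic must terminate in the DMZ, not traverse it"
        # Industrial protocols stay at home: no control traffic into (or out of) the DMZ.
        if (f.proto, f.dport) in CONTROL_PORTS:
            return False, "no control traffic through the DMZ"
        # The enterprise disconnect point has been pulled at the firewall.
        if not self.enterprise_connected and ENTERPRISE in (f.src_zone, f.dst_zone):
            return False, "enterprise access turned off at the firewall"
        # The DMZ only offers replicated services, and only those on the allow-list.
        if f.dst_zone == DMZ:
            if (f.proto, f.dport) in DMZ_SERVICES.get(f.src_zone, set()):
                return True, "replicated DMZ service"
            return False, "service not offered by the DMZ"
        # Default deny for sessions the DMZ would open itself: it houses no primary
        # services and no data, so it has nothing to push (assumption for the example).
        return False, "DMZ does not initiate sessions"


def audit(policy: DmzPolicy, flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return the flows the policy denies, each with the rule that denied it."""
    denied = []
    for f in flows:
        ok, why = policy.evaluate(f)
        if not ok:
            denied.append((f, why))
    return denied


# Constructed sample conversations, as a firewall log or rule-review sheet might list them.
SAMPLE_FLOWS = [
    Flow(ENTERPRISE, DMZ, "tcp", 3389),          # RDP to terminal services: allowed
    Flow(ENTERPRISE, DMZ, "tcp", 443),           # HTTPS to the application mirror: allowed
    Flow(INDUSTRIAL, DMZ, "tcp", 443),           # mirror replication from Level 3: allowed
    Flow(ENTERPRISE, INDUSTRIAL, "tcp", 44818),  # CIP straight through to a controller: denied
    Flow(ENTERPRISE, DMZ, "udp", 2222),          # implicit I/O into the DMZ: denied
    Flow(DMZ, INDUSTRIAL, "tcp", 44818),         # DMZ host opening a CIP session: denied
]

if __name__ == "__main__":
    for flow, reason in audit(DmzPolicy(), SAMPLE_FLOWS):
        print(f"DENY {flow.src_zone}->{flow.dst_zone} {flow.proto}/{flow.dport}: {reason}")
```

Flipping `enterprise_connected` to `False` models the disconnect point: enterprise-side flows are refused while the industrial-side replication into the DMZ continues.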
Secure Remote Access
Solution is Application Driven
• Industrial application within a greater Enterprise
– Larger manufacturer with production (industrial) and business (IT) systems integration
– Requirements
  • IT presence, defense-in-depth requirement, alignment with Industrial Security Standards
– Recommended Solution
  • Rockwell Automation & Cisco Secure Remote Access solution, Rockwell Automation Network and Security Services
[Figure: Remote Site (Plant Engineer, Machine Builder, System Integrator) reaching Enterprise Systems and Plantwide Systems over the WAN]
Secure Remote Access
Converged Plantwide Ethernet (CPwE) Architectures
• Logical framework
• Industrial and IT network convergence
• Hierarchical segmentation
– Scalability
– Resiliency
– Traffic management
– Policy enforcement
• Security policies
– Defense-in-depth
• Secure remote access
[Figure: the CPwE reference architecture shown earlier – Enterprise Zone (Levels 4 and 5), DMZ with Cisco ASA 5500 firewalls (Active/Standby), Industrial Zone Site Operations and Control (Level 3) with FactoryTalk servers, Remote Access Server, Catalyst switches and Network Services, and Cell/Area Zones (Levels 0–2) with Stratix 8000 access switches in redundant star, ring and bus/star topologies]
Secure Remote Access
CPwE - Solution
• Secure remote access for employees and trusted partners such as machine builders and system integrators
• Meeting the security requirements of IT while enabling manufacturers to leverage shared, distributed company resources and trusted partners
• Management of assets – monitor, configure and audit
• Simplifies change management, version control, regulatory compliance, and software license management
• Network and application authentication and authorization
• Simplifies remote client health management
[Figure: Remote Engineer or Partner with Cisco VPN Client over the Internet (IPSEC VPN) to the Enterprise Edge Firewall and Enterprise Data Center (Enterprise Zone, Levels 4 and 5); Enterprise Connected Engineer over the Enterprise WAN; SSL VPN / HTTPS to the Cisco ASA 5500 firewalls (Active/Standby, Gbps Link for Failover Detection) in the DMZ (Patch Management, Terminal Services, Application Mirror, AV Server); Remote Desktop Protocol (RDP) to the Remote Access Server (RSLogix 5000, FactoryTalk View Studio) in the Industrial Zone Site Operations and Control (Level 3) beside the FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), Data Servers, Catalyst 6500/4500 and Catalyst 3750 StackWise Switch Stack; EtherNet/IP into the Cell/Area Zones (Levels 0–2)]
Secure Remote Access
CPwE - Solution
1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall
2. Portal on plant firewall enables access to industrial application data and files
3. Firewall proxies a client session to remote access server
4. Access to applications on remote access server is restricted to specified plant floor resources through industrial application security
– Intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host
[Figure: the CPwE remote-access diagram above, built up one step at a time over four slides – IPSEC VPN from the Remote Engineer or Partner through the Enterprise Edge Firewall, SSL VPN / HTTPS to the Cisco ASA 5500 in the DMZ, RDP to the Remote Access Server at Level 3, EtherNet/IP into the Cell/Area Zones]
SECURITY IN SUMMARY
Reviewing the lessons, application to the future and verification of success
Steps to Increasing Security
1. Create a Program
NOTE: This is different from an Enterprise Security Program.
“Programs” drive accountability, action and responsibility.
Steps to Increasing Security (cont)
2. Know what you have in your process
• Every control system event must be coded. EVERY ONE!
• This means that almost every network event can be predicted
– Some exceptions, like ARP, NetBIOS traffic, etc.
• If it can be predicted, it can be whitelisted and authorized via tiered firewall rule sets and layer 3 access control lists (ACLs)
• If these can be whitelisted, other network events can be tuned for disclosure in intrusion detection and prevention systems (IDS/IPS)
Knowing what you have in your process allows for the creation of a defensible network architecture and response posture
REMEMBER: Security is about variable management.
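The following Python is an added example, not code from the ODVA/Rockwell deck. It turns step 2 ("if it can be predicted, it can be whitelisted") into something a practitioner can run: every predicted flow, including each hop of the CPwE secure remote access path from the earlier slide (VPN client to plant DMZ firewall, firewall to remote access server, remote access server to a named plant resource), becomes an explicit allow rule; the deck's ARP/NetBIOS exceptions become a separate tolerated category; and everything left over is what the IDS/IPS should be tuned to disclose. The same rules are rendered as a Cisco IOS-style extended ACL. All subnets, host addresses, the application port 8443 and the flow records are constructed sample values (assumptions for the example); only the EtherNet/IP ports 44818/tcp and 2222/udp and the NetBIOS ports 137/138 are real protocol ports.

```python
"""Flow allowlisting for a plant network (added example, not from the deck).

Every subnet, host address and flow record below is a constructed sample
value, not an address from the presentation.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List, Tuple


def host(addr: str) -> IPv4Network:
    """A single-host /32 network, so hosts and subnets share one type."""
    return ip_network(addr + "/32")


# Constructed zone addressing (assumption: RFC 1918 ranges invented here).
VPN_POOL = ip_network("10.200.0.0/24")      # remote engineers' VPN clients
DMZ_FIREWALL = host("10.100.0.1")           # plant DMZ firewall / SSL portal
REMOTE_ACCESS_SERVER = host("10.100.0.10")  # RAS in the DMZ, reached over RDP
PLANT_APP_SERVER = host("10.10.0.20")       # the one Level 3 server the RAS may reach
SITE_OPS = ip_network("10.10.0.0/24")       # Level 3, site operations and control
CELL_AREA = ip_network("192.168.1.0/24")    # Levels 0-2, controllers and I/O
BROADCAST = host("255.255.255.255")


@dataclass(frozen=True)
class Flow:
    """One connection record as a firewall or flow collector would log it."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dport: int

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto and flow.dport == self.dport
                and ip_address(flow.src) in self.src
                and ip_address(flow.dst) in self.dst)


# Predicted, authorized flows. Each hop of the remote-access path is its own
# rule: a VPN client reaches only the DMZ portal, only the firewall opens RDP
# to the RAS, and the RAS reaches only the named plant server.
ALLOW: List[Rule] = [
    Rule("vpn-to-dmz-portal", VPN_POOL, DMZ_FIREWALL, "tcp", 443),
    Rule("portal-to-ras-rdp", DMZ_FIREWALL, REMOTE_ACCESS_SERVER, "tcp", 3389),
    Rule("ras-to-app-server", REMOTE_ACCESS_SERVER, PLANT_APP_SERVER, "tcp", 8443),  # constructed port
    Rule("ops-to-cell-cip-explicit", SITE_OPS, CELL_AREA, "tcp", 44818),  # EtherNet/IP explicit messaging
    Rule("cell-cip-implicit-io", CELL_AREA, CELL_AREA, "udp", 2222),       # EtherNet/IP implicit I/O
]

# The deck's exceptions: chatter that cannot be predicted per host. ARP is
# layer 2 and never appears in an IP flow record; NetBIOS broadcasts do.
# Tolerated, but never counted as authorized traffic.
KNOWN_NOISE: List[Rule] = [
    Rule("netbios-ns-broadcast", SITE_OPS, BROADCAST, "udp", 137),
    Rule("netbios-dgm-broadcast", SITE_OPS, BROADCAST, "udp", 138),
]


def classify(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, rule name). 'unexpected' flows are the ones the
    IDS/IPS should be tuned to disclose, since everything predicted is listed."""
    for rule in ALLOW:
        if rule.matches(flow):
            return "authorized", rule.name
    for rule in KNOWN_NOISE:
        if rule.matches(flow):
            return "known-noise", rule.name
    return "unexpected", "-"


def _acl_addr(net: IPv4Network) -> str:
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # subnet + wildcard mask


def ios_acl(rules: Iterable[Rule], name: str = "PLANT-ALLOWLIST") -> List[str]:
    """Render rules as a Cisco IOS-style named extended ACL (illustrative
    syntax; adapt to the firewall actually deployed). The final deny is
    written out and logged so unpredicted traffic is disclosed, not dropped silently."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        lines.append(f" permit {r.proto} {_acl_addr(r.src)} {_acl_addr(r.dst)} eq {r.dport}")
    lines.append(" deny ip any any log")
    return lines


# Constructed flow records. The last two are a VPN client trying to skip the
# DMZ hops: straight to a controller, and straight to the RAS.
SAMPLE_FLOWS = [
    Flow("10.200.0.15", "10.100.0.1", "tcp", 443),
    Flow("10.100.0.1", "10.100.0.10", "tcp", 3389),
    Flow("10.100.0.10", "10.10.0.20", "tcp", 8443),
    Flow("10.10.0.5", "192.168.1.40", "tcp", 44818),
    Flow("192.168.1.40", "192.168.1.41", "udp", 2222),
    Flow("10.10.0.5", "255.255.255.255", "udp", 137),
    Flow("10.200.0.15", "192.168.1.40", "tcp", 44818),
    Flow("10.200.0.15", "10.100.0.10", "tcp", 3389),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, rule = classify(f)
        print(f"{f.src:>15} -> {f.dst:<15} {f.proto}/{f.dport:<5} {verdict:<11} {rule}")
    print("\n".join(ios_acl(ALLOW)))
```

The point of splitting the remote-access path into three rules rather than one "VPN pool to plant" rule is visible in the last two sample flows: both use ports that are legitimately open somewhere in the architecture, yet neither matches a predicted hop, so both land in the "unexpected" bucket that the IDS/IPS and the logged deny line are there to surface.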
Steps to Increasing Security (cont)
3. Harden your endpoints
• Enable the security features of products implemented in the environment!
• Configure what you already have in the environment
– Most Microsoft Windows platforms now support firewalls. Use them.
– Enable Infrastructure & Application security features (Active Directory features, etc.)
– Enable Control System software and hardware security features (key switch, etc.)
• Through the processes created in the Industrial Control System Security Program (see step 1), maintain the ICS life cycle by enacting:
– Endpoint Protection updates (patches, virus definitions, host IDS/IPS signatures, etc.)
– Change and Configuration management
Variables: Good guys need to manage all of them.
The bad guys only need one variable for compromise…
Steps to Increasing Security (cont)
4. Audit the Environment
Design/Implementation Audits
• Configuration audits to verify end states conform to the Conceptual and Detailed Design projects
• Very important as “things change” during implementation
Safety Audits
• Many times required by regulation – now part of the common “culture”
Security Audits
• Many times required by regulation (depending on industry)
• Ensures proper security management going forward (e.g. hire/fire procedures, governance and security programs, etc.)
• Security should be and will be part of the common “culture”
Steps to Increasing Security (cont)
5. Monitor the Systems
SI VIS PACEM, PARA BELLUM
If you wish for peace, prepare for war.
• Infrastructure: double-edged sword
– The path an attack travels (vector)
– Greatest asset in digital protection (mitigation)
• Many Commercial & FOSS packages available to assist
– Multi-Tier and Distributed UTM and Intrusion Detection/Prevention Systems
– Distributed packet capture, Syslog, SNMP, Nagios and various management apps
If you wish for a stable, secure network, prepare for the day your network completely falls apart, fails, and turns against you.
Complacency Kills: 100% Vigilance is REQUIRED
The End…for now…
• Go Beyond Defense-in-Depth: no single methodology nor technology fully secures industrial networks.
• This is a people problem too!
– Industrial Control Systems Security Programs are uniquely different from Enterprise Security Programs
– Work with a security expert Services team and establish an open dialog between Manufacturing and IT
Industrial Network Security
Design and Implementation Considerations
• Implement Defense-in-Depth approach: no single product, methodology, nor technology fully secures industrial networks
• Align with Industrial Automation and Control System Security Standards
– DHS External Report # INL/EXT-06-11478, NIST 800-82, ISA-99
• Establish an open dialog between Industrial and IT groups
• Establish an Industrial security policy, unique from enterprise security policy
• Establish a DMZ between the Enterprise and Industrial Zones
• Keep FactoryTalk applications and Services Platform within the Industrial Zone
• Deploy a methodology and/or procedure to buffer production data to and from the Enterprise Zone in the event DMZ connectivity is disrupted
• Work with your vendor Network and Security Services team
Additional Material
ODVA
• Website:
– http://www.odva.org/
• Media Planning and Installation Manual
– http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00148R0_EtherNetIP_Media_Planning_and_Installation_Manual.pdf
• Network Infrastructure for EtherNet/IP: Introduction and Considerations
– http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00035R0_Infrastructure_Guide.pdf
• Device Level Ring
– http://www.odva.org/Portals/0/Library/CIPConf_AGM2009/2009_CIP_Networks_Conference_Technical_Track_Intro_to_DLR_PPT.pdf
• The CIP Advantage
– http://www.odva.org/default.aspx?tabid=54
Fundamentals of EtherNet/IP Networking
Additional Material
Cisco and Rockwell Automation Alliance
• Website
– http://www.ab.com/networks/architectures.html
• Design Guides
– CPwE DIG 2.0
• Education Series
• Whitepapers
– Securing Manufacturing Computer and Controller Assets
– Production Software within Manufacturing Reference Architectures
– Achieving Secure Remote Access to Plant Floor Applications and Data
Additional Material
Cisco and Rockwell Automation Alliance
• Education Series Webcasts
– The Trend - Network Technology and Cultural Convergence
– What every IT professional should know about Plant Floor Networking
– What every Plant Floor Controls Engineer should know about working with IT
– Industrial Ethernet: Introduction to Resiliency
– Fundamentals of Secure Remote Access for Plant Floor Applications and Data
– Securing Architectures and Applications for Network Convergence
– Available Online
• http://www.ab.com/networks/architectures.html
Questions?