W16 - Fundamentals of Securing Ethernet/IP Networks

Fundamentals of Securing EtherNet/IP Networks
Jason Dely, CISSP, Principal Security Consultant
Jeffrey Shearer, CISSP, PMP, Principal Security Consultant
November 7, 2012
Copyright © 2012 Rockwell Automation, Inc. All rights reserved.
Agenda and Topic List
• Changing Landscape of Industrial Automation
• Layered Security & Defense in Depth for ICS
• Design-for-Security
• Incident Response and Vulnerability Management
• Security in the Integrated Architecture
• Network & Security Services (NSS)
• Call to Action & Open Discussion
Evolving Landscape
Themes of a contemporary world
• Interconnected, networked digital devices
• Complex systems needing unfettered access to data
• Security risks and new threat-actors are very real
• Security breaches are becoming the "norm"
Themes of Industrial Control Systems (ICS)
• Systems are increasingly complex and interconnected
• ICS "data" spans both information and control
• Targeted attacks against Control Systems are a reality
Consistent Concerns and Desires
• Design and maintain a system resilient to attacks
• Comply with emerging standards and legislation
• Protect what is important…
Risks and Threats to Networked Systems
Risks and threats to networked systems (figure):
• Application of security patches
• Natural or man-made disasters
• Worms and viruses
• Theft
• Sabotage
• Unauthorized access
• Denial of Service
• Unauthorized actions by employees
• Unauthorized remote access
• Unintended employee actions
Unaddressed security risks increase the potential for disruption to system uptime and safe operation.
Why is Industrial Security critical?
• Industrial Ethernet is established.
• Convergence of Manufacturing and Enterprise systems is a reality.
• Stand-alone control systems are quickly disappearing.
  (Source: ARC Survey of Control System Engineers 2009)
• Remote Access is essential
  - Internal: from the business system to the factory
  - External: for monitoring and maintenance
Industrial Control Systems are part of the Enterprise and no longer islands of automation.
Government Attention to ICS Security
Sectors named in Homeland Security Presidential Directive 7 (HSPD 7):
• Energy & Power Distribution
• Chemical & Refineries
• Defense
• Transportation
• Water/Wastewater
• Critical Manufacturing
Attacks on critical infrastructure could significantly disrupt the functioning of government and business alike.
Our Focus on Industrial Security
Reduce risks to safe and reliable operation
…Control system architecture with layered security to help maintain operational integrity under threat
Protect assets & information
…Product and system features to help control access, tamper-proof and limit information exposure. Focus areas (figure): Data Protection and Confidentiality, Network, Remote Access, Partners, IP Protection, Role-based Security, Anti-Tamper and Detection, Supply-chain Protection
Government and Standards Alignment
…Responsible disclosure with control system solutions that follow global standards and help fulfill independent & regulatory security requirements
What is Industrial Security?
The use of proven technologies, policies & procedures to…
• Reduce risks associated with unintended or malicious actions
• Improve ability to be free from danger, injury or loss
• Enhance protection of key assets from disruption, loss or damage
• Protect & limit potential exposure or damage to key assets
RISK = Threat × Vulnerability × Consequence
Protection of People, Property & Proprietary Information from unintended or malicious actions taken against them
Ways to address risk
AS A QUICK REVIEW…
There are four ways to deal with risk:
1. Risk Mitigation – address it head on
2. Risk Acceptance – i.e. the Risk Tautology (it is what it is)
3. Risk Transference – i.e. insurance
4. Risk Avoidance – Project X is risky… let's not do Project X
Two Critical Elements to Security
A corporation's risk tolerance level is often a "fuzzy gray line" (figure: a scale from Risk Averse to Risk Friendly, with both Non-Technical and Technical attack vectors).
• How much security is enough security?
• The amount of security in a system should rise to meet a corporation's level of risk tolerance.
• In theory, the more security that is properly designed and deployed in a system, the less risk should remain.
Global Security Standards
ISA99 and IEC 62443
ISA99: over 260 members from more than 200 companies
• The ISA99 Committee has aligned the S99 standard with IEC conventions
  - Allows fast-track acceptance as a global standard
  - Minimal modifications made for international acceptance
• IEC is adopting the work of ISA99 as the global security standard IEC 62443
IEC 62443 parts:
• Part 1-1 TS: Terminology, concepts and models (Published)
• Part 1-3: System security compliance metrics (Draft)
• Part 2-1: Establishing an industrial automation and control system security program (Published)
• Part 2-3: Patch management in the IACS environment (Proposed)
• Part 2-4: Certification of IACS supplier security policies and practices (Proposed)
• Part 3-1 TR: Security technologies for industrial automation & control systems (Published)
• Part 3-2: Security assurance levels for zones and conduits (Draft)
• Part 3-3: System security requirements and security assurance levels (Draft)
• IEC is evaluating WIB 2.0 Supplier security policies and practices for IEC 62443-2-4 (in progress)
Industrial Security Trends
Logical Model (figure)
Enterprise Security Zone:
• Level 5: Enterprise Network
• Level 4: Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
Firewall
DMZ: Terminal Services Gateway, Patch Management, Application Mirror, AV Server, Web Services Operations, Web/E-Mail/CIP Application Server
Firewall
Industrial Security Zone:
• Level 3: Site Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, FactoryTalk Client, Remote Access Server)
Cell/Area Zone:
• Level 2: Area Supervisory Control (Operator Interface, FactoryTalk Client, Engineering Workstation)
• Level 1: Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control)
• Level 0: Process (Sensors, Drives, Actuators, Robots)
Industrial Security Trends
Established Industrial Security Standards
• International Society of Automation: ISA-99
  - Industrial Automation and Control System (IACS) Security
  - Defense-in-Depth
  - DMZ Deployment
• National Institute of Standards and Technology: NIST 800-82
  - Industrial Control System (ICS) Security
  - Defense-in-Depth
  - DMZ Deployment
• Department of Homeland Security / Idaho National Lab: DHS INL/EXT-06-11478
  - Control Systems Cyber Security: Defense-in-Depth Strategies
  - Defense-in-Depth
  - DMZ Deployment
Our Approach to Industrial Security
A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.
• Layered Security Model: shield potential targets behind multiple levels of protection (Physical, Network, Computer, Application, Device) to reduce security risks
• Defense in Depth: use multiple security countermeasures to protect the integrity of components or systems
• Openness: consideration for participation of a variety of vendors in our security solutions
• Flexibility: able to accommodate a customer's needs, including policies & procedures
• Consistency: solutions that align with Government directives and Standards Bodies
Networking Design Considerations
Recommendations and guidance to help reduce latency and jitter, to help increase data availability, integrity and confidentiality, and to help design and deploy a robust, secure and future-ready EtherNet/IP network infrastructure:
• Robust Physical Layer
• Segmentation
• Resiliency Protocols and Redundant Topologies
• Time Synchronization
• Prioritization - Quality of Service (QoS)
• Multicast Management
• Convergence-Ready Solutions
• Security - Defense-in-Depth
• Scalable Secure Remote Access
Security Considerations in Converged
Plantwide Ethernet (CPwE) Architectures
• Logical framework
• Industrial and IT network convergence
• Hierarchical segmentation
  - Scalability
  - Resiliency
  - Traffic management
  - Policy enforcement
• Access Controls
• Security policies
  - Defense-in-depth
Reference architecture (figure):
• Enterprise Zone (Levels 4 and 5): ERP, Email, Wide Area Network (WAN)
• Demilitarized Zone (DMZ) between active and standby Cisco ASA 5500 firewalls (Gbps link for failover detection): Patch Management, Terminal Services, Application Mirror, AV Server
• Industrial Zone, Site Operations and Control (Level 3): Cisco Catalyst 6500/4500 and Catalyst 3750 StackWise switch stack; FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager); FactoryTalk Services Platform (Directory, Security/Audit); Data Servers; Remote Access Server; Network Services (DNS, DHCP, syslog server; network and security management)
• Cell/Area Zones (Levels 0–2) on Rockwell Automation Stratix 8000 Layer 2 access switches: Cell/Area #1, redundant star topology with Flex Links resiliency; Cell/Area #2, ring topology with Resilient Ethernet Protocol (REP); Cell/Area #3, bus/star topology; each containing controllers, HMIs, drives and distributed I/O (DIO)
Defense-in-Depth Security
• Comprehensive Network Security Model for Defense-in-Depth
• Security is not a bolt-on component
• Industrial Security Policy
• Implement DMZ
• Network & Security Services
• Remote access policy with robust & secure implementation
Security Design – the Attributes
• Principle of Least Route (PoLR)
  - The Principle of Least Privilege applies to application/user-level system access
  - PoLR applies to network connectivity restriction or "reachability"
  - This means small subnets and ACLs (subnet = /29 or /28)
• Security Domain Segmentation is required (i.e. DMZs).
• VLANs are for managing traffic, not security.
• Monitoring is REQUIRED
  - Revisits the IDS/IPS argument
  - Is IDS sufficient?
  - Is IPS appropriate for the ICS environment? Interior? Fringe?
• Don't forget Microsoft: IPsec Filters via GPO, netsh, WF/ICS, WMIC, PowerShell, etc.
Design for Security approach
Cycle (figure): Specifications → Audits & Gaps → Enhance & Improve → Resiliency & Robustness
Vulnerability Assessment
• Review coding practices
• Firmware/patch update behavior
• Password policy (i.e. no defaults, expiration)
• Open TCP/UDP ports (traffic mapping)
• Server hardening practices
• SNMP policy/usage
• Principle of Least Route
• Protocol compliance
• Preparation for compliance with ISA99 / IEC 62443
• Evolving specifications… v1.0 → v2.0
• Impacts to disrupted operations at runtime
Component Level Risk Assessment
• Anti-tamper capabilities
  - Physical security (controller key switch)
  - CPU Lock (unauthorized access)
  - Read/Write Tags
  - Defined Constants (Persistent Tags)
• Authorization & Authentication
  - Role Based Access Control
  - System from Vendor of choice
  - Integration with Microsoft Active Directory (AD)
  - Main Controller Function Blocks are not user accessible
• IP & Know-how Protection
  - Source code
  - Custom routines
  - Firmware signing
  - Authenticity
Patch Management
• Are you following a structured process for patch management for your control system equipment?
• Where do you learn about the availability of new patches?
• How do you build confidence that a patch is going to work and not disrupt your system when applied?
Microsoft Patch Management
Microsoft Patch Qualification for Rockwell Automation software*
Whitepaper: Why patch your computers?
*TechConnect support contract required
http://rockwellautomation.custhelp.com/app/answers/detail/a_id/35530
Change Control / Disaster Recovery
*Note: this is a representative example.
• Uncontrolled (and controlled) change can disrupt the integrity and availability of a system.
• All components of a system must be controlled.
• How do you protect yourself from change?
• Do you have a solid backup and disaster recovery strategy?
Scalable Secure Remote Access
Solution is application driven. It's about policy, procedures and scalability. One size does not fit all.
Stand-alone application (figure: Remote Site with Plant Engineer, Machine Builder, System Integrator → WAN → Security Appliance / WAN Router → Plant Site)
• Example: small manufacturer with few automated machines
• Requires: little to no IT, no alignment with Industrial Security Standards
• Recommended Solution: stand-alone security appliance
Industrial application within a greater Enterprise (figure: Remote Site → WAN → Enterprise Systems → Plantwide Systems)
• Example: larger manufacturer with production (industrial) and business (IT) systems integration
• Requires: IT presence, defense-in-depth requirement, alignment with Industrial Security Standards
• Recommended Solution: Rockwell Automation & Cisco Secure Remote Access solution, Rockwell Automation Network and Security Services
Product-level Security
• Source protection and high-integrity AOIs
• Data access control
• Trusted slot designation
• Authentication and authorization for user access control (Security Authority: Domain Controller and/or FactoryTalk Directory)
• Security server validation at controller level
• Controller change detection
• Firmware digital signatures
Responding to Risks and Threats
Process (figure): RECEIVE → EVALUATE & ASSESS → MITIGATE & REMEDIATE → CLOSE, with Communications throughout
• Legal, PR, product & security experts
• Coordination with government agencies
• Commands highest internal priority
Executing the plan
Timeline (figure): RSLogix 5000 and FactoryTalk Services (RNAutility.dll); Sept 13, Sept 16, Sept 27, Oct 5; individual FTSP patches released
Security Advisory Index
Vulnerabilities, Advisories and Disclosures
• We expect them.
• We plan for them.
• We work to avoid them.
• We support our customers.
https://rockwellautomation.custhelp.com/app/utils/create_account
Security Launch & Landing Pad
http://rockwellautomation.com/security
Resources (figure): Security Resources; Assessment Services; Security Technology with Security Technotes; Security FAQ; MS Patch Qualification; Security Services; Reference Architectures; Leadership & Standards; Knowledgebase; Pretty Good Privacy (PGP) Public Key
Steps to Increasing Security
1. Create a Program
NOTE: This is different from an Enterprise Security Program.
“Programs” drive accountability, action and responsibility.
Steps to Increasing Security (cont.)
2. Know what you have in your process
• Every control system event must be coded. EVERY ONE!
• This means that almost every network event can be predicted
  - Some exceptions, like ARP, NetBIOS traffic, etc.
• If it can be predicted, it can be whitelisted and authorized via tiered firewall rule sets and layer 3 access control lists (ACLs)
• If these can be whitelisted, other network events can be tuned for disclosure in intrusion detection and prevention systems (IDS/IPS)
Knowing what you have in your process allows for the creation of a defensible network architecture and response posture
REMEMBER: Security is about variable management.
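The "know what you have" step above and the Principle of Least Route from the Security Design attributes (small subnets, /29 or /28, plus ACLs) can be exercised together as a flow whitelist check. This is an added example and not part of the Rockwell Automation deck: the /29 Cell/Area Zone, the device addresses and the flow-log lines are constructed, and the only real values are the standard EtherNet/IP ports (TCP/44818 for explicit CIP messaging, UDP/2222 for implicit I/O).

```python
"""Flow whitelist for one EtherNet/IP Cell/Area Zone (added example).
Coded, predictable flows are allowed; known chatter is noted; everything
else is an alert for IDS review. All addresses and log lines are constructed."""
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed /29 (PoLR: small subnet): controller, two DIO adapters, HMI
# and the switch SVI fit, leaving almost no room for an unplanned host.
CELL_SUBNET = ipaddress.ip_network("10.20.30.0/29")

# The coded process traffic. EtherNet/IP uses TCP/44818 for explicit (CIP)
# messaging and UDP/2222 for implicit I/O; the Level 3 engineering
# workstation 10.20.40.10 is the only permitted cross-subnet source.
EXPECTED_FLOWS = {
    Flow("10.20.30.2", "10.20.30.3", "udp", 2222),    # controller -> DIO #1
    Flow("10.20.30.2", "10.20.30.4", "udp", 2222),    # controller -> DIO #2
    Flow("10.20.30.5", "10.20.30.2", "tcp", 44818),   # HMI -> controller
    Flow("10.20.40.10", "10.20.30.2", "tcp", 44818),  # eng. workstation -> controller
}
# Chatter the deck lists as exceptions: NetBIOS name/datagram service is logged, not alerted.
NOISE_PORTS = {("udp", 137), ("udp", 138)}

def classify(flow):
    """Return 'allow', 'noise' or an 'alert:*' label for one observed flow."""
    if flow in EXPECTED_FLOWS:
        return "allow"
    if (flow.proto, flow.dport) in NOISE_PORTS:
        return "noise"
    src_in = ipaddress.ip_address(flow.src) in CELL_SUBNET
    dst_in = ipaddress.ip_address(flow.dst) in CELL_SUBNET
    if dst_in and not src_in:
        return "alert:unplanned-reachability"   # host outside the /29 reached the cell
    if src_in and not dst_in:
        return "alert:unplanned-egress"         # cell device talking outward
    return "alert:unplanned-intra-cell"         # unexpected service inside the cell

def parse_line(line):
    """Parse a constructed flow-log line: '<timestamp> <src> <dst> <proto> <dport>'."""
    _ts, src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def review(lines):
    """Classify every log line; return (alert list, verdict counts)."""
    alerts, counts = [], Counter()
    for line in lines:
        if not line.strip():
            continue
        flow = parse_line(line)
        verdict = classify(flow)
        counts[verdict.split(":")[0]] += 1
        if verdict.startswith("alert"):
            alerts.append((verdict, flow))
    return alerts, counts

# Constructed sample flow log, as a switch SPAN or flow collector might export it.
SAMPLE_LOG = """\
2012-11-07T10:00:01 10.20.30.5 10.20.30.2 tcp 44818
2012-11-07T10:00:01 10.20.30.2 10.20.30.3 udp 2222
2012-11-07T10:00:02 10.20.30.2 10.20.30.4 udp 2222
2012-11-07T10:00:02 10.20.30.5 10.20.30.7 udp 137
2012-11-07T10:00:03 10.20.40.10 10.20.30.2 tcp 44818
2012-11-07T10:00:05 10.20.50.77 10.20.30.2 tcp 44818
2012-11-07T10:00:06 10.20.30.5 10.20.30.2 tcp 80
2012-11-07T10:00:07 10.20.30.3 10.20.99.1 udp 53
""".splitlines()

if __name__ == "__main__":
    found, totals = review(SAMPLE_LOG)
    print(dict(totals))                     # {'allow': 4, 'noise': 1, 'alert': 3}
    for verdict, f in found:
        print(f"{verdict}: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

The three alerts are exactly the cases the deck wants surfaced: a host from another subnet reaching the controller, a cell device opening a service nobody coded (TCP/80), and a DIO adapter calling out of the cell.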
Steps to Increasing Security (cont.)
3. Harden your endpoints
• Enable the security features of products implemented in the environment!
• Configure what you already have in the environment
  - Most Microsoft Windows platforms now support firewalls. Use them.
  - Enable Infrastructure & Application security features (Active Directory features, etc.)
  - Enable Control System software and hardware security features (key switch, etc.)
• Through the processes developed, maintain the ICS life cycle by enacting:
  - Endpoint Protection updates (patches, virus definitions, host IDS/IPS signatures, etc.)
  - Change and Configuration management
Variables: the good guys need to manage all of them. The bad guys only need one variable for compromise…
Steps to Increasing Security (cont.)
4. Audit the Environment
Design/Implementation Audits
• Configuration audits to verify end states conform to the Conceptual and Detailed Design projects
• Very important as "things change" during implementation
Safety Audits
• Many times required by regulation – now part of the common "culture"
Security Audits
• Many times required by regulation (depending on industry)
• Ensures proper security management going forward (i.e. hire/fire procedures, governance and security programs, etc.)
• Security should be and will be part of the common "culture"
Steps to Increasing Security (cont.)
5. Monitor the Systems
Si vis pacem, para bellum: if you wish for peace, prepare for war.
• Infrastructure: a double-edged sword
  - The purveyance of an attack (vector)
  - The greatest asset in digital protection (mitigation)
• Many commercial & FOSS packages are available to assist
  - Multi-tier and distributed UTM and Intrusion Detection/Prevention Systems
  - Distributed packet capture, Syslog, SNMP, Nagios and various management apps
If you wish for a stable, secure network, prepare for the day your network completely falls apart, fails, and turns against you.
Complacency Kills – 100% Vigilance is REQUIRED
Consulting Project Services
Security Program Development
The Network & Security Services (NSS) consulting team provides industry expertise & insight, and supporting leadership guidance to design and create a complete security deployment plan.
Layers addressed (figure): Physical, Network, Computer, Application, Device; Security Services; Perimeter Enforcement; Device Security
For help with design and deployment of security programs or response to security incidents:
• Security Program Development & Deployment
• Security Incident Response
Reviewing customer IT security policy is part of the process: IT Policies are used, adapted or enhanced to fit manufacturing needs.
Network & Security Services Line Card
Assess
  NETWORKS: Design Assessment; Onsite Assessment (General, Comprehensive)
  SECURITY: Policy, Design and Onsite Assessment (Operational, Risk, Vulnerability)
Plan / Design
  NETWORKS: Network Design Development; Network Migration Development; Network Standards Development
  SECURITY: Security Program Development (Security Policy Development, Security Design Development, Business Continuity Planning)
Implement
  NETWORKS: Network Installation; Network Configuration
  SECURITY: Security Program Implementation (Security Configuration; Non-production Penetration Testing; Security vulnerability management & system hardening; Security Policy Training)
Audit
  NETWORKS: Network Audit
  SECURITY: Security Audit
Manage / Monitor
  NETWORKS: Network Management (Remote Monitoring, Incident Response, Onsite Support)
  SECURITY: Managed Security (Remote Monitoring, Incident Response, Disaster Recovery Assistance)
Secure Remote Access Whitepapers
http://literature.rockwellautomation.com/idc/groups/literature/documents/wp/enet-wp009_-en-e.pdf
http://literature.rockwellautomation.com/idc/groups/literature/documents/wp/enet-wp025_-en-e.pdf
Industrial Security Resources
• Security-enhanced Products and Technologies
  Rockwell Automation products and technologies with security capabilities that help increase overall system-level control system security.
  http://www.rockwellautomation.com/solutions/security/technology.html
• EtherNet/IP Plantwide Reference Architectures
  Control system validated designs and security best practices that complement recommended layered security/defense-in-depth measures.
  http://www.ab.com/networks/architectures.html
• Network & Security Services (NSS)
  RA consulting specialists that conduct security risk assessments and make recommendations for how to avert risk and mitigate vulnerabilities.
  http://www.rockwellautomation.com/services/security
Industrial Security 2012 & Beyond…
• It's about continuing Partnering & Collaboration efforts
  - Users, Vendors, Researchers and Agencies
  - Cooperation and coordination
• It's about enhancing Communication
  - Needs, desires and vigilance
  - Interdepartmental relationships
  - Consistency and Objectivity
• It's about furthering Standards
  - Process, Policy & Procedures (with compensating controls)
  - Internal and External: emerging global standards
  - Continuous Improvement (Suppliers & Users)
• It's about ongoing Acknowledgement and Addressing of Risk
  - Everybody has something to lose
  - Everybody has something to protect
REMEMBER: IGNORING RISK IS NOT AN OPTION
Questions?
www.rockwellautomation.com