integration - extending IT security to the cell/area zone of the plant/site architecture
PUBLIC
Agenda
1. State of plant-wide / site-wide cybersecurity
2. Key challenges
3. CPwE industrial cybersecurity framework
4. Extending visibility and security group segmentation to cell/area zone(s)
5. Key takeaways
$11.7B in damages due to ransomware attacks in the last 2 years
53% of industrial manufacturers have experienced a cybersecurity breach in their facility

WHY ARE INDUSTRIAL COMPANIES A TARGET?
Legacy unpatched infrastructure and a lack of skilled resources to properly manage cyber risk. The adversaries know these environments have many vulnerabilities, and an attack can mean major consequences for the infected organization.

WHY ARE COMPANIES STRUGGLING TO ADDRESS THIS?
Most industrial automation environments are poorly inventoried. If you do not know what is connected in the environment, you cannot secure it.

Key challenges
• Lack of visibility – of what’s out there
• Antiquated systems – unpatched, legacy systems
• Access control – access needs evolving
• Insecure design – lack of segmentation
• Change control – 24/7/365 operations
• OT security skills – IT sec ops knowledge
• Business needs – real-time information
Where are software-defined solutions being used today within operational technology (OT)?
• Relay panel(s) versus programmable controller
• Indicators and switches vs. graphic terminals

Where are software-defined solutions being used today within information technology (IT)?
Public/private service providers (SPs)
• SD-WAN – software-defined wide area network
Enterprise IT
• SDN – software-defined networking (centralized)
• SDA – software-defined access (decentralized)
• SDI – software-defined infrastructure
• SDDC – software-defined datacenter
• SDS – software-defined storage
• SDx – software-defined everything (converged compute, storage, security & networking)
Security
• Software-defined security group policies and access control … TrustSec, security group tags (SGT)

Software-defined network access control policy
• Default Permit
• Predetermined segmentation policy based on device type, location, etc.
• Communication flow analysis
• Limits manual touches and improves error-prone workflows
Leading digital transformation for The Connected Enterprise with industrial-ready, world-class control, power and information systems and IT networking and security technologies

Better Together: a converged infrastructure built on a common architecture framework makes the network data-ready; unified standards create flexibility and scalability.
• Enable business agility
• Optimize production yield
• Minimize risk
Architecture elements shown: Wireless, Identity/Mobility Services, Network/Security Standards, Dashboards, Data Servers, Remote worker/expert.
PUBLIC | Copyright ©2020 Rockwell Automation, Inc. 14
CPwE industrial cybersecurity framework
Key features:
• IDMZ
• Remote user
• Data brokers
• Firewall-based segmentation of plant/site and enterprise networks
• Industrial Zone (Plant/Site Network):
  – Identity and mobility services for IACS devices & users
  – Cisco Firepower and security management
  – FactoryTalk® Network Manager™ software for discovery, visibility, and network management
  – Network flow-based anomaly detection
• Cell/Area Zone:
  – Stratix® 5950 Cell/Area Zone and asset boundary
  – Scalable device security group tagging and policy enforcement
  – Network flow diagnostics
  – Secure network infrastructure configuration and management
  – CIP Security™ to help protect confidentiality and integrity and harden IACS devices
Extending visibility and security group segmentation to cell/area zone(s)
OT-IT collaboration / convergence / integration

[Diagram: FactoryTalk® Network Manager™ software, ISE, pxGrid (IP to SGT mappings), SXP, Stealthwatch (context-based anomaly detection), Next Generation Firewall (on-demand remote access); cell/area zone assets Controller, Drive and I/O communicating over CIP™ and other protocols]

FactoryTalk® Network Manager™ software shares industrial asset identity with ISE over pxGrid … this visibility, combined with context, becomes a force-multiplier for security.
[Diagram: Level 3 Site Operations (EWS, FactoryTalk® Network Manager™ software, ISE, Stealthwatch, pxGrid, IT user) behind the IDMZ, above the industrial Ethernet switches (IES) of the cell/area zones; FactoryTalk® Network Manager™ supplies context to ISE over pxGrid, the IES export NetFlow to Stealthwatch, and ISE performs role-based security group enforcement on the IES with SGACLs]

Security group access matrix (SGACLs) as shown on the slide:
            SGT 100   SGT 30   SGT 10   SGT 20
  SGT 100      -         N        Y        Y
  SGT 30       N         -        Y        Y

Cell/Area Zone 10 (Levels 0-2): PAC_10, I/O_10 – Security Group 10, VLAN 10
Cell/Area Zone 20 (Levels 0-2): PAC_20, Drive_20 – Security Group 20, VLAN 20

Requirement
• Monitor traffic flows and detect anomalous traffic behavior
• Easily identify the source of anomaly
Workflow
1. Compromised camera initiates port scan
2. Stealthwatch anomaly detection engine identifies port scan from NetFlow data and raises alarm – host group in alarm indicates the offending asset [Camera, Cell/Area-2]
3. Stealthwatch sends quarantine request to ISE
4. ISE moves camera access port on Stratix® switch to isolated VLAN to quarantine it (change of authorization)
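The detection-and-quarantine workflow above, together with the SGACL matrix, as an added Python example that is not from the Rockwell Automation or Cisco material: it checks constructed IP-to-SGT mappings against the slide's partial SGACL matrix, flags a host whose NetFlow records show a port sweep, and builds the quarantine decision Stealthwatch would hand to ISE. The IP addresses, flow records, scan threshold and action name are constructed, and the '-' diagonal of the matrix is assumed to mean permit.

```python
from collections import defaultdict

# SGACL matrix from the slide: source SGT -> destination SGT -> permitted?
# Only the SGT 100 and SGT 30 rows appear on the slide; the '-' diagonal is
# assumed to mean permit, and rows the slide does not show default to deny.
SGACL = {
    100: {100: True, 30: False, 10: True, 20: True},
    30: {100: False, 30: True, 10: True, 20: True},
}

# Constructed IP-to-SGT mappings, the kind ISE publishes over pxGrid.
IP_TO_SGT = {
    "10.1.100.5": 100,  # Level 3 site operations EWS
    "10.1.30.7": 30,  # IT user
    "10.1.10.20": 10,  # PAC_10, Cell/Area Zone 10
    "10.1.20.20": 20,  # PAC_20, Cell/Area Zone 20
    "10.1.20.50": 20,  # camera in Cell/Area Zone 20 (constructed)
}

def sgacl_permits(src_ip, dst_ip):
    """True if the SGACL matrix permits src -> dst; unmapped IPs or unknown rows deny."""
    src_sgt, dst_sgt = IP_TO_SGT.get(src_ip), IP_TO_SGT.get(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return False
    return SGACL.get(src_sgt, {}).get(dst_sgt, False)

def detect_port_scans(flows, threshold=10):
    """Source IPs whose flows touch more than `threshold` distinct (dst_ip, dst_port) pairs.
    Each flow record is (src_ip, dst_ip, dst_port, bytes), a simplified NetFlow tuple."""
    targets = defaultdict(set)
    for src_ip, dst_ip, dst_port, _ in flows:
        targets[src_ip].add((dst_ip, dst_port))
    return {ip for ip, seen in targets.items() if len(seen) > threshold}

def quarantine_actions(flows):
    """The request Stealthwatch would hand to ISE for each offending host (constructed shape)."""
    return [
        {"host": ip, "sgt": IP_TO_SGT.get(ip), "action": "coa_quarantine_vlan"}
        for ip in sorted(detect_port_scans(flows))
    ]

# Constructed NetFlow sample: the camera sweeps 25 ports on PAC_20; two normal flows follow.
SAMPLE_FLOWS = [("10.1.20.50", "10.1.20.20", port, 64) for port in range(1, 26)]
SAMPLE_FLOWS += [
    ("10.1.100.5", "10.1.10.20", 44818, 1200),  # EWS to PAC_10 over EtherNet/IP
    ("10.1.30.7", "10.1.100.5", 443, 900),  # IT user to EWS; the SGACL above denies this
]
```

Running quarantine_actions(SAMPLE_FLOWS) returns one entry, for the camera at 10.1.20.50 in security group 20, which is the host ISE would move to the isolated VLAN by change of authorization.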
Key takeaways
Segmentation & access control methodology comparison
Traditional = VLAN & ACL. Software-defined = FactoryTalk® (FactoryTalk® Network Manager™ software) & TrustSec (ISE/SGT). Each approach is rated on Attribute, OT, IT, Cost and Risk; the X marks from the slide follow each attribute.

Workflow function: IACS asset and network device discovery
• Traditional: Manual/automatic inventory discovery and manual database creation via IT and OT tools (X X)
• Software-defined: Automatic inventory discovery and automatic database creation via OT tools (X X)

Workflow function: OT-IT security team; security group access policy definition
• Traditional: Manual (X X)
• Software-defined: Manual (X X)

Workflow function: OT access policy; configuration creation and implementation
• Traditional: Manual and static (VLAN assignment, ACL creation) (X X)
• Software-defined: Automatic and dynamic (once initial policy templates have been created) (X)

Workflow function: OT access policy; configuration documentation
• Traditional: Challenging to document: difficult to maintain and update, limited audit capability (X X)
• Software-defined: Self-documenting: easier to maintain and update, supports audit capability (X)

Workflow function: OT access policy; configuration enhancements (future-ready)
• Traditional: Autonomous approach (alone): lacks scalability and agility, no coordinated orchestration (X X)
• Software-defined: Unified approach (centralized): scalable and agile, supports coordinated orchestration (X)

Workflow function: Required OT skill sets
• Traditional: Initial IACS provisioning (X X); Addition of IACS device(s) (X X); IACS device replacement: OT can replace the device, but not change the network to accommodate it (X X)
• Software-defined: Initial IACS provisioning (X X); Addition of IACS device(s) (X); IACS device replacement: reduced MTTR, less time that a machine is not running (X)
Key takeaways
Business outcomes drive modernization projects
• Agility to quickly adapt to new market trends (future-ready)
• Cost reduction through lower MTTR and higher OEE (reliability, safety and security)
• Risk reduction – reliable and secure plant-wide architectures based on proven reference architectures
Assessment, design and planning are key steps to modernizing aging network infrastructure
• Know where you are starting from
• Have a vision, based on business drivers, for scalable, reliable, safe, secure, and future-ready Industrial IoT architectures
Form a team of key stakeholders from OT and IT to develop an industrial cybersecurity program and access control policy
Utilize Stratix® managed infrastructure devices – the best of Rockwell Automation and Cisco – to enable Industrial IoT architectures
Network and security services enable modernization
• Converged Plantwide Ethernet (CPwE) architected, tested and validated designs help to simplify designs, speed deployment, and reduce risk in deploying new technologies
• Leverage Network & Security Services, as a trusted partner with knowledge and expertise in IIoT applications and OT-IT cybersecurity
Additional Sessions
Session | Title
NT01 Fundamentals of EtherNet/IP IIoT Network Technology
NT03 Design Considerations for Reliable EtherNet/IP Networking
NT05 Applying EtherNet/IP Network Features for High Performance Machine-level Architectures
SS01 Safety System Development Process and Configuration Tools Overview
SS05 Cybersecurity for OT Systems: Why? And Where Do I Start?
SS06 CIP Security: Improving Control System Defense in Depth Security