
The next phase of OT-IT integration: extending IT security to the cell/area zone of the plant/site architecture

PUBLIC
Agenda

1. State of plant-wide / site-wide cybersecurity
2. Key challenges
3. CPwE industrial cybersecurity framework
4. Extending visibility and security group segmentation to cell/area zone(s)
5. Key takeaways

PUBLIC | Copyright ©2020 Rockwell Automation, Inc. 2


State of plant-wide / site-wide
cybersecurity
Market pressures are putting productivity and profitability at
risk for industrial operations

• Rapid globalization: $25 trillion of global GDP growth from 2000 to 2016, facilitated by rapid globalization
• Aging infrastructure: 87% of manufacturing executives report that aging infrastructure impacts their operations
• Security risks and threats: 28% of manufacturing organizations reported a loss of revenue due to security incidents in the last year
• Industrial IoT: by 2020, 3.2 billion vertical-specific IoT business devices

Modernization through digital transformation is needed…



Cyber crime pays, and it’s only getting worse
State of plant-wide / site-wide cybersecurity

$11.7B in damages due to ransomware attacks in the last 2 years
53% of industrial manufacturers have experienced a cybersecurity breach in their facility

WHY ARE INDUSTRIAL COMPANIES A TARGET?
Legacy unpatched infrastructure and a lack of skilled resources to properly manage cyber risk. Adversaries know these environments have many vulnerabilities and that a successful attack can have major consequences for the victim.

WHY ARE COMPANIES STRUGGLING TO ADDRESS THIS?
Most industrial automation environments are poorly inventoried. If you do not know what is connected in the environment, you cannot secure it.

Source: Cybersecurity Ventures. LNS Research Study.



Threat actors and types
State of plant-wide / site-wide cybersecurity

NATION STATES INSIDERS TERRORISTS HACKTIVISTS CYBERCRIMINALS



Key challenges
Cybersecurity challenges in industrial environments
Key challenges

• Antiquated systems: unpatched, legacy systems
• Insecure design: lack of segmentation
• 24/7/365 operations: change control
• Business needs: real-time information
• Lack of visibility: of what’s out there
• Access control: access needs are evolving
• OT security skills: IT security knowledge versus operations knowledge



Addressing security via tighter OT-IT integration:
Key challenges for IIoT networks … why a software-defined security strategy?

Connected Enterprise IIoT Architecture

Challenge to segment/scale
• Ever increasing number of IIoT endpoint types
• Slower issue resolution
• Separate policies for the enterprise and operations areas of the network; escalation of issues is manual and cross-functional

Complex to manage/orchestrate
• Multiple touch-points to set up (error-prone workflows)
• Multiple stakeholders to manage
• OT-IT collaboration required



Software-defined examples and use cases
Key challenges … what is a software-defined security strategy?

Where are software-defined solutions being used today within operational technology (OT)?
• Relay panel(s) versus programmable controller
• Indicators and switches versus graphic terminals

Where are software-defined solutions being used today within information technology (IT)?
• Public/private service providers (SPs)
  • SD-WAN – software-defined wide area network
• Enterprise IT
  • SDN – software-defined networking (centralized)
  • SDA – software-defined access (decentralized)
  • SDI – software-defined infrastructure
  • SDDC – software-defined data center
  • SDS – software-defined storage
  • SDx – software-defined everything (converged compute, storage, security and networking)
• Security
  • Software-defined security group policies and access control … TrustSec, security group tags (SGT)



Software-defined – segmentation and access control
How? Bringing IACS context from FactoryTalk® Network Manager™ software to the TrustSec environment from Cisco®
Segmentation at scale
• Predetermined segmentation policy based on device type, location, etc.
• Improved OEE

Automated orchestration
• Limit manual touches and improve error-prone workflows
• Predetermined reactions to common escalations (e.g., remote access requests, network access for service personnel in the plant, adding new devices to the network)
• Reduce OT-IT friction: collaborate on predetermined policy to drive greater productivity of human assets

Diagram callouts:
1. Stratix® infrastructure portfolio – policy enforcement (default permit, default deny and custom deny) across security groups 1–5, the employee virtual network and the IIoT virtual network(s)
2. ISE – software-defined network access control policy
3. Stealthwatch – communication flow analysis
4. Application context shared with the TrustSec environment, for example:
   IP: 192.168.13.50
   Type: Automation controller
   Vendor: Allen-Bradley
   Model: 1756-L71/A*
   Firmware: 21.006*
   Group: Packaging
   Location: Switch 1 Fa0/1



CPwE industrial cybersecurity
framework
Together, Cisco and Rockwell Automation can help

Leading digital transformation for The Connected Enterprise with industrial-ready, world-class control, power and information systems and IT networking and security technologies

• Cisco: worldwide leader in IT networking and security
• Rockwell Automation: global leader in industrial control, power and information solutions
• Trusted domain experts with a strategic alliance, committed to future industry success and dedicated to developing ground-breaking solutions



Introducing Converged Plantwide Ethernet (CPwE),
a holistic blueprint for digital transformation
The CPwE Converged Network Architectures span industrial operations (production systems at Site A and Site B: OEM-ready smart IIoT devices, EtherNet/IP / OPC UA, unified wireless, industrial data center, identity/mobility services, network/security standards, convergence-ready industrial security/safety), the enterprise (business systems: business applications, dashboards, data servers, secure and reliable data sharing and internetworking, remote worker/expert) and the cloud (hybrid-cloud).

• Collection of architected, tested and validated network and security designs
• Simplify network and security design by connecting industrial operations and business systems
• An open solution that adheres to regulatory standards creates flexibility and scalability
• A converged infrastructure built on a common architecture framework makes the network data-ready
• Better together: enable business agility, optimize production yield, minimize risk
CPwE industrial cybersecurity framework

Defense in depth approach:


1) Access, segmentation, policy
2) Threat detection
3) Behavior analysis
4) Content protection
5) Cloud security and threat intel

Key features:
• IDMZ
  • Remote user
  • Data brokers
  • Firewall-based segmentation of plant/site and enterprise networks
• Industrial Zone (Plant/Site Network)
  • Identity and mobility services for IACS devices and users
  • Cisco Firepower and security management
  • FactoryTalk® Network Manager™ software for discovery, visibility, and network management
  • Network flow-based anomaly detection
• Cell/Area Zone
  • Stratix® 5950 Cell/Area Zone and asset boundary
  • Scalable device security group tagging and policy enforcement
  • Network flow diagnostics
  • Secure network infrastructure configuration and management
  • CIP Security™ to help protect confidentiality and integrity and harden IACS devices
Extending visibility and security group
segmentation to cell/area zone(s)
OT-IT collaboration / convergence / integration
Extending visibility and security group segmentation to cell/area zone(s)

Visibility into OT IIoT devices and industrial assets; network security use cases; context and intent from OT users, enforcement by IT.

OT platform: Stratix® IES and FactoryTalk® Network Manager™ software; IACS devices (HMI, controller, drive, I/O) speaking CIP™ and other protocols.
IT platform: Catalyst 9000, ISE, Next Generation Firewall, Stealthwatch.

OT visibility, context and intent flow to IT over pxGrid (IP-to-SGT mappings) and SXP, enabling:
• Dynamic security group segmentation
• On-demand remote access
• Context-based anomaly detection



Visibility into industrial networks
Adding OT context and intent … extending visibility and security group segmentation to cell/area zone(s)

FactoryTalk®
Network Manager™ software

FactoryTalk® Network Manager™ software shares industrial asset identity with ISE over pxGrid
… this visibility combined with context, becomes a force-multiplier for security



FactoryTalk® Network Manager™ software
Putting OT in the driver’s seat … extending visibility and security group segmentation to cell/area zone(s)

OT uses FactoryTalk® Network Manager™ software to express context and intent to influence the OT-IT owned, IT enforced, security group access policy:
• Network visibility
• Configuration
• Troubleshooting and maintenance
Cell/area zone security group segmentation
Extending visibility and security group segmentation to cell/area zone(s)

(The slide shows a sample SGACL policy table for role-based enforcement.)

Security group segmentation requirement
• Visibility of IACS devices in the production environment
• Automated, scalable means to group devices and apply policies
• Segment the industrial network so only IACS devices can communicate with each other in the Cell/Area Zone

Security group policy pre-staging
• IT and OT decide on the security group segmentation policy, i.e., the types of tags and the rules for communication
• IT configures ISE with security group tags (SGT), segmentation policy (SGACLs), FactoryTalk® Network Manager™ context match, and user authorization policies

Workflow during asset classification
1. FactoryTalk® Network Manager™ software collects topology and device information
2. OT user assigns a tag to IACS devices denoting that they have special communication privileges
3. FactoryTalk® Network Manager™ software sends OT user intent and asset details to ISE via pxGrid
4. ISE receives network and device telemetry from Stratix® switches
5. A profiling policy match in ISE results in policy assignment (SGTs) to Stratix® switches
6. ISE deploys policy enforcement into the network infrastructure as SGACLs



Segmentation (zoning) - security groups
Extending visibility and security group segmentation to cell/area zone(s)

VLANs with static ACLs – challenges?
• Plant-wide network; enforcement via static ACLs on the IES
• Cell/Area Zone 10 (Levels 0-2, VLAN 10): PAC_10, I/O_10
• Cell/Area Zone 20 (Levels 0-2, VLAN 20): PAC_20, Drive_20
• EWS

VLANs with dynamic ACLs – challenges?
• Plant-wide network; authentication, authorization and accounting (AAA); enforcement via downloadable ACLs (DACLs) on the IES
• Cell/Area Zone 10 (Levels 0-2, VLAN 10): PAC_10, I/O_10
• Cell/Area Zone 20 (Levels 0-2, VLAN 20): PAC_20, Drive_20
• EWS



Segmentation (zoning) - security groups
Extending visibility and security group segmentation to cell/area zone(s)

Software-defined security group segmentation

Enterprise WAN → IDMZ → Industrial Zone (Plant-wide Network, Levels 0-3)
• Level 3 Site Operations: FactoryTalk® application(s); FactoryTalk® Network Manager™ sends context to ISE over pxGrid; ISE; Stealthwatch receives NetFlow from the IES; OT user SGT 100; IT user SGT 30
• Enforcement: SGACLs on the IES; NetFlow exported to Stealthwatch
• Cell/Area Zone 10 (Levels 0-2, Security Group 10, VLAN 10): PAC_10 and I/O_10 tagged SGT 10
• Cell/Area Zone 20 (Levels 0-2, Security Group 20, VLAN 20): PAC_20 and Drive_20 tagged SGT 20
• EWS

Sample SGACL policy table (role-based enforcement; rows are the source SGT, columns the destination SGT; Y = permit, N = deny, - = not applicable):

Source \ Destination    SGT 100   SGT 30   SGT 10   SGT 20
SGT 100 (OT user)       -         N        Y        Y
SGT 30 (IT user)        N         -        Y        Y
SGT 10 (Cell/Area 10)   Y         Y        Y        N
SGT 20 (Cell/Area 20)   Y         Y        N        Y

SGT – Security Group Tag
On-demand remote access
OT manages access as defined by IT security … extending visibility & security group segmentation to cell/area zone(s)

Remote Access Requirement
• Only the specific asset in the cell/area zone being serviced must be accessible to the employee or OEM over remote VPN
• No dependency on IT to enable access during the maintenance window

Security policy pre-staging
1. IT user pre-defines profiling rules in ISE to match custom attributes and assign SGTs in authorization policies
2. IT user pre-defines SGT firewall rules in the IDMZ firewall to allow remote access

Workflow during maintenance window
1. During maintenance, the OT user changes the asset attribute tag in FactoryTalk® Network Manager™ software, which denotes intent to allow remote access by the employee or OEM
2. FactoryTalk® Network Manager™ software sends OT user intent and asset details to ISE over pxGrid, which results in asset reauthorization
3. ISE distributes the new policy to the firewall and Catalyst switches to enable remote access
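The following is an added worked example, not Rockwell Automation or Cisco code, that simulates the three slides above: the sample SGACL policy table (source SGT versus destination SGT), the ISE profiling step that turns an OT-assigned attribute into a tag, and the on-demand remote access workflow in which a tag change in FactoryTalk Network Manager reauthorizes one asset. The SGT values 100, 30, 10 and 20 and the permit/deny cells come from the slide's table; the asset inventory and IP addresses, the "remote_access" custom attribute, the extra tags 11 (cell 10 asset under service) and 50 (remote VPN user), and the profiling rule are constructed assumptions that stand in for the FactoryTalk Network Manager → pxGrid → ISE → switch/firewall chain.

```python
"""Security-group (SGT) segmentation and on-demand remote access, simulated.

Added example; not Rockwell Automation or Cisco code.  The SGT values and the
permit/deny matrix follow the slide's sample SGACL policy table.  Everything
else (the asset inventory and IPs, the "remote_access" custom attribute, the
extra tags 11 and 50, and the profiling rule) is a constructed assumption that
stands in for the FactoryTalk Network Manager -> pxGrid -> ISE -> switch chain.
"""
from dataclasses import dataclass, field

SGT_OT_USER, SGT_IT_USER, SGT_CELL_10, SGT_CELL_20 = 100, 30, 10, 20
SGT_CELL_10_SERVICE = 11   # assumed: a cell 10 asset opened for remote service
SGT_REMOTE_VPN = 50        # assumed: employee/OEM arriving through the IDMZ VPN

# Slide's sample SGACL table: POLICY[source_sgt][destination_sgt] -> permit?
# The "-" cells (user tag to user tag) are modelled as deny, an assumption.
POLICY = {
    SGT_OT_USER: {SGT_OT_USER: False, SGT_IT_USER: False, SGT_CELL_10: True,  SGT_CELL_20: True},
    SGT_IT_USER: {SGT_OT_USER: False, SGT_IT_USER: False, SGT_CELL_10: True,  SGT_CELL_20: True},
    SGT_CELL_10: {SGT_OT_USER: True,  SGT_IT_USER: True,  SGT_CELL_10: True,  SGT_CELL_20: False},
    SGT_CELL_20: {SGT_OT_USER: True,  SGT_IT_USER: True,  SGT_CELL_10: False, SGT_CELL_20: True},
}


def add_service_tag(policy, base, service, vpn):
    """Pre-staged IT policy (assumed): `service` gets the same rights as `base`
    inside the plant and is, in addition, the only tag reachable from `vpn`.
    Returns a new table and leaves `policy` untouched."""
    p = {src: dict(row) for src, row in policy.items()}
    p[service] = dict(p[base])                 # same outbound rights as base
    for src in list(p):                        # same inbound rights as base
        p[src][service] = p[src].get(base, False)
    p[service][service] = True
    p[vpn] = {dst: False for dst in p}         # VPN user is denied everything...
    p[vpn][service] = True                     # ...except the serviced asset,
    p[service][vpn] = True                     # which may answer.
    for src in p:
        p[src].setdefault(vpn, False)          # nobody else reaches the VPN tag
    return p


@dataclass
class Asset:
    name: str
    ip: str
    cell: int
    attributes: dict = field(default_factory=dict)  # OT-set FTNM attributes (assumed)


def profile(asset):
    """Assumed ISE profiling rule: the OT custom attribute wins, otherwise the
    asset's cell/area zone decides the tag."""
    if asset.cell == 10 and asset.attributes.get("remote_access") == "allowed":
        return SGT_CELL_10_SERVICE
    return {10: SGT_CELL_10, 20: SGT_CELL_20}[asset.cell]


def ip_sgt_map(assets, users):
    """The IP-to-SGT mapping ISE would distribute (SXP/pxGrid) to enforcement points."""
    mapping = {a.ip: profile(a) for a in assets}
    mapping.update(users)
    return mapping


def permitted(policy, mapping, src_ip, dst_ip):
    """SGACL decision for one flow. Unmapped IP or unknown tag -> deny (default deny)."""
    src, dst = mapping.get(src_ip), mapping.get(dst_ip)
    if src is None or dst is None:
        return False
    return bool(policy.get(src, {}).get(dst, False))


# Constructed inventory and user sessions, modelled on the slide diagram.
ASSETS = [Asset("PAC_10", "192.168.10.10", 10), Asset("I/O_10", "192.168.10.11", 10),
          Asset("PAC_20", "192.168.20.10", 20), Asset("Drive_20", "192.168.20.11", 20)]
USERS = {"10.1.3.5": SGT_OT_USER, "10.1.3.6": SGT_IT_USER, "10.9.0.7": SGT_REMOTE_VPN}
FULL_POLICY = add_service_tag(POLICY, SGT_CELL_10, SGT_CELL_10_SERVICE, SGT_REMOTE_VPN)


def remote_access_scenario():
    """Walk the slide's maintenance-window workflow. Returns four decisions:
    VPN->PAC_10 before the tag change, VPN->PAC_10 after it, PAC_10->I/O_10
    after it (cell traffic must survive), and VPN->PAC_20 after it."""
    pac10, vpn = ASSETS[0], "10.9.0.7"
    before = permitted(FULL_POLICY, ip_sgt_map(ASSETS, USERS), vpn, pac10.ip)
    pac10.attributes["remote_access"] = "allowed"      # 1. OT expresses intent in FTNM
    mapping = ip_sgt_map(ASSETS, USERS)                # 2./3. pxGrid -> ISE reauthorizes
    after = permitted(FULL_POLICY, mapping, vpn, pac10.ip)
    still_cell = permitted(FULL_POLICY, mapping, pac10.ip, "192.168.10.11")
    other_cell = permitted(FULL_POLICY, mapping, vpn, "192.168.20.10")
    del pac10.attributes["remote_access"]              # maintenance window closes
    return before, after, still_cell, other_cell


if __name__ == "__main__":
    print(remote_access_scenario())        # (False, True, True, False)
```

Two design points worth checking in a real deployment mirror what the code makes explicit: the service tag must keep the asset's normal cell permissions, otherwise opening remote access silently breaks controller-to-I/O traffic, and every lookup defaults to deny, so an asset that was never profiled (or a tag ISE never defined) cannot be reached from the VPN even if the OT attribute is set.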



Monitoring flows and anomaly detection
IT monitoring and anomaly detection based on OT security groupings

Requirement
• Monitor traffic flows and detect anomalous traffic behavior
• Easily identify the source of anomaly

Security policy pre-staging


• Assets grouped in FactoryTalk® Network Manager™ software by the OT user automatically create host groups in Stealthwatch – [PAC/PLC, I/O, IoT] etc.
• IT user defines alarms in Stealthwatch for host security group zone map violations – e.g., alarm on inter-zone asset communication
• IT user configures policies in ISE to quarantine devices on violations

Workflow
1. Compromised camera initiates a port scan
2. The Stealthwatch anomaly detection engine identifies the port scan from NetFlow data and raises an alarm – the host group in the alarm indicates the offending asset [Camera, Cell/Area-2]
3. Stealthwatch sends a quarantine request to ISE
4. ISE moves the camera's access port on the Stratix® switch to an isolated VLAN to quarantine it (change of authorization)
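The detection workflow above, as an added example that is not Cisco Stealthwatch or ISE code: it builds host groups that mirror the OT asset grouping, raises a zone-map alarm for cross-zone traffic the map does not allow, detects a port scan from flow records, and turns the alarms into one quarantine (change of authorization) request per offending host. The flow records, the host-group map, the thresholds and the request structure are constructed assumptions; the sample traffic is normal PAC_10 to I/O_10 EtherNet/IP traffic followed by a camera in Cell/Area-2 scanning PAC_10 in Cell/Area-1.

```python
"""NetFlow-driven anomaly detection on OT host groups, simulated.

Added example; not Cisco Stealthwatch or ISE code.  It reproduces the logic the
slide describes: host groups that mirror the OT asset grouping, an alarm for
inter-zone communication that the zone map does not allow, a port-scan alarm
computed from flow records, and a quarantine (change of authorization) request
for the offending host.  The flow records, the host-group map, the thresholds
and the request structure are all constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record (constructed field set)."""
    ts: int        # seconds
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Host groups as the OT grouping in FactoryTalk Network Manager would create
# them in Stealthwatch (assumed mapping): ip -> (group, zone).
HOST_GROUPS = {
    "192.168.10.10": ("PAC/PLC", "Cell/Area-1"),
    "192.168.10.11": ("I/O", "Cell/Area-1"),
    "192.168.20.10": ("PAC/PLC", "Cell/Area-2"),
    "192.168.20.11": ("I/O", "Cell/Area-2"),
    "192.168.20.50": ("Camera", "Cell/Area-2"),
    "10.1.3.5": ("Site Operations", "Level 3"),
}

# Zone map (assumed): group pairs allowed to talk across zone boundaries.
# Any other cross-zone conversation raises a zone-map violation.
ALLOWED_CROSS_ZONE = {
    ("Site Operations", "PAC/PLC"), ("PAC/PLC", "Site Operations"),
}

SCAN_PORT_THRESHOLD = 10   # distinct destination ports from one host to one target
SCAN_WINDOW_S = 60         # ... within this many seconds


def label(ip):
    """Host-group label as it would appear in an alarm, e.g. [Camera, Cell/Area-2]."""
    group, zone = HOST_GROUPS.get(ip, ("Unknown", "Unknown"))
    return f"[{group}, {zone}]"


def zone_map_alarms(flows):
    """One alarm per (src, dst) pair that crosses zones outside the zone map."""
    alarms, seen = [], set()
    for f in flows:
        sg, sz = HOST_GROUPS.get(f.src, ("Unknown", "Unknown"))
        dg, dz = HOST_GROUPS.get(f.dst, ("Unknown", "Unknown"))
        if sz != dz and (sg, dg) not in ALLOWED_CROSS_ZONE and (f.src, f.dst) not in seen:
            seen.add((f.src, f.dst))
            alarms.append(("zone_map_violation", f.src, label(f.src), f.dst, label(f.dst)))
    return alarms


def port_scan_alarms(flows):
    """Flag a source that touches >= SCAN_PORT_THRESHOLD distinct ports on one
    target within SCAN_WINDOW_S seconds (flows are processed in time order)."""
    history = defaultdict(list)    # (src, dst) -> [(ts, dport), ...]
    alarms = {}
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst)
        history[key].append((f.ts, f.dport))
        recent_ports = {p for t, p in history[key] if f.ts - t <= SCAN_WINDOW_S}
        if len(recent_ports) >= SCAN_PORT_THRESHOLD and key not in alarms:
            alarms[key] = ("port_scan", f.src, label(f.src), f.dst, len(recent_ports))
    return list(alarms.values())


def quarantine_requests(alarms):
    """Turn alarms into the CoA request Stealthwatch would hand to ISE (assumed
    shape). One request per offending host, whatever the number of alarms."""
    requests = {}
    for kind, src, src_label, *_ in alarms:
        requests.setdefault(src, {"ip": src, "host_group": src_label,
                                  "action": "quarantine", "reason": kind})
    return list(requests.values())


# Constructed sample: normal PAC_10 <-> I/O_10 traffic (EtherNet/IP, TCP 44818)
# followed by a compromised camera in Cell/Area-2 scanning PAC_10 in Cell/Area-1.
SAMPLE_FLOWS = [Flow(t, "192.168.10.10", "192.168.10.11", 44818, "tcp", 512)
                for t in range(0, 60, 5)]
SAMPLE_FLOWS += [Flow(100 + i, "192.168.20.50", "192.168.10.10", 1 + i, "tcp", 60)
                 for i in range(12)]


def run(flows=SAMPLE_FLOWS):
    """Return (alarms, quarantine_requests) for a batch of flow records."""
    alarms = zone_map_alarms(flows) + port_scan_alarms(flows)
    return alarms, quarantine_requests(alarms)


if __name__ == "__main__":
    alarms, requests = run()
    for alarm in alarms:
        print(alarm)
    print(requests)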



Stealthwatch … reconnaissance using dynamic NetFlow
IT monitoring and anomaly detection based on OT security groupings

Monitor
• Understand your network normal
• Gain real-time situational awareness of all traffic
• No requirement for spanning traffic or secondary networks

Detect
• Identify what applications and devices are talking to each other
• Leverage network behavior anomaly detection and analytics
• Detect behaviors linked to APTs, insider threats, DDoS, and malware

Analyze
• Collect and analyze holistic network audit trails
• Achieve faster root cause analysis to conduct thorough forensic investigations

Respond
• Accelerate network troubleshooting and threat mitigation
• Respond quickly to threats by taking action to quarantine through Cisco® ISE



CPwE network security
Extending visibility and security group segmentation to cell/area zone(s)

• Deploying Network Security within a Converged Plantwide Ethernet Architecture
• CPwE Collateral
  • White Paper – ENET-WP023B-EN-P
  • Design & Implementation Guide – ENET-TD019A-EN-P
  • Solution Overview
• Outlines Cisco / Rockwell Automation Network Security Use Cases:
  • Visibility and Identification
  • Security Group Policy Segmentation
  • Network flow and threat (e.g., malware) detection
  • OT managed remote user (employee, partner) access
• FactoryTalk® Network Manager™ software
• Stratix® 5400 switches – NetFlow and Security Group Tag support
• Cisco Identity Services Engine (ISE) and Stealthwatch

(The slide repeats the software-defined security group segmentation diagram: Enterprise WAN, IDMZ, Industrial Zone Levels 0-3 with FactoryTalk® application(s), FactoryTalk® Network Manager™ over pxGrid to ISE, Stealthwatch fed by NetFlow, OT user SGT 100 and IT user SGT 30 at Level 3 Site Operations; SGACL enforcement on the IES; Cell/Area Zones 10 and 20 at Levels 0-2 as Security Groups 10 and 20 on VLANs 10 and 20, holding PAC_10/I/O_10 and PAC_20/Drive_20 plus the EWS.)
Key takeaways
Segmentation & access control methodology comparison
Key takeaways

Columns: Traditional (VLAN & ACL) versus Software-defined (FactoryTalk® Network Manager™ software & TrustSec (ISE/SGT)). Each side of the slide has Attribute, OT, IT, Cost and Risk columns; the X marks are reproduced in parentheses as they appear on the slide.

Workflow function: IACS asset and network device discovery
  Traditional: Manual/automatic inventory discovery and manual database creation via IT and OT tools (X X)
  Software-defined: Automatic inventory discovery and automatic database creation via OT tools (X X)

Workflow function: OT-IT security team; security group access policy definition
  Traditional: Manual (X X)
  Software-defined: Manual (X X)

Workflow function: OT access policy; configuration implementation
  Traditional: Manual and static (VLAN creation and assignment, ACL creation) (X X)
  Software-defined: Automatic and dynamic (once initial policy templates have been created) (X)

Workflow function: OT access policy; configuration documentation
  Traditional: Challenging to document: difficult to maintain and update; limited audit capability (X X)
  Software-defined: Self documenting: easier to maintain and update; supports audit capability (X)

Workflow function: OT access policy; configuration enhancements (future-ready)
  Traditional: Autonomous approach (alone): lacks scalability and agility; no coordinated orchestration (X X)
  Software-defined: Unified approach (centralized): scalable and agile; supports coordinated orchestration (X)

Workflow function: Required OT skill sets
  Traditional: Initial IACS provisioning (X X); addition of IACS device(s) (X X); IACS device replacement: OT can replace the device, but not change the network to accommodate it (X X)
  Software-defined: Initial IACS provisioning (X X); addition of IACS device(s) (X); IACS device replacement: reduced MTTR, less time that a machine is not running (X)
Key takeaways

• Business outcomes drive modernization projects
  • Agility to quickly adapt to new market trends (future-ready)
  • Cost reduction through lower MTTR and higher OEE (reliability, safety and security)
  • Risk reduction – reliable and secure plant-wide architectures based on proven reference architectures
• Assessment, design and planning are key steps to modernizing aging network infrastructure
  • Know where you are starting from
  • Have a vision, based on business drivers, for scalable, reliable, safe, secure, and future-ready Industrial IoT architectures
• Form a team of key stakeholders from OT and IT to develop an industrial cybersecurity program and access control policy
• Utilize Stratix® managed infrastructure devices – the best of Rockwell Automation and Cisco – to enable Industrial IoT architectures
• Network and security services enable modernization
  • Converged Plantwide Ethernet (CPwE) architected, tested and validated designs help simplify designs, speed deployment, and reduce risk in deploying new technologies
  • Leverage Network & Security Services, as a trusted partner with knowledge and expertise in IIoT applications and OT-IT cybersecurity
Additional Sessions
Session Title
NT01 Fundamentals of EtherNet/IP IIoT Network Technology
NT03 Design Considerations for Reliable EtherNet/IP Networking
NT05 Applying EtherNet/IP Network Features for High Performance Machine-level Architectures
SS01 Safety System Development Process and Configuration Tools Overview
SS05 Cybersecurity for OT Systems: Why? And Where Do I Start?
SS06 CIP Security: Improving Control System Defense in Depth Security



Thank You
www.rockwellautomation.com
