Handout for the talk by Manfred Bauer, Cisco
TRANSCRIPT
8/10/2019 Handout Vortrag Manfred Bauer Cisco
http://slidepdf.com/reader/full/handout-vortrag-manfred-bauer-cisco 1/23
Internet of Things - yes, with security
Manfred Bauer, IoT Sales Lead Germany
September 2014
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
The Internet of Everything (IoE)
Networked Connection of People, Process, Data, Things
• People: Connecting People in More Relevant, Valuable Ways
• Process
• Data: Leveraging Data into More Useful Information for Decision Making
• Things
Smart Factory as Internet of Things
• Connection between products, machines and Internet
• Networking between machines and products within the shop floor
• Situational offer for services
Example: Building the Factory of the Future
(Diagram slide; legible labels:)
Security and platform layers: Factory Security; Converged Network Platforms; Connected Factory Applications; Industrial Identity Services; Industrial Deep Packet Inspection; IP Cameras
Things: Torque Sensors, Asset Tags, IP HD Camera, Robots, Parts
Infrastructure: Ruggedized Wireless Access Points; Industrial Routers and Switches; Hardened Mobile M2M Gateway
Outcomes: Real Time Supply Chain; Asset Utilization; Accelerated NPI; New Business Models; Productivity
• Flexible mfg • Flexible controls • Flexible networks
• Resiliency (REP) • Integrated management • Near Zero Downtime
• Distributed Compute • Machine-as-a-Service • Remote Asset Mgmt
• Mobility • 2.4/5 GHz • Clean Air
Industrie 4.0 Demands Cross Domain Data Management
(Diagram slide; legible labels:) Data Center; IT Clients; Plants; Internet; Network Devices; Ports; People; Locations; Machines; Things; Process; Data
Classical IT Responsibility vs. Classical OT Responsibility
End to End Secure Connectivity and Computing Demands Seamless Network Concept
Secure entity management reaches a new magnitude of scale.
Industrie 4.0 Demands World Wide Connectivity
(Diagram slide; legible labels:) Primary DC; Backup DC; Plant 1; Plant 2; Supplier 1; DMZ
• Internet and Intranet need secure, scalable and reliable network functions based on trusted devices
• Selective feature choice between technologies like Multi-Protocol Label-Switching (MPLS) and encryption based access technologies (like IPsec)
• Context based security in the complete value chain with manageable rules handled by TrustSec based profiles
The Main Problem with separated OT/IT Networks
(Diagram slide; legible labels:) Data Center; IT Clients; Plants; Internet; Intranet; Machines; Remote Expert; DMZ Global IT; DMZ Plant IT; Isolated or Industrial FW
• IT Controlled Security vs. Isolated/confused world of OT
• Secure Third Party Access
• Global Location Routing separated from Intranet
• Plant wide selective Access to Machines; Selective Functions
• Selective Authentication / Authorization
IT/OT Converged Security Model
Zones: IT (Enterprise Network); DMZ (Demilitarized Zone); OT (Control, Automation; Process, Supervisory); Cloud OT Partners & Services; Internet
• OT: Ruggedized Firewall; Ruggedized IDS / IPS; Segmentation: VLANs, VRFs, ACLs
• Plant Edge: VPN, IPS, Remote Access; Stateful Firewall, NGFW; Access Control
• Cloud-based Threat Protection; Network-wide Policy Enforcement; Security Information Event Management (SIEM); Remote Services Platform; OT Policy Mgmt, SW, Config, AV; Cyber Physical Access Control System
• Enterprise Edge: VPN, IPS, NGFW; Anti-Virus, Malware Detection; Corporate Directory, Web and Email Security
Priority shifts in IoT

Security Policies | IT Network | IoT Network
--- | --- | ---
Focus | Protecting Intellectual Property and Company Assets | 24/7 Operations, High OEE, Safety
Priorities | 1. Confidentiality 2. Integrity 3. Availability | 1. Availability 2. Integrity 3. Confidentiality
Types of Data Traffic | Converged Network of Data, Voice and Video (Hierarchical) | Converged Network of Data, Control Information, Safety and Motion (P2P)
Implications of a Device Failure | Continues to Operate | Could Stop Processes, Impact Ma… Harm
Threat Protection | Shut Down Access to Detected Threat and Remediate | Potentially Keep Operating with a Detected Threat
Upgrades and Patch Mgmt | ASAP During Uptime | Scheduled During Downtime
Infrastructure Life Cycle | Equipment upgrades and refresh <5yr | Avoid Equipment upgrades (lifespan 1…)
Deployment conditions | Controlled physical environments | Harsh environments (temp, v…)

Security in IoT networks is crucial, as people, communities and financial systems could be negatively impacted by cyber/physical security breaches.
Top priorities are availability, safety, and ease-of-use.
The biggest pain point is the management of who, what, where, when, and how (people, data, devices, and process).
IoT Security Principles
• Access Control: User and Device Identity; Authentication, Authorization & Accounting
• Data Confidentiality and Data Privacy: Network Segmentation; Secure Connectivity
• Threat Detection and Mitigation: Security Zones; Intrusion Prevention; Application Visibility
• Device and Platform Integrity: Device Hardening and Secure Platform; Configuration Assurance
Surrounding principles: Policy Management with OT/IT Convergence & Ease of Use; Operation Reliability & Safety
IT/OT Converged Security Model – Manufacturing
(Diagram slide; legible labels:)
Zones: Cell/Area Zone (Levels 0–2); Manufacturing Zone (Level 3); Demilitarized Zone (Level 3.5); Enterprise Network (Levels 4–5)
Cell/Area Zone: Cell/Area #1 (Redundant Star Topology), Cell/Area #2 (Ring Topology), Cell/Area #3 (Linear Topology); Controller, Drive, HMI, Distributed I/O, Layer 2 Access Switch
Manufacturing Zone: Factory Application Servers; Access Switch; Network Services; Core Switches; Aggregation Switch
Demilitarized Zone: Firewall (Active), Firewall (Standby), Gbps Link for Failover Detection; Patch Mgmt.; Terminal Services; Application Mirror; AV Server
Enterprise Network / Internet: Web Apps, DNS, FTP
Security controls as listed on the slide:
• Ruggedized Firewall; Ruggedized Intrusion Protection; Remote Monitoring / Surveillance; SW, Config Asset Mgmt; VPN Remote Access
• Next-Generation Firewall; Intrusion Prevention (IPS); Cloud-based Threat Protection; Network-wide Policy Enforcement; Access Control (application-level)
• Stateful Firewall; Intrusion Protection/Detection; Physical Access Control System; ISE
Let’s do some maintenance!
(Diagram slide; legible labels:) Enterprise Network; VPN; DMZ; Supervisory Network; Control System Network; Remote Facility; IEDs, PLCs, Sensors, Actuators; Historian; SCADA/DCS; Cloud Systems; App Server; Web Server; Remote Services; Field Network; Internet

IoE Cyber Security: Protection
(Diagram slide; legible labels:) Application Visibility, IPS/IDS; Identity Services Engine; Switching; Video Surveillance Manager; Routers; Firewalls; Access Points; Network Security Mgmt.
• Onion Layers / Secure Zones: Cells, Zones, Plants
• Segmented Access (Role-Based)
• Security Policy, AAA and Identity Services
• Industrial Cyber Security
• Security Monitoring, Threat Detection, Incident and Event Monitoring
• Physical Security: Smart, Programmable Cameras
IT/OT Converged Security Model – Transportation
(Diagram slide; legible labels:) Control Center; Trackside; WAN / Core; IP/MPLS Domain; UCS; PTC; PTC 3000; TMC; IPICS; VSMS / VSOM; VSMS; Process Control & Safety Networks; On-board Multiservice Networks; Offload
Security controls as listed on the slide:
• Ruggedized Firewall; Ruggedized Intrusion Detection; Remote Monitoring / Surveillance; SW, Config Asset Mgmt; VPN Remote Access
• Next-Generation Firewall; Intrusion Prevention (IPS); Cloud-based Threat Protection; Network-wide Policy Enforcement; Application-Level Access
• Stateful Firewall; Intrusion Detection (IDS); Physical Access Control
Example Smart City
(Diagram slide; legible labels:) Cloud & Services; Municipal Command & Control Center; Lighting Poles; Smart Grid; Building Optimization; City WiFi; Home Energy Mgmnt; Traffic Flow Optimization; Factory Optimization; Automated Car System; Intelligent Digital Signage; Connected Ambulances; Parking
Themes: Intelligent City; Intelligent Building; Intelligent Highway
IoE Application Centric Architecture
(Diagram slide; legible labels:) Cisco ONE Platform; Network Automation (APIC SDN Controller); Application Enablement (Fog Computing); IOx; Analytics; APIs; Routing/Config, QoS, Security; Data Center, Access, WAN; Things: Smart LED lighting, Waste Sensors, IP HD Camera, Parking Sensors, Water Sensors
• Application Policy Infrastructure Controller: Applications to Program the Networks • Auto Config • QoS • Security
• Cisco and 3rd Party Apps
• Fog Computing: Business Applications that run on the network • Hosted Bus Apps • App Store • App Management
• IOx: Distributed Compute and Storage • IOS + Linux • BYOA • BYOI
• Hardened Edge Platforms: Embedded Storage and Compute (IOS, Linux; Distributed App; IOx SDK; Application Management)
Cisco IoT Strategy is Working!
Whole Offer: Foundation + Differentiation
Foundation: Ruggedized platforms; Industrial features; Protocol translation; Converged networking; IoT Gateway/Aggregation; Mobility
Differentiation:
• Management / “Ease of Use”: Auto discovery / auto configuration; Zero touch deployment; Video management at scale; Visualization
• Security: Ruggedized security - IPS/FW/VPN; Single policy management; Industrial signatures
• Application Enablement: Application data processing; Distributed control; Video analytics at the edge; Third-party interfaces
Thank you.
IoTG Extended Security Products Portfolio
Technologies / Use Cases:
• Industrial Firewall: Industry leading firewall, intrusion prevention, VPN, remote access, and other security features
• Industrial IPS: Defense against complex industrial network attacks
• Wireless: Increase mobility without compromising security with threat-protected WLAN services
• Cisco Security Policy Mgmt and Enforcement: Policy-based access control, identity-aware networking, and data integrity
• Secure Router: Provides secure remote access and zone segmentation for most IoT use cases
Products (partially legible on the slide): Cisco WLC, PI, M; IE switches, ASA
Sourcefire Can Be Applied for OT Environments
The Sourcefire security platform has 3 main components:
• L2-L7 Firewall (NGFW)
• Next Generation IPS (NGIPS)
• AMP (Advanced Malware Protection)
Able to manage security threats during the full attack continuum – Before, During, After
Sourcefire value in process control
Capabilities across NGFW, NGIPS and AMP:
• Passively discover ICS assets & create context
• Layer 2-7 firewall
• Application discovery, monitoring and control
• Detect and prevent intrusions
• Wrap SCADA protocols
• Monitor client-side HMIs
• Network mapping
• Retrospective detection & quarantine
ISE Can Be Applied for OT Environments
Typical OT use cases for ISE as a common policy platform:
• Local User Access – Wired Connection on the Mfg Plant Floor or Utility Substation, for example
• Local User Access – Wireless Connection, similar OT locations as above
• Remote User Access – Employee or Contractor needs to access an HMI or OT control system remotely
When the endpoints attempt network access, they are dynamically profiled and provided the appropriate access privileges based on their identity.
Change of Authorization (CoA) can be enforced by the network infrastructure in three ways:
1. VLAN swap,
2. downloadable ACL (dACL), and
3. Security Group Tag (SGT).
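As an added illustration of the VLAN-swap variant of CoA named above (example code, not from the slides or from Cisco), the following builds a RADIUS CoA-Request carrying a VLAN assignment in the RFC 5176 packet format with RFC 2868 tunnel attributes, and shows the check a switch performs before acting on it: the Request Authenticator must verify under the shared secret, so a tampered or spoofed CoA is dropped. The secret and session attributes are constructed sample values; the dACL and SGT variants use Cisco vendor-specific attributes and are not shown.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types (RFC 2865, RFC 2868, RFC 5176)
COA_REQUEST = 43
USER_NAME, CALLING_STATION_ID = 1, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)

def attr(attr_type, value):
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def tagged_int(value, tag=0):
    """Tunnel integer attributes carry a one-octet tag followed by a 3-octet value."""
    return bytes([tag]) + value.to_bytes(3, "big")

def build_vlan_coa(identifier, secret, session_attrs, vlan_id):
    """CoA-Request that moves the session identified by session_attrs to vlan_id."""
    attrs = b"".join(attr(t, v) for t, v in session_attrs)
    attrs += attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
    attrs += attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
    attrs += attr(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + str(vlan_id).encode())
    header = struct.pack("!BBH", COA_REQUEST, identifier, HEADER_LEN + len(attrs))
    # RFC 5176 2.3: Request Authenticator = MD5(header + 16 zero octets + attrs + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_coa(packet, secret):
    """What the enforcement point must check before applying the change."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])

def parse_attrs(packet):
    """Return {type: value} for the attributes that follow the header."""
    out, i = {}, HEADER_LEN
    while i + 2 <= len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > len(packet):
            raise ValueError("malformed attribute")
        out[t] = packet[i + 2:i + l]
        i += l
    return out

# Constructed sample session: a contractor's laptop on the plant floor
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_SESSION = [(USER_NAME, b"contractor01"), (CALLING_STATION_ID, b"00-11-22-33-44-55")]
```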
ISE - Employee and Contractor using assets on plant/zone floor
(Diagram slide; legible labels:)
Demilitarized Zone (DMZ) Firewalls: Firewall (Active), Firewall (Standby), Cisco ASA 5500; Gbps Link for Failover Detection
Enterprise Network, Levels 4–5: Cisco Catalyst Switch; Cisco Catalyst 6500/4500; Cisco Cat. 3750X; Network Services (AD, MDM, DNS, FTP); Patch Management, Terminal Services, Application Mirrors, AV Servers; ISE PSN; ISE ADMIN; Internet
Industrial net #1 and Industrial net #2: Cisco IE2K/3K; 3rd Party Switch; Contractor and Employee endpoints
• MULTI-AUTH
• Enforcement for zone 2 done here
• Cisco IE3K/2K: Enforcement pushed to IE3K, so enforcement is done within zone
Cisco Industrial Portfolios (IoT Business Unit)
• Wireless
• Gateway Router
• Embedded
• Wireless Access Point
• Ethernet Switching