
TRANSCRIPT

Page 1: Technical Track  Securing EtherNet/IP Networks Presented by: Paul Didier - Cisco Eddie Lee - Moxa

Technical Track

www.odva.org

Securing EtherNet/IP Networks

Presented by: Paul Didier - Cisco, Eddie Lee - Moxa

Page 2

Technical Track 2011 ODVA Industry Conference & 14th Annual Meeting page 2© 2011 ODVA, Inc. All rights reserved. www.odva.org

Agenda

Securing EtherNet/IP Networks
• Introduction
• Best Practices
  • Isolated Control Network with Single Controller
  • Isolated Network with multiple Controllers
  • Enterprise Connected and Integrated Control Systems
• Other Considerations
• Emerging Industrial Security Technologies
  • ISA 99

Page 3

Introduction

High-level paper for customers and implementers to identify security concepts per type of control network.

• Start with risk identification and analysis
• Identify risk reduction and mitigation techniques
• There will be costs and trade-offs
• Differences between IT and Industrial Automation and Control
• Working with IT

Page 4

Who Needs to Talk to Whom?

Page 5

Control Network types

Isolated Single Controller
• Single Controller
• 10s of devices
• Potentially multiple switches
• Limited non-CIP traffic
• Sharing data via sneaker net or transferable device

Isolated Multiple Controller
• Multiple Controllers
• Up to 100s of devices
• 10s of switches, maybe a router
• A few networks
• Potentially multiple switches
• Controllers sharing data
• Some non-CIP traffic (e.g. HTTP, file sharing, etc.)

Enterprise Connected
• Many Controllers
• Up to 1000s of devices
• Lots of switches and routers and other network infrastructure
• Many “networks”
• Sharing data, applications and services between Enterprise and Plant networks
• Could have lots of non-CIP traffic (e.g. Voice, Video, etc.)

Page 6

Best Practices – Isolated Single Controller

• Managed Switches
  • Diagnostics
  • Port Security
• Device Maintenance
• End-device security
  • OS patches
  • Anti-virus
• Network and Application monitoring and management

Page 7

Isolated Multiple Controller

Previous Considerations and…

• VLANs
  • Basic segmentation
  • Performance
• Quality of Service
  • Protect key traffic from performance degradation or some Denial of Service
• IGMP (Multicast management)
• Network Resiliency
  • Spanning Tree or Device Level Ring (DLR)

Page 8

Quality of Service Operations

Classification and Marking

Queuing and (Selective) Dropping

Post-Queuing Operations
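The three QoS stages on this slide, and the "protect key traffic from Denial of Service" point of the previous one, as an added illustration that is not part of the ODVA presentation: a toy egress port with and without per-class queuing. The port numbers used for classification (EtherNet/IP implicit I/O on UDP 2222, explicit messaging on TCP 44818), the queue depth and the traffic burst are assumptions constructed for the example.

```python
from collections import deque

# EtherNet/IP ports assumed for classification: implicit I/O UDP 2222, explicit messaging TCP 44818.
CONTROL_FLOWS = {("udp", 2222), ("tcp", 44818)}
QUEUE_DEPTH = 8  # frames each egress queue can hold (constructed value)


def classify(frame):
    """Classification and marking: assign a frame to the control or best-effort class."""
    return "control" if (frame["proto"], frame["dport"]) in CONTROL_FLOWS else "best_effort"


def fifo_port(frames, capacity):
    """No QoS: one shared buffer, first come first served, tail drop when full."""
    queue, dropped = deque(), []
    for f in frames:
        (queue if len(queue) < QUEUE_DEPTH else dropped).append(f)
    sent = [queue.popleft() for _ in range(min(capacity, len(queue)))]
    return sent, dropped


def qos_port(frames, capacity):
    """QoS: per-class queues (selective dropping) drained in strict priority order."""
    queues = {"control": deque(), "best_effort": deque()}  # dict order = priority
    dropped = []
    for f in frames:
        q = queues[classify(f)]
        (q if len(q) < QUEUE_DEPTH else dropped).append(f)  # only the flooding class overflows
    sent = []
    while len(sent) < capacity:
        q = next((q for q in queues.values() if q), None)  # post-queuing: highest class first
        if q is None:
            break
        sent.append(q.popleft())
    return sent, dropped


def control_delivered(port, frames, capacity):
    """Count CIP control frames that reached the wire under a given port model."""
    sent, _ = port(frames, capacity)
    return sum(1 for f in sent if classify(f) == "control")


# Constructed burst: 20 HTTP frames flood the port before three CIP I/O frames arrive.
FLOOD = [{"proto": "tcp", "dport": 80, "id": i} for i in range(20)]
CIP_IO = [{"proto": "udp", "dport": 2222, "id": 100 + i} for i in range(3)]
BURST = FLOOD + CIP_IO
```

With the same burst and the same transmit capacity, the FIFO port drops every CIP I/O frame while the QoS port delivers all three and drops only the flooding HTTP frames.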

Page 9

Connected and Integrated Control

Previous Considerations and…

• Firewall and DMZ
  • Control traffic flows
  • Protect Plant from Enterprise threats
• Intrusion Detection
  • Monitor and stop known and unknown attacks
• Remote Access
  • VPN to Firewall/DMZ
  • Terminal Services into controlled, locked-down server

Page 10

Firewalls

A firewall is a security device configured to permit, deny or proxy data connections according to the organization's security policy. Firewalls can be either hardware or software based.

A firewall's basic task is to control traffic between computer networks with different zones of trust.

Today’s firewalls combine multilayer stateful packet inspection and multiprotocol application inspection. Virtual Private Network (VPN), Anti-x, Authentication and Intrusion Prevention Services (IPS) have been integrated.

Despite these complexities, the primary role of the firewall is to enforce security policy.

(Figure: firewall placed between the Enterprise and Plant networks)

Page 11

De-Militarized Zone

• A demilitarized zone is a physical or logical sub-network that contains and exposes an entity's external data and services to a larger un-trusted network
• Typically requires a Firewall
• DMZ may contain terminal server, replicated historian, AV, patch, DNS, AD/LDAP or mail servers
• Buffers a zone from the threats, traffic, scans and other network-borne activities in other networks

(Figure: DMZ between the Enterprise and Plant networks)
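The Enterprise / DMZ / Plant arrangement of this slide, together with the "control traffic flows" and "terminal services into a locked-down server" points of the previous slides, as an added example that is not part of the ODVA presentation: a small default-deny policy model in which every permitted conduit terminates in the DMZ, plus an audit that flags any rule letting Enterprise and Plant talk directly. The zone subnets, the services, the ports (other than TCP 44818 for EtherNet/IP explicit messaging) and the direction of historian replication are assumptions constructed for the example.

```python
import ipaddress

# Constructed addressing: one subnet per zone (assumption for this example).
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "plant": ipaddress.ip_network("192.168.0.0/16"),
}

# Permitted conduits (source zone, destination zone, protocol, port, purpose).
# Services and ports are assumptions; EtherNet/IP explicit messaging uses TCP 44818.
CONDUITS = [
    ("enterprise", "dmz", "tcp", 3389, "terminal services into the locked-down DMZ server"),
    ("enterprise", "dmz", "tcp", 443, "read access to the replicated historian"),
    ("plant", "dmz", "tcp", 443, "plant-initiated historian replication"),
    ("dmz", "plant", "tcp", 44818, "terminal server to controllers via EtherNet/IP"),
]


def zone_of(ip):
    """Map an address to its zone, or 'unknown' if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")


def evaluate(src_ip, dst_ip, proto, dport):
    """Default-deny policy check: return (verdict, reason) for one connection attempt."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src, dst):
        return "deny", "address outside every defined zone"
    if src == dst:
        return "allow", f"intra-zone traffic within {src}"
    for s, d, p, port, purpose in CONDUITS:
        if (s, d, p, port) == (src, dst, proto, dport):
            return "allow", purpose
    return "deny", f"no conduit {src} -> {dst} {proto}/{dport}"


def dmz_bypasses(conduits):
    """Audit the rule set: any enterprise <-> plant conduit skips the DMZ buffer."""
    return [c for c in conduits if {c[0], c[1]} == {"enterprise", "plant"}]
```

An enterprise host reaching a controller directly on TCP 44818 is denied even though the same port is permitted from the DMZ, which is the buffering effect the slide describes.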

Page 12

Virtual Private Network (VPN) Overview

Mechanism for secure communication over IP (Internet)
• Authenticity (unforged/trusted party)
• Integrity (unaltered/untampered)
• Confidentiality (unread)

Remote Access (RA) VPN components
• Client (mobile or fixed)
• Termination device (high number of endpoints)

(Figure: VPN tunnel from the VPN Client or Browser to the VPN Security Appliance)

Page 13

VPN - What Are We Talking About?

Secure VPN includes a number of technologies:

Tunneling
• IPsec
• L2TP/IPSec
• TLS (HTTPS/SSL)
• DTLS
• SSL

Encryption
• DES
• 3DES
• AES
• RC4

Authentication*
• RSA digital certificates
• Pre-Shared key

Integrity
• HMAC-MD5
• HMAC-SHA-1

*IKE 1st Phase, Not User Auth.

Page 14

Wireless

CIP and EtherNet/IP, being based on open standards, are readily transportable over standard wireless technologies. Common wireless security practices include:

• IEEE 802.1x Network Access Control and authentication with shared keys
• Encryption – WPA2 is best practice
• Disable SSID broadcasting for control WLAN
• Rogue access point and end-point detection

Page 15

How 802.1x Works

IEEE 802.1X (Port-based Network Access Control) restricts port access to authorized users only. Authentication is done using the local user database or an external RADIUS (Remote Authentication Dial In User Service) server.

(Figure: Wireless Clients authenticate through the Authenticator (e.g. Access Point) to the Authentication Server (e.g. RADIUS))

Page 16

Security - Authentication

MAC address filtering

(Figure: Access Point on the Fast Ethernet network with an AP Client on a Moving Process and Field Engineers; the Access Point denies or allows each by MAC address)

MAC Address         Access Rights
00-11-12-23-34-45   Deny
00-11-12-23-34-46   Allow

Page 17

Other Security Considerations

Other considerations include:

• Security enhanced operating systems
• Virtual Private Network (VPN) – tunneled encryption for traffic external to the Plant network
• Enhanced authentication via Biometrics
• Network Access Control and Protection to verify every device on the network

Page 18

Network Access Control

• Authenticate users and devices to the network
• Posture and remediate the device for policy compliance
• Audit and report who is on my network
• Differentiated access: role-based access control

NAC is a solution that uses a set of protocols to define and implement a policy that describes how to secure access to the network by devices. Network Access Control controls access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. Network Access Protection (NAP) is Microsoft’s implementation of NAC.

Page 19

ISA 99

Page 20

ISA 99 Working Groups

Page 21

ISA 99 SALs