Mfg workshop security
- 1. Getting To Safe and Secure: A Phased Approach That Keeps Things Running
Robert Albach
ralbach@cisco.com
- 2. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Impacts: $2B+ in losses
- 3.
2018’s Top Security News
- 4.
April 2018: Bad Headlines; System Boundaries
- 5.
2018 Malware Impacts Continue
- 6.
Where are We Today?
- 7.
A Matter of Trust: 2015 Ukraine Utility Attack
- 8.
Where does the security role for OT reside in your organization?
[Bar chart: number of respondents (0 to 200) per answer, grouped as "Driven by OT Teams", "Driven by IT" and "OT or IT or TBD?"]
1 - Wholly within the OT group.
2 - IT owns the DMZ, OT owns the rest.
3 - IT owns down to the aggregation layer.
4 - IT owns down to the access layer.
5 - A hybrid IT team reporting to OT.
6 - Unclear, still sorting it out.
7 - I don't know as I don't work there.
8 - Not applicable to my situation.
Source: IoT Sec Talks, May 2016 – 620 respondents
Cisco: Multiple Paths to Secure the Plant
- 9.
The Vision of the Future – Connected Systems
From Cloud to Enterprise to Cell (Cloud / HQ / DMZ / Factory)
- 10.
Technology Stacks in Connected Manufacturing
- 11.
Application of Industrial Security
• Deployment Priorities, Common Use Case Examples - Manufacturing
- 12.
Evolve to Secure: Phased Security Architecture
[Diagram: Purdue / CPwE reference model, Level 5 down to Level 0, with the three security phases overlaid]
Level 5 – Enterprise Network (Enterprise Zone)
Level 4 – Site Business Planning & Logistics Network (Enterprise Zone): E-Mail, Intranet, etc.
DMZ: Terminal Server, RDP Server, App Server, Patch Mgmt.
Level 3 – Site Manufacturing Operations and Control (Control Zone): FactoryTalk App Server, FactoryTalk Directory, Engineering Workstation, Domain Controller
Level 2 – Area Supervisory Control (Cell/Area Zone): FactoryTalk Client, HMI, Engineering Workstation, Operator Interface
Level 1 – Basic Control (Cell/Area Zone): Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
Level 0 – Process (Cell/Area Zone): Sensors, Drives, Actuators, Turbine
First Phase – Secured Connectivity: Zone Segmentation, Controlled Conduits (ISA-95, ISA-99 / IEC 62443, NERC / NIST)
Second Phase – Secured Visibility & Control: Application Control, Threat Control (ISA-95, ISA-99 / IEC 62443, NERC / NIST)
Third Phase – Converged Security & Depth: Policy Driven Response, Deeper Vision / Control (ISO/IEC 27001:2013)
- 13.
Use Case Themes
• Secure Connectivity
  • What can connect
  • What can talk to what
• Threat Control
  • What is vulnerable
  • Protect the vulnerable
• Safe Environment
  • Network protection
  • Device protections
• Secure Remote Access
  • What are the controls for access
  • How to secure access
- 14.
Use Case: Secure Connectivity [Segmentation]
- 15.
Segmentation Everywhere
- 16.
Security Use Case: Network Segmentation
…and Application Segmentation and Control
- 17.
The Case for Purposeful Network Design
- 18.
Original Designs Lack Security / Or Security Eroded Over Time
- 19.
Discover, Control and Protect your Connected Devices
[Diagram: Cisco ISE as the context directory, aggregating context from all sources, native and external, and sharing it over pxGrid]
Inputs: Users; IT/IoT Devices (1400+ device-type fingerprints); Medical Devices (300+ device-type fingerprints); Compliance, Vulnerability and Threat feeds; industry-specific visibility tools
Output: Policy, enforced as control in the network fabric
- 20.
Industrial Network Director – IoT BU Tie-Ins
- 21.
Segmentation: How To
Routing (Router / Switch), NGFW, IE Switch, IPS, AppID, TrustSec, IND, ISE, StealthWatch, AnyConnect, CloudLock
- 22.
Use Case: Threat Prevention
- 23.
Kill Chain – ICS Variant
Attacks Start at the IT Side
• Intrusion Phase
• Reconnaissance
• Targeting
• Weaponization
• Develop / Test
• Delivery / Exploit / Persist
• Install
• Modify Systems
• Command and Control
• Attack
• Anti-Forensics
- 24.
Attacks Can Break Things…
- 25.
German Smelter Attack: Attack and Mitigations
• What is known:
  • Phishing attack
  • Malware
  • Access to ICS system
  • Shutdown commands
  • Damaged smelter
• Mitigations: Email / Web Protections; AMP
- 26.
Quantifying Threats by Technology Stack
Vulnerabilities by Top 50 Vendors: IT – 99.53%, OT – 0.47%
IT Stack Vulns – 44% [Web – 35%]
- 27.
Security Use Case: Vulnerability Exploitation / Malware Protection
Examples: Sinapsis SQL injection attempt; Petya malware / ransomware
- 28.
Threat – Vulnerable ICS System Protections
* 1:45477 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Triton Triton ICS malware transfer attempt (malware-cnc.rules)
* 1:45478 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Triton Triton ICS malware transfer attempt (malware-cnc.rules)
- 29.
Cisco Talos – ICS Research
<-> PROTOCOL-SCADA IEC 61850 virtual manufacturing device domain variable enumeration attempt (protocol-scada.rules)
<-> PROTOCOL-SCADA IEC 61850 device connection enumeration attempt (protocol-scada.rules)
<-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
<-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
<-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
<-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
<-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
<-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules)
<-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)
<-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
<-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
<-> PROTOCOL-SCADA Siemens SIPROTEC V4.24 crafted packet denial of service attempt (protocol-scada.rules)
180+ ICS Vulnerability
Protection Rules in 2017
- 30.
Talos ICS Security Research
- 31.
Mitigations – When "Fix it" Has to Wait
[Timeline: Vuln Discovery → Patch Published → Patch Applied? → Maintenance Window → Operation → Maintenance Window; a Vulnerability Protection Rule Placed In-Line covers the interval until the patch can be applied]
- 32.
- 33.
- 34.
- 35.
Use Case: Application Visibility and Control [Safety / Security]
- 36.
Stopping Misconfiguration of a Robot Arm
- 37.
Security Use Case: Protocol Aware Application Control
- 38.
OT Pre-Processors – Modbus command inspection
A Modbus rule to prevent a set point change (limit > 50) on RTU-0122
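The set-point rule above, as an added worked example; this is not Cisco code and not the Firepower/Snort Modbus preprocessor, which expresses the same decision with its modbus_func / modbus_unit / modbus_data rule keywords. The script parses the Modbus/TCP MBAP header and the write-register PDUs (function codes 0x06 and 0x10), refuses malformed frames instead of guessing at them, and enforces "no set-point write above 50 on RTU-0122". The asset name to IP and unit-id mapping, the register that holds the set point, and the engineering workstation allowed to write at all are assumptions; the request frames are constructed test traffic, not captures. The mode argument of inspect() mirrors the alert-only step of the in-line rollout described on the next slide.

```python
"""Protocol-aware inspection of Modbus/TCP write commands.

Added example, not Cisco/Firepower code. Parses the MBAP header and the
write-register PDUs (function codes 0x06 and 0x10) and applies a policy in
the spirit of the slide's rule: no set-point write above 50 on RTU-0122.
Asset addresses, register numbers and the permitted writer are assumptions.
"""
import struct
from dataclasses import dataclass

FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
FC_WRITE_MULTIPLE = 0x10

ASSETS = {"RTU-0122": ("10.10.20.122", 1)}   # name -> (IP, unit id); assumed
SETPOINT_REGISTER = 0                         # holding register of the set point; assumed
SETPOINT_LIMIT = 50                           # the slide's "limit > 50"
WRITERS_ALLOWED = {"10.10.10.5"}              # engineering workstation; assumed


@dataclass
class ModbusWrite:
    unit_id: int
    function: int
    start: int
    values: list


def parse_modbus_tcp(frame: bytes):
    """Return a ModbusWrite for FC 0x06/0x10, None for any other function.
    Raises ValueError on malformed frames so they are dropped, never guessed."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match the frame" % length)
    fc, pdu = frame[7], frame[8:]
    if fc == FC_WRITE_SINGLE:
        if len(pdu) != 4:
            raise ValueError("write single register needs exactly 4 data bytes")
        start, value = struct.unpack(">HH", pdu)
        return ModbusWrite(unit, fc, start, [value])
    if fc == FC_WRITE_MULTIPLE:
        if len(pdu) < 5:
            raise ValueError("write multiple registers header truncated")
        start, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if qty == 0 or nbytes != 2 * qty or len(pdu) != 5 + nbytes:
            raise ValueError("write multiple registers byte count mismatch")
        values = list(struct.unpack(">%dH" % qty, pdu[5:]))
        return ModbusWrite(unit, fc, start, values)
    return None


def inspect(src_ip, dst_ip, frame, mode="drop"):
    """Return (verdict, reason). mode="alert" reports what would be dropped but
    lets it through, the alert-only step of an in-line rollout."""
    hit = "drop" if mode == "drop" else "alert"
    try:
        write = parse_modbus_tcp(frame)
    except ValueError as err:
        return hit, "malformed frame: %s" % err
    if write is None:
        return "allow", "not a write"
    if src_ip not in WRITERS_ALLOWED:
        return hit, "write from %s, which is not an allowed writer" % src_ip
    for name, (ip, unit) in ASSETS.items():
        if dst_ip != ip or write.unit_id != unit:
            continue
        for offset, value in enumerate(write.values):
            if write.start + offset == SETPOINT_REGISTER and value > SETPOINT_LIMIT:
                return hit, "set point %d > %d on %s (FC 0x%02x)" % (
                    value, SETPOINT_LIMIT, name, write.function)
    return "allow", "write within policy"


# Constructed test traffic (request builders, not captures).
def write_single(tid, unit, addr, value):
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, FC_WRITE_SINGLE, addr, value)


def write_multiple(tid, unit, start, values):
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE, start, len(values), 2 * len(values))
    pdu += struct.pack(">%dH" % len(values), *values)
    return struct.pack(">HHHB", tid, 0, 1 + len(pdu), unit) + pdu


def read_holding(tid, unit, addr, qty):
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, FC_READ_HOLDING, addr, qty)


if __name__ == "__main__":
    ews, rtu = "10.10.10.5", "10.10.20.122"
    for label, frame in [("set point 75", write_single(1, 1, 0, 75)),
                         ("set point 40", write_single(2, 1, 0, 40)),
                         ("block write [60, 10]", write_multiple(3, 1, 0, [60, 10])),
                         ("poll", read_holding(4, 1, 0, 10))]:
        print("%-22s %s" % (label, inspect(ews, rtu, frame)))
```

The multi-register case matters in practice: a write to registers 0..1 with values [60, 10] touches the set point through function code 0x10 and is caught, while the same values written starting at register 1 are not, because the set point is never addressed. Reads pass untouched, and a frame whose MBAP length does not match what arrived is treated as hostile rather than partially parsed.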
- 39.
Deploying In-Line Security Slowly / Safely
First: Learn out of band, via SPAN / tap; cycle through rules; provide flow to Stealthwatch.
Second: Tune rules; see what would hit and the potential impacts; use flow learning for possible ACLs.
Third: Move in-line but with "alert" only; check latency and other network impacts.
Fourth: Go live and active. Sleep well.
- 40.
Use Case: Remote Access [A Brief Mention]
- 41.
Security Use Case: Remote Access
Application Visibility and Control; Cross Boundary Policy; Asset Access Control and QoS
Example: a trusted contractor maintains a new pump on the floor
- 42.
Remote Access Guidance: DHS (For Your Reference)
- 43.
Remote Access in Contracts:
• Ver.10 XXXX Maintenance Support Agreement
• SERVICE AGREEMENT TERMS AND CONDITIONS
• XXXXX, a division of YYYYY North America Corporation ("ZZZZZ") will perform the services ("Services") listed below and on the above pages of this service agreement and any exhibits ("Exhibits") attached to it (together, the "Agreement") under the following terms and conditions:
• 4. Customer's Responsibility
• Throughout the term of this Service Agreement, Customer agrees to:
• c. provide suitable remote access to the System to enable ZZZZZ to perform its services hereunder, including but not limited to VPN access to the System;
• d) REMOTE SERVICE. For on-site options, if remote Service is available, the Customer will allow NNN to keep diagnostic and maintenance programs resident on Customer's system or site for the exclusive purpose of performing diagnostics and repair. The Customer has no ownership interest in this software provided by NNN. NNN may remove these programs and any NNN-loaned equipment upon termination of coverage. Customer's system must be configured to permit access. For NNN to provide remote Service, the Customer must allow NNN remote access to eligible NNN systems using the appropriate protocol and method supported by that system. The Customer must provide the necessary equipment designated for that protocol and method of communication to provide remote access to the eligible NNNNt system. NNN will advise the Customer what is required at the time of installation.
- 44.
Security Flowdown
DFARS 252.204-7012 (b) Adequate Security. The
Contractor shall provide adequate security on all
covered contractor information systems.
- 45.
Cisco Validated Designs: Your Guides to Security
- 46.
Partner Driven Validated Designs
- 47.
Validated Design for Industrial DMZ
- 48.
Need More? Services for Security
- 49.
Services: Assess risk, Design, Incident response, Support
- 50.
First
• Update your network
• Gain a view of the network and applications
• Establish NW access control that reflects the application paths
Second
• Protect the FULL technology stack
• From IDMZ to Cell
• From Factory to Cloud
• Determine what is truly necessary
Third
• Get Help
• IT for IT technologies
• Look at design guides
• Consider external services
• Act
• Commit to making change
- 52.
Backup
- 53.
Cisco Industrial System Leadership
$1B+ Cisco Industrial Switches and Routers Deployed
1000s of Industrial Deployments Operating on Cisco Industrial Equipment
- 54.
Cisco Industrial Standards Participation
Participating in 58 industrial standards groups
IEEE / IEC / ISA / ISO / IETF / AVnu / HART / ETSI / Heathrow / OPC / ProfiNET / OMG – DDS / OIC / IIC / FDT / ODVA / OASIS / AllSeen / OneM2M / Wi-SUN / LoRa / Sigfox / ETSI / SAE / ITU / UCA / CIGRE(T) / COW / HomePlug / G3 / AIOTI
IEC
61850 Utility, Industrial, Transportation (Data)
62351 Utility, Industrial, Smart City (Security)
62357 Utility, Smart Cities (Architecture)
62443 Energy et al., Industrial (PCS Security)
61508 Industrial, Utility, other energy (Safety)
- 55.
Manufacturer Usage Description (MUD)
- 56.
Manufacturer Usage Descriptions
[Diagram: a mobile phone and cloud controllers reached over the Internet; each device has its own usage description; control signals come from the cloud controller; attacks arrive from the Internet]
- 57.
Who Does What
Cisco
• Interpret descriptions from the manufacturer
• Instantiate appropriate configuration in devices
• Monitor/Audit for counter-indications
Device manufacturer
• If the device has implemented 802.1AR, no code changes on the device
• Emit the MUD URI via DHCP, LLDP, or via 802.1AR
• Create a simple MUD file (the slide says XML; the published standard, RFC 8520, serializes it as JSON) and publish it somewhere
Network Administrator
• Allow the feature to be turned on (by default)
• Check the definition of "local" (we may be able to help)
• (Optionally) Use our auditing capabilities
- 58.
This approach…
Does:
• Extend defense in depth
• Prevent lateral movement
• Provide a scalable security approach for IoT
Does not:
• Authenticate devices to the network (use 802.1X and 802.1AR)
• Protect against introduction of devices that are already 0wn3d (use Cisco ISE or AMP)
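The "interpret descriptions, instantiate configuration" step of slide 57 and the reason the administrator has to check the definition of "local", as an added example; this is not Cisco's MUD manager or any product code. A constructed MUD file for a hypothetical line sensor, shaped as RFC 8520 specifies (an ietf-mud:mud container referencing ietf-access-control-list:acls), is translated into per-device allow rules followed by a default deny in each direction, and a first-match evaluator tests flows against the result. The device address, the site's local prefix, the NTP controller address and the hostnames are assumptions.

```python
"""Turn a MUD file (RFC 8520) into per-device allow rules with a default deny.

Added example, not Cisco code. SAMPLE_MUD is a constructed MUD file for a
hypothetical line sensor; SITE is the administrator-supplied context that the
MUD abstractions "local-networks" and "controller" cannot be resolved without.
"""
import ipaddress

SAMPLE_MUD = {
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://example.com/line-sensor-v1.json",  # hypothetical
        "last-update": "2017-09-01T00:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "Example line sensor (constructed sample)",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "sensor-from"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "sensor-to"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "sensor-from", "type": "ipv4-acl-type", "aces": {"ace": [
            # telemetry upload the device initiates to the vendor cloud
            {"name": "cloud-out", "actions": {"forwarding": "accept"}, "matches": {
                "ipv4": {"protocol": 6, "ietf-acldns:dst-dnsname": "telemetry.example.com"},
                "tcp": {"ietf-mud:direction-initiated": "from-device",
                        "destination-port": {"operator": "eq", "port": 443}}}},
            # time from the site NTP server, named by a well-known controller class
            {"name": "ntp-out", "actions": {"forwarding": "accept"}, "matches": {
                "ipv4": {"protocol": 17, "ietf-mud:controller": "urn:ietf:params:mud:ntp"},
                "udp": {"destination-port": {"operator": "eq", "port": 123}}}}]}},
        {"name": "sensor-to", "type": "ipv4-acl-type", "aces": {"ace": [
            # Modbus/TCP polls, accepted from the local cell network only
            # ([None] is how the JSON "[null]" empty leaf-list reads in Python)
            {"name": "modbus-in", "actions": {"forwarding": "accept"}, "matches": {
                "ipv4": {"protocol": 6, "ietf-mud:local-networks": [None]},
                "tcp": {"ietf-mud:direction-initiated": "to-device",
                        "destination-port": {"operator": "eq", "port": 502}}}}]}},
    ]},
}

# Administrator context (assumptions): what "local" means on this site and
# which host plays each controller role the MUD file names.
SITE = {"local_networks": "10.10.20.0/24",
        "controllers": {"urn:ietf:params:mud:ntp": "10.10.1.123"}}


def _peer(ipv4, side, site):
    """Resolve the MUD abstraction in an ipv4 match to a concrete name or prefix."""
    dns_key = "ietf-acldns:%s-dnsname" % side
    if dns_key in ipv4:
        return ipv4[dns_key]
    if "ietf-mud:local-networks" in ipv4:
        return site["local_networks"]
    if "ietf-mud:controller" in ipv4:
        return site["controllers"][ipv4["ietf-mud:controller"]]
    raise ValueError("unsupported match keys %r" % sorted(ipv4))


def mud_to_rules(mud, device_ip, site):
    """Return (direction, src, dst, proto, dport, action) tuples, one per ACE,
    with a default deny appended per direction: MUD only ever allow-lists."""
    top = mud["ietf-mud:mud"]
    if top["mud-version"] != 1 or not top["is-supported"]:
        raise ValueError("MUD version not understood or file no longer supported")
    acls = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, side in (("from-device", "dst"), ("to-device", "src")):
        for ref in top[direction + "-policy"]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                m = ace["matches"]
                peer = _peer(m["ipv4"], side, site)
                l4 = m.get("tcp") or m.get("udp") or {}
                dport = l4.get("destination-port", {}).get("port", "any")
                src, dst = (device_ip, peer) if direction == "from-device" else (peer, device_ip)
                rules.append((direction, src, dst, m["ipv4"]["protocol"], dport,
                              ace["actions"]["forwarding"]))
        rules.append((direction, "any", "any", "any", "any", "drop"))
    return rules


def _match(pattern, value):
    if pattern == "any":
        return True
    if "/" in pattern:  # prefix: value must be an address inside it
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
        except ValueError:
            return False
    return pattern == value  # hostname or single address


def is_allowed(rules, direction, src, dst, proto, dport):
    """First-match evaluation of a flow against the generated rules."""
    for d, s, t, p, port, action in rules:
        if d == direction and _match(s, src) and _match(t, dst) \
                and p in ("any", proto) and port in ("any", dport):
            return action == "accept"
    return False


if __name__ == "__main__":
    for rule in mud_to_rules(SAMPLE_MUD, "10.10.20.200", SITE):
        print("%-11s %-22s -> %-22s proto=%-4s dport=%-4s %s" % rule)
```

The point of SITE is the one the slide makes: "local-networks" in a MUD file is only as tight as the prefix the administrator binds it to. Bind it to the cell's /24 and the sensor accepts Modbus polls from that cell only; bind it to the whole plant and every host on the plant floor can poll or write it, which is exactly the kind of lateral path the "Does not" column reminds you this approach leaves to 802.1X, 802.1AR and ISE.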