networks - SESAM World
SESAM Meeting 6/4 2011
IT Security
Erik Gross Jensen
Solution Architect, Software
© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved.
Jeffrey A. Shearer, PMP
Principal Security Consultant
Network and Security Services
What We Are Delivering Together
• Education Series – http://www.ab.com/networks/architectures.html
• Stratix 8000, and portfolio
• Reference Architectures for Manufacturing
• Common Technology View
• Network and Security Services
Network Management IT and Production Control
• IT Network Management (SNMP-Based)
• Automation and Control Applications
• Local Applications (Device Manager)
• CIP-Based Support in the Network
• Command Line Interface
Reference Material
http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf
Copyright © 2010 Rockwell Automation, Inc. All rights reserved.
Reference Architectures for Manufacturing
• Design guidance
– Methodology – built on Industry Standards
– Best practices and recommendations
– Documented configuration settings
– Tested with Industrial Applications
– Cisco “Validated” network design
• “Future-ready” network foundation
– CIP Safety, CIP Sync, CIP Motion
– Voice, Video
High Level Architecture Review
• Remote access involves cooperation between:
– Enterprise Zone
• Information Technologies (IT) and infrastructure of the facility
– Automation Demilitarized Zone (Automation DMZ)
• Knowledge of traffic that must move from the plant to enterprise systems
– Manufacturing Zone
• Cell and Area devices
• Traffic flow and protocols
[Diagram: reference architecture, top to bottom]
– Enterprise Zone (Levels 4 and 5): Windows 2003 Servers
– Demilitarized Zone (DMZ): Firewall (Active) and Firewall (Standby) with a Gbps link for failover detection; Remote desktop connection; VPN
– Manufacturing Zone (Level 3): FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager); Network Services (DNS, DHCP, syslog server; network and security management); FactoryTalk Services Platform (Directory, Security); Layer 3 Router; Layer 3 Switch Stack; Data Servers
– Cell/Area Zone (Levels 0–2): Layer 2 Switches, HMIs, Controllers, Drives, Distributed I/O; Cell/Area #1 (Redundant Star Topology), Cell/Area #2 (Ring Topology), Cell/Area #3 (Bus/Star Topology)
Enterprise Zone
• Enterprise Zone
– “Levels” 4 & 5 owned by Information Technologies (IT)
– Traditionally some VLAN’s in place
– Campus to Campus communications
– IT knowledgeable with routing and firewalls
• You need to work with the IT personnel to get access to the DMZ
– Don’t bypass these fine folks!
Automation DMZ
• Automation DMZ
– Shared ownership by IT and Manufacturing professionals
• “Typically”
– IT owns firewalls
– IT configures the switches on behalf of Manufacturing professionals
– Manufacturing professionals own DMZ terminal servers, application servers, patch management servers
• DMZ requires cooperation from both IT and Manufacturing
Why a Demilitarized Zone (DMZ)?
• To preserve smooth plantwide operations and functioning of the Industrial Automation and Control System (IACS) application and IACS network, this zone requires clear isolation and protection from the Enterprise zone via security devices within the Demilitarized zone (DMZ).
• This insulation not only enhances security segmentation between the Enterprise and Manufacturing zones, but may also represent an organization boundary where IT and manufacturing organizational responsibilities interface.
• This approach permits the Manufacturing zone to function entirely on its own, irrespective of the connectivity status to the higher levels.
Controlling Access to the Manufacturing Zone
[Diagram: zones and levels, top to bottom]
– Enterprise Zone: Level 5 (Enterprise Network: E-Mail, Intranet, etc.) and Level 4 (Site Business Planning and Logistics Network); Enterprise Network Router; Firewall
– DMZ: Patch Management, Historian Mirror, Terminal Services, Web Services Operations, AV Server, Application Server, Web, E-Mail, Domain Controller; Firewall
– Manufacturing Zone, Level 3 (Site Manufacturing Operations and Control): FactoryTalk Application Server, FactoryTalk Directory, FactoryTalk Client, Engineering Workstation, CIP
– Cell/Area Zone, Level 2 (Area Supervisory Control): FactoryTalk Client, Operator Interface, Engineering Workstation; Level 1 (Basic Control): Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control; Level 0 (Process): Sensors, Drives, Actuators, Robots
No Direct Traffic Flow from Enterprise to Manufacturing Zone
DMZ Topology
• Firewall(s)
– Enterprise Interface
– DMZ Interface
– Manufacturing Interface
• Firewalls are used to block or allow access to devices on these interfaces based on a set of rules
• There will be assets like switches and servers that are part of the DMZ
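As an added illustration (not code from the presentation, nor from Rockwell or Cisco), the rule-based allow/block behaviour of a firewall with Enterprise, DMZ and Manufacturing interfaces, together with an audit check for the “no direct traffic flow from Enterprise to Manufacturing” principle of the previous slide; the zone address ranges, ports and rules are assumptions constructed for the example:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the firewall's three interfaces from the slide
# (Enterprise, DMZ, Manufacturing); not a real plant's address plan.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "manufacturing": ip_network("10.30.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int   # TCP port; 0 means any port
    action: str     # "allow" or "deny"

# Assumed rule set: enterprise clients may reach the DMZ terminal server (RDP,
# 3389); the terminal server may reach plant HMIs on the same port; nothing
# goes straight from Enterprise to Manufacturing. Unmatched traffic is dropped.
RULES = [
    Rule("enterprise", "dmz", 3389, "allow"),
    Rule("dmz", "manufacturing", 3389, "allow"),
    Rule("enterprise", "manufacturing", 0, "deny"),
]

def zone_of(addr: str) -> str:
    """Map an address to the firewall interface (zone) it belongs to."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def evaluate(src: str, dst: str, dst_port: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    s, d = zone_of(src), zone_of(dst)
    for r in RULES:
        if r.src_zone == s and r.dst_zone == d and r.dst_port in (0, dst_port):
            return r.action
    return "deny"

def no_direct_enterprise_path() -> bool:
    """Audit check: no allow rule may span Enterprise -> Manufacturing."""
    return not any(r.src_zone == "enterprise" and r.dst_zone == "manufacturing"
                   and r.action == "allow" for r in RULES)
```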
Manufacturing Zone
• Division of plant into functional areas for secured access
– ISA-SP99 “Zones and Conduit” model
• OEM’s Participation
– IP Address
– VLAN ID’s
– Access layer to Distribution layer cooperation
• System design requires full cooperation of all System Integrators, OEM’s, IT and Engineering
Manufacturing Zone
• Defense in depth still applies to the manufacturing zone
• Defense in depth steps in the manufacturing zone are still applied to:
– Device Hardening
– Application
– Computers
– Networks
– Physical
• Rockwell Automation products support the defense in depth strategy
Defense in Depth Designs
Apply security products supporting a defense-in-depth (or layered) architecture:
1. Network & Security Design
2. Limit physical access to all equipment
3. Control access to automation networks
4. Control access to computers and keep them up to date
5. Control access to software applications that are used to configure devices
6. Control access to both the configuration and data
[Diagram: layers of the design] Physical, Perimeter, Network, Enforcement, Computer, Application, Device security; Design, Security, Services
This is not a “one size fits all” problem …you are in the best position to decide which risks are the most urgent and which tools to use to reduce that risk
Configuration Access Control Using FactoryTalk Security
• How does it work?
– Provides centralized authentication and access control by verifying the identity of each user (and computer) who attempts to access the automation system and then either granting or denying each user's request to perform particular actions on features and resources within the system
• Authentication – verifies a user’s identity and verifies that a request for service originates with that user.
• Authorization – verifies a user’s request to access a software product, feature, or system resource against a set of defined access permissions.
– Authenticates and authorizes users against a set of defined permissions held in the FactoryTalk Directory
Application: Device Configuration
• Use FactoryTalk Security to
– Control computer and user access to devices
– Control use of selected software applications that access devices
FactoryTalk Security (FTS-05)
• Users and User Groups – Defines which users or groups of users can get access to your automation system
– FactoryTalk User – user accounts that are held in the FactoryTalk Directory
– Windows-linked User – user accounts that already exist in a Windows domain or workgroup
– FactoryTalk User Group – combine individual users and other groups (including Windows-linked groups) into a user group (roles)
– Windows-linked User Group – reference user groups that already exist in a Windows Domain
– Combine user accounts into User Groups to set up role-based security access; combining users with the required level of access into groups makes security easier to manage
• Computers and Computer Groups – Defines which computers can be used to access your automation system
– You can use these security rules to enforce line-of-sight security (only individual computer accounts can be used)
• Networks and Devices – Defines which actions can be performed on a specific hardware resource
– Secure access to control hardware: securable actions can be defined for similar devices, groups of devices, or on a device by device basis
– Actions and devices can be put into groups for easier management (new in CPR9)
• System Policies – Define the rules that govern how security is implemented across your site or enterprise, such as how frequently passwords must be changed (password expirations)
• Product Policies – Restrict access to the features of a software application; defines which functions, features or actions can be secured, for all FactoryTalk-enabled products
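As an added illustration of the authorization step described on the Configuration Access Control slide and the user, computer, device and action groupings on this slide (example code written for this page, not Rockwell's FactoryTalk Security implementation), a decision function that checks a request (user, computer, action, device) against group-based permissions with explicit-deny precedence; all group names, accounts and permission rows are constructed:

```python
from dataclasses import dataclass

# Constructed directory contents modelled on the concepts on the slides: user
# groups (roles), computer groups, device groups and securable actions on a
# device. Names are illustrative, not a real FactoryTalk Directory.
USER_GROUPS = {"Engineers": {"alice", "bob"}, "Operators": {"carol"}}
COMPUTER_GROUPS = {"EngWorkstations": {"ENG-WS-01"}, "HMIs": {"HMI-LINE1"}}
DEVICE_GROUPS = {"Line1-PLCs": {"PLC-L1-A", "PLC-L1-B"}}

@dataclass(frozen=True)
class Permission:
    principal: str   # user or user group
    computer: str    # computer or computer group; "*" means any computer
    action: str      # securable action on the device
    resource: str    # device or device group
    allow: bool      # True = allow, False = explicit deny

# Assumed policy: engineers may download to Line 1 controllers only from an
# engineering workstation (line-of-sight style rule); operators may only view;
# bob is individually denied downloads even though he is an engineer.
PERMISSIONS = [
    Permission("Engineers", "EngWorkstations", "Controller: Download", "Line1-PLCs", True),
    Permission("Operators", "*", "Controller: View", "Line1-PLCs", True),
    Permission("bob", "*", "Controller: Download", "Line1-PLCs", False),
]

def members(groups: dict, name: str) -> set:
    """Expand a group to its members; a bare user/computer/device name is itself."""
    return groups.get(name, {name})

def authorize(user: str, computer: str, action: str, device: str) -> bool:
    """Authorization only: the user and computer are assumed to have been
    authenticated already. Unmatched requests are denied; explicit deny wins."""
    allowed = False
    for p in PERMISSIONS:
        if p.action != action or user not in members(USER_GROUPS, p.principal):
            continue
        if p.computer != "*" and computer not in members(COMPUTER_GROUPS, p.computer):
            continue
        if device not in members(DEVICE_GROUPS, p.resource):
            continue
        if not p.allow:
            return False
        allowed = True
    return allowed
```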
Manufacturing Security Design
• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors
• Network Security – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
• Computer Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services
• Application Security – authentication, authorization, and audit software
• Device Hardening – change management and restrictive access
Tenets of a Good Security Design: The Physical - Switch Lock-in & Block-out
PSL-DCPL
PSL-DCJB
Panduit/RA Physical Layer Reference Architectures Design Guide – MN05
Additional Resources
• Website: http://www.ab.com/networks/architectures.html
• Whitepapers
– Reference Architectures for Manufacturing
– Securing Manufacturing Computer and Controller Assets
– Production Software within Manufacturing Reference Architectures
• Design and Implementation Guides
– ODVA - Network Infrastructure for EtherNet/IP: Introduction and Considerations
– ODVA - EtherNet/IP Media Planning and Installation Manual
– Rockwell Automation and Cisco Design and Implementation Guide – manufacturing reference architectures
Additional Resources - Webcasts
Rockwell Automation and Cisco webcasts:
• What Every IT Professional Should Know about Plant Floor Networking
• What Every Plant Floor Controls Engineer Should Know about Working with IT
Rockwell Automation Knowledge Network webcasts:
• Rockwell Automation and Cisco: Best Practices
• Reference Architectures: Fundamentals of Ethernet Network Design
• Securing Manufacturing and Enterprise Network Convergence
• Industrial Ethernet Resiliency
Available Resources
• Whitepapers
– Stratix Switches within Integrated Architecture
– Achieving Secure Remote Access to Plant Floor Applications and Data
– Recommendations for Designing, Selecting, Configuring and Maintaining Wireless EtherNet/IP Networks
– Industrial Ethernet Resiliency – late summer
– IT Ready for OEMs – late summer
• Design and Implementation Guides
– DIG 2.0 – Stratix 8000, resiliency, performance
– Panduit and Rockwell Automation Physical Layer Reference Architectures