Securing EtherNet/IP Networks. Presented by: Paul Didier (Cisco), Eddie Lee (Moxa)
Agenda • Securing EtherNet/IP Networks • Introduction • Best Practices • Isolated Control Network with Single Controller • Isolated Network with multiple Controllers • Enterprise Connected and Integrated Control Systems • Other Considerations • Emerging Industrial Security Technologies • ISA 99
Introduction • High-level paper for customers and implementers, identifying security concepts for each type of control network • Start with risk identification and analysis • Identify risk reduction and mitigation techniques • There will be costs and trade-offs • Differences between IT and Industrial Automation and Control • Working with IT
Control Network types
Isolated Single Controller • Single Controller • 10s of devices • Potentially multiple switches • Limited non-CIP traffic • Sharing data via sneaker net or transferable device
Isolated Multiple Controller • Multiple Controllers • Up to 100s of devices • 10s of switches, maybe a router • A few networks • Potentially multiple switches • Controllers sharing data • Some non-CIP traffic (e.g. HTTP, file sharing, etc.)
Enterprise Connected • Many Controllers • Up to 1000s of devices • Lots of switches and routers and other network infrastructure • Many “networks” • Sharing data, applications and services between Enterprise and Plant networks • Could have lots of non-CIP traffic (e.g. Voice, Video, etc.)
Best Practices – Isolated Single Controller • Managed Switches • Diagnostics • Port Security • Device Maintenance • End-device security • OS patches • Anti-virus • Network and Application monitoring and management
Isolated Multiple Controller – Previous Considerations and… • VLANs • Basic segmentation • Performance • Quality of Service • Protect key traffic from performance degradation or from some denial-of-service conditions • IGMP (Multicast management) • Network Resiliency • Spanning Tree or Device Level Ring (DLR)
Quality of Service Operations • Classification and Marking • Queuing and (Selective) Dropping • Post-Queuing Operations
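The three QoS stages on this slide, worked through as an added example (not code from the presentation or from Cisco or Moxa). Classification decides the class from protocol and destination port and ignores any DSCP the sender set, marking rewrites the DSCP, and a strict-priority scheduler with per-class queue limits drops only the class that is overflowing. Ports 2222/UDP (CIP implicit I/O) and 44818/TCP (CIP explicit messaging) are the well-known EtherNet/IP ports; the DSCP values, queue depths and the flood scenario are illustrative choices for this example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known EtherNet/IP ports.
CIP_IMPLICIT_UDP = 2222    # Class 0/1 implicit I/O connections
CIP_EXPLICIT_TCP = 44818   # explicit messaging (connected and unconnected)

# Traffic classes in strict priority order (index 0 is served first).
CLASSES = ("cip_io", "cip_explicit", "best_effort")
# DSCP marks and per-class queue depths are illustrative values chosen for
# this example, not figures taken from the slides or from any specification.
DSCP = {"cip_io": 47, "cip_explicit": 27, "best_effort": 0}
QUEUE_LIMIT = {"cip_io": 8, "cip_explicit": 8, "best_effort": 4}


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int
    src: str
    dscp: int = 0


def classify(pkt: Packet) -> str:
    """Classification: decide the class from protocol and destination port.
    Any DSCP the sender set is ignored, so an untrusted host cannot promote
    its own traffic into the I/O queue by pre-marking it."""
    if pkt.proto == "udp" and pkt.dport == CIP_IMPLICIT_UDP:
        return "cip_io"
    if pkt.proto == "tcp" and pkt.dport == CIP_EXPLICIT_TCP:
        return "cip_explicit"
    return "best_effort"


def mark(pkt: Packet) -> Packet:
    """Marking: rewrite the DSCP field according to the class."""
    pkt.dscp = DSCP[classify(pkt)]
    return pkt


class Scheduler:
    """Queuing with selective dropping and strict-priority post-queuing."""

    def __init__(self) -> None:
        self.queues: Dict[str, deque] = {c: deque() for c in CLASSES}
        self.dropped: Dict[str, int] = {c: 0 for c in CLASSES}

    def enqueue(self, pkt: Packet) -> bool:
        cls = classify(mark(pkt))
        if len(self.queues[cls]) >= QUEUE_LIMIT[cls]:
            # Selective drop: a full best-effort queue only loses best-effort
            # packets; the CIP queues are untouched by the flood.
            self.dropped[cls] += 1
            return False
        self.queues[cls].append(pkt)
        return True

    def dequeue(self) -> Optional[Packet]:
        """Post-queuing: transmit from the highest-priority non-empty queue."""
        for cls in CLASSES:
            if self.queues[cls]:
                return self.queues[cls].popleft()
        return None


def run_flood_demo() -> Tuple[List[str], Dict[str, int]]:
    """Constructed scenario: 20 HTTP packets flood the port while a PLC sends
    3 implicit I/O packets. Returns the transmit order (by class) and the
    per-class drop counts."""
    sched = Scheduler()
    for _ in range(20):
        sched.enqueue(Packet("tcp", 80, "10.0.0.99"))                # flood source
    for _ in range(3):
        sched.enqueue(Packet("udp", CIP_IMPLICIT_UDP, "10.0.0.10"))  # PLC I/O
    order: List[str] = []
    while True:
        pkt = sched.dequeue()
        if pkt is None:
            break
        order.append(classify(pkt))
    return order, sched.dropped


if __name__ == "__main__":
    print(run_flood_demo())
```

The I/O packets arrive last but are transmitted first, and all 16 drops land in the best-effort class, which is the behaviour the "protect key traffic from denial of service" bullet on the previous slide is asking for.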
Connected and Integrated Control Previous Considerations and… • Firewall and DMZ • Control traffic flows • Protect Plant from Enterprise threats • Intrusion Detection • Monitor and stop known and unknown attacks • Remote Access • VPN to Firewall/DMZ • Terminal Services into controlled, locked-down server
Firewalls • A firewall is a security device configured to permit, deny or proxy data connections as set by the organization's security policy. Firewalls can be either hardware or software based • A firewall's basic task is to control traffic between computer networks with different zones of trust • Today’s firewalls combine multilayer stateful packet inspection and multiprotocol application inspection • Virtual Private Network (VPN), Anti-x, Authentication and Intrusion Prevention Services (IPS) have been integrated • Despite these complexities, the primary role of the firewall is to enforce security policy [Diagram: firewall between Enterprise and Plant]
De-Militarized Zone • A demilitarized zone is a physical or logical sub-network that contains and exposes an entity's external data and services to a larger untrusted network • Typically requires a firewall • A DMZ may contain terminal server, replicated historian, AV, patch, DNS, AD/LDAP or mail servers • Buffers a zone from the threats, traffic, scans and other network-borne activities in other networks [Diagram: Enterprise | DMZ | Plant]
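The firewall and DMZ slides describe a policy rather than a device, so the added example below (not code from the presentation or from any vendor) expresses that policy as a default-deny, zone-based rule set and checks the invariant that makes a DMZ worthwhile: no rule may join Enterprise and Plant directly. The address plan, the services placed in the DMZ and their ports are constructed for the example; only the zone names come from the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan for the three zones (assumption for this example).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "plant": ipaddress.ip_network("10.3.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    comment: str


# Permit list; anything not listed is denied. Services follow the slide's list
# of what a DMZ may contain; the ports are conventional defaults, not a site's
# actual configuration.
PERMITS: List[Rule] = [
    Rule("enterprise", "dmz", "tcp", 3389, "terminal services to DMZ jump server"),
    Rule("enterprise", "dmz", "tcp", 443, "replicated historian web front end"),
    Rule("dmz", "plant", "tcp", 3389, "jump server into locked-down plant server"),
    Rule("plant", "dmz", "tcp", 443, "historian replication, plant to DMZ"),
    Rule("plant", "dmz", "udp", 53, "DNS resolver in DMZ"),
    Rule("plant", "dmz", "tcp", 8530, "patch (WSUS) server in DMZ"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return ("permit" | "deny", reason). Default deny; first match wins."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside every known zone"
    if src == dst:
        return "permit", "intra-zone traffic is not routed through the firewall"
    for r in PERMITS:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src, dst, proto, dport):
            return "permit", r.comment
    return "deny", f"no rule for {src}->{dst} {proto}/{dport} (default deny)"


def policy_violations(rules: List[Rule]) -> List[str]:
    """The check a reviewer runs before deploying the rule set: every
    cross-boundary flow must terminate in the DMZ, and every rule must name
    a zone that exists."""
    problems: List[str] = []
    for r in rules:
        if {r.src_zone, r.dst_zone} == {"enterprise", "plant"}:
            problems.append(
                f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.dport} bypasses the DMZ")
        if r.src_zone not in ZONES or r.dst_zone not in ZONES:
            problems.append(f"rule references an unknown zone: {r}")
    return problems


if __name__ == "__main__":
    print(evaluate("10.1.5.5", "10.3.1.20", "tcp", 44818))   # enterprise -> PLC: denied
    print(evaluate("10.1.5.5", "10.2.0.10", "tcp", 3389))    # enterprise -> jump server: permitted
    print(policy_violations(PERMITS))
```

Running `policy_violations` over the rule set is the useful part: a single permit from Enterprise to a Plant address on 44818/TCP would pass `evaluate` for that flow and silently turn the DMZ into decoration, and the invariant check catches exactly that.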
Virtual Private Network (VPN) Overview • Mechanism for secure communication over IP (Internet) • Authenticity (unforged/trusted party) • Integrity (unaltered/tampered) • Confidentiality (unread) • Remote Access (RA) VPN components • Client (mobile or fixed) • Termination device (high number of endpoints) [Diagram: VPN Client or Browser, VPN tunnel, VPN Security Appliance]
VPN - What Are We Talking About? Secure VPN includes a number of technologies:
Tunneling • IPsec • L2TP/IPsec • TLS (HTTPS/SSL) • DTLS • SSL
Encryption • DES • 3DES • AES • RC4
Authentication* • RSA digital certificates • Pre-shared key
Integrity • HMAC-MD5 • HMAC-SHA-1
*IKE 1st Phase, Not User Auth.
Wireless • CIP and EtherNet/IP, being based on open standards, are readily transportable over standard wireless technologies. • Common wireless security practices include: • IEEE 802.1X Network Access Control and authentication with shared keys • Encryption – WPA2 is best practice • Disable SSID broadcasting for the control WLAN • Rogue access point and end-point detection
How 802.1X Works • IEEE 802.1X (Port-based Network Access Control) restricts port access to authorized users only. Authentication is done using the local user database or an external RADIUS (Remote Authentication Dial In User Service) server. [Diagram: Wireless Client, Authenticator (e.g. Access Point), Authentication Server (e.g. RADIUS)]
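The three-party exchange in the diagram, simulated as an added example (not code from the presentation or from any 802.1X implementation). The point it makes is the division of roles: the authenticator (access point) never holds credentials and never decides, it only relays the EAP conversation and flips its controlled port to authorized when the server returns Access-Accept. The challenge/response used here (HMAC over a server nonce) is a stand-in for a real EAP method such as EAP-TLS or PEAP, and the identities, keys and MAC addresses are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict


class AuthenticationServer:
    """RADIUS-style server holding the credential database. The nonce/HMAC
    challenge-response stands in for a real EAP method (assumption)."""

    def __init__(self, users: Dict[str, bytes]) -> None:
        self._users = users

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, identity: str, nonce: bytes, response: bytes) -> str:
        secret = self._users.get(identity)
        if secret is None:
            return "Access-Reject"
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)  # constant-time compare
        return "Access-Accept" if ok else "Access-Reject"


class Supplicant:
    """The wireless client. Only it and the server know the secret."""

    def __init__(self, identity: str, secret: bytes) -> None:
        self.identity = identity
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


class Authenticator:
    """The access point. It relays EAP between supplicant and server and
    authorizes the controlled port only on Access-Accept."""

    def __init__(self, server: AuthenticationServer) -> None:
        self._server = server
        self.port_state: Dict[str, str] = {}   # client MAC -> port state

    def forward_allowed(self, client_mac: str, frame_type: str) -> bool:
        """Uncontrolled port: EAPOL frames always pass so authentication can
        happen. Controlled port: data passes only after authorization, and a
        client that was never seen is treated as unauthorized."""
        if frame_type == "eapol":
            return True
        return self.port_state.get(client_mac) == "authorized"

    def run_exchange(self, client_mac: str, supplicant: Supplicant) -> str:
        self.port_state[client_mac] = "unauthorized"
        identity = supplicant.identity             # EAP-Response/Identity
        nonce = self._server.new_challenge()       # EAP-Request, carried in RADIUS
        response = supplicant.respond(nonce)       # EAP-Response, opaque to the AP
        verdict = self._server.verify(identity, nonce, response)
        if verdict == "Access-Accept":
            self.port_state[client_mac] = "authorized"
        return verdict


def demo() -> Dict[str, object]:
    """Constructed scenario: one valid client, one with the wrong key, one
    unknown identity. Returns the verdicts and the resulting port decisions."""
    server = AuthenticationServer({"hmi-01": b"constructed-secret-hmi-01"})
    ap = Authenticator(server)
    good = Supplicant("hmi-01", b"constructed-secret-hmi-01")
    wrong_key = Supplicant("hmi-01", b"wrong-key")
    unknown = Supplicant("laptop-xyz", b"anything")
    results: Dict[str, object] = {
        "good": ap.run_exchange("02:00:00:00:00:01", good),
        "wrong_key": ap.run_exchange("02:00:00:00:00:02", wrong_key),
        "unknown": ap.run_exchange("02:00:00:00:00:03", unknown),
    }
    results["good_data_passes"] = ap.forward_allowed("02:00:00:00:00:01", "ip")
    results["wrong_key_data_passes"] = ap.forward_allowed("02:00:00:00:00:02", "ip")
    results["eapol_always_passes"] = ap.forward_allowed("02:00:00:00:00:99", "eapol")
    results["never_seen_data_passes"] = ap.forward_allowed("02:00:00:00:00:99", "ip")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that a failed exchange leaves the port in the unauthorized state rather than an undefined one, and a client that never attempted 802.1X gets the same treatment; both are the conditions a deployment review should confirm on real hardware.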
Fast Ethernet Security - Authentication • MAC address filtering [Diagram: access point on a moving process and field engineers' access point; client traffic marked Deny or Allow]
Other Security Considerations • Other considerations include: • Security enhanced operating systems • Virtual Private Network (VPN) – tunneled encryption for traffic external to the Plant network • Enhanced authentication via biometrics • Network Access Control and Protection to verify every device on the network
Network Access Control • NAC is a solution that uses a set of protocols to define and implement a policy that describes how to secure access to the network by devices. Network Access Control controls access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. Network Access Protection (NAP) is Microsoft’s implementation of NAC. • AUTHENTICATE users and devices to the network • Posture and Remediate the device for policy compliance • Differentiated Access – role based access control • Audit and Report – who is on my network
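The four NAC steps on this slide, and the MAC address filtering from the Fast Ethernet slide above, carried through in one added example (not code from the presentation, from Microsoft NAP or from any NAC product). Devices that cannot run 802.1X, such as a PLC, are admitted by MAC allow-list; everything else is authenticated by identity, posture-checked, placed in a VLAN according to its role (or quarantine on a posture failure), and written to an audit log. The roles, VLAN numbers, patch and anti-virus thresholds, identities and MAC addresses are all constructed for the example. The MAC normalizer handles the formats that commonly appear in switch output, so an allow-list entry written one way still matches a device reported another way.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff'
    and 'aa:bb:cc:dd:ee:ff' compare equal; a naive string match would not."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass
class Endpoint:
    mac: str
    identity: Optional[str]                # None: no 802.1X credentials (e.g. a PLC)
    av_signature_age_days: Optional[int]   # None: no anti-virus agent present
    missing_critical_patches: int


# Constructed policy data (assumptions for this example). Locally administered
# 02:... addresses are used so no real vendor prefix is implied.
MAC_ALLOWLIST: Dict[str, str] = {normalize_mac("02-00-00-00-10-01"): "plc"}
USER_ROLES: Dict[str, str] = {"eng.alice": "engineer", "vendor.bob": "vendor"}
ROLE_VLAN: Dict[str, int] = {"plc": 100, "engineer": 110, "vendor": 120, "quarantine": 999}
MAX_AV_AGE_DAYS = 7
POSTURE_EXEMPT_ROLES = {"plc"}   # embedded devices cannot host an AV agent


def authenticate(ep: Endpoint) -> Optional[str]:
    """Step 1 (AUTHENTICATE): 802.1X identity first, MAC allow-list as the
    fallback for devices without credentials. Returns the role or None."""
    if ep.identity is not None:
        return USER_ROLES.get(ep.identity)
    return MAC_ALLOWLIST.get(normalize_mac(ep.mac))


def posture_failures(ep: Endpoint, role: str) -> List[str]:
    """Step 2 (Posture): return the list of failed compliance checks."""
    if role in POSTURE_EXEMPT_ROLES:
        return []
    failures: List[str] = []
    if ep.av_signature_age_days is None:
        failures.append("no anti-virus agent")
    elif ep.av_signature_age_days > MAX_AV_AGE_DAYS:
        failures.append(f"AV signatures {ep.av_signature_age_days} days old")
    if ep.missing_critical_patches > 0:
        failures.append(f"{ep.missing_critical_patches} critical patches missing")
    return failures


def admit(ep: Endpoint, audit_log: List[str]) -> Dict[str, object]:
    """Steps 3 and 4 (Differentiated Access, Audit): VLAN by role, quarantine
    VLAN on posture failure, no VLAN at all on authentication failure; every
    decision is appended to the audit log."""
    mac = normalize_mac(ep.mac)
    role = authenticate(ep)
    if role is None:
        audit_log.append(f"DENY mac={mac} identity={ep.identity}")
        return {"mac": mac, "role": None, "vlan": None, "posture_failures": []}
    failures = posture_failures(ep, role)
    vlan = ROLE_VLAN["quarantine"] if failures else ROLE_VLAN[role]
    audit_log.append(f"ADMIT mac={mac} role={role} vlan={vlan} failures={failures}")
    return {"mac": mac, "role": role, "vlan": vlan, "posture_failures": failures}


def run_demo() -> Tuple[Dict[str, Dict[str, object]], List[str]]:
    """Constructed endpoints covering each outcome of the pipeline."""
    log: List[str] = []
    endpoints = {
        "plc": Endpoint("02:00:00:00:10:01", None, None, 0),
        "engineer": Endpoint("02:00:00:00:20:01", "eng.alice", 2, 0),
        "vendor_stale_av": Endpoint("02:00:00:00:30:01", "vendor.bob", 30, 1),
        "unknown_device": Endpoint("02:00:00:00:40:01", None, None, 0),
    }
    results = {name: admit(ep, log) for name, ep in endpoints.items()}
    return results, log


if __name__ == "__main__":
    decisions, audit = run_demo()
    for name, d in decisions.items():
        print(f"{name}: role={d['role']} vlan={d['vlan']} failures={d['posture_failures']}")
    print("\n".join(audit))
```

The quarantine VLAN is what turns "Posture and Remediate" into something more than a report: a non-compliant laptop still gets network access, but only to the remediation services, and the audit record shows why it landed there.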