
Plantwide Benefits of EtherNet/IP

2/22/2011

Copyright © 2010 Rockwell Automation, Inc. All rights reserved.

Clive Barwise, Ferry Hallewas

Botlek Studiegroep, 17-February-2011

www.ODVA.org


Plantwide Network Architectures – Converged Plantwide Ethernet (CPwE) Architectures

[Diagram: CPwE architecture showing Level 4 (Data Center), Level 3 (Site Operations) and the Cell/Area Zones (Levels 0-2), with example zones for Processing, Filling and Material Handling.]

EtherNet/IP – Differentiator #1: Established


EtherNet/IP – Established (partial list)

280+ EtherNet/IP Vendors Registered, over 3,000,000 nodes shipped

Industrial Ethernet: EtherNet/IP – Standard and Established

Source: IMS Research

Rockwell Automation, Omron, and Schneider Electric use EtherNet/IP as core technology.

Many other vendors also provide EtherNet/IP.

Standard/Unmodified Ethernet & TCP/IP

• Standard:

– Future proof technology

– Mix commercial and industrial information on one common network infrastructure

– Scalable plantwide networks with 1,000s of nodes

– Topology to match your plant

– Diverse and broad supplier support

EtherNet/IP is the current global leader for nodes sold


Network Evolution – EtherNet/IP

[Diagram: cost-over-time chart of device classes moving from DeviceNet to EtherNet/IP – controllers, HMI, servo and standard drives, robots, valves, I/O, safety I/O, safety components, E1/E3 overloads, instruments and, in future, pushbuttons, photoeyes, proximity and limit switches – today versus future.]

Low Cost EtherNet/IP:

• NEO ASIC

• 2-port embedded switch

• Lower cost scalable chipset/stacks

• PHY designed for 1G

• PoF – Poly Fiber media

• PoE – Power over Ethernet

MCC Today: all DeviceNet inside

MCC Short-term: EtherNet/IP – drives; DeviceNet – overloads

MCC Future: all EtherNet/IP; PoF media

• Cost of EtherNet/IP implementation continues to lower

– Faster adoption of devices on Ethernet

– EDS for devices on CIP networks

– 2-port DLR technology for simplified integration

• Cost of DeviceNet implementation levels

– Continues to provide solution for low cost devices

EtherNet/IP – Differentiator #2: Standard… Not “Standards-Based”


Layer 7 – Application: Common Industrial Protocol

[Diagram: protocol stack – Layers 5-7: CIP (explicit messaging over TCP, real-time I/O control over UDP) alongside FTP, HTTP, OPC, SNMP, BOOTP and DHCP; Layer 4: TCP and UDP; Layer 3: IP with ICMP, IGMP, OSPF, ARP and RARP; Layers 1-2: IEEE 802.3 Ethernet.]

• CIP: Implicit traffic

– I/O control, drive control, Produced/Consumed tags

– Uses UDP protocol (unicast and multicast)

• CIP: Explicit traffic

– HMI, Message Instructions, Program upload/download

– Uses TCP protocol

• Other common traffic

– HTTP, Email, SNMP, etc.

• Advantages of EtherNet/IP

– Standard Ethernet and IP Protocol suite

– Future proof

– Established – 280+ registered vendors

– Supported – All EIP products require conformance testing

• Ethernet/Industrial Protocol, or EtherNet/IP, specifies how CIP communication packets can be transported over standard Ethernet and TCP/IP technology.

Standard vs. “standards-based”

• Standard

– Uses standard switches

– Integrates easily into existing Ethernet installations and corporate networks

– Requires no special training or knowledge from IT workforce

• “Standards-based”

– Requires the use of proprietary switches or protected segments

– Potential integration issues with existing Ethernet installations

– Requires extra training and knowledge from IT workforce


Ethernet/Industrial Protocol: EtherNet/IP vs. Ethernet and IP vs. Ethernet/IP

• Standard

– IEEE 802.3 – standard Ethernet, Precision Time Protocol (IEEE 1588)

– IETF – Internet Engineering Task Force, standard Internet Protocol (IP)

– IEC – International Electrotechnical Commission

– ODVA – Common Industrial Protocol (CIP)

• IT Friendly and Future Proof (Sustainable)

• Established – products, applications and vendors

• Multidiscipline control and information platform

• ODVA

– Supported by global industry vendors such as Cisco Systems®, Omron®, Schneider Electric®, Rockwell Automation and many more!

– Conformance & Performance Testing

http://www.odva.org

[Diagram: OSI reference model – 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical; the upper layers are labelled network independent.]


EtherNet/IP Advantage Summary

• ODVA – Cisco Systems and Rockwell Automation are principal members

• IT friendly – Standard Ethernet and TCP/IP Protocol Suite

• Future proof – Sustainable

– Industry Standards such as IEEE and IETF

• Portability and Routability

– Physical layer and data link layer independence

• Established – 280+ Registered Vendors, over 3,000,000 nodes

• Supported – All EtherNet/IP products require conformance testing

• Multidiscipline Support

– Discrete Control, Process Control, Batch Control, Configuration, Information/Diagnostics, Safety Control, Time Synchronization, Motion Control and Energy Management

• Common industrial application protocol

– DeviceNet, ControlNet and EtherNet/IP

– Seamless bridging throughout CIP networks

EtherNet/IP – Differentiator #3: More Than a Fieldbus


EtherNet/IP – Technology Convergence

Mix Business, Industrial, and Commercial Technologies to Solve Applications – Plant-wide

[Diagram: commercial technologies (email, webpage, remote access, video/voice over IP, wireless, FTP, other), business and traditional plant-floor applications (controllers, business system, programming terminals, HMI) and real-time plant-floor control applications (robots, I/O devices, drives, instruments) all converging on EtherNet/IP – more than a fieldbus.]

Industrial Network Convergence – Continuing Trend

Evolution of industrial Ethernet applications: EtherNet/IP enabling/driving convergence of control and information

[Diagram: applications converging on EtherNet/IP – information, I/O control, safety, motion control, instrumentation and, in the near future, energy.]


Converged Plantwide Ethernet vs. Traditional 3-Tier Industrial Network Model

[Diagram: the traditional three-tier industrial network model (corporate network – control network gateway – industrial network, with supervisory control and HMI, controllers and safety controller, and sensors, I/O, motors, drives, actuators and robotics in separate tiers) compared with the Converged Plantwide Ethernet model, where back-office mainframes and servers (ERP, MES, etc.), office applications, internetworking, data servers and storage, HMI, supervisory and safety control, controllers, I/O, safety I/O, drives, robotics, cameras and phones share one industrial network.]

Industrial Networks – Continuing Trends

• Open Networks Are In Demand

– Broad availability of products, applications and vendor support for Industrial Automation and Control System (IACS)

– Network standards for coexistence and interoperability

• Convergence of Network Technologies

– Reduce the number of different networks in an operation and create seamless information sharing from the plant floor to the enterprise

– Use common network design and troubleshooting tools across the plant and enterprise, and avoid special tools for each application

• Better Asset Utilization to Support Lean Initiatives

– Reduce training, support, and inventory for different networking technologies

– Common network infrastructure assets, while accounting for environmental requirements

• Future Proof – Maximizing Investments

– Support new technologies and features without a network forklift upgrade


Many field device integration options

[Diagram: process controller, engineering and operator workstations and asset management on the Ethernet supervisory network, with field devices integrated via FF H1 and FF linking devices (FFLD/FFLDC), HART and compact HART I/O, Profibus PA (EN2PA, CN2PA), plus drives and motor control centers.]

Instrument with EtherNet/IP

• Technical highlights / features

– Dual Ethernet port design (support for ring topology)

– Integrated web server and Ethernet switch functionality

– Electronic Data Sheet (EDS file) located in the device

Configuration within an FDT frame

Calibration management: planning, calibration and reporting


EtherNet/IP – Industrial Networks: similarities and differences between IT and the plant floor

IT vs. Industrial Network Requirements – Trend: Industrial and IT Network Convergence

• Enterprise (IT) Network Requirements

– Internet protocols

– Wide Area Network (WAN)

– High availability – redundant star topologies

– Latency, jitter, etc.

– Voice, video, data applications

– IP addressing – dynamic

– Security – pervasive

• Industrial Network Requirements

– Industrial and internet protocols

– Local Area Network (LAN)

– Resiliency – ring topologies are prominent, redundant star topologies are emerging

– Latency, jitter, etc.

– Information, control, safety, synchronization and motion

– IP addressing – static

– Security – emerging: Open by Default vs. Closed by Configuration

So, what are the similarities and differences?


Cultural and Organizational Convergence – Trend: Industrial and IT Network Convergence

Security Policies                | IT Network                                          | Industrial Network
---------------------------------|-----------------------------------------------------|--------------------------------------------------------------------
Focus                            | Protecting Intellectual Property and Company Assets | 24/7 Operations, High OEE
Priorities                       | Confidentiality, Integrity, Availability            | Availability, Integrity, Confidentiality
Types of Data Traffic            | Converged Network of Data, Voice and Video          | Converged Network of Data, Control, Information, Safety and Motion
Access Control                   | Strict Network Authentication and Access Policies   | Strict Physical Access, Simple Network Device Access
Implications of a Device Failure | Continues to Operate                                | Could Stop Operation
Threat Protection                | Shut Down Access to Detected Threat                 | Potentially Keep Operating with a Detected Threat
Upgrades                         | ASAP, During Uptime                                 | Scheduled, During Downtime

EtherNet/IP – Considerations


Application Requirements

                         | Process Automation                                 | Discrete Automation                                          | Motion Control
-------------------------|----------------------------------------------------|--------------------------------------------------------------|------------------------------------------------------
Function                 | Information Integration, Slower Process Automation | Time-critical Discrete Automation                            | Motion Control
Communication Technology | .Net, DCOM, TCP/IP                                 | Industrial Protocols – CIP                                   | Hardware and Software solutions, e.g. CIP Motion, PTP
Period                   | 1 second or longer                                 | 10 ms to 100 ms                                              | <1 ms
Industries               | Oil & gas, chemicals, energy, water                | Auto, food & beverage, semiconductor, metals, pharmaceutical | Subset of discrete automation
Applications             | Pumps, compressors, mixers, instrumentation        | Material handling, filling, labeling, palletizing, packaging | Printing presses, wire drawing, web making, pick & place

Networking Best Practices

• Best practices for reducing Latency and Jitter, and to increase data Availability, Integrity and Confidentiality

• Robust Physical Layer

• Segmentation

– Structure and Hierarchy – Multi-tier Network Model

– Logical Framework – organization into levels and zones

– Topology

– Virtual LANs (VLANs)

• Resiliency Protocols and Redundant Topologies

• Time Synchronization

• Prioritization – Quality of Service (QoS)

• Multicast Management

• Security – Defense-in-Depth


Logical Framework – Converged Plantwide Ethernet (CPwE) Architectures

[Diagram: Cell/Area Zones (Levels 0-2) – Level 0 drives and I/O, Level 1 controllers, Level 2 HMI – each zone on a Layer 2 access switch uplinked to a Layer 3 distribution switch; Cell/Area Zone #1 redundant star topology with Flex Links resiliency, Cell/Area Zone #2 ring topology with Resilient Ethernet Protocol (REP), Cell/Area Zone #3 bus/star topology; media and connectors.]

Fundamentals of Network Resiliency and Redundancy

[Table: Redundant Star vs. Ring vs. Linear topologies rated Best / OK / Worst on cabling requirements, ease of configuration, implementation costs, bandwidth, redundancy and convergence, disruption during network upgrade, readiness for network convergence, and overall network TCO and performance; the per-cell ratings are not recoverable from the transcript.]

[Diagram: the three Cell/Area Zone topologies – redundant star (Flex Links), ring (Resilient Ethernet Protocol, REP) and star/bus (linear) – each with HMI, controllers, drives and distributed I/O on Cisco Catalyst 2955 access switches uplinked to a Cisco Catalyst 3750 StackWise switch stack.]

Resiliency Protocols and Redundant Topologies – Layer 2 – Loop Avoidance


Logically Isolate Areas of Control (VLAN)

Segmentation by Function, not by Location (VLAN)

Clear division of responsibilities can easily be obtained


Control between Subnets

• Controllers communicate to other EtherNet/IP devices via unicast

– Produce & Consume Standard & Safety tags + standard I/O

• Unicast also allows EtherNet/IP communications to span multiple subnets

• Interlocking of remote controllers over the plant infrastructure

• Streamline traffic on the network by allowing one-to-one transmission of EtherNet/IP I/O data, which largely eliminates unwanted multicast traffic

• Layer 3 switching to communicate across VLANs

* Hardware support may vary

Fundamentals of Securing Ethernet Control Networks

Clive Barwise, Networks Business Manager, Rockwell Automation EMEA

@ KROHNE Altometer Nederland B.V., Kerkeplaat 12, 3313 LC Dordrecht


Agenda

1. Industrial Network Security Trends

2. Defense-in-Depth

3. Secure Remote Access

4. Conclusion: Steps for a secure future

What is security for you? – Converged Plantwide Ethernet (CPwE) Architectures

• What do users want from the control system?

• System Performance – do things at the appropriate speed.

• Continuous Operation – availability

• Accuracy – how much did I make?

• Privacy of data – only select people should have this information

• Freedom for data access – reports on my phone, connect from home.

• Technology Convergence – IT technologies embedded in the system: video, IP phones, wireless

[Diagram: CPwE reference architecture – Enterprise Zone (Levels 4 and 5) with ERP, email and the wide area network (WAN); a Demilitarized Zone (DMZ) between active and standby Cisco ASA 5500 firewalls (Gbps link for failover detection) hosting patch management, terminal services, application mirror, AV server and a remote access server; the Industrial Zone Site Operations and Control (Level 3) on Cisco Catalyst 6500/4500 switches and a Catalyst 3750 StackWise switch stack with FactoryTalk application servers (View, Historian, AssetCentre, Transaction Manager), the FactoryTalk Services Platform (Directory, Security/Audit), data servers and network services (DNS, DHCP, syslog server, network and security management); and Cell/Area Zones (Levels 0-2) on Rockwell Automation Stratix 8000 Layer 2 access switches – Cell/Area #1 redundant star topology with Flex Links resiliency, Cell/Area #2 ring topology with Resilient Ethernet Protocol (REP), Cell/Area #3 bus/star topology – containing controllers, drives, HMI and distributed I/O (DIO).]


Industrial Network Security Trends – Commonly Reported Business Disruptions

• Denial of service

• Natural or manmade disaster

• Theft

• Worms and viruses

• Unauthorized access

• Application of security patches

• Unauthorized actions by employees

• Unauthorized actions by vendors

• Unintended employee actions

• Sabotage

Unaddressed security risks increase the potential for disruption to the control system’s uptime and safe operation

Industrial Network Security Trends – Two Critical Elements to Security

• Security is basically two-pronged: Technical vs. Non-technical

– A balanced Security Program must address both Technical (technology) and Non-Technical (procedures) elements

• Technical controls – firewalls, Group Policy Objects, Layer 3 ACLs, etc. – provide restrictive measures for non-technical controls

• Non-technical controls – rules for environments, such as policy and procedure, risk management

• Security is only as strong as the weakest link

• Vigilance and attention to detail are KEY to long-term security success

[Diagram: technical and non-technical controls, captioned “one-size-fits-all”.]


Industrial Network Security Trends – Two Critical Elements to Security

• When a Technical Control is lacking, the non-technical control will only provide so much protection

– Example: Policy states you should not surf the web from a control system HMI; however, there is no technical control in place preventing such access or behavior

– This exposes a technical attack vector (i.e. unauthorized access from non-control-system elements)

• When a Non-Technical Control is lacking, the technical control will only provide so much protection

– Example: Firewalls are in place to prevent operators from surfing the web from a control system HMI; however, there is no non-technical control in place stating you shouldn’t change the HMI’s network port access to the other side of the firewall

– This exposes a non-technical attack vector (i.e. a social engineering type attack)

• How much security is enough security?

– The amount of security in a system should rise to meet a corporation’s level of risk tolerance.

– In theory, the more security that is properly designed and deployed in a system, the lower the amount of risk that should remain.

EPIC Security FAIL!

• Failure to follow good design principles may have unintended consequences.

• Safety systems may or may not help, depending on the infrastructure.


Consequences: ICS Network Issues

• ICS network issues are much more than “data loss” – there are real-world, physical consequences

• You cannot fix these “issues” by restoring from backups…

Just because you can… doesn’t always mean you should

NOTE: This will be deadly

Industrial Network Security Trends – Map of Evolving Standards

[Diagram: timeline (past – present – future) of ICS security standards and bodies – industry groups (NERC, AGA, API, CIDX, AWWA, water and wastewater, rail and transport, etc.), FERC, NIST (NIST 800), ISA (ISA S99), IEC 62443, DHS, INL, ICS-CERT, EuroSCSIE, EU regulations, and SmartGrid components.]


Industrial Network Security Trends – Industry Standards

• International Society of Automation & IEC – ISA-99

– Industrial Automation and Control System (IACS) Security

– Defense-in-Depth

– DMZ Deployment

• National Institute of Standards and Technology – NIST 800-82

– Industrial Control System (ICS) Security

– Defense-in-Depth

– DMZ Deployment

• Department of Homeland Security / Idaho National Lab – DHS INL/EXT-06-11478

– Control Systems Cyber Security: Defense-in-Depth Strategies

– Defense-in-Depth

– DMZ Deployment

Defense-in-Depth – Multiple Layers to Protect the Network and Defend the Edge

• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors

• Network Security – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers

• Computer Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services

• Application Security – authentication, authorization, and audit software

• Device Hardening – change management and restrictive access

[Diagram: Defense-in-Depth Security Model with layers Physical, Network, Computer, Application and Device.]


Defense-in-Depth – Physical Security – Examples

• Physical Security Plan – create and maintain a physical security plan (PSP)

• Physical Access Controls – document and implement the operational and procedural controls to manage physical access at all access points to the PSP’s twenty-four hours a day, seven days a week.

– Card Key

– Special Locks

– Security Personnel

– Other Authentication Devices (Biometric, keypad, token, etc.)


Defense-in-Depth – Physical Security – Examples

• Panduit Keyed LC deployments

– Lock-In (left)

– Blockout (right)

– Prevents unintentional moves, adds, and changes

Defense-in-Depth – Computer Hardening – Examples

• Security Patch Management – establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches

– Keep computers up-to-date on service packs and hot fixes

• Disable automatic updates

• Check software vendor website

• Test patches before implementing

• Schedule patching during downtime

– Deploy and maintain Anti-X (antivirus, antispyware, etc.) and malware detection software

• Disable automatic updates and automatic scanning

• Test definition updates before implementing

• Schedule manually initiated scanning during downtime

• Uninstall unused Windows components

– Protocols and Services

• Protect unused or infrequently used USB, parallel or serial interfaces


Defense-in-Depth – Controller Hardening – Examples

• Physical procedure:

– Restrict control panel access to authorized personnel

– Switch the Logix Controller key to “RUN”

• Electronic design:

– Logix Controller CPU Lock feature

– Logix Controller Source Protection

– Authentication, authorization and audit (AAA) by implementing FactoryTalk Security

– Change Management with disaster recovery: FactoryTalk AssetCentre

Defense-in-Depth – Application Security – Examples

• Primarily AAA

– Authenticate

– Authorize

– Audit

• Reduce Security if

– One Login

• Computer

• Network

• Application


Defense-in-Depth – Network Security

• Comprehensive Network Security Model for Defense-in-Depth

• Security is not a bolt-on component

• Industrial Security Policy

• Implement DMZ

• Engage the experts – Network & Security Services team

• Remote/Partner Access Policy, with robust & secure implementation

Network Security Services must not compromise operations of the Cell/Area Zone

Industrial and IT Network Convergence – Logical Infrastructure Framework

[Diagram: logical framework by level – Level 5 Enterprise Network and Level 4 Site Business Planning and Logistics Network (e-mail, intranet, etc.) forming the Enterprise Security Zone; a DMZ between two firewalls hosting terminal services, patch management, AV server, application mirror, web services operations and an application server; Level 3 Site Operations and Control (FactoryTalk application server, FactoryTalk Directory, engineering workstation, domain controller); Level 2 Area Supervisory Control (FactoryTalk clients, operator interfaces, engineering workstation); Level 1 Basic Control (batch, discrete, drive, continuous process and safety control); Level 0 Process (sensors, drives, actuators, robots); Levels 0-3 forming the Industrial Security Zone with the Cell/Area Zone at Levels 0-2; web and e-mail traffic above the DMZ, CIP traffic below it.]

• Network Segmentation

• Demarcation line for: Security Policies, Quality of Service Policies, Multicast Groups.


Defense-in-Depth – Demilitarized Zone (DMZ)

• Industrial Security Policy

• All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ

• No primary services are permanently housed in the DMZ

• DMZ shall not permanently house data

• Be prepared to “turn off” access via the firewall

• No control traffic into the DMZ: industrial protocols stay at home.

• Application Data Mirror

[Diagram: Enterprise Security Zone and Industrial Security Zone separated by the DMZ with replicated services; no direct traffic; a disconnect point on each side.]
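The DMZ rules above, as an added example (not from the presentation or from Rockwell Automation/Cisco): a small Python audit that checks constructed flow records against them, using an assumed per-zone subnet plan and the well-known EtherNet/IP ports (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O), which the slides do not list.

```python
"""Audit flow records against the CPwE DMZ rules from the slide:
every cross-zone flow must terminate in the DMZ rather than traverse it,
and CIP (industrial protocol) traffic must stay inside the industrial zone.
Added example; zone subnets and sample flows are constructed, not real.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone plan (constructed): one subnet per CPwE security zone.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),   # Levels 4-5
    "dmz":        ipaddress.ip_network("10.2.0.0/24"),   # replicated services
    "industrial": ipaddress.ip_network("10.3.0.0/16"),   # Level 3 + Cell/Area Zones
}

# Standard EtherNet/IP port assignments (not listed on the slides).
CIP_EXPLICIT_TCP = 44818   # explicit: HMI, MSG instructions, upload/download
CIP_IMPLICIT_UDP = 2222    # implicit: I/O, drive control, produced/consumed tags


@dataclass(frozen=True)
class Flow:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def zone_of(ip):
    """Map an address to its CPwE zone, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def classify_cip(flow):
    """'explicit' (TCP) or 'implicit' (UDP) CIP traffic per the slide's split, else None."""
    if flow.proto == "tcp" and flow.dport == CIP_EXPLICIT_TCP:
        return "explicit"
    if flow.proto == "udp" and flow.dport == CIP_IMPLICIT_UDP:
        return "implicit"
    return None


def check_flow(flow):
    """Return the list of DMZ-policy violations for one flow (empty = compliant)."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    violations = []
    if "unknown" in (src, dst):
        violations.append("endpoint outside the zone plan")
    # Rule 1: enterprise and industrial zones never talk directly; traffic
    # from either side must terminate in the DMZ (application data mirror).
    if {src, dst} == {"enterprise", "industrial"}:
        violations.append("direct traffic traverses the DMZ")
    # Rule 2: industrial protocols stay at home: no CIP into the DMZ or beyond.
    cip = classify_cip(flow)
    if cip and (src, dst) != ("industrial", "industrial"):
        violations.append(f"CIP {cip} traffic outside the industrial zone")
    return violations


def audit(flows):
    """Map each flow to its violations so a reviewer can see allowed vs. denied."""
    return {f: check_flow(f) for f in flows}


# Constructed sample flows (not from any real capture).
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.2.0.10", "tcp", 443),     # enterprise -> DMZ mirror: allowed
    Flow("10.3.10.5", "10.2.0.10", "tcp", 1433),    # industrial -> DMZ mirror: allowed
    Flow("10.1.5.20", "10.3.10.5", "tcp", 3389),    # enterprise -> industrial direct: denied
    Flow("10.3.10.5", "10.2.0.10", "tcp", 44818),   # CIP explicit into the DMZ: denied
    Flow("10.3.10.5", "10.3.20.7", "udp", 2222),    # CIP implicit inside the zone: allowed
    Flow("10.1.5.20", "10.3.20.7", "udp", 2222),    # CIP implicit from enterprise: denied twice
]

if __name__ == "__main__":
    for flow, problems in audit(SAMPLE_FLOWS).items():
        status = "DENY" if problems else "OK  "
        print(status, flow.src, "->", flow.dst, flow.proto, flow.dport, "; ".join(problems))
```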

Secure Remote AccessSolution is Application Driven

• Industrial application within a greater Enterprise– Larger manufacturer with production (industrial) and business (IT) systems integration

– Requirements

• IT presence, defense-in-depth requirement, alignment with Industrial Security Standards

– Recommended Solution

• Rockwell Automation & Cisco Secure Remote Access solution, Rockwell Automation Network and Security Services

Diagram: Plantwide Systems and Enterprise Systems connected over a WAN to a Remote Site, a Plant Engineer, a Machine Builder and a System Integrator.


Secure Remote Access: Converged Plantwide Ethernet (CPwE) Architectures

• Logical framework

• Industrial and IT network convergence

• Hierarchical segmentation

  – Scalability

  – Resiliency

  – Traffic management

  – Policy enforcement

• Security policies

  – Defense-in-depth

• Secure remote access

Diagram: CPwE reference architecture with secure remote access. Enterprise Zone (Levels 4 and 5): Enterprise WAN, Enterprise Data Center (ERP, Email, Wide Area Network (WAN)), Enterprise Edge Firewall, Internet; a Remote Engineer or Partner using the Cisco VPN Client over an IPsec VPN, and an Enterprise Connected Engineer. DMZ: active and standby Cisco ASA 5500 firewalls with a Gbps link for failover detection; Patch Management, Terminal Services, Application Mirror, AV Server; SSL VPN/HTTPS portal; Remote Desktop Protocol (RDP) proxied to the Remote Access Server (RSLogix 5000, FactoryTalk View Studio). Industrial Zone, Site Operations and Control (Level 3): Cisco Catalyst 6500/4500 switches and a Catalyst 3750 StackWise switch stack; FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager); FactoryTalk Services Platform (Directory, Security/Audit); Data Servers; Network Services (DNS, DHCP, syslog server, network and security management). Cell/Area Zones (Levels 0–2) over EtherNet/IP via Rockwell Automation Stratix 8000 Layer 2 access switches: Cell/Area #1 redundant star topology with Flex Links resiliency, Cell/Area #2 ring topology with Resilient Ethernet Protocol (REP), Cell/Area #3 bus/star topology, each with controllers, drives, HMIs and distributed I/O (DIO).

Secure Remote Access: CPwE Solution

• Secure remote access for employees and trusted partners such as machine builders and system integrators

• Meeting the security requirements of IT while enabling manufacturers to leverage shared, distributed company resources and trusted partners

• Management of assets: monitor, configure and audit

• Simplifies change management, version control, regulatory compliance, and software license management

• Network and application authentication and authorization

• Simplifies remote client health management



Secure Remote Access: CPwE Solution

1. Remote engineer or partner establishes VPN to corporate network; access is restricted to IP address of plant DMZ firewall

2. Portal on plant firewall enables access to industrial application data and files

   – Intrusion protection system (IPS) on plant firewall detects and protects against attacks from remote host

3. Firewall proxies a client session to remote access server

4. Access to applications on remote access server is restricted to specified plant floor resources through industrial application security
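The DMZ rules given earlier (all traffic terminates in the DMZ, no control traffic into the DMZ, only replicated or proxied services) and the remote access steps above can be checked against a proposed flow. The following is an added example, not code from the presentation or from Rockwell Automation or Cisco; the zone names, the flow tuple and the permitted-session table are assumptions, and the port numbers are the well-known defaults for HTTPS, RDP and EtherNet/IP.

```python
# Added example (not from the presentation): a small model of the CPwE DMZ
# traffic policy plus the proxied remote access path. Zone names, the flow
# tuple and the sample flows are constructed; port numbers are the well-known
# defaults (HTTPS 443, RDP 3389, EtherNet/IP TCP 44818 and UDP 2222).
from dataclasses import dataclass

ENTERPRISE, DMZ, INDUSTRIAL = "Enterprise", "DMZ", "Industrial"

# Industrial protocols that must "stay at home": EtherNet/IP explicit
# messaging (TCP 44818) and implicit I/O (UDP 2222) never enter the DMZ.
INDUSTRIAL_PROTOCOLS = {("tcp", 44818), ("udp", 2222)}

# Sessions the DMZ firewall is allowed to terminate or originate. Each entry
# is (src_zone, dst_zone, proto, dport); everything else is denied.
PERMITTED_SESSIONS = {
    # steps 1-2: the VPN user reaches only the HTTPS portal on the DMZ firewall
    (ENTERPRISE, DMZ, "tcp", 443),
    # step 3: the firewall itself proxies RDP to the remote access server
    (DMZ, INDUSTRIAL, "tcp", 3389),
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Decide whether a flow is allowed under the DMZ policy, with a reason."""
    if flow.src_zone == flow.dst_zone:
        return True, "intra-zone flow; not subject to the DMZ policy"
    # Rule 1: nothing traverses the DMZ; every cross-zone flow ends in it.
    if DMZ not in (flow.src_zone, flow.dst_zone):
        return False, "would traverse the DMZ; flows must terminate in the DMZ"
    # Rule 2: control traffic never enters the DMZ from either side.
    if flow.dst_zone == DMZ and (flow.proto, flow.dport) in INDUSTRIAL_PROTOCOLS:
        return False, "control traffic into the DMZ is not permitted"
    # Rule 3: only explicitly replicated or proxied services are allowed.
    if (flow.src_zone, flow.dst_zone, flow.proto, flow.dport) in PERMITTED_SESSIONS:
        return True, "permitted replicated or proxied service"
    return False, "no replicated service or firewall proxy for this flow"


def remote_access_path(client_zone: str = ENTERPRISE) -> list[bool]:
    """Steps 1-3 as two sessions that both terminate at the DMZ firewall."""
    hops = [Flow(client_zone, DMZ, "tcp", 443), Flow(DMZ, INDUSTRIAL, "tcp", 3389)]
    return [evaluate(hop)[0] for hop in hops]
```

A direct RDP or CIP session from the enterprise side to the Industrial Zone fails rule 1, which is exactly why the firewall proxies the client session in step 3 instead of forwarding it.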


SECURITY IN SUMMARY: Reviewing the lessons, application to the future and verification of success

Copyright © 2010 Rockwell Automation, Inc. All rights reserved. 62


Steps to Increasing Security

1. Create a Program

NOTE: This is different from an Enterprise Security Program.


“Programs” drive accountability, action and responsibility.

Steps to Increasing Security (cont)

2. Know what you have in your process

• Every control system event must be coded. EVERY ONE!

• This means that almost every network event can be predicted

  – Some exceptions, like ARP, NetBIOS traffic, etc.

• If it can be predicted, it can be whitelisted and authorized via tiered firewall rule sets and layer 3 access control lists (ACLs)

• If these can be whitelisted, other network events can be tuned for disclosure in intrusion detection and prevention systems (IDS/IPS)

Knowing what you have in your process allows for the creation of a defensible network architecture and response posture.
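Step 2 in practice: predicted conversations from the process inventory become the whitelist, and whatever the whitelist does not explain is what the IDS/IPS should be tuned to surface. The following is an added example, not code from the presentation; the hosts, addresses and flow records are constructed, the ACL text follows the Cisco extended-ACL style, and the EtherNet/IP port numbers are the well-known defaults.

```python
# Added example (not from the presentation): derive a whitelist from a
# process inventory of predicted conversations, render it as ACL lines, and
# sort observed flow records into expected / known exception / unexpected.
# Hosts and addresses are constructed; EtherNet/IP ports are the well-known
# defaults (TCP 44818 explicit messaging, UDP 2222 implicit I/O).
from collections import defaultdict

# Inventory entries are (src, dst, proto, dport), one per predicted event.
INVENTORY = [
    ("10.10.1.20", "10.10.1.10", "tcp", 44818),  # HMI -> controller (CIP explicit)
    ("10.10.1.10", "10.10.1.30", "udp", 2222),   # controller -> drive (CIP I/O)
    ("10.10.1.10", "10.10.1.31", "udp", 2222),   # controller -> DIO (CIP I/O)
    ("10.10.3.5", "10.10.1.10", "tcp", 44818),   # data server -> controller
]

# Predictable-but-noisy traffic the slide calls out as exceptions
# (NetBIOS name/datagram services); tracked separately from the whitelist.
EXCEPTIONS = {("udp", 137), ("udp", 138)}


def build_acl(inventory):
    """Render the whitelist as Cisco-style extended ACL lines, ending in an
    explicit logged deny so anything unpredicted is visible for IDS tuning."""
    lines = [f"permit {proto} host {src} host {dst} eq {dport}"
             for src, dst, proto, dport in inventory]
    return lines + ["deny ip any any log"]


def classify(records, inventory=INVENTORY):
    """Bucket observed flow records against the whitelist."""
    allowed = set(inventory)
    buckets = defaultdict(list)
    for rec in records:
        _src, _dst, proto, dport = rec
        if rec in allowed:
            buckets["expected"].append(rec)
        elif (proto, dport) in EXCEPTIONS:
            buckets["exception"].append(rec)
        else:
            buckets["unexpected"].append(rec)  # candidate IDS/IPS alert
    return dict(buckets)


# Constructed flow records, as a switch or firewall might export them.
OBSERVED = [
    ("10.10.1.20", "10.10.1.10", "tcp", 44818),
    ("10.10.1.10", "10.10.1.30", "udp", 2222),
    ("10.10.1.20", "10.10.1.255", "udp", 137),   # NetBIOS broadcast noise
    ("10.10.1.77", "10.10.1.10", "tcp", 44818),  # host not in the inventory
    ("10.10.1.10", "10.10.9.9", "tcp", 445),     # controller reaching outward
]
```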


REMEMBER: Security is about variable management.


Steps to Increasing Security (cont)

3. Harden your endpoints

• Enable the security features of products implemented in the environment!

• Configure what you already have in the environment

  – Most Microsoft Windows platforms now support firewalls. Use them.

  – Enable Infrastructure & Application security features (Active Directory features, etc.)

  – Enable Control System software and hardware security features (key switch, etc.)

• Through the processes created in the Industrial Control System Security Program (see step 1), maintain the ICS life cycle by enacting:

  – Endpoint Protection updates (patches, virus definitions, host IDS/IPS signatures, etc.)

  – Change and Configuration management


Variables: Good guys need to manage all of them.

The bad guys only need one variable for compromise…

Steps to Increasing Security (cont)

4. Audit the Environment

Design/Implementation Audits

• Configuration audits to verify the end state conforms to the Conceptual and Detailed Design projects

• Very important as “things change” during implementation

Safety Audits

• Many times required by regulation – now part of the common “culture”

Security Audits

• Many times required by regulation (depending on industry)

• Ensures proper security management going forward (i.e. hire/fire procedures, governance and security programs, etc.)

• Security should be and will be part of the common “culture”


Steps to Increasing Security (cont)

5. Monitor the Systems

Si vis pacem, para bellum

If you wish for peace, prepare for war.

• Infrastructure: double-edged sword

  – The purveyance of an attack (vector)

  – Greatest asset in digital protection (mitigation)

• Many Commercial & FOSS packages available to assist

  – Multi-Tier and Distributed UTM and Intrusion Detection/Prevention Systems

  – Distributed packet capture, Syslog, SNMP, Nagios and various management apps

If you wish for a stable, secure network, prepare for the day your network completely falls apart, fails, and turns against you.

Complacency Kills – 100% Vigilance is REQUIRED

The End…for now…

• Go Beyond Defense-in-Depth: no single methodology nor technology fully secures industrial networks.

• This is a people problem too!

  – Industrial Control Systems Security Programs are uniquely different from Enterprise Security Programs

  – Work with a security expert Services team and establish an open dialog between Manufacturing and IT


Industrial Network Security: Design and Implementation Considerations

• Implement Defense-in-Depth approach: no single product, methodology, nor technology fully secures industrial networks

• Align with Industrial Automation and Control System Security Standards

  – DHS External Report # INL/EXT-06-11478, NIST 800-82, ISA-99

• Establish an open dialog between Industrial and IT groups

• Establish an Industrial security policy, unique from enterprise security policy

• Establish a DMZ between the Enterprise and Industrial Zones

• Keep FactoryTalk applications and Services Platform within the Industrial Zone

• Deploy a methodology and/or procedure to buffer production data to and from the Enterprise Zone in the event DMZ connectivity is disrupted

• Work with your vendor Network and Security Services team

Additional Material: ODVA

• Website

  – http://www.odva.org/

• Media Planning and Installation Manual

  – http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00148R0_EtherNetIP_Media_Planning_and_Installation_Manual.pdf

• Network Infrastructure for EtherNet/IP: Introduction and Considerations

  – http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00035R0_Infrastructure_Guide.pdf

• Device Level Ring

  – http://www.odva.org/Portals/0/Library/CIPConf_AGM2009/2009_CIP_Networks_Conference_Technical_Track_Intro_to_DLR_PPT.pdf

• The CIP Advantage

  – http://www.odva.org/default.aspx?tabid=54

Fundamentals of EtherNet/IP NetworkingCopyright © 2010 Rockwell Automation, Inc. All rights reserved. 70


Additional Material: Cisco and Rockwell Automation Alliance

• Website

  – http://www.ab.com/networks/architectures.html

• Design Guides

  – CPwE DIG 2.0

• Education Series

• Whitepapers

  – Securing Manufacturing Computer and Controller Assets

  – Production Software within Manufacturing Reference Architectures

  – Achieving Secure Remote Access to Plant Floor Applications and Data


Additional Material: Cisco and Rockwell Automation Alliance

• Education Series Webcasts

  – The Trend - Network Technology and Cultural Convergence

  – What every IT professional should know about Plant Floor Networking

  – What every Plant Floor Controls Engineer should know about working with IT

  – Industrial Ethernet: Introduction to Resiliency

  – Fundamentals of Secure Remote Access for Plant Floor Applications and Data

  – Securing Architectures and Applications for Network Convergence

  – Available Online

    • http://www.ab.com/networks/architectures.html



Questions?