Secure Remote Access Solutions – IICA (slide transcript)
Secure Remote Access Solutions
Balancing security and remote access – Bob Hicks, Rockwell Automation
Copyright © 2012 Rockwell Automation, Inc. All rights reserved. Rev 5058-CO900C
Agenda
Reference Material
Secure Remote Access Examples
Defence in Depth
Control System Network Security
Industrial Network Security Trends
Network Convergence
• Enterprise (IT) Network Requirements
  – Internet Protocols
  – Wide Area Network (WAN)
  – High availability – redundant star topologies
  – Determinism, latency, jitter, etc.
  – Voice, video, data applications
  – IP Addressing – dynamic
  – Security – pervasive
• Industrial Network Requirements
  – Industrial and internet protocols
  – Local Area Network (LAN) – packets are small: 100–200 bytes, but communicated very frequently (every 0.5 to 10s of ms)
  – Resiliency – ring topologies are prominent, redundant star topologies are emerging
  – Latency, jitter, etc.
  – Information, control, safety, time synchronization and motion
  – IP Addressing – static
  – Security – emerging: Open by Default, must be Closed by Configuration
So, what are the similarities and differences?
Access for Trusted Partners
Secure Remote Access Requirements
• Availability of global equipment, machines and services
• Requires scalable services for many users
• Machine Builders, System Integrators, vendors, contractors
• Reduces OEM cost pressures
  – On-site commissioning reduction in resources and duration
• Warranty support; dispatching of resources
• Optimization services; partnership vs. supplier
• IT-ready solutions
  – Elimination of security back doors
• Holistic industrial network infrastructure security solutions
[Diagram: Trusted Partners – System Integrators and Machine Builders – connecting to Industrial Plantwide Systems]
Agenda
Reference Material
Secure Remote Access Examples
Defence in Depth
Control System Network Security
Defense-in-Depth
Security Policies and Procedures
• Securing industrial assets requires:
  – A comprehensive network security model
  – Multi-layer security approach – Defense-in-Depth: procedural, physical and electronic measures
  – Alignment with applicable industry standards
  – Risk assessment: current risk analysis, determination of acceptable risk, deployment of risk mitigation techniques
• Developed against a defined set of security policies
  – Policy – plan of action with procedures to protect company assets
  – Security policies are unique from company to company, although there are some common attributes and a common methodology for developing them
  – Industrial security policy, unique from and in addition to enterprise security policy
  – Identify Domains of Trust and appropriately apply security to maintain policy
Defense-in-Depth
Multiple Layers to Protect the Network and Defend the Edge
• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors
• Network Security – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
• Computer Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services
• Application Security – authentication, authorization, and audit software
• Device Hardening – change management and restrictive access
[Diagram: Defense in Depth layers – Physical, Network, Computer, Application, Device]
Defense-in-Depth
Physical Security – Examples
[Slide of photographs; Defense in Depth layer diagram – Physical, Network, Computer, Application, Device]
Defense-in-Depth
Network – Demilitarized Zone (DMZ)
• All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ
• Application Data Mirror
• No primary services are permanently housed in the DMZ
• DMZ shall not permanently house data
• No control traffic into the DMZ – Automation and Control Data stays home
• Be prepared to “turn-off” access via the firewall
[Diagram: Enterprise Security Zone – Disconnect Point – DMZ (Replicated Services, No Direct Traffic) – Disconnect Point – Industrial Security Zone]
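The DMZ rules on this slide can be checked mechanically against a firewall rule table. The following is an added example, not code from the slides or from Rockwell Automation; the zone names, the `Rule` fields and the sample rule table are constructed for illustration, and the EtherNet/IP port numbers are the well-known ones.

```python
# Added example (not from the slides): audit a firewall rule table against the
# Automation DMZ rules above. Zone names, rule fields and sample rules are constructed.
from __future__ import annotations
from dataclasses import dataclass, replace

ZONES = {"remote", "enterprise", "dmz", "industrial"}
ENTERPRISE_SIDE = {"remote", "enterprise"}  # everything on the far side of the DMZ
# Well-known EtherNet/IP (CIP) ports: TCP 44818 explicit messaging, UDP 2222 implicit I/O.
CONTROL_PORTS = {44818, 2222}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    port: int
    enabled: bool = True

def violations(rule: Rule) -> list[str]:
    """Design-rule violations for one rule; an empty list means it conforms."""
    if rule.src not in ZONES or rule.dst not in ZONES:
        return [f"{rule.name}: unknown zone"]
    found = []
    # Rule 1: traffic between the enterprise side and the industrial zone terminates in the DMZ.
    if "industrial" in (rule.src, rule.dst) and {rule.src, rule.dst} & ENTERPRISE_SIDE:
        found.append(f"{rule.name}: {rule.src}->{rule.dst} bypasses the DMZ")
    # Rule 2: no control traffic into the DMZ; automation and control data stays home.
    if rule.dst == "dmz" and rule.port in CONTROL_PORTS:
        found.append(f"{rule.name}: control protocol port {rule.port} into DMZ")
    return found

def audit(rules: list[Rule]) -> list[str]:
    """Collect violations across all enabled rules (disabled rules are ignored)."""
    return [v for r in rules if r.enabled for v in violations(r)]

def disconnect(rules: list[Rule], zone: str = "industrial") -> list[Rule]:
    """'Turn off' access at the firewall: disable every rule that touches `zone`."""
    return [replace(r, enabled=False) if zone in (r.src, r.dst) else r for r in rules]

# Constructed sample rule table: the first two conform, the last two do not.
SAMPLE_RULES = [
    Rule("historian_mirror_push", "industrial", "dmz", 1433),     # application data mirror
    Rule("enterprise_reads_mirror", "enterprise", "dmz", 443),    # enterprise reads the mirror
    Rule("vendor_direct_to_plc", "remote", "industrial", 44818),  # direct access, bypasses DMZ
    Rule("cip_into_dmz", "industrial", "dmz", 44818),             # control traffic into DMZ
]
```

`audit(SAMPLE_RULES)` reports the two non-conforming rules, and `disconnect(SAMPLE_RULES)` models the disconnect point by disabling every rule that touches the industrial zone.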
Defense-in-Depth
Network Firewalls – Unified Threat Management (UTM)
• Modern Firewalls provide a range of security services:
Firewall with Application Layer Security
  – Multi-layer packet and traffic analysis
  – Advanced application and protocol inspection services
  – Network application controls
Access Control and Authentication
  – Flexible user and network based access control services
  – Stateful packet inspection
  – Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID
IPS and Anti-X Defenses
  – Real-time protection from application and OS level attacks
  – Network-based worm and virus mitigation
  – Spyware, adware, malware detection and control
  – On-box event correlation and proactive response
Intelligent Networking Services
  – Low latency
  – Diverse topologies
  – Multicast support
  – Services virtualization
  – Network segmentation & partitioning
  – Routing, resiliency, load-balancing
SSL and IPSec Connectivity
  – Threat protected SSL and IPSec VPN services
  – Zero-touch, automatically updateable IPSec remote access
  – Flexible clientless and full tunneling client SSL VPN services
  – QoS/routing-enabled site-to-site VPN
Agenda
Reference Material
Secure Remote Access Examples
Defence in Depth
Control System Network Security
Remote Access Example
Offsite connection for SI/OEM
• Required to view a machine’s PLC processor from a hotel room to help troubleshoot the system
• Upload alarm datalog from site
[Diagram: OEM, SI, Engineer connecting remotely to the Factory – Processing, Filling, Material Handling]
Remote Access Example
Secure connection from within organisation
• View manufacturing data from Web Reporting Software for decision makers who are located in the enterprise (office) zone
[Diagram: Data Center with Web Reporting Server connected to the plant areas – Processing, Filling, Material Handling]
Scalable Secure Remote Access
Considerations – Direct vs. Indirect Access
[Diagram: Remote Site connecting directly to Industrial Plantwide Systems – Direct Access]
• Design Considerations – how will these be enforced?
  – Network and application authentication and authorization
  – Change management, version control, regulatory compliance, and software license management
  – Remote client health management
  – Alignment with established IACS security standards
Direct Connection Examples
e.g. 3G/HSDPA Modems
• A potential benefit of 3G/HSDPA gateways for remote access is that they could avoid IT concerns with connecting automation equipment to the company LAN and configuring a VPN to allow the remote OEM technician access to the IACS.
• 3G/HSDPA gateways aren’t an end in themselves; they still require a defense-in-depth security approach:
  – ? Network and application authentication/authorization
  – ? Change management, version control, regulatory compliance, and software license management
  – ? Remote client health management
  – ? Alignment with established IACS security standards
Scalable Secure Remote Access
Considerations – Direct vs. Indirect Access
• Design Considerations
  – Greater network and application authentication and authorization
  – Simplified asset management – change management, version control, regulatory compliance, and software license management
  – Simplified remote client health management
  – Greater alignment with established IACS standards
[Diagram: Remote Site connecting through a Remote Access Server (RAS) to Industrial Plantwide Systems – Indirect Access]
Reference Architecture
Cisco / Rockwell Validated Design
http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf
Reference Architecture
High Level Architecture Review
• Remote access involves cooperation between:
  – Enterprise Zone – Information Technologies (IT) and infrastructure of the facility
  – Automation Demilitarized Zone (Automation DMZ) – to design it requires knowledge of the data that must move from the plant to enterprise systems
  – Manufacturing Zone – Cell and Area devices, Industrial Protocols
Remote Desktop Technologies
Options Recommended in Reference Architecture
• Two options of Remote Desktop Technologies being discussed today:
  – Option 1 – Host a Remote Desktop Session from the Cisco Firewall
  – Option 2 – Host a Remote Desktop Session from a Microsoft Windows Server 2008 R2 Computer
Allows the user to remotely view and control another computer. The user will see the remote computer’s screen while sending keystrokes and mouse movements to the remote computer.
[Diagram: Option 1 – Remote Desktop Client → Firewall (Secure RDP Session) → Remote Desktop Host; Option 2 – Remote Desktop Client → MS 2008 R2 (Secure RDP Session) → Remote Desktop Host]
Remote Desktop Protocol Via Cisco ASA 5500 Firewall
• Remote Desktop Gateway functionality hosted from the Cisco ASA Firewall
• Same user experience as Microsoft Remote Desktop Gateway
• Configure Firewall to host the RDP session
Remote Desktop Protocol Via Cisco ASA 5500 Firewall
[Two slides of firewall configuration screenshots]
Remote Desktop Gateway via Windows Server Solution
• Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway, is a role service in the Remote Desktop Services server role included with Windows Server® 2008 R2.
• Enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.
• RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users and internal network resources.
HTTPS Remote Access via Remote Desktop Gateway
Secure Remote Access
Converged Ethernet (CPwE) RD Gateway
[Diagram: CPwE reference architecture – Enterprise Zone (Levels 4 and 5): Internet, Enterprise WAN, Enterprise Data Center, Enterprise Edge Firewall, Remote Engineer or Partner via Generic VPN Client, Enterprise Connected Engineer; Demilitarized Zone (DMZ): active/standby Firewalls with Gbps link failover detection, Patch Management, Application Mirror, AV Server, Remote Gateway Services (SSL VPN; Remote Desktop Protocol (RDP) over RPC/HTTPS); Industrial Zone Site Operations and Control (Level 3): Catalyst 6500/4500, Remote Access Server (Remote Desktop Services, RSLogix 5000, FactoryTalk View Studio), FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), Data Servers; Cell/Area Zones (Levels 0–2): Catalyst 3750 StackWise Switch Stack, EtherNet/IP, IPS]
Secure remote access for employees and trusted partners
• Meeting the security requirements of IT
  – Common IT Infrastructure
• Following established Industrial Control System security standards
  – Defense-in-depth
  – DMZ
• Enables remote asset management: monitoring, configuration and audit
• Helps simplify change management, version control, regulatory compliance and software license management
• Helps simplify remote client health management
• One size does not fit all – need scalable secure solutions
Agenda
Reference Material
Secure Remote Access Examples
Defence in Depth
Control System Network Security
Web Resources – Security
www.rockwellautomation.com/security
Reference Architecture
Rockwell and CISCO Alliance
http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf
Remote Access for End Users
Whitepaper: enet-wp009
Remote Access for OEMs
Whitepaper: enet-wp025
Summary
Security and Remote Access
• Use industry best practice published guidelines for secure remote access solutions
• Remote connection into the Plant – indirect access
• Common IT network infrastructure
• Follow emerging Industrial Automation and Control System security standards
• Implement a Defense-in-Depth approach: no single product, methodology, nor technology fully secures industrial networks
• Establish an open dialog between Industrial and IT groups
• Establish an Industrial security policy, unique from enterprise security policy
• Establish a DMZ between the Enterprise and Industrial Zones
• Additional Information:
  – Reference Architecture
  – Education Series Webcast
  – Whitepapers