Copyright © 2012 Rockwell Automation, Inc. All rights reserved. Rev 5058-CO900C Secure Remote Access Solutions Balancing security and remote access – Bob Hicks, Rockwell Automation

Upload: doandan

Post on 21-Jul-2018


Page 1: Secure Remote Access Solutions - IICA · Scalable Secure Remote Access Considerations – Direct vs. Indirect Access 14 Remote Site Industrial Plantwide Systems Direct Access •

Copyright © 2012 Rockwell Automation, Inc. All rights reserved. Rev 5058-CO900C

Secure Remote Access Solutions
Balancing security and remote access – Bob Hicks, Rockwell Automation

Page 2:

Agenda

Reference Material

Secure Remote Access Examples

Defence in Depth

Control System Network Security

Page 3:

Industrial Network Security Trends
Network Convergence

• Enterprise (IT) Network Requirements
  – Internet Protocols
  – Wide Area Network (WAN)
  – High availability – redundant star topologies
  – Determinism, latency, jitter, etc.
  – Voice, video, data applications
  – IP Addressing – dynamic
  – Security – pervasive

• Industrial Network Requirements
  – Industrial and internet protocols
  – Local Area Network (LAN) – packets are small: 100–200 bytes, but communicated very frequently (every 0.5 to 10s of ms)
  – Resiliency – ring topologies are prominent, redundant star topologies are emerging
  – Latency, jitter, etc.
  – Information, control, safety, time synchronization and motion
  – IP Addressing – static
  – Security – emerging: Open by Default, must be Closed by Configuration

So, what are the similarities and differences?

Page 4:

Access for Trusted Partners
Secure Remote Access Requirements

• Availability of global equipment, machines and services
• Requires scalable services for many users
• Machine Builders, System Integrators, vendors, contractors
• Reduces OEM cost pressures
• On-site commissioning reduction in resources and duration
• Warranty support; dispatching of resources
• Optimization services; partnership vs. supplier
• IT-ready solutions
• Elimination of security back doors
• Holistic industrial network infrastructure security solutions

[Diagram: Trusted Partners (System Integrators, Machine Builders) connecting to Industrial Plantwide Systems]

Page 5:

Agenda

Reference Material

Secure Remote Access Examples

Defence in Depth

Control System Network Security

Page 6:

Defense-in-Depth
Security Policies and Procedures

• Securing industrial assets requires:
• A comprehensive network security model
• Multi-layer security approach – Defense-in-Depth
  – Procedural, physical and electronic measures
• Alignment with applicable industry standards
• Risk assessment:
  – Current risk analysis
  – Determination of acceptable risk
  – Deployment of risk mitigation techniques
• Developed against a defined set of security policies
• Policy: plan of action with procedures to protect company assets
• Security policies are unique from company to company, although there are some common attributes and methodology to developing
• Industrial security policy, unique from and in addition to enterprise security policy
• Identify Domains of Trust and appropriately apply security to maintain policy

Page 7:

Defense-in-Depth
Multiple Layers to Protect the network and Defend the edge

• Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room – escort and track visitors
• Network Security – infrastructure framework – e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
• Computer Hardening – patch management, antivirus software as well as removal of unused applications, protocols, and services
• Application Security – authentication, authorization, and audit software
• Device Hardening – change management and restrictive access

[Diagram: Defense in Depth layers: Physical, Network, Computer, Application, Device]

Page 8:

Defense-in-Depth
Physical Security - Examples

[Diagram: Defense in Depth layers: Physical, Network, Computer, Application, Device]

Page 9:

Defense-in-Depth
Network - Demilitarized Zone (DMZ)

• All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ
• Application Data Mirror
• No primary services are permanently housed in the DMZ
• DMZ shall not permanently house data
• No control traffic into the DMZ
  – Automation and Control Data stays home
• Be prepared to “turn-off” access via the firewall

[Diagram: Enterprise Security Zone and Industrial Security Zone separated by a DMZ hosting Replicated Services, with a Disconnect Point on each side and No Direct Traffic between the two zones]
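The DMZ rules on this slide can be checked mechanically against a firewall rule set. The following is an added example, not part of the original presentation: the zone names, rule format and sample rules are constructed, and the EtherNet/IP ports stand in for "control traffic" as an assumption.

```python
"""Audit a firewall rule set against the DMZ rules from the slide."""
from dataclasses import dataclass, replace

# Assumption: zone names and this rule format are hypothetical, not a vendor syntax.
ENTERPRISE, DMZ, INDUSTRIAL = "enterprise", "dmz", "industrial"

# Assumption: EtherNet/IP stands in for "control traffic"
# (TCP 44818 explicit messaging, UDP 2222 implicit I/O).
CONTROL_PORTS = {("tcp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    action: str = "permit"


def audit(rules):
    """Return (rule name, finding) for each permit rule that breaks the DMZ policy."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        # Traffic from either side must terminate in the DMZ, never cross it.
        if {r.src_zone, r.dst_zone} == {ENTERPRISE, INDUSTRIAL}:
            findings.append((r.name, "direct traffic between enterprise and industrial zones"))
        # Control traffic stays in the industrial zone.
        if r.dst_zone == DMZ and (r.proto, r.port) in CONTROL_PORTS:
            findings.append((r.name, "control traffic permitted into the DMZ"))
    return findings


def disconnect(rules):
    """Model "turning off" access: deny every rule that enters or leaves the DMZ."""
    return [replace(r, action="deny") if DMZ in (r.src_zone, r.dst_zone) else r
            for r in rules]


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("rd-gateway-https", ENTERPRISE, DMZ, "tcp", 443),
    Rule("gateway-to-ras-rdp", DMZ, INDUSTRIAL, "tcp", 3389),
    Rule("historian-direct", ENTERPRISE, INDUSTRIAL, "tcp", 1433),
    Rule("cip-to-mirror", INDUSTRIAL, DMZ, "tcp", 44818),
    Rule("web-out", INDUSTRIAL, ENTERPRISE, "tcp", 80, action="deny"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
    # A rule that bypasses the DMZ also survives the disconnect.
    print([name for name, _ in audit(disconnect(SAMPLE_RULES))])
```

A rule that goes around the DMZ is unaffected by the disconnect points, which is why direct enterprise-to-industrial rules are the first thing to look for.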

Page 10:

Defense-in-Depth
Network Firewalls - Unified Threat Management (UTM)

• Modern Firewalls provide a range of security services

Firewall with Application Layer Security
• Multi-layer packet and traffic analysis
• Advanced application and protocol inspection services
• Network application controls

Access Control and Authentication
• Flexible user and network based access control services
• Stateful packet inspection
• Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID

IPS and Anti-X Defenses
• Real-time protection from application and OS level attacks
• Network-based worm and virus mitigation
• Spyware, adware, malware detection and control
• On-box event correlation and proactive response

Intelligent Networking Services
• Low latency
• Diverse topologies
• Multicast support
• Services virtualization
• Network segmentation & partitioning
• Routing, resiliency, load-balancing

SSL and IPSec Connectivity
• Threat protected SSL and IPSec VPN services
• Zero-touch, automatically updateable IPSec remote access
• Flexible clientless and full tunneling client SSL VPN services
• QoS/routing-enabled site-to-site VPN

Page 11:

Agenda

Reference Material

Secure Remote Access Examples

Defence in Depth

Control System Network Security

Page 12:

Remote Access Example
Offsite connection for SI/OEM

• Required to view a machine’s PLC processor from a hotel room to help troubleshoot the system
• Upload alarm datalog from site

[Diagram: OEM, SI, Engineer connecting to the Factory: Processing, Filling, Material Handling]

Page 13:

Remote Access Example
Secure connection from within organisation

• View manufacturing data from Web Reporting Software for decision makers who are located in the enterprise (office) zone

[Diagram: Data Center and Web Reporting Server; Processing, Filling, Material Handling]

Page 14:

Scalable Secure Remote Access
Considerations – Direct vs. Indirect Access

[Diagram: Direct Access: Remote Site, Industrial Plantwide Systems]

• Design Considerations – how will these be enforced?
  – Network and application authentication and authorization
  – Change management, version control, regulatory compliance, and software license management
  – Remote client health management
  – Alignment with established IACS security standards

Page 15:

Direct Connection Examples
e.g. 3G/HSDPA Modems

• A potential benefit of 3G/HSDPA gateways for remote access is that they could avoid IT concerns with connecting automation equipment to company LAN and configuring a VPN to allow the remote OEM technician access to the IACS.
• 3G/HSDPA gateways aren’t an end in themselves; they still require a defense-in-depth security approach.
• ? Network and application authentication/authorization
• ? Change management, version control, regulatory compliance, and software license management
• ? Remote client health management
• ? Alignment with established IACS security standards

Page 16:

Scalable Secure Remote Access
Considerations – Direct vs. Indirect Access

[Diagram: Indirect Access: Remote Site, Remote Access Server (RAS), Industrial Plantwide Systems]

• Design Considerations
  – Greater network and application authentication and authorization
  – Simplified asset management – change management, version control, regulatory compliance, and software license management
  – Simplified remote client health management
  – Greater alignment with established IACS standards

Page 17:

Reference Architecture
Cisco / Rockwell Validated Design

http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf

Page 18:

Reference Architecture
High Level Architecture Review

• Remote access involves cooperation between:
  – Enterprise Zone
    · Information Technologies (IT) and infrastructure of the facility
  – Automation Demilitarized Zone (Automation DMZ)
    · To design it requires knowledge of data that must move from the plant to enterprise systems
  – Manufacturing Zone
    · Cell and Area devices
    · Industrial Protocols

Page 19:

Remote Desktop Technologies
Options Recommended in Reference Architecture

• Two options of Remote Desktop Technologies being discussed today
  – Option 1 – Host a Remote Desktop Session from the Cisco Firewall
  – Option 2 – Host a Remote Desktop Session from a Microsoft Windows Server 2008 R2 Computer

Allows user to remotely view and control another computer. The user will see the remote computer’s screen while sending keystrokes and mouse movements to the remote computer.

[Diagram: Option 1: Remote Desktop Client, Secure RDP Session, Firewall as Remote Desktop Host. Option 2: Remote Desktop Client, Secure RDP Session, MS 2008 R2 as Remote Desktop Host]

Page 20:

Remote Desktop Protocol Via Cisco ASA 5500 Firewall

• Remote Desktop Gateway functionality hosted from the Cisco ASA Firewall

• Same user experience as Microsoft Remote Desktop Gateway

• Configure Firewall to host the RDP session

Page 21:

Remote Desktop Protocol Via Cisco ASA 5500 Firewall

Page 22:

Remote Desktop Protocol Via Cisco ASA 5500 Firewall

Page 23:

Remote Desktop Gateway
via Windows Server Solution

• Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway, is a role service in the Remote Desktop Services server role included with Windows Server® 2008 R2.
• Enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.
• RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users and internal network resources

Page 24:

HTTPS Remote Access via Remote Desktop Gateway

Page 25:

Secure Remote Access
Converged Ethernet (CPwE) RD Gateway

[Diagram: CPwE architecture with RD Gateway. Labels: Remote Engineer or Partner (generic VPN client); Enterprise Connected Engineer; Internet; Enterprise Edge Firewall; Enterprise Zone, Levels 4 and 5 (Enterprise WAN, Enterprise Data Center); IPSEC VPN; SSL VPN; Demilitarized Zone (DMZ) with Firewall (Active) and Firewall (Standby), Gbps Link Failover Detection, Remote Gateway Services, Patch Management, Application Mirror, AV Server; Remote Desktop Protocol (RDP); Remote Desktop Protocol (RDP) over RPC/HTTPS; Industrial Zone, Site Operations and Control, Level 3, with Remote Access Server (Remote Desktop Services, RSLogix 5000, FactoryTalk View Studio), FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager), FactoryTalk Services Platform (Directory, Security/Audit), Data Servers, Catalyst 6500/4500, Catalyst 3750 StackWise Switch Stack; Cell/Area Zones, Levels 0–2; EtherNet/IP]

Secure remote access for employees and trusted partners

• Meeting the security requirements of IT
• Common IT Infrastructure
• Following established Industrial Control System security standards
• Defense-in-depth
• DMZ
• Enables remote asset management: monitoring, configuration and audit
• Helps simplify change management, version control, regulatory compliance and software license management
• Helps simplify remote client health management
• One size does not fit all – need scalable secure solutions

Page 26:

Agenda

Reference Material

Secure Remote Access Examples

Defence in Depth

Control System Network Security

Page 27:

Web Resources - Security
www.rockwellautomation.com/security

Page 28:

Reference Architecture
Rockwell and CISCO Alliance

http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf

Page 29:

Remote Access for End Users
Whitepaper: enet-wp009

Page 30:

Remote Access for OEMs
Whitepaper: enet-wp025

Page 31:

Summary
Security and Remote Access

• Use industry best practice published guidelines for secure remote access solution
• Remote connection into the Plant – indirect access
• Additional Information:
  – Reference Architecture
  – Education Series Webcast
  – Whitepapers
• Common IT network infrastructure
• Follow emerging Industrial Automation and Control System security standards
• Implement Defense-in-Depth approach: no single product, methodology, nor technology fully secures industrial networks
• Establish an open dialog between Industrial and IT groups
• Establish an Industrial security policy, unique from enterprise security policy
• Establish a DMZ between the Enterprise and Industrial Zones