Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. PUBLIC
Digital Transformation – Is Your Network Ready
Thomas House
Rockwell Automation
May 2018
Horizon Smart Manufacturing Exposition 2018
Agenda
• Defining a digital transformation
• Challenges facing industrial infrastructure
• Connected Services
• Cyber Security
• Architectures & Solutions
The Connected Enterprise – Rockwell Automation … our own Journey
LOWER COST / PLANT BEHAVIOR
• Inventory: 120 days to 82 days
• CapEx: 30% per year in capital avoidance
• Productivity: 4% to 5% per year
FASTER TIME TO MARKET / SUPPLY CHAIN / LEAD TIMES
• Delivery: Mid-80s to 96%
• Lead Times: Reduced 50%
ENTERPRISE RISK / CUSTOMER SERVICE
• Time to Want: 82% to 98%
• Quality: 50% reduction in PPM
Is your network ready?
• Downtime?
• Security lapses?
• Performance degradation?
CHALLENGES FACING INDUSTRIAL INFRASTRUCTURE
• IT/OT Convergence
• Inflexibility
• Skills Gap
• Vulnerability
Why IT/OT Convergence?
[Diagram: Materials & Transport; Machines & Equipment; Controllers; Sensors, Actuators]
OT vs. IT
OT: Priority is availability | IT: Priority is confidentiality
OT: End-points are heterogeneous, task specific with long lifespans | IT: End-points are homogeneous, multi-purpose with short lifespans
OT: Architectures are proprietary | IT: Architectures are ubiquitous
OT: Outcomes are physical | IT: Outcomes are digital
Cisco/Rockwell Automation Collaboration
• Converged Plantwide Ethernet (CPwE) Design and Implementation Guide
• Industrial Networking Specialist Certification (IMINS)
Connected Services – Accelerating digital transformation to a Connected Enterprise
Accelerating Digital Transformation
CONSULTING SERVICES: ASSESS, DESIGN, IMPLEMENT, SUPPORT & MANAGE
PRE-ENGINEERED SOLUTIONS:
• Industrial Network Distribution Solution
• Industrial Data Center
Cyber Security – You don't have to be a target to be the victim
INDUSTRIAL CYBER RISK EQUATION
Threats · Vulnerabilities · Consequences
Countermeasures
Basic Industrial Cyber Hygiene | Advanced Countermeasures
ICS-Focused Campaigns, Attacks, Frequency (2010–2017)
• STUXNET – Worm Targeting SCADA and Modifying PLCs
• OPERATION AURORA – APT Cyber Attack on 20+ High Tech, Security & Defense Companies
• NIGHT DRAGON – Advanced Persistent Threat Targeting Global Energy
• SHAMOON – Virus Targeting Energy Sector; Largest Wipe Attack
• RED OCTOBER – Cyber-Espionage Malware Targeting Gov't & Research Organizations
• FLAME – Virus Used for Targeted Cyber Espionage in the Middle East
• DUQU – Worm Targeting ICS, Information Gathering and Stealing
• GAUSS – Information Stealer Malware
• HAVEX – Industrial Control System Remote Access Trojan & Information Stealer
• HEARTBLEED – Security Bug and Vulnerability Exploited by Attackers
• BLACKENERGY – Malware Injected into Ukrainian Power Company Network, Attackers Cut Power to the Affected Region
• OP GHOUL – Spear-phishing Campaign Targeting Middle East Industrial Organizations
• INDUSTROYER – Malware Targeting Electric Utility, Used in 2016 Ukraine Grid Attack
• WANNACRY – General Ransomware Which Impacted ICS Systems
• NOTPETYA – Ransomware Malware Based on Stolen NSA Exploits That Impacted ICS Systems
ICS-CERT incident count by year (only reported incidents in U.S.): 140, 197, 257, 245, 295, 290
ICS THREAT VECTORS
[Diagram: IT Network – DMZ – OT Network]
• ICS Supply Chain
• Remote Maintenance (Compromised VPN / VPN Device)
• Insider Threat
• On-Site Maintenance (USB / Compromised Device)
• Direct Attack on Plant Network
• Direct Attack via IT Network
• Indirect Attack
• External Adversaries
Architectures and Solutions – Infrastructure enables and protects a Digital Transformation
Network Infrastructure
Networks
• Converged Plantwide Architecture
• Co-developed with Cisco leveraging industry standards and best practices (NIST, IEC, etc.)
• DMZ servers as demarcation point
• Full portfolio of Stratix Managed and Lightly Managed switches
• Assess, Design, Implement, Monitor, Manage services
Security Appliances
• IDMZ Firewalls
• Stratix 5950 Cell/Zone Firewalls
[Diagram: reference architecture – Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network. Components shown: Site Network, IDMZ Firewalls, Maint. Laptop, EWS, Infrastructure & Automation Servers, Proxy Services, Enterprise Services, Security Operations, OT Core Switch, IT Core Switch]
Asset Management
Asset Inventory
• FactoryTalk AssetCentre and Claroty
• Vulnerability Management
Disaster Recovery
• Automated back-up
• Application change detection
Reporting
[Diagram: same reference architecture (Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network). Components shown: Site Network, IDMZ Firewalls, Maint. Laptop, FactoryTalk AssetCentre, FactoryTalk Directory, OT Log Server, Proxy Services, Enterprise Services, Security Operations, OT Core Switch, IT Core Switch]
Patch Management
Operating System Patching
• Patch Qualification Testing Lab
• Qualified Windows Patch Feed: delivery of a curated set of Windows patches catered to your specific Rockwell Automation software and operating system combination
• Remote Patch Administration Services
[Diagram: same reference architecture (Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network). Components shown: Site Network, Supply Chain (Third Party Vendors), OEM Laptop, IDMZ Firewalls, Maint. Laptop, EWS, Infrastructure & Automation Servers, Plant WSUS/SCCM, Proxy Services, Enterprise Services, RA Azure WSUS, Remote Support Cloud (Microsoft Azure), OT Security Services, Microsoft, OT Core Switch, IT Core Switch]
Authentication and Authorization
Windows Domain Architecture
• Active Directory
• Authentication Best Practices
FactoryTalk Security
• Integration into Windows Domain Architecture
• Authentication and Authorization services for FactoryTalk and Studio 5000
• Local and centralized audit trail
Remote Access
• Secure Vendor Access
[Diagram: same reference architecture (Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network). Components shown: Site Network, IDMZ Firewalls, Maint. Laptop, FactoryTalk AssetCentre, FactoryTalk Directory, Proxy Services, Enterprise Services, Security Operations, OT Core Switch, IT Core Switch, Active Directory, Secure Remote Access Server, EWS; numbered steps 1, 2, 3 mark the remote access flow]
Computers & Endpoint Protection
Anti Virus and Application Whitelisting
• Symantec Endpoint Protection
• Symantec Critical Systems Protection
Thin Clients and Content Management
• Reduced attack surface
• Centralized OS management
• Enhanced authentication capabilities
[Diagram: same reference architecture (Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network). Components shown: Site Network, IDMZ Firewalls, Maint. Laptop, Secure Remote Access Server, Infrastructure & Application Servers, Proxy Services, Enterprise Services, RA Azure WSUS, WSUS, OT Core Switch, IT Core Switch]
Threat Detection
Threat Detection Services
• Inventory to baseline
• Real-time alerting on deviations
• Incident Response Planning
• Remote Support Services
[Diagram: same reference architecture (Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network). Components shown: Site Network, Supply Chain (Third Party Vendors), OEM Laptop, IDMZ Firewalls, Maint. Laptop, EWS, Infrastructure & Automation Servers, Proxy Services, Enterprise Services, Remote Support Services, OT Security Services, Threat Detection Platform, OT Core Switch, IT Core Switch]
Cisco Integration
Enterprise Integration
• FactoryTalk Network Manager
• IPS/IDS with Firepower
• Network Access Control: Identity Services Engine
• NetFlow Analysis: Stealthwatch & Claroty
• IOS-based Switches: Stratix
[Diagram: same reference architecture (Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network). Components shown: Site Network, IDMZ Firewalls, Maint. Laptop, ISE Policy Node, Infrastructure & Automation Servers, Proxy Services, Enterprise Services, Security Operations, OT Core Switch, IT Core Switch, FTNM]
Attack Continuum: BEFORE – DURING – AFTER
cybersecurity framework
A PROACTIVE APPROACH TO INDUSTRIAL CYBER SECURITY
Attack Continuum: BEFORE (Identify & Protect) | DURING (Detect) | AFTER (Respond & Recover)
BEFORE – Identify & Protect
• Asset Inventory Services
• Qualified Patch Management
• Vulnerability and Risk Assessments
• ICS Security Zone and Countermeasure Deployment
DURING – Detect
• Real-Time Threat Detection Services
• Remote Monitoring and Administration Services
AFTER – Respond & Recover
• Backup and Recovery Solutions
• Incident Handling and Response
• Incident Response and Disaster Recovery Planning Services
BUILD A SECURE, ROBUST, FUTURE-READY NETWORK FOR YOUR CONNECTED ENTERPRISE
ASSESS – DESIGN – IMPLEMENT – MONITOR
SCALABLE INFRASTRUCTURE SUPPORT
TECHCONNECT – MANAGED SERVICES
• Manufacturing IT Support
• Secure Remote Access
• Asset Health Monitoring
• Infrastructure Administration
• Infrastructure as a Service