Digital Transformation – Is Your Network Ready

Thomas House, Rockwell Automation
May 2018, Horizon Smart Manufacturing Exposition 2018

Copyright © 2018 Rockwell Automation, Inc. All Rights Reserved. PUBLIC

Agenda

• Defining a digital transformation
• Challenges facing industrial infrastructure
• Connected Services
• Cyber Security
• Architectures & Solutions


The Connected Enterprise – Rockwell Automation … our own Journey

LOWER COST / PLANT BEHAVIOR
• Inventory: 120 days to 82 days
• CapEx: 30% per year in capital avoidance
• Productivity: ►4% to 5% per year

FASTER TIME TO MARKET / SUPPLY CHAIN AND LEAD TIMES
• Delivery: mid-80s to 96%
• Lead Times: reduced 50%

ENTERPRISE RISK / CUSTOMER SERVICE
• Time to Want: 82% to 98%
• Quality: 50% reduction in PPM

Is your network ready?

• Downtime?
• Security lapses?
• Performance degradation?

CHALLENGES FACING INDUSTRIAL INFRASTRUCTURE

• IT/OT Convergence
• Inflexibility
• Skills Gap
• Vulnerability

Why IT/OT Convergence?

[Diagram: Materials & Transport; Controllers; Sensors, Actuators; Machines & Equipment]

OT vs. IT

• OT: Priority is availability. IT: Priority is confidentiality.
• OT: End-points are heterogeneous, task-specific, with long lifespans. IT: End-points are homogeneous, multi-purpose, with short lifespans.
• OT: Architectures are proprietary. IT: Architectures are ubiquitous.
• OT: Outcomes are physical. IT: Outcomes are digital.

Cisco/Rockwell Automation Collaboration

• Converged Plantwide Ethernet (CPwE) Design and Implementation Guide
• Industrial Networking Specialist Certification (IMINS)

Connected Services – Accelerating digital transformation to a Connected Enterprise

Accelerating Digital Transformation

• Consulting Services: Assess, Design, Implement, Support & Manage
• Pre-Engineered Solutions: Industrial Network Distribution Solution; Industrial Data Center

Cyber Security – You don't have to be a target to be the victim

INDUSTRIAL CYBER RISK EQUATION

[Diagram: Threats, Vulnerabilities, Consequences; Countermeasures: Basic Industrial Cyber Hygiene, Advanced Countermeasures]

ICS-Focused Campaigns, Attacks, Frequency (2010–2017)

• STUXNET – Worm Targeting SCADA and Modifying PLCs
• OPERATION AURORA – APT Cyber Attack on 20+ High Tech, Security & Defense Companies
• NIGHT DRAGON – Advanced Persistent Threat Targeting Global Energy
• SHAMOON – Virus Targeting Energy Sector; Largest Wipe Attack
• RED OCTOBER – Cyber-Espionage Malware Targeting Gov't & Research Organizations
• FLAME – Virus Used for Targeted Cyber Espionage in the Middle East
• DUQU – Worm Targeting ICS Information Gathering and Stealing
• GAUSS – Information Stealer Malware
• HAVEX – Industrial Control System Remote Access Trojan & Information Stealer
• HEARTBLEED – Security Bug and Vulnerability Exploited by Attackers
• BLACKENERGY – Malware Injected into Ukrainian Power Company Network, Cut Power to the Affected Region
• OP GHOUL – Spear-phishing Campaign Targeting Middle East Industrial Organizations
• BLACKENERGY – Malware Injected into Power Company Network, Attackers Cut Power to the Affected Region
• NOTPETYA – Ransomware Malware Based on Stolen NSA Exploits that Impacted ICS Systems
• INDUSTROYER – Malware Targeting Electric Utility, Used in 2016 Ukraine Grid Attack
• WANNACRY – General Ransomware which Impacted ICS Systems

ICS-CERT INCIDENT COUNT (only reported incidents in U.S.): 140, 197, 257, 245, 295, 290

ICS THREAT VECTORS

[Diagram: zones IT Network, DMZ, OT Network; External Adversaries; VPN Device]

• ICS Supply Chain
• Remote Maintenance (Compromised VPN)
• Insider Threat
• On-Site Maintenance (Compromised Device)
• USB
• Direct Attack on Plant Network
• Direct Attack via IT Network
• Indirect Attack

Architectures and Solutions – Infrastructure enables and protects a Digital Transformation

Network Infrastructure

Networks
• Converged Plantwide Architecture
• Co-developed with Cisco leveraging industry standards and best practices (NIST, IEC, etc.)
• DMZ servers as demarcation point
• Full portfolio of Stratix Managed and Lightly Managed switches
• Assess, Design, Implement, Monitor, Manage services

Security Appliances
• IDMZ Firewalls
• Stratix 5950 Cell/Zone Firewalls

[Reference architecture diagram: Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network; Site Network. Components: IDMZ Firewalls, Maint. Laptop, EWS, Infrastructure & Automation Servers, Proxy Services, Enterprise Services, Security Operations, OT Core Switch, IT Core Switch]

Asset Management

Asset Inventory
• FactoryTalk AssetCentre and Claroty
• Vulnerability Management

Disaster Recovery
• Automated back-up
• Application change detection
• Reporting

[Reference architecture diagram: Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network; Site Network. Components: IDMZ Firewalls, Maint. Laptop, FactoryTalk AssetCentre, FactoryTalk Directory, Proxy Services, Enterprise Services, Security Operations, OT Core Switch, IT Core Switch, OT Log Server]

Patch Management

Operating System Patching
• Patch Qualification Testing Lab
• Qualified Windows Patch Feed: delivery of a curated set of Windows patches catered to your specific Rockwell Automation software and operating system combination
• Remote Patch Administration Services

[Reference architecture diagram: Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network; Site Network; Supply Chain (Third Party Vendors). Components: IDMZ Firewalls, Maint. Laptop, EWS, Infrastructure & Automation Servers, Proxy Services, Enterprise Services, RA Azure WSUS, OT Core Switch, IT Core Switch, OEM Laptop, OT Security Services, Remote Support Cloud (Microsoft Azure), Plant WSUS/SCCM, Microsoft]

Authentication and Authorization

Windows Domain Architecture
• Active Directory
• Authentication Best Practices

FactoryTalk Security
• Integration into Windows Domain Architecture
• Authentication and Authorization services for FactoryTalk and Studio 5000
• Local and Centralized audit trail

Remote Access
• Secure Vendor Access

[Reference architecture diagram: Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network; Site Network. Components: IDMZ Firewalls, Maint. Laptop, FactoryTalk AssetCentre, FactoryTalk Directory, Proxy Services, Enterprise Services, Security Operations, OT Core Switch, IT Core Switch, Active Directory, Secure Remote Access Server, EWS; callouts 1, 2, 3]

Computers & Endpoint Protection

Anti Virus and Application Whitelisting
• Symantec Endpoint Protection
• Symantec Critical Systems Protection

Thin Clients and Content Management
• Reduced attack surface
• Centralized OS management
• Enhanced authentication capabilities

[Reference architecture diagram: Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network; Site Network. Components: IDMZ Firewalls, Maint. Laptop, Secure Remote Access Server, Infrastructure & Application Servers, Proxy Services, Enterprise Services, RA Azure WSUS, OT Core Switch, IT Core Switch, WSUS]

Threat Detection

Threat Detection Services
• Inventory to Baseline
• Real-Time alerting on deviations
• Incident Response Planning
• Remote Support Services

[Reference architecture diagram: Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network; Site Network; Supply Chain (Third Party Vendors). Components: IDMZ Firewalls, Maint. Laptop, EWS, Infrastructure & Automation Servers, Proxy Services, Enterprise Services, Remote Support Services, OT Core Switch, IT Core Switch, OEM Laptop, OT Security Services, Threat Detection Platform]
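The "inventory to baseline" and "real-time alerting on deviations" bullets above describe one detection pattern: record what assets exist at commissioning, then flag any scan that disagrees with that record. The following is an added example of that comparison, written for this page; it is not code from the Rockwell Automation deck or from any of the products the slides name. The asset record layout, field names, severities and both inventories are constructed for illustration; a real deployment would feed the baseline and scans from the inventory tool and route the alerts to the security operations team.

```python
"""Baseline-and-deviation check over an OT asset inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    asset_id: str   # constructed identifier, e.g. the tag assigned by the inventory tool
    ip: str
    vendor: str
    firmware: str
    role: str       # e.g. "PLC", "HMI", "EWS"
    level: str      # Purdue level the asset is expected to live in


@dataclass
class Alert:
    severity: str
    asset_id: str
    message: str


# Attribute changes that matter for an ICS baseline and the severity assigned here.
# A changed "level" means a device showed up in a zone it does not belong to; a
# firmware change is unscheduled unless a patch window was declared.
WATCHED_FIELDS = {"ip": "medium", "firmware": "high", "level": "high",
                  "vendor": "high", "role": "high"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def compare_inventory(baseline: Dict[str, Asset], observed: Dict[str, Asset],
                      maintenance_window: bool = False) -> List[Alert]:
    """Return alerts for assets that are new, missing, or changed versus the baseline."""
    alerts: List[Alert] = []
    for aid, asset in observed.items():
        if aid not in baseline:
            alerts.append(Alert("high", aid,
                                f"new asset {asset.ip} ({asset.role}) seen at {asset.level}"))
            continue
        base = baseline[aid]
        for fld, sev in WATCHED_FIELDS.items():
            old, new = getattr(base, fld), getattr(asset, fld)
            if old != new:
                if fld == "firmware" and maintenance_window:
                    sev = "info"  # declared patch window: record it, but do not page anyone
                alerts.append(Alert(sev, aid, f"{fld} changed {old!r} -> {new!r}"))
    # Assets in the baseline that the scan did not see at all.
    for aid in baseline.keys() - observed.keys():
        alerts.append(Alert("medium", aid, "asset missing from scan (offline or removed?)"))
    return sorted(alerts, key=lambda a: (SEVERITY_ORDER[a.severity], a.asset_id))


# Constructed sample data: the baseline captured at commissioning ...
BASELINE = {a.asset_id: a for a in [
    Asset("PLC-01", "10.10.2.11", "Rockwell", "32.011", "PLC", "Level 1"),
    Asset("HMI-01", "10.10.2.50", "Rockwell", "12.00", "HMI", "Level 2"),
    Asset("EWS-01", "10.10.3.20", "Dell", "n/a", "EWS", "Level 3"),
]}
# ... and what a later scan observed (constructed).
OBSERVED = {a.asset_id: a for a in [
    Asset("PLC-01", "10.10.2.11", "Rockwell", "33.012", "PLC", "Level 1"),    # firmware changed
    Asset("HMI-01", "10.10.2.50", "Rockwell", "12.00", "HMI", "Level 2"),     # unchanged
    Asset("LAPTOP-77", "10.10.2.99", "Unknown", "n/a", "Laptop", "Level 2"),  # unexpected device
    # EWS-01 is absent from the scan
]}

if __name__ == "__main__":
    for alert in compare_inventory(BASELINE, OBSERVED):
        print(f"[{alert.severity:6}] {alert.asset_id}: {alert.message}")
```

Running the block as written reports the unexpected laptop and the PLC firmware change as high, and the missing engineering workstation as medium; passing maintenance_window=True downgrades only the firmware change, which is the kind of tuning that keeps the "real-time alerting" bullet from turning into alert fatigue.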

Cisco Integration

Enterprise Integration
• FactoryTalk Network Manager
• IPS/IDS with Firepower
• Network Access Control: Identity Services Engine
• NetFlow Analysis: Stealthwatch & Claroty
• IOS-based Switches: Stratix

[Reference architecture diagram: Level 3.5-4 DMZ / IT Network; Level 3 Site Ops Network; Level 2 Area Supervisory Network; Level 0-1 Controller / Sensor Network; Site Network. Components: IDMZ Firewalls, Maint. Laptop, ISE Policy Node, Infrastructure & Automation Servers, Proxy Services, Enterprise Services, Security Operations, OT Core Switch, IT Core Switch, FTNM]

Attack Continuum – cybersecurity framework: BEFORE, DURING, AFTER

A PROACTIVE APPROACH TO INDUSTRIAL CYBER SECURITY

BEFORE – Identify & Protect
• Asset Inventory Services
• Qualified Patch Management
• Vulnerability and Risk Assessments
• ICS Security Zone and Countermeasure Deployment

DURING – Detect
• Real-Time Threat Detection Services
• Remote Monitoring and Administration Services

AFTER – Respond & Recover
• Backup and Recovery Solutions
• Incident Handling and Response
• Incident Response and Disaster Recovery Planning Services

BUILD A SECURE, ROBUST, FUTURE-READY NETWORK FOR YOUR CONNECTED ENTERPRISE
ASSESS – DESIGN – IMPLEMENT – MONITOR

SCALABLE INFRASTRUCTURE SUPPORT

TechConnect – Managed Services
• Manufacturing IT Support
• Secure Remote Access
• Asset Health Monitoring
• Infrastructure Administration
• Infrastructure as a Service

The Automation Fair® Event

Join us at the 2018 Automation Fair Event – Philadelphia, Pennsylvania • November 14-15, 2018

Visit HS-E.com/Automation-Fair

Please complete the event survey to win a $25 Dunkin' Donuts gift card.