Cisco's recommendations for IT security in production networks

© 2009, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco's recommendations for IT security in production networks

Christian Helmundt Bermann

Systems Engineer - Security


1. The threat landscape today and in the future

2. Cisco Security Intelligence Operations

3. From enterprise to production networks

4. Cisco's approach and recommendations in production networks

5. Wrap-up


• http://www.comon.dk/art/147746/kinesiske-hackere-har-snuppet-admin-password-paa-it-universitetet

• http://www.comon.dk/art/220735/det-hvide-hus-ramt-af-cyberangreb


• http://www.comon.dk/art/221833/stort-kinesisk-hacker-angreb-mod-coca-cola

• http://www.comon.dk/art/200056/kaempe-it-angreb-paa-el-nettet-i-europa


• Internet of everything


• Attacks are becoming more advanced

• They use minimal bandwidth

• Attackers find it easier to attack in a world where everything is connected to everything


WEB REQUESTS: 30B
ENDPOINTS: 150M+
WORLDWIDE EMAIL TRAFFIC: 35%
WEB DATA RECEIVED PER DAY: 100TB
GLOBALLY DEPLOYED DEVICES: 750,000+

NEW DNS REQUESTS FOR EMAIL SENDERS: 10,000
UNIQUE, EXECUTABLE CODE SAMPLES: 500
MALWARE AND BOTNET BLOCKS: 60,000
MALMAIL BLOCKS: 300,000
WEB REQUESTS: 900,000


Cisco SIO: visibility and control
Information in, actions out: Email, Web, Devices, IPS, Endpoints, Networks (ESA, ASA, WSA, AnyConnect, Cloud, IPS; WWW)

24x7x365 OPERATIONS
40+ LANGUAGES
600+ ENGINEERS, TECHNICIANS AND RESEARCHERS
80+ PH.D.S, CCIE, CISSP, MSCE
$100M+ SPENT IN DYNAMIC RESEARCH AND DEVELOPMENT
3 to 5 MINUTE UPDATES
5,500+ IPS SIGNATURES PRODUCED
200+ PARAMETERS TRACKED
70+ PUBLICATIONS PRODUCED


“ …the trend in industrial operations is to interconnect systems, equipment, machinery and devices via networking, in order to provide real-time data and information for better decision making, control and management and, by extension, improved performance, quality and production…

Frost & Sullivan, July 2012


Source: AMR, Industry Week, Cisco Analysis

Traditional production: isolated, static environment ("Solid State")

Future production: dynamic, integrated, mobile, real-time connected equipment ("Liquid State")

Drivers of the change: sensors; flexibility; IT and control; mobile and remote work; security; integrated office and production data; real-time monitoring of devices and traffic; collaboration tools and processes; real time


[Diagram: control-system reference architecture. Components: Enterprise Optimization Suite; Third-Party Controllers, Servers, etc. (Serial, OPC or Fieldbus); Engineering Work Place; Device Network; Firewall; Control Services Network; Third-Party Application Server; Application Server; Historian Server; Workplaces; Mobile Operator; Connectivity Server; Control Network (redundant); Enterprise Network; Serial RS485; Internet; IP]


Confidentiality: prevent unauthorized access to the system.

Integrity: ensure that data is not altered without it being detected.

Availability: accessibility, uptime.

http://en.wikipedia.org/wiki/Information_security


• Enterprise networks are C-I-A: protection of data is most important

• Industrial networks are A-I-C: availability and integrity are most important

Robust hardware

Redundancy

High uptime


ISA99 develops standards and is a committee that brings together industrial security experts from around the world. Its purpose is to develop and establish standards, recommended practices, technical reports and related information that define the procedures for implementing secure industrial automation and control systems and security practices.

Cisco participates actively in ISA99 with 8 members, contributing our experience from networking and infrastructure.

http://isa99.isa.org/ISA99%20Wiki/Home.aspx


Systems

A set of products and services assembled and tested to work together to address a specific issue

Industrial switches developed with Rockwell, ISA 100 wireless developed with Honeywell

Architecture

Strategic vision and integrated portfolio of products, services, technology and business solutions, partnerships and routes to market.

Technology enables policy development (ISA99)

Solutions

Brings out the value addition that the system can bring to the customer's business needs

Cross-tested systems with Schlumberger, Emerson, Honeywell, etc.

Products

Cisco builds and sells products and services.

However, total value to the customer is realized only when Cisco moves beyond products and services

ASA IPS series with SCADA signatures

Products aimed at industrial networks

Collaboration with relevant partners

Network design based on requirements

Technology that is relevant to the users


Zone and level model (Purdue model as used in CPwE)

Enterprise Zone, Level 5: Enterprise Network (Web, E-Mail)
Enterprise Zone, Level 4: Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
DMZ, between two firewalls: Terminal Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
Manufacturing Zone, Level 3: Site Manufacturing Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller
Cell/Area Zone, Level 2: Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
Cell/Area Zone, Level 1: Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
Cell/Area Zone, Level 0: Process: Sensors, Drives, Actuators, Robots
Industrial protocol (CIP) traffic is confined to the Manufacturing and Cell/Area Zones.


Overlay security model

Cell/Area Zone (Levels 0–2, Layer 2 Access): EtherNet/IP (industrial protocols), real-time control, fast convergence, traffic segmentation and management, ease of use. Cisco industrial Layer 2 access switch; Cell/Area #1 (redundant star topology), Cell/Area #2 (ring topology), Cell/Area #3 (linear topology), each with controller, drives, HMI and distributed I/O.

Manufacturing Zone (Level 3, Distribution and Core): site operations and control, multi-service networks, network and security management, routing, application and data share. Cisco Catalyst switch stack, network services, FactoryTalk application servers.

Demilitarized Zone (DMZ) firewalls: access control, threat protection, detection. Cisco ASA firewall pair (active/standby) with Gbps link for failover, Cisco Catalyst switch; DMZ services: patch management, terminal services, application mirror, AV server.

Enterprise Network (Levels 4–5): enterprise/IT integration, collaboration, wireless, application optimization. Web apps, DNS, FTP; Internet.
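The zone model on this slide rests on two enforceable rules: traffic between the Enterprise Network (Levels 4–5) and the plant zones (Levels 0–3) must terminate on a service in the DMZ rather than pass straight through, and industrial protocol traffic (EtherNet/IP, CIP) stays inside the Manufacturing and Cell/Area Zones. The following Python script is an added example, not code from the slide deck or from Cisco's or Rockwell's CPwE material: it maps addresses to zones and audits flow records against those rules. The addressing plan, the key=value flow-log format and the sample records are constructed for this example; the EtherNet/IP ports (44818 explicit messaging, 2222 implicit I/O) are the protocol's well-known ports.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Hypothetical addressing plan for one plant, constructed for this example:
# each subnet is assigned to a zone of the CPwE/Purdue model.
ZONE_OF_SUBNET = {
    ipaddress.ip_network("10.5.0.0/16"): "enterprise",     # Levels 4-5
    ipaddress.ip_network("10.3.255.0/24"): "dmz",          # industrial DMZ
    ipaddress.ip_network("10.3.0.0/24"): "manufacturing",  # Level 3
    ipaddress.ip_network("10.1.0.0/24"): "cell_area",      # Levels 0-2, cell/area #1
    ipaddress.ip_network("10.1.1.0/24"): "cell_area",      # Levels 0-2, cell/area #2
}
PLANT_ZONES = {"manufacturing", "cell_area"}

# EtherNet/IP (CIP) well-known ports: 44818 explicit messaging, 2222 implicit I/O.
INDUSTRIAL_PORTS = {44818, 2222}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONE_OF_SUBNET.items():
        if addr in net:
            return zone
    return "unknown"


def check_flow(flow: Flow) -> list[str]:
    """Return the zone-policy rules the flow violates (empty list = allowed)."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    violations = []
    # Rule 1: enterprise and plant zones never talk directly; every such
    # session terminates on a DMZ service (terminal services, patch, AV, ...).
    if (s == "enterprise" and d in PLANT_ZONES) or (s in PLANT_ZONES and d == "enterprise"):
        violations.append(f"enterprise<->plant flow bypasses the DMZ ({s}->{d})")
    # Rule 2: industrial protocol traffic stays inside the plant zones; it must
    # not reach the DMZ, the enterprise, or addresses outside the plan.
    if flow.dport in INDUSTRIAL_PORTS and not (s in PLANT_ZONES and d in PLANT_ZONES):
        violations.append(f"CIP traffic (port {flow.dport}) leaves the plant zones ({s}->{d})")
    # Rule 3: an address outside the documented plan is a finding on its own.
    if "unknown" in (s, d):
        violations.append(f"address outside the addressing plan ({flow.src} / {flow.dst})")
    return violations


def parse_flow_log(text: str) -> list[Flow]:
    """Parse 'key=value' flow records (constructed format, one flow per line)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        flows.append(Flow(kv["src"], kv["dst"], kv["proto"], int(kv["dport"])))
    return flows


def audit(flows: list[Flow]) -> list[tuple[Flow, list[str]]]:
    """Return only the flows that violate at least one rule, with the reasons."""
    return [(f, check_flow(f)) for f in flows if check_flow(f)]


# Constructed sample flow records (not real traffic).
SAMPLE_LOG = """\
src=10.5.1.20 dst=10.3.255.10 proto=tcp dport=3389
src=10.3.255.10 dst=10.3.0.10 proto=tcp dport=3389
src=10.5.1.20 dst=10.3.0.10 proto=tcp dport=3389
src=10.3.0.10 dst=10.1.0.50 proto=tcp dport=44818
src=10.1.0.50 dst=10.5.1.20 proto=tcp dport=44818
src=10.1.1.7 dst=192.168.9.9 proto=udp dport=2222
"""

if __name__ == "__main__":
    for flow, reasons in audit(parse_flow_log(SAMPLE_LOG)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}")
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, the first two records (enterprise to DMZ, DMZ to Level 3) pass, while the direct enterprise-to-Level-3 session, the CIP session leaving a cell for the enterprise, and the CIP session to an unplanned address are flagged. The same checker can be fed exported firewall or NetFlow records once the subnet-to-zone map reflects the real plant.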


Network security

Access control

Mobile access

Content

Cisco industrial security: information, protection and alerting

[Diagram: the same zone and level model (Levels 0–5; Enterprise Zone, DMZ, Manufacturing Zone, Cell/Area Zone, with the servers, workstations, controllers and field devices of each level) with these security functions overlaid]

• Growing concern about security in production networks and end-to-end communication.

• Cisco's security architecture builds security into the design and provides the depth needed to secure the production network.


[Diagram: zone and level model (Level 5 Enterprise Network and Level 4 Site Business Planning and Logistics Network in the Enterprise Zone; DMZ; Level 3 Site Manufacturing Operations and Control in the Manufacturing Zone; Levels 2–0 Area Supervisory Control, Basic Control and Process in the Cell/Area Zone) with Cisco security products placed at the zone boundaries: VPN, VDI, WSA, IPS, ASA-CX, ASA, ISE]


Industrial Control Signature Subscription Service for Cisco IPS

Detects, identifies, stops and reports threats in real time, before they affect the plant.

• Vendors: Schneider, Siemens, GE, ABB, Yokogawa, Motorola, Emerson, Invensys, Honeywell, Rockwell Automation, and the list is growing…

• Standards: SCADA, DCS, PLC, SIS, RTU


• Rockwell and Cisco have jointly produced a document on securing production networks.

Converged Plantwide Ethernet (CPwE) Design and Implementation Guide

http://www.cisco.com/en/US/docs/solutions/Verticals/CPwE/CPwE_DIG.html

• Comprehensive description of design, implementation and concepts

• Cisco validated design


• Attacks on networks are becoming ever more advanced.

• Production networks are increasingly being connected to enterprise networks.

• The threats to networks mean that they cannot and must not be ignored.

• Cisco contributes knowledge of network architecture.

• Collaboration across organizations is important for success:

ISA-99

Rockwell and Cisco


Thank you.