BRKIOT-2204.Pdf
BRKIOT-2204: Leveraging industrial device visibility and operational intent to inform security policies and controls
Sunil Maryala, Technical Marketing Engineer IoT
Daniel Behrens, Technical Marketing Engineer IoT
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

IT needs to be involved

Common Security Discussions
Secure Connectivity
• What can connect
• What can talk to what
Threat Control
• What is vulnerable
• Protect the vulnerable
Safe Environment
• Network protection
• Device protections
Secure Remote Access
• What are the controls for access
• How to secure access

Cisco IoT Threat Defense
• Segmentation: extensible, scalable segmentation to protect IoT devices (Identity Services Engine/TrustSec, Next-Generation FW)
• Visibility & Analysis: detect anomalies, block threats, identify compromised hosts (Umbrella, Stealthwatch, Cognitive Threat Analytics, Advanced Malware Protection)
• Remote Access: secure third-party access with control and visibility (AnyConnect, ISE/TrustSec)
• Services: reduce risk; design, deploy, and respond to incidents while protecting the business (Design, Assess risk, Incident response)
Converged Industrial Architectures
[Figure: reference architecture diagram; device faceplate labels omitted]
Enterprise Zone (IT Network)
• IT Core
Industrial DMZ
• ACLs, IPS and IDS
• VPN Services
• Portal and Remote Desktop Services
• Application and Data Mirrors
• Remote Access Gateway, Remote Desktop Gateway, Application Mirror
• AV and Patch Management
• Cisco NGFW and IPS Solutions
Industrial Manufacturing Zone (Plantwide)
• AAA Identity Services
• Network Management
• Anomaly Detection
• Plantwide Services: DNS, DHCP, AD
• Traffic Enforcement (Plant to IDMZ, North/South)
• Remote Access Services
• Application Services (FT MFG Core Manufacturing Services)
• Stealthwatch, IND, ISE
Area Zone (Industrial Distribution: IE-4K, 5K)
• Traffic Enforcement (Cell to Cell, East/West)
• QoS Prioritization
• Netflow
• SXP
• ISA3000 (Inter-Cell): Industrial DPI; Hardware Bypass (Logically Open, Electrically Closed); Stateful Firewall and IPS
Cell Zone (Industrial Access: IE-2K, 3K, 4K)
• POE / POE+
• L2NAT
• 802.1X, MAB
• QoS Marking
• *Netflow (IE4K Only)
• *TrustSec Tagging (IE4K Only)
• *Edge Compute (IE4K Only)

Agenda
• What are the differences in Industrial Networks?
• Implications to discovery
• How do we get started?
• Comparison of Active and Passive solutions
• Identifying assets via industrial protocols via IND
• Leveraging ISE for centralized security policies in Industrial Environments
• Gaining visibility into device communication patterns with Stealthwatch
• Industrial Security and Firewalls
• Nature of Industrial protocols and Security
• Cisco Firepower for Industrial Security
Differences in Industrial Environments

Industrial Traffic - Ethernet/IP
[Figure: IDMZ, Engineering Laptop, Manufacturing Zone Network Management, and Cell/Area Zones of IE2K / IE4K switches connecting HMIs, a Controller and a Drive]
• CIP Implicit - Producers & Consumer: >80% local; cyclical I/O traffic, UDP unicast and multicast; <500 Bytes, frequent; 0.5 to 10's of ms, typically 20 ms
• CIP Explicit - Informational control and administration: intra- and inter-cell/area zone traffic flow; non-critical administrative or data traffic using TCP; ~1500 Bytes, infrequent; above 500 ms

Industrial Traffic - Profinet
PROFINET CBA
• Component Based Automation
• Built on DCOM (Distributed Component Object Model) and RPC (Remote Procedure Call) technologies
• Object oriented approach to communications between distributed islands of automation
• Provides a scalable architecture for dealing with complex distributed automation and control systems
PROFINET IO
• Connection between distributed IO Devices and Controllers
• Defines three communication channels:
• PROFINET NRT – Non-Real-Time
• PROFINET RT – Real-Time
• PROFINET IRT – Isochronous Real-Time
• IP application protocols for configuration and maintenance functions: DHCP, DCP, DNS, HTTP/S, etc.

Class                            Response   Applications                          Transport            Timing
Standard (IT) Communications     <100 ms    HMI/SCADA, IT Applications, PROFINET CBA   TCP/UDP/IP over Ethernet   Non Real-time, 100 ms cycle
Factory Automation               <10 ms     PROFINET CBA/RT, PROFINET IO          UDP / Ethernet       Real-time, 10 ms cycle
Motion Control                   <1 ms      PROFINET IRT, Motion Control          Time-Sync Ethernet   Isochronous Real-time, <1 ms cycle
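The CIP traffic profile above (transport, packet size, cycle time, and the expectation that more than 80% of implicit I/O stays inside its cell/area zone) is enough for a defender to sort observed flows and spot I/O leaking across zone boundaries before writing segmentation policy. The following Python is an added example and is not code from the presentation or from any Cisco product; the Flow record, the sample flows, and the 100 ms upper bound used for "10's of ms" are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

@dataclass
class Flow:
    """One observed flow (constructed sample record, not a real capture)."""
    src_zone: str          # cell/area zone of the source host
    dst_zone: str          # cell/area zone of the destination host
    transport: str         # "udp" or "tcp"
    sizes: List[int]       # bytes per packet
    gaps_ms: List[float]   # inter-packet gaps in milliseconds

def classify(flow: Flow) -> str:
    """Label a flow with the CIP traffic profile from the slides.
    Implicit I/O: UDP, <500 bytes, cyclic at 0.5 to tens of ms (typ. 20 ms).
    Explicit: TCP, ~1500 bytes, infrequent, gaps above 500 ms.
    The 100 ms upper bound for "tens of ms" is an assumption."""
    avg_size = mean(flow.sizes)
    avg_gap = mean(flow.gaps_ms) if flow.gaps_ms else float("inf")
    if flow.transport == "udp" and avg_size < 500 and 0.5 <= avg_gap <= 100:
        return "cip-implicit-io"
    if flow.transport == "tcp" and avg_size >= 500 and avg_gap > 500:
        return "cip-explicit"
    return "other"

def review(flows: List[Flow]) -> Dict:
    """Check the '>80% local' expectation for implicit I/O and report
    any cyclic I/O that crosses a cell/area zone boundary."""
    labels = [classify(f) for f in flows]
    implicit = [f for f, l in zip(flows, labels) if l == "cip-implicit-io"]
    local = [f for f in implicit if f.src_zone == f.dst_zone]
    ratio = len(local) / len(implicit) if implicit else 1.0
    findings = [f"inter-zone I/O {f.src_zone}->{f.dst_zone}"
                for f in implicit if f.src_zone != f.dst_zone]
    if ratio < 0.8:
        findings.append(f"only {ratio:.0%} of implicit I/O is local (expect >80%)")
    return {"labels": labels, "local_ratio": ratio, "findings": findings}

# Constructed sample flows: local I/O, I/O crossing into another cell,
# explicit messaging towards the IDMZ, and a small chatty TCP flow.
SAMPLE_FLOWS = [
    Flow("cell-1", "cell-1", "udp", [64, 64, 72], [20.0, 20.0, 20.0]),
    Flow("cell-1", "cell-2", "udp", [80, 80], [10.0, 10.0]),
    Flow("cell-1", "idmz", "tcp", [1400, 1500], [800.0, 1200.0]),
    Flow("cell-1", "cell-1", "tcp", [200, 300], [5.0, 5.0]),
]
```

Running review(SAMPLE_FLOWS) flags the cell-1 to cell-2 I/O flow and the resulting 50% local ratio; the same records are what an IND or Stealthwatch export would give you once mapped to zones.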
Some common ethernet protocols in industrial environments
Manufacturing
• CIP - Ethernet/IP
• Profinet – S7
• ModbusTCP
• OPC (DA, UA)
• CC Link
• FINS
Utilities
• GOOSE
• DNP3
• ModbusTCP
• IEC 61850 (Goose)
Others
• BACnet
• MTConnect

Industrial Network Topologies
[Figure: Star/Bus, Linear, Ring and Redundant Star topologies, each with an IE5K distribution switch and a Cell/Area Zone of IE2K / IE4K (or Catalyst 2955) switches connecting HMIs, controllers, drives, and distributed I/O]
Comparison of Linear, Ring and Redundant Star (rated Worst / OK / Best per criterion; ratings shown graphically in the original) on:
• Cabling Requirements
• Ease of Configuration
• Implementation Costs
• Bandwidth
• Redundancy and Convergence
• Disruption During Network Upgrade
• Readiness for Network Convergence
• Overall in Network TCO and Performance