Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the internet of things - from threat vectors to the architectures
Slides 78–93 (preview text only; truncated in the source):
  78. Data Center UPS Example: APC / Schneider
  79. [no text]
  80. Use Case: Remote Access [A Brief Mention]
  81. Application Visibility And Control – Security Us...
  82. Remote Access Guidance – DHS – For Your Reference
  83. • Ver.10 XXXX Maintenance Support Agreement • ...
  84. Security Flowdown – DFARS 252.204-7012 (b) Adequ...
  85. Physical / Cyber Relationship
  86. Cisco Physical Security
  87. Industrial Station Security Stages: Phy-Cyber ...
  88. Need More? Services for Security
  89. Services – Design, Assess risk, Incident response, S...
  90. Now What?
  91. 3 • Get Help • IT for IT technologies • Look a...
  92. Industrial Security Newsletter
  93. Questions, Concerns? ralbach@cisco.com
  1. Securing the Internet of Things: From Threat Vectors to Architecture – A Phased Approach That Keeps Things Running. Robert Albach, ralbach@cisco.com
  2. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. $2+B Losses / Impacts
  3. 2018's Top Security News
  4. April 2018: Bad Headlines; System Boundaries
  5. 2018 Malware Impacts Continue
  6. Use Case: Software Update by your Remote Maintenance Vendor. Challenge: the Remote Maintenance Vendor's software was hacked. Customers Trust Their Equipment Suppliers.
  7. Industrial Security 101
  8. Internet of Things – primarily focused on the Industrial space (current focus). Diagram labels: Consumer, Enterprise, Industrial; Heavy Industries, Light Industries, Entertainment, Home Automation, Food Prep, Utilities, Health & Wellness, Automotive, Consumer on NW, Physical Security, Data Center, Building Mgmt., Healthcare, Retail, Manufacturing, Energy/Utilities, Smart City, Transportation
  9. Not Doing These >
  10. Industrial Technology Stack Simplified. "Things" – e.g. Sensors, Motors, Robots, Heart Rate Monitor, Transformer, Water Meter. Control Layer – e.g. Workstations, Historians, Logic Controllers. Corporate IT – traditional networking environment where Cisco is a market leader. Internet / Cloud.
  11. Where are We Today?
  12. A Matter of Trust: 2015 Ukraine Utility Attack
  13. Cisco: Multiple Paths to Secure the Plant. Survey question (IoT Sec Talks, May 2016, 620 respondents): "Where does the security role for OT reside in your organization?"
     1 – Wholly within the OT group; 2 – IT owns the DMZ, OT owns the rest; 3 – IT owns down to the aggregation layer; 4 – IT owns down to the access layer; 5 – A hybrid IT team reporting to OT; 6 – Unclear, still sorting it out; 7 – I don't know as I don't work there; 8 – Not applicable to my situation.
     Answers grouped as: Driven by OT Teams / Driven by IT / OT or IT or TBD? [bar chart, axis 0–200 respondents; per-option counts not recoverable]
  14. The Vision of the Future – Connected Systems: From Cloud to Enterprise to Cell. Diagram: Cloud, HQ, DMZ, Factory
  15. Technology Stacks in Connected Manufacturing
  16. Quantifying Threats by Technology Stack. Vulnerabilities by Top 50 Vendors: IT – 99.53%, OT – 0.47%. IT Stack Vulns – 44% [Web – 35%]
  17. The Good
  18. Also Good
  19. A Challenge
  20. Flash: The Weakest Link
  21. Application of Industrial Security • Deployment Priorities, Common Use Case Examples – Manufacturing
  22. Evolve to Secure: Phased Security Architecture.
     First Phase – Secured Connectivity: Zone Segmentation, Controlled Conduits (ISA-95/99, IEC 62443, NERC, NIST).
     Second Phase – Secured Visibility & Control: Application Control, Threat Control (ISA-95/99, IEC 62443, NERC, NIST).
     Third Phase – Converged Security & Depth: Policy Driven Response, Deeper Vision / Control (ISO/IEC 27001:2013).
     Diagram levels: Level 5 Enterprise Network; Level 4 Site Business Planning & Logistics Network (Enterprise Zone); DMZ; Level 3 Site Manufacturing Operations and Control (Control Zone); Level 2 Area Supervisory Control (Cell/Area Zone); Level 1 Basic Control; Level 0 Process.
     Diagram components: Sensors, Drives, Actuators, Turbine; FactoryTalk Client, HMI, Magelis HMI, Engineering Workstation, Operator Interface; Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control; FactoryTalk App Server, FactoryTalk Directory, Engineering Workstation, Domain Controller, Terminal Server; RDP Server, App Server, Patch Mgmt.; E-Mail, Intranet, etc.
  23. Built on Strong Foundations: Cisco Validated Designs
  24. Chemical Facilities Anti-Terrorism Standards. First Phase – Secured Connectivity: Zone Segmentation, Controlled Conduits. Second Phase – Secured Visibility & Control: Application Control, Threat Control.
  25. Evolve to Security: Phased Security Architecture. First Phase – Secured Connectivity: Zone Segmentation, Controlled Conduits (ISA-95/99, IEC 62443, NERC, NIST). Second Phase – Secured Visibility & Control: Application Control, Threat Control (ISA-95/99, IEC 62443, NERC, NIST). Third Phase – Converged Security & Depth: Policy Driven Response, Deeper Vision / Control (ISO/IEC 27001:2013).
  26. Built on Strong Foundations: Cisco Validated Designs
  27. Start: Secured / Connected Distribution. Security Ready Networking; Access / Application Control; NW Access Control.
  28. Introducing Security to Legacy Power Systems. Challenges: 1. Non-Stop Environment; 2. Older systems; 3. Insecure design; 4. Diverse providers; 5. Diverse sub-systems. Our Approach – Phased Deployment: 1. Network modernization; 2. Visibility and Controls – Apps / Threats; 3. Integrated Controls.
  29. Evolve to Security: Phased Security Architecture. First Phase – Secured Connectivity: Zone Segmentation, Controlled Conduits (ISA-95/99, IEC 62443, NERC, NIST). Second Phase – Secured Visibility & Control: Application Control, Threat Control (ISA-95/99, IEC 62443, NERC, NIST). Third Phase – Converged Security & Depth: Policy Driven Response, Deeper Vision / Control (ISO/IEC 27001:2013).
  30. Use Case Driven Validated Designs: Smart Connected Upstream, Smart Connected Pipelines, Smart Connected Distribution
  31. Pipeline Data Retention Policy: Where is it? US Department of Transportation, Pipeline and Hazardous Materials Safety Administration: Part 192 Gas Transmission Pipeline Integrity Management, Code Section §192.947
  32. Cisco Partnerships for Water Management
  33. [no text]
  34. American Water Works Assoc. Recommended Security Guidelines. First Phase – Secured Connectivity: Zone Segmentation, Controlled Conduits. Second Phase – Secured Visibility & Control: Application Control, Threat Control.
  35. Secured Branch Architecture: Products
  36. IP Convergence Drives Digital Ceiling. Timeline markers: 1995, 2005, Late 2000s, 2010, 2015. Labels: Data Network, PBX, IP Telephony, Building Management Systems Using Low-Voltage PoE, Coax, IP Cameras, IP Building Systems on low-voltage PoE, BACnet, Lighting, Ventilation, Sensing, Cloud Management and Analytics, Applications, Experiences, OpEx
  37. Cisco Digital Ceiling Network Infrastructure. Cisco Switches: • CoAP, PoE, PoE+, UPOE • Security with ISE • Converge disparate networks (HVAC, metering, lighting) into one IP network. Diagram labels: Applications (Energy Management, Lighting Control, Building Management, Smart Spaces, API), Control Systems, Intelligent Driver, Sensors (Light, Motion, CO2, BTLE), Wi-Fi Access Point, Lighting, Building Automation, HVAC, IP Video Surveillance Camera, LED fixtures / Components
  38. Cisco Validated Designs with Security
  39. [no text]
  40. Connected Car Security Architect Solution. Diagram labels: Smart Devices, Onboard Wi-Fi Hotspot, Bluetooth; OEM DC (Telematics & OTA, Content & Application); Roadside Networks (5G, LTE, Satellite); Management DC (Device & Network Management, Security Management); Vehicle-to-Vehicle Communication, DSRC, Vehicle to Infrastructure (V2I), Vehicle to Vehicle (V2V); IVN Controller; Automotive Router, IDS, FW, Mgmt; IP/Ethernet Fabric; CAN2IP Gateway (CAN2IP, CAN IDS); ADAS, Automated Driving, Infotainment, Analytics, Apps & Services; Ethernet Capable Devices; Video Switch; TALOS; Identity and NAC; DNS; Firewall; Umbrella; Shared intelligence; Shared contextual and Response Mitigation; Consistent policy enforcement
  41. Challenges: Data Validity / Duplication; Trusted Inputs and Outputs. 1.) Known spoofing practices; 2.) Vehicle GPS accuracy; 3.) Broadcast overlaps.
  42. E2E Security Features Summary – End-to-end Security for device authentication, privacy, and data integrity.
     IoT Edge Device: 802.1X (Authentication); ECC Certificate; 802.1AE (MACsec Encryption); Key Management.
     IoT Gateway Node: VLAN Traffic Segregation; Switch Port Security Features; IPv4/IPv6 Security Features (ACL, Storm Control, Spanning Tree, IPv6 MLD, IPv6 RA); Device Classification; 802.1X/AE Integration.
     Unlabelled third group: Authentication Server Integration; Key Management; Network Monitoring; ISE Profiling; Firewall.
     Diagram labels: HTTP, DNS, LDAP, NMS, Lighting Mgmt, Building Mgmt, Energy Mgmt, Data Center, Metering, Analytics
  43. #CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public. Medical NAC – Discover, Control and Protect your Medical Devices. Users; IT/IoT Devices; Medical Devices: 1400+ / 300+ (Device Type fingerprint number). ISE, pxGrid; Compliance, Vulnerability, Threat, Industry Specific Visibility Tool; Policy; Control in the Network Fabric; Context directory, aggregating context from all sources, native and external. Check out our innovation with FDA GUDID @ Innovation Forum
  44. Use Case Themes • Secure Connectivity – What can connect; What can talk to what • Threat Control – What is vulnerable; Protect the vulnerable • Safe Environment – Network protection; Device protections • Secure Remote Access – What are the controls for access; How to secure access
  45. Use Case: Secure Connectivity [Segmentation]
  46. Segmentation Everywhere
  47. Original Designs Lack Security / Or Security Eroded Over Time
  48. The Case for Purposeful Network Design
  49. Security Use Case: Network Segmentation …and Application Segmentation and Control
  50. Outside the Plant. ABB: 1 – Tech Support for my pumps; 2 – Gathers telemetry data on my pump. GE Predix: 1 – Hosts operating efficiency apps in cloud. SAP: Runs in my enterprise data center. "When will my 4200s be built?"
  51. © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. WHAT IS IT / CISCO VISION / CISCO PORTFOLIO: Purpose Built Network Devices; Network Connectivity; Cisco IoT System. Portfolio Depth: Wired and Wireless, Routing and Switching, Customized for Industries, Cloud to Fog, Comprehensive Portfolio. Cisco IoT System Network Connectivity – Industrial Switching: IE 2000, 3000, CGS2000 IP67, IE 4000, IE 5000. Industrial Wireless: Field AP 1552, Manufacturing WGB/AP (Rockwell), Industrial AP IW 3700 802.11ac. Mobile IP Gateway / Field Network: CGR 1000, 819H, 809H, IR910, IR 509, 829H. Industrial Routing: CGR 2000, ASR 903, ASR 902. Embedded Networks: 5900 ESR, 5921 Software Router, ESS Switches.
  52. Industrial Security Baseline *. Columns: HARDWARE – Mechanical & Sensors; HARDWARE – Processors & Electronics; SOFTWARE – Applications & Resources. Items: Accelerometer & Gyroscope; Input Alarm for Digital Sensors; GPS Asset Tracking & Geo Fencing; Sim Card Locking Plate; Trust Anchor Module (ACT2 Chipset); Fast Hardware Based Encryption; Digital Signature Validation; Code Signing; Application Level Firewall; Secure Boot; Cisco Process (CSDL, Vulnerability Testing, PSIRT, TALOS Group); Hosted App lifecycle security with Cisco IOX*. * Variations may exist between IE and IR platforms.
  53. Industrial IoT Segmentation: How To With What. Routing, Router / Switch, NGFW, IE Switch, IPS, AppID, TrustSec, IND, ISE, StealthWatch, AnyConnect, CloudLock, OT Insights
  54. Firewall Rules Recommendations. In summary, the following should be considered as recommended practice for general firewall rule sets:
     • The base rule set should be deny all, permit none.
     • Ports and services between the control network environment and the corporate network should be enabled and permissions granted on a specific case-by-case basis. There should be a documented business justification with risk analysis and a responsible person for each permitted incoming or outgoing data flow.
     • All "permit" rules should be both IP address and TCP/UDP port specific, and stateful if appropriate.
     • All rules should restrict traffic to a specific IP address or range of addresses.
     • Traffic should be prevented from transiting directly from the control network to the corporate network. All traffic should terminate in the DMZ.
     • Any protocol allowed between the control network and DMZ should explicitly NOT be allowed between the DMZ and corporate networks (and vice-versa).
     • All outbound traffic from the control network to the corporate network should be source and destination-restricted by service and port.
     • Outbound packets from the control network or DMZ should be allowed only if those packets have a correct source IP address that is assigned to the control network or DMZ devices.
     • Control network devices should not be allowed to access the Internet.
     • Control networks should not be directly connected to the Internet, even if protected via a firewall.
     • All firewall management traffic should be carried on either a separate, secured management network (e.g., out of band) or over an encrypted network with two-factor authentication. Traffic should also be restricted by IP address to specific management stations.
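The firewall rule recommendations above are easy to state and easy to drift away from over years of ad-hoc exceptions. The following linter, an added example and not Cisco code, checks a candidate rule set mechanically against the ones that can be decided from the rules alone: the trailing deny-all, IP/protocol/port specificity, a documented justification and owner per permitted flow, no direct control-to-corporate flow, no control-to-Internet flow, and no protocol permitted on both sides of the DMZ. The rule format, the zone addressing (10.10/16 control, 10.20.0/24 DMZ, 10.30/16 corporate) and both sample rule sets are constructed for this illustration. Statefulness, anti-spoofing and the management-traffic recommendation are not checked, since they depend on the platform rather than on the rule text.

```python
"""Linter for a candidate firewall rule set against the recommendations above.
Added example, not Cisco's; rule format, zone addressing and sample rules are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Constructed zone addressing (assumption: one IPv4 range per zone).
ZONES = {
    "control": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "corporate": ip_network("10.30.0.0/16"),
}


@dataclass
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source CIDR or "any"
    dst: str                 # destination CIDR or "any"
    dport: str               # destination port or "any"
    justification: str = ""  # documented business reason for the flow
    owner: str = ""          # responsible person for the flow


def zone_of(cidr: str) -> Optional[str]:
    """Name the zone containing cidr; None for 'any'; 'internet' if in no zone."""
    if cidr == "any":
        return None
    net = ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"  # assumption: anything outside the three zones is the Internet


def check_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per violated recommendation (empty list = compliant)."""
    findings: List[str] = []
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append("base rule set must end with an explicit deny all")
    control_dmz, dmz_corp = set(), set()  # (proto, port) pairs crossing each DMZ edge
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        tag = f"rule {i}"
        if "any" in (r.src, r.dst, r.dport, r.proto):
            findings.append(f"{tag}: permit rules must be IP, protocol and port specific")
        if not (r.justification and r.owner):
            findings.append(f"{tag}: permitted flow lacks a documented justification or owner")
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        edge = {src_zone, dst_zone}
        if edge == {"control", "corporate"}:
            findings.append(f"{tag}: control <-> corporate traffic must terminate in the DMZ")
        if src_zone == "control" and dst_zone == "internet":
            findings.append(f"{tag}: control network devices must not reach the Internet")
        if edge == {"control", "dmz"}:
            control_dmz.add((r.proto, r.dport))
        elif edge == {"dmz", "corporate"}:
            dmz_corp.add((r.proto, r.dport))
    for proto, port in sorted(control_dmz & dmz_corp):
        findings.append(f"{proto}/{port} is permitted on both sides of the DMZ; a protocol "
                        "allowed control<->DMZ must not also be allowed DMZ<->corporate")
    return findings


# Constructed sample: breaks several of the recommendations at once.
BAD_RULES = [
    Rule("permit", "tcp", "10.10.5.0/24", "10.30.0.10/32", "1433"),                   # control -> corporate, undocumented
    Rule("permit", "any", "10.10.0.0/16", "any", "any", "vendor access", "ops-lead"),  # not IP/port specific
    Rule("permit", "tcp", "10.10.5.10/32", "10.20.0.5/32", "502", "historian poll", "ot-lead"),
    Rule("permit", "tcp", "10.20.0.5/32", "10.30.0.20/32", "502", "historian push", "it-lead"),  # Modbus crosses the DMZ
    Rule("permit", "tcp", "10.10.5.10/32", "203.0.113.5/32", "53", "dns", "ot-lead"),  # control -> Internet
]

# Constructed sample: a set that satisfies every check above.
GOOD_RULES = [
    Rule("permit", "tcp", "10.10.5.10/32", "10.20.0.5/32", "502", "historian collects PLC data", "ot-lead"),
    Rule("permit", "tcp", "10.30.0.20/32", "10.20.0.5/32", "443", "MES reads historian over HTTPS", "it-lead"),
    Rule("deny", "any", "any", "any", "any"),
]

if __name__ == "__main__":
    for finding in check_rules(BAD_RULES):
        print("BAD :", finding)
    print("GOOD:", check_rules(GOOD_RULES) or "no findings")
```

Run as a script it prints six findings for BAD_RULES and none for GOOD_RULES. The DMZ-crossing check is the one most often missed in practice: each of the two Modbus rules in BAD_RULES looks reasonable on its own, and only the pair reveals that port 502 has been given a path straight through the DMZ.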
  55. 55. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Use Case: Threat Prevention
  56. 56. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential • Intrusion Phase • Reconnaissance • Targeting • Weaponization • Develop / Test • Delivery / Exploit / Persist • Install • Modify Systems • Command and Control • Attack • Anti-Forensics Kill Chain – ICS Variant Attacks Start at the IT Side
  57. 57. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Attacks Can Break Things…
  58. 58. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential German Smelter Attack: Attack and Mitigations Cloud Systems • What is known: • PhishingAttack • Malware • Access to ICS System • Shutdown commands • Damaged smelter Email / Web Protections AMP
  59. 59. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential VPN Filter
  60. 60. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential VPN Filter
  61. 61. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential VPNFilter and Water Supply Attack
  62. 62. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Security Use Case: Vulnerability Exploitation / Malware Protection Sinapsis SQL injection attempt Petya Malware / Ransomeware
  63. 63. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Industrial Security Appliance 3000 Overview TransportationManufacturing Energy Stateful inspection industrial firewall through ASA FW Industrial protocol (DNP3, Modbus, IEC 60870, CIP) visibility and rules for known vulnerabilities Vulnerability protections for ICS, Windows, MES components, OT applications, NW infrastructure High-performanceVPN, DNS, DHCP, NAT Hardware bypass, alarm I/O, dual-DC power, rapid set up via SD card, PTP support in HW Industrial protocol specific parsing, protocol abuse control, detect set-point level changes Certified for power substations, industrial, and railway and helps meet NERC-CIP, ISA99, IEC 62443, KEMA High Availability and latency controls
  64. 64. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Cisco Talos – ICS Research <-> PROTOCOL-SCADA IEC 61850 virtual manufacturing device domain variable enumeration attempt(protocol-scada.rules) <-> PROTOCOL-SCADA IEC 61850 device connection enumeration attempt (protocol-scada.rules) <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attemptdirectory traversal attempt(server-webapp.rules) <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attemptdirectory traversal attempt(server-webapp.rules) <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attemptdirectory traversal attempt(server-webapp.rules) <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules) <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules) <-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules) <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules) <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) <-> PROTOCOL-SCADA Siemens SIPROTEC V4.24 crafted packet denial of service attempt (protocol-scada.rules) 180+ ICS Vulnerability Protection Rules in 2017
65. Talos ICS Security Research
66. In-Line Mitigations – When “Fix it” Has to Wait
Timeline: Vuln Discovery → Patch Published → Patch Applied? → Maintenance Window → Operation → Maintenance Window
Between patch publication and the maintenance window in which it can be applied, a Vulnerability Protection Rule is placed in-line.
67. Deploying In-Line Security Slowly / Safely
• First: Learn out of band – via SPAN / tap – cycle through rules. Provide flow to Stealthwatch.
• Second: Tune rules / see what would hit and potential impacts. Use flow learning for possible ACLs.
• Third: Move in-line but with “alert” only. Check latency and other network impacts.
• Fourth: Go live and active. Sleep well.
71. Use Case: Application Visibility and Control [Safety / Security]
72. Stopping Misconfiguration of a Robot Arm
73. Protect Critical Infrastructure: Application Control
74. Security Use Case: Protocol Aware Application Control
75. OT Pre-Processors – Modbus command inspection: a Modbus rule to prevent a set point change > 50 on RTU-0122
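The two ideas on slides 67 and 75, staged enforcement ("alert" only before going active) and protocol-aware inspection of Modbus write commands, are shown together below in an added example. This is not Cisco or ISA 3000 code; it is a small Python inspector that parses Modbus/TCP write requests (function codes 6 and 16), applies a set-point limit rule, and returns a verdict whose action depends on whether the sensor runs in "alert" or "block" mode. The RTU address 10.10.0.122, unit id 1 and holding register 0x0010 are constructed values standing in for RTU-0122 and its set-point register.

```python
"""Modbus/TCP command inspection with a staged alert/block mode.

Added example, not Cisco code. RTU-0122 is assumed (constructed values) to be
reachable at 10.10.0.122, unit id 1, with its set-point in holding register 0x0010.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    writes: Dict[int, int]  # register address -> value; empty for non-write functions


@dataclass
class Verdict:
    action: str  # "allow", "alert" or "block"
    reason: str


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and PDU; raise ValueError on malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    writes: Dict[int, int] = {}
    if fc == WRITE_SINGLE_REGISTER:
        if len(pdu) != 5:
            raise ValueError("bad PDU length for Write Single Register")
        addr, value = struct.unpack(">HH", pdu[1:5])
        writes[addr] = value
    elif fc == WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 6:
            raise ValueError("bad PDU length for Write Multiple Registers")
        start, qty, byte_count = struct.unpack(">HHB", pdu[1:6])
        if byte_count != 2 * qty or len(pdu) != 6 + byte_count:
            raise ValueError("register count does not match byte count")
        for i in range(qty):
            writes[start + i] = struct.unpack(">H", pdu[6 + 2 * i:8 + 2 * i])[0]
    return ModbusRequest(tid, unit, fc, writes)


@dataclass
class SetPointRule:
    name: str
    dst_ip: str
    unit_id: int
    registers: List[int]  # set-point registers protected by this limit
    max_value: int


def inspect(frame: bytes, dst_ip: str, rules: List[SetPointRule], mode: str) -> Verdict:
    """Evaluate one frame; in "alert" mode a violation is logged but never dropped."""
    hit = "alert" if mode == "alert" else "block"
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        # A frame the parser rejects is treated as protocol abuse, not silently passed.
        return Verdict(hit, f"malformed Modbus/TCP frame: {err}")
    for rule in rules:
        if dst_ip != rule.dst_ip or req.unit_id != rule.unit_id:
            continue
        for addr, value in req.writes.items():
            if addr in rule.registers and value > rule.max_value:
                return Verdict(hit, f"{rule.name}: register {addr:#06x} write {value} > {rule.max_value}")
    return Verdict("allow", "no rule matched")


def write_single_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Build a Write Single Register request (constructed sample traffic)."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_REGISTER, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def write_multiple_registers(tid: int, unit: int, start: int, values: List[int]) -> bytes:
    """Build a Write Multiple Registers request (constructed sample traffic)."""
    pdu = struct.pack(">BHHB", WRITE_MULTIPLE_REGISTERS, start, len(values), 2 * len(values))
    pdu += b"".join(struct.pack(">H", v) for v in values)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed rule for the slide's scenario: no set-point change above 50 on RTU-0122.
RTU_0122_LIMIT = SetPointRule("rtu-0122-setpoint-limit", "10.10.0.122", 1, [0x0010], 50)

if __name__ == "__main__":
    sample = write_single_register(1, 1, 0x0010, 75)
    for mode in ("alert", "block"):
        print(mode, inspect(sample, "10.10.0.122", [RTU_0122_LIMIT], mode))
```

Running the staged rollout from slide 67 maps onto the `mode` argument: the same rule set runs first with `mode="alert"` while latency and hit counts are reviewed, and only then with `mode="block"`. Scoping the rule to a destination address, unit id and register set keeps it from interfering with reads or with writes to unrelated devices.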
76. Data Center Equipment
77. Data Centers: Connected or Disconnected Systems (Cooling, Power, Fire)
78. Data Center UPS Example: APC / Schneider
80. Use Case: Remote Access [A Brief Mention]
81. Security Use Case: Remote Access – Application Visibility and Control, Cross Boundary Policy, Asset Access Control and QoS. Example: a trusted contractor maintains a new pump on the floor.
82. Remote Access Guidance (DHS) – For Your Reference
83. Remote Access in Contracts:
• Ver.10 XXXX Maintenance Support Agreement
• SERVICE AGREEMENT TERMS AND CONDITIONS
• XXXXX, a division of YYYYY North America Corporation (“ZZZZZ”) will perform the services (“Services”) listed below and on the above pages of this service agreement and any exhibits ("Exhibits") attached to it (together, the “Agreement”) under the following terms and conditions:
• 4. Customer’s Responsibility
• Throughout the term of this Service Agreement, Customer agrees to:
• c. provide suitable remote access to the System to enable ZZZZZ to perform its services hereunder, including but not limited to VPN access to the System;
• d) REMOTE SERVICE. For on-site options, if remote Service is available, the Customer will allow NNN to keep diagnostic and maintenance programs resident on Customer's system or site for the exclusive purpose of performing diagnostics and repair. The Customer has no ownership interest in this software provided by NNN. NNN may remove these programs and any NNN-loaned equipment upon termination of coverage. Customer's system must be configured to permit access. For NNN to provide remote Service, the Customer must allow NNN remote access to eligible NNN systems using the appropriate protocol and method supported by that system. The Customer must provide the necessary equipment designated for that protocol and method of communication to provide remote access to the eligible NNNNt system. NNN will advise the Customer what is required at the time of installation.
84. Security Flowdown – DFARS 252.204-7012 (b) Adequate Security. The Contractor shall provide adequate security on all covered contractor information systems.
85. Physical / Cyber Relationship
86. Cisco Physical Security
87. Industrial Station Security Stages: Phy-Cyber Access
88. Need More? Services for Security
89. Services: Design, Assess risk, Incident response, Support
90. Now What?
91. 1 – First
• Update your network
• Gain a view of the network and applications
• Establish NW access control that reflects the application paths
2 – Second
• Protect the FULL technology stack
• From IDMZ to Cell
• From Factory to Cloud
• Determine what is truly necessary
3 – Third
• Get Help
• IT for IT technologies
• Look at design guides
• Consider external services
• Act
• Commit to making change
92. Industrial Security Newsletter
93. Questions, Concerns? ralbach@cisco.com