The presentation covers assessment, implementation methodology, and the current level of success in addressing four key objectives: protecting the controls fieldbus networks from untrusted network domains; providing secure and safe remote support capability from both inside and outside the company; controlling supplier access to manufacturing equipment when onsite; and protecting manufacturing systems from malware and intrusion. This system isn’t theoretical; it is in broad use and in full critical production. If time and connectivity are available, a quick remote access demonstration can be given. The presentation will wrap up with a series of thoughts and ideas that occur to me regarding security in general as I listen to other organizations and groups talk about various security needs and activities.
ICS Security from the Plant Floor Up - A Controls Engineer's Approach to Securing Plant Floor Networks, Jeffrey Smith of AAM
1. ICS Security from the Plant Floor Up
A Controls Engineer's Approach to Securing Plant Floor Networks
Jeffrey Smith
2. Less than a minute of blather about Jeffrey Smith
3. How much do I want to spend?
Nothing. Zero. Nada. Zip.
4. ICS Security
1. Assess our current posture
2. Define key objectives for which to develop a solution to improve that posture.
5. Key Objective #1
Protect the manufacturing controls networks (EtherNet/IP fieldbus) from the enterprise networks (untrusted networks), and they from us.
6. Key Objective #1
Isolate the Controls Fieldbus from the Enterprise network through two different Firewalls, one managed by IT, one by Controls.
(Diagram: IT SPACE with the IT Firewall; CONTROLS with the Zenwall-5 Controls Firewall performing Industrial Protocol DPI in front of the EtherNet/IP Fieldbus)
7. Key Objective #2
Secure and Safe Remote Support Capability from inside and outside the company
8. Key Objective #3
Control and track supplier access to Manufacturing Control Systems when onsite in one of our facilities
10. Key Objective #4
Protect manufacturing systems from malware attack by removing PC(s) from or isolating them on the controls network.
Whitelist where applicable.
11. Say NO to PCs on your Fieldbus
(Image: Computer)
Friends don’t let friends put PC(s) on Controls Networks
12. Move the PCs to the Enterprise
(Diagram: ENTERPRISE NETWORK)
14. Station Topology
(Diagram: STATION DEVICE LEVEL RING (DLR) TOPOLOGY. Labels: EtherNet/IP Ring Link (two), UPLINK #2 TO MACH 102, OP100, OP90, OP80. Devices on the EtherNet/IP Device Level Ring (DLR): PanelView Plus, CompactLogix L3x ERM, E-TAP, Torque Tool, PowerFlex 755 VFD, 173x AENT, Numatics G3, optional E-TAP, Kinetix 6500 Servos, HMS Gateway.)
20. Ethernet based Fieldbus
Is still young; it has a long way to grow and it’s a long way from mature when compared to its IT counterpart.
21. Can we move to Ethernet?
•Many companies, small to large, are just looking at making a move to an Ethernet based fieldbus.
•What’s the value proposition of Ethernet if we are pushing a huge security posture on them at the same time?
22. Controls Engineers
•Many don’t have experience with Ethernet based controls networks.
•Companies are tight with training dollars, and more are forcing their support staff to learn via OJT even though technology growth is raging.
23. Migrating the “Ethernetly” Challenged
Are you helping? What does your “Convert Legacy Fieldbus X to an Ethernet fieldbus” Engineering Plan look like?
24. Shore up the foundation
Perhaps for those who have taken a “swag” at Ethernet based fieldbus, the correct approach to TLC is to help them “fix” their strategy for Control System Ethernet and then help them secure it.
TLC = Total Landed Cost
26. Pssst! We can do Controls Stuff…
When talking about security, let’s capitalize on our seemingly forgotten skillset of hardwired safety/security. Might not be a singular product purchased from a shelf, but it is value controls can bring to the table.
It’s our cockpit door.
27. If we had a little money left…
“Replace all unmanaged switches with managed switches.”
28. How to get started?
Do something, a little today, and more tomorrow.
Eat the elephant one bite at a time.
29. Detection and Recovery
Not enough people talking about Detection and Fast Recovery.
If we agree we will never stop every attack, shouldn’t we spend time on detection and recovery?
30. Ethernet in Automobiles
This year, the first production vehicle will be released that uses Ethernet instead of CAN as its primary vehicle communications network.
Nervous? I am.
33. Controls Security Appliance
• Fast, Low Latency Deep Packet Inspection of Industrial Protocols
• Ability to easily configure and manage firewall rules without needing a degree in “firewall”
• Horsepower to spare, with the ability to lay in changes without interrupting performance.
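Slide 6's controls firewall and slide 33's call for "Deep Packet Inspection of Industrial Protocols" come down to one concrete job: read the EtherNet/IP encapsulation and the CIP service code inside it, then decide per zone. The Python below is an added example written for this page; it is not the presenter's code and not the behaviour of any named appliance. It parses the 24-byte encapsulation header and the Common Packet Format of a SendRRData request, extracts the CIP service, and applies an assumed two-zone policy (enterprise side: discovery, session setup and read-only services only; controls side: everything). The sample packets, the tag name "Speed", and the policy itself are constructed for illustration; the command, item and service code values are the standard EtherNet/IP and CIP ones.

```python
import struct

# EtherNet/IP encapsulation commands (values from the ODVA EtherNet/IP spec)
LIST_SERVICES = 0x0004
LIST_IDENTITY = 0x0063
REGISTER_SESSION = 0x0065
SEND_RR_DATA = 0x006F
SEND_UNIT_DATA = 0x0070

# CIP service codes (common services plus the Logix tag services)
GET_ATTRIBUTE_ALL = 0x01
RESET = 0x05
GET_ATTRIBUTE_SINGLE = 0x0E
SET_ATTRIBUTE_SINGLE = 0x10
READ_TAG = 0x4C
WRITE_TAG = 0x4D
FORWARD_OPEN = 0x54

NULL_ADDRESS_ITEM = 0x0000
UNCONNECTED_DATA_ITEM = 0x00B2

# Policy assumed for this example: the enterprise side gets discovery,
# session setup and read-only CIP services; anything that can change
# device state is only allowed from the controls side.
ENTERPRISE_COMMANDS = {LIST_SERVICES, LIST_IDENTITY, REGISTER_SESSION, SEND_RR_DATA}
ENTERPRISE_SERVICES = {GET_ATTRIBUTE_ALL, GET_ATTRIBUTE_SINGLE, READ_TAG}


def parse_encap_header(pkt):
    """Split the 24-byte encapsulation header from its payload; raise on truncation."""
    if len(pkt) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, session, status, _ctx, _opts = struct.unpack("<HHII8sI", pkt[:24])
    if len(pkt) - 24 < length:
        raise ValueError("payload shorter than declared length")
    return cmd, session, status, pkt[24:24 + length]


def cip_service_from_rr_data(payload):
    """Walk the CPF items of a SendRRData body and return the CIP service code."""
    if len(payload) < 8:
        raise ValueError("short SendRRData body")
    # interface handle (4) and timeout (2) precede the CPF item count (2)
    (item_count,) = struct.unpack_from("<H", payload, 6)
    off = 8
    for _ in range(item_count):
        if off + 4 > len(payload):
            raise ValueError("truncated CPF item header")
        type_id, item_len = struct.unpack_from("<HH", payload, off)
        off += 4
        item = payload[off:off + item_len]
        if len(item) != item_len:
            raise ValueError("truncated CPF item data")
        off += item_len
        if type_id == UNCONNECTED_DATA_ITEM:
            if not item:
                raise ValueError("empty Message Router request")
            return item[0] & 0x7F  # bit 7 marks a reply; strip it
    raise ValueError("no unconnected data item")


def inspect_packet(zone, pkt):
    """Return ('ALLOW'|'DENY', reason) for a packet arriving from the given zone."""
    try:
        cmd, _session, _status, payload = parse_encap_header(pkt)
        if zone == "controls":
            return "ALLOW", "controls zone, command 0x%04X" % cmd
        if cmd not in ENTERPRISE_COMMANDS:
            return "DENY", "command 0x%04X not permitted from enterprise" % cmd
        if cmd != SEND_RR_DATA:
            return "ALLOW", "discovery/session command 0x%04X" % cmd
        svc = cip_service_from_rr_data(payload)
        if svc in ENTERPRISE_SERVICES:
            return "ALLOW", "read-only CIP service 0x%02X" % svc
        return "DENY", "state-changing CIP service 0x%02X from enterprise" % svc
    except ValueError as exc:
        # Malformed traffic is dropped rather than guessed at
        return "DENY", "malformed packet: %s" % exc


def build_unconnected_request(service, path, data=b"", session=1):
    """Constructed sample: wrap a Message Router request in SendRRData / CPF."""
    mr = bytes([service, len(path) // 2]) + path + data
    cpf = struct.pack("<H", 2)
    cpf += struct.pack("<HH", NULL_ADDRESS_ITEM, 0)
    cpf += struct.pack("<HH", UNCONNECTED_DATA_ITEM, len(mr)) + mr
    body = struct.pack("<IH", 0, 0) + cpf  # interface handle, timeout
    hdr = struct.pack("<HHII8sI", SEND_RR_DATA, len(body), session, 0, b"\0" * 8, 0)
    return hdr + body


def build_simple(cmd):
    """Constructed sample: a payload-less encapsulation command such as ListIdentity."""
    return struct.pack("<HHII8sI", cmd, 0, 0, 0, b"\0" * 8, 0)


# Constructed sample traffic: ANSI extended symbol segment for tag "Speed", padded to even length
TAG_PATH = b"\x91\x05Speed\x00"
READ_SPEED = build_unconnected_request(READ_TAG, TAG_PATH, struct.pack("<H", 1))
WRITE_SPEED = build_unconnected_request(
    WRITE_TAG, TAG_PATH, struct.pack("<HH", 0x00C4, 1) + struct.pack("<i", 1500))

if __name__ == "__main__":
    for zone, pkt, label in [("enterprise", READ_SPEED, "read Speed"),
                             ("enterprise", WRITE_SPEED, "write Speed"),
                             ("controls", WRITE_SPEED, "write Speed"),
                             ("enterprise", build_simple(LIST_IDENTITY), "ListIdentity"),
                             ("enterprise", READ_SPEED[:30], "truncated read")]:
        print(zone, label, inspect_packet(zone, pkt))
```

The point of the per-item length checks is the "2:00am" slide that follows: a DPI rule that throws an exception on an odd packet takes the line down just as surely as a blocked write, so malformed input is logged and dropped with a reason rather than crashing the inspector or being waved through.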
34. ICS Security Appliances
• Can’t require an IT person at 2:00am when the line is down.
• Best way to introduce yourself and your new whiz-bang security “stuff” to the plant manager is to take the line down OR prevent the 2:00am support staff from bringing it back up.
35. ICS Security Appliances
You won’t forget him and he won’t forget you or your security #%^!&%#*%.
And you thought CapEx funding of security initiatives was challenging before…
36. ICS Security Appliances
• Must have easily replicable configurations
• Must be scalable from small to large
• Must have reasonable pricing models to accompany their scalability
37. Security = Risk Mitigation
I’m often asked “How much security is enough?”
“Whatever you need to mitigate the risk you can’t live with.”