Industrial Network Security Architecture

#CLMEL
Industrial Network
Security Architecture
Evolution
Michael Boland, Distinguished Systems Engineer

BRKIOT-1315
#CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Open the Cisco Events Mobile App
2 Find your desired session in the “Session Scheduler”
3 Click “Join the Discussion”
4 Install Webex Teams or go directly to the team space
5 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKIOT-1315
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Security risks increase the potential for disruption to control system
uptime, safe operation, and a loss of intellectual property.
Changes in Control and IT technologies, extended digital supply chains

and evolving organisational structures are demanding security is not just
a set of enforcement point solutions.
Indeed security must be integrated end-to-end throughout IT and

industrial network architectures to reduce cyber security and operations
impact risks.
This session will examine the evolution of industrial network design from
a security perspective, outlining leading network design patterns and
Cisco technologies.
Abstract
#CLMEL BRKIOT-1315 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Agenda
• Industry Models and Security
Design Patterns
• Security Prime Directive
• Production Systems Attacks
• Production Network Design
Models for Security
• Applying Security via Workflow
Integration
• Industrial Network Security
Evolution
Icon Key
SDA Fabric Border Node – A Fabric device
Layer 2 Switch (e.g. Core) that connects External Layer 3
network(s) to the SDA Fabric
Layer 3 Switch SDA Control Plane Nodes – Map System

that manages Endpoint to Device
relationships
PLC
SDA Fabric Edge Nodes – A Fabric device
(e.g. Access or Distribution) that connects
Remote I/O Wired Endpoints to the SDA Fabric
HMI SDA Fabric Enabled Wireless Controller
Surveillance Camera SDA Fabric Enabled Wireless Access Point
Smart Lighting
Icon Key
Router
Firewall
ISE
Clustered Firewalls
Directory Server Layer 3 Virtual

(Microsoft Active Directory, LDAP) Switch
e.g. VSS, Horizontal Stacking
Wireless LAN Controller
Wireless Access Point StealthWatch
“There is no such thing as
perfect security, only varying
levels of insecurity.”
Salman Rushdie, Author
Industry Models and
Security Design Patterns
Purdue Enterprise Reference Architecture/ISA-951
Scheduling and Control Hierarchy Levels in Industrial Companies
Business Planning and Logistics
Plant production scheduling, Level 4

Operational management, etc.
Defines the interfaces between
Enterprise activities and
Control activities.
Manufacturing Operations and Control
Level 3
Dispatching production, detailed production
Provides standard models and Scheduling, reliability assurance, etc.
terminology for describing the
interfaces between the business
Area Control Levels 2, 1 & 0
systems of an Enterprise and its
manufacturing-control systems. Cell/Line supervision, operations and process
control functions
Batch Continuous Discrete
ISA-88 Standard Control Control Control
1 ISA95 #CLMEL
- International Standard from the International Society of Automation BRKIOT-1315 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
ISA-95 Computer-Integrated Manufacturing Levels
Level 4 - The business-related activities needed to manage a manufacturing organisation that are
executed by enterprise-level software and systems to include:
• Plant scheduling - material use, delivery, and shipping
• Determining inventory levels
• Delivery of materials to the right place on time for production
• Timeframe – Months, weeks, days, shifts
Level 3 - The activities of work flow to produce the end products that are executed by the MES and
MES-related systems. Timeframe – shifts, hours, minutes, seconds.
Manufacturing
Level 2 - The activities of monitoring and controlling the physical processes that are executed by the
PLC, the HMI, and the Area and Unit Operations portion of the Supervisory Control and
Data Acquisition (SCADA) system.
Level 1 - Activities involved in sensing and manipulating the physical processes executed by valves,
sensors, motors, etc.
Level 0 - The actual physical processes
Source: http://www.pharmpro.com/article/2012/07/manufacturing-execution-systems
IEC-62443 (formerly ISA-99)
Security
Not addressed in
IEC-62443
NIST Special Publication 800-82 revision 2
Guide to Industrial Control Systems (ICS) Security
• Overview of Industrial Control Systems
• ICS Risk Management and Assessment
• ICS Security Program Development and Deployment
• ICS Security Architecture
• Applying Security Controls to ICS
NIST 800-82 (Revision 2)1
Enterprise Network Level 5
Enterprise Zone
Site Business Planning and Logistics
Network Level 4
DMZ Demilitarisd Zone — Shared Access, “Jump Zone”
Manufacturing Zone Site Manufacturing Operations and Control Level 3
Area Control Level 2
Cell/Area Zone Basic Control Level 1
Process Level 0
1DMZ also defined in USA Department of Homeland Security INL/EXT-06-11478
Industrial Network Models – IEC-62443-3-2
Security Risk Assessment and System Design
Enterprise Network Level 5
Enterprise Zone
Site Business Planning and Logistics Network Level 4
DMZ Demilitarised Zone — Shared Access, “Jump Zone”
Controlled Conduit
IEC-62443-3-2
Zone A
Zone B
Process Level 0
#CLMEL BRKIOT-1315
BRKIOT-1315 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Industrial Network Models – ISA-62443-3-2 +
DMZ
Enterprise Network Zone E Level 5
Enterprise Zone
Controlled Conduit
DMZ
Manufacturing Zone
Demilitarised Zone —
X
Shared Access, “Jump Zone”
Site Manufacturing Operations and Control Level 3
Zone A
Process Level 0
Industrial Network Models – DMZ
Enterprise Network Zone Contractor
Level 5
Remote
Enterprise Zone
HTTPS
CC
Zone
DMZ Demilitarised Zone Terminal
Services
CC
RDP
Area Control HMI Level 2

Zone C
Process Level 0
Security Prime Directive
in Production Systems
Security Goals in Production Systems
Attack Continuum
Maintain
Sustain
Safe Production
Production
Environments
BEFORE DURING AFTER

Control Detect Scope
Enforce Block Contain
Harden Defend Remediate
Security Challenges in Industrial Environments
Lack of Visibility
Antiquated Systems What’s out there, who is talking
Unpatched, legacy to who, what are they saying
systems Access Control
Access needs evolving
Insecure Design
Lack of segmentation Change Control
24/7/365 Operations
OT Security Skills
IT sec  Ops knowledge Business Needs
Real-time Information, no
downtime, quick access
Domains of Responsibility?
Operations Centres
Network Security
• Group
Operations Operations
• Division
Centre Centre
• Site
Datacentre
WAN • Group LAN Production
• Group • Division • Site Control Network
• Division • Site • Wired and Wireless
Enterprise Enterprise
Enterprise Services LAN
Datacentre
Services WAN
PCN Core,
Industrial Process Control
Internet Inter-site Distribution,
Datacentre LAN
PCN WAN Access Switches
Internet Industrial Physical Safety PCN Control

IoT
DMZ DMZ and Security LAN Switches
PCN WAN
Common Security
Issues, and …
Obligatory Scary Slides
2017 and 2018 Security News
Threat Landscape for Industrial Automation
Systems in H1 2018
Kaspersky Labs data from Industrial Windows Computers
• Supervisory control and data acquisition

(SCADA) servers
• Data storage servers (Historian) Percentage of ICS computers attacked, H1 2017 – H1 2018
• Data gateways (OPC)

• Stationary workstations of engineers and
operators
• Mobile workstations of engineers and
operators
• Human Machine Interface (HMI) Main sources of threats blocked on ICS computers (percentage
of computers attacked during half-year periods), H1 2017 H1
2018
Source: Kaspersky LAB ICS CERT, September 2018

https://securelist.com/threat-landscape-for-industrial-automation-systems-in-h1-2018/87913/
Types of Attacks in 2018 and 2019
• Production systems targeted with sophisticated modular malware
Calls home to report findings, receive further instructions and provide a 2nd backdoor
Maps network/devices/protocols
Trashes the joint - issuing fake control commands
Erasing registry keys and overwriting systems to bar
• Ransomware (Petya, Wannacry) and Malware (NotPetya) attacks crossing from IT to OT systems
Attack vector is common operating systems and database platforms upon which OT systems are built
• Common Tactics, Techniques and Procedures1 include …

Spear-phishing emails (from compromised legitimate account)
Watering-hole domains
Credential gathering
Open-source and network reconnaissance
Host-based exploitation
Targeting industrial control system (ICS) infrastructure
1US-CERT TA18-074A https://www.us-cert.gov/ncas/alerts/TA18-074A

Root remediation observations
• Human factors – HR systems immediately remove access rights to terminated employees, anti-
phishing, block USB drives
• Control systems software patching
• IT systems software patching
• Timely System backups
• IT/OT systems separation
• Compromised Credentials - Multi Factor Authentication
• Email and WWW attachment scanning/control
• Whitelist DNS from Industrial Networks to prevent “calling-home”
• Active monitoring
• Morphing threats – Automated Threat Updates
More and More Porous Boundaries …
• Machine builders want access to

machine telemetry
• Requesting direct machine-to-

cloud connectivity
• In some cases machines come

LTE with embedded LTE networking
which is outside operations control
Backdoor
• Presents a security “backdoor”

problem
Production Network
Design Models
for Security
Protect the Network – Hygiene Factors
• Cisco SAFE Design Guides
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html
• Network Element Hardening
Deploy trusted platform security, implement secure protocols, disable unused services, limit access to
necessary ports and protocols, enforce via authentication, authorisation and accounting (AAA) with two factor
authentication, and control plane policing
• Network Element Services

Disable unnecessary services and enable only services that are needed
• Routing
Packet filtering, restricting routing-protocol membership, and controlling the propagation and learning of routing
information
• Switching
Restricting broadcast domains, STP security, ARP inspection, anti-spoofing, disabling unused ports, and
following VLAN best practices
Protect On-Network Services
• DNS
Patch management and the hardening of the DNS servers, using firewalls to control DNS queries and zone
traffic, implementing IPS to identify and block DNS-based attacks, etc.
• NTP
Implement NTP peer authentication, the use of access control lists, and device hardening, etc.
• DHCP
Server hardening and use of DHCP security features available on switches such as DHCP snooping and port
security, etc.
Implement Leading Practice Design for Security
• Time synchronise all network elements - NTP
• Enable logging for all network elements - syslog
• Partition (and filter) the network management address space
• Employ QoS to accurately classify and prioritise control and management traffic
• Enable Control Plane Policing (CoPP)
• Implement IEEE 802.1AE (MACsec where supported) to protect network traffic,

detect and prevent unauthorised LAN connections
Production Network Topology
WAN Datacentre
Separate IT and
Industrial
Applications/Services
Core • Physical
• Segmented
• Partitioned
Separate or converged
IT and Industrial
Distribution backbone networks
Access
Separate or
Converged Access
and Control Layer
switches
Control
Network Flow Visibility
• We cannot effectively secure that which we cannot see!
• Compiles system and network profile baselines
• Feeds security model planning and development
• Feeds network planning
• Feeds network forensics, detecting:
Abnormalities
Malicious activity
Anomalous activity
You cannot secure that which you cannot see!
Virtual • Flow Correlation
Enterprise Enterprise Switches • Flow Collectors
WAN Services WAN Services LAN

Datacentre
Intra and Inter-server flow
Internet monitoring required
Core IDS/IPS in traditional industrial network

designs only provides visibility of North-
South traffic
Flow monitoring should be ⤫ No East-West PCN Zone ⬌ PCN Zone
enabled at all industrial visibility
Distribution network layers – including ⤫ No intra-server flow visibility
the industrial datacentre …
… centrally correlated and
monitored
Access
NetFlow on core-only switches
Control alone only provides visibility of
North-South traffic
Visibility Through NetFlow
NetFlow Provides
• A trace of every conversation in Flow Information Packets
your network SOURCE ADDRESS 10.1.8.3
10.1.8.3
• An ability to collect records DESTINATION ADDRESS 172.168.134.2
everywhere in your network
(switch, router, or firewall) SOURCE PORT 47321
• Network usage measurements DESTINATION PORT 443
• An ability to find north-south as Switches

INTERFACE Gi0/0/0
well as east-west communication
IP TOS 0x00
• Lightweight visibility compared to
IP PROTOCOL 6
Switched Port Analyser (SPAN)- Routers
based traffic analysis NEXT HOP 172.168.25.1
• Indications of compromise (IOC) TCP FLAGS 0x1A
• Security group information SOURCE SGT 100

IE 4000, IE 4010 and IE 5000 Now : :
with Full Flexible NetFlow - Cisco IOS Internet 172.168.134.2
APPLICATION NAME NBAR SECURE-HTTP
Release 15.2(6)E1
Stitching Context to Provide User Transaction
Visibility
Use Cases Cisco StealthWatch
Internal User Network Network
Insider Threat Firewall Planning Segmentation TrustSec
Monitoring Operations Visualisation
Event Data Security Events Behavioural Analytics
Session Data | 100% network accountability

Client Server Translation Service User Application Traffic Group Mac SGT
1.1.1.1 2.2.2.2 3.3.3.3 80/tcp Doug http 20M location 00:2b:1f 10
Visibility
User Interface TrustSec Threat Feed Group / NAT/Proxy LAYER 7 Cloud

Information Information Segment
Visibility with StealthWatch:
Connection Records of Behavioural Models
SECURITY ALARM
EVENTS (94 +) CATEGORY RESPONSE
Addr_Scan/tcp Concern
Addr_Scan/udp Alarm table
Bad_Flag_ACK**
COLLECT AND Beaconing Host Recon
ANALYSE FLOWS Bot Command Control Server
Bot Infected Host - Attempted Host snapshot
Bot Infected Host - Successful C&C
Flow_Denied
.
. Exploitation Email
FLOWS
ICMP Flood
.
.
Data hoarding
Max Flows Initiated Syslog / SIEM
Max Flows Served
.
Exfiltration
Suspect Long Flow
Mitigation
Suspect UDP Activity DDoS target
SYN Flood
Two Approaches to Flow Monitoring Architecture
Active Monitoring by Switches Tap/SPAN Traffic to Parallel Monitoring Infrastructure
Design NetFlow enabled on all production site switches, Passive optical taps or active spanning to packet monitors
e.g. with centralised flow correlation and analysis.
• Cisco Catalyst 9000 Core and Distribution • Distributed packet monitors connected to separate
switches segments (e.g. VLANs) on production switches
• Cisco Industrial Ethernet 4000 and 5000 • Or Distributed monitors connected to dedicated
switches monitoring network across the production site
Centralised NetFlow Collectors and StealthWatch

Advantages  Common integrated management model  Architecture supports the monitoring of legacy serial
 Catalyst 9000 switch UADP hardware allows industrial control buses
for the analysis of Encrypted industrial traffic  Complete separation of flow monitoring from control
flows (ETA – Encrypted Traffic Analytics) network infrastructure
 Forwards total packet to analysis systems – application
layer stateful analysis
Disadvantages ⤫ New switching hardware may be required at ⤫ Must monitor all ingress and egress ports to a switch
the Access and Control layers to capture all flows – physical port tapping or on-
⤫ Only looks at packet headers – not application switch port spanning
payload ⤫ Cost of replicating a parallel network for monitoring
Common Production Network Design
Enterprise Enterprise Industrial
WAN Services WAN Services LAN Services
Datacentre
Internet
Often No Separate
Industrial Datacentre
Switches
Firewalls Provide
Core Large Layer 2 Topology Spans “North-South” Control Only
⤫ Tromboning inter-
processor traffic
VLAN-based Segmentation  PCN ➜ Enterprise Services
via external
 PCN ➜ Industrial DC
switches
⤫ PCN Zone ⬌ PCN Zone
Distribution ⤫
⤫
Large Spanning Tree Domains
Difficult to Scale ⤫ Firewall Scale (Virtual
⤫ Large broadcast domains Contexts)
⤫ Complexity leads to
configuration errors
Access Non-Managed Control Layer
Switches
⤫ Difficult to Manage
Control ⤫ No Visibility of Control Traffic
Segmentation for Security
100’s
Network Segmentation
Mechanisms
E.g. Call Manager,
E.g. Site Historian,
“The capability to segment
VSOM Server, Group Based Policy*
SCADA Server, Unified Communications, Security
Packaging Line 4, Physical Safety and Security, Groups TrustSec SGT
a network in order to Conveyer,
Etc.
Network Management,
Etc.
Dynamic ACL
achieve data plane Production Service Permission
Filters Stateful ACL
Zones Zones
isolation over physical and Static ACL
virtual networks” VRF
Routing
DHCP Scope
Security Network
Network Zones Constructs VLAN
Segmentation Address – MAC / IP /

Subnet
Physical
Segmentation
Mechanisms E.g. Cisco ACI End Point Groups within a datacentre
Layer 2 Issues
• Network stability is compromised as a result of slow response to network
failures (slow convergence.) Spanning Tree Protocols are not built to
accommodate frequent link-flapping conditions, high error rates,
unidirectional failures or non-report of loss of signal
• Packet flooding and MAC address learning behaviours
• Broadcast storms, if uncontrolled, can result in network–wide outages
• Lack of visibility into packet paths for debugging
• There are many counter-measures and switch features that assist in
remediating these issues, but the poor degree of feature standardisation
and implementation differences make network designs based upon
extensive Layer 2 networking difficult to manage and debug
Switching Security Leading Practice (Access
Layer)
• Restrict broadcast domains
• Spanning Tree Protocol (STP) Security - Implement Rapid Per-VLAN Spanning Tree
(Rapid PVST+), BPDU Guard, and STP Root Guard to protect against inadvertent
loops
• DHCP Protection - Implement DHCP snooping on access VLANs to protect against
DHCP starvation and rogue DHCP server attacks
• IP Spoofing Protection - Implement IP Source Guard on access ports
• ARP Spoofing Protection - Implement dynamic ARP inspection (DAI) on access
VLANs
• MAC Flooding Protection - Enable Port Security on access ports
• Broadcast and Multicast Storm Protection - Enable storm control on access ports
VLAN Leading Practices
• Restrict VLANs to a single switch
• Configure separate VLANs for voice and data
• Configure all user-facing ports as non-trunking (DTP off)
• Disable VLAN dynamic trunk negotiation trunking on user ports
• Explicitly configure trunking on infrastructure ports rather than auto-
negotiation
• Use VTP transparent mode
• Disable unused ports and place in unused VLAN
• Do not use VLAN 1 for anything
• Use all tagged mode for native VLAN on trunks
Restrict Layer 2 Switching to Control and
Datacentre Layers
Datacentre
Internet
IP Routing to the Access

Layer assists with scale
Core Require another

virtualisation mechanism
– VRFs?
Distribution VLANs restricted to

Access/Control layers
Spanning Tree Protocols

Access only implemented on
Control Layer switches
Control Extending Control Layer

Fibre fibre where Layer 2
networking is required
VRF • Associates to one or more interfaces (Privatise an L3 Interface)
• Each VRF has its own
Forwarding table (CEF, RIB)
Routing process (EIGRP, OSPF, ISIS, BGP)
“Virtual Routing and • Interconnect options

Forwarding is a Control IEEE 802.1Q, LSPs, GRE, L2 circuits, physical cables
Plane technology that
allows a router (Layer 3
switch) to have multiple, VRF blue
partitioned, instances of VRF global
routing tables concurrently” VRF green
VRF router ospf 100 vrf green

router eigrp 100
!
network 11.0.0.0 0.255.255.255 area 0 address-family ipv4 vrf blue autonomous-system 100
no passive-interface vlan 2001 network 12.0.0.0 0.255.255.255
no auto-summary
exit-address-family
VRF Scaling
100’s
Hardware Platform Number of VRFs Supported
IE4000 and IE5000 26 E.g. Site Historian,

E.g. Call Manager,
VSOM Server,
SCADA Server,
Industrial Ethernet Packaging Line 4,
Unified Communications,
Physical Safety and Security,
Conveyer,
Switches Etc.
Network Management,
Etc.
Catalyst 9300 and 256 Production Service

IE3400 Access Switches Zones Zones
ASR 1000 WAN 8,000

(boundary) router
Security
Zones
“As a rule of thumb for VRF-Lite End-to-End it is usually
recommended in average-sized networks when not more than
10-15 distinct VRFs are needed”
Cisco Network Virtualisation - Path Isolation Design Guide Segmentation
Mechanisms
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_V
irtualization/PathIsol.html
Example Production Network VRFs
• Production Control Network – PCN
• Industrial Datacentre
• Industrial DMZ
• Production Services
• Infrastructure (Wireless Access Points)
• Physical Safety and Security
• Unified Communications (Voice and Video)
• Enterprise (Services)
• Production Network Management
• Control Centre
Firewalls
Datacentre
Virtual Firewalls perform
Internet inter-VM/process security
Performance / Cost?
Application Firewalls can

2-4 perform IDS/IPS functions
Core
Centralised Firewalls can
be clustered for High
8 - 16 Availability
Distribution
Distributed Firewalls difficult
to scale/manage
32 – 100’s
Access Cost may be justified by a
risk analysis
100’s – 1,000’s
Control
Fusion Routers Allow Centralised Clustered
Firewalls H Historian

Datacentre
Internet
Centralised Fusion Routers
interconnect VRFs. Forces
Fusion Router Fusion Router all inter-VRF traffic via
Route central clustered Firewalls
Prefix PS
Leaking
Core Across PCN
VRFs
Enables inter-VRF IDS/IPS
Production VRFs
Distribution
• Production Control Network – PCN
• Industrial DMZ (IDMZ) All intra-VRF traffic flows via
• Production Services (PS) the least-cost routed path
Access • Infrastructure (Wireless Access
Points)
• Physical Safety and Security
• Unified Communications (Voice and
Video)
Control •
•
Enterprise (Services)
Production Network Management
But how to we secure intra-VRF flows at scale?
• Control Centre
TrustSec Concepts
Classification
(Destination)
Classification
ISE ISE Directory
(Source)
Users, Devices Enforcement
Enforcement
IP 5 IP 5
Router DC FW DC Switch
Sharing Group Information

• Classify systems/users based on context (user role, device, location etc.)
• Context or role expressed as a Security Group
• Firewalls, routers and switches use Security Groups to make filtering decisions
• Classify once – reuse Security Group anywhere on network
Where does the Scalable Group Tag reside?
MACsec Frame Cisco MetaData Ethernet Frame Dynamically Classified Statically Classified
Destination MAC CMD EtherType Destination MAC • 802.1X Authentication • IP Address
0x8909
Source MAC Source MAC • Web Authentication • Subnets
Version
IEEE 802.1AE • MAC Auth. Bypass • L2 Interface
IEEE 802.1Q
Header Length • Passive identity [AD] • L3 Interface
CMD
IEEE 802.1Q SGT Opt Type • Remote Access • Port
128 or 256 bit
Encrypted *
AES-GCM
EtherType
CMD SGT Value • Profiling, Posture, MDM • VLANs
16-bit Payload
EtherType • VPN
Other CMD CRC • ACI (Application Centric
Payload Options
Infrastructure)
IEEE 802.1AE
Header SGT Value • Virtual Port Profiles
16-bit
CRC
Other
• QinQ
Cisco TrustSec Software-Defined Segmentation Platform
* Encrypted field by MACsec • DMVPN (IKEv2) and Capability Matrix
(Optional – Capable Hardware) • GRE https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-
• IPSec (IKEv2) networks/trustsec/software-platform-capability-matrix.pdf
• GETVPN
• VXLAN #CLMEL BRKIOT-1315 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Network Segmentation with TrustSec
Enforcement
Security Group: Manager Switches
Username: johnd Routers
Segmentation based on RBAC Group: Store Firewall
• Independent from address based topology Managers DC Switch
Location: Store Office Hypervisor SW
Role based on context Time: Business Hour
• AD, LDAP attributes, device type, location, time,
access methods, etc…
AUTHORIZED
Use Tagging technology PERSONNEL
ONLY
• To represent logical group (Classification)
• To enforce policy on switch, router, and firewall
Software Defined
• Policy managed centrally TAG
• Policy provisioned automatically on demand
• Policy invoked anywhere on the network
dynamically
Resource
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
Software Defined Segmentation with Cisco

access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
TrustSec
Traditional Security Policy
• Security Control Automation

• Simplified Access Management
• Improved Security Efficacy
ISE Directory
Identity and
Security Policy Network Elements only
Security Group ACLs are receive policies for Security
Packaging Line 4
SCADA Server
EGRESS only SGACL

Site Historian
TrustSec Role-Based Groups that have attached

Destination
Security Policy Access Control

PLC
HMI
Lists Network
Source
Packaging Line 4 PLC

Switch Router Wireless Firewall DC Switch
Permit OPC DA
HMI
permit TCP dst eq 135 Flexible and Scalable Policy Enforcement
deny all log
Site Historian
SCADA Server
Historian SCADA PNM
VRFs + SGTs
AD
H
HMI
S
HMI

WAN Services WAN Services LAN Services 666 1491
ISE
Internet
SGACL
SGACL
SGACL
Fusion Router
SGT
SGT 45666
333
SGT ⟷ 90
⟷ -333
1491Permit CIPCIP
- Permit Class
– Implicit 3 3
Class
Deny
Route
Prefix PS
Leaking
Core Across PCN
VRFs
Production VRFs
Distribution • Production Control Network
– PCN
• Industrial DMZ (IDMZ)
Production Services (PS)
Access •
• Infrastructure (Wireless 45
Access Points)
• Physical Safety and Security SGACL
• Unified Communications
(Voice and Video)
SGT 45 ⟷ 90 - Permit CIP Class 3
90 Operator
Control • Enterprise (Services)
333
333 SCADA
HIST
• Production Network
Management (PNM) Packaging PLSPLC PL4PLC Packaging Lines
• Control Centre Line 4 Sequencing
TrustSec-ACI Integration
What Policy integration example – Campus to Data Centre
Integration of TrustSec and ACI policy
groups enables customers to address Campus / Branch Datacentre
breach, segmentation & compliance TrustSec Policy Domain TrustSec SGTs mapped to and from ACI EPGs APIC-DC ACI Policy Domain
challenges by sharing policy groups
between TrustSec-enabled networks ISE
and ACI Data Centres. Production
Campus
Benefits Networks
Cohesive security policy

leveraging user roles and device Unified Non-
Coms. Compliant
Employee Control Physical
ACI
Systems Safety
type together with application And www
context Security Fabric
Industrial MES SCADA Site Database
Simplified security management Network
Director
App App Historian
App
Complementary group-based policy
approaches simplify security design,
operations and compliance
Capabilities
Consistent security policy groups can be shared between TrustSec and ACI domains:
End-to-end segmentation
Achieve consistent segmentation • Campus security groups can be used in ACI policies: ACI learns TrustSec Scalable Group Tags (SGTs), and
across the datacentre, branches, these SGTs are available for use by the APIC policy
users and devices • Endpoint Groups (EPGs) can be used in campus policies: ISE retrieves EPGs and creates SGTs
• Can also map groups between TrustSec-enabled Data Centres and ACI Data Centres
StealthWatch Aware of ACI Groups
Inter-Campus/Datacentre SGT-aware
StealthWatch
Policy Mapping
Integration of TrustSec and ACI policy SGTs in
groups allows us to make NetFlow NetFlow
aware of Groups from the DC Records APIC-DC
ISE
StealthWatch then receives NetFlow
ACI Group
with SGT information based on the DC
Info
groups from ACI
ACI Info
shared
using
Security
Group
www
Unified Non- Employee Control Physical
Tags
Coms. Compliant Systems Safety Industrial MES SCADA Site Database
And Network App App Historian
Security Director App
An Integrated Model
WWW
Threat Feeds and Security Intelligence

Cisco Web
DNS Security
Cisco Umbrella
Email
Security
Time to detection:
as little as
NG Firewalls
3.5 hours
Multi-Factor & Intrusion
Authentication Protection
Endpoint
Advanced
AnyConnect Malware
VPN NetFlow Protection
PxGrid StealthWatch
Anomaly Based
Directory Integrated Response Detection
Partner Ecosystem
Identity Services Engine SIEM, MDM, NBA,
Wired Wireless
#CLMEL VPN BRKIOT-1315 © 2019 Cisco and/or its IPS, IPAM,
affiliates. All rights etc.
reserved. Cisco Public 58
“Fools ignore complexity.
Pragmatists suffer it. Some can
avoid it. Geniuses remove it.”
Alan Perlis, American Scientist
Cisco Industrial Network Director – For OT users
Network management, device location, and visibility
Dashboard for monitoring Plug-and-play server for

alarms, system health, and zero-touch switch commissioning
traffic statistics
APIs for integration with Improved industrial asset visibility

automation systems and and network troubleshooting
security platforms with automation context
Native industrial
protocol support REST APIs for integration
with automation systems
Plug-and-play day-0
configuration OT intent-driven security
workflows through ISE integration
Operations user intent driven policy updates
Putting Operations Personnel in the driver’s seat
Switch
Port
Industrial Network Director PLC
Topology UI PxGrid attribute “Zone-
1” matches profiling
Tag policy-X and triggers
assets as Authorisation policy-Y dACL
Zone-1 NEW
pxGrid NEW
SGT
Update
Zone-
1 Industrial
OT User ISE
Network NEW
Director
VLAN
OT personnel use with IND UI to express intent pxGrid update results in automatic policy update
IT manages ISE. Operations use IND to express intent to influence Security Policy
Network Security
Evolution
Cloud Services Example
Telemetry Aggregation Analytics Analytics
Server Service Service
VM
VM
ISA-95 (Purdue) Model
VM
Datacentre
VLAN 24
VLAN 24
Enterprise
Network Level 5
VLAN 54
WAN Site Business Planning
and Logistics Network Level 4
Analytics Vendor X VRF

Telemetry Aggregation Server
Core Packaging VRF Demilitarised Zone1
Shared Access, “Jump Zone” Level 3.5
VM
Site Manufacturing Example of

Operations and Control Level 3
Fog
VLAN 14
Distribution Computing
Packaging
Zone P
Access Level 1
Basic Control
Control
Process Level 0
Intent-Based Networking
Policy
Domain Controller
Provision Intent Services
Create a new Packaging Line (virtual) network.
Set SCADA traffic IP priority to DSCP 27.
Allow boiler PLC <–> Historian OPC/UA traffic.
Orchestration Platform Network
Design
Users + Devices + Things
Assurance
Assurance
Network Telemetry Analytics
Management
Network Visibility
Assurance APIs Security
Device Management
Network Services Intrusion Detection
Automation
Data Flow Visibility Scalable Group Tagging Clocking
Network Firewalling VPNs Network Filters

Egress Queue / Schedule Quality of Service
Fabric Congestion Control
Technology Frequency Time

Marking
Segmentation
-Centric Policing / Shaping
Classification
VRF Connectivity, Forwarding
VLAN Tunnel and Pathing
Secure segmentation and on-boarding
Simplicity
Group 1 Group 2
Users • No VLAN, ACLs, or IP address
Employee virtual network management required
• Single network fabric
• Define one consistent policy
Devices Group 3 Group 4
Drag policy Production virtual network
to apply Security
Apps
• Simplified microsegmentation
Group 5 Group 6
• Policy enforcement
Contractor virtual network
Completely automated | Policy follows identity | Reduces lateral threat movement

Cisco Software Defined Access
Simplifying Campus Networking with Cisco Digital Network Architecture
Analytics ISA-95 (Purdue) Model

Service
Enterprise Analytics
Level 5 Service
Network
TLS
External Gateways Site Business Planning
Internet Cisco and Logistics Network Level 4
DNA External
Center Demilitarised Zone1
B B Shared Access, “Jump Zone” Level 3.5
Site Manufacturing
C Level 3
Operations and Control
Telemetry Servers
DMZ
Network
Fabric Identity
Services
Basic Control Level 1
Engine
Packaging Zone P
Process Level 0
Production
Telemetry
Packaging Zone P Application on VM1
Robots <-> Telemetry <->
Application on Analytics Cloud Service
Virtual Machine VM1 over Encrypted Tunnel T
Using HTTP Using HTTPS
IoT Switching portfolio
Aggregation
Access
Best in Class
IE5000
IE 3400 IE4000 IE4010
• Designed for all
industries
• For all industries
IE 3300 • Layer 2 • For all industries • Layer 2 or 3
IE 3200 • Layer 2 or 3
Feature
• 2 GE uplinks • Layer 2 or 3 (IP service)

• Up to 24 GE (IP service) (IP service) • 4 10 GE* uplinks
• Layer 2 ports • 4 GE uplinks • 4 GE uplinks • 24 GE downlinks
IE2000 IE2000U • Layer 2 • 2 GE uplinks • IEEE1588 PTP • Up to 20 GE • 28 total GE ports • IEEE1588 PTP
• 2 GE uplinks • Up to 24 GE • REP ports • IEEE1588 PTP (default and power
• 8 GE downlinks ports • IEEE1588 PTP (default and profiles)
• L2 or L3 (IP lite) • L2 or L3 (IP • IEEE1588 PTP • IEEE1588 PTP (default and
Roadmap power profiles) • Layer 2 NAT
• Small form factor services) Up to 8 power profiles)
IE1000 • IP30, IP67 • Small form factor
•
PoE/PoE+ ports
• Up to 16 • FNF
• Layer 2 NAT
• Layer 2 NAT • Up to 12 PoE/PoE+
PoE/PoE+ • PoE/PoE+ • Up to 12 or 24 • Dying gasp
• DLR (only Stratix) • PRP, REP • REP • REP • Up to 8 PoE /
• Layer 3 PoE/PoE+ • Cisco TrustSec
• MRP, REP • 1588 PTP PoE+ ports
• Lightly-managed • TrustSec® • Dying gasp SGT/SGACL
• Layer 2 NAT default and Roadmap Roadmap • Dying gasp
• Layer 2 only SGT/SGACL • Cisco TrustSec® • MACSec
• IEEE1588 PTP power profiles • FNF • FNF • Cisco® TrustSec
• 30 second • Layer 2 NAT, HW-ready • FNF
• Up to 8 PoE/PoE+ • Up to 4 • MACsec • Layer 3 SGT/SGACL
boot-up time • MACSec • MACSec HW- • TSN-ready
• Conformal PoE/PoE+ ports • Cisco DNA • MACSec • MACSec, FNF
• Web config tool • MRP, PRP, HSR ready • Stacking*
coating* Essentials • Profinet • Time-Sensitive
• Up to 8 • IOx • TSN-ready • Conformal coating*
• Cisco DNA • MRP Network (TSN)
PoE/PoE+ ports • TSN • IOx-ready • IOx-ready
Essentials • Cisco DNA E/A ready
• SDA FE • REP, PRP, HSR • REP, PRP, HSR
• Cisco DNA E/A • IOx • Cisco DNA E/A • Timing interfaces
• MRP, REP, PRP,
(IRIG-B, GPS, TOD)
HSR
• Cisco DNA E/A
• Cisco DNA E/A
10/100M 1G 10G
‘*’ –Selected Models
Extending Intent-Based Networking to IoT
IE 3200, IE 3300, IE 3400 SD-Access extended nodes
Cisco DNA Center
Automation
Policy Automation Analytics
Consistent policy across the
extended enterprise with
Cisco DNA Center and SDA Extension
IoT device visibility and policy

ISE for IoT: Visibility of IoT devices
SDA extension SDA fabric
with 600+ device profiles across
manufacturing, healthcare,
Industrial/IoT building automation
Streamline business operations

User mobility Cisco Operational Insights to unlock
Policy stays with user, IoT data to streamline operations
Device, Service
Extended enterprise Integrated network

(IoT network)
Catalyst IE3x00 Rugged Series – Extended Enterprise
Intent based Networking for IoT Edge to Multi-cloud
IE 3200 IE 3300 IE 3400 Warehouses
(basic) (flexible) (advanced)
Manageability
IBN – Cisco DNA Center management
and assurance*
Distribution centres
Redesigned, updated GUI – WEBUI
Stealthwatch with Netflow
Security
NG Secure Operating System IOS-XE Parking lots
IBN – enterprise fabric extension
IBN – enterprise fabric
Cisco TrustSec*
Airports
Differentiators
Advanced networking - Network Advantage*
Power over Ethernet - High density
* Post-FCS
Industrial Network Architecture Evolution
Today Future
CPwE CPwE (2013) + CPwE v5.1 TrustSec + VRF SDA for Industrial
Leading (TrustSec)
• IT ⬌ OT • Centralised • Fabric Network
Separation
Practice • Centralised
Dec.
2018 Firewalls • Centralised Firewalls
• North ⬌ South Network Design Firewalls • Fusion Routers • Fusion Routers
Firewalling • North ⬌ South • VRF ⬌ VRF • VRF ⬌ VRF Firewalling
• Centralised
Firewalling Firewalling • Zone ⬌ Zone RBACLs
• VLAN Firewalls
• East – West Zone • Zone ⬌ Zone • Intent-Based Networking
Segmentation • Fusion Routers
SGACLs SGACLs • Policy Controlled Security
• Zone ⬌ Zone
 Complex and • Policy Controlled • Policy Controlled
Firewalling • VRF Segmentation with
Inflexible Security Security
VNI+SGT (VXLAN
 Limited Security • VLAN + VRF
• SGT • VRF Networks encapsulation) Zones
Segmentation
Segmentation with SGT Zones • Simplifies and automates
 VLAN + VRF  No East-West within VRFs network and security
scalability issues Segmentation provisioning
Zone Stateful
Firewalling  Flexible, but rigid  Future for Industrial
design
methodology
required
Industrial Network Security Hierarchy
Embedded Processes Driven Security
Leadership
Production Team Systems Workflows Drive
security • APIs
• Customised Tools for non-security/network/operations staff
Layered Security Model (IT & OT),

Security Context Correlation across Layers,
Advanced Threat Security
Active Management with Dynamic Threat Updates
and Machine Learning,
Best Production ⬌ Enterprise ⬌ Cloud
NetOps and SecOps ➞ digital supply chain
Better
Traffic Flow Telemetry,
Adopt Centralised Policy Control Secure Visibility and Control
Map production/security Secure Network Environment

zones and traffic flows,
Whitelist Flows, Good • Apply Cisco Safe Guidelines
• Segment the Network into Production Zones
WWW/DNS/Email • Whitelist flow enforcement with logging
Baseline Exposed Network control plane, No AAA with multi-

factor Authentication, Flat Networks, Minimal
Production
Infrastructure and Inadequate Access Controls and Segmentation, No Web, Email
Systems or DNS security
Q&A
#CLMEL
Continue
your Cisco
Demos in
Labs Meet The
Expert
Related
sessions
education the World
of
Solutions
#CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Complete Your Online Session Evaluation
• Give us your feedback and receive a
complimentary Cisco Live 2019 Power
Bank after completing the overall event
evaluation and 5 session evaluations.
• All evaluations can be completed via
the Cisco Live Melbourne Mobile App.
• Don’t forget: Cisco Live sessions will be
available for viewing on demand after
the event at:
https://ciscolive.cisco.com/on-demand-library/
Thank you
#CLMEL
#CLMEL
References
• Cisco SAFE Design Guides
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html
• Cisco VRF-Lite
Cisco Network Virtualisation - Path Isolation Design Guide
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html
• Cisco Network Virtualisation - Path Isolation Design Guide

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html
• Cisco TrustSec Software-Defined Segmentation Platform and

Capability Matrix
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-
capability-matrix.pdf
References – Cisco Design Guides
• December 2018 – Deploying Network Security within a Converged
Plantwide Ethernet Architecture – Joint Cisco Systems and
Rockwell Automation design guide
https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/5-1/Network_Security/DIG/CPwE-5-1-
NetworkSecurity-DIG.html
References
• Kaspersky Lab Report – Pierre Audoin Consultants (PAC), CXP
Group, The State of Industrial Cybersecurity 2019
https://ics.kaspersky.com/media/2019-Kaspersky-ICS-Whitepaper.pdf
https://www.cert.gov.au/news/cyber-security-challenges-2019
https://acsc.gov.au/publications/protect/essential-eight-explained.htm
• “Crash Override / Industoyer” = Ukraine Power Grid Attack

https://www.wired.com/story/crash-override-malware/
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
https://en.wikipedia.org/wiki/Industroyer
• ISA analysis of 2015 Ukrainian Power Grid Cyberattacks

https://www.isa.org/intech/20190406/
Industrial Control Systems Training
• USA Department of Homeland Security ICS-CERT Virtual Learning
Portal (VLP) FREE
https://ics-cert-training.inl.gov/learn
• Good Reads
Industrial Cybersecurity, Pascal Ackerman
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78839-515-1
www.packtpub.com
Acronyms
AAA – Authentication, Authorisation, Accounting
ACI – (Cisco) Application Centric Infrastructure
ACK – Acknowledgement
ACL – Access Control List
AD – (Microsoft) Active Directory
API – Application Programming Interface
APIC – (Cisco) Application Policy Infrastructure Controller
APIC-DC – (Cisco) Application Policy Infrastructure Controller – DataCentre
ARP – Address Resolution Protocol
ASIC – Application-Specific Integrated Circuit
Acronyms
BGP – Border Gateway Protocol
BPDU – Bridge Protocol Data Unit
CoPP – Control Plane Policing
C&C – Command and Control
CC – Controlled Conduit
CEF – Cisco Express Forwarding
CIP – Common Industrial Protocol (ODVA)
CMD – Command
COS – Class Of Service
CPwE – Cisco Plantwide Ethernet
Acronyms
CRC – Cyclic Redundancy Check
CTS – Cisco TrustSec
dACL – Dynamic Access Control List
DAI – Dynamic ARP Inspection
DC – Datacentre
DDOS – Distributed Denial of Service
DHCP – Dynamic Host Configuration Protocol
DLR – Device Level Ring
DMVPN – Dynamic Multipoint Virtual Private Network
DMZ – Demilitarised Zone
Acronyms
DLR – Device Level Ring
DNS – Domain Name Service
DNA – (Cisco) Digital Network Architecture
DNA E/A/P – (Cisco) Digital Network Architecture Essentials/Advanced/Premium
Licensing
DSCP – (IP) Differentiated Services Code Point
DTP – (Cisco) Dynamic Trunking Protocol
EIGRP – Exterior Interior Gateway Routing Protocol
EPG – End Point Group
ERP – Enterprise Resource Planning
Acronyms
ERSPAN – Encapsulated Remote Switched Port Analyser
ETA – (Cisco) Encrypted Traffic Analytics
FNF – Flexible NetFlow
GPS – Global Positioning System
GE – Gigabit Ethernet
GETVPN – Group Encrypted Transport Virtual Private Network
GRE – Generic Routing Encapsulation
GUI – Graphical User Interface
HMI – Human Machine Interface
HR – Human Relations
Acronyms
HSR – High-availability Seamless Redundancy (Ring)
HTTP – Hypertext Transfer Protocol
HTTPS – Hypertext Transfer Protocol Secure
HW – Hardware
IACS – Industrial Automation and Control Systems
IBN – Intent-Based Networking
ICMP – Internet Control Message Protocol
ICS – Internet Control System
IE – Industrial Ethernet
IEC – International Electrotechnical Commission
Acronyms
IDS – Intrusion Detection System
IDMZ – Industrial De-Militarised Zone
IEEE – Institute of Electrical and Electronics Engineers
IETF – Internet Engineering Task Force
IKEv2 – Internet Key Exchange Version 2
IND – Industrial Network Director (Cisco)
IOS – (Cisco) Internet Operating System
IOS-XE – “XE” train of the (Cisco) Internet Operating System
IOx – Application environment for Cisco Networking Equipment
IP – Internet Protocol
Acronyms
IPAM – Internet Protocol Address Management
IPS – Intrusion Prevention System
IPSec – Internet Protocol Security (protocol suite)
ISA – International Society of Automation
ISE – Identity Services Engine (Cisco)
ISIS – Intermediate System to Intermediate System (Routing Protocol)
IND – (Cisco) Industrial Network Director
IOC – Indicators of Compromise
IRIG-B – Inter-Range Instrumentation Group time code “B”
IT – Internet Technology
Acronyms
ITSec – Internet Technology Security
L2 – (ISO Model) Layer 2
L3 – (ISO Model) Layer 3
LAN – Local Area Network
LDAP – Lightweight Directory Access Protocol
LIMS – Laboratory Information Management System
LSP – Label Switch Path
LTE – Long-Term Evolution (4G mobile communications standard)
Acronyms
NAT – Network Address Translation
MAB – MAC Authentication Bypass
MAC – Medium Access Control
MACsec – IEEE MAC Security Standard (IEEE 802.1AE)
MDM – Mobile Device Management
MES – Manufacturing Execution System
MRP – Media Redundancy Protocol
NAT – Network Address Translation
NBA – Network Behaviour Analysis
NTP – Network Time Protocol
Acronyms
ODVA – Open DeviceNet Vendor Association
OPC – Open Platform Communications (OPC Foundation)
OPC UA – OPC Unified Architecture
OPS – Operations
OSPF – Open Shortest Path First (Routing Protocol)
OT – Operations Technology
pxGrid – Platform Exchange Grid
PCN – Process Control Network
PLC – Programmable Logic Controller
POE – Power Over Ethernet
Acronyms
POE+ – Power Over Ethernet Plus
PRP – Parallel Redundancy Protocol
PTP – Precision Time Protocol
PVST+ – (Cisco) Rapid per VLAN Spanning Tree Plus
PROFINET – Process Field Net
PROFINET RT – PROFINET Real-Time
PROFINET IRT – PROFINET Isochronous Real-Time
QoS – Quality of Service
Acronyms
RADIUS – Remote Authentication Dial-In User Service
RBAC – Roll-Based Access Control
RBACL – Roll-Based Access Control List
RDP – Remote Desktop Protocol
REP – Resilient Ethernet Protocol
RIB – Routing Information Base
RSPAN – Remote Switch Port Analyser
Acronyms
SCADA – Supervisory Control And Data Acquisition
SDA – (Cisco) Software Defined Access
SGACL – Scalable Group Access Control List
SGT – Scalable Group Tag
SIEM – Security Information and Event Management
SNMP – Simple Network Management Protocol
SPAN – Switch Port Analyser
SPT – Spanning Tree
STP – Spanning Tree Protocol
SW – Software
Acronyms
TOD – Time Of Day
TCP – Transport Control Protocol
TLS – Transport Layer Security
TSN – Time Sensitive Networking
UADP – (Cisco ASIC) Unified Access Data Plane
UDP – User Datagram Protocol
USB – Universal Serial Bus
Acronyms
VoIP – Voice Over IP
VLAN – Virtual Local Area Network
VM – Virtual Machine
VN – Virtual Network
VXLAN – Virtual Extensible Local Area Network
VNI – VXLAN Network Identifier
VPN – Virtual Private Network
VRF – Virtual Routing and Forwarding
VSOM – (Cisco) Video Surveillance Operations Manager
Acronyms
VSS – Virtual Switching System
VTP – (Cisco) VLAN Trunking Protocol
VXLAN – Virtual Extensible Local Area Network
WAN – Wide Area Network
WEBUI – World Wide Web User Interface
WWW – World Wide Web

Industrial Network Security Architecture

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Industrial Network Security Architecture

Încărcat de

Drepturi de autor:

Formate disponibile

#CLMEL

Michael Boland, Distinguished Systems Engineer

Changes in Control and IT technologies, extended digital supply chains

Indeed security must be integrated end-to-end throughout IT and

Layer 3 Switch SDA Control Plane Nodes – Map System

HMI SDA Fabric Enabled Wireless Controller

Surveillance Camera SDA Fabric Enabled Wireless Access Point

Directory Server Layer 3 Virtual

Wireless Access Point StealthWatch

Plant production scheduling, Level 4

DMZ Demilitarisd Zone — Shared Access, “Jump Zone”

Manufacturing Zone Site Manufacturing Operations and Control Level 3

Area Control Level 2

Cell/Area Zone Basic Control Level 1

DMZ Demilitarised Zone — Shared Access, “Jump Zone”

Manufacturing Zone Site Manufacturing Operations and Control Level 3

Site Manufacturing Operations and Control Level 3

Area Control Level 2

Area Control HMI Level 2

Cell/Area Zone Basic Control Level 1

BEFORE DURING AFTER

Internet Industrial Physical Safety PCN Control

• Supervisory control and data acquisition

• Data gateways (OPC)

Source: Kaspersky LAB ICS CERT, September 2018

• Common Tactics, Techniques and Procedures1 include …

1US-CERT TA18-074A https://www.us-cert.gov/ncas/alerts/TA18-074A

• IT systems software patching

• Timely System backups

• IT/OT systems separation

• Compromised Credentials - Multi Factor Authentication

• Email and WWW attachment scanning/control

• Whitelist DNS from Industrial Networks to prevent “calling-home”

• Morphing threats – Automated Threat Updates

• Machine builders want access to

• Requesting direct machine-to-

• In some cases machines come

• Presents a security “backdoor”

• Network Element Services

• Enable logging for all network elements - syslog

• Partition (and filter) the network management address space

• Enable Control Plane Policing (CoPP)

• Implement IEEE 802.1AE (MACsec where supported) to protect network traffic,

WAN Services WAN Services LAN

Core IDS/IPS in traditional industrial network

• Network usage measurements DESTINATION PORT 443

• An ability to find north-south as Switches

• Indications of compromise (IOC) TCP FLAGS 0x1A

• Security group information SOURCE SGT 100

Event Data Security Events Behavioural Analytics

Session Data | 100% network accountability

1.1.1.1 2.2.2.2 3.3.3.3 80/tcp Doug http 20M location 00:2b:1f 10

User Interface TrustSec Threat Feed Group / NAT/Proxy LAYER 7 Cloud

Centralised NetFlow Collectors and StealthWatch

virtual networks” VRF

Segmentation Address – MAC / IP /

IP Routing to the Access

Core Require another

Distribution VLANs restricted to

Spanning Tree Protocols

Control Extending Control Layer

“Virtual Routing and • Interconnect options

routing tables concurrently” VRF green

VRF router ospf 100 vrf green