PUBLIC Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved. 1Rockwell Automation TechED 2017 @ROKTechED #ROKTechED
Deploy Secure Network Architectures for The Connected Enterprise
Abstract
• Protecting industrial automation and control system (IACS) assets requires a holistic defense-in-depth security approach that addresses both internal and external security threats. This session reviews the security design and implementation considerations within the Cisco and Rockwell Automation® reference architectures. Learn about the architectural security framework, identity services, the IDMZ, the Stratix® 5950 security appliance and Cisco Adaptive Security Appliance (ASA) firewall solutions to help you improve the availability, integrity and confidentiality of your network architecture. Prior attendance of the Building Converged Plantwide Ethernet Architectures session is recommended.
Agenda
• Identity Services Engine (ISE)
• Firewalls in the CPwE Security Framework: Firewall Technology, Deep Packet Inspection, Stratix® 5950 Security Appliance
• Industrial Demilitarized Zone (IDMZ)
• Converged Plantwide Ethernet Industrial Network Security Framework
• Cybersecurity Framework
Converged Plantwide Ethernet Industrial Network Security Framework
Industrial IT (Bridging OT-IT), Industrial IoT
Cisco and Rockwell Automation® Alliance

Joint Product Collaboration: Stratix® 5900 Services Router, Stratix® 5950 Industrial Firewall, Stratix® 5100 Wireless Access Point/Workgroup Bridge, and Stratix® 5000/Stratix® 8000 families of managed industrial Ethernet switches combine the best of both Rockwell Automation® and Cisco.

Converged Plantwide Ethernet (CPwE) Architectures: Collection of tested and validated architectures developed by subject matter authorities at Cisco and Rockwell Automation®. The content of CPwE is relevant to both Operational Technology (OT) and Information Technology (IT) disciplines and consists of documented architectures, best practices, guidance and configuration settings to help manufacturers with design and deployment of a scalable, reliable, safe, secure and future-ready plant-wide industrial network infrastructure.

Common Technology View: A single scalable architecture, using open and standard Ethernet and IP networking technologies, such as EtherNet/IP, enabling the Industrial Internet of Things to help achieve the flexibility, visibility and efficiency required in a competitive manufacturing environment.

People and Process Optimization: Education and services to facilitate OT and IT convergence, assist with successful architecture deployment, and enable efficient operations that allow critical resources to focus on increasing innovation and productivity.
Converged Plantwide Ethernet (CPwE)
Industrial IT (Bridging OT and IT), Industrial IoT
• Tested, validated and documented reference architectures
  – Comprised of a collection of Cisco and Rockwell Automation® validated architectures, following the Cisco Validated Design (CVD) program
  – Developed from application and technology use cases
  – Industry neutral, one-to-many approach; customers adapt to meet their application needs
  – Tested for performance, availability, repeatability, scalability and security by subject matter authorities at Cisco and Rockwell Automation® CPwE test labs
  – Built on technology and industry standards (IEC, IEEE, IETF)
  – “Future-ready” network design
  – Content relevant to both OT and IT Engineers
• Deliverables
  – White Papers, Design & Implementation Guides: recommendations, best practices, documented test results and configuration settings
• Proven architectures:
  – Helps customers to reduce their costs by simplifying their designs, accelerating their deployments, and reducing their risk in deploying new technology
CPwE Architectures
Collection of Standalone Cisco and Rockwell Automation® Validated Designs (release timeline):
• CPwE Baseline – Sept. 2011
• CPwE REP – June 2014
• CPwE WLAN – Nov. 2014
• CPwE NAT – June 2015
• CPwE ISE – July 2015
• CPwE IDMZ – July 2015
• CPwE Resiliency – Dec. 2015
• CPwE Migration – Jan. 2016
• CPwE VPN – March 2016
• CPwE Ind. Firewall – Dec. 2016
• CPwE Ind. Comp. – July 2017
CPwE Test Labs
• Rockwell Automation® – Mayfield Heights, OH
• Cisco – Raleigh, NC (RTP)
• Panduit – Tinley Park, IL
CPwE Technical Resources
Topic | Design Guide | Whitepaper
Design Considerations for Securing IACS Networks | — | ENET-WP031A-EN-P
Converged Plantwide Ethernet – Baseline Document | ENET-TD001E-EN-P | —
Resilient Ethernet Protocol in a CPwE Architecture | ENET-TD005B-EN-P | ENET-WP033A-EN-P
Deploying 802.11 Wireless LAN Technology within a CPwE Architecture | ENET-TD006A-EN-P | ENET-WP034A-EN-P
Deploying Identity Services within a CPwE Architecture | ENET-TD008A-EN-P | ENET-WP037A-EN-P
Securely Traversing IACS Data Across the Industrial Demilitarized Zone (IDMZ) | ENET-TD009A-EN-P | ENET-WP038A-EN-P
Deploying Network Address Translation within a CPwE Architecture | ENET-TD007A-EN-P | ENET-WP036A-EN-P
Migrating Legacy IACS Networks to a CPwE Architecture | ENET-TD011A-EN-P | ENET-WP040A-EN-P
Deploying A Resilient Converged Plantwide Ethernet Architecture | ENET-TD010A-EN-P | ENET-WP039B-EN-P
Site-to-site VPN to a CPwE Architecture | ENET-TD012A-EN-P | —
Deploying Industrial Firewalls within a CPwE Architecture | ENET-TD002A-EN-P | ENET-WP011A-EN-P
Industrial IT (Bridging OT-IT), Industrial IoT
CPwE: Secure Connectivity between Manufacturing and Business Systems
(Figure: CPwE plant-wide architecture. Recoverable labels by zone:)
• Enterprise Zone, Levels 4-5 (Information Technology): Wide Area Network (WAN), External DMZ/Firewall, Internet, Enterprise Identity Services; Data Center - Virtualized Servers: ERP - Business Systems; Email, Web Services; Security Services - Active Directory (AD), Identity Services (AAA); Network Services – DNS, DHCP; Call Manager.
• Industrial Demilitarized Zone (IDMZ) (Industrial IT): Plant Firewalls – Active/Standby, Inter-zone traffic segmentation, ACLs, IPS and IDS, VPN Services, Portal and Remote Desktop Services proxy; Physical or Virtualized Servers: Patch Management, AV Server, Application Mirror, Remote Desktop Gateway Server.
• Industrial Zone, Levels 0–3 (Plant-wide Network) (Operational Technology). Level 3 - Site Operations (Control Room): Core Switches, Distribution Switch Stack, Remote Access Server, Identity Services, Active/Standby Wireless LAN Controller (WLC), HMI; Physical or Virtualized Servers: FactoryTalk® Application Servers and Services Platform; Network & Security Services – DNS, AD, DHCP, Identity Services (AAA); Storage Array.
• Cell/Area Zones, Levels 0–2 (Lines, Machines, Skids, Equipment), shown in three variants: Redundant Star Topology - Flex Links Resiliency with Unified Wireless LAN; Linear/Bus/Star Topology with Autonomous Wireless LAN; Ring Topology - Resilient Ethernet Protocol (REP) with Unified Wireless LAN. Devices: Rockwell Automation® Stratix® 5000/Stratix® 8000 Layer 2 Access Switches, Industrial Firewall (IFW), Access Switches, LWAP/AP with 2.4 GHz and 5 GHz SSIDs, WGB, HMI, Controller, Safety Controller, I/O, Safety I/O, Drive, Servo Drive, Soft Starter, Robot, Camera, Phone, Instrumentation.
Logical Framework
Converged Plantwide Ethernet (CPwE)
• Operational Technology: EtherNet/IP (Industrial Protocol), Real-time Control and Information, Industrial Security Policies, Wired and Wireless LANs (Unified and Autonomous WLAN), Fast Network Resiliency, Traffic Segmentation, Data Prioritization, Ease of Use
• Secure Application and Data Share, Inter-zone Segmentation, Access Control, Threat Protection
• Industrial IT: Industrial Security Policies, Site Operations, Network Resiliency, Virtualization, Traffic Segmentation, Routing, Network and Security Management
• Information Technology: Enterprise Security Policies, Collaboration Tools, Unified Wireless, Business Application Optimization
(Figure: the same CPwE plant-wide architecture diagram as the previous slide, overlaid with these discipline areas.)
Industrial Security Standards
• International Society of Automation
  – IEC-62443 (Formerly ISA99), Industrial Automation and Control Systems (IACS) Security
  – Zones and Conduits
  – Defense-in-Depth
  – IDMZ Deployment
• National Institute of Standards and Technology
  – NIST 800-82, Industrial Control System (ICS) Security
  – Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
  – Defense-in-Depth
  – IDMZ Deployment
• The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
  – Secure Architecture Design
  – Defense-in-Depth
  – IDMZ Deployment
• Department of Homeland Security / Idaho National Lab
  – DHS INL/EXT-06-11478, Control Systems Cyber Security: Defense-in-Depth Strategies
  – Defense-in-Depth
  – IDMZ Deployment
Industrial Network Security Framework
CPwE - Holistic Defense-in-Depth
(Figure: CPwE architecture with the roles responsible for each layer of the defense. Enterprise Zone: Levels 4-5 with Enterprise Identity Services, External DMZ/Firewall and Internet; Industrial Demilitarized Zone (IDMZ) with Physical or Virtualized Servers: Patch Management, AV Server, Application Mirror, Remote Desktop Gateway Server; Industrial Zone: Levels 0-3 with Level 3 – Site Operations (Core Switches, Distribution Switch Stack, Active/Standby Wireless LAN Controller (WLC)), Level 2 – Area Supervisory Control (FactoryTalk® Client), Level 1 - Controller (Controller, Drive, IFW, LWAP with 2.4 GHz and 5 GHz SSIDs, WGB) and Level 0 - Process (I/O, Soft Starter, MCC). Role annotations: Control System Engineers; Control System Engineers in Collaboration with IT Network Engineers (Industrial IT); IT Security Architects in Collaboration with Control Systems Engineers.)
Industrial Demilitarized Zone (IDMZ)
IDMZ
(Figure: the same CPwE holistic defense-in-depth diagram as the previous slide, introducing the Industrial Demilitarized Zone (IDMZ) section.)
Controlling Access to the Industrial Zone
CPwE Logical Model – Industrial Automation and Control System (IACS)
Converged Multi-discipline Industrial Network
No Direct Traffic Flow between Enterprise and Industrial Zone
(Figure: CPwE logical model by level and security zone. Recoverable content:)
Enterprise Security Zone, Levels 4-5 (Web, Email)
• Level 5 – Enterprise Network
• Level 4 – Site Business Planning and Logistics Network: Email, Intranet, etc.
Industrial DMZ, Level 3.5 (Firewall on each side): Remote Desktop Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Reverse Proxy
Industrial Security Zone(s), Levels 0-3 (CIP)
• Level 3 – Site Operations: FactoryTalk® Application Server, FactoryTalk® Directory, Engineering Workstation, Remote Access Server
Cell/Area Zone(s), Levels 0-2
• Level 2 – Area Supervisory Control: FactoryTalk® Client, Operator Interface, Engineering Workstation
• Level 1 – Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
• Level 0 – Process: Sensors, Drives, Actuators, Robots
What is an Industrial DMZ?
• An IDMZ, or industrial demilitarized zone, is a sub-network placed between a trusted network (industrial) and an untrusted network (enterprise). The IDMZ contains business-facing assets that act as brokers between the trusted and untrusted networks.
• Traffic never travels directly across the IDMZ.
• A properly designed IDMZ can be unplugged if compromised and still allow the industrial network to operate without disruption.
Demilitarized Zone (DMZ)
• Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.
(Figure: Internet (UNTRUSTED) → Web Proxy (BROKER) → internal network (TRUSTED).)
Industrial Demilitarized Zone (IDMZ)
Controlling Access to the Industrial Zone
• Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the IDMZ is to add an additional layer of security to the trusted network.
(Figure: Enterprise Security Zone (TRUSTED? UNTRUSTED?) → Industrial DMZ (BROKER) → Industrial Security Zone (TRUSTED).)
IDMZ – Replicated Data and Services
(Figure: CPwE architecture with the IDMZ firewall policy annotated. Recoverable content:)
• Enterprise Zone, Levels 4-5: Wide Area Network (WAN), WLC (Enterprise), ISE (Enterprise); Physical or Virtualized Servers: ERP, Email; Active Directory (AD), AAA – Radius; Call Manager. Users shown: Plant Manager (Web Reports), Engineer (Remote Access), Untrusted.
• Industrial Demilitarized Zone (IDMZ): Firewalls (Active/Standby), Firewall (Inspect Traffic) on each side; Web Proxy; Remote Desktop Gateway; Physical or Virtualized Servers: Patch Management, AV Server, Application Mirror, Remote Desktop Gateway Server.
• Industrial Zone, Levels 0-3. Level 3 Site Operations: Core switches, Distribution switch, ISE, WLC (Active/Standby), Remote Access Server, VantagePoint®; Physical or Virtualized Servers: FactoryTalk® Application Servers & Services; Network Services – e.g. DNS, AD, DHCP, AAA; Call Manager; Storage Array. Cell/Area Zone, Levels 0-2: PAC, IO, Drive, MCC, FactoryTalk® Client, LWAP, WGB.
Firewall policy shown:
• Permit Secure Remote Access to Industrial Assets – the Engineer's Remote Access terminates on the IDMZ Remote Desktop Gateway (Permit)
• Permit Data from the Industrial Zone to Enterprise Stakeholders – the Plant Manager's Web Reports request terminates on the IDMZ Web Proxy (Permit)
• Block Untrusted Access to Industrial Zone (Block)
• Block Untrusted Access to Enterprise Zone (Block)
Industrial Demilitarized Zone (IDMZ)
Design Tenets – Best Practices
• All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
• Only path between zones
• No common protocols in each logical firewall
• No control traffic into the IDMZ, CIP stays home
• No primary services are permanently housed in the IDMZ
• IDMZ shall not permanently house data
• Application data mirror to move data into and out of the Industrial Zone
• Limit outbound connections from the IDMZ
• Be prepared to “turn-off” access via the firewall
(Figure: Enterprise Security Zone (Trusted? Untrusted?) – Disconnect Point – IDMZ with Replicated Services – Disconnect Point – Industrial Security Zone (Trusted); No Direct Traffic between the two security zones.)
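The tenets above that can be checked mechanically (traffic terminates in the IDMZ, CIP stays home, no common protocol through both logical firewalls, few IDMZ-initiated connections) applied to a rule set, as an added example that is not part of the Rockwell Automation or Cisco material; the `Rule` model, the zone and firewall names and `SAMPLE_RULES` are constructed, and the CIP ports are the standard EtherNet/IP ports.

```python
"""Evaluate IDMZ firewall rule sets against the CPwE design tenets.

Added example; the Rule model, zone/firewall names and SAMPLE_RULES are
constructed for illustration. The EtherNet/IP (CIP) ports are the standard
ones: TCP/UDP 44818 (explicit messaging) and UDP 2222 (implicit I/O).
"""
from dataclasses import dataclass

ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"
ENTERPRISE_FW = "enterprise_fw"    # logical firewall between Enterprise Zone and IDMZ
INDUSTRIAL_FW = "industrial_fw"    # logical firewall between IDMZ and Industrial Zone

CIP_SERVICES = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Rule:
    firewall: str
    src_zone: str
    dst_zone: str
    proto: str        # "tcp" or "udp"
    port: int         # destination port; 0 means "any" in this toy model
    action: str       # "permit" or "deny"
    comment: str = ""


def check_idmz_tenets(rules):
    """Return (tenet, rule) findings for every permit rule that breaks a tenet.

    An empty list means the rule set honours the three machine-checkable
    tenets: traffic terminates in the IDMZ, CIP stays home, and no protocol
    is permitted through both logical firewalls.
    """
    findings = []
    permits = [r for r in rules if r.action == "permit"]

    for r in permits:
        # Tenet: all traffic from either side terminates in the IDMZ.
        if IDMZ not in (r.src_zone, r.dst_zone):
            findings.append(("traffic must terminate in the IDMZ; no direct traversal", r))
        # Tenet: no control traffic into the IDMZ (CIP stays home).
        if r.dst_zone == IDMZ and (r.proto, r.port) in CIP_SERVICES:
            findings.append(("no control traffic into the IDMZ; CIP stays home", r))

    # Tenet: no common protocols on the two logical firewalls. A service that is
    # open on both sides lets one protocol be relayed Enterprise -> Industrial.
    per_fw = {fw: {(r.proto, r.port) for r in permits if r.firewall == fw}
              for fw in (ENTERPRISE_FW, INDUSTRIAL_FW)}
    common = per_fw[ENTERPRISE_FW] & per_fw[INDUSTRIAL_FW]
    for r in permits:
        if (r.proto, r.port) in common:
            findings.append(("no common protocols on the two logical firewalls", r))
    return findings


def idmz_initiated(rules):
    """Permit rules where the IDMZ opens the connection; the tenet says keep these few."""
    return [r for r in rules if r.action == "permit" and r.src_zone == IDMZ]


# Constructed sample: two compliant rules, then three tenet violations.
SAMPLE_RULES = [
    Rule(ENTERPRISE_FW, ENTERPRISE, IDMZ, "tcp", 443, "permit",
         "HTTPS from Enterprise clients to the RD Gateway / reverse web proxy"),
    Rule(INDUSTRIAL_FW, IDMZ, INDUSTRIAL, "tcp", 3389, "permit",
         "RDP from the RD Gateway to the Industrial Zone terminal server"),
    Rule(INDUSTRIAL_FW, ENTERPRISE, INDUSTRIAL, "tcp", 3389, "permit",
         "VIOLATION: RDP straight from Enterprise to Industrial Zone"),
    Rule(INDUSTRIAL_FW, INDUSTRIAL, IDMZ, "tcp", 44818, "permit",
         "VIOLATION: EtherNet/IP explicit messaging into the IDMZ"),
    Rule(ENTERPRISE_FW, ENTERPRISE, IDMZ, "tcp", 445, "permit",
         "VIOLATION (pair): SMB into the IDMZ ..."),
    Rule(INDUSTRIAL_FW, IDMZ, INDUSTRIAL, "tcp", 445, "permit",
         "VIOLATION (pair): ... and SMB onward, same protocol end to end"),
    Rule(ENTERPRISE_FW, ENTERPRISE, INDUSTRIAL, "tcp", 0, "deny", "default deny"),
]

if __name__ == "__main__":
    for tenet, rule in check_idmz_tenets(SAMPLE_RULES):
        print(f"{tenet}: {rule.firewall} {rule.src_zone}->{rule.dst_zone} "
              f"{rule.proto}/{rule.port} ({rule.comment})")
    print(f"{len(idmz_initiated(SAMPLE_RULES))} IDMZ-initiated permit rule(s) to review")
```

The remaining tenets (no primary services or permanent data in the IDMZ, a rehearsed "turn-off" at the disconnect points) are organisational and are not expressible as rule checks.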
Industrial Demilitarized Zone (IDMZ)
Controlling Access to the Industrial Zone
• Set up functional sub-zones in the IDMZ to segment access to data and services (e.g. Partner zone, Operations, IT)
• If the IDMZ is compromised, it will be the buffer between the Enterprise and Industrial Zone
• Most attacks will attempt to pivot to other machines on the same network
• Use the Firewall, Intrusion Detection and Intrusion Prevention to stop the “pivot”
(Figure: Enterprise Zone (Trusted? Untrusted?) – Disconnect Point – IDMZ with Multiple Functional Subzones: Terminal Services, Patch Management, Historian Mirror, Web Services Operations, Application Server, AV Server (lateral traffic between subzones marked Block) – Disconnect Point – Industrial Zone (Trusted); No Direct Traffic.)
Controlling Access to the Industrial Zone
One Size Does Not Fit All
(Figure: seven ways of joining the Plant-wide Network to the Enterprise-wide Network, in increasing order of separation.)
Not Recommended:
• Figures 1–3 – Enterprise-wide Network and Plant-wide Network with no dedicated separation device
• Figure 4 – Switch with VLANs
Recommended – depending on end users' standards, security policies and procedures, risk tolerance, and alignment with applicable IACS Security Standards:
• Figure 5 (Silver) – Router (Zone Based FW)
• Figure 6 (Gold) – Firewall
• Figure 7 (Platinum) – IDMZ
“Typical” Systems We’ve Seen Involved in IDMZ Designs
(Figure: use cases and the component involved in each zone, reconstructed as a table; traffic crosses a Firewall (Inspect) at each IDMZ boundary.)
Use Case | Enterprise Zone: Levels 4-5 | Industrial Demilitarized Zone (IDMZ) | Industrial Zone: Levels 0-3
User Wants Historian Data and Reports | Historian | PI to PI Connector | Historian
Domain Controller Replication | Domain Controller | Domain Controller | Domain Controller
User Wants Web Reports | Web Reports | Reverse Web Proxy | Web Servers
Configure, Troubleshoot Industrial Zone Asset | Remote Desktop Client | Remote Desktop Gateway | Terminal Server
Update AV and Install O.S Patches | O.S Patch, Anti Virus Update | Anti Virus & WSUS Server | Servers, Desktops, Laptops
User Wants to Send / Retrieve Files | Secure File Transfer | Secure File Transfer Gateway | Ind. Zone File Server
Synchronized Time Across All Zones | NTP Master Server | IDMZ NTP Server | NTP Server
FactoryTalk® Historian Data Transfer
1) Controller data is sent to the Historian SE database via RSLinx® Enterprise (FactoryTalk® Live Data).
2 & 3) Data is sent from the Industrial Zone Historian SE to the Enterprise Historian SE through the PI to PI connector.
4) FactoryTalk® VantagePoint® (VP) gathers preconfigured data from the Enterprise Historian SE to generate reports.
5) A FactoryTalk® VantagePoint® client requests a web report based on the data collected from the Enterprise Historian SE data.
(Figure: CPwE architecture with the numbered flows: Historian SE, RSLinx® Enterprise and FactoryTalk® Directory in Level 3 Site Operations; PI to PI in the IDMZ between the Active/Standby firewalls; Historian SE (Enterprise), VantagePoint® Server and Historian / VP Client (Data Request) in the Enterprise Zone.)
Remote Desktop Gateway
• Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway (TS Gateway), is a role in the Remote Desktop Services server role included with Windows Server® 2008 R2
• Enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.
• RD Gateway transmits RDP traffic to port 443 by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel.
• RD Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls
http://technet.microsoft.com/en-us/library/cc731150.aspx
(Figure: Remote Desktop Clients in the Enterprise Zone connect over HTTPS to the Remote Desktop Gateway on Windows Server 2008 R2 in the IDMZ, which connects over RDP (3389) to the Active Directory Server, Historian Server and Application Server(s) in the Industrial Zone.)
Remote Desktop Session Host CALs
• Anyone who wants to connect to a Remote Desktop Session Host (Terminal Server) must have a Client Access License (CAL)
• Consult Microsoft to validate your CAL questions: http://www.microsoft.com/licensing/about-licensing/client-access-license.aspx
Remote Desktop Gateway: 1 of 2
(Figure: users in the Enterprise Zone, Levels 4 and 5 – Al Admin (Group = ProdAdmins), Ed Engineer (Group = Engineers), Matt Maint (Group = Maintenance), Joe Oemone (Group = OEM One), Bob Oemtwo (Group = OEM Two) – reach the Remote Desktop Gateway in the IDMZ through a Firewall (Inspect Traffic) on each side, and from there the Terminal Server in the Industrial Zone, Levels 0 - 3.)
Access matrix for the Terminal Server asset. Permission columns: Direct Access Via Remote Desktop Gateway | Access Via IACS Terminal Server | Studio 5000® Project: Open | Studio 5000® Tag: Force | Studio 5000® Firmware: Update (marks as extracted; empty cells are not preserved)
Asset | Group | User | Permissions
Terminal Server | Operators | Oscar Operator | —
Terminal Server | Maintenance | Matt Maint | x — x x
Terminal Server | Engineers | Ed Engineer | x — x x x
Terminal Server | ProdAdmins | Al Admin | x — x x x
Terminal Server | OEM1 (Trusted Partner) | Joe Oemone | x — x
Terminal Server | OEM2 (Trusted Partner) | Bob Oemtwo | x — x
Resource Authorization Policies (RAP) - Who can connect?
Connection Authorization Policies (CAP) – What can they connect to?
Remote Desktop Gateway: 2 of 2
(Figure: the same users, Remote Desktop Gateway, firewalls and zones as the previous slide, with the Engineering Workstation in the Industrial Zone as the accessed asset.)
Access matrix for the Engineering Workstation asset. Permission columns: Direct Access Via Remote Desktop Gateway | Access Via IACS Terminal Server | Studio 5000® Project: Open | Studio 5000® Tag: Force | Studio 5000® Firmware: Update (marks as extracted; empty cells are not preserved)
Asset | Group | User | Permissions
Engineering Workstation | Operators | Oscar Operator |
Engineering Workstation | Maintenance | Matt Maint | x x x
Engineering Workstation | Engineers | Ed Engineer | x x x x x
Engineering Workstation | ProdAdmins | Al Admin | x x x x x
Engineering Workstation | OEM1 (Trusted Partner) | Joe Oemone | x x
Engineering Workstation | OEM2 (Trusted Partner) | Bob Oemtwo | x x
Resource Authorization Policies (RAP) - Who can connect?
Connection Authorization Policies (CAP) – What can they connect to?
FactoryTalk® View SE Server Via Remote Desktop Gateway
1) VPN Session established with customer site
2) Remote Desktop Connection application is launched from the remote user’s computer. The user enters the Industrial Zone Remote Session Host’s address as the target desktop and starts the session
3) The Remote Desktop Gateway server in the IDMZ validates the SSL certificate and the User Name and Password.
4) The Remote Session Host’s desktop is now presented to the remote desktop user
(Figure: Remote Desktop Client → Internet / External DMZ / Firewall → Enterprise WAN → Remote Desktop Gateway in the IDMZ between the Active/Standby firewalls → Terminal Server running the View SE Client in Level 3 Site Operations, alongside the View SE Server, RSLinx® Enterprise (FactoryTalk® Live Data) and FactoryTalk® Directory.)
FactoryTalk® View SE Server Via Cisco ASA RDP Plug-in
1) VPN Session established with customer site
2) User enters the ASA Firewall URL in an Internet browser and is authenticated to the ASA Firewall
3) The ASA portal presents the pre-configured URLs to the Industrial Zone Terminal Server.
4) The Remote Session Host’s desktop is now presented to the remote desktop user
(Figure: Remote Client → Internet / External DMZ / Firewall → Enterprise WAN → Cisco ASA RDP Plug-in in the IDMZ between the Active/Standby firewalls → Terminal Server running the View SE Client in Level 3 Site Operations, alongside the View SE Server, RSLinx® Enterprise (FactoryTalk® Live Data) and FactoryTalk® Directory.)
Web Proxies
(Figure: Requesting Clients → Forward Web Proxy → Internet → Reverse Web Proxy → Application Server(s).)
• Forward Proxies “Hide” the Clients
• Reverse Proxies “Hide” the Servers
Reverse Web Proxy in the IDMZ
Same concept: the Reverse Web Proxy “hides” the FactoryTalk® web servers
(Figure: Requesting Clients in the Enterprise Zone → Reverse Web Proxy in the IDMZ → FactoryTalk® Metrics Server, VantagePoint® Server and FactoryTalk® ViewPoint Server in the Industrial Zone.)
Reverse Web Proxy Operation
(Figure: the Enterprise client in the Enterprise Zone sends HTTPS to the Proxy URL; the Reverse Web Proxy (ProdWebServerProx) in the IDMZ sends HTTP/HTTPS to the Server URL of the Web Application Server(s) (ProdWebServer) in the Industrial Zone. Steps 1–6:)
1) Enterprise client requests Web Report from https://ProdWebServerProx/Main.html - Reverse Web Proxy
2) Reverse Web Proxy rewrites the URL to https://ProdWebServer/Main.html
3) Sends request to ProdWebServer for Main.html
4) ProdWebServer receives request and sends Main.html web page to ProdWebServerProx.
5) ProdWebServerProx receives Main.html web page and forwards the web page content but rewrites the URL to https://ProdWebServerProx/Main.html
6) Enterprise client displays the content of Main.html and the URL reads http://ProdWebServerProx/Main.html
Now Supported
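The six-step rewrite above in code, as an added example that is not Rockwell Automation or Cisco code: the host names ProdWebServerProx and ProdWebServer follow the slide, while `fake_origin`, `SAMPLE_BODY` and the response headers are constructed stand-ins for the Industrial Zone web server.

```python
"""URL rewriting in an IDMZ reverse web proxy, following the six-step flow.

Added example; not Rockwell Automation or Cisco code. The host names follow
the slide (ProdWebServerProx in the IDMZ, ProdWebServer in the Industrial
Zone); the HTML body, headers and the fake origin server are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

PROXY_HOST = "ProdWebServerProx"   # name published to Enterprise clients (HTTPS only)
SERVER_HOST = "ProdWebServer"      # Industrial Zone web application server
SERVER_SCHEME = "https"            # the proxy-to-server leg may be HTTP or HTTPS

# Match the server's own URLs in headers and body. The negative lookahead stops
# "ProdWebServer" from matching inside "ProdWebServerProx", which would otherwise
# be rewritten a second time into a host that does not exist.
_SERVER_URL = re.compile(r"https?://" + re.escape(SERVER_HOST) + r"(?![A-Za-z0-9.-])",
                         re.IGNORECASE)


def rewrite_request_url(client_url):
    """Step 2: https://ProdWebServerProx/Main.html -> https://ProdWebServer/Main.html."""
    parts = urlsplit(client_url)
    if parts.scheme != "https" or (parts.hostname or "").lower() != PROXY_HOST.lower():
        raise ValueError("only HTTPS requests for the published proxy name are served")
    return urlunsplit((SERVER_SCHEME, SERVER_HOST, parts.path, parts.query, ""))


def to_proxy_url(text):
    """Replace every server URL with the equivalent proxy URL."""
    return _SERVER_URL.sub("https://" + PROXY_HOST, text)


def rewrite_response(headers, body):
    """Step 5: hide the server name in the Location header and in the page content."""
    new_headers = {k: (to_proxy_url(v) if k.lower() == "location" else v)
                   for k, v in headers.items()}
    return new_headers, to_proxy_url(body)


def proxy_exchange(client_url, origin):
    """Steps 1-6 end to end. `origin` stands in for ProdWebServer: url -> (status, headers, body)."""
    server_url = rewrite_request_url(client_url)        # steps 2-3
    status, headers, body = origin(server_url)           # step 4
    headers, body = rewrite_response(headers, body)      # step 5
    return status, headers, body                         # step 6: the client only ever sees the proxy URL


# Constructed origin: serves Main.html with links that name the real server.
SAMPLE_BODY = ('<a href="https://ProdWebServer/Reports/Daily.html">Daily</a>\n'
               '<img src="https://ProdWebServer/img/logo.png">\n'
               '<a href="https://ProdWebServerProx/Main.html">Home</a>\n')


def fake_origin(url):
    if urlsplit(url).path == "/Main.html":
        return 200, {"Content-Type": "text/html"}, SAMPLE_BODY
    return 302, {"Location": "https://ProdWebServer/Main.html"}, ""


if __name__ == "__main__":
    status, headers, body = proxy_exchange("https://ProdWebServerProx/Main.html", fake_origin)
    print(status, headers)
    print(body)
```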
Secure File Transfer
1) A manual file transfer is initiated from the Industrial Zone.
2) The user is authenticated on the Secure File Transfer Gateway and the file is transferred, inspected and saved
3) The Enterprise user logs onto the Secure File Transfer Gateway and retrieves the file
4) The Enterprise user wants to transfer a file to the Industrial Zone. The Enterprise user initiates a manual file transfer
5) The user is authenticated on the Secure File Transfer Gateway and the file is transferred, inspected and saved
6) The Industrial Zone user logs onto the Secure File Transfer Gateway and retrieves the file
(Figure: CPwE architecture with the Secure File Transfer Gateway in the IDMZ between the Active/Standby firewalls; Manual File Transfer flows from the Industrial Zone (1–3) and from the Enterprise Zone (4–6), each terminating on the gateway.)
Network Time Protocol (NTP)
[Diagram: CPwE architecture with the Corporate Master NTP Server in the Enterprise Zone (Levels 4-5), the IDMZ NTP Server in the Industrial Demilitarized Zone (IDMZ) and the Industrial Zone NTP Server at Level 3 Site Operations; steps 1-2 below]
1) The Corporate Master NTP Server sends NTP time to the IDMZ NTP Server.
2) The Corporate Master NTP Server sends NTP time to the Industrial Zone NTP Server.
Domain Controller – Bi-directional Replication
[Diagram: CPwE architecture with the Enterprise Zone Domain Controller in the Enterprise Zone (Levels 4-5) and the Industrial Zone Domain Controller at Level 3 Site Operations, replicating through the Industrial Demilitarized Zone (IDMZ); steps 1-2 below]
1) The Enterprise Domain Controller replicates any changes to the Industrial Zone Domain Controller.
2) The Industrial Domain Controller replicates any changes to the Enterprise Zone Domain Controller.
Firewalls in the CPwE Framework
Firewall Technology
Industrial Firewall Design & Implementation Guide
Available for Download
• The Deploying Industrial Firewalls within a CPwE Architecture DIG outlines the concepts, requirements and technology solutions for application use cases that were tested, validated and documented by Cisco and Rockwell Automation® to help support a hardened and converged plant-wide EtherNet/IP IACS architecture
Design Guide: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td002_-en-p.pdf
White Paper: http://literature.rockwellautomation.com/idc/groups/literature/documents/wp/enet-wp011_-en-p.pdf
What’s in the Industrial Firewall Design & Implementation Guide?
The following is a summary of the CPwE IFW CVD content:
• Industrial Firewalls Technology Overview
  • Modes of operation
    • Inline Transparent mode
    • Inline Routed mode
    • Passive Monitor-only mode
  • Network Protection (Cisco Adaptive Security Appliance) [Firewall]
  • Intrusion Prevention and Detection (Cisco FirePOWER): Deep Packet Inspection (DPI) of the Common Industrial Protocol (CIP)
What’s in the Industrial Firewall Design & Implementation Guide?
• Application use cases
  • Equipment/Machine/Skid Protection
  • Cell/Area Zone Protection
    • Redundant Star Topology, Ring Topology
  • Cell/Area Zone Monitoring
• Management Use Cases
  • Local Management
    • Command Line Interface (CLI)
    • Adaptive Security Device Manager
  • Centralized Management
  • Migration from local to centralized management of industrial firewalls
Stratix® 5950 Security Appliance
Firewall & Intrusion Detection / Prevention Technology
Stratix® 5950 Security Appliance
• DIN rail mount offers increased design flexibility
• Industrially-hardened for high temperature demands (-40°C to 60°C)
• Deep Packet Inspection technology provides the visibility and controls needed for implementing policies around access, applications and protocols on the plant floor
• Maintain your protection against threats and control your assets with subscription based licensing
• Cisco ASA firewall and FirePOWER technology provide prevention services to identify, log or block potentially malicious traffic
• Two models: 2-port copper and 2-port SFP, or 4-port copper
• SFP slots enable flexibility by allowing multiple options for fiber connectivity
Stratix® 5950 Software Architecture & Management Software
[Diagram: software stack on the Stratix® 5950 hardware and the management tools above it]
• On board the Stratix® 5950 hardware:
  • Adaptive Security Appliance (ASA): Firewall, ACL, NAT & VPN
  • FirePOWER: IPS - Application & Threat Control
• Local management: Adaptive Security Device Manager (ASDM), Firewall & FirePOWER management
• Centralized management: Cisco Security Manager (CSM) for the firewall; FireSIGHT Management Center for FirePOWER
Hardware Bypass
• The Stratix® 5950 provides an “Availability” function known as hardware bypass.
• If a power loss or other catastrophic disruption occurs, the copper ports can be configured to connect directly to one another immediately, bypassing the device while it is down.
When Hardware Bypass is triggered, the circuit is closed. This option is configurable.
Performance
• Inline Transparent Mode
  • Sustains throughput in the range of 10 to 170 Mbps (13,000 to 186,000 packets per second) and may introduce additional latency in the range of 0.17 to 23 ms, depending on several factors including:
    • Traffic type: CIP Class 1 (implicit) or Class 3 (explicit)
    • Whether the Stratix® 5950 has the CIP inspection features enabled or not
    • Average packet size
• Inline Routed Mode
  • Sustains throughput in the range of 15 to 150 Mbps (15,000 to 147,000 packets per second) and may introduce additional latency in the range of 0.23 to 12.8 ms, depending on several factors including:
    • Traffic type: CIP Class 1 (implicit) or Class 3 (explicit)
    • Whether the Stratix® 5950 has the CIP inspection features enabled or not
    • Average packet size
Policies in the CPwE Framework
What is a Security Policy?
• A security policy is a general statement produced by management or a security board to dictate security governance as it relates to organizational policy, an issue-specific policy or a system-specific policy.
• Policies are written in simple and easy-to-understand language that describes the purpose of the policy and defines who must follow the policy and the system(s) involved with the policy.
• Because policies are written in a very general manner, they are typically supported with procedures, standards and guidelines to provide the detail on how the policy will be implemented, enforced and monitored.
• Companies will commonly create security policies and then focus on the technologies that enforce the policies, whether they are technical controls such as a firewall or non-technical controls such as a procedure.
• A firewall policy is a system-specific policy that describes how the firewall will handle application traffic such as industrial automation control systems (IACS), web, or email.
Stratix® 5950 Enables Granular Security to Meet Differing Security Policies
Different security policies for different zones
[Diagram: Enterprise (Internet, Enterprise Zone Levels 4-5) with its Enterprise security policy; the Industrial Demilitarized Zone (IDMZ); the Industrial Zone Levels 0-3 (Plant-wide Network) with a Level 3 Site Operations (Control Room) security policy; several Cell/Area Zones (Levels 0-2) of industrial Ethernet switches (IES), each behind an industrial firewall (IFW) with its own security policy (e.g. Cell B); each bounded area is a separate security zone]
Before You Implement, Assess!
• Before a firewall policy is created, the organization should perform some form of risk analysis that is based on the organization's security stance and that results in a list of the traffic types needed by the organization.
• Traffic types should then be categorized as to how they must be secured, including which types of traffic can traverse a firewall under what circumstances.
• This risk analysis should be based on an evaluation of threats, vulnerabilities and the countermeasures in place to mitigate vulnerabilities, and of the impact if IACS applications or data are compromised.
• More information regarding risk analysis can be found in the Guidelines on Firewalls and Firewall Policy at the following URL: http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
Firewalls in the CPwE Framework
Firewall Technology
Firewalls
• A firewall is a software or hardware device whose primary function is to permit or deny traffic as it attempts to enter or leave the network based on explicit preconfigured policies or rules
• Preconfigured rules are called Access Control Lists (ACLs)
  • ACLs are a collection of Permit and Deny statements.
  • Each Permit and Deny statement is referred to as an Access Control Entry (ACE)
[Diagram: firewall with an Inside Interface and an Outside Interface between hosts 10.10.30.10 and 192.168.10.100; the ACL on the firewall holds three ACEs: Allow ICMP (ping) traffic to 10.10.30.10; Allow HTTPS traffic to 10.10.30.10; Block all other traffic]
Firewalls
• Most firewalls are capable of inspecting the following elements of a packet – often called 5 Tuple Firewalls:
  • Source MAC or IP address
  • Destination MAC or IP address
  • Source TCP or UDP Port
  • Destination TCP or UDP Port
  • Protocol – Layer 2, 3, 4 or 7
Typical Firewall Rule as seen from ASDM
[Screenshot: ASDM access rule with callouts for Source IP address, Destination IP address, Ports / Protocol(s) and Interface]
Firewalls
• Most firewalls are capable of inspecting the following elements of a packet (5 Tuple Firewalls)
  • Source MAC or IP address
  • Destination MAC or IP address
  • Source TCP or UDP Port
  • Destination TCP or UDP Port
  • Protocol – Layer 2, 3, 4 or 7
To look deeper into the packet requires DPI
Note: a firewall may inspect traffic for conformance with proper protocol behavior and drop non-compliant traffic, but it will not have deep knowledge of the protocol like DPI
Stateful – The Importance of Connections
• Firewalls keep track of “legitimate” connections (SYN, SYN ACK, ACK)
• Firewalls reject attempted connections from sources without a SYN, SYN ACK, ACK connection history
• If you use a packet crafting tool in an attempt to gain access through the firewall, the firewall will reject packets whose sequence numbers are out of range
[Diagram: three-way handshake (SYN, SYN ACK, ACK) between 10.10.30.10 and 192.168.10.100 across the firewall's Inside and Outside Interfaces; a crafted packet from 10.10.30.06 to destination 192.168.10.100 with Seq # 123456 has no connection history]
If you are changing firewall rules and there is an existing connection, the new rule will not take effect until you flush the connection or “flows”.
This will bite you if you start applying “Deny” rules with existing connections.
Knowing how a firewall works is important!
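An added Python model (not Cisco ASA code) of the ACL and connection-tracking behaviour described on this and the earlier Firewalls slides: first-match ACE evaluation, a connection table that admits only a proper SYN, SYN ACK, ACK handshake, rejection of packets with no connection history or an out-of-window sequence number, and the point that a newly inserted deny rule does not touch an existing flow until the flows are flushed. The ACEs are constructed from the slides' sample addresses; the class and field names and the window size are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

WINDOW = 65535   # assumed receive window: sequence numbers outside it are "out of range"

@dataclass(frozen=True)
class ACE:
    """One Access Control Entry of an ACL."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                      # host address or "any"
    dst: str                      # host address or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and self.src in ("any", pkt["src"])
                and self.dst in ("any", pkt["dst"])
                and self.dport in (None, pkt.get("dport")))

def acl_lookup(acl, pkt):
    """First-match evaluation: the first ACE that matches decides; an ACL that
    matches nothing ends in the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# Constructed from the slides' examples: the three ACEs of the "Firewalls" slide
# plus the later "permit TCP host 10.10.30.10 host 192.168.10.100" rule.
ACL = [
    ACE("permit", "icmp", "any", "10.10.30.10"),
    ACE("permit", "tcp", "any", "10.10.30.10", 443),
    ACE("permit", "tcp", "10.10.30.10", "192.168.10.100"),
    ACE("deny", "ip", "any", "any"),
]

def tcp_packet(src, sport, dst, dport, flags, seq, length=0):
    """Build a minimal TCP packet record for the model (constructed sample input)."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": flags, "seq": seq, "len": length}

class StatefulFirewall:
    """Connection table keyed on the initiator's 5-tuple. The ACL is consulted
    only when a new TCP connection is opened; afterwards the table decides."""

    def __init__(self, acl):
        self.acl = list(acl)
        self.flows = {}   # 5-tuple -> {"state", "fwd": next seq, "rev": next seq}

    @staticmethod
    def _key(pkt):
        return (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))

    @staticmethod
    def _reverse(pkt):
        return (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))

    def process(self, pkt):
        """Return "permit" or "drop" for one packet and update the table."""
        flags = set(pkt.get("flags", ()))
        fwd, rev = self._key(pkt), self._reverse(pkt)
        if fwd in self.flows:                 # initiator -> responder
            flow, direction = self.flows[fwd], "fwd"
        elif rev in self.flows:               # responder -> initiator
            flow, direction = self.flows[rev], "rev"
        else:
            # No connection history: only a fresh SYN that the ACL permits opens a flow.
            # A crafted ACK/data packet (the slide's 10.10.30.06, seq 123456) is dropped here.
            if pkt["proto"] != "tcp" or flags != {"SYN"} or acl_lookup(self.acl, pkt) != "permit":
                return "drop"
            self.flows[fwd] = {"state": "SYN_SENT", "fwd": pkt["seq"] + 1, "rev": None}
            return "permit"
        # Handshake: SYN ACK must come back from the responder, then ACK from the initiator
        if flow["state"] == "SYN_SENT" and direction == "rev" and flags == {"SYN", "ACK"}:
            flow["state"], flow["rev"] = "SYN_RECEIVED", pkt["seq"] + 1
            return "permit"
        if flow["state"] == "SYN_RECEIVED" and direction == "fwd" and flags == {"ACK"}:
            flow["state"] = "ESTABLISHED"
        if flow["state"] != "ESTABLISHED":
            return "drop"
        # Established: the ACL is not re-evaluated, but the sequence number must be in window
        expected = flow[direction]
        if not expected <= pkt["seq"] < expected + WINDOW:
            return "drop"
        flow[direction] = pkt["seq"] + pkt.get("len", 0)
        return "permit"

    def flush(self):
        """Clear the connection table so that changed rules apply to every packet again."""
        self.flows.clear()
```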
Firewalls in the CPwE Framework
[Diagram: CPwE reference architecture: Enterprise (Internet, External DMZ/Firewall, Enterprise Zone Levels 4-5); Industrial Demilitarized Zone (IDMZ) with physical or virtualized servers (Patch Management, AV Server, Application Mirror, Remote Desktop Gateway Server); Industrial Zone Levels 0-3 with Level 3 Site Operations (AAA, core switches, distribution switch stack, active/standby Wireless LAN Controller), Level 2 Area Supervisory Control (FactoryTalk® Client), Level 1 Controller and Level 0 Process (controllers, drives, I/O, soft starter, MCC, LWAP with 2.4 GHz and 5 GHz SSIDs, WGB), and an Industrial Firewall in front of a controller]
IDMZ firewalls create a security boundary between the Enterprise and Industrial Zones.
Industrial firewall(s) can create security boundaries between Cell/Area Zones and even provide a granular security boundary on machines or skids.
Firewalls – Question to the Audience
I often hear the statement: “I have a firewall for security so I’m secure”
Question to the Audience: If I have the following firewall rule applied to the outside interface of the firewall:
access-list 101 permit TCP host 10.10.30.10 host 192.168.10.100
What happens if host 10.10.30.10 gets compromised? Does the firewall provide security?
[Diagram: firewall with an Inside Interface and an Outside Interface between hosts 10.10.30.10 and 192.168.10.100]
Okay, open ended question.
The firewall will not block unwanted conversations between the two hosts if a firewall rule permits the traffic. It is possible to send unwanted traffic on “allowed” ports as a means of getting through the firewall!
The reason I bring this up is that end host protection is still paramount, even with firewalls.
Firewalls – Question to the Audience
Question to the Audience: If Host “A” 192.168.10.100 and Host “B” 192.168.10.101 are on the same network as shown in the diagram and Host “B” gets compromised, will the firewall save you?
[Diagram: firewall with an Inside Interface and an Outside Interface; host 10.10.30.10 on one side, Host A 192.168.10.100 and Host B 192.168.10.101 on the same network on the other side]
Okay, another loaded question.
We don’t really know. If Host “B” is compromised in such a manner as to attack Host “A”, then no, the firewall won’t save you. If Host “B” tries to connect beyond the firewall, maybe to some off-site command and control server, you may be able to catch the anomalous behavior.
I’m going with “No, the firewall won’t save you”.
Firewall Summary
• Firewalls are good security boundary appliances
• Your firewall is only as good as your rules
  • We see a lot of “permit any any” rules because creating thorough rules can be tedious
  • If a rule permits traffic from a host on one side of the firewall to the other side of the firewall, a compromised host is very hard to detect
    • Look up netcat and netcat listeners
• Deep Packet Inspection (DPI) is a good complement to the firewall functionality
CIP Deep Packet Inspection (DPI)
Firewalls and Deep Packet Inspection
• Deep Packet Inspection extends upon firewalls’ capabilities
  • Provides granular protection per protocol (ex. CIP, Modbus, DNP3) in the Industrial Zone *
  • Giving the visibility and control to help prevent erroneous or malicious activity down to the Cell/Area Zone level
• Intrusion Prevention uses DPI
• What do you want to do after you have inspected the packet?
  1.) After inspecting the packet using DPI, achieve granular control through security rules that act on matched network traffic
  2.) Do we allow this application or command, or is this a known threat?
*Note: Modbus and DNP3 were not tested and validated as part of the IFW DIG
IPS – IDS – Firewall Comparison
• Intrusion Prevention System (IPS): inspects traffic flowing through a network and is capable of blocking what it determines to be malicious
• Intrusion Detection System (IDS): inspects traffic flowing through a network but does not affect traffic flows in any way; only logs or alerts on malicious traffic
• Firewall: helps prevent or allow traffic between interfaces based on policies; often uses network address translation (NAT) to isolate private network addresses from public ones; may inspect traffic for conformance with proper protocol behavior
CIP Deep Packet Inspection
• The ASA FirePOWER module has a software component, in addition to the Network Analysis Policy rules engine, called a preprocessor.
• The preprocessor handles the interpretation of the packet before it is handled by the rules engine.
• Common Industrial Protocol (CIP) DPI has been added to the Stratix® 5950
• It is common for a standard to be extended by a vendor to support vendor-specific requirements not covered in the open standard. These are often proprietary extensions, which is why additional preprocessors are required for vendor-specific protocol extensions.
• Two types of CIP DPI rule categories:
  • CIP Generic – related to the CIP standard
  • Rockwell Automation® specific CIP
Generic CIP Categories

| Category | Description | Application(s) | Usage |
|---|---|---|---|
| CIP Admin | ODVA-specified commands that change the state of a device | CIP Admin | Block tools or commands to reset or change the state of a generic CIP device |
| CIP Read | ODVA-specified commands that read data from a device | CIP Infrastructure, CIP Read | Block tools or commands that read generic CIP data from a device |
| CIP Write | ODVA-specified commands that write data into a device | CIP Write | Block tools or commands that write generic CIP data to a device |
Rockwell Automation® Specific CIP Categories

| Category | Description | Application(s) | Usage |
|---|---|---|---|
| CIP RA Admin | Rockwell Automation® specified commands that change the state of a device | CIP Admin; CIP RAAdmin Download; CIP RAAdmin Firmware Update; CIP RAAdmin Other | Block ControlFlash or any tool that updates Rockwell Automation® firmware; blocks Rockwell Automation® Logix Designer from downloading programs; using RSLinx® to change a module’s networking properties, such as IP address, Netmask, Gateway, DNS server, Domain name, host name, Speed, Duplex Mode, Interface Speed; using any tool to reset a device |
| CIP RA Read | Rockwell Automation® specified commands that read data from a device | CIP Infrastructure; CIP Read; CIP RA Infrastructure; CIP RA Read Tag; CIP Read Tag Other | Any general read action. Example: RSLinx® browsing, HMI reading a tag |
| CIP Write | Rockwell Automation® specified commands that write data into a device | CIP Write; CIP RA Write Tag; CIP RA Write Tag Other | Block tools or commands that set values via CIP. Example: HMI setting a tag value, RSLinx® changing various properties of a device (properties that don’t fall under CIP RAAdmin) |
Firewall to DPI Logical Flow
[Diagram: Stratix® 5950 IFW with an Outside and an Inside interface; the ASA firewall applies the firewall policy, the ASA FirePOWER module performs DPI inspection; steps 1-3 numbered on the diagram]
• 1) Traffic enters the firewall (ASA)
• 2) Firewall policies are applied
• 3) If a DPI rule is configured for the interesting traffic, then the packet is sent to the ASA FirePOWER
What Types of CIP Traffic can be used with DPI?
• Class 3 CIP traffic (port 44818)
  • Examples
    • HMI reads and writes
    • RSLinx® to controller
    • RSLogix™ downloading
    • Changing the IP address of an Ethernet module
• What isn’t supported: CIP Class 1 (port 2222)
  • Examples
    • Controller to I/O
    • Produce / Consume
Firewall to DPI Logical Flow
[Diagram: same Stratix® 5950 IFW flow, ASA firewall policy and ASA FirePOWER DPI inspection; step 4 numbered on the diagram]
• 4) The ASA FirePOWER module applies its security policy to the traffic and takes the appropriate action
Firewall to DPI Logical Flow
[Diagram: same Stratix® 5950 IFW flow, ASA firewall policy and ASA FirePOWER DPI inspection; step 5 numbered on the diagram, with a "Block" branch out of FirePOWER]
• 5) Valid traffic is sent back to the firewall. Note: FirePOWER may block some traffic according to the security policy.
Firewall to DPI Logical Flow
[Diagram: same Stratix® 5950 IFW flow, ASA firewall policy and ASA FirePOWER DPI inspection; step 6 numbered on the diagram]
• 6) Traffic exits the ASA firewall
Configuring CIP DPI with ASDM
Generic and Rockwell Automation® Specific
• The ASA FirePOWER software denotes CIP Generic rules within the Application Categories as “CIP”, while Rockwell Automation® specific CIP extensions are denoted as “CIP RA”
[Screenshot: ASDM Application Categories list with the CIP Generic and Rockwell Automation® Specific entries highlighted]
CIP DPI – Categories and Applications
• Some of the CIP and CIP RA categories that require multiple applications have been preconfigured to include all of the proper applications.
• When creating rules, select the “Category” in the left-most column and then select “Add to Rule”. Do not select individual “Available Applications” in the middle column to create the rule; rather, only select the “Category”.
[Screenshot: ASDM rule editor with the Category column and the Available Applications column]
Block with Reset
• It is recommended to only use “Block with reset” CIP Access Control Policy rules to block specific CIP traffic, rather than using “permit” rules.
  • Instead of having the inspection engine examine all the permitted traffic, it is best to configure the IFW with blocking-only rules.
Stratix® 5950 Normal Traffic Flow
[Diagram: Engineering Workstation (IP address 10.10.10.145) -> IES -> Stratix® 5950 IFW (BVI address 10.10.10.5) -> IES -> CLX1 (IP address 10.10.10.130); Studio 5000® "Go Online" traffic passes through]
FirePOWER rule: Block with Reset, CIP RAAdmin. Description: this rule will block any IP address change requests from 10.10.10.145 to 10.10.10.130. (CIP RA Admin: block ControlFlash, block Studio 5000® download, block IP address changes.)
1) Engineering Workstation uses Studio 5000® to go online with CLX1
2) Stratix® 5950 FirePOWER CIP RAAdmin rule does not prohibit the Engineering Workstation from going online
3) Engineering Workstation goes online with CLX1
Packet remains unchanged
Stratix® 5950 Block with Reset - Slide 1 of 2
[Diagram: Engineering Workstation (IP address 10.10.10.145) -> IES -> Stratix® 5950 IFW (BVI address 10.10.10.5) -> IES -> CLX1 (IP address 10.10.10.130); RSLinx® attempts to change the CLX1 IP address; the appliance sends ARP "Who has 10.10.10.130" from source (BVI) 10.10.10.5 and receives the ARP response from 10.10.10.130]
FirePOWER rule: Block with Reset, CIP RAAdmin. Description: this rule will block any IP address change requests from 10.10.10.145 to 10.10.10.130. (CIP RA Admin: block ControlFlash, block Studio 5000® download, block IP address changes.)
1) Engineering Workstation uses RSLinx® to attempt a CLX1 IP address change
2) Stratix® 5950 FirePOWER CIP RAAdmin rule prohibits IP address changes to CLX1
3) Stratix® 5950 security appliance sends an ARP request to obtain the MAC ID of CLX1
4) ControlLogix® controller responds to the Stratix® 5950 with its MAC ID
Stratix® 5950 changes the packet when it blocks the packet and sends a TCP Reset to the end device
Stratix® 5950 Block with Reset - Slide 2 of 2
[Diagram: same topology (Engineering Workstation 10.10.10.145, Stratix® 5950 BVI address 10.10.10.5, CLX1 10.10.10.130); the appliance sends a Reset TCP Connection to CLX1 and a Reset Acknowledge message is sent back to the Stratix® 5950]
FirePOWER rule: Block with Reset, CIP RAAdmin. Description: this rule will block any IP address change requests from 10.10.10.145 to 10.10.10.130.
5) Stratix® 5950 sends a Reset TCP connection to CLX1
6) CLX1 sends an acknowledgement to the Stratix® 5950 security appliance
Stratix® 5950 changes the packet when it blocks the packet and sends a TCP Reset to the end device
Stratix® 5950 Block with Reset with NAT
Slide 1 of 2
[Diagram: Engineering Workstation (IP address 10.10.10.145) -> IES -> Stratix® 5950 IFW (BVI address 10.10.10.5) -> IES -> NAT device -> CLX1 (private IP address 192.168.1.130); NAT translation: public IP address 10.10.10.130 <-> private IP address 192.168.1.130; RSLinx® attempts to change the CLX1 IP address; the appliance sends ARP "Who has 10.10.10.130" from source (BVI) 10.10.10.5 and the ARP response comes from 192.168.1.130; the NAT device: "Where is 10.10.10.5? I don’t have a NAT translation for that IP address = Drop Packet"]
1) Engineering Workstation uses RSLinx® to attempt a CLX1 IP address change
2) Stratix® 5950 FirePOWER CIP RAAdmin rule prohibits IP address changes to CLX1
3) Stratix® 5950 security appliance sends an ARP request to obtain the MAC ID of CLX1
4) CLX1 responds to the ARP request
5) No NAT translation exists for the Stratix® 5950 security appliance, so the NAT device drops the ARP request
Stratix® 5950 Block with Reset with NAT
Slide 2 of 2
[Diagram: same topology (Engineering Workstation 10.10.10.145, Stratix® 5950 BVI address 10.10.10.5, NAT device, CLX1 private IP address 192.168.1.130); NAT translation: public IP address 10.10.10.130 <-> private IP address 192.168.1.130, plus an added NAT translation for public IP address 10.10.10.5 (the BVI); ARP "Who has 10.10.10.130" from source (BVI) 10.10.10.5, ARP response from 192.168.1.130]
1) Engineering Workstation uses RSLinx® to attempt a CLX1 IP address change
2) Stratix® 5950 FirePOWER CIP RAAdmin rule prohibits IP address changes to CLX1
3) Stratix® 5950 security appliance sends an ARP request to obtain the MAC ID of CLX1
4) CLX1 responds to the ARP request
5) A NAT translation exists for the Stratix® 5950 security appliance, so the ARP reply is successful
PUBLIC Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved. 87Rockwell Automation TechED 2017 @ROKTechED #ROKTechED
CIP DPI – High Level Recommendations
 Use "Block with reset" rather than "permit" as the action for CIP rules covering CIP Reads, CIP Writes, CIP Administration, RA CIP Read, RA CIP Writes and RA CIP Administration
 CIP DPI rules are written against host addresses; they are not granular enough to block an individual user
 Good example: block firmware download from the Operator Workstation (10.10.30.10) to ControlLogix® 192.168.1.10 by applying a CIP RA Admin rule
 Bad example: block firmware download for Bill on the Operator Workstation (10.10.30.10) by applying a CIP RA Admin rule, but permit Jeff on the same Operator Workstation (10.10.30.10) to ControlLogix® 192.168.1.10 (the rule cannot tell the two users apart)
 Make sure you understand the NAT translations of devices within your infrastructure
 Include the Stratix® 5950 Bridged Virtual Interface (BVI) IP addresses in those translations, otherwise the reset cannot reach the protected device
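A small model of how such rules are matched, added here as an illustration (not Rockwell or Cisco code). Each rule keys on source host, destination host and CIP action category, and the engine has no notion of a user, so the Bill/Jeff case from the bad example cannot be expressed; both get the same verdict. The category names are the ones on the slide, the addresses are the slide's, and the `unreachable_rules` audit is a suggestion for catching rules written against the wrong side of a NAT boundary (the IFW only ever sees the addresses present on its own segment).

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# CIP DPI action categories exactly as the slide names them.
CATEGORIES = frozenset({
    "CIP Read", "CIP Write", "CIP Administration",
    "RA CIP Read", "RA CIP Write", "RA CIP Administration",
})
BLOCK_WITH_RESET = "block_with_reset"   # recommended action for these categories
PERMIT = "permit"


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    categories: frozenset
    action: str


def rule(src: str, dst: str, categories: Iterable[str], action: str) -> Rule:
    cats = frozenset(categories)
    unknown = cats - CATEGORIES
    if unknown:
        raise ValueError(f"unknown CIP category: {sorted(unknown)}")
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), cats, action)


@dataclass(frozen=True)
class CipRequest:
    src_ip: str
    dst_ip: str
    category: str
    user: Optional[str] = None   # carried only to show it is never consulted


def evaluate(rules: Sequence[Rule], req: CipRequest, default: str) -> str:
    """First matching rule wins.  Match fields are host addresses and the CIP
    category; `req.user` plays no part, which is the point of the bad example."""
    src = ipaddress.ip_address(req.src_ip)
    dst = ipaddress.ip_address(req.dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and req.category in r.categories:
            return r.action
    return default


def unreachable_rules(rules: Sequence[Rule], visible: Iterable[str]) -> List[Rule]:
    """Audit: rules whose destination lies outside the networks the IFW sees at
    its position.  Behind a NAT IES the IFW sees private addresses, so a rule
    written with the public (translated) address can never match."""
    nets = [ipaddress.ip_network(n) for n in visible]
    return [r for r in rules if not any(r.dst.subnet_of(n) for n in nets)]


# Good example from the slide: the operator workstation may not push firmware
# (a CIP RA Admin action) to the ControlLogix, but may read from it.
POLICY = [
    rule("10.10.30.10/32", "192.168.1.10/32", ["RA CIP Administration"], BLOCK_WITH_RESET),
    rule("10.10.30.10/32", "192.168.1.10/32", ["CIP Read", "RA CIP Read"], PERMIT),
]


def operator_firmware_download(user: str) -> str:
    """The bad example: the verdict is identical whichever user is logged in."""
    req = CipRequest("10.10.30.10", "192.168.1.10", "RA CIP Administration", user)
    return evaluate(POLICY, req, default=BLOCK_WITH_RESET)


if __name__ == "__main__":
    for who in ("Bill", "Jeff"):
        print(who, operator_firmware_download(who))   # both: block_with_reset
    # A rule written with CLX1's public address is dead if the IFW sits on the private side.
    dead = [rule("10.10.30.10/32", "10.10.10.10/32", ["RA CIP Administration"], BLOCK_WITH_RESET)]
    print(unreachable_rules(dead, ["192.168.1.0/24"]))
```

With the Firepower "Block with reset" action the client's TCP session is torn down immediately, so RSLinx® or ControlFlash fails at once instead of waiting for a timeout; that is the behavioural difference behind the first recommendation.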
Stratix® 5950 Security Appliance
in the CPwE Framework
Stratix® 5950 Security Appliance
Architecture Modes
 Inline Transparent Mode: traffic passes through the IFW; the ingress and egress interfaces carry the same network addresses (Network A on both sides)
 Inline Routed Mode: traffic passes through the IFW; the ingress and egress interfaces carry different network addresses (Network A on one side, Network B on the other). Think "router"
 Passive Monitor Mode (out of box): the IFW sits outside the traffic path and receives a copy of each packet
IFW for Machine / Skid Protection
Inline Transparent Mode
 The machine/skid protection use case is used to segment a machine, skid or unit from the Cell/Area Zone network. This may be to support different security requirements between the larger IACS network and the machine/skid, or to restrict ingress and egress traffic.
[Diagram: Industrial Zone (Levels 0-3, plant-wide network) with the IDMZ, core switches, FireSIGHT Management Center and Cisco Security Manager; a distribution switch feeding Cell/Area Zones (Levels 0-2, ring and redundant star topologies of industrial Ethernet switches) made up of lines, machines, skids and equipment with HMI, controller, drive and soft starter; a Stratix® 5950 IFW in transparent mode in front of each machine, skid and equipment group.]
IFW for Machine / Skid Protection
Inline Routed Mode
 In inline routed mode, the Stratix® 5950 security appliance is placed between the distribution network and one or more groupings of automation equipment that act as machines, skids or units, to both protect and route traffic between each unit.
 In each case, the Stratix® 5950 security appliance acts as the ingress and egress point of a production line containing these machines/skids, where traffic can be monitored or controlled through firewall or DPI security policies.
[Diagram: Industrial Zone (Levels 0-3) with the IDMZ, core switches, FireSIGHT Management Center and Cisco Security Manager; a single Stratix® 5950 IFW in routed mode between the distribution switch and the industrial Ethernet switches of the Cell/Area Zone (Levels 0-2) machines and skids, each with HMI, controller, drive and soft starter.]
Redundant Star Cell/Area Zone Protection
Inline Transparent Mode
 When a redundant star network configuration is required to meet redundancy requirements, the IFW can be architected to support redundant Layer 2 EtherChannel links.
 For this use case, the IFW is placed between the distribution switch and the plant floor equipment.
[Diagram: Industrial Zone (Levels 0-3) with the IDMZ, core switches, FireSIGHT Management Center and Cisco Security Manager; a Stratix® 5950 IFW in transparent mode between the distribution switch and the redundant star Cell/Area Zone (Levels 0-2) of industrial Ethernet switches, with further transparent mode IFWs in front of individual machines, skids and equipment (HMI, controller, drive, soft starter).]
Ring Cell/Area Zone Protection
Inline Transparent Mode
 The Ring Cell/Area Zone protection use case is used to monitor and apply security policies to a ring.
 Two transparent mode IFWs are placed between the distribution switches and the ring. The IFWs are not acting as an active/standby firewall pair in this configuration; they are simply providing firewall and possibly DPI functionality on both ingress points of the network ring.
 While it is a valid use case, implementing it is not recommended because of an architectural limitation of this deployment:
 Any persistent connections that were established via the disrupted IFW will need to time out, then re-establish via the remaining IFW, resulting in communication downtime
[Diagram: Industrial Zone (Levels 0-3) with the IDMZ, core switches, FireSIGHT Management Center and Cisco Security Manager; two Stratix® 5950 IFWs in transparent mode, one on each distribution switch connection into the ring Cell/Area Zone (Levels 0-2) of industrial Ethernet switches serving machines, skids and equipment (HMI, controller, drive, soft starter).]
Cell/Area Zone Monitoring
Passive Monitor Mode 1 of 2
 The Cell/Area Zone monitoring use case is used to monitor traffic of interest without placing the Stratix® 5950 security appliance directly inline of a controller, skid, machine or Cell/Area Zone of interest
 A SPAN session or port mirror is created to send the traffic of interest to the Stratix® 5950 security appliance
[Diagram: Industrial Zone (Levels 0-3) with the IDMZ, core switches, FireSIGHT Management Center and Cisco Security Manager; a Stratix® 5950 IFW in monitor mode attached to the distribution switch receives the mirrored Cell/Area Zone (Levels 0-2) traffic, while other IFWs remain in transparent mode in front of machines, skids and equipment (HMI, controller, drive, soft starter).]
Cell/Area Zone Monitoring
Passive Monitor Mode 2 of 2
 The Stratix® 5950 security appliance currently supports logging only the first and last packets of a persistent TCP connection between endpoints, not the individual packets within that connection. For example, when RSLinx® establishes a connection, only one event is logged for the duration of that session.
 Therefore, if this level of granularity is desired when monitoring ingress and egress traffic for the Cell/Area Zone, this deployment is not recommended.
[Diagram: same topology as Passive Monitor Mode 1 of 2, with the monitor mode IFW on the distribution switch and transparent mode IFWs in front of the machines, skids and equipment.]
CPwE Industrial Firewall Configurations
Chapter 3
CPwE Industrial Firewall Configurations
 Chapter 3 describes how to configure the Industrial Firewall within the CPwE architecture based on the design considerations and recommendations of the previous chapter. The included configurations have been validated during the testing effort.
 Initial Setup
 Configuring Inline Transparent Mode
 Configuring Inline Routed Mode
 Configuring Monitor-only Mode
 Configuring Central Management
 Includes firewall and FirePOWER configurations
 Includes GUI and CLI configurations
Example from the chapter: an inline transparent mode interface pair, both members of the same bridge group, with the outside interface at security level 0 and the inside interface at security level 100
interface GigabitEthernet1/1
 nameif outside1
 bridge-group 1
 security-level 0
!
interface GigabitEthernet1/2
 nameif inside1
 bridge-group 1
 security-level 100
Stratix® 5950 Security Appliance
License Options
Stratix® 5950 Security Appliance
Subscription Based License
 The Subscription License to update security signature content on each Stratix® 5950 Security Appliance is priced per unit.
 An onboard device management interface lets you manage that interaction per unit. If a customer needs to manage several Stratix® 5950 units, centralized management is available through Cisco Security Manager software, which is sold only by Cisco.
 The license is a joint CSM/CVB catalog number. TechConnect℠ support is associated with each Subscription License as the base offering, and an upgrade to full 24/7 TechConnect℠ support can be purchased.
 No permanent outbound internet connection is required to deliver subscription license content. Customers have the option to download content ad hoc from the Software Downloads website for use on the Stratix® 5950 security appliance.
Identity Services Engine (ISE)
Secure Access
Consolidating access for employees, contractors and vendors
 Who? Employee, Attacker, Guest
 What? Personal Device, Company Asset
 How? Wired, Wireless, VPN
 Where? @ plant 1, zone 2; Headquarters
 When? Weekends (8:00am – 5:00pm) PST
ISE – Unifying policy for all mediums
[Diagram: Louise (Plant tech) and Kevin (LOB Engr) reach Zone 2 over VPN, Wi-Fi or LAN; ISE, backed by AD, applies one policy regardless of the medium.]
ISE Overview
Network/user context: Who, What, When, Where, How
Device profiling feed service
Reduce network unknowns and apply the right level of secure access consistently across wired, wireless and VPN
 Employee Access
 Contractor + Vendor
 Guest Access
ISE Personas/Roles
A single ISE node (appliance or VM) runs one or more personas: Administration, Monitoring, Policy Service
 Policy Administration Node (PAN)
 Interface to configure policies
 Monitoring and Troubleshooting Node (MnT)
 Interface for logging, reporting and troubleshooting
 Policy Service Node (PSN)
 Engine that makes policy decisions
 This is the workhorse of the personas
 Responsible for AAA, profiling, posture and guest
Figure 1 - CPwE Industrial Network Security Framework
[Diagram: Enterprise Zone (Levels 4 and 5) with the enterprise network, external DMZ/firewall, Internet and employee remote access; Industrial Demilitarized Zone (IDMZ) with an active/standby ASA 5500 firewall pair (link for failover detection) and a Remote Access Server; Industrial Zone (Levels 0-3) with Level 3 Site Operations (Catalyst 6500/4500 core, Catalyst 3750X StackWise distribution switch stack, UCS, primary and secondary WLC, ISE Admin and ISE PSN) and Cell/Area Zones (Levels 0-2) built from Stratix® 5700/Stratix® 8000 Layer 2 access switches and Catalyst 2960: a redundant star topology with Flex Links resiliency and unified wireless LAN (LWAP, WGB, 5 GHz SSID), a ring topology with Resilient Ethernet Protocol (REP) and unified wireless LAN, and a linear/bus/star topology with autonomous wireless LAN (AP, WGB, 5 GHz and 2.4 GHz SSIDs); end devices include controllers, safety controllers, HMI, I/O, safety I/O, drives, servo drives, soft starters, robots, instrumentation, cameras and phones.]
Plant Firewalls
• Inter-zone traffic segmentation
• ACLs, IPS and IDS
• VPN Services
• Portal and Remote Desktop Services proxy
Distributed ISE Setup
[Diagram: Enterprise Zone (Levels 4-5) with Enterprise WAN, Internet, external DMZ/firewall, WLC (Enterprise), ISE PAN/PSN and ISE MnT; IDMZ with active/standby firewalls; Industrial Zone (Levels 0-3) with Level 3 Site Operations (core switches, distribution switch, WLC active/standby, Industrial ISE PSN, FactoryTalk® client) and a Cell/Area Zone (Levels 0-2) with PACs, I/O, drive, LWAP and WGB.]
1) The Enterprise ISE PAN/PSN synchronizes its policy configurations with the Industrial ISE PSN.
2) The Enterprise and Industrial ISE PSNs send detailed logs to the Enterprise ISE MnT.
Adding ISE to CPwE
[Diagram: the CPwE framework of Figure 1 (Enterprise Zone Levels 4 and 5 with external DMZ/firewall and Internet; IDMZ with active/standby ASA 5500 firewalls and Remote Access Server; Industrial Zone Levels 0-3 with Level 3 Site Operations and the redundant star, ring and linear/bus/star Cell/Area Zones), with ISE Admin and ISE PSN placed in Level 3 Site Operations. Plant firewalls provide inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, and portal and Remote Desktop Services proxy.]
NOTES
1) All endpoints must authenticate before being allowed on the network.
2) Centralizing authentication for all three mediums (wired, wireless, remote access)
3) Centralizing your network policy/privileges
4) Full reporting capability on every endpoint accessing the network:
-- Device type
-- Username/MAC/IP
-- Where they authenticated from
Employee Access Example - Wired
[Diagram: the same CPwE framework (Enterprise Zone, IDMZ with active/standby ASA 5500-X firewalls and RAS, Industrial Zone with ISE Admin, ISE PSN and AD in Level 3 Site Operations, Cell/Area Zones); an employee laptop with Studio 5000® is wired into a Cell/Area Zone access switch, with the RAS path labelled RDP - Studio 5000.]
NOTES
1. Employee endpoint is examined by ISE
2. ISE sends back a dACL allowing access to that zone, but denying communication to other zones.
3. Employee has Studio 5000® on the laptop and receives direct access to the controller
Contractor/Vendor example – Wireless
[Diagram: the same CPwE framework (Enterprise Zone with Internet and external DMZ/firewall, IDMZ with active/standby ASA 5500-X firewalls and RAS, Industrial Zone with WLC, ISE Admin, ISE PSN, AD and PKI in Level 3 Site Operations, Cell/Area Zones with LWAP/AP, WGB and 5 GHz / 2.4 GHz SSIDs); a contractor/vendor device associates over wireless, ISE returns a dACL, and management software is reached only over RDP.]
NOTES
Contractor/Vendor access restricted to devices via the RDP machine
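An added Python example covering the employee (wired) and contractor/vendor (wireless) slides; it is illustration, not Rockwell, Cisco or ISE code. It builds the dACL each role would receive, renders it in the `ip:inacl#N=` cisco-av-pair form the switch receives in the RADIUS Access-Accept, and evaluates sample flows against it. The zone subnets 10.17.10.0/24 and 10.17.20.0/24 and the RDP host 10.13.48.12 are constructed for the example; TCP 44818 is EtherNet/IP explicit messaging and TCP 3389 is RDP.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence

ENIP_TCP = 44818   # EtherNet/IP explicit messaging (Studio 5000 go online, RSLinx)
RDP_TCP = 3389


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    dst: ipaddress.IPv4Network      # 0.0.0.0/0 renders as "any"
    dst_port: Optional[int] = None  # tcp/udp only

    def render(self) -> str:
        """Extended-ACL syntax as entered in an ISE dACL.  The source is always
        'any': the switch substitutes the authenticated endpoint's own address."""
        if self.dst.prefixlen == 0:
            dst = "any"
        elif self.dst.prefixlen == 32:
            dst = f"host {self.dst.network_address}"
        else:
            dst = f"{self.dst.network_address} {self.dst.hostmask}"
        port = f" eq {self.dst_port}" if self.dst_port is not None else ""
        return f"{self.action} {self.proto} any {dst}{port}"

    def matches(self, proto: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(dst_ip) not in self.dst:
            return False
        return self.dst_port is None or self.dst_port == dst_port


def employee_dacl(home_zone: str, other_zones: Sequence[str]) -> List[Ace]:
    """Wired employee: permit the endpoint's own Cell/Area Zone, deny the others.
    Anything else falls to the implicit deny at the end of the ACL."""
    aces = [Ace("permit", "ip", ipaddress.ip_network(home_zone))]
    aces += [Ace("deny", "ip", ipaddress.ip_network(z)) for z in other_zones]
    return aces


def contractor_dacl(rdp_host: str) -> List[Ace]:
    """Wireless contractor/vendor: controllers are reachable only through the
    RDP machine, never directly."""
    return [
        Ace("permit", "tcp", ipaddress.ip_network(f"{rdp_host}/32"), RDP_TCP),
        Ace("deny", "ip", ipaddress.ip_network("0.0.0.0/0")),
    ]


def to_av_pairs(aces: Sequence[Ace]) -> List[str]:
    """cisco-av-pair encoding of a downloadable ACL as carried in RADIUS."""
    return [f"ip:inacl#{i}={ace.render()}" for i, ace in enumerate(aces, start=1)]


def decide(aces: Sequence[Ace], proto: str, dst_ip: str, dst_port: Optional[int] = None) -> str:
    """First match wins; no match ends in the implicit deny."""
    for ace in aces:
        if ace.matches(proto, dst_ip, dst_port):
            return ace.action
    return "deny"


if __name__ == "__main__":
    # Constructed addressing: employee lives in zone A, zone B is another line.
    emp = employee_dacl("10.17.10.0/24", ["10.17.20.0/24"])
    print("\n".join(to_av_pairs(emp)))
    print(decide(emp, "tcp", "10.17.10.10", ENIP_TCP))   # permit: own-zone controller
    print(decide(emp, "tcp", "10.17.20.10", ENIP_TCP))   # deny: other zone
    con = contractor_dacl("10.13.48.12")
    print("\n".join(to_av_pairs(con)))
    print(decide(con, "tcp", "10.13.48.12", RDP_TCP))    # permit: RDP host only
    print(decide(con, "tcp", "10.17.10.10", ENIP_TCP))   # deny: no direct controller access
```

A production employee dACL also needs explicit entries for the Level 3 Site Operations services the endpoint uses (FactoryTalk®, AD, name resolution); the slide's "deny other zones" statement is the part modelled here.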
Cyber Security Framework
Industrial Security Quips
Some humor and wisdom if you're feeling overwhelmed
 "Good enough" security now is better than "perfect" security ... never (Tom West, Data General)
 Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done (Dave Piscitello)
 Your absolute security is only as strong as your weakest link
 Concentrate on known, probable threats
 Security is not a static end state, it is an interactive process
NIST – Cyber Security Framework
Video
A video from NIST, the National Institute of Standards and Technology: Cyber security Framework Shared
https://cdnapisec.kaltura.com/index.php/extwidget/preview/partner_id/684682/uiconf_id/31013851/entry_id/1_oflxj19k/embed/dynamic
30% of U.S. companies use the NIST cyber security Framework
The NIST cyber security Framework is so successful because it can be used for small and medium businesses, large organizations…
What is the Cyber Security Framework?
Industrial Control System (ICS) included
Framework Core
Framework Core: Identify, Protect, Detect, Respond and Recover
Framework Core Element Definitions
Framework Tier
Framework Tiers Defined
Framework Profiles
How to use the Framework 1 of 2
How to use the Framework 2 of 2
Framework Core - Categories
Framework Core - Categories
Example Category/ Subcategory/ References
Example Category/ Subcategory/ References
Additional Material
Network Architecture Icon Key
Converged Plantwide Ethernet (CPwE)
Layer 2 Access Link (EtherNet/IP Device Connectivity)
Layer 2 Interswitch Link/802.1Q Trunk
Layer 3 Link
Layer 2 Access Switch, Catalyst 2960
Multi-Layer Switch - Layer 2 and Layer 3, Stratix® 8300, Stratix® 5700, Stratix® 5400, Stratix® 5410
Layer 3 Router, Stratix® 5900
Autonomous Wireless Access Point (AP), Stratix® 5100 switch as Autonomous AP
Layer 2 IES with NAT (NAT), Stratix® 5700, Stratix® 5400
Layer 2 IES with NAT and Connected Routing (NAT - CR), Stratix® 5700, Stratix® 5400
Layer 3 Distribution Switch Stack, Catalyst 3750-X, Catalyst 3850
Layer 3 Core Switch, Catalyst 4500, 4500-X, 6500, 6800
Layer 3 Core Switch with Virtual Switching System (VSS), Catalyst 4500-X, 6500, 6800
Firewall, Adaptive Security Appliance (ASA) 55xx
Wireless workgroup bridge (WGB), Stratix® 5100 switch as workgroup bridge (WGB)
Unified Wireless Lightweight Access Point (LWAP), Catalyst 3602E LWAP
Unified Wireless LAN Controller (WLC), Cisco 5508 WLC
Unified Computing System (UCS), UCS-C series
Identity Services Engine (ISE) for Authentication, ISE - PAN/PSN/MnT
Layer 2 Access, Industrial Ethernet Switch (IES), Stratix® 5700, Stratix® 5400, Stratix® 8000
Layer 3 Router with Zone-based Firewall, Stratix® 5900
Industrial Firewall (IFW), Stratix® 5950
Additional Material
CPwE Architectures - Cisco and Rockwell Automation®
 CPwE website
 Overview Documents
 Alliance Profile
 Top 10 Recommendations for
Plant-wide EtherNet/IP
Deployments
 Design Considerations for
Securing Industrial Automation
and Control System Networks
Additional Material
Topic | Design Guide | Whitepaper
Design Considerations for Securing IACS Networks | — | ENET-WP031A-EN-P
Converged Plantwide Ethernet – Baseline Document | ENET-TD001E-EN-P | —
Resilient Ethernet Protocol in a CPwE Architecture | ENET-TD005B-EN-P | ENET-WP033A-EN-P
Deploying 802.11 Wireless LAN Technology within a CPwE Architecture | ENET-TD006A-EN-P | ENET-WP034A-EN-P
Deploying Identity Services within a CPwE Architecture | ENET-TD008A-EN-P | ENET-WP037A-EN-P
Securely Traversing IACS Data Across the Industrial Demilitarized Zone (IDMZ) | ENET-TD009A-EN-P | ENET-WP038A-EN-P
Deploying Network Address Translation within a CPwE Architecture | ENET-TD007A-EN-P | ENET-WP036A-EN-P
Migrating Legacy IACS Networks to a CPwE Architecture | ENET-TD011A-EN-P | ENET-WP040A-EN-P
Deploying A Resilient Converged Plantwide Ethernet Architecture | ENET-TD010A-EN-P | ENET-WP039B-EN-P
Site-to-site VPN to a CPwE Architecture | ENET-TD012A-EN-P | —
Deploying Industrial Firewalls within a CPwE Architecture | ENET-TD002A-EN-P | ENET-WP011B-EN-P
Additional Material
 Ethernet Design Considerations Reference Manual
 ENET-RM002C-EN-P
 EtherNet/IP Overview, Ethernet Infrastructure Components, EtherNet/IP Protocol
 EtherNet/IP IntelliCENTER® Reference Manual (MCC-RM001)
 The OEM Guide to Networking
 ENET-RM001A-EN-P
 Intended to help OEMs understand relevant technologies, networking capabilities and other considerations that could impact them as they develop EtherNet/IP solutions for the machines, skids or equipment they build
 Segmentation Methods Within the Cell/Area Zone, ENET-AT004B-EN-E
Additional Material
 Integrated Architecture® Builder (IAB)
 Updates and additions to better reflect CPwE structure, hierarchy and best practices
 Improved Switch Wizard for distribution (e.g. Stratix® 5410) and access (e.g. Stratix® 5700)
 Easier to create a large EtherNet/IP network with many topologies
 CIP traffic is measured per segment, not just controller scanner and adapter centric
 EtherNet/IP Capacity Tool
 Popular Configuration Drawings (PCDs)
 Updates and additions to better reflect recent CPwE enhancements
Training Resources
Training Resources
Education - Industrial IoT / Industrial IT (Bridging OT-IT)
 A 'go-to' resource for training and educational information on standard Internet Protocol (IP), security, wireless and other emerging technologies for industrial applications
 Led by Cisco, Panduit, and Rockwell Automation®
 Receive monthly e-newsletters with articles and videos on the latest trends
 Scenario-based training on topics such as: logical topologies, protocols, switching, routing, wireless and physical cabling
Network Design eLearning course available at a promotional price for TechEd attendees!
Earn PDHs by signing up today at www.industrial-ip.org with code "EVENTS2017"
Training Resources
Four eLearning courses cover key aspects of implementing networked, industrial
control systems. 20-30 minute interactive, scenario-based courses cover automation
controls and physical infrastructure considerations.
Training Resources
Education - Industrial IoT / Industrial IT (Bridging OT-IT)
 Courses 1 and 2: Designing for the Cell/Area Zone
 Design secure, robust, future-ready networks for cells, machines, skids and other functional units by implementing reference architectures and standard IP.
 Course 3: Designing for the Industrial Zone
 Learn design principles on line integration, high-availability networks and wireless architectures to optimize plant networks.
 Course 4: IT/OT Integration
 Understand how to effectively converge a smart manufacturing facility with IT and OT stakeholders.
Topics covered: EtherNet/IP, Topologies, Security, Wireless
Training Resources
• Cisco Industrial Networking Specialist Training and Certification
– Classroom training: Managing Industrial Networks with Cisco Networking Technologies (IMINS)
– Exam: 200-401 IMINS
– CPwE Design Considerations and Best Practices
• CCNA Industrial Training and Certification
– Classroom training: Managing Industrial Networks for Manufacturing with Cisco Technologies (IMINS2)
– Exam: 200-601 IMINS2
– CPwE Design Considerations and Best Practices
Training Resources
Industrial Networking Specialist
Module 1: Industrial Networking Solutions and Products
Module 2: Industrial Network Documentation and Deployment Considerations
Module 3: Installing Industrial Network Switches, Routers, and Cabling
Module 4: Deploying Industrial Ethernet Devices
Module 5: Maintaining Industrial Ethernet Networks
Module 6: Troubleshooting Industrial Ethernet Networks
CCNA Industrial
Module 1: Industrial Networking Concepts and Components
Module 2: General Troubleshooting Issues
Module 3: EtherNet/IP
Module 4: Troubleshooting EtherNet/IP
Module 5: PROFINET
Module 6: Configuring PROFINET
Module 7: Troubleshooting PROFINET
Module 8: Exploring Security Concerns
Module 9: 802.11 Industrial Ethernet Wireless Networking
Training Resources
Rockwell Automation® - Webinars
 Industrial Automation Webinars
 On Demand Webinars
 Introduction to Building a Robust, Secure and Future-ready Network
Infrastructure
 Increase Business Agility by Converging Manufacturing and Business
Systems
 The Power of Building a Secure Network Infrastructure
 Design Considerations for Building a Secure Network Infrastructure
Complete A Survey
Please take a moment to complete the brief session survey on our mobile app and let us know how we're doing!
 Download the ROKTechED app and login:
Username: Last name
Password: Email address used to register
 Locate the session in the "Schedule" icon
 Click on the "Survey" icon in the lower right corner of the session details
 Complete survey & submit
Thank you!
www.rockwellautomation.com
Thank You
Deploy Secure Network Architectures for The Connected Enterprise

  • 7. Converged Plantwide Ethernet (CPwE) – Industrial IT (Bridging OT and IT), Industrial IoT
     Tested, validated and documented reference architectures
     Comprised of a collection of Cisco and Rockwell Automation® validated architectures, following the Cisco Validated Design (CVD) program
     Developed from application and technology use cases
     Industry neutral, one-to-many approach; customers adapt to meet their application needs
     Tested for performance, availability, repeatability, scalability and security by subject matter authorities at Cisco and Rockwell Automation® CPwE test labs
     Built on technology and industry standards (IEC, IEEE, IETF)
     “Future-ready” network design
     Content relevant to both OT and IT Engineers
     Deliverables: White Papers, Design & Implementation Guides – recommendations, best practices, documented test results and configuration settings
     Proven architectures: help customers to reduce their costs by simplifying their designs, accelerating their deployments, and reducing their risk in deploying new technology
  • 8. CPwE Architectures – Collection of Standalone Cisco and Rockwell Automation® Validated Designs
     CPwE Baseline – Sept. 2011
     CPwE REP – June 2014
     CPwE WLAN – Nov. 2014
     CPwE NAT – June 2015
     CPwE ISE – July 2015
     CPwE IDMZ – July 2015
     CPwE Resiliency – Dec. 2015
     CPwE Migration – Jan. 2016
     CPwE VPN – March 2016
     CPwE Ind. Firewall – Dec. 2016
     CPwE Ind. Comp. – July 2017
    CPwE Test Labs:
     Rockwell Automation® – Mayfield Heights, OH
     Cisco – Raleigh, NC (RTP)
     Panduit – Tinley Park, IL
  • 9. CPwE Technical Resources
    Topic | Design Guide | Whitepaper
    Design Considerations for Securing IACS Networks | — | ENET-WP031A-EN-P
    Converged Plantwide Ethernet – Baseline Document | ENET-TD001E-EN-P | —
    Resilient Ethernet Protocol in a CPwE Architecture | ENET-TD005B-EN-P | ENET-WP033A-EN-P
    Deploying 802.11 Wireless LAN Technology within a CPwE Architecture | ENET-TD006A-EN-P | ENET-WP034A-EN-P
    Deploying Identity Services within a CPwE Architecture | ENET-TD008A-EN-P | ENET-WP037A-EN-P
    Securely Traversing IACS Data Across the Industrial Demilitarized Zone (IDMZ) | ENET-TD009A-EN-P | ENET-WP038A-EN-P
    Deploying Network Address Translation within a CPwE Architecture | ENET-TD007A-EN-P | ENET-WP036A-EN-P
    Migrating Legacy IACS Networks to a CPwE Architecture | ENET-TD011A-EN-P | ENET-WP040A-EN-P
    Deploying A Resilient Converged Plantwide Ethernet Architecture | ENET-TD010A-EN-P | ENET-WP039B-EN-P
    Site-to-site VPN to a CPwE Architecture | ENET-TD012A-EN-P | —
    Deploying Industrial Firewalls within a CPwE Architecture | ENET-TD002A-EN-P | ENET-WP011A-EN-P
  • 10. CPwE Technical Resources – the same table as slide 9, with the subjects covered in this session highlighted (the highlighting is not recoverable from the extraction)
  • 11. CPwE: Secure Connectivity between Manufacturing and Business Systems – Industrial IT (Bridging OT-IT), Industrial IoT
    (Plant-wide architecture diagram spanning Operational Technology, Industrial IT and Information Technology; labels recovered from the figure:)
    Enterprise Zone, Levels 4-5: Wide Area Network (WAN); External DMZ/Firewall; Internet; Enterprise Identity Services; Data Center – Virtualized Servers: ERP – Business Systems; Email, Web Services; Security Services – Active Directory (AD), Identity Services (AAA); Network Services – DNS, DHCP; Call Manager
    Industrial Demilitarized Zone (IDMZ): Plant Firewalls – Active/Standby; Inter-zone traffic segmentation; ACLs, IPS and IDS; VPN Services; Portal and Remote Desktop Services proxy. Physical or Virtualized Servers – Patch Management; AV Server; Application Mirror; Remote Desktop Gateway Server
    Industrial Zone, Levels 0–3 (Plant-wide Network): Core Switches; Distribution Switch Stack; Identity Services; Level 3 – Site Operations (Control Room): Physical or Virtualized Servers – FactoryTalk® Application Servers and Services Platform; Network & Security Services – DNS, AD, DHCP, Identity Services (AAA); Storage Array; Remote Access Server; Active/Standby Wireless LAN Controller (WLC)
    Cell/Area Zones, Levels 0–2: Rockwell Automation® Stratix® 5000/Stratix® 8000 Layer 2 Access Switches; industrial firewalls (IFW); Redundant Star Topology – Flex Links Resiliency; Linear/Bus/Star Topology; Ring Topology – Resilient Ethernet Protocol (REP); Unified Wireless LAN (LWAP, WGB, SSID 5 GHz) and Autonomous Wireless LAN (AP, WGB, SSID 5 GHz / 2.4 GHz) for Lines, Machines, Skids, Equipment; end devices: Controller, Safety Controller, HMI, I/O, Safety I/O, Drive, Servo Drive, Soft Starter, Robot, Camera, Phone, Instrumentation
  • 12. Logical Framework – Converged Plantwide Ethernet (CPwE)
    Operational Technology: EtherNet/IP (Industrial Protocol), Real-time Control and Information, Industrial Security Policies, Wired and Wireless LANs (Unified and Autonomous WLAN), Fast Network Resiliency, Traffic Segmentation, Data Prioritization, Ease of Use
    Secure Application and Data Share, Inter-zone Segmentation, Access Control, Threat Protection
    Industrial IT: Industrial Security Policies, Site Operations, Network Resiliency, Virtualization, Traffic Segmentation, Routing, Network and Security Management
    Information Technology: Enterprise Security Policies, Collaboration Tools, Unified Wireless, Business Application Optimization
    (The slide repeats the plant-wide architecture diagram of slide 11 beneath these columns.)
  • 13. Industrial Security Standards
     International Society of Automation – IEC-62443 (Formerly ISA99), Industrial Automation and Control Systems (IACS) Security: Zones and Conduits; Defense-in-Depth; IDMZ Deployment
     National Institute of Standards and Technology – NIST 800-82, Industrial Control System (ICS) Security: Cyber security Framework (Identify, Protect, Detect, Respond, Recover); Defense-in-Depth; IDMZ Deployment
     The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) – Secure Architecture Design: Defense-in-Depth; IDMZ Deployment
     Department of Homeland Security / Idaho National Lab – DHS INL/EXT-06-11478, Control Systems Cyber Security: Defense-in-Depth Strategies: Defense-in-Depth; IDMZ Deployment
  • 14. Industrial Network Security Framework – CPwE Holistic Defense-in-Depth
    (Architecture diagram; labels recovered from the figure:)
    Enterprise Zone: Levels 4-5 – Enterprise Identity Services; External DMZ/Firewall; Internet
    Industrial Demilitarized Zone (IDMZ) – Physical or Virtualized Servers: Patch Management; AV Server; Application Mirror; Remote Desktop Gateway Server
    Industrial Zone: Levels 0-3 – Level 3 Site Operations (Core Switches, Distribution Switch Stack, Active/Standby Wireless LAN Controller (WLC)); Level 2 Area Supervisory Control (FactoryTalk® Client); Level 1 Controller; Level 0 Process (MCC, Drive, Soft Starter, I/O, LWAP/WGB with SSID 2.4 GHz and 5 GHz, IFW)
    Stakeholder labels on the diagram: Control System Engineers; Control System Engineers in Collaboration with IT Network Engineers (Industrial IT); IT Security Architects in Collaboration with Control Systems Engineers
  • 15. Industrial Demilitarized Zone (IDMZ)
  • 16. IDMZ (the slide repeats the CPwE holistic defense-in-depth architecture diagram of slide 14 under this title)
  • 17. Controlling Access to the Industrial Zone – CPwE Logical Model
    CPwE Logical Model – Industrial Automation and Control System (IACS), Converged Multi-discipline Industrial Network. No Direct Traffic Flow between Enterprise and Industrial Zone.
    Enterprise Security Zone, Levels 4-5:
      Level 5 – Enterprise Network (Web, Email)
      Level 4 – Site Business Planning and Logistics Network (Email, Intranet, etc.)
    Firewall
    Industrial DMZ, Level 3.5: Remote Desktop Gateway Services; Patch Management; AV Server; Application Mirror; Web Services Operations; Reverse Proxy
    Firewall
    Industrial Security Zone(s), Levels 0-3:
      Level 3 – Site Operations: FactoryTalk® Application Server; FactoryTalk® Directory; Engineering Workstation; Remote Access Server
      Cell/Area Zone(s), Levels 0-2 (CIP):
        Level 2 – Area Supervisory Control: FactoryTalk® Client; Operator Interface; Engineering Workstation
        Level 1 – Basic Control: Batch Control; Discrete Control; Drive Control; Continuous Process Control; Safety Control
        Level 0 – Process: Sensors; Drives; Actuators; Robots
  • 18. What is an Industrial DMZ?
     An IDMZ, or industrial demilitarized zone, is a sub-network placed between a trusted network (industrial) and an untrusted network (enterprise). The IDMZ contains business-facing assets that act as brokers between the trusted and untrusted networks.
     Traffic never travels directly across the IDMZ.
     A properly designed IDMZ can be unplugged if compromised and still allow the industrial network to operate without disruption.
  • 19. Demilitarized Zone (DMZ)
     Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.
    (Diagram: UNTRUSTED – Internet | BROKER – Web Proxy | TRUSTED)
  • 20. Industrial Demilitarized Zone (IDMZ) – Controlling Access to the Industrial Zone
     Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the IDMZ is to add an additional layer of security to the trusted network.
    (Diagram: Enterprise Security Zone – TRUSTED? UNTRUSTED? | Industrial DMZ – BROKER | Industrial Security Zone – TRUSTED)
  • 21. IDMZ – Replicated Data and Services
    (Architecture diagram; labels recovered from the figure:)
    Enterprise Zone, Levels 4-5: Wide Area Network (WAN); Core switches; WLC (Enterprise); ISE (Enterprise); Physical or Virtualized Servers – ERP, Email; Active Directory (AD), AAA – Radius; Call Manager. Users shown: Plant Manager (Web Reports), Engineer (Remote Access), Untrusted.
    Firewalls (Active/Standby), each marked Firewall (Inspect Traffic), on both sides of the IDMZ.
    Industrial Demilitarized Zone (IDMZ): Physical or Virtualized Servers – Patch Management; AV Server; Application Mirror; Remote Desktop Gateway Server; Web Proxy; Remote Desktop Gateway.
    Industrial Zone, Levels 0-3: Level 3 Site Operations – Core switches; Distribution switch; ISE; WLC (Active) / WLC (Standby); Remote Access Server; VantagePoint®; Physical or Virtualized Servers – FactoryTalk® Application Servers & Services; Network Services – e.g. DNS, AD, DHCP, AAA; Call Manager; Storage Array. Levels 0-2 Cell/Area Zone – PAC; FactoryTalk® Client; LWAP; WGB; MCC; Drive; IO.
    Policy labels on the figure:
     Permit Secure Remote Access to Industrial Assets (Permit Remote Desktop Gateway)
     Permit Data from the Industrial Zone to Enterprise Stakeholders (Permit Web Reports / Web Proxy)
     Block Untrusted Access to Industrial Zone
     Block Untrusted Access to Enterprise Zone
  • 22. Industrial Demilitarized Zone (IDMZ) – Design Tenets – Best practices
     All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
     Only path between zones
     No common protocols in each logical firewall
     No control traffic into the IDMZ, CIP stays home
     No primary services are permanently housed in the IDMZ
     IDMZ shall not permanently house data
     Application data mirror to move data into and out of the Industrial Zone
     Limit outbound connections from the IDMZ
     Be prepared to “turn-off” access via the firewall
    (Diagram: Enterprise Security Zone (Trusted? Untrusted?) – Disconnect Point – IDMZ (Replicated Services) – Disconnect Point – Industrial Security Zone (Trusted); No Direct Traffic)
  • 23. Industrial Demilitarized Zone (IDMZ) – Controlling Access to the Industrial Zone
     Set up functional sub-zones in the IDMZ to segment access to data and services (e.g. Partner zone, Operations, IT)
     If the IDMZ is compromised, it will be the buffer between the Enterprise and Industrial Zone
     Most attacks will attempt to pivot to other machines on the same network
     Use the Firewall, Intrusion Detection and Intrusion Prevention to stop the “pivot”
    (Diagram: Enterprise Zone (Trusted? Untrusted?) – Disconnect Point – IDMZ with Multiple Functional Subzones: Terminal Services, Patch Management, Historian Mirror, Web Services, Operations Application Server, AV Server – Disconnect Point – Industrial Zone (Trusted); No Direct Traffic; Block)
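The design tenets of slide 22 and the sub-zone rule of slide 23 can be turned into a mechanical review of a proposed firewall rule set before it is pushed to the two IDMZ firewalls. The following is an added example written for this page, not Rockwell Automation or Cisco code: the `Rule` schema, the three zone names, the sub-zone names and the sample rules are all constructed for the illustration; only the EtherNet/IP port numbers and the HTTPS/RDP ports of the Remote Desktop Gateway pattern are standard values. It flags direct Enterprise-to-Industrial traversal, CIP into the IDMZ, the same protocol permitted on both logical firewalls, IDMZ-initiated flows that are not on an explicit allow-list, and flows between IDMZ functional sub-zones (the pivot path).

```python
from dataclasses import dataclass

# Zone names are constructed for this example; they follow the deck's three-zone model.
ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"

# EtherNet/IP (CIP) transports: explicit messaging on TCP/UDP 44818, implicit I/O on
# UDP 2222. The deck's tenet is that control traffic never enters the IDMZ.
CIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Rule:
    """One permit/deny line on either logical firewall of the IDMZ (hypothetical schema)."""
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    action: str = "permit"
    src_subzone: str = ""  # functional sub-zone inside the IDMZ, e.g. "partner"
    dst_subzone: str = ""


def leg(rule):
    """Which logical firewall a rule belongs to, or None when it would cross both."""
    zones = {rule.src_zone, rule.dst_zone}
    if zones <= {ENTERPRISE, IDMZ}:
        return "enterprise-leg"
    if zones <= {IDMZ, INDUSTRIAL}:
        return "industrial-leg"
    return None


def check_rules(rules, idmz_outbound_allow=frozenset()):
    """Return (finding_code, detail) for every design tenet a permit rule breaks."""
    findings = []
    per_leg = {"enterprise-leg": set(), "industrial-leg": set()}

    for r in (r for r in rules if r.action == "permit"):
        where = f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.port}"
        # Tenet: all traffic terminates in the IDMZ; nothing traverses it directly.
        if leg(r) is None:
            findings.append(("direct-traversal", where))
            continue
        per_leg[leg(r)].add((r.proto, r.port))
        # Tenet: no control traffic into the IDMZ, CIP stays home.
        if (r.proto, r.port) in CIP_PORTS and IDMZ in (r.src_zone, r.dst_zone):
            findings.append(("cip-into-idmz", where))
        # Tenet: limit outbound connections initiated from the IDMZ to an allow-list.
        if r.src_zone == IDMZ and r.dst_zone != IDMZ \
                and (r.dst_zone, r.proto, r.port) not in idmz_outbound_allow:
            findings.append(("idmz-outbound-not-allowlisted", where))
        # Slide 23: functional sub-zones must not reach each other (stop the pivot).
        if r.src_zone == r.dst_zone == IDMZ and r.src_subzone != r.dst_subzone:
            findings.append(("subzone-pivot",
                             f"{r.src_subzone}->{r.dst_subzone} {r.proto}/{r.port}"))

    # Tenet: no common protocols on the two logical firewalls.
    for proto, port in sorted(per_leg["enterprise-leg"] & per_leg["industrial-leg"]):
        findings.append(("common-protocol-both-legs", f"{proto}/{port}"))
    return findings


# Constructed rule set. Only the RD Gateway's RDP hop into the Industrial Zone is
# an approved IDMZ-initiated flow (port numbers are standard, zones are assumed).
IDMZ_OUTBOUND_ALLOW = frozenset({(INDUSTRIAL, "tcp", 3389)})

SAMPLE_RULES = [
    Rule(ENTERPRISE, IDMZ, "tcp", 443),          # clients -> RD Gateway over HTTPS: fine
    Rule(IDMZ, INDUSTRIAL, "tcp", 3389),         # RD Gateway -> terminal server: fine
    Rule(ENTERPRISE, INDUSTRIAL, "tcp", 3389),   # RDP straight through: direct traversal
    Rule(ENTERPRISE, IDMZ, "tcp", 44818),        # CIP into the IDMZ
    Rule(ENTERPRISE, IDMZ, "tcp", 3389),         # RDP on both legs: common protocol
    Rule(IDMZ, ENTERPRISE, "tcp", 25),           # IDMZ-initiated flow not on the allow-list
    Rule(IDMZ, IDMZ, "tcp", 445, src_subzone="partner", dst_subzone="operations"),
    Rule(ENTERPRISE, INDUSTRIAL, "tcp", 44818, action="deny"),  # denies are not flagged
]


def audit_sample():
    return check_rules(SAMPLE_RULES, IDMZ_OUTBOUND_ALLOW)


if __name__ == "__main__":
    for code, detail in audit_sample():
        print(f"{code:32} {detail}")
```

Run against the constructed rule set, the checker reports five findings, one per tenet; the allow-list is the place where the "limit outbound connections" tenet becomes an explicit, reviewable list rather than an informal understanding, and the common-protocol check is what catches an otherwise reasonable-looking rule that lets the same protocol span both firewalls.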
  • 24. Controlling Access to the Industrial Zone – One Size Does Not Fit All
    Not Recommended:
      Figures 1–3 – Enterprise-wide Network and Plant-wide Network (no security device labelled between them)
      Figure 4 – Switch with VLANs between the Plant-wide Network and the Enterprise-wide Network
    Recommended – depending on end users' standards, security policies and procedures, risk tolerance, and alignment with applicable IACS Security Standards:
      Silver – Figure 5: Router (Zone Based FW) between the Plant-wide Network and the Enterprise-wide Network
      Gold – Figure 6: Firewall between the Plant-wide Network and the Enterprise-wide Network
      Platinum – Figure 7: IDMZ between the Plant-wide Network and the Enterprise-wide Network
  • 25. “Typical” Systems We’ve Seen Involved in IDMZ Designs
    (Firewall (Inspect) on each side of the IDMZ)
    Use Case | Enterprise Zone: Levels 4-5 | Industrial Demilitarized Zone (IDMZ) | Industrial Zone: Levels 0-3
    User Wants Historian Data and Reports | Historian | PI to PI Connector | Historian
    Domain Controller Replication | Domain Controller | Domain Controller | Domain Controller
    User Wants Web Reports | Web Reports | Reverse Web Proxy | Web Servers
    User Wants to Send / Retrieve Files | Secure File Transfer | Secure File Transfer Gateway | File Server
    Configure, Troubleshoot Industrial Zone Asset | Remote Desktop Client | Remote Desktop Gateway | Terminal Server
    Update AV and Install O.S Patches | O.S Patch, Anti Virus Update | Anti Virus & WSUS Server | Servers, Desktops, Laptops
    Synchronized Time Across All Zones | NTP Master Server | IDMZ NTP Server | Ind. Zone NTP Server
  • 26. FactoryTalk® Historian Data Transfer
    1) Controller data is sent to the Historian SE database via RSLinx® Enterprise (FactoryTalk® Live Data)
    2 & 3) Data is sent from the Industrial Zone Historian SE to the Enterprise Historian SE through the PI to PI connector
    4) FactoryTalk® VantagePoint® (VP) gathers preconfigured data from the Enterprise Historian SE to generate reports.
    5) A FactoryTalk® VantagePoint® client requests a web report based on the data collected from the Enterprise Historian SE.
    (Architecture diagram; labels recovered from the figure: Enterprise Zone Levels 4-5 – Enterprise WAN, Internet, External DMZ / Firewall, Core switches, WLC (Enterprise), ISE (Enterprise), Historian SE (Enterprise), VantagePoint® Server, Historian / VP Client; Firewalls (Active/Standby) around the Industrial Demilitarized Zone (IDMZ) with PI to PI; Industrial Zone Levels 0-3 – Level 3 Site Operations with Core switches, Distribution switch, ISE, WLC (Active/Standby), Historian SE, RSLinx® Enterprise, FactoryTalk® Directory; Levels 0-2 Cell/Area Zone with PAC, FactoryTalk® Client, LWAP, WGB, MCC, Drive, I/O; Data Request steps 1–5 marked on the diagram)
  • 27. Remote Desktop Gateway
     Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway (TS Gateway), is a role in the Remote Desktop Services server role included with Windows Server® 2008 R2.
     Enables authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.
     RD Gateway transmits RDP traffic to port 443 by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel.
     RD Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.
    http://technet.microsoft.com/en-us/library/cc731150.aspx
    Diagram: Remote Desktop Clients (Enterprise Zone) -> HTTPS -> Windows Server 2008 R2 Remote Desktop Gateway (IDMZ) -> RDP (3389) -> Active Directory Server, Historian Server, Application Server(s) (Industrial Zone).
  • 28. Remote Desktop Session Host CALs
     Anyone who wants to connect to a Remote Desktop Session Host (Terminal Server) must have a Client Access License (CAL).
    Consult Microsoft to validate your CAL questions: http://www.microsoft.com/licensing/about-licensing/client-access-license.aspx
  • 29. Remote Desktop Gateway: 1 of 2
    Diagram: Enterprise Zone (Levels 4 and 5) -> Firewall (Inspect Traffic) -> Remote Desktop Gateway (IDMZ) -> Firewall (Inspect Traffic) -> Terminal Server (Industrial Zone, Levels 0-3). Actors: Al Admin (Group = ProdAdmins), Ed Engineer (Group = Engineers), Matt Maint (Group = Maintenance), Joe Oemone (Group = OEM One), Bob Oemtwo (Group = OEM Two).
    Access matrix, asset = Terminal Server. Columns: Group, User, Direct Access, Via Remote Desktop Gateway, Access Via IACS Terminal Server, Studio 5000® Project: Open, Studio 5000® Tag: Force, Studio 5000® Firmware: Update (marks listed in the order they appear on the slide):
     Operators / Oscar Operator: —
     Maintenance / Matt Maint: x — x x
     Engineers / Ed Engineer: x — x x x
     ProdAdmins / Al Admin: x — x x x
     OEM1 (Trusted Partner) / Joe Oemone: x — x
     OEM2 (Trusted Partner) / Bob Oemtwo: x — x
    Resource Authorization Policies (RAP) - Who can connect? Connection Authorization Policies (CAP) – What can they connect to?
  • 30. Remote Desktop Gateway: 2 of 2
    Diagram: Enterprise Zone (Levels 4 and 5) -> Firewall (Inspect Traffic) -> Remote Desktop Gateway (IDMZ) -> Firewall (Inspect Traffic) -> Terminal Server and Engineering Workstation (Industrial Zone, Levels 0-3). Actors: Al Admin (Group = ProdAdmins), Ed Engineer (Group = Engineers), Matt Maint (Group = Maintenance), Joe Oemone (Group = OEM One), Bob Oemtwo (Group = OEM Two).
    Access matrix, asset = Engineering Workstation. Columns: Group, User, Direct Access, Via Remote Desktop Gateway, Access Via IACS Terminal Server, Studio 5000® Project: Open, Studio 5000® Tag: Force, Studio 5000® Firmware: Update (marks listed in the order they appear on the slide):
     Operators / Oscar Operator: (none)
     Maintenance / Matt Maint: x x x
     Engineers / Ed Engineer: x x x x x
     ProdAdmins / Al Admin: x x x x x
     OEM1 (Trusted Partner) / Joe Oemone: x x
     OEM2 (Trusted Partner) / Bob Oemtwo: x x
    Resource Authorization Policies (RAP) - Who can connect? Connection Authorization Policies (CAP) – What can they connect to?
  • 31. FactoryTalk® View SE Server Via Remote Desktop Gateway
    1) VPN session established with customer site.
    2) The Remote Desktop Connection application is launched from the remote user’s computer. The user enters the Industrial Zone Remote Session Host’s address as the target desktop and starts the session.
    3) The Remote Desktop Gateway server in the IDMZ validates the SSL certificate and the user name and password.
    4) The Remote Session Host’s desktop is now presented to the remote desktop user.
    Diagram: CPwE reference architecture (Enterprise Zone Levels 4-5, IDMZ, Industrial Zone Levels 0-3) with the Remote Desktop Client in the Enterprise Zone, the Remote Desktop Gateway in the IDMZ, and the Terminal Server, View SE Client, View SE Server, RSLinx® Enterprise, FactoryTalk® Live Data and FactoryTalk® Directory in the Industrial Zone.
  • 32. FactoryTalk® View SE Server Via Cisco ASA RDP Plug-in
    1) VPN session established with customer site.
    2) The user enters the ASA Firewall URL in an Internet browser and is authenticated to the ASA Firewall.
    3) The ASA portal presents the pre-configured URLs to the Industrial Zone Terminal Server.
    4) The Remote Session Host’s desktop is now presented to the remote desktop user.
    Diagram: CPwE reference architecture (Enterprise Zone Levels 4-5, IDMZ, Industrial Zone Levels 0-3) with the Remote Client reaching the Cisco ASA RDP Plug-in in the IDMZ, and the Terminal Server, View SE Client, View SE Server, RSLinx® Enterprise, FactoryTalk® Live Data and FactoryTalk® Directory in the Industrial Zone.
  • 33. Web Proxies
    Diagram: Requesting Clients -> Forward Web Proxy -> Internet; Internet -> Reverse Web Proxy -> Application Server(s).
     Forward proxies “hide” the clients.
     Reverse proxies “hide” the servers.
  • 34. Reverse Web Proxy in the IDMZ
    Same concept: the Reverse Web Proxy “hides” the FactoryTalk® web servers.
    Diagram: Requesting Clients (Enterprise Zone) -> Reverse Web Proxy (IDMZ) -> FactoryTalk® Metrics Server, VantagePoint® Server, FactoryTalk® ViewPoint Server (Industrial Zone).
  • 35. Reverse Web Proxy Operation
    Diagram: Enterprise client (Enterprise Zone) -> HTTPS to Proxy URL -> Reverse Web Proxy, ProdWebServerProx (IDMZ) -> HTTP/HTTPS to Server URL -> Web Application Server(s), ProdWebServer (Industrial Zone).
    1) The Enterprise client requests a web report from the Reverse Web Proxy at https://ProdWebServerProx/Main.html.
    2) The Reverse Web Proxy rewrites the URL to https://ProdWebServer/Main.html.
    3) It sends the request for Main.html to ProdWebServer.
    4) ProdWebServer receives the request and sends the Main.html web page to ProdWebServerProx.
    5) ProdWebServerProx receives the Main.html web page and forwards the page content, but rewrites the URL to https://ProdWebServerProx/Main.html.
    6) The Enterprise client displays the content of Main.html and the URL reads http://ProdWebServerProx/Main.html.
    Now Supported.
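The security point of steps 2 and 5 is that the Industrial Zone server name must never reach an Enterprise client: the proxy rewrites the request host on the way in and every backend URL (body links, redirects, cookie domains) on the way out. The following is an added example of that rewriting, not code from the slides or from any proxy product; only the two hostnames ProdWebServerProx and ProdWebServer come from the slide, the header handling and the leak check are constructed.

```python
"""URL rewriting performed by a reverse web proxy, as in the IDMZ flow above.

Added example, not the project's or any vendor's code. The hostnames
ProdWebServerProx (published proxy) and ProdWebServer (hidden Industrial Zone
server) come from the slide; everything else is constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

PROXY_HOST = "ProdWebServerProx"   # the only name Enterprise clients should ever see
BACKEND_HOST = "ProdWebServer"     # Industrial Zone web server behind the IDMZ

# Matches the backend name as a whole word, so "ProdWebServerProx" is NOT a hit.
_BACKEND_NAME = re.compile(r"(?i)\b" + re.escape(BACKEND_HOST) + r"\b")
_ABS_URL = re.compile(r"https?://[^\s\"'<>]+")


def _swap_host(url: str, old: str, new: str) -> str:
    """Replace the hostname of an absolute URL, keeping scheme, port, path and query."""
    parts = urlsplit(url)
    if parts.hostname is None or parts.hostname.lower() != old.lower():
        return url
    netloc = new + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def to_backend_url(proxy_url: str) -> str:
    """Step 2: a request for the proxy name becomes a request for the real server."""
    rewritten = _swap_host(proxy_url, PROXY_HOST, BACKEND_HOST)
    if rewritten == proxy_url:
        # The proxy only publishes ProdWebServerProx; anything else is refused.
        raise ValueError("request is not addressed to the published proxy name")
    return rewritten


def to_proxy_url(backend_url: str) -> str:
    """Step 5: any URL naming the backend is rewritten to the proxy name."""
    return _swap_host(backend_url, BACKEND_HOST, PROXY_HOST)


def rewrite_body(html: str) -> str:
    """Rewrite every absolute backend URL embedded in a response body."""
    return _ABS_URL.sub(lambda m: to_proxy_url(m.group(0)), html)


def rewrite_headers(headers: dict) -> dict:
    """Rewrite response headers that commonly leak the backend name."""
    out = {}
    for name, value in headers.items():
        if name.lower() == "location":
            value = to_proxy_url(value)
        elif name.lower() == "set-cookie":
            value = re.sub(r"(?i)domain=" + re.escape(BACKEND_HOST) + r"\b",
                           "Domain=" + PROXY_HOST, value)
        out[name] = value
    return out


def leaks_backend_name(text: str) -> bool:
    """Final check before anything is returned to the Enterprise client."""
    return _BACKEND_NAME.search(text) is not None


def proxy_response(headers: dict, body: str):
    """Steps 5-6: rewrite the backend's response and report whether anything leaked."""
    new_headers = rewrite_headers(headers)
    new_body = rewrite_body(body)
    leaked = leaks_backend_name(new_body) or any(
        leaks_backend_name(v) for v in new_headers.values())
    return new_headers, new_body, leaked
```

The leak check is the part a reviewer should insist on: a proxy that rewrites `Location` but forgets cookie domains or absolute links in HTML still tells the Enterprise side what the Industrial Zone server is called, which defeats the reason for putting the proxy in the IDMZ.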
  • 36. Secure File Transfer
    1) A manual file transfer is initiated from the Industrial Zone.
    2) The user is authenticated on the Secured File Transfer Gateway and the file is transferred, inspected and saved.
    3) The Enterprise user logs onto the Secure File Transfer Gateway and retrieves the file.
    4) The Enterprise user wants to transfer a file to the Industrial Zone. The Enterprise user initiates a manual file transfer.
    5) The user is authenticated on the Secured File Transfer Gateway and the file is transferred, inspected and saved.
    6) The Industrial Zone user logs onto the Secure File Transfer Gateway and retrieves the file.
    Diagram: CPwE reference architecture (Enterprise Zone Levels 4-5, IDMZ, Industrial Zone Levels 0-3) with the Secure File Transfer Gateway in the IDMZ and manual file transfers from each zone to the gateway.
  • 37. Network Time Protocol (NTP)
    1) The Corporate Master NTP Server sends NTP time to the IDMZ NTP Server.
    2) The Corporate Master NTP Server sends NTP time to the Industrial Zone NTP Server.
    Diagram: CPwE reference architecture (Enterprise Zone Levels 4-5, IDMZ, Industrial Zone Levels 0-3) with the Corporate Master NTP Server in the Enterprise Zone, the IDMZ NTP Server in the IDMZ and the Industrial Zone NTP Server in Level 3 Site Operations.
  • 38. Domain Controller – Bi-directional Replication
    1) The Enterprise Domain Controller replicates any changes to the Industrial Zone Domain Controller.
    2) The Industrial Domain Controller replicates any changes to the Enterprise Zone Domain Controller.
    Diagram: CPwE reference architecture (Enterprise Zone Levels 4-5, IDMZ, Industrial Zone Levels 0-3) with the Enterprise Zone Domain Controller and the Industrial Zone Domain Controller replicating through the IDMZ.
  • 39. Firewalls in the CPwE Framework: Firewall Technology
  • 40. Industrial Firewall Design & Implementation Guide Available for Download
     Deploying Industrial Firewalls within a CPwE Architecture DIG outlines the concepts, requirements and technology solutions for application use cases that were tested, validated and documented by Cisco and Rockwell Automation® to help support a hardened and converged plant-wide EtherNet/IP IACS architecture.
    Design Guide: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td002_-en-p.pdf
    White Paper: http://literature.rockwellautomation.com/idc/groups/literature/documents/wp/enet-wp011_-en-p.pdf
  • 41. What’s in the Industrial Firewall Design & Implementation Guide?
    The following is a summary of the CPwE IFW CVD content:
     Industrial Firewalls Technology Overview
     Modes of operation: Inline Transparent mode, Inline Routed mode, Passive Monitor-only mode
     Network Protection (Cisco Adaptive Security Appliance) [Firewall]
     Intrusion Prevention and Detection (Cisco FirePOWER)
     Deep Packet Inspection (DPI) of the Common Industrial Protocol (CIP)
  • 42. What’s in the Industrial Firewall Design & Implementation Guide?
     Application use cases
       Equipment/Machine/Skid Protection
       Cell/Area Zone Protection: Redundant Star Topology, Ring Topology
       Cell/Area Zone Monitoring
     Management use cases
       Local Management: Command Line Interface (CLI), Adaptive Security Device Manager
       Centralized Management
       Migration from local to centralized management of industrial firewalls
  • 43. Stratix® 5950 Security Appliance: Firewall & Intrusion Detection / Prevention Technology
  • 44. Stratix® 5950 Security Appliance
     DIN rail mount offers increased design flexibility.
     Industrially-hardened for high temperature demands (-40°C to 60°C).
     Deep Packet Inspection technology provides the visibility and controls needed for implementing policies around access, applications and protocols on the plant floor.
     Maintain your protection against threats and control your assets with subscription based licensing.
     Cisco ASA firewall and FirePOWER technology provide prevention services to identify, log or block potentially malicious traffic.
     Two models: 2-port Copper and 2-port SFP, or 4-port Copper.
     SFP slots enable flexibility by allowing multiple options for fiber connectivity.
  • 45. Stratix® 5950 Software Architecture & Management Software
    On board the Stratix® 5950 hardware:
     Adaptive Security Appliance (ASA): Firewall, ACL, NAT & VPN
     FirePOWER: IPS - Application & Threat control
    Local management:
     Adaptive Security Device Manager (ASDM): Firewall & FirePOWER management
    Centralized management:
     FireSIGHT Management Center: FirePOWER Application & Threat Control
     Cisco Security Manager (CSM): Firewall, ACL, NAT & VPN
  • 46. Hardware Bypass
     The Stratix® 5950 provides an “Availability” function known as hardware bypass.
     If a power loss or other catastrophic disruption occurs, the copper ports can be configured to connect directly to one another immediately, bypassing the device while it is down.
    Diagram: when Hardware Bypass is triggered, the circuit is closed. This option is configurable.
  • 47. Performance
     Inline Transparent Mode
       Sustains a throughput in the range of 10 to 170 Mbps (13,000 to 186,000 packets per second) and may introduce additional latency in the range of 0.17 to 23 ms, depending on several factors including:
       Traffic type: CIP Class 1 (implicit) or Class 3 (explicit)
       Whether the Stratix® 5950 has the CIP inspection features enabled or not
       Average packet size
     Inline Routed Mode
       Sustains throughput in the range of 15 to 150 Mbps (15,000 to 147,000 packets per second) and may introduce additional latency in the range of 0.23 to 12.8 ms, depending on several factors including:
       Traffic type: CIP Class 1 (implicit) or Class 3 (explicit)
       Whether the Stratix® 5950 has the CIP inspection features enabled or not
       Average packet size
  • 48. Policies in the CPwE Framework
  • 49. What is a Security Policy?
     A security policy is a general statement produced by management or a security board to dictate security governance as it relates to organizational policy, an issue-specific policy or a system-specific policy.
     Policies are written in simple and easy-to-understand language that describes the purpose of the policy and defines who must follow the policy and the system(s) involved with the policy.
     Because policies are written in a very general manner, they are typically supported with procedures, standards and guidelines to provide the detail on how the policy will be implemented, enforced and monitored.
     Companies will commonly create security policies and then focus on the technologies that enforce the policies, whether they are technical controls such as a firewall or non-technical controls such as a procedure.
     A firewall policy is a system-specific policy that describes how the firewall will handle application traffic such as industrial automation control systems (IACS), web, or email.
  • 50. Stratix® 5950 Enables Granular Security to Meet Differing Security Policies
    Different security policies for different zones.
    Diagram: Enterprise Zone (Levels 4-5, Ent. Security Policy) and Internet -> Industrial Demilitarized Zone (IDMZ) -> Industrial Zone (Levels 0-3, plant-wide network) with Level 3 Site Operations (Control Room, Level 3 Security Policy) and several Cell/Area Zones (Levels 0-2, e.g. Cell B Security Policy); each is a Security Zone bounded by an industrial firewall (IFW) with industrial Ethernet switches (IES) inside.
  • 51. Before You Implement, Assess!
     Before a firewall policy is created, the organization should perform some form of risk analysis that is based on the organization’s security stance and that results in a list of the traffic types needed by the organization.
     Traffic types should then be categorized as to how they must be secured, including which types of traffic can traverse a firewall under what circumstances.
     This risk analysis should be based on an evaluation of threats, vulnerabilities and countermeasures in place to mitigate vulnerabilities, and the impact if IACS applications or data are compromised.
     More information regarding risk analysis can be found in the Guidelines on Firewalls and Firewall Policy at the following URL: http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
  • 52. Firewalls in the CPwE Framework: Firewall Technology
  • 53. Firewalls
     A firewall is a software or hardware device whose primary function is to permit or deny traffic as it attempts to enter or leave the network, based on explicit preconfigured policies or rules.
     Preconfigured rules are called Access Control Lists (ACLs).
     ACLs are a collection of Permit and Deny statements.
     Each Permit and Deny statement is referred to as an Access Control Entry (ACE).
    Diagram: Firewall with an Inside Interface and an Outside Interface between hosts 10.10.30.10 and 192.168.10.100, and an ACL of three ACEs:
     ACE: Allow ICMP (ping) traffic to 10.10.30.10
     ACE: Allow HTTPS traffic to 10.10.30.10
     ACE: Block all other traffic
  • 54. Firewalls
     Most firewalls are capable of inspecting the following elements of a packet, and are often called 5-tuple firewalls:
       Source MAC or IP address
       Destination MAC or IP address
       Source TCP or UDP port
       Destination TCP or UDP port
       Protocol: Layer 2, 3, 4 or 7
  • 55. Typical Firewall Rule as Seen from ASDM
    Screenshot: an ASDM access rule with its Interface, Source IP address, Destination IP address and Ports / Protocol(s) called out.
  • 56. Firewalls
     Most firewalls are capable of inspecting the following elements of a packet (5-tuple firewalls):
       Source MAC or IP address
       Destination MAC or IP address
       Source TCP or UDP port
       Destination TCP or UDP port
       Protocol: Layer 2, 3, 4 or 7
    To look deeper into the packet requires DPI.
  • 57. Firewalls
     Most firewalls are capable of inspecting the following elements of a packet (5-tuple firewalls):
       Source MAC or IP address
       Destination MAC or IP address
       Source TCP or UDP port
       Destination TCP or UDP port
       Protocol: Layer 2, 3, 4 or 7
    To look deeper into the packet requires DPI.
    Note: a firewall may inspect traffic for conformance with proper protocol behavior and drop non-compliant traffic, but it will not have deep knowledge of the protocol like DPI.
  • 58. Stateful
     Firewalls keep track of “legitimate” connections (SYN, SYN ACK, ACK).
     Firewalls reject attempted connections from sources without a SYN, SYN ACK, ACK connection history.
     If you use a packet crafting tool in an attempt to gain access through the firewall, the firewall will reject packets whose sequence numbers are out of range.
    Diagram: Firewall with an Inside Interface and an Outside Interface between 10.10.30.10 and 192.168.10.100; a legitimate SYN, SYN ACK, ACK exchange, and a crafted packet from 10.10.30.06 to destination 192.168.10.100 with Seq # 123456.
  • 59. Stateful – The Importance of Connections
     Firewalls keep track of “legitimate” connections (SYN, SYN ACK, ACK).
     Firewalls reject attempted connections from sources without a SYN, SYN ACK, ACK connection history.
     If you use a packet crafting tool in an attempt to gain access through the firewall, the firewall will reject packets whose sequence numbers are out of range.
    Diagram: Firewall with an Inside Interface and an Outside Interface between 10.10.30.10 and 192.168.10.100; a legitimate SYN, SYN ACK, ACK exchange, and a crafted packet from 10.10.30.06 to destination 192.168.10.100 with Seq # 123456.
    If you are changing firewall rules and there is an existing connection, the new rule will not take effect until you flush the connection or “flows”.
     This will bite you if you start applying “Deny” rules with existing connections. Knowing how a firewall works is important!!!
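The three behaviours on these slides (first-match ACL evaluation with an implicit deny, rejection of packets with no handshake history or an out-of-range sequence number, and new rules not touching flows that already exist until the connection table is cleared) are easiest to see in a small model. The following is an added example, not Cisco ASA code: the addresses 10.10.30.10, 192.168.10.100 and the crafted source 10.10.30.6 with sequence number 123456 come from slides 53, 58 and 61, the ACL (ICMP and HTTPS from 10.10.30.10 to 192.168.10.100, applied to the outside interface) is constructed from those slides, and the sequence window is a constructed simplification of what a real stateful firewall tracks.

```python
"""Toy stateful firewall: ordered ACL evaluation plus a connection table.

Added example, not Cisco ASA code. It models the behaviour described on the
Stateful slides (SYN handshake history, sequence-number window, and rules not
touching existing flows until connections are cleared). The addresses are the
slides' (10.10.30.10 outside, 192.168.10.100 inside, 10.10.30.6 as the crafted
source); the ACL combines slides 53 and 61 and is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

SEQ_WINDOW = 65_535   # constructed: how far a sequence number may run ahead of what we expect


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""     # "SYN" for a new connection attempt, "ACK" afterwards
    seq: int = 0


@dataclass(frozen=True)
class Ace:
    """One Access Control Entry: the first matching ACE decides the verdict."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


# Applied to the outside interface: ping and HTTPS from 10.10.30.10 to 192.168.10.100;
# everything else falls through to the implicit deny at the end of the list.
OUTSIDE_ACL: List[Ace] = [
    Ace("permit", "icmp", "10.10.30.10/32", "192.168.10.100/32"),
    Ace("permit", "tcp", "10.10.30.10/32", "192.168.10.100/32", 443),
]


class StatefulFirewall:
    def __init__(self, acl: List[Ace]):
        self.acl = list(acl)
        # 5-tuple -> next expected sequence number (client-to-server direction only)
        self.conns: Dict[Tuple[str, str, int, str, int], int] = {}

    def evaluate_acl(self, pkt: Packet) -> str:
        for ace in self.acl:
            if ace.matches(pkt):
                return ace.action
        return "deny"   # implicit deny

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet, updating connection state."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conns:
            # Existing flow: the ACL is NOT consulted again, only the sequence window.
            expected = self.conns[key]
            if not expected <= pkt.seq < expected + SEQ_WINDOW:
                return ("deny", "sequence number out of window")
            self.conns[key] = max(expected, pkt.seq)
            return ("permit", "existing connection")
        if pkt.proto == "tcp" and pkt.flags != "SYN":
            # Crafted mid-stream packet with no handshake history behind it.
            return ("deny", "no connection history")
        verdict = self.evaluate_acl(pkt)
        if verdict == "permit" and pkt.proto == "tcp":
            self.conns[key] = pkt.seq + 1    # the SYN consumes one sequence number
        return (verdict, "acl")

    def clear_conn(self) -> None:
        """Flush the connection table so new rules apply to every packet again."""
        self.conns.clear()
```

The sequence to try is the one the slide warns about: open an HTTPS flow, insert a deny ACE for port 443 at the top of the list, and watch the next packet on the existing flow still be permitted until `clear_conn()` is called; only then does the new SYN hit the deny.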
  • 60. Firewalls in the CPwE Framework
    Diagram: CPwE reference architecture with the Enterprise Zone (Levels 4-5), the IDMZ, and the Industrial Zone (Levels 0-3): Level 3 Site Operations (physical or virtualized servers for patch management, AV server, application mirror, Remote Desktop Gateway server; AAA; core switches; active and standby Wireless LAN Controllers), Level 2 Area Supervisory Control (FactoryTalk® client), Level 1 Controller and Level 0 Process (controllers, drives, soft starters, I/O, MCC, LWAP and WGB), with an Industrial Firewall in front of a controller.
    IDMZ firewalls create a security boundary between the Enterprise and Industrial Zones.
    Industrial firewall(s) can create security boundaries between Cell/Area Zones and even provide a granular security boundary on machines or skids.
  • 61. Firewalls – Question to the Audience
    I often hear the statement: “I have a firewall for security so I’m secure.”
    Question to the audience: let’s pretend I have the following firewall rule applied to the outside interface of the firewall:
    access-list 101 permit TCP host 10.10.30.10 host 192.168.10.100
    Diagram: Firewall with an Inside Interface and an Outside Interface between 10.10.30.10 and 192.168.10.100.
  • 62. Firewalls – Question to the Audience
    I often hear the statement: “I have a firewall for security so I’m secure.”
    Question to the audience: let’s pretend I have the following firewall rule applied to the outside interface of the firewall:
    access-list 101 permit TCP host 10.10.30.10 host 192.168.10.100
    Diagram: Firewall with an Inside Interface and an Outside Interface between 10.10.30.10 and 192.168.10.100.
    What happens if host 10.10.30.10 gets compromised? Does the firewall provide security?
  • 63. Firewalls – Question to the Audience
    I often hear the statement: “I have a firewall for security so I’m secure.”
    Question to the audience: if I have the following firewall rule applied to the outside interface of the firewall:
    access-list 101 permit TCP host 10.10.30.10 host 192.168.10.100
    What happens if host 10.10.30.10 gets compromised? Does the firewall provide security?
    Diagram: Firewall with an Inside Interface and an Outside Interface between 10.10.30.10 and 192.168.10.100.
    Okay, open-ended question: the firewall will not block unwanted conversations between the two hosts if a firewall rule permits the traffic. It is possible to send unwanted traffic on “allowed” ports as a means of getting through the firewall!! The reason I bring this up is that end host protection is still paramount, even with firewalls.
  • 64. Firewalls – Question to the Audience
    Question to the audience: if Host “A” 192.168.10.100 and Host “B” 192.168.10.101 are on the same network as shown in the diagram and Host “B” gets compromised, will the firewall save you?
    Diagram: Firewall with an Inside Interface and an Outside Interface; 10.10.30.10 on one side, Host A 192.168.10.100 and Host B 192.168.10.101 on the other.
  • 65. Firewalls – Question to the Audience
    Question to the audience: if Host “A” 192.168.10.100 and Host “B” 192.168.10.101 are on the same network as shown in the diagram and Host “B” gets compromised, will the firewall save you?
    Diagram: Firewall with an Inside Interface and an Outside Interface; 10.10.30.10 on one side, Host A 192.168.10.100 and Host B 192.168.10.101 on the other.
    Okay, another loaded question: we don’t really know. If Host “B” is compromised in such a manner as to attack Host “A”, then no, the firewall won’t save you. If Host “B” tries to connect beyond the firewall, maybe to some off-site command and control server, you may be able to catch the anomalous behavior. I’m going with “No, the firewall won’t save you.”
  • 66. Firewall Summary
     Firewalls are good security boundary appliances.
     Your firewall is only as good as your rules.
     We see a lot of “permit any any” rules because creating thorough rules can be tedious.
     If a rule permits traffic from a host on one side of the firewall to the other side of the firewall, a compromised host is very hard to detect.
     Look up netcat and netcat listeners.
     Deep Packet Inspection (DPI) is a good complement to the firewall functionality.
  • 67. CIP Deep Packet Inspection (DPI)
  • 68. Firewalls and Deep Packet Inspection
     Deep Packet Inspection extends the firewall’s capabilities.
     Provides granular protection per protocol (e.g. CIP, Modbus, DNP3) in the Industrial Zone.*
     Gives the visibility and control to help prevent erroneous or malicious activity down to the Cell/Area Zone level.
     Intrusion Prevention uses DPI.
     What do you want to do after you have inspected the packet?
      1) After inspecting the packet using DPI, achieve granular control through security rules that act on matched network traffic.
      2) Do we allow this application or command, or is this a known threat?
    *Note: Modbus and DNP3 were not tested and validated as part of the IFW DIG.
  • 69. IPS – IDS – Firewall Comparison
    Intrusion Prevention System (IPS)
     Inspects traffic flowing through a network and is capable of blocking what it determines to be malicious.
    Intrusion Detection System (IDS)
     Inspects traffic flowing through a network but does not affect traffic flows in any way; only logs or alerts on malicious traffic.
    Firewall
     Helps prevent or allow traffic between interfaces based on policies.
     Often uses network address translation (NAT) to isolate private network addresses from public ones.
     May inspect traffic for conformance with proper protocol behavior.
  • 70. CIP Deep Packet Inspection
     The ASA FirePOWER module has a software component, in addition to the Network Analysis Policy rules engine, called a preprocessor.
     The preprocessor handles the interpretation of the packet before it is handled by the rules engine.
     Common Industrial Protocol (CIP) DPI has been added to the Stratix® 5950.
     It is common for a standard to be extended by a vendor to support vendor-specific requirements not covered in the open standard. These are often proprietary extensions, which is why additional preprocessors are required for vendor-specific protocol extensions.
     Two types of CIP DPI rule categories:
       CIP Generic: related to the CIP standard
       Rockwell Automation® specific CIP
  • 71. Generic CIP Categories
    Columns: Category, Description, Application(s), Usage.
     CIP Admin. Description: ODVA-specified commands that change the state of a device. Application(s): CIP Admin. Usage: block tools or commands to reset or change the state of a generic CIP device.
     CIP Read. Description: ODVA-specified commands that read data from a device. Application(s): CIP Infrastructure, CIP Read. Usage: block tools or commands that read generic CIP data from a device.
     CIP Write. Description: ODVA-specified commands that write data into a device. Application(s): CIP Write. Usage: block tools or commands that write generic CIP data to a device.
  • 72. Rockwell Automation® Specific CIP Categories
    Columns: Category, Description, Application(s), Usage.
     CIP RA Admin. Description: Rockwell Automation® specified commands that change the state of a device. Application(s): CIP Admin, CIP RAAdmin Download, CIP RAAdmin Firmware Update, CIP RAAdmin Other. Usage: block ControlFlash or any tool that updates Rockwell Automation® firmware; block Rockwell Automation® Logix Designer from downloading programs; using RSLinx® to change a module’s networking properties, such as IP address, netmask, gateway, DNS server, domain name, host name, speed, duplex mode, interface speed; using any tool to reset a device.
     CIP RA Read. Description: Rockwell Automation® specified commands that read data from a device. Application(s): CIP Infrastructure, CIP Read, CIP RA Infrastructure, CIP RA Read Tag, CIP Read Tag Other. Usage: any general read action. Example: RSLinx® browsing, HMI reading a tag.
     CIP Write. Description: Rockwell Automation® specified commands that write data into a device. Application(s): CIP Write, CIP RA Write Tag, CIP RA Write Tag Other. Usage: block tools or commands that set values via CIP. Example: HMI setting a tag value, RSLinx® changing various properties of a device (properties that don’t fall under CIP RAAdmin).
• 73. Firewall to DPI Logical Flow
 [Diagram: Stratix® 5950 IFW with Outside and Inside interfaces; traffic passes the ASA firewall policy, then ASA FirePOWER DPI inspection; steps 1 to 3 marked]
 1) Traffic enters the firewall (ASA)
 2) Firewall policies are applied
 3) If a DPI rule is configured for the interesting traffic, the packet is sent to the ASA FirePOWER module
• 74. What Types of CIP Traffic Can Be Used with DPI?
 Class 3 CIP traffic (port 44818)
   Examples: HMI reads and writes; RSLinx® to controller; RSLogix™ downloading; changing the IP address of an Ethernet module
 Not supported: CIP class 1 (port 2222)
   Examples: controller to I/O; produce/consume
• 75. Firewall to DPI Logical Flow (continued)
 [Diagram: same flow as slide 73; step 4 marked at the ASA FirePOWER module]
 4) The ASA FirePOWER module applies its security policy to the traffic and takes the appropriate action
• 76. Firewall to DPI Logical Flow (continued)
 [Diagram: same flow as slide 73; step 5 marked, with a "Block" branch at the ASA FirePOWER module]
 5) Valid traffic is sent back to the firewall. Note: FirePOWER may block some traffic according to the security policy.
• 77. Firewall to DPI Logical Flow (continued)
 [Diagram: same flow as slide 73; step 6 marked at the Outside interface]
 6) Traffic exits the ASA firewall
• 78. Configuring CIP DPI with ASDM – Generic and Rockwell Automation® Specific
 The ASA FirePOWER software denotes CIP Generic rules within the Application Categories as "CIP", while Rockwell Automation® specific CIP extensions are denoted as "CIP RA".
 [Screenshots: the "CIP Generic" and "Rockwell Automation® Specific" application category lists in ASDM]
• 79. CIP DPI – Categories and Applications
 Some of the CIP and CIP RA categories that require multiple applications have been preconfigured to include all of the proper applications.
 [Screenshot: the "Category" and "Available Applications" columns of the rule editor in ASDM]
• 80. CIP DPI – Categories and Applications
 Some of the CIP and CIP RA categories that require multiple applications have been preconfigured to include all of the proper applications.
 When creating rules, select the "Category" in the left-most column and then select "Add to Rule". Do not select individual "Available Applications" in the middle column to create the rule; select only the "Category".
 [Screenshot: the "Category" and "Available Applications" columns of the rule editor in ASDM]
• 81. Block with Reset
 It is recommended to use only "Block with reset" CIP Access Control Policy rules to block specific CIP traffic, rather than using "permit" rules.
 Instead of having the inspection engine examine all of the permitted traffic, it is best to configure the IFW with blocking-only rules.
• 82. Stratix® 5950 Normal Traffic Flow
 [Diagram: Engineering Workstation (IP address 10.10.10.145) – IES – Stratix® 5950 IFW (BVI address 10.10.10.5) – IES – CLX1 (IP address 10.10.10.130). FirePOWER rule: Block with Reset, CIP RA Admin; description: this rule will block any IP address change requests from 10.10.10.145 to 10.10.10.130. CIP RA Admin blocks ControlFlash, Studio 5000® download and IP address changes.]
 1) Engineering Workstation uses Studio 5000® to go online with CLX1
 2) The Stratix® 5950 FirePOWER CIP RA Admin rule does not prohibit the Engineering Workstation from going online
 3) Engineering Workstation goes online with CLX1
 The packet remains unchanged
• 83. Stratix® 5950 Block with Reset – Slide 1 of 2
 [Diagram: same topology and FirePOWER rule as slide 82. RSLinx® on the Engineering Workstation attempts to change the CLX1 IP address; the IFW sends "ARP – Who has 10.10.10.130?" from source (BVI) 10.10.10.5 and receives the ARP response from 10.10.10.130.]
 1) Engineering Workstation uses RSLinx® to attempt a CLX1 IP address change
 2) The Stratix® 5950 FirePOWER CIP RA Admin rule prohibits IP address changes to CLX1
 3) The Stratix® 5950 security appliance sends an ARP request to obtain the MAC ID of CLX1
 4) The ControlLogix® controller responds to the Stratix® 5950 with its MAC ID
 The Stratix® 5950 changes the packet when it blocks the packet and sends a TCP Reset to the end device
• 84. Stratix® 5950 Block with Reset – Slide 2 of 2
 [Diagram: same topology and FirePOWER rule as slide 82. The IFW sends "Reset TCP Connection" to CLX1 and CLX1 returns a reset acknowledge message to the Stratix® 5950.]
 5) The Stratix® 5950 sends a TCP connection reset to CLX1
 6) CLX1 sends an acknowledgement to the Stratix® 5950 security appliance
 The Stratix® 5950 changes the packet when it blocks the packet and sends a TCP Reset to the end device
• 85. Stratix® 5950 Block with Reset with NAT – Slide 1 of 2
 [Diagram: Engineering Workstation (IP address 10.10.10.145) – IES – Stratix® 5950 IFW (BVI address 10.10.10.5) – IES – NAT device – CLX1 (IP address 192.168.1.130). NAT translation: Public IP address 10.10.10.130, Private IP address 192.168.1.130. Same FirePOWER rule as slide 82. The IFW sends "ARP – Who has 10.10.10.130?" from source (BVI) 10.10.10.5; the NAT device: "Where is 10.10.10.5? I don't have a NAT translation for that IP address" = Drop Packet.]
 1) Engineering Workstation uses RSLinx® to attempt a CLX1 IP address change
 2) The Stratix® 5950 FirePOWER CIP RA Admin rule prohibits IP address changes to CLX1
 3) The Stratix® 5950 security appliance sends an ARP request to obtain the MAC ID of CLX1
 4) CLX1 responds to the ARP request
 5) No NAT translation exists for the Stratix® 5950 security appliance, so the NAT device drops the ARP request
• 86. Stratix® 5950 Block with Reset with NAT – Slide 2 of 2
 [Diagram: same topology and FirePOWER rule as slide 85. The NAT translation table now also holds an entry for the Stratix® 5950 BVI, Public IP address 10.10.10.5 (private address not shown); the ARP response from 192.168.1.130 reaches the IFW.]
 1) Engineering Workstation uses RSLinx® to attempt a CLX1 IP address change
 2) The Stratix® 5950 FirePOWER CIP RA Admin rule prohibits IP address changes to CLX1
 3) The Stratix® 5950 security appliance sends an ARP request to obtain the MAC ID of CLX1
 4) CLX1 responds to the ARP request
 5) A NAT translation exists for the Stratix® 5950 security appliance, so the ARP reply is successful
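The NAT failure mode on slides 85 and 86, as an added example that is not part of the deck: a small Python model of a static NAT table in front of CLX1 and the ARP-then-reset sequence the Stratix® 5950 performs when a rule fires. The addresses are the ones on the slides; the two-table NAT shape and the private-side address given to the BVI (192.168.1.5) are assumptions of this example.

```python
"""Constructed walkthrough of the Stratix 5950 'Block with reset' action when
CLX1 sits behind a NAT device (slides 85 and 86). Added example, not code
from Rockwell Automation or Cisco. Addresses are those shown on the slides;
the NAT model (a static table that must hold an entry for every public-side
host that talks into the private network) is an assumption of this example."""
from dataclasses import dataclass, field

BVI_ADDR = "10.10.10.5"         # Stratix 5950 bridged virtual interface
CLX1_PUBLIC = "10.10.10.130"    # CLX1 as addressed from the workstation side
CLX1_PRIVATE = "192.168.1.130"  # CLX1's real address behind the NAT device


@dataclass
class NatDevice:
    """Static 1:1 NAT with two tables, as on the slide diagram:
    inside:  private address of a device behind NAT -> its public address
    outside: public address of a host in front of NAT -> the private-side
             address that inside devices use to reach it"""
    inside: dict
    outside: dict
    log: list = field(default_factory=list)

    def to_private(self, src, dst):
        """Packet arriving on the public interface. Returns the translated
        (src, dst) for the private side, or None when the packet is dropped."""
        if dst not in self.inside.values():
            self.log.append(f"drop: {dst} is not a published inside address")
            return None
        if src not in self.outside:
            # Failure mode on slide 85: the firewall's BVI has no translation,
            # so the NAT device has nowhere to map the source and drops it.
            self.log.append(f"drop: no NAT translation for {src}")
            return None
        priv_dst = next(p for p, pub in self.inside.items() if pub == dst)
        return self.outside[src], priv_dst

    def to_public(self, src, dst):
        """Packet arriving on the private interface (the reply path)."""
        if src not in self.inside or dst not in self.outside.values():
            self.log.append(f"drop: reply {src}->{dst} has no translation")
            return None
        pub_dst = next(p for p, priv in self.outside.items() if priv == dst)
        return self.inside[src], pub_dst


def block_with_reset(nat):
    """Steps 3-6 of the slides: after FirePOWER has decided to block, the
    appliance ARPs for CLX1 from its BVI, then sends a TCP reset to CLX1.
    Returns the list of events that actually occurred."""
    events = []
    # Step 3: ARP request 'who has CLX1?' sourced from the BVI address.
    arp = nat.to_private(BVI_ADDR, CLX1_PUBLIC)
    if arp is None:
        events.append("arp-request dropped by NAT device")
        return events  # no MAC learned, so the reset can never be sent
    events.append(f"arp-request delivered to {arp[1]} from {arp[0]}")
    # Step 4: CLX1 answers; the reply must translate back to the BVI.
    reply = nat.to_public(CLX1_PRIVATE, arp[0])
    if reply is None:
        events.append("arp-reply dropped by NAT device")
        return events
    events.append(f"arp-reply reached {reply[1]}")
    # Step 5: the TCP RST toward CLX1 travels the same path as the ARP request.
    rst = nat.to_private(BVI_ADDR, CLX1_PUBLIC)
    events.append(f"tcp-reset delivered to {rst[1]}")
    # Step 6: CLX1 acknowledges the reset.
    events.append("reset acknowledged by CLX1")
    return events


def reset_delivered(nat):
    """True when the blocked session is actually torn down on the CLX1 side."""
    return "reset acknowledged by CLX1" in block_with_reset(nat)


# Slide 85: only CLX1 is translated; the BVI is unknown to the NAT device.
nat_without_bvi = NatDevice(inside={CLX1_PRIVATE: CLX1_PUBLIC}, outside={})
# Slide 86: an outside translation for the BVI is added. The private-side
# address for it ("192.168.1.5") is a constructed placeholder; the slide
# does not show the value. The workstation's own path is not modelled.
nat_with_bvi = NatDevice(inside={CLX1_PRIVATE: CLX1_PUBLIC},
                         outside={BVI_ADDR: "192.168.1.5"})

if __name__ == "__main__":
    for name, nat in (("without BVI translation", nat_without_bvi),
                      ("with BVI translation", nat_with_bvi)):
        print(name, block_with_reset(nat), nat.log)
```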
• 87. CIP DPI – High Level Recommendations
 Specifically use "Block with reset" for CIP actions (CIP Reads, CIP Writes, CIP Administration, RA CIP Read, RA CIP Writes and RA CIP Administration) rather than "permit"
 CIP DPI rules are written to include host addresses but are not granular enough to block a user
   Good example: Operator Workstation (10.10.30.10) blocked from firmware download to ControlLogix® 192.168.1.10 by applying a CIP RA Admin rule
   Bad example: Bill on Operator Workstation (10.10.30.10) blocked from firmware download by applying a CIP RA Admin rule, but Jeff on Operator Workstation (10.10.30.10) permitted to ControlLogix® 192.168.1.10
 Make sure to understand the NAT translations of devices within your infrastructure
   Include Stratix® 5950 Bridged Virtual Interface (BVI) IP addresses
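As an added example (not code from the deck, Rockwell Automation or Cisco), a Python model of the firewall-to-DPI flow on slides 73 to 77 combined with the rule guidance on slides 74, 80, 81 and 87. The flow records, the CIP category label carried on each flow, the rule shape and the firewall policy that permits only ports 44818 and 2222 are assumptions of this example; the addresses are the slide 87 example addresses.

```python
"""Constructed model of the Stratix 5950 firewall-to-DPI flow (slides 73-77)
and of the CIP DPI rule guidance (slides 74, 80, 81 and 87). Added example,
not code from Rockwell Automation or Cisco: the flow record, the category
pre-assigned to each record and the rule shape are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

CIP_CLASS3_PORT = 44818   # explicit messaging on TCP: eligible for CIP DPI
CIP_CLASS1_PORT = 2222    # implicit I/O on UDP: not supported by CIP DPI

# Rule categories exactly as the deck names them (slides 71, 72 and 87).
KNOWN_CATEGORIES = {"CIP Admin", "CIP Read", "CIP Write",
                    "CIP RA Admin", "CIP RA Read", "CIP RA Write"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    dport: int
    category: Optional[str] = None   # category the preprocessor would assign
    user: Optional[str] = None       # who is logged on at src (slide 87)


@dataclass(frozen=True)
class DpiRule:
    """One 'Block with reset' Access Control Policy rule (slide 81): a source
    host, a destination host and a CIP category. There is no permit rule
    type and no user field on purpose: the deck recommends blocking-only
    rules and notes that CIP DPI rules are host-granular, not user-granular."""
    src: str
    dst: str
    category: str


def validate_rules(rules: List[DpiRule]) -> List[str]:
    """Slide 80: a rule should name a category, not an individual application.
    Returns a list of problems; an empty list means the rule set is acceptable."""
    return [f"rule {r.src}->{r.dst}: '{r.category}' is not a category"
            for r in rules if r.category not in KNOWN_CATEGORIES]


def firewall_policy(flow: Flow) -> bool:
    """Step 2: the ASA firewall policy. Assumed here to permit only the two
    CIP transports; everything else is dropped before DPI is considered."""
    return (flow.proto, flow.dport) in {("tcp", CIP_CLASS3_PORT),
                                        ("udp", CIP_CLASS1_PORT)}


def dpi_interesting(flow: Flow) -> bool:
    """Step 3: only class 3 explicit messaging on 44818 is handed to the
    ASA FirePOWER module; class 1 I/O on 2222 is forwarded uninspected."""
    return flow.proto == "tcp" and flow.dport == CIP_CLASS3_PORT


def firepower_action(flow: Flow, rules: List[DpiRule]) -> str:
    """Step 4: match on hosts and category only. Because the user is not part
    of the match, Bill and Jeff on the same workstation get the same answer;
    the 'Bad Example' on slide 87 cannot be expressed with these rules."""
    for r in rules:
        if (r.src, r.dst, r.category) == (flow.src, flow.dst, flow.category):
            return "block-with-reset"
    return "permit"


def process(flow: Flow, rules: List[DpiRule]) -> str:
    """Steps 1-6 end to end; returns the disposition of the flow."""
    if not firewall_policy(flow):
        return "dropped-by-firewall"
    if not dpi_interesting(flow):
        return "forwarded-without-dpi"
    if firepower_action(flow, rules) == "block-with-reset":
        return "reset"               # step 5: FirePOWER blocks and sends a TCP RST
    return "forwarded"               # steps 5-6: valid traffic exits the ASA


# Slide 87 'Good Example': block firmware download (CIP RA Admin) from the
# Operator Workstation 10.10.30.10 to ControlLogix 192.168.1.10.
RULES = [DpiRule("10.10.30.10", "192.168.1.10", "CIP RA Admin")]

# Constructed sample flows.
FIRMWARE_BILL = Flow("10.10.30.10", "192.168.1.10", "tcp", 44818,
                     "CIP RA Admin", user="Bill")
FIRMWARE_JEFF = Flow("10.10.30.10", "192.168.1.10", "tcp", 44818,
                     "CIP RA Admin", user="Jeff")
HMI_READ = Flow("10.10.30.10", "192.168.1.10", "tcp", 44818, "CIP RA Read")
CLASS1_IO = Flow("192.168.1.10", "192.168.1.20", "udp", 2222)
WEB = Flow("10.10.30.10", "192.168.1.10", "tcp", 80)

if __name__ == "__main__":
    print("rule problems:", validate_rules(RULES))
    for f in (FIRMWARE_BILL, FIRMWARE_JEFF, HMI_READ, CLASS1_IO, WEB):
        print(f.user or "-", f.proto, f.dport, f.category, "->", process(f, RULES))
```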
• 88. Stratix® 5950 Security Appliance in the CPwE Framework
• 89. Stratix® 5950 Security Appliance Architecture Modes
 [Diagram: three IFW deployment modes; one of them is labelled "Out of Box"]
 Inline Transparent Mode: traffic passes through the IFW; same network addresses on the ingress and egress interfaces (Network A to Network A)
 Inline Routed Mode: traffic passes through the IFW; different network addresses on the ingress and egress interfaces (Network A to Network B); think "router"
 Passive Monitor Mode: the IFW receives a copy of the packet rather than the packet itself
• 90. IFW for Machine / Skid Protection – Inline Transparent Mode
 The machine/skid protection use case is used to segment a machine, skid or unit from the Cell/Area Zone network. This may be to support different security requirements between the larger IACS network and the machine/skid, or to restrict ingress and egress traffic.
 [Diagram: CPwE plant-wide network: Industrial Demilitarized Zone (IDMZ); Industrial Zone Levels 0-3 with core switches, FireSIGHT Management Center and Cisco Security Manager; distribution switch; Cell/Area Zones Levels 0-2 in ring and redundant star topologies (lines, machines, skids, equipment) built from IES with controller, HMI, drive and soft starter; an IFW in Transparent Mode in front of each machine, skid and piece of equipment]
• 91. IFW for Machine / Skid Protection – Inline Routed Mode
 In inline routed mode, the Stratix® 5950 security appliance is placed between the distribution network and one or more groupings of automation equipment that act as machines, skids or units, to both protect and route traffic between each unit.
 In each case, the Stratix® 5950 security appliance acts as an ingress and egress point to a production line containing these machines/skids, where traffic can be monitored or controlled through firewall or DPI security policies.
 [Diagram: same CPwE plant-wide network as slide 90, with a single IFW in Routed Mode between the distribution switch and the IES serving the machines and skids]
• 92. Redundant Star Cell/Area Zone Protection – Inline Transparent Mode
 When a redundant star network configuration is required to meet redundancy requirements, the IFW can be architected to support redundant Layer 2 EtherChannel links.
 For this use case, the IFW is placed between the distribution switch and the plant floor equipment.
 [Diagram: same CPwE plant-wide network as slide 90, with an IFW in Transparent Mode between the distribution switch and the redundant star Cell/Area Zone]
• 93. Ring Cell/Area Zone Protection – Inline Transparent Mode
 The Ring Cell/Area Zone protection use case is used to monitor and apply security policies to a ring.
 Two transparent mode IFWs are placed between the distribution switches and the ring. The IFWs are not acting as an active/standby firewall pair in this configuration; they simply provide firewall and possibly DPI functionality on both ingress points of the network ring.
 While it is a valid use case, implementing it is not recommended because of the architectural limitations of this deployment.
 Any persistent connections that were established via the disrupted IFW will need to time out and then re-establish via the remaining IFW, resulting in communication downtime.
 [Diagram: same CPwE plant-wide network as slide 90, with two IFWs in Transparent Mode, one at each ingress point of the ring]
• 94. Cell/Area Zone Monitoring – Passive Monitor Mode 1 of 2
 The Cell/Area Zone monitoring use case is used to monitor traffic of interest without placing the Stratix® 5950 security appliance directly inline with a controller, skid, machine or Cell/Area Zone of interest.
 A SPAN session or port mirror is created to send the traffic of interest to the Stratix® 5950 security appliance.
 [Diagram: same CPwE plant-wide network as slide 90, with IFWs in Transparent Mode at the machines and skids and one IFW in Monitor Mode attached to the distribution switch]
• 95. Cell/Area Zone Monitoring – Passive Monitor Mode 2 of 2
 The Stratix® 5950 security appliance currently supports logging only the first and last packets of a persistent TCP connection between endpoints, not the individual packets within that connection. For example, when RSLinx® first establishes a connection, only one event will be logged for the duration of that session.
 Therefore, if per-packet granularity is desired when monitoring ingress and egress traffic for the Cell/Area Zone, this deployment is not recommended.
 [Diagram: same CPwE plant-wide network as slide 94, with one IFW in Monitor Mode attached to the distribution switch]
• 96. CPwE Industrial Firewall Configurations – Chapter 3
• 97. CPwE Industrial Firewall Configurations
 Chapter 3 describes how to configure the Industrial Firewall within the CPwE architecture based on the design considerations and recommendations of the previous chapter. The included configurations have been validated during the testing effort.
   Initial Setup
   Configuring Inline Transparent Mode
   Configuring Inline Routed Mode
   Configuring Monitor-only Mode
   Configuring Central Management
 Includes Firewall and FirePOWER configurations
 Includes GUI and CLI configurations
 Example CLI configuration shown on the slide (two interfaces in one bridge group, i.e. transparent mode):
   interface GigabitEthernet1/1
    nameif outside1
    bridge-group 1
    security-level 0
   !
   interface GigabitEthernet1/2
    nameif inside1
    bridge-group 1
    security-level 100
• 98. Stratix® 5950 Security Appliance License Options
• 99. Stratix® 5950 Security Appliance Subscription Based License
 The Subscription License to update security signature content on each Stratix® 5950 Security Appliance is priced per unit.
 There is an onboard device management interface that allows you to manage that interaction per unit. However, if your customer is looking to manage several Stratix® 5950 units, there is the option to purchase centralized management, Cisco's Security Manager software, which is sold only by Cisco.
 The license is a joint CSM/CVB catalog number; TechConnect℠ support is associated with each Subscription License as a base offering, and an upgrade to full 24/7 TechConnect℠ support is purchasable.
 No permanent outbound internet connection is required to deliver subscription license content. Customers have the option to download content ad hoc from the Software Downloads website for use on the Stratix® 5950 security appliance.
• 100. Identity Services Engine (ISE)
• 101. Secure Access – Consolidating access for employees, contractors and vendors
 [Diagram: the access-context questions with example answers]
 Who? Employee, Attacker, Guest
 What? Personal Device, Company Asset
 How? Wired, Wireless, VPN
 Where? @ plant 1, zone 2; Headquarters
 When? Weekends (8:00am – 5:00pm) PST
• 102. ISE – Unifying policy for all mediums
 [Diagram: VPN, Wi-Fi and LAN access into Zone 2; example users Louise (Plant tech) and Kevin (LOB Engr); ISE backed by AD]
• 103. ISE Overview
 Network / user context: Who, What, When, Where, How
 Device profiling feed service
 Reduce network unknowns and apply the right level of secure access consistently across wired, wireless and VPN
 Employee access; Contractor + Vendor access; Guest access
• 104. ISE Personas/Roles
 A single ISE node (appliance or VM) runs one or more personas: Administration, Monitoring, Policy service
 Policy Administration Node (PAN)
   Interface to configure policies
 Monitoring and Troubleshooting Node (MnT)
   Interface for logging, reporting, and troubleshooting
 Policy Service Node (PSN)
   Engine that makes policy decisions
   This is the workhorse of the personas
   Responsible for AAA, profiling, posture, Guest
• 105. Figure 1 – CPwE Industrial Network Security Framework
 [Diagram: Enterprise Zone Levels 4 and 5 (External DMZ/Firewall, Internet, Employee Remote Access, ISE ADMIN); Industrial Demilitarized Zone (IDMZ) with active/standby firewalls (ASA 5500, with a stack link for failover detection) and a Remote Access Server; Industrial Zone Levels 0-3 with Catalyst 6500/4500 core, Catalyst 3750X StackWise distribution switch stack, Site Operations Level 3 (UCS, ISE PSN, primary and secondary WLC); Cell/Area Zones Levels 0-2 in redundant star (Flex Links resiliency, unified wireless LAN), linear/bus/star (autonomous wireless LAN) and ring (Resilient Ethernet Protocol, REP, unified wireless LAN) topologies built from Rockwell Automation® Stratix® 5700/Stratix® 8000 Layer 2 access switches, with controllers, safety controllers, I/O, safety I/O, drives, servo drives, HMIs, robots, cameras, phones, instrumentation, LWAPs and WGBs]
 Plant Firewalls:
   Inter-zone traffic segmentation
   ACLs, IPS and IDS
   VPN Services
   Portal and Remote Desktop Services proxy
• 106. Distributed ISE Setup
 [Diagram: Enterprise Zone Levels 4-5 (Enterprise WAN, Internet, External DMZ/Firewall, ISE PAN/PSN, ISE MnT, enterprise WLC); IDMZ with active/standby firewalls; Industrial Zone Levels 0-3 with core switches, distribution switch, Level 3 Site Operations (ISE PSN, active/standby WLC, FactoryTalk® client) and a Levels 0-2 Cell/Area Zone (PACs, I/O, drive, LWAP, WGB)]
 1) The Enterprise ISE PAN/PSN synchronizes its policy configurations with the Industrial ISE PSN.
 2) The Enterprise and Industrial ISE PSNs send detailed logs to the Enterprise ISE MnT.
• 107. Adding ISE to CPwE
 [Diagram: the Figure 1 CPwE Industrial Network Security Framework with ISE ADMIN in the Enterprise Zone and ISE PSN in Site Operations Level 3]
 Notes:
 1) All endpoints must authenticate before being allowed on the network.
 2) Centralized authentication for all three mediums (wired, wireless, remote access)
 3) Centralized network policy/privileges
 4) Full reporting capability on every endpoint accessing the network: device type; username/MAC/IP; where they authenticated from
• 108. Employee Access Example – Wired
 [Diagram: the CPwE framework with AD, ISE ADMIN and ISE PSN, RAS, and an employee laptop on a Layer 2 access switch in the Cell/Area Zone reaching the controller with Studio 5000® (RDP to Studio 5000 shown for remote access)]
 Notes:
 1. The employee endpoint is examined by ISE
 2. ISE sends back a dACL allowing access to that zone, but denying communication to other zones
 3. The employee has Studio 5000® on the laptop, and receives direct access to the controller
• 109. Contractor/Vendor Example – Wireless
 [Diagram: the CPwE framework with PKI, AD, ISE ADMIN and ISE PSN; a contractor/vendor device joins over wireless (AP, WLC), receives a dACL, and reaches devices only through an RDP machine running the management software]
 Note: Contractor/vendor access is restricted to devices via the RDP machine
• 110. Cyber Security Framework
• 111. Industrial Security Quips – Some humor and wisdom if you're feeling overwhelmed
 "Good enough" security now is better than "perfect" security ... never (Tom West, Data General)
 Security ultimately relies – and fails – on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done (Dave Piscitello)
 Your absolute security is only as strong as your weakest link
 Concentrate on known, probable threats
 Security is not a static end state, it is an interactive process
• 112. NIST – Cyber Security Framework Video
 A video from NIST, the National Institute of Standards and Technology: Cyber security Framework Shared
 https://cdnapisec.kaltura.com/index.php/extwidget/preview/partner_id/684682/uiconf_id/31013851/entry_id/1_oflxj19k/embed/dynamic
 30% of U.S. companies use the NIST cyber security Framework
 The NIST cyber security Framework is so successful because it can be used for small and medium businesses, large organizations…
• 113. What is the Cyber Security Framework?
• 114. Industrial Control System (ICS) included
• 115. Framework Core
• 116. Framework Core – Identify, Protect, Detect, Respond and Recover
• 117. Framework Core Element Definitions
• 118. Framework Tier
• 119. Framework Tiers Defined
• 120. Framework Profiles
• 121. How to use the Framework 1 of 2
• 122. How to use the Framework 2 of 2
• 123. Framework Core – Categories
• 124. Framework Core – Categories
• 125. Example Category/ Subcategory/ References
• 126. Example Category/ Subcategory/ References
• 127. Additional Material
• 128. Network Architecture Icon Key – Converged Plantwide Ethernet (CPwE)
 Layer 2 Access Link (EtherNet/IP Device Connectivity)
 Layer 2 Interswitch Link/802.1Q Trunk
 Layer 3 Link
 Layer 2 Access Switch, Catalyst 2960
 Multi-Layer Switch – Layer 2 and Layer 3, Stratix® 8300, Stratix® 5700, Stratix® 5400, Stratix® 5410
 Layer 3 Router, Stratix® 5900
 Autonomous Wireless Access Point (AP), Stratix® 5100 switch as Autonomous AP
 Layer 2 IES with NAT (icon "NAT"), Stratix® 5700, Stratix® 5400
 Layer 2 IES with NAT and Connected Routing (icon "NAT - CR"), Stratix® 5700, Stratix® 5400
 Layer 3 Distribution Switch Stack, Catalyst 3750-X, Catalyst 3850
 Layer 3 Core Switch, Catalyst 4500, 4500-X, 6500, 6800
 Layer 3 Core Switch with Virtual Switching System (VSS), Catalyst 4500-X, 6500, 6800
 Firewall, Adaptive Security Appliance (ASA) 55xx
 Wireless workgroup bridge (WGB), Stratix® 5100 switch as workgroup bridge (WGB)
 Unified Wireless Lightweight Access Point (LWAP), Catalyst 3602E LWAP
 Unified Wireless LAN Controller (WLC), Cisco 5508 WLC
 Unified Computing System (UCS), UCS-C series
 Identity Services Engine (ISE) for Authentication, ISE – PAN/PSN/MnT
 Layer 2 Access, Industrial Ethernet Switch (icon "IES"), Stratix® 5700, Stratix® 5400, Stratix® 8000
 Layer 3 Router with Zone-based Firewall, Stratix® 5900
 Industrial Firewall (icon "IFW"), Stratix® 5950
  • 129. Additional Material: CPwE Architectures - Cisco and Rockwell Automation®
    – CPwE website
    – Overview Documents
    – Alliance Profile
    – Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
    – Design Considerations for Securing Industrial Automation and Control System Networks
  • 130. Additional Material: CPwE Design Guides and Whitepapers

    Topic                                                                   | Design Guide      | Whitepaper
    Design Considerations for Securing IACS Networks                        | —                 | ENET-WP031A-EN-P
    Converged Plantwide Ethernet – Baseline Document                        | ENET-TD001E-EN-P  | —
    Resilient Ethernet Protocol in a CPwE Architecture                      | ENET-TD005B-EN-P  | ENET-WP033A-EN-P
    Deploying 802.11 Wireless LAN Technology within a CPwE Architecture     | ENET-TD006A-EN-P  | ENET-WP034A-EN-P
    Deploying Identity Services within a CPwE Architecture                  | ENET-TD008A-EN-P  | ENET-WP037A-EN-P
    Securely Traversing IACS Data Across the Industrial Demilitarized Zone  | ENET-TD009A-EN-P  | ENET-WP038A-EN-P
    Deploying Network Address Translation within a CPwE Architecture        | ENET-TD007A-EN-P  | ENET-WP036A-EN-P
    Migrating Legacy IACS Networks to a CPwE Architecture                   | ENET-TD011A-EN-P  | ENET-WP040A-EN-P
    Deploying A Resilient Converged Plantwide Ethernet Architecture         | ENET-TD010A-EN-P  | ENET-WP039B-EN-P
    Site-to-site VPN to a CPwE Architecture                                 | ENET-TD012A-EN-P  | —
    Deploying Industrial Firewalls within a CPwE Architecture               | ENET-TD002A-EN-P  | ENET-WP011B-EN-P

  • 131. Additional Material: Reference Manuals
    – Ethernet Design Considerations Reference Manual, ENET-RM002C-EN-P: EtherNet/IP Overview, Ethernet Infrastructure Components, EtherNet/IP Protocol
    – EtherNet/IP IntelliCENTER® Reference Manual (MCC-RM001)
    – The OEM Guide to Networking, ENET-RM001A-EN-P: intended to help OEMs understand relevant technologies, networking capabilities and other considerations that could impact them as they develop EtherNet/IP solutions for the machines, skids or equipment they build
    – Segmentation Methods Within the Cell/Area Zone, ENET-AT004B-EN-E
  • 132. Additional Material: Design Tools
    – Integrated Architecture® Builder (IAB)
      • Updates and additions to better reflect CPwE structure, hierarchy and best practices
      • Improved Switch Wizard for distribution (e.g. Stratix® 5410) and access (e.g. Stratix® 5700)
      • Easier to create a large EtherNet/IP network with many topologies
      • CIP traffic is measured per segment, not just controller scanner and adapter centric
    – EtherNet/IP Capacity Tool
    – Popular Configuration Drawings (PCDs): updates and additions to better reflect recent CPwE enhancements
  • 133. Training Resources
  • 134. Training Resources: Education - Industrial IoT / Industrial IT (Bridging OT-IT)
    – A ‘go-to’ resource for training and educational information on standard Internet Protocol (IP), security, wireless and other emerging technologies for industrial applications
    – Led by Cisco, Panduit, and Rockwell Automation®
    – Receive monthly e-newsletters with articles and videos on the latest trends
    – Scenario-based training on topics such as logical topologies, protocols, switching, routing, wireless and physical cabling
    – Network Design eLearning course available at a promotional price for TechED attendees. Earn PDHs by signing up at www.industrial-ip.org with code “EVENTS2017”
  • 135. Training Resources: Four eLearning courses cover key aspects of implementing networked industrial control systems. The 20-30 minute interactive, scenario-based courses cover automation controls and physical infrastructure considerations.
  • 136. Training Resources: Education - Industrial IoT / Industrial IT (Bridging OT-IT)
    – Courses 1 and 2: Designing for the Cell/Area Zone. Design secure, robust, future-ready networks for cells, machines, skids and other functional units by implementing reference architectures and standard IP.
    – Course 3: Designing for the Industrial Zone. Learn design principles on line integration, high-availability networks and wireless architectures to optimize plant networks.
    – Course 4: IT/OT Integration. Understand how to effectively converge a smart manufacturing facility with IT and OT stakeholders.
    – Topics covered: EtherNet/IP, Topologies, Security, Wireless
  • 137. Training Resources: Cisco Classroom Training and Certification
    – Cisco Industrial Networking Specialist Training and Certification
      • Classroom training: Managing Industrial Networks with Cisco Networking Technologies (IMINS)
      • Exam: 200-401 IMINS
      • CPwE Design Considerations and Best Practices
    – CCNA Industrial Training and Certification
      • Classroom training: Managing Industrial Networks for Manufacturing with Cisco Technologies (IMINS2)
      • Exam: 200-601 IMINS2
      • CPwE Design Considerations and Best Practices
  • 138. Training Resources: Course Modules
    – Industrial Networking Specialist
      • Module 1: Industrial Networking Solutions and Products
      • Module 2: Industrial Network Documentation and Deployment Considerations
      • Module 3: Installing Industrial Network Switches, Routers, and Cabling
      • Module 4: Deploying Industrial Ethernet Devices
      • Module 5: Maintaining Industrial Ethernet Networks
      • Module 6: Troubleshooting Industrial Ethernet Networks
    – CCNA Industrial
      • Module 1: Industrial Networking Concepts and Components
      • Module 2: General Troubleshooting Issues
      • Module 3: EtherNet/IP
      • Module 4: Troubleshooting EtherNet/IP
      • Module 5: PROFINET
      • Module 6: Configuring PROFINET
      • Module 7: Troubleshooting PROFINET
      • Module 8: Exploring Security Concerns
      • Module 9: 802.11 Industrial Ethernet Wireless Networking
  • 139. Training Resources: Rockwell Automation® Webinars
    – Industrial Automation Webinars
    – On Demand Webinars
      • Introduction to Building a Robust, Secure and Future-ready Network Infrastructure
      • Increase Business Agility by Converging Manufacturing and Business Systems
      • The Power of Building a Secure Network Infrastructure
      • Design Considerations for Building a Secure Network Infrastructure
  • 140. Complete A Survey: Please take a moment to complete the brief session survey on our mobile app and let us know how we’re doing!
    – Download the ROKTechED app and log in (Username: last name; Password: email address used to register)
    – Locate the session under the “Schedule” icon
    – Click the “Survey” icon in the lower right corner of the session details
    – Complete the survey and submit
  • 141. Thank You. www.rockwellautomation.com