Leveraging Industrial device visibility and operational intent to inform security policies and controls.pdf
Daniel Behrens – Technical Marketing Engineer IoT Management and Security
@danielrbehrens
Sunil Maryala - Technical Marketing Engineer IoT Management and Security
BRKIOT-2204: Leveraging Industrial device visibility and operational intent to inform security policies and controls
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
How:
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
IT and Operations need to work together
Agenda
• Why is Industrial Different?
• Where do we start?
• Identification of assets and application level communication
• Architectural Considerations
• Integration with Enterprise Security Portfolio
• Macro to Micro segmentation
• Cisco Firepower for Industrial Security
What we won’t cover
• Full configurations for integrations with ISE, Cisco DNA-C, Stealthwatch and Firepower Management Center
• Full details related to ISE and Cisco DNA-C configuration for pushing security policies across the environment
• Full details related to Stealthwatch configuration for receiving NetFlow information from across the architecture

Why is Industrial Different?
Industrial Traffic - Ethernet/IP
[Figure: plant network with IDMZ, Manufacturing Zone and two Cell/Area Zones built on IE2K / IE4K switches; endpoints shown are an Engineering Laptop, an Industrial Application, HMIs, a Drive and a Controller]
CIP Explicit - Informational control and administration
• Intra- and inter-cell/area zone traffic flow
• Non-critical administrative or data traffic using TCP
• ~1500 Bytes, infrequent
• Above 500 ms
CIP Implicit - Producer & Consumer
• >80% local
• Cyclical I/O traffic, UDP unicast and multicast
• <500 Bytes, frequent
• 0.5 to 10’s of ms, typically 20 ms
Industrial Traffic - Profinet
PROFINET CBA (Component Based Automation)
• Built on DCOM (Distributed Component Object Model) and RPC (Remote Procedure Call) technologies
• Object oriented approach to communications between distributed islands of automation
• Provides a scalable architecture for dealing with complex distributed automation and control systems
PROFINET IO
• Connection between distributed IO Devices and Controllers
• Defines three communication channels
  • PROFINET NRT – Non-Real-Time
  • PROFINET RT – Real-Time
  • PROFINET IRT – Isochronous Real-Time
• IP application protocols for configuration and maintenance functions: DHCP, DCP, DNS, HTTP/S, etc.
Communication channels and their timing:
• Non Real-time (PROFINET CBA, HMI/SCADA, IT applications): TCP/UDP/IP over Ethernet, 100 ms cycle, response <100 ms, standard (IT) communications
• Real-time (PROFINET CBA/RT, PROFINET IO): UDP / Ethernet, 10 ms cycle, response <10 ms, factory automation
• Isochronous Real-time (PROFINET IRT): time-synchronized Ethernet, <1 ms cycle, response <1 ms, motion control
Some common ethernet protocols in industrial environments
Manufacturing
• CIP - Ethernet/IP
• Profinet – S7
• ModbusTCP
• OPC (DA, UA)
• CC Link
• FINS
Utilities
• GOOSE / IEC 61850
• DNP3
• ModbusTCP
Others
• BACnet
• MTConnect
“IT”
• DNS
• AD
• NTP
Industrial Network Topologies
[Table: Linear, Ring and Redundant Star compared, each rated Worst / OK / Best, on: cabling requirements; ease of configuration; implementation costs; bandwidth; redundancy and convergence; disruption during network upgrade; readiness for network convergence; overall network TCO and performance]
[Figure: example Cell/Area Zones (controllers, drives, distributed I/O and HMIs) built as Star/Bus, Linear, Redundant Star and Ring topologies on IE2K / IE4K access switches behind an IE5K distribution switch or a Cisco Catalyst 2955]
IP Addressing in Industrial Environments
• Statically addressed
• Large layer 2 domains
• Simplify assignment / replacement
• Simplify communication configuration
• Address re-use as legacy equipment is migrated
Why Static IP Addressing?
• The IP address is used to configure communications
Why Resiliency Matters
• Connection times range from 2 to 750 ms
• Default to unicast (now)
• Can fault the controller (process stop)
Typical Application Flows are local
• Majority of traffic is East / West*
• Advanced applications increasing North / South
• Often never leaving the Cell or Access switch

Getting Started
Lifecycle: Discover & Baseline, Segment, Detect, Respond
Most industrial customers don’t have an accurate Asset Inventory
Blind to what their assets are communicating with
You cannot secure what you don’t know
Comprehensive Industrial IoT Security Architecture
Industrial IoT Security Architecture: Identify, Monitor, Group and Policy Definition, Enforce
Segmentation Lifecycle
Securing Industrial Networks with Cisco IoT
Goals:
• Detect vulnerabilities
• Prevent malware from spreading
• Detect malicious intrusions
• Detect attempts to scan & modify OT assets
• Investigate and remediate threats
Building blocks:
• Threat Intelligence
• Cyber Vision – Vulnerability Detection
• Centralized Segmentation Policy
• Firepower IPS – Zone Segmentation
• TrustSec – Micro Segmentation
• Cyber Vision – Anomaly Detection
• Cisco Threat Response
• Firepower / Cyber Vision – Intrusion Detection
• AMP / Threat Grid – Malware Detection
• Umbrella – DNS & IP Security

Identification of assets and application level communication
Typical ICS Visibility & Detection Solution
[Figure: industrial switch mirroring SPAN traffic to a server appliance]
• Industrial Protocol DPI based passive monitoring
• SPAN traffic from the industrial control network to a monitoring system
Port Mirroring is not a scalable solution!
ICS visibility and detection solution types
What is really going on under the hood
1. SPAN all traffic to a single server: the server does DPI, analytics and visualization
2. SPAN traffic to midweight sensors: the sensors do DPI and analytics and send metadata to a server that does additional analytics and visualization
3. SPAN traffic to lightweight sensors (Cisco): the sensors do DPI and send metadata to a server that does analytics and visualization
Cisco Cyber Vision
Security that scales with your network infrastructure
Network-Sensors (Deep Packet Inspection built into network elements)
• IE 3400 Switch Sensor – shipping
• IR 1101 Gateway Sensor – shipping
• Catalyst 9000 Switch Sensor – available Spring 2020
Hardware-Sensor (to support brownfield)
• IC3000 Industrial Compute Sensor
Cyber Vision Center (Centralized Analytics)
• Cisco Integrations: ISE, Stealthwatch, Firepower, DNA-C
• Partner Integrations: SIEM, CMDB, ICS Vendor Software
Why is a network-sensor important? DPI location matters!
[Figure: ICS network across Purdue Level 3, Level 2 and Level 0-1]
• Mirroring traffic at the aggregation layer results in visibility to only North-South traffic: a suboptimal location, since most control traffic is local to the cell
• Mirroring traffic at the cell layer requires an expensive out-of-band SPAN network: additional hardware and cabling
• A sensor embedded in the network sees everything that attaches to it
Why is a network-sensor important? RSPAN introduces jitter!
[Figure: SPAN traffic sharing links with control traffic across Purdue Level 3, Level 2 and Level 0-1]
• Head-of-line blocking caused by inline SPAN traffic negatively impacts the time-sensitive control loop
• RSPAN in LANs is detrimental to control system performance
• A sensor embedded in the network generates lightweight metadata that does not congest QoS queues
Why is a network-sensor important? SPAN is expensive in WANs
Wireless bandwidth is expensive
• Sending SPAN traffic over 3G/LTE WAN links to a monitoring station is cost prohibitive
• Installing an appliance per site is an expensive alternative
• A sensor embedded in the network only generates lightweight Application-Flow metadata
Why is a network-sensor important? SPAN is not feasible in FANs
No place to house a standalone sensor
• Visibility into Field Area Network (FAN) traffic in distribution automation is only possible if the DPI is performed on the DA router
• Sending SPAN traffic over 3G/LTE links from the DA router is too expensive
• A sensor embedded in the DA router only generates lightweight Application-Flow metadata
[Figure: DA routers on a wireless mesh, backhauled over LTE]
Visibility Using your Network Infrastructure
The Cisco industrial network lets you see everything that connects to it
Monitoring at the Edge
• Cyber Vision Sensors embedded into industrial network equipment
• No additional hardware needed
• No need for an out-of-band monitoring network
• Easy deployment, low TCO
• Sensors send lightweight Application-Flow metadata from the ICS network to the Cyber Vision Center
Cisco is the only vendor on the market with an edge strategy for OT cybersecurity
Cisco Cyber Vision for Utilities: security that can be deployed at scale
[Figure: sensors on IR Gateways, IE Switches, CGR Routers and ISA Firewalls across generation, transmission and distribution]
Cisco Cyber Vision for Oil & Gas: security that can be deployed at scale
[Figure: sensors on IR Gateways, IE Switches and IW Access Points across upstream, midstream and downstream]
Cisco Cyber Vision for Manufacturing: security that can be deployed at scale
[Figure: sensors on IE Switches, ISA Firewalls and IW Access Points]
Visibility: Comprehensive Asset Inventory
■ Automatically maintain a detailed list of all OT & IT equipment
■ Immediate access to software & hardware characteristics
■ Track rack-slot components
■ Tags make it easy to understand asset functions and properties
Track the industrial assets to protect throughout their life cycles
Visibility: Track Application Flows
▪ Identify all relations between assets, including application flows
▪ Spot unwanted communications & noisy assets
▪ Tags make it easy to understand the content of each communication flow
▪ View live information or go back in time
Drive network segmentation and fine-tune configurations
Visibility: Instantaneous Vulnerability Identification
▪ Automatically spot software vulnerabilities across all your industrial assets
▪ Access comprehensive information on vulnerability severities and solutions
▪ Built-in vulnerability database, always up to date
Enforce Cyber-Hygiene best practices

Integration with Enterprise Security Portfolio
Cisco Security for Industrial IoT
Comprehensive Industrial IoT Security Architecture
• Cisco ISE – Access Control
• Cisco Firepower – Traffic Filtering
• Cisco Stealthwatch – Network Flow Analysis
• Cisco DNA-C – Network Management
• Cyber Vision Center – Operational Insights, Threat Detection
• Cyber Vision Sensors (on switches, gateways and APs) – Visibility: Deep Packet Inspection built into the Cisco Industrial Network
• TALOS – Threat Intelligence
• CTR – Threat Response
Cisco ISE Integration
Extend security policies to your industrial network
• ISE endpoints are enriched with context from Cyber Vision (via pxGrid)
• Use ICS attributes (PLC, Siemens, Cell-1) to define profiling policy
• Segment your network to prevent malware and ransomware from spreading
The Cisco Industrial Network provides ICS visibility and enforces security policy (TrustSec): industrial switching, industrial wireless, industrial routing, IoT gateways, mesh / LoRa, industrial firewalls, embedded
Industrial Asset Visibility in ISE through Cisco Cyber Vision
Endpoint attributes in ISE populated by FTNM
Asset Identity: this is a CompactLogix Controller, manufactured by Rockwell Automation, has serial number xxx, running firmware abc, speaks CIP, attached to switch efg, and it is in Cell-1 in the Austin Plant…
ISE profiling OT endpoints
[Screenshots: IoT asset attributes; attributes from IND; profiling a Rockwell PLC]
ISE Authorization Policy
[Screenshot]
ISE Authorization Profiles
[Screenshot]
ISE TrustSec Policy
[Screenshot]
Cisco Stealthwatch Integration
Speed up incident response and forensics
• Stealthwatch flows enriched with context from Cyber Vision (REST API)
• Use ICS attributes (PLC, Siemens, Cell-1) to define host-group policy
• Pinpoint ICS assets when Stealthwatch raises alarms at Level-3 for north-south traffic from the industrial network to the Enterprise
Integrating Industrial Asset Visibility in Stealthwatch
Asset Identity: the source is a Rockwell Automation HMI, in Cell-1, speaking CIP, to a Rockwell Automation Controller in Cell-2
Segmentation Monitoring with Stealthwatch
• Define communication policy between zones
• Monitor for violations
[Figure: Manufacturing Zone with IDMZ, Cell-1 and Cell-2 on IE2K / IE4K switches; flows labelled CIP and HTTP between the Engineering Laptop, Network Management, HMIs, Drive and Controller, with NO ACCESS marked on the disallowed path]
Policy Modeling and Monitoring
When a new flow is generated between devices in different segments, an alarm is generated
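The zone-policy check described above, written out as an added example; it is not Stealthwatch code or configuration. It keeps a constructed asset inventory (IP to zone and role, the kind of context Cyber Vision supplies), a constructed inter-zone policy in which a missing entry means NO ACCESS, and raises an alarm for any flow that crosses zones outside the policy or touches an un-inventoried host. Every IP, zone name and flow below is made up for the illustration.

```python
"""Segmentation monitoring: alarm on flows that violate an inter-zone
communication policy. Added example; inventory, policy and flows are
constructed and are not Stealthwatch host-group configuration."""
from dataclasses import dataclass

# Constructed asset inventory: IP -> (zone, role), as Cyber Vision context
# would populate Stealthwatch host groups.
INVENTORY = {
    "10.1.1.10": ("Cell-1", "HMI"),
    "10.1.1.20": ("Cell-1", "Controller"),
    "10.1.2.20": ("Cell-2", "Controller"),
    "10.1.2.30": ("Cell-2", "Drive"),
    "10.9.0.5": ("IDMZ", "Engineering Laptop"),
    "10.9.0.9": ("Manufacturing Zone", "Network Management"),
}

# Constructed communication policy: (source zone, destination zone) ->
# allowed application tags. A missing key means NO ACCESS. Flows that stay
# inside one zone are allowed, since most control traffic is local.
POLICY = {
    ("Cell-1", "Cell-2"): {"CIP"},
    ("Manufacturing Zone", "Cell-1"): {"HTTP", "CIP"},
    ("Manufacturing Zone", "Cell-2"): {"HTTP", "CIP"},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    app: str  # application tag (CIP, HTTP, SSH, ...)


@dataclass(frozen=True)
class Alarm:
    flow: Flow
    reason: str


def lookup(ip):
    return INVENTORY.get(ip, ("Unknown", "Unknown"))


def evaluate(flow):
    """Return an Alarm for a policy violation, else None."""
    src_zone, src_role = lookup(flow.src)
    dst_zone, dst_role = lookup(flow.dst)
    if "Unknown" in (src_zone, dst_zone):
        return Alarm(flow, "flow involves an un-inventoried host")
    if src_zone == dst_zone:
        return None
    allowed = POLICY.get((src_zone, dst_zone))
    if allowed is None:
        return Alarm(flow, f"NO ACCESS from {src_zone} to {dst_zone}")
    if flow.app not in allowed:
        return Alarm(flow, f"{flow.app} not permitted from {src_zone} ({src_role}) "
                           f"to {dst_zone} ({dst_role})")
    return None


def monitor(flows):
    """Run every flow through the policy and collect the alarms."""
    return [a for a in (evaluate(f) for f in flows) if a is not None]


# Constructed flow records, as a flow collector would export them.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "10.1.1.20", "CIP"),    # HMI to controller, same cell
    Flow("10.1.1.10", "10.1.2.20", "CIP"),    # Cell-1 HMI to Cell-2 controller: allowed
    Flow("10.1.1.10", "10.1.2.20", "HTTP"),   # HTTP between cells: not in policy
    Flow("10.9.0.5", "10.1.2.30", "CIP"),     # IDMZ laptop straight to a drive: NO ACCESS
    Flow("10.9.0.9", "10.1.1.20", "HTTP"),    # network management to controller: allowed
    Flow("10.1.2.30", "192.0.2.7", "SSH"),    # destination not in the inventory
]

if __name__ == "__main__":
    for alarm in monitor(SAMPLE_FLOWS):
        print(f"ALARM {alarm.flow.src} -> {alarm.flow.dst} [{alarm.flow.app}]: {alarm.reason}")
```

Running the block prints three alarms: the inter-cell HTTP flow, the IDMZ-to-drive flow, and the flow to an unknown host. The un-inventoried case is deliberately an alarm rather than a pass, because a host the inventory does not know cannot be placed in any zone.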
Cisco Firepower Integration
OT context for creating rules, remediation, and impact assessment
• Map ICS device IPs to named objects (PLC, IO, Drive) in Firepower for use in access policy*
• Map ICS device vulnerabilities to Hosts in Firepower for use in correlation policy*
• Identify anomalous flows in Cyber Vision and kill FTD firewall sessions
* Spring 2020
Industrial Asset Context in FMC
[Screenshot]

Macro to Micro segmentation
Cisco Components
Converged Industrial Architectures
Industrial DMZ
• Access control lists (ACLs)
• Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
• VPN services
• Portal and remote desktop services
• Application and data mirrors
Industrial zone (Purdue Level 3)
• AAA identity services
• Network management
• Asset inventory
• Anomaly detection
• Plant-wide services
• Traffic enforcement (plant to IDMZ, north/south)
Area zone (Purdue Level 2)
• Traffic enforcement (cell to cell, east/west)
• QoS prioritization
• SXP
• NetFlow
Inter-cell (ISA3000)
• Industrial deep packet inspection (DPI)
• Stateful firewall and intrusion prevention (IPS)
• Hardware bypass
Cell zone (Purdue Level 0-1)
• PoE/PoE+
• Layer 2 NAT
• 802.1X
• MAC Authentication Bypass (MAB)
• Quality of Service marking
• NetFlow (IE3x00 and IE4000 only)
• TrustSec tagging (IE3x00 and IE4000 only)
• Edge compute (IE3x00 only)
[Figure: Enterprise Zone (Purdue Level 4-5) with IT core, user access and DMZ; Industrial Zone (Level 3) with industrial core, Cisco NGFW and IPS solutions, and a Cyber Vision Center feeding SIEM (Syslog), ISE/DNA-C (pxGrid) and a RESTful API (HTTPS), plus SCADA/HMI, Historian and MES; Area Zone (Level 2) with ISA3000; Cell Zone (Level 0-1) with IE3x00 and IC3000 sensors (SPAN/RSPAN), PLC/RTU/IED and SIS]
Scalable Tags in Industrial Environments
[Figure: the same converged architecture, with source and destination tags shown on the traffic]
▪ Scalable Group Tag (SGT): a 16 bit value that Cisco ISE assigns to the endpoint’s session upon login
▪ SGT is applied to the endpoint’s traffic
▪ Centralized Policy – ISE
▪ Cell to Cell enforcement at the Area Switch; Plant to IT enforcement at the IDMZ FW

Industrial Security and Firewalls
Industrial Firewalls what and where?
[Figure: Purdue model. Level 5 and Level 4, Enterprise Zone: Enterprise Network and Site Business Planning & Logistics Network (e-mail, intranet, etc.). DMZ: terminal server, RDP server, app server, patch management. Level 3, Manufacturing Zone: Site Manufacturing Operations and Control (FactoryTalk app server, FactoryTalk directory, engineering workstation, domain controller). Level 2, Cell/Area Zone: Area Supervisory Control (FactoryTalk client, HMI, Magelis HMI, engineering workstation, operator interface). Level 1: Basic Control (batch, discrete, drive, continuous process and safety control). Level 0: Process (sensors, drives, actuators, robots)]
First Level – Secured Connectivity: zone segmentation, controlled conduits
Second Level – Secured Visibility & Control: application control, threat control
Third Level – Converged Security & Depth: policy driven response, deeper vision / control
Industrial Firewall Features for Firepower devices
• Deployment modes - Out of Band, Inline - Active, Passive
• Industrial Application Detection
• Industrial protocol command detection
• SCADA IPS rules
• Reliable operation - HW Bypass, Dual power inputs (ISA-3000)
• Industrial Infrastructure Integration - DC Power, Alarm Input/output pins (ISA-3000)
Firepower Industrial protocol support
OT Protocol Application | Description | Verticals
• BACnet | A data communication protocol for Building Automation and Control Networks | Building Automation
• COSEM | – | –
• COTP | Connection Oriented Transport Protocol (ICCP) | Multiple verticals
• DNP3 | DNP3 is based on the standards of the International Electrotechnical Commission (IEC) Technical Committee 57; DNP3 has been selected as a Recommended Practice by the IEEE C.2 Task Force; RTU to IED communications protocol | Utilities
• Emission Control Protocol | Registered with IANA as IP Protocol 14 | –
• Fujitsu Device Control | A system that controls devices within a house | –
• GOOSE | Generic Object Oriented Substation Events (GOOSE) | Utilities
• GSE | Generic Substation Events | Utilities
• Honeywell Control Station/NIF Server | Honeywell protocol detector for Control Station | Multiple verticals
• Honeywell Experion DSA Server Monitor | Honeywell protocol detector for Experion DSA server | Multiple verticals
• IEC 104 | IEC 60870-5-104 enables communication between control station and substation via a standard TCP/IP network | Utilities
• ISO MMS | Manufacturing Message Specification, the ISO session-layer protocol | Utilities
• Modbus | Modbus is a serial communications protocol published by Modicon in 1979 for use with its programmable logic controllers (PLCs) | Multiple verticals
• OPC-UA | OLE for Process Control (OPC), which stands for Object Linking and Embedding (OLE) for Process Control | Multiple verticals
• Q.931 | – | –
• SRC | IBM System Resource Controller facilitates the management and control of complex subsystems; the SRC is a subsystem controller | –
• TPKT | – | Multiple verticals
• CIP | Common Industrial Protocol | Manufacturing
Firepower Industrial protocol detectors
[Screenshot: list of industrial protocol detectors]
Enabling Industrial protocol detection
[Screenshot: Access Control rule to detect industrial protocols (Application Visibility)]
Host Attributes from Cisco Cyber Vision
[Screenshot]
Enforce security using Cyber Vision data
[Screenshots: Cyber Vision asset data; FMC defining a correlation policy based on Cyber Vision data, checking whether an OT asset generates non-OT traffic]
Industrial Firewall deployment modes
[Figure: Cell/Area Zone (controllers, drives, distributed I/O, HMIs) in rings, with the firewall either receiving RSPAN (Out of Band) or placed Inline]
• Out of Band
  • Visibility
  • Limited impact - a copy of the traffic is inspected
• In-Line
  • Visibility
  • Enforce
Out of Band configuration
[Screenshot: Cisco FTD passive mode configuration]
Industrial Firewall deployment
Firewall deployment modes: “Availability” is the key
Default config:
• Transparent mode
• Default Allow ALL
• Passive detection
• Mostly Layer 2 – ring & linear topologies: no change required in network layout or configuration
• Enable HW Bypass: continuity of operations on device/power failure

Cisco Firepower for Industrial Security
Rule to detect PLC restart, open/close
Modbus data required to restart a PLC:
• Modbus unit
• Modbus command = Write Single Register
• Register address (2560)
• Register value (0xFFFF)
[Screenshot: intrusion rule editor with a register check and a register value check]
Safe Operation of ICS - Stopping a Dangerous Misconfiguration of a Robot Arm
[Figure: industrial firewall in front of a robot arm on the factory floor of a manufacturing plant; valid parameters are passed, invalid parameters are stopped]
DNP3 IPS rule options
DNP3 command inspection
• DNP - Distributed Network Protocol
• For communication between components in process automation systems
• Mainly used in Utilities such as Electric and Water
• DNP3 is transported over TCP using port 2000
[Screenshot: DNP3 IPS rule options]
DNP3 inspection pre-processor options
DNP3 Functions:
"confirm", "read", "write", "select", "operate", "direct_operate", "direct_operate_nr", "immed_freeze", "immed_freeze_nr", "freeze_clear", "freeze_clear_nr", "freeze_at_time", "freeze_at_time_nr", "cold_restart", "warm_restart", "initialize_data", "initialize_appl", "start_appl", "stop_appl", "save_config", "enable_unsolicited", "disable_unsolicited", "assign_class", "delay_measure", "record_current_time", "open_file", "close_file", "delete_file", "get_file_info", "authenticate_file", "abort_file", "activate_config", "authenticate_req", "authenticate_err", "response", "unsolicited_response", "authenticate_resp"
DNP3 Internal Indicator flags present in a DNP3 Application Response Header:
"all_stations", "class_1_events", "class_2_events", "class_3_events", "need_time", "local_control", "device_trouble", "device_restart", "no_func_code_support", "object_unknown", "parameter_error", "event_buffer_overflow", "already_executing", "config_corrupt", "reserved_2", "reserved_1"
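As an added example (not Firepower or Snort code), the decoder below shows where the function codes and indicator flags listed above sit in a DNP3 frame: it verifies the link-layer CRC-16/DNP, strips the transport header, names the application function, and for responses expands the two IIN bytes into the flag names. The sample frames (a cold restart request and a response reporting device_restart and need_time), the STATE_CHANGING set and the station addresses are constructed for this illustration.

```python
"""DNP3 frame decoder: link-layer CRC check, transport header, application
function code and, for responses, the Internal Indications (IIN) flags.
Added example; the name tables follow the function and indicator lists in
the slides, and the sample frames are constructed."""

# Application-layer function codes 0..33 and the three response codes.
DNP3_FUNCS = {**{i: n for i, n in enumerate([
    "confirm", "read", "write", "select", "operate", "direct_operate",
    "direct_operate_nr", "immed_freeze", "immed_freeze_nr", "freeze_clear",
    "freeze_clear_nr", "freeze_at_time", "freeze_at_time_nr", "cold_restart",
    "warm_restart", "initialize_data", "initialize_appl", "start_appl",
    "stop_appl", "save_config", "enable_unsolicited", "disable_unsolicited",
    "assign_class", "delay_measure", "record_current_time", "open_file",
    "close_file", "delete_file", "get_file_info", "authenticate_file",
    "abort_file", "activate_config", "authenticate_req", "authenticate_err"])},
    0x81: "response", 0x82: "unsolicited_response", 0x83: "authenticate_resp"}

# IIN bits in wire order: IIN1 bit 0..7, then IIN2 bit 0..7.
IIN_FLAGS = ["all_stations", "class_1_events", "class_2_events", "class_3_events",
             "need_time", "local_control", "device_trouble", "device_restart",
             "no_func_code_support", "object_unknown", "parameter_error",
             "event_buffer_overflow", "already_executing", "config_corrupt",
             "reserved_1", "reserved_2"]

# Constructed watch list: functions that change outstation state or process,
# the ones a defender typically alerts on or restricts by source.
STATE_CHANGING = {"write", "select", "operate", "direct_operate", "direct_operate_nr",
                  "cold_restart", "warm_restart", "initialize_data", "initialize_appl",
                  "start_appl", "stop_appl", "save_config", "activate_config"}


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected 0xA6BC), init 0, ones-complemented."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(src: int, dst: int, master_to_outstation: bool, app_bytes: bytes) -> bytes:
    """Wrap application bytes in a single-fragment DNP3 link frame (constructed sample)."""
    ctrl = 0xC4 if master_to_outstation else 0x44   # DIR set for master, PRM=1, unconfirmed user data
    user = bytes([0xC0]) + app_bytes                  # transport header: FIR|FIN, sequence 0
    header = bytes([0x05, 0x64, 5 + len(user), ctrl, dst & 0xFF, dst >> 8, src & 0xFF, src >> 8])
    frame = header + dnp3_crc(header).to_bytes(2, "little")
    for i in range(0, len(user), 16):                 # data blocks of up to 16 bytes, each with a CRC
        block = user[i:i + 16]
        frame += block + dnp3_crc(block).to_bytes(2, "little")
    return frame


def parse_frame(frame: bytes) -> dict:
    """Validate both CRC levels, then decode function name and IIN flags."""
    if frame[:2] != b"\x05\x64":
        raise ValueError("bad start bytes")
    header = frame[:8]
    if int.from_bytes(frame[8:10], "little") != dnp3_crc(header):
        raise ValueError("link header CRC mismatch")
    dst = int.from_bytes(frame[4:6], "little")
    src = int.from_bytes(frame[6:8], "little")
    user, pos, remaining = b"", 10, frame[2] - 5      # LEN counts ctrl+addresses (5) plus user bytes
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if int.from_bytes(frame[pos + n:pos + n + 2], "little") != dnp3_crc(block):
            raise ValueError("data block CRC mismatch")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    func = user[2]                                     # user[0] transport, user[1] application control
    name = DNP3_FUNCS.get(func, f"unknown_{func:#04x}")
    result = {"src": src, "dst": dst, "func": name, "from_master": bool(frame[3] & 0x80),
              "state_changing": name in STATE_CHANGING, "iin": []}
    if func >= 0x81 and len(user) >= 5:               # responses carry IIN1, IIN2 after the function
        iin = user[3] | (user[4] << 8)
        result["iin"] = [f for i, f in enumerate(IIN_FLAGS) if iin & (1 << i)]
    return result


def frame_ok(frame: bytes) -> bool:
    """True when the frame passes structural and CRC checks."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


# Constructed samples: master 1 sends cold_restart to outstation 10; the
# outstation answers with IIN1 = 0x90 (device_restart | need_time).
COLD_RESTART = build_frame(src=1, dst=10, master_to_outstation=True, app_bytes=bytes([0xC0, 0x0D]))
RESTART_RESP = build_frame(src=10, dst=1, master_to_outstation=False,
                           app_bytes=bytes([0xC0, 0x81, 0x90, 0x00]))

if __name__ == "__main__":
    for f in (COLD_RESTART, RESTART_RESP):
        print(parse_frame(f))
```

A monitor built on this would pair `from_master` with `state_changing`: a state-changing function that does not come from an address known to be a master is the kind of role violation the correlation slides later describe for Modbus.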
Enabling SCADA pre-processors
[Screenshot: Network Analysis policy, enable SCADA pre-processors; SCADA pre-processor configuration]
IEC-60870-5-104 inspection support
IEC 60870-5-104 enables communication between control station and substation via a standard TCP/IP network. The TCP protocol is used for connection-oriented secure data transmission. Mostly used in Europe.
There are 2 types of devices: Controlling station (PC) & Controlled devices (RTU).
The IEC-104 protocol is used to exchange commands & information between controlled and controlling devices.
Firepower software supports detection of information and command exchange between the devices.
Firepower provides built-in Intrusion rules for the IEC-104 protocol based on DPI (Deep Packet Inspection) by the SNORT engine.
[Screenshot: Firepower built-in Intrusion rules for IEC-104]
IEC-61850 MMS inspection support
IEC 61850 is an international standard defining communication protocols for intelligent electronic devices at electrical substations.
Components of IEC 61850 are:
• MMS (Manufacturing Message Specification)
• GOOSE (Generic Object Oriented Substation Event)
• SMV (Sampled Measured Values)
(GOOSE and SMV are latency sensitive)
Firepower software supports detection of information and command exchange between the devices using MMS.
Firepower provides built-in Intrusion rules for the MMS protocol based on DPI (Deep Packet Inspection) by the SNORT engine.
[Screenshot: Firepower built-in Intrusion rules for IEC-61850 MMS]
Built-in IPS signatures for OT
[Screenshot: IPS signature]
IPS signatures for OT/SCADA protocols
• 400+ built-in signatures for OT protocols and endpoints
• Based on vulnerabilities discovered in protocols and devices
• Protection against known/unknown threats
• Updated regularly
Protecting the Platform
How do you protect the underlying platform? 800+ IPS rules for Windows OS
What about the infrastructure?
• Authentication - Active Directory, LDAP
• DNS
• Switches
• Routers

Anomaly Detection
Cisco Cyber Vision Threat Detection: Behavioral Analytics
■ Create baselines to define normal behaviors and configurations
■ Behavior modeling automatically triggers alerts on deviations from the baselines
■ Import IoCs to detect known malicious behaviors
■ Continuously improve detection with classification of new events
Detect unknown attacks and malfunctions
Correlation
Intrusion rules are uni-dimensional & static
• Based on a single parameter
• No anomaly detection
• No automatic response
What if a Modbus Slave sends a “Write” request?
What if an (infected) Modbus Master is sending data collection requests at a higher rate than normal?
Answer: Correlation
Correlation rules allow for boolean decisions on one or more sets of data within the Firepower console.
Rules can then lead to actions such as: email, syslog, SNMP events or remediation actions.
Value:
• Automate security decisions
• Track business outcome
• Trigger automated response to specific conditions
Anomaly detection
Host sending a request it should not send: a Modbus slave sending a request like Write Single Coil
What do you need to detect this anomaly?
• Device type = Modbus Slave
• Intrusion event = “Write_single_coil”
Creating custom host attributes
[Screenshot: adding host custom attributes in FMC]
Correlation rule: when an intrusion event is detected that a device is sending the Modbus command “write_single_coil”, and the device type is a Modbus Slave, send an email when the anomaly is detected
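The two detections from this section and from the PLC-restart rule earlier in the deck, as one added example that is not Firepower correlation-policy syntax: a Modbus/TCP decoder for the MBAP header and PDU, a check for Write Single Register to register 2560 with value 0xFFFF, and a correlation of each request's source against a host-attribute table so that a request from a device recorded as a Modbus slave is flagged. The inventory, addresses and packets are constructed for the illustration.

```python
"""Modbus/TCP correlation: decode MBAP + PDU, then apply two defender checks
from the slides: (1) Write Single Register to 2560 with value 0xFFFF (the
PLC restart rule) and (2) any request whose source is inventoried as a
Modbus slave. Added example; inventory and traffic are constructed."""
import struct

FUNCTION_NAMES = {1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
                  4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
                  15: "write_multiple_coils", 16: "write_multiple_registers"}
WRITE_FUNCS = {5, 6, 15, 16}
RESTART_REGISTER, RESTART_VALUE = 2560, 0xFFFF   # values from the PLC restart slide

# Constructed host attributes, the "device type" Cyber Vision would supply to FMC.
INVENTORY = {"10.1.1.5": "modbus_master", "10.1.1.20": "modbus_slave", "10.1.1.21": "modbus_slave"}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode the MBAP header (transaction, protocol, length, unit) and the PDU."""
    if len(payload) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    func = payload[7]
    pdu = {"tid": tid, "unit": unit, "func": func,
           "name": FUNCTION_NAMES.get(func, f"func_{func}"), "exception": bool(func & 0x80)}
    if func in (5, 6) and len(payload) >= 12:        # single coil/register: address, value
        pdu["address"], pdu["value"] = struct.unpack(">HH", payload[8:12])
    return pdu


def build_request(tid: int, unit: int, func: int, address: int, value: int) -> bytes:
    """Constructed request with a 4-byte body (address + value/count) for the samples."""
    body = struct.pack(">BHH", func, address, value)
    return struct.pack(">HHHB", tid, 0, len(body) + 1, unit) + body


def correlate(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> list:
    """Return the alerts raised for one request packet (replies are ignored)."""
    alerts = []
    if dst_port != 502:                               # only Modbus/TCP requests
        return alerts
    pdu = parse_modbus_tcp(payload)
    # Check 1: the restart command (Write Single Register, register 2560, value 0xFFFF).
    if pdu["func"] == 6 and pdu.get("address") == RESTART_REGISTER and pdu.get("value") == RESTART_VALUE:
        alerts.append(f"PLC restart command from {src_ip} to {dst_ip} unit {pdu['unit']}")
    # Check 2: role correlation, a slave should never originate requests.
    if INVENTORY.get(src_ip) == "modbus_slave":
        kind = "write" if pdu["func"] in WRITE_FUNCS else "request"
        alerts.append(f"anomaly: Modbus slave {src_ip} sent {pdu['name']} {kind} to {dst_ip}")
    return alerts


# Constructed traffic: (src, dst, dst_port, payload).
SAMPLE_TRAFFIC = [
    ("10.1.1.5", "10.1.1.20", 502, build_request(1, 1, 3, 0, 10)),         # master reads 10 registers: normal
    ("10.1.1.5", "10.1.1.20", 502, build_request(2, 1, 6, 2560, 0xFFFF)),  # restart command
    ("10.1.1.21", "10.1.1.20", 502, build_request(3, 1, 5, 7, 0xFF00)),    # a slave writes a coil
    ("10.1.1.20", "10.1.1.5", 49152, b"\x00\x01\x00\x00\x00\x05\x01\x03\x02\x00\x2a"),  # a reply: ignored
]


def run(traffic=SAMPLE_TRAFFIC) -> list:
    """Apply the correlation to every packet and collect the alerts in order."""
    return [alert for pkt in traffic for alert in correlate(*pkt)]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The second check is what the custom host attribute buys: the intrusion event alone (write_single_coil) is expected from a master, and only the combination with the device type turns it into an anomaly. An email or SNMP action would be attached where the alert string is produced.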
OT Network Security and Availability
Deep packet inspection comes with a cost; you can minimize it:
• Number of packets to allow in the event queue.
• Enable or disable inspection of packets that will be rebuilt into larger streams.
• Override default match and recursion limits on PCRE that are used in intrusion rules to examine packet payload content.
• Elect to have the rules engine log more than one event per packet or packet stream when multiple events are generated, allowing you to collect information beyond the reported event.
Packet latency threshold: measures the total elapsed time taken to process a packet by applicable decoders, preprocessors, and rules, and ceases inspection of the packet if the processing time exceeds the threshold.
Rule latency threshold: measures the elapsed time each rule takes to process an individual packet, suspends the violating rule along with a group of related rules for a specified time if the processing time exceeds the rule latency threshold a configurable consecutive number of times, and restores the rules when the suspension expires.
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education: related sessions, Walk-In Labs, demos in the Cisco Showcase, Meet the Engineer 1:1 meetings
Thank you
Discrete MFG IoT Factory of the Future
Scaling the Internet of Things at IoT & WSN Berlin 2014
Cisco-Security & Survelliance Ürünleri
Mfg workshop security
Industry 4.0 Security
101 Use Cases for IoT
1. How will the IoT help your business - cisco
Steps to Scale Internet of Things (IoT)
InternetOfEveryting_Industry40_SchniderXperienceEfficiency
Application Centric Infrastructure (ACI), the policy driven data centre
Internet of everything #IoE
Cisco Connect Ottawa 2018 the intelligent network with Cisco Meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
The Changing Data Center Landscape
Ad

Recently uploaded (20)

PDF
NISM Series V-A MFD Workbook v December 2024.khhhjtgvwevoypdnew one must use ...
PPTX
Board-Reporting-Package-by-Umbrex-5-23-23.pptx
PDF
IFRS Notes in your pocket for study all the time
PDF
Roadmap Map-digital Banking feature MB,IB,AB
DOCX
Business Management - unit 1 and 2
PDF
Outsourced Audit & Assurance in USA Why Globus Finanza is Your Trusted Choice
PPTX
Amazon (Business Studies) management studies
PDF
Reconciliation AND MEMORANDUM RECONCILATION
PDF
Laughter Yoga Basic Learning Workshop Manual
PDF
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
PDF
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
PDF
Ôn tập tiếng anh trong kinh doanh nâng cao
PDF
COST SHEET- Tender and Quotation unit 2.pdf
PDF
Digital Marketing & E-commerce Certificate Glossary.pdf.................
PPTX
Principles of Marketing, Industrial, Consumers,
PDF
Daniels 2024 Inclusive, Sustainable Development
PPTX
svnfcksanfskjcsnvvjknsnvsdscnsncxasxa saccacxsax
PDF
Power and position in leadershipDOC-20250808-WA0011..pdf
PPTX
3. HISTORICAL PERSPECTIVE UNIIT 3^..pptx
PDF
Deliverable file - Regulatory guideline analysis.pdf
NISM Series V-A MFD Workbook v December 2024.khhhjtgvwevoypdnew one must use ...
Board-Reporting-Package-by-Umbrex-5-23-23.pptx
IFRS Notes in your pocket for study all the time
Roadmap Map-digital Banking feature MB,IB,AB
Business Management - unit 1 and 2
Outsourced Audit & Assurance in USA Why Globus Finanza is Your Trusted Choice
Amazon (Business Studies) management studies
Reconciliation AND MEMORANDUM RECONCILATION
Laughter Yoga Basic Learning Workshop Manual
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
Ôn tập tiếng anh trong kinh doanh nâng cao
COST SHEET- Tender and Quotation unit 2.pdf
Digital Marketing & E-commerce Certificate Glossary.pdf.................
Principles of Marketing, Industrial, Consumers,
Daniels 2024 Inclusive, Sustainable Development
svnfcksanfskjcsnvvjknsnvsdscnsncxasxa saccacxsax
Power and position in leadershipDOC-20250808-WA0011..pdf
3. HISTORICAL PERSPECTIVE UNIIT 3^..pptx
Deliverable file - Regulatory guideline analysis.pdf
Ad

Leveraging Industrial device visibility and operational intent to inform security policies and controls.pdf

  • 2. Daniel Behrens – Technical Marketing Engineer IoT Management and Security @danielrbehrens Sunil Maryala - Technical Marketing Engineer IoT Management and Security BRKIOT-2204 Leveraging Industrial device visibility and operational intent to inform security policies and controls
  • 3. Questions? Use Cisco Webex Teams to chat with the speaker after the session Find this session in the Cisco Events Mobile App Click “Join the Discussion” Install Webex Teams or go directly to the team space Enter messages/questions in the team space How 1 2 3 4 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Cisco Webex Teams • BRKIOT- 2204 3 BRKIOT-2204
  • 4. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public IT and Operations need to work together 4 BRKIOT-2204
  • 5. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public • Why is Industrial Different? • Where do we start? • Identification of assets and application level communication • Architectural Considerations • Integration with Enterprise Security Portfolio • Macro to Micro segmentation • Cisco Firepower for Industrial Security Agenda 5 BRKIOT-2204
  • 6. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public • Full configurations for integrations with ISE, Cisco DNA-C, Stealthwatch and Firepower Management Center • Full details related to ISE and Cisco DNA-C configuration for pushing security policies across the environment • Full details related to Stealthwatch configuration for receiving NetFlow information from across the architecture What we won’t cover 6 BRKIOT-2204
  • 7. Why is Industrial Different?
  • 8. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Industrial Traffic - Ethernet/IP Engineering Laptop Industrial Application HMI HMI Drive Cell/Area Zone Cell/Area Zone Manufacturing Zone IDMZ Controller CIP Explicit - Informational control and administration Intra- and inter-cell/area zone traffic flow Non-critical administrative or data traffic using TCP ~1500 Bytes, infrequent Above 500 ms CIP Implicit - Producers & Consumer >80% local Cyclical I/O traffic, UDP unicast and multicast <500 Bytes, Frequent 0.5 to 10’s of ms, typically 20 ms IE2K / IE4K IE2K / IE4K IE2K / IE4K IE2K / IE4K IE2K / IE4K IE2K / IE4K IE2K / IE4K 8 BRKIOT-2204
  • 9. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Industrial Traffic - Profinet • Component Based Automation • Built on DCOM (Distributed Component Object Model) and RPC (Remote Procedure Call) technologies • Object oriented approach to communications between distributed islands of automation • Provides a scalable architecture for dealing with complex distributed automation and control systems • Connection between distributed IO Devices and Controllers. • Defines three communication channels • PROFINET NRT – Non-Real-Time • PROFINET RT – Real-Time • PROFINET IRT – Isochronous Real-Time • IP application protocols for configuration and maintenance functions: DHCP, DCP, DNS, HTTP/S, etc PROFINET CBA PROFINET IO TCP/UDP/IP Ethernet UDP / Ethernet Time-Sync Ethernet HMI/SCADA, PROFINET CBA IT Applications PROFINET CBA/RT PROFINET IO PROFINET IRT Motion Control Non Real-time 100ms cycle Real-time 10ms cycle Isochronous Real-time <1ms cycle Standard (IT) Communications Response <100ms Factory Automation Response <10ms Motion Control Response <1ms 9 BRKIOT-2204
  • 10. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Some common ethernet protocols in industrial environments Manufacturing • CIP - Ethernet/IP • Profinet – S7 • ModbusTCP • OPC ( DA, UA ) • CC Link • FINS Utilities • GOOSE / IEC 61850 • DNP3 • ModbusTCP Others • BACnet • MTConnect “IT” • DNS • AD • NTP 10 BRKIOT-2204
  • 11. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Linear Ring Redundant Star Cabling Requirements Ease of Configuration Implementation Costs Bandwidth Redundancy and Convergence Disruption During Network Upgrade Readiness for Network Convergence Overall in Network TCO and Performance Worst OK Best Industrial Network Topologies Star/Bus Linear Cell/Area Zone Controllers, Drives, and Distributed I/O HMI Controllers IE5K (Distribution Switch) HMI Cisco Catalyst 2955 Cell/Area Zone Controllers, Drives, and Distributed I/O Cell/Area Zone HMI Controller Redundant Star Cell/Area Zone Controllers, Drives, and Distributed I/O HMI Controllers Rings IE5K (Distribution Switch) IE5K (Distribution Switch) IE2K / IE4K IE2K / IE4K IE2K / IE4K IE2K / IE4K IE2K / IE4K IE2K / IE4K IE2K / IE4K 11 BRKIOT-2204
  • 12. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public IP Addressing in Industrial Environments • Statically Addressed • Large layer 2 domains • Simplify assignment / replacement • Simplify communication configuration • Address Re-use as legacy equipment is migrated 12 BRKIOT-2204
  • 13. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Why Static IP Addressing? • IP Address used to configure communications 13 BRKIOT-2204
  • 14. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Why Resiliency Matters • Connection time in ranges from 2 to 750 ms • Default to unicast.. Now • Can fault controller ( Process stop ) 14 BRKIOT-2204
  • 15. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public ICS Network Typical Application Flows are local • Majority of traffic is East / West* • Advanced applications increasing North / South • Often never leaving Cell or Access switch 15 BRKIOT-2204
  • 17. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Discover & Baseline Segment Detect Respond Most industrial customers don’t have accurate Asset Inventory Blind to what their assets are communicating with You cannot secure what you don’t know 17 BRKIOT-2204
  • 18. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Industrial IoT Security Architecture Identify Monitor Group and Policy Definition Enforce Comprehensive Industrial IoT Security Architecture 18 BRKIOT-2204 Segmentation Lifecycle
  • 19. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Detect vulnerabilities Prevent malware from spreading Detect malicious intrusions Detect attempts to scan & modify OT assets Investigate and remediate threats Securing Industrial Networks with Cisco IoT Threat Intelligence Cyber Vision Vulnerability Detection Centralized Segmentation Policy Firepower IPS Zone Segmentation TrustSec Micro Segmentation Cyber Vision Anomaly Detection Cisco Threat Response Firepower / Cyber Vision Intrusion Detection AMP / Threat Grid Malware Detection Umbrella DNS & IP Security 19 BRKIOT-2204
  • 21. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Typical ICS Visibility & Detection Solution 21 BRKIOT-2204 Server Appliance SPAN Traffic Industrial Switch Industrial Protocol DPI based passive monitoring SPAN traffic from industrial control network to a monitoring system Port Mirroring is not a scalable solution!
  • 22. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public ICS visibility and detection solution types What is really going on under the hood SPAN all traffic to Server Single Server • DPI • Analytics • Visualization SPAN traffic to Sensors Metadata Midweight Sensor Server • DPI • Analytics • Additional Analytics • Visualization Industrial Control Network Metadata Lightweight Sensor Server • DPI • Analytics • Visualization SPAN traffic to Sensors 1 2 3 Cisco Metadata BRKIOT-2204 22
  • 23. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Cisco Cyber Vision 23 BRKIOT-2204 Security that scales with your network infrastructure Network-Sensors (Deep Packet Inspection Built into Network Elements ) IE 3400 Switch Sensor IR 1101 Gateway Sensor Sensor IC3000 Industrial Compute Hardware-Sensor (To support brownfield ) Cisco Integrations ISE, Stealthwatch, Firepower, DNA-C Partner Integrations SIEM, CMDB ICS Vendor Software Cyber Vision Center (Centralized Analytics) Catalyst 9000 Switch Sensor Available Spring 2020 Shipping Shipping
  • 24. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Why is a network-sensor important? ICS Network Purdue Level 3 Purdue Level 2 Purdue Level 0-1 Suboptimal Location Most control traffic is local to the cell Expensive Additional Hardware, cabling for out-of-band SPAN network DPI Location Matters! • Mirroring traffic in at the aggregation layer results in visibility to only North-South traffic • Mirroring traffic at the cell layer requires an expensive out-of-band SPAN network Sensor embedded in the network sees everything that attaches to it 24 BRKIOT-2204
  • 25. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Why is a network-sensor important? RSPAN introduces Jitter! • Head-of-line blocking caused by Inline SPAN traffic negatively impacts time-sensitive control loop • RSPAN in LANs is detrimental to control system performance Sensor embedded in the network generates lightweight metadata that does not congest QoS queues ICS Network SPAN Traffic Control Traffic Purdue Level 3 Purdue Level 2 Purdue Level 0-1 25 BRKIOT-2204
  • 26. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Why is a network-sensor important? 26 BRKIOT-2204 SPAN is expensive in WANs LTE ($$$) Monitoring Station Wireless Bandwidth is Expensive • Sending SPAN traffic over 3G/LTE WAN links is cost prohibitive • Installing an appliance per site is an expensive alternative • Sensor embedded in the network only generates lightweight Application-Flow metadata LTE ($$$)
  • 27. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Why is a network-sensor important? 27 BRKIOT-2204 SPAN is not feasible in FANs No place to house a standalone Sensor • Visibility into Field Area Network (FAN) traffic in distribution automation only possible if the DPI is performed on the DA router • Sending SPAN traffic over 3G/LTE links from DA router is too expensive • Sensor embedded DA router only generates lightweight Application-Flow Wireless Mesh Wireless Mesh LTE ($$$) DA Router
  • 28. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Visibility Using your Network Infrastructure The Cisco industrial network lets you see everything that connects to it Monitoring at the Edge • Cyber Vision Sensors embedded into industrial network equipment • No additional hardware needed • No need for an out-of-band monitoring network Easy deployment Low TCO Application-Flow Lightweight Metadata ICS Networ k Cyber Vision Center Sensor Sensor Sensor Sensor Sensor Sensor is the only vendor on the market with an edge strategy for OT cybersecurity
  • 29. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Sensor IR Gateway IE Switch CGR Router Generation Transmission Sensor Sensor Sensor IE Switch Distribution Sensor Sensor ISA Firewall Cisco Cyber Vision for Utilities Security that can be deployed at scale
  • 30. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Upstream Midstream Downstream Sensor Sensor Sensor Sensor Cisco Cyber Vision for Oil & Gas IR Gateway IR Gateway IE Switch IW Access point Security that can be deployed at scale
  • 31. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Sensor Sensor IE Switch ISA Firewall IW Access Point Cisco Cyber Vision for Manufacturing Security that can be deployed at scale
  • 32. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Visibility: Comprehensive Asset Inventory ■ Automatically maintain a detailed list of all OT & IT equipment ■ Immediate access to software & hardware characteristics ■ Track rack-slot components ■ Tags make it easily to understand asset functions and properties Track the industrial assets to protect throughout their life cycles BRKIOT-2204 32
  • 33. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Visibility: Track Application Flows ▪ Identify all relations between assets including application flows ▪ Spot unwanted communications & noisy assets ▪ Tags make it easily to understand the content of each communication flow ▪ View live information or go back in time Drive network segmentation and fine-tune configurations BRKIOT-2204 33
  • 34. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Visibility: Instantaneous Vulnerability Identification ▪ Automatically spot software vulnerabilities across all your industrial assets ▪ Access comprehensive information on vulnerability severities and solutions ▪ Built-in vulnerability database always up to date Enforce Cyber-Hygiene best practices
  • 36. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Cisco Security for Industrial IoT Cisco ISE Access Control Cisco Firepower Traffic Filtering Cisco Stealthwatch Network Flow Analysis Cisco DNA-C Network Management Cyber Vision Center Operational Insights Threat Detection Sensor Sensor Sensor Switch Gateway AP V I S I B I L I T Y Cyber Vision Sensors Deep Packet Inspection Built into Cisco Industrial Network Threat Intelligence T A L O S Threat Response C T R Comprehensive Industrial IoT Security Architecture
  • 37. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Cisco ISE Integration Extend security policies to your industrial network pxGrid Cisco ISE • ISE endpoints are enriched with context from Cyber Vision • Use ICS attributes (PLC, Siemens, Cell-1) to define profiling policy • Segment your network to prevent malware and ransomware from spreading Industrial Switching Industrial Wireless Industrial Routing IoT Gateways Mesh / LoRA Industrial Firewalls Embedded Cisco Industrial Network Provides Visibility and Enforces Security Policy TrustSec ICS Visibility BRKIOT-2204 37
  • 38. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Industrial Asset Visibility in ISE through Cisco Cyber Vision Endpoint attributes in ISE populated by FTNM Asset Identity This is a CompactLogix Controller, manufactured by Rockwell Automation, has serial number xxx, running firmware abc, speaks CIP, attached to switch efg, and it it is in Cell-1 in the Austin Plant… BRKIOT-2204 38
  • 39. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public ISE profiling OT endpoints IOT Asset Attributes Attributes from IND Profiling a Rockwell PLC
  • 40. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public ISE Authorization Policy 40 BRKIOT-2204
  • 41. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public ISE Authorization Profiles 41 BRKIOT-2204
  • 42. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public ISE TrustSec Policy 42 BRKIOT-2204
  • 43. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Cisco Stealthwatch Integration Speed up incident response and forensics Cisco Stealthwatch • Stealthwatch flows enriched with context from Cyber Vision • Use ICS attributes (PLC, Siemens, Cell-1) to define host-group policy • Pinpoint ICS assets when Stealthwatch raises alarms at Level- 3 for north-south traffic from industrial network to the Enterprise REST API PLC IO DRIVE CONTROLLER ICS Visibility BRKIOT-2204 43
  • 44. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Integrating Industrial Asset Visibility in Stealthwatch Asset Identity The source is a Rockwell Automation HMI, in Cell-1, speaking CIP, to Rockwell Automation Controller in Cell- 2 BRKIOT-2204 44
  • 45. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Segmentation Monitoring with StealthWatch Define communication policy between zones Monitor for violations Engineering Laptop Network Management HMI HMI Drive Cell-1 Cell-2 Manufacturing Zone IDMZ Controller IE2K / IE4K IE2K / IE4K IE2K / IE4K IE2K / IE4K IE2K / IE4K IE2K / IE4K IE2K / IE4K NO ACCESS HTTP CIP BRKIOT-2204 45
  • 46. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Policy Modeling and Monitoring When a new flow is generated between devices in different segment an alarm is generated
  • 47. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Cisco Firepower Integration OT context for creating rules, remediation, and impact assessment Cisco Firepower • Map ICS device IP to named objects (PLC, IO, Drive) in Firepower for use in access policy* • Map ICS device vulnerabilities to Hosts in Firepower for use in correlation policy* • Identify anomalous flows in Cyber Vision and kill FTD Firewall sessions PLC IO DRIVE CONTROLLER ICS Visibility * Spring 2020 BRKIOT-2204 47
  • 48. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Industrial Asset Context in FMC 48 BRKIOT-2204
  • 50. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Cisco Components Industrial DMZ • Access control lists (ACLs) • Intrusion detection systems (IDS) and intrusion prevention systems (IPS) • VPN services • Portal and remote desktop services • Application and data mirrors Industrial zone • AAA identity services • Network management • Asset inventory • Anomaly detection • Plant-wide services • Traffic enforcement (plant to IDMZ, north/south) Area zone • Traffic Enforcement (Cell to Cell, East/West ) • QoS Prioritization • SXP • Netflow Inter-cell (ISA3000) • Industrial deep packet inspection (DPI) • Stateful firewall and intrusion prevention (IPS) • Hardware bypass Cell zone • PoE/PoE+ • Layer 2 NAT • 802.1X • MAC Authentication Bypass (MAB) • Quality of Service marking • Netflow (IE3x00 and IE4000 only) • TrustSec tagging (IE3x00 and IE4000 only) • Edge compute (IE3x00 only) Converged Industrial Architectures Industrial Zone Purdue Level 3 Area Zone Purdue Level 2 Cell Zone Purdue Level 0-1 Cyber Vision Center Cisco NGFW and IPS solutions Industrial core ISA3000 IT network IT core DMZ Enterprise Zone Purdue Level 4-5 User Access RESTful API (HTTPS) SIEM (Syslog) ISE/DNA-C (PxGrid) ISA3000 Sensor Sensor Sensor Sensor Sensor IC3000 SPAN/RSPAN IE3x00 PLC/RTU/IED SIS SCADA/HMI HISTORIAN MES Sensor Sensor BRKIOT-2204 50
  • 51. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Scalable Tags in Industrial Environments Industrial Zone Purdue Level 3 Area Zone Purdue Level 2 Cell Zone Purdue Level 0-1 Cyber Vision Center Cisco NGFW and IPS solutions Industrial core ISA3000 IT network IT core DMZ Enterprise Zone Purdue Level 4-5 User Access RESTful API (HTTPS) SIEM (Syslog) ISE/DNA-C (PxGrid) ISA3000 Sensor Sensor Sensor Sensor Sensor IC3000 SPAN/RSPAN IE3x00 PLC/RTU/IED SIS SCADA/HMI HISTORIAN MES Sensor Sensor Destination Source ▪ Scalable Group Tag (SGT) a 16 bit value that the Cisco ISE assigns to the endpoint’s session upon login ▪ SGT is applied to the endpoint’s traffic ▪ Centralized Policy – ISE ▪ Cell to Cell Enforcement at Area Switch Plant to IT Enforcement at IDMZ FW
  • 53. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Industrial Firewalls what and where? First Level – Secured Connectivity Second Level – Secured Visibility & Control Third Level – Converged Security & Depth Level 5 Level 4 Level 3 Level 2 Level 1 Enterprise Network Site Business Planning & Logistics Network Enterprise Zone DMZ Manufacturing Zone Cell/Area Zone Site Manufacturing Operations and Control Area Supervisory Control Basic Control Process Sensors Drives Actuators Robots FactoryTalk Client HMI Magelis HMI Engineering Workstation Operator Interface Batch Control Discrete Control Drive Control Continuous Process Control Safety Control FactoryTalk App Server FactoryTalk Directory Engineering Workstation Domain Controller Terminal Server RDP Server App Server Patch Mgmt. E-Mail, Intranet, etc. Zone Segmentation Controlled Conduits Application Control Threat Control Policy Driven Response Deeper Vision / Control Level 0
  • 54. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Industrial Firewall Features for Firepower devices 54 BRKIOT-2204 • Deployment modes - Out of Band, Inline - Active, Passive • Industrial Application Detection • Industrial protocol command detection • SCADA IPS rules • Reliable operation - HW Bypass, Dual power inputs (ISA-3000) • Industrial Infrastructure Integration - DC Power, Alarm Input/output pins (ISA-3000)
  • 55. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Firepower Industrial protocol support OT Protocol Application Description Verticals BACNet A Data Communication Protocol for Building Automation and Control Networks. Buillding Automation COSEM COTP Connection Oriented Transport Protocol (ICCP) Multiple verticals DNP3 DNP3 is based on the standards of the International Electrotechnical Commission (IEC) Technical Committee 57, DNP3 has been selected as a Recommended Practice by the IEEE C.2 Task Force; RTU to IED Communications Protocol. Utilities Emission Control Protocol Registered with IANA as IP Protocol 14. Fujitsu Device Control A system that controls devices within a house. GOOSE Generic Object Oriented Substation Events (GOOSE) Utilities GSE Generic Substation events Utilities Honeywell Control Station/NIF Server Honeywell Protocol Detector for Control station Multiple verticals Honeywell Experion DSA Server Monitor Honeywell Protocol Detector for Experion DSA server. Multiple verticals IEC 104 IEC 60870-5-104 enables communication between control station and substation via a standard TCP/IP network. Utilities ISO MMS Manufacturer Messaging Specification, the ISO session-layer protocol. Utilities Modbus Modbus is a serial communications protocol published by Modicon in 1979 for use with its programmable logic controllers (PLCs). Multiple verticals OPC-UA OLE for Process Control (OPC), which stands for Object Linking and Embedding (OLE) for Process Control, Multiple verticals Q.931 SRC IBM System Resource Controller facilitates the management and control of complex subsystems. The SRC is a subsystem controller. TPTK Multiple verticals CIP Common Industrial Protocol Manufacturing 55 BRKIOT-2204
  • 56. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Firepower Industrial protocol detectors 56 BRKIOT-2204
  • 57. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Enabling Industrial protocol detection Access Control rule to detect Industrial protocols Application Visibility
  • 58. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 58 BRKIOT-2204 Host Attributes from Cisco Cyber Vision
  • 59. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Enforce security using Cyber Vision data 59 BRKIOT-2204 Cyber Vision Asset Data FMC defining correlation policy based on Cyber Vision data Check if an OT Asset generates non-OT traffic
  • 60. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Industrial Firewall deployment modes Cell/Area Zone Controllers, Drives, and Distributed I/O HMI Controllers Rings RSPAN Out of Band Inline • Out of Band • Visibility • Limited Impact - copy of traffic is inspected • In-Line • Visibility • Enforce 60 BRKIOT-2204
  • 61. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Out of Band configuration Cisco FTD passive mode configuration
  • 62. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Industrial Firewall deployment Default Config: • Transparent mode • Default Allow ALL • Passive detection Enable HW Bypass Mostly Layer2 – Ring & Linear Topologies No change required in Network layout or configuration Continuity of operations on device/power failure “Availability” is the Key Firewall deployment modes 62 BRKIOT-2204
  • 64. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Rule to detect PLC restart, open/close Modbus data required to restart a PLC • Modbus unit • Modbus command = Write Single Register • Register Address (2560) • Register value (0xFFFF) Register check Register check Register value check
  • 65. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Robot Arm in a Manufacturing Plant Industrial Firewall Safe Operation of ICS- Stopping a Dangerous Misconfiguration of a Robot Arm On the Factory Floor Invalid parameters Valid parameters 65 BRKIOT-2204
  • 66. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public DNP3 IPS rule options DNP3 command inspection • DNP - Distributed Network protocol. • For communication between components in process automation systems. • Mainly used in Utilities such as Electric and Water • DNP3 is transported over TCP using port 2000 66 BRKIOT-2204
  • 67. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public DNP3 inspection pre-processor options 67 BRKIOT-2204 DNP3 Functions "confirm" "read" "write" "select" "operate" "direct_operate" "direct_operate_nr" "immed_freeze" "immed_freeze_nr" "freeze_clear" "freeze_clear_nr" "freeze_at_time" "freeze_at_time_nr" "cold_restart" "warm_restart" "initialize_data" "initialize_appl" "start_appl" "stop_appl" "save_config" "enable_unsolicited" "disable_unsolicited" "assign_class" "delay_measure" "record_current_time" "open_file" "close_file" "delete_file" "get_file_info" "authenticate_file" "abort_file" "activate_config" "authenticate_req" "authenticate_err" "response" "unsolicited_response" "authenticate_resp" DNP3 Internal Indicators flags present in a DNP3 Application Response Header "all_stations" "class_1_events" "class_2_events" "class_3_events" "need_time" "local_control" "defice_trouble" "device_restart" "no_func_code_support" "object_unknown" "parameter_error" "event_buffer_overflow" "already_executing" "config_corrupt" "reserved_2" "reserved_1"
  • 68. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Enabling SCADA pre-processors Network Analysis policy Enable scada pre-processors SCADA pre- processor configuration
  • 69. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public IEC-60870-5-104 inspection support IEC 60870-5-104 enables communication between control station and substation via a standard TCP/IP network. The TCP protocol is used for connection- oriented secure data transmission. Mostly used in Europe. There are 2 types of devices – Controlling station(PC) & Controlled devices(RTU) IEC-104 protocol is used to exchange commands & information between controlled and controlling devices Firepower software supports detection of information, command exchange between the devices. Firepower provides built-in Intrusion rules for IEC-104 protocol based on DPI (Deep packet Inspection) by SNORT engine. Firepower built-in Intrusion rules for IEC-104
  • 70. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public IEC-61850 MMS inspection support Firepower built-in Intrusion rules for IEC-61850 MMS IEC 61850 is an international standard defining communication protocols for intelligent electronic devices at electrical substations. Components of IEC61850 are • MMS (Manufacturing message specification) • GOOSE (Generic object oriented substation event) • SMV (Sample measured values) Firepower software supports detection of information, command exchange between the devices using MMS. Firepower provides built-in Intrusion rules for MMS protocol based on DPI (Deep packet Inspection) by SNORT engine. Latency sensitive 70 BRKIOT-2204
  • 71. Built-in IPS signatures for OT.
  • 72. IPS signatures for OT/SCADA protocols: 400+ built-in signatures for OT protocols and endpoints; based on vulnerabilities discovered in protocols and devices; protection against known and unknown threats; updated regularly.
  • 73. Protecting the platform. How do you protect the underlying platform? 800+ IPS rules for the Windows OS. What about the infrastructure? Authentication (Active Directory, LDAP), DNS, switches, routers.
  • 75. Cisco Cyber Vision threat detection: behavioral analytics. Create baselines to define normal behaviors and configurations; behavior modeling automatically triggers alerts on deviations from the baselines; import IoCs to detect known malicious behaviors; continuously improve detection with classification of new events. Detect unknown attacks and malfunctions.
  • 76. Correlation. Intrusion rules are uni-dimensional and static: based on a single parameter, no anomaly detection, no automatic response. What if a Modbus slave sends a "Write" request? What if an infected Modbus master sends data-collection requests at a higher rate than normal? Answer: correlation. Correlation rules allow boolean decisions on one or more sets of data within the Firepower console. Rules can then lead to actions such as email, syslog, SNMP events or remediation actions. Value: automate security decisions; track business outcomes; trigger an automated response to specific conditions.
  • 77. Anomaly detection: a host sending a request it should not send, for example a Modbus slave sending a request such as Write Single Coil. Creating custom host attributes. What do you need to detect this anomaly? Device type = Modbus Slave; intrusion event = "write_single_coil".
  • 78. Anomaly detection: adding custom host attributes.
  • 79. Anomaly detection: when an intrusion event is detected showing that a device is sending the Modbus command "write_single_coil", and the device type is Modbus Slave, send an email when the anomaly is detected.
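The correlation rule built on slides 77 to 79, and the two "what if" questions on slide 76, expressed as code so the logic can be checked offline; this is an added example, not Firepower's own implementation, and the host attribute table, intrusion events and per-host baselines are constructed.

```python
"""Correlation logic mirroring the FMC rule built on slides 76-79: an intrusion event
for a Modbus write whose source host carries the custom attribute Device type =
Modbus Slave is an anomaly, as is a master whose request rate jumps above its baseline.
Added example, not Firepower code; hosts, events and baselines are constructed."""
from collections import Counter

# Constructed custom host attribute table (the slides' "Device type" attribute).
HOST_ATTRS = {
    "10.1.1.10": "Modbus Master",
    "10.1.1.20": "Modbus Slave",
    "10.1.1.21": "Modbus Slave",
}

# Modbus function names treated as writes; write_single_coil is function code 5.
WRITE_FUNCS = {"write_single_coil", "write_single_register",
               "write_multiple_coils", "write_multiple_registers"}

# Constructed intrusion events: ts in seconds, src host, dst host, Modbus function.
EVENTS = [
    {"ts": t, "src": "10.1.1.10", "dst": "10.1.1.20", "func": "read_holding_registers"}
    for t in (0, 10, 20, 30, 40, 50)  # six polls in one minute from the master
] + [
    {"ts": 15, "src": "10.1.1.20", "dst": "10.1.1.21", "func": "write_single_coil"},
    {"ts": 70, "src": "10.1.1.10", "dst": "10.1.1.21", "func": "read_coils"},
]

# Constructed baseline: normal requests per 60 s window for each host.
BASELINE = {"10.1.1.10": 2, "10.1.1.20": 1}


def slave_write_anomalies(events, host_attrs=HOST_ATTRS):
    """Slide 79 rule: writes originating from a host typed as a Modbus Slave."""
    return [(e["src"], e["func"]) for e in events
            if e["func"] in WRITE_FUNCS and host_attrs.get(e["src"]) == "Modbus Slave"]


def rate_anomalies(events, baseline=BASELINE, window_s=60, factor=2.0):
    """Hosts whose request count in any window exceeds factor x their baseline."""
    per_window = Counter((e["src"], e["ts"] // window_s) for e in events)
    return sorted({src for (src, _), n in per_window.items()
                   if src in baseline and n > factor * baseline[src]})


def correlate(events):
    """Return the action payloads (here email subjects) the correlation rule would fire."""
    alerts = [f"email: slave {src} sent {func}" for src, func in slave_write_anomalies(events)]
    alerts += [f"email: {src} above {BASELINE[src]}/min baseline" for src in rate_anomalies(events)]
    return alerts
```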
  • 80. OT network security and availability. Deep packet inspection comes with a cost, but you can minimize it: the number of packets to allow in the event queue; enable or disable inspection of packets that will be rebuilt into larger streams; override the default match and recursion limits on the PCRE that intrusion rules use to examine packet payload content; elect to have the rules engine log more than one event per packet or packet stream when multiple events are generated, allowing you to collect information beyond the reported event. Packet latency thresholding measures the total elapsed time taken to process a packet by the applicable decoders, preprocessors and rules, and ceases inspection of the packet if the processing time exceeds the threshold. Rule latency thresholding measures the elapsed time each rule takes to process an individual packet, suspends the violating rule along with a group of related rules for a specified time if the processing time exceeds the rule latency threshold a configurable consecutive number of times, and restores the rules when the suspension expires.
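The rule latency thresholding behaviour described on slide 80, simulated step by step so the interaction of the consecutive-violation count, the suspension of related rules and the restore on expiry can be seen; this is an added example, not Firepower code, and the thresholds, rule ids and timings are constructed rather than product defaults.

```python
"""Simulation of rule latency thresholding as described on slide 80: a rule that exceeds
its latency threshold a configurable number of consecutive times is suspended together
with a group of related rules for a fixed period, then restored when that period expires.
Added example, not Firepower code; thresholds and rule ids below are constructed."""


class RuleLatencyThreshold:
    def __init__(self, threshold_us, consecutive, suspend_s):
        self.threshold_us = threshold_us  # per-packet time a rule may consume
        self.consecutive = consecutive    # violations in a row before suspension
        self.suspend_s = suspend_s        # how long the suspension lasts
        self.violations = {}              # rule -> consecutive violation count
        self.suspended_until = {}         # rule -> time the suspension expires

    def is_suspended(self, rule, now):
        """Report whether `rule` is suspended at `now`, restoring it if expired."""
        until = self.suspended_until.get(rule)
        if until is None:
            return False
        if now >= until:  # suspension expired: restore and clear the count
            del self.suspended_until[rule]
            self.violations[rule] = 0
            return False
        return True

    def record(self, rule, elapsed_us, now, related=()):
        """Account one evaluation of `rule`; return True if it is now suspended."""
        if self.is_suspended(rule, now):
            return True
        if elapsed_us > self.threshold_us:
            self.violations[rule] = self.violations.get(rule, 0) + 1
        else:
            self.violations[rule] = 0  # a fast packet breaks the consecutive run
        if self.violations[rule] >= self.consecutive:
            for r in (rule, *related):  # suspend the violator and its group
                self.suspended_until[r] = now + self.suspend_s
            return True
        return False
```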
  • 81. Complete your online session survey. Please complete your session survey after each session; your feedback is very important. Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt. All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea. Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
  • 82. Continue your education: related sessions, Walk-In Labs, demos in the Cisco Showcase, Meet the Engineer 1:1 meetings.