Internet of Things - ja mit Sicherheit (Internet of Things - yes, with security). Manfred Bauer, IoT Sales Lead Germany, September 2014

Handout, talk by Manfred Bauer, Cisco


8/10/2019 Handout, talk by Manfred Bauer, Cisco

http://slidepdf.com/reader/full/handout-vortrag-manfred-bauer-cisco 1/23



© 2013-2014 Cisco and/or its affiliates. All rights reserved.

The Internet of Everything (IoE)

Networked Connection of People, Process, Data, Things

[Diagram: IoE at the centre with four pillars; text at the right edge of the slide is cut off]
• People: Connecting People in More Relevant, Valuable Ways
• Process: Delivering … into the Ri… at the Rig… (text cut off)
• Data: Leveraging Data into More Useful Information for Decision Making
• Things: Physical… Connect… Each Oth… Decision… (text cut off)


Smart Factory as Internet of Things

[Diagram; text at the right edge of the slide is cut off]
• Connection between products, machines and Internet
• Collec… inform… special… (text cut off)
• Networking between machines and products within the shop floor
• Situational offer form services


Example: Building the Factory of the Future

[Architecture diagram; labels recovered from the slide]
• Factory Security: Industrial Identity Services, Industrial Deep Packet Inspection, IP Cameras
• Converged Network Platforms: Ruggedized Wireless Access Points, Industrial Routers and Switches, Hardened Mobile M2M Gateway
• Connected Factory Applications: Real Time Supply Chain, Asset Utilization, Accelerated NPI, New Business Models, Productivity
• Things: Torque Sensors, Asset Tags, IP HD Camera, Robots, Parts
• Capabilities: Flexible mfg • Flexible controls • Flexible networks; Resiliency (REP), Integrated management, Near Zero Downtime; Distributed Compute; Machine-as-a-Service, Remote Asset Mgmt; Mobility • 2.4/5 GHz • Clean air


Industrie 4.0 Demands Cross Domain Data Management

[Diagram: Data Center, IT Clients, Plants, Internet; Network Devices, Ports, People, Locations, Machines; Things, Process, Data]
• Classical IT Responsibility vs. Classical OT Responsibility
• End to End Secure Connectivity and Computing Demands a Seamless Network Concept

Secure entity management reaches a new magnitude of scale.


Industrie 4.0 Demands World Wide Connectivity

[Diagram: Primary DC, Backup DC, DMZ, Plant 1, Plant 2, Supplier 1]
• Internet and Intranet need s…, scalable and reliable network functions based on trusted de… (text cut off at the slide edge)
• Selective feature choice between technologies like Multi-Protocol Label-Switching (MPLS) and encryption based access technologies (like IPsec)
• Context based Security in the complete value chain with manageable rules handled by TrustSec based profiles


The Main Problem with separated OT/IT Networks

[Diagram: Data Center, IT Clients, Plants, Internet, Intranet; DMZ Global IT vs. DMZ Plant IT; Isolated or Industrial FW; Selective Authentication / Authorization at both DMZs]
IT Controlled Security vs. Isolated/confused world of OT
• Machines, Remote Expert
• Secure Third Party Access
• Global Location Routing separated from Intranet
• Plant wide selective Access to Machines
• Selectiv… Functi… (text cut off)


IT/OT Converged Security Model

[Diagram: IT (Enterprise Network), DMZ (Demilitarized Zone), OT (Process, Supervisory; Control, Automation), with Internet and Cloud OT Partners & Services; text at the right edge is cut off]
• OT: Ruggedized Firewall; Ruggedized IDS / IPS; Segmentation: VLANs, VRFs, ACLs
• Plant Edge (VPN, IPS, Remote Access); Stateful Firewall, NGFW; Access Control
• Cloud-based Threat Protection; Network-wide Policy Enforcement; Security Information Event Management
• SIEM, Remote Services Platform; OT Policy Mgmt, SW, Config, AV As…; Cyber Physical Access Control System
• Enterprise Edge (VPN, IPS, NGFW); Anti-Virus, Malware Detection; Corporate Directory, Web/Email Security


Priority shifts in IoT

Security Policies: IT Network vs. IoT Network (IoT column cut off at the slide edge)

Focus
  IT Network: Protecting Intellectual Property and Company Assets
  IoT Network: 24/7 Operations, High OEE, Safety, … (text cut off)
Priorities
  IT Network: 1. Confidentiality 2. Integrity 3. Availability
  IoT Network: 1. Availability 2. Integrity 3. Confidentiality
Types of Data Traffic
  IT Network: Converged Network of Data, Voice and Video (Hierarchical)
  IoT Network: Converged Network of Data, Co… Information, Safety and Motion (P2… (text cut off)
Implications of a Device Failure
  IT Network: Continues to Operate
  IoT Network: Could Stop Processes, Impact Ma… Harm (text cut off)
Threat Protection
  IT Network: Shut Down Access to Detected Threat and Remediate
  IoT Network: Potentially Keep Operating with a Detected Threat
Upgrades and Patch Mgmt
  IT Network: ASAP, During Uptime
  IoT Network: Scheduled, During Downtime
Infrastructure Life Cycle
  IT Network: Equipment upgrades and refresh <5yr
  IoT Network: Avoid Equipment upgrades (lifespan 1… (text cut off)
Deployment conditions
  IT Network: Controlled physical environments
  IoT Network: Harsh environments (temp, v… (text cut off)

• Security in IoT networks is crucial, as people, communities and financial systems could be negatively impacted by cyber/physical security breaches
• Top priorities are availability, safety, and ease-of-use
• Biggest pain point is the management of who, what, where, when, and how (people, data, devices, and pro…)


IoT Security Principles

• Access Control: User and Device Identity; Authentication, Authorization & Accounting
• Data Confidentiality and Data Privacy: Network Segmentation; Secure Connectivity
• Threat Detection and Mitigation: Security Zones; Intrusion Prevention; Application Visibility
• Device and Platform Integrity: Device Hardening and Secure Platform; Configuration Assurance

Framing themes around the diagram: Policy Management with OT/IT Convergence & Ease of Use; Operation Reliability & Safety


IT/OT Converged Security Model – Manufacturing

[Reference architecture diagram; labels recovered from the slide, text at the right edge cut off]
• Enterprise Network, Levels 4–5: Web Apps, DNS, FTP, Internet, Access Switch
• Demilitarized Zone, Level 3.5: Firewall (Active) / Firewall (Standby) with Gbps Link for Failover Detection; Patch Mgmt., Terminal Services, Application Mirror, AV Server
• Manufacturing Zone, Level 3: Factory Application Servers, Core Switches, Aggregation Switch, Network Services
• Cell/Area Zone, Levels 0–2: Cell/Area #1 (Redundant Star Topology), Cell/Area #2 (Ring Topology), Cell/Area #3 (Linear Topology); Layer 2 Access Switch, Controller, Drive, HMI, Distributed I/O
Security controls listed alongside the diagram: Ruggedized Firewall; Ruggedized Intrusion Prot…; Remote Monitoring / Surv…; SW, Config, Asset Mgm…; VPN Remote Access Se…; Next-Generation Firewall; Intrusion Prevention (IPS); Cloud-based Threat Protection; Network-wide Policy Enforcement; Access Control (applicatio…); Stateful Firewall; Intrusion Protection/Detec…; Physical Access Control S…; ISE


Let’s do some maintenance!

[Diagram: a remote maintenance path from Remote Services / Cloud Systems over the Internet and VPN into the Enterprise Network, the DMZ (App Server, Web Server, Historian), the Supervisory Network (SCADA/DCS, Historian), the Control System Network and the Field Network (IEDs, PLCs, Sensors, Actuators); a Remote Facility is attached via VPN]

IoE Cyber Security: Protection

[Diagram; labels recovered from the slide]
• Industrial Cyber Security: Application Visibility, IPS/IDS, Identity Services Engine, Switching, Video Surveillance Manager, Routers, Firewalls, Access Points, Network Security Mgmt.
• Onion Layers / Secure Zones: Cells, Zones, Plants
• Segmented Access (Role-Based)
• Security Policy, AAA and Identity Services
• Security Monitoring, Threat Detection, Incident and Event Monitoring
• Physical Security: Smart, Programmable Cameras


IT/OT Converged Security Model – Transportation

[Diagram; labels recovered from the slide, text at the right edge cut off: Control Center (PTC, IPICS, VSMS / VSOM, UCS, TMC, PTC 3000), IP/MPLS Domain, WAN / Core, Trackside (Process Control & Safety Networks, VSMS, Offload), On-board Multiservice Networks]
Security controls listed alongside the diagram: Ruggedized Firewall; Ruggedized Intrusion Detection; Remote Monitoring / Su…; SW, Config, Asset Mg…; VPN Remote Access; Next-Generation Firewall; Intrusion Prevention (IPS); Cloud-based Threat Protection; Network-wide Policy Enforcement; Application-Level Acce…; Stateful Firewall; Intrusion Detection (IDS); Physical Access Contro…


Example Smart City

[Diagram; labels recovered from the slide: Cloud & Services; Municipal Command & Control Center; Intelligent City, Intelligent Building, Intelligent Highway; Lighting Poles, Smart Grid, Building Optimization, City WiFi, Home Energy Mgmnt, Traffic Flow Optimization, Factory Optimization, Automated Car System, Intelligent Digital Signage, Connected Ambulances, Parking]


IoE Application Centric Architecture

[Diagram; labels recovered from the slide, text at the right edge cut off]
• Cisco ONE Platform with APIs towards Things (Smart LED lighting, Waste Sensors, IP HD Camera, Parking Sensors, Water Sensors) and towards Data Center, Access, WAN (Routing/Config, QoS, Security)
• Network Automation (APIC SDN Controller): Application Policy Infrastructure Controller, Applications to Program the Networks • Auto Config • QoS • Security
• Application Enablement (Fog Computing): Business Applications that run on the network • Hosted Bus Apps • App Store • App Management; Cisco and 3rd Party Apps
• IOx Analytics: Distributed Compute and Storage • IOS + Linux • BYOA • BYOI; Hardened Edge Platforms: Embedded Storage and Compute; IOS / Linux; Distributed App, IOx SDK; Application Management


Cisco IoT Strategy is Working!

Whole Offer

Foundation: Converged networking, IoT Gateway/Aggregation, Mobility, plus Ruggedized platforms, Industrial features, Protocol translation

Differentiation:
• Security: Ruggedized security - IPS/FW/VPN, Single policy management, Industrial signatures
• Application Enablement: Application data processing, Distributed control, Video analytics at the edge, Third-party interfaces
• Management / “Ease of Use”: Auto discovery / auto configuration, Zero touch deployment, Video management at scale, Visualization


Thank you.



IoTG Extended Security Products Portfolio

Technologies/Use Cases:
• Industrial Firewall: Industry leading firewall, intrusion prevention, VPN, remote access, and other services and features
• Industrial IPS: Defense against complex industrial network attacks
• Wireless: Increase mobility without compromising security with threat-protected WLAN services
• Cisco Security Policy Mgmt and Enforcement: Policy-based access control, identity-aware networking, and data integrity
• Secure Router: Provides secure remote access and zone segmentation for most IoT use cases

Products (column cut off at the slide edge): A…; Cisco WLC, PI, M…; IE switches, ASA


Sourcefire Can Be Applied for OT Environments

The Sourcefire security platform has 3 main components:
• L2-L7 Firewall (NGFW)
• Next Generation IPS (Intrusion Prevention System) (NGIPS)
• AMP (Advanced Malware Protection)

Able to manage security threats during the full attack continuum – Before, During, After


Sourcefire value in process control

NGFW
• Passively discover ICS assets & create context
• Layer 2-7 firewall
• Application discovery, monitoring and control

NGIPS
• Detect and prevent intrusions
• Wrap SCADA protocols

Further column (header cut off at the slide edge)
• Monitor client-side HMIs
• Network mapping
• Retrospe… & quara… (text cut off)


ISE Can Be Applied for OT Environments

Typical OT use cases for ISE as a common policy platform:

• Local User Access: Wired Connection on the Mfg Plant Floor or Utility Substa… (text cut off)
• Local User Access: Wireless Connection, similar OT locations as above
• Remote User Access – Employee or Contractor needs to access an HMI or OT control system remotely

When the endpoints attempt network access, they will be dynamically profiled and provided the appropriate access privileges based on their identity.

Change of Authorization (CoA) can be enforced by the network infrastructure in (3) ways:

1. VLAN swap,
2. downloadable ACL (dACL), and
3. Security Group Tag (SGT).
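As an added example (not from the handout and not a Cisco reference configuration), the following Cisco IOS access-switch configuration shows what the enforcement point in the use cases above needs: AAA pointed at an ISE node, a CoA listener so ISE can re-authorize a session after profiling, multi-auth port mode as on the IE switches in the next slide, and the hooks for the three enforcement methods (VLAN swap, dACL, SGT). The ISE address, shared secret, VLAN number and interface are placeholders, and the SGT part assumes a platform with TrustSec support.

```cisco-ios
! Added example, not from the handout: an IE/Catalyst access switch
! configured as the ISE enforcement point for a cell/zone port.
! Placeholders: 192.0.2.10 = ISE Policy Service Node, <shared-secret>,
! GigabitEthernet1/1 = port used by employee/contractor laptops and HMIs.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! CoA listener: lets ISE re-authorize a live session after profiling
! (VLAN swap, dACL push or SGT assignment) without bouncing the port.
aaa server radius dynamic-author
 client 192.0.2.10 server-key <shared-secret>
 auth-type any
!
! IP device tracking is needed so a downloaded ACL (dACL) can be bound
! to the authenticated endpoint's address.
ip device tracking
dot1x system-auth-control
!
interface GigabitEthernet1/1
 description Cell zone port: contractor / employee / HMI
 switchport mode access
! Restricted default VLAN; ISE swaps it per session (enforcement way 1).
 switchport access vlan 100
! Every MAC on the port is authenticated and authorized separately.
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! SGT-based enforcement (way 3): SGACLs downloaded from ISE are applied
! on this switch, so policy follows the tag rather than the VLAN or IP.
cts role-based enforcement
```

The dACL itself (way 2) lives in the ISE authorization profile and is pushed per session; nothing beyond the AAA and device-tracking lines is needed on the switch for it.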


ISE - Employee and Contractor using assets on plant/zone floor

[Diagram; labels recovered from the slide, text at the right edge cut off]
• Enterprise Network, Levels 4–5: Internet; AD, MDM, DNS, FTP; Cisco Catalyst 6500/4500; Cisco Catalyst Switch; Network Services (Cisco Cat. 3750X): Patch Management, Terminal Services, Application Mirrors, AV Servers; ISE PSN, ISE ADMIN
• Demilitarized Zone (DMZ) Firewalls: Cisco ASA 5500, Firewall (Active) / Firewall (Standby), Gbps Link for Failover Detection
• Industrial net #1 and #2: Cisco IE2K/3K access switches in MULTI-AUTH mode with Contractor and Employee endpoints; callout: "Enforcement pushed to IE3K, so enforcement is done within zone"
• 3rd Party Switch: callout "Enforcement for zone 2 done here" (remaining callout text cut off: "3… cont… asset by ISE is d… Cisc… enforc…")


Cisco Industrial Portfolios (IoT Business Unit)

• Wireless
• Gateway Router
• Embedded
• Wireless Access Point
• Ethernet Switching