Worlds grow together and enable Industrie 4.0
Security in IT & Automation
Manfred Bauer
April 2015
- Automation: availability and reliability; protection of people and material (people, machines)
- Information technology: security of information
The Security Problem
- Changing Business Models
- Dynamic Threat Landscape
- Complexity and Fragmentation
Priorities in IT and Automation

Policy                           | IT Network                                            | OT Network
Focus                            | Protecting Intellectual Property and Company Assets   | 24/7 Operations, High Overall Equipment Effectiveness
Priorities                       | 1. Confidentiality, 2. Integrity, 3. Availability     | 1. Availability, 2. Integrity, 3. Confidentiality
Types of Data Traffic            | Converged Network of Data, Voice and Video            | Converged Network of Data, Control, Information, Safety and Motion
Access Control                   | Strict Network Authentication, Strict Access Policies | Strict Physical Access, Simple Network Device Access
Implications of a Device Failure | Continues to Operate                                  | Could Stop Operation
Threat Protection                | Shut Down Access to Detected Threat                   | Keep Operating with a Detected Threat and Manage
Upgrades                         | ASAP During Uptime                                    | Scheduled During Downtime
IP Addressing                    | Dynamic                                               | Static
Security in IoT networks is crucial, as people, communities and financial systems could be negatively impacted by cyber/physical security breaches.
Top priorities are availability, safety and ease of use.
The biggest pain point is the management of who, what, where, when and how (people, data, devices and processes).
- Access Control
- Data Confidentiality and Privacy
- Threat Detection and Mitigation
- Device and Platform Integrity
- Policy Management
- Operation Reliability & Safety
Security means:
We must look at security holistically.
Attack Continuum
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Covering Network, Endpoint, Mobile, Virtual, Cloud
Point in Time vs. Continuous
What do we need to change?
Diagram labels (IT-controlled security vs. the isolated world of OT):
- Data Center, IT Clients, Plants, Internet
- Machines, Remote Expert, Secure Third Party Access
- Global Location Routing separated from Intranet
- Plant-wide selective access to machines; selective access to function devices
- DMZ Global IT; DMZ Plant IT; isolated or industrial firewall
- Selective authentication and authorization (authorization is a process of days)
End-to-end secure connectivity and computing demands seamless network concepts: data center, headquarters, branch, plant, on site
Information technology (IT) and automation (OT)
End2End Security Architecture
The Main Problem with separated OT/IT Networks
(Same diagram labels as the previous slide, with the OT side labelled "Isolated/confused world of OT".)
Demands Cross Domain Data Management
- Classical IT responsibility: Network, Devices, Ports, People, Locations, Machines (Data Center, IT Clients, Plants, Internet)
- Classical OT responsibility: Machines, Things, Function Devices, Process Data
End-to-end secure connectivity and computing demands seamless network concepts.
Secure entity management reaches a new order of magnitude in scale.
An example: the connected factory
Zones and levels in the diagram:
- Enterprise Network Levels 4–5: Internet (Web Apps, DNS, FTP)
- Demilitarized Zone Level 3.5: Firewall (Active) / Firewall (Standby) with Gbps link for failover detection; Patch Mgmt., Terminal Services, Application Mirror, AV Server
- Manufacturing Zone Level 3: Factory Application Servers, Network Services, Core Switches, Aggregation Switch, Access Switch
- Cell/Area Zone Levels 0–2: Cell/Area #1 (Redundant Star Topology), Cell/Area #2 (Ring Topology), Cell/Area #3 (Linear Topology); Layer 2 Access Switch, Controller, Drive, HMI, Distributed I/O
Security functions:
- Ruggedized NG Firewall; Ruggedized NG Intrusion Protection (IPS); Remote Monitoring / Surveillance; SW, Config & Asset Mgmt; VPN & Remote Access Services
- Next-Generation Firewall; NG Intrusion Prevention (IPS); Advanced Malware Protection; Cloud-based Threat Protection; Network-wide Policy Enforcement; Context based Access Control (application-level, who, when, where)
- Stateful Firewall; NG Intrusion Protection/Detection (IPS/IDS); Physical Access Control Systems
- Identity Services (ISE); Advanced Threat Detection & Response
All devices support all functions; the highlighted features are normally provided by central functions.
Cisco Cross Domain Firewall Solutions
Domains: Plant, HQ / DC, Machine, Internet, Intranet, LAN
Functions: Network Firewall, Adv. Malware Protection, Intrusion Prevention, URL Filtering
Platforms: ASA 5585X, ASA 5512-5555X, ISA 4000, ASA 5506, ASA 5506H, ISA3000
Deployment positions: Data Center (IT env., Internet/VPN), Shop Floor (industrial env., VPN), Branch / Thing (moderate env.), Intranet (IT env., VPN), Thing (industrial env.)
IT environment:
- Air conditioned (5 - 40C)
- Clean
Moderate environment:
- Room air (0 - 50C)
- Commodity conditions
Industrial environment:
- Extended temperature (-20 - 65C)
- Shop floor conditions
- Vibration / pollutants
Apr. 2015 / Oct. 2015
Management & Analytics: FireSIGHT (Apr. 2015)
Cisco Connected Factory Solution
- Unified architecture for automation (ruggedized Industrial Ethernet, OT) and IT (enterprise IT network)
- End-to-end architecture, specifically designed, tested and validated for IT and automation
- Connecting business applications with industrial systems
- Standards-based industrial Ethernet switching and security services
- Integration of unified communications, wireless and data center technology
Example: remote maintenance, service and support for machine and plant builders
- Production
- Visualization
- Communication: Cisco Unified Communication and WebEx
- Second and third level support department, via Internet/Intranet
Example: Identity Management
Data Center, IT Clients, Plants: Identity Services Engine (Cisco ISE)

Example: Remote Site Management (Cisco + azeti Networks + Channel Partners)
- Clear business outcomes: asset optimization, downtime reduction, safety and security risk management
- Simple to order and buy: solution SKUs, starter kits
- Whole offer go-to-market: EMEA IoT sales support coverage
- Remote assets management integration platform: first planned application for DSX in openBerlin
- ROI: customer POC + CVD + Accelerate starter kits
- First 3rd party IoT applications to run on Cisco Cloud Services
Cisco Internet of Things Portfolio
Verticals: Oil and Gas, Energy-Utility, Transportation, Mining, Manufacturing, City, SP/M2M, Defense
Layers: Management; IoT Security; Application Enablement [Fog Computing/IOx]
Solutions: Connected Factory, Connected Train, City Safety and Security, Energy Distribution Automation, Connected Well
- Industrial Switching: IE 2000, IE 3000, CGS2000, IP67 IE 4000, IE 5000
- Industrial Routing: CGR 2000, ASR 903
- Industrial Wireless: Field AP - 1552, Industrial AP (Rockwell), Field AP - IW 3700 802.11ac, Positive Train Control
- Field Network: CGR 1000, 819H, 809H, IR910, IR 509, 829H
- Embedded Networks: 5900 ESR, ESS 2020 Switches, 5921 ESR Software Router
- Connected Safety & Security: Video Surveillance Manager and IP Cameras, Physical Access Manager
- Digital Media: DMM Digital Media Manager, Digital Media Processors
Innovation for your success
Security Use Cases:
http://www.cisco.com/web/offers/lp/2015-annual-security-report/index.html