Security in IT & Automation · Priorities in IT and Automation: Security in IoT networks is crucial as people, communities, and financial systems could be negatively impacted

Page 1:

Worlds are growing together and enabling Industrie 4.0

Security in IT & Automation

Manfred Bauer

[email protected]

April 2015

Page 2:

Diagram: the two worlds and their priorities.

- Automation: availability and reliability; protection of people and material (people, machines)
- Information technology: security of information

Page 3:

The security problem

- Changing business models
- Dynamic threat landscape
- Complexity and fragmentation

Page 4:

Priorities in IT and Automation

Policy comparison, IT network versus OT network:

- Focus: IT: protecting intellectual property and company assets. OT: 24/7 operations, high overall equipment effectiveness.
- Priorities: IT: 1. Confidentiality, 2. Integrity, 3. Availability. OT: 1. Availability, 2. Integrity, 3. Confidentiality.
- Types of data traffic: IT: converged network of data, voice and video. OT: converged network of data, control, information, safety and motion.
- Access control: IT: strict network authentication, strict access policies. OT: strict physical access, simple network device access.
- Implications of a device failure: IT: continues to operate. OT: could stop operation.
- Threat protection: IT: shut down access to the detected threat. OT: keep operating with a detected threat and manage it.
- Upgrades: IT: ASAP during uptime. OT: scheduled during downtime.
- IP addressing: IT: dynamic. OT: static.

Security in IoT networks is crucial as people, communities, and financial systems could be negatively impacted by cyber/physical security breaches.

Top priorities are availability, safety, and ease-of-use.

The biggest pain point is the management of who, what, where, when, and how (people, data, devices, and processes).

Page 5:

Security means

- Access Control
- Data Confidentiality and Privacy
- Threat Detection and Mitigation
- Device and Platform Integrity
- Policy Management
- Operation Reliability & Safety

Page 6:

We must look at security holistically

Attack Continuum:

- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate

Across Network, Endpoint, Mobile, Virtual and Cloud; both point in time and continuous.

Page 7:

What do we need to change?

Diagram: End-to-End Security Architecture across Data Center, IT Clients, Plants and Internet; Information Technology (IT) and Automation (OT); locations: data center, headquarters, branch, plant, on site.

- IT-controlled security versus the isolated world of OT
- Machines; Remote Expert; Secure Third-Party Access; Global Location Routing separated from the Intranet
- Plant-wide selective access to machines; selective access to function devices
- DMZ Global IT; DMZ Plant IT; isolated or industrial firewall in front of the function devices
- Selective authentication and authorization at each boundary; authorization: a process of days
- End-to-End Secure Connectivity and Computing demands seamless network concepts

Page 8:

The main problem with separated OT/IT networks

Diagram: the same architecture as on page 7 (Data Center, IT Clients, Plants, Internet; Machines, Remote Expert, Secure Third-Party Access, Global Location Routing separated from the Intranet; DMZ Global IT, DMZ Plant IT, isolated or industrial firewall, function devices; selective authentication and authorization), here contrasting IT-controlled security with the isolated/confused world of OT; authorization is a process of days.

Page 9:

Demands Cross-Domain Data Management

Diagram: Data Center, IT Clients, Plants, Internet.

- Classical IT responsibility: network, devices, ports, people, locations
- Classical OT responsibility: machines, things, function devices, process data
- End-to-End Secure Connectivity and Computing demands seamless network concepts

Secure entity management reaches a new magnitude of scale.

Page 10:

An example: the connected factory

Diagram: reference architecture by zone (labels as recovered from the slide).

- Enterprise Network, Levels 4–5: Web Apps, DNS, FTP; Internet
- Demilitarized Zone, Level 3.5: Firewall (Active) and Firewall (Standby) with a Gbps link for failover detection; Patch Mgmt., Terminal Services, Application Mirror, AV Server
- Manufacturing Zone, Level 3: Factory Application Servers, Network Services, Core Switches, Aggregation Switch, Access Switch
- Cell/Area Zone, Levels 0–2: Cell/Area #1 (Redundant Star Topology), Cell/Area #2 (Ring Topology), Cell/Area #3 (Linear Topology); Layer 2 Access Switch, Controllers, Drives, HMIs, Distributed I/O

Security functions shown in the diagram:

- Ruggedized NG Firewall; Ruggedized NG Intrusion Protection (IPS)
- Remote Monitoring / Surveillance; SW, Config & Asset Mgmt; VPN & Remote Access Services
- Next-Generation Firewall; NG Intrusion Prevention (IPS); Advanced Malware Protection; Cloud-based Threat Protection
- Network-wide Policy Enforcement; Context-based Access Control (application-level, who, when, where)
- Stateful Firewall; NG Intrusion Protection/Detection (IPS/IDS); Physical Access Control Systems
- Identity Services (ISE); Advanced Threat Detection & Response

Page 11:

Cisco Cross-Domain Firewall Solutions

All devices support all functions; the highlighted features are normally covered by central functions.

Diagram: firewall placement across Plant, HQ / DC and Machine; Internet, Intranet, LAN.

- Products: ASA 5585-X, ASA 5512-X to 5555-X, ISA 4000, ISA 3000, ASA 5506, ASA 5506H
- Functions: Network Firewall, Advanced Malware Protection, Intrusion Prevention, URL Filtering
- Placement labels: Data Center (IT Env.); Internet; VPN; Shop Floor (Indus. Env.); Branch / Thing (Mod. Env.); Intranet (IT Env.); Thing (Indus. Env.)
- Availability: Apr. 2015 and Oct. 2015
- Management & Analytics: FireSIGHT (Apr. 2015)

Environment classes:

IT Environmental:

- Air conditioned (5–40 °C)
- Clean

Moderate Environmental:

- Room air (0–50 °C)
- Commodity conditions

Industrial Environmental:

- Extended temperature (−20 to 65 °C)
- Shop floor conditions
- Vibration / pollutants

Page 12:

Cisco Connected Factory Solution

- Unified architecture for automation (ruggedized Industrial Ethernet, OT) and IT (enterprise IT network)
- End-to-end architecture, specifically designed, tested and validated for IT and automation
- Connecting business applications with industrial systems
- Standards-based Industrial Ethernet switching and security services
- Integrating unified communication, wireless and data center technology

Page 13:

Example: remote maintenance, service and support for machine and plant builders

Diagram: Production, Visualization, Communication; Cisco Unified Communication and WebEx; second- and third-level support department; Internet/Intranet.

Page 14:

Example: identity management

Diagram: Data Center, IT Clients, Plants; Identity Services Engine (Cisco ISE).

Page 15:

Example: remote site management

Headings: Clear Business Outcomes; Simple to Order and Buy; Whole Offer; Go-to-Market; Remote Assets Management Integration Platform

Slide elements:

- ROI Customer POC + CVD + Accelerate Starter Kits
- Cisco + azeti Networks + Channel Partners
- Asset Optimization, Downtime Reduction, Safety and Security Risk Management
- Solution SKUs, Starter Kits
- EMEA IoT Sales Support Coverage
- First planned application for DSX in openBerlin
- First third-party IoT applications to run on Cisco Cloud Services

Page 16:

Cisco Internet of Things Portfolio

Verticals: Oil and Gas, Energy-Utility, Transportation, Mining, Manufacturing, City, SP/M2M, Defense

Horizontal layers: Management; IoT Security; Application Enablement [Fog Computing/IOx]

Solutions: Connected Factory, Connected Train, City Safety and Security, Energy Distribution Automation, Connected Well

- Industrial Switching: IE 2000, IE 3000, CGS 2000, IP67, IE 4000, IE 5000
- Industrial Routing: CGR 2000, ASR 903
- Industrial Wireless: Field AP 1552, Industrial AP (Rockwell), Field AP IW 3700 (802.11ac), Positive Train Control
- Field Network: CGR 1000, 819H, 809H, IR910, IR 509, 829H
- Embedded Networks: 5900 ESR, ESS 2020 Switches, 5921 ESR Software Router
- Connected Safety & Security: Video Surveillance Manager and IP Cameras, Physical Access Manager
- Digital Media: DMM Digital Media Manager, Digital Media Processors

Page 17:

Innovation for your success

Security Use Cases: http://www.cisco.com/web/offers/lp/2015-annual-security-report/index.html

Page 18:

[email protected]

Manfred Bauer

IoT Sales Lead Germany