Industrial Network Security Architecture Evolution
Cisco Live Melbourne 2019, session BRKIOT-1315
#CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Abstract
Security risks increase the potential for disruption to control system uptime, safe operation, and a loss of intellectual property.
This session will examine the evolution of industrial network design from a security perspective, outlining leading network design patterns and Cisco technologies.
Agenda
• Industry Models and Security Design Patterns
• Security Prime Directive
• Production Systems Attacks
• Production Network Design Models for Security
• Applying Security via Workflow Integration
• Industrial Network Security Evolution
Icon Key
SDA Fabric Border Node – a fabric device that connects external Layer 3 network(s) to the SDA Fabric
Layer 2 Switch (e.g. Core)
Smart Lighting
Router
Firewall
ISE
Clustered Firewalls
“There is no such thing as perfect security, only varying levels of insecurity.”
– Salman Rushdie, Author
Industry Models and Security Design Patterns
Purdue Enterprise Reference Architecture / ISA-95
Scheduling and Control Hierarchy Levels in Industrial Companies
Business Planning and Logistics
Manufacturing
Level 3 – The activities of work flow to produce the end products, executed by the MES and MES-related systems. Timeframe: shifts, hours, minutes, seconds.
Level 2 – The activities of monitoring and controlling the physical processes, executed by the PLC, the HMI, and the Area and Unit Operations portion of the Supervisory Control and Data Acquisition (SCADA) system.
Level 1 – Activities involved in sensing and manipulating the physical processes, executed by valves, sensors, motors, etc.
Level 0 – The actual physical processes
Source: http://www.pharmpro.com/article/2012/07/manufacturing-execution-systems
IEC-62443 (formerly ISA-99) – Security
[Diagram: the hierarchy levels above, annotated with the scope of IEC-62443 and the areas marked “Not addressed in IEC-62443”]
NIST Special Publication 800-82 revision 2
Guide to Industrial Control Systems (ICS) Security
• Overview of Industrial Control Systems
• ICS Risk Management and Assessment
• ICS Security Program Development and Deployment
• ICS Security Architecture
• Applying Security Controls to ICS
NIST 800-82 (Revision 2) model¹
[Diagram: Enterprise Zone – Enterprise Network (Level 5) and Site Business Planning and Logistics Network (Level 4), down to Process (Level 0)]
¹ DMZ also defined in USA Department of Homeland Security INL/EXT-06-11478
Industrial Network Models – IEC-62443-3-2 Security Risk Assessment and System Design
[Diagram: Enterprise Zone – Enterprise Network (Level 5), Site Business Planning and Logistics Network (Level 4); Controlled Conduit; Area Control (Level 2) split into Zone A and Zone B; Cell/Area Zone – Basic Control (Level 1); Process (Level 0)]
Industrial Network Models – ISA-62443-3-2 + DMZ
[Diagram: Enterprise Zone (Zone E) – Enterprise Network (Level 5), Site Business Planning and Logistics Network (Level 4); Controlled Conduit; Demilitarised Zone – Shared Access, “Jump Zone”; Manufacturing Zone – Zone A, Cell/Area Zone Basic Control (Level 1), Process (Level 0). The slide marks the direct enterprise-to-manufacturing path with an X.]
Industrial Network Models – DMZ
[Diagram: a remote contractor in the Enterprise Zone (Enterprise Network Level 5; Site Business Planning and Logistics Network Level 4) reaches Terminal Services in the Demilitarised Zone over HTTPS through a Controlled Conduit (CC); from the DMZ a second Controlled Conduit carries RDP into the Manufacturing Zone (Site Manufacturing Operations and Control Level 3), above Process Level 0]
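The zone-and-conduit rules these diagrams express can be checked mechanically. Below is an added example written for this page (it is not Cisco, ISA or IEC code) that models zones with their Purdue level, directed conduits per service, and the two properties the diagrams show: enterprise and manufacturing zones only exchange traffic through the DMZ, and a multi-hop contractor path (HTTPS to DMZ terminal services, then RDP to Level 3) is checked hop by hop. The zone names, the DMZ placed at Level 3.5 (as the later SD-Access slide labels it) and the conduit list are constructed for illustration.

```python
"""Zone-and-conduit reachability check modelled on the Purdue / IEC-62443-3-2
layering above. Added example for this page; not Cisco, ISA or IEC code.

Every zone carries its Purdue level (the DMZ sits at 3.5). A conduit is an
explicit, directed allow-rule between two zones for a named service. Two rules
are enforced: enterprise (level >= 4) and manufacturing (level <= 3) zones may
only exchange traffic through the DMZ, and anything not named in a conduit is
denied. A multi-hop path (e.g. a contractor's HTTPS session to DMZ terminal
services, then RDP into Level 3) is checked hop by hop."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    level: float  # Purdue level; 3.5 marks the DMZ


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    services: frozenset  # service names permitted src -> dst


class ZonePolicy:
    DMZ_LEVEL = 3.5

    def __init__(self, zones, conduits):
        self.zones = {z.name: z for z in zones}
        self.conduits = list(conduits)

    def check(self, src, dst, service):
        """Return (allowed, reason) for one hop."""
        s, d = self.zones[src], self.zones[dst]
        crosses_boundary = (s.level >= 4) != (d.level >= 4)
        touches_dmz = self.DMZ_LEVEL in (s.level, d.level)
        # Rule 1: no direct enterprise <-> manufacturing hop; it must land in the DMZ.
        if crosses_boundary and not touches_dmz:
            return False, f"{src} -> {dst}: must traverse the DMZ"
        # Rule 2: an explicit conduit must name this service; otherwise implicit deny.
        for c in self.conduits:
            if c.src == src and c.dst == dst and service in c.services:
                return True, f"{src} -> {dst}: conduit permits {service}"
        return False, f"{src} -> {dst}: no conduit for {service} (implicit deny)"

    def check_path(self, hops):
        """Check a chain of (src, dst, service) hops; the first denied hop fails the path."""
        for src, dst, service in hops:
            allowed, reason = self.check(src, dst, service)
            if not allowed:
                return False, reason
        return True, "all hops permitted"


# Constructed zones and conduits mirroring the slide: a contractor enters via
# HTTPS to DMZ terminal services and jumps onward with RDP; Level 3 systems
# poll Level 2 controllers (service names are illustrative).
SITE_ZONES = [
    Zone("Enterprise", 5), Zone("SiteBusiness", 4), Zone("DMZ", 3.5),
    Zone("SiteOperations", 3), Zone("AreaControl", 2), Zone("BasicControl", 1),
]
SITE_CONDUITS = [
    Conduit("Enterprise", "DMZ", frozenset({"HTTPS"})),
    Conduit("DMZ", "SiteOperations", frozenset({"RDP"})),
    Conduit("SiteOperations", "AreaControl", frozenset({"OPC-UA"})),
    Conduit("AreaControl", "BasicControl", frozenset({"CIP"})),
]
SITE_POLICY = ZonePolicy(SITE_ZONES, SITE_CONDUITS)

CONTRACTOR_PATH = [
    ("Enterprise", "DMZ", "HTTPS"),
    ("DMZ", "SiteOperations", "RDP"),
]

if __name__ == "__main__":
    print(SITE_POLICY.check("Enterprise", "SiteOperations", "RDP"))
    print(SITE_POLICY.check_path(CONTRACTOR_PATH))
```

Conduits are directed on purpose: the DMZ may initiate RDP into Level 3, but nothing in the model lets Level 3 open a session back out to the DMZ, which is the property a jump zone is meant to preserve.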
Security Prime Directive in Production Systems
Security Goals in Production Systems
[Diagram: the attack continuum, with the goal of maintaining and sustaining safe production environments]
Security Challenges in Industrial Environments
• Antiquated Systems – unpatched, legacy systems
• Insecure Design – lack of segmentation
• OT Security Skills – IT security operations knowledge
• Lack of Visibility – what is out there, who is talking to whom, what are they saying
• Access Control – access needs evolving
• Change Control – 24/7/365 operations
• Business Needs – real-time information, no downtime, quick access
Domains of Responsibility?
[Diagram: Network Operations Centre and Security Operations Centre, each at Group, Division or Site level; Datacentre (Group, Division); WAN (Group, Division); LAN (Group, Division, Site); Production Control Network (Site; wired and wireless). Infrastructure shown: Enterprise Services, Enterprise Datacentre, Enterprise Services WAN, Internet, Inter-site Distribution, Datacentre LAN, PCN WAN, PCN Core, Industrial Process Control Datacentre, Access Switches]
Common Security Issues, and … Obligatory Scary Slides
2017 and 2018 Security News
Threat Landscape for Industrial Automation Systems in H1 2018
Kaspersky Lab data from industrial Windows computers
• Ransomware (Petya, WannaCry) and malware (NotPetya) attacks crossing from IT to OT systems. The attack vector is the common operating systems and database platforms upon which OT systems are built.
• Active monitoring
More and More Porous Boundaries …
Production Network Design Models for Security
Protect the Network – Hygiene Factors
• Cisco SAFE Design Guides
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html
• Network Element Hardening – deploy trusted platform security, implement secure protocols, disable unused services, limit access to necessary ports and protocols, enforce via authentication, authorisation and accounting (AAA) with two-factor authentication, and control plane policing
• Routing – packet filtering, restricting routing-protocol membership, and controlling the propagation and learning of routing information
• Switching – restricting broadcast domains, STP security, ARP inspection, anti-spoofing, disabling unused ports, and following VLAN best practices
Protect On-Network Services
• DNS – patch management and hardening of the DNS servers, using firewalls to control DNS queries and zone traffic, implementing IPS to identify and block DNS-based attacks, etc.
• NTP – implement NTP peer authentication, the use of access control lists, and device hardening, etc.
• DHCP – server hardening and use of DHCP security features available on switches such as DHCP snooping and port security, etc.
Implement Leading Practice Design for Security
• Time synchronise all network elements – NTP
• Employ QoS to accurately classify and prioritise control and management traffic
Production Network Topology
[Diagram: WAN, Datacentre, Core, Distribution, Access and Control layers, annotated as follows]
• Datacentre: separate IT and industrial applications/services – physical, segmented, or partitioned
• Core/Distribution: separate or converged IT and industrial backbone networks
• Access/Control: separate or converged access and control layer switches
Network Flow Visibility
• We cannot effectively secure that which we cannot see!
• Compiles system and network profile baselines
• Feeds security model planning and development
• Feeds network planning
• Feeds network forensics, detecting abnormalities, malicious activity, and anomalous activity
You cannot secure that which you cannot see!
[Diagram: enterprise and virtual switches export flows to flow collectors for flow correlation]
Visibility Through NetFlow
NetFlow provides
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
[Diagram: packets from 10.1.8.3 summarised as flow information – Source Address 10.1.8.3, Destination Address 172.168.134.2, Source Port 47321, …]
Stitching Context to Provide User Transaction Visibility
Cisco StealthWatch use cases: Insider Threat Monitoring, Internal User Visibility, Firewall Operations, Network Planning, Network Segmentation Visualisation, TrustSec
Visibility with StealthWatch: Connection Records of Behavioural Models
Collect and analyse flows → security events (94+) → alarm category → response
Security events include: Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK, Beaconing Host, Bot Command Control Server, Bot Infected Host – Attempted, Bot Infected Host – Successful, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Long Flow, Suspect UDP Activity, SYN Flood, …
Alarm categories: Concern, Recon, C&C, Exploitation, Data hoarding, Exfiltration, DDoS target
Responses: alarm table, host snapshot, email, syslog / SIEM, mitigation
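Several of the security events listed above are computable from flow records alone. The following is an added example, not StealthWatch code: three detectors (Addr_Scan, Beaconing Host, Max Flows Initiated) run over constructed flow records in a simplified "ts,src,dst,dport,proto,bytes" format; the thresholds, addresses and baseline counts are illustrative.

```python
"""Flow-record detectors of the kind a flow collector raises as security
events: Addr_Scan (one source touching many destinations), Beaconing Host
(metronomic flows to one destination) and Max Flows Initiated (a host far above
its own baseline). Added example for this page; it is not StealthWatch code and
the record format, thresholds and sample data are constructed for illustration."""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse constructed 'ts,src,dst,dport,proto,bytes' lines into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(float(ts), src, dst, int(dport), proto, int(nbytes)))
    return flows


def addr_scan(flows, window=60.0, threshold=20):
    """Sources that reach more than `threshold` distinct destinations inside any
    `window`-second span. Returns {src: max distinct destinations seen}."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
    hits = {}
    for src, fl in by_src.items():
        lo = 0
        for hi in range(len(fl)):
            while fl[hi].ts - fl[lo].ts > window:   # slide the window forward
                lo += 1
            distinct = len({f.dst for f in fl[lo:hi + 1]})
            if distinct > threshold:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


def beaconing(flows, min_flows=6, max_jitter=0.1):
    """(src, dst, dport) tuples whose inter-flow gaps are near-constant: the
    coefficient of variation of the gaps is below `max_jitter`. Returns the
    mean period in seconds for each hit."""
    series = defaultdict(list)
    for f in flows:
        series[(f.src, f.dst, f.dport)].append(f.ts)
    hits = {}
    for key, ts in series.items():
        if len(ts) < min_flows:
            continue
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
            hits[key] = round(mean, 1)
    return hits


def max_flows_initiated(flows, baseline, sigmas=3.0):
    """Hosts whose initiated-flow count exceeds mean + sigmas * stdev of their
    own historical daily counts in `baseline` ({host: [count, ...]})."""
    today = defaultdict(int)
    for f in flows:
        today[f.src] += 1
    hits = {}
    for host, history in baseline.items():
        limit = statistics.mean(history) + sigmas * statistics.pstdev(history)
        if today.get(host, 0) > limit:
            hits[host] = today[host]
    return hits


# Constructed records: an HMI polling a SCADA server at irregular intervals, a
# host calling out to one Internet address every 300 s, and a host sweeping
# Modbus/TCP (port 502) across thirty addresses within half a minute.
SAMPLE_TEXT = "\n".join([
    "# ts,src,dst,dport,proto,bytes",
    "0,10.1.20.5,10.1.10.2,44818,tcp,1200",
    "17,10.1.20.5,10.1.10.2,44818,tcp,980",
    "50,10.1.20.5,10.1.10.2,44818,tcp,1500",
    "61,10.1.20.5,10.1.10.2,44818,tcp,700",
    "130,10.1.20.5,10.1.10.2,44818,tcp,1100",
    "144,10.1.20.5,10.1.10.2,44818,tcp,900",
    "200,10.1.20.5,10.1.10.2,44818,tcp,1300",
] + [f"{1000 + 300 * i},10.1.8.7,203.0.113.5,443,tcp,310" for i in range(8)]
  + [f"{2000 + i},10.1.8.3,10.2.0.{i},502,tcp,60" for i in range(1, 31)])
SAMPLE_FLOWS = parse_flows(SAMPLE_TEXT)
# Constructed per-host daily flow counts from "previous days".
SAMPLE_BASELINE = {"10.1.20.5": [40, 42, 38, 41, 39], "10.1.8.3": [3, 2, 4, 3, 3]}

if __name__ == "__main__":
    print("Addr_Scan:", addr_scan(SAMPLE_FLOWS))
    print("Beaconing:", beaconing(SAMPLE_FLOWS))
    print("Max Flows Initiated:", max_flows_initiated(SAMPLE_FLOWS, SAMPLE_BASELINE))
```

The baseline detector is the one that needs per-host history, which is why a collector keeps profiles rather than only thresholds: a count of 30 flows is noise for the HMI and an alarm for the host that normally opens three.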
Two Approaches to Flow Monitoring Architecture
Active Monitoring by Switches
Design: NetFlow enabled on all production site switches, with centralised flow correlation and analysis, e.g.
• Cisco Catalyst 9000 Core and Distribution switches
• Cisco Industrial Ethernet 4000 and 5000 switches
Tap/SPAN Traffic to Parallel Monitoring Infrastructure
Design: passive optical taps or active spanning to packet monitors
• Distributed packet monitors connected to separate segments (e.g. VLANs) on production switches
• Or distributed monitors connected to a dedicated monitoring network across the production site
Common Production Network Design
[Diagram: Internet, Enterprise WAN Services, Enterprise WAN, Industrial Services LAN; Datacentre, Core, Distribution, Access and Control layers, annotated as follows]
• Often no separate industrial datacentre switches
• A large Layer 2 topology spans core to access, with VLAN-based segmentation via external switches
• Firewalls provide “north-south” control only: PCN ➜ Enterprise Services, PCN ➜ Industrial DC
Problems marked on the slide:
⤫ Tromboning inter-processor traffic
⤫ PCN Zone ⬌ PCN Zone
⤫ Large spanning tree domains
⤫ Difficult to scale
⤫ Large broadcast domains
⤫ Complexity leads to configuration errors
⤫ Firewall scale (virtual contexts)
⤫ Non-managed control layer switches – difficult to manage
⤫ No visibility of control traffic
Segmentation for Security
“The capability to segment a network in order to achieve data plane isolation over physical and …” (the quotation is cut off on the slide)
Security Zones
• Production Zones – e.g. Packaging Line 4, Conveyer, etc.
• Service Zones – e.g. Call Manager, Site Historian, VSOM Server, SCADA Server, Unified Communications, Physical Safety and Security, Network Management, etc.
Network Constructs – Network Segmentation Mechanisms (100’s)
• Group Based Policy* – Security Groups, TrustSec SGT
• Permission Filters – Dynamic ACL, Stateful ACL, Static ACL
• Routing
• DHCP Scope
• VLAN
• Physical
* e.g. Cisco ACI End Point Groups within a datacentre
Layer 2 Issues
• Network stability is compromised as a result of slow response to network failures (slow convergence). Spanning Tree Protocols are not built to accommodate frequent link-flapping conditions, high error rates, unidirectional failures or non-reporting of loss of signal
• Packet flooding and MAC address learning behaviours
• Broadcast storms, if uncontrolled, can result in network-wide outages
• Lack of visibility into packet paths for debugging
• There are many counter-measures and switch features that assist in remediating these issues, but the poor degree of feature standardisation and implementation differences make network designs based upon extensive Layer 2 networking difficult to manage and debug
Switching Security Leading Practice (Access Layer)
• Restrict broadcast domains
• Spanning Tree Protocol (STP) Security – implement Rapid Per-VLAN Spanning Tree (Rapid PVST+), BPDU Guard, and STP Root Guard to protect against inadvertent loops
• DHCP Protection – implement DHCP snooping on access VLANs to protect against DHCP starvation and rogue DHCP server attacks
• IP Spoofing Protection – implement IP Source Guard on access ports
• ARP Spoofing Protection – implement dynamic ARP inspection (DAI) on access VLANs
• MAC Flooding Protection – enable Port Security on access ports
• Broadcast and Multicast Storm Protection – enable storm control on access ports
VLAN Leading Practices
• Restrict VLANs to a single switch
• Configure separate VLANs for voice and data
• Configure all user-facing ports as non-trunking (DTP off)
• Disable dynamic trunk negotiation on user ports
• Explicitly configure trunking on infrastructure ports rather than auto-negotiation
• Use VTP transparent mode
• Disable unused ports and place them in an unused VLAN
• Do not use VLAN 1 for anything
• Use all-tagged mode for the native VLAN on trunks
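The two checklists above (access-layer switching and VLAN practices) can be audited against a running configuration rather than by eye. The following added example, which is not a Cisco tool, parses a constructed IOS running-config fragment and reports each practice that is missing globally or per port. The command keywords it matches are standard IOS syntax; the interface names, VLAN numbers and descriptions are constructed.

```python
"""Audit a Cisco IOS running-config fragment against the access-layer and
VLAN leading practices listed above. Added example for this page (not a Cisco
tool); the configuration text is constructed and the command strings matched
are standard IOS keywords."""
import re

# Global commands expected once; (regex over global lines, finding if absent).
GLOBAL_CHECKS = [
    (r"^spanning-tree mode rapid-pvst$", "STP: Rapid PVST+ not enabled"),
    (r"^ip dhcp snooping$", "DHCP: snooping not enabled globally"),
    (r"^ip dhcp snooping vlan \S+", "DHCP: snooping not enabled on any VLAN"),
    (r"^ip arp inspection vlan \S+", "ARP: dynamic ARP inspection not enabled on any VLAN"),
    (r"^vtp mode transparent$", "VTP: not in transparent mode"),
    (r"^vlan dot1q tag native$", "VLAN: native VLAN not tagged on trunks"),
]
# Commands expected on every active access port.
ACCESS_PORT_CHECKS = [
    (r"^switchport nonegotiate$", "DTP not disabled"),
    (r"^switchport port-security", "port security (MAC flooding protection) missing"),
    (r"^ip verify source", "IP Source Guard missing"),
    (r"^storm-control broadcast level", "broadcast storm control missing"),
]


def parse_config(text):
    """Split IOS config into global lines and {interface: [lines]} blocks."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):      # blank or comment/separator
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:      # indented: inside a block
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def _missing(lines, checks):
    return [msg for pattern, msg in checks if not any(re.match(pattern, ln) for ln in lines)]


def audit_config(text):
    """Return 'scope: finding' strings; an empty list means every check passed."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: {m}" for m in _missing(global_lines, GLOBAL_CHECKS)]
    default_guard = "spanning-tree portfast bpduguard default" in global_lines
    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue  # disabled port: the unused-port practice is satisfied
        if "switchport mode access" in lines:
            findings += [f"{name}: {m}" for m in _missing(lines, ACCESS_PORT_CHECKS)]
            # BPDU Guard counts if set on the port, or defaulted globally for PortFast ports.
            guard_ok = "spanning-tree bpduguard enable" in lines or \
                       (default_guard and "spanning-tree portfast" in lines)
            if not guard_ok:
                findings.append(f"{name}: BPDU Guard not active")
            vlan = next((ln.split()[-1] for ln in lines if ln.startswith("switchport access vlan ")), "1")
            if vlan == "1":
                findings.append(f"{name}: access port left in VLAN 1")
        elif "switchport mode trunk" in lines:
            if "switchport nonegotiate" not in lines:
                findings.append(f"{name}: trunk relies on auto-negotiation (DTP)")
            if not any(ln.startswith("switchport trunk native vlan ") for ln in lines):
                findings.append(f"{name}: trunk native VLAN left at default 1")
        else:
            findings.append(f"{name}: neither access nor trunk configured explicitly")
    return findings


# Constructed running-config fragment: one hardened PLC port, one bare HMI port,
# one explicit trunk uplink and one shut-down spare port.
SAMPLE_CONFIG = """\
! constructed running-config fragment for the audit
vtp mode transparent
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/1
 description PLC - hardened access port
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 ip verify source
 storm-control broadcast level 1.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description HMI - left at defaults
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/3
 shutdown
!
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Running it on the constructed fragment reports one global gap (the native VLAN is not tagged) and six gaps on the untouched HMI port, while the hardened PLC port and the explicit trunk pass.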
Restrict Layer 2 Switching to Control and Datacentre Layers
[Diagram: the same topology (Internet, Enterprise WAN Services, Enterprise WAN, Industrial Services LAN, Datacentre) with Layer 2 switching confined to the control and datacentre layers]
VRF
• Associates to one or more interfaces (privatise an L3 interface)
• Each VRF has its own forwarding table (CEF, RIB) and routing process (EIGRP, OSPF, ISIS, BGP)
VRF Scaling
[Table: hardware platform vs. number of VRFs supported, into the 100’s]
Example Production Network VRFs
• Production Control Network – PCN
• Industrial Datacentre
• Industrial DMZ
• Production Services
• Infrastructure (Wireless Access Points)
• Physical Safety and Security
• Unified Communications (Voice and Video)
• Enterprise (Services)
• Production Network Management
• Control Centre
Firewalls
[Diagram: Internet, Enterprise WAN Services, Enterprise WAN, Industrial Services LAN, Datacentre and Control layers; virtual firewalls perform inter-VM/process security; annotated “Performance / Cost?” at 100’s – 1,000’s]
Fusion Routers Allow Centralised Clustered Firewalls
[Diagram: fusion routers in front of clustered firewalls, with a Historian (H) shown as an example service]
TrustSec Concepts
[Diagram: ISE and the directory classify users and devices (source classification); destinations are classified likewise; enforcement is applied on the router, DC firewall and DC switch using the Security Group carried with the IP traffic]
• Firewalls, routers and switches use Security Groups to make filtering decisions
Where does the Scalable Group Tag reside?
Ethernet frame with Cisco MetaData (CMD): Destination MAC | Source MAC | IEEE 802.1Q | CMD | EtherType | Payload | CRC
CMD fields: CMD EtherType 0x8909 | Version | Length | SGT Opt Type | SGT Value (16-bit) | Other CMD Options
MACsec frame: Destination MAC | Source MAC | IEEE 802.1AE Header | IEEE 802.1Q | CMD | EtherType | Payload | IEEE 802.1AE | CRC; the marked fields are encrypted* by MACsec with 128- or 256-bit AES-GCM
* Encrypted field by MACsec (optional – capable hardware)
Dynamically classified: 802.1X Authentication, Web Authentication, MAC Auth. Bypass, Passive identity [AD], Remote Access, Profiling, Posture, MDM
Statically classified: IP Address, Subnets, L2 Interface, L3 Interface, Port, VLANs, VPN, ACI (Application Centric Infrastructure), Virtual Port Profiles
Also carried in: QinQ, DMVPN (IKEv2), GRE, IPSec (IKEv2), GETVPN, VXLAN
Cisco TrustSec Software-Defined Segmentation Platform Capability Matrix: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-capability-matrix.pdf
Network Segmentation with TrustSec
Segmentation based on RBAC
• Independent from address-based topology
Role based on context
• AD, LDAP attributes, device type, location, time, access methods, etc.
Use tagging technology
• To represent a logical group (classification)
• To enforce policy on switch, router, and firewall
Software defined
• Policy managed centrally
• Policy provisioned automatically on demand
• Policy invoked anywhere on the network dynamically
[Diagram: a user (Username: johnd, Group: Store Managers, Location: Store Office, Time: Business Hour) is classified into Security Group “Manager”; the tag is enforced at switches, routers, the firewall, the DC switch and the hypervisor switch in front of the resource (“Authorized personnel only”)]
Traditional Security Policy
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
TrustSec
• ISE and the directory hold identity and security policy
• Network elements only receive policies for Security Groups
• Security Group Access Control Lists, e.g. source Packaging Line 4 or SCADA Server → destination SCADA Server
VRFs + SGTs
[Diagram: the production network with Core, Distribution, Access and Control layers. A fusion router at the core performs route prefix leaking across the PCN VRFs; ISE, AD, the Historian (H), SCADA (S), PNM and the Internet attach via the core; SGACLs are enforced at the distribution and control layers]
Production VRFs
• Production Control Network – PCN
• Industrial Datacentre
• Industrial DMZ (IDMZ)
• Production Services (PS)
• Infrastructure (Wireless Access Points)
• Physical Safety and Security
• Unified Communications (Voice and Video)
• Enterprise (Services)
• Production Network Management (PNM)
• Control Centre
SGT examples: 45 – Packaging Line 4 PLCs (PL4 PLC, PLS PLC, Packaging Lines sequencing); 90 – Operator (HMI); 333 – SCADA / Historian
SGACL examples: SGT 45 ⟷ 90 – Permit CIP Class 3; SGT 45 ⟷ 333 – Permit CIP Class 3; implicit deny otherwise
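To make the address-independence point of the TrustSec slides concrete, the following added example (not Cisco ISE or IOS code) classifies endpoints to SGTs and evaluates flows against an SGACL matrix built from the SGT values and the “Permit CIP Class 3” rule on the slide. The endpoint attributes, IP addresses, the classification rules and the modelling of CIP Class 3 explicit messaging as TCP/44818 are this example's assumptions. It then replays the same flow after the operator HMI changes address: the group policy still permits it, while an address-based ACL entry of the traditional kind stops matching.

```python
"""Group-based policy as the TrustSec slides describe it: endpoints are
classified to a Scalable Group Tag (SGT) from identity or profile attributes
(dynamic) or from an IP/subnet mapping (static), and a Security Group ACL
matrix keyed on (source SGT, destination SGT) decides each flow with implicit
deny. Added example for this page, not Cisco ISE or IOS code. The SGT numbers
(45 Packaging Line 4, 90 Operator, 333 SCADA) and the "Permit CIP Class 3"
rule come from the slide; modelling CIP Class 3 as TCP/44818 and the
classification attributes are this example's assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SGT_PL4_PLC, SGT_OPERATOR, SGT_SCADA, SGT_UNKNOWN = 45, 90, 333, 0


@dataclass(frozen=True)
class Rule:
    proto: str
    dport: int
    action: str = "permit"


CIP_CLASS3 = Rule("tcp", 44818)  # assumption: EtherNet/IP explicit-messaging port

# SGACL matrix from the slide: 45 <-> 90 and 45 <-> 333 permit CIP Class 3.
# Any (src, dst) pair absent from the matrix falls through to implicit deny.
SGACL = {
    (SGT_PL4_PLC, SGT_OPERATOR): [CIP_CLASS3],
    (SGT_OPERATOR, SGT_PL4_PLC): [CIP_CLASS3],
    (SGT_PL4_PLC, SGT_SCADA): [CIP_CLASS3],
    (SGT_SCADA, SGT_PL4_PLC): [CIP_CLASS3],
}

# Ordered dynamic classification rules (attribute, value, SGT), ISE-style; constructed.
DYNAMIC_RULES = [
    ("profile", "EtherNetIP-PLC", SGT_PL4_PLC),
    ("ad_group", "Operators", SGT_OPERATOR),
    ("profile", "SCADA-Server", SGT_SCADA),
]
# Static subnet-to-SGT mapping for endpoints that cannot authenticate; constructed.
STATIC_MAPS = {ip_network("10.1.10.0/24"): SGT_SCADA}


def classify(ip, attrs):
    """Dynamic classification wins; fall back to static mapping, then unknown (0)."""
    for attr, value, sgt in DYNAMIC_RULES:
        if attrs.get(attr) == value:
            return sgt
    addr = ip_address(ip)
    for net, sgt in STATIC_MAPS.items():
        if addr in net:
            return sgt
    return SGT_UNKNOWN


def sgacl_decision(src_sgt, dst_sgt, proto, dport):
    """Look up the matrix cell; no matching rule means deny."""
    for rule in SGACL.get((src_sgt, dst_sgt), []):
        if rule.proto == proto and rule.dport == dport:
            return rule.action
    return "deny"


def enforce(endpoints, src_ip, dst_ip, proto, dport):
    """Classify both ends of a flow and apply the SGACL matrix."""
    src_sgt = classify(src_ip, endpoints.get(src_ip, {}))
    dst_sgt = classify(dst_ip, endpoints.get(dst_ip, {}))
    return sgacl_decision(src_sgt, dst_sgt, proto, dport)


def ip_acl_decision(acl, src_ip, dst_ip, proto, dport):
    """Traditional address-based entries (src net, dst net, proto, dport); implicit deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for src_net, dst_net, p, port in acl:
        if s in src_net and d in dst_net and p == proto and port == dport:
            return "permit"
    return "deny"


# Constructed endpoints: an operator HMI, a Packaging Line 4 PLC, a SCADA host
# with no 802.1X that is classified by the static subnet mapping.
ENDPOINTS = {
    "10.1.20.5": {"ad_group": "Operators"},
    "10.1.30.7": {"profile": "EtherNetIP-PLC"},
    "10.1.10.2": {},
}
LEGACY_ACL = [(ip_network("10.1.20.5/32"), ip_network("10.1.30.7/32"), "tcp", 44818)]


def hmi_moves_ip(new_ip="10.1.20.9"):
    """The HMI re-authenticates from a new address: group policy still permits,
    the address-based ACL no longer matches. Returns (sgacl, legacy) decisions."""
    moved = {**ENDPOINTS, new_ip: ENDPOINTS["10.1.20.5"]}
    return (enforce(moved, new_ip, "10.1.30.7", "tcp", 44818),
            ip_acl_decision(LEGACY_ACL, new_ip, "10.1.30.7", "tcp", 44818))
```

The operator-to-SCADA flow is denied even though both endpoints are correctly classified, because the matrix has no 90 ⟷ 333 cell: the policy is the matrix, and anything not written into it stays closed.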
TrustSec-ACI Integration
What: integration of TrustSec and ACI policy groups enables customers to address breach, segmentation and compliance challenges by sharing policy groups between TrustSec-enabled networks and ACI Data Centres.
Policy integration example – Campus to Data Centre
[Diagram: Campus / Branch TrustSec policy domain (ISE, production campus networks) ⬌ TrustSec SGTs mapped to and from ACI EPGs ⬌ Datacentre ACI policy domain (APIC-DC)]
StealthWatch Aware of ACI Groups
Inter-Campus/Datacentre SGT-aware StealthWatch policy mapping
Integration of TrustSec and ACI policy groups allows us to make NetFlow aware of groups from the DC. StealthWatch then receives NetFlow with SGT information based on the DC groups from ACI.
[Diagram: ISE and APIC-DC exchange ACI group information, shared using Security Group Tags; SGTs appear in NetFlow records. Groups shown: Unified Coms., Non-Compliant, Employee, Control Systems, Physical Safety and Security, Industrial Network Director, MES App, SCADA App, Site Historian, Database App, www]
An Integrated Model
[Diagram: NG Firewalls and Intrusion Protection, Multi-Factor Authentication, Endpoint Advanced Malware Protection, AnyConnect VPN, NetFlow, StealthWatch anomaly-based detection, pxGrid, Directory, Identity Services Engine (wired, wireless, VPN), Integrated Response, and a partner ecosystem (SIEM, MDM, NBA, IPS, IPAM, etc.); the slide carries the annotation “3.5 hours”]
“Fools ignore complexity. Pragmatists suffer it. Some can avoid it. Geniuses remove it.”
– Alan Perlis, American Scientist
Cisco Industrial Network Director – For OT users
• Network management, device location, and visibility
• Native industrial protocol support
• REST APIs for integration with automation systems
• Plug-and-play day-0 configuration
• OT intent-driven security workflows through ISE integration
Operations user intent driven policy updates
Putting Operations Personnel in the driver’s seat
[Diagram: in the Industrial Network Director topology UI an OT user tags assets as “Zone-1”; IND publishes the update over pxGrid; in ISE the pxGrid attribute “Zone-1” matches profiling policy-X and triggers authorisation policy-Y, which pushes a new dACL, SGT and VLAN to the switch port of the PLC]
OT personnel use the IND UI to express intent; the pxGrid update results in an automatic policy update.
IT manages ISE. Operations use IND to express intent to influence security policy.
Network Security Evolution
Cloud Services Example
[Diagram, ISA-95 (Purdue) model: Enterprise Network Level 5; Site Business Planning and Logistics Network Level 4 (WAN, Datacentre, Distribution, Computing; VLAN 24, VLAN 54); Area Control Level 2 (Packaging Zone P); Basic Control Level 1 (Access); Process Level 0 (Control). Telemetry from the packaging zone is aggregated on a server VM and sent to analytics services in the cloud]
Intent-Based Networking
[Diagram: a policy domain controller (orchestration platform) with Provision, Intent, Services, Design, Assurance and Network Management functions over Users + Devices + Things. Network functions shown: Telemetry, Analytics, Visibility, APIs, Security, Device Management, Network Services, Intrusion Detection, Automation, Data Flow Visibility, Scalable Group Tagging, Clocking, Classification, VRF, VLAN, Tunnel, Connectivity, Forwarding and Pathing]
Example intents:
• Create a new Packaging Line (virtual) network.
• Set SCADA traffic IP priority to DSCP 27.
• Allow boiler PLC <–> Historian OPC/UA traffic.
Secure segmentation and on-boarding
Simplicity
• No VLAN, ACLs, or IP address management required
• Single network fabric
• Define one consistent policy to apply
Security
• Simplified microsegmentation
• Policy enforcement
[Diagram: users, devices and apps placed in Groups 1–6 inside an Employee virtual network and a Contractor virtual network]
[Diagram: an SD-Access fabric (Cisco DNA Center, Identity Services Engine, border nodes B, control node C, external gateways, TLS to the Internet) mapped onto the levels – Site Business Planning and Logistics Network Level 4; Demilitarised Zone¹ (Shared Access, “Jump Zone”, Level 3.5) holding the telemetry servers; Site Manufacturing Operations and Control Level 3; Area Control Level 2; Basic Control Level 1 (Packaging Zone P); Process Level 0. Packaging Zone P robots <-> Telemetry Application on Virtual Machine VM1 using HTTP; Telemetry Application on VM1 <-> Analytics Cloud Service over Encrypted Tunnel T using HTTPS]
IoT Switching portfolio
[Table: access and aggregation switches by port speed (10/100M, 1G, 10G) – IE 3200, IE 3300, IE 3400, IE4000, IE4010, IE5000; features by model: Layer 2 or Layer 2/3, for all industries, best in class; ‘*’ – selected models]
Extending Intent-Based Networking to IoT
IE 3200, IE 3300, IE 3400 SD-Access extended nodes
Cisco DNA Center: Automation, Policy, Analytics
Consistent policy across the extended enterprise with Cisco DNA Center and SDA Extension
Catalyst IE3x00 Rugged Series – Extended Enterprise
Intent based Networking for IoT Edge to Multi-cloud
Models: IE 3200 (basic), IE 3300 (flexible), IE 3400 (advanced)
Manageability
• IBN – Cisco DNA Center management and assurance*
• Redesigned, updated GUI – WebUI
• Stealthwatch with NetFlow
Security
• NG Secure Operating System IOS-XE
• IBN – enterprise fabric extension
• IBN – enterprise fabric
• Cisco TrustSec*
Differentiators
• Advanced networking – Network Advantage*
• Power over Ethernet – high density
Use cases pictured: warehouses, distribution centres, parking lots, airports
* Post-FCS
Industrial Network Architecture Evolution (leading practice as of Dec. 2018)
Today
CPwE (2013)
• IT ⬌ OT Separation
• Centralised Firewalls
• North ⬌ South Firewalling
• VLAN Segmentation
Complex and inflexible; limited security segmentation; VLAN + VRF scalability issues
CPwE v5.1 (TrustSec)
• Centralised Firewalls
• North ⬌ South Firewalling
• East – West Zone Segmentation SGACLs
• Zone ⬌ Zone Firewalling
• Policy Controlled Security
• VLAN + VRF Segmentation with SGT Zones
No east-west zone stateful firewalling
TrustSec + VRF
• Centralised Firewalls
• Fusion Routers
• VRF ⬌ VRF Firewalling
• Zone ⬌ Zone SGACLs
• Policy Controlled Security
• VRF Segmentation with SGT Zones within VRFs
Flexible, but a rigid design methodology is required
Future
SDA for Industrial
• Fabric Network
• Centralised Firewalls
• Fusion Routers
• VRF ⬌ VRF Firewalling
• Zone ⬌ Zone RBACLs
• Intent-Based Networking
• Policy Controlled Security
• VRF Segmentation with VNI+SGT (VXLAN encapsulation) Zones
Simplifies and automates network and security provisioning; the future for industrial
Industrial Network Security Hierarchy
[Diagram, from the top down: Leadership; Embedded Processes Driven Security; Production Team Systems Workflows Drive Security – APIs, customised tools for non-security/network/operations staff; Adopt Centralised Policy Control; Better Traffic Flow Telemetry, Secure Visibility and Control]
Q&A
References
• Cisco SAFE Design Guides
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html
• Cisco VRF-Lite – Cisco Network Virtualisation – Path Isolation Design Guide
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html
References – Cisco Design Guides
• December 2018 – Deploying Network Security within a Converged Plantwide Ethernet Architecture – joint Cisco Systems and Rockwell Automation design guide
https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/5-1/Network_Security/DIG/CPwE-5-1-NetworkSecurity-DIG.html
References
• Kaspersky Lab Report – Pierre Audoin Consultants (PAC), CXP Group, The State of Industrial Cybersecurity 2019
https://ics.kaspersky.com/media/2019-Kaspersky-ICS-Whitepaper.pdf
• https://www.cert.gov.au/news/cyber-security-challenges-2019
• https://acsc.gov.au/publications/protect/essential-eight-explained.htm
Industrial Control Systems Training
• USA Department of Homeland Security ICS-CERT Virtual Learning Portal (VLP) – free
https://ics-cert-training.inl.gov/learn
• Good Reads
Industrial Cybersecurity, Pascal Ackerman. Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK. ISBN 978-1-78839-515-1. www.packtpub.com
Acronyms
AAA – Authentication, Authorisation, Accounting
ACI – (Cisco) Application Centric Infrastructure
ACK – Acknowledgement
ACL – Access Control List
AD – (Microsoft) Active Directory
API – Application Programming Interface
APIC – (Cisco) Application Policy Infrastructure Controller
APIC-DC – (Cisco) Application Policy Infrastructure Controller – DataCentre
ARP – Address Resolution Protocol
ASIC – Application-Specific Integrated Circuit
BGP – Border Gateway Protocol
BPDU – Bridge Protocol Data Unit
CoPP – Control Plane Policing
C&C – Command and Control
CC – Controlled Conduit
CEF – Cisco Express Forwarding
CIP – Common Industrial Protocol (ODVA)
CMD – Cisco MetaData
COS – Class Of Service
CPwE – Cisco Plantwide Ethernet
CRC – Cyclic Redundancy Check
CTS – Cisco TrustSec
dACL – Dynamic Access Control List
DAI – Dynamic ARP Inspection
DC – Datacentre
DDOS – Distributed Denial of Service
DHCP – Dynamic Host Configuration Protocol
DLR – Device Level Ring
DMVPN – Dynamic Multipoint Virtual Private Network
DMZ – Demilitarised Zone
DNS – Domain Name Service
DNA – (Cisco) Digital Network Architecture
DNA E/A/P – (Cisco) Digital Network Architecture Essentials/Advanced/Premium
Licensing
DSCP – (IP) Differentiated Services Code Point
DTP – (Cisco) Dynamic Trunking Protocol
EIGRP – Enhanced Interior Gateway Routing Protocol
EPG – End Point Group
ERP – Enterprise Resource Planning
ERSPAN – Encapsulated Remote Switched Port Analyser
ETA – (Cisco) Encrypted Traffic Analytics
FNF – Flexible NetFlow
GPS – Global Positioning System
GE – Gigabit Ethernet
GETVPN – Group Encrypted Transport Virtual Private Network
GRE – Generic Routing Encapsulation
GUI – Graphical User Interface
HMI – Human Machine Interface
HR – Human Relations
HSR – High-availability Seamless Redundancy (Ring)
HTTP – Hypertext Transfer Protocol
HTTPS – Hypertext Transfer Protocol Secure
HW – Hardware
IACS – Industrial Automation and Control Systems
IBN – Intent-Based Networking
ICMP – Internet Control Message Protocol
ICS – Industrial Control System
IE – Industrial Ethernet
IEC – International Electrotechnical Commission
IDS – Intrusion Detection System
IDMZ – Industrial De-Militarised Zone
IEEE – Institute of Electrical and Electronics Engineers
IETF – Internet Engineering Task Force
IKEv2 – Internet Key Exchange Version 2
IND – Industrial Network Director (Cisco)
IOS – (Cisco) Internetwork Operating System
IOS-XE – “XE” train of the (Cisco) Internetwork Operating System
IOx – Application environment for Cisco Networking Equipment
IP – Internet Protocol
IPAM – Internet Protocol Address Management
IPS – Intrusion Prevention System
IPSec – Internet Protocol Security (protocol suite)
ISA – International Society of Automation
ISE – Identity Services Engine (Cisco)
ISIS – Intermediate System to Intermediate System (Routing Protocol)
IOC – Indicators of Compromise
IRIG-B – Inter-Range Instrumentation Group time code “B”
IT – Information Technology
ITSec – Information Technology Security
L2 – (OSI Model) Layer 2
L3 – (OSI Model) Layer 3
LAN – Local Area Network
LDAP – Lightweight Directory Access Protocol
LIMS – Laboratory Information Management System
LSP – Label Switched Path
LTE – Long-Term Evolution (4G mobile communications standard)
MAB – MAC Authentication Bypass
MAC – Medium Access Control
MACsec – IEEE MAC Security Standard (IEEE 802.1AE)
MDM – Mobile Device Management
MES – Manufacturing Execution System
MRP – Media Redundancy Protocol
NAT – Network Address Translation
NBA – Network Behaviour Analysis
NTP – Network Time Protocol
ODVA – Open DeviceNet Vendor Association
OPC – Open Platform Communications (OPC Foundation)
OPC UA – OPC Unified Architecture
OPS – Operations
OSPF – Open Shortest Path First (Routing Protocol)
OT – Operations Technology
pxGrid – Platform Exchange Grid
PCN – Process Control Network
PLC – Programmable Logic Controller
POE – Power Over Ethernet
POE+ – Power Over Ethernet Plus
PRP – Parallel Redundancy Protocol
PTP – Precision Time Protocol
PVST+ – (Cisco) Per-VLAN Spanning Tree Plus (Rapid PVST+ is the RSTP-based variant)
PROFINET – Process Field Net
PROFINET RT – PROFINET Real-Time
PROFINET IRT – PROFINET Isochronous Real-Time
QoS – Quality of Service
RADIUS – Remote Authentication Dial-In User Service
RBAC – Role-Based Access Control
RBACL – Role-Based Access Control List
RDP – Remote Desktop Protocol
REP – Resilient Ethernet Protocol
RIB – Routing Information Base
RSPAN – Remote Switch Port Analyser
SCADA – Supervisory Control And Data Acquisition
SDA – (Cisco) Software Defined Access
SGACL – Scalable Group Access Control List
SGT – Scalable Group Tag
SIEM – Security Information and Event Management
SNMP – Simple Network Management Protocol
SPAN – Switch Port Analyser
SPT – Spanning Tree
STP – Spanning Tree Protocol
SW – Software
TOD – Time Of Day
TCP – Transmission Control Protocol
TLS – Transport Layer Security
TSN – Time Sensitive Networking
UADP – (Cisco ASIC) Unified Access Data Plane
UDP – User Datagram Protocol
USB – Universal Serial Bus
VoIP – Voice Over IP
VLAN – Virtual Local Area Network
VM – Virtual Machine
VN – Virtual Network
VXLAN – Virtual Extensible Local Area Network
VNI – VXLAN Network Identifier
VPN – Virtual Private Network
VRF – Virtual Routing and Forwarding
VSOM – (Cisco) Video Surveillance Operations Manager
VSS – Virtual Switching System
VTP – (Cisco) VLAN Trunking Protocol
WAN – Wide Area Network
WEBUI – Web User Interface
WWW – World Wide Web