
Internet of Things - yes, with security!
Manfred Bauer
IOT Sales Lead Germany

September 2014

The Internet of Everything (IoE)

IoE: Networked Connection of People, Process, Data, Things

People: Connecting People in More Relevant, Valuable Ways
Process: Delivering the Right Information to the Right Person (or Machine) at the Right Time
Data: Leveraging Data into More Useful Information for Decision Making
Things: Physical Devices and Objects Connected to the Internet and Each Other for Intelligent Decision Making

2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential

Smart Factory as Internet of Things

Collection of information in a specific context
Connection between products, machines and the Internet
Situational offering of services
Networking between machines and products within the shop floor

Example: Building the Factory of the Future

Diagram labels (business outcomes and enabling capabilities):
Real Time Supply Chain: Flexible mfg, Flexible controls, Flexible networks
Asset Utilization: Resiliency (REP), Integrated management, Near Zero Downtime
Accelerated NPI
New Business Models: Distributed Compute, Machine-as-a-Service, Remote Asset Mgmt
Productivity
Energy Management: Machine energy visibility reporting and analytics
Mobility: 2.4/5 GHz, Clean air
Enabling Connectivity: Connected Factory Applications, Factory Security, Industrial Identity Services, Converged Network Platforms, Ruggedized Wireless Access Points
Things: Parts, Robots, Industrial Deep Packet Inspection, IP Cameras, Video Surveillance Management, Industrial Routers and Switches, Hardened Mobile M2M Gateway, Ruggedized Optical transceivers, Torque Sensors, Asset Tags, IP HD Camera, Drives

Industrie 4.0 Demands Cross Domain Data Management

Diagram labels: People, Locations, Data, Process, Things, Machines, Network Devices, Ports, Function Devices
Classical IT Responsibility: Internet, Data Center, IT Clients
Classical OT Responsibility: Plants, Machines

End to End Secure Connectivity and Computing Demands Seamless Network Concepts

Secure entity management reaches a new magnitude of scale

Industrie 4.0 Demands World Wide Connectivity

Internet and Intranet need secure, scalable and reliable network functions based on trusted devices
Selective feature choice between technologies like Multi-Protocol Label Switching (MPLS) and encryption based access technologies (like IPsec)
Context based Security in the complete value chain with manageable rules handled by TrustSec based profiles

Diagram labels: Plant 1, Plant 2, Supplier 1, DMZ, Primary DC, Backup DC, Internet, Remote Expert, Function Devices

The Main Problem with separated OT/IT Networks

Diagram labels: Intranet, Data Center, IT Clients, Secure Third Party Access, Machines, Plants
Global Location Routing separated from Intranet
Plant wide selective Access to Machines
Selective Access to Function Devices
DMZ Global IT, DMZ Plant IT, Isolated or Industrial FW
Selective Authentication and Authorization at each DMZ
IT Controlled Security vs. Isolated/confused world of OT
Callout: A process of days

IT/OT Converged Security Model

Diagram labels by layer:
Cloud: OT Partners & Services
IT, Enterprise Network: Anti-Virus, Malware Detection; Corporate Directory, Web & Email Security; Plant Edge (VPN, IPS & Remote Access)
OT, Demilitarized Zone: Stateful Firewall, NGFW; Access Control
OT, Process and Supervisory: SIEM, Remote Services Platform; OT Policy Mgmt, SW, Config, AV & Asset Mgmt.; Cyber & Physical Access Control Systems
OT, Control and Automation: Ruggedized Firewall; Ruggedized IDS / IPS
Internet: Cloud-based Threat Protection; Network-wide Policy Enforcement; Security Information & Event Management (SIEM); Enterprise Edge (VPN, IPS, NGFW)
Segmentation: VLANs, VRFs, ACLs
Cross-cutting: Data Privacy, Device Integrity, DMZ, Access Control, Threat Detection

Priority shifts in IoT

Aspect | IT Network | IoT Network
Security Policies Focus | Protecting Intellectual Property and Company Assets | 24/7 Operations, High OEE, Safety, and Ease of Use
Priorities | 1. Confidentiality, 2. Integrity, 3. Availability | 1. Availability, 2. Integrity, 3. Confidentiality
Types of Data Traffic | Converged Network of Data, Voice and Video (Hierarchical) | Converged Network of Data, Control Protocols, Information, Safety and Motion (P2P & Hierarchical)
Implications of a Device Failure | Continues to Operate | Could Stop Processes, Impact Markets, Physical Harm
Threat Protection | Shut Down Access to Detected Threat and Remediate | Potentially Keep Operating with a Detected Threat
Upgrades and Patch Mgmt | ASAP During Uptime | Scheduled During Downtime
Deployment conditions | Controlled physical environments | Harsh environments (temp, vibration, etc.)
Infrastructure Life Cycle | Equipment upgrades and refresh <5 yrs | Avoid device and equipment upgrades (lifespan 15+ yrs)

Security in IoT networks is crucial as people, communities, and financial systems could be negatively impacted by cyber/physical security breaches.
Top priorities are availability, safety, and ease-of-use.
Biggest pain point is the management of who, what, where, when, and how (people, data, and processes).

IoT Security Principles

Access Control: Network Segmentation; Secure Connectivity
Threat Detection and Mitigation: Security Zones; Intrusion Prevention; Application Visibility
Device and Platform Integrity: Device Hardening and Secure Platform; Configuration Assurance
Operation Reliability & Safety
Data Confidentiality and Data Privacy
Policy Management with OT/IT Convergence & Ease of Use
User and Device Identity: Authentication, Authorization & Accounting

From use cases to requirements; guide solution development; trusted solution provider

IT/OT Converged Security Model Manufacturing

Diagram labels by zone:
Enterprise Network (Levels 4-5): Internet, Web, FTP, Firewall (Active), Firewall (Standby), Gbps Link for Failover Detection, VPN & Remote Access Services, Patch Mgmt., Terminal Services, Application Mirror, AV Server, Core Switches, ISE
Demilitarized Zone (Level 3.5): Apps, DNS
Manufacturing Zone (Level 3): Factory Application Servers, Aggregation Switch, Access Switch, Network Services, Identity Services
Cell/Area Zone (Levels 0-2): Layer 2 Access Switch, HMI, Controller, Drive, Distributed I/O; Cell/Area #1 (Redundant Star Topology), Cell/Area #2 (Ring Topology), Cell/Area #3 (Linear Topology)

Security functions shown: Cloud-based Threat Protection; Network-wide Policy Enforcement; Access Control (application-level); Intrusion Prevention (IPS); Stateful Firewall; Intrusion Protection/Detection (IPS/IDS); Next-Generation Firewall; Physical Access Control Systems; Ruggedized Firewall; Ruggedized Intrusion Protection (IPS); Remote Monitoring / Surveillance; SW, Config & Asset Mgmt

IoE Cyber Security: Protection Onion Layers

Diagram labels (concentric layers, outermost first): Internet; Cloud Systems; Remote Services; Enterprise Network; DMZ / Web Server; VPN; Plants, Secure Zones, Cells Zones; Supervisory Network (SCADA/DCS, App Server, Database, Historian); Control System Network; Field Network (IEDs, PLCs, Sensors, Actuators); Remote Facility
Security controls shown: Security Policy, AAA and Identity Services; Physical Security; Smart, Programmable Cameras; Industrial Cyber Security; Segmented Access (Role-Based); Security Monitoring, Threat Detection, Incident and Event Monitoring; Application Visibility, IPS/IDS; Identity Services Engine; Switching; Video Surveillance Manager; Routers; Firewalls; Network and Security Mgmt.; Access Points
Callout: Let's do some maintenance!

IT/OT Converged Security Model Transportation

Diagram labels: Control Center (VSMS / VSOM, IPICS, UCS, PTC); WAN / Core (IP/MPLS Domain); Trackside; On-board; Process Control & Safety Networks; Offload; Multiservice Networks; PTC 3000; TMC; VSMS
Security functions shown: Cloud-based Threat Protection; Network-wide Policy Enforcement; Application-Level Access Control; VPN & Remote Access Services; Intrusion Prevention (IPS); Identity Services; Next-Generation Firewall; Stateful Firewall; Intrusion Detection (IDS); Physical Access Control Systems; Ruggedized Firewall; Ruggedized Intrusion Detection (IDS); Remote Monitoring / Surveillance; SW, Config & Asset Mgmt.

Example Smart City

Diagram labels: Factory Optimization; Municipal Command & Control Center; Smart Grid; Lighting Poles; Building Optimization; Logistics Optimization; Home Energy Mgmnt; Traffic Flow Optimization; City WiFi; Intelligent City; Parking; Cloud & Services; Intelligent Building; Connected Ambulances; Intelligent Highway; Automated Car System; Intelligent Digital Signage; Intelligent Community; Traffic Cameras
Source: Intel

IoE Application Centric Architecture

Diagram labels:
Application: Cisco and 3rd Party Apps (Joulex, OSIsoft, SAS, Rockwell); Application Management / Store
IOx: Linux, APIs, IOS; IOx SDK; Fog Computing; Distributed Application Enablement (Fog Computing); Analytics; Device Directory
Application Policy Infrastructure Controller (APIC SDN Controller): Network Automation; Routing/Config; QoS; Security
Business Applications that run on the Cisco ONE Platform; Applications to Program the Networks; Hosted Bus Apps; App AutoStore; Config App; QoS Management APIs; Security
Hardened Edge Platforms: Embedded Storage and Compute; IOx Data; Fog; WAN; Access; Distributed Compute and Storage; Data Center; IOS + Linux; Things; BYOA; BYOI
Things: Parking Sensors, Smart LED lighting, Waste Sensors, IP HD Camera, Water Sensors, Air Q Sensors, IP

Cisco IoT Strategy is Working!

Foundation / Differentiation:
Security: Ruggedized security - IPS/FW/VPN; Single policy management; Industrial signatures
Whole Offer: Ruggedized platforms; Industrial features; Protocol translation; Converged networking; IoT Gateway/Aggregation; Mobility
Application Enablement: Application data processing; Distributed control; Video analytics at the edge; Third-party interfaces
Management / Ease of Use: Auto discovery / auto configuration; Zero touch deployment; Video management at scale; Visualization

Thank you.

IoTG Extended Security Products Portfolio

Technologies/Use Cases | Products
Secure Router: Provides secure remote access and zone segmentation for most IoT use cases | Rockwell Stratix 5900/819, CGR 2010
Industrial Firewall: Industry leading firewall, intrusion prevention, VPN, remote access, and other service features | Hyperlite (future), ASA/FirePower (future)
Industrial IPS: Defense against complex industrial network attacks | Hyperlite (future), ASA/FirePower (future)
Wireless: Increase mobility without compromising security with threat-protected WLAN services | Cisco WLC, PI, MSE
Cisco Security Policy Mgmt and Enforcement: Policy-based access control, identity-aware networking, and data integrity | IE switches, ASA, ISE

Sourcefire Can Be Applied for OT Environments

The Sourcefire security platform has 3 main components:
L2-L7 Firewall (NGFW)
Next Generation IPS (NGIPS)
AMP (Advanced Malware Protection)

Able to manage security threats during the full attack continuum: Before, During and After

Sourcefire value in process control

Capabilities across NGFW, NGIPS and AMP:
Layer 2-7 firewall
Application discovery, monitoring and control
Detect and prevent intrusions
Wrap SCADA protocols
Passively discover ICS assets & create context
Monitor and prevent client-side attacks in HMIs
Network trajectory mapping
Retrospective analysis & quarantining

ISE Can Be Applied for OT Environments

Typical OT use cases for ISE as a common policy platform:
Local User Access, Wired Connection: on the Mfg Plant Floor or Utility Substation, for example
Local User Access, Wireless Connection: similar OT locations as above
Remote User Access: Employee or Contractor needs to access HMI or OT control system remotely

When the endpoints attempt network access, they will be dynamically profiled, and provided the appropriate access privileges based on their identity.
Change of Authorization (CoA) can be enforced by the network infrastructure in (3) ways:
1. VLAN swap,
2. downloadable ACL (dACL), and
3. Security Group Tag (SGT).

ISE - Employee and Contractor using assets on plant/zone floor

Diagram labels by zone:
Enterprise Network (Levels 4-5): Internet, ISE ADMIN, AD, MDM, DNS, Patch Management, Terminal Services, Application Mirrors, AV Servers, FTP, Gbps Link for Failover Detection, Firewall (Active), Firewall (Standby), Cisco ASA 5500, Cisco Catalyst 6500/4500
Demilitarized Zone: (DMZ) Firewalls, ISE PSN
Manufacturing Zone (Level 3), Distribution / Core: Cisco Catalyst Switch, Cisco Cat. 3750X, Network Services
Industrial net #1: Cisco IE3K/2K, Contractor, Employee
Industrial net #2: 3rd Party Switch, Contractor, Employee

Callouts:
Enforcement for zone 2 done here (MULTI-AUTH), at the Cisco Cat. 3750X
Enforcement pushed to IE3K, so enforcement is done within zone
3rd Party Switch: contractor/employee assets are still profiled by ISE, but enforcement is done upstream at the Cisco switch, so no enforcement within zone

Cisco Industrial Portfolios (IoT Business Unit)

Diagram labels: Ethernet Switching; Embedded; Wireless Access Point; Wireless Gateway; Router
