Security!
Manfred Bauer
IoT Sales Lead Germany
September 2014
Process
IoE
Data
Things
Cisco Confidential
Connection between products, machines and Internet
Asset
Utilization
Flexible mfg
Flexible controls
Flexible networks
Resiliency (REP)
Integrated management
Near Zero Downtime
Accelerated NPI
New Business
Models
Distributed Compute
Machine-as-a-Service
Remote Asset Mgmt
Productivity
Energy
Management
Mobility
2.4/5 GHz
Clean air
Machine energy
visibility reporting
and analytics
Enabling Connectivity
Connected
Factory Applications
Factory
Security
Industrial
Identity Services
Converged
Network Platforms
Ruggedized
Wireless
Access
Points
Things
Parts
Robots
Industrial Deep
Packet Inspection
IP Cameras
Video
Surveillance
Management
Industrial Routers
and Switches
Hardened Mobile
M2M Gateway
Ruggedized
Optical
transceivers
Torq
Sensors
Asset Tags
IP HD
Camera
Drives
Locations
Data
Process
Things
Machines
Network
Devices
Ports
Function
Devices
Internet
Data Center
IT Clients
Classical IT Responsibility
Plants
Machines
Classical OT Responsibility
End to End Secure Connectivity and Computing Demands Seamless Network Concepts
DMZ
Supplier 1
Primary DC
Plant 2
Backup DC
Internet
Remote
Expert
Function
Devices
Data Center
IT Clients
Secure Third
Party Access
Machines
Plants
Selective Access to
Function Devices
DMZ
Global IT
DMZ
Plant IT
Isolated or
Indus. FW
Selective
Authentication
Authorization
Selective
Authentication
Authorization
Authorization
IT Controlled Security
2013-2014 Cisco and/or its affiliates. All rights reserved.
A
process
of days
Isolated/confused world of OT
IT
Enterprise Network
OT
Demilitarized Zone
Process, Supervisory
Control, Automation
Data Privacy
Device Integrity
DMZ
Access Control
Threat Detection
Internet
Priorities
IT Network
IoT Network
Availability
3.
Confidentiality
Implications of a
Device Failure
Continues to Operate
Threat Protection
ASAP
During Uptime
Scheduled
During Downtime
Harm
Network Segmentation
Secure Connectivity
Enterprise Network
Levels 4-5
Web
Firewall
(Active)
Manufacturing Zone
Level 3
Factory
Application
Servers
FTP
Firewall
(Standby)
Patch Mgmt.
Terminal Services
Application Mirror
AV Server
Access Switch
Core
Switches
Aggregation
Switch
ISE
Drive
Controller
HMI Distributed
I/O
Cell/Area #1
(Redundant Star Topology)
Controller
Cell/Area #2
(Ring Topology)
Network Services
Cell/Area Zone
Levels 0-2
Layer 2
Access Switch
Next-Generation Firewall
HMI
Controller
Drive
Distributed I/O
Cell/Area #3
(Linear Topology)
Ruggedized Firewall
Ruggedized Intrusion Protection (IPS)
HMI
Drive
Identity Services
Demilitarized Zone
Level 3.5
Apps DNS
Enterprise Network
Secure Zones
VPN
Internet
Cells Zones
Plants
Web Server
Supervisory Network
DMZ
Cloud Systems
Remote Services
App Server
Security Policy, AAA and Identity Services
SCADA/DCS
Database
Historian
Field Network
Remote Facility
Control System Network
Sensors, Actuators
IEDs, PLCs
Segmented Access (Role-Based)
Security Monitoring, Threat Detection, Incident and Event Monitoring
Application Visibility, IPS/IDS
Identity Services Engine
Switching
Video Surveillance Manager
Routers
Firewalls
Network and Security Mgmt.
Access Points
IPICS
UCS
PTC
WAN / Core
IP/MPLS
Domain
Trackside
Identity Services
Next-Generation Firewall
Stateful Firewall
Intrusion Detection (IDS)
Physical Access Control Systems
On-board
Offload
Multiservice Networks
PTC 3000
TMC
VSMS
Ruggedized Firewall
Ruggedized Intrusion Detection (IDS)
Remote Monitoring / Surveillance
SW, Config & Asset Mgmt.
Municipal Command
& Control Center
Smart
Grid
Lighting
Poles
Building
Optimization
Logistics
Optimization
Home Energy Mgmt.
Traffic Flow
Optimization
City
WiFi
INTELLIGENT
CITY
Parking
Cloud &
Services
INTELLIGENT
Building
Connected
Ambulances
INTELLIGENT
HIGHWAY
Automated
Intelligent Digital
Car System
Signage
INTELLIGENT
Community
Traffic
Cameras
Source: Intel
IOx
Linux
APIs
IOS
Fog Computing
Application
Policy
Business
Applications
Infrastructure Controller
that
run on the
Applications
to network
Program
Cisco ONE
Platform
the
Networks
Hosted Bus Apps
App
AutoStore
Config
App
QoS Management
APIs
Security
Network Automation
(APIC SDN Controller)
Routing/
Config
QoS
Security
Distributed Application Enablement
(Fog Computing)
IOx SDK
IOx
Analytics
Device
Directory
IOx
Data
Fog
WAN
Access
Distributed
Compute
Center
and Storage
IOS + Linux
Things
BYOA
BYOI
Parking
Sensors
Smart
LED lighting
Waste
Sensors
IP HD
Camera
Water
Sensors
Air Q
Sensors
IP
Differentiation
Security
Ruggedized security - IPS/FW/VPN
Single policy management
Industrial signatures
Whole Offer
Ruggedized platforms
Industrial features
Protocol translation
Converged networking
IoT Gateway/Aggregation
Mobility
Application Enablement
Application data processing
Distributed control
Video analytics at the edge
Third-party interfaces
Thank you.
Rockwell
Stratix 5900/819
Products
Secure Router
CGR 2010
Industrial Firewall
Industrial IPS
Hyperlite (future)
ASA/FirePower (future)
Wireless
NGFW
NGIPS
AMP
Able to manage security threats during the full attack continuum: Before, During and After
NGFW
AMP
NGIPS
ex.
system remotely
When the endpoints attempt network access, they will be dynamically profiled and provided the appropriate access privileges based on their identity.
Change of Authorization (CoA) can be enforced by the network infrastructure in (3) ways:
1. VLAN swap,
Enterprise Network
ISE ADMIN
Levels 4-5
AD MDM DNS
Patch Management,
Terminal Services,
Application Mirrors, AV
Servers
FTP
ISE PSN
(DMZ) Firewalls
Firewall (Standby)
Cisco ASA 5500
Cisco Catalyst 6500/4500
Cisco Catalyst Switch
Enforcement for zone 2 done here
MULTI-AUTH
Network Services
Manufacturing Zone
Level 3
Distribution / Core
Cisco IE3K/2K
Enforcement pushed to IE3K, so enforcement is done within zone
CISCO IE2K/3K
Contractor
Demilitarized Zone
Employee
Industrial net #1
Contractor
Employee
Industrial net #2
Embedded
Wireless
Access Point
Wireless
Gateway
Router