
Industrial Network
Security Architecture
Evolution

Michael Boland, Distinguished Systems Engineer


BRKIOT-1315

#CLMEL © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Abstract

Security risks increase the potential for disruption to control system uptime and safe operation, and for loss of intellectual property.

Changes in control and IT technologies, extended digital supply chains and evolving organisational structures demand that security is not just a set of enforcement point solutions. Indeed, security must be integrated end-to-end throughout IT and industrial network architectures to reduce cyber security and operational impact risks.

This session will examine the evolution of industrial network design from a security perspective, outlining leading network design patterns and Cisco technologies.
Agenda
• Industry Models and Security Design Patterns
• Security Prime Directive
• Production Systems Attacks
• Production Network Design Models for Security
• Applying Security via Workflow Integration
• Industrial Network Security Evolution
Icon Key
• Layer 2 Switch
• Layer 3 Switch
• PLC
• Remote I/O
• HMI
• Surveillance Camera
• Smart Lighting
• SDA Fabric Border Node – A Fabric device (e.g. Core) that connects External Layer 3 network(s) to the SDA Fabric
• SDA Control Plane Nodes – Map System that manages Endpoint to Device relationships
• SDA Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
• SDA Fabric Enabled Wireless Controller
• SDA Fabric Enabled Wireless Access Point

Icon Key
• Router
• Firewall
• Clustered Firewalls
• ISE
• Directory Server (Microsoft Active Directory, LDAP)
• Layer 3 Virtual Switch, e.g. VSS, Horizontal Stacking
• Wireless LAN Controller
• Wireless Access Point
• StealthWatch
“There is no such thing as perfect security, only varying levels of insecurity.”
Salman Rushdie, Author
Industry Models and Security Design Patterns

Purdue Enterprise Reference Architecture / ISA-95¹
Scheduling and Control Hierarchy Levels in Industrial Companies
• Level 4 – Business Planning and Logistics: plant production scheduling, operational management, etc.
• Level 3 – Manufacturing Operations and Control: dispatching production, detailed production scheduling, reliability assurance, etc.
• Levels 2, 1 & 0 – Area Control: cell/line supervision, operations and process control functions (Batch Control, Continuous Control, Discrete Control; ISA-88 Standard)

ISA-95 defines the interfaces between Enterprise activities and Control activities. It provides standard models and terminology for describing the interfaces between the business systems of an Enterprise and its manufacturing-control systems.

¹ ISA-95 – International Standard from the International Society of Automation
ISA-95 Computer-Integrated Manufacturing Levels
Level 4 - The business-related activities needed to manage a manufacturing organisation that are executed by enterprise-level software and systems, including:
• Plant scheduling - material use, delivery, and shipping
• Determining inventory levels
• Delivery of materials to the right place on time for production
• Timeframe – Months, weeks, days, shifts

Manufacturing (Levels 3 to 0):
Level 3 - The activities of work flow to produce the end products that are executed by the MES and MES-related systems. Timeframe – shifts, hours, minutes, seconds.
Level 2 - The activities of monitoring and controlling the physical processes that are executed by the PLC, the HMI, and the Area and Unit Operations portion of the Supervisory Control and Data Acquisition (SCADA) system.
Level 1 - Activities involved in sensing and manipulating the physical processes executed by valves, sensors, motors, etc.
Level 0 - The actual physical processes
Source: http://www.pharmpro.com/article/2012/07/manufacturing-execution-systems
IEC-62443 (formerly ISA-99)
[Diagram: the level model annotated from a Security perspective, with part of it marked “Not addressed in IEC-62443”.]
NIST Special Publication 800-82 revision 2
Guide to Industrial Control Systems (ICS) Security
• Overview of Industrial Control Systems
• ICS Risk Management and Assessment
• ICS Security Program Development and Deployment
• ICS Security Architecture
• Applying Security Controls to ICS

NIST 800-82 (Revision 2)¹
• Level 5 – Enterprise Network (Enterprise Zone)
• Level 4 – Site Business Planning and Logistics Network (Enterprise Zone)
• DMZ – Demilitarised Zone: Shared Access, “Jump Zone”
• Level 3 – Site Manufacturing Operations and Control (Manufacturing Zone)
• Level 2 – Area Control (Cell/Area Zone)
• Level 1 – Basic Control (Cell/Area Zone)
• Level 0 – Process (Cell/Area Zone)
¹ DMZ also defined in USA Department of Homeland Security INL/EXT-06-11478
Industrial Network Models – IEC-62443-3-2
Security Risk Assessment and System Design
• Level 5 – Enterprise Network (Enterprise Zone)
• Level 4 – Site Business Planning and Logistics Network (Enterprise Zone)
• DMZ – Demilitarised Zone: Shared Access, “Jump Zone”
• Level 3 – Site Manufacturing Operations and Control (Manufacturing Zone)
• Level 2 – Area Control
• Level 1 – Basic Control (Cell/Area Zone)
• Level 0 – Process
[Diagram: Zone A and Zone B within the Manufacturing and Cell/Area levels, joined by an IEC-62443-3-2 Controlled Conduit.]
Industrial Network Models – ISA-62443-3-2 + DMZ
• Level 5 – Enterprise Network (Enterprise Zone, Zone E)
• Level 4 – Site Business Planning and Logistics Network (Enterprise Zone)
• DMZ – Demilitarised Zone: Shared Access, “Jump Zone”
• Level 3 – Site Manufacturing Operations and Control (Manufacturing Zone)
• Level 2 – Area Control
• Level 1 – Basic Control (Cell/Area Zone, Zone A)
• Level 0 – Process
[Diagram: Zone E reaches the Manufacturing Zone through a Controlled Conduit terminating in the DMZ; the direct Enterprise-to-Manufacturing path is marked X.]
Industrial Network Models – DMZ
• Level 5 – Enterprise Network (Enterprise Zone); Remote Contractor
• Level 4 – Site Business Planning and Logistics Network
• DMZ – Demilitarised Zone: Terminal Services
• Level 3 – Site Manufacturing Operations and Control (Manufacturing Zone)
• Level 2 – Area Control: HMI (Zone C)
• Level 1 – Basic Control (Cell/Area Zone)
• Level 0 – Process
[Diagram: a remote Contractor connects over HTTPS through a Controlled Conduit (CC) to Terminal Services in the DMZ, and from there over RDP through a second Controlled Conduit to the HMI in Zone C.]
Security Prime Directive in Production Systems

Security Goals in Production Systems
• Maintain Safe Production
• Sustain Production Environments

Attack Continuum
• BEFORE – Control, Enforce, Harden
• DURING – Detect, Block, Defend
• AFTER – Scope, Contain, Remediate
Security Challenges in Industrial Environments
• Lack of Visibility – What’s out there, who is talking to who, what are they saying
• Antiquated Systems – Unpatched, legacy systems
• Access Control – Access needs evolving
• Insecure Design – Lack of segmentation
• Change Control – 24/7/365 Operations
• OT Security Skills – IT security vs. Ops knowledge
• Business Needs – Real-time information, no downtime, quick access
Domains of Responsibility?
Operations Centres
• Network Operations Centre – Group, Division, Site
• Security Operations Centre – Group, Division, Site

• Datacentre – Group, Division
• WAN – Group, Division, Site
• LAN – Site
• Production Control Network – Wired and Wireless

[Diagram: Enterprise Services WAN, Enterprise Services LAN, Enterprise Datacentre, Internet and Internet DMZ, Industrial Datacentre, Industrial DMZ, IoT, PCN WAN and Inter-site PCN WAN, Physical Safety and Security, PCN Core, Distribution and Access Switches, PCN Control LAN Switches and Process Control, each falling under a different domain of responsibility.]
Common Security Issues, and … Obligatory Scary Slides
2017 and 2018 Security News
Threat Landscape for Industrial Automation Systems in H1 2018
Kaspersky Labs data from Industrial Windows Computers:
• Supervisory control and data acquisition (SCADA) servers
• Data storage servers (Historian)
• Data gateways (OPC)
• Stationary workstations of engineers and operators
• Mobile workstations of engineers and operators
• Human Machine Interface (HMI)

[Charts: Percentage of ICS computers attacked, H1 2017 – H1 2018; Main sources of threats blocked on ICS computers (percentage of computers attacked during half-year periods), H1 2017 – H1 2018.]

Source: Kaspersky Lab ICS CERT, September 2018
https://securelist.com/threat-landscape-for-industrial-automation-systems-in-h1-2018/87913/
Types of Attacks in 2018 and 2019
• Production systems targeted with sophisticated modular malware
  – Calls home to report findings, receive further instructions and provide a 2nd backdoor
  – Maps network/devices/protocols
  – Trashes the joint - issuing fake control commands
  – Erasing registry keys and overwriting systems to bar
• Ransomware (Petya, Wannacry) and Malware (NotPetya) attacks crossing from IT to OT systems
  – Attack vector is common operating systems and database platforms upon which OT systems are built
• Common Tactics, Techniques and Procedures¹ include …
  – Spear-phishing emails (from compromised legitimate account)
  – Watering-hole domains
  – Credential gathering
  – Open-source and network reconnaissance
  – Host-based exploitation
  – Targeting industrial control system (ICS) infrastructure

¹ US-CERT TA18-074A https://www.us-cert.gov/ncas/alerts/TA18-074A
Root remediation observations
• Human factors – HR systems immediately remove access rights of terminated employees, anti-phishing, block USB drives
• Control systems software patching
• IT systems software patching
• Timely system backups
• IT/OT systems separation
• Compromised credentials - Multi-Factor Authentication
• Email and WWW attachment scanning/control
• Whitelist DNS from Industrial Networks to prevent “calling-home”
• Active monitoring
• Morphing threats – Automated Threat Updates
More and More Porous Boundaries …
• Machine builders want access to machine telemetry
• Requesting direct machine-to-cloud connectivity
• In some cases machines come with embedded LTE networking which is outside operations control
• Presents a security “backdoor” problem
Production Network Design Models for Security

Protect the Network – Hygiene Factors
• Cisco SAFE Design Guides
  https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html
• Network Element Hardening
  Deploy trusted platform security, implement secure protocols, disable unused services, limit access to necessary ports and protocols, enforce via authentication, authorisation and accounting (AAA) with two-factor authentication, and control plane policing
• Network Element Services
  Disable unnecessary services and enable only services that are needed
• Routing
  Packet filtering, restricting routing-protocol membership, and controlling the propagation and learning of routing information
• Switching
  Restricting broadcast domains, STP security, ARP inspection, anti-spoofing, disabling unused ports, and following VLAN best practices
Protect On-Network Services
• DNS
Patch management and the hardening of the DNS servers, using firewalls to control DNS queries and zone
traffic, implementing IPS to identify and block DNS-based attacks, etc.

• NTP
Implement NTP peer authentication, the use of access control lists, and device hardening, etc.

• DHCP
Server hardening and use of DHCP security features available on switches such as DHCP snooping and port
security, etc.

Implement Leading Practice Design for Security
• Time synchronise all network elements - NTP
• Enable logging for all network elements - syslog
• Partition (and filter) the network management address space
• Employ QoS to accurately classify and prioritise control and management traffic
• Enable Control Plane Policing (CoPP)
• Implement IEEE 802.1AE (MACsec where supported) to protect network traffic, detect and prevent unauthorised LAN connections
Production Network Topology
[Diagram: layered production network with WAN, Core, Distribution, Access and Control layers alongside the Datacentre.]
• Datacentre – Separate IT and Industrial Applications/Services: Physical, Segmented, Partitioned
• Core and Distribution – Separate or converged IT and Industrial backbone networks
• Access and Control – Separate or converged Access and Control Layer switches
Network Flow Visibility
• We cannot effectively secure that which we cannot see!
• Compiles system and network profile baselines
• Feeds security model planning and development
• Feeds network planning
• Feeds network forensics, detecting:
Abnormalities
Malicious activity
Anomalous activity

You cannot secure that which you cannot see!
[Diagram: the layered production network (Enterprise WAN Services, Enterprise LAN Services, Internet, Datacentre with Virtual Switches, Core, Distribution, Access, Control) with Flow Correlation and Flow Collectors placed centrally.]
• Intra- and inter-server flow monitoring is required in the datacentre
• IDS/IPS in traditional industrial network designs only provides visibility of North-South traffic
  ⤫ No East-West (PCN Zone ⬌ PCN Zone) visibility
  ⤫ No intra-server flow visibility
• NetFlow on core switches alone only provides visibility of North-South traffic
• Flow monitoring should be enabled at all industrial network layers – including the industrial datacentre … centrally correlated and monitored
Visibility Through NetFlow
NetFlow Provides
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyser (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information

Example flow record (switches and routers export records for packets from 10.1.8.3 to the Internet host 172.168.134.2):
  SOURCE ADDRESS        10.1.8.3
  DESTINATION ADDRESS   172.168.134.2
  SOURCE PORT           47321
  DESTINATION PORT      443
  INTERFACE             Gi0/0/0
  IP TOS                0x00
  IP PROTOCOL           6
  NEXT HOP              172.168.25.1
  TCP FLAGS             0x1A
  SOURCE SGT            100
  APPLICATION NAME      NBAR SECURE-HTTP

IE 4000, IE 4010 and IE 5000 now with Full Flexible NetFlow - Cisco IOS Release 15.2(6)E1
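The visibility argument of the last two slides, worked through as an added example (not from the Cisco deck): flow records in the shape of the slide's example are classified as north-south or east-west against a constructed PCN zone plan, and conversations absent from a learned baseline are reported. Zone subnets, SGT numbers and all flows other than the slide's 10.1.8.3 record are constructed.

```python
"""Flow-visibility triage over NetFlow-style records (added example, not from
the Cisco deck). It classifies each flow as north-south or east-west against a
constructed PCN zone plan and reports conversations that were not seen while
baselining, which is the gap a core-only NetFlow export leaves open."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed zone plan for illustration only; not a real site.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "cell-area-A": ipaddress.ip_network("10.1.8.0/24"),
    "cell-area-B": ipaddress.ip_network("10.1.9.0/24"),
    "industrial-dc": ipaddress.ip_network("10.1.100.0/24"),
    "enterprise": ipaddress.ip_network("172.16.0.0/12"),
}
PCN_ZONES: Set[str] = {"cell-area-A", "cell-area-B", "industrial-dc"}


@dataclass(frozen=True)
class Flow:
    """Subset of the fields a Flexible NetFlow record carries (see the slide)."""
    src: str
    dst: str
    proto: int        # IP protocol number, 6 = TCP, 17 = UDP
    dport: int
    tcp_flags: int = 0
    src_sgt: int = 0  # Source SGT if the exporter is TrustSec-aware


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"   # Internet or unplanned address space


def direction(flow: Flow) -> str:
    """East-west = both ends inside PCN zones (PCN Zone <-> PCN Zone).
    Such flows never reach a core-only exporter, so a design that collects
    NetFlow only at the core is blind to them; access-layer export is needed."""
    if zone_of(flow.src) in PCN_ZONES and zone_of(flow.dst) in PCN_ZONES:
        return "east-west"
    return "north-south"


def conversation_key(flow: Flow) -> Tuple[str, str, int, int]:
    """Who talks to whom, over which service: the unit of a behavioural baseline."""
    return (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.dport)


def learn_baseline(flows: Iterable[Flow]) -> Set[Tuple[str, str, int, int]]:
    """Compile the system/network profile baseline from a known-good period."""
    return {conversation_key(f) for f in flows}


def find_deviations(flows: Iterable[Flow],
                    baseline: Set[Tuple[str, str, int, int]]) -> List[Tuple[str, Flow]]:
    """Flows whose conversation was never baselined, tagged with direction so an
    analyst can see whether the anomaly is a zone-to-zone (east-west) hop."""
    return [(direction(f), f) for f in flows if conversation_key(f) not in baseline]


# Constructed sample data. The first record reproduces the slide's example
# (10.1.8.3 -> 172.168.134.2:443, TCP flags 0x1A, SGT 100); the rest are ours.
BASELINE_FLOWS = [
    Flow("10.1.8.3", "172.168.134.2", 6, 443, 0x1A, 100),  # HMI to a web service
    Flow("10.1.8.3", "10.1.100.20", 6, 44818),             # HMI to Historian, CIP Class 3
    Flow("10.1.9.7", "10.1.100.20", 6, 44818),             # cell B PLC to Historian
]
OBSERVED_FLOWS = BASELINE_FLOWS + [
    Flow("10.1.8.3", "10.1.9.7", 6, 502),        # cell A HMI to cell B PLC: new east-west Modbus
    Flow("10.1.100.20", "203.0.113.5", 17, 53),  # Historian resolving an external name: possible call-home
]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for where, f in find_deviations(OBSERVED_FLOWS, base):
        print(f"{where:<11} {f.src} -> {f.dst}:{f.dport} proto {f.proto}")
```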
Stitching Context to Provide User Transaction Visibility
Use Cases: Internal Insider Threat Monitoring, User Firewall Operations, Network Planning, Network Segmentation (TrustSec) Visualisation

Cisco StealthWatch
• Event Data: Security Events, Behavioural Analytics
• Session Data | 100% network accountability
  Client 1.1.1.1 | Server 2.2.2.2 | Translation 3.3.3.3 | Service 80/tcp | User Doug | Application http | Traffic 20M | Group location | Mac 00:2b:1f | SGT 10
• Visibility sources: User Interface, TrustSec Information, Threat Feed, Group / Segment Information, NAT/Proxy, LAYER 7, Cloud
Visibility with StealthWatch: Connection Records of Behavioural Models
Collect and analyse flows; flows raise Security Events (94+), which map to an Alarm Category and a Response.

Security Events (94+), e.g.: Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Long Flow, Suspect UDP Activity, SYN Flood, …
Alarm Categories: Concern, Recon, C&C, Exploitation, Data hoarding, Exfiltration, DDoS target
Responses: Alarm table, Host snapshot, Email, Syslog / SIEM, Mitigation
Two Approaches to Flow Monitoring Architecture

Active Monitoring by Switches
• Design: NetFlow enabled on all production site switches, with centralised flow correlation and analysis, e.g.
  – Cisco Catalyst 9000 Core and Distribution switches
  – Cisco Industrial Ethernet 4000 and 5000 switches
  – Centralised NetFlow Collectors and StealthWatch
• Advantages
  ✓ Common integrated management model
  ✓ Catalyst 9000 switch UADP hardware allows for the analysis of encrypted industrial traffic flows (ETA – Encrypted Traffic Analytics)
• Disadvantages
  ⤫ New switching hardware may be required at the Access and Control layers
  ⤫ Only looks at packet headers – not application payload

Tap/SPAN Traffic to Parallel Monitoring Infrastructure
• Design: Passive optical taps or active spanning to packet monitors
  – Distributed packet monitors connected to separate segments (e.g. VLANs) on production switches
  – Or distributed monitors connected to a dedicated monitoring network across the production site
• Advantages
  ✓ Architecture supports the monitoring of legacy serial industrial control buses
  ✓ Complete separation of flow monitoring from control network infrastructure
  ✓ Forwards total packet to analysis systems – application layer stateful analysis
• Disadvantages
  ⤫ Must monitor all ingress and egress ports to a switch to capture all flows – physical port tapping or on-switch port spanning
  ⤫ Cost of replicating a parallel network for monitoring
Common Production Network Design
[Diagram: Enterprise WAN Services, Enterprise LAN Services, Industrial Services, Datacentre and Internet above Core, Distribution, Access and Control layers.]
• Often no separate Industrial Datacentre switches
• Large Layer 2 topology spans Core to Access; VLAN-based segmentation
  ⤫ Tromboning inter-processor traffic via external switches
  ⤫ Large Spanning Tree domains, difficult to scale
  ⤫ Large broadcast domains
  ⤫ Complexity leads to configuration errors
• Firewalls provide “North-South” control only
  ✓ PCN ➜ Enterprise Services
  ✓ PCN ➜ Industrial DC
  ⤫ PCN Zone ⬌ PCN Zone
  ⤫ Firewall scale (Virtual Contexts)
• Non-managed Control Layer switches
  ⤫ Difficult to manage
  ⤫ No visibility of Control traffic
Segmentation for Security
Network Segmentation: “The capability to segment a network in order to achieve data plane isolation over physical and virtual networks”

• Security Zones – Production Zones (e.g. Packaging Line 4, Conveyer, etc.) and Service Zones (e.g. Call Manager, Site Historian, VSOM Server, SCADA Server, Unified Communications, Physical Safety and Security, Network Management, etc.); 100’s of zones
• Network Constructs – Group Based Policy* (Security Groups, TrustSec SGT); Permission Filters (Dynamic ACL, Stateful ACL, Static ACL); Routing (VRF); Network (DHCP Scope, VLAN, Address – MAC / IP / Subnet); Physical
• Segmentation Mechanisms map Security Zones onto Network Constructs
* E.g. Cisco ACI End Point Groups within a datacentre
Layer 2 Issues
• Network stability is compromised as a result of slow response to network failures (slow convergence). Spanning Tree Protocols are not built to accommodate frequent link-flapping conditions, high error rates, unidirectional failures or non-report of loss of signal
• Packet flooding and MAC address learning behaviours
• Broadcast storms, if uncontrolled, can result in network-wide outages
• Lack of visibility into packet paths for debugging
• There are many counter-measures and switch features that assist in remediating these issues, but the poor degree of feature standardisation and implementation differences make network designs based upon extensive Layer 2 networking difficult to manage and debug
Switching Security Leading Practice (Access Layer)
• Restrict broadcast domains
• Spanning Tree Protocol (STP) Security - Implement Rapid Per-VLAN Spanning Tree (Rapid PVST+), BPDU Guard, and STP Root Guard to protect against inadvertent loops
• DHCP Protection - Implement DHCP snooping on access VLANs to protect against DHCP starvation and rogue DHCP server attacks
• IP Spoofing Protection - Implement IP Source Guard on access ports
• ARP Spoofing Protection - Implement dynamic ARP inspection (DAI) on access VLANs
• MAC Flooding Protection - Enable Port Security on access ports
• Broadcast and Multicast Storm Protection - Enable storm control on access ports
VLAN Leading Practices
• Restrict VLANs to a single switch
• Configure separate VLANs for voice and data
• Configure all user-facing ports as non-trunking (DTP off)
• Disable dynamic trunk negotiation (DTP) on user ports
• Explicitly configure trunking on infrastructure ports rather than auto-negotiation
• Use VTP transparent mode
• Disable unused ports and place them in an unused VLAN
• Do not use VLAN 1 for anything
• Use all-tagged mode for the native VLAN on trunks
Restrict Layer 2 Switching to Control and Datacentre Layers
[Diagram: Enterprise WAN Services, Enterprise LAN Services, Industrial Services, Datacentre and Internet above Core, Distribution, Access and Control layers.]
• IP routing to the Access layer assists with scale
• Requires another virtualisation mechanism – VRFs?
• VLANs restricted to Access/Control layers
• Spanning Tree Protocols only implemented on Control Layer switches
• Extending Control Layer fibre where Layer 2 networking is required
VRF
“Virtual Routing and Forwarding is a Control Plane technology that allows a router (Layer 3 switch) to have multiple, partitioned, instances of routing tables concurrently”
• Associates to one or more interfaces (privatise an L3 interface)
• Each VRF has its own
  – Forwarding table (CEF, RIB)
  – Routing process (EIGRP, OSPF, ISIS, BGP)
• Interconnect options
  – IEEE 802.1Q, LSPs, GRE, L2 circuits, physical cables
[Diagram: one router holding VRF global, VRF blue and VRF green.]

Example VRF-aware routing configuration (Cisco IOS):
  router ospf 100 vrf green
   network 11.0.0.0 0.255.255.255 area 0
   no passive-interface vlan 2001
  !
  router eigrp 100
   address-family ipv4 vrf blue autonomous-system 100
    network 12.0.0.0 0.255.255.255
    no auto-summary
   exit-address-family
VRF Scaling
Hardware Platform                                 Number of VRFs Supported
IE4000 and IE5000 Industrial Ethernet Switches    26
Catalyst 9300 and IE3400 Access Switches          256
ASR 1000 WAN (boundary) router                    8,000

“As a rule of thumb for VRF-Lite End-to-End it is usually recommended in average-sized networks when not more than 10-15 distinct VRFs are needed”
Cisco Network Virtualisation - Path Isolation Design Guide
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html

[Diagram: 100’s of Production and Service Zones (e.g. Packaging Line 4, Conveyer, Call Manager, Site Historian, VSOM Server, SCADA Server, Unified Communications, Physical Safety and Security, Network Management, etc.) mapped via Security Zones and Segmentation Mechanisms onto the limited number of VRFs.]
Example Production Network VRFs
• Production Control Network – PCN
• Industrial Datacentre
• Industrial DMZ
• Production Services
• Infrastructure (Wireless Access Points)
• Physical Safety and Security
• Unified Communications (Voice and Video)
• Enterprise (Services)
• Production Network Management
• Control Centre

Firewalls
[Diagram: Enterprise WAN Services, Enterprise LAN Services, Industrial Services, Datacentre and Internet above Core, Distribution, Access and Control layers, with indicative firewall counts per layer.]
• Core: 2-4
• Distribution: 8 - 16
• Access: 32 – 100’s
• Control: 100’s – 1,000’s

• Virtual firewalls perform inter-VM/process security – Performance / Cost?
• Application firewalls can perform IDS/IPS functions
• Centralised firewalls can be clustered for High Availability
• Distributed firewalls difficult to scale/manage
• Cost may be justified by a risk analysis
Fusion Routers Allow Centralised Clustered Firewalls
[Diagram: Fusion Routers at the Core interconnect the Production VRFs (Historian “H”, Production Services “PS” and PCN shown) and steer inter-VRF traffic through central clustered firewalls.]
• Centralised Fusion Routers interconnect VRFs. Forces all inter-VRF traffic via central clustered Firewalls
• Route prefix leaking across VRFs
• Enables inter-VRF IDS/IPS
• All intra-VRF traffic flows via the least-cost routed path

Production VRFs
• Production Control Network – PCN
• Industrial Datacentre
• Industrial DMZ (IDMZ)
• Production Services (PS)
• Infrastructure (Wireless Access Points)
• Physical Safety and Security
• Unified Communications (Voice and Video)
• Enterprise (Services)
• Production Network Management
• Control Centre

But how do we secure intra-VRF flows at scale?
TrustSec Concepts
[Diagram: ISE and the Directory classify Users and Devices at the source (IP 5) and at the destination (IP 5); Router, DC Firewall and DC Switch enforce, sharing group information.]
• Classify systems/users based on context (user role, device, location etc.)
• Context or role expressed as a Security Group
• Firewalls, routers and switches use Security Groups to make filtering decisions
• Classify once – reuse Security Group anywhere on network
Where does the Scalable Group Tag reside?
MACsec Frame: Destination MAC | Source MAC | IEEE 802.1AE Header | IEEE 802.1Q | CMD | EtherType | Payload | CRC (the 802.1Q, CMD, EtherType and Payload fields are encrypted* with 128 or 256 bit AES-GCM)
Ethernet Frame: Destination MAC | Source MAC | IEEE 802.1Q | CMD | EtherType | Payload | CRC
Cisco MetaData (CMD): CMD EtherType 0x8909 | Version | Length | SGT Opt Type | SGT Value (16-bit) | Other CMD Options
* Field encrypted by MACsec (optional – capable hardware)

Dynamically Classified
• 802.1X Authentication
• Web Authentication
• MAC Auth. Bypass
• Passive identity [AD]
• Remote Access
• Profiling, Posture, MDM

Statically Classified
• IP Address
• Subnets
• L2 Interface
• L3 Interface
• Port
• VLANs
• VPN
• ACI (Application Centric Infrastructure)
• Virtual Port Profiles

SGT also carried inline over
• QinQ
• DMVPN (IKEv2)
• GRE
• IPSec (IKEv2)
• GETVPN
• VXLAN

Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-capability-matrix.pdf
Network Segmentation with TrustSec
Example classification: Security Group: Manager; Username: johnd; RBAC Group: Store Managers; Location: Store Office; Time: Business Hour
Enforcement points: Switches, Routers, Firewall, DC Switch, Hypervisor SW

Segmentation based on RBAC
• Independent from address based topology
Role based on context
• AD, LDAP attributes, device type, location, time, access methods, etc…
Use Tagging technology
• To represent logical group (Classification)
• To enforce policy on switch, router, and firewall
Software Defined
• Policy managed centrally
• Policy provisioned automatically on demand
• Policy invoked anywhere on the network dynamically
Software Defined Segmentation with Cisco TrustSec
Traditional Security Policy
  access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
  access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
  access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
  access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

TrustSec Role-Based Security Policy
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy

ISE (with the Directory) holds the Identity and Security Policy. Security Group ACLs are EGRESS-only SGACLs: network elements (Switch, Router, Wireless, Firewall, DC Switch) only receive policies for Security Groups that have attached Destination Access Control Lists. Flexible and scalable policy enforcement.

Example SGACL matrix (Source Security Groups: Packaging Line 4 PLC, HMI, Site Historian, SCADA Server; Destination Security Groups: PLC, HMI, Site Historian, SCADA Server):
  HMI ➜ PLC: Permit OPC DA
    permit TCP dst eq 135
    deny all log
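The egress-only SGACL model of this slide and the VRFs + SGTs slide that follows, as an added example (not from the Cisco deck): a policy cell is looked up by (source SGT, destination SGT), its ACEs are applied in order, the slide's "deny all log" catch-all produces a log line, and pairs with no cell fall to the unlogged implicit deny. SGT numbers, the group-to-number mapping and the CIP Class 3 port (TCP 44818) are assumptions; the deck names only the groups.

```python
"""SGACL matrix evaluation (added example, not from the Cisco deck). Models the
egress-only enforcement the slide describes: a policy cell is looked up by
(source SGT, destination SGT) and its ACEs are applied in order, with the
slide's "deny all log" catch-all producing a log line and cells absent from
the matrix falling to the implicit deny. SGT numbers and the CIP Class 3 port
(TCP 44818, EtherNet/IP explicit messaging) are our assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "tcp", "udp" or "ip" (matches any protocol)
    dport: Optional[int] = None  # None matches any destination port
    log: bool = False
    name: str = ""


@dataclass(frozen=True)
class Flow:
    src_sgt: int
    dst_sgt: int
    proto: str
    dport: int


IMPLICIT_DENY = Ace("deny", name="implicit deny")

# Constructed SGT assignments; the deck names the groups, not the numbers.
SGT = {"HMI": 45, "PLC": 90, "SCADA": 333, "HISTORIAN": 666, "PL4_PLC": 1491}

# One cell per (source, destination) pair, each an ordered ACE list.
SGACL: Dict[Tuple[int, int], List[Ace]] = {
    (SGT["HMI"], SGT["PLC"]): [
        Ace("permit", "tcp", 135, name="Permit OPC DA"),   # the slide's HMI -> PLC rule
        Ace("deny", log=True, name="deny all log"),
    ],
    (SGT["SCADA"], SGT["PL4_PLC"]): [
        Ace("permit", "tcp", 44818, name="Permit CIP Class 3"),
        Ace("deny", log=True, name="deny all log"),
    ],
    (SGT["PLC"], SGT["HISTORIAN"]): [
        Ace("permit", "tcp", 44818, name="Permit CIP Class 3"),
        Ace("deny", log=True, name="deny all log"),
    ],
}


def evaluate(flow: Flow, matrix: Dict[Tuple[int, int], List[Ace]] = SGACL) -> Ace:
    """First matching ACE in the cell wins. No cell, or no match, is the
    implicit deny, which is not logged, so a matrix with missing cells can
    silently drop traffic; that is why the slide's SGACL ends in 'deny all log'."""
    for ace in matrix.get((flow.src_sgt, flow.dst_sgt), []):
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace
    return IMPLICIT_DENY


def enforce(flows: List[Flow], matrix=SGACL) -> Tuple[List[Flow], List[str]]:
    """Apply the matrix at an egress point; return permitted flows and the log
    lines a logged deny would send to syslog / SIEM."""
    permitted, logs = [], []
    for f in flows:
        ace = evaluate(f, matrix)
        if ace.action == "permit":
            permitted.append(f)
        elif ace.log:
            logs.append(f"SGACL deny sgt {f.src_sgt}->{f.dst_sgt} {f.proto}/{f.dport} ({ace.name})")
    return permitted, logs


def unlogged_pairs(matrix=SGACL, sgts=tuple(SGT.values())) -> List[Tuple[int, int]]:
    """Audit: (src, dst) pairs that fall to the silent implicit deny because no
    cell exists, so denied traffic between them would never be logged."""
    return [(s, d) for s in sgts for d in sgts if s != d and (s, d) not in matrix]


# Constructed traffic as it would arrive at a Control-layer switch egress port.
SAMPLE_FLOWS = [
    Flow(45, 90, "tcp", 135),       # HMI -> PLC OPC DA: permitted
    Flow(45, 90, "tcp", 44818),     # HMI -> PLC CIP: not in the cell, logged deny
    Flow(333, 1491, "tcp", 44818),  # SCADA -> Packaging Line 4 PLC: permitted
    Flow(666, 90, "tcp", 135),      # Historian -> PLC: no cell, implicit deny, no log
]

if __name__ == "__main__":
    ok, logs = enforce(SAMPLE_FLOWS)
    print(f"{len(ok)} permitted, {len(logs)} logged denies")
    for line in logs:
        print(line)
```

Running `unlogged_pairs()` against a real matrix export is the check a practitioner wants before relying on SGACL logs as a detection source.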
VRFs + SGTs
[Diagram: the Production VRFs (route prefix leaking across the PCN and PS VRFs via the Fusion Router) with SGTs assigned to the Historian, SCADA, PNM and AD servers, HMIs, Operators and the Packaging Line PLCs; ISE distributes SGACLs to the Fusion Router and the Distribution, Access and Control switches. SGT values shown include 45, 90 (Operator), 333, 666 and 1491. SGACLs shown: SGT 45 ⟷ 90 – Permit CIP Class 3; a second Permit CIP Class 3 rule towards SGT 1491; and an Implicit Deny.]

Production VRFs
• Production Control Network – PCN
• Industrial Datacentre
• Industrial DMZ (IDMZ)
• Production Services (PS)
• Infrastructure (Wireless Access Points)
• Physical Safety and Security
• Unified Communications (Voice and Video)
• Enterprise (Services)
• Production Network Management (PNM)
• Control Centre

Packaging Lines: Packaging Line 4 (PL4 PLC), Line Sequencing (PLS PLC)
TrustSec-ACI Integration
Policy integration example – Campus to Data Centre

What
Integration of TrustSec and ACI policy groups enables customers to address breach, segmentation & compliance challenges by sharing policy groups between TrustSec-enabled networks and ACI Data Centres.

Benefits
• Cohesive security policy leveraging user roles and device type together with application context
• Simplified security management
• Complementary group-based policy approaches simplify security design, operations and compliance
• End-to-end segmentation: achieve consistent segmentation across the datacentre, branches, users and devices

Capabilities
Consistent security policy groups can be shared between TrustSec and ACI domains:
• Campus security groups can be used in ACI policies: ACI learns TrustSec Scalable Group Tags (SGTs), and these SGTs are available for use by the APIC policy
• Endpoint Groups (EPGs) can be used in campus policies: ISE retrieves EPGs and creates SGTs
• Can also map groups between TrustSec-enabled Data Centres and ACI Data Centres

[Diagram: TrustSec Policy Domain (ISE; Campus / Branch and Production Networks with groups such as Employee, Unified Coms., Non-Compliant, Control Systems, Physical Safety and Security, Industrial Network Director) ⟷ TrustSec SGTs mapped to and from ACI EPGs ⟷ ACI Policy Domain (APIC-DC; ACI Fabric with applications such as www, MES, SCADA, Site Historian, Database).]
StealthWatch Aware of ACI Groups
Inter-Campus/Datacentre Policy Mapping

Integration of TrustSec and ACI policy groups allows us to make NetFlow aware of Groups from the DC.
StealthWatch then receives NetFlow with SGT information based on the DC groups from ACI.

[Diagram: SGT-aware StealthWatch receiving NetFlow records that carry SGTs; ISE exchanges ACI group info with APIC-DC, shared using Security Group Tags; campus groups (Employee, Unified Coms., Non-Compliant, Control Systems, Physical Safety and Security, Industrial Network Director) and data centre applications (www, MES, SCADA, Site Historian, Database).]
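The SGACL matrix from the VRFs + SGTs slide and the SGT-aware NetFlow audit described here, worked as an added Python example (not Cisco's code): it evaluates a flow against the (source SGT, destination SGT) cell and then flags exported flow records that the matrix would deny. The HMI tag (100), the PLC tag names, the CIP Class 3 = TCP/44818 and CIP Class 1 I/O = UDP/2222 mapping and the sample records are assumptions or constructed.

```python
"""Added example (not Cisco's code): evaluate flows against the SGACL matrix
from the VRFs + SGTs slide and audit SGT-tagged NetFlow-style records the way
a group-aware StealthWatch would. Tags 45, 90, 333, 666 and 1491 are from the
slides; the HMI tag (100), the PLC tag names, CIP Class 3 = TCP/44818 and
CIP Class 1 I/O = UDP/2222, and the sample records are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OPERATOR, SCADA, HISTORIAN = 90, 333, 1491     # Operator and SCADA labelled on the slide
PL4_PLC, PL5_PLC, HMI = 45, 666, 100           # assumed assignments
NAMES = {45: "PL4-PLC", 90: "Operator", 100: "HMI", 333: "SCADA",
         666: "PL5-PLC", 1491: "Historian"}

@dataclass(frozen=True)
class Ace:
    proto: str       # "tcp", "udp" or "ip" (matches any protocol)
    dst_port: int    # destination port; 0 matches any port
    action: str      # "permit" or "deny"
    log: bool = False

CIP_CLASS3 = Ace("tcp", 44818, "permit")        # EtherNet/IP explicit messaging
IMPLICIT_DENY = Ace("ip", 0, "deny", log=True)  # the slide's "deny all log"

# SGACL matrix keyed by (source SGT, destination SGT); the slide's
# bidirectional "<->" entries are expanded into both directions.
POLICY: Dict[Tuple[int, int], List[Ace]] = {
    (PL4_PLC, OPERATOR): [CIP_CLASS3],
    (OPERATOR, PL4_PLC): [CIP_CLASS3],
    (PL5_PLC, SCADA): [CIP_CLASS3],
    (SCADA, PL5_PLC): [CIP_CLASS3],
    (HMI, PL4_PLC): [Ace("tcp", 135, "permit")],  # "Permit OPC DA"
    # (SCADA, HISTORIAN) is absent on purpose: it falls to the implicit deny
}

def evaluate(src_sgt: int, dst_sgt: int, proto: str, dst_port: int) -> Ace:
    """Return the first ACE in the (src, dst) cell matching the flow, or the
    implicit deny when no cell or no entry matches."""
    for ace in POLICY.get((src_sgt, dst_sgt), []):
        if ace.proto in ("ip", proto) and ace.dst_port in (0, dst_port):
            return ace
    return IMPLICIT_DENY

def audit_flows(records: List[dict]) -> List[str]:
    """Flag exported flows the matrix would deny; in a real deployment these
    point at policy drift or an enforcement point that is not applying it."""
    findings = []
    for r in records:
        ace = evaluate(r["src_sgt"], r["dst_sgt"], r["proto"], r["dst_port"])
        if ace.action == "deny":
            findings.append(
                f"{NAMES.get(r['src_sgt'], r['src_sgt'])} {r['src']} -> "
                f"{NAMES.get(r['dst_sgt'], r['dst_sgt'])} {r['dst']} "
                f"{r['proto']}/{r['dst_port']}: denied"
                + (" (logged)" if ace.log else ""))
    return findings

# Constructed NetFlow-style records (not real telemetry): 5-tuple plus SGTs.
SAMPLE_FLOWS = [
    {"src": "10.4.1.10", "src_sgt": 45, "dst": "10.4.2.20", "dst_sgt": 90,
     "proto": "tcp", "dst_port": 44818},  # CIP Class 3: permitted
    {"src": "10.4.1.10", "src_sgt": 45, "dst": "10.4.2.20", "dst_sgt": 90,
     "proto": "udp", "dst_port": 2222},   # CIP Class 1 I/O: not permitted
    {"src": "10.4.1.30", "src_sgt": 100, "dst": "10.4.1.10", "dst_sgt": 45,
     "proto": "tcp", "dst_port": 135},    # OPC DA: permitted
    {"src": "10.4.1.30", "src_sgt": 100, "dst": "10.4.1.10", "dst_sgt": 45,
     "proto": "tcp", "dst_port": 502},    # Modbus/TCP from the HMI: denied
    {"src": "10.3.0.5", "src_sgt": 333, "dst": "10.3.0.9", "dst_sgt": 1491,
     "proto": "tcp", "dst_port": 1433},   # SCADA -> Historian: implicit deny
]

if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS):
        print(line)
```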
An Integrated Model

Threat Feeds and Security Intelligence feed:
• Cisco Web Security
• DNS Security – Cisco Umbrella
• Email Security
• NG Firewalls & Intrusion Protection
• Multi-Factor Authentication
• AnyConnect VPN
• Endpoint Advanced Malware Protection
• NetFlow → StealthWatch anomaly-based detection
• pxGrid → Integrated Response
• Directory
• Identity Services Engine (wired, wireless, VPN)
• Partner Ecosystem: SIEM, MDM, NBA, IPS, IPAM, etc.

Time to detection: as little as 3.5 hours
“Fools ignore complexity.
Pragmatists suffer it. Some can
avoid it. Geniuses remove it.”
Alan Perlis, American Scientist

Cisco Industrial Network Director – For OT users
Network management, device location, and visibility

• Dashboard for monitoring alarms, system health, and traffic statistics
• APIs for integration with automation systems and security platforms
• Native industrial protocol support
• Plug-and-play day-0 configuration
• Plug-and-play server for zero-touch switch commissioning
• Improved industrial asset visibility and network troubleshooting with automation context
• REST APIs for integration with automation systems
• OT intent-driven security workflows through ISE integration
Operations user intent driven policy updates
Putting Operations Personnel in the driver’s seat

[Workflow diagram:]
1 OT user tags assets as "Zone-1" in the Industrial Network Director topology UI to express intent
2 IND publishes the new attribute to ISE over pxGrid
3 In ISE, the pxGrid attribute "Zone-1" matches profiling policy-X and triggers Authorisation policy-Y
4 ISE applies the new dACL, SGT or VLAN to the switch port of the PLC

OT personnel use the IND UI to express intent; the pxGrid update results in an automatic policy update.
IT manages ISE. Operations use IND to express intent to influence Security Policy.
Network Security Evolution

Cloud Services Example

[Diagram: the ISA-95 (Purdue) Model mapped onto the site network hierarchy (Core, Distribution, Access). A Telemetry Aggregation Server VM in the Datacentre and another at Level 3, shown as an example of Fog Computing, feed an Analytics Service running on VMs in the cloud, carried through an Analytics Vendor X VRF and a Packaging VRF. Other labels on the diagram: VLAN 14, VLAN 24, VLAN 54, Packaging Zone P.]
• Level 5 – Enterprise Network
• Level 4 – Site Business Planning and Logistics Network (WAN)
• Level 3.5 – Demilitarised Zone, Shared Access, "Jump Zone"
• Level 3 – Site Manufacturing Operations and Control
• Level 2 – Area Control
• Level 1 – Basic Control
• Level 0 – Process
Intent-Based Networking

Policy, Domain Controller, Provision Intent Services, Orchestration Platform and Network Design, for Users + Devices + Things.

Example intents:
• Create a new Packaging Line (virtual) network.
• Set SCADA traffic IP priority to DSCP 27.
• Allow boiler PLC <–> Historian OPC/UA traffic.

[Diagram: capability layers from intent down to technology-centric functions:]
• Assurance: Network Telemetry Analytics, Network Management, Network Visibility, Assurance APIs, Device Management, Network Services, Automation
• Security: Intrusion Detection, Data Flow Visibility, Scalable Group Tagging, Network Firewalling, VPNs, Network Filters
• Quality of Service: Egress Queue / Schedule, Congestion Control, Marking, Policing / Shaping, Classification
• Clocking: Frequency, Time
• Segmentation: VRF, VLAN, Tunnel
• Connectivity, Forwarding and Pathing; Fabric
Secure segmentation and on-boarding

Simplicity
• No VLAN, ACLs, or IP address management required
• Single network fabric
• Define one consistent policy

Security
• Simplified microsegmentation
• Policy enforcement

[Diagram: Users, Devices and Apps placed in Groups 1–6 across Employee, Production and Contractor virtual networks; drag policy to apply.]

Completely automated | Policy follows identity | Reduces lateral threat movement
Cisco Software Defined Access
Simplifying Campus Networking with Cisco Digital Network Architecture

[Diagram: Cisco DNA Center and Identity Services Engine managing a Network Fabric with Border (B) and Control plane (C) nodes, External Gateways to the Internet, Telemetry Servers and a DMZ, mapped against the ISA-95 (Purdue) Model: Level 5 Enterprise Network; Level 4 Site Business Planning and Logistics Network; Level 3.5 Demilitarised Zone, Shared Access, "Jump Zone"; Level 3 Site Manufacturing Operations and Control; Level 2 Area Control; Level 1 Basic Control; Level 0 Process, with Packaging Zone P.]

Example flows:
• Packaging Zone P Robots <-> Production Telemetry Application on Virtual Machine VM1, using HTTP
• Telemetry Application on VM1 <-> Analytics Cloud Service over Encrypted Tunnel T (TLS), using HTTPS
IoT Switching portfolio

Access (10/100M and 1G): IE1000, IE2000, IE2000U, IE 3200, IE 3300, IE 3400
Aggregation (1G and 10G): IE4000, IE4010, IE5000

[Feature table residue; the per-model columns cannot be reliably reconstructed. IE1000 is the lightly-managed, Layer 2 only model with a web config tool and 30 second boot-up time. Feature vocabulary across the rest of the portfolio: Layer 2 or Layer 3 (IP lite / IP services); 2 GE or 4 GE uplinks, with 4 × 10 GE* uplinks and 24 GE downlinks at the top of the aggregation tier; up to 24 GE ports; PoE/PoE+ (up to 4, 8, 12, 16 or 24 ports by model); IEEE 1588 PTP (default and power profiles); REP, MRP, PRP, HSR, DLR (only Stratix); Layer 2 NAT; Profinet; Cisco TrustSec SGT/SGACL; MACsec; Flexible NetFlow (FNF); Dying gasp; IOx / IOx-ready; TSN / TSN-ready; SDA Fabric Edge; stacking*; conformal coating*; IP30/IP67 and small form factor; timing interfaces (IRIG-B, GPS, TOD); Cisco DNA Essentials / Advantage licensing. Items marked Roadmap or HW-ready were not shipping at the time of the session.]

‘*’ – Selected Models
Extending Intent-Based Networking to IoT
IE 3200, IE 3300, IE 3400 SD-Access extended nodes

Cisco DNA Center: Policy, Automation, Analytics

• Consistent policy across the extended enterprise with Cisco DNA Center and SDA Extension
• IoT device visibility and policy – ISE for IoT: visibility of IoT devices with 600+ device profiles across manufacturing, healthcare and building automation
• Streamline business operations – Cisco Operational Insights to unlock IoT data to streamline operations
• User mobility – policy stays with user, device and service

[Diagram: Extended enterprise (Industrial/IoT network) reached through an SDA extension, joined to the integrated network's SDA fabric.]
Catalyst IE3x00 Rugged Series – Extended Enterprise
Intent based Networking for IoT Edge to Multi-cloud

Models: IE 3200 (basic), IE 3300 (flexible), IE 3400 (advanced)

Manageability
• IBN – Cisco DNA Center management and assurance*
• Redesigned, updated GUI – WEBUI
• Stealthwatch with Netflow

Security
• NG Secure Operating System IOS-XE
• IBN – enterprise fabric extension
• IBN – enterprise fabric
• Cisco TrustSec*

Differentiators
• Advanced networking – Network Advantage*
• Power over Ethernet – High density

Use cases: Warehouses, Distribution centres, Parking lots, Airports

* Post-FCS
Industrial Network Architecture Evolution

Today: CPwE (2013)
• IT ⬌ OT Separation
• Centralised Firewalling
• North ⬌ South Firewalling
• VLAN Segmentation
• Zone ⬌ Zone Firewalling
• Zone Stateful Firewalling
✗ Complex and Inflexible
✗ Limited Security Segmentation
✗ VLAN + VRF scalability issues

Leading Practice Network Design, Dec. 2018: CPwE v5.1 (TrustSec)
• Centralised Firewalls
• North ⬌ South Firewalling
• Fusion Routers
• East – West Zone Segmentation SGACLs
• Policy Controlled Security
• VLAN + VRF Segmentation
• SGT Segmentation
✗ No East-West Segmentation

TrustSec + VRF
• Centralised Firewalls
• Fusion Routers
• VRF ⬌ VRF Firewalling
• Zone ⬌ Zone SGACLs
• Policy Controlled Security
• VRF Segmentation with SGT Zones within VRFs
✗ Flexible, but rigid design methodology required

Future: SDA for Industrial
• Fabric Network
• Centralised Firewalls
• Fusion Routers
• VRF ⬌ VRF Firewalling
• Zone ⬌ Zone RBACLs
• Intent-Based Networking
• Policy Controlled Security
• VNI+SGT (VXLAN encapsulation) Zones
• Simplifies and automates network and security provisioning
✓ Future for Industrial
Industrial Network Security Hierarchy

[Pyramid, from the top down:]

Embedded Processes Driven Security
• Leadership, Production Team and Systems Workflows drive security
• APIs
• Customised tools for non-security/network/operations staff

Best – Advanced Threat Security
• Layered Security Model (IT & OT)
• Security Context Correlation across Layers
• Active Management with Dynamic Threat Updates and Machine Learning
• Production ⬌ Enterprise ⬌ Cloud NetOps and SecOps ➞ digital supply chain

Better – Secure Visibility and Control
• Traffic Flow Telemetry
• Adopt Centralised Policy Control

Good – Secure Network Environment
• Apply Cisco SAFE Guidelines
• Map production/security zones and traffic flows
• Segment the Network into Production Zones
• Whitelist Flows – whitelist flow enforcement with logging
• WWW/DNS/Email security

Baseline – Production Infrastructure and Systems
• Exposed network control plane
• No AAA with multi-factor Authentication
• Flat Networks
• Minimal and inadequate Access Controls and Segmentation
• No Web, Email or DNS security
Q&A

#CLMEL
Continue your education in the World of Solutions: Demos, Labs, Meet The Expert, Related sessions
Complete Your Online Session Evaluation
• Give us your feedback and receive a
complimentary Cisco Live 2019 Power
Bank after completing the overall event
evaluation and 5 session evaluations.
• All evaluations can be completed via
the Cisco Live Melbourne Mobile App.
• Don’t forget: Cisco Live sessions will be
available for viewing on demand after
the event at:
https://ciscolive.cisco.com/on-demand-library/

Thank you

#CLMEL
References
• Cisco SAFE Design Guides
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html
• Cisco VRF-Lite – Cisco Network Virtualisation - Path Isolation Design Guide
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html
• Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-capability-matrix.pdf

References – Cisco Design Guides
• December 2018 – Deploying Network Security within a Converged Plantwide Ethernet Architecture – Joint Cisco Systems and Rockwell Automation design guide
https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/5-1/Network_Security/DIG/CPwE-5-1-NetworkSecurity-DIG.html

References
• Kaspersky Lab Report – Pierre Audoin Consultants (PAC), CXP Group, The State of Industrial Cybersecurity 2019
https://ics.kaspersky.com/media/2019-Kaspersky-ICS-Whitepaper.pdf
https://www.cert.gov.au/news/cyber-security-challenges-2019
https://acsc.gov.au/publications/protect/essential-eight-explained.htm
• “Crash Override / Industroyer” = Ukraine Power Grid Attack
https://www.wired.com/story/crash-override-malware/
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
https://en.wikipedia.org/wiki/Industroyer
• ISA analysis of 2015 Ukrainian Power Grid Cyberattacks
https://www.isa.org/intech/20190406/

Industrial Control Systems Training
• USA Department of Homeland Security ICS-CERT Virtual Learning Portal (VLP) – FREE
https://ics-cert-training.inl.gov/learn
• Good Reads
Industrial Cybersecurity, Pascal Ackerman. Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK. ISBN 978-1-78839-515-1, www.packtpub.com
Acronyms
AAA – Authentication, Authorisation, Accounting
ACI – (Cisco) Application Centric Infrastructure
ACK – Acknowledgement
ACL – Access Control List
AD – (Microsoft) Active Directory
API – Application Programming Interface
APIC – (Cisco) Application Policy Infrastructure Controller
APIC-DC – (Cisco) Application Policy Infrastructure Controller – DataCentre
ARP – Address Resolution Protocol
ASIC – Application-Specific Integrated Circuit
BGP – Border Gateway Protocol
BPDU – Bridge Protocol Data Unit
CoPP – Control Plane Policing
C&C – Command and Control
CC – Controlled Conduit
CEF – Cisco Express Forwarding
CIP – Common Industrial Protocol (ODVA)
CMD – Command
COS – Class Of Service
CPwE – Converged Plantwide Ethernet
CRC – Cyclic Redundancy Check
CTS – Cisco TrustSec
dACL – Dynamic Access Control List
DAI – Dynamic ARP Inspection
DC – Datacentre
DDOS – Distributed Denial of Service
DHCP – Dynamic Host Configuration Protocol
DLR – Device Level Ring
DMVPN – Dynamic Multipoint Virtual Private Network
DMZ – Demilitarised Zone
DNS – Domain Name Service
DNA – (Cisco) Digital Network Architecture
DNA E/A/P – (Cisco) Digital Network Architecture Essentials/Advanced/Premium Licensing
DSCP – (IP) Differentiated Services Code Point
DTP – (Cisco) Dynamic Trunking Protocol
EIGRP – Enhanced Interior Gateway Routing Protocol
EPG – End Point Group
ERP – Enterprise Resource Planning
ERSPAN – Encapsulated Remote Switched Port Analyser
ETA – (Cisco) Encrypted Traffic Analytics
FNF – Flexible NetFlow
GPS – Global Positioning System
GE – Gigabit Ethernet
GETVPN – Group Encrypted Transport Virtual Private Network
GRE – Generic Routing Encapsulation
GUI – Graphical User Interface
HMI – Human Machine Interface
HR – Human Relations
HSR – High-availability Seamless Redundancy (Ring)
HTTP – Hypertext Transfer Protocol
HTTPS – Hypertext Transfer Protocol Secure
HW – Hardware
IACS – Industrial Automation and Control Systems
IBN – Intent-Based Networking
ICMP – Internet Control Message Protocol
ICS – Industrial Control System
IE – Industrial Ethernet
IEC – International Electrotechnical Commission
IDS – Intrusion Detection System
IDMZ – Industrial De-Militarised Zone
IEEE – Institute of Electrical and Electronics Engineers
IETF – Internet Engineering Task Force
IKEv2 – Internet Key Exchange Version 2
IND – Industrial Network Director (Cisco)
IOS – (Cisco) Internetwork Operating System
IOS-XE – “XE” train of the (Cisco) Internetwork Operating System
IOx – Application environment for Cisco Networking Equipment
IP – Internet Protocol
IPAM – Internet Protocol Address Management
IPS – Intrusion Prevention System
IPSec – Internet Protocol Security (protocol suite)
ISA – International Society of Automation
ISE – Identity Services Engine (Cisco)
ISIS – Intermediate System to Intermediate System (Routing Protocol)
IOC – Indicators of Compromise
IRIG-B – Inter-Range Instrumentation Group time code “B”
IT – Information Technology
ITSec – Information Technology Security
L2 – (ISO Model) Layer 2
L3 – (ISO Model) Layer 3
LAN – Local Area Network
LDAP – Lightweight Directory Access Protocol
LIMS – Laboratory Information Management System
LSP – Label Switch Path
LTE – Long-Term Evolution (4G mobile communications standard)
MAB – MAC Authentication Bypass
MAC – Medium Access Control
MACsec – IEEE MAC Security Standard (IEEE 802.1AE)
MDM – Mobile Device Management
MES – Manufacturing Execution System
MRP – Media Redundancy Protocol
NAT – Network Address Translation
NBA – Network Behaviour Analysis
NTP – Network Time Protocol
ODVA – Open DeviceNet Vendor Association
OPC – Open Platform Communications (OPC Foundation)
OPC UA – OPC Unified Architecture
OPS – Operations
OSPF – Open Shortest Path First (Routing Protocol)
OT – Operations Technology
pxGrid – Platform Exchange Grid
PCN – Process Control Network
PLC – Programmable Logic Controller
POE – Power Over Ethernet
POE+ – Power Over Ethernet Plus
PRP – Parallel Redundancy Protocol
PTP – Precision Time Protocol
PVST+ – (Cisco) Per VLAN Spanning Tree Plus
PROFINET – Process Field Net
PROFINET RT – PROFINET Real-Time
PROFINET IRT – PROFINET Isochronous Real-Time
QoS – Quality of Service
RADIUS – Remote Authentication Dial-In User Service
RBAC – Role-Based Access Control
RBACL – Role-Based Access Control List
RDP – Remote Desktop Protocol
REP – Resilient Ethernet Protocol
RIB – Routing Information Base
RSPAN – Remote Switch Port Analyser
SCADA – Supervisory Control And Data Acquisition
SDA – (Cisco) Software Defined Access
SGACL – Scalable Group Access Control List
SGT – Scalable Group Tag
SIEM – Security Information and Event Management
SNMP – Simple Network Management Protocol
SPAN – Switch Port Analyser
SPT – Spanning Tree
STP – Spanning Tree Protocol
SW – Software
TOD – Time Of Day
TCP – Transmission Control Protocol
TLS – Transport Layer Security
TSN – Time Sensitive Networking
UADP – (Cisco ASIC) Unified Access Data Plane
UDP – User Datagram Protocol
USB – Universal Serial Bus
VoIP – Voice Over IP
VLAN – Virtual Local Area Network
VM – Virtual Machine
VN – Virtual Network
VXLAN – Virtual Extensible Local Area Network
VNI – VXLAN Network Identifier
VPN – Virtual Private Network
VRF – Virtual Routing and Forwarding
VSOM – (Cisco) Video Surveillance Operations Manager
VSS – Virtual Switching System
VTP – (Cisco) VLAN Trunking Protocol
WAN – Wide Area Network
WEBUI – World Wide Web User Interface
WWW – World Wide Web