Securing Industrial Networks: Where to Start? (PDF, 55 pages)
BRKIOT-2026: Securing Industrial Networks, Practical Steps to Success
Kevin Wood, IIoT TSA Architecture Leader
Kam Chumley, IIoT TSA
#CiscoLive
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Questions? Use the Cisco Webex App to chat with the speaker after the session: find this session in the Cisco Live Mobile App, click "Join the Discussion", install the Webex App or go directly to the Webex space, and enter messages and questions there. Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Introduction
- Clarify Roles and Responsibilities
- Existing Security Solutions
- OT Visibility
- Network Segmentation
- Threat Remediation
- Conclusion

Common Issues Across OT Environments
1. Lack of OT visibility
2. Vulnerable assets
3. Lack of segmentation
4. Limited OT security skill sets
5. Access control
6. Operational inefficiencies

Roles and Responsibilities Across OT and Cyber

Operational priorities
1. Avoid incidents to maximize uptime
2. Improve operational efficiency
3. Optimize costs

Cybersecurity priorities: the SANS 5 Critical Controls
1. ICS incident response
2. Defensible architecture
3. ICS network visibility and monitoring
4. Secure remote access
5. Risk-based vulnerability management

Who manages security in operational networks? Hint: it must be a team effort.
- IT/NetSec team: objective is network performance and security; brings network management and security expertise.
- InfoSec/SecOps team: objective is threat management and global cybersecurity; brings investigation, remediation and compliance expertise.
- OT/Engineering team: objective is production uptime and profitability; brings knowledge of industrial assets and processes.

The Steps to OT Security

Purdue Enterprise Reference Architecture Model
- Level 4/5, Enterprise (business/enterprise network): workstations, mail server, DNS server, business computers, web server.
- Level 3.5, DMZ: patch management server, jump host, application server, historian mirror.
- Level 3, Operation and Control (control/industrial network): engineering workstations (EWS), historian, switches.
- Level 2, Control: HMI, SCADA, Wi-Fi.
- Level 1, Basic Process: PLCs.
- Level 0, Process: sensors and actuators.

The 4-Step Journey to Securing Industrial Networks
1. Build a security foundation: define the IT/OT boundary (IDMZ) with Cisco Secure Firewall (detect, protect, respond).
2. Gain visibility and device posture: network as a sensor with Cisco Cyber Vision (identify, detect).
3. Segment the network into smaller zones of trust: network as an enforcer with Cisco Identity Services Engine (ISE) (segment, protect, respond).
4. Integrated incident investigation: investigate threats and orchestrate response with Cisco XDR (investigate, respond).

OT Visibility

"You can't secure what you don't know about."

Critical need for visibility into industrial networks
- Identifying OT assets and their communications
- Controlling remote access to engineering stations
- Detecting intrusions and malicious traffic
- Improving network reliability and performance
- Troubleshooting asset configuration issues
Visibility helps drive IT/OT collaboration by sharing a common understanding of the situation.
Typical issues found in industrial networks
- Malware or virus activity
- Security patches not installed (Windows XP, SMBv1)
- OT network fully connected to IT
- Unnecessary network communications (DNS queries to Amazon)
- Default credentials used to log into systems
- Decommissioned assets still connected
- Firmware uploaded over FTP without signature
- Unauthorized remote access by third parties
- IPv6 traffic in IPv4 networks
- Bad firewall or switch configuration
- Unknown devices
- Program upload over VPN during the night
- Devices in the wrong VLAN
- Multiple time servers
Building a reliable and secure industrial network is key to business performance.
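Most of the issues in the list above are visible in plain flow metadata once it is joined with an asset inventory. The script below is an added example written for this page, not Cisco's code and not how Cyber Vision implements its checks: it audits a constructed set of flow records (timestamp, endpoints, DPI application tag, observed VLAN, IP version) against a constructed inventory and reports SMBv1 use, DNS leaving the plant, more than one time server, firmware sent to a PLC over FTP, program uploads at night, decommissioned or unknown devices, devices on an unexpected VLAN, and IPv6 frames in an IPv4-only network. The internal address range, the night-hour window, the application tags and every address are assumptions chosen for the sample.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed asset inventory, the kind of context an OT visibility tool holds per endpoint.
INVENTORY = {
    "10.10.1.5":  {"name": "NTP-1",   "type": "ntp", "vlan": 110, "decommissioned": False},
    "10.10.1.6":  {"name": "NTP-2",   "type": "ntp", "vlan": 110, "decommissioned": False},
    "10.10.1.10": {"name": "PLC-1",   "type": "plc", "vlan": 110, "decommissioned": False},
    "10.10.1.20": {"name": "HMI-1",   "type": "hmi", "vlan": 110, "decommissioned": False},
    "10.10.1.30": {"name": "EWS-1",   "type": "ews", "vlan": 120, "decommissioned": False},
    "10.10.1.99": {"name": "OLD-HMI", "type": "hmi", "vlan": 110, "decommissioned": True},
}
INTERNAL = ip_network("10.0.0.0/8")  # assumption: the plant's own address space
NIGHT_HOURS = range(0, 6)            # assumption: 00:00-05:59 is outside production hours


@dataclass(frozen=True)
class Flow:
    ts: str     # ISO 8601 timestamp of the observation
    src: str    # source IP
    dst: str    # destination IP
    app: str    # application tag as DPI would label it (modbus, smbv1, ftp, dns, ntp, ...)
    vlan: int   # VLAN the flow was observed on (the source's access VLAN)
    ipver: int = 4


# Constructed sample flows, each seeded with one of the issues from the list above.
FLOWS = [
    Flow("2023-06-06T10:02:00", "10.10.1.20", "10.10.1.10", "modbus", 110),             # normal HMI -> PLC
    Flow("2023-06-06T10:05:00", "10.10.1.30", "10.10.1.20", "smbv1", 120),              # SMBv1 still in use
    Flow("2023-06-06T10:07:00", "10.10.1.20", "8.8.8.8", "dns", 110),                   # DNS to the Internet
    Flow("2023-06-06T10:09:00", "10.10.1.20", "10.10.1.5", "ntp", 110),                 # time server 1
    Flow("2023-06-06T10:10:00", "10.10.1.30", "10.10.1.6", "ntp", 120),                 # time server 2
    Flow("2023-06-06T02:30:00", "10.10.1.30", "10.10.1.10", "s7-program-upload", 120),  # upload at night
    Flow("2023-06-06T11:00:00", "10.10.1.30", "10.10.1.10", "ftp", 120),                # firmware over FTP
    Flow("2023-06-06T11:30:00", "10.10.1.99", "10.10.1.10", "modbus", 110),             # decommissioned HMI
    Flow("2023-06-06T11:40:00", "10.10.1.77", "10.10.1.10", "modbus", 110),             # not in inventory
    Flow("2023-06-06T11:45:00", "10.10.1.20", "10.10.1.10", "modbus", 130),             # HMI on wrong VLAN
    Flow("2023-06-06T11:50:00", "fe80::1", "ff02::1", "icmpv6", 110, ipver=6),          # IPv6 in IPv4 net
]


def audit(flows, inventory=INVENTORY):
    """Return sorted, de-duplicated (issue, subject) pairs found in the flow records."""
    findings = set()
    ntp_servers = set()
    for f in flows:
        hour = datetime.fromisoformat(f.ts).hour
        if f.ipver == 6:
            findings.add(("ipv6-in-ipv4-network", f.src))
        if f.app == "smbv1":
            findings.add(("smbv1-negotiation", f.src))
        if f.app == "dns" and ip_address(f.dst) not in INTERNAL:
            findings.add(("external-dns-query", f.src))
        if f.app == "ntp":
            ntp_servers.add(f.dst)
        if f.app == "ftp" and inventory.get(f.dst, {}).get("type") == "plc":
            findings.add(("unsigned-firmware-over-ftp", f.dst))
        if f.app.endswith("program-upload") and hour in NIGHT_HOURS:
            findings.add(("program-upload-at-night", f.dst))
        # Inventory checks apply to internal addresses only; external peers are reported above.
        for ip, role in ((f.src, "src"), (f.dst, "dst")):
            if ip_address(ip) not in INTERNAL:
                continue
            asset = inventory.get(ip)
            if asset is None:
                findings.add(("unknown-device", ip))
            elif asset["decommissioned"]:
                findings.add(("decommissioned-asset-active", ip))
            elif role == "src" and asset["vlan"] != f.vlan:
                findings.add(("device-in-wrong-vlan", ip))
    if len(ntp_servers) > 1:
        findings.add(("multiple-time-servers", ",".join(sorted(ntp_servers))))
    return sorted(findings)


if __name__ == "__main__":
    for issue, subject in audit(FLOWS):
        print(f"{issue:30} {subject}")
```

The checks are deliberately inventory-driven: "unknown device", "decommissioned asset" and "wrong VLAN" are only meaningful relative to what the plant believes it owns, which is why the deck puts asset inventory before everything else.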
Cisco Cyber Vision: visibility and security platform for the Industrial IoT
- Visibility: asset inventory, communication patterns
- Security posture: device vulnerabilities, risk scoring
- Operational insights: track process/device modifications, record control system events
Context and insights that are foundational to building reliable and secure OT networks.

Security that scales with your infrastructure
- Network sensors: deep packet inspection (DPI) built into network elements, eliminating the need for SPAN. Sensor and IDS run on IE3300 and IE3400 switches, the IE3400HD IP67 switch, the IR1101 4G/5G router, the IR8300 multiservice router, Catalyst 9300/9400 and Catalyst IE9300 rugged aggregation switches.
- Hardware sensor: DPI via SPAN to support brownfield, on IC3000 Industrial Compute (sensor and IDS).
- Cyber Vision Center: centralized analytics and data visualization, fed with lightweight metadata from the sensors; Cisco and third-party integrations.
Visibility and threat detection built into your industrial network.

The role of the Cyber Vision sensor
1. Collects industrial network traffic: captures industrial network flows (passive) and queries devices (active); stores data locally in case the Center is not accessible.
2. Decodes industrial protocols (DPI): understands most OT and IT communication protocols to analyze packet payloads and extract meaningful information.
3. Sends metadata to the Cyber Vision Center for storage, analysis and visualization. This adds only 3 to 5% extra traffic to the network.

Why is a network sensor important? DPI location matters.
Most industrial network traffic is East-West, not North-South: most industrial control traffic is local to the production cell (Purdue levels 0-1 and 2) and never reaches level 3.
- Mirroring traffic at the aggregation layer is a non-optimal location: it gives visibility to North-South traffic only.
- Mirroring traffic at the cell layer is expensive: it requires additional hardware and cabling for an out-of-band SPAN network.
- Sensors embedded in the network see everything that attaches to them.

Why is a network sensor important? RSPAN is not a viable option for control system networks.
- RSPAN introduces jitter and latency: head-of-line blocking caused by inline SPAN traffic competing with control traffic negatively impacts time-sensitive control loops. RSPAN in LANs is detrimental to control system performance.
- A sensor embedded in the network generates lightweight metadata that does not congest QoS queues.

Why is a network sensor important? Visibility you can deploy at scale without the need for costly SPAN networks.
- Other solutions: SPAN-based solutions incur huge additional hidden costs: expensive SPAN cabling, an out-of-band SPAN collection network, and a massive increase in traffic due to SPAN.
- Cisco Cyber Vision: easy deployment and low TCO. Sensors on Cisco IE3400 and Catalyst 9K switches (and on the Cisco IC3000 for non-Cisco switches) send lightweight application-flow metadata to the Cyber Vision Center.
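The "DPI location matters" argument can be checked on a topology before any hardware is bought. The following is an added example, not Cisco's code: it models a constructed tree topology (an industrial IDF with two cell switches below it, PLC/HMI/IO endpoints on the cells, SCADA at the IDF), computes which nodes a frame between two endpoints must traverse, and from that the fraction of flows a given sensor placement can decode. The device names, the flow mix (six intra-cell, two from SCADA) and the assumption that the topology is a loop-free tree are all choices made for the sample.

```python
from dataclasses import dataclass

# Constructed tree topology: node -> parent (None for the root). Endpoints hang off the
# cell switches; the industrial IDF (Catalyst 9300) is the aggregation point toward level 3.
TOPOLOGY = {
    "idf-cat9300": None,
    "scada": "idf-cat9300",           # level 3 server attached at the IDF
    "cell1-switch": "idf-cat9300",
    "cell2-switch": "idf-cat9300",
    "plc-1": "cell1-switch", "hmi-1": "cell1-switch", "io-1": "cell1-switch",
    "plc-2": "cell2-switch", "hmi-2": "cell2-switch", "io-2": "cell2-switch",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    app: str


# Constructed flows: six intra-cell (East-West) conversations and two from SCADA (North-South).
FLOWS = [
    Flow("hmi-1", "plc-1", "modbus"), Flow("plc-1", "io-1", "profinet"), Flow("hmi-1", "io-1", "snmp"),
    Flow("hmi-2", "plc-2", "modbus"), Flow("plc-2", "io-2", "profinet"), Flow("hmi-2", "io-2", "snmp"),
    Flow("scada", "plc-1", "opc-ua"), Flow("scada", "plc-2", "opc-ua"),
]


def ancestors(node, topology=TOPOLOGY):
    """Chain from the node up to the root, node first."""
    chain = []
    while node is not None:
        chain.append(node)
        node = topology[node]
    return chain


def path_nodes(a, b, topology=TOPOLOGY):
    """All nodes a frame traverses between a and b. In a tree the path is unique and
    runs through the lowest common ancestor (LCA) of the two endpoints."""
    up_a, up_b = ancestors(a, topology), ancestors(b, topology)
    lca = next(n for n in up_a if n in up_b)
    return set(up_a[:up_a.index(lca)]) | set(up_b[:up_b.index(lca)]) | {lca}


def visible_flows(flows, sensor_nodes, topology=TOPOLOGY):
    """Flows whose path crosses at least one node carrying a DPI sensor."""
    sensors = set(sensor_nodes)
    return [f for f in flows if path_nodes(f.src, f.dst, topology) & sensors]


def coverage(flows, sensor_nodes, topology=TOPOLOGY):
    """Fraction of flows that a given sensor placement can decode."""
    return len(visible_flows(flows, sensor_nodes, topology)) / len(flows)


if __name__ == "__main__":
    print("sensor at IDF only:       ", coverage(FLOWS, {"idf-cat9300"}))
    print("sensors on cell switches: ", coverage(FLOWS, {"cell1-switch", "cell2-switch"}))
```

With this traffic mix a sensor at the IDF decodes only the two SCADA conversations (25% of flows), while sensors on the two cell switches see everything, which is the deck's point about East-West traffic never reaching the aggregation layer.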
Why is a network sensor important? Distributed edge active discovery gives you 100% visibility.
- Other solutions: centralized active discovery cannot see behind firewalls and NAT boundaries.
- Cisco Cyber Vision: active discovery requests sent by edge sensors can see more, including PLC/RTU/IED devices behind a NAT/firewall boundary; only lightweight metadata is returned to the Center.

IT has no visibility below the industrial IDF
Reference topology: Enterprise IT (datacenter, Security Operations Center, Cisco Catalyst) connects over the WAN through Cisco Secure Firewall (I-DMZ) to the industrial core and the industrial IDF. Purdue Level 3 (Operations and Control) hosts MES, historian and SCADA; Purdue Levels 0-2 (Process) hold the industrial switches of Zone 1 and Zone 2 with HMIs, PLC/RTU/IEDs and the SIS.
How can IT leverage network equipment it owns to gain visibility into OT?

Your Catalyst switches let you turn on the lights
- Step 1: a Cyber Vision sensor on the Catalyst 9300 in the industrial IDF gives you visibility to North-South communications to identify key assets.
- Step 2 (get OT buy-in by showing the benefits of visibility): work with OT to identify the critical industrial switches that connect these key assets.
- Step 3 (gain full visibility to improve your security posture): replace the critical switches with Cisco IE switches (IE3400) running the Cyber Vision sensor to see the entire OT network. Note: you don't need to replace all industrial switches, just the ones connecting to PLCs.

Cyber Vision gives you visibility on traffic that needs attention and potential reconfiguration.

Automatically identify asset vulnerabilities and assign scores.

Visibility benefits security and operations
- Build a collaborative workflow between IT and OT
- Improve network performance
- Reduce attack surface
- Improve operational efficiency
Network Segmentation

Segmentation is the key to protecting OT assets: use the NIST and ISA/IEC 62443 guidelines.
- ISA/IEC 62443: divide the network into zones (Enterprise, DMZ, Industrial Data Center, Cell/Area Zone 1, SIS) that communicate only through defined conduits.
- NIST Zero Trust guidance.

Use Cyber Vision to group assets in zones (for example Zone 1 with the PLCs, Zone 2 with the MES).

Cyber Vision + ISE simplifies segmentation
- OT: "I can group assets into zones that match my industrial process." The Cyber Vision map view groups the HMI and PLC/RTU/IEDs behind each industrial switch into the Cell 1 and Cell 2 segments.
- Cyber Vision updates Cisco ISE over pxGrid with the asset endpoint identities and the group (for example Cell1) as a custom attribute.
- IT: "I can build security policies that will not disrupt production." The Cisco ISE policy matrix enforces segmentation of the industrial network with SGTs, dACLs and VLANs.
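The zones-and-conduits model behind this slide can be expressed as a small policy matrix and evaluated against observed flows before it is pushed to an enforcement point. The code below is an added example, not Cisco's code and not the ISE policy format: zone membership plays the role of the group attribute Cyber Vision hands to ISE, the conduit table is the matrix (source zone, destination zone, allowed applications), intra-zone traffic is allowed, anything with no conduit is denied, and an asset with no zone is denied by default in the zero-trust spirit the deck cites. Zone names, asset names, the allowed protocols and the sample traffic are all constructed.

```python
from dataclasses import dataclass

# Constructed zone membership, the "group" attribute an asset would carry into ISE.
ZONES = {
    "plc-1": "Cell1", "hmi-1": "Cell1",
    "plc-2": "Cell2", "hmi-2": "Cell2",
    "scada": "Level3", "historian": "Level3",
    "patch-server": "IDMZ",
}

# Constructed conduit table in the spirit of a policy matrix: (src zone, dst zone) -> allowed
# application tags. "*" means any application. Pairs absent from the table are denied.
CONDUITS = {
    ("Cell1", "Cell1"): {"*"},
    ("Cell2", "Cell2"): {"*"},
    ("Level3", "Level3"): {"*"},
    ("Level3", "Cell1"): {"modbus", "s7"},
    ("Level3", "Cell2"): {"modbus"},
    ("Cell1", "Level3"): {"opc-ua"},
    ("Cell2", "Level3"): {"opc-ua"},
    ("IDMZ", "Level3"): {"https"},   # patches reach level 3 only, never a cell directly
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    app: str


def decide(flow, zones=ZONES, conduits=CONDUITS):
    """Return ("permit"|"deny", reason) for one flow. Unknown assets are denied by default."""
    sz, dz = zones.get(flow.src), zones.get(flow.dst)
    if sz is None or dz is None:
        return "deny", "asset not assigned to any zone"
    allowed = conduits.get((sz, dz))
    if allowed is None:
        return "deny", f"no conduit {sz} -> {dz}"
    if "*" in allowed or flow.app in allowed:
        return "permit", f"conduit {sz} -> {dz}"
    return "deny", f"{flow.app} not allowed on conduit {sz} -> {dz}"


def violations(flows, zones=ZONES, conduits=CONDUITS):
    """Flows that cross zones without a matching conduit: what an inter-zone alert fires on."""
    out = []
    for f in flows:
        verdict, reason = decide(f, zones, conduits)
        if verdict == "deny":
            out.append((f, reason))
    return out


def matrix(zones=ZONES, conduits=CONDUITS):
    """Zone x zone view of the policy: 'any', a comma-separated app list, or 'deny'."""
    names = sorted(set(zones.values()))
    table = {}
    for s in names:
        for d in names:
            allowed = conduits.get((s, d))
            if allowed is None:
                table[(s, d)] = "deny"
            elif "*" in allowed:
                table[(s, d)] = "any"
            else:
                table[(s, d)] = ",".join(sorted(allowed))
    return table


# Constructed sample traffic
FLOWS = [
    Flow("hmi-1", "plc-1", "modbus"),        # intra-cell, permitted
    Flow("scada", "plc-1", "modbus"),        # level 3 to cell over an allowed protocol
    Flow("scada", "plc-1", "ftp"),           # wrong protocol on a valid conduit
    Flow("hmi-2", "plc-1", "modbus"),        # cross-cell, no conduit
    Flow("patch-server", "plc-2", "https"),  # IDMZ straight into a cell
    Flow("laptop-7", "plc-1", "s7"),         # unknown asset
]

if __name__ == "__main__":
    for f, reason in violations(FLOWS):
        print(f"DENY {f.src} -> {f.dst} ({f.app}): {reason}")
```

Running the policy over recorded flows before enforcement is what lets IT promise OT that the matrix "will not disrupt production": every denial it reports is a conversation that would be cut, so each one is either a policy gap to fix or a real finding to investigate.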
Threat Remediation

Cyber Vision extends IT security to OT
- Visibility: Cyber Vision sensors (deep packet inspection built into your Cisco industrial network) feed the Cyber Vision Center (OT application flow analysis).
- Visibility into OT assets and context is shared across all your IT security tools:
  - Cisco ISE: access control, policy-based segmentation
  - Cisco Secure Firewall: traffic filtering
  - Cisco Secure Analytics: NetFlow analysis
  - Cisco SecureX: correlate threat intelligence, orchestrate remediation

Baselines highlight abnormal behaviors
Cyber Vision behavior modeling automatically triggers alerts on deviations from the baselines:
- New and modified assets
- New activities between assets
- Variable changes
- Program modifications
Accept changes into continuous monitoring, or trigger alerts to investigate the changes. Provide feedback on anomalies to give context to security analysts.

Set advanced detection strategies
- Baseline per sensor or group of devices: monitor specific production lines, asset types or industrial sites.
- Baseline per behavior: remote connections, DNS activities, SMB negotiations, encrypted traffic, OT devices detected, control system behaviors, or any other behavior tagged by DPI.
- Minimize false positives: create different baselines for production and maintenance states.
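The two slides above describe a baseline that is learned per group of devices and per operating state, reports new assets, new activities and program modifications, and absorbs analyst-accepted changes. The code below is an added example written for this page, not Cyber Vision's implementation: it keeps one baseline per (group, state) pair, learns from a constructed set of events, flags deviations, and folds accepted deviations back in. The event fields, the "production"/"maintenance" state names, the "program-download" tag and the sample events are assumptions made for the sample.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    group: str        # sensor or device group (a production line, a site, an asset type)
    state: str        # operating state the event was seen in: "production" or "maintenance"
    src: str
    dst: str
    app: str          # behavior tag as DPI would label it
    detail: str = ""  # e.g. the program name for a program download


class Baseline:
    """What is normal for one (group, state): known assets, known (src, dst, app)
    activities and known programs per controller."""

    def __init__(self):
        self.assets = set()
        self.activities = set()
        self.programs = set()

    def learn(self, ev):
        self.assets.update((ev.src, ev.dst))
        self.activities.add((ev.src, ev.dst, ev.app))
        if ev.app == "program-download":
            self.programs.add((ev.dst, ev.detail))

    def check(self, ev):
        """Deviations of one event from this baseline; an empty list means 'as usual'."""
        alerts = []
        for asset in (ev.src, ev.dst):
            if asset not in self.assets:
                alerts.append(("new-asset", asset))
        if (ev.src, ev.dst, ev.app) not in self.activities:
            alerts.append(("new-activity", f"{ev.src}->{ev.dst} {ev.app}"))
        if ev.app == "program-download" and (ev.dst, ev.detail) not in self.programs:
            alerts.append(("program-modification", f"{ev.dst} {ev.detail}"))
        return alerts


class Monitor:
    """One baseline per (group, state), so maintenance activity does not pollute the
    production baseline and routine production traffic does not mask maintenance changes."""

    def __init__(self):
        self.baselines = defaultdict(Baseline)

    def learn(self, events):
        for ev in events:
            self.baselines[(ev.group, ev.state)].learn(ev)

    def check(self, ev):
        return self.baselines[(ev.group, ev.state)].check(ev)

    def accept(self, ev):
        """Analyst feedback: the deviation is legitimate, fold it into continuous monitoring."""
        self.baselines[(ev.group, ev.state)].learn(ev)


# Constructed learning period for production line 1.
LEARNED = [
    Event("line1", "production", "hmi-1", "plc-1", "modbus"),
    Event("line1", "production", "scada", "plc-1", "opc-ua"),
    Event("line1", "maintenance", "ews-1", "plc-1", "program-download", "mixer_v3"),
    Event("line1", "maintenance", "ews-1", "plc-1", "s7-comm"),
]

# The same program download seen in each state (constructed).
PROD_UPLOAD = Event("line1", "production", "ews-1", "plc-1", "program-download", "mixer_v4")
MAINT_UPLOAD = Event("line1", "maintenance", "ews-1", "plc-1", "program-download", "mixer_v4")


def build_monitor(events=LEARNED):
    mon = Monitor()
    mon.learn(events)
    return mon


if __name__ == "__main__":
    mon = build_monitor()
    print("in production: ", mon.check(PROD_UPLOAD))
    print("in maintenance:", mon.check(MAINT_UPLOAD))
```

The same download from the engineering workstation raises three alerts in the production state (unknown asset, unknown activity, changed program) but only one in the maintenance state (changed program), which is the false-positive reduction the "different baselines for production and maintenance" bullet is after; after an analyst accepts it, it raises none.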
Cisco Secure Analytics + Cyber Vision: Cyber Vision helps Secure Analytics investigate and detect threats in industrial networks
- Enrich host information in Cisco Secure Analytics with rich context from Cyber Vision.
- Easily identify flows mapped to industrial endpoints with Cyber Vision-informed host-group attributes.
- Create alert policies to identify and alert on inter-zone communications.

Cisco Secure FMC + Cyber Vision
- Map ICS device identity to hosts in Firepower for use in Secure Firewall correlation policy.
- Identify anomalous flows in Cyber Vision and kill FTD firewall sessions.
- Leverage host attributes from Cyber Vision to alert on unexpected behavior.

Firewall Threat Defense (FTD) kill sessions
1. Cyber Vision detects an event: baseline change, new component, new activity, new variable, or Snort alert (reported by the sensor on the IE switch connecting the HMI and PLC/RTU/IED).
2. The Cyber Vision Center sends a command to the firewall (ISA3000) to kill the associated session.
3. The firewall blocks the session.
Investigation and orchestration with SecureX
Leverage Cyber Vision observables to:
- Create and manage incidents in SecureX
- Create and orchestrate playbooks
- Launch investigations in Talos, Umbrella, Secure Endpoint, Threat Grid, etc.
The SecureX ribbon in Cyber Vision is used for investigations and remediation orchestration.

Promote Cyber Vision events to SecureX incidents
1. View events in Cyber Vision: events generated in Cyber Vision for process anomalies, signatures and control system events can be promoted.
2. Promote the event to SecureX.
3. Launch the investigation in SecureX: investigate the threat with enrichment from Cisco and third-party security products.

SecureX ribbon on Cyber Vision: unify visibility and accelerate incident response using Cyber Vision observables.

SecureX threat investigation: investigate in Cisco SecureX Threat Response leveraging information from Cyber Vision, for a holistic view across the entire organization.

Scenario example
1. Cyber Vision detects abnormal behavior from a Windows workstation.
2. An investigation is created in SecureX.
3. SecureX gets data from the integrated portfolio:
   - Secure Endpoint: an AMP event was triggered on the same machine earlier that day with a suspicious file.
   - Secure Email: the file was detected on Cisco Secure Email and opened by Bob.
   - Secure Firewall/Umbrella: the workstation attempted to reach out to a suspicious domain but was blocked by Secure Firewall.
4. The file is added to the investigation.
5. A response action is sent.
6. ISE quarantines the device by changing its SGT, or performs host isolation.
Conclusion

Practical steps to success: key takeaways
1. Gaining visibility into your OT is the key. Beware of hidden costs: only network sensors can scale. Leverage Cyber Vision in your industrial network to get buy-in from OT.
2. Leverage visibility to demonstrate quick wins. Fix all low-hanging fruit to improve security posture. Build collaboration with OT by showing you can improve network performance.
3. Extend IT security to your industrial operations. Drive network segmentation by using Cyber Vision with ISE. Gain visibility on the global enterprise by sharing OT context with IT security tools.

Next steps
- Find us in the World of Solutions.
- Continue your education: visit the Cisco Showcase for related demos, book a one-on-one Meet the Engineer meeting, attend the interactive education with DevNet, Capture the Flag and Walk-in Labs, and visit the On-Demand Library for more sessions.