Leveraging Industrial device visibility and operational intent to inform security policies and controls.pdf

Uploaded by sipteck, 84 slides, Aug 12, 2024

About This Presentation

Leveraging Industrial device visibility and operational intent to inform security policies and controls


Slide Content

Daniel Behrens – Technical Marketing Engineer, IoT Management and Security (@danielrbehrens)
Sunil Maryala – Technical Marketing Engineer, IoT Management and Security
BRKIOT-2204
Leveraging Industrial device visibility and operational intent to inform security policies and controls

Questions?
Use Cisco Webex Teams to chat with the speaker after the session.
How:
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

IT and Operations need to work together

Agenda
• Why is Industrial Different?
• Where do we start?
• Identification of assets and application level communication
• Architectural Considerations
• Integration with Enterprise Security Portfolio
• Macro to Micro segmentation
• Cisco Firepower for Industrial Security

What we won’t cover
• Full configurations for integrations with ISE, Cisco DNA-C, Stealthwatch and Firepower Management Center
• Full details related to ISE and Cisco DNA-C configuration for pushing security policies across the environment
• Full details related to Stealthwatch configuration for receiving NetFlow information from across the architecture

Why is Industrial Different?

Industrial Traffic - Ethernet/IP
(Diagram: Engineering Laptop and Industrial Application in the Manufacturing Zone behind the IDMZ; HMIs, Drive and Controller in Cell/Area Zones on IE2K / IE4K switches)
CIP Explicit - informational control and administration
• Intra- and inter-cell/area zone traffic flow
• Non-critical administrative or data traffic using TCP
• ~1500 bytes, infrequent
• Above 500 ms
CIP Implicit - producer & consumer
• >80% local
• Cyclical I/O traffic, UDP unicast and multicast
• <500 bytes, frequent
• 0.5 to 10’s of ms, typically 20 ms

Industrial Traffic - Profinet
PROFINET CBA
• Component Based Automation
• Built on DCOM (Distributed Component Object Model) and RPC (Remote Procedure Call) technologies
• Object oriented approach to communications between distributed islands of automation
• Provides a scalable architecture for dealing with complex distributed automation and control systems
PROFINET IO
• Connection between distributed IO Devices and Controllers
• Defines three communication channels: PROFINET NRT – Non-Real-Time, PROFINET RT – Real-Time, PROFINET IRT – Isochronous Real-Time
• IP application protocols for configuration and maintenance functions: DHCP, DCP, DNS, HTTP/S, etc.
Diagram (PROFINET communication channels, left to right):
• Standard (IT) communications – HMI/SCADA, PROFINET CBA, IT applications; TCP/UDP/IP over Ethernet; non real-time, 100 ms cycle; response <100 ms
• Factory automation – PROFINET CBA/RT, PROFINET IO; UDP / Ethernet; real-time, 10 ms cycle; response <10 ms
• Motion control – PROFINET IRT; time-synchronised Ethernet; isochronous real-time, <1 ms cycle; response <1 ms

Some common Ethernet protocols in industrial environments
Manufacturing
• CIP - Ethernet/IP
• Profinet – S7
• Modbus TCP
• OPC (DA, UA)
• CC Link
• FINS
Utilities
• GOOSE / IEC 61850
• DNP3
• Modbus TCP
Others
• BACnet
• MTConnect
“IT”
• DNS
• AD
• NTP

Industrial Network Topologies
Comparison criteria for Linear, Ring and Redundant Star topologies (each rated Worst / OK / Best on the slide):
• Cabling Requirements
• Ease of Configuration
• Implementation Costs
• Bandwidth
• Redundancy and Convergence
• Disruption During Network Upgrade
• Readiness for Network Convergence
• Overall Network TCO and Performance
Diagrams: Star/Bus, Linear, Ring and Redundant Star Cell/Area Zones, each with controllers, drives, distributed I/O and HMIs on IE2K / IE4K access switches uplinked to an IE5K distribution switch (a Cisco Catalyst 2955 in the Star/Bus example).

IP Addressing in Industrial Environments
• Statically addressed
• Large layer 2 domains
• Simplify assignment / replacement
• Simplify communication configuration
• Address re-use as legacy equipment is migrated

Why Static IP Addressing?
• IP address used to configure communications

Why Resiliency Matters
• Connection times range from 2 to 750 ms
• Defaults to unicast now
• Can fault the controller (process stop)

Typical Application Flows are local
• Majority of traffic is East / West*
• Advanced applications increasing North / South
• Often never leaving the cell or access switch

Getting Started

Discover & Baseline → Segment → Detect → Respond
Most industrial customers don’t have an accurate asset inventory
Blind to what their assets are communicating with
You cannot secure what you don’t know

Comprehensive Industrial IoT Security Architecture
Segmentation lifecycle: Identify → Monitor → Group and Policy Definition → Enforce

Securing Industrial Networks with Cisco IoT
Objectives:
• Detect vulnerabilities
• Prevent malware from spreading
• Detect malicious intrusions
• Detect attempts to scan & modify OT assets
• Investigate and remediate threats
Components shown on the slide:
• Threat Intelligence
• Cyber Vision – Vulnerability Detection
• Centralized Segmentation Policy
• Firepower IPS – Zone Segmentation
• TrustSec – Micro Segmentation
• Cyber Vision – Anomaly Detection
• Cisco Threat Response
• Firepower / Cyber Vision – Intrusion Detection
• AMP / Threat Grid – Malware Detection
• Umbrella – DNS & IP Security

Identification of assets and application level communication

Typical ICS Visibility & Detection Solution
Industrial protocol DPI-based passive monitoring: SPAN traffic from the industrial control network (industrial switch) to a monitoring system (server appliance).
Port mirroring is not a scalable solution!

ICS visibility and detection solution types
What is really going on under the hood
1. Single server: SPAN all traffic to the server; the server does DPI, analytics and visualization.
2. Midweight sensor + server: SPAN traffic to sensors, which do DPI and analytics and send metadata to the server; the server does additional analytics and visualization.
3. Lightweight sensor + server (Cisco): SPAN traffic to sensors, which do DPI only and send metadata to the server; the server does analytics and visualization.

Cisco Cyber Vision
Security that scales with your network infrastructure
• Network sensors (deep packet inspection built into network elements): IE 3400 switch sensor, IR 1101 gateway sensor, Catalyst 9000 switch sensor
• Hardware sensor (to support brownfield): IC3000 Industrial Compute sensor
• Cyber Vision Center (centralized analytics)
• Cisco integrations: ISE, Stealthwatch, Firepower, DNA-C
• Partner integrations: SIEM, CMDB, ICS vendor software
Availability labels on the slide: Available Spring 2020; Shipping; Shipping

Why is a network-sensor important?
DPI location matters!
• Mirroring traffic at the aggregation layer results in visibility to only North-South traffic (suboptimal location: most control traffic is local to the cell)
• Mirroring traffic at the cell layer requires an expensive out-of-band SPAN network (additional hardware and cabling)
A sensor embedded in the network sees everything that attaches to it
(Diagram: ICS network across Purdue Levels 3, 2 and 0-1)

Why is a network-sensor important?
RSPAN introduces jitter!
• Head-of-line blocking caused by inline SPAN traffic negatively impacts time-sensitive control loops
• RSPAN in LANs is detrimental to control system performance
A sensor embedded in the network generates lightweight metadata that does not congest QoS queues
(Diagram: SPAN traffic competing with control traffic across Purdue Levels 3, 2 and 0-1)

Why is a network-sensor important?
SPAN is expensive in WANs
Wireless bandwidth is expensive
• Sending SPAN traffic over 3G/LTE WAN links is cost prohibitive
• Installing an appliance per site is an expensive alternative
• A sensor embedded in the network only generates lightweight Application-Flow metadata
(Diagram: remote sites reaching a monitoring station over LTE ($$$))

Why is a network-sensor important?
SPAN is not feasible in FANs
No place to house a standalone sensor
• Visibility into Field Area Network (FAN) traffic in distribution automation is only possible if the DPI is performed on the DA router
• Sending SPAN traffic over 3G/LTE links from the DA router is too expensive
• A sensor embedded in the DA router only generates lightweight Application-Flow metadata
(Diagram: DA router on a wireless mesh, backhauled over LTE ($$$))

Visibility Using your Network Infrastructure
The Cisco industrial network lets you see everything that connects to it
Monitoring at the edge
• Cyber Vision sensors embedded into industrial network equipment
• No additional hardware needed
• No need for an out-of-band monitoring network
Easy deployment, low TCO
(Diagram: sensors across the ICS network send lightweight Application-Flow metadata to the Cyber Vision Center)
Cisco is the only vendor on the market with an edge strategy for OT cybersecurity

Cisco Cyber Vision for Utilities
Security that can be deployed at scale
(Diagram: sensors on IR gateways, IE switches, CGR routers and ISA firewalls across Generation, Transmission and Distribution)

Cisco Cyber Vision for Oil & Gas
Security that can be deployed at scale
(Diagram: sensors on IR gateways, IE switches and IW access points across Upstream, Midstream and Downstream)

Cisco Cyber Vision for Manufacturing
Security that can be deployed at scale
(Diagram: sensors on IE switches, ISA firewalls and IW access points)

Visibility: Comprehensive Asset Inventory
■ Automatically maintain a detailed list of all OT & IT equipment
■ Immediate access to software & hardware characteristics
■ Track rack-slot components
■ Tags make it easy to understand asset functions and properties
Track the industrial assets to protect throughout their life cycles

Visibility: Track Application Flows
▪ Identify all relations between assets including application flows
▪ Spot unwanted communications & noisy assets
▪ Tags make it easy to understand the content of each communication flow
▪ View live information or go back in time
Drive network segmentation and fine-tune configurations

Visibility: Instantaneous Vulnerability Identification
▪ Automatically spot software vulnerabilities across all your industrial assets
▪ Access comprehensive information on vulnerability severities and solutions
▪ Built-in vulnerability database, always up to date
Enforce cyber-hygiene best practices

Integration with Enterprise Security Portfolio

Cisco Security for Industrial IoT
Comprehensive Industrial IoT Security Architecture
• Cisco ISE – Access Control
• Cisco Firepower – Traffic Filtering
• Cisco Stealthwatch – Network Flow Analysis
• Cisco DNA-C – Network Management
• Cyber Vision Center – Operational Insights, Threat Detection
• Threat Intelligence – Talos
• Threat Response – CTR
Visibility: Cyber Vision sensors, deep packet inspection built into the Cisco industrial network (switches, gateways, access points)

Cisco ISE Integration
Extend security policies to your industrial network
• ISE endpoints are enriched with context from Cyber Vision (over pxGrid)
• Use ICS attributes (PLC, Siemens, Cell-1) to define profiling policy
• Segment your network to prevent malware and ransomware from spreading
The Cisco industrial network provides visibility and enforces security policy (TrustSec): industrial switching, industrial wireless, industrial routing, IoT gateways, mesh / LoRA, industrial firewalls, embedded

Industrial Asset Visibility in ISE through Cisco Cyber Vision
Endpoint attributes in ISE populated by FTNM
Asset identity: this is a CompactLogix controller, manufactured by Rockwell Automation, has serial number xxx, running firmware abc, speaks CIP, attached to switch efg, and it is in Cell-1 in the Austin plant…

ISE profiling OT endpoints
(Screenshots: IoT asset attributes; attributes from IND; profiling a Rockwell PLC)

ISE Authorization Policy

ISE Authorization Profiles

ISE TrustSec Policy

Cisco Stealthwatch Integration
Speed up incident response and forensics
• Stealthwatch flows enriched with context from Cyber Vision (over the REST API)
• Use ICS attributes (PLC, Siemens, Cell-1) to define host-group policy
• Pinpoint ICS assets when Stealthwatch raises alarms at Level-3 for north-south traffic from the industrial network to the Enterprise
(Diagram: ICS visibility of PLC, IO, Drive and Controller assets)

Integrating Industrial Asset Visibility in Stealthwatch
Asset identity: the source is a Rockwell Automation HMI, in Cell-1, speaking CIP, to a Rockwell Automation Controller in Cell-2

Segmentation Monitoring with Stealthwatch
• Define communication policy between zones
• Monitor for violations
(Diagram: Engineering Laptop and Network Management in the Manufacturing Zone behind the IDMZ; HMIs, Drive and Controller in Cell-1 and Cell-2 on IE2K / IE4K switches; flows labelled NO ACCESS, HTTP and CIP)

Policy Modeling and Monitoring
When a new flow is generated between devices in different segments, an alarm is generated.
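As an added example (not Cisco or Stealthwatch code), the zone-to-zone policy check and the "new flow between segments" alarm the two slides describe, modelled in Python over constructed flow records; the subnet-to-zone map, the policy matrix and the sample flows are assumptions for illustration.

```python
"""Zone-to-zone communication policy monitor (added example, not Cisco code).

Defines which application flows are allowed between Cell-1, Cell-2, the
Manufacturing Zone and the IDMZ, then raises one alarm the first time a flow
between two segments violates the policy, as a host-group policy would.
Zone map, policy matrix and sample flows below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # application protocol name, as a DPI sensor would tag it


# Constructed zone map: subnet -> zone.  Industrial networks are statically
# addressed, so a subnet-to-zone lookup is a realistic approximation.
ZONES = {
    ip_network("10.1.1.0/24"): "Cell-1",
    ip_network("10.1.2.0/24"): "Cell-2",
    ip_network("10.1.10.0/24"): "Manufacturing Zone",
    ip_network("10.1.250.0/24"): "IDMZ",
}

# Constructed policy: (source zone, destination zone) -> allowed protocols.
# Any pair or protocol not listed is "NO ACCESS".
POLICY = {
    ("Cell-1", "Cell-1"): {"CIP", "CIP-IO"},
    ("Cell-2", "Cell-2"): {"CIP", "CIP-IO"},
    ("Cell-1", "Cell-2"): {"CIP"},                       # HMI reads Cell-2 PLC
    ("Manufacturing Zone", "Cell-1"): {"CIP", "HTTP"},   # engineering laptop
    ("Manufacturing Zone", "Cell-2"): {"CIP", "HTTP"},
    ("Manufacturing Zone", "IDMZ"): {"HTTPS"},
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for net, zone in ZONES.items():
        if ip in net:
            return zone
    return "Unknown"


def check_flow(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one flow record."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    allowed = POLICY.get((src_zone, dst_zone), set())
    if flow.proto in allowed:
        return True, f"{src_zone}->{dst_zone} {flow.proto} permitted"
    return False, f"{src_zone}->{dst_zone} {flow.proto} not in policy"


class SegmentationMonitor:
    """Alarms once per new (src zone, dst zone, proto) violation."""

    def __init__(self) -> None:
        self.seen: set[tuple[str, str, str]] = set()
        self.alarms: list[str] = []

    def observe(self, flow: Flow) -> bool:
        ok, reason = check_flow(flow)
        if ok:
            return False
        key = (zone_of(flow.src), zone_of(flow.dst), flow.proto)
        if key in self.seen:
            return False      # already alarmed on this segment pair/protocol
        self.seen.add(key)
        self.alarms.append(f"ALARM {flow.src}->{flow.dst}: {reason}")
        return True


# Constructed sample flow records, as a DPI sensor's metadata might report them
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "10.1.1.10", "CIP-IO"),   # HMI to local controller
    Flow("10.1.1.20", "10.1.2.10", "CIP"),      # Cell-1 HMI to Cell-2 controller
    Flow("10.1.10.5", "10.1.1.10", "HTTP"),     # engineering laptop to PLC web page
    Flow("10.1.2.10", "10.1.250.8", "HTTP"),    # Cell-2 controller reaching IDMZ
    Flow("10.1.2.10", "10.1.250.8", "HTTP"),    # repeat: no second alarm
    Flow("10.1.1.10", "10.1.2.10", "SMB"),      # controller-to-controller SMB
]


def run(flows=SAMPLE_FLOWS) -> list[str]:
    mon = SegmentationMonitor()
    for f in flows:
        mon.observe(f)
    return mon.alarms


if __name__ == "__main__":
    for a in run():
        print(a)
```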

Cisco Firepower Integration
OT context for creating rules, remediation, and impact assessment
• Map ICS device IPs to named objects (PLC, IO, Drive) in Firepower for use in access policy*
• Map ICS device vulnerabilities to hosts in Firepower for use in correlation policy*
• Identify anomalous flows in Cyber Vision and kill FTD firewall sessions
* Spring 2020
(Diagram: ICS visibility of PLC, IO, Drive and Controller assets)

Industrial Asset Context in FMC

Macro to Micro segmentation

Converged Industrial Architectures
Cisco components by zone:
Industrial DMZ
• Access control lists (ACLs)
• Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
• VPN services
• Portal and remote desktop services
• Application and data mirrors
Industrial zone
• AAA identity services
• Network management
• Asset inventory
• Anomaly detection
• Plant-wide services
• Traffic enforcement (plant to IDMZ, north/south)
Area zone
• Traffic enforcement (cell to cell, east/west)
• QoS prioritization
• SXP
• NetFlow
Inter-cell (ISA3000)
• Industrial deep packet inspection (DPI)
• Stateful firewall and intrusion prevention (IPS)
• Hardware bypass
Cell zone
• PoE/PoE+
• Layer 2 NAT
• 802.1X
• MAC Authentication Bypass (MAB)
• Quality of Service marking
• NetFlow (IE3x00 and IE4000 only)
• TrustSec tagging (IE3x00 and IE4000 only)
• Edge compute (IE3x00 only)
Diagram: Enterprise Zone (Purdue Level 4-5: IT core, IT network, user access) – DMZ – Industrial Zone (Purdue Level 3: industrial core, Cisco NGFW and IPS solutions, Cyber Vision Center, SCADA/HMI, historian, MES) – Area Zone (Purdue Level 2: ISA3000, IC3000 fed by SPAN/RSPAN) – Cell Zone (Purdue Level 0-1: IE3x00 with sensors, PLC/RTU/IED, SIS). The Cyber Vision Center feeds a SIEM (Syslog), ISE/DNA-C (pxGrid) and a RESTful API (HTTPS).

Scalable Tags in Industrial Environments
(Same architecture diagram as the previous slide, annotated with Source and Destination tags)
▪ Scalable Group Tag (SGT): a 16-bit value that Cisco ISE assigns to the endpoint’s session upon login
▪ SGT is applied to the endpoint’s traffic
▪ Centralized policy – ISE
▪ Cell-to-cell enforcement at the area switch; plant-to-IT enforcement at the IDMZ firewall

Industrial Security and Firewalls

Industrial Firewalls: what and where?
• First Level – Secured Connectivity: zone segmentation, controlled conduits
• Second Level – Secured Visibility & Control: application control, threat control
• Third Level – Converged Security & Depth: policy driven response, deeper vision / control
Reference architecture (Purdue model):
• Level 5 – Enterprise Network (Enterprise Zone)
• Level 4 – Site Business Planning & Logistics Network (Enterprise Zone): e-mail, intranet, etc.
• DMZ: terminal server, RDP server, app server, patch management
• Level 3 – Site Manufacturing Operations and Control (Manufacturing Zone): FactoryTalk app server, FactoryTalk directory, engineering workstation, domain controller
• Level 2 – Area Supervisory Control (Cell/Area Zone): FactoryTalk client, HMI, Magelis HMI, engineering workstation, operator interface
• Level 1 – Basic Control (Cell/Area Zone): batch, discrete, drive, continuous process and safety control
• Level 0 – Process: sensors, drives, actuators, robots

Industrial Firewall Features for Firepower devices
• Deployment modes - out of band, inline - active, passive
• Industrial application detection
• Industrial protocol command detection
• SCADA IPS rules
• Reliable operation - HW bypass, dual power inputs (ISA-3000)
• Industrial infrastructure integration - DC power, alarm input/output pins (ISA-3000)

Firepower Industrial protocol support
OT Protocol | Application Description | Verticals
BACnet | A data communication protocol for Building Automation and Control Networks | Building Automation
COSEM | |
COTP | Connection Oriented Transport Protocol (ICCP) | Multiple verticals
DNP3 | DNP3 is based on the standards of the International Electrotechnical Commission (IEC) Technical Committee 57; DNP3 has been selected as a Recommended Practice by the IEEE C.2 Task Force; RTU to IED communications protocol | Utilities
Emission Control Protocol | Registered with IANA as IP Protocol 14 |
Fujitsu Device Control | A system that controls devices within a house |
GOOSE | Generic Object Oriented Substation Events (GOOSE) | Utilities
GSE | Generic Substation Events | Utilities
Honeywell Control Station/NIF Server | Honeywell protocol detector for Control Station | Multiple verticals
Honeywell Experion DSA Server Monitor | Honeywell protocol detector for Experion DSA server | Multiple verticals
IEC 104 | IEC 60870-5-104 enables communication between control station and substation via a standard TCP/IP network | Utilities
ISO MMS | Manufacturing Message Specification, the ISO session-layer protocol | Utilities
Modbus | Modbus is a serial communications protocol published by Modicon in 1979 for use with its programmable logic controllers (PLCs) | Multiple verticals
OPC-UA | OLE for Process Control (OPC), which stands for Object Linking and Embedding (OLE) for Process Control | Multiple verticals
Q.931 | |
SRC | IBM System Resource Controller facilitates the management and control of complex subsystems; the SRC is a subsystem controller |
TPTK | | Multiple verticals
CIP | Common Industrial Protocol | Manufacturing

Firepower Industrial protocol detectors

Enabling Industrial protocol detection
Access control rule to detect industrial protocols (application visibility)

Host Attributes from Cisco Cyber Vision

Enforce security using Cyber Vision data
FMC defining a correlation policy based on Cyber Vision asset data: check if an OT asset generates non-OT traffic

Industrial Firewall deployment modes
• Out of band (RSPAN): visibility; limited impact - a copy of the traffic is inspected
• In-line: visibility; enforce
(Diagram: Cell/Area Zone rings with controllers, drives, distributed I/O and HMI)

Out of Band configuration
Cisco FTD passive mode configuration

Industrial Firewall deployment
Firewall deployment modes: “Availability” is the key
Default config:
• Transparent mode – no change required in network layout or configuration (mostly Layer 2 – ring & linear topologies)
• Default allow ALL
• Passive detection
• Enable HW bypass – continuity of operations on device/power failure

Cisco Firepower for Industrial Security

Rule to detect PLC restart, open/close
Modbus data required to restart a PLC:
• Modbus unit
• Modbus command = Write Single Register
• Register address (2560)
• Register value (0xFFFF)
(Screenshot callouts: register check, register value check)

Safe Operation of ICS - Stopping a Dangerous Misconfiguration of a Robot Arm
(Diagram: an industrial firewall in front of a robot arm in a manufacturing plant, on the factory floor, passes valid parameters and blocks invalid parameters)

DNP3 IPS rule options
DNP3 command inspection
• DNP - Distributed Network Protocol
• For communication between components in process automation systems
• Mainly used in utilities such as electric and water
• DNP3 is transported over TCP using port 2000

DNP3 inspection pre-processor options
DNP3 functions: "confirm", "read", "write", "select", "operate", "direct_operate", "direct_operate_nr", "immed_freeze", "immed_freeze_nr", "freeze_clear", "freeze_clear_nr", "freeze_at_time", "freeze_at_time_nr", "cold_restart", "warm_restart", "initialize_data", "initialize_appl", "start_appl", "stop_appl", "save_config", "enable_unsolicited", "disable_unsolicited", "assign_class", "delay_measure", "record_current_time", "open_file", "close_file", "delete_file", "get_file_info", "authenticate_file", "abort_file", "activate_config", "authenticate_req", "authenticate_err", "response", "unsolicited_response", "authenticate_resp"
DNP3 internal indicator flags present in a DNP3 application response header: "all_stations", "class_1_events", "class_2_events", "class_3_events", "need_time", "local_control", "defice_trouble", "device_restart", "no_func_code_support", "object_unknown", "parameter_error", "event_buffer_overflow", "already_executing", "config_corrupt", "reserved_2", "reserved_1"

Enabling SCADA pre-processors
Network analysis policy: enable SCADA pre-processors (SCADA pre-processor configuration)

IEC-60870-5-104 inspection support
IEC 60870-5-104 enables communication between control station and substation via a standard TCP/IP network. The TCP protocol is used for connection-oriented secure data transmission. Mostly used in Europe.
There are 2 types of devices – controlling station (PC) & controlled devices (RTU).
The IEC-104 protocol is used to exchange commands & information between controlled and controlling devices.
Firepower software supports detection of information and command exchange between the devices.
Firepower provides built-in intrusion rules for the IEC-104 protocol based on DPI (Deep Packet Inspection) by the SNORT engine.
(Screenshot: Firepower built-in intrusion rules for IEC-104)

IEC-61850 MMS inspection support
IEC 61850 is an international standard defining communication protocols for intelligent electronic devices at electrical substations.
Components of IEC 61850 are:
• MMS (Manufacturing Message Specification)
• GOOSE (Generic Object Oriented Substation Event)
• SMV (Sample Measured Values)
Firepower software supports detection of information and command exchange between the devices using MMS.
Firepower provides built-in intrusion rules for the MMS protocol based on DPI (Deep Packet Inspection) by the SNORT engine.
(Screenshot: Firepower built-in intrusion rules for IEC-61850 MMS; latency sensitive)

Built-in IPS signatures for OT – ?
(Screenshot: IPS signature)

IPS signatures for OT/SCADA protocols
• 400+ built-in signatures for OT protocols and endpoints
• Based on vulnerabilities discovered in protocols, devices
• Protection against known/unknown threats
• Updated regularly

Protecting the Platform
How do you protect the underlying platform? 800+ IPS rules for Windows OS
What about the infrastructure?
• Authentication - Active Directory, LDAP
• DNS
• Switches
• Routers

Anomaly Detection

Cisco Cyber Vision Threat Detection: Behavioral Analytics
■ Create baselines to define normal behaviors and configurations
■ Behavior modeling automatically triggers alerts on deviations from the baselines
■ Import IoC to detect known malicious behaviors
■ Continuously improve detection with classification of new events
Detect unknown attacks and malfunctions

Correlation
Intrusion rules are uni-dimensional & static
• Based on a single parameter
• No anomaly detection
• No automatic response
What if a Modbus slave sends a “Write” request?
What if an (infected) Modbus master sends data collection requests at a higher rate than normal?
Answer: Correlation
Correlation rules allow for boolean decisions on one or more sets of data within the Firepower console.
Rules can then lead to actions such as: email, syslog, SNMP events or remediation actions.
Value:
• Automate security decisions
• Track business outcome
• Trigger automated response to specific conditions

Anomaly detection
Host sending a request it should not send - a Modbus slave sending a request like Write Single Coil
Creating custom host attributes
What do you need to detect this anomaly?
• Device type = Modbus Slave
• Intrusion event = “Write_single_coil”
(Screenshot: add custom host attributes here)

Anomaly detection
Adding host custom attributes

Anomaly detection
When an intrusion event is detected that a device is sending a Modbus command “write_single_coil”:
If the device type is a Modbus Slave?
Send an email when the anomaly is detected
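As an added example (not Cisco, Firepower or Snort code), this Python block decodes Modbus/TCP frames and applies both Modbus checks the deck describes: the PLC restart signature (Write Single Register to register 2560 with value 0xFFFF) and the correlation of a "Modbus Slave" host attribute with a write_single_coil request. The host-role table, addresses and sample frames are constructed, and the request/response direction check is an assumption added here so a slave's normal echoed response does not trigger the rule.

```python
"""Modbus/TCP write detection and device-role correlation (added example).

Not Cisco or Firepower code: a small re-implementation of two checks from
the slides, run over constructed sample frames.
  1. PLC restart write: Write Single Register (function 6) to register 2560
     with value 0xFFFF.
  2. Role anomaly: a host whose custom attribute says "Modbus Slave" sends a
     Write Single Coil (function 5) *request*.  Direction matters: a slave
     legitimately echoes a write request back as its response, so the rule
     only considers traffic toward TCP port 502.
The host attribute table and the sample packets are constructed.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
FC_NAMES = {1: "read_coils", 3: "read_holding_registers",
            5: "write_single_coil", 6: "write_single_register",
            16: "write_multiple_registers"}
RESTART_REGISTER, RESTART_VALUE = 2560, 0xFFFF   # values from the slide


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes          # MBAP header + PDU


def parse_modbus(payload: bytes) -> dict:
    """Decode the MBAP header and the PDU of a Modbus/TCP frame.

    Raises ValueError on truncated frames or a non-Modbus protocol id."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:       # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    rec = {"tid": tid, "unit": unit, "fc": fc,
           "func": FC_NAMES.get(fc, f"fc_{fc}")}
    if fc in (5, 6) and len(payload) >= 12:
        rec["address"], rec["value"] = struct.unpack(">HH", payload[8:12])
    return rec


def build_frame(tid: int, unit: int, fc: int, address: int, value: int) -> bytes:
    """Construct a sample request/response frame for function 5 or 6."""
    pdu = struct.pack(">BHH", fc, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed host attributes (the slide's custom host attribute "device type")
HOST_ROLES = {"10.2.0.10": "Modbus Master", "10.2.0.21": "Modbus Slave",
              "10.2.0.22": "Modbus Slave"}


def evaluate(pkt: Packet) -> list[str]:
    """Return the names of the rules the packet triggers (empty if none)."""
    hits: list[str] = []
    try:
        rec = parse_modbus(pkt.payload)
    except ValueError:
        return hits                      # not a well-formed Modbus frame
    is_request = pkt.dst_port == MODBUS_PORT
    if (rec["fc"] == 6 and is_request
            and rec.get("address") == RESTART_REGISTER
            and rec.get("value") == RESTART_VALUE):
        hits.append("plc_restart_write")
    if (rec["fc"] == 5 and is_request
            and HOST_ROLES.get(pkt.src) == "Modbus Slave"):
        hits.append("slave_sent_write_single_coil")
    return hits


# Constructed sample traffic
SAMPLE = [
    # master reads 10 holding registers from address 0: benign
    Packet("10.2.0.10", "10.2.0.21", 502,
           struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),
    # master writes 0xFFFF to register 2560: restart signature
    Packet("10.2.0.10", "10.2.0.21", 502, build_frame(2, 1, 6, 2560, 0xFFFF)),
    # slave echoes a write-single-coil response to the master: benign
    Packet("10.2.0.21", "10.2.0.10", 49152, build_frame(3, 1, 5, 7, 0xFF00)),
    # slave originates a write-single-coil request to another slave: anomaly
    Packet("10.2.0.21", "10.2.0.22", 502, build_frame(4, 1, 5, 7, 0xFF00)),
]


def scan(packets=SAMPLE) -> dict[int, list[str]]:
    """Map each packet index to the rules it triggered."""
    return {i: evaluate(p) for i, p in enumerate(packets)}


if __name__ == "__main__":
    for i, hits in scan().items():
        print(i, hits or "-")
```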

OT Network Security and Availability
Deep packet inspection comes with a cost; you can minimize it:
• Number of packets to allow in the event queue.
• Enable or disable inspection of packets that will be rebuilt into larger streams.
• Override default match and recursion limits on PCRE that are used in intrusion rules to examine packet payload content.
• Elect to have the rules engine log more than one event per packet or packet stream when multiple events are generated, allowing you to collect information beyond the reported event.
Packet latency threshold: measures the total elapsed time taken to process a packet by applicable decoders, preprocessors, and rules, and ceases inspection of the packet if the processing time exceeds the threshold.
Rule latency threshold: measures the elapsed time each rule takes to process an individual packet, suspends the violating rule along with a group of related rules for a specified time if the processing time exceeds the rule latency threshold a configurable consecutive number of times, and restores the rules when the suspension expires.
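As an added example (not Firepower code), a Python simulation of the two latency controls described above: packet latency thresholding that stops inspection once the packet's total processing time exceeds the threshold, and rule latency thresholding with consecutive-violation counting, group suspension and restoration. Rule names, per-rule costs and thresholds are constructed assumptions.

```python
"""Packet- and rule-latency thresholding simulation (added example).

Not Firepower code.  Time is passed in explicitly so the behaviour is
deterministic and testable.  Rule names, costs and thresholds are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class RuleLatencyConfig:
    threshold_us: int          # per-rule, per-packet time budget
    consecutive: int           # violations in a row before suspension
    suspend_s: int             # how long the rule group stays suspended


@dataclass
class RuleState:
    consecutive_violations: int = 0
    suspended_until: float | None = None


class LatencyGovernor:
    def __init__(self, packet_threshold_us: int, rule_cfg: RuleLatencyConfig,
                 groups: dict[str, str]):
        self.packet_threshold_us = packet_threshold_us
        self.rule_cfg = rule_cfg
        self.groups = groups                        # rule -> related-rule group
        self.state: dict[str, RuleState] = {}
        self.events: list[str] = []

    def _state(self, rule: str) -> RuleState:
        return self.state.setdefault(rule, RuleState())

    def is_suspended(self, rule: str, now: float) -> bool:
        st = self._state(rule)
        if st.suspended_until is None:
            return False
        if now >= st.suspended_until:               # suspension expired: restore
            st.suspended_until = None
            st.consecutive_violations = 0
            self.events.append(f"{now:.0f}s restore {rule}")
            return False
        return True

    def _suspend_group(self, rule: str, now: float) -> None:
        group = self.groups.get(rule)
        members = [r for r, g in self.groups.items() if g == group] or [rule]
        for r in members:
            self._state(r).suspended_until = now + self.rule_cfg.suspend_s
        self.events.append(f"{now:.0f}s suspend {sorted(members)} (trigger {rule})")

    def inspect(self, now: float, stage_costs_us: dict[str, int],
                rule_costs_us: dict[str, int]) -> tuple[bool, list[str]]:
        """Process one packet.  Returns (fully_inspected, rules_evaluated)."""
        elapsed = sum(stage_costs_us.values())       # decoders + preprocessors
        evaluated: list[str] = []
        if elapsed > self.packet_threshold_us:
            return False, evaluated                  # packet latency exceeded
        for rule, cost in rule_costs_us.items():
            if self.is_suspended(rule, now):
                continue
            elapsed += cost
            evaluated.append(rule)
            st = self._state(rule)
            if cost > self.rule_cfg.threshold_us:
                st.consecutive_violations += 1
                if st.consecutive_violations >= self.rule_cfg.consecutive:
                    self._suspend_group(rule, now)
            else:
                st.consecutive_violations = 0
            if elapsed > self.packet_threshold_us:
                return False, evaluated              # cease inspection mid-rules
        return True, evaluated


def demo() -> tuple[list[str], list[str]]:
    """Constructed run: a PCRE-heavy SCADA rule exceeds its budget three times."""
    gov = LatencyGovernor(packet_threshold_us=300,
                          rule_cfg=RuleLatencyConfig(threshold_us=50, consecutive=3, suspend_s=10),
                          groups={"scada-1": "scada", "scada-2": "scada", "web-1": "web"})
    outcomes = []
    stages = {"decode": 20, "preproc": 40}
    rules = {"scada-1": 120, "scada-2": 30, "web-1": 10}
    for t in range(0, 25, 5):                        # packets at 0, 5, 10, 15, 20 s
        ok, evaluated = gov.inspect(float(t), stages, rules)
        outcomes.append(f"{t}s ok={ok} rules={evaluated}")
    return outcomes, gov.events


if __name__ == "__main__":
    out, ev = demo()
    print("\n".join(out + ev))
```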

Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Continue your education
• Related sessions
• Walk-In Labs
• Demos in the Cisco Showcase
• Meet the Engineer 1:1 meetings

Thank you