思科（Cisco） ：工业自动化安全解决方案简报（英文版）（10页）.pdf

《思科（Cisco） ：工业自动化安全解决方案简报（英文版）（10页）.pdf》由会员分享，可在线阅读，更多相关《思科（Cisco） ：工业自动化安全解决方案简报（英文版）（10页）.pdf（10页珍藏版）》请在三个皮匠报告文库上搜索。

1、Cisco IoT Solution Brief Securing Industrial Networks 2020 Cisco and/or its affiliates.All rights reserved.Page 1 of 10 Protecting manufacturing operations against cyber threats:Introduction to Cisco industrial network security Over the years,manufacturers around the world have been connecting their

2、 industrial environments to enterprise networks to automate production and gain operational advantages.Organizations are now deploying Internet of Things(IoT)technologies to migrate to Industry 4.0,optimize production,and build new generations of products and services.This deeper integration between

3、 IT,cloud,and industrial networks is creating many cybersecurity issues that are becoming the primary obstacle to industry digitization efforts.Media reports regularly highlight cyber attacks on manufacturers across all verticals,wreaking expensive havoc on operations.The growing number of cases sho

4、ws that industrial networks have become a target and securing them is now the key to ensuring production integrity,continuity,and safety.Benefits Improve industrial cybersecurity by:Discovering and inventorying assets Containing security incidents Detecting and preventing known attacks Protecting ag

5、ainst malware Integrating enterprise and operations security Cisco IoT Solution Brief Securing Industrial Networks Cisco IoT Solution Brief Securing Industrial Networks 2020 Cisco and/or its affiliates.All rights reserved.Page 2 of 10 Cisco is a leader in securing enterprise networks.Cisco is also a

6、 leader in industrial networking.We are leveraging these unique portfolios of products and solutions,together with threat intelligence from Talos,one of the worlds largest security research teams,to make security inherent and embedded in the industrial network.To help industrial organizations secure

7、 their operations,Cisco Validated Designs(CVDs)provide the core network foundation of architectures that meet the needs of operations and IT.This solution brief is a high-level overview of the reference architecture described in the“Networking and Security in Industrial Automation Environments”CVD.I

8、t describes a security journey for an industrial network,starting with strong foundation-level security and then,as the organization matures,growing into a comprehensive full-spectrum security design.Securing the industrial network is a journey Industrial control networks connect devices that have b

9、een deployed over a period of many years sometimes even decades beginning back when cybersecurity wasnt a concern.When organizations attempt to secure their industrial IoT networks,they encounter three primary issues:A lack of visibility:Manufacturers often dont have an accurate inventory of whats o

10、n their industrial network.Without this,they have limited ability to build a secure communications architecture.A lack of control:A lack of visibility also means that manufacturers are often unaware of what devices are communicating,and where those communications are going.You cannot control what yo

11、u dont know about.A lack of collaboration:OT devices and processes are managed by the operations team.Cybersecurity is generally driven by the IT and security teams.All these stakeholders need to collaborate to build the specific security policies and enrich events with context so that security inci

12、dents do not disrupt production.Addressing these issues and building a secure industrial network will not happen overnight.To help ensure success,Cisco promotes a phased approach in which each phase builds the foundation for the next,so that you can enhance your security posture at your own pace and

13、 demonstrate value to all stakeholders when embarking on this journey.Key requirements Figure 1 depicts the key requirements for securing industrial networks and can guide the development of a security lifecycle process.Compliance standards often guide security needs as well.This security solution b

14、rief provides the blueprints for two designs to meet these requirements.Figure 1.Key requirements for securing industrial networks Asset visibility Application flows Discover Control access Segment and partition to contain and limit impact Segment Vulnerabilities Anomalies Intrusion Detect Investiga

15、te Remediate Improve Respond Cisco IoT Solution Brief Securing Industrial Networks 2020 Cisco and/or its affiliates.All rights reserved.Page 3 of 10 Extending IT security to OT through effective collaboration To successfully secure the OT environment,all stakeholders must work together.Operations un

16、derstands the industrial environment the devices,the protocols,and the business processes.IT understands the IP network.And the security team understands threats and vulnerabilities.By working together,they can leverage existing security tools and expertise to protect the industrial network without

17、disrupting production safety and uptime.Cisco security solutions are built into the industrial networks to monitor operations,feed security platforms with OT context,and enable this crucial collaboration.Network managers will appreciate the unique simplicity and lower costs of Ciscos edge architectu

18、re when looking to deploy OT security at scale.Operations will gain real-time insight into the industrial processes,so they can maintain system integrity and production continuity.Security teams will have visibility into industrial assets and communications with context enriched by control engineers

19、.Taking a phased approach to industrial security Ciscos approach to deploying industrial cybersecurity includes three phases.Initially,there is a minimal level of security consisting of configuring an industrial demilitarized zone(IDMZ)to separate the industrial and enterprise networks.This is the m

20、andatory first step in industrial security,and we are assuming that all have already embraced it,so it will not be discussed in this brief.But as organizations connect more devices,enable more remote access,and build new applications,the airgap erodes and becomes insufficient.Industrial organization

21、s need to build on this minimal level of security to move to the Foundation and eventually Full Spectrum security models.This CVD is created to protect your investment while your security posture matures.Figure 2.Typical security journey Many industrial companies are at minimal security that is insu

22、fficient in todays cyber-security environment.Cisco IoT Solution Brief Securing Industrial Networks 2020 Cisco and/or its affiliates.All rights reserved.Page 4 of 10 Design 1:Foundation security The Foundation security design is a blueprint for a secured,robust,and reliable industrial network.It pro

23、vides for industrial asset visibility,macro/zone segmentation,zone access control,intrusion detection,threat detection,and response.It enables coordination with information security for consistent access policy management and aggregation of industrial security events in the security operations cente

24、r(SOC).Figure 3.Foundation security design This design follows the Purdue model.Network management and other networking aspects such as redundancy,etc.,are described in detail in the CVD“Networking and Security in Industrial Automation Environments.”Foundation security features Asset visibility Macr

25、o/zone segmentation Zone access control Intrusion and malware protection Threat response 2 1 3 4 6 5 Cyber Vision Center:Centralized analytics platform Cyber Vision network sensor:Deep packet inspection(DPI)embedded in network infrastructure,eliminating the need for a separate SPAN network Cyber Vis

26、ion hardware sensor:Dedicated sensor appliance that performs DPI on SPAN traffic Application flow:Lightweight metadata streamed from Cyber Vision sensors to Cyber Vision Center Industrial asset metadata flow:Context,vulnerabilities,and events communicated to the SOC Industrial security appliance:Seg

27、ments,controls access,and detects and blocks intrusions and malware Cisco IoT Solution Brief Securing Industrial Networks 2020 Cisco and/or its affiliates.All rights reserved.Page 5 of 10 Asset visibility Visibility into the security stance of industrial devices and communications is a key capabilit

28、y.Cisco Cyber Vision provides visibility into all industrial assets and creates inventories that have relevant details such as device type,firmware version,etc.Cyber Vision Center is deployed as a sitewide application.Cyber Vision sensors are embedded into the cell/area network equipment to discover

29、 devices,monitor communications,and pass security telemetry to Cyber Vision Center.These sensors inspect the packets and analyze them for asset details,communications,and industrial control system(ICS)process data.The Center visualizes this information and correlates vulnerability information.Invest

30、igations and patching activities can be driven from this.Cyber Vision connects to Cisco Firepower Management Center and Cisco SecureX to provide industrial asset information,enhancing context around devices for policy enforcement.Zone/macro segmentation and malware protection The industrial network

31、is segmented from the enterprise network by an IDMZ implemented by a Cisco next-generation firewall(NGFW).The various parts of the industrial network should also be segmented in a way that enables each segment to form a semiautonomous zone.The goal is to limit and contain security incidents within a

32、 zone.The ISA/IEC-62443 industrial cybersecurity standard describes how such an approach can be implemented by establishing communication conduits between zones,where access and communication is controlled.Zones are established by having separate LANs and/or VLANs,with conduits between zones enforce

33、d by the Cisco 3000 Series Industrial Security Appliances(ISA3000).The ISA3000 provides the access and communication control,as well as intrusion detection capabilities.The configuration,including access control lists(ACLs)and policies,is managed by Cisco Firepower Management Center.The ISA3000 and

34、Cisco NGFW can also include Cisco Advanced Malware Protection(AMP)to provide protection against malware.Threat investigation and response The design envisions a security operations center that consolidates security events and vulnerabilities across the entire organization and manages the response.Ci

35、sco SecureX threat response accelerates investigations by automating and aggregating threat intelligence and data across your security infrastructure both Cisco and third parties into one unified view.Solution introduction and operational considerations Cisco Cyber Vision is a software feature built

36、 into the network(Cisco Catalyst IE3400,1101 Industrial ISR,Catalyst 9300 Series,etc.).This makes it very easy to deploy at scale,as there is no additional hardware or switch port analyzer(SPAN)connection to deploy.Enabling industrial cybersecurity monitoring is just a Cisco 3000 Series Industrial S

37、ecurity Appliance Cisco IoT Solution Brief Securing Industrial Networks 2020 Cisco and/or its affiliates.All rights reserved.Page 6 of 10 question of installing the central console and activating the software within the network.This reduces the risk of a production outage during deployment and needs

38、 very low overhead to coordinate with plant operations.To get the most out of this design,security,operations,and IT must set up an effective collaboration.There are fewer products,so operationally this design poses low overhead.Introducing the ISA3000 does need careful planning,as necessary communi

39、cations can be stopped and access to needed resources can be denied.Table 1.Foundation security features Cisco IoT Solution Brief Securing Industrial Networks 2020 Cisco and/or its affiliates.All rights reserved.Page 7 of 10 Design 2:Full Spectrum security The Full Spectrum security design builds up

40、on the Foundation design.It is a blueprint for a highly digitized,centrally managed,secured,robust and reliable industrial network.In addition to the capabilities of the Foundation security design,it supports micro-segmentation,network anomaly detection,fine-grained access controls to the devices,ma

41、lware protection,and DNS security.The design integrates security operations across the enterprise and industrial networks.It brings more of the enterprise security capabilities into the industrial network.The SOC becomes enriched with additional insights into and controls over the industrial network

42、.Figure 4.Full Spectrum security design This design follows the Purdue model.Network management and other networking aspects such as redundancy,etc.,are described in detail in the CVD“Networking and Security in Industrial Automation Environments.”7 2 1 3 4 6 Cyber Vision Center:Centralized analytics

43、 platform Cyber Vision Network Sensor:Deep packet inspection(DPI)embedded in network infrastructure eliminating the need for a separate SPAN network Cyber Vision Hardware Sensor:Dedicated sensor appliance that performs DPI on SPAN traffic Application flow:Lightweight metadata streamed from Cyber Vis

44、ion Sensors to the Cyber Vision Center Industrial Asset Metadata Flow:Context,vulnerabilities and events communicated to the SOC Industrial Security Appliance:Segments,controls access and detects and blocks intrusions and malware Identity Services Engine(ISE):Provides capability for micro segmentati

45、on and TrustSec.Supports 802.1x Stealthwatch:Detects network anaomolies 5 8 Full Spectrum security features Foundation security features plus:Micro-segmentation(TrustSec)Network anomaly detection DNS security Cisco IoT Solution Brief Securing Industrial Networks 2020 Cisco and/or its affiliates.All

46、rights reserved.Page 8 of 10 Asset visibility and zone/macro segmentation You cannot protect what you cannot see.Cisco Cyber Vision provides this core capability.The macro-segmentation capability is provided by the Cisco ISA3000 Industrial Security Appliance.These Foundation security capabilities ar

47、e also available in Full Spectrum security.Device/micro segmentation Cisco Identity Services Engine(ISE)enables micro-segmentation to the device level,and fine-grained access control can be created per user and device.Consistent security policies can be created across the entire network based on con

48、text.Cisco ISE becomes the policy engine for users and assets that require access to the industrial network.Cisco ISE is depicted in the Full Spectrum security design,in which the Policy Administration Node(PAN)is in the SOC and the Policy Enforcement Node(PEN)is in the operations zone of the indust

49、rial network.ISE can also take in information from Cyber Vision through Cisco pxGrid to get specific device context.An example of this operation is when Cyber Vision detects a new industrial device in the network.Cyber Vision will send detailed information about this device to ISE,so that the approp

50、riate security policy can be applied based on the asset characteristics.Combining Cyber Vision and ISE is a great way to dynamically enforce zones and conduits.For instance,ISE can be configured to let an ICS controller communicate only with devices within its cell.Cisco ISE can reduce risks and con

51、tain threats to a device by dynamically controlling network access.It enables wireless device onboarding and provisioning with 802.1X.In an industrial environment that needs to capture telemetry data from sensors and other devices,a fine-grained or micro-segmentation capability can help make operati

52、ons secure.Network anomaly detection Cisco Stealthwatch improves threat defense with network visibility and security analytics.It helps gain situational awareness of all users,devices,and traffic on the network,so that threats can be responded to quickly and effectively.Stealthwatch leverages NetFlo

53、w data from network infrastructure devices.The data is collected and analyzed to provide a complete picture of network activity.Malware protection and DNS security Cisco Advanced Malware Protection(AMP)for Networks can be enabled on the NGFW to detect and protect against malware in content that is d

54、ownloaded into the industrial zone.AMP can also be enabled on the ISA3000.Cisco Umbrella is deployed for DNS security to block requests to malicious domains.Threat investigation and response In the Full Spectrum security design,the SOC can detect a wider variety of threats and respond in a more cohe

55、rent manner across enterprise and industrial networks.Cisco SecureX integrates intelligence from Firepower Management Center,Cyber Vision,ISE,Stealthwatch,AMP,and Umbrella.This seamless integration among Cisco security products makes deeper investigations very easy,and it also lets you take correcti

56、ve action directly from its interface without having to log in to another product.Cisco IoT Solution Brief Securing Industrial Networks 2020 Cisco and/or its affiliates.All rights reserved.Page 9 of 10 Solution introduction and operational considerations Cyber Vision and Stealthwatch are built into

57、the network and are easy to introduce.They offer visibility and network anomaly detection capabilities.Introducing Cisco ISE,however,commands attention.Enabling micro-segmentation and Cisco TrustSec capabilities requires good planning and testing of the Scalable Group Tag(SGT)scheme to ensure that p

58、olicies are supporting manufacturing needs and are providing the targeted security cover.To get the most out of this design,security,operations,and IT must work together in a collaborative manner.The skill levels of the personnel need to be in step with these technologies,and operational processes n

59、eed to be fine-tuned in order to get the best from the large number of products in this design.Table 2.Full Spectrum security features Cisco IoT Solution Brief Securing Industrial Networks 2020 Cisco and/or its affiliates.All rights reserved.Page 10 of 10 Foundation to Full Spectrum security evoluti

60、on Manufacturing digitization is deepening and evolving.In order to support this evolution and keep your business protected,you need to enhance your security posture.Ciscos comprehensive portfolio of industrial network technologies and security tools lets you evolve from minimal security to Foundati

61、on security and to Full Spectrum security,while preserving your investments.These designs build on each other and maximize reuse of technology,processes,and people.Figure 5 illustrates the applicability of these designs.Minimal security is recommended in all cases.Foundation security can be used by

62、organizations that are digitizing their operations and need to implement a robust security posture.Full Spectrum security is intended to be deployed in organizations where the digitization is mature and the scale of operations has increased the threat surface.One example is when wireless devices bec

63、ome a part of the mainline production network and need 802.1X authentication.Figure 5.Evolution of security approaches Remote access Remote access has not been specifically addressed in this brief,as the recommendation is for remote workers and third-party contractors to follow the enterprise supported solution.Cisco provides a well-integrated solution with Cisco AnyConnect and NGFW that can also include multifactor authentication with Cisco Duo.This solution is described in other designs.