1. A Phased Approach That Keeps Things Running
Robert Albach
ralbach@cisco.com
Securing the Internet of Things:
From Threat Vectors to Architecture
2. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
@$2+B
Losses
Impacts
3.
2018’s Top Security News
4.
April 2018:
Bad Headlines;
System Boundaries
5.
2018
Malware Impacts
Continue
6.
Use Case:
Software Update by your
Remote Maintenance Vendor
Challenge:
Remote Maintenance Vendor’s
Software was hacked
Customers Trust
Their Equipment
Suppliers
7.
Industrial Security 101
8.
Internet of Things: Consumer, Enterprise, Industrial (Heavy Industries, Light Industries)
Primarily focused on the Industrial space (current focus)
Segments shown: Entertainment, Home Automation, Food Prep, Utilities, Health & Wellness, Automotive, Consumer on NW, Physical Security, Data Center, Building Mgmt., Healthcare, Retail, Manufacturing, Energy/Utilities, Smart City, Transportation
9.
Not Doing These >
10.
Industrial Technology Stack Simplified
“Things” – e.g. Sensors, Motors, Robots, Heart Rate Monitor, Transformer, Water Meter
Control Layer – e.g. Workstations, Historians, Logic Controllers
Corporate IT – Traditional networking environment where Cisco is a market leader
Internet / Cloud
11.
Where are We Today?
12.
A Matter of
Trust:
2015 Ukraine
Utility Attack
13.
Where does the security role for OT reside in your organization?
1 - Wholly within the OT group.
2 - IT owns the DMZ, OT owns the rest.
3 - IT owns down to the aggregation layer.
4 - IT owns down to the access layer.
5 - A hybrid IT team reporting to OT.
6 - Unclear, still sorting it out.
7 - I don't know as I don't work there.
8 - Not applicable to my situation.
(Bar chart of responses per option, grouped as: Driven by OT Teams; Driven by IT; OT or IT or TBD?)
IoT Sec Talks 2016 May – 620 respondents
Cisco: Multiple Paths to Secure the Plant
14.
The Vision of the Future – Connected Systems
From Cloud to Enterprise to Cell
Cloud HQ DMZ Factory
15.
Technology Stacks in Connected Manufacturing
16.
Quantifying Threats by Technology Stack
Vulnerabilities by Top 50 Vendors: IT – 99.53%, OT – 0.47%
IT Stack Vulns – 44% [Web – 35%]
17.
The Good
18.
Also Good
19.
A Challenge
20.
Flash:
The
Weakest
Link
21.
Application of Industrial
Security
• Deployment Priorities, Common Use Case Examples - Manufacturing
22.
Evolve to Secure: Phased Security Architecture
Level 5 – Enterprise Network (Enterprise Zone)
Level 4 – Site Business Planning & Logistics Network (Enterprise Zone): E-Mail, Intranet, etc.
DMZ: Terminal Server, RDP Server, App Server, Patch Mgmt.
Level 3 – Site Manufacturing Operations and Control (Control Zone): FactoryTalk App Server, FactoryTalk Directory, Engineering Workstation, Domain Controller
Level 2 – Area Supervisory Control (Cell/Area Zone): FactoryTalk Client, HMI, Magelis HMI, Engineering Workstation, Operator Interface
Level 1 – Basic Control (Cell/Area Zone): Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
Level 0 – Process (Cell/Area Zone): Sensors, Drives, Actuators, Turbine
First Phase – Secured Connectivity: Zone Segmentation, Controlled Conduits (ISA – 95,99 / IEC 62443, NERC / NIST)
Second Phase – Secured Visibility & Control: Application Control, Threat Control (ISA – 95,99 / IEC 62443, NERC / NIST)
Third Phase – Converged Security & Depth: Policy Driven Response, Deeper Vision / Control (ISO / IEC 27001:2013)
23.
Built on Strong
Foundations:
Cisco Validated
Designs
24.
Chemical Facilities Anti-Terrorism Standards
First Phase – Secured Connectivity: Zone Segmentation, Controlled Conduits
Second Phase – Secured Visibility & Control: Application Control, Threat Control
25.
Evolve to Security: Phased Security Architecture
26.
Built on Strong
Foundations:
Cisco Validated
Designs
27.
Start: Secured / Connected Distribution
Security
Ready
Networking
Access /
Application
Control
NW Access
Control
28.
Introducing Security to Legacy Power Systems
Challenges:
1. Non-Stop Environment
2. Older systems
3. Insecure design
4. Diverse providers
5. Diverse sub-systems
Our Approach – Phased Deployment:
1. Network modernization
2. Visibility and Controls – Apps / Threats
3. Integrated Controls
29.
Evolve to Security: Phased Security Architecture
30.
Use Case Driven Validated Designs
Smart Connected Upstream
Smart Connected Pipelines
Smart Connected Distribution
31.
Pipeline Data Retention Policy:
Where is it?
US Department of
Transportation:
Pipeline and
Hazardous Materials
Safety Administration
Part 192 Gas Transmission
Pipeline Integrity
Management Code
Section §192.947
32.
Cisco Partnerships for Water Management
33.
34.
American Water Works
Assoc.
Recommended
Security Guidelines
First Phase –
Secured Connectivity
Zone Segmentation
Controlled Conduits
Second Phase –
Secured Visibility &
Control
Application Control
Threat Control
35.
Secured Branch
Architecture:
Products
36.
IP Convergence Drives Digital Ceiling Applications
(Timeline figure: 1995, 2005, Late 2000s, 2010, 2015)
Items shown: PBX, Coax, Data Network, IP Telephony, IP Cameras, Building Management Systems Using Low-Voltage PoE, IP Building Systems on low-voltage PoE, BACnet, Lighting, Ventilation, Sensing, Cloud Management and Analytics, Experiences, OpEx
37.
Cisco Digital Ceiling
Network Infrastructure
Cisco Switches
• CoAP, PoE, PoE+, UPOE
• Security with ISE
• Converge disparate networks (HVAC,
metering, lighting) into one IP network
Digital
Ceiling
Network
Infrastructure
Applications
Control
Systems
Intelligent
Driver
Sensors
Energy Management
Lighting
Control
API
Building
Management
Smart
Spaces
API
Wi-Fi
Access
Point
Sensors
(Light, Motion,
CO2, BTLE)
Lighting
Building
Automation
HVAC
IP Video
Surveillance
Camera
LED fixtures/
Components
38.
Cisco Validated Designs with Security
39.
40.
Connected Car Security Architect Solution
Smart
Devices
Onboard
Wi-Fi Hotspot
Bluetooth
OEM DC
Telematics
& OTA
Content &
Application
Roadside Networks
(5G, LTE, Satellite)
Device &
Network
Management
Security
Management
Management DC
Vehicle-to-Vehicle
Communication
DSRC Vehicle to Infrastructure (V2I)
Vehicle to Vehicle (V2V)
DSRC
IVN Controller
IVN Controller
Automotive Router, IDS, FW, Mgmt
IP/Ethernet Fabric
CAN2IP Gateway
CAN2IP, CAN IDS
ADAS, Automated Driving,
Infotainment, Analytics, Apps & Services
Ethernet Capable Devices
Video Switch
TALOS
Identity
and NAC DNS Firewall
Umbrella
Shared
intelligence
Shared contextual
and
Response
Mitigation
Consistent policy
enforcement
41.
Challenges:
Data Validity / Duplication
Trusted Inputs and Outputs
1.) Known spoofing practices;
2.) Vehicle GPS accuracy;
3.) Broadcast overlaps.
42.
E2E Security Features Summary
HTTP DNS LDAP NMS
Lighting
Mgmt
Building
Mgmt
Energy
Mgmt
Data Center
Metering
Analytics
802.1X (Authentication)
ECC Certificate
802.1AE (MACsec Encryption)
Key Management
IoT Edge Device
VLAN Traffic Segregation
Switch Port Security Features
IPv4/IPv6 Security Features
(ACL, Storm Control, Spanning
Tree, IPv6 MLD, IPv6 RA)
Device Classification
802.1X/AE Integration
IoT Gateway Node
Authentication Server
Integration
Key Management
Network Monitoring
ISE Profiling
Firewall
End-to-end Security for device authentication, privacy, and data integrity
43.
#CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Policy
Medical NAC
Discover, Control and Protect your Medical Devices
Users
IT/IoT Devices
Medical
Devices
1400+
300+
(Device Type fingerprint number)
ISE
pxGrid
Compliance
Vulnerability
Threat
Industry Specific
Visibility Tool
Control in the Network Fabric
Context directory,
aggregating context
from all sources, native
and external
Checkout our innovation with FDA GUDID @ Innovation Forum
44.
Use Case Themes
• Secure Connectivity
• Threat Control
• Safe Environment
• Secure Remote Access
• What can connect
• What can talk to what
• What is vulnerable
• Protect the vulnerable
• Network protection
• Device protections
• What are the controls for access
• How to secure access
45.
Use Case:
Secure Connectivity
[Segmentation]
46.
Segmentation Everywhere
47.
Original Designs Lack Security /
Or Security Eroded Over Time
48.
The Case for Purposeful Network Design
49.
Security Use Case: Network Segmentation
…and Application Segmentation and Control
50.
Outside the Plant
ABB:
1 – Tech Support for my
pumps;
2 – Gathers telemetry data on
my pump.
GE Predix:
1 – Hosts operating efficiency
apps in cloud.
SAP:
Runs in my enterprise data
center. When will my 4200s be
built?
51. © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
WHAT IS IT
CISCO VISION
CISCO PORTFOLIO
Purpose Built Network Devices
Network Connectivity
CISCO IOT
SYSTEM
Portfolio Depth:
Wired and Wireless, Routing and Switching
Customized
for Industries
Cloud to Fog
Comprehensive Portfolio
Cisco IoT System Network Connectivity
Industrial Switching
IE 2000, 3000
CGS2000
IP67 IE 4000
IE 5000
Industrial Wireless
Field
AP 1552
Manufacturing
WGB/AP
(Rockwell)
Industrial AP
IW 3700 802.11ac
Mobile IP Gateway
Field Network
CGR
1000
819H
809H IR910
IR
509
829H
Industrial
Routing
CGR 2000
ASR 903
ASR 902
Embedded
Networks
5900 ESR
5921 Software
Router
ESS
Switches
52. Industrial Security Baseline *
HARDWARE
Mechanical & Sensors
HARDWARE
Processors & Electronics
SOFTWARE
Applications & Resources
Accelerometer
& Gyroscope
Input Alarm
for Digital Sensors
GPS Asset Tracking
& Geo Fencing
Sim Card
Locking Plate
Trust Anchor Module
(ACT2 Chipset)
Fast Hardware
Based Encryption
Digital Signature
Validation
Code Signing
Application Level
Firewall
Secure Boot
Cisco Process
(CSDL, Vulnerability
Testing, PSIRT,
TALOS Group)
Hosted App
lifecycle security
with Cisco IOX*
* Variations may exist between IE and IR platforms
53.
Industrial IoT Segmentation: How To With What
Routing
Router / Switch
NGFW
IE
Switch
IPS
AppID
TrustSec
IND
ISE
StealthWatch
AnyConnect
CloudLock
OT Insights
54.
Firewall Rules Recommendations
In summary, the following should be considered as recommended practice for general firewall rule sets:
• The base rule set should be deny all, permit none.
• Ports and services between the control network environment and the corporate network should be enabled and permissions granted on a specific case-by-case basis. There should be a documented business justification with risk analysis and a responsible person for each permitted incoming or outgoing data flow.
• All “permit” rules should be both IP address and TCP/UDP port specific, and stateful if appropriate.
• All rules should restrict traffic to a specific IP address or range of addresses.
• Traffic should be prevented from transiting directly from the control network to the corporate network. All traffic should terminate in the DMZ.
• Any protocol allowed between the control network and DMZ should explicitly NOT be allowed between the DMZ and corporate networks (and vice-versa).
• All outbound traffic from the control network to the corporate network should be source and destination-restricted by service and port.
• Outbound packets from the control network or DMZ should be allowed only if those packets have a correct source IP address that is assigned to the control network or DMZ devices.
• Control network devices should not be allowed to access the Internet.
• Control networks should not be directly connected to the Internet, even if protected via a firewall.
• All firewall management traffic should be carried on either a separate, secured management network (e.g., out of band) or over an encrypted network with two-factor authentication. Traffic should also be restricted by IP address to specific management stations.
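As an added example (not from the slides or Cisco), a small Python audit that checks a simplified IDMZ rule set against the recommendations above; the zone prefixes, the Rule format and SAMPLE_RULES are assumptions constructed for illustration.

```python
"""Audit an IDMZ firewall rule set against the recommendations on this slide.
Added example, not Cisco's code; zones, Rule format and SAMPLE_RULES are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone addressing (assumption): control network, DMZ, corporate.
ZONES = {
    "control": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "corporate": ip_network("10.0.0.0/16"),
}


@dataclass
class Rule:
    name: str
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    dport: str           # TCP/UDP port or "any"
    ingress: str         # zone the packet arrives from ("any" for the final deny)
    justification: str = ""   # documented business reason and responsible person


def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone containing it; 'any' or unknown space counts as internet."""
    if cidr == "any":
        return "internet"
    net = ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"


def audit(rules: list[Rule]) -> list[str]:
    """Return one finding per violated recommendation; an empty list means compliant."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src, last.dst) != ("any", "any"):
        findings.append("base rule set must end in deny all, permit none")
    permits = [r for r in rules if r.action == "permit"]
    # Services permitted between control and DMZ must not also cross DMZ <-> corporate.
    control_dmz = {(r.proto, r.dport) for r in permits
                   if {zone_of(r.src), zone_of(r.dst)} == {"control", "dmz"}}
    for r in permits:
        sz, dz = zone_of(r.src), zone_of(r.dst)
        if "any" in (r.src, r.dst) or r.dport == "any" or r.proto not in ("tcp", "udp"):
            findings.append(f"{r.name}: permit rules must be IP address and TCP/UDP port specific")
        if not r.justification:
            findings.append(f"{r.name}: no documented business justification / responsible person")
        if sz != r.ingress:   # anti-spoofing: source must belong to the zone it arrives from
            findings.append(f"{r.name}: source {r.src} is not assigned to ingress zone {r.ingress}")
        if {sz, dz} == {"control", "corporate"}:
            findings.append(f"{r.name}: control <-> corporate traffic must terminate in the DMZ")
        if sz == "control" and dz == "internet":
            findings.append(f"{r.name}: control network devices must not reach the Internet")
        if {sz, dz} == {"dmz", "corporate"} and (r.proto, r.dport) in control_dmz:
            findings.append(f"{r.name}: {r.proto}/{r.dport} is allowed control <-> DMZ, so not DMZ <-> corporate")
    return findings


# Constructed sample rule set: one clean flow, several violations, explicit deny-all last.
SAMPLE_RULES = [
    Rule("historian-to-dmz", "permit", "tcp", "10.10.5.10/32", "10.20.0.5/32", "1433", "control",
         "Historian replication to DMZ mirror; owner: OT lead"),
    Rule("dmz-to-corp-sql", "permit", "tcp", "10.20.0.5/32", "10.0.8.20/32", "1433", "dmz",
         "Mirror to corporate reporting; owner: IT DBA"),
    Rule("eng-ws-internet", "permit", "tcp", "10.10.7.0/24", "any", "443", "control", "Vendor portal"),
    Rule("corp-to-plc", "permit", "tcp", "10.0.3.0/24", "10.10.1.0/24", "502", "corporate"),
    Rule("spoofed-src", "permit", "udp", "10.0.9.9/32", "10.20.0.7/32", "514", "control", "Syslog"),
    Rule("deny-all", "deny", "ip", "any", "any", "any", "any"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```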
55.
Use Case:
Threat Prevention
56.
Kill Chain – ICS Variant
Attacks Start at the IT Side
• Intrusion Phase
• Reconnaissance
• Targeting
• Weaponization
• Develop / Test
• Delivery / Exploit / Persist
• Install
• Modify Systems
• Command and Control
• Attack
• Anti-Forensics
57.
Attacks Can Break
Things…
58.
German Smelter Attack: Attack and Mitigations
Cloud Systems
• What is known:
• Phishing Attack
• Malware
• Access to ICS System
• Shutdown commands
• Damaged smelter
Email / Web Protections
AMP
59.
VPN Filter
60.
VPN Filter
61.
VPNFilter
and
Water Supply
Attack
62.
Security Use Case:
Vulnerability Exploitation / Malware Protection
Sinapsis SQL
injection attempt
Petya Malware /
Ransomware
63.
Industrial Security Appliance 3000 Overview
Transportation, Manufacturing, Energy
Stateful inspection industrial firewall through ASA FW
Industrial protocol (DNP3, Modbus, IEC 60870, CIP)
visibility and rules for known vulnerabilities
Vulnerability protections for ICS, Windows, MES
components, OT applications, NW infrastructure
High-performance VPN, DNS, DHCP, NAT
Hardware bypass, alarm I/O, dual-DC power, rapid set
up via SD card, PTP support in HW
Industrial protocol specific parsing, protocol abuse
control, detect set-point level changes
Certified for power substations, industrial, and railway
and helps meet NERC-CIP, ISA99, IEC 62443, KEMA
High Availability and latency controls
64.
Cisco Talos – ICS Research
<-> PROTOCOL-SCADA IEC 61850 virtual manufacturing device domain variable enumeration attempt (protocol-scada.rules)
<-> PROTOCOL-SCADA IEC 61850 device connection enumeration attempt (protocol-scada.rules)
<-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
<-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
<-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules)
<-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)
<-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
<-> PROTOCOL-SCADA Siemens SIPROTEC V4.24 crafted packet denial of service attempt (protocol-scada.rules)
180+ ICS Vulnerability
Protection Rules in 2017
65.
Talos ICS Security Research
66.
Mitigations – When “Fix it” Has to Wait
Vuln Discovery
Patch Published
Patch Applied?
Maintenance Window / Operation / Maintenance Window
Vulnerability Protection Rule Placed In-Line
67.
Deploying In-Line Security Slowly / Safely
First: Learn Out of Band – via span / Tap – cycle through rules. Provide Flow to Stealthwatch.
Second: Tune rules / see what would hit and potential impacts. Use flow learning for possible ACLs.
Third: Move in-line but with “alert” only. Check latency and other network impacts.
Fourth: Go live and active. Sleep well.
68.
69.
70.
71.
Use Case:
Application Visibility and
Control
[Safety / Security]
72.
Stopping Misconfiguration of a Robot Arm
73.
Protect Critical Infrastructure: Application Control
74.
Security Use Case: Protocol Aware Application Control
75.
OT Pre-Processors – Modbus command inspection
A Modbus rule to prevent a set point change limit > 50 on RTU-0122
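An added example, not Cisco's pre-processor: parsing Modbus/TCP register writes (functions 6 and 16) and applying the slide's set-point limit as a block decision; RTU-0122's IP address, the set-point register number and the sample frames are constructed assumptions.

```python
"""Modbus/TCP set-point inspection in the spirit of the slide's rule
("prevent a set point change limit > 50 on RTU-0122").
Added example, not Cisco's OT pre-processor; the RTU's IP address, the
set-point register and the sample frames are constructed.
"""
import struct

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id

# Constructed policy: protected asset, its set-point holding register, max allowed value.
POLICY = {"asset": "RTU-0122", "ip": "10.10.1.22", "register": 100, "limit": 50}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse MBAP + PDU and return the holding-register writes the request carries."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit = MBAP.unpack_from(frame, 0)
    if proto_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:           # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[MBAP.size:]
    fc = pdu[0]
    msg = {"tid": tid, "unit": unit, "fc": fc, "writes": {}}
    if fc == 6:                            # Write Single Register
        if len(pdu) != 5:
            raise ValueError("bad length for function 6")
        addr, value = struct.unpack(">HH", pdu[1:5])
        msg["writes"] = {addr: value}
    elif fc == 16:                         # Write Multiple Registers
        if len(pdu) < 6:
            raise ValueError("bad length for function 16")
        addr, qty, byte_count = struct.unpack(">HHB", pdu[1:6])
        if byte_count != 2 * qty or len(pdu) != 6 + byte_count:
            raise ValueError("byte count inconsistent with quantity")
        values = struct.unpack(f">{qty}H", pdu[6:])
        msg["writes"] = dict(zip(range(addr, addr + qty), values))
    return msg


def evaluate(dst_ip: str, frame: bytes, policy: dict = POLICY) -> str:
    """Verdict an inline rule would give: 'allow...' or 'block: <reason>'."""
    try:
        msg = parse_modbus_tcp(frame)
    except (ValueError, struct.error) as err:
        return f"block: malformed Modbus ({err})"
    if dst_ip != policy["ip"]:
        return "allow: not a protected asset"
    value = msg["writes"].get(policy["register"])
    if value is not None and value > policy["limit"]:
        return (f"block: set point {value} > {policy['limit']} on "
                f"{policy['asset']} (function {msg['fc']})")
    return "allow"


def build_frame(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Prepend an MBAP header; used only to construct the sample frames below."""
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample requests to unit 1 (function code, register, value...).
FRAMES = {
    "single_ok": build_frame(1, bytes.fromhex("06 0064 002A")),      # FC6 reg 100 := 42
    "single_high": build_frame(1, bytes.fromhex("06 0064 004B")),    # FC6 reg 100 := 75
    "multi_high": build_frame(1, bytes.fromhex("10 0063 0003 06 000A 0050 0005")),  # FC16 regs 99..101
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(name, "->", evaluate(POLICY["ip"], frame))
```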
76.
Data Center Equipment
77.
Data Centers: Connected or Disconnected Systems
Cooling, Power, Fire
78.
Data
Center
UPS
Example:
APC /
Schneider
79.
80.
Use Case:
Remote Access
[A Brief Mention]
81.
Security Use Case: Remote Access
Application Visibility And Control
Cross Boundary Policy
Asset Access Control and QOS
Trusted Contractor maintains new pump on floor
82.
Remote
Access
Guidance
DHS
For Your
Reference
83.
Remote Access in Contracts:
• Ver.10 XXXX Maintenance Support Agreement
• SERVICE AGREEMENT TERMS AND CONDITIONS
• XXXXX, a division of YYYYY North America Corporation (“ZZZZZ”) will perform the services (“Services”) listed below and on the above pages of this service agreement and any exhibits ("Exhibits") attached to it (together, the “Agreement”) under the following terms and conditions:
• 4. Customer’s Responsibility
• Throughout the term of this Service Agreement, Customer agrees to:
• c. provide suitable remote access to the System to enable ZZZZZ to perform its services hereunder, including but not limited to VPN access to the System;
• d) REMOTE SERVICE. For on-site options, if remote Service is available, the Customer will allow NNN to keep diagnostic and maintenance programs resident on Customer's system or site for the exclusive purpose of performing diagnostics and repair. The Customer has no ownership interest in this software provided by NNN. NNN may remove these programs and any NNN-loaned equipment upon termination of coverage. Customer's system must be configured to permit access. For NNN to provide remote Service, the Customer must allow NNN remote access to eligible NNN systems using the appropriate protocol and method supported by that system. The Customer must provide the necessary equipment designated for that protocol and method of communication to provide remote access to the eligible NNN system. NNN will advise the Customer what is required at the time of installation.
84.
Security Flowdown
DFARS 252.204-7012 (b) Adequate Security. The
Contractor shall provide adequate security on all
covered contractor information systems.
85.
Physical / Cyber
Relationship
86.
Cisco Physical Security
87.
Industrial Station Security Stages:
Phy-Cyber Access
88.
Need More?
Services for Security
89.
Services
Design, Assess risk, Incident response, Support
90.
Now What?
91.
First
• Update your network
• Gain a view of the network and applications
• Establish NW access control that reflects the application paths
Second
• Protect the FULL technology stack
• From IDMZ to Cell
• From Factory to Cloud
• Determine what is truly necessary
Third
• Get Help
• IT for IT technologies
• Look at design guides
• Consider external services
• Act
• Commit to making change
92.
Industrial
Security
Newsletter
93.
Questions, Concerns?
ralbach@cisco.com