Rockwell Automation System Security Design Guidelines Reference Manual

Original Instructions

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

Rockwell Automation Publication SECURE-RM001E-EN-P - March 2021

 

Table of Contents

Preface
    How Can I Get Help To Manage My Security Risk?
    Summary of Changes
    Additional Resources

Chapter 1 - Vulnerabilities
    How Rockwell Automation Handles Vulnerabilities
        Report a Suspected Product Vulnerability
    Public Vulnerability Disclosure
    Supply Chain Vulnerabilities
    Threat Model

Chapter 2 - System Security
    Security Basics
        Security Standards
        Defense-in-Depth Security
        Notifications That Rockwell Automation Provides
    Security with Rockwell Automation Products
        Standard Security Components

Chapter 3 - Secure Networks and Communication
    Converged Plantwide Ethernet (CPwE)
    Logical Zones
    Network Firewalls
        Deep Packet Inspection
    Industrial Demilitarized Zone (IDMZ)
        Control Access to the Industrial Zone
        Remote Desktop Gateway
    Industrial Firewall Zones
        Stratix 5950 Security Appliance
        Control Device Communication Ports
    Switch and Routing Platforms
        Stratix Managed Switches
    Secure Communications
        CIP Security
    Wireless Connectivity
    Additional Resources

Chapter 4 - Harden the Control System
    Patch Management
        Microsoft Patches
    Product Change Management
        Hardware Series
        Software and Firmware Versions
    Workstation Hardening
        FactoryTalk Directory Application
        Physical Access
    Device Hardening
        Digitally Signed Firmware and Software
        High Integrity Add-On Instructions
    Additional Resources

Chapter 5 - Manage User Access
    FactoryTalk Services Platform
    Control Data Access
        FactoryTalk Administration Console Software
        Studio 5000 Logix Designer Application
    FactoryTalk Security Software
        Policies and Actions
        Centralized Security Authority
        Security Authority Identifier (SAID)
    FactoryTalk View Site Edition
    Protect Controller Logic
        License-based Source and Execution Protection
    Additional Resources

Chapter 6 - Monitor and Recover
    Audit and Change Management with FactoryTalk AssetCentre Software
    Backups via FactoryTalk AssetCentre Software
    Component Change Detection and Logging for Controllers

Chapter 7 - Disposal Guidelines

Appendix A - History of Changes
    SECURE-RM001D-EN-P, March 2020
    SECURE-RM001C-EN-P, December 2019
    SECURE-RM001B-EN-P, April 2019

Preface

How Can I Get Help To Manage My Security Risk?

This publication provides guidelines for how to use Rockwell Automation products to improve the security of your industrial automation system.

For information on patch management options, security advisory details, and general news and awareness on industrial security from the Rockwell Automation Office of Product Safety and Security, see the Industrial Cybersecurity capabilities web page.

The Knowledgebase Technote Industrial Security Advisory Index points to specific product security alerts, advisories, and recommendations. Subscribe to this index to receive notifications.

To address specific concerns, or to report issues, contact us at secure@ra.rockwell.com. Communicate securely via our PGP Public Key Block.

Rockwell Automation Network & Security Services consulting services are available to help customers assess and improve the state of security of industrial control systems that use Rockwell Automation and other vendor control products. We provide a holistic approach to manage your network infrastructure and security throughout its lifecycle. For more information, see Industrial Cybersecurity Services.

Summary of Changes

This manual contains the following new information as indicated.

Topic | Page
New chapter on vulnerabilities, how to report suspected vulnerabilities, and how Rockwell Automation responds to reports. | 7
Updates to patch management | 31
Updates to version descriptions for software and firmware | 33

Additional Resources

These documents contain additional information concerning related products from Rockwell Automation.

Resource | Description
Security Configuration User Manual, SECURE-UM001 | Describes how to configure and use Rockwell Automation products to improve the security of your industrial automation system.
CIP Security with Rockwell Automation Products Application Technique, SECURE-AT001 | Describes how to implement the Common Industrial Protocol (CIP™) Security standard in your control system.
Converged Plantwide Ethernet (CPwE) Design and Implementation Guide, publication ENET-TD001 | Provides guidelines for how to design, implement, and manage industrial Ethernet networks.
Industrial Firewalls within a Converged Plantwide Ethernet Architecture White Paper, publication ENET-WP011 | Provides guidelines for how to implement industrial firewalls.
Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture Design and Implementation Guide, publication ENET-TD002 | Outlines use cases for how to design, deploy, and manage industrial firewalls.
Guidelines on Firewalls and Firewall Policy | Recommendations of the National Institute of Standards and Technology
Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1 | Provides general guidelines for how to install a Rockwell Automation industrial system.
Product Certifications website, http://www.rockwellautomation.com/global/certification/overview.page | Provides declarations of conformity, certificates, and other certification details.

You can view or download publications at http://www.rockwellautomation.com/global/literature-library/overview.page.

To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative.

Chapter 1

Vulnerabilities

A vulnerability is a flaw or weakness in a product or system that can be exploited to compromise product or system confidentiality, integrity, or availability.

Risk and vulnerability assessments are the starting point for any security policy implementation. Vulnerability assessments examine your situation from technologies, policies, procedures, and behaviors. An assessment provides a picture of your current security posture (current risk state) and what you need (mitigation techniques) to get to a preferred state (acceptable risk state). Rockwell Automation recommends the formation of a multi-discipline team of operations, engineering, IT, and safety representatives to collaborate in the development and deployment of your industrial security policy.

A vulnerability assessment provides, at a minimum:

• An inventory of existing devices and software.
• Detailed observation and documentation of intended system operation.
• Identification of possible vulnerabilities.
• Prioritization of each vulnerability based on the impact and exploitation potential.

The Common Vulnerability Scoring System (CVSS) is a free, open industry standard for assessing the severity of vulnerabilities. Rockwell Automation includes CVSS-based scores in Product Security Advisory notices to help customers assess their risk and exposure, including how to prioritize responses and resources according to a specific threat. For more information, see Common Vulnerability Scoring System Specification Document.

The outcome of a vulnerability assessment can include mitigation techniques that bring an operation into an acceptable risk state.

Actions that are taken after a risk assessment can include the following:

• New firewall controls
• New switch ports to lock down
• Stronger password policies
• Removal of unused software programs
• Improved procedures for managing the connection of external devices, such as USB devices
• New or patched versions of firmware or software

How Rockwell Automation Handles Vulnerabilities

Rockwell Automation recognizes the importance of security in industrial control systems and is investing in its products, people, partnerships, and integrated consulting services (Network & Security Services – NSS) to enhance the security in our products and maintain productivity. Rockwell Automation provides detailed and actionable information about security vulnerabilities to help customers make informed decisions on what steps they need to take to improve their security.

Report a Suspected Product Vulnerability

Rockwell Automation encourages submissions of suspected vulnerabilities as soon as they are discovered. Rockwell Automation maintains a formalized process to identify, assess, and remediate reported vulnerabilities for those products that are in the Active or Active Mature state.

The Product Security Incident Response Team (PSIRT) at Rockwell Automation responds to suspected vulnerabilities within Rockwell Automation products. Reporters are strongly encouraged to file a vulnerability report with the PSIRT via email at secure@ra.rockwell.com.

The PSIRT works with reporters to understand and validate reports. The PSIRT:

• Requests that the reporter keep any communication confidential
• Assigns a tracking ID to the vulnerability report
• Reviews and responds, usually within two business days
• Advises the reporter of significant changes in the status of any vulnerability reported to the extent possible without revealing information provided to us in confidence
• Works to remediate reported vulnerabilities in a timely manner.

The Rockwell Automation PSIRT encourages the encryption of sensitive information prior to sharing over email. To request instructions on how to use our public key, contact us at secure@ra.rockwell.com.

The Rockwell Automation PSIRT may contact the reporter via email or another agreed-upon communications mechanism throughout the disclosure process.

Public Vulnerability Disclosure

The PSIRT asks that reporters adhere to the following:

• Play by the rules. This includes following the guidelines, as well as any other relevant agreements.
• Report any vulnerability discovered promptly.
• Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience.
• Use only our PSIRT email to discuss vulnerability information with us, unless otherwise agreed upon with the PSIRT.
• Keep the details of any discovered vulnerabilities confidential until Rockwell Automation identifies a resolution.
• If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required to demonstrate the issue. Cease testing and submit a report immediately if you encounter any user data during testing, such as personally identifiable information (PII), personal healthcare information (PHI), credit card data, or proprietary information.
• Only interact with test accounts you own or with explicit permission from the account holder.
• Do not engage in extortion.
• Comply with all applicable laws.

The PSIRT discloses vulnerability details, mitigations, and solutions via the Knowledgebase Technote Industrial Security Advisory Index.

You can find additional information on the Industrial Cybersecurity capabilities web page.

Rockwell Automation recognizes the hard work of reporters and provides recognition within the advisories, unless otherwise specified. We recognize reporters if they are the first to report a unique vulnerability and the report triggers a product change.

The Rockwell Automation Vulnerability Disclosure Policy draws on the United States Core Terms compiled by disclose.io, the vulnerability disclosure guidance set forth by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, and ISO 29147 and ISO 30111, which define standards for receiving and processing vulnerability reports. Rockwell Automation defines a reporter as an individual or organization that notifies a vendor or coordinator of a suspected product vulnerability. Coordinators, on the other hand, are defined as an individual or organization that coordinates vulnerability information to affected parties.

When conducting vulnerability research according to this policy, Rockwell Automation considers the research to be:

• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws). Rockwell Automation will not initiate or support legal action against you for accidental, good faith violations of this policy.
• Exempt from the Digital Millennium Copyright Act (DMCA). Rockwell Automation will not bring a claim against you for circumvention of technology controls.
• Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research. Rockwell Automation waives those restrictions on a limited basis for work done under this policy.
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please email secure@ra.rockwell.com before going any further.

Supply Chain Vulnerabilities

Rockwell Automation also prioritizes supply-chain vulnerabilities, especially if a vulnerability affects more than one Rockwell Automation product. The PSIRT accepts reports regarding third-party components if the vulnerabilities are disclosed in a multi-party, coordinated effort supported by a third-party coordinator such as DHS CISA or the CERT/CC.

Threat Model

Threat modeling is a procedure to analyze network, application, and physical security. A threat model identifies objectives and vulnerabilities, and then defines countermeasures to mitigate the effects of threats to the system.

1. Describe the assets to protect.

Create classes of assets and information that you want to protect. For example, a controller, the controller configuration, or recipe data in the controller. Be as specific as possible. For example, include the following:

• serial number
• MAC ID
• IP address
• user access
• device dependencies

Prioritize the assets. Define the type of protection for each asset - confidentiality, integrity, or availability.

2. Describe the policies that govern the assets

The policies are typically control-based in that they define who can do what to which asset. Other policies can define attributes such as asset availability, version control, or confidentiality requirements.

Because policies are written in a general manner, they are supported with procedures, standards, and guidelines to provide the details on how to implement, enforce, and monitor the policy.

3. Characterize the assets and their supporting systems

Examine the assets in their information systems and identify information flows that affect the assets. Characterize the systems and software that are part of the information flow.

• How are the assets accessed?
• Who can copy, move, or modify them?
• What methods can be used to interact with them?
• Do they exist in multiple locations?
• How are multiple copies synchronized?

4. Identify threats to the assets

For each asset, identify how and where to enforce the policy that governs the asset. Based on the type of protections for the asset, examine the information flows, systems characterizations, and enforcement mechanisms. Identify potential threats (such as threats to confidentiality, threats to integrity, and threats to availability).

For example:

• ‘System goes off line’ is a threat to availability.
• ‘Database synchronization fails’ is a threat to integrity.

5. Characterize the threats

For each threat, enumerate the mechanisms (vulnerabilities) that can cause the potential threat to become an actual threat. Keep the vulnerabilities as broad as possible in scope.

6. Visualize

Use a network diagram and overlay system information, asset locations, information flows, enforcement points, and vulnerabilities. Annotate the diagram with available resources (people, money, equipment).

Use this visualization as a method to divide the system into manageable pieces. This visualization also shows relationships and possible consequences when you make changes.

7. Strategize

Use the visualization to find:

• Patterns that suggest enterprise-wide solutions rather than local or point solutions.
• Interactions of resources and ease of affecting the network.
• Possibilities of vulnerabilities being exploited.

Develop backup and restore procedures.

Group vulnerabilities and their locations. Identify methods to address as many of the vulnerabilities as possible with one change or small set of changes.

Remember that not all vulnerabilities need new technology to address the issues. Proper configuration, privilege, and access control are key, and can often be improved without harming production facilities.

8. Verify

• Map every proposed change directly to a threat to an asset.
• Make sure that the change does not introduce a new threat to another asset.
• Verify that no policy enforcement point can be circumvented.
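
The eight steps above, carried through on a small constructed system as an added example (not code from the Rockwell Automation manual). The asset, flow, threat, and change names are assumptions chosen for illustration, and the greedy selection in strategize() is one simple way to find a small set of changes, not a method the manual prescribes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:                    # step 1: what to protect, its priority and protection type
    name: str
    priority: int               # 1 = highest
    protection: frozenset       # subset of confidentiality / integrity / availability

@dataclass(frozen=True)
class Flow:                     # step 3: an information flow that reaches an asset
    source: str
    asset: str
    enforcement_points: tuple   # step 4: where policy is enforced on this flow

@dataclass(frozen=True)
class Threat:                   # steps 4-5: a threat and the vulnerabilities behind it
    tid: str
    asset: str
    kind: str                   # confidentiality, integrity, or availability
    vulnerabilities: frozenset

@dataclass(frozen=True)
class Change:                   # step 7: a proposed countermeasure
    name: str
    closes: frozenset           # vulnerabilities the change addresses
    introduces: tuple = ()      # (asset, kind) threats the change would create

def strategize(threats, changes):
    """Step 7: pick changes greedily so each one closes the most open vulnerabilities."""
    open_vulns = set()
    for t in threats:
        open_vulns |= t.vulnerabilities
    plan, candidates = [], list(changes)
    while open_vulns and candidates:
        best = max(candidates, key=lambda c: len(c.closes & open_vulns))
        if not best.closes & open_vulns:
            break                       # no remaining change helps; vulnerabilities stay open
        plan.append(best.name)
        open_vulns -= best.closes
        candidates.remove(best)
    return plan, sorted(open_vulns)

def verify(assets, flows, threats, changes):
    """Step 8: return findings; an empty list means every check passed."""
    known = {a.name: a for a in assets}
    findings = []
    for t in threats:
        if t.asset not in known:
            findings.append(f"threat {t.tid}: unknown asset {t.asset}")
        elif t.kind not in known[t.asset].protection:
            findings.append(f"threat {t.tid}: {t.kind} not a protection type of {t.asset}")
    for c in changes:
        if not any(c.closes & t.vulnerabilities for t in threats):
            findings.append(f"change '{c.name}': maps to no threat")
        for asset, kind in c.introduces:
            if asset in known and kind in known[asset].protection:
                findings.append(f"change '{c.name}': introduces {kind} threat to {asset}")
    for f in flows:
        if not f.enforcement_points:
            findings.append(f"flow {f.source} -> {f.asset}: no enforcement point")
    return findings

# Constructed sample data (illustrative names, not from the manual).
fs = frozenset
ASSETS = [
    Asset("controller", 1, fs({"availability", "integrity"})),
    Asset("recipe data", 2, fs({"confidentiality", "integrity"})),
    Asset("historian database", 3, fs({"integrity", "availability"})),
]
FLOWS = [
    Flow("engineering workstation", "controller", ("industrial firewall",)),
    Flow("USB device", "recipe data", ()),
]
THREATS = [
    Threat("T1", "controller", "availability",       # 'System goes off line'
           fs({"unused switch ports enabled", "shared engineering account"})),
    Threat("T2", "recipe data", "integrity",
           fs({"shared engineering account", "no change audit trail"})),
    Threat("T3", "historian database", "integrity",  # 'Database synchronization fails'
           fs({"no tested backup and restore procedure"})),
]
CHANGES = [
    Change("Stronger password policy", fs({"shared engineering account"}),
           introduces=(("historian database", "availability"),)),  # assumed side effect
    Change("Individual accounts with audited access",
           fs({"shared engineering account", "no change audit trail"})),
    Change("Lock down unused switch ports", fs({"unused switch ports enabled"})),
    Change("Backup and restore procedure", fs({"no tested backup and restore procedure"})),
    Change("Replace operator panels", fs({"aging panel hardware"})),
]

if __name__ == "__main__":
    for a in sorted(ASSETS, key=lambda a: a.priority):
        print(a.priority, a.name, sorted(a.protection))
    plan, still_open = strategize(THREATS, CHANGES)
    print("plan:", plan, "still open:", still_open)
    for finding in verify(ASSETS, FLOWS, THREATS, CHANGES):
        print("finding:", finding)
```

On this sample data the plan covers every listed vulnerability with three changes, and the verify step reports one change with a side effect on another asset, one change that maps to no threat, and one flow that bypasses all enforcement points.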

Chapter 2

System Security

Just as the nature of manufacturing and industrial operations has changed, so have the security risks. More connected operations can create more potential entrance points for industrial security threats. Threats can come in many forms – physical versus digital, internal versus external, or malicious versus unintentional.

[Figure: network diagram with the labels Internet, Plant/Enterprise LAN, Firewall, Levels 4 and 5, Process LAN, Level 3, and Levels 0…2]

In the industrial automation and control system (IACS), follow common industry standards, such as the Purdue Enterprise Reference Architecture model, to define:

• Security zones - those assets that have the same security requirements
• Trusts within security zones - relationships between assets that support identification, authentication, accountability, and availability.

Security Basics

Industrial security must address a wide range of concerns, including:

• Safeguard intellectual property and other valuable information.
• Safeguard operations from intrusions that could impact productivity, product quality, operator safety, or the environment.
• Maintain critical infrastructure systems, especially systems in regulated areas like energy and water/wastewater management.
• Maintain high-availability traffic policies for networks.
• Enable and control remote access to industrial operations.

Industrial security must be comprehensive. Extend security policies from the enterprise through the plant level and to end devices. Address risks across your people, processes, and technologies. Involve collaboration between IT and OT personnel for design, management, and regular communication on expected system functional requirements and policy compliance.

A robust approach to security includes the development and implementation of the appropriate activities to complete the following steps:

• Identify the cybersecurity risk to systems, assets, data, and capabilities.
• Protect critical infrastructure services.
• Detect cybersecurity events.
• Respond to a detected cybersecurity event.
• Recover from and restore any capabilities or services that were impaired due to a cybersecurity event.

Cybersecurity is the collection of technologies, processes and practices that help protect networked computer systems from unauthorized use or harm. Cybersecurity addresses cyberattacks, which are offensive in nature and emphasize network penetration techniques, and cyber-defenses, which are defensive in nature and emphasize counter-measures intended to help eliminate or mitigate cyberattacks.

The main goals of cybersecurity in an industrial setting:

• Availability: maintain and never give up control in a control system
• Confidentiality: protect proprietary information and only let individuals with a need-to-know have access to the information
• Integrity: ensure that the information flowing through the system has not been tampered with

Security Standards

There are a number of resources that organizations can use as a basis to manage security and risk within the IACS. These resources can help organizations develop a security management program.

Resource | Description
ISA/IEC 62443 Standard | Industrial Automation and Control Systems (IACS) Security (formerly ISA-99). This standard addresses network and system security and defines the provision of multiple security protections, especially in layers, with the intent to delay, if not block, an attack. This standard also recommends password structures.
NIST 800-82 Framework | Guide to Industrial Control Systems (ICS) Security. This framework provides recommendations for securing an IACS. The standard covers the use of firewalls, the creation of demilitarized zones and intrusion detection capabilities, along with effective security policies, training programs, and incident response mechanisms.
NIST Cybersecurity Framework | This framework provides guidelines that help organizations align cybersecurity activities with business requirements, risk tolerances, and resources.
NCCIC Agency | National Cybersecurity and Communications Integration Center. This agency provides recommendations for secure architecture design.

The United States Department of Homeland Security (DHS) includes the Cybersecurity & Infrastructure Security Agency (CISA). CISA manages a repository of alerts, advisories, and reports (ICS-CERT) for industrial control systems.

• Alerts: provide timely notification to critical infrastructure owners and operators concerning threats to critical infrastructure networks.
• Advisories: provide timely information about current security issues, vulnerabilities, and exploits.
• Reports: provide Technical Information Papers (TIPs), Annual Reports (Year in Review), and 3rd-party products applicable to industrial control system owners/operators.
• Newsletters: periodic publication of security news and information applicable to industrial control system owners/operators.

For more information, see Cybersecurity and Infrastructure Security Agency > Industrial Control Systems.

Defense-in-Depth Security

Industrial security is best implemented as a complete system across your operations. Common to security standards is the concept of defense-in-depth (DiD). DiD security establishes multiple layers of protection based on diverse technologies through physical, electronic, and procedural safeguards. Just like a bank uses multiple security measures – such as video cameras, a security guard, and a vault – DiD helps make sure that threats encounter multiple lines of defense. DiD also assumes the implementation of cybersecurity policies that include operations planning, user training, and physical access security measures.

A defense-in-depth security approach consists of six main components:

• Policies and Procedures
• Physical
• Network
• Computer
• Application
• Device

Defense-in-depth employs a comprehensive approach to leverage multiple methods to mitigate risks. To apply defense-in-depth, understand the relationship of intruders (threats and threat actors) and vulnerabilities to the controls (standards, detection methods, and countermeasures).

A threat actor, through intent, capability, or opportunity, poses a threat to the IACS when the threat compromises operations, personnel, or technology and exploits an existing weakness or vulnerability. Base countermeasures on best practices, standards, and established company security policies. Countermeasures protect critical assets through multiple layers of defense. Organizations must constantly adjust and refine security countermeasures to maintain protection against known and emerging threats.

Notifications That Rockwell Automation Provides

Rockwell Automation provides these types of product notices.

Notification: Product Safety Advisory (PSA)
Description: Issued when a product failure may result in significant loss of capital equipment, personal injury, or death.
Customer Action: Required

Notification: Product Notice (PN)
Description: Issued when a product failure may result in significant commercial loss or customer dissatisfaction.
Customer Action: Strongly Recommended

Notification: Product Security Advisory
Description: Issued for security alerts and security recommendations where such risks stem from cyber-attacks. These advisories are intended to raise customer awareness of risks to affected product operation or performance and also supply relevant recommendations for how to reduce or remove the risk associated with a vulnerability.
Customer Action: Strongly Recommended

Security with Rockwell Automation Products

Security is not a static end state; it is an interactive process. No single product, methodology, or technology fully secures control networks. The remaining chapters in this reference manual highlight Rockwell Automation products that help manage:

Identification, authentication, and user access

Network segmentation and data flow

Data confidentiality

System integrity

Resource availability and response to events


Standard Security Components

In addition to the Rockwell Automation products described in this publication, there are also references to these additional technologies.

Component: Microsoft® Active Directory service
Description: Use Active Directory for authentication and authorization in a Windows domain. Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. A server that runs the Active Directory Domain Services (AD DS) is called a domain controller. The domain controller authenticates and authorizes all users and computers in a Windows domain network. The domain controller assigns and enforces security policies for all computers and software updates.

Component: RADIUS protocol
Description: You can use the Remote Authentication Dial-In User Service (RADIUS) protocol to manage access to the Internet or internal networks, wireless networks, and integrated email services. The RADIUS protocol is a network protocol that provides centralized authentication, authorization, and accounting (AAA) management for users. The RADIUS protocol is often used by Internet service providers (ISPs) and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated email services.

Component: Cisco® TACACS+ protocol
Description: You can use the Cisco Terminal Access Controller Access-Control System Plus (TACACS+) to manage remote authentication for networked access control through a centralized server. The Cisco TACACS+ protocol manages authentication, authorization, and accounting (AAA) services. The TACACS+ protocol uses the Transmission Control Protocol (TCP). Since TCP is a connection-oriented protocol, TACACS+ does not have to implement transmission control. TACACS+ encrypts the full content of each packet.

Component: IEEE 802.1x authentication
Description: You can use 802.1x authentication to manage port-based access for devices that want to connect to a network. 802.1x authentication secures communication between authenticated and authorized devices. You can connect this access control to the Active Directory to create a central administration connection for both network management and network access. This access control is the preferred method to create a central network access layer.
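The TACACS+ entry above says the protocol protects packet contents. The following added example (not from this manual or from Rockwell Automation) shows which bytes that covers under RFC 8907: the 12-byte header stays readable, and the body is XORed with an MD5-derived pad keyed by the shared secret. The key, session ID, and body are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import struct

HEADER_LEN = 12
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # RFC 8907: body travels in cleartext when set


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte header, which is never obfuscated."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than a TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    if length != len(packet) - HEADER_LEN:
        raise ValueError("length field does not match body size")
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def pseudo_pad(hdr: dict, key: bytes) -> bytes:
    """MD5 chain over session_id, key, version, seq_no and the previous block."""
    seed = struct.pack("!I", hdr["session_id"]) + key + bytes(
        [hdr["version"], hdr["seq_no"]])
    pad, block = b"", b""
    while len(pad) < hdr["length"]:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:hdr["length"]]


def xor_body(packet: bytes, key: bytes) -> bytes:
    """Apply the pad to the body; the same call obfuscates and recovers it."""
    hdr = parse_header(packet)
    pad = pseudo_pad(hdr, key)
    body = bytes(b ^ p for b, p in zip(packet[HEADER_LEN:], pad))
    return packet[:HEADER_LEN] + body


def body_is_cleartext(packet: bytes) -> bool:
    """Defender check: flag set means AAA data crosses the network unprotected."""
    return bool(parse_header(packet)["flags"] & TAC_PLUS_UNENCRYPTED_FLAG)


# Constructed sample values, not captured traffic.
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_BODY = b"constructed body: user=operator1 port=tty0"
SAMPLE_CLEAR = struct.pack("!BBBBII", 0xC0, 0x01, 1, 0, 0x1A2B3C4D,
                           len(SAMPLE_BODY)) + SAMPLE_BODY
SAMPLE_WIRE = xor_body(SAMPLE_CLEAR, SAMPLE_KEY)
```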

 

 
