
Cybersecurity for the Industrial Internet
Marco Stangalino
mstangal@cisco.com
Two Worlds Converging

Security is the Top Driver


© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
IT-OT collaboration is vital for securing ICS

IT (drives best practices, fights cyber attacks):
• Cybersecurity skills
• Network hygiene
• Security policies
• Detection & remediation

Industrial network traffic (shared by OT and IT)

OT (ensures production continuity, defines behavioral baselines):
• Industrial process skills
• Operational events context
• Asset criticality levels
• Equipment configuration
Context is key to securing any environment

• SecOps lack context to industrial processes
• Security policies implemented without context cause downtime
IEC 62443 architectural framework

Framework Nazionale per la Cybersecurity e la Data Protection (Italian national framework for cybersecurity and data protection)

The 4-step journey to secure your industrial network

1. Environment discovery: identify all your industrial assets to build the right security strategy.
2. Policies definition: isolate networks to build zones and conduits so that attacks cannot spread.
3. Live threat detection: detect IT intrusions and abnormal OT behaviors to maintain process integrity.
4. Integrated IT/OT SOC: gain a holistic view on security events to ease investigation & remediation.

Gain visibility on your OT to build and enforce the right security policies
Cisco’s product focus for IoT
Security across the data and control stack:
• Applications
• Analytics
• Data Mgmt. and Control: Edge Computing; IoT Mgmt. and Automation
• Networking: Industrial Switching; IoT Gateways/Compute; Industrial Routing; Sensor Networking (LoRa/Mesh); Industrial Wireless; Industrial Security; Industrial Control Center
• Sensors/Devices
Foundational Components of Industrial Security

Cyber Vision: operational insights and cyber threat detection
• OT asset inventory
• Track industrial processes
• Detect attempts to modify assets

ISA 3000: industrial firewall
• Prevent propagation of threats with best-of-breed industrial protocol IPS/IDS

SecureX Threat Response: threat investigation and remediation
• Enable the IT SOC to investigate industrial threats through integration with Cyber Vision and the ISA3000

Powered by Cisco TALOS threat intelligence

Cisco Cyber Vision
Security that scales with your network infrastructure

Cyber Vision Center (centralized analytics): operational insights for OT, threat detection for IT. Sensors send application flows to the Center.

Hardware sensor (SPAN based to support brownfield): IC3000 Industrial Compute
Network sensors (Deep Packet Inspection built into network elements, eliminating the need for SPAN): IE 3400 Switch, IE 3400 Heavy Duty, IR 1101 Gateway, Catalyst 9000 Series Switch

ISA3000 Industrial Security Appliance
Protect your industrial networks against increasingly complex threats

• Benefit from industry-leading, advanced threat intelligence
• Leverage built-in, comprehensive next-generation IPS
• Streamline security policy and device management across your sites
• Detect, investigate, and remediate across the IT-OT integrated security portfolio

Cisco Firepower Threat Defense technology packaged in a ruggedized form factor built for OT use cases

SecureX Threat Response
• Cisco’s cloud platform to accelerate threat hunting and incident response
• Detect, investigate, and remediate across multiple integrated security technologies
• FREE with existing Cisco Security licenses
Cisco Talos

Threat Intelligence: Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers.

Incident Response: Cisco Talos Incident Response provides a full suite of proactive and reactive services to help you prepare, respond and recover from a breach. With Talos IR, you have direct access to the same threat intelligence available to Cisco.
Foundation Security Architecture in Manufacturing

Architecture diagram (recoverable labels only):
Purdue level 4 & 5, Enterprise Zone: Security Operations Center with FMC, SecureX, SIEM, CGC Center
Industrial De-Militarized Zone (IDMZ): NGFW
Purdue level 3, Manufacturing Operations Zone: Cyber Vision Center, industrial aggregation, sensors
Purdue level 0-2, Cell/Area Zone: SCADA/HMI, ISA3000 firewalls, HMIs, IE switches (sensors), IC3000 on SPAN, PLC/RTU/IED, SIS

Discover: asset visibility, application flows
Segment: control access, create zones
Detect: vulnerabilities, anomalies, intrusion
Respond: investigate, remediate

Foundational Security Architecture in Electric Utilities

Architecture diagram (recoverable labels only):
Operations Center / Control Center: Security Operations Center with Cyber Vision, FMC, SecureX, SIEM; SCADA app servers; NGFW; sensor
WAN: SP cellular backhaul, private WAN
Transmission grid substations: ISA3000 firewalls, HMI, IC3000 on SPAN, IE switches (sensors), bay controllers, RTU, relay, IED, MU
Distribution grid: IR1101 gateways (sensors), feeder devices: SI (Smart Inverter), CB (Capacitor Bank), VR (Voltage Regulator)

Discover: asset visibility, application flows
Segment: control access, create zones
Detect: vulnerabilities, anomalies, intrusion
Respond: investigate, remediate
Foundational Security Architecture in Oil and Gas

Architecture diagram (recoverable labels only):
Operations Center / Control Center: OT apps; Security Operations Center with Cyber Vision, FMC, SecureX, SIEM; SCADA app servers; sensor
WAN: SP cellular LTE backhaul
Downstream (plant/refinery): ISA3000 firewall, switch stacks, IE3400 switches (sensors), IC3000 on SPAN, valves, actuators, sensors
Midstream and upstream: IR1101 gateways (sensors), compressors/pumps/valves

Discover: asset visibility, application flows
Segment: control access, create zones
Detect: vulnerabilities, anomalies, intrusion
Respond: investigate, remediate
Cisco Industry Validated Designs
Simplicity, Security, Scalability

Industry Cisco Validated Designs (CVDs):
• Manufacturing: Industrial Automation (NEW), Plant Wide Connectivity, Factory Security, Factory Wireless (NEW)
• Power Utilities: Substation Automation, Smart Metering, Distribution Automation
• Energy: Industrial Automation, Connected Pipeline, Refinery and Process Plants – Jan 2020
• Transportation: Connected Rail, Connected Mass Transit, Connected Roadways
• Smart Cities: Lighting, Parking, Environment, Safety and Security, Connected Communities Infrastructure (NEW)
• Cross-industry: Extended Enterprise (NEW), Remote and Mobile Assets (NEW)

Proven Integrations

Meeting Stakeholder Needs
Ensuring success from
POC to IoT scale deployments!

The Trifecta of Stakeholders

• CSO: chooses the ICS security solution
• IT: tasked with deploying the solution
• OT: must approve what gets deployed

Choice of security solution impacts all stakeholders

Meeting the needs of IT

Typical ICS detection solutions depend on SPAN
Hidden costs of port mirroring

Diagram: industrial switch → SPAN traffic → server appliance (industrial protocol DPI based passive monitoring of SPAN traffic)

• Out-of-band SPAN requires an expensive collection network
• Inline SPAN causes jitter which impacts control system performance
• Sending SPAN traffic over 3G/LTE WAN links is cost prohibitive
• Space constrained locations cannot house extra hardware sensors

Cisco Cyber Vision
Visibility built into your network infrastructure

Diagram: Cyber Vision Center receives lightweight application-flow metadata from sensors in the ICS network

• Cyber Vision Sensors embedded into industrial network equipment
• No additional hardware needed
• No need for an out-of-band monitoring network
• No impact on performance

Reduce TCO by eliminating the need to invest in an ever-growing SPAN collection network

Visibility
Security deployed at scale built into your network infrastructure

1. Leverage OT budget for industrial network
2. Eliminate the need for IT to invest in and maintain SPAN collection network
3. Single solution for SecOps to monitor threats across operational departments

Meeting the needs of OT

Cyber Vision understands ICS protocols you use

Cisco’s Deep Packet Inspection decodes standard and proprietary industrial protocols

Cisco industrial networking enables you to visually inspect the activities in your industrial processes to reduce downtime.

Diagram: sensors in the IE 3400 Switch and IR 1101 Gateway send application flows for visibility

Cyber Vision Center
Gain Operational Insights
(Centralized analytics)

• Dynamic communication map
• Comprehensive asset inventory
• Detect changes in the control system
• Track variable changes

Network sensors (built-in Deep Packet Inspection) send application flows to the Center
Cyber Vision Center
A Flight Recorder for Troubleshooting
(Centralized analytics)

Event timeline recorded by the network sensors (built-in Deep Packet Inspection):
• New component Dell workstation detected on the network
• Component Dell workstation detected
• Siemens 192.168.105.150 vulnerable to Windows SMB Remote Code Execution CVE-2017-0145
• New communication detected from Dell workstation to S7-400 PLC
• Stop CPU command detected from Dell workstation to S7-400 PLC
• Program download detected from Dell workstation to S7-400 PLC
• New variable access detected from S7-400 PLC to HMI 192.168.105.75

Map labels: Dell 192.168.105.241, Siemens 192.168.105.75, PLC_1, PLC_3, S7-400 station_1
Meeting the needs of SecOps

Cyber Vision Threat Detection

Threat intelligence feeds three Cyber Vision capabilities:
• Vulnerability Detection: patch vulnerabilities before they are exploited
• Intrusion Detection: detect malicious intrusions & callbacks to control servers
• Behavioral Analytics: detect attempts to scan & modify OT assets

Easily track all threats to your industrial networks

• Security events (authentication, vulnerabilities, port scan, protocol exception…)
• Signature-based detection (IDS)
• Control systems events (variable changes, program uploads…)
• Asset inventory events (new, modified asset…)
• Cyber Vision admin and config events

Baselines highlight abnormal behaviors
• Cyber Vision behavior modeling automatically triggers alerts on deviations to the baselines:
  • New and modified assets
  • New activities between assets
  • Variable changes
  • Program modifications
• Continuously improve detection with classification of new events
• Accept changes to continuous monitoring or trigger alerts to investigate changes
• Provide feedback on anomalies to give context to security analysts
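As an added example (not Cisco code and not from this deck), the baseline-deviation logic above and the flight-recorder timeline shown earlier, applied to constructed OT flow events: alerts fire for new assets, new activities, variable changes, program modifications and S7 control commands, and an analyst can accept a change into the baseline so it stops alerting. Asset names, operation names, tags and values are all constructed.

```python
"""Baseline-deviation alerts over constructed OT flow events (added example, not Cisco code)."""
from dataclasses import dataclass, field

# Operations the deck singles out as control-system events worth an alert on their own.
CONTROL_OPS = {"stop_cpu", "program_download"}


@dataclass
class Baseline:
    assets: set = field(default_factory=set)        # known asset names
    activities: set = field(default_factory=set)    # (src, dst, protocol) seen before
    variables: dict = field(default_factory=dict)   # (plc, tag) -> last accepted value
    programs: dict = field(default_factory=dict)    # plc -> accepted program hash


def analyze(baseline: Baseline, event: dict) -> list:
    """Return alert strings for one event; an empty list means it matches the baseline."""
    alerts = []
    src, dst, proto, op = event["src"], event["dst"], event["proto"], event.get("op")
    for asset in (src, dst):                          # new and modified assets
        if asset not in baseline.assets:
            alerts.append(f"New component {asset} detected on the network")
    if (src, dst, proto) not in baseline.activities:  # new activities between assets
        alerts.append(f"New communication detected from {src} to {dst} ({proto})")
    if op in CONTROL_OPS:                             # control-system events
        alerts.append(f"{op} detected from {src} to {dst}")
    if op == "write_var":                             # variable changes
        old = baseline.variables.get((dst, event["tag"]))
        if old is not None and old != event["value"]:
            alerts.append(f"Variable {event['tag']} on {dst} changed {old} -> {event['value']}")
    if op == "program_download":                      # program modifications
        old = baseline.programs.get(dst)
        if old is not None and old != event["program_hash"]:
            alerts.append(f"Program modification on {dst}")
    return alerts


def accept(baseline: Baseline, event: dict) -> None:
    """Analyst accepts the change: fold the event into the baseline so it no longer alerts."""
    baseline.assets.update((event["src"], event["dst"]))
    baseline.activities.add((event["src"], event["dst"], event["proto"]))
    if event.get("op") == "write_var":
        baseline.variables[(event["dst"], event["tag"])] = event["value"]
    if event.get("op") == "program_download":
        baseline.programs[event["dst"]] = event["program_hash"]


def demo_baseline() -> Baseline:
    """Constructed baseline: one HMI that talks S7comm to one PLC."""
    return Baseline(assets={"HMI_1", "S7-400_PLC"},
                    activities={("HMI_1", "S7-400_PLC", "s7comm")},
                    variables={("S7-400_PLC", "Motor_Speed"): 1500},
                    programs={"S7-400_PLC": "prog-v1"})
```

Feeding the constructed "Dell workstation reads, stops the CPU, downloads a program" sequence through analyze() reproduces the deck's timeline alert by alert; accepting the read event afterwards silences only that activity, not the control commands.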

Easily spot important IT security information
• Top / Rare DNS requests
• Top / Rare HTTP requests
• Top / Rare SMB usage
• Unclassified “strange” flows

Cyber Vision intrusion detection

• Snort subscriber rule set includes:
  • Denial of Service
  • C2 and Botnet Communication
  • Lateral Movement through Windows exploits
  • Malware traffic
  • Browser Exploit
  • PLC Exploits
• Curated for industrial environments
• Custom rule set support

ISA 3000 Industrial Threat Protection

Industrial Application Visibility & Control
• Prebuilt industrial preprocessors & application detectors for the leading open source IPS/IDS
• Create custom detectors with OpenAppID

Industrial IPS Preprocessors
• Regularly updated signatures from Cisco’s industry-leading threat intelligence team
• 500+ industrial IPS signatures
• 1000+ Windows IPS signatures

Open
• Write your own custom application detectors using the open source application layer plugin
Reduce the noise of Intrusion events
Impact of IPS events can be deduced; Firepower recommendations can tune the IPS

IMPACT FLAG | ADMINISTRATOR ACTION                  | WHY
1           | Act immediately, Vulnerable           | Event corresponds to vulnerability mapped to host
2           | Investigate, Potentially Vulnerable   | Relevant port open or protocol in use but no vuln mapped
3           | Good to know, Currently Not available | Relevant port not open or protocol not in use
4           | Good to know, Unknown Target          | Monitored network but unknown host
0           | Good to know, Unknown Network         | Unmonitored network
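The impact-flag logic of the table, as an added example (not Firepower code): each intrusion event is scored against what host discovery knows about its target, then the events are ordered so that flag 1 is handled first. The monitored network, the host profiles and the event fields are constructed assumptions; the one CVE is the one quoted earlier in this deck.

```python
"""Firepower-style impact flags for intrusion events (added example, not Cisco code)."""
import ipaddress

# Constructed: networks covered by host discovery.
MONITORED_NETWORKS = [ipaddress.ip_network("192.168.105.0/24")]

# Constructed host profiles, shaped like what a host-discovery module would build:
# open ports, application protocols seen, and vulnerabilities mapped to the host.
HOST_PROFILES = {
    "192.168.105.150": {"ports": {445, 3389}, "protocols": {"smb"}, "vulns": {"CVE-2017-0145"}},
    "192.168.105.75": {"ports": {102}, "protocols": {"s7comm"}, "vulns": set()},
}

# Administrator action per flag, as in the table above.
ACTIONS = {
    1: "Act immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to know, Currently Not available",
    4: "Good to know, Unknown Target",
    0: "Good to know, Unknown Network",
}
# Triage order: flag 1 first, unmonitored network last.
PRIORITY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def impact_flag(event, profiles=HOST_PROFILES, networks=MONITORED_NETWORKS):
    """Deduce the impact flag of one IPS event from what is known about its target host."""
    target = ipaddress.ip_address(event["dst_ip"])
    if not any(target in net for net in networks):
        return 0                                   # unmonitored network
    host = profiles.get(event["dst_ip"])
    if host is None:
        return 4                                   # monitored network, unknown host
    if host["vulns"] & set(event.get("rule_vulns", ())):
        return 1                                   # rule's vulnerability is mapped to this host
    if event["dst_port"] in host["ports"] or event["protocol"] in host["protocols"]:
        return 2                                   # port open or protocol in use, no vuln mapped
    return 3                                       # port closed and protocol not in use


def triage(events, **kw):
    """Return (flag, action, event) tuples ordered so the most impactful events come first."""
    scored = [(impact_flag(e, **kw), e) for e in events]
    scored.sort(key=lambda fe: PRIORITY[fe[0]])
    return [(flag, ACTIONS[flag], e) for flag, e in scored]
```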

Block Malware Using AMP for Networks

Diagram: Retrospective Detection, Behavioral IoCs, File Trajectory, Threat Hunting

• Multiple methods of malware detection:
  • AV detection engines
  • One-to-one signature matching
  • Machine Learning
  • Fuzzy fingerprinting
  • Sandboxing on device or cloud

Cyber Vision integrates with your existing security platforms

• Access Control: ISE
• Firewalls: Firepower NGFW
• CMDB
• SOC: Threat Response

FMC: Cyber Vision integration

Firepower Management + Cyber Vision

• Identify anomalous flows in Cyber Vision and kill FTD Firewall sessions
• Map ICS device identity to Hosts in Firepower for use in FMC correlation policy
• Map ICS device IP to named objects (PLC, IO, Drive) in Firepower for use in access policy*

Integration available with Cyber Vision 3.1.0+

* Available in November 2020
ISE: Cyber Vision integration

Identity Services Engine + Cyber Vision

• Enrich endpoint attributes in ISE with rich context from Cyber Vision
• Use custom attributes to map industrial process context like Cells and Zones for profiling endpoints
• Enforce Network Access Control through dynamic assignment of VLAN and dACLs or micro-segmentation with SGT / TrustSec

Stealthwatch: Cyber Vision integration

Stealthwatch + Cyber Vision

• Enrich host-groups in Stealthwatch with rich context from Cyber Vision
• Easily identify flows mapped to industrial endpoints with host-group attributes (Logix Controller made by Rockwell Automation in Cell-3)
• Use host-group attributes like Cells and Zones to create alarms for inter cell/zone traffic violations

CTR: Firepower integration

Cisco Threat Response + ISA 3000 Firewall

• Investigate, identify and enrich Firepower intrusion events with context from integrations across security products
• Enrich all investigations with network context from Firepower devices
• Automated triage and prioritization of intrusion events through the built-in Incident Manager

Integration available with FTD v6.3+

Investigate across IT-OT integrated security technologies
Pivot from Cyber Vision to CTR to investigate observables

• Gather context from Umbrella, FTD, Talos, AMP, Stealthwatch, etc.
• Block/Unblock domains in Umbrella
• Block/Unblock file executables in AMP

IBM QRadar integration
Unified IT/OT security events management in SIEM

Cyber Vision forwards its events to QRadar over Syslog, bringing ICS visibility (PLC, IO, drive, controller) into the SIEM

Splunk integration
Unified IT/OT security events management in SIEM

Cyber Vision forwards its events to Splunk over Syslog, bringing ICS visibility (PLC, IO, drive, controller) into the SIEM

Meeting Stakeholder Needs

• OT: reduce downtime with operational insights that help track activities in your industrial process
• IT: reduce TCO by eliminating the need to invest in an ever-growing SPAN collection network
• CSO: protect your business against threats with the strongest suite of industrial application aware integrated security solutions

The bridge between the enterprise and the line of business

Kick-start your Industrial IoT security project
Cisco assessment service gives you a comprehensive picture of your industrial security posture so you can build your project plan

Deliverables: industrial asset inventory, vulnerability detection, communication maps, actionable insights, detailed reports

Asset discovery and assessment service led by Cisco OT Security experts


Bring Cisco scale and simplicity to IIoT security

• Cisco Industrial Networks: connect anything anywhere
• Cisco Security: comprehensive IT/OT cybersecurity
• Cisco Validated Designs: state-of-the-art architecture guides
• Cisco Customer Services: human skills to enable deployments

All working together for successful Industrial IoT security deployments

