
SESAM Node-RED Webinar:
Infrastructure that allows you to connect

Mads Laier • Team Lead Domain Experts • Network & Security Consultant | 28.05.20

PUBLIC
Connected Enterprise

the ZEN state of information…

…everything is accessible for anyone authorized, for any purpose:
KPIs, documentation, operator, process control & optimization (real-time)…

PUBLIC | Copyright ©2020 Rockwell Automation, Inc. | 2


[Figure: IT/OT convergence. Information Technology (IT) and Operation Technology (OT) converge into the Connected Enterprise. Labels on the figure: ERP/MES; security and application knowledge, experiences and expertise; real-time data.]


Traditional IACS – “We’re safe because we’re air-gapped!”

[Figure: a siloed plant. Labels: Siloed; No access; Real-time control data; Digital twin; Lacks innovation; Login & password security.]

▪ Rich industrial data kept in isolation
▪ “Air-gapped” false sense of security: engineering laptops, removable media and vendor remote-access links cross the gap in practice, so isolation on its own is not a control


Types of Threats

[Figure: three threat actors entering through Information Technology (IT) and pivoting into Operation Technology (OT).]

▪ External Threat Actor: hacker penetrates and gains access, breaches and steals or causes unwanted events, then pivots into OT
▪ Accidental Threat: human error (“Oops! Accidental download”) accidentally infects, then pivots into OT
▪ Internal Insider Threat: malicious insider gains access, breaches and steals or causes unwanted events

Targets: stolen intellectual property / proprietary information, unscheduled downtime, loss of safety systems
Other CIP Security Publications

▪ FTALK-GR001 “FactoryTalk Policy Manager Getting Results Guide”
▪ SECURE-AT001 “CIP Security with Rockwell Automation Products Application Technique”
▪ SECURE-RM001 “System Security Design Guidelines Reference Manual”


CPwE CIP Security Design Guide
Publication ENET-TD022 “Design Guide, Deploying CIP Security within a CPwE Architecture”



CPwE Industrial Security Framework

[Figure: CPwE zones and the roles that operate them.]

Enterprise Zone (Levels 4-5): Internet, Enterprise Umbrella Cloud, External DMZ / Firewall, Cloud, Identity Services

Industrial Demilitarized Zone (IDMZ), physical or virtualized servers:
• Patch Management
• AV Server, TLS Proxy
• Application Mirror, Reverse Proxy
• Remote Desktop Gateway Server

Industrial Zone (Levels 0-3):
• Level 3 – Site Operations: core switches (active / standby), Wireless LAN Controller (WLC), distribution switch stack, NetFlow, FactoryTalk® client
• Level 2 – Area Supervisory Control: Stratix® switches, IFW (industrial firewall), LWAP with 2.4 GHz and 5 GHz SSIDs, WGB
• Level 1 – Controller
• Level 0 – Process: I/O, soft starter, MCC, drive

Roles: Control System Engineers (OT); Control System Engineers in collaboration with IT Network Engineers (Industrial IT); IT Security Architects in collaboration with Control Systems Engineers
The 9 steps
Securing your connected enterprise

▪ Assess and Inventory the System
▪ Segment your Enterprise from your Industrial Zone
▪ Segment your Network
▪ Build Access Control into the Application
▪ Physical Security
▪ Device Hardening
▪ Change Detection and Threat Detection
▪ Remote Access and Connectivity
▪ Incident Recovery


1 Assess and Inventory the System

• Automate asset inventory with FactoryTalk AssetCentre
• Conduct a holistic assessment using our Network & Security Services
• Guidance on implementing the recommended security solutions




2 Segment your Enterprise from your Industrial Zone

• Establish a perimeter using an Industrial Demilitarized Zone (IDMZ): no traffic passes directly between the Enterprise and Industrial Zones; every exchange terminates on an IDMZ broker such as a reverse proxy, application mirror or remote desktop gateway
• Implement validated network designs from Cisco and Rockwell Automation
• Leverage customized, pre-built solutions and management services, such as an Industrial Data Center
• Integrate enterprise ready security controls


3 Segment your Network (Cell/Area Zone)

• Extend security controls with managed switches, such as Stratix 5400 and Stratix 5700
• Confine broadcast traffic using VLAN segmentation
• Segment traffic based on policy with Access Control Lists (ACLs)
• Control network access with 802.1X, Identity Services Engine (ISE) and port security
• Minimize Denial of Service (DoS) impacts with Quality of Service (QoS)
• Prevent tampering with message packets by using VPN communication (1756-EN2TSC secure communication module in the chassis) and between Cell/Area Zones


4 Build Access Control into the Application

• Control user permissions with FactoryTalk Security role based security
• Integrate management of user accounts with Active Directory
• Protect code from change with High Integrity AOI
• Limit usage of tags with Data Access Control
• Block unwanted traffic in the network using firewalls


5 Physical Security

• Restrict access to authorized personnel only
• Implement port blocks, cable locks, and locking control panels from Panduit


6 Device Hardening

• Minimize risk of PC patching by leveraging our Microsoft Patch Qualification efforts
• Prevent unwanted applications from running on computers by using partner solutions like application whitelisting
• Ensure valid firmware with digital signatures
• Prevent configuration changes by putting controllers in Run mode using the physical key switch (RUN position). In the REM position the mode can be changed over the network, so that setting only adds protection if network access to the controller is controlled as well


7 Change Detection and Threat Detection

• Monitor user activities with FactoryTalk Audit
• Detect modification to device configurations with FactoryTalk AssetCentre
• Detect changes with Controller Change Detection
• Identify and help mitigate network based threats with relevant hardware
• Leverage Deep Packet Inspection to implement protocol-level policy


8 Remote Access and Connectivity

• Build secure remote access into your system with validated reference architectures from Rockwell Automation and Cisco
• Leverage managed services for remote access


9 Incident Recovery

• Automate and schedule the backup process for automation devices with FactoryTalk AssetCentre
• Schedule backup for directories on PCs
• Manage versions of key configuration files in a centralized repository with FactoryTalk AssetCentre


Transform data into information


Node-RED and Rockwell Automation



Node-RED and Rockwell Automation

https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1091639

[Figure: a PLC connected to a Node-RED “box” (could be a Raspberry Pi, a Win/Linux PC, Android, cloud …). Inside the box the Allen-Bradley CIP node (node-red-contrib-cip-ethernet-ip) talks to the PLC, and the “logic” is implemented by “other nodes”; see Getting Started.]
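As an added example, not code from the webinar or from the node-red-contrib-cip-ethernet-ip project: the Node-RED “box” in the figure sits inside the Industrial Zone and can write to the PLC, so the flow logic running there is the last point that decides which tags may be written and with what values. The write gate below is the kind of check that belongs in a Function node between the flow logic and the CIP output node. The tag names, value limits, rate limit and the { tag, payload } message shape are assumptions for illustration, as is the sample traffic.

```javascript
"use strict";
// Added example for this page: a write gate for PLC tag writes issued from a
// Node-RED flow. Illustrative code, not part of the webinar material or of the
// node-red-contrib-cip-ethernet-ip package. Tag names, value limits, the rate
// limit and the { tag, payload } message shape are assumptions.

// Allow-list: only these tags may be written from Node-RED, each with a value
// constraint. Any tag not listed is read-only as far as the flow is concerned.
const WRITE_POLICY = {
  Line1_Setpoint_Speed: { type: "number", min: 0, max: 1500 },
  Line1_Recipe_Id:      { type: "number", min: 1, max: 50, integer: true },
  Line1_Run_Request:    { type: "boolean" },
};

// Per-tag write budget so a looping or runaway flow cannot hammer a setpoint
// (assumed values: 10 writes per 60 s).
const RATE_LIMIT = { maxWrites: 10, windowMs: 60000 };

class WriteGate {
  constructor(policy = WRITE_POLICY, rate = RATE_LIMIT, now = () => Date.now()) {
    this.policy = policy;
    this.rate = rate;
    this.now = now;            // injectable clock keeps the demo deterministic
    this.history = new Map();  // tag -> timestamps (ms) of recent accepted writes
  }

  // Returns { allowed: true, msg } for a permitted write, otherwise
  // { allowed: false, reason } so the caller can log it and drop the message.
  check(msg) {
    const tag = msg && typeof msg.tag === "string" ? msg.tag : "";
    if (!Object.prototype.hasOwnProperty.call(this.policy, tag)) {
      return this.deny(`tag not on write allow-list: ${JSON.stringify(tag)}`);
    }
    const rule = this.policy[tag];
    const v = msg.payload;
    if (typeof v !== rule.type) return this.deny(`${tag}: expected ${rule.type}, got ${typeof v}`);
    if (rule.type === "number") {
      if (!Number.isFinite(v)) return this.deny(`${tag}: value is not finite`);
      if (rule.integer && !Number.isInteger(v)) return this.deny(`${tag}: ${v} is not an integer`);
      if (v < rule.min || v > rule.max) return this.deny(`${tag}: ${v} outside [${rule.min}, ${rule.max}]`);
    }
    if (!this.takeToken(tag)) {
      return this.deny(`${tag}: more than ${this.rate.maxWrites} writes in ${this.rate.windowMs} ms`);
    }
    // Forward a fresh object carrying only what the CIP node needs; nothing else the
    // upstream message had (injected properties, _msgid, headers) goes through.
    return { allowed: true, msg: { tag, payload: v } };
  }

  deny(reason) { return { allowed: false, reason }; }

  // Sliding-window counter per tag.
  takeToken(tag) {
    const t = this.now();
    const recent = (this.history.get(tag) || []).filter(ts => t - ts < this.rate.windowMs);
    const ok = recent.length < this.rate.maxWrites;
    if (ok) recent.push(t);
    this.history.set(tag, recent);
    return ok;
  }
}

// Constructed sample traffic so the gate can be exercised without a PLC.
function runDemo() {
  let fakeNow = 0;
  const gate = new WriteGate(WRITE_POLICY, { maxWrites: 3, windowMs: 1000 }, () => fakeNow);
  const traffic = [
    { tag: "Line1_Setpoint_Speed", payload: 1200 },   // allowed
    { tag: "Line1_Setpoint_Speed", payload: 9000 },   // out of range
    { tag: "Line1_Run_Request", payload: "true" },    // wrong type (string, not boolean)
    { tag: "Line1_Recipe_Id", payload: 7.5 },         // not an integer
    { tag: "Line1_Safety_Bypass", payload: true },    // not on the allow-list
    { tag: "Line1_Setpoint_Speed", payload: 1201 },   // allowed (2nd in window)
    { tag: "Line1_Setpoint_Speed", payload: 1202 },   // allowed (3rd in window)
    { tag: "Line1_Setpoint_Speed", payload: 1203 },   // rate-limited
  ];
  const results = traffic.map(m => gate.check(m));
  fakeNow += 1001;                                    // window has elapsed
  results.push(gate.check({ tag: "Line1_Setpoint_Speed", payload: 1204 }));  // allowed again
  return results;
}

console.log(runDemo().map(r => r.allowed ? `ALLOW ${r.msg.tag}=${r.msg.payload}` : `DENY  ${r.reason}`).join("\n"));
```

Inside a Function node the body would keep one WriteGate in flow context (context.get / context.set), call gate.check(msg), and for a rejected message call node.warn(r.reason) and return null; for an allowed one it returns r.msg so only the sanitized object reaches the CIP node. The gate is application-level: it does not authenticate the EtherNet/IP connection itself (that is what CIP Security, covered by the publications above, provides), and the Node-RED editor still has to be locked down with adminAuth and HTTPS in settings.js, because anyone who can edit the flow can edit the gate.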




Communications Portfolio

RA controllers & software
▪ FactoryTalk® Linx™ is the data server for RA hardware and software
▪ FT Linx has OPC client capability

RA systems with 3rd party controllers & software
▪ FactoryTalk® Linx™ Gateway (FT Linx GW) allows third-party software to interact with RA systems via an OPC Server
▪ Kepware allows third-party automation systems to participate in an RA system

Data exchange with IT systems / cloud
▪ FactoryTalk® Linx™ Information Gateway allows RA systems to exchange data with enterprise and cloud systems


FTIS (FactoryTalk InnovationSuite)

IOT: Market-leading industrial innovation platform to drive digital transformation for increased operational performance and agility across all factories
AR: Industry-leading augmented reality development tools to improve workforce efficiency and training
Fit for Purpose: A set of tools built on top of our FactoryTalk ProductionCentre MES Platform that target specific needs of Manufacturing Operations: Performance, Quality, Production & Warehouse
Data Analytics: Self-service visual analysis / Data Discovery tool. Insightful Storyboards may be saved and shared, run on any form factor or device and provide advanced analytics in the “hardware stack”
Edge Computing: Data from real-time sources, with the ability to store and forward data, reducing loss due to latency. Enables closed loop feedback applications
Analytics and AI: Solve complex Analytics, AI and Machine Learning problems. Scalable from on-premise server to cloud based infrastructures. Handles big data and unstructured data such as text, imagery, audio, etc.

CLOUD | HYBRID | ON-PREM


An automation system built with information in mind

[Figure: Smart Object at the centre, surrounded by Analytics, Alarms, Recipe, and Real-time & historical data. Tagline: design: product • process • automation.]

Object-based data model
• Common data across the system
• Re-use and library management at the automation layer
• Automatic discovery by the information layer
• Modern foundation for application development


Smart Objects and FactoryTalk Linx Information Gateway
Adding and Preserving Context to Automation Data

Smart Objects
• Implemented as Logix Designer AOIs, includes the Logix Designer Applet / Configuration Plug-In
• Collect and store data with context as log arrays in the controller
• Available to customers via Application Code Libraries
• Backward compatible to support existing installed base

FactoryTalk Linx Information Gateway
• Discovers Smart Objects in controllers
• Associates Smart Objects with corresponding Edge Applications
• Can automatically publish definitions, instances and organizational models into ThingWorx applications
• Streams data into ThingWorx applications


[Figure: Smart Object examples: Mixer, Filler, Palletizer. Tagline: design: product • process • automation.]


FactoryTalk Linx Information Gateway
Connecting OT to IT Systems

• Collects and preserves the context of the data in the controller through Smart Objects (and other data structures)
• Discovers Smart Objects and allows context to be edited or created on the edge for 3rd party, legacy or controllers that can’t be changed
• Usability targeted for the OT practitioner
• UI / workflow / security aligned with our Automation tools
• May be sold standalone, or as an enabler to an information solution, reducing the work required to organize and label data
• Designed to run packaged applications on the edge, which include data collection, calculations, even visualization of data (future, sold separately)

[Figure: FactoryTalk Linx Information Gateway components: Configuration UI, Security Service, Device Management Service, Time Series Data; data path Ingress → Data Model → Process / analyze → Local Store → Egress.]


FT Linx Information Gateway (Summer 2020)

▪ Software only: Windows installer (e.g. 1756-Compute, VersaView 5400 or equivalent)
▪ Use existing FactoryTalk activation method
▪ Local configuration and runtime UI
▪ Smart Tag support → data contextualization
▪ Store and forward

[Figure: Data Sources (Smart Object enabled controllers; FactoryTalk Live Data; OPC DA for 3rd party connectivity to KEPServer, future release) → FactoryTalk Linx Information Gateway (Configuration UI, Security Service, Device Management Service; Ingress → Data Model → Data Mapping → Local Store → Egress) → Data Destinations (future release).]


Converged IT & OT
Getting to the state of Connected Enterprise

▪ Remember your 9 steps: think in security & audit
▪ Use standard solutions, customize as little as possible
▪ Think big, start small: does it scale well?


Thank you
www.rockwellautomation.com
