Brksec 2111

Visibility and Segmentation:
first steps to securing

Industrial Networks
Francesca Martucci –
Technical Solutions Architect
CyberSecurity - EMEAR
BRKSEC-2111
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
BRKSEC-2111 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Who am I?
• Technical Solutions Architect

Cyber Security EMEAR
• In Cisco since 20 years (and few days)...

... And 3 countries
Main focus on
• Policy and Access
• Monitoring
• Segmentation
Digitalization and Industrial IoT (IIoT)
Traditional automation The Industrial Internet of Things
systems SMART
INDUSTRY
Energy, Manufacturing,
Transportation, Process
Industries
SMART
INDUSTRY 4.0 SMART CITIES
GRIDS
DISTRIBUTED DEVICES INTELLIGENT
BUILDINGS
Moving from proprietary networking technologies, to open standard networking such as

Ethernet, WiFi, IP, etc improves the accessibility of data and information:
 Increase of Innovation and Workforce Efficiency
 Improvement of business models and processes
(Safety enhancements, Predictive maintenance, Real-time quality detection, Asset tracking )
 Reduced costs
Security is Top-of-Mind for Industrial Customers
Downtime and Health & Safety issue
@ $2+ B in losses
77% of ICS/OT companies

consider cybersecurity as major priority
“1 in 6 CISO now medicate or

use alcohol to deal with stress”
Sources:
• Kaspersky Lab & PAC 2018
• Forbes
• OT vs. IT challenges
• Industrial Control Systems
Networks
• Practical approach for
securing industrial systems
Agenda •
•
Visibility and Monitoring
Secure Access
• Segmentation
• Incident response
• Conclusion
Network Convergence: challenges
IT vs. OT
 Different Priorities
 Different Knowledge
 Different Perspectives
 Different Concerns
OT/IT Requirements
 Security = Safety
 Reliability and Business
Continuity
OT Requirements  Easy to replace
 Simple to operate
 Security = Cyber Security

 Scalability IT Requirements
 Extensibility
 Simple to manage
OT/IT Actions for Collaboration
The Sooner the Better for Your Business—But Are You Ready?
• Be open to sharing
• Become familiar with OT
knowledge of processes
processes
and operations with IT
• Understand and address
• Understand the risks of OT concerns
connecting insecure
• Become “bilingual” (i.e. be
devices to your IP
able to speak the language
network
of both IT and OT)
• Be open to sharing Each team does what can do best
control with IT
• OT defines the intent
• IT deploys the intent
• OT remains self-sufficient
• OT/IT plan jointly
Industrial Control
Systems Networks
Purdue Model
A general architecture for IACS networks.
Level 5 Enterprise Network
Enterprise
Security
Level 4 E-Mail, Intranet, Site Business Planning and Logistics Network
Zone
etc.
Remote Patch Management AV Firewall

Gateway Server Web,
Services
Level 3.5 e-mail, Industrial
Application Web Services Application CIP DMZ
Mirror Operations Server
Firewall
FactoryTalk FactoryTalk Engineering Remote Site
Level 3
Application
Server Directory Workstation Access Server Operations Industrial
and Control Zone
SCADA SCADA Area
Level 2 Client
Operator
Client
Engineering
Operator Supervisory
Interface
Interface Workstation Control
Cell/Area
Level 1 Batch Discrete Drive
Continuous Safety Basic Control Zone
Process Control
Control Control Control Control
Level 0 Sensors Drives Actuators Robots Process
ISA-99 and IEC 62443 standards
IEC 62443/ISA-99: builds on existing

standards for security of IT systems,
identifying and addressing differences in
ICS.
NIST Cybersecurity Framework: Best

Practice guidline and not a requirement
standard.
Purdue model: provides a general

architecture for all types of IACS,
providing nomenclature and building
blocks. ISA-99 ≈ IEC 62443
Purdue Reference Model (simplified version)
Enterprise Network Level 5
Enterprise
Security
Zone
Site Business Planning and Logistics Network Level 4
Industrial Demilitarized Zone — Shared Access Level 3.5
Site Manufacturing Operations and Control Level 3
Firewall
Area
AreaControl
Control Level
Level22
Industrial
Zone
Level Cell/
Basic
BasicControl
Control Level11 Area
Zone
Process Level 0
Industrial Networks vs. Enterprise Networks
IT Networks: OT Networks:
• Many dynamic applications. • Continually operating.
• Interoperability unconstrained. • Availability and safety first!
• IT teams manage the data. • Few defined long conversations.
• Equipment are known, modern and • OT assets are very old.
controlled. • Attacks look like legitimate
• IT attacks can be identified. instructions.
The road of adding
Security to OT
Security Challenges in Industrial Environments
Lack of Visibility
Aging Systems of what’s out there
Unpatched, legacy
systems
Access Control
Flat Design Access needs evolving
Lack of segmentation
Change Control
24/7/365 Operations
OT Security Skills
IT sec  Ops knowledge
Business Needs
Real-time Information
Steps to successfully securing your infrastructure
Discover Baseline & Segment Detect Enforce

• Catalog Asset Inventory • Know who is talking to whom • Get alerts on violation to the • Automate enforcement to
• Find them on the network • Baseline normal behavior baseline quarantine misbehaving
• Patch their vulnerabilities • Create segments based on assets
communication patterns
Most customers are having trouble getting off the starting block:
They don’t have accurate Asset Inventory and are blind to what
their assets are communicating with
You cannot secure the “things” if you don’t know what they are!
Security Capabilities in Industrial Security
Visibility Recognition of zones, conduits, and their control

networks.
Secure Access Secure and manage partner and vendor plant floor
access
Segmentation Fault domain isolation. Differentiated Services. Security

zones
Control Ability to react to and isolate problems. Ensure stability

of infrastructure.
Compliance Having the audit trail
Threat Detection Continuously updated detection engines from world-

class security researchers. Available endpoint to core.
Visibility and
Monitoring
You cannot secure what you don’t know
Most customers don’t have Blind to what their assets are

accurate Asset Inventory communicating with
55% have no or low confidence that they ICS equipment deployed over the years
know all devices in their network without strict security policies
ISE + Cisco Cyber Vision Cisco Cyber Vision + Stealthwatch
Identity Services
Engine (ISE)
Endpoint Visibility based on context
Cisco Identity Services Engine (ISE) : a policy access control server
Identity Profiling Role-based policy Network

and Posture access Resources
Who Traditional TrustSec
Network
 What Guest Access
Door
 When
BYOD Access
 Where
Role-based Access
How
Compliant Secure Access

ISE pxGrid
Controller
Context
Context Is Everything
Context information allows implementation of Principle of Least Privilege
Poor context awareness Rich context awareness
IP Address: 192.168.2.101 Infusion Pump
Unknown Vendor
Unknown Building-A Floor-1
Unknown 10:30 AM EST on April 27
Unknown Unknown Wireless / Ethernet / Zigbee Known
Unknown No Threats / Vulnerabilities
ISE pxGrid
WSA NGIPS FMC NGFW Controller Stealthwatch AMP TrustSec
Cisco ISE Profiling
Profiling process:
1. Uses probes to collect device attributes
when they connect to the network
2. The attributes are matched against profile
policies (Signatures)
3. Device is classified against the profile
with the highest match
Cisco ISE
Feed Service
(Online/Offline)
ACTIVE PROBES Netflow DHCP DNS HTTP RADIUS NMAP SNMP AD
DEVICE SENSOR CDP LLDP DHCP HTTP H323 SIP MDNS

Network ACIDex
ANYCONNECT
External Tools pxGrid ISE data collection methods for Device profiling
Out-of-Box IoT Device Fingerprints
All new 700+ Automation and Control Profile Libraries

• Automation and Control
• Industrial / Manufacturing
• Building Automation
• Power / Lighting
• Transportation / Logistics
• Financial (ATM, Vending, PoS, eCommerce)
• IP Camera / Audio-Video / Surveillance and Access
Control
• Other (Defense, HVAC, Elevators, etc.)
• Windows Embedded
600+ Automation and Control Profiles
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
Defining security policies without visibility is
complex
Security Platforms
Enterprise Assets Industrial Assets
Camera ?
??
Laptop
???
????
Printer
Phone
Camera Printer Laptop IP Phone
Sharing Industrial Asset Identity with ISE
Industrial Asset
Cisco ISE Asset Identity
Network Management
iotMacAddress
for OT users This is a…
iotIpAddress
• CompactLogix Controller…
iotName
• Manufactured by Rockwell
iotVendor
pxGrid iotProductId Automation …
iotSerialNumber • With serial number xxx …
Modbus iotDeviceType • Running firmware xxx …
PROFINET
iotSwRevision • Speaks CIP industrial protocol
CIP BACNet
iotHwRevision
…
iotProtocol
• Attached to switch xxx …
iotConnectedLinks
PLC IO DRIV CONTROL • and it it is in Cell-1 in the Austin
E LER iotCustomAttributes
Plant.
Example of parameters
shared by Cisco IND.
Might vary.
ICS Profile creation in ISE
IOT Asset Solutions that integrates with ISE
Industrial Network
Director (IND)
Cisco pxGrid Devnet Site: www.cisco.com/go/pxgridpartner

Cisco pxGrid Context-In: https://developer.cisco.com/docs/pxgrid/#!pxgrid-context-in
A new standard for profiling
MUD: Manufacturer Usage Descriptions
MUD File:
Access ISE/DNA-C
Device emits
Switch queries
a URL
forwards manufacturer
https://manufacturer.example.com/mydevice.json
Internet
Access MUD MUD File

Switch Manager https Server
DHCP, Radius
LLDP,
or 802.1X Enterprise Network
MUD is supported by NIST and IETF (RFC8520)

Manufacturer Usage Descriptions
Devices Enterprise Manufacturer

Segmented config created JSON file returned
Device
approved
Internet
Access MUD MUD File

Switch Manager Server
Radius https
Enterprise Network
MUD is supported by NIST and IETF (RFC8520)

Cisco Cyber Vision
What is Cisco Cyber Vision?
Cyber Vision provides cyber-resilience for Industrial Control Systems (ICS)
that integrates with your SOC.
1. Passively analyses industrial protocols Cyber Vision Center

and communications. Sensor
Level 3
2. Dynamically builds an inventory of all

components and a map of all
connections. Sensor Sensor
Level 2
3. Operational insight: extracts process

information from network flows to give Application-Flow
Lightweight
OT staff visibility on industrial events. Sensor Sensor Sensor
Metadata
Level 0-1
4. Provides advanced anomaly detection,
and real-time alerts for any threat to
operational continuity and system Cyber Vision Sensors embedded
integrity. in your industrial network equipment
Cyber Vision – Visibility
Uses DPI technology to extract meaningful information (data &
metadata) from OT networks using 100% passive sensors
Inventory: Process Control: Network:

• Devices, Modules; • System Messages; • Metadata;
• Programs; • Statistics.
• Firmware.
• Register IDs.
Monitoring
Cisco Cyber Vision – Activities and Flows
2 Flows list
Flows are listed for each

component or each 3 Flow details
activity
A Flow is characterized by its endpoints properties:

• MAC Address (Source & Destination)
• IP Address (Source & Destination)
• TCP port (Source & Destination)
Cyber Vision - Monitoring
Maps with all components and activities filtered Purdue Model map with components grouped
by the Preset parameters and by the time frame by Layer of the Purdue Model.
selected.
Cyber Vision – Anomalies Detection
Creates a baseline of traffic, correlating with known malicious behavior (IoC) and
Threat Intelligence feeds to detect abnormal events;
Uses machine learning to classify behaviors and continuously improve detection.
Fosters IT/OT collaboration

to raise doubts and pinpoint
the incident.
Stealthwatch
Transactional Telemetry NetFlow/IPFIX
Netflow/IPFIX is the detailed phone bill of the network.

Shows who is talking to whom for how long and when.
The network is your sensor.
eth0/1
eth0/2
Flow
10.2.2.2 Sensor
10.1.1.1
port 1024 port 80
Start Tim
Time Iterface
Interface I
Src IP Src
Src Dest
Dest IP
IP Dest Proto Pkts Bytes SGT DGT TCP Flags
Por
Port Port Sent Sent
Non-NetFlow enabled
10:20:12.221
10:20:12.221 eth0/1
eth0/1 10.2.2.2
10.2.2.2 1024
1024 10.1.1.1
10.1.1.1 80
80 TCP
TCP 5
5 1025
1025 100
100 101
1010 SYN,ACK,PSH
SYN,ACK,PSH equipment
10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 101 100 SYN,ACK,FIN
Visibility and Anomalies
KNOW SEE Understand what is Be alerted to Respond to

every host every conversation NORMAL CHANGE THREATS quickly
Collect and Create a baseline Alarm on anomalies

analyze telemetry of normal behavior and behavioral changes
Comprehensive data set optimized Security events to detect anomalies Alarm categories for high-risk,
to remove redundancies and known bad behavior low-noise alerts for faster response
Anomaly detected
in host behavior
~100 Security Events
Threshold
Number of concurrent New flows Number of
flows created SYNs received
Packet Number of Rate of

per second SYNs sent connection resets
Duration
Bits per second Time of day
of the flow
Flows
Exchange Servers
Host Report - PLC
Flows in Stealthwatch are enriched with context from CyberVision
Flow Search - PLC
Visibility – Custom Security Events
?
IE Switching Portfolio Wall Mount Din-Rail Modular – Din-Rail Rackmount * Select Models
Aggregation
Access
IE5000
IE 3400 (H) IE4000 IE4010
• L2 or L3 (IP service)
• 4 10G* uplinks
IE 3300 • L2 • L2 or L3 (IP service) • L2 or L3 (IP service) • 24 GE downlinks
IE 3200 • L3 • 4 GE uplinks • 4 GE uplinks • Up to 12 PoE/PoE+
• PoE/PoE+ • Up to 20 GE ports • 28 total GE ports • Conformal coating*
• L2 • 2 GE uplinks • Up to 8 PoE / PoE+ • Up to 12 or 24
IE2000 IE2000U • L2 • • Up to 24 GE ports ports PoE/PoE+ • IEEE1588 PTP
Feature
L3
• 2 GE uplinks • 2 GE uplinks • IP30, IP67 • REP, PRP, HSR
• 8 GE downlinks • Up to 24 GE ports • IEEE1588 PTP • IEEE1588 PTP • FNF
• L2 or L3 (IP lite) • L2 or L3 (IP services) • Up to 8 PoE/PoE+ • Up to 16 PoE/PoE+ • IEEE1588 PTP • REP, PRP, HSR • REP, PRP, HSR • Layer 2 NAT
• 2 GE uplinks* • 2 GE uplinks* ports • REP • FNF • FNF • PROFINET, MRP
IE1000 • Up to 8 PoE/PoE+ • Up to 4 PoE/PoE+ • IEEE1588 PTP • FNF • Layer 2 NAT • Layer 2 NAT • Dying gasp
• Small form factor ports • IEEE1588 PTP • REP • MACSec • PROFINET, MRP • PROFINET, MRP • Cisco® TrustSec
• IP30, IP67 • Small form factor • REP • FNF • TrustSec® • Dying gasp • Dying gasp SGT/SGACL
• Lightly-managed • Conformal coating* • MACsec • MACSec SGT/SGACL* • Cisco® TrustSec • Cisco® TrustSec • MACSec
• Layer 2 only • IEEE1588 PTP • PROFINET, MRP • Layer 2 NAT • Layer 2 NAT SGT/SGACL SGT/SGACL • Time-Sensitive
•
•
2 GE uplinks*
30 second boot-up
• IEEE1588 PTP • REP, PRP • PROFINET, MRP • PROFINET, MRP • NetFlow
MACSec • MACSec Network (TSN)
HW-ready
• REP • Time-Sensitive • Time-Sensitive
time • Layer 2 NAT Network (TSN) Network (TSN) • Stacking*
• Web config tool • PROFINET, MRP • IOx HW-ready • IOx-ready
• Up to 8 PoE/PoE+
ports
•
•
Cisco DNA Essentials
DLR (only Stratix)
Rockwell Stratix Series do support Netflow aswell •• •
•
MRP, REP, HSR, PRP
Cisco DNA E/A
IOx-ready
Cisco DNA E/A
• Timing interfaces
(IRIG-B, GPS, TOD)
Stratix 5400 (IE-4000) 5410 (IE-5000) 5800 (IE-3400) • • SDA Extended Node SDA Extended Node •
•
Cisco DNA E/A
SDA Extended Node
10/100M 1G 10G
https://community.cisco.com/t5/security-documents/netflow-support-matrix/ta-p/3644638
General Cisco devices Netflow support matrix
Full visibility within the Network
Flow based Threat Detection Threat Intelligence
IT User Stealthwatch
Detect breaches, malware,
Enterprise data hoarding, exfiltration... Management
Console
Network
WAN Cyber Vision

Terminal Patch
Level 3.5 Server
RDP Server App Server
Mgmt. NetFlow
iDMZ
Flow
Level 3 SCADA Engineering Domain Collector
Historian
Operations & Control Server Workstation Controller
Level 2 SCADA Engineering

HMI
Operator
Supervisory Control Client Workstation Interface
ISA-3000 IE-3400
Sensor
Application Metadata
Level 1 Batch Discrete Drive Continuous Safety
Basic Control Control Control Control Process Control Control
Level 0
Sensors Drives Actuators Robots Sensor
Process Application Metadata
Architecture for Visibility and Monitoring
ISE Site Business Planning and Logistics Network

Level 4
Stealthwatch Level 3.5

Industrial Demilitarized Zone — Shared Access
Monitors North-
South traffic and
traffic anomalies Site Manufacturing Operations and Control Level 3 Firewall
Area
AreaControl
Control Level
Level22
CyberVision
Monitors mainly East Basic
BasicControl
Control Level
Level11
West Traffic in the
Cell-Area network Process Level 0
Secure Access
Authenticate everything…
...Even if with MAB...
 Centralize Access Control on a Policy Most IIOT devices will not have authentication
Server (ISE) capabilities and will rely on MAB
 Authenticate everything
 Implement Principle of Least Privilege 802.1X
for Differentiated Access Authenticator

Authentication
Server
Device Type: LAN

Controller
Vendor: Siemens
Location: Cell 1
No
AUTHORIZED
PERSONNEL
802.1X
ONLY
No access to
unknown devices
Resource
Industrial Asset Authentication
A device is Authenticated using profiling groups (e.g., IoTMAB or Siemens-

Device), then Authorization is applied assigning an Access Policy and permitting
Access
Authorization options
Industrial DMZ
DACL or Named ACL VLANs Scalable Group Tags
Cisco TrustSec
Downloadable ACL (Wired) Dynamic VLAN Assignments
Software Defined Segmentation Level 3 MES / DCS
Historian
Remediation
Level 0-2
Flat Layer-2 Network
OT User
Vision
I D PLC PLC Robot

Allow to keep the IP but they Difficult to use traditional 16 bit SGT assignment O Separation-
ri
Reforming-Zone
do not scale well, keeping VLANs because devices have and SGT based Access v
Zone
e
track of IPs static IPs, and those are Control
hardcoded into PLC programs.
Authentication and Authorization flow
IACS Device is Switches
attached to the authentictes the
network device
Device
Does it match How open
any ISE
authenticated Yes
profiling Yes should the
successfully
conditions? default policy
No No be?
Apply an
approrpiate
access policy
Apply dafult
access policy
Device is now ISE sends a

profiled via CoA to the
ISE or Cyber access
Vision device
Architecture for Secure Access
ISE Site Business Planning and Logistics Network

Level 4
Level 3.5
Industrial Demilitarized Zone — Shared Access
Area
AreaControl
Control Level
Level22
Basic
BasicControl
Control Level
Level11
Process Level 0
Segmentation
Why Segmentation?
Securing the environment to block/contain attacks
Segment infrastructure – Protect

inbound and outbound communications
and each other
Identity based access – Restrict

connection to known systems and
devices
Firewall and TrustSec
Industrial capabilities for NGFW
Cisco ISA3000 (Industrial
Firepower Security Appliance)
Identity Integration Segmentation Application control

• Industrial apps
• ISE • ISA/IEC-62443 • CIP, EtherNet/IP,
• pxGrid • IEC 61850 DNP3, Modbus
• HIPAA • Control of IDMZ
• VDI
Enforce standards and best
Target threats accurately practice
Analyze headers in more depth
Rate limiting Tunnel Policy

• Rule-based limits • Pre-filtering
• Reports • Priority policy
• QoS rules • Policy migration
Control application usage Block unwanted traffic
NGFW Industrial Protocol support
Protocol/App. detectors IDS capability
BACNet Snort has industrial protocols
COSEM preprocessors.
COTP
Can do analysis and anomaly
DNP3
Emission control protocol
detection on them.
Fujitsu device control Modbus
GOOSE DNP3
GSE
IEC-60870-5-104 OpenAppID CIP
IEC-60870-5-104
ISO MMS
Modbus Allows to create IEC 61850 – MMS
OPC-UA application detectors for S7COM*
Q931 custom application
SRC e.g., detect Modbus read coils,
TPKT write single coil etc
CIP
Honeywell Control Station/NIF Server * Roadmap
Honeywell Experion DSA Server Monitor
The firewall can identify the protocol, and Snort can analyze the protocol and
decide if allow in the access control policies check conformace to the standard
Industrial protocols visibility with detectors
OpenAppID for specific commands
Industrial protocols signatures (i.e. SCADA)
• 400+ built-in Signatures for

OT protocols and endpoints
• Based on Vulnerabilities
discovered in protocols,
devices
• Protection against
Known/Unknown threats.
• Updated regularly
Architecture for basic segmentation

Firewall
ISA3K/FTD
AreaControl
Control Level 2
2
Area
Basic Control Level 1

1
Process Level 0 0
Identity Based
Segmentation
(TrustSec)
The value of TrustSec Cell-1 Cell-2
Cell-1
Cell-2
Which policy is easier?
Unknown
1. Traditional Segmentation Policy

Switch-1#show ip access-list
Extended IP access list CorpPolicy
10 permit tcp 10.1.100.0 0.0.0.255 172.16.100.0 0.0.0.255 eq 80
20 permit tcp 10.1.100.0 0.0.0.255 172.16.100.0 0.0.0.255 eq 443
2. TrustSec Segmentation Policy

Switch-1# show cts role-based permissions
IPv4 Role-based permissions default:
Deny IP-00
IPv4 Role-based permissions from group 10:Employee_SGT to group 100:ProdServer_SGT:
WWW_Only-10
TrustSec concepts
Application
Servers
SGT:10
SGT:6
SGT:5 Network
Surveillance
Servers
SGT:12
SGT assignment Propagation Enforcement
• Assignment of Security Group Tag (SGT) based on context (identity, device group, etc.).
• SGT are carried propagated through the network
• Firewalls, routers and switches use SGT to make filtering decisions via SGACL.
Classification Mechanisms
Dynamic
Dynamic Classification
Classification Static
Static Classification
AD
PassiveID
L3 Interface (SVI) to SGT IP to SGT L2 Port to SGT
Campus
Access Distribution Core DC Core DC Access
Enterprise
Backbone
Hypervisor SW
WLC Firewall
VLAN to SGT Subnet to SGT VM (Port Profile) to SGT
SGT Propagation
In data plane In control plane
• SGT information stays with traffic • Propagate SGT over an OOB protocol
• 16 bit TAG in the CMD of the Ethernet Frame • No hardware dependencies

• SXP for switch/router or ASA propagation
Propagation options
Cisco Meta Ethernet MACsec VXLAN • pxGrid on other device support
Data (CMD)
Ethernet Frame Cisco MetaData
IPsec DM-VPN GET-VPN Destination MAC CMD EtherType
Source MAC Version
802.1Q Length
ETHTYPE SGT Opt Type
CMD SGT Value

Inline tagging
ISE PAYLOAD Other CMD Options
Untagged
Branches
Handling enforcement
Identity
Services permit tcp dst eq 6970 log
permit tcp dst eq 6972 log
Engine permit tcp dst eq 3804 log
permit tcp dst range 30000 39999 log
permit udp dst range 5070 6070 log
deny ip log
Authentications
Employee
Application
Servers App Servers
TRAFFIC SGFW
SGACL (Firewall)
ZBFW
(Switch)
(Router)
Database
DB Servers
Servers
Today SGACL cannot block multicast traffic

Switch Support for TrustSec and SGTs
Aggregation
Access
Best in Class
IE5000
IE 3400 IE4000 IE4010
• Designed for all
industries
IE 3300 • Layer 2 • For all industries • For all industries • Layer 2 or 3
IE 3200
Feature
• 2 GE uplinks • Layer 2 or 3 • Layer 2 or 3 (IP service)

• Up to 24 GE (IP service) (IP service) • 4 10 GE* uplinks
• Layer 2 ports • 4 GE uplinks • 4 GE uplinks • 24 GE downlinks
IE2000 IE2000U • Layer 2 • 2 GE uplinks • IEEE1588 PTP • Up to 20 GE • 28 total GE • IEEE1588 PTP
• 2 GE uplinks • Up to 24 GE • REP ports ports (default and power
• 8 GE downlinks ports • IEEE1588 PTP • IEEE1588 PTP profiles)
• L2 or L3 (IP lite) • L2 or L3 (IP • IEEE1588 PTP • IEEE1588 PTP Roadmap (default and (default and • Layer 2 NAT
• Small form factor services) • Up to 8
IE1000 • IP30, IP67 • Small form PoE/PoE+ ports
• Up to 16 • FNF power profiles) power profiles) • Up to 12 PoE/PoE+
PoE/PoE+ • PoE/PoE+ • Layer 2 NAT • Layer 2 NAT • Dying gasp
• DLR (only Stratix) factor • REP • REP • Layer 3 • Up to 8 PoE / • Up to 12 or 24 • Cisco TrustSec
• MRP, REP • PRP, REP
• Lightly- • TrustSec® PoE+ ports PoE/PoE+ SGT/SGACL
• Layer 2 NAT • 1588 PTP Roadmap Roadmap
managed SGT/SGACL • Dying gasp • Dying gasp • MACSec
• IEEE1588 PTP default and • FNF • FNF
• Layer 2 only • Layer 2 NAT, • Cisco® TrustSec • Cisco TrustSec® • FNF
• Up to 8 PoE/PoE+ power profiles • MACsec • Layer 3
• 30 second • MACSec SGT/SGACL HW-ready • TSN-ready
• Conformal • Up to 4 • Cisco DNA • MACSec
boot-up time • MRP, PRP, HSR • MACSec, FNF • MACSec HW- • Stacking*
coating* PoE/PoE+ ports Essentials • Profinet
• Web config tool • IOX • Time-Sensitive ready • Conformal coating*
• Cisco DNA • MRP
• Up to 8 • TSN Network (TSN) • TSN-ready • IOx-ready
Essentials • Cisco DNA E/A
PoE/PoE+ ports • SDA FE ready • IOx-ready • Timing interfaces
• Cisco DNA E/A
SGT Today
• IOx
• MRP, REP, PRP
• Cisco DNA E/A
• REP, PRP
• Cisco DNA E/A
(IRIG-B, GPS, TOD)
• Cisco DNA E/A
10/100M 1G 10G
‘*’ –Selected Models
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/6-5-gbp-system-bulletin.pdf
TrustSec Support Matrix for Cisco product Line
IE Switch Trustsec Capabilities
PLATFORM Trustsec Supported
IE2000 • No enforcement possible

• SXP speaker
IE4000/4010/5000 • “Limited enforcement” (Only L2 adjacent devices)
• SXP speaker, SGT support
• MACSec
IE3400 • inline SGT
• MACSec
• SGACL:16x16 tested – spec’d @ 21x21* (Stratix
5800 equiv)
• SXP: speaker/listener
IE 3300 • MACSec
• SXP
IE3200 • SXP
Architecture for segmentation
ISE Site Business Planning and Logistics Network Level 4
Site Manufacturing Operations and Control Firewall

Level 3
ISE / Trustsec
AreaControl
Control Level 2
2
Area

1
ISA3K/FTD
Process Level 0 0
Network Segmentation Z1 Z2 PLC MES
Z1 ✓ ✘ ✓ ✘
Let‘s put everything together Z2 ✘ ✓ ✓ ✘
PLC ✓ ✓ ✓ ✓
1. CyberVision discovers industrial assets and groups
it into Zones. MES ✘ ✘ ✓ ✓
2. CyberVision context is shared with ISE & Level 3

Stealthwatch so that security policy can be written MES MES / DCS
Historian
based on business logic: e.g. zone-1 cannot talk to
zone-2. C O N T E X T Q u a r a n t i n e
Stealth
ISE 3 Watch
3. ISE enforces segmentation within zones based on

CyberVision C O N T E X T NetFlow Level 0-2
Scalable Group Tags (SGT). DPI
4. Stealthwatch and CyberVision run analytics to raise

alarms on policy violation. Z1 PLC
Z2
Z2
Z1 Vision
PLC
5. Users can trigger quarantine of offending assets .
IO Drive PLC PLC Robot
Zone-1 Zone-2
OT user and IT user are working with asset
identities rather than IP addresses
Use Case:
Remote Access –
A Challenging
Necessity
Remote Access with Multi Factor AuthC
Adaptive Multi Factor Authentication with DUO
DUO works with Remote Access and any type of Portal Access
On-Demand Remote Access
AnyConnect to check security posture, Field Engineer
establish VPN From Manufacturer X
Tracks user session in ISE along with
TAG role.
• Only a specific asset being serviced must
be accessible over remote access AnyConnect
• Minimal dependency on IT to enable access Jump DMZ

Permission
host
during maintenance window 3
SXP ISA 3000
Level 3
2
IT User ISE
C O N T E X T
• IT team predefines general access policies

including a policy for serviced asset. 1 Level 0-2
CyberVisi
on/IND
• IT and OT tools are interoperating and OT User Permission
exchanging policies and context information
Architecture for Remote Access
Level 3
Firewall
Remote Access
with MultiFactor
AreaControl
Control Level 2
2
Area

1
Process Level 0 0
Rapid Incident
Response
Cisco Platform Exchange Grid (PxGrid)
Enable Unified Threat Response by Sharing Contextual Data
pxGrid – Industry Adoption
Security Technical Alliance Partners: https://www.cisco.com/c/m/en_us/products/security/technical-alliance-partners.html

Integration Guides: https://communities.cisco.com/docs/DOC-64012
Rapid Threat Containment Level 3
H O S T G R O U P S
• Group assets in
Q u a r a n t i n e
Stealth
ISE IT User
3 Watch
communication trust C O N T E X T 2
zones and detect C o A

Level 0-2
anomalous traffic OT User

Cyber
Vision N E T F L O W
behavior Cell-1
Port
4
Cell-2
Scan
1
• Easily detect the source
of anomaly & quarantine
if necessary
• Quarantine can be non
invasive (Not impacting
communication).
Conclusion
What we have seen…
Enable visibility into OT systems Enforce Access control and

in order to inventory and baseline. perform proper segmentation
Secure touchpoints where

Add tools that enable and inform humans and their devices
rapid Incident Response. interact with OT systems.
Full architecture
SWE
ISE
Level 3.5
Remote Access Industrial Demilitarized Zone — Shared Access
with MultiFactor
Site Manufacturing Operations and Control Level 3 Firewall
ISE / Trustsec
AreaControl
Control Level 2
2
Area
ISA3K/FTD Basic Control Level 1

1
CyberVision Process Level 0 0
A Fully Integrated OT Security Solution
Working together to define & apply IoT security policies

Cisco Cyber Vision
ICS Visibility & Detection
Cisco Firepower Cisco ISE

Traffic Filtering Access Control
Cisco Industrial
Application Data Network
OT Context Cisco Stealthwatch
Security Policies Network Flow Analysis
What we have seen…
Enable visibility into OT systems Enforce Access control and

in order to inventory and baseline. perform proper segmentation
Secure touchpoints where

Add tools that enable and inform humans and their devices
rapid Incident Response. interact with OT systems.
Threat Prevention and Control for Human devices
Malware Umbrella
C2Callbacks Blocks malicious requests before
Phishing connections are even made,
blocking Threats.
Protects Users
AMP for Endpoints

Blocks attacks at initial inspection
monitoring files. Memory, and behavior.
Uses sandbox to inspect the unknown.
Continuous analysis via retrospection
Protects Devices
User endpoint
IT-OT collaboration is vital for securing ICS
Drives best practices

Fights cyber attacks
Industrial
Cybersecurity skills Industrial process skills
Network Operational events context
Network hygiene
Security policies Traffic OT Asset criticality levels
Detection & Remediation IT Equipment configuration
Ensures production continuity

Defines behavioral baselines
Key Takeaways IT-OT collaboration is key to securing ICS
environments
Start from Visibility and Monitoring
Your network has to be trustworthy – It’s where

your critical assets connect, and security policy
gets applied
Complete your
online session
survey • Please complete your session survey
after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events
Mobile App or by logging in to the Content
Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on

demand after the event at ciscolive.com.
Continue your education
Demos in the Walk-in

Cisco campus self-paced labs
Meet the engineer

Related sessions
1:1 meetings
Reference sessions
Security
• BRKSEC-2462: (Stealthwatch Beyond Alarms )
• BRKSEC-2430: (ISE Deployment Staging and Planning )
• BRKSEC-1003: (Cisco Platform Exchange Grid (pxGrid) Inside Out )
• BRKSEC-3690: (Advanced Security Group Tags: The Detailed Walk Through )
• BRKSEC-2348: (Deploying AnyConnect with Firepower Threat Defense with posture and MFA )
• BRKSEC-2140: (2 birds with 1 stone: DUO integration with Cisco ISE and Firewall solutions )
• BRKSEC-2382 : (Application and User-centric Protection with Duo Security )
• BRKSEC-2433: (Threat Hunting and Incident Response with Cisco Threat Response )
• BRKSEC-2047: (Behind the Perimeter: Fighting Advanced Attackers )
Reference sessions
IoT
• BRKIOT-2204: (Leveraging industrial device visibility and operational intent to inform
security policies and controls )
• BRKIOT-2100: (IoT and Intent-Based Networking Solutions for Smart Cities and
Connected Roadways )
• BRKIOT-2600: (Enabling OT-IT collaboration by transforming traditional industrial
networks to modern IoT Architectures )
• DEVNET-1343: (A to Z of MUD Usage for secure IOT Onboarding )
• BRKIOT-1618: (Industrial IoT Network Management using Cisco Industrial Network
Director – A Deep Dive. )
• PSOIOT-1156 : (Securing Industrial Networks: Introduction to Cisco Cyber Vision )
Document Links
• Network & Security in Automation Validated Design Guide
https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/Industrial_Automation/IA_Horizontal/DG/Industrial-
AutomationDG/Industrial-AutomationDG.html
• Trustsec SAFE document

• https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/iot-
threat-defense-mfg-design-implementation-guide.pdf
• Rockwell CPWE Security Document

• https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/CPwE/5-
1/Network_Security/DIG/CPwE-5-1-NetworkSecurity-DIG.html
• IND to ISE via pxGrid

• https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-24/214586-
configure-ise-2-4-pxgrid-ind-1-6-1-integ.html?dtid=osscdc000283
• ISE to Stealthwatch via pxGrid

• https://community.cisco.com/t5/security-documents/deploying-cisco-stealthwatch-7-0-with-
cisco-ise-2-4-using-pxgrid/ta-p/3793357?dtid=osscdc000283
Thank you

Brksec 2111

Uploaded by

Copyright:

Available Formats

Brksec 2111

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brksec 2111

Uploaded by

Copyright:

Available Formats

Visibility and Segmentation:

first steps to securing

• Technical Solutions Architect

• In Cisco since 20 years (and few days)...

Moving from proprietary networking technologies, to open standard networking such as

77% of ICS/OT companies

“1 in 6 CISO now medicate or

 Security = Cyber Security

Remote Patch Management AV Firewall

Level 0 Sensors Drives Actuators Robots Process

IEC 62443/ISA-99: builds on existing

NIST Cybersecurity Framework: Best

Purdue model: provides a general

Industrial Demilitarized Zone — Shared Access Level 3.5

Site Manufacturing Operations and Control Level 3

Discover Baseline & Segment Detect Enforce

Visibility Recognition of zones, conduits, and their control

Segmentation Fault domain isolation. Differentiated Services. Security

Control Ability to react to and isolate problems. Ensure stability

Compliance Having the audit trail

Threat Detection Continuously updated detection engines from world-

Most customers don’t have Blind to what their assets are

ISE + Cisco Cyber Vision Cisco Cyber Vision + Stealthwatch

Identity Profiling Role-based policy Network

Compliant Secure Access

Unknown Building-A Floor-1

Unknown 10:30 AM EST on April 27

Unknown Unknown Wireless / Ethernet / Zigbee Known

Unknown No Threats / Vulnerabilities

DEVICE SENSOR CDP LLDP DHCP HTTP H323 SIP MDNS

All new 700+ Automation and Control Profile Libraries

Enterprise Assets Industrial Assets

Camera Printer Laptop IP Phone

Cisco pxGrid Devnet Site: www.cisco.com/go/pxgridpartner

Access MUD MUD File

MUD is supported by NIST and IETF (RFC8520)

Devices Enterprise Manufacturer

Access MUD MUD File

MUD is supported by NIST and IETF (RFC8520)

1. Passively analyses industrial protocols Cyber Vision Center

2. Dynamically builds an inventory of all

3. Operational insight: extracts process

Inventory: Process Control: Network:

Flows are listed for each

A Flow is characterized by its endpoints properties:

Fosters IT/OT collaboration

Netflow/IPFIX is the detailed phone bill of the network.

KNOW SEE Understand what is Be alerted to Respond to

Collect and Create a baseline Alarm on anomalies

Packet Number of Rate of

Flows in Stealthwatch are enriched with context from CyberVision

WAN Cyber Vision

Level 2 SCADA Engineering

ISE Site Business Planning and Logistics Network

Stealthwatch Level 3.5

for Differentiated Access Authenticator

Device Type: LAN

A device is Authenticated using profiling groups (e.g., IoTMAB or Siemens-

I D PLC PLC Robot