Implementing Segmentation in Industrial Networks
BRKIOT-2882, Cisco Live 2023
Andrew McPhee, Industrial Security Solutions Manager
#CiscoLive

Agenda
- Why Segmentation is Important
- Overview of Cisco's Industrial Security Guidelines
- IEC 62443 Zones & Conduits
- Identifying the Assets
- Macro vs Micro Segmentation
- Implementing Segmentation with Cisco Identity Services Engine (ISE)
- Q&A

Security can and should be simple!

Why Segmentation is Important

Attack Techniques used to exploit the Industrial Network
- Initial Access (TA0108)
- Discovery (TA0102)
- Lateral Movement (TA0109)
- Command and Control (TA0101)

Journey to Securing the Industrial Network
1. Build a Security Foundation: define the IT/OT boundary with Cisco Secure Firewall (IDMZ)
2. Gain Visibility & Device Posture: network as a sensor with Cisco Cyber Vision
3. Segment the network into smaller trust zones: network as an enforcer with Cisco ISE
4. Develop an Incident Investigation & Response plan: investigate threats & orchestrate response with Cisco SecureX
[Diagram: IT above the IDMZ, Zone 1 and Zone 2 below it, Cyber Vision sensors in each zone, ISE, Cisco Secure Firewall and SecureX alongside. The same four-step journey diagram is reused on later slides to mark the step being discussed.]

Before exploring micro-segmentation, make sure you have started with protecting from Initial Access exploits (journey step 1).

IDMZ with Cisco Secure Firewall
- IDMZ applications and services: UCS, AMP, file transfers, SW updates, remote access, data proxy, LDAP
- The I-DMZ separates critical networks (oil and gas, manufacturing, transmission lines, substation, wind turbine) from untrusted networks (remote vendor, connected IT, security threat, hacker, IoT)

Google Dorking
- Hacking using the Google search engine!
- Special search queries crafted by cybersecurity specialists using keywords that have special significance to Google
- Example: inurl:/Portal/Portal.mwsl

Credentials will be compromised!

Cisco Secure Equipment Access (SEA)
- Cisco's cloud solution designed for OT/IT to easily and securely monitor and perform critical day-to-day operations of industrial equipment
- Browser-based access (SEA) and native application access (SEA+) for remote users
- Cloud service (IoT OD) with multiple equipment access methods: HTTP(S)/RDP/VNC/SSH/Telnet with remote session control
- Granular access control to manage remote hosts and applications
- SEA Agent on the IoT OD managed gateway in front of the industrial equipment, reached over the Cisco networking infrastructure
- SSO through an IdP (SAML 2.0)

Cisco Secure Access by Duo: more than just MFA
- The majority of breaches leverage stolen or weak passwords
- Duo verifies the identity of users upon IoT OD access through Single Sign-On (SSO)
- Block anonymous networks and implement geo-restrictions
- Configure a Cisco Secure Endpoint policy in Duo to instantly block risky devices; recommended for users with SEA+ privileges

Focus of Today's Session: Segmentation WITHIN the OT (journey step 3)

ISA/IEC 62443 Zones & Conduits Model
IEC 62443 Zones & Conduits
- Zone: a collection of entities that represent a partitioning of a System under Consideration (SUC) based on their functional, logical and physical (including location) relationship, that share common security requirements
- Conduit: a physical or logical grouping of communication channels, intermittent or permanent, connecting a zone with another zone or with the outside, that share common security requirements
- The intent is to identify those assets which share common security characteristics in order to establish a set of common security requirements that reduce cybersecurity risk

NIST Zero Trust Guidance is practically the same
[Diagram: ISA/IEC 62443 zones (Enterprise, DMZ, Industrial Data Center, Cell/Area Zone 1, SIS) joined by conduits, shown side by side with the NIST Zero Trust guidance]

Identifying the Assets

Asset Visibility & Device Posture using the Network as a Sensor (journey step 2)

What is Network as a Sensor?
- Other solutions: SPAN-based collection across Purdue levels 0-3 needs expensive SPAN cabling and an out-of-band SPAN collection network, and causes a massive increase in traffic due to SPAN. SPAN-based solutions incur huge additional hidden costs.
- Cisco Cyber Vision: sensors built into the network elements send lightweight application-flow metadata to the Cyber Vision Center. Your network sees everything that attaches to it, eliminating the need for SPAN.

Why is a network sensor important?
- Other solutions: centralized active discovery cannot see behind firewalls and NAT boundaries
- Cisco Cyber Vision: active discovery by edge sensors can see more, because the sensor sits on the same side of the NAT/firewall boundary as the PLC/RTU/IED
- Distributed edge active discovery gives you 100% visibility

Cisco Cyber Vision: unique edge monitoring architecture
- Cyber Vision Sensors: deep packet inspection built into network elements (industrial switching, IoT gateways/compute, industrial routing, industrial Wi-Fi, sensor networking / RF mesh); industrial cybersecurity that can be deployed at scale
- Cyber Vision Center: centralized analytics & data visualization; Cisco integrations with SecureX, FMC, ISE, Stealthwatch, DNA-C; partner integrations with SIEM, CMDB, ICS vendor software

Asset Visibility
- Asset Inventory: comprehensive, up-to-date inventory of all assets in your environment
- Communication Patterns: dynamic communication map with detailed application-flow-level information

Security Posture
- Risk Scoring: asset risk scoring based on impact and likelihood, to help you improve compliance
- Vulnerability Detection: identify known asset vulnerabilities so you can patch them before they are exploited

Detect malicious intrusions with Snort IDS and Talos threat intelligence
- Snort Intrusion Detection add-on on the Catalyst IR8300 Series rugged router and the Catalyst 9300 enterprise switch, reporting to the Cyber Vision Center

Aggregated activities match IEC 62443 conduits
- Unaggregated view: see all asset relationships
- Aggregated view: easily browse through conduits

Implementing the Zones & Conduits Model

Using the Network as the Policy Enforcement Point (journey step 3)
ISE Segmentation Technologies
- ACLs (DL, Named, DNS): downloadable ACL (wired) or named ACL (wired + wireless). Example: Employee gets "permit ip any any"; Contractor gets "deny ip host <address> ..." followed by "permit ip any any"
- Security Group Tags: 16-bit SGT assignment and SGT-based access control (Cisco Group-Based Policy)
- VLANs: dynamic VLAN assignments per port / per domain / per MAC. Example: Employees VLAN 3, Guest VLAN 4, Printers VLAN 5

Authentication and Authorization
- Authentication: who are you? (e.g. alice, as Employee or Contractor)
- Authorization: what can you do? (protected servers, shared services, public network, network access)

Cisco TrustSec: Hybrid Macro/Micro Segmentation
- Authentication: "I'm an OT device in the ASSEMBLY WORKSHOP", "I'm an OT device in the WELDING WORKSHOP", "I'm a SCADA/MES server/workstation"
- Authorization: which of ASSEMBLY WORKSHOP, WELDING WORKSHOP, SCADA/MES and network access the device may reach
- Macro segmentation between the workshops; micro segmentation for individual devices such as the SCADA/MES server/workstation

Security Group ACL (SGACL) vs IP ACL
With an SGACL you define the ACL once and point to it when defining group pairs:

    ip access-list role-based FALLBACK
     permit ip
    cts role-based permissions from 9043 to 9043 FALLBACK
    cts role-based permissions from 911 to 0 FALLBACK
    cts role-based permissions from 0 to 911 FALLBACK
    cts role-based permissions from 911 to 911 FALLBACK
    cts role-based permissions from 9043 to 911 FALLBACK
    cts role-based permissions from 911 to 9043 FALLBACK

Macro Segmentation

Segmentation differences in IT & OT
- IT: every printer needs to reach the printing services
- OT: should the HMI on one production line be able to access the others?

Use Case 1: Cell/Area Zone to Cell/Area Zone denied by default. No segmentation inside the zone.
[Diagram: the reference architecture reused throughout the session. Enterprise (Purdue Level 4-5), I-DMZ with Cisco Secure Firewall, Industrial Core and Industrial Data Center (Purdue Level 3: MES, SIEM, SecureX, FMC, Cyber Vision Global Center, Cyber Vision, ISE, Duo), Distribution Stack with IDS, and Cell/Area Zone 1 and Zone 2 (Purdue Level 0-2: HMI, PLC/RTU/IED, SIS, IC3000 sensor on SPAN, Cisco IE switches with sensors). Traffic from Zone 1 to Zone 2 is marked Deny.]
- Network location has purpose in industrial networks
- Connectivity over security WITHIN the zone
- Least privilege across zones (conduit)
- Visibility in the zone is key
- "I am an HMI in Cell/Area 1"

Could I do this with a Firewall?
[Diagram: Zone 1 and Zone 2 traffic hairpinned through Cisco Secure Firewall with IDS; sensors remain in each zone]

Use Case 2: Infrastructure services that need access to all Cell/Area Zones. The default rule for the zone cannot be Deny All!
- Make sure to allow communication to infrastructure services (e.g. NTP in the Industrial Data Center)!
- There will be a minimum set of services ALL zones need access to!
- Switch management should be on a dedicated subnet with access to ISE, for example

Use Case 3: Safety network could be air gapped, or logically segmented from the rest of the network
- Safety is another macro zone in the network
- Logical segmentation is possible, but ensure all routes are blocked
- Still recommended to air gap from the rest of the network to avoid misconfiguration errors

Macro Segmentation Policy Matrix
- Source and destination groups: ASSEMBLY WORKSHOP, WELDING WORKSHOP, PAINTING WORKSHOP, INFRASTRUCTURE SERVICES
- TIP: only define policy that deviates from Default!
- The matrix is shown three ways: Default Allow, Default Deny, and Default Deny with an SGACL in each workshop-to-INFRASTRUCTURE SERVICES cell permitting only NTP (123), DHCP (67/68), DNS (53) and RADIUS (1812/1813):

    permit ip src dst eq 123
    permit ip src dst eq 67
    permit ip src dst eq 68
    permit ip src dst eq 53
    permit ip src dst eq 1812
    permit ip src dst eq 1813
    deny ip

For the Implementers in the Audience:
1. How do we classify a Zone?
2. What if we have 100s of Zones?

TrustSec Fundamentals
[Diagram: Access, Distribution and Core layers between the PLC/RTU/IED and the MES]
TrustSec Fundamentals: The TrustSec Domain
[Diagram: the TrustSec domain covers the Distribution and Core switches between the PLC/RTU/IED and the MES]

TrustSec Fundamentals: Static & Dynamic Classification
- Static classification at the ingress of the TrustSec domain
- Dynamic classification through ISE

TrustSec Fundamentals: SXP & Inline Tagging
- SXP between ISE and the domain
- Inline tagging inside the TrustSec domain

TrustSec Fundamentals: TrustSec enforcement happens at the egress of the TrustSec domain
- SGACL applied at the egress of the TrustSec domain
- Policy matrix sent from ISE (the diagram shows source groups 10, 20, 30 against destination groups 10, 20, 30)

Use Case 1 with TrustSec: Cell/Area Zone to Cell/Area Zone denied by default. No segmentation inside the zone.
- TrustSec Domain: Distribution & Core switches
- Classification: static (subnet SGT)
- Transportation: inline (between Distribution & Core), SXP (between ISE & domain)
- Enforcement: denied at the egress of the Distribution switch

What if we have 100s of Zones?
- Option 1: have 100s of cells in the policy matrix
- Option 2: take advantage of the TrustSec domain

The TrustSec Domain starts outside of the Cell, so applying the same SGT to every cell will not deny traffic inside the zone
- The SGT does not exist inside the Cell/Area Zone
- Only create unique tags for traffic that deviates from the default!
- The policy matrix shrinks to two groups, Cell/Area Zones and Infrastructure Services, with Cell/Area Zones to Cell/Area Zones set to Deny
- We are only focused on policy for traffic that leaves the zone!
- Both Cell/Area Zone 1 and Cell/Area Zone 2 carry SGT 1001
Exceptions to the rule: when the Cell/Area Zone becomes part of the TrustSec Domain
[Diagram: Site Operations Zone (engineering workstation, industrial applications, Cyber Vision Center, UCS, AMP, ISE, Catalyst 9000 distribution switch stack) above a Cell/Area Zone built from Cisco Catalyst IE3400 and IE3200 switches with sensors, PLCs, I/O, an HMI and an engineering workstation]
- When a Catalyst IE3400 inside the cell enforces, the Cell/Area Zone becomes part of the TrustSec Domain
- A permit rule is then required between the devices tagged SGT 1001 and SGT 1002 inside the same cell

L2 NAT is another example where the TrustSec Domain spans past the Distribution Switch
[Diagram: a Cisco Catalyst IE3200 performing 1:1 NAT in front of a PLC, I/O and a thin client/HMI; ingress classification, inline tagging, egress enforcement and SXP marked across the extended TrustSec domain]
- Same principles as before: classify on ingress, enforce on egress
- Inline tagging in the domain
- SXP from devices outside the domain

Monitor Mode
A matrix cell can be set to monitored so that the SGACL is logged but not enforced:

    Kernow-Cat9300#show cts role-based permissions
    IPv4 Role-based permissions default:
            Permit IP-00
    IPv4 Role-based permissions from group 33:EFT_SGT1 to group 28:Cameras (monitored):
            Deny_IP_Log-00

    Nov 24 17:42:53.047: %RBM-6-SGACLHIT: ingress_interface=LISP0.4099 sgacl_name=Deny_IP_Log-00 action=Monitor protocol=udp src-vrf=BuildingMgmt src-ip=10.4.1.122 src-port=63619 dest-vrf=BuildingMgmt dest-ip=10.6.5.109 dest-port=69 sgt=33 dgt=28 logging_interval_hits=1

    Kernow-Cat9300#show cts role-based counters from 33 to 28
    Role-based IPv4 counters
    From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
    33      28      0          0          0          0          0          1
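Monitor mode produces SGACLHIT syslog messages like the one above; what a practitioner wants from them is the list of services a matrix cell must permit before it is switched from Monitor to enforce. The parser and summary below are an added example written for this page, not Cisco code or a Cisco tool: the first log line is the one on the slide, the other lines (including SGT 1000 and the Permit_Infra SGACL name) are constructed, and the suggested ACEs use the role-based "permit <proto> dst eq <port>" form, to be reviewed before use.

```python
"""Summarise SGACL monitor-mode hits so the permit rules a matrix cell needs
are known before it is switched from Monitor to enforce.
Added example, not Cisco's code. The first log line is the one shown on the
slide; the remaining lines are constructed, including the SGT 1000 and the
Permit_Infra SGACL name."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE_LOGS = [
    "Nov 24 17:42:53.047: %RBM-6-SGACLHIT: ingress_interface=LISP0.4099 "
    "sgacl_name=Deny_IP_Log-00 action=Monitor protocol=udp src-vrf=BuildingMgmt "
    "src-ip=10.4.1.122 src-port=63619 dest-vrf=BuildingMgmt dest-ip=10.6.5.109 "
    "dest-port=69 sgt=33 dgt=28 logging_interval_hits=1",
    # constructed: the same service from a second host, several hits in the interval
    "Nov 24 17:43:10.101: %RBM-6-SGACLHIT: ingress_interface=LISP0.4099 "
    "sgacl_name=Deny_IP_Log-00 action=Monitor protocol=udp src-vrf=BuildingMgmt "
    "src-ip=10.4.1.130 src-port=50021 dest-vrf=BuildingMgmt dest-ip=10.6.5.109 "
    "dest-port=69 sgt=33 dgt=28 logging_interval_hits=4",
    # constructed: Modbus/TCP to a different destination in the same group
    "Nov 24 17:44:02.552: %RBM-6-SGACLHIT: ingress_interface=LISP0.4099 "
    "sgacl_name=Deny_IP_Log-00 action=Monitor protocol=tcp src-vrf=BuildingMgmt "
    "src-ip=10.4.1.122 src-port=41200 dest-vrf=BuildingMgmt dest-ip=10.6.5.20 "
    "dest-port=502 sgt=33 dgt=28 logging_interval_hits=1",
    # constructed: an already-permitted flow must not appear in the summary
    "Nov 24 17:44:30.000: %RBM-6-SGACLHIT: ingress_interface=Vlan100 "
    "sgacl_name=Permit_Infra-00 action=Permit protocol=udp src-vrf=BuildingMgmt "
    "src-ip=10.4.1.122 src-port=123 dest-vrf=BuildingMgmt dest-ip=10.4.0.5 "
    "dest-port=123 sgt=33 dgt=1000 logging_interval_hits=2",
    # constructed: unrelated syslog noise that the parser must skip
    "Nov 24 17:45:00.000: %SYS-5-CONFIG_I: Configured from console by admin",
]

HIT_RE = re.compile(r"%RBM-6-SGACLHIT:\s*(?P<body>.+)$")
FlowKey = Tuple[int, int, str, int]   # (sgt, dgt, protocol, dest-port)


def parse_hit(line: str) -> Optional[Dict[str, str]]:
    """Split an SGACLHIT message into its key=value fields; None for other messages."""
    m = HIT_RE.search(line)
    if not m:
        return None
    return dict(kv.split("=", 1) for kv in m.group("body").split() if "=" in kv)


def monitored_flows(lines: Iterable[str]) -> Counter:
    """Hit counts per (sgt, dgt, proto, dport) for flows the Monitor action let through."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_hit(line)
        if f is None or f.get("action") != "Monitor":
            continue
        key: FlowKey = (int(f["sgt"]), int(f["dgt"]), f["protocol"], int(f["dest-port"]))
        counts[key] += int(f.get("logging_interval_hits", "1"))
    return counts


def suggested_aces(counts: Counter) -> List[str]:
    """One role-based ACE per observed service, grouped by SGT pair, for review."""
    return [f"{sgt}->{dgt}: permit {proto} dst eq {dport}"
            for (sgt, dgt, proto, dport) in sorted(counts)]


if __name__ == "__main__":
    hits = monitored_flows(SAMPLE_LOGS)
    for ace in suggested_aces(hits):
        print(ace)
```

Run it against a real syslog export and compare the summary with the Cyber Vision conduit view before writing the permit rules; a flow that only appears in the log during maintenance windows still needs a decision.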
Micro Segmentation

Use Case 4: Select devices, such as interlocking PLCs, require communication across zones
- Use cases occur where we can no longer apply policy to a zone, but to individual devices
- Example: a PLC in Cell/Area 1 sends data to a PLC in Cell/Area 2
- By default, this communication would be denied (the diagram marks the PLC-to-PLC flow between Zone 1 and Zone 2 as Approve)

Use the visibility we gained earlier to drive segmentation
- Cyber Vision map view (OT persona): "This user interface understands industrial processes. I can group assets into zones." Cell 1 segment and Cell 2 segment each contain an HMI and a PLC/RTU/IED behind an industrial switch
- pxGrid update with asset endpoint identities and the group Cell1 as a custom attribute
- Cisco ISE policy matrix (IT persona): "I now have OT context to build the right security policies." The resulting policy can be an SGT, a dACL or a VLAN

Cyber Vision 4.0: attributes via pxGrid

| ISE attribute | Cisco Cyber Vision property | Description |
|---|---|---|
| IOTASSET Library | | |
| assetId | ID | Cyber Vision Component ID |
| assetName | Name | Component name |
| assetIpAddress | IP | Component IP address |
| assetMacAddress | Mac | Component MAC address |
| assetVendor | Vendor-name | Component manufacturer (IEEE OUI) |
| assetProductId | Model-ref | Manufacturer product ID |
| assetSerialNumber | Serial-number | Manufacturer serial number |
| assetSwRevision | Fw-version | Component firmware version |
| assetHwRevision | Hw-version | Component hardware version |
| assetProtocol | Protocols | All protocols concatenated in one string |
| Custom Attributes | | |
| assetModelName | Model-name | Manufacturer model name |
| assetOsName | OS-name | Operating system name |
| assetProjectName | Project-name | Project name (from PLC program) |
| assetProjectVersion | Project-version | Project version (from PLC program) |
| assetGroup | Group | Component group in Cyber Vision |
| assetGroupPath | Group Path | Component group path in Cyber Vision (nested groups) |
| assetCustomName | Custom Name | Custom name assigned to the component by the user |

Onboarding new devices on the network
- The operator installs a new device in a Cell/Area Zone
- Every zone in my network has a unique subnet
- Communication within a zone is not subject to enforcement
- Visibility is highly recommended
- When leaving the zone, the SGT is assigned based on the subnet
- Policy enforcement is enforced between subnets

Migrating a device to a Micro-Segmentation Policy

SGT classification for Micro Segmentation policies
- The PLC is now assigned a device-specific SGT and will not receive the Cell/Area SGT
- Only the PLCs can communicate across zones
- The SGT is based on process, NOT network location

Order of Precedence for SGT Classification
The slide stacks the classification sources from HIGHEST PRECEDENCE to LOWEST PRECEDENCE; the sources shown, with their configuration commands (values lost in extraction are marked with angle brackets), are:
- Static IP to SGT: cts role-based sgt-map <ip> sgt A
- Static VLAN to SGT: cts role-based sgt-map vlan-list <vlan> sgt B
- Static L3 interface (IP prefix) to SGT: int gx/y/z, no switchport, ip add <address> <mask>, cts role-based sgt-map sgt C
- Static Subnet to SGT: cts role-based sgt-map <subnet> sgt E
- Dynamic SGT: LOCAL, Inline/CMD, SXP
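The macro policy matrix with its infrastructure SGACL, the shared cell tag from the "100s of Zones" slides, and the device-specific tag of the interlocking PLCs can be modelled in one small policy evaluator. The code below is an added example written for this page, not Cisco's or ISE's code: SGT 1001 and 1002 come from the slides, while every address, the infrastructure SGT 1000 and the reading of the slide's "eq <port>" entries as UDP are constructed assumptions.

```python
"""Model of the session's TrustSec policy: subnet-based cell SGT (1001),
device-specific SGT (1002) for interlocking PLCs, a sparse policy matrix
that only lists deviations from the default, and enforcement only at the
egress of the TrustSec domain. Added example, not Cisco's code; every
address, the infrastructure SGT (1000) and the UDP reading of the slide's
SGACL ports are constructed assumptions."""
import ipaddress
from typing import Callable, Dict, Optional, Tuple

CELL_SGT = 1001            # shared by every Cell/Area Zone (slide value)
PLC_INTERLOCK_SGT = 1002   # device-specific tag (slide value)
INFRA_SGT = 1000           # assumed; the slides give no number for infrastructure

# Static subnet-to-SGT classification at the ingress of the TrustSec domain.
SUBNET_SGT = {
    ipaddress.ip_network("10.10.1.0/24"): CELL_SGT,   # Cell/Area Zone 1 (constructed)
    ipaddress.ip_network("10.10.2.0/24"): CELL_SGT,   # Cell/Area Zone 2 (constructed)
    ipaddress.ip_network("10.10.0.0/24"): INFRA_SGT,  # NTP/DHCP/DNS/ISE (constructed)
}
# Host bindings for the interlocking PLCs: the host binding wins over the
# subnet binding, so these PLCs never receive the Cell/Area SGT.
HOST_SGT = {
    ipaddress.ip_address("10.10.1.50"): PLC_INTERLOCK_SGT,
    ipaddress.ip_address("10.10.2.50"): PLC_INTERLOCK_SGT,
}

Flow = Tuple[str, str, str, int]   # (src ip, dst ip, protocol, dst port)


def classify(ip: str) -> Optional[int]:
    """Return the SGT a packet from/to this address is tagged with."""
    addr = ipaddress.ip_address(ip)
    if addr in HOST_SGT:
        return HOST_SGT[addr]
    for net, sgt in SUBNET_SGT.items():
        if addr in net:
            return sgt
    return None   # no binding; behaves like SGT 0 (unknown)


# SGACL from the "Macro Segmentation Policy Matrix - SGACL" slide:
# NTP 123, DHCP 67/68, DNS 53, RADIUS 1812/1813, then deny ip.
INFRA_PORTS = {("udp", 123), ("udp", 67), ("udp", 68), ("udp", 53),
               ("udp", 1812), ("udp", 1813)}


def infra_sgacl(flow: Flow) -> str:
    _, _, proto, dport = flow
    return "permit" if (proto, dport) in INFRA_PORTS else "deny"


def permit_ip(flow: Flow) -> str:
    return "permit"


# Sparse matrix keyed by (source SGT, destination SGT). Anything not listed
# falls to the default, following the tip "only define policy that deviates
# from Default"; with Default Deny the Cell->Cell cell needs no entry.
DEFAULT_ACTION = "deny"
MATRIX: Dict[Tuple[int, int], Callable[[Flow], str]] = {
    (CELL_SGT, INFRA_SGT): infra_sgacl,
    (PLC_INTERLOCK_SGT, INFRA_SGT): infra_sgacl,
    (PLC_INTERLOCK_SGT, PLC_INTERLOCK_SGT): permit_ip,   # Use Case 4 exception
}


def leaves_zone(src: str, dst: str) -> bool:
    """Only traffic between different subnets reaches the domain egress."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(s in net and d in net for net in SUBNET_SGT)


def enforce(flow: Flow) -> Tuple[str, str]:
    """Decide a flow the way the distribution switch egress would."""
    src, dst, _, _ = flow
    if not leaves_zone(src, dst):
        return "permit", "intra-zone: never enters the TrustSec domain"
    sgt, dgt = classify(src), classify(dst)
    rule = MATRIX.get((sgt, dgt))
    if rule is None:
        return DEFAULT_ACTION, f"default for {sgt}->{dgt}"
    return rule(flow), f"matrix cell {sgt}->{dgt}"


if __name__ == "__main__":
    for f in [("10.10.1.10", "10.10.1.11", "tcp", 502),   # HMI to PLC, same cell
              ("10.10.1.10", "10.10.2.11", "tcp", 502),   # HMI to the other cell
              ("10.10.1.50", "10.10.2.50", "tcp", 502),   # interlocking PLCs
              ("10.10.1.10", "10.10.0.5", "udp", 123),    # NTP to infrastructure
              ("10.10.1.10", "10.10.0.5", "tcp", 22)]:    # SSH to infrastructure
        print(f, "->", enforce(f))
```

Note that an infrastructure-to-cell flow such as the NTP reply is denied by this matrix: SGACLs are stateless, so return traffic needs its own matrix cell, which is part of why the slides say the default for infrastructure services cannot be Deny All.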
What about People?

Use Case 5: Technicians plugging their devices into a Maintenance Zone
[Diagram: the reference architecture with a Maintenance Zone and a Maintenance Station added alongside the Cell/Area Zones]

Authentication and Authorization (the earlier slide, repeated: who are you? / what can you do?)

Posture & Compliance
- Authorization policy example: IF JailBroken is No AND PinLock is Yes THEN Compliant
- Posture sources feeding ISE: agentless, Cisco Secure Client, EMM/MDM
- MDM attributes available to the policy: ActivityType, AdminAction, AdminActionUUID, AnyConnectVersion, DaysSinceLastCheckin, DetailedInfo, DeviceID, DeviceName, DeviceType, DiskEncryption, EndPointMatchedProfile, FailureReason, IdentityGroup, IMEI, IpAddress, JailBroken, LastCheckInTimeStamp, MacAddress, Manufacturer, MDMCompliantStatus, MDMFailureReason, MDMServerName, MEID, Model, OperatingSystem, PhoneNumber, PinLock, PolicyMatched, RegisterStatus, SerialNumber, ServerType, SessionId, UDID, UserName, UserNotified

Agentless Posture
- 802.1X/MAB, with posture checked through PowerShell or a shell script (.sh) instead of an agent
- Posture status: Compliant or Unknown (shown for an Employee)
- ISE 3.0; Linux support added in ISE 3.1

Cisco Secure Client (formerly AnyConnect)
- VPN module (core)
- ISE Posture
- Diagnostics and Reporting Tool (DART)

Endpoint Security is the norm for IT systems

Where do you install Endpoint Protection in the OT?
- Employee laptops/tablets/mobiles should always have it
- PLC/RTU/IED: devices won't support it
- HMI/MES in the Industrial Data Center: possibly, but policy may not allow it

USB drives still pose a major concern for Industrial Networks
"According to Honeywell, 79% of the malware identified by its USB security product on the drives scanned by customers in 2020 was capable of disrupting operational technology (OT) systems, up from 59% in 2019."

Sheep dip computer for assessing USB drives
- USB will continue to be used in OT (e.g., firmware upgrades)
- Assign a machine on your network to assess USB drives
- The sheep dip computer scans the USB drive to check its content for malware

Use Case 6: Administrative users need access to all zones
- Restrict the number of accounts that have full network access
- Use MFA for these users!
- ISE integrates with Duo as a RADIUS authentication proxy

Key Takeaways
- Mitigate Initial Access with a strong security perimeter
- Use visibility to drive segmentation
- Micro segmentation does not replace macro segmentation; it's complementary
- Do NOT over-complicate security
- Do not forget about the users