
© 2018 Cisco and/or its affiliates. All rights reserved.

Cisco Public
BRKIOT-2112

Securing the Internet of Things

Philippe Roggeband, Manager
GSSO EMEAR Business Development
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKIOT-2112

The IoT pillars
While these pillars represent disparate technology, purposes, and challenges, what they all share are the vulnerabilities that IoT devices introduce.

• Information Technology
• Operations Technology
• Consumer Technology

It’s not just about the “things”
Agenda

• Challenges and Constraints
• Specific threats and Protection mechanisms
• Cisco best practices and solutions
• Q&A
• Conclusion
Consumer IoT Characteristics
Consumer objects: Challenges and constraints
• These devices are highly constrained in terms of
  • Physical size, Inexpensive
  • CPU power, Memory, Bandwidth
  • Autonomous operation in the field
• Power consumption is critical
  • If it is battery powered then energy efficiency is paramount, batteries might have to last for years
• Some level of remote management is required
• Value often linked to a Cloud platform or Service
Connected objects complexity
• Single Bus is used to exchange information
  • Example CAN messages:
    • A/C temperature
    • Radio Volume
    • Lights
    • Cruise Control
• Complex consumer objects may be part of a bigger picture
  • Smart City
  • Machine to Machine
Who is responsible?
• User
• Internet Service Provider
• Cloud solution provider
• Owner
• Manufacturer
Enterprise IoT
• (Partially) controlled environment
• Security policies for objects (should) exist
• Cloud access security policies (should) exist
• but...
  • Consumer objects may be connected by users
  • Unsecure objects get hacked in devious ways
Commercial Buildings Digitization
Enterprise IoT (EIoT)
Major trend of low-voltage transition, IP convergence, IoT-enabled applications
• Lighting
• HVAC
• Energy/Metering
• Physical Security
• Inventory
• Sensors
• Appliances
Cisco Smart & Connected Real Estate
IoT protocols, many options…

Criterion | EnergyWise | CoAP | MQTT | XMPP
End device OS support | Any, OpenRTOS | Contiki, RIOT, TinyOS, mbed, iOS, Android | Posix, Windows, Android, OSX, OpenWRT | Linux, iOS, Windows
Transport Protocol | TCP/UDP | UDP | TCP | TCP
Standard | Proprietary & Open | Open | Open | Open
Development community | Cisco & Partners | Cisco, Eclipse, libcoap | Cisco, ARM, Eclipse, Mosquitto/Paho | Allseen alliance
Implementation languages | C, Java | C, Java, Python, Go, C#, Ruby, Lua | C, Java, Python, C++ | C, Java, Perl, Ruby, PHP, Lisp, Python, Haskell, TCL, JS
Standards body | Cisco / IETF | IETF | OASIS | IETF
Security | PSK, TLS | DTLS | TLS | TLS
Industry adoption trend | Cisco, Cisco partners | ARM, Cisco, Ericsson, Huawei, Alcatel-Lucent | IBM, Elecsys, Philips, Eurotech | Qualcomm, Allseen, Cisco

• IoT still evolving
• Multiple protocols emerging for IoT
• Open Source and open standards for widespread adoption
• CoAP gaining traction in the industry
Security Threats

Service Disruption
• Vulnerabilities on Endpoints
• Vulnerabilities on Management Applications (i.e. Control/Monitoring)
• Snooping of Control traffic

Unauthorized Network Access
• Potential network entry point
• Unauthorized POE Devices
• End Points support only MAB – MAC spoofing risk

Traditional Threats
• IP/MAC spoofing
• MAC flooding
• DHCP related attacks
• DDoS
• DNS poisoning
• MITM
Industrial Control Systems
Assets We need to Protect

Asset | Description | Examples and Notes
IEDs | Intelligent Electronic Device – Commonly used within a control system, and is equipped with a small microprocessor to communicate digitally. | Sensor, actuator, motor, transformer, circuit breaker, pump
RTUs | Remote Terminal Unit – Typically used in a substation or remote location. It monitors field parameters and transmits data back to the central station. | Overlap with PLC in terms of capability and functionality
PLCs | Programmable Logic Controller – A specialized computer used to automate control functions within an industrial network. | Most PLCs do not use a commercial OS, and use “ladder logic” for control functions
HMIs | Human Machine Interfaces – Operator’s dashboard or control panel to monitor and control PLCs, RTUs, and IEDs. | HMIs are typically modern control software running on modern operating systems (e.g. Windows).
Supervisory Workstations | Collect information from industrial assets and present the information for supervisory purposes. | Unlike an HMI, a supervisory workstation is primarily read-only.
Data Historians | Software system that collects point values and other information from industrial devices and stores them in a specialized database. | Typically with built-in high availability and replicated across the industrial network.
Other Assets | Many other devices may be connected to an industrial network. | For example, printers can be connected directly to a control loop.
Convergence of IT and OT
The Rigid Silos between IT and OT

IT
• Protect IT Assets
• Confidentiality, Integrity, Availability
• Data, Voice, Video
• Network Authentication
• Threat Detection

Cyber-Security IT/OT Convergence
• Security Risk Assessment
• Asset Visibility across IT/OT
• Segmented Access Control
• Evolving Security Regulations
• Remote Access

OT
• Operations uptime/Safety
• High Availability, Integrity, Confidentiality
• Control Protocols/Motion
• Physical Access
• Process Anomalies
Industrial Networks: Manufacturing +

Where are these Protocols Found?
• TCP/IP
• FieldBus
CIP (Common Industrial Protocol) over Ethernet
• Developed in the late 90’s by Rockwell
• Now under the control of ODVA, known as EtherNet/IP (Port 0xAF12, i.e. 44818)
• Object-oriented approach
• Designed to be media-independent
• May now run over IP

Frame layout: Ethernet Header | IP Header | TCP/UDP Header | CIP Payload | CRC

CIP Data Model
1. Required Objects
2. Application Objects
3. Vendor-specific Objects

Diagram: CIP Studio/Manager managing CIP Devices
Profibus and Profinet (Profibus over Ethernet)
• Originally developed in the late 1980s in Germany by the Central Association for the Electrical Industry.
• Profibus is a Master/Slave protocol that supports multiple master nodes through the use of token sharing: when a master has control of the token, it can communicate with its slaves (each slave is configured to respond to a single master).
• In Profibus DP-V2, slaves can initiate communications to the master or to other slaves under certain conditions.
• Typically, a master Profibus node is a PLC or RTU, and a slave is a sensor, motor, or some other control system device.
Modbus
• Modbus is the oldest and perhaps the most widely deployed industrial control protocol.
• Modbus is a request/response protocol using only three distinct PDUs: Request, Response, and Exception Response.
• Modbus TCP uses TCP/IP to transport Modbus commands and messages over Ethernet-based routable networks.
• Modbus is typically deployed between PLCs and HMIs, or between a Master PLC and slave devices such as PLCs, Drives, Sensors, and other I/O devices.

Topology: HMI → (Modbus TCP over Ethernet) → PLC (Master) → (Modbus) → IEDs (Slave)

Modbus TCP frame: Ethernet Header | IP Header | TCP/UDP Header | Payload

Modbus serial frame:
Start | Address | Function | Data | CRC | End
T1 – T4 | 8 bits | 8 bits | n x 8 bits | 16 bits | T1 – T4
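The frame layouts above, worked through in code. This is an added example, not code from the presentation: it verifies the CRC of the serial (RTU) frame, parses the MBAP header that replaces it on Modbus TCP, and applies the only control Modbus itself offers against the "unauthenticated command execution" problem discussed later in the deck, a source-based allow-list for write function codes. Host addresses and the sample frames are constructed.

```python
import struct

# Modbus function codes that change process state (writes) versus those that only read.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_rtu_frame(unit: int, function: int, data: bytes) -> bytes:
    """Serial (RTU) frame: Address (8 bits) | Function (8 bits) | Data | CRC (16 bits, low byte first)."""
    body = bytes([unit, function]) + data
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu_frame(frame: bytes) -> dict:
    """Split an RTU frame into its fields; raise ValueError if the CRC does not verify."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, received = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    expected = crc16_modbus(body)
    if received != expected:
        raise ValueError(f"CRC mismatch: got {received:#06x}, expected {expected:#06x}")
    return {"unit": body[0], "function": body[1], "data": body[2:]}


def parse_tcp_adu(adu: bytes) -> dict:
    """Modbus TCP ADU: MBAP header (transaction id, protocol id, length, unit id) + PDU.
    There is no CRC field here: the CRC on the slide belongs to the serial framing."""
    if len(adu) < 8:
        raise ValueError("ADU too short")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(adu) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match ADU size")
    return {"transaction": transaction_id, "unit": unit_id, "function": adu[7], "data": adu[8:]}


def check_command(src_ip: str, pdu: dict, allowed_writers: set) -> str:
    """Policy check a monitoring sensor could apply: Modbus has no authentication, so the only
    control is *where* a write may come from. Returns 'allow' or an alert string."""
    fc = pdu["function"]
    if fc & 0x80:                       # Exception Response: function code with the high bit set
        code = pdu["data"][0] if pdu["data"] else None
        return f"exception response to function {fc & 0x7F} from unit {pdu['unit']} (code {code})"
    if fc in WRITE_FUNCTIONS:
        if src_ip in allowed_writers:
            return "allow"
        return f"ALERT: {WRITE_FUNCTIONS[fc]} from unauthorised host {src_ip} to unit {pdu['unit']}"
    if fc in READ_FUNCTIONS:
        return "allow"
    return f"ALERT: unexpected function code {fc} from {src_ip}"


if __name__ == "__main__":
    # Constructed traffic: the master PLC reads 10 holding registers over serial ...
    frame = build_rtu_frame(1, 3, bytes.fromhex("0000000A"))
    print(frame.hex(), parse_rtu_frame(frame))
    # ... and a host that is not the master writes register 1 over Modbus TCP.
    adu = bytes.fromhex("000100000006" "01" "0600010003")
    print(check_command("10.1.8.99", parse_tcp_adu(adu), allowed_writers={"10.1.8.20"}))
```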
OPC (OLE for Process Control)
• OPC is a suite of protocols that collectively enable Process Control Systems to communicate using Microsoft’s Object Linking and Embedding (OLE) architecture.
• Originally OPC was DCOM-based, though recently it has been updated to use OPC-UA (Unified Architecture) and OPC-XI (Express Interface). However, legacy OPC systems remain heavily deployed.
• OPC is typically used as a gateway between fieldbus protocols and Windows-based computing networks.
• OPC inherits security risks and vulnerabilities from Windows.

Diagram: Windows host, RPC, Windows host
DNP3
• DNP3 is mainly used between master control stations and remote slave devices (e.g. RTUs).
• DNP3 was a layer-2 protocol, and now works over TCP/IP (typically using TCP or UDP port 20000).
• DNP3 is very reliable, while remaining efficient and well-suited for real-time data transfer.
• DNP3 is bi-directional and supports exception-based reporting.
• Secure DNP3 is a DNP3 variant that adds authentication to the request/response process.
• IEEE adopted DNP3 as IEEE Std 1815-2010 on the 23rd of July 2010 (Std 1815-2012 is the latest).

Diagram: SCADA Control Center (HMI, Historian, IEDs/PLCs) connected to Sub-stations (IEDs/RTUs)
IEC 60870-5-104
• Standard for power system monitoring, control & associated communications for telecontrol, teleprotection, and associated telecommunications for electric power systems.
• IEC TS 60870-5-7 defines Security extensions, including authentication and end-to-end encryption, but they are rarely implemented due to the increased complexity.
Common SCADA Security Issues
• Weak Access controls to HMI and other equipment
  • Separation of duty for operator, administrator, audit
  • Little or no Password management
• Physical segmentation of the SCADA network
  • Dual-homed servers or PLCs act as Firewall
  • Segmented network has only physical security
• Unauthenticated command execution
  • Communication is un-encrypted
• Outdated operating systems left unpatched
• Rogue wireless access points without encryption
• Insufficient controls on contractors (i.e. access policy, laptops, etc…)
• Humans are writing the SCADA system software
Purdue Reference Model – Like OSI for Manufacturing

Level 5 | Enterprise Network | Enterprise Zone
Level 4 | Site Business Planning and Logistics Network | Enterprise Zone
Level 3.5 | Industrial Demilitarized Zone — Shared Access | IDMZ
Level 3 | Site Manufacturing Operations and Control | Manufacturing Zone
Level 2 | Area Control | Cell/Area Zone
Level 1 | Basic Control | Cell/Area Zone
Level 0 | Process | Cell/Area Zone
Kill Chain – ICS Variant
• Intrusion Phase
• Reconnaissance
• Targeting
• Weaponization
• Develop / Test
• Delivery / Exploit / Persist
• Install
• Modify Systems
• Command and Control
• Attack
• Anti-Forensics

OT Security Challenges
• Visibility: Lack of visibility into assets on network
• Control: 24x7 availability limits operational change
• Compliance: Out of date OS & firmware on PLC & HMI etc.
• Segmentation: Flatter networks – Bus & Ring
• Legacy Infra: Outdated systems prone to compromises and cyber challenges
• Secure Access: Lack of security controls supporting vendor access.
Summary: Holistic View of Vertical Segments
Illustrative. Top Two: Manufacturing and Healthcare
IT – Info Tech / OT – Oper Tech (Note: IT & OT As Defined by IOT BU; *OT Baseline Features)

Vertical | IT share at Level 5 (Enterprise Network)
Digital Healthcare | 100% IT
Connected Retail | 90% IT
Connected City | 90% IT
Connected Service Provider | 70% IT
Connected Car | 60% IT
Connected Transportation | 60% IT
Digital Manufacturing | 30% IT
Connected Utilities | 30% IT

Purdue Model rows: Level 5 Enterprise Network; Level 4 Site Business Planning; Level 3.5 DMZ Demilitarized Zone; Level 3 Plant Zone, Site Operations & Control; Level 2 Cell/Area Zone, Area Control; Level 1 Cell/Area Zone, Basic Control; Level 0 Cell/Area Zone, Process. The lower levels are weighted towards OT (the matrix shows 60% IT, 70% OT, 40% OT, 30% OT and 10% OT bands).

Example use cases per vertical, upper (business) levels first, then cell/area levels:
• Healthcare: Virtual Patient, IP Video, Wi-Fi, RFID, Medical Inventory Trackers, Patient Media Experience
• Retail: Store-in-a-box, Wi-Fi, Digital Experience, Electronic Shelf-Edge Labels, Product Tracking Tags
• City: City Location, Traffic, Safety/Security, Smart Trash Bins & Smart Building
• Service Provider: Fleet and asset Management Applications; Remote Cell Towers, Asset Tracking
• Car: Collaborative Navigation; Automotive Subsystems, Interior Safety Sensors, Asset Tracking
• Transportation: Stations, Wi-Fi, Automated Kiosks/Console, Traffic & Parking Sensors; Roadways, Trackside, Onboard & Mobile Assets Tracking, RFID Tag Reader
• Manufacturing: ERP, Finance & A/P; SCADA, ICS, EMS, AGC, Power Automation, Robots, Signature Tracking
• Utilities: Backend Offices; Smart Gas Meter, Distribution & Substation, Oilfield, Refinery & Smart Grid Devices
Connected objects: DNS DYN attack 2016
IoT Systems as Attack Surface
IoT devices and control systems are vulnerable
October 21st, 2016
Netflix, Twitter, Amazon, AirBnb, Spotify, NYT, Box, PayPal, …

Who is Dyn? (pronounced [ˈdaɪn])
• Company originally became known for providing DNS services for users with dynamic Internet Addresses (home users, small businesses)
• More recently, Dyn offers services to large enterprises that need a robust geographically diverse DNS infrastructure
• Dyn is one of the biggest, if not the biggest provider of such services. It maintains data centers around the globe and uses various techniques to provide redundancy
Authoritative & Recursive DNS

Diagram: You, looking for Twitter.com → recursive resolver (Your ISP, OpenDNS, Google DNS, …) → authoritative DNS (DynDNS)
Why Did Dyn Fail
• A large network of compromised devices (493,000 IoT devices: cameras, DVRs, …) infected by Mirai was used to flood Dyn’s servers with traffic
• In particular, servers used as part of Dyn’s enterprise offerings were targeted
• Dyn wasn’t able to handle the additional traffic, and its servers either stopped responding or responses were substantially delayed.
MIRAI Architecture overview

The MIRAI Botnet
• Reconnaissance phase
• Reporting of potential victims
• Malicious payload insertion
• Attack capabilities

Infection spreading mechanism
• Scanner.c looks for targets using a random IP address generator
• Tries to access the remote device using a list of hardcoded credentials
• Once access is successfully granted, sends back a report
• Infects the new remote device
• New remote device connects to C&C
Available attacks
• Straight up UDP flood
• Valve source engine query flood
• DNS water torture
• SYN flood with options
• ACK flood
• ACK flood to bypass mitigation devices
• GRE IP flood
• GRE Ethernet flood
• Plain UDP flood optimized for speed
• HTTP Layer 7 Flood

Securing the IoT
• On the device: firmware, admin password, physical access, …
• Between device and infrastructure: encryption, RF communication
• Infrastructure: Stealthwatch, Umbrella, Cloudlock, …
Smartcache in use during authoritative DNS DDoS attack against Dyn
1) Users request access to twitter.com (query sent to Umbrella / OpenDNS, 208.67.222.222)
2) OpenDNS tries to reach twitter’s authoritative DNS servers hosted by Dyn
3) Since Dyn is not available, OpenDNS uses its smartcache feature and serves the cached IP
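The three steps above as a small resolver model. This is an added example written for this page, not OpenDNS code: a recursive cache that honours TTLs normally, but when the authoritative server stops answering (the Dyn outage) keeps serving the last known-good record instead of failing. The zone data, TTL and the 192.0.2.10 address are constructed.

```python
import time


class UpstreamUnavailable(Exception):
    """The authoritative server did not answer (what the Dyn DDoS looked like to a recursive resolver)."""


class FakeClock:
    """Controllable clock so the TTL behaviour can be exercised deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeAuthoritative:
    """Stand-in for Dyn: answers from a zone table unless 'available' is switched off."""
    def __init__(self, zone, ttl=300):
        self.zone, self.ttl, self.available = zone, ttl, True

    def __call__(self, name):
        if not self.available:
            raise UpstreamUnavailable(name)
        return self.zone[name], self.ttl


class SmartCacheResolver:
    """Recursive resolver cache that keeps answering from the last known-good record when the
    authoritative server is unreachable (the 'smartcache' behaviour on the slide)."""
    def __init__(self, authoritative_lookup, clock=time.monotonic):
        self._lookup = authoritative_lookup   # callable(name) -> (ip, ttl) or raises UpstreamUnavailable
        self._clock = clock
        self._cache = {}                      # name -> (ip, expires_at)

    def resolve(self, name):
        """Return (ip, source) where source is 'cache', 'authoritative' or 'stale'."""
        now = self._clock()
        entry = self._cache.get(name)
        if entry is not None and entry[1] > now:
            return entry[0], "cache"          # normal TTL-bounded cache hit
        try:
            ip, ttl = self._lookup(name)
        except UpstreamUnavailable:
            if entry is not None:
                return entry[0], "stale"      # TTL expired, but serving it beats returning SERVFAIL
            raise                             # nothing ever cached: the failure propagates
        self._cache[name] = (ip, now + ttl)
        return ip, "authoritative"


def scenario():
    """Replays the steps on the slide and returns what the resolver answered each time."""
    clock = FakeClock()
    dyn = FakeAuthoritative({"twitter.com": "192.0.2.10"})   # constructed address (RFC 5737 range)
    resolver = SmartCacheResolver(dyn, clock)
    results = []
    results.append(resolver.resolve("twitter.com"))   # 1) first user query: answered by Dyn, cached
    clock.advance(60)
    results.append(resolver.resolve("twitter.com"))   # still within TTL: plain cache hit
    clock.advance(600)                                # TTL (300 s) has expired ...
    dyn.available = False                             # ... and the DDoS takes Dyn offline
    results.append(resolver.resolve("twitter.com"))   # 2)+3) Dyn unreachable: stale record served
    try:
        resolver.resolve("never-seen.example")        # no cached copy: the outage is visible
        results.append(("n/a", "unexpected"))
    except UpstreamUnavailable:
        results.append(("n/a", "servfail"))
    return results


if __name__ == "__main__":
    for ip, source in scenario():
        print(f"{source:14s} {ip}")
```

The last step shows the limit of the technique: a name that was never cached before the outage cannot be rescued.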
BrickerBot: Response to IoT-based DDoS attacks
• Author: “the Janitor”
• Vigilante worm that destroys insecure IoT devices, described as “Internet Chemotherapy”
• Destroys low-security devices running a Linux package called BusyBox, which have telnet-based interfaces with default passwords.
Enterprise IoT
NOT an IoT attack after all...

IoT: Medical

Internet of Things (IoT) in the Enterprise
• does not introduce “new” security problems
• raises the stakes; medical devices, traffic control systems; IoT brings the need for security into daily life
Manufacturing: German Smelter 2014
December 2014 – Attack on German Smelter

German Smelter Attack
• What is known:
  • Phishing Attack
  • Malware
  • Access to ICS
  • Shutdown commands
  • Damaged smelter
Electric Utilities: Ukraine 2015
Ukraine Power Grid Incident
• 3 Ukrainian power distribution companies
• 30 sub-stations were disconnected
• 225K customers lost power for hours
• Attackers remotely controlled SCADA DMS
Source: http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
BlackEnergy & KillDisk

Ukraine Grid Attack – Chronology of Events
1. Spear phishing to gain business network access
2. BlackEnergy 3 malware installed
3. Theft of Credentials
4. Use of VPNs to access ICS network
5. Remote operation of ICS Systems
6. S2E (serial-to-Ethernet) devices compromised at firmware level
7. KillDisk to erase MBR and delete targeted logs
8. Power Outage
All-time favorite : Stuxnet
How did Stuxnet work ?

The Target ICS Infrastructure – Iran’s Natanz Nuclear Facilities
• Step 7 Control Software running on Windows
• Supervisory Network
• Cascade Protection System
  • CPS Controller (Siemens S7-417)
  • Profibus
  • Stage Exhaust Valve
  • Isolation Valve
  • Pressure Controller
• Centrifuge Drive System
  • CDS Controller (Siemens S7-315)
  • Communication Processor
  • Frequency Converter
  • IR-1 Centrifuges
What was so special about Stuxnet?
• Exploited four zero-day vulnerabilities in the dropper
• The first rootkit targeting ICS
• Compromised two digital certificates
• Ability to inject code into PLC
• Hide from control system operators
• Remotely controlled by CC or act autonomously
IoT “hygiene” – Trustworthy systems

Cisco IoT Threat Defense Components

Visibility & Analysis
• Stealthwatch - Visibility of connections and relationships
• ISE – Device / User identity
• NGFW – App Activity
• AMP – End Point Activity

Segmented Access Control
• FP NGFW - Segment IT and OT environments
• TrustSec - Segment OT devices in the IT network
• ISE – Align access with users / device
• Switches – Dynamic segmentation enforcement

Secure Remote Access
• AnyConnect - Secure Connection in/out of OT network
• ISE – dynamic access control
• FirePower – Observe remote activities
• DNS – remote site risk protection

IoT Security Services
• Risk assessment for baseline
• Deployment and Migration
• Incident response Service for breach situations
Access to the Manufacturing Floor – Cisco ISE

Context Data (Who, What, Where, When, How) from the Network and Partner sources → Cisco ISE → Consistent Secure Access Policy
Profiling
• What ISE Profiling is:
  • Dynamic classification of every device that connects to the network using the infrastructure.
  • Provides the context of “What” is connected independent of user identity for use in access policy decisions
  • Example classes: PCs, Non-PCs, UPS, Phone, Printer, AP, Infra
• How?
• What Profiling is NOT:
  • An authentication mechanism.
  • An exact science for device classification
How we profile?
• Collection
  • Process of collecting data to be used for identifying devices
  • Uses Probes for collecting device attributes: NMAP, AD, NetFlow, HTTP, SNMP, LLDP, Radius, DNS, DHCP
• Classification
  • Classifies based on Device fingerprint
Cisco IoT System Network Connectivity

IoT Network: IE Switches, IR Routers, ISE
• Industrial Switching: IE 2000, 3000, IP67, IE 4000, IE 5000, CGS2000
• Industrial Routing: High performance, H/W accelerated VPN – IR 809, 829

Network Visibility and Enforcement
• Portfolio wide consistent policy enforcement
• Attack and abnormal traffic detection mitigation
• Misconfiguration prevention
• MAC Bypass for legacy device identification
• DDOS attack mitigation

Simplified Compliance | Risk Mitigation | Consistent Policy Enforcement | Increased System Availability
Visibility & Context in Industrial Networks
Security starts with Visibility: Context Enhances Security

• Discover Industrial Assets using CIP, PROFINET, Modbus, BACNet Protocols
• Visualize connectivity between automation and networking assets
• IND shares industrial asset identity with ISE over pxGrid (Industrial Network Director → pxGrid → Identity Services Engine)

Example context for one asset:
Who | Bob
What | Rockwell PLC
When | 11:00 AM EST on April 10th
Where | Extrusion, Zone-2, Cell-1
How | Wired Access
Compliance | Yes
Threat | None
Vulnerability | CVSS score of 6

… this Visibility combined with Context, becomes a force-multiplier for Security
Policy and Segmentation with TrustSec
• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
• Retaining initial VLAN/Subnet Design

Diagram: Firewall, Aggregation Layer, Access Layer; the Voice, Data, Lights, Guest and HVAC VLANs carry the Data Tag, Lights Tag, Guest Tag and HVAC Tag
Visibility through NetFlow
Network as a Sensor (Switches, Routers, Internet)

NetFlow provides
• Trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurement
• An ability to find north-south as well as east-west communication
• Light weight visibility compared to SPAN based traffic analysis
• Indications of Compromise (IOC)
• Security Group Information

Example flow record (Flow Information for packets from 10.1.8.3 to 172.168.134.2):
SOURCE ADDRESS | 10.1.8.3
DESTINATION ADDRESS | 172.168.134.2
SOURCE PORT | 47321
DESTINATION PORT | 443
INTERFACE | Gi0/0/0
IP TOS | 0x00
IP PROTOCOL | 6
NEXT HOP | 172.168.25.1
TCP FLAGS | 0x1A
SOURCE SGT | 100
: | :
APPLICATION NAME | NBAR SECURE-HTTP
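What "north-south versus east-west" and "Indications of Compromise" look like when flow records are actually evaluated against the Purdue zones from earlier in the deck. This is an added example, not Stealthwatch logic or code from the presentation: the zone address plan, the flow records and the alert thresholds are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed Purdue-style address plan (an assumption for this example, not from the slide).
ZONES = {
    "cell-area": ipaddress.ip_network("10.1.0.0/16"),      # Levels 0-2: PLCs, HMIs, drives
    "manufacturing": ipaddress.ip_network("10.2.0.0/16"),  # Level 3: historians, app servers
    "idmz": ipaddress.ip_network("10.3.0.0/24"),           # Level 3.5
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),    # Levels 4-5
}
OT_ZONES = {"cell-area", "manufacturing"}
SYN_ONLY = 0x02      # TCP flags field with only SYN set: the handshake never completed


@dataclass(frozen=True)
class Flow:
    """The subset of NetFlow fields shown on the slide that the rules below need."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int       # IP protocol number, 6 = TCP
    tcp_flags: int   # cumulative TCP flags seen in the flow
    src_sgt: int     # Security Group Tag of the source


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def direction(flow: Flow) -> str:
    """East-west: both ends inside the same zone or both inside OT; otherwise north-south."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    return "east-west" if s == d or (s in OT_ZONES and d in OT_ZONES) else "north-south"


def analyze(flows) -> list:
    """Run three zone-aware rules over flow records and return the alerts they raise."""
    alerts = []
    syn_targets = {}   # src -> distinct (dst, dport) pairs reached with a bare SYN
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s == "cell-area" and d == "external":
            alerts.append(f"{f.src} -> {f.dst}:{f.dport}: cell/area asset talking to the Internet")
        if {s, d} == {"cell-area", "enterprise"}:
            alerts.append(f"{f.src} -> {f.dst}:{f.dport}: cell/area <-> enterprise flow bypasses the IDMZ")
        if f.proto == 6 and f.tcp_flags == SYN_ONLY:
            syn_targets.setdefault(f.src, set()).add((f.dst, f.dport))
    for src, targets in syn_targets.items():
        if len(targets) >= 5:
            alerts.append(f"{src}: bare SYNs to {len(targets)} distinct targets (scan indicator)")
    return alerts


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.1.8.3", "10.1.8.20", 47321, 502, 6, 0x1A, 100),      # HMI -> PLC, expected east-west
    Flow("10.2.0.5", "10.1.8.20", 51000, 502, 6, 0x1A, 110),      # historian polls PLC, OT east-west
    Flow("10.1.8.20", "203.0.113.9", 40000, 443, 6, 0x1A, 120),   # PLC -> Internet: alert
    Flow("10.10.4.7", "10.1.8.20", 52000, 502, 6, 0x1A, 10),      # office workstation -> PLC: alert
] + [Flow("10.1.8.99", f"10.1.8.{i}", 33000 + i, 502, 6, SYN_ONLY, 120) for i in range(1, 6)]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS[:4]:
        print(f"{f.src:>12} -> {f.dst:<14} {direction(f)}")
    for alert in analyze(SAMPLE_FLOWS):
        print("ALERT", alert)
```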
Cisco Stealthwatch
System Overview

• Network devices: NetFlow-capable devices export NetFlow / NBAR / NSEL; non-NetFlow-capable devices are covered through SPAN to a Stealthwatch FlowSensor, which generates NetFlow
• Stealthwatch FlowCollector
  • Collect and analyze
  • Up to 4,000 sources
  • Up to 240,000 FPS sustained
• Stealthwatch Management Console
  • Management and reporting
  • Up to 25 FlowCollectors
  • Up to 6 million FPS globally
Cisco AMP – Advanced Malware Protection
AMP Everywhere: See Once, Protect Everywhere
• Visibility
• Threat Intelligence
• AMP Intelligence Sharing across Endpoint, Networks, Web (WWW) and Email
Cisco Umbrella
Visibility on Any Device, Anywhere

CHALLENGES
• Multiple Internet Service Providers
• Direct-to-Internet Branch Offices
• Users Forget to Always Turn VPN On
• Different DNS Log Formats

BENEFITS
• Global Internet Activity Visibility
• Network Security w/o Adding Latency
• Consistent Policy Enforcement
• Internet-Wide Cloud App Visibility
IT/OT Converged Security Model

Enterprise Network (Levels 4–5): Web Apps, DNS, FTP, Internet
• Cloud-based Threat Protection
• Network-wide Policy Enforcement
• Access Control (application-level)

Demilitarized Zone (Level 3.5): Firewall (Active) and Firewall (Standby) with Gbps Link for Failover, Application Mirror, AV Server, Terminal Services, Patch Mgmt.
• VPN & Remote Access Services
• Next-Generation Firewall
• Detection
• Intrusion Prevention (IPS)

Manufacturing Zone (Level 3): Core Switches, Aggregation Switch, Factory Application Servers, Network Services, Access Switch, ISE
• Stateful Firewall
• Intrusion Protection/Detection (IPS/IDS)
• Physical Access Control Systems

Cell/Area Zone (Levels 0–2): Layer 2 Access Switch, HMI, Controller, Drive, Distributed I/O; Cell/Area #1 (Redundant Star Topology), Cell/Area #2 (Ring Topology), Cell/Area #3 (Linear Topology)
• Access Control
• Ruggedized Firewall and Intrusion Detection
• Advanced Malware protection and Threat Intelligence
• Remote Monitoring / Surveillance
• SW, Config & Asset Mgmt
Capabilities vs Solutions
• Visibility: ISE, Firepower, Stealthwatch - Network as a Sensor
• Control: ISE, AMP, Stealthwatch - Network as an Enforcer
• Compliance: Firepower, OpenDNS, CloudLock
• Segmentation: ISE, TrustSec, Network as an Enforcer
• Threat Detection: Talos, WSA/ESA, AMP, Firepower, Stealthwatch
• Secure Access: ISE, AnyConnect VPN, ASA, Firepower
Q&A
Final thoughts
There is not one Internet of Things, there are many

As always, for security, it starts with designing the right policies & processes
Related sessions
• BRKSEC-2339 - How IoT Threat Defense is protecting the promise of the IoT
  • Mustafa Mustafa, IoT Security Technical Marketing Engineer, Cisco
• PSOSEC-4377 - IoT Threat Defense and Ransomware Defense - Two solutions that address critical business concerns
  • Albert Salazar, Director Enterprise Solutions, Cisco
• BRKIOT-2111 - Power Utilities Energy Automation Design Session
  • Paulo Pereira, Consulting Systems Engineer, Cisco
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you
