Moving from proprietary networking technologies to open standards such as Ethernet, Wi-Fi and IP improves the accessibility of data and information, but it also exposes industrial networks to the same classes of attack as IT networks. Visibility and operational insight are therefore key to securing industrial networks. Cisco Cyber Vision is a foundational element of Cisco's industrial security solutions: it brings full visibility into industrial environments and integrates with the rest of the Cisco Security portfolio to provide a holistic industrial security solution.
In this note we are going to answer the following questions:
What is Zero-Trust security?
Zero Trust is a security model associated with a set of architectural principles and patterns. No user, device or application is trusted because of where it sits on the network; every access request is verified. It is about securing everything everywhere: a comprehensive approach to securing all access across your networks, applications and environment.
Cisco Secure Zero Trust is built on these three pillars
Since the Internet of Things (IoT) largely falls within the workplace arena, these are also the foundations of Zero Trust for the industrial workplace. Industrial endpoints are not the same as IT endpoints, so visibility in an industrial setting means inspecting the traffic, decoding which type of asset is communicating on the network, and seeing what the communication inside the traffic payload actually does. This rests on application-level decoding of the industrial protocols and on behavior modeling of the industrial endpoints.
For more details see https://www.cisco.com/c/en/us/products/security/zero-trust.html
What is the current trend in Industrial IoT?
Digitization brings new requirements and challenges.
The role of IT is critical in helping OT secure industrial operations. In the industrial environment we see an increasing number of industrial control systems connected to the enterprise network and an increasing number of remote users connecting to it. The notion of a traditional perimeter is slowly going away, because users, devices and applications are now everywhere.
IT Networks:
• Many dynamic applications.
• Interoperability is unconstrained.
• IT teams manage the data.
• Equipment is known, modern and controlled.
• IT attacks can be identified.
OT Networks:
• Continually operating.
• Availability and safety first!
• Few, well-defined, long-lived conversations.
• OT assets are very old.
• Attacks look like legitimate instructions.
What are the Security Capabilities in Industrial Security?
Architecture for Visibility and Monitoring
What does Cisco's fully integrated IT-OT security solution look like?
You cannot secure the "things" if you do not know what they are. Data from Cyber Vision can be integrated into additional tools; the ISE, TrustSec and firewall integrations described below are examples.
For industrial endpoint compliance there are two key focus areas:
The first is common vulnerabilities and exposures (CVEs) on devices: known vulnerabilities that have been published about industrial assets.
The second is risk scoring of these endpoints. Cyber Vision has a vulnerability feed that it uses to match known vulnerabilities against the assets it sees on the network.
Cyber Vision decodes the make, model and serial number of each device, matches them against the vulnerability feed, and tells you which vulnerabilities apply to which assets in your environment. It then computes a risk score as likelihood times impact. Because Cyber Vision knows where an asset lies in the network, it can estimate the likelihood of that asset being compromised; for impact it looks at the criticality of the particular asset.
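The matching and scoring described above, as an added example (not Cyber Vision's own code): it matches a constructed asset inventory against a constructed vulnerability feed and ranks assets by likelihood times impact. The feed identifiers (EX-0001 and so on) are placeholders rather than real CVEs, matching on firmware version with a "fixed_in" threshold is an assumption about how such a feed is keyed, and the weights behind likelihood and impact (worst CVSS score, halved for isolated assets; OT-assigned criticality on a 1 to 5 scale) are illustrative choices, not Cisco's formula.

```python
"""Match decoded OT assets against a vulnerability feed and rank them by risk.

Added illustration, not Cyber Vision code. The feed entries, the asset inventory,
the "fixed_in" version logic and the weights behind likelihood and impact are all
constructed assumptions; identifiers such as EX-0001 are placeholders, not real CVEs.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def parse_version(text: str) -> tuple:
    """'4.2.10' -> (4, 2, 10) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class VulnEntry:
    vuln_id: str                # placeholder feed identifier (constructed)
    vendor: str
    model: str
    fixed_in: Optional[str]     # first firmware version not affected; None = every version
    cvss: float                 # severity reported by the feed, 0-10


@dataclass
class Asset:
    name: str
    vendor: str
    model: str
    firmware: str               # assumed to be decoded from the device's own traffic
    criticality: int            # 1 (low) .. 5 (safety/production critical), set by OT
    exposed: bool               # reachable from IT or remote-access networks
    findings: List[VulnEntry] = field(default_factory=list)


def is_affected(asset: Asset, entry: VulnEntry) -> bool:
    """Make/model must match; then the firmware must predate the fixed version."""
    same_product = (asset.vendor.lower(), asset.model.lower()) == (entry.vendor.lower(), entry.model.lower())
    if not same_product:
        return False
    if entry.fixed_in is None:
        return True
    return parse_version(asset.firmware) < parse_version(entry.fixed_in)


def match_feed(assets: List[Asset], feed: List[VulnEntry]) -> List[Asset]:
    """Attach every matching feed entry to each asset (mutates and returns the list)."""
    for asset in assets:
        asset.findings = [entry for entry in feed if is_affected(asset, entry)]
    return assets


def likelihood(asset: Asset) -> float:
    """0..1: worst known vulnerability, discounted when the asset is not exposed."""
    worst = max((entry.cvss for entry in asset.findings), default=0.0) / 10.0
    exposure = 1.0 if asset.exposed else 0.5     # assumption: isolation halves likelihood
    return round(worst * exposure, 3)


def impact(asset: Asset) -> float:
    """0..1: consequence of compromise, from the criticality assigned by the OT team."""
    return asset.criticality / 5.0


def risk_score(asset: Asset) -> float:
    """Risk = likelihood x impact, scaled to 0..100 for display."""
    return round(100 * likelihood(asset) * impact(asset), 1)


def rank(assets: List[Asset]) -> List[Asset]:
    """Highest-risk assets first, so the SOC knows what to patch or isolate first."""
    return sorted(assets, key=risk_score, reverse=True)


# Constructed vulnerability feed and inventory for the demonstration.
FEED = [
    VulnEntry("EX-0001", "ExamplePLC", "Ctl-1000", fixed_in="3.1.0", cvss=9.8),
    VulnEntry("EX-0002", "ExamplePLC", "Ctl-1000", fixed_in=None, cvss=5.3),
    VulnEntry("EX-0003", "ExampleHMI", "Panel-7", fixed_in="2.0", cvss=7.5),
]
ASSETS = [
    Asset("plc-line1", "ExamplePLC", "Ctl-1000", "2.8.4", criticality=5, exposed=False),
    Asset("plc-line2", "ExamplePLC", "Ctl-1000", "3.2.0", criticality=4, exposed=True),
    Asset("hmi-ops", "ExampleHMI", "Panel-7", "1.9.2", criticality=2, exposed=True),
    Asset("switch-cell1", "ExampleNet", "SW-24", "1.0", criticality=3, exposed=False),
]

if __name__ == "__main__":
    for asset in rank(match_feed(ASSETS, FEED)):
        ids = ", ".join(e.vuln_id for e in asset.findings) or "none"
        print(f"{asset.name:13} risk={risk_score(asset):5.1f}  findings: {ids}")
```

Note the ordering the scoring produces: the isolated PLC with the critical finding still outranks the exposed PLC with only a medium finding, because criticality (impact) carries as much weight as the vulnerability itself. Version strings are compared numerically; comparing them as text would wrongly treat "3.10" as older than "3.9".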
What is Cisco Cyber Vision?
Cisco Cyber Vision is the product that provides this visibility, based on application-level decoding of industrial protocol traffic and behavior modeling of industrial endpoints. Cyber Vision provides cyber-resilience for Industrial Control Systems (ICS) and integrates with your SOC.
The component called the Cyber Vision sensor runs on the network as a small, lightweight application inside the industrial Ethernet switches and gateways. It inspects the traffic traversing these devices and decodes both the identity of the devices and the communication going on between them. All of this information is sent up to the Cyber Vision Center, which is the brains of the operation: based on the pieces of information gathered, the Center gives you the identity of the assets and their behavior.
The key point is that the sensor does not stop at the network header information of a flow; it decodes the actual application payload of the industrial protocol. So we see much more than device identity: detailed information about the make, model and serial number and what PLC (Programmable Logic Controller) program is running on the asset, plus the communication patterns. We know who is talking to whom and can look inside the application-level payloads to understand what the device is doing: whether it is a read operation or a write operation, a PLC program download, a CPU start/stop command and so on. Cyber Vision goes one level further and gives you visibility into which objects or variables are being read or written.
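What "application-level decoding" means in practice, as an added example that is not Cyber Vision code: a minimal decoder for Modbus/TCP requests (chosen because its framing and function codes are public; Cyber Vision decodes many more protocols) that turns captured frames into a communication map recording who talks to whom, whether each operation is a read or a write, and which coil or register addresses are touched. The host addresses and the frames in CAPTURE are constructed, and the `mb()` helper exists only to build them.

```python
"""Decode the application payload of industrial traffic, not just its headers.

Added illustration, not Cyber Vision code. A minimal Modbus/TCP request decoder
turns captured frames into the kind of asset/communication map a sensor would
forward to the Center: who talks to whom, read or write, and which registers or
coils are touched. The IP addresses and the frames in CAPTURE are constructed.
"""
import struct
from collections import defaultdict

# Public Modbus function codes from the Modbus application protocol specification.
READ_FUNCS = {1: "read_coils", 2: "read_discrete_inputs",
              3: "read_holding_registers", 4: "read_input_registers"}
WRITE_FUNCS = {5: "write_single_coil", 6: "write_single_register",
               15: "write_multiple_coils", 16: "write_multiple_registers"}


def decode_modbus_request(frame: bytes) -> dict:
    """Parse one Modbus/TCP request: 7-byte MBAP header, then function code and data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto_id, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto_id != 0:
        raise ValueError("not Modbus: MBAP protocol identifier must be 0")
    if length != len(frame) - 6:          # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    data = frame[8:]
    rec = {"transaction": tid, "unit": unit, "function": func}
    if func in READ_FUNCS or func in WRITE_FUNCS:
        if len(data) < 4:
            raise ValueError("truncated PDU")
        first, second = struct.unpack(">HH", data[:4])
    if func in READ_FUNCS:
        rec.update(op="read", name=READ_FUNCS[func], start=first, count=second)
    elif func in (5, 6):                  # single writes carry address + value
        rec.update(op="write", name=WRITE_FUNCS[func], start=first, count=1, value=second)
    elif func in (15, 16):                # multiple writes carry start + quantity
        rec.update(op="write", name=WRITE_FUNCS[func], start=first, count=second)
    else:                                 # diagnostics, vendor-specific codes, etc.
        rec.update(op="other", name=f"function_{func}")
    return rec


def build_comm_map(frames):
    """frames: iterable of (src_ip, dst_ip, payload) -> {(src, dst): {op: {addresses}}}."""
    comm = defaultdict(lambda: defaultdict(set))
    for src, dst, payload in frames:
        rec = decode_modbus_request(payload)
        touched = range(rec["start"], rec["start"] + rec["count"]) if "start" in rec else ()
        comm[(src, dst)][rec["op"]].update(touched)
    return comm


def writers(comm) -> list:
    """Hosts that issue writes: they change process state and deserve the closest look."""
    return sorted({src for (src, _dst), ops in comm.items() if ops.get("write")})


def mb(tid: int, unit: int, func: int, *fields: int) -> bytes:
    """Build a Modbus/TCP request from 16-bit fields (used only to construct the sample capture)."""
    pdu = bytes([func]) + b"".join(struct.pack(">H", f) for f in fields)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: one PLC (10.1.20.50) polled by an HMI, a SCADA server and a laptop.
CAPTURE = [
    ("10.1.20.10", "10.1.20.50", mb(1, 1, 3, 0, 10)),       # HMI reads holding regs 0-9
    ("10.1.20.10", "10.1.20.50", mb(2, 1, 3, 100, 4)),      # HMI reads regs 100-103
    ("10.1.20.10", "10.1.20.50", mb(3, 1, 6, 40, 1500)),    # HMI writes setpoint in reg 40
    ("10.1.20.11", "10.1.20.50", mb(4, 1, 1, 0, 16)),       # SCADA reads coils 0-15
    ("192.168.50.7", "10.1.20.50", mb(5, 1, 5, 3, 0xFF00)), # laptop forces coil 3 ON
]

if __name__ == "__main__":
    comm = build_comm_map(CAPTURE)
    for (src, dst), ops in comm.items():
        summary = ", ".join(f"{op}:{len(addrs)} objects" for op, addrs in ops.items())
        print(f"{src} -> {dst}: {summary}")
    print("hosts performing writes:", writers(comm))
```

Run against the constructed capture, the map shows the HMI reading 14 registers and writing one, the SCADA server only reading, and a host from a different subnet forcing a coil: a header-only view would have reported three clients talking to one PLC on TCP port 502 and nothing more. The length and protocol-identifier checks matter because a sensor sees malformed and non-Modbus traffic on port 502 and must not mis-classify it.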
Why do we need Segmentation?
Segmentation is needed to block and contain attacks. We segment the infrastructure to protect inbound and outbound communications and to protect segments from each other, and we can permit identity-based access so that connections are restricted to known systems and devices.
Segmentation in industrial environments is challenging because the experts who know how to write segmentation policy are not necessarily familiar with the processes on the plant floor. This is where the Cisco solution helps you build segmentation policies: endpoint visibility is used to identify groups of devices so that you can create zones and conduits (the IEC 62443 terms for groups of assets and the permitted communication paths between them).
After that, the ability to dynamically map assets into these zones is provided. Once you have this information it helps you assign scalable group tags to assets, based on integration with ISE (Identity Services Engine).
How do Cyber Vision and ISE enable dynamic segmentation of industrial networks?
To monitor traffic patterns between scalable group tags we have to deploy the segmentation policy onto the network. Let's take each of these step by step.
Identity Based Segmentation (TrustSec)
• Assignment of a Security Group Tag (SGT) based on context (identity, device group, etc.).
• SGTs are carried (propagated) through the network.
• Firewalls, routers and switches use the SGT to make filtering decisions via SGACLs (security group ACLs).
In addition to visibility, Cyber Vision is able to detect threats, alert users in the SOC about them and give them the ability to run investigations. Cyber Vision not only alerts you on changes in control system behavior; it also lets you set a baseline of what is normal, and the platform then alerts you when there is a deviation from that baseline.
For signature-based threat detection Cyber Vision uses a detection engine whose signatures are fed from threat intelligence. Once a threat is detected, Cyber Vision issues an alert, and that information has to be fed up into the SOC. The key is to alert the SOC to critical events as they happen on the plant floor by forwarding events from Cyber Vision via syslog.
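The segmentation workflow (groups of devices become zones, zones become tags, tags become allow rules) and the baseline-and-deviation detection described above share one idea: the communications observed during normal operation define both the policy and the expectation. The following added example, which is not Cyber Vision, ISE or TrustSec code, learns a group-level baseline from constructed flow records, renders it as an SGACL-style allow matrix, and turns any later flow that falls outside the baseline into an RFC 5424 syslog line for the SOC. The ip-to-group table, the tag numbers, the flow records, the syslog facility/severity choices and the `otflow` structured-data element are all assumptions made for the example.

```python
"""Learn a baseline of who talks to whom, render it as a group-based allow policy,
and raise a syslog alert to the SOC when a flow falls outside that baseline.

Added illustration, not Cyber Vision, ISE or TrustSec code. In the real design the
asset groups discovered by Cyber Vision drive the SGT assignment in ISE and the
SGACLs enforced by the network; here the ip -> (group, tag) table, the flow records
and the syslog layout are constructed assumptions.
"""
import socket
from datetime import datetime, timezone

# Constructed group assignment: Cyber Vision asset group and the SGT ISE would assign.
GROUPS = {
    "10.1.20.50": ("PLC_Cell1", 20),
    "10.1.20.51": ("PLC_Cell1", 20),
    "10.1.20.10": ("HMI_Cell1", 30),
    "10.1.20.11": ("SCADA", 40),
    "192.168.50.7": ("ENG_LAPTOP", 50),
}


def group_of(ip: str) -> str:
    return GROUPS.get(ip, ("UNKNOWN", 0))[0]


def learn_baseline(flows) -> set:
    """flows: (src_ip, dst_ip, protocol, op) seen during the learning window.
    The baseline is kept at group level, so a new PLC in the same group needs no new rule."""
    return {(group_of(s), group_of(d), proto, op) for s, d, proto, op in flows}


def sgacl_matrix(baseline: set) -> dict:
    """Baseline as allow rules per (source group, destination group); everything else is denied."""
    rules = {}
    for src_g, dst_g, proto, op in sorted(baseline):
        rules.setdefault((src_g, dst_g), set()).add(f"{proto}:{op}")
    return rules


def check_flow(baseline: set, flow) -> dict:
    """Return {} if the flow is within the baseline, else a deviation record."""
    s, d, proto, op = flow
    key = (group_of(s), group_of(d), proto, op)
    if key in baseline:
        return {}
    return {"src": s, "src_group": key[0], "dst": d, "dst_group": key[1],
            "protocol": proto, "op": op}


def audit(baseline: set, flows) -> list:
    """All deviations in a batch of flows, in the order they were seen."""
    return [dev for dev in (check_flow(baseline, f) for f in flows) if dev]


def to_syslog(dev: dict, host: str = "cyber-vision-center") -> str:
    """RFC 5424 line. Facility local0 (16); severity alert (1) for writes, warning (4) otherwise."""
    severity = 1 if dev["op"].startswith("write") else 4
    pri = 16 * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sd = (f'[otflow src="{dev["src"]}" srcGroup="{dev["src_group"]}" dst="{dev["dst"]}" '
          f'dstGroup="{dev["dst_group"]}" proto="{dev["protocol"]}" op="{dev["op"]}"]')
    return f"<{pri}>1 {ts} {host} ot-monitor - DEVIATION {sd} flow outside learned baseline"


def send_syslog(line: str, collector: str = "127.0.0.1", port: int = 514) -> None:
    """Forward one line to the SOC collector over UDP syslog (not called at import time)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (collector, port))


# Constructed flows: a learning window, then a later window containing two anomalies.
LEARNING = [
    ("10.1.20.10", "10.1.20.50", "modbus", "read"),
    ("10.1.20.10", "10.1.20.51", "modbus", "read"),
    ("10.1.20.10", "10.1.20.50", "modbus", "write"),
    ("10.1.20.11", "10.1.20.50", "modbus", "read"),
    ("10.1.20.11", "10.1.20.51", "modbus", "read"),
]
LATER = [
    ("10.1.20.11", "10.1.20.51", "modbus", "read"),    # normal SCADA poll
    ("10.1.20.11", "10.1.20.50", "modbus", "write"),   # SCADA never wrote before
    ("10.1.20.10", "10.1.20.51", "modbus", "write"),   # HMI writes are in the baseline
    ("192.168.50.7", "10.1.20.50", "modbus", "write"), # engineering laptop writing to a PLC
]

if __name__ == "__main__":
    base = learn_baseline(LEARNING)
    for pair, allowed in sgacl_matrix(base).items():
        print(f"permit {pair[0]} -> {pair[1]}: {sorted(allowed)}")
    for dev in audit(base, LATER):
        print(to_syslog(dev))          # send_syslog(to_syslog(dev)) would forward it
```

Two design points are worth noting. The baseline is keyed by group rather than by address, which is what makes the resulting policy scalable: the HMI writing to a second PLC in the same cell is not a deviation, while the SCADA server's first write and the laptop's write both are, even though the laptop's address has a group of its own. Writes are raised at alert severity and reads at warning severity because, as the OT list earlier notes, attacks on control systems look like legitimate instructions, and a write from an unexpected source is the instruction that changes the process.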
Let's put everything together:
Summary
We have gone through Cyber Vision's capabilities including OT Asset Visibility and how this information is leveraged by other Cisco solutions like ISE (Identity Services Engine), TrustSec, and Cisco Secure Firewalls to effectively construct the appropriate Security policy and enforce Segmentation without disrupting operations.