Practical approaches to managing and securing cyber-physical systems - - PowerPoint PPT Presentation

practical approaches to managing and securing cyber
SMART_READER_LITE
LIVE PREVIEW

Practical approaches to managing and securing cyber-physical systems - - PowerPoint PPT Presentation

Sep 13, 2023 190 likes •325 views

Practical approaches to managing and securing cyber-physical systems Sanjiv Doshi, Principal Engineer - Cisco Nov 2018 Ciscos take on Cyber-Physical Systems Cyber-Physical Systems are fundamentally integration of three components

slide-1
SLIDE 1

Sanjiv Doshi, Principal Engineer - Cisco Nov 2018

Practical approaches to managing and securing cyber-physical systems

slide-2
SLIDE 2

Cisco’s take on Cyber-Physical Systems

  • Cyber-Physical Systems are fundamentally integration of three

components

  • Physical World (OT)
  • Network (IT)
  • Compute (IT)
  • Cisco play a big role in IT networking
  • Cyber-physical systems are an extension to IT networks
  • We have an important role in compute as well
  • Maybe not at the deep edge, but certainly the next level
slide-3
SLIDE 3

IT impact to Cyber-Physical Systems Networking

  • Extend the reach of IP to OT
  • Maybe not to the last mile in all theaters but the visibility of CPS

systems to IT will be through IP

  • Bucketized to three theaters
  • Extended Enterprise - Warehouse distribution centers
  • Remote and Mobile assets - Public safety fleets, Kiosks
  • Industry Plays - Factories, Utilities, Oil & Gas
  • Normalize CPS ecosystem in all theaters across all domains
  • Connectivity
  • Security
  • Compute
slide-4
SLIDE 4

Why Cisco in Edge/FOG computing

  • Edge/FOG compute is natural extension to Cisco platforms
  • Campus and IoT implementations need networks first
  • “Cloud/DC” computing is a result of compute coming to “data-at-rest”
  • “Edge” computing is compute coming to “data-in-motion”
  • Reminds me of Sun Microsystems tagline ”Network is the computer”
  • General purpose compute and enterprise class storage elements are siloed in data

centers

  • Only distributed hardware platforms today are network elements in IT
  • They already have compute, memory and storage
  • No need to truck roll and separately manage a compute infrastructure
  • All this w/o compromising the core functionality i.e. deliver secure and stable networks
  • Just as in real estate – it is “location, location, location”
slide-5
SLIDE 5

App building

Linux distro toolchains 32/64 bit

Building Blocks

Fog2Fog Cloud2Fog Fog2Cloud Protocol Plugins

App Distribution

Multi architecture Repository Artifact Management

Edge Infrastructure

[Cisco/3rd Party] [Compatible with IoT and Enterprise Platforms]

IOS XR/eXR

Platform Management

CPU Peripherals Accounting Routers/ Switches Network Memory IOS Classic Polaris IOS XE KVM LXC VMAN Docker

Containment

cgroups

Security

Device Onboarding Developer Certificates RBAC Application Security App Signing

App Management

Lifecycle logging upgrades debugging Scalability

IOx Value Proposition

Fog Requirements

App Development App Hosting Management Security Distribution/Control Fog Services Manageable Uniform Secure Distribution

slide-6
SLIDE 6

IOx Architecture Overview

Cisco Docker Hub/Application Repository FOG Director (FD) microservice (VM/Container)

(Centralized app lifecycle management, app repo etc.,) Northbound APIs Local Manager UI App Controller CAF (Cisco App Hosting Framework)

Host OS

IOx/EFM Services Network / Middleware Services

Dev Net

ioxclient

Edge/Fog Nodes (Routers, Switches, etc..) Embedded/Sensors Edge On Prem/Cloud Cloud

Apps Cisco IOS (Network Control Plane)

FN D

FD UI

NETCONF-YANG Cisco CLI

Cisco Kinetic Administrator

slide-7
SLIDE 7

Comprehensive Platform Security

IoT PaaS Platforms

Fog Director

Communications

Platform CAF IOx Services Fog Portal Apps

  • App Signing
  • Developer Keys
  • RBAC
  • Package Registry
  • TLS
  • Certificate based auth
  • Secure device

O nboarding with SNO verification

  • App Profiling
  • RADIUS
  • RBAC
  • Secure Device Discovery
  • Pluggable AuthModules
  • Custom er provided SSL/TLS

connection

  • Application Access Control
  • Secure device onboarding

leveraging IO S LDEV infrastructure

  • API Security
  • Pluggable Auth M odules (PAM )
  • App Signature Verification
  • O Auth for API Access
  • Secure Fog2Cloud
  • M anaged or Unm anaged key and cert.

m anagem ent

  • Secure storage
  • cgroups
  • SMACK, SELinux
  • USERNS
  • Application access control
  • Continuous application signature

verification

  • Scalable, low latency message

signing per flow

  • Shared storage across containers

Embedded/Sensors On Prem/DC Cloud (Cisco/Partners) Edge

slide-8
SLIDE 8

Cisco Multi-cloud micro-service centric platform architecture

Secure Network Operating System

IOS

Container Enabled Linux Kernel + IOx container engine IOx Broker (DS-API/HTTPS/WebSocket)

Kinetic EFM Industrial protocol micro services Platform Services (GPS, Network/Security Policy, Store and Forward)

Cisco Industrial Router

AWS Greengrass core Kinetic DCM Lambda_1 Lambda_2 Partner micro services Kinetic DCM Data policy control tools Data DNA Center Azure IoT Edge edge functions

slide-9
SLIDE 9

Use Cases

  • Network Element Monitoring
  • I.e. Self-monitoring
  • Network Management Services
  • Day 0, 1, 2 configurations
  • Optimize Netflow, SNMP MIBS records
  • Security
  • Traffic Monitoring
  • Deception Technology (device emulation)
  • Security Policies
  • Firewall
  • IDS/IPS
  • Micro-segmentation
  • DDoS mitigation
  • Edge Processing
  • Complex Event Processing (CEP)/ML
  • Preventative Maintenance
  • Bandwidth optimization
  • Cost optimization
  • Network selection based on signal strength,

geographic location

  • Network Services
  • DHCP
  • Print
  • Light Weight Custom Apps
  • Time Sharing
  • Asset Monitoring
slide-10
SLIDE 10

Network Segmentation

OT User As Assigns a set of assets to to Group Cell-1 1 in IND

IND Topology Screen Identity Services Engine

px pxGrid d upda pdate with asset en endpoint iden entities es and gr group p Cell-1a 1as custom at attribute SGT dACL VLAN

  • Default Auth policy on ISE for switchport is configured as “open access” – i.e no NAC blocking
  • PxGrid attribute “Ce

Cell-1” 1” matches a Profiling policy on ISE and triggers corresponding Authorization policy

  • ISE Authorization policy can be used to dynamically apply dACL, SGT or VLAN to switchports to segment the assets
  • OT user and IT user are working with asset identities rather than IP addresses

IT User

C E C E L L - 1 1 S e g m e n t
slide-11
SLIDE 11

What is this thing? How do I protect it and my business? Is it doing what it should be doing? Who is responsible for it?

MUD- Key Questions to Ask

slide-12
SLIDE 12
  • MUD: IETF Standard: draft-ietf-opsawg-mud-22 standards

track

  • The goal of MUD is to provide a means for end devices to

signal to the network what sort of access and network functionality they require to properly function. The initial focus is on access control. Later work can delve into other aspects.

Manufacturers Usage Description

https://tools.ietf.org/id/draft-ietf-opsawg-mud-22.html

slide-13
SLIDE 13