US20210194760A1 - Dynamic segmentation in an industrial network based on inventory tags - Google Patents
Dynamic segmentation in an industrial network based on inventory tags Download PDFInfo
- Publication number
- US20210194760A1 US20210194760A1 US16/853,622 US202016853622A US2021194760A1 US 20210194760 A1 US20210194760 A1 US 20210194760A1 US 202016853622 A US202016853622 A US 202016853622A US 2021194760 A1 US2021194760 A1 US 2021194760A1
- Authority
- US
- United States
- Prior art keywords
- network
- endpoint device
- tags
- service
- intent
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000011218 segmentation Effects 0.000 title claims abstract description 39
- 230000000694 effects Effects 0.000 claims abstract description 26
- 238000007689 inspection Methods 0.000 claims abstract description 9
- 238000000034 method Methods 0.000 claims description 64
- 230000006855 networking Effects 0.000 claims description 45
- 230000008569 process Effects 0.000 claims description 28
- 238000004891 communication Methods 0.000 description 29
- ANJPRQPHZGHVQB-UHFFFAOYSA-N hexyl isocyanate Chemical compound CCCCCCN=C=O ANJPRQPHZGHVQB-UHFFFAOYSA-N 0.000 description 18
- 230000006399 behavior Effects 0.000 description 14
- 230000006870 function Effects 0.000 description 14
- 238000004519 manufacturing process Methods 0.000 description 9
- 238000010801 machine learning Methods 0.000 description 8
- 239000000523 sample Substances 0.000 description 8
- 230000002547 anomalous effect Effects 0.000 description 5
- 238000013459 approach Methods 0.000 description 4
- 230000000875 corresponding effect Effects 0.000 description 4
- 238000005259 measurement Methods 0.000 description 4
- 238000012549 training Methods 0.000 description 4
- 238000013528 artificial neural network Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 238000003860 storage Methods 0.000 description 3
- 238000012800 visualization Methods 0.000 description 3
- 238000004378 air conditioning Methods 0.000 description 2
- 230000003542 behavioural effect Effects 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000036541 health Effects 0.000 description 2
- 238000010438 heat treatment Methods 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000000513 principal component analysis Methods 0.000 description 2
- 238000001228 spectrum Methods 0.000 description 2
- 238000012706 support-vector machine Methods 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 238000013519 translation Methods 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 230000006978 adaptation Effects 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 238000003339 best practice Methods 0.000 description 1
- 238000009529 body temperature measurement Methods 0.000 description 1
- QVFWZNCVPCJQOP-UHFFFAOYSA-N chloralodol Chemical compound CC(O)(C)CC(C)OC(O)C(Cl)(Cl)Cl QVFWZNCVPCJQOP-UHFFFAOYSA-N 0.000 description 1
- 230000000295 complement effect Effects 0.000 description 1
- 230000001276 controlling effect Effects 0.000 description 1
- 230000001934 delay Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 238000005538 encapsulation Methods 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 239000004744 fabric Substances 0.000 description 1
- 238000009499 grossing Methods 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 238000002372 labelling Methods 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 230000035755 proliferation Effects 0.000 description 1
- 230000001902 propagating effect Effects 0.000 description 1
- 238000007637 random forest analysis Methods 0.000 description 1
- 230000003362 replicative effect Effects 0.000 description 1
- 230000035945 sensitivity Effects 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000013179 statistical model Methods 0.000 description 1
- 230000002123 temporal effect Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/08—Logistics, e.g. warehousing, loading or distribution; Inventory or stock management
- G06Q10/087—Inventory or stock management, e.g. order filling, procurement or balancing against orders
- G06Q10/0875—Itemisation or classification of parts, supplies or services, e.g. bill of materials
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/05—Programmable logic controllers, e.g. simulating logic interconnections of signals according to ladder diagrams or function charts
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0893—Assignment of logical groups to network elements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0894—Policy-based network configuration management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/40—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/026—Capturing of monitoring data using flow identification
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/20—Arrangements for monitoring or testing data switching networks the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/20—Traffic policing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2441—Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/32—Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
- H04L47/323—Discarding or blocking control packets, e.g. ACK packets
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/02—Standardisation; Integration
- H04L41/0213—Standardised network management protocols, e.g. simple network management protocol [SNMP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/147—Network analysis or design for predicting network behaviour
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/149—Network analysis or design for prediction of maintenance
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/16—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/10—Active monitoring, e.g. heartbeat, ping or trace-route
Definitions
- the present disclosure relates generally to computer networks, and, more particularly, to intent-based security for industrial Internet of Things (IoT) devices.
- IoT Internet of Things
- the Internet of Things represents an evolution of computer networks that seeks to connect many everyday objects to the Internet.
- IoT Internet of Things
- smart devices that are Internet-capable such as thermostats, lighting, televisions, cameras, and the like.
- these devices may also communicate with one another.
- an IoT motion sensor may communicate with one or more smart lightbulbs, to actuate the lighting in a room when a person enters the room.
- Vehicles are another class of ‘things’ that are being connected via the IoT for purposes of sharing sensor data, implementing self-driving capabilities, monitoring, and the like.
- IoT The nature of the IoT makes network security particularly challenging, especially in the case of industrial settings, such as factories, mines, ports, power substations, and the like. Indeed, these types of networks are typically large scale in nature, include a variety of legacy devices that do not support authentication methods (e.g., 802.1x) and lack system patching, making it very difficult to define adequate security policies for each device.
- authentication methods e.g. 802.1x
- FIG. 1 illustrate an example network
- FIG. 2 illustrates an example network device/node
- FIG. 3 illustrates an example network architecture for an industrial network
- FIGS. 4A-4B illustrate example displays of component and activity tags
- FIG. 5 illustrates an example screen capture of an asset profile
- FIGS. 6A-6B illustrate examples of applying segmentation to a network
- FIG. 7 illustrates an example simplified procedure for segmenting a network.
- a service obtains one or more component tags and one or more activity tags that were assigned to an endpoint device in a network based on deep packet inspection of traffic associated with the endpoint device.
- the service determines an intent of the endpoint device, using the one or more component tags and the one or more activity tags that were assigned to the endpoint device.
- the service translates the intent of the endpoint device into a network segmentation policy.
- the service configures a network overlay in the network that implements the network segmentation policy.
- a computer network is a geographically distributed collection of nodes interconnected by communication links and segments for transporting data between end nodes, such as personal computers and workstations, or other devices, such as sensors, etc.
- end nodes such as personal computers and workstations, or other devices, such as sensors, etc.
- Many types of networks are available, ranging from local area networks (LANs) to wide area networks (WANs).
- LANs typically connect the nodes over dedicated private communications links located in the same general physical location, such as a building or campus.
- WANs typically connect geographically dispersed nodes over long-distance communications links, such as common carrier telephone lines, optical lightpaths, synchronous optical networks (SONET), synchronous digital hierarchy (SDH) links, or Powerline Communications, and others.
- Other types of networks such as field area networks (FANs), neighborhood area networks (NANs), personal area networks (PANs), etc. may also make up the components of any given computer network.
- FANs field area networks
- NANs neighborhood area networks
- computer networks may include an Internet of Things network.
- IoT Internet of Things
- IoE Internet of Everything
- objects objects
- the IoT involves the ability to connect more than just computers and communications devices, but rather the ability to connect “objects” in general, such as lights, appliances, vehicles, heating, ventilating, and air-conditioning (HVAC), windows and window shades and blinds, doors, locks, etc.
- HVAC heating, ventilating, and air-conditioning
- the “Internet of Things” thus generally refers to the interconnection of objects (e.g., smart objects), such as sensors and actuators, over a computer network (e.g., via IP), which may be the public Internet or a private network.
- IoT networks operate within a shared-media mesh networks, such as wireless or Powerline Communication networks, etc., and are often on what is referred to as Low-Power and Lossy Networks (LLNs), which are a class of network in which both the routers and their interconnect are constrained. That is, LLN devices/routers typically operate with constraints, e.g., processing power, memory, and/or energy (battery), and their interconnects are characterized by, illustratively, high loss rates, low data rates, and/or instability.
- constraints e.g., processing power, memory, and/or energy (battery)
- IoT networks are comprised of anything from a few dozen to thousands or even millions of devices, and support point-to-point traffic (between devices inside the network), point-to-multipoint traffic (from a central control point such as a root node to a subset of devices inside the network), and multipoint-to-point traffic (from devices inside the network towards a central control point).
- Fog computing is a distributed approach of cloud implementation that acts as an intermediate layer from local networks (e.g., IoT networks) to the cloud (e.g., centralized and/or shared resources, as will be understood by those skilled in the art). That is, generally, fog computing entails using devices at the network edge to provide application services, including computation, networking, and storage, to the local nodes in the network, in contrast to cloud-based approaches that rely on remote data centers/cloud environments for the services. To this end, a fog node is a functional node that is deployed close to fog endpoints to provide computing, storage, and networking resources and services. Multiple fog nodes organized or configured together form a fog system, to implement a particular solution.
- local networks e.g., IoT networks
- the cloud e.g., centralized and/or shared resources, as will be understood by those skilled in the art. That is, generally, fog computing entails using devices at the network edge to provide application services, including computation, networking, and storage, to the local nodes
- Fog nodes and fog systems can have the same or complementary capabilities, in various implementations. That is, each individual fog node does not have to implement the entire spectrum of capabilities. Instead, the fog capabilities may be distributed across multiple fog nodes and systems, which may collaborate to help each other to provide the desired services.
- a fog system can include any number of virtualized services and/or data stores that are spread across the distributed fog nodes. This may include a master-slave configuration, publish-subscribe configuration, or peer-to-peer configuration.
- LLCs Low power and Lossy Networks
- Smart Grid e.g., certain sensor networks
- Smart Cities e.g., Smart Cities
- Links are generally lossy, such that a Packet Delivery Rate/Ratio (PDR) can dramatically vary due to various sources of interferences, e.g., considerably affecting the bit error rate (BER);
- PDR Packet Delivery Rate/Ratio
- Links are generally low bandwidth, such that control plane traffic must generally be bounded and negligible compared to the low rate data traffic;
- Constraint-routing may be required by some applications, e.g., to establish routing paths that will avoid non-encrypted links, nodes running low on energy, etc.;
- Scale of the networks may become very large, e.g., on the order of several thousands to millions of nodes;
- Nodes may be constrained with a low memory, a reduced processing capability, a low power supply (e.g., battery).
- a low power supply e.g., battery
- LLNs are a class of network in which both the routers and their interconnect are constrained: LLN routers typically operate with constraints, e.g., processing power, memory, and/or energy (battery), and their interconnects are characterized by, illustratively, high loss rates, low data rates, and/or instability. LLNs are comprised of anything from a few dozen and up to thousands or even millions of LLN routers, and support point-to-point traffic (between devices inside the LLN), point-to-multipoint traffic (from a central control point to a subset of devices inside the LLN) and multipoint-to-point traffic (from devices inside the LLN towards a central control point).
- constraints e.g., processing power, memory, and/or energy (battery)
- LLNs are comprised of anything from a few dozen and up to thousands or even millions of LLN routers, and support point-to-point traffic (between devices inside the LLN), point-to-multipoint
- An example implementation of LLNs is an “Internet of Things” network.
- IoT Internet of Things
- IoT may be used by those in the art to refer to uniquely identifiable objects (things) and their virtual representations in a network-based architecture.
- objects in general, such as lights, appliances, vehicles, HVAC (heating, ventilating, and air-conditioning), windows and window shades and blinds, doors, locks, etc.
- the “Internet of Things” thus generally refers to the interconnection of objects (e.g., smart objects), such as sensors and actuators, over a computer network (e.g., IP), which may be the Public Internet or a private network.
- IP computer network
- Such devices have been used in the industry for decades, usually in the form of non-IP or proprietary protocols that are connected to IP networks by way of protocol translation gateways.
- AMI smart grid advanced metering infrastructure
- smart cities smart cities, and building and industrial automation
- cars e.g., that can interconnect millions of objects for sensing things like power quality, tire pressure, and temperature and that can actuate engines and lights
- FIG. 1 is a schematic block diagram of an example simplified computer network 100 illustratively comprising nodes/devices at various levels of the network, interconnected by various methods of communication.
- the links may be wired links or shared media (e.g., wireless links, powerline communication links, etc.) where certain nodes, such as, e.g., routers, sensors, computers, etc., may be in communication with other devices, e.g., based on connectivity, distance, signal strength, current operational status, location, etc.
- the cloud 110 may comprise general connectivity via the Internet 112 , and may contain one or more datacenters 114 with one or more centralized servers 116 or other devices, as will be appreciated by those skilled in the art.
- various fog nodes/devices 122 e.g., with fog modules, described below
- fog nodes/devices 122 may include edge routers and/or other networking devices that provide connectivity between cloud layer 110 and IoT device layer 130 .
- Data packets e.g., traffic and/or messages sent between the devices/nodes
- a protocol consists of a set of rules defining how the nodes interact with each other.
- Data packets may be exchanged among the nodes/devices of the computer network 100 using predefined network communication protocols such as certain known wired protocols, wireless protocols (e.g., IEEE Std. 802.15.4, Wi-Fi, Bluetooth®, DECT-Ultra Low Energy, LoRa, etc..), powerline communication protocols, or other shared-media protocols where appropriate.
- a protocol consists of a set of rules defining how the nodes interact with each other.
- FIG. 2 is a schematic block diagram of an example node/device 200 that may be used with one or more embodiments described herein, e.g., as any of the nodes or devices shown in FIG. 1 above or described in further detail below.
- the device 200 may comprise one or more network interfaces 210 (e.g., wired, wireless, etc.), at least one processor 220 , and a memory 240 interconnected by a system bus 250 , as well as a power supply 260 (e.g., battery, plug-in, etc.).
- Network interface(s) 210 include the mechanical, electrical, and signaling circuitry for communicating data over links coupled to the network.
- the network interfaces 210 may be configured to transmit and/or receive data using a variety of different communication protocols, such as TCP/IP, UDP, etc.
- the device 200 may have multiple different types of network connections 210 , e.g., wireless and wired/physical connections, and that the view herein is merely for illustration.
- the network interface 210 is shown separately from power supply 260 , for powerline communications the network interface 210 may communicate through the power supply 260 , or may be an integral component of the power supply. In some specific configurations the powerline communication signal may be coupled to the power line feeding into the power supply.
- the memory 240 comprises a plurality of storage locations that are addressable by the processor(s) 220 and the network interfaces 210 for storing software programs and data structures associated with the embodiments described herein.
- the processor 220 may comprise necessary elements or logic adapted to execute the software programs and manipulate the data structures 245 .
- An operating system 242 e.g., the Internetworking Operating System, or IOS®, of Cisco Systems, Inc., another operating system, etc.
- portions of which are typically resident in memory 240 and executed by the processor(s) functionally organizes the node by, inter alia, invoking network operations in support of software processors and/or services executing on the device.
- These software processors and/or services may comprise a network security process 248 .
- processor and memory types including various computer-readable media, may be used to store and execute program instructions pertaining to the techniques described herein.
- description illustrates various processes, it is expressly contemplated that various processes may be embodied as modules configured to operate in accordance with the techniques herein (e.g., according to the functionality of a similar process). Further, while processes may be shown and/or described separately, those skilled in the art will appreciate that processes may be routines or modules within other processes.
- network security process 248 may be configured to perform any or all of the following tasks:
- network security process 248 may employ any number of machine learning techniques, to assess the gathered telemetry data regarding the traffic of the device.
- machine learning is concerned with the design and the development of techniques that receive empirical data as input (e.g., telemetry data regarding traffic in the network) and recognize complex patterns in the input data.
- some machine learning techniques use an underlying model M, whose parameters are optimized for minimizing the cost function associated to M, given the input data.
- the learning process then operates by adjusting the parameters a,b,c such that the number of misclassified points is minimal.
- network security process 248 can use the model M to classify new data points, such as information regarding new traffic flows in the network.
- M is a statistical model, and the cost function is inversely proportional to the likelihood of M, given the input data.
- network security process 248 may employ one or more supervised, unsupervised, or semi-supervised machine learning models.
- supervised learning entails the use of a training set of data, as noted above, that is used to train the model to apply labels to the input data.
- the training data may include sample telemetry data that is “normal,” or “suspicious.”
- unsupervised techniques that do not require a training set of labels.
- a supervised learning model may look for previously seen attack patterns that have been labeled as such, an unsupervised model may instead look to whether there are sudden changes in the behavior of the network traffic.
- Semi-supervised learning models take a middle ground approach that uses a greatly reduced set of labeled training data.
- Example machine learning techniques that network security process 248 can employ may include, but are not limited to, nearest neighbor (NN) techniques (e.g., k-NN models, replicator NN models, etc.), statistical techniques (e.g., Bayesian networks, etc.), clustering techniques (e.g., k-means, mean-shift, etc.), neural networks (e.g., reservoir networks, artificial neural networks, etc.), support vector machines (SVMs), logistic or other regression, Markov models or chains, principal component analysis (PCA) (e.g., for linear models), multi-layer perceptron (MLP) ANNs (e.g., for non-linear models), replicating reservoir networks (e.g., for non-linear models, typically for time series), random forest classification, or the like.
- PCA principal component analysis
- MLP multi-layer perceptron
- ANNs e.g., for non-linear models
- replicating reservoir networks e.g., for non-linear models, typically for
- the performance of a machine learning model can be evaluated in a number of ways based on the number of true positives, false positives, true negatives, and/or false negatives of the model.
- the false positives of the model may refer to the number of traffic flows that are incorrectly classified as malware-generated, anomalous, etc.
- the false negatives of the model may refer to the number of traffic flows that the model incorrectly classifies as normal, when actually malware-generated, anomalous, etc.
- True negatives and positives may refer to the number of traffic flows that the model correctly classifies as normal or malware-generated, etc., respectively.
- recall refers to the ratio of true positives to the sum of true positives and false negatives, which quantifies the sensitivity of the model.
- precision refers to the ratio of true positives the sum of true and false positives.
- network security process 248 may assess the captured telemetry data on a per-flow basis. In other embodiments, network security process 248 may assess telemetry data for a plurality of traffic flows based on any number of different conditions. For example, traffic flows may be grouped based on their sources, destinations, temporal characteristics (e.g., flows that occur around the same time, etc.), combinations thereof, or based on any other set of flow characteristics.
- the very nature of the IoT presents certain challenges, from a security standpoint. Indeed, the diversity of the various devices in the network in terms of their hardware, software, and purposes (e.g., sensing, controlling, etc.), as well as the specific configuration of the network (e.g., cells in an industrial network, etc.), can make enforcing network security particularly challenging.
- IoT devices typically follow a well prescribed communication profile (e.g., to which devices they should be communicating, on what protocol, and what the protocol should be doing). For instance, a supervisory control and data acquisition (SCADA) slave should only ever communicate to a SCADA master on an established port and should only execute allowable commands.
- SCADA supervisory control and data acquisition
- PLCs programmable logic controllers
- VFD variable-frequency drive
- HMIs human-machine interfaces
- I/O controllers input/output controllers
- an infected endpoint can send control commands to another endpoint, with whom communication is allowed, that can damage or disrupt the operations of the equipment and, potentially, the industrial environment as a whole.
- malicious SCADA commands to a PLC could cause the PLC to drive a motor in an unsafe way, cause power to be turned off or on to a circuit (e.g., a feeder in an electrical power station), or the like.
- the techniques herein introduce a network architecture whereby devices are automatically discovered and classified, to drive intent-based network segmentation in a dynamic manner.
- endpoint devices in the network can be tagged according to their component and activity types, allowing for easy identification of the intent of the device and translation of the intent into a corresponding network overlay.
- the techniques described herein may be performed by hardware, software, and/or firmware, such as in accordance with the network security process 248 , which may include computer executable instructions executed by the processor 220 (or independent processor of interfaces 210 ) to perform functions relating to the techniques described herein.
- a service obtains one or more component tags and one or more activity tags that were assigned to an endpoint device in a network based on deep packet inspection of traffic associated with the endpoint device.
- the service determines an intent of the endpoint device, using the one or more component tags and the one or more activity tags that were assigned to the endpoint device.
- the service translates the intent of the endpoint device into a network segmentation policy.
- the service configures a network overlay in the network that implements the network segmentation policy.
- FIG. 3 illustrates an example network architecture 300 for an industrial network, according to various embodiments.
- architecture 300 may include industrial equipment 304 connected to a controller 306 , such as a PLC, a VFD, or the like, that controls the operations of industrial equipment 304 .
- controller 306 for industrial equipment 304 may be connected to an HMI 310 via networking equipment 308 , allowing a human user to interface with it (e.g., to visualize the industrial process, issue commands, etc.).
- networking equipment 308 may also provide connectivity via the greater network 302 to any number of network services 312 - 320 provided in the local network of networking equipment 308 and/or remotely.
- services 312 - 320 may be implemented in the local network via dedicated equipment or virtualized across any number of devices (e.g., networking equipment 308 ). In other cases, services 312 - 320 may be provided by servers in a remote data center, the cloud, or the like.
- industrial equipment 304 may differ, depending on the industrial setting in which architecture 300 is implemented.
- industrial equipment 304 may comprise an actuator such as, but not limited to, a motor, a pump, a solenoid, or the like.
- industrial equipment 304 may include a circuit and controller 306 may control the powering of the circuit.
- Industrial equipment 304 may also include any number of sensors configured to take measurements regarding the physical process implemented by industrial equipment 304 .
- sensors may take temperature readings, distance measurements, humidity readings, voltage or amperage measurements, or the like, and provide them to controller 306 for industrial equipment 304 .
- controller 306 may use the sensor data from industrial equipment 304 as part of a control loop, thereby allowing controller 306 to adjust the industrial process as needed.
- HMI 310 may include a dedicated touch screen display or may take the form of a workstation, portable tablet or other handheld, or the like.
- visualization data may be provided to HMI 310 regarding the industrial process performed by industrial equipment 304 .
- such visualizations may include a graphical representation of the industrial process (e.g., the filling of a tank, etc.), the sensor data from industrial equipment 304 , the control parameter values used by controller 306 , or the like.
- HMI 310 may also allow for the reconfiguration of controller 306 , such as by adjusting its control parameters for industrial equipment 304 (e.g., to shut down the industrial process, etc.).
- Networking equipment 308 may include any number of switches, routers, firewalls, telemetry exporters and/or collectors, gateways, bridges, and the like. In some embodiments, these networking functions may be performed in a virtualized/containerized manner.
- a telemetry exporter may take the form of a containerized application installed to networking equipment 308 , to collect and export telemetry regarding the operation networking equipment 308 (e.g., queue state information, memory or processor resource utilization, etc.) and/or network 302 (e.g., measured delays, drops, jitter, etc.).
- At least a portion of network 302 may be implemented as a software-defined network (SDN).
- SDN software-defined network
- control plane decisions by the networking equipment of network 302 such as networking equipment 308
- networking equipment 308 may be centralized with an SDN controller.
- networking equipment 308 establishing routing paths and making other control decisions, individually, such decisions can be centralized with an SDN controller (e.g., network supervisory service 312 , etc.).
- network supervisory service 312 may function to monitor the status and health of network 302 and networking equipment 308 .
- An example of such a network supervisory service is DNA-Center by Cisco Systems, Inc.
- network supervisory service 312 may take the form of a network assurance service that assesses the health of network 302 and networking equipment 308 through the use of heuristics, rules, and/or machine learning models. In some cases, this monitoring can also be predictive in nature, allowing network supervisory service 312 to predict failures and other network conditions before they actually occur. In either case, network supervisory service 312 may also provide control over network 302 , such as by reconfiguring networking equipment 308 , adjusting routing in network 302 , and the like. As noted above, network supervisory service 312 may also function as an SDN controller for networking equipment 308 , in some embodiments.
- architecture 300 may also include SCADA service 314 which supervises the operation of the industrial process. More specifically, SCADA service 314 may communicate with controller 306 , to receive data regarding the industrial process (e.g., sensor data from industrial equipment 304 , etc.) and provide control over controller 306 , such as by pushing new control routines, software updates, and the like, to controller 306 .
- SCADA service 314 may communicate with controller 306 , to receive data regarding the industrial process (e.g., sensor data from industrial equipment 304 , etc.) and provide control over controller 306 , such as by pushing new control routines, software updates, and the like, to controller 306 .
- SCADA service 314 , controller 306 , and/or HMI 310 may communicate using an automation protocol.
- protocols may include, but are not limited to, Profibus, Modbus, DeviceNet, HART, DNP3, IEC 61850, IEC 60870-5, and the like.
- different protocols may be used within network 102 and among networking equipment 308 , depending on the specific implementation of architecture 300 .
- different portions of network 302 may be organized into different cells or other segmented areas that are distinct from one another and interlinked via networking equipment 308 .
- Policy Architecture 300 may also include a policy service 316 that is responsible for creating and managing security and access policies for endpoints in network 302 .
- a policy service 316 is the Identity Services Engine (ISE) by Cisco Systems, Inc.
- ISE Identity Services Engine
- policy service 316 may also be configured to identify the types of endpoints present in network 302 (e.g., HMI 310 , controller 306 , etc.) and their corresponding actions/functions. In turn, this information can be used to drive the policies that policy service 316 creates.
- Security service 318 is configured to enforce the various policies created and curated by policy service 316 in the network. For example, such policies may be implemented by security service 318 as access control lists (ACLs), firewall rules, or the like, that are distributed to networking equipment 308 for enforcement.
- ACLs access control lists
- firewall rules or the like
- architecture 300 may also include asset inventory service 320 that is used to collect information about learned assets/endpoints in network 302 and maintain an inventory of these various devices in network 302 .
- asset inventory service 320 may do so by embedding sensing modules in networking equipment 308 which passively analyze communications between endpoints.
- the sensors may use deep packet inspection (DPI) to not only identify the protocols in use by a given packet (e.g., the automation protocol used between HMI 310 , controller 306 , and SCADA service 314 ), but also understand the action(s) that are being communicated and to classify both the type of device/component and its application behavior.
- DPI deep packet inspection
- a sensor module executed by networking equipment 308 may examine the payload of each flow to identify any or all of the following:
- the sensor modules of networking equipment 308 then then organize the collected information into meaningful tags.
- these tags are simply a way to categorize devices and their behaviors, similar to the same way a human may look at a pen or a pencil and categorize them as writing instruments.
- Each device can also have multiple tags associated with it, such as the following:
- the sensor modules embedded in networking equipment 308 may also collect metadata about the communicating devices/endpoints, including its network identifiers (e.g., IP and MAC addresses), vendor, device-type, firmware version, the switch ID and port where the device is connected, etc. As the sensor module learns details of a new device/endpoint in network 302 , it may send its collected metadata about that device, along with its tags, to the asset inventory service 320 .
- network identifiers e.g., IP and MAC addresses
- asset inventory service 320 may maintain an inventory of each of the endpoint devices in network 302 , their associated tags, and their metadata. Thus, as new devices are discovered in network 302 , their profile information is added to the live inventory of devices maintained by asset inventory service 320 .
- the various tags applied by the sensor modules deployed to networking equipment 308 and used by asset inventory service 320 may be predefined or may, via a user interface (not show) be user-defined.
- FIGS. 4A-4B illustrate example displays 400 , 410 , respectively, showing component and activity tags, in some embodiments.
- the various component tags can be used to identify a particular endpoint or other device in the network by its type (e.g., PLC, SCADA station, etc.), its software (e.g., CodeSys, Windows, etc.).
- analysis of the traffic of the device can also lead to various activity tags being applied to that device, as well.
- activity tags may distinguish between control system behaviors (e.g., insert program, device init., etc.) and IT behaviors (e.g., host config., ping, etc.).
- asset inventory service 320 may also leverage device classification functions provided by policy service 316 , to identify the component and activity tags of a particular device in network 302 under scrutiny.
- device classification also known as “device profiling”
- the device classification by policy service 316 can be achieved by applying a trained machine learning-based classifier to the captured telemetry data from networking equipment 308 .
- Such telemetry data can also take the form of information captured through active and/or passive probing of the device.
- this probing may entail policy service 316 sending any or all of the following probes via networking equipment 308 :
- Further information that may be captured by networking equipment 308 and reported via telemetry data to policy service 316 may include traffic behavioral characteristics of the traffic of a device, such as the communication protocols used, flow information, timing and pattern data, and the like.
- the telemetry data may be indicative of the operational intent of the endpoint device (e.g., controller 306 , HMI 310 , etc.).
- additional information that policy service 316 and asset inventory service 320 may use to tag the various devices/components in network 302 may include any or all of the following:
- policy service 316 may operate in conjunction with one another to apply various tags to the devices in network 302 and their traffic flows.
- FIG. 5 illustrates an example screen capture 500 of an asset profile, in some embodiments.
- the techniques herein have been implemented as part of a prototype system and screen capture 500 is from that prototype system.
- a particular asset has been identified as a Yokogawa device and has been tagged with various component and activity tags (e.g., PLC, CodeSys, Citect Report, etc.).
- This profile may be stored by the asset inventory service (e.g., service 320 in FIG. 3 ) and provide to a user interface, allowing the user to quickly learn information about the device. Such information can also be automatically updated over time, using the techniques herein.
- the various tags associated with a particular asset/device connected to network 302 may be used to segment network 302 according to the needs and intent of that device.
- network segmentation involves dividing a network into smaller parts such that only a subset of the devices on the network can communicate with each other.
- Network segmentation can be achieved in a number of different ways.
- the network can be segmented by distributing firewalls throughout the network and propagating the appropriate access control lists (ACLs) to them. Doing so would effectively block a given device in the network from communicating with other devices or services outside of its allowed set.
- ACLs access control lists
- network segmentation can be achieved through the use of virtual LAN (VLAN) configurations pushed to the networking equipment of the network, such as networking equipment 308 .
- VLAN virtual LAN
- network segmentation can be implemented through the use of software-defined access technologies by grouping and tagging network traffic, accordingly.
- Micro-segmentation is a relatively new form of network segmentation that provides even more granularity to the segmentation of a network.
- micro-segmentation may take into account application-layer information, allowing different for to segmentations to occur on a per-application basis, even for the same device.
- policy service 316 may collects the inventory of the discovered devices from asset inventory service 320 , according to various embodiments.
- policy service 316 may have any number of policies defined that distinguish between normal/acceptable and abnormal/unacceptable behavior of a device.
- controller 306 during its normal operation. may communicate with SCADA service 314 and HMI 310 , via network 302 , but should not communicate with other controllers or devices outside of its cell/area zone.
- Such a segmentation policy can be defined within policy service 316 based on the tags associated with controller 306 that policy service 316 retrieves from asset inventory service 320 .
- a segmentation policy constructed by policy service 316 may be on a per-device basis or may be more generic in nature. For example, assume that architecture 600 is implemented in a factory setting in which there are any number of controllers 306 and HMIs 310 in various locations throughout the factory. For example, a more generic network segmentation policy may be of the form:
- such a policy may be defined as a logical combination of tags.
- a policy may be defined as a logical combination of tags.
- a segmentation policy may be generated by policy service 316 by grouping together similar devices that should communicate with each other based on their function, location, and/or context, as defined by the specific combinations of tags associated with them.
- asset inventory service 320 (or any of the other services 312 - 314 , 318 ) may communicate additional information to policy service 316 regarding the various communications attempted by the TO devices connected to network 302 .
- such information may indicate the set of devices to which SCADA service 314 is attempting to communicate.
- policy' service 316 may provide data to a user interface regarding the various tags associated with component of architecture 600 as well as, potentially, data regarding the traffic involving it. This allows an administrator to easily compare the attempted communications of a given device or service to its expected behavior. For instance, such a comparison can answer the question, “is HMI 310 communicating with controller 306 as it should be, or is it attempting to communicate elsewhere in network 302 , as well?” Once the administrator codifies this into a formal network segmentation policy, this type of comparison can be made automatically within network 302 (e.g., by networking equipment 308 ), to identify policy violations and take corrective measures, as needed. For example, when HMI 310 attempts to communicate with a controller outside of its area, networking equipment 308 may block the connection and/or raise a security alert.
- the network segmentation may leverage network overlay tags, to create a network overlay fabric.
- a segmentation policy can be used to implement a network overlay 602 that limits controller 306 to communicating only with HMI 310 and SCADA service 314 .
- this can be achieved by tagging controller 306 , HMI 310 , and SCADA service 314 , and/or their corresponding traffic, with scalable group tags.
- this can be achieved through the use of Virtual Extensible LAN (VxLAN) encapsulation with VxLAN Network Identifiers (VNIDs).
- VxLAN Virtual Extensible LAN
- VNIDs VxLAN Network Identifiers
- network segmentation policies may be implemented through application of any or all of the following, in various embodiments:
- micro-segments are defined for industrial devices that need to communicate with each other.
- Devices of the same micro-segment are assigned a scalable group tag which will allow them to be isolated as a virtual overlay in the network.
- the scalable group tags may be shared with network supervisory service 312 , which functions as the SUN controller for network 302 .
- the SDN controller communicates to the edge switches in networking equipment 308 where the devices are connected and implements the policy to tag all traffic from the devices with the appropriate scalable group tags, so that they are placed in the SDN overlay, accordingly.
- the micro-segmentation at the application level may take into account the sender-receiver pair, the protocol(s) used by the packet, as well as the specific parameter values in the payload of the packet. Indeed, since the sensors to embedded in networking equipment 308 perform deep packet inspection (DPI) on the packets between devices in network 302 , and packets in an industrial setting are typically unencrypted, the sensors can also extract out the specific data actually being sent, as well.
- DPI deep packet inspection
- HMI 310 is to only provide visualizations of the industrial process performed by industrial equipment 304 and provide no control over the process. Since the sensors embedded in networking equipment 308 are able to evaluate the traffic to and from controller 306 down to the specific parameter values in the payloads of the packets, another potential micro-segmentation of network 302 may be to allow control traffic 604 from SCADA service 314 to controller 306 and only display traffic 606 between TIMI 310 and controller 306 .
- FIG. 7 illustrates an example simplified procedure for segmenting a network, in accordance with one or more embodiments described herein.
- a non-generic, specifically configured device e.g., device 200
- the procedure 700 may start at step 705 , and continues to step 710 , where, as described in greater detail above, the service may obtain one or more component tags and one or more activity tags that were assigned to an endpoint device in a network, based on DPI of the traffic associated with the endpoint device.
- a PLC installed in the network may be tagged with a PLC component tag and an activity tag that indicates that the PLC communicates with a SCADA service.
- the service may determine an intent of the endpoint device, using the one or more component tags and the one or more activity tags. For example, once a PLC, VFD, or other endpoint device has been tagged according to its traffic, the service may determine the purpose of the endpoint device in the network and how it should behave (e.g., the applications that it may use, the senders or receivers with which it should communicate, etc.). In some embodiments, the service may do so in part by receiving an indication of one or more scalable group tags for the endpoint device and associating those tag(s) with the endpoint device. For instance, the service may provide the details regarding the device to a user interface and, in return, receive the indication of the scalable group tag(s) via the user interface.
- the service may translate the intent of the endpoint device into a network segmentation policy, as described in greater detail above.
- the service may do so by generating a security group access control list, based on the one or more scalable group tags associated with the endpoint device.
- the intent may be translated into a VxLAN configuration for the network.
- the service may configure a network overlay in the network that implements the network segmentation policy.
- the service may do so by sending the security group access control list or VxLAN configuration to networking equipment in the network.
- the network overlay restricts the endpoint device to communicating only with a subset of senders or receivers via the network and, in some cases, may further restrict the endpoint device to sending or receiving only a specific type of application traffic via the network. For instance, assume that one or more of the component tags associated with the endpoint device are indicative of a physical location of the device. In such a case, the network overlay may restrict the endpoint to communicating with a particular sender or receiver also located in the same physical location as the endpoint device.
- Procedure 700 then ends at step 730 .
- the techniques described herein therefore, allow for intent-based security to be implemented in an IoT network through the use of network segmentation.
- policies can be put into place that ensure that the endpoint does not deviate from its expected behavior.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Economics (AREA)
- General Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- Physics & Mathematics (AREA)
- Entrepreneurship & Innovation (AREA)
- Human Resources & Organizations (AREA)
- Marketing (AREA)
- Operations Research (AREA)
- Quality & Reliability (AREA)
- Strategic Management (AREA)
- Tourism & Hospitality (AREA)
- Development Economics (AREA)
- Finance (AREA)
- Accounting & Taxation (AREA)
- Theoretical Computer Science (AREA)
- Automation & Control Theory (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
- This application claims priority to U.S. Provisional Patent Application No. 62/951.645, filed on Dec. 20, 2019, entitled “INTENT-BASED SECURITY FOR INDUSTRIAL IOT DEVICES” by Barton et al., the contents of which are incorporated by reference herein.
- The present disclosure relates generally to computer networks, and, more particularly, to intent-based security for industrial Internet of Things (IoT) devices.
- The Internet of Things, or “IoT” for short, represents an evolution of computer networks that seeks to connect many everyday objects to the Internet. Notably, there has been a recent proliferation of ‘smart’ devices that are Internet-capable such as thermostats, lighting, televisions, cameras, and the like. In many implementations, these devices may also communicate with one another. For example, an IoT motion sensor may communicate with one or more smart lightbulbs, to actuate the lighting in a room when a person enters the room. Vehicles are another class of ‘things’ that are being connected via the IoT for purposes of sharing sensor data, implementing self-driving capabilities, monitoring, and the like.
- The nature of the IoT makes network security particularly challenging, especially in the case of industrial settings, such as factories, mines, ports, power substations, and the like. Indeed, these types of networks are typically large scale in nature, include a variety of legacy devices that do not support authentication methods (e.g., 802.1x) and lack system patching, making it very difficult to define adequate security policies for each device.
- The embodiments herein may be better understood by referring to the following description in conjunction with the accompanying drawings in which like reference numerals indicate identically or functionally similar elements, of which:
-
FIG. 1 illustrate an example network; -
FIG. 2 illustrates an example network device/node; -
FIG. 3 illustrates an example network architecture for an industrial network; -
FIGS. 4A-4B illustrate example displays of component and activity tags; -
FIG. 5 illustrates an example screen capture of an asset profile; -
FIGS. 6A-6B illustrate examples of applying segmentation to a network; and -
FIG. 7 illustrates an example simplified procedure for segmenting a network. - According to one or more embodiments of the disclosure, a service obtains one or more component tags and one or more activity tags that were assigned to an endpoint device in a network based on deep packet inspection of traffic associated with the endpoint device. The service determines an intent of the endpoint device, using the one or more component tags and the one or more activity tags that were assigned to the endpoint device. The service translates the intent of the endpoint device into a network segmentation policy. The service configures a network overlay in the network that implements the network segmentation policy.
- A computer network is a geographically distributed collection of nodes interconnected by communication links and segments for transporting data between end nodes, such as personal computers and workstations, or other devices, such as sensors, etc. Many types of networks are available, ranging from local area networks (LANs) to wide area networks (WANs). LANs typically connect the nodes over dedicated private communications links located in the same general physical location, such as a building or campus. WANs, on the other hand, typically connect geographically dispersed nodes over long-distance communications links, such as common carrier telephone lines, optical lightpaths, synchronous optical networks (SONET), synchronous digital hierarchy (SDH) links, or Powerline Communications, and others. Other types of networks, such as field area networks (FANs), neighborhood area networks (NANs), personal area networks (PANs), etc. may also make up the components of any given computer network.
- In various embodiments, computer networks may include an Internet of Things network. Loosely, the term “Internet of Things” or “IoT” (or “Internet of Everything” or “IoE”) refers to uniquely identifiable objects (things) and their virtual representations in a network-based architecture. In particular, the IoT involves the ability to connect more than just computers and communications devices, but rather the ability to connect “objects” in general, such as lights, appliances, vehicles, heating, ventilating, and air-conditioning (HVAC), windows and window shades and blinds, doors, locks, etc. The “Internet of Things” thus generally refers to the interconnection of objects (e.g., smart objects), such as sensors and actuators, over a computer network (e.g., via IP), which may be the public Internet or a private network.
- Often, IoT networks operate within a shared-media mesh networks, such as wireless or Powerline Communication networks, etc., and are often on what is referred to as Low-Power and Lossy Networks (LLNs), which are a class of network in which both the routers and their interconnect are constrained. That is, LLN devices/routers typically operate with constraints, e.g., processing power, memory, and/or energy (battery), and their interconnects are characterized by, illustratively, high loss rates, low data rates, and/or instability. IoT networks are comprised of anything from a few dozen to thousands or even millions of devices, and support point-to-point traffic (between devices inside the network), point-to-multipoint traffic (from a central control point such as a root node to a subset of devices inside the network), and multipoint-to-point traffic (from devices inside the network towards a central control point).
- Fog computing is a distributed approach of cloud implementation that acts as an intermediate layer from local networks (e.g., IoT networks) to the cloud (e.g., centralized and/or shared resources, as will be understood by those skilled in the art). That is, generally, fog computing entails using devices at the network edge to provide application services, including computation, networking, and storage, to the local nodes in the network, in contrast to cloud-based approaches that rely on remote data centers/cloud environments for the services. To this end, a fog node is a functional node that is deployed close to fog endpoints to provide computing, storage, and networking resources and services. Multiple fog nodes organized or configured together form a fog system, to implement a particular solution. Fog nodes and fog systems can have the same or complementary capabilities, in various implementations. That is, each individual fog node does not have to implement the entire spectrum of capabilities. Instead, the fog capabilities may be distributed across multiple fog nodes and systems, which may collaborate to help each other to provide the desired services. In other words, a fog system can include any number of virtualized services and/or data stores that are spread across the distributed fog nodes. This may include a master-slave configuration, publish-subscribe configuration, or peer-to-peer configuration.
- Low power and Lossy Networks (LLNs), e.g., certain sensor networks, may be used in a myriad of applications such as for “Smart Grid” and “Smart Cities.” A number of challenges in LLNs have been presented, such as:
- 1) Links are generally lossy, such that a Packet Delivery Rate/Ratio (PDR) can dramatically vary due to various sources of interferences, e.g., considerably affecting the bit error rate (BER);
- 2) Links are generally low bandwidth, such that control plane traffic must generally be bounded and negligible compared to the low rate data traffic;
- 3) There are a number of use cases that require specifying a set of link and node metrics, some of them being dynamic, thus requiring specific smoothing functions to avoid routing instability, considerably draining bandwidth and energy;
- 4) Constraint-routing may be required by some applications, e.g., to establish routing paths that will avoid non-encrypted links, nodes running low on energy, etc.;
- 5) Scale of the networks may become very large, e.g., on the order of several thousands to millions of nodes; and
- 6) Nodes may be constrained with a low memory, a reduced processing capability, a low power supply (e.g., battery).
- In other words, LLNs are a class of network in which both the routers and their interconnect are constrained: LLN routers typically operate with constraints, e.g., processing power, memory, and/or energy (battery), and their interconnects are characterized by, illustratively, high loss rates, low data rates, and/or instability. LLNs are comprised of anything from a few dozen and up to thousands or even millions of LLN routers, and support point-to-point traffic (between devices inside the LLN), point-to-multipoint traffic (from a central control point to a subset of devices inside the LLN) and multipoint-to-point traffic (from devices inside the LLN towards a central control point).
- An example implementation of LLNs is an “Internet of Things” network. Loosely, the term “Internet of Things” or “IoT” may be used by those in the art to refer to uniquely identifiable objects (things) and their virtual representations in a network-based architecture. In particular, the next frontier in the evolution of the Internet is the ability to connect more than just computers and communications devices, but rather the ability to connect “objects” in general, such as lights, appliances, vehicles, HVAC (heating, ventilating, and air-conditioning), windows and window shades and blinds, doors, locks, etc. The “Internet of Things” thus generally refers to the interconnection of objects (e.g., smart objects), such as sensors and actuators, over a computer network (e.g., IP), which may be the Public Internet or a private network. Such devices have been used in the industry for decades, usually in the form of non-IP or proprietary protocols that are connected to IP networks by way of protocol translation gateways. With the emergence of a myriad of applications, such as the smart grid advanced metering infrastructure (AMI), smart cities, and building and industrial automation, and cars (e.g., that can interconnect millions of objects for sensing things like power quality, tire pressure, and temperature and that can actuate engines and lights), it has been of the utmost importance to extend the IP protocol suite for these networks.
-
FIG. 1 is a schematic block diagram of an examplesimplified computer network 100 illustratively comprising nodes/devices at various levels of the network, interconnected by various methods of communication. For instance, the links may be wired links or shared media (e.g., wireless links, powerline communication links, etc.) where certain nodes, such as, e.g., routers, sensors, computers, etc., may be in communication with other devices, e.g., based on connectivity, distance, signal strength, current operational status, location, etc. - Specifically, as shown in the
example IoT network 100, three illustrative layers are shown, namelycloud layer 110,fog layer 120, andIoT device layer 130. Illustratively, thecloud 110 may comprise general connectivity via theInternet 112, and may contain one ormore datacenters 114 with one or morecentralized servers 116 or other devices, as will be appreciated by those skilled in the art. Within thefog layer 120, various fog nodes/devices 122 (e.g., with fog modules, described below) may execute various fog computing resources on network edge devices, as opposed to datacenter/cloud-based servers or on theendpoint nodes 132 themselves of theIoT layer 130. For example, fog nodes/devices 122 may include edge routers and/or other networking devices that provide connectivity betweencloud layer 110 andIoT device layer 130. Data packets (e.g., traffic and/or messages sent between the devices/nodes) may be exchanged among the nodes/devices of thecomputer network 100 using predefined network communication protocols such as certain known wired protocols, wireless protocols, powerline communication protocols, or other shared-media protocols where appropriate. In this context, a protocol consists of a set of rules defining how the nodes interact with each other. - Those skilled in the art will understand that any number of nodes, devices, links, etc. may be used in the computer network, and that the view shown herein is for simplicity. Also, those skilled in the art will further understand that while the network is shown in a certain orientation, the
network 100 is merely an example illustration that is not meant to limit the disclosure. - Data packets (e.g., traffic and/or messages) may be exchanged among the nodes/devices of the
computer network 100 using predefined network communication protocols such as certain known wired protocols, wireless protocols (e.g., IEEE Std. 802.15.4, Wi-Fi, Bluetooth®, DECT-Ultra Low Energy, LoRa, etc..), powerline communication protocols, or other shared-media protocols where appropriate. In this context, a protocol consists of a set of rules defining how the nodes interact with each other. -
FIG. 2 is a schematic block diagram of an example node/device 200 that may be used with one or more embodiments described herein, e.g., as any of the nodes or devices shown inFIG. 1 above or described in further detail below. Thedevice 200 may comprise one or more network interfaces 210 (e.g., wired, wireless, etc.), at least oneprocessor 220, and amemory 240 interconnected by a system bus 250, as well as a power supply 260 (e.g., battery, plug-in, etc.). - Network interface(s) 210 include the mechanical, electrical, and signaling circuitry for communicating data over links coupled to the network. The network interfaces 210 may be configured to transmit and/or receive data using a variety of different communication protocols, such as TCP/IP, UDP, etc. Note that the
device 200 may have multiple different types ofnetwork connections 210, e.g., wireless and wired/physical connections, and that the view herein is merely for illustration. Also, while thenetwork interface 210 is shown separately frompower supply 260, for powerline communications thenetwork interface 210 may communicate through thepower supply 260, or may be an integral component of the power supply. In some specific configurations the powerline communication signal may be coupled to the power line feeding into the power supply. - The
memory 240 comprises a plurality of storage locations that are addressable by the processor(s) 220 and the network interfaces 210 for storing software programs and data structures associated with the embodiments described herein. Theprocessor 220 may comprise necessary elements or logic adapted to execute the software programs and manipulate thedata structures 245. An operating system 242 (e.g., the Internetworking Operating System, or IOS®, of Cisco Systems, Inc., another operating system, etc.), portions of which are typically resident inmemory 240 and executed by the processor(s), functionally organizes the node by, inter alia, invoking network operations in support of software processors and/or services executing on the device. These software processors and/or services may comprise anetwork security process 248. - It will be apparent to those skilled in the art that other processor and memory types, including various computer-readable media, may be used to store and execute program instructions pertaining to the techniques described herein. Also, while the description illustrates various processes, it is expressly contemplated that various processes may be embodied as modules configured to operate in accordance with the techniques herein (e.g., according to the functionality of a similar process). Further, while processes may be shown and/or described separately, those skilled in the art will appreciate that processes may be routines or modules within other processes.
- In general,
network security process 248 may be configured to perform any or all of the following tasks: -
- 1. Identifying and classifying devices in the network—this may entail, for example, determining the make, model, software configuration, type, etc. of a given device.
- 2. Discerning operational insights about a device—for example,
network security process 248 may assess the traffic of a particular device, to determine what the device is doing, or attempting to do, via the network. Such information may take the form of device details and communication maps for the device. In further cases, the device functions and application flows may be converted into tags and/or events for presentation to a user interface. Further,process 248 may also track variable changes, to monitor the integrity of the industrial workflow. - 3. Detecting anomalies—
network security process 248 may also assess the behaviors of a device on the network, to determine whether its behaviors are anomalous. In various embodiments, this may entailnetwork security process 248 determining whether the behavior of the device has changed significantly over time and/or does not fit the expected behavioral pattern for its classification. For example, if the device is identifies as being a temperature sensor that periodically sends temperature measurements to a supervisory service, but the device is instead communicating data elsewhere,process 248 may deem this behavior anomalous.
- In various embodiments,
network security process 248 may employ any number of machine learning techniques, to assess the gathered telemetry data regarding the traffic of the device. In general, machine learning is concerned with the design and the development of techniques that receive empirical data as input (e.g., telemetry data regarding traffic in the network) and recognize complex patterns in the input data. For example, some machine learning techniques use an underlying model M, whose parameters are optimized for minimizing the cost function associated to M, given the input data. For instance, in the context of classification, the model M may be a straight line that separates the data into two classes (e.g., labels) such that M=a*x+b*y+c and the cost function is a function of the number of misclassified points. The learning process then operates by adjusting the parameters a,b,c such that the number of misclassified points is minimal. After this optimization/learning phase,network security process 248 can use the model M to classify new data points, such as information regarding new traffic flows in the network. Often, M is a statistical model, and the cost function is inversely proportional to the likelihood of M, given the input data. - In various embodiments,
network security process 248 may employ one or more supervised, unsupervised, or semi-supervised machine learning models. Generally, supervised learning entails the use of a training set of data, as noted above, that is used to train the model to apply labels to the input data. For example, the training data may include sample telemetry data that is “normal,” or “suspicious.” On the other end of the spectrum are unsupervised techniques that do not require a training set of labels. Notably, while a supervised learning model may look for previously seen attack patterns that have been labeled as such, an unsupervised model may instead look to whether there are sudden changes in the behavior of the network traffic. Semi-supervised learning models take a middle ground approach that uses a greatly reduced set of labeled training data. - Example machine learning techniques that network
security process 248 can employ may include, but are not limited to, nearest neighbor (NN) techniques (e.g., k-NN models, replicator NN models, etc.), statistical techniques (e.g., Bayesian networks, etc.), clustering techniques (e.g., k-means, mean-shift, etc.), neural networks (e.g., reservoir networks, artificial neural networks, etc.), support vector machines (SVMs), logistic or other regression, Markov models or chains, principal component analysis (PCA) (e.g., for linear models), multi-layer perceptron (MLP) ANNs (e.g., for non-linear models), replicating reservoir networks (e.g., for non-linear models, typically for time series), random forest classification, or the like. - The performance of a machine learning model can be evaluated in a number of ways based on the number of true positives, false positives, true negatives, and/or false negatives of the model. For example, the false positives of the model may refer to the number of traffic flows that are incorrectly classified as malware-generated, anomalous, etc. Conversely, the false negatives of the model may refer to the number of traffic flows that the model incorrectly classifies as normal, when actually malware-generated, anomalous, etc. True negatives and positives may refer to the number of traffic flows that the model correctly classifies as normal or malware-generated, etc., respectively. Related to these measurements are the concepts of recall and precision. Generally, recall refers to the ratio of true positives to the sum of true positives and false negatives, which quantifies the sensitivity of the model. Similarly, precision refers to the ratio of true positives the sum of true and false positives.
- In some cases,
network security process 248 may assess the captured telemetry data on a per-flow basis. In other embodiments,network security process 248 may assess telemetry data for a plurality of traffic flows based on any number of different conditions. For example, traffic flows may be grouped based on their sources, destinations, temporal characteristics (e.g., flows that occur around the same time, etc.), combinations thereof, or based on any other set of flow characteristics. - As noted above, the very nature of the IoT presents certain challenges, from a security standpoint. Indeed, the diversity of the various devices in the network in terms of their hardware, software, and purposes (e.g., sensing, controlling, etc.), as well as the specific configuration of the network (e.g., cells in an industrial network, etc.), can make enforcing network security particularly challenging.
- Best practices for Industrial IoT security typically follow standardized models, such as IEC 62443. This security model implements both operational technology (OT) and information technology (IT) security levels and establishes how security should be designed in industrial systems. Furthermore, it describes how security between levels is accomplished through the use of controlled conduits. However, industrial security remains very difficult to enforce, as evidenced by recent industrial attacks where this model was in place. A superior approach would be to leverage intent-based networking, complete with abstraction, automation and analytics, to define, enforce and assure IoT security policies.
- It is also important to recognize that IoT devices typically follow a well prescribed communication profile (e.g., to which devices they should be communicating, on what protocol, and what the protocol should be doing). For instance, a supervisory control and data acquisition (SCADA) slave should only ever communicate to a SCADA master on an established port and should only execute allowable commands. However, it remains very difficult to both 1.) verify that the things, such as intelligent electronic devices, programmable logic controllers (PLCs), variable-frequency drive (VFD), human-machine interfaces (HMIs), input/output (I/O) controllers, etc., are communicating in the expected way and 2.) control their behaviors such that any unexpected network attacks are isolated.
- Even when the communications between endpoints are seemingly innocuous, there has been a recent trend in malware taking advantage of these communications to mo damage equipment. In these forms of attacks, an infected endpoint can send control commands to another endpoint, with whom communication is allowed, that can damage or disrupt the operations of the equipment and, potentially, the industrial environment as a whole. For example, malicious SCADA commands to a PLC could cause the PLC to drive a motor in an unsafe way, cause power to be turned off or on to a circuit (e.g., a feeder in an electrical power station), or the like.
- The techniques herein introduce a network architecture whereby devices are automatically discovered and classified, to drive intent-based network segmentation in a dynamic manner. In some aspects, endpoint devices in the network can be tagged according to their component and activity types, allowing for easy identification of the intent of the device and translation of the intent into a corresponding network overlay.
- Illustratively, the techniques described herein may be performed by hardware, software, and/or firmware, such as in accordance with the
network security process 248, which may include computer executable instructions executed by the processor 220 (or independent processor of interfaces 210) to perform functions relating to the techniques described herein. - Specifically, according to various embodiments, a service obtains one or more component tags and one or more activity tags that were assigned to an endpoint device in a network based on deep packet inspection of traffic associated with the endpoint device. The service determines an intent of the endpoint device, using the one or more component tags and the one or more activity tags that were assigned to the endpoint device. The service translates the intent of the endpoint device into a network segmentation policy. The service configures a network overlay in the network that implements the network segmentation policy.
- Operationally,
FIG. 3 illustrates anexample network architecture 300 for an industrial network, according to various embodiments. As shown,architecture 300 may includeindustrial equipment 304 connected to acontroller 306, such as a PLC, a VFD, or the like, that controls the operations ofindustrial equipment 304. In turn,controller 306 forindustrial equipment 304 may be connected to anHMI 310 vianetworking equipment 308, allowing a human user to interface with it (e.g., to visualize the industrial process, issue commands, etc.). In addition,networking equipment 308 may also provide connectivity via thegreater network 302 to any number of network services 312-320 provided in the local network ofnetworking equipment 308 and/or remotely. For example, services 312-320 may be implemented in the local network via dedicated equipment or virtualized across any number of devices (e.g., networking equipment 308). In other cases, services 312-320 may be provided by servers in a remote data center, the cloud, or the like. - As would be appreciated,
industrial equipment 304 may differ, depending on the industrial setting in whicharchitecture 300 is implemented. In many cases,industrial equipment 304 may comprise an actuator such as, but not limited to, a motor, a pump, a solenoid, or the like. In other cases,industrial equipment 304 may include a circuit andcontroller 306 may control the powering of the circuit. -
Industrial equipment 304 may also include any number of sensors configured to take measurements regarding the physical process implemented byindustrial equipment 304. For example, such sensors may take temperature readings, distance measurements, humidity readings, voltage or amperage measurements, or the like, and provide them tocontroller 306 forindustrial equipment 304. During operation,controller 306 may use the sensor data fromindustrial equipment 304 as part of a control loop, thereby allowingcontroller 306 to adjust the industrial process as needed. -
HMI 310 may include a dedicated touch screen display or may take the form of a workstation, portable tablet or other handheld, or the like. Thus, during operation, visualization data may be provided toHMI 310 regarding the industrial process performed byindustrial equipment 304. For example, such visualizations may include a graphical representation of the industrial process (e.g., the filling of a tank, etc.), the sensor data fromindustrial equipment 304, the control parameter values used bycontroller 306, or the like. In some embodiments,HMI 310 may also allow for the reconfiguration ofcontroller 306, such as by adjusting its control parameters for industrial equipment 304 (e.g., to shut down the industrial process, etc.). -
Networking equipment 308 may include any number of switches, routers, firewalls, telemetry exporters and/or collectors, gateways, bridges, and the like. In some embodiments, these networking functions may be performed in a virtualized/containerized manner. For example, a telemetry exporter may take the form of a containerized application installed tonetworking equipment 308, to collect and export telemetry regarding the operation networking equipment 308 (e.g., queue state information, memory or processor resource utilization, etc.) and/or network 302 (e.g., measured delays, drops, jitter, etc.). - In some embodiments, at least a portion of
network 302 may be implemented as a software-defined network (SDN). In such implementations, control plane decisions by the networking equipment ofnetwork 302, such asnetworking equipment 308, may be centralized with an SDN controller. For example, rather than networkingequipment 308 establishing routing paths and making other control decisions, individually, such decisions can be centralized with an SDN controller (e.g., networksupervisory service 312, etc.). - During operation, network
supervisory service 312 may function to monitor the status and health ofnetwork 302 andnetworking equipment 308. An example of such a network supervisory service is DNA-Center by Cisco Systems, Inc. For example, in some implementations, networksupervisory service 312 may take the form of a network assurance service that assesses the health ofnetwork 302 andnetworking equipment 308 through the use of heuristics, rules, and/or machine learning models. In some cases, this monitoring can also be predictive in nature, allowing networksupervisory service 312 to predict failures and other network conditions before they actually occur. In either case, networksupervisory service 312 may also provide control overnetwork 302, such as by reconfiguringnetworking equipment 308, adjusting routing innetwork 302, and the like. As noted above, networksupervisory service 312 may also function as an SDN controller fornetworking equipment 308, in some embodiments. - As shown,
architecture 300 may also includeSCADA service 314 which supervises the operation of the industrial process. More specifically,SCADA service 314 may communicate withcontroller 306, to receive data regarding the industrial process (e.g., sensor data fromindustrial equipment 304, etc.) and provide control overcontroller 306, such as by pushing new control routines, software updates, and the like, tocontroller 306. - As would be appreciated,
SCADA service 314,controller 306, and/orHMI 310 may communicate using an automation protocol. Examples of such protocols may include, but are not limited to, Profibus, Modbus, DeviceNet, HART, DNP3, IEC 61850, IEC 60870-5, and the like. In addition, different protocols may be used within network 102 and amongnetworking equipment 308, depending on the specific implementation ofarchitecture 300. Further, different portions ofnetwork 302 may be organized into different cells or other segmented areas that are distinct from one another and interlinked vianetworking equipment 308. -
Architecture 300 may also include apolicy service 316 that is responsible for creating and managing security and access policies for endpoints innetwork 302. An example of such apolicy service 316 is the Identity Services Engine (ISE) by Cisco Systems, Inc. In various embodiments, as detailed below,policy service 316 may also be configured to identify the types of endpoints present in network 302 (e.g.,HMI 310,controller 306, etc.) and their corresponding actions/functions. In turn, this information can be used to drive the policies thatpolicy service 316 creates. -
Security service 318 is configured to enforce the various policies created and curated bypolicy service 316 in the network. For example, such policies may be implemented bysecurity service 318 as access control lists (ACLs), firewall rules, or the like, that are distributed tonetworking equipment 308 for enforcement. - According to various embodiments,
architecture 300 may also includeasset inventory service 320 that is used to collect information about learned assets/endpoints innetwork 302 and maintain an inventory of these various devices innetwork 302. In various embodiments,asset inventory service 320 may do so by embedding sensing modules innetworking equipment 308 which passively analyze communications between endpoints. The sensors may use deep packet inspection (DPI) to not only identify the protocols in use by a given packet (e.g., the automation protocol used betweenHMI 310,controller 306, and SCADA service 314), but also understand the action(s) that are being communicated and to classify both the type of device/component and its application behavior. - For example, when a sensor module executed by
networking equipment 308 identifies the use of an automation protocol by a packet, it may examine the payload of each flow to identify any or all of the following: -
- The device type (e.g., based on passive scan of traffic and matching a known criterion, the device is classified).
- The software and/or hardware versions of the device.
- MAC and IP addresses of all devices with which the discovered device is communicating.
- The activity profile of the device (e.g., how is it trying to communicate), and the protocol(s) it is using.
- The commands that are being passed (e.g., SCADA commands, etc.), down to the specific control parameter values.
- The sensor modules of
networking equipment 308 then then organize the collected information into meaningful tags. In general, these tags are simply a way to categorize devices and their behaviors, similar to the same way a human may look at a pen or a pencil and categorize them as writing instruments. Each device can also have multiple tags associated with it, such as the following: -
- Component Tags—these tags identify device specific details (e.g., Device ID, SCADA station, PLC, Windows device, etc.).
- Activity Tags—these tags identify what the device is doing at the protocol level (Programming CPU, Heartbeat, Emergency Break, Data Push).
- User-Defined Tags—these could be custom tags to supply additional context (e.g. “
Cell 1 Tag”). - Dynamically Generated Tags—these could be added dynamically (e.g., using ML) to signify whether the behavior of the device is normal or anomalous, or for other dynamic conditions.
- Scalable Group Tags—These tags are applied to specific packet flows between a defined group of devices/services in the network. For example, in the case shown,
HMI 310,controller 306, andSCADA service 314 may be tagged as belonging to a particular group.
- The sensor modules embedded in
networking equipment 308 may also collect metadata about the communicating devices/endpoints, including its network identifiers (e.g., IP and MAC addresses), vendor, device-type, firmware version, the switch ID and port where the device is connected, etc. As the sensor module learns details of a new device/endpoint innetwork 302, it may send its collected metadata about that device, along with its tags, to theasset inventory service 320. - In this manner,
asset inventory service 320 may maintain an inventory of each of the endpoint devices innetwork 302, their associated tags, and their metadata. Thus, as new devices are discovered innetwork 302, their profile information is added to the live inventory of devices maintained byasset inventory service 320. As noted above, the various tags applied by the sensor modules deployed tonetworking equipment 308 and used byasset inventory service 320 may be predefined or may, via a user interface (not show) be user-defined. -
FIGS. 4A-4B illustrate example displays 400, 410, respectively, showing component and activity tags, in some embodiments. As shown, the various component tags can be used to identify a particular endpoint or other device in the network by its type (e.g., PLC, SCADA station, etc.), its software (e.g., CodeSys, Windows, etc.). In addition, analysis of the traffic of the device can also lead to various activity tags being applied to that device, as well. For example, such activity tags may distinguish between control system behaviors (e.g., insert program, device init., etc.) and IT behaviors (e.g., host config., ping, etc.). - Referring again to
FIG. 3 , to facilitate the labeling of devices innetwork 302 using tags,asset inventory service 320 may also leverage device classification functions provided bypolicy service 316, to identify the component and activity tags of a particular device innetwork 302 under scrutiny. In general, device classification (also known as “device profiling”) has traditionally used static rules and heuristics for the determination. In further embodiments, the device classification bypolicy service 316 can be achieved by applying a trained machine learning-based classifier to the captured telemetry data fromnetworking equipment 308. Such telemetry data can also take the form of information captured through active and/or passive probing of the device. Notably, this probing may entailpolicy service 316 sending any or all of the following probes via networking equipment 308: -
- Dynamic Host Configuration Protocol (DHCP) probes with helper addresses
- SPAN probes, to get messages in INIT-REBOOT and SELECTING states, use of ARP cache for IP/MAC binding, etc.
- Netflow probes
- HyperText Transfer Protocol (HTTP) probes to obtain information such as the operating system (OS) of the device, Web browser information, etc.
- Remote Authentication Dial-In User Service (RADIUS) probes.
- Simple Network Management Protocol (SNMP) to retrieve Management Information Base (MIB) object or receives traps.
- Domain Name System (DNS) probes to get the Fully Qualified Domain Name (FQDN)
- etc.
- Further information that may be captured by
networking equipment 308 and reported via telemetry data topolicy service 316 may include traffic behavioral characteristics of the traffic of a device, such as the communication protocols used, flow information, timing and pattern data, and the like. In addition, the telemetry data may be indicative of the operational intent of the endpoint device (e.g.,controller 306,HMI 310, etc.). - According to various embodiments, additional information that
policy service 316 andasset inventory service 320 may use to tag the various devices/components innetwork 302 may include any or all of the following: -
- Manufacturer's Usage Description (MUD) information—As proposed in the Internet Engineering Task Force (IETF) draft entitled, “Manufacturer Usage Description Specification,” devices may be configured by their manufacturers to advertise their device specifications. Such information may also indicate the intended communication patterns of the devices.
- Asset Administration Shell data—this is an Industry 4.0 method to express how an IoT device should behave, including expected communication patterns.
- IEC 61850 Substation Configuration Language (SCL) data—this is a language that is used primarily in the utility industry to express Intelligent Electronic Device (IED) intent.
- Open Platform Communication Unified Architecture (OPC UA) data—such data provides industrial models used in manufacturing contexts.
- Thus,
policy service 316,asset inventory service 320, and the sensor nodules and telemetry exporters ofnetworking equipment 308 may operate in conjunction with one another to apply various tags to the devices innetwork 302 and their traffic flows. -
FIG. 5 illustrates anexample screen capture 500 of an asset profile, in some embodiments. Notably, the techniques herein have been implemented as part of a prototype system andscreen capture 500 is from that prototype system. As can be seen, a particular asset has been identified as a Yokogawa device and has been tagged with various component and activity tags (e.g., PLC, CodeSys, Citect Report, etc.). This profile may be stored by the asset inventory service (e.g.,service 320 inFIG. 3 ) and provide to a user interface, allowing the user to quickly learn information about the device. Such information can also be automatically updated over time, using the techniques herein. - Referring again to
FIG. 3 , according to various embodiments, the various tags associated with a particular asset/device connected to network 302 may be used tosegment network 302 according to the needs and intent of that device. In general, network segmentation involves dividing a network into smaller parts such that only a subset of the devices on the network can communicate with each other. - Network segmentation can be achieved in a number of different ways. In some cases, the network can be segmented by distributing firewalls throughout the network and propagating the appropriate access control lists (ACLs) to them. Doing so would effectively block a given device in the network from communicating with other devices or services outside of its allowed set. In other cases, network segmentation can be achieved through the use of virtual LAN (VLAN) configurations pushed to the networking equipment of the network, such as
networking equipment 308. In further cases, network segmentation can be implemented through the use of software-defined access technologies by grouping and tagging network traffic, accordingly. - Micro-segmentation is a relatively new form of network segmentation that provides even more granularity to the segmentation of a network. For example, micro-segmentation may take into account application-layer information, allowing different for to segmentations to occur on a per-application basis, even for the same device.
- To leverage the various tags assigned to a device for purposes of (micro-)
segmenting network 302,policy service 316 may collects the inventory of the discovered devices fromasset inventory service 320, according to various embodiments. Using the techniques above,policy service 316 may have any number of policies defined that distinguish between normal/acceptable and abnormal/unacceptable behavior of a device. For example,controller 306 during its normal operation. may communicate withSCADA service 314 andHMI 310, vianetwork 302, but should not communicate with other controllers or devices outside of its cell/area zone. Such a segmentation policy can be defined withinpolicy service 316 based on the tags associated withcontroller 306 thatpolicy service 316 retrieves fromasset inventory service 320. - In various cases, a segmentation policy constructed by
policy service 316 may be on a per-device basis or may be more generic in nature. For example, assume thatarchitecture 600 is implemented in a factory setting in which there are any number ofcontrollers 306 andHMIs 310 in various locations throughout the factory. For example, a more generic network segmentation policy may be of the form: -
- IF the device is a PLC AND is in CELL-1 THEN it may communicate with device-x
- More specifically, such a policy may be defined as a logical combination of tags. For example,
-
- IF <component_tag=PLC> AND <user_tag=Cell-1> THEN it may communicate with device-x
Such a policy could be reused and applied to all PLC's within Cell-1 of the factory to allow them to communicate with a particular device or service (e.g.,HMI 310,SCADA service 314, etc.).
- IF <component_tag=PLC> AND <user_tag=Cell-1> THEN it may communicate with device-x
- In further embodiments, a segmentation policy may be generated by
policy service 316 by grouping together similar devices that should communicate with each other based on their function, location, and/or context, as defined by the specific combinations of tags associated with them. To facilitate this, asset inventory service 320 (or any of the other services 312-314, 318) may communicate additional information topolicy service 316 regarding the various communications attempted by the TO devices connected tonetwork 302. For example, such information may indicate the set of devices to whichSCADA service 314 is attempting to communicate. - To aid in defining a. network segmentation policy, policy'
service 316 may provide data to a user interface regarding the various tags associated with component ofarchitecture 600 as well as, potentially, data regarding the traffic involving it. This allows an administrator to easily compare the attempted communications of a given device or service to its expected behavior. For instance, such a comparison can answer the question, “isHMI 310 communicating withcontroller 306 as it should be, or is it attempting to communicate elsewhere innetwork 302, as well?” Once the administrator codifies this into a formal network segmentation policy, this type of comparison can be made automatically within network 302 (e.g., by networking equipment 308), to identify policy violations and take corrective measures, as needed. For example, whenHMI 310 attempts to communicate with a controller outside of its area,networking equipment 308 may block the connection and/or raise a security alert. - In various embodiments, the network segmentation may leverage network overlay tags, to create a network overlay fabric. For example, as shown in
FIG. 6A , a segmentation policy can be used to implement anetwork overlay 602 that limitscontroller 306 to communicating only withHMI 310 andSCADA service 314. In some embodiments, this can be achieved by taggingcontroller 306,HMI 310, andSCADA service 314, and/or their corresponding traffic, with scalable group tags. In further embodiments, this can be achieved through the use of Virtual Extensible LAN (VxLAN) encapsulation with VxLAN Network Identifiers (VNIDs). - Thus, the network segmentation policies may be implemented through application of any or all of the following, in various embodiments:
-
- Metadata gathered by sensors performing deep packet inspection of industrial protocols, which are then associated with components, activities, and variables by means of component, activity, user-defined, and/or dynamic tags.
- Scalable Group Tags are then assigned to specific packet flows from devices, using the other tags, either in isolation or by logical combination.
- Scalable Group Tags are presented in a high-level user-interface for an operator to express intent on which devices may/may not communicate with each other.
- An intent-based policy is then enforced throughout the network infrastructure via the automated deployment of security group access control lists (SGACLs) to the networking equipment.
- As the network sensors are able to evaluate traffic in
network 302 all the way to the application layer, this allows their corresponding tags to drive micro-segmentation policies, as well. By way of example, assume that all devices with SCADA tags are assigned a SCADA scalable group tag at the network edge innetworking equipment 308. In turn, an operator may then express a policy viapolicy service 316 such that only devices with a SCADA scalable group tag may be permitted to communicate with the SCADA service in the industrial data center. Thus, by a combination of their tags, flow information, and policy, micro-segments are defined for industrial devices that need to communicate with each other. Devices of the same micro-segment are assigned a scalable group tag which will allow them to be isolated as a virtual overlay in the network. - In the case of
network 302 utilizing software-defined networking (SDN) the scalable group tags may be shared with networksupervisory service 312, which functions as the SUN controller fornetwork 302. In turn, the SDN controller communicates to the edge switches innetworking equipment 308 where the devices are connected and implements the policy to tag all traffic from the devices with the appropriate scalable group tags, so that they are placed in the SDN overlay, accordingly. - In some embodiments, the micro-segmentation at the application level may take into account the sender-receiver pair, the protocol(s) used by the packet, as well as the specific parameter values in the payload of the packet. Indeed, since the sensors to embedded in
networking equipment 308 perform deep packet inspection (DPI) on the packets between devices innetwork 302, and packets in an industrial setting are typically unencrypted, the sensors can also extract out the specific data actually being sent, as well. - For instance, as shown in
FIG. 6B , assume thatHMI 310 is to only provide visualizations of the industrial process performed byindustrial equipment 304 and provide no control over the process. Since the sensors embedded innetworking equipment 308 are able to evaluate the traffic to and fromcontroller 306 down to the specific parameter values in the payloads of the packets, another potential micro-segmentation ofnetwork 302 may be to allowcontrol traffic 604 fromSCADA service 314 tocontroller 306 and only displaytraffic 606 betweenTIMI 310 andcontroller 306. -
FIG. 7 illustrates an example simplified procedure for segmenting a network, in accordance with one or more embodiments described herein. In various embodiments, a non-generic, specifically configured device (e.g., device 200) may performprocedure 700 by executing stored instructions (e.g., process 248), to provide a service to a network. Theprocedure 700 may start atstep 705, and continues to step 710, where, as described in greater detail above, the service may obtain one or more component tags and one or more activity tags that were assigned to an endpoint device in a network, based on DPI of the traffic associated with the endpoint device. For example, a PLC installed in the network may be tagged with a PLC component tag and an activity tag that indicates that the PLC communicates with a SCADA service. - At
step 715, as detailed above, the service may determine an intent of the endpoint device, using the one or more component tags and the one or more activity tags. For example, once a PLC, VFD, or other endpoint device has been tagged according to its traffic, the service may determine the purpose of the endpoint device in the network and how it should behave (e.g., the applications that it may use, the senders or receivers with which it should communicate, etc.). In some embodiments, the service may do so in part by receiving an indication of one or more scalable group tags for the endpoint device and associating those tag(s) with the endpoint device. For instance, the service may provide the details regarding the device to a user interface and, in return, receive the indication of the scalable group tag(s) via the user interface. - At
step 720, the service may translate the intent of the endpoint device into a network segmentation policy, as described in greater detail above. In some embodiments, the service may do so by generating a security group access control list, based on the one or more scalable group tags associated with the endpoint device. In further embodiments, the intent may be translated into a VxLAN configuration for the network. - At
step 725, as detailed above, the service may configure a network overlay in the network that implements the network segmentation policy. In some embodiments, the service may do so by sending the security group access control list or VxLAN configuration to networking equipment in the network. In various embodiments, the network overlay restricts the endpoint device to communicating only with a subset of senders or receivers via the network and, in some cases, may further restrict the endpoint device to sending or receiving only a specific type of application traffic via the network. For instance, assume that one or more of the component tags associated with the endpoint device are indicative of a physical location of the device. In such a case, the network overlay may restrict the endpoint to communicating with a particular sender or receiver also located in the same physical location as the endpoint device.Procedure 700 then ends atstep 730. - The techniques described herein, therefore, allow for intent-based security to be implemented in an IoT network through the use of network segmentation. In some aspects, by learning the intent of an endpoint in the network, policies can be put into place that ensure that the endpoint does not deviate from its expected behavior.
- While there have been shown and described illustrative embodiments for intent-based network segmentation, it is to be understood that various other adaptations and modifications may be made within the intent and scope of the embodiments herein. For example, while specific endpoint device types are described, the techniques can be applied to any number of different types of devices. Further, while the techniques herein are described as being performed at certain locations within a network, the techniques herein could also be performed at other locations, as desired (e.g., fully in the cloud, fully within the local network, etc.).
- The foregoing description has been directed to specific embodiments. It will be apparent, however, that other variations and modifications may be made to the described embodiments, with the attainment of some or all of their advantages. For instance, it is expressly contemplated that the components and/or elements described herein can be implemented as software being stored on a tangible (non-transitory) computer-readable medium (e.g., disks/CDs/RAM/EEPROM/etc.) having program instructions executing on a computer, hardware, firmware, or a combination thereof. Accordingly, this description is to be taken only by way of example and not to otherwise limit the scope of the embodiments herein. Therefore, it is the object of the appended claims to cover all such variations and modifications as come within the true intent and scope of the embodiments herein.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/853,622 US20210194760A1 (en) | 2019-12-20 | 2020-04-20 | Dynamic segmentation in an industrial network based on inventory tags |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201962951645P | 2019-12-20 | 2019-12-20 | |
US16/853,622 US20210194760A1 (en) | 2019-12-20 | 2020-04-20 | Dynamic segmentation in an industrial network based on inventory tags |
Publications (1)
Publication Number | Publication Date |
---|---|
US20210194760A1 true US20210194760A1 (en) | 2021-06-24 |
Family
ID=76438939
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/838,822 Pending US20210194851A1 (en) | 2019-12-20 | 2020-04-02 | Intent-based security for industrial iot devices |
US16/853,622 Pending US20210194760A1 (en) | 2019-12-20 | 2020-04-20 | Dynamic segmentation in an industrial network based on inventory tags |
US16/854,616 Pending US20210194815A1 (en) | 2019-12-20 | 2020-04-21 | Telemetry collection and policy enforcement using asset tagging |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/838,822 Pending US20210194851A1 (en) | 2019-12-20 | 2020-04-02 | Intent-based security for industrial iot devices |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/854,616 Pending US20210194815A1 (en) | 2019-12-20 | 2020-04-21 | Telemetry collection and policy enforcement using asset tagging |
Country Status (1)
Country | Link |
---|---|
US (3) | US20210194851A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220012975A1 (en) * | 2020-07-01 | 2022-01-13 | Renetec, Inc. | Method and system of touch-free vending |
WO2023120917A1 (en) * | 2021-12-23 | 2023-06-29 | Samsung Electronics Co., Ltd. | System and method for introducing a new emergency alert using modular tag device |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11706241B1 (en) | 2020-04-08 | 2023-07-18 | Wells Fargo Bank, N.A. | Security model utilizing multi-channel data |
US11720686B1 (en) | 2020-04-08 | 2023-08-08 | Wells Fargo Bank, N.A. | Security model utilizing multi-channel data with risk-entity facing cybersecurity alert engine and portal |
US11777992B1 (en) * | 2020-04-08 | 2023-10-03 | Wells Fargo Bank, N.A. | Security model utilizing multi-channel data |
US20210406255A1 (en) * | 2020-06-29 | 2021-12-30 | Forescout Technologies, Inc. | Information enhanced classification |
DE102020209993A1 (en) * | 2020-08-06 | 2022-02-10 | Robert Bosch Gesellschaft mit beschränkter Haftung | Method and device for processing data from a technical system |
US11848838B2 (en) * | 2021-06-24 | 2023-12-19 | Hewlett Packard Enterprise Development Lp | Communicating node events in network configuration |
WO2024086130A1 (en) * | 2022-10-21 | 2024-04-25 | Cisco Technology, Inc. | Multi-layered secure equipment access |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9350703B2 (en) * | 2014-05-06 | 2016-05-24 | Futurwei Technologies, Inc. | Enforcement of network-wide context aware policies |
WO2019190403A1 (en) * | 2018-03-29 | 2019-10-03 | Agency For Science, Technology And Research | An industrial control system firewall module |
US11677627B2 (en) * | 2018-06-29 | 2023-06-13 | Forescout Technologies, Inc. | Dynamic segmentation management |
US11463407B2 (en) * | 2018-07-13 | 2022-10-04 | Raytheon Company | Policy engine for cyber anomaly detection |
US10944652B2 (en) * | 2019-05-16 | 2021-03-09 | Arista Networks, Inc. | Method and network device for tagging network traffic flows |
-
2020
- 2020-04-02 US US16/838,822 patent/US20210194851A1/en active Pending
- 2020-04-20 US US16/853,622 patent/US20210194760A1/en active Pending
- 2020-04-21 US US16/854,616 patent/US20210194815A1/en active Pending
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220012975A1 (en) * | 2020-07-01 | 2022-01-13 | Renetec, Inc. | Method and system of touch-free vending |
US11961373B2 (en) * | 2020-07-01 | 2024-04-16 | Pepsico, Inc. | Method and system of touch-free vending |
WO2023120917A1 (en) * | 2021-12-23 | 2023-06-29 | Samsung Electronics Co., Ltd. | System and method for introducing a new emergency alert using modular tag device |
Also Published As
Publication number | Publication date |
---|---|
US20210194815A1 (en) | 2021-06-24 |
US20210194851A1 (en) | 2021-06-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20210194760A1 (en) | Dynamic segmentation in an industrial network based on inventory tags | |
US11909741B2 (en) | Validating a device class claim using machine learning | |
US11265286B2 (en) | Tracking of devices across MAC address updates | |
US10855698B2 (en) | Leveraging endpoint and network environment inferences for malware traffic classification | |
US20180316555A1 (en) | Cognitive profiling and sharing of sensor data across iot networks | |
US11962469B2 (en) | Identifying devices and device intents in an IoT network | |
US10742678B2 (en) | Vulnerability analysis and segmentation of bring-your-own IoT devices | |
US11443230B2 (en) | Intrusion detection model for an internet-of-things operations environment | |
US11528231B2 (en) | Active labeling of unknown devices in a network | |
US11153347B2 (en) | Preserving privacy in exporting device classification rules from on-premise systems | |
US10700984B2 (en) | Differentiating devices with similar network footprints using active techniques | |
US11392115B2 (en) | Zero-trust architecture for industrial automation | |
EP3648407B1 (en) | Using stability metrics for live evaluation of device classification systems and hard examples collection | |
US11190579B1 (en) | Edge to multi-cloud data processing and governance | |
US20220321467A1 (en) | Dynamic intent-based qos policies for commands within industrial protocols | |
US11151476B2 (en) | Learning criticality of misclassifications used as input to classification to reduce the probability of critical misclassification | |
US11425009B2 (en) | Negotiating machine learning model input features based on cost in constrained networks | |
US11616727B2 (en) | Data pipeline configuration using network sensors | |
US11121952B2 (en) | Device health assessment data summarization using machine learning | |
US11516199B2 (en) | Zero trust for edge devices | |
US11863555B2 (en) | Remote access policies for IoT devices using manufacturer usage description (MUD) files | |
US20220038335A1 (en) | Automatic orchestration of iot device data management pipeline operations | |
US20230412603A1 (en) | Industrial device mac authentication bypass bootstrapping | |
US20230379350A1 (en) | Continuous trusted access of endpoints | |
US20230379213A1 (en) | Intelligent closed-loop device profiling for proactive behavioral expectations |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BARTON, ROBERT EDGAR;SZIGETI, THOMAS;HENRY, JEROME;AND OTHERS;SIGNING DATES FROM 20200414 TO 20200420;REEL/FRAME:052447/0273 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STCV | Information on status: appeal procedure |
Free format text: EXAMINER'S ANSWER TO APPEAL BRIEF MAILED |
|
STCV | Information on status: appeal procedure |
Free format text: APPEAL READY FOR REVIEW |
|
STCV | Information on status: appeal procedure |
Free format text: ON APPEAL -- AWAITING DECISION BY THE BOARD OF APPEALS |
|
STCV | Information on status: appeal procedure |
Free format text: BOARD OF APPEALS DECISION RENDERED |