Industrial Security Appliance SCALANCE S
Unrestricted © Siemens SA 2020
Industrial Security Appliance – SCALANCE S
https://siemens.com/scalance-s
Industrial security appliances – SCALANCE S
Design and housing variants
SC632-2C, SC636-2C, S615, SC642-2C, SC646-2C
Siemens security concept
“Defense in depth” strategy
• Malware detection and prevention
• Patch management
• User account management: user administration (role-based access control)
• System hardening: reduction of the vulnerabilities of a computer system
• Secure communication: protection of communication over untrusted networks
• Protection of access points: implementation of firewalls
• Segmentation into zones / secure cells: segmentation of the system
• Policies and procedures: risk management, assessments and audits; compliance; disaster recovery of the system (resilience)
• Physical security: control measures in buildings; video surveillance, access control
(Diagram label: potential attacker)
Network Security – SCALANCE SC
Cell segmentation
• Segmentation to prevent fault propagation
• Firewall to control communications
• Masquerading (NAT) for standardization
• Secure remote access
• High bandwidth
• TIA Portal integration
SCALANCE S Portfolio – Overview

|                  | S615        | SC-600 (SC632-2C, SC636-2C, SC642-2C, SC646-2C) |
|------------------|-------------|--------------------------------------------------|
| Interfaces       | 10/100 Mbps | 10/100/1000 Mbps                                 |
| Firewall/Routing | 100 Mbps    | 600 Mbps                                         |
| VPN              | 35 Mbps     | 120 Mbps                                         |

Functions and limits per device:
• S615: Firewall, NAT, VPN; limits: 128 rules, 20 VPN connections
• SC642-2C, SC646-2C: Firewall, NAT, VPN; limits: 1000 rules, 200 VPN connections
• SC632-2C, SC636-2C: Firewall, NAT; limits: 1000 rules
SCALANCE S
Hardware – functions in comparison

| Main characteristics | SC632-2C | SC636-2C | S615 | SC642-2C | SC646-2C |
|---|---|---|---|---|---|
| Number of electrical/optical ports (max.) | 2 | 6 | 5 | 2 | 6 |
| Port characteristics, electrical (max.) | 2x RJ45 | 6x RJ45 | 5x RJ45 | 2x RJ45 | 6x RJ45 |
| Port characteristics, optical (max.) | 2x SFP | 2x SFP | - | 2x SFP | 2x SFP |
| Data rate, electrical | 10/100/1000 Mbps | 10/100/1000 Mbps | 10/100 Mbps | 10/100/1000 Mbps | 10/100/1000 Mbps |
| Data rate, optical | 100/1000 Mbps | 100/1000 Mbps | - | 100/1000 Mbps | 100/1000 Mbps |
| Housing | Metal/plastic | Metal/plastic | Metal | Metal/plastic | Metal/plastic |
| Degree of protection | IP20 | IP20 | IP20 | IP20 | IP20 |
| Mounting | DIN rail, S7-300/S7-1500 profile rail, wall | DIN rail, S7-300/S7-1500 profile rail, wall | DIN rail, S7-300/S7-1500 profile rail, wall | DIN rail, S7-300/S7-1500 profile rail, wall | DIN rail, S7-300/S7-1500 profile rail, wall |
| Dimensions WxHxD [mm] / Weight [g] | 60x145x125 / 580 | 60x145x125 / 580 | 35x147x127 / 400 | 60x145x125 / 580 | 60x145x125 / 580 |
| Power supply (redundant) | 24 V DC | 24 V DC | 24 V DC | 24 V DC | 24 V DC |
| Ambient temperature (operation) | -40 to 70 °C | -40 to 70 °C | -40 to 70 °C | -40 to 70 °C | -40 to 70 °C |
| Digital input | 2-pin terminal block | 2-pin terminal block | 2-pin terminal block | 2-pin terminal block | 2-pin terminal block |
| Digital output | - | - | 2-pin terminal block | - | - |
| Signaling contact | 2-pin terminal block | 2-pin terminal block | - | 2-pin terminal block | 2-pin terminal block |
| Console port | Yes | Yes | - | Yes | Yes |
| PLUG slot | Yes | Yes | Yes | Yes | Yes |
SCALANCE S
Software – functions in comparison

| Main characteristics | SC632-2C | SC636-2C | S615 | SC642-2C | SC646-2C |
|---|---|---|---|---|---|
| Type of configuration | WBM / CLI / SNMP / TIA Portal | WBM / CLI / SNMP / TIA Portal | WBM / CLI / SNMP / TIA Portal | WBM / CLI / SNMP / TIA Portal | WBM / CLI / SNMP / TIA Portal |
| Execution of firewall | Stateful packet inspection L3 / L4 | Stateful packet inspection L3 / L4 | Stateful packet inspection L3 / L4 | Stateful packet inspection L3 / L4 | Stateful packet inspection L3 / L4 |
| Maximum data rate firewall/routing | 600 Mbps | 600 Mbps | 100 Mbps | 600 Mbps | 600 Mbps |
| Maximum number of firewall rules | 1000 | 1000 | 64 | 1000 | 1000 |
| Type of VPN connections | OpenVPN (client to SINEMA RC) | OpenVPN (client to SINEMA RC) | IPsec (client + server), OpenVPN (client to SINEMA RC) | IPsec (client + server), OpenVPN (client to SINEMA RC) | IPsec (client + server), OpenVPN (client to SINEMA RC) |
| Number of possible IPsec-VPN connections | - | - | 20 | 200 | 200 |
| Type of hashing algorithms | - | - | MD5, SHA1, SHA256, SHA384 or SHA512 | MD5, SHA1, SHA256, SHA384 or SHA512 | MD5, SHA1, SHA256, SHA384 or SHA512 |
| Maximum data rate IPsec-VPN | - | - | 35 Mbps | 120 Mbps | 120 Mbps |
| NAT / NAPT | Yes | Yes | Yes | Yes | Yes |
Industrial security appliances – SCALANCE S
Protection of industrial networks with SCALANCE S615

| Feature / function | Benefit |
|---|---|
| Firewall and VPN (IPsec and OpenVPN to SINEMA RC) | Protection against unauthorized access from outside and associated data transmission |
| Variable security zones via VLAN | High degree of flexibility for firewall configuration |
| Digital input for controlled tunnel creation | Communication via unprotected networks only if required |
| Auto-configuration interface for SINEMA Remote Connect | Time and cost savings; no expert knowledge necessary |
| TIA Portal 1) and SINEC NMS 2) integration | Network management and end-to-end engineering in the TIA Portal |

1) TIA Portal V15 or higher
2) Planned start of delivery in 9/2018
Industrial security appliances – SCALANCE S
Structure of SCALANCE S615 (diagram callouts)
• Status LED: VPN
• SET button
• Status LED: Line (L)
• Redundant voltage feed
• Status LED: Fault (F)
• Fast Ethernet 5-port switch with retaining collars
• Security zones configurable via VLAN
• Status LED for DI/DO
• Digital input (electrically isolated)
• PLUG slot (on the back)
• Mounting to: wall, DIN rail, SIMATIC S7-300 profile rail, SIMATIC S7-1500 profile rail
• QR code (EAN, MLFB)
• Digital output (electrically isolated)
• Grounding connection
Industrial security appliances – SCALANCE S
Structure of SCALANCE SC-600 shown with SC646-2C (diagram callouts)
• SELECT/SET button
• Signaling contact
• Clear LED field: port status, data rate, fault LED
• Redundant voltage feed
• PLUG slot
• Console port
• Digital input
• 6x RJ45 Gigabit Ethernet (GE), of which 2 are combo ports (SFP); RJ45 ports with Fast Connect retaining collars
• Mounting to: wall, DIN rail, SIMATIC S7-300 profile rail, SIMATIC S7-1500 profile rail
• Robust IP20 housing, plastic front; housing back made of die-cast aluminum
• Grounding screw
Industrial security appliances – SCALANCE S
Protection of industrial networks with SCALANCE SC-600

| Feature / function | Benefit |
|---|---|
| Firewall or encryption performance approx. 600 Mbps or 120 Mbps respectively | High data throughput and the best possible data security in the network |
| Virtual Private Network: VPN (IPsec), only SC642-2C and SC646-2C | Eavesdropping and integrity protection |
| Up to 6 ports, 2 of them designed as combo port | Configurable ports, depending on requirements and quantity structure; combo port can be equipped with SFPs for FO topologies |
| Stateful inspection firewall; NAT/NAPT | Protection against unauthorized network access; integration of networks with identical IP addresses (e.g., standardized machines) |
| Implementation of a flexible security zone concept | Network separation, DMZ (e.g., for secured remote maintenance) |
| TIA Portal 1) and SINEC NMS 2) integration | Network management and end-to-end engineering in the TIA Portal |
| Integration into SINEMA Remote Connect | Secured remote access to machinery and equipment |

1) TIA Portal V15 or higher
2) Planned start of delivery in 9/2018
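The "integration of networks with identical IP addresses" benefit above is the 1:1 NAT case: every standardized machine cell ships with the same internal addressing, and the appliance at the cell boundary maps that internal subnet onto a unique external subnet so the plant network can still address each machine individually. The following Python simulation is an added illustration written for this page; it is not SCALANCE code or configuration, and the cell names, subnets and the `CellNat` / `route_to_cell` helpers are constructed for the example.

```python
# Added illustration (not SCALANCE code): 1:1 NAT at a cell boundary so that
# two standardized machines with identical internal addressing are reachable
# from the plant network under distinct external addresses.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class CellNat:
    """1:1 NAT for one machine cell (hypothetical model).

    The internal subnet, which is the same on every standardized machine, is
    mapped onto a unique external subnet of equal size; the host part of each
    address is preserved, so internal .10 becomes external .10.
    """

    def __init__(self, name: str, internal: str, external: str) -> None:
        self.name = name
        self.internal = ipaddress.ip_network(internal)
        self.external = ipaddress.ip_network(external)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("1:1 NAT needs internal and external subnets of equal size")

    @staticmethod
    def _shift(addr: ipaddress.IPv4Address, src_net, dst_net) -> str:
        # Keep the host offset, swap the network part.
        host = int(addr) - int(src_net.network_address)
        return str(dst_net.network_address + host)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Plant -> cell: if the destination is one of this cell's external
        addresses, rewrite it to the machine's internal address."""
        dst = ipaddress.ip_address(pkt.dst)
        if dst not in self.external:
            return None
        return Packet(pkt.src, self._shift(dst, self.external, self.internal))

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Cell -> plant: rewrite an internal source to its external address."""
        src = ipaddress.ip_address(pkt.src)
        if src not in self.internal:
            return None
        return Packet(self._shift(src, self.internal, self.external), pkt.dst)


def route_to_cell(cells: List[CellNat], pkt: Packet) -> Optional[Tuple[str, Packet]]:
    """Plant-side dispatcher: find the cell whose external subnet contains the
    destination and return (cell name, translated packet). None means there is
    no mapping, so the packet has no valid target and is dropped at the boundary."""
    for cell in cells:
        translated = cell.inbound(pkt)
        if translated is not None:
            return cell.name, translated
    return None


# Constructed sample: two identical machines, both using 192.168.0.0/24
# internally (PLC at 192.168.0.10 on each), exposed on distinct /24s.
CELLS = [
    CellNat("Machine 1", "192.168.0.0/24", "10.1.1.0/24"),
    CellNat("Machine 2", "192.168.0.0/24", "10.1.2.0/24"),
]

if __name__ == "__main__":
    engineering_station = "10.0.0.5"
    for external_plc in ("10.1.1.10", "10.1.2.10", "10.1.9.10"):
        print(external_plc, "->", route_to_cell(CELLS, Packet(engineering_station, external_plc)))
    # Reply path from machine 2's PLC: the plant only ever sees 10.1.2.10.
    print(CELLS[1].outbound(Packet("192.168.0.10", engineering_station)))
```

Because the external subnets are disjoint, the plant side never sees the duplicated 192.168.0.0/24 space, and a firewall rule set on the plant side can be written per machine (per external subnet) while the machines themselves stay untouched and identical.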
Industrial security appliances – SCALANCE S
Ordering data of industrial security appliances

| Product name | Order number | Description |
|---|---|---|
| SCALANCE SC632-2C | 6GK5632-2GS00-2AC2 | 2x 10/100/1000 Mbps RJ45 port, 2x 100/1000 Mbps SFP combo port, firewall, SINEMA RC device license integrated |
| SCALANCE SC636-2C | 6GK5636-2GS00-2AC2 | 6x 10/100/1000 Mbps RJ45 port, 2x 100/1000 Mbps SFP combo port, firewall, SINEMA RC device license integrated |
| SCALANCE S615 | 6GK5615-0AA00-2AA2 | 5x 10/100 Mbps RJ45 port, firewall, VPN, SINEMA RC device license optionally via KEY-PLUG |
| SCALANCE SC642-2C | 6GK5642-2GS00-2AC2 | 2x 10/100/1000 Mbps RJ45 port, 2x 100/1000 Mbps SFP combo port, firewall, VPN, SINEMA RC device license integrated |
| SCALANCE SC646-2C | 6GK5646-2GS00-2AC2 | 6x 10/100/1000 Mbps RJ45 port, 2x 100/1000 Mbps SFP combo port, firewall, VPN, SINEMA RC device license integrated |
Industrial security appliances – SCALANCE S
Approvals for SCALANCE SC-600
CE, RCM (formerly C-Tick), cULus1), cULus HazLoc1), FM1)
EMC (electromagnetic compatibility)
Emitted interference EN 61000-6-4: 2007
Interference immunity EN 61000-6-2: 2005
2011/65/EU (RoHS)
EN 50581
2014/34/EU (ATEX explosion protection directive)
ATEX classification:
II 3 G Ex nA IIC T4 Gc, KEMA 07ATEX0145 X
IECEx classification: Ex nA IIC T4 Gc, DEK 14.0025X
The products meet the requirements of the standards:
• EN 60079-15
• EN 60079-0
Marine approvals
ABS (American Bureau of Shipping, USA)
BV (Bureau Veritas, France)
DNV GL (Det Norske Veritas Germanischer Lloyd, Norway and Germany)
LRS (Lloyd's Register of Shipping, GB)
PRS (Polski Rejestr Statkow, Poland)
RINA (Registro Italiano Navale, Italy)
1) Planned for 2018
Industrial security appliances – SCALANCE S
Use case “Demilitarized zone (DMZ)”
Task
The security concept of an industrial network is to be divided into several security zones.
Solution
A flexible security zone concept can be implemented with the industrial security appliance SCALANCE S.
Benefit
• Different security zones such as DMZ, network separation, etc., can be implemented
• Remote access only to specific, selected sections of the industrial network
• Firewall with 600 Mbps and VPN with 120 Mbps
• NAT/NAPT support (serial machines)
Industrial security appliances – SCALANCE S
Use case “Secured remote maintenance via rendezvous server”
Task
Secured, remote access to production sites distributed around the world is to be possible.
Solution
The industrial security appliance SCALANCE S is integrated into the management platform of remote networks (SINEMA Remote Connect). A high data throughput with maximum data security at the same time allows service technicians to quickly and securely access machinery and equipment.
Benefit
• Firewall with 600 Mbps and VPN with 120 Mbps
• NAT/NAPT support (standardized machines)
• Integration into SINEMA Remote Connect
SINEMA Remote Connect – Architecture
Figure: SINEMA Remote Connect architecture. Diagram labels (translated, in reading order): S7-1500; HMI; Machine 1/Customer 1; S615; Machine 1/Customer 2; S7-1500; HMI; M874-3; Machine 2/Customer 2; M816-1; S7-1500; HMI; Machine 3/Customer 3; INTERNET; Ethernet; ADSL router; CUSTOMER 2 ENGINEERING STATION (SINEMA RC client, engineering tools); connection to the concentrator; VPN tunnel; VPN TUNNEL CONCENTRATOR (SINEMA RC server, ADSL router, static public IP or DNS); CUSTOMER 1 ENGINEERING STATION (SINEMA RC client, engineering tools).
Industrial security appliances – SCALANCE S
Use case “Direct, secured access”
Task
Direct, secured access to machinery and equipment of a production site is to be made possible.
Solution
A VPN tunnel to the automation plants secured via the industrial security appliance SCALANCE S is established via the SOFTNET Security Client.
Benefit
• Firewall with 600 Mbps and VPN with 120 Mbps
• NAT/NAPT support (standardized machines)
• Direct, secured connection establishment via a client-server VPN connection
Industrial security appliances – SCALANCE S
Use case “End-to-end engineering”
Task
The security components employed in the network are to be configurable via standard engineering methods as well as from a central location.
Solution
The industrial security appliance SCALANCE S supports common standard methods such as WBM and SNMP, and can also be centrally engineered via the TIA Portal 1).
Benefit
• Standard methods such as WBM, SNMP, MIB are supported
• End-to-end engineering with the TIA Portal 1)
• Integration into network management systems such as SINEMA Server and SINEC NMS 2)
1) TIA Portal V15 or higher
2) Planned start of delivery in 9/2018
(Screenshots: network view; setting of firewall rules; creation of VPN connections)
SCALANCE SC-600
Use case “Secured communication in process automation”
Task
Depending on the requirements, different, secured communication channels must be established to the secured automation networks in the process automation.
Solution
A flexible security zone concept can be implemented with the industrial security appliance SCALANCE S. Thus, for example, the communication between cells can be secured.
Benefit
• Different security zones such as DMZ, network separation, etc., can be implemented
• Firewall with 600 Mbps and VPN with 120 Mbps
• Release of SCALANCE SC-600 in PCS 7 planned 1)
1) SIMATIC PCS 7 release of SCALANCE SC-600 planned for 2018
(Diagram: SCALANCE SC646-2C, SCALANCE SC642-2C, SCALANCE SC642-2C)
SCALANCE SC-600
Outlook: Use case “Service bridge” 1)
Task
For reasons of security and availability, the plant bus and fieldbus are set up separately in typical process industry plants.
Solution
The service bridge is a specially configured switch that allows dedicated temporary access from the plant bus to the fieldbus while ensuring the logical separation between the fieldbuses. Security is provided by the industrial security appliance SCALANCE SC-600 between the plant bus and the service bridge.
Benefit
• Manual addressing, naming of PN devices
• Use of the scan/online function of the STEP 7 topology editor
• Use of commissioning tools (e.g., PRONETA)
• Enhanced network diagnostics (e.g., SINEMA Server)
• Access to the web servers of PROFINET devices
• Installation of firmware updates
• Access to up to 23 separate PN subnets
See also FAQ in SIOS: https://support.industry.siemens.com/cs/ww/de/view/109747975
1) Requires layer 2 firewall, which is planned for firmware version 2.0 in 2018
(Diagram: SCALANCE SC642-2C; SCALANCE XC208 (service bridge))
https://siemens.com/network-security
Thank you for your attention!