Protecting Productivity in Industrial Networks
Maximilian Korff, Siemens Nürnberg
siemens.com/network-security
Unrestricted © Siemens AG 2017

Page 1

Page 2

Digitalization requires more connectivity. Let's do it in a secure way!


Yesterday: Limited interoperability
• Limited communication between office and production layer

Arising challenges through increasing interoperability
• Challenge to handle the complexity of increasing communication

Defined interface to handle complexity
• Two dedicated networks with a defined, managed interface

[Figure: network layers Field, Control, Enterprise, Management; Production (Operator), Backbone, Aggregation, Shop floor / Cell Network, Office Network, Core; Interoperability]

Page 3

Internet of (hacked) Things

Page 4

Page 5

The key to a secure infrastructure:

Defense in depth


Great wall
• Impenetrable wall
• One-layer protection
• One point of attack

Defense in depth
• Multi-layer protection
• Each layer protects the other layers
• An attacker must spend time and effort at each transition

A single protection measure is never enough to withstand a threat!

Page 6

Importance of Network Security

Industrial – trend towards open industrial networks…
• Availability is key
• Knowledge protection
• Secured remote access
• Open standards, PC-based systems

…increase potential threats
• Espionage and manipulation of data
• Damage and data loss caused by malware
• Access violations by unauthorized persons
• Sabotage of production

Office – main threat is loss of data and confidentiality

Network security is a vital part of a defense-in-depth strategy


Overall Siemens concept captures all levels of security:
• Plant security
• Network security
• System integrity

Network Security by Siemens
• Secured remote maintenance
• Secured data exchange
• Decoupled networks to prohibit unchecked communication
• Firewalls
• Protection against network problems
• Avoid unauthorized access

[Figure: Remote access, DMZ (Demilitarized Zone), Cell protection]

Page 7

Network Security Integrated
• Secure Remote Access
• Integrated Security Functions
• Secured PLC-PLC communication
• Secure Engineering Stations
• Secured Operator Station
• Firewalls to protect different areas of the plant network

Page 8

Page 9

Page 10

Security measures in the "smart grid"

Page 11

IEC 62443 addresses all stakeholders for a holistic protection concept

Slide by Dr. Kobes, PD TI AT, 2017-02-28

[Figure: stakeholders around the Industrial Automation and Control System (IACS). Off site: Product Supplier (develops products). On site / site specific: System Integrator (designs and deploys), Asset Owner and Service Provider (operates and maintains). Parts of IEC 62443 shown: 2-1, 2-3, 2-4, 3-2, 3-3, 4-1, 4-2. Layers: Operational policies and procedures, Maintenance policies and procedures, Automation solution (Control functions, Safety functions, Complementary functions).]

Page 12

Each stakeholder can create vulnerabilities

Example: User Identification and Authentication

[Figure: Product Supplier (develops; independent of IACS environment) provides the Control System as a combination of host devices, network components, applications and embedded devices, which is the base for the Automation solution (Basic Process Control System (BPCS), Safety Instrumented System (SIS), Complementary Hardware and Software) designed and deployed by the System Integrator (IACS environment / project specific), plus the Operational and Maintenance policies and procedures of the Asset Owner (operates). Together they form the Industrial Automation and Control System (IACS).]

Weaknesses each stakeholder can create:
• Hard-coded passwords
• Elevation of privileges
• Default passwords not changed
• Temporary accounts not deleted
• Non-confidential passwords
• Passwords not renewed
• Invalid accounts not deleted
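Several of the weaknesses on this slide can be found mechanically from an account inventory export. The following is an added example, not code from the deck or from Siemens: it audits a constructed list of accounts (names, dates, the 180-day rotation policy, the list of known default passwords and the "active staff" roster are all assumptions) and reports default passwords still in use, expired temporary accounts, stale passwords and accounts whose owner is no longer active. Hard-coded passwords, privilege elevation and non-confidential (shared or written-down) passwords are not visible in such an export and need code review and organizational checks instead.

```python
"""Account-hygiene audit for an IACS engineering/operator station.

Added example (not from the slide deck). Every name, date and policy value
below is constructed for illustration.
"""
import hashlib
from datetime import date, timedelta

# Constructed list of well-known default credentials for a hypothetical
# product line, kept as SHA-256 digests so the audit never handles plaintext.
# A real audit would compare against the device's own password hash format.
KNOWN_DEFAULT_DIGESTS = {
    hashlib.sha256(pw.encode()).hexdigest()
    for pw in ("admin", "password", "12345678")
}

PASSWORD_MAX_AGE = timedelta(days=180)      # assumed rotation policy
ACTIVE_STAFF = {"m.korff", "a.operator"}    # constructed: people still employed
TODAY = date(2017, 4, 1)                    # constructed audit date


def _digest(plain: str) -> str:
    return hashlib.sha256(plain.encode()).hexdigest()


# Constructed account inventory, as it might be exported from a device's
# user database or a central directory.
ACCOUNTS = [
    {"name": "admin", "owner": "vendor", "builtin": True, "temporary": False,
     "expires": None, "pw_digest": _digest("admin"),
     "pw_changed": date(2017, 1, 10)},
    {"name": "m.korff", "owner": "m.korff", "builtin": False, "temporary": False,
     "expires": None, "pw_digest": _digest("Str0ng-Pa55"),
     "pw_changed": date(2017, 3, 1)},
    {"name": "contractor1", "owner": "j.doe", "builtin": False, "temporary": True,
     "expires": date(2017, 2, 1), "pw_digest": _digest("temp!2017"),
     "pw_changed": date(2017, 1, 15)},
    {"name": "a.operator", "owner": "a.operator", "builtin": False, "temporary": False,
     "expires": None, "pw_digest": _digest("Sh1ft-Work"),
     "pw_changed": date(2016, 6, 1)},
]


def audit_accounts(accounts, today=TODAY, active_staff=ACTIVE_STAFF,
                   max_age=PASSWORD_MAX_AGE):
    """Return (account name, finding) tuples, one per detected weakness."""
    findings = []
    for acc in accounts:
        # "Default passwords not changed": digest matches a known default.
        if acc["pw_digest"] in KNOWN_DEFAULT_DIGESTS:
            findings.append((acc["name"], "default password not changed"))
        # "Temporary accounts not deleted": past its expiry but still present.
        if acc["temporary"] and acc["expires"] and acc["expires"] < today:
            findings.append((acc["name"], "temporary account not deleted"))
        # "Passwords not renewed": older than the rotation policy allows.
        if today - acc["pw_changed"] > max_age:
            findings.append((acc["name"], "password not renewed"))
        # "Invalid accounts not deleted": personal account whose owner left.
        if not acc["builtin"] and acc["owner"] not in active_staff:
            findings.append((acc["name"], "invalid account (owner no longer active)"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_accounts(ACCOUNTS):
        print(f"{name:12s} {finding}")
```

Run against the constructed inventory the audit reports the vendor account still on its default password, the contractor account that expired in February and whose owner has left, and the operator account whose password is older than the policy allows; the engineer's account is clean.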

Page 13

Meeting IEC 62443-3-3 system requirements is easier with a comprehensive Industrial Communication portfolio that is already based on -4-1 and -4-2

SCALANCE: Industrial Communication proven to enable communication in production

Deep Dive
• High availability based on industrial features and industrial design
• Fast & easy integration for new and existing networks based on TIA design
• Easy to use with configuration via Web Based Management or TIA Portal
• Easy device replacement with C-PLUG, also by untrained staff
• For all Ethernet networks: local, wireless and remote

IEC 62443 ready portfolio: Wired, Wireless, Remote, Security, Software
• Industrial features
• Industrial design
• Fast & easy integration
• Indoor and outdoor applications
• Several country approvals
• Real-time capability
• Different media (DSL, UMTS, LTE)
• Transparent connectivity
• Easy enrollment with SINEMA RC
• Transparency for the industrial network
• Integration into HMI / SCADA systems
• Firewall & VPN
• Remote access
• Fits industrial security concepts

Page 14

System Integrity / Secure communication certificates

Siemens is the leading vendor of Achilles Level 2 certified products
+ Protection against DoS attacks
+ Defined behavior in case of attack
• Improved availability
• International standard

Certified CPUs: LOGO!, S7-300 PN/DP, S7-400 PN/DP, S7-1500 and 1505S, S7-1200, S7-400 HF CPU V6.0, S7-410-5H
Certified CPs: CP343-1 Advanced, CP443-1 & Advanced, CP1243-1, CP1543-1, CP1628
Certified DP: ET 200 PN/DP CPUs, ET 200SP PN CPUs
Certified Firewalls: SCALANCE S602, S612, S623, S627-2M

Page 15

Network Security

Use switch hardening!
• Use a password
• Use VLANs
• Disable DCP write
• Enable Management Access List
• Broadcast limitation
• Disable unused ports
• Enable SNMP V3

Page 16

Checklist for Setting Up SCALANCE Devices

The checklist focuses on:
• Using the latest firmware
• Disabling unencrypted protocols
• Changing default passwords
• Setting up time synchronization
• PROFINET
• Dynamic Configuration Protocol (DCP)
• Quality of service – traffic prioritization
• Redundancy
• Wireless LAN
• Configuration backup
• Additional settings, e.g. port settings, Syslog, etc.

"Secure by design", but not "secure by default"

https://support.industry.siemens.com/cs/ww/en/view/109745536
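The switch-hardening list on the previous slide and the setup checklist above are the same kind of thing: settings a device ships with that are insecure until someone changes them. The following is an added example, not code from the deck, from Siemens or from the linked checklist: it evaluates a constructed settings record (the field names, service names, version strings, subnets and port table are all assumptions; a real audit would read them from the device's export or SNMP) against those checklist items, and then shows the same record after the checklist has been applied, which should produce no findings.

```python
"""Hardening-checklist evaluator for an industrial switch configuration.

Added example (not from the slide deck). The settings schema and every
value in DEVICE are constructed for illustration.
"""
import copy
import re

# Services the checklist says to disable because they carry credentials or
# configuration in clear text (assumed service names in the settings record).
UNENCRYPTED = ("telnet", "http", "snmp_v1_v2c")

# Constructed "as shipped and lightly configured" device record.
DEVICE = {
    "name": "sw-cell-01",
    "firmware": "V4.0.1",
    "latest_firmware": "V4.1.3",        # in practice taken from the vendor's download page
    "services": {"telnet": True, "ssh": True, "http": True, "https": True,
                 "snmp_v1_v2c": True, "snmp_v3": False},
    "management_acl": [],               # empty: management reachable from any host
    "ntp_servers": [],
    "dcp_write_enabled": True,
    "broadcast_limiter": False,
    "syslog_servers": ["10.0.10.5"],
    "ports": {
        "P1": {"admin_up": True, "link_up": True, "vlan": 10},
        "P2": {"admin_up": True, "link_up": True, "vlan": 10},
        "P3": {"admin_up": True, "link_up": False, "vlan": 1},   # enabled but unused
        "P4": {"admin_up": False, "link_up": False, "vlan": 1},  # already disabled
    },
}


def parse_version(v):
    """'V4.1.3' -> (4, 1, 3); tuples compare numerically, unlike the strings."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def check_device(dev):
    """Return one finding string per checklist item the record violates."""
    f = []
    if parse_version(dev["firmware"]) < parse_version(dev["latest_firmware"]):
        f.append(f"firmware {dev['firmware']} older than latest {dev['latest_firmware']}")
    for svc in UNENCRYPTED:
        if dev["services"].get(svc):
            f.append(f"unencrypted protocol enabled: {svc}")
    if not dev["services"].get("snmp_v3"):
        f.append("SNMP v3 not enabled")
    if not dev["management_acl"]:
        f.append("management access list empty (management reachable from any host)")
    if not dev["ntp_servers"]:
        f.append("time synchronization not configured")
    if dev["dcp_write_enabled"]:
        f.append("DCP write enabled (device name/IP can be changed over the network)")
    if not dev["broadcast_limiter"]:
        f.append("broadcast limitation disabled")
    if not dev["syslog_servers"]:
        f.append("no Syslog server configured")
    ports = dev["ports"]
    for name, p in ports.items():
        if p["admin_up"] and not p["link_up"]:
            f.append(f"unused port {name} not disabled")
    if all(p["vlan"] == 1 for p in ports.values()):
        f.append("no VLAN segmentation (all ports in default VLAN 1)")
    return f


def hardened_copy(dev):
    """Apply the checklist to a copy of the record, leaving the original intact."""
    h = copy.deepcopy(dev)
    h["firmware"] = h["latest_firmware"]
    for svc in UNENCRYPTED:
        h["services"][svc] = False
    h["services"]["snmp_v3"] = True
    h["management_acl"] = ["10.0.10.0/24"]   # constructed engineering subnet
    h["ntp_servers"] = ["10.0.10.1"]         # constructed time source
    h["dcp_write_enabled"] = False
    h["broadcast_limiter"] = True
    for p in h["ports"].values():
        if not p["link_up"]:
            p["admin_up"] = False
    return h


if __name__ == "__main__":
    for finding in check_device(DEVICE):
        print("FAIL", finding)
    print("after hardening:", check_device(hardened_copy(DEVICE)) or "no findings")
```

The version comparison is done on integer tuples because comparing "V4.10.0" to "V4.9.9" as strings would rank the older release higher; the port rule flags only ports that are administratively up with no link, which is the usual sign of a port nobody uses.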

Page 17

Network Management with SINEMA Server V14

… helps to fulfill IEC 62443 requirements…
• Password management
• Firmware update
• Syslog / SNMP management
• Firewall / NAT rule management
• NAT V2 support
• Config. backup / restore

Page 18

IEC 62443

Security measures are scalable!

[Figure: matrix of protection levels PL 1 to PL 4 against the areas Organize Security, Secure Network Design, Secure Operations, Secure Lifecycle management and Secure Physical Access; the measures of each level add to those of the level below.]

Secure Physical Access, in increasing level:
• Locked building/doors with keys
• Doors with card reader
• Revolving doors with card reader
• Revolving doors with card reader and PIN; video surveillance and/or iris scanner at door

Further measures in the matrix:
• Awareness training (e.g. operator awareness training)
• Network segmentation, firewall protection (e.g. SCALANCE S)
• Security logging on all systems, backup / recovery system
• Mandatory rules on USB sticks (e.g. whitelisting) …
• Automated backup / recovery
• No e-mail, no WWW, etc. in the secure cell
• 2 PCs (secure cell / outside)
• 2-factor authentication for remote access…
• Remote access with cRSP or equivalent
• Monitoring of all human interactions
• Dual approval for critical actions
• Firewalls with fail close (e.g. next generation firewall)
• Monitoring of all device activities
• Online security functionality verification
• Persons responsible for security within own organization
• Continuous monitoring (e.g. SIEM), backup verification
• Mandatory security education
• Physical network segmentation or equivalent (e.g. SCALANCE)
• Remote access restriction (e.g. need-to-connect principle)

Page 19

Industrial Security

Security of Siemens Products
• We do product design for fundamental system hardening
• We adapted PLM, SCM, and CRM processes to fulfil IEC 62443 requirements
• We do 3rd-party product certifications

Page 20

Industrial Security

Security Vulnerability Handling
• We created a sophisticated team of security experts and a Product Computer Emergency Response Team (ProductCERT)
• We maintain open communication with customers
• We make advisories and updates available on a public website

Page 21

Security Lifecycle Certification: IEC 62443 with TÜV SÜD

Page 22

Elektronikwerk Amberg: we use what we sell!

Implementation and operation of Industrial Security Monitoring

Profile
Elektronikwerk Amberg is a prime example of a digital factory. The factory uses cutting-edge technologies to produce approximately fifteen million SIMATIC products each year.

Challenge
• Highly sensitive IT-controlled processes
• Fully networked automation environment
• Comprehensive data flow and database
• Protection against industrial espionage, manipulation and hacker activities

Solution
• Implementation of Defense in Depth with S7-1500 and SCALANCE S using TIA Portal
• Monitoring of security-relevant events
• Monthly status report on plant and system security
• Recommendations for optimizing the level of protection

Customer benefit
• Protection of networks and TIA components according to the defense-in-depth security concept
• Solid, in-depth security information thanks to Security Information and Event Management (SIEM – CSOC)
• Continuous optimization of the security concept
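"Monitoring of security-relevant events" means turning raw device logs into events a SIEM can act on. The following is an added example, not code from the deck, from Siemens or from the Amberg installation: the Syslog excerpt is constructed (real SCALANCE message texts differ, and the facility names, thresholds, maintenance window, approved-changer list and documented-unused ports are all assumptions). It applies three rules a plant SOC would typically want: repeated failed logins from one source, configuration changes by an unapproved user or outside the maintenance window, and link-up on a port documented as unused.

```python
"""Security-relevant event detection over switch Syslog messages.

Added example (not from the slide deck). Log lines, message formats,
thresholds and policy inputs are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RFC 3164-style Syslog excerpt as forwarded by a cell switch.
SAMPLE_LOG = """\
Mar 14 02:10:01 sw-cell-01 login: failed login for admin from 10.0.20.77
Mar 14 02:10:04 sw-cell-01 login: failed login for admin from 10.0.20.77
Mar 14 02:10:07 sw-cell-01 login: failed login for admin from 10.0.20.77
Mar 14 02:10:09 sw-cell-01 login: failed login for admin from 10.0.20.77
Mar 14 02:10:12 sw-cell-01 login: failed login for admin from 10.0.20.77
Mar 14 02:11:30 sw-cell-01 login: successful login for admin from 10.0.20.77
Mar 14 02:12:05 sw-cell-01 config: configuration changed by admin (vlan)
Mar 14 08:30:15 sw-cell-01 port: link up on port P3
Mar 14 09:15:42 sw-cell-01 config: configuration changed by m.korff (ntp)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"failed login for (?P<user>\S+) from (?P<src>\S+)")
CHANGE_RE = re.compile(r"configuration changed by (?P<user>\S+)")
LINKUP_RE = re.compile(r"link up on port (?P<port>\S+)")

# Policy inputs (assumed): who may change configuration and when, and which
# ports the last audit documented as unused.
APPROVED_CHANGERS = {"m.korff"}
MAINTENANCE_WINDOW = (8, 18)                 # local hours, start inclusive, end exclusive
UNUSED_PORTS = {"P3", "P4"}
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=2)
LOG_YEAR = 2017                              # RFC 3164 timestamps carry no year


def parse_line(line):
    """Split one Syslog line into (timestamp, host, facility, message) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["facility"], m["msg"]


def detect_events(log_text):
    """Return (timestamp, rule, detail) tuples for every rule that fires."""
    events = []
    failures = defaultdict(list)   # (user, source) -> recent failed-login times
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, host, _facility, msg = parsed
        if (m := FAILED_RE.search(msg)):
            key = (m["user"], m["src"])
            # Sliding window: keep only failures within FAIL_WINDOW of this one.
            recent = [t for t in failures[key] if ts - t <= FAIL_WINDOW] + [ts]
            failures[key] = recent
            if len(recent) == FAIL_THRESHOLD:   # fire once when the threshold is reached
                events.append((ts, "brute_force",
                               f"{host}: {FAIL_THRESHOLD} failed logins for {m['user']} from {m['src']}"))
        elif (m := CHANGE_RE.search(msg)):
            user = m["user"]
            in_window = MAINTENANCE_WINDOW[0] <= ts.hour < MAINTENANCE_WINDOW[1]
            if user not in APPROVED_CHANGERS or not in_window:
                events.append((ts, "unapproved_change",
                               f"{host}: configuration changed by {user} at {ts:%H:%M}"))
        elif (m := LINKUP_RE.search(msg)):
            if m["port"] in UNUSED_PORTS:
                events.append((ts, "unexpected_link",
                               f"{host}: link up on documented-unused port {m['port']}"))
    return events


if __name__ == "__main__":
    for ts, rule, detail in detect_events(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:18s} {detail}")
```

On the constructed excerpt the rules fire three times: the fifth failed login at 02:10:12, the night-time configuration change by the built-in admin account, and the link-up on port P3; the daytime change by the approved engineer is silent. The brute-force rule fires exactly once per burst because it triggers only when the window count reaches the threshold, which keeps a SIEM from being flooded by one noisy source.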

Page 23

Reference Center Industrial Security

… discover more – concepts, products and news!

From customers for customers!
Customers report on real applications from all sectors
webservices.siemens.com/references

Security functions in less than 10 minutes with the TIA Portal!

Questions? Contact our expert team
Automation Tasks: www.industry.siemens.com/topics
Security Experts: [email protected]

RSS Feed
Always up to date! RSS feed on vulnerabilities and warnings

Internet
Detailed concept information and news on vulnerabilities: news/alerts, products/concepts, whitepapers
www.siemens.com/industrialsecurity

Page 24

Thank you for your attention!

Maximilian Korff

Product Sales Development

Siemens AG, PD PA S CI PSD

Gleiwitzer Str. 555

90475 Nuremberg

Mobile: +49 (173) 9128143

E-mail: [email protected]

siemens.com/network-security

Page 25

Security law for Critical Infrastructure Protection (CIP) in Germany

Minimum standards for IT security
• Minimum standards are currently being worked out
• Compliance with the minimum standards will be regularly reviewed by the Federal Office for Information Security
• Fines up to EUR 100,000
• Expected to commence in March 2018

Mandatory reporting requirements
• Mandatory reporting requirements to the Federal Office for Information Security for IT security incidents
• Including the requirement to establish a point of contact with the Federal Office for Information Security
• Fines up to EUR 50,000
• Expected to commence in November 2016

Industries
Part 1:
• Energy
• Water, wastewater
• Food
• Information technology and telecommunications
Part 2:
• Health
• Transport and transportation
• Finance and insurance industry, media and culture
All sites with 500,000 or more customers are affected

NEW: Siemens proposal
• Assess security: security status and development of a security timetable
• Cyber security operations center: continuous security monitoring of facilities
• Security integrated portfolio: implementation of the minimum standards to reduce costs
• Integrated engineering: efficient implementation in the automation project