Protecting Productivity Industrial Security · 2018-08-23 · • Use of McAfee Command Line...

Unrestricted / © Siemens AG 2016. All Rights Reserved. siemens.com/industrialsecurity Protecting Productivity Industrial Security


Protecting Productivity

Industrial Security


January 2016

• Introduction
• The Siemens Solution
• Application Examples
• Benefits of Working with Siemens


Security Trends

Globally we are seeing more network connections than ever before

Source: World Economic Forum, 50 Global Risks

Trends Impacting Security

• Cloud Computing approaches

• Increased use of Mobile Devices

• Wireless Technology

• Reduced Personnel Requirements

• Smart Grid

• The worldwide and remote access to remote plants, remote machines and mobile applications

• The “Internet of Things”


Industrial Security

The corporate security chain is only as strong as its weakest link

Security Can Fail at Any of these Points

• Employees
• Smartphones
• Laptops
• PC workstations
• Network infrastructure
• Mobile storage devices
• Tablet PC
• Computer center
• Policies and guidelines
• Printer
• Production systems/plants


Industrial Security

Vulnerability disclosures are headline news

Pressure SCADA Developers on Security

Dangerous Security Holes in U.S. Power Plant & Factory Software

Hacking the Grid

U.S. at Risk of Hack Attack

Aging industrial control systems increasingly vulnerable to cyber attack

Feb. 12, 2013: “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses... Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”

- U.S. President Barack Obama

Source: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf

In the ICS-CERT fiscal year (October 2013 until September 2014), ICS-CERT analyzed 245 attacks on control systems in the USA.


Industrial Security

Why has industrial security become so important?

Main Trends Impacting the Vulnerability of Oil & Gas Operations

• Horizontal and vertical integration at all network levels
• Connection of automation networks with IT networks and the Internet for remote maintenance
• Increased use of open standards and PC-based systems
• Possible threats increased due to these trends:
  • Access violation through unauthorized persons
  • Espionage and manipulation of data
  • Damages and data loss caused by malware
• Several security incidents reveal the vulnerability of oil & gas operations.


Industrial Security

Cyber vulnerabilities can affect your facility at many levels

The Need to Act Because of Cyber Security Vulnerabilities

• Loss of intellectual property…
• Sabotage of production facilities
• Downtime, e.g. caused by virus and malware
• Manipulation of data or application software
• Unauthorized use of system functions
• Regulations and standards for industrial security require conformance
  • Regulations: FDA, NERC CIP, CFATS, CPNI, KRITIS
  • Standards: ISA 99, IEC 62443


Industrial Security

BSI: Top 10 threats for ICS

Overview of the top 10 threats 2012

1. Unauthorized use of remote maintenance access
2. Online attacks via office/enterprise networks
3. Attacks against standard components used in the ICS network
4. (Distributed) denial-of-service ((D)DOS) attacks
5. Human error and sabotage
6. Introduction of harmful code via removable media and external hardware
7. Reading and writing messages in the ICS network
8. Unauthorized access to resources
9. Attacks on network components
10. Technical faults and acts of God

Source: BSI analysis on cyber security 2012

Overview of the top 10 threats 2014

1. Infection with harmful software via the Internet and Intranet
2. Introduction of harmful software via removable media and external hardware
3. Social engineering
4. Human error and sabotage
5. Unauthorized use of remote maintenance access
6. Internet-connected control components
7. Technical faults and acts of God
8. Compromised smartphones in the production environment
9. Compromised Extranet and cloud components
10. (Distributed) denial-of-service ((D)DOS) attacks

Source: BSI analysis on cyber security 2014


Industrial Security

The Defense in Depth Concept

Security threats demand action

Facility security
• Physical access protection
• Processes and guidelines
• Security service protecting production plants

Network security
• Cell protection, DMZ and remote maintenance
• Firewall and VPN

System integrity
• System hardening
• Authentication and user administration
• Patch management
• Detection of attacks
• Integrated access protection in automation

Security solutions in an industrial context must take account of all protection levels


Industrial Security

Solution for facility security

Facility Security

Network security

System integrity


Industrial Security

Security Management

Security Management is essential for a well thought-out security concept

Security Management Process

• Risk analysis with definition of mitigation measures
• Setting up policies and coordination of organizational measures
• Coordination of technical measures
• Regular / event-based repetition of risk analysis

[Figure: cycle numbered 1 to 4; labels: Technical measures, Risk analysis, Validation & Improvement, Policies / Organizational measures]


Siemens Security Services

Complete service portfolio aligned with Risk Management methodology

• Security Assessments: Evaluation of the current security status of an ICS environment
• Security Implementations: Risk mitigation through implementation of security measures for reactive protection
• Security Management: Comprehensive security through monitoring and pro-active protection


A risk-based Approach with Security Assessments

Security Assessment

Identify security gaps and measures for risk mitigation
• According to ISO 27001 and IEC 62443 regulations
• Available for Siemens and third party systems
• Question-based
• Recommendations for risk mitigation (Report up to 30 pages)

SIMATIC WinCC / PCS 7 Security Assessment

Identify security gaps and measures for risk mitigation in the context of PCS 7
• In accordance with SIMATIC PCS 7 & WinCC security concept
• Customized for SIMATIC PCS 7 & WinCC systems
• Question-based
• Recommendations for risk mitigation (Report up to 30 pages)

Risk and Vulnerability Assessment

Identify, classify and evaluate risks; risk-based security program
• Data-based analysis of threats, vulnerabilities and gaps (plus scenarios)
• Risk classification and scoring considering the evaluation of criticality
• Recommendations for risk mitigation controls (Report contains more than 100 pages)
• Basis for a risk-based security program


Risk Mitigation through Implementation Controls

ICS* Policies & Procedures Consulting

Establish standard practice in ICS cyber security
• Establish new / review existing ICS security policies, processes + procedures which influence plant security
• Integration with enterprise cyber security practice
• Implementation of recommendations
• Examples: Patch- and Backup-Strategy, handling of removable media, …

Network Security Consulting

Support on secured network design and setup
• Cell segmentation in security cells based on IEC62443 and SIMATIC PCS 7 & WinCC security concept
• Planning of DMZ network (perimeter)
• Plant Perimeter Firewall rule establishment / review and implementation

Perimeter Protection Firewall Installation

First line of defense against highly developed threats
• Based on Automation Firewall Appliance
• Installation, configuration, commissioning, test and backup of firewall system and traffic rules
• Consideration of customer-specific applications (e.g. fine-tuning of intrusion detection/prevention system (IDS/IPS))

Plant Security Monitoring Installation (SIEM*)

Rule-based monitoring of security status for industrial plants
• SIEM is a log-file based solution to monitor the security status of an environment and identify threats and security-relevant events
• Definition of monitoring scenarios based on system-specific threat vectors and the existing infrastructure
• Installation of SIEM system (HW and SW) and integration and configuration of security relevant event logging

* ICS: Industrial Control System
* SIEM: Security Information and Event Management


Risk Mitigation through Implementation Controls

Clean Slate Validation

Validate “clean-slate” status of environment
• Identification of security gaps thanks to virus scanning with two different scan engines
• Use of McAfee Command Line Scanner and Kaspersky Rescue Disk
• No installations required: Use of USB stick and Command Lines

Windows Local Policy Deployment

System hardening: Establish asset OS host-security baseline
• Analysis of plant environment and configuration of local Windows® policies
• Checklist-based use of CIS-CAT
• Requires system restart

Windows Group Policy Deployment

System hardening: Establish asset OS host-security baseline
• Analysis of plant environment and configuration of Windows® policies for active directory groups
• Checklist-based use of CIS-CAT
• Requires system restart

Windows Patch Deployment

Installation of Microsoft OS patches
• Installation of automation vendor validated and customer approved Microsoft® OS patches via customer-owned WSUS server
• Consideration of compatibility: Patches recommended by the supplier of automation technology AND authorized by the customer


Risk Mitigation through Implementation Controls

Virus Protection Installation

Virus protection solution for malware detection and prevention
• Installation and configuration of virus protection software (McAfee Agents)
• Installation of the McAfee ePO* central management console recommended when more than 10 anti-virus agents installed
• Compatibility consideration for SIMATIC PCS 7 Systems

Whitelisting Installation

White-listing solution for malware detection and prevention
• Installation of whitelisting software (McAfee Application Control)
• Installation of the McAfee ePO central management console recommended when more than 10 white-listing agents installed
• Compatibility consideration for SIMATIC PCS 7 Systems

Disaster Recovery Support: System Backup

ICS system backup
• Performance of one-time backup of systems in plant environment
• Symantec System Recovery software procured and owned by customer

* ePO: ePolicy Orchestrator


Siemens Cyber Security Operations Center

Continuous & proactive protection for your ICS environment

• Facility Security Services powered by Siemens Cyber Security Operations Center for comprehensive security management
• Security analysts proactively monitor vulnerability and cyber threat activity globally, to deliver real-time communication alerts and advisories
• When global threat intelligence indicates an elevated risk, the Cyber Security Operations Center defines and delivers the appropriate proactive defensive measures
• If an incident is detected on your ICS environment, the Cyber Security Operations Center will coordinate the incident response consisting of investigation, forensic analysis and remediation
• Remediation support by a security engineer tailored to severity of incident, impact on your environment and your business needs

[Figure labels: Subscribed Customer (three times); Secure Connection; CSOC Security Management; Continuous Facility Security Monitoring; Incident Handling; Anti-Virus and Whitelisting Management; Facility Perimeter Firewall Management and Firewall Rules Review]


Network Security

Industrial Security

Solution for network security

System integrity

Facility security


Network Security – Essential Network Security use cases

Demilitarized zone (DMZ)
• Network services for secure and unsecure network
• Prevent direct connections
A security module controls the access

Secure redundancy
• Higher reliability and availability of secure connection
Security modules in synchronized standby mode

Remote access
• Remote programming and monitoring
• Access via internet and mobile networks
Encryption and secured access via VPN

Cell protection
• System is divided into separated cells
• All communication into the cells is controlled
Communication is secured by firewall mechanisms

[Figure labels: Secure zone; DMZ zone; Unsecure zone; MRP ring (CU or fiber optic)]


Industrial Security

Security Integrated – Overview

Siemens products with Security Integrated provide security features such as integrated firewall, VPN communication, access protection, and protection against manipulation.


Industrial Security Services

Security Packages - Automation Firewall

Customer Requirement

Validated solutions for secure network-segmentation, threat-management and secure web access from the system.

Our Solution

The Firewall package offers front-/back-firewall or 3-homed firewall, as well as access point firewall functionality with additional services. It supports extensive threat management.

As a standard, we offer the “Automation Firewall” as a tested and validated solution for the implementation with PCS 7, WinCC and SIMATIC NET products.

Additional services support customized solutions and additions, for example monitoring or security management (see Plant Security Services portfolio).


System integrity

Industrial Security

Solution for network security

Facility security

Network security


Industrial Security

SIMATIC S7-1200, S7-1500 and the TIA Portal

Security Highlights

The SIMATIC S7-1200 V4, S7-1500 and the TIA Portal provide several security features:

• Increased Know-How Protection in STEP 7
  Protection of intellectual property and effective investment:
  • Password protection against unauthorized opening of program blocks in STEP 7 and thus protection against unauthorized copying of e.g. developed algorithms
  • Password protection against unauthorized evaluation of the program blocks with external programs
    • from the STEP 7 project
    • from the data of the memory card
    • from program libraries

• Increased Copy Protection
  Protection against unauthorized reproduction of executable programs:
  • Binding of single blocks to the serial number of the memory card or PLC
  • Protection against unauthorized copying of program blocks with STEP 7
  • Protection against duplicating the project saved on the memory card


Industrial Security

SIMATIC S7-1200, S7-1500 and the TIA Portal

Security Highlights

The SIMATIC S7-1200 V4, S7-1500 and the TIA Portal provide several security features:

• Increased Access Protection (Authentication)
  Extensive protection against unauthorized project changes:
  • New degree of Protection Level 4 for PLC, complete lockdown (also HMI connections need password) *
  • Configurable levels of authorization (1-3 with own password)
  • For accessing over PLC and Communication Module interfaces
  • General blocking of project parameter changes via the built-in display

• Expanded Access Protection
  Extensive protection against unauthorized project changes:
  • Via Security CP1543-1 by means of integrated firewall and VPN communication

• Increased Protection against Manipulation
  Protection of communication against unauthorized manipulation for high plant availability:
  • Improved protection against manipulated communication by means of digital checksums when accessing controllers
  • Protection against network attacks such as intrusion of faked / recorded network communication (replay attacks)
  • Protected password transfer for authentication
  • Detection of manipulated firmware updates by means of digital checksums

* Optimally supported by SIMATIC HMI products and SIMATIC NET OPC Server


Industrial Security

SIMATIC Logon

Customer Requirement

• Central, system-wide user management
• Conforms with the requirements of the Food and Drug Administration (FDA)
• Configuration at runtime (add / lock / remove user accounts)
• High security through being based on MS Windows
• Supports domain concept and Windows workgroups

Our Solution

Secure access control with SIMATIC Logon

User Management of WinCC based on SIMATIC Logon with…

• Central administration (incl. password aging, auto logoff after inactivity time or multiple wrong password entries, lock screen)
• Configuration at runtime (add / lock / remove user accounts)
• All WinCC configurations are supported, including web
• Supports domain concept and Windows workgroups

User management and authentication for the security of your plant


Industrial Security

Antivirus and whitelisting

Customer Requirement

Detection and prevention of Viruses, Worms and Trojans

Protection against:
• Malicious or unwanted Software
• Manipulation

Our Solution

Antivirus and whitelisting solutions provide different security functions:

• Protection against Viruses, Worms and Trojans

• Stop unauthorized applications and malware


Industrial Security

SIMATIC supports all protection levels

The interfaces are subject to regulations - and are monitored accordingly.

Implementation of Security Management

The control level must be protected.

PC-based systems must be protected.

Communication must be monitored and can be segmented.


Industrial Security

Overview: Application Examples Network Security

Adapted measures for production

Network Access Control
• Interface to IT networks: Secure architecture with DMZ
• Secure Remote Access via Internet
• Local network access (port security) via device and user authentication

Cell Protection
• Risk mitigation through network segmentation
• Extension of the cell protection concept with
  • Security PC- and S7-CPs
  • Flexible VLAN configuration (S615)

Redundancy
• Protection of redundant network topologies and secure redundant connection of underlying networks or rings

– Products with firewall or VPN functionality


Cell Protection and network segmenting

Task
For risk minimization, a large automation network is to be segmented into several security areas. The individual segments are subject to different requirements.

Solution
Individual segments are secured with a SCALANCE S or a Security communication processor, which controls access to the lower-level segment by means of a firewall. An S615 placed upstream of a segment is able to secure multiple further lower-level cells by means of VLAN.


Construction of a demilitarized zone (DMZ) e.g. for data server access

Task
Network users (e.g. MES servers) should be reachable from the secure and non-secure network without creating a direct connection between the networks.

Solution
A DMZ can be established on the yellow port with the SCALANCE S623, in which the aforementioned server can be placed.


VPN for secure remote maintenance

Task
System access via the Internet using an encrypted VPN tunnel.

Solution
Starting point (e.g. system integrator): e.g. SSC, CP1628 or SCALANCE M as VPN client
End point (e.g. end client system): SCALANCE S623 as VPN server
• Red port: Connection to plant network
• Yellow port: Connection of modem / router
• Green port: Connection of secure cells


Secure and redundant connection of an underlaid ring with the plant network

Task
A ring is to be connected to the plant network in a secure and redundant way.

Solution
The ring is connected via the ports of the second media module (green ports) and the plant network is connected via the ports of the first media module (red ports) with SCALANCE S627-2M. A second redundant SCALANCE S627-2M is connected in the same way and is in a stand-by-linking. The state comparison is done via a synch-connection between the yellow ports.

Alternatively:
The ring is connected via the ports of the second media module (green ports) and the plant network is connected to the red RJ45 port with SCALANCE S627-2M. A second redundant SCALANCE S627-2M is connected in the same way and is in a stand-by-mode. The state comparison is done via the yellow ports.

*) alternatively to MRP the ring could be also an HRP ring


Secure and redundant connection of an Automation Cell to a Ring

Task
An automation cell is to be connected to a ring in a secure and redundant way.

Solution
The ring is connected via the ports of the first media module (red ports) and the automation cell is connected via the ports of the second media module (green ports) with SCALANCE S627-2M. A second redundant SCALANCE S627-2M is connected in the same way and is in a stand-by-linking. The state comparison is done via the yellow ports.

Alternatively:
The ring is connected via the red RJ45 port and the automation cell is connected via the second media module (green ports) with SCALANCE S627-2M. A second redundant SCALANCE S627-2M is connected in the same way and is in a stand-by-linking. The state comparison is done via the yellow ports.

*) alternatively to MRP the ring could be also an HRP ring


Access control and network separation through firewalls

Task
The communication between the automation network and a separated automation cell with an S7-1500 controller should be controlled and secured.

Solution
The CP1543-1 secures the S7-1500 controller with integrated security functions (firewall and VPN) against unauthorized access, espionage and manipulation. The network separation also makes it possible to use identical networks or machines with the same IP addresses.


Industrial Security

Security Integrated (Firewalls) in TIA Portal: Configuration of the User Management

Task
Configuration of the User Management for Security Integrated products (Firewalls) and assignment of roles and rights in TIA Portal

Solution
Step 1: Navigate to global security settings and open the User Management folder.

Step 2: Click the “user” tab to assign user names and passwords for the predefined system roles “Administrator”, “Standard” and “Diagnosis”. Optionally, additional roles can be added.

Step 3: Click the “roles” tab to assign the engineering and device rights to the different roles via a specific list of rights.


Industrial Security

SIMATIC S7-1500 and TIA Portal: Setup of Security features including protection level

Task
Set up security features, including the protection level, for a SIMATIC S7-1500 connected to an HMI device.

Solution
STEP 1: Select the SIMATIC S7-1500 in the device view or network view and select the properties view of the SIMATIC S7-1500.

STEP 2: Navigate to the Display properties and set the password for the display.

STEP 3: Navigate to the Web server properties, enable the web server and activate https. Afterwards add a user and assign access rights to the new user.

STEP 4: Navigate to the Protection properties and set the protection level.
Note: “Complete protection” means protection level 4.

STEP 5: Enter the password for the HMI communication.


Industrial Security

System hardening with whitelisting

Example 1
The maintenance for an operating system on a computer important for production requires:

• Reboot after the installation of security patches.
• During this update process the production needs to be stopped.

Solution
The time interval for maintenance can be extended by setting up whitelisting on this computer:

• Since only predefined software runs on this computer, security patches need to be installed less frequently.
• Accordingly, the production process needs to be stopped less frequently.

Example 2
The Microsoft support for Windows XP ends in 2014. For current versions of mEC controllers this means:

• mEC controllers do not support a 64 bit operating system.
• An mEC controller supporting a 64 bit operating system is expected after 2014.

Solution
The lifetime of an mEC controller can be extended by setting up whitelisting on such a controller:

• Since only predefined software runs on this controller, it may still be used for a certain period of time even after 2014 without further security patches.


Industrial Security

Siemens Vertical Expertise: Chemical

Chemical Environment
• Chemical Environment
• Production Flexibility
• Operational Efficiency
• Product Quality

Industrial Security provides
• Increased Plant Availability
• Secure User Access

Industrial Security to keep your plant running securely


Industrial Security

Customer benefits...

• Security is at the Core of TIA
• Increased Protection
• Increased Plant Availability
• Reduced Risk
• Intellectual Property Protection
• Complete Security Life-Cycle Support

[Figure labels: Facility security; Network security; System integrity]

Protecting productivity with Industrial Security from Siemens


Summary: Industrial Security

The Defense in Depth Concept in Detail

[Figure labels: Potential Attack; DCS/SCADA*]

* DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition

Facility Security

Physical Security
• Physical access to facilities and equipment

Policies & procedures
• Security management processes
• Operational Guidelines
• Business Continuity Management & Disaster Recovery

Network Security

Security cells & DMZ
• Secure architecture based on network segmentation

Firewalls and VPN
• Implementation of Firewalls as the only access point to a security cell

System Integrity

System hardening
• Adapting system to be secure by default

User Account Management
• Access control based on user rights and privileges

Patch Management
• Regular implementation of patches and updates

Malware detection and prevention
• Anti Virus and Whitelisting


Industrial Security

Security Information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens’ products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.


DISCLAIMER/ TERMS OF USE:

THE INFORMATION PROVIDED HEREIN IS PROVIDED AS A GENERAL REFERENCE REGARDING THE USE OF THE APPLICABLE PRODUCTS IN GENERIC APPLICATIONS. THIS INFORMATION IS PROVIDED WITHOUT WARRANTY. IT IS YOUR RESPONSIBILITY TO ENSURE THAT YOU ARE USING ALL SIEMENS PRODUCTS PROPERLY IN YOUR SPECIFIC APPLICATION. ALTHOUGH THIS SITE STRIVES TO MAINTAIN ACCURATE AND RELEVANT INFORMATION, THERE IS NO OFFICIAL GUARANTEE THAT THE INFORMATION PROVIDED HEREIN IS ACCURATE. IF YOU USE THE INFORMATION PROVIDED HEREIN IN YOUR SPECIFIC APPLICATION, PLEASE DOUBLE CHECK ITS APPLICABILITY AND BE ADVISED THAT YOU ARE USING THIS INFORMATION AT YOUR OWN RISK. THE PURCHASER OF THE PRODUCT MUST CONFIRM THE SUITABILITY OF THE PRODUCT FOR THE INTENDED USE, AND ASSUME ALL RISK AND LIABILITY IN CONNECTION WITH THE USE.


Niraj Kachhadia

Business Development

DF FA

Phone: 510-364-5403

E-Mail: [email protected]

Thank you for your attention!

usa.siemens.com/industrialsecurity