Unrestricted / © Siemens AG 2016. All Rights Reserved.
CLASS 2016 Protection of real time industrial communication protocols and its technical impacts
Márcio Santos
SIEMENS
19.05.2016
Who are we?
Global presence
Close to customers all over the world

Revenue by customer location and employees as of September 30, 2015 (all figures refer to continuing operations; CIS: Commonwealth of Independent States):

Region                                                Revenue         Share of total worldwide   Employees   Share of total worldwide
Americas                                              €21.7 billion   29%                        73,500      21%
Europe (excluding Germany), CIS, Africa, Middle East  €27.6 billion   36%                        98,800      28%
Germany                                               €11.2 billion   15%                        114,000     33%
Asia, Australia                                       €15.1 billion   20%                        61,500      18%

[Figure: market development (illustrative), today versus mid term 2020, for Electrification, Automation and Digitalization]
168 years of innovation
Milestones (timeline 1840 to 2020)
1847 Werner von Siemens founds the company
1847 Pointer telegraph
1866 Dynamo
1879 Electric train
1881 Electric streetcar
1881 Telephone switchboard
1924 Traffic light
1935 Coaxial cable
1939 Electron microscope
1953 High-purity silicon
1958 Heart pacemaker
1959 Simatic (electronic automation)
1962 Thyristors for energy transmission
1965 Integrated circuit
1974 Computed tomography scanner
1985 ICE, top speed 300 km/h
1988 Megabit chip
2000 Wind turbine rotor blades in one cast
2000 syngo user interface
2009 World record gas turbine, 370 MW
2010 Biograph mMR
2013 PLM Software
2015 Somatom Force
Brazil presence
Close to customers in a continental country
At present, Siemens employs more than 7,000 employees in Brazil, with 12 manufacturing facilities, 7 R&D centers and 13 regional offices.
110 years of innovations
Milestones (timeline 1867 to 2020)
1867 Supply and installation of a telegraph line between Rio de Janeiro and Rio Grande do Sul.
1905 Founding of Cia. Brazileira de Eletricidade Siemens-Schuckertwerke, in Rio de Janeiro.
1922 Installation of Brazil's 1st automatic telephone office in Porto Alegre.
1939 Siemens inaugurates in São Paulo the 1st transformer plant in Brazil.
1955 Installation of Brazil's 1st automatic telephone office in Porto Alegre.
1983 Installation of the first of 18 generator rotors at the Itaipu Hydroelectric Power Plant.
2005 Siemens celebrates its 100th anniversary in Brazil.
2007 Siemens inaugurates the largest Latin American energy equipment plant in Jundiai (São Paulo).
2009 Siemens' first train modernization and assembly center of Latin America, in Cabreúva (São Paulo).
2012 Siemens inaugurates its diagnostic imaging equipment plant in Joinville.
2013 Production and installation of Siemens' first wind turbines in Brazil (Trairi, Ceará).
2015 Siemens celebrates its 110th anniversary in Brazil.
2016 Siemens Foundation celebrates its 30th anniversary.
Flat and market driven organization along the value chain will capture growth opportunities
[Figure: organization chart. Managing Board; go-to-market regions: Americas; Europe, Africa, Middle East, CIS (Commonwealth of Independent States); Asia, Australia; Global Healthcare. Divisions (global P&L): Power and Gas (PG), Wind Power and Renewables (WP), Power Generation Services (PS), Energy Management (EM), Building Technologies (BT), Mobility (MO), Digital Factory (DF), Process Industries and Drives (PD), Healthcare (HC, separately managed), Financial Services (SFS); Corporate Core and Corporate Services.]
Motivation: real-time protocols vs. security frameworks?
Protection of real time industrial communication protocols
Industrial Communication
Vulnerability disclosures are headline news
- "Industrial communications do not have any kind of self protection", says hacker during international hacker conference
- "Hacking the grid in 5 steps"
- "Hackers exploit SCADA holes to take full control of critical infrastructure"
Industrial Communication
5 simple steps for a successful attack: man-in-the-middle attack in 5 simple steps
[Figure: a control system with discrete and analog signals, a switch, a SCADA server and an invader. The exchange "Give me the temperature" / "The temperature is 35" repeats between SCADA server and control system. Invader: "Now I know the temperature value and the communication relation". After the traffic is redirected: "Now I'm the man-in-the-middle: I can change the temperature".]
1. Gain network access
2. Sniff the network packets
3. Discover the communication relations
4. Redirect the communication traffic
5. Be happy and be ethical
Industrial Communication
Important questions regarding industrial communication
[Figure: the same scenario as the previous slide: control system, switch, SCADA server and invader, with the unprotected "Give me the temperature" / "The temperature is 35" exchange.]
5 important questions in this case:
1. No network access protection?
2. No data confidentiality?
3. No data integrity?
4. No user authentication?
5. Is such a configuration common?
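The communication relations the invader discovers in the scenario above are the same relations a defender can baseline and watch. As an added example, not code from the presentation, the following Python learns the IP-to-MAC relations seen on the cell network during an assumed-clean commissioning window and raises an alert when a known address later appears behind a different MAC or one MAC starts answering for several addresses; the observations and MAC addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample ARP observations (not from the slides): (seconds, sender IP, sender MAC).
# The IP addressing mirrors the 192.168.0.x cell used later in the deck.
OBSERVATIONS = [
    (0.0, "192.168.0.1", "08-01-e1-00-ff-01"),   # SCADA server
    (0.5, "192.168.0.2", "08-01-e1-00-ff-02"),   # PLC
    (10.0, "192.168.0.1", "08-01-e1-00-ff-01"),
    (42.0, "192.168.0.2", "aa-bb-cc-dd-ee-ff"),  # PLC's IP now claimed by another MAC
    (43.0, "192.168.0.7", "aa-bb-cc-dd-ee-ff"),  # the same MAC also claims a new IP
]

def learn_baseline(observations, learning_window=30.0):
    """Record the first MAC seen for every IP during the (assumed clean) window."""
    baseline = {}
    for t, ip, mac in observations:
        if t <= learning_window and ip not in baseline:
            baseline[ip] = mac
    return baseline

def detect(observations, baseline, learning_window=30.0):
    """Return one alert string per deviation observed after the learning window."""
    alerts = []
    ips_per_mac = defaultdict(set)
    for t, ip, mac in observations:
        if t <= learning_window:
            continue
        expected = baseline.get(ip)
        if expected is None:
            alerts.append(f"t={t}: unknown host {ip} at {mac}")
        elif expected != mac:
            alerts.append(f"t={t}: {ip} moved from {expected} to {mac} (possible redirection)")
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append(f"t={t}: {mac} claims several IPs {sorted(ips_per_mac[mac])}")
    return alerts

if __name__ == "__main__":
    base = learn_baseline(OBSERVATIONS)
    for alert in detect(OBSERVATIONS, base):
        print(alert)
```

On a static cell network the baseline rarely changes, so a single deviation is worth an operator's attention; planned device replacements should be handled by re-learning the baseline.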
Real-time control: what is it?
Home example
Reservoir level control
[Figure: level (L) versus time (s) between a maximum and a minimum level. The valve is opened and closed, and each transition has a reaction time; the slide marks the point where the reaction time is too long with "Ops!!! Houston, we have a problem!"]
Industrial example
From discrete signals to intelligent field devices
[Figure: three generations of control systems]
- A long time ago: 16 bit control; discrete and analog signals wired to backplane I/O
- Not so long ago: 32 bit control; discrete and analog signals through communication processors on an industrial RS-485 bus
- Now and in the future: 64 bit control; intelligent field devices on an Ethernet bus
Industrial communications vs real-time control
How does it work using Ethernet networks?
[Figure: a PLC connected by Ethernet cable to a sensor system and to field devices, and a PC running Internet Explorer and an SNMP/OPC server. Standard traffic (HTTP, SNMP, sockets) goes through the application layer, TCP/UDP and IP; real-time communication is shown directly beside the Ethernet layer, implemented in an ASIC/FPGA in the PLC.]
Industrial communications vs real-time control
What are the influences of network latency on the control system?
[Figure: oscilloscope capture with several cycles frozen on the screen: sync pulse, 1 ms cycle, 1 µs jitter]
Industrial communications
Different solutions for different challenges in different factories
[Figure: application and communication layers plotted against cycle time and performance reserves for three classes: TCP/IP, real-time and isochronous real-time (layer 2). Cycle-time labels on the figure: up to 31.25 ms, up to 250 ms, 100 ms, 10 ms and 1 ms. Applications: production line, tool machine, print machines, packing machines, storage & logistics, press, robot. Requirements: real time and determinism.]
How to protect real-time industrial networks?
Industrial communications
Industrial communications
The defense in depth concept in detail (potential attack on a DCS/SCADA system; DCS: Distributed Control System, SCADA: Supervisory Control and Data Acquisition)
Plant security
- Physical security: physical access to facilities and equipment
- Policies & procedures: security management processes, operational guidelines, business continuity management & disaster recovery
Network security
- Security cells & DMZ: secure architecture based on network segmentation
- Firewalls and VPN: implementation of firewalls as the only access point to a security cell
System integrity
- System hardening: adapting the system to be secure by default
- User account management: access control based on user rights and privileges
- Patch management: regular implementation of patches and updates
- Malware detection and prevention: anti-virus and whitelisting
Industrial communications
Protection of real-time networks (based on layers 3/4)
Typical layer 3/4 network: a firewall between the untrusted network (192.168.0.1) and the trusted network with PLCs 192.168.0.2 and 192.168.0.3
Expected cycle time: 10~20 ms
Firewall rules:
Direction  Source       Destination  Port
Ext->Int   192.168.0.1  192.168.0.2  502
Ext->Int   192.168.0.1  192.168.0.3  502
Firewall considerations:
- Typical latency: 0.5 ms~5 ms
- Usually a stateful firewall
- Usually only supports layer 3/4 rules
Does the firewall have a significant influence on the cycle time and on the system functionality?
Not at all in this case!!!
Industrial communications
Protection of real-time networks (based on layers 3/4)
Typical layer 3/4 network
Firewall overall performance depends on:
- Hardware or software implementation
- Other embedded functionalities (VPN, router)
- Costs (high-end vs low-end solution)
Source: DataCenters Firewall Comparative Analysis – NSS Labs – 2013
Industrial communications
Protection of real-time networks (based on layers 3/4)
DPI (deep packet inspection) firewall between the untrusted network and the trusted network with PLCs 192.168.0.2 and 192.168.0.3
Expected cycle time: 10~20 ms
Firewall rules (layer 3/4):
Direction  Source       Destination  Port
Ext->Int   192.168.0.1  192.168.0.2  502
Ext->Int   192.168.0.1  192.168.0.3  502
Firewall rules (layer 7):
Destination  Register  Read   Write
192.168.0.2  50001     Allow  Allow
192.168.0.3  50001     Allow  Deny
Firewall considerations:
- The firewall must be able to recognize and interpret the frames, applying additional protection rules
- Theoretically more processing time, but not so critical considering the expected cycle time
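As an added example, not code from the slides or from any Siemens product, the following Python shows what the DPI firewall above has to do for Modbus/TCP on port 502: it applies the layer 3/4 rule first and then interprets the frame to apply the layer 7 register rule, so that a write to register 50001 on 192.168.0.3 is denied while a read is allowed. The MBAP header layout and function codes 3/4/6/16 are standard Modbus; the addresses and register come from the slide; the sample frames are constructed, and anything the inspector cannot interpret is rejected rather than passed through.

```python
import struct

# Layer 3/4 rules from the slide: (direction, source, destination, port)
L34_RULES = {("Ext->Int", "192.168.0.1", "192.168.0.2", 502),
             ("Ext->Int", "192.168.0.1", "192.168.0.3", 502)}
# Layer 7 rules from the slide: (destination, register) -> allowed operations
L7_RULES = {("192.168.0.2", 50001): {"read": True, "write": True},
            ("192.168.0.3", 50001): {"read": True, "write": False}}
# Modbus function codes the inspector understands (assumption: register access only)
READ_FC = {3, 4}     # read holding / input registers
WRITE_FC = {6, 16}   # write single / multiple registers

def parse_modbus_tcp(frame: bytes):
    """Parse the MBAP header and the start of the PDU.

    Returns (function_code, start_register). Raises ValueError on malformed
    input so that an uninterpretable frame is denied, never forwarded.
    """
    if len(frame) < 10:
        raise ValueError("frame too short")
    _tid, proto, length, _unit, fc, start = struct.unpack(">HHHBBH", frame[:10])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return fc, start

def decide(direction, src, dst, port, frame):
    """Layer 3/4 check first, then the layer 7 register rule."""
    if (direction, src, dst, port) not in L34_RULES:
        return "deny (layer 3/4)"
    try:
        fc, start = parse_modbus_tcp(frame)
    except ValueError as err:
        return f"deny (layer 7: {err})"
    op = "read" if fc in READ_FC else "write" if fc in WRITE_FC else None
    rule = L7_RULES.get((dst, start))
    if op is None or rule is None or not rule[op]:
        return f"deny (layer 7: fc {fc} on register {start})"
    return f"allow ({op} register {start})"

# Constructed sample frames: MBAP (transaction id, protocol 0, length 6, unit 1) + PDU
READ_50001 = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 50001, 1)    # read 1 register
WRITE_50001 = struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 50001, 35)  # write the value 35

if __name__ == "__main__":
    for dst in ("192.168.0.2", "192.168.0.3"):
        for name, frame in (("read", READ_50001), ("write", WRITE_50001)):
            print(dst, name, "->", decide("Ext->Int", "192.168.0.1", dst, 502, frame))
```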
Industrial communications
Protection of real-time networks (based on layer 2)
Typical layer 2 network: a firewall between the untrusted network (192.168.0.1, 08-01-E1-00-FF-01) and the trusted network with PLCs 192.168.0.2 (08-01-E1-00-FF-02) and 192.168.0.3 (08-01-E1-00-FF-03)
Expected cycle time: 31.25 µs~1 ms
Firewall rules:
Direction  Source             Destination        Service type
Ext->Int   08-01-E1-00-FF-01  08-01-E1-00-FF-02  ????
Ext->Int   08-01-E1-00-FF-01  08-01-E1-00-FF-03  ????
Firewall considerations:
- Typical latency: 0.5 ms~5 ms
- Must support layer 2 rules
Does the firewall have a significant influence on the cycle time and on the system functionality?
For sure!!! This kind of solution is not feasible nowadays.
Industrial communications
Protection of real-time networks (based on layer 2)
Typical layer 2 network (expected cycle time: 31.25 µs~1 ms; PLCs 192.168.0.2 / 08-01-E1-00-FF-02 and 192.168.0.3 / 08-01-E1-00-FF-03 in the trusted network behind the firewall)
Firewall challenges:
- Unacceptable latency
- Device replacement restrictions
- Dynamic firewall rules
- No DPI due to complex semantics
So, is it not possible to have a secure environment with industrial control systems, due to performance and functionality restrictions?
Yes, it is possible, but you have to design it properly!!!
Industrial communications
ISA-99/IEC-62443 protection recommendations (for all kinds of networks)
Secure automation cell
Industrial communications
ISA-99/IEC-62443 protection recommendations (for all kinds of networks)
[Figure: a secure automation cell: the trusted network with the PLC (expected cycle time 31.25 µs~1 ms) separated by a firewall from the untrusted network, an unsecure environment.]
Benefits
- No influence on the internal, high performing communications
- No restrictions on the control system functionalities
- External access can be controlled at the perimeter protection
- Can be used for the monitoring system and the engineering system
- Even engineering functions based on layer 2 can be used in this case
Secure automation cell
Industrial communications
ISA-99/IEC-62443 protection recommendations (cell to cell communication)
[Figure: two secure automation cells, each a trusted network with a PLC and its own firewall, connected over the untrusted network. Internal communications in each cell: reliable, high performance, without restrictions, expected cycle time 31.25 µs~1 ms. Cell-to-cell communication over the untrusted network: expected cycle time 10~1000 ms.]
OPC UA - Unified Architecture
Industrial communications
Industrial communications
OPC UA: the first industrial protocol with enhanced security functions
OPC history: a success story
Benefits of OPC UA
- Open connectivity
- Plug-and-play
- Interfaces available from multiple vendors
- Easy to use
- Secure by birth
- Independent of HW/SW platform
- Can be implemented in small devices
Industrial communications
OPC UA: the first industrial protocol with enhanced security functions
Platform independence: OPC UA is designed to be independent of the platform. Using SOAP/XML over HTTP, OPC UA can be deployed on Linux, Windows XP Embedded, VxWorks, Mac, Windows 7 and classical Windows platforms.
Access via firewalls and across the Internet: OPC UA uses message based security, which means messages can be relayed through HTTP, the UA TCP port or any other single port available.
Industrial communications
OPC UA: the first industrial protocol with enhanced security functions
Sequence of encrypted communication: server and client encrypt their messages using the public keys of their partners, which then decrypt the messages again with their private keys.
[Figure: the OPC UA client encrypts "Hello" with the public key of the server certificate (shown as u@#r**ss0+); the OPC UA server decrypts it with the private key of the server certificate. The server encrypts "Hi" with the public key of the client certificate (shown as j4#€*s@0+); the client decrypts it with the private key of the client certificate.]
OPC UA + PROFINET
The backbone of Industry 4.0
Industrial communications
Digital Enterprise
The practical way to Industry 4.0
Industrial communications
OPC UA + PROFINET: the best in class combination
[Figure: two secure automation cells (trusted networks, expected cycle time 31.25 µs~1 ms), each with a PLC and its own firewall, connected over the untrusted network (expected cycle time 10~1000 ms) to the corporate level and to other secure automation cells. Intelligent field devices in each cell: PROFINET I/O devices, OPC UA servers, OPC UA clients. Intelligent controllers in each cell: PROFINET I/O controllers, OPC UA servers, OPC UA clients.]
Industrial communications
OPC UA + PROFINET in action: ICS Village, CLASS 2016
[Figure: demonstration network with three segments, a process bus, a DMZ bus and a corporate bus, separated by firewalls. Elements: PLC, access points, SCADA server, OPC UA server, OPC UA client.]
Summary
Industrial communications
- Overall cycle time and system functionality must be taken into account while designing cyber security systems
- PROFINET is the market-leading industrial automation protocol based on Ethernet networks, achieving cycle times of 31.25 µs with 1 µs jitter
- OPC UA is a trend-setting protocol in terms of automation connectivity (non real time) and it has embedded cyber security mechanisms
- PROFINET + OPC UA is the best in class combination, driving perfect solutions for real-time applications and connectivity in the whole factory. This combination makes it possible to create highly flexible automation networks without compromising the cyber security aspects
Márcio Santos
Technical Consultant
SIEMENS Brazil
Phone: +55(11) 9 7244-0552
E-Mail: [email protected]
Visit us during the CLASS 2016 and take advantage to see a real
control system in action and its protection layers provided by
different vendors.
Thank you for your attention!