Transcript posted 30-May-2018
Protecting Productivity in Industrial Networks
Maximilian Korff, Siemens Nürnberg
siemens.com/network-security Unrestricted © Siemens AG 2017
Digitalization requires more connectivity. Let's do it in a secure way!
Yesterday: Limited interoperability
• Limited communication between the office and production layers (two separate networks: Production, Office)

Arising challenges through increasing interoperability
• Challenge to handle the complexity of increasing communication between office and production

Defined interface to handle complexity
• Two dedicated networks with a defined, managed interface between them
(Diagram labels: plant levels Field, Control, Production Operator, Management, Enterprise; network tiers Shop floor / Cell Network, Aggregation, Production Backbone, Core, Office Network; Interoperability.)
The key to a secure infrastructure: Defense in depth
• "Great wall": an impenetrable wall is one-layer protection with one point of attack; once that single layer is breached, nothing else stands in the way.
• Defense in depth: multi-layer protection; each layer protects the other layers, and an attacker must spend time and effort at each transition.
A single protection measure is never enough to withstand a threat!
Importance of Network Security
Office: the main threat is loss of data and confidentiality.
Industrial: the trend towards open industrial networks…
• Availability is key
• Knowledge protection
• Secured remote access
• Open standards, PC-based systems
…increases the potential threats:
• Espionage and manipulation of data
• Damage and data loss by malware
• Access by unauthorized persons
• Sabotage of production
Network security is a vital part of a defense-in-depth strategy.
Network Security by Siemens
The overall Siemens concept covers all levels of security: plant security, network security and system integrity.
Network security building blocks: cell protection, DMZ (demilitarized zone) and remote access.
• Decoupled networks to prohibit unchecked communication
• Firewalls
• Protection against network problems
• Avoid unauthorized access
• Secured data exchange
• Secured remote maintenance
Network Security Integrated
• Secure remote access
• Integrated security functions
• Secured PLC-to-PLC communication
• Secure engineering stations
• Secured operator station
• Firewalls to protect the different areas of the plant network
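The "defined managed interface" and DMZ pattern of the preceding slides can be checked mechanically against a firewall policy. The following is an added example, not Siemens code or SCALANCE configuration: the zone names (enterprise, dmz, production), the Rule fields and both sample policies are constructed assumptions; only the design rule comes from the slides, namely that office and production are decoupled and every data exchange terminates in the DMZ.

```python
"""Check a zone-to-zone firewall policy for the 'defined managed interface' pattern.

Added example, not Siemens code. Zone names, Rule fields and the sample
policies are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Union

Port = Union[int, str]   # a port number or "any"


@dataclass(frozen=True)
class Rule:
    src: str       # source zone, or "any"
    dst: str       # destination zone, or "any"
    proto: str     # "tcp", "udp" or "any"
    port: Port     # destination port or "any"
    action: str    # "allow" or "deny"


# The only conduits the design defines. There is deliberately no
# enterprise <-> production pair: every exchange terminates in the DMZ.
PERMITTED_CONDUITS = {
    ("enterprise", "dmz"),
    ("dmz", "production"),
    ("production", "dmz"),
}


def audit_policy(rules: List[Rule]) -> List[str]:
    """Return a finding for every allow rule that breaks the pattern, plus one
    if the policy does not end in an explicit deny-all (fail closed)."""
    findings: List[str] = []
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        if "any" in (r.src, r.dst):
            findings.append(f"rule {i}: allow with wildcard zone ({r.src} -> {r.dst})")
        elif (r.src, r.dst) not in PERMITTED_CONDUITS:
            findings.append(f"rule {i}: {r.src} -> {r.dst} is not a defined conduit (bypasses the DMZ)")
        if "any" in (r.proto, r.port):
            findings.append(f"rule {i}: {r.src} -> {r.dst} allows unchecked traffic "
                            f"(proto={r.proto}, port={r.port})")
    last = rules[-1] if rules else None
    if last is None or (last.action, last.src, last.dst, last.port) != ("deny", "any", "any", "any"):
        findings.append("policy does not end with an explicit deny-all rule")
    return findings


# Constructed sample: a policy that grew by adding exceptions.
GROWN_POLICY = [
    Rule("enterprise", "dmz", "tcp", 443, "allow"),          # office clients to the DMZ web front end
    Rule("enterprise", "production", "tcp", 3389, "allow"),  # RDP straight into the cell
    Rule("dmz", "production", "any", "any", "allow"),        # "just let the DMZ talk to the PLCs"
]

# Constructed sample: the same needs, expressed through defined conduits only.
DEFINED_POLICY = [
    Rule("enterprise", "dmz", "tcp", 443, "allow"),      # office clients to the DMZ web front end
    Rule("enterprise", "dmz", "tcp", 3389, "allow"),     # RDP to a jump host in the DMZ instead
    Rule("dmz", "production", "tcp", 102, "allow"),      # DMZ data collector to the PLCs (S7 over ISO-on-TCP)
    Rule("production", "dmz", "tcp", 443, "allow"),      # cell pushes data to the DMZ historian
    Rule("any", "any", "any", "any", "deny"),            # fail closed
]
```

Running `audit_policy(GROWN_POLICY)` reports the direct enterprise-to-production rule, the any/any allow into the cell, and the missing final deny; `audit_policy(DEFINED_POLICY)` returns no findings. The check is only as good as the zone model: a host that is dual-homed into two zones bypasses it entirely, which is the "2 PCs (secure cell / outside)" measure on the protection-level slide.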
IEC 62443 addresses all stakeholders for a holistic protection concept
(Slide: Dr. Kobes, PD TI AT, 2017-02-28)
• Product Supplier (off site, independent of the specific plant): develops products. Parts of IEC 62443: 4-1 (secure product development lifecycle), 4-2 (technical requirements for components), 3-3 (system security requirements).
• System Integrator (on site / site specific): designs and deploys the automation solution, i.e. the control functions, safety functions and complementary functions. Parts: 2-4 (security program requirements for service providers), 3-2 (security risk assessment for system design), 3-3 (system security requirements).
• Asset Owner: operates and maintains the Industrial Automation and Control System (IACS) under operational policies and procedures and maintenance policies and procedures. Parts: 2-1 (establishing an IACS security program), 2-3 (patch management).
• Service Provider: supports operation and maintenance on site. Parts: 2-4.
Each stakeholder can create vulnerabilities
Example: User Identification and Authentication
• Product Supplier (develops the control system as a combination of host devices, network components, embedded devices and applications; independent of the IACS environment) can create weaknesses such as hard-coded passwords and elevation of privileges.
• System Integrator (designs and deploys the automation solution on that base: Basic Process Control System (BPCS), Safety Instrumented System (SIS), complementary hardware and software; IACS environment / project specific) can create weaknesses such as default passwords not changed and temporary accounts not deleted.
• Asset Owner (operates the IACS under operational and maintenance policies and procedures) can create weaknesses such as non-confidential passwords, passwords not renewed and invalid accounts not deleted.
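The asset-owner and integrator weaknesses in the list above (default passwords not changed, temporary accounts not deleted, passwords not renewed, non-confidential passwords, invalid accounts not deleted) are all detectable from an account inventory. The following audit is an added example and not Siemens code: the Account record, the default-credential list, the 90-day renewal policy and the sample inventory are constructed assumptions.

```python
"""Account-hygiene audit for the identification and authentication weaknesses above.

Added example, not Siemens code. The account inventory, the default-credential
list and the 90-day password age are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DEFAULT_CREDENTIALS = {("admin", "admin"), ("user", "user")}  # constructed factory defaults
MAX_PASSWORD_AGE = timedelta(days=90)                          # assumed renewal policy


@dataclass(frozen=True)
class Account:
    name: str
    password: str                 # plain text only because this inventory is constructed
    role: str                     # "admin", "operator" or "service"
    last_password_change: date
    expires: Optional[date]       # set for temporary (commissioning, service) accounts
    owner: Optional[str]          # responsible person; None means nobody owns it
    shared: bool = False          # password known to more than one person


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each account name to the weaknesses found for it (empty list = clean)."""
    report: Dict[str, List[str]] = {}
    for a in accounts:
        issues: List[str] = []
        if (a.name, a.password) in DEFAULT_CREDENTIALS:
            issues.append("default password not changed")
        if a.expires is not None and a.expires < today:
            issues.append(f"temporary account expired {a.expires} but not deleted")
        age = today - a.last_password_change
        if age > MAX_PASSWORD_AGE:
            issues.append(f"password not renewed for {age.days} days")
        if a.shared:
            issues.append("non-confidential (shared) password")
        if a.owner is None:
            issues.append("no responsible owner: invalid account not deleted")
        report[a.name] = issues
    return report


# Constructed inventory of one cell, audited on a fixed date so the result is reproducible.
AUDIT_DATE = date(2018, 5, 30)
SAMPLE_ACCOUNTS = [
    # supplier default never changed during integration
    Account("admin", "admin", "admin", date(2016, 1, 15), None, "plant IT"),
    # integrator's commissioning account, shared within the team, long past its end date
    Account("commissioning", "Start2017!", "admin", date(2017, 6, 1), date(2017, 12, 31),
            "integrator", shared=True),
    # operator account maintained as the policy expects
    Account("operator1", "kQ4#vL9!pZ2m", "operator", date(2018, 4, 15), None, "shift lead"),
    # former employee; nobody owns the account any more
    Account("j.smith", "Rm3$wQ8&tB5k", "operator", date(2018, 3, 15), None, None),
]
```

On the sample inventory, `operator1` comes back clean, `admin` is flagged for the default and the stale password, `commissioning` for expiry, age and sharing, and `j.smith` as an orphaned account. The supplier-side items (hard-coded passwords, privilege elevation) cannot be found this way; they need firmware analysis or vendor advisories, which is what the ProductCERT process later in the deck is for.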
Meeting the IEC 62443-3-3 system requirements is easier with a comprehensive industrial communication portfolio that is already based on IEC 62443-4-1 and -4-2.
SCALANCE: Industrial Communication, proven to enable communication in production
• High availability, based on industrial features and industrial design
• Fast & easy integration for new and existing networks, based on the TIA design
• Easy to use, with configuration via Web Based Management or TIA Portal
• Easy device replacement with the C-PLUG, also by untrained staff
• For all Ethernet networks: local, wireless and remote
IEC 62443 ready portfolio
• Wired: industrial features; industrial design; fast & easy integration
• Wireless: indoor and outdoor applications; several country approvals; real-time capability
• Remote: different media (DSL, UMTS, LTE); transparent connectivity; easy enrollment with SINEMA RC
• Software: transparency for the industrial network; integration into HMI / SCADA systems
• Security: firewall & VPN; remote access; fits industrial security concepts
System integrity / secure communication certificates
Siemens is the leading vendor of Achilles Level 2 certified products
• Protection against DoS attacks
• Defined behavior in case of attack
• Improved availability
• International standard
Achilles certification exercises a device with malformed and high-rate network traffic (protocol fuzzing and storm tests) and checks that it keeps running; it attests to communication robustness, not to access control or cryptographic functions, so it complements rather than replaces the hardening measures on the following slides.
Certified CPUs: LOGO!; S7-300 PN/DP; S7-400 PN/DP; S7-1500 and S7-1505S; S7-1200; S7-400 HF CPU V6.0; S7-410-5H
Certified CPs: CP343-1 Advanced; CP443-1 & Advanced; CP1243-1; CP1543-1; CP1628
Certified DP (distributed I/O): ET 200 PN/DP CPUs; ET 200SP PN CPUs
Certified firewalls: SCALANCE S602, S612, S623, S627-2M
Network Security
Use switch hardening!
• Use passwords (and change the factory defaults)
• Use VLANs
• Disable DCP write (PROFINET DCP set requests are unauthenticated; with write access enabled, any host on the segment can rename or re-address the device)
• Enable the management access list
• Broadcast limitation
• Disable unused ports
• Enable SNMPv3 (and disable SNMP v1/v2c, whose community strings travel in clear text)
Checklist for Setting Up SCALANCE Devices
The checklist focuses on:
• Using the latest firmware
• Disabling unencrypted protocols (e.g. HTTP, Telnet)
• Changing default passwords
• Setting up time synchronization
• PROFINET
• Discovery and basic Configuration Protocol (DCP)
• Quality of service (traffic prioritization)
• Redundancy
• Wireless LAN
• Configuration backup
• Additional settings, e.g. port settings, Syslog, etc.
"Secure by design", but not "secure by default": the devices ship with defaults that have to be hardened before commissioning.
https://support.industry.siemens.com/cs/ww/en/view/109745536
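The switch-hardening bullets and the SCALANCE setup checklist above are the same list seen from two sides, and both can be turned into an automated check of a device's exported settings. The following is an added example and not Siemens code: the `key = value` text is a constructed, vendor-neutral rendering of the settings rather than SCALANCE configuration syntax, and the firmware baseline and default-password list are assumptions you would replace with the values from the Siemens document linked above.

```python
"""Audit a switch configuration against the hardening checklist above.

Added example, not Siemens code. The 'key = value' text is a constructed,
vendor-neutral rendering of the settings, not SCALANCE syntax; the firmware
baseline and the default-password list are assumptions.
"""
from typing import Dict, List, Set, Tuple

FIRMWARE_BASELINE = (4, 2, 0)                  # assumed minimum released version
DEFAULT_PASSWORDS = {"admin", "password", ""}   # constructed factory-default list
Finding = Tuple[str, str]                      # (code, human-readable message)


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; an empty value means the setting is unset."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def _version(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in s.lstrip("Vv").split("."))


def _csv(s: str) -> Set[str]:
    return {p.strip() for p in s.split(",") if p.strip()}


def audit_switch(cfg: Dict[str, str]) -> List[Finding]:
    """Return one finding per checklist item the configuration fails."""
    f: List[Finding] = []
    if _version(cfg.get("firmware", "0")) < FIRMWARE_BASELINE:
        f.append(("FIRMWARE", f"firmware {cfg.get('firmware')} is below the baseline"))
    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:
        f.append(("DEFAULT_PASSWORD", "admin account still uses a default password"))
    for proto in ("http", "telnet"):           # management in clear text
        if cfg.get(proto) == "enabled":
            f.append(("CLEARTEXT_" + proto.upper(), f"{proto} management is enabled"))
    if cfg.get("snmp_v1_v2c") == "enabled":
        f.append(("SNMP_LEGACY", "SNMP v1/v2c (community strings in clear) is enabled"))
    if cfg.get("snmp_v3") != "enabled":
        f.append(("SNMPV3_OFF", "SNMPv3 is not enabled"))
    # PROFINET DCP set requests are unauthenticated: with write access enabled,
    # any host on the segment can rename or re-address the switch.
    if cfg.get("dcp_mode") != "read-only":
        f.append(("DCP_WRITE", "DCP write access is not disabled"))
    if not _csv(cfg.get("management_acl", "")):
        f.append(("NO_MGMT_ACL", "management access list is empty"))
    if _csv(cfg.get("vlans", "")) <= {"1"}:
        f.append(("NO_VLAN", "only the default VLAN is configured"))
    if int(cfg.get("broadcast_limit_pps") or 0) <= 0:
        f.append(("NO_BCAST_LIMIT", "no broadcast limitation configured"))
    idle = _csv(cfg.get("ports_enabled", "")) - _csv(cfg.get("ports_in_use", ""))
    if idle:
        f.append(("UNUSED_PORTS_UP", "unused ports still enabled: " + ", ".join(sorted(idle))))
    for key, code in (("ntp_server", "NO_NTP"), ("syslog_server", "NO_SYSLOG")):
        if not cfg.get(key):
            f.append((code, f"{key} is not set"))
    return f


# Constructed sample: a switch as delivered, with only the IP settings touched.
WEAK_CONFIG = """
firmware = V4.1.2
admin_password = admin
http = enabled
telnet = enabled
snmp_v1_v2c = enabled
snmp_v3 = disabled
dcp_mode = read-write
management_acl =
vlans = 1
broadcast_limit_pps = 0
ports_enabled = P1,P2,P3,P4,P5,P6,P7,P8
ports_in_use = P1,P2,P3
ntp_server =
syslog_server =
"""

# Constructed sample: the same switch after working through the checklist.
HARDENED_CONFIG = """
firmware = V4.2.0
admin_password = 7h!s-Is-N0t-Th3-D3fault
http = disabled
telnet = disabled
snmp_v1_v2c = disabled
snmp_v3 = enabled
dcp_mode = read-only
management_acl = 10.10.1.0/24
vlans = 1,10,20
broadcast_limit_pps = 2000
ports_enabled = P1,P2,P3
ports_in_use = P1,P2,P3
ntp_server = 10.10.1.5
syslog_server = 10.10.1.6
"""
```

`audit_switch(parse_config(WEAK_CONFIG))` raises every one of the thirteen checks; the hardened sample passes all of them. The value of "secure by design, but not secure by default" is exactly that the weak sample is a perfectly functional switch: nothing in production will complain about it until someone on the same segment sends a DCP set request or reads the SNMP community string off the wire.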
Network Management with SINEMA Server V14
…helps to fulfill IEC 62443 requirements:
• Password management
• Firmware update
• Syslog / SNMP management
• Firewall / NAT rule management
• NAT V2 support
• Config backup / restore
IEC 62443
Security measures are scalable!
Protection levels PL 1 to PL 4 combine measures from five areas: Organize Security + Secure Network Design + Secure Operations + Secure Lifecycle Management + Secure Physical Access.

Secure Physical Access, by protection level:
• PL 1: Locked building/doors with keys
• PL 2: Doors with card reader
• PL 3: Revolving doors with card reader
• PL 4: Revolving doors with card reader and PIN; video surveillance and/or iris scanner at the door

Further measures named on the slide for Organize Security, Secure Network Design, Secure Operations and Secure Lifecycle Management, rising from PL 1 to PL 4 (each level adds to the ones below it):
• Awareness training (e.g. operator awareness training)
• Network segmentation; firewall protection (e.g. SCALANCE S)
• Security logging on all systems; backup / recovery system
• Mandatory rules on USB sticks (e.g. whitelisting) …
• Automated backup / recovery
• No e-mail, no WWW, etc. in the secure cell …
• 2 PCs (secure cell / outside)
• 2-factor authentication for remote access …
• Remote access with cRSP or equivalent
• Monitoring of all human interactions
• Dual approval for critical actions
• Firewalls with fail-close (e.g. next-generation firewall)
• Monitoring of all device activities
• Online security functionality verification …
• Persons responsible for security within own organization
• Continuous monitoring (e.g. SIEM); backup verification
• Mandatory security education …
• Physical network segmentation or equivalent (e.g. SCALANCE)
• Remote access restriction (e.g. need-to-connect principle)
Industrial Security: Security of Siemens Products
• We do product design for fundamental system hardening
• We adapted PLM, SCM and CRM processes to fulfil IEC 62443 requirements
• We do 3rd-party product certifications

Industrial Security: Security Vulnerability Handling
• We created a sophisticated team of security experts and a Product Computer Emergency Response Team (ProductCERT)
• We maintain open communication with customers
• We make advisories and updates available on a public website
Elektronikwerk Amberg: we use what we sell!
Implementation and operation of Industrial Security Monitoring
Profile: Elektronikwerk Amberg is a prime example of a digital factory. The factory uses cutting-edge technologies to produce approximately fifteen million SIMATIC products each year.
Challenge:
• Highly sensitive IT-controlled processes
• Fully networked automation environment
• Comprehensive data flow and database
• Protection against industrial espionage, manipulation and hacker activities
Solution:
• Implementation of Defense in Depth with S7-1500 and SCALANCE S using TIA Portal
• Monitoring of security-relevant events
• Monthly status report on plant and system security
• Recommendations for optimizing the level of protection
Customer benefit:
• Protection of networks and TIA components according to the defense-in-depth security concept
• Solid, in-depth security information thanks to Security Information and Event Management (SIEM, CSOC)
• Continuous optimization of the security concept
Reference Center Industrial Security: discover more, concepts, products and news!
From customers for customers: customers report on real applications from all sectors: webservices.siemens.com/references
Security functions in less than 10 minutes with the TIA Portal!
Questions? Contact our expert team
• Automation tasks: www.industry.siemens.com/topics
• Security experts: Industrialsecurity.i.@siemens.com
RSS Feed: always up to date! RSS feed on vulnerabilities and warnings
Internet: www.siemens.com/industrialsecurity: detailed concept information and news on vulnerabilities (news/alerts, products/concepts, whitepapers)
Thank you for your attention!
Maximilian Korff
Product Sales Development
Siemens AG, PD PA S CI PSD
Gleiwitzer Str. 555
90475 Nuremberg
Mobile: +49 (173) 9128143
E-mail:
Maximilian.Korff@siemens.com
siemens.com/network-security
Security law for Critical Infrastructure Protection (CIP) in Germany
1. Minimum standards for IT security
• Minimum standards are currently being worked out
• Compliance with the minimum standards will be regularly reviewed by the Federal Office for Information Security
• Fines up to EUR 100,000
• Expected to commence in March 2018
2. Mandatory reporting requirements
• Mandatory reporting of IT security incidents to the Federal Office for Information Security
• Including the requirement to establish a point of contact with the Federal Office for Information Security
• Fines up to EUR 50,000
• Expected to commence in November 2016
Affected industries (all sites with 500,000 or more customers are affected):
• Part 1: energy; water, wastewater; food; information technology and telecommunications
• Part 2: health; transport and transportation; finance and insurance industry, media and culture
NEW: Siemens proposal
• Assess security: security status and development of a security timetable
• Cyber security operations center: continuous security monitoring of facilities
• Security integrated portfolio: implementation of the minimum standards to reduce costs
• Integrated engineering: efficient implementation in the automation project