how vulnerable is your network to cyber-threats? presented by … · 2020-04-13 · industrial...
TRANSCRIPT
attendmia.com
How vulnerable is your network to cyber-threats?
Presented by Paul Nuss
Manufacturing in America │ April 2020
Unrestricted © Siemens 2020
Unrestricted
How vulnerable is your network to cyber-threats?
Presented by Paul Nuss
Manufacturing in America │ April 2020
attendmia.comUnrestricted © Siemens 2020
visit usa.siemens.com/network-security Page 3 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 3 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-attacks?
Presentation agenda
What’s driving security?
IIoT benefits and risks
Asset protection
Productivity*
Recommended approach
Defense in Depth
People Process Technology
Partners
1
2
* Government regulations are a
significant driver in some industries
How to get started
Assessment
Standards
Segmentation
IT OT & DMZ
Remote access
Training
Evaluation questions,
examples &
recommendations
3
Not necessarily
in this order
visit usa.siemens.com/network-security Page 4 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 4 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
What's driving security? The Industrial Internet of Things (IIoT)
Benefits and the need to protect more assets
Opportunities & benefits Billions of devices are being connectedby the Internet of Things, and are the backbone of our infrastructure and economy
50.1B (2020)
IoT Inception (2009) 8.7B (2012)
11.2B (2013)
14.2B (2014)
18.2B (2015)
22.9B (2016)
28.4B (2017)
42.1B (2019)
0.5B (2003)
Connected Systems
Connected Facilities/Plant/Site
Connected Products
34.8B (2018)
Billions of Devices
… and risksExposure to malicious cyber attacks is also growing dramatically, putting our lives andthe stability of our society at risk
Blue BoxingCryptovirologyAOHell
Level Seven Crew hackDenial-of-service attacks
Cloudbleed
sl1nk SCADA hacks Meltdown/Spectre
Infineon/TPM
AT&T Hack Morris Worm Melissa Worm ILOVEYOUWannaCry
NotPetya
HeartbleedIndustroyer/Chrashoverride
Stuxnet
2000 2004 2008 2012 2016 202019961988 1992
IIoT market annual growth
at 18% through 2024*
*marketwatch.com
visit usa.siemens.com/network-security Page 5 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 5 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
What's driving security?
A familiar goal: Protecting assets
Physical access
protection
Company Data:
Employee, processes,
trade secrets, IP, software
Equipment, machines,
materials, robots, AGVs
Assets requiring protection
Equipment, machines, materials, e.g. robots, AGVs
Software, applications, production and process data
Customer and or employee personal data and safety
Process documentation, programs, know how
Future plans, trade secrets, Intellectual Property (IP)
Production applications, process
documentation, know how
Personal safety
Enterprise (IT)
Production (OT)
visit usa.siemens.com/network-security Page 6 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 6 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
What's driving security?
The goals are familiar, industrial security helps us achieve them
Increase plant
availability
Reduce total cost
of ownership
Benefit from better
data and IIoT
* Government regulations are a
significant driver in some industries
visit usa.siemens.com/network-security Page 7 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 7 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How to get started
Assessment
Standards
Segmentation
IT OT & DMZ
Remote access
Training
Evaluation questions,
examples &
recommendations
How vulnerable is your industrial network to cyber-attacks?
Presentation agenda
What’s driving security?
IIoT benefits and risks
Asset protection
Productivity*
Recommended approach
Defense in Depth
People Process Technology
Partners
1
2
* Government regulations are a
significant driver in some industries
3
Not necessarily
in this order
visit usa.siemens.com/network-security Page 8 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 8 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Recommended industrial security approach:
A successful strategy is multilayered
System Integrity
(Hardening, patch management)
Network
Security
Defense in depth
Security threats
demand action
Plant Security(Physical)
Check with you security expert and appropriate security standard before implementation
visit usa.siemens.com/network-security Page 9 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 9 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Recommended industrial security approach:
A successful strategy includes People, Process and Technology
People
TechnologyProcess
Training
Certifications
Experience
Hardware
Software
Services
Standards
Policies
Programs
visit usa.siemens.com/network-security Page 10 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 10 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Recommended industrial security approach:
A successful strategy includes strong partners
Understands IIoT & digitalization
Has vertical industryexpertise
Understands industrial
communication
Expertise withindustrial security
products and services
Has processes and products that are
proven and certified
In a fast-paced industry full of challenges and risk, it’s important to have a reliable, qualified and proven partner for Industrial Network Security!
visit usa.siemens.com/network-security Page 11 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 11 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Securing industrial networks or Operational Technology (OT) is
different than securing IT networks
Industrial or OT networks typically have unique data requirements compared to IT networks
Enterprise (IT)
InteroperabilityInformation based- e.g. e-mails
- Seconds delay is not
critical
Data Type
Real-time or
Mission critical- e.g. Coordination of
physical machines and
processes
- Seconds delay and even
milliseconds is critical
Data Prioritization
1. Confidentiality
2. Integrity
3. Availability
1. Safety
2. Availability
3. Integrity
4. Confidentiality
Production (OT)
visit usa.siemens.com/network-security Page 12 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 12 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-attacks?
Presentation agenda
What’s driving security?
IIoT benefits and risks
Asset protection
Productivity*
Recommended approach
Defense in Depth
People Process Technology
Partners
1
2
* Government regulations are a
significant driver in some industries
How to get started
Assessment
Standards
Segmentation
IT OT & DMZ
Remote access
Training
Evaluation questions,
examples &
recommendations
3
Not necessarily
in this order
visit usa.siemens.com/network-security Page 13 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 13 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Topics to help evaluate your OT network security
Security Assessment
Secure Remote Access
Asset Discovery & Management
Security Training
Secure IT OT Collaboration
1. Have you had an industrial network (OT) security assessment?
2. Have you selected a security standard?
Asset Discovery &
Management
Secure OT /
Automation Network
Security
Training
Secure
Remote
AccessSecure IT OT
Collaboration
Secure OT / Automation Network
Security
Assessment
visit usa.siemens.com/network-security Page 14 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 14 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Industrial Network Security Assessment
Analysis & Discovery Summary
• Discuss your security goals
• Identify a security standard for the assessment
• Question & answer sessions with appropriate staff
• Review relevant documentation, configurations and processes
• Create a mutually agreed upon assessment plan
visit usa.siemens.com/network-security Page 15 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 15 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Industrial Network Security Assessment
Security and Vulnerability Scan Summary
• Perform a network scan based on the
mutually agreed upon plan
• Identify and verify network communication
• OT environment scan tools may include
Wireshark, OpenVAS, NESSUS or others
depending on the assessment goals
• Scan documentation is created for the report
visit usa.siemens.com/network-security Page 16 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 16 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Industrial Network Security Assessment
visit usa.siemens.com/network-security Page 17 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 17 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Industrial Network Security Assessment
Examples of Siemens Industrial Network Security Assessments
Customer: U.S. Electric Utility Company
Assessment period: Two months
Methodology: The security assessment included interviews
with engineers, technicians, IT and management. The
security was evaluated for physical access. The network was
assessed with packet captures, logs, configuration files and
network scanning tools. Systems evaluated included
workstations, servers, switches, routers, firewalls, encryption
and cellular devices.
Deliverable: The assessment report (less than 100 pages)
provided a comprehensive analysis of the current security
posture and a prioritized list of recommendations.
Customer: U.S. Industrial Manufacturing Facility
Assessment period: One week
Methodology: A security assessment of network
documentation, passwords, architecture, switches, routers,
firewalls, encryption, computers, servers and other devices
was completed. Data communication was verified with
traffic analysis and network health information from all
devices was evaluated.
Deliverable: The near 50-page assessment report provided
network health results, traffic load of the network, a network
validation checklist, data communication results and
recommendations on future enhancements to further secure
the network and eliminate potential vulnerabilities.
visit usa.siemens.com/network-security Page 18 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 18 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Select a security standard
NIST SP 800-82 Rev 2 ISA / IEC 62443
visit usa.siemens.com/network-security Page 19 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 19 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Select a security standard
Examples from NIST SP 800-82 Rev 2
“The aim of network segmentation and
segregation is to minimize access to sensitive
information for those systems and people
who don’t need it while ensuring that the
organization can continue to operate effectively.”
“Network segmentation and segregation is one of the
most effective architectural concepts that an organization
can implement to protect its ICS.”
visit usa.siemens.com/network-security Page 20 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 20 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Topics to help evaluate your OT network security
Secure OT / Automation Network
Secure OT /
Automation Network
visit usa.siemens.com/network-security Page 21 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 21 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Topics to help evaluate your OT network security
Secure OT / Automation Network
1. Is your OT network properly segmented and segregated?
2. Is network and device access controlled and monitored (including physical access)?
3. Are non-secure and unused protocols deactivated and / or have risk mitigation measures been taken?
visit usa.siemens.com/network-security Page 22 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Network segmentation and segregation
Protect the data that keeps your operation productive
✓ Risk mitigation by dividing an OT or automation network into different
protected segments or cells
✓ Allow only the communication paths and data types needed to reach
respective segments with VLAN
✓ Implement secure protocols, availability and access control
Secure OT /
Automation Network
Layer 2/3
OT
Layer 2
OT
Layer 3
IT / OT
Enterprise
IT
Field
Devices
visit usa.siemens.com/network-security Page 23 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Network segmentation and segregation
SC646-2C
Secure OT &
Automation Network
Protect the data that keeps your operation productive
✓ Allow only data required for the operation to access specific network
segments with VLAN, Firewall, VPN, IPsec
✓ Protection with availability by using HRP / MRP, VRRPv3
✓ Secure protocols and NAT / NAPT
✓ Access control lists (e.g. MAC, password or RADIUS) and logging
Layer 2/3
OT
Layer 2
OT
Layer 3
IT / OT
Enterprise
IT
Field
Devices
visit usa.siemens.com/network-security Page 24 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Network segmentation and segregation
Secure Plant
/ Physical
Secure OT &
Automation Network
Secure IT / OT
Collaboration
Asset Discovery &
ManagementProtect the data that keeps your operation productive
✓ Cell 1 is segmented (VLAN) so only essential traffic will have access
✓ Availability is achieved with HRP / MRP
✓ Secure protocols and NAT are implemented for additional security
Layer 2/3
OT
Layer 2
OT
Layer 3
IT / OT
Enterprise
IT
Field
Devices
visit usa.siemens.com/network-security Page 25 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Network segmentation and segregation
Layer 2/3
OT
Layer 2
OT
Layer 3
IT / OT
Enterprise
IT
Field
Devices
Secure Plant
/ Physical
Secure OT &
Automation Network
Secure IT / OT
Collaboration
Asset Discovery &
Management
CP 1543-1
XC206-2SFP G
SC646-2C
Protect the data that keeps your operation productive
✓ The Cell 1 VLAN segment has additional protection with a firewall,
VPN, IPsec
✓ Communication across the network for transparency is protected
✓ Availability protection with redundant VRRPv3, HRP / MRP
✓ Access control lists (e.g. MAC, password or RADIUS) and logging
Industrial Ethernet RJ45 Port Lock
Physical security
visit usa.siemens.com/network-security Page 26 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 26 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Security inside the automation cell
Protection against:
➢ Theft of intellectual property
➢ Unauthorized modification
➢ Unauthorized access
(approved PCs only)
➢ Manipulation
➢ Malware
➢ …
Bind to serial number of the CPU
visit usa.siemens.com/network-security Page 27 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 27 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Use of secure and non-secure protocols
FTP FTPS TFTP
OSPFv2
SNMPv3
RIPRIPv2
SNMP
HTTP HTTPS
OSPF
OSPFv3
SCPSSH /
TLS*SSL /
WPA
WPA2/AES
TELNET
visit usa.siemens.com/network-security Page 28 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 28 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Use of secure and non-secure protocols
FTP FTPS TFTPSCP
TELNET
OSPFv2SNMP
HTTP
OSPF
*TLS unencrypted mode is not secure
SSH /
RIPOSPFv3WPA
RIPv2WPA2/AES
TLS*SSL / SNMPv3
HTTPS
visit usa.siemens.com/network-security Page 29 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 29 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Topics to help evaluate your OT network security
Secure IT / OT Collaboration
Secure IT OT
Collaboration
visit usa.siemens.com/network-security Page 30 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 30 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Topics to help evaluate your OT network security
Secure IT / OT Collaboration
1. Is your OT network isolated from the IT network with firewall(s) and / or a demilitarized zone (DMZ)?
2. What type of firewall(s) are used (stateful, NGFW)?
visit usa.siemens.com/network-security Page 31 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 31 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Segmentation of the IT and OT networks
Enterprise Network Industrial Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
IT OTRemote
Access
Industrial
DMZ
Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
• Several possible architectures with
advantages and disadvantages
• A DMZ is a commonly cited and
recommended architecture by
security standards
• “…no direct communication paths are
required from the corporate network
to the control network; each path
effectively ends in the DMZ.” - NIST
SP 800-82 Rev 2
• Let’s take a look at a recent example
where a DMZ may have helped…
Firewall(s) Firewall(s)
visit usa.siemens.com/network-security Page 32 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 32 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Segmentation of the IT and OT networks: Actual hack
February 18, 2020
• “CISA responded to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas
compression facility.”
• “A cyber threat actor used a Spearphishing Link to obtain initial access to the organization’s information technology (IT) network before
pivoting to its OT network.”
• “The threat actor then deployed commodity ransomware to Encrypt Data for Impact on both networks.”
• “Specific assets experiencing a Loss of Availability on the OT network included human machine interfaces (HMIs), data historians, and polling
servers. Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting
in a partial Loss of View for human operators.”
• “The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations.”
• “…the decision was made to implement a deliberate and controlled shutdown to operations.“
A malicious link led to IT network access → OT access → loss of OT network availability → shutdown for 2 days → loss of revenue
Summary:
Source: https://www.us-
cert.gov/ncas/alerts/aa20-049a
Spearphising Ransomware Attack
reported by
visit usa.siemens.com/network-security Page 33 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 33 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Segmentation of the IT and OT networks: Actual hack
February 18, 2020Source: https://www.us-
cert.gov/ncas/alerts/aa20-049a
Spearphising Ransomware Attack
reported by
“The victim failed to implement robust segmentation between the IT and OT networks, which
allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.”
visit usa.siemens.com/network-security Page 34 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 34 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Segmentation of the IT and OT networks
Enterprise Network Industrial Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
IT OTRemote
Access
Industrial
DMZ
Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
• Robust segmentation between the IT
and OT networks” may look like this…
Firewall(s) Firewall(s)
Example only, not a representative of actual events
visit usa.siemens.com/network-security Page 35 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 35 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Segmentation of the IT and OT networks
Enterprise Network Industrial Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
IT OT Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
• No “robust segmentation between the
IT and OT networks” may look more
like this…
Example only, not a representative of actual events
visit usa.siemens.com/network-security Page 36 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 36 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Segmentation of the IT and OT networks
Enterprise Network Industrial Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
IT OT Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
• No “robust segmentation between the
IT and OT networks” may look more
like this…
• A Spearphising attack email is crafted
to look and sound just right to target a
specific individual, company, or
industry with social engineering
• Attackers may circumvent some
security by tricking users already on
the network to infect the system
John,
Here are the options for next years’
health benefits. As you know,
enrollment ends next week.
www.company.benefits.com
- HR department
Example only, not a representative of actual events
visit usa.siemens.com/network-security Page 37 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 37 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Segmentation of the IT and OT networks
Enterprise Network Industrial Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
IT OT Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
• No “robust segmentation between the
IT and OT networks” may look more
like this…
• A Spearphising attack email is crafted
to look and sound just right to target a
specific individual, company, or
industry with social engineering
• Attackers may circumvent some
security by tricking users already on
the network to infect the system
• Once clicked, that malware may gain
access to the network and infect IT
and OT if proper security is not in
place
Example only, not a representative of actual events
visit usa.siemens.com/network-security Page 38 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 38 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Segmentation of the IT and OT networks
Enterprise Network Industrial Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
IT OT Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
• No “robust segmentation between the
IT and OT networks” may look more
like this…
• A Spearphising attack email is crafted
to look and sound just right to target a
specific individual, company, or
industry with social engineering
• Attackers may circumvent some
security by tricking users already on
the network to infect the system
• Once clicked, that malware may gain
access to the network and infect IT
and OT if proper security is not in
place
Example only, not a representative of actual events
visit usa.siemens.com/network-security Page 39 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 39 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Segmentation of the IT and OT networks
Enterprise Network Industrial Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
IT OTRemote
Access
Industrial
DMZ
Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
Example only, not a representative of actual events
• With robust segmentation between
the IT and OT networks, the intrusion
may be stopped (prevented) or more
quickly known (detected)
John,
Here are the options for next years’
health benefits. As you know,
enrollment ends next week.
www.company.benefits.com
- HR department
Firewall(s) Firewall(s)
visit usa.siemens.com/network-security Page 40 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 40 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Segmentation of the IT and OT networks
Enterprise Network Industrial Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
IT OTRemote
Access
Industrial
DMZ
Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
• With robust segmentation between
the IT and OT networks, the intrusion
may be stopped (prevented) or more
quickly known (detected)
• Consult standards and security
experts to determine the best
approach for the specific application
• Some security technologies that may
help include Intrusion Detection
System (IDS), Deep Packet
Inspection (DPI), Intrusion Prevention
System (IPS) and Next Generation
Firewall (NGFW) among others
Firewall(s) Firewall(s)
visit usa.siemens.com/network-security Page 41 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 41 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Technologies to help protect your network
Intrusion Detection System (IDS) is an application that monitors a network or systems for malicious activity or policy violations and is typically reported northbound to a centralized server or SIEM
IDS
Deep Packet Inspection (DPI) is a type of data processing that examines the data being sent over a network in detail, and usually takes action by blocking, re-routing, or logging it accordingly
DPI
Intrusion Prevention System (IPS) monitors a network for malicious activities such as security threats or policy violations. Identifies suspicious activity, creates logs, attempts to block or drop the activity, and finally reports it
IPS
Next Generation Fire Wall (NGFW) is a part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functionalities, such as an application firewall using in-line DPI and an IPS
NGFW
Applications for complex OT requirements
101010101010101010
101010101010101010
1010101010101010
101010101010101010
101010101010101010
101010101010101010
visit usa.siemens.com/network-security Page 42 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 42 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
NGFW (Next Generation Firewall)
IDS + Deep Packet Inspection (DPI)
Intrusion Detection System (IDS)
RX1400
Execution of tested / qualified 3rd party
cybersecurity software in with Siemens
RUGGEDCOM Application Processing Engine
(APE1808)
Certified PLM process
based on IEC 62443-4-1
APE1808 with RX1500
Technology security solutions
Siemens RUGGEDCOM hardware with 3rd party security software
+
visit usa.siemens.com/network-security Page 46 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 46 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Topics to help evaluate your OT network security
Secure Remote Access
Secure
Remote
Access
visit usa.siemens.com/network-security Page 47 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 47 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Topics to help evaluate your OT network security
Secure Remote Access
1. Are you using VPN and unique user authentication?
2. Is access limited to only required devices? Is access logged?
visit usa.siemens.com/network-security Page 48 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 48 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Secure remote access
Enterprise Network Industrial Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
IT OTRemote
Access
Industrial
DMZ
Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
• Secure remote access requires an
entry-point into the OT network
• Like any entry-point, it’s important to
secure and authorize the pathway
• One option, especially for wired
connections, is to utilize the securely
established DMZ and configure the
appropriate configuration
• Further protection like a physical
enable / disable switch on-site can be
used
Firewall(s) Firewall(s)
Example only, not a representative of actual events
visit usa.siemens.com/network-security Page 49 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 49 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Industrial Network
How vulnerable is your industrial network to cyber-threats?
Secure remote access
Enterprise Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
IT OTRemote
Access
Industrial
DMZ
Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
Firewall(s) Firewall(s)
Example only, not a representative of actual events
• Secure remote access should be
uniquely authenticated and logged
• Dedicated Device Access (DDA) only
allows access to specific devices by
configuration
• A physical enable / disable switch
allows local control of the connection
1100
1100
1100
Access
denied
Example of secure remote
access server On-Site
1011
1100
1100
Success!
visit usa.siemens.com/network-security Page 50 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 50 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Industrial Network
How vulnerable is your industrial network to cyber-threats?
Secure remote access
Enterprise Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
IT OTRemote
Access
Industrial
DMZ
Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
Firewall(s) Firewall(s)
Example only, not a representative of actual events
• Secure remote access should be
uniquely authenticated and logged
• Dedicated Device Access (DDA) only
allows access to specific devices by
configuration
• A physical enable / disable switch
allows local control of the connection
1100
1100
1100
Access
denied
Example of secure remote
access server On-Site
1011Access
denied
1100
1100
Success!
visit usa.siemens.com/network-security Page 51 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 51 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Solution:
Software
• SRC Server
• SRC Client
Hardware
▪ Scalance S for hardwire connections
▪ Scalance M for mobile connections
• Key Plug (for M & S615)
How vulnerable is your industrial network to cyber-threats?
Secure remote access
SCALANCE S600 SIMATIC S7-1200
SINEMA Remote Connect – Client
VPN tunnel to SRC server
SINEMA Remote-Connect – server
Manages communication rights & connection between client and devices
Key-plug
Mobile
wireless
network
SIMATIC S7-1500
SINEMA
Remote Connect Server
/ Virtual Appliance
Internet router
Internet router
Internet
router
SCALANCE M876-4
Internet
Company network & DMZ
Remote host
network & DMZ
1011
1100
11001011
Example only, not a representative of actual events
visit usa.siemens.com/network-security Page 52 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 52 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
SINEMA Remote Connect Server /
Virtual Appliance can be hosted at
a remote location or on-site
Solution:
Software
• SRC Server
• SRC Client
Hardware
▪ Scalance S for hardwire connections
▪ Scalance M for mobile connections
• Key Plug (for M & S615)
How vulnerable is your industrial network to cyber-threats?
Secure remote access
SCALANCE S600 SIMATIC S7-1200
SINEMA Remote Connect – Client
VPN tunnel to SRC server
Key-plug
Mobile
wireless
network
SIMATIC S7-1500
SINEMA
Remote Connect Server
/ Virtual Appliance
Internet router
Internet router
Internet
router
SCALANCE M876-4
Internet
Company network & DMZ
1011
1100
Example only, not a representative of actual events
visit usa.siemens.com/network-security Page 53 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 53 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Asset discovery and management
Asset Discovery & ManagementAsset Discovery &
Management
visit usa.siemens.com/network-security Page 54 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 54 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Asset discovery and management
Asset Discovery & Management
1. Do you have configuration management procedure and tools?
2. Is there an effective identification and authentication process?
visit usa.siemens.com/network-security Page 55 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 55 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Asset discovery and management
Firewall Management
Policy based device configuration
Certificate Management
Firmware Management
Configuration File Management
Alarms / Notifications
Role Based Access Control incl. timeout
Network Access Control 802.1x (RADIUS - Server)
Receive security events (Syslog-Server)
Documentation and traceability of configuration changesSINEC NMS & SINEC INS
visit usa.siemens.com/network-security Page 56 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 56 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Topics to help evaluate your OT network security
Security Assessment
Secure OT / Automation Network
Secure Remote Access
Asset Discovery & Management
Security Training
Secure IT / OT Collaboration
1. Have network users been trained on relevant security policies and procedures?
NIST SP 800-82 Rev 2:
“Awareness and Training (AT): policies and
procedures to ensure that all information system users
are given appropriate security training relative to their
usage of the system and that accurate training records
are maintained.“
“Incident Response (IR): policies and procedures
pertaining to incident response training, testing,
handling, monitoring, reporting, and support services.“
… More training guidance is available in the standard
visit usa.siemens.com/network-security Page 57 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 57 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Topics to help evaluate your OT network security
Security Assessment
Secure OT / Automation Network
Secure Remote Access
Asset Discovery & Management
Security Training
Secure IT / OT Collaboration
Additional training (some free): ICS-CERT, ISA, SANS, EC-Council
Siemens network security training:
• Strengthen security knowledge to implement a security strategy
• Learn about proven security concepts, tools, implementation,
encryption, firewall, Next Generation Firewall (NGFW)
• Gain hands-on experience…➢ Creating firewalls
➢ Scanning non-secure and secure networks
➢ Enabling secure protocols, disabling non-secure protocols
➢ Implementing secure availability with VRRP
➢ Setting up and testing NAPT
➢ Segmenting at network with VLAN and firewall
➢ Creating a protected WLAN
➢ Enabling password protection and access control
➢ more…
visit usa.siemens.com/network-security Page 58 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 58 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Case study: Manufacturing facility
visit usa.siemens.com/network-security Page 59 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 59 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Case study: Manufacturing facility
Enterprise Network Industrial Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
Diagram is not actual topology of case study facility
DMZ with
RUGGEDCOM
firewalls and
SCALANCE XR500
IT OTRemote
Access
Industrial
DMZ
Firewall(s) Firewall(s)
visit usa.siemens.com/network-security Page 60 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 60 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Case study: Manufacturing facility
Enterprise Network Industrial Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
Aggregation
Layer
SCALANCE
XM416-4C
Diagram is not actual topology of case study facility
IT OTRemote
Access
Industrial
DMZ
Firewall(s) Firewall(s)
visit usa.siemens.com/network-security Page 61 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 61 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Case study: Manufacturing facility
Enterprise Network Industrial Network
Core
Layer
Data Center
Distribution
Layer
Access
Layer
Server
Enterprise
NetworkInternet/
Cloud
Industrial
DatacenterMES
SCADA
NMS
INS
Industrial
Backbone
Layer
Aggregation
Layer
Cell
Layer
Cell layer
firewall
SCALANCE
SC636-2C with
SRC secure
remote access
capability
Cell layer
devices
Diagram is not actual topology of case study facility
IT OTRemote
Access
Industrial
DMZ
Firewall(s) Firewall(s)
visit usa.siemens.com/network-security Page 62 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 62 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
Summary
• Evaluation of the current
security status of an ICS
environment
• Risk mitigation through
implementation of
security measures for
reactive protection
• Monitor to detect
indicators of compromise
• Manage to keep security
up-to-date
• React fast upon security
relevant threats
visit usa.siemens.com/network-security Page 63 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 63 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
More information available!
Videos
White papers,
articles, brochures
Case studies
New website!
Free consultation offer
at website!
familiar categories to
this presentation to
follow-along
visit usa.siemens.com/network-security Page 64 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 64 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
How vulnerable is your industrial network to cyber-threats?
More information available!
Videos
White papers,
articles, brochures
Case studies
New website!
Free consultation offer
at website!
familiar categories to
this presentation to
follow-along
visit usa.siemens.com/network-security Page 65 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Page 65 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.
Check with your security expert and appropriate security standard before implementation for any specific application.
Thank you for your attention
Questions?
Paul Nuss
Industrial Networking and Security Product Marketing Manager
Norcross, GA
E-mail: [email protected]