
Industrie 4.0 Lessons Learned from the Digital Supply Chain. siemens.com/industrialsecurity, © Siemens AG 2017. Manuel Ifland, CISSP, Siemens AG. Cyber Security for Industry 4.0 International Conference, 21 - 22 November 2017.

Post on 31-Aug-2020


TRANSCRIPT

Page 1: Industrie 4.0 Lessons Learned from the Digital Supply Chain 2_1550 - 1630_Mr. Manuel Ifla…

Industrie 4.0 – Lessons Learned from the Digital Supply Chain

siemens.com/industrialsecurity
© Siemens AG 2017

Manuel Ifland, CISSP – Siemens AG

Cyber Security for Industry 4.0 International Conference, 21 - 22 November 2017

Page 2:

Digitalization Impacts the Entire Value Chain and Every Siemens Sector

Process Automation, Building Automation, Factory Automation, Energy Automation, Mobility Systems, Urban Infrastructures

Page 3:

Cyber Security Impacts the Entire Value Chain and Every Siemens Sector

Process Automation, Building Automation, Factory Automation, Energy Automation, Mobility Systems, Urban Infrastructures

Page 4:

Our Customers Have Essential Requirements – Throughout the Manufacturing Industry

Security, Speed, Flexibility, Quality, Efficiency

Page 5:

The Lessons We Learned …

Page 6:

Lesson One

If we can't help ourselves, how are we meant to help others?

Page 7:

Siemens Amberg Plant: The Industry 4.0 Factory

Page 8:

Siemens Amberg Plant: Fast! Flexible! Efficient! Quality!

60,000+ customers worldwide each year
24 hour lead time for new orders
75% OEE plus 20% buffer for overcapacity
~1 Million monthly production of SIMATIC products
1200+ Teamcenter managed products shipped to
~11 dpm means near perfect quality – every time

Page 9:

Siemens Amberg Plant: Implementation and Operation of Industrial Security

From challenges …
Highly sensitive IT-controlled processes
Fully networked automation environment
Comprehensive data flow and database
Protection against industrial espionage, manipulation and hacker activities

To solutions …
Implementation of Defense in Depth with S7-1500 and SCALANCE S using TIA Portal
Protection Level 3 1) in selected areas
Monitoring of security-relevant events
Monthly status report on plant and system security
Regular security training

1) based on the definition of IEC 62443

Page 10:

Lesson Two

“Security by Design” is what we need!

Page 11:

Security by Design Cares for the Entire Product and System Life Cycle

Integrate security in solutions and services
Measure and assure adequate security level
Design, implement and select security building blocks
Operate securely, detect and handle security threats and incidents
Enable an organization to adequately address security

Page 12:

Lesson Three

Don’t forget your third-party components in the digital supply chain.

Page 13:

Page 14:

Page 15:

Development Lifecycle and Third-Party Component (TPC) Management Life Cycle Should Go Hand in Hand

Development lifecycle: Requirements, Design, Develop, Support, …

TPC management life cycle:
Maintain a List of TPCs
Assess Security Risks from TPCs
Mitigate or Accept Security Risks from Selected TPCs
Monitor for Changes in Risk Profiles of TPCs
Verify Bill of Materials (BOM)
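The five TPC steps above map directly onto a small inventory check. The Python below is an added example, not Siemens' or SAFECode's code: the inventory, the build artifacts and the advisory feed are constructed inline, and the component names (libtls, libxml, libjson, libdebug), advisory IDs (ADV-000x), supplier names and version ranges are hypothetical. It keeps the list of TPCs with the hash recorded when each was assessed, verifies a build's bill of materials against that list (unlisted components, hash drift since assessment, listed-but-absent components), matches advisories against the recorded versions while separating accepted from open risk, and reports what a new advisory snapshot changes.

```python
"""Third-party component (TPC) management: maintain the list, assess risk,
accept or keep open, monitor for change, verify the bill of materials.

Added example, not Siemens' or SAFECode's code. Everything below (artifacts,
inventory, advisory feed, names and IDs) is constructed so it runs offline.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TPC:
    name: str
    version: str
    supplier: str
    sha256: str                       # hash of the artifact approved at assessment time
    accepted: frozenset = field(default_factory=frozenset)  # advisory IDs whose risk was accepted


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the object code actually linked into a firmware build.
ARTIFACTS = {
    "libtls": b"libtls 2.4.1 object code (constructed)",
    "libxml": b"libxml 1.9.0 object code, rebuilt after assessment (constructed)",
    "libdebug": b"debug helper nobody listed (constructed)",
}

# Step 1: the maintained list of TPCs, with hashes recorded when each was assessed.
INVENTORY = [
    TPC("libtls", "2.4.1", "Vendor A", sha256_hex(b"libtls 2.4.1 object code (constructed)")),
    TPC("libxml", "1.9.0", "Vendor B", sha256_hex(b"libxml 1.9.0 object code (constructed)"),
        accepted=frozenset({"ADV-0002"})),      # Step 3: risk accepted (hypothetical decision)
    TPC("libjson", "3.0.0", "Vendor C", sha256_hex(b"libjson 3.0.0 object code (constructed)")),
]

# Constructed advisory feed: (id, component, first affected version, first fixed version).
ADVISORIES = [
    ("ADV-0001", "libtls", "2.4.0", "2.4.2"),
    ("ADV-0002", "libxml", "1.0.0", "2.0.0"),
    ("ADV-0003", "libjson", "3.1.0", "3.1.1"),
]


def vtuple(version: str) -> tuple:
    """Numeric dotted versions only; real feeds need a proper version parser."""
    return tuple(int(part) for part in version.split("."))


def verify_bom(inventory, artifacts):
    """Step 5: compare the build's bill of materials against the maintained list.
    A hash mismatch means the component changed after it was assessed."""
    by_name = {t.name: t for t in inventory}
    report = {"mismatch": [], "unlisted": [], "missing": []}
    for name, data in artifacts.items():
        tpc = by_name.get(name)
        if tpc is None:
            report["unlisted"].append(name)
        elif sha256_hex(data) != tpc.sha256:
            report["mismatch"].append(name)
    report["missing"] = [n for n in by_name if n not in artifacts]
    return report


def assess_risks(inventory, advisories):
    """Steps 2 and 3: which advisories hit an inventory version, split into accepted vs. open."""
    by_name = {t.name: t for t in inventory}
    report = {"open": [], "accepted": []}
    for adv_id, name, first_bad, first_fixed in advisories:
        tpc = by_name.get(name)
        if tpc is None:
            continue
        if vtuple(first_bad) <= vtuple(tpc.version) < vtuple(first_fixed):
            bucket = "accepted" if adv_id in tpc.accepted else "open"
            report[bucket].append((adv_id, name))
    return report


def monitor_changes(inventory, previous_feed, current_feed):
    """Step 4: re-run the assessment on a new feed snapshot and return newly open risks."""
    before = set(assess_risks(inventory, previous_feed)["open"])
    after = assess_risks(inventory, current_feed)["open"]
    return [hit for hit in after if hit not in before]


if __name__ == "__main__":
    print("BOM check:", verify_bom(INVENTORY, ARTIFACTS))
    print("Risk assessment:", assess_risks(INVENTORY, ADVISORIES))
    print("Newly open since last feed:", monitor_changes(INVENTORY, ADVISORIES[1:], ADVISORIES))
```

The hash recorded at assessment time is what makes the BOM check meaningful: a component that was rebuilt or swapped after its risk assessment shows up as a mismatch even though name and version are unchanged, which is exactly the case a name-only BOM comparison misses.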

Page 16:

Siemens Published Some Best Practices via SAFECode

https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf

Page 17:

Lesson Four

Don’t forget your suppliers in the digital supply chain.

Page 18:

IACS: Automation Solution and Control System

IACS environment / project specific:
Industrial Automation and Control System (IACS) = Automation Solution + Operational and Maintenance policies and procedures
Automation Solution = Control System (as a combination of Host Devices, Network Components, Applications and Embedded Devices), which is the base for the Control Functions, Safety Functions and Complementary Functions
Asset Owner: operates the IACS
System Integrator: designs and deploys the Automation Solution
Product Supplier: develops the Control System products

Independent of IACS environment:
HW / SW Supplier: develops the HW/SW components that go into the products

Page 19:

IACS: Each Stakeholder Can Create Vulnerabilities
Example: User Identification and Authentication

Same stakeholder diagram as Page 18: the HW / SW Supplier develops HW/SW components (independent of the IACS environment); the Product Supplier develops the Control System of Host Devices, Network Components, Applications and Embedded Devices; the System Integrator designs and deploys the Automation Solution with its Control, Safety and Complementary Functions; the Asset Owner operates the IACS under Operational and Maintenance policies and procedures. Each of them can create weaknesses.

Example weaknesses in user identification and authentication:
Hard coded passwords
Elevation of privileges
Default passwords not changed
Temporary accounts not deleted
Non confidential passwords
Passwords not renewed
Invalid accounts not deleted
Unprotected interfaces / Hidden functions
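Most of the authentication weaknesses listed above are detectable from an account export plus a few reference lists. The Python below is an added example, not from the slides or any Siemens product: the account records, the default-credential list, the personnel and approved-administrator lists, the configuration excerpt and the reference date are all constructed, and the user names, roles, dates and password-like key names are hypothetical. It flags unchanged default passwords, expired temporary accounts, stale passwords, accounts whose owners are no longer active, privileged accounts outside the approved list, and hard-coded credential literals in a configuration file. Non-confidential passwords (shared or written down) and hidden functions need process and product review rather than a script.

```python
"""Account hygiene audit for the user identification and authentication weaknesses above.

Added example, not from the slides or any Siemens product. Accounts, reference
lists, the configuration excerpt and the reference date are constructed.
"""
import hashlib
import re
from datetime import date, timedelta

TODAY = date(2017, 11, 21)                  # constructed reference date
MAX_PASSWORD_AGE = timedelta(days=90)       # assumed site policy


def pw_hash(password: str) -> str:
    # Plain SHA-256 stands in for whatever the device stores; only equality matters here.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed reference data: factory defaults of the hypothetical devices, the
# approved administrators, and the personnel currently employed at the site.
DEFAULT_HASHES = {pw_hash(p) for p in ("admin", "password", "12345678")}
APPROVED_ADMINS = {"ops_admin"}
ACTIVE_PERSONNEL = {"ops_admin", "j.doe", "m.mueller"}

# Constructed account export from a hypothetical engineering station.
ACCOUNTS = [
    {"user": "ops_admin",  "role": "admin",       "hash": pw_hash("Str0ng-unique!"),
     "changed": date(2017, 10, 1), "temp_until": None},
    {"user": "j.doe",      "role": "operator",    "hash": pw_hash("admin"),
     "changed": date(2017, 6, 1),  "temp_until": None},
    {"user": "vendor_tmp", "role": "admin",       "hash": pw_hash("Vend0r-2017"),
     "changed": date(2017, 3, 15), "temp_until": date(2017, 4, 1)},
    {"user": "k.left",     "role": "operator",    "hash": pw_hash("Left-2016!"),
     "changed": date(2017, 9, 1),  "temp_until": None},
    {"user": "m.mueller",  "role": "maintenance", "hash": pw_hash("Maint-xyz1"),
     "changed": date(2017, 11, 1), "temp_until": None},
]


def audit_accounts(accounts, today=TODAY):
    """Return (user, weakness) pairs; one account can carry several weaknesses."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if acct["hash"] in DEFAULT_HASHES:
            findings.append((user, "default password not changed"))
        if acct["temp_until"] is not None and acct["temp_until"] < today:
            findings.append((user, "temporary account not deleted"))
        if today - acct["changed"] > MAX_PASSWORD_AGE:
            findings.append((user, "password not renewed"))
        if user not in ACTIVE_PERSONNEL:
            findings.append((user, "invalid account not deleted"))
        if acct["role"] == "admin" and user not in APPROVED_ADMINS:
            findings.append((user, "elevation of privileges"))
    return findings


# Constructed excerpt of a hypothetical device configuration shipped with every unit.
CONFIG_TEXT = """
[service]
listen = 0.0.0.0:8080
password = "s3cr3t-fixed"
[logging]
level = info
"""

# A credential literal assigned to a password-like key on its own line.
HARDCODED = re.compile(r'^\s*(password|passwd|pwd|secret)\s*=\s*["\'][^"\']+["\']',
                       re.IGNORECASE | re.MULTILINE)


def find_hardcoded_secrets(text):
    """Return the keys that carry a literal credential (a product-supplier weakness)."""
    return [m.group(1).lower() for m in HARDCODED.finditer(text)]


if __name__ == "__main__":
    for user, weakness in audit_accounts(ACCOUNTS):
        print(f"{user:12} {weakness}")
    print("hard-coded keys in config:", find_hardcoded_secrets(CONFIG_TEXT))
```

The split between reference lists and the audit loop mirrors the stakeholder split on the slide: the default-credential list comes from the product supplier, the approved-administrator and personnel lists from the asset owner, and the account export from whatever the integrator deployed. The vendor's temporary administrator account in the sample data trips four checks at once, which is the usual shape of a real finding.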

Page 20:

Lesson Five

A Holistic Security Concept takes security to the next level.

Page 21:

“Holistic Security Concept” Takes Security to the Next Level - A Holistic Approach for IT and OT

HSC answers key questions for security in business:
“What in my business do I need to protect?” Identification of the critical business assets is a core component of the concept.
“Which level of security do I need?” Security level drives requirements, in alignment with IEC 62443, to protect against attacks.
“How do I protect the specific assets?” Standards based security solutions are applied to protect and monitor critical assets.

HSC addresses 5 levers including the IT: Handle Incidents, Improve Process, Security Features, Enhance Awareness, IT-Infrastructure

Page 22:

Lesson Six

Enhanced Defense in Depth should be based on IEC 62443.

Page 23:

IEC 62443 Addresses All Stakeholders for a Holistic Protection Concept

Parts of IEC 62443 by stakeholder:
Asset Owner (on site / site specific; operates and maintains the IACS under Operational policies and procedures and Maintenance policies and procedures): 2-1, 2-3
Service Provider (maintenance): 2-4
System Integrator (designs and deploys the Automation Solution with its Control Functions, Safety Functions and Complementary Functions): 2-4, 3-2, 3-3
Product Supplier (off site; develops products): 4-1, 4-2, 3-3

Page 24:

Actual Structure of IEC / ISA-62443 – Main Documents to Be Published

General (Definitions, Metrics):
1-1 Terminology, concepts and models
1-2 Master glossary of terms and abbreviations
1-3 System security compliance metrics

Policies and procedures (Processes: requirements placed on security organization and processes of the plant owner and suppliers):
2-1 Requirements for an IACS security management system (Ed.2.0: profile of ISO 27001 / 27002)
2-3 Patch management in the IACS environment
2-4 Requirements for IACS solution suppliers

System (Requirements to achieve a secure system; Functional requirements):
3-1 Security technologies for IACS
3-2 Security risk assessment and system design
3-3 System security requirements and security levels

Component (Requirements to secure system components):
4-1 Product development requirements
4-2 Technical security requirements for IACS products

Page 25:

May 22, 2017, Page 25, Cyber Security for Industry 4.0 International Conference

Contact

Speaker:

Manuel Ifland, CISSP

[email protected]

Siemens AG

Siemens ProductCERT

Otto-Hahn-Ring 6

81739 Munich

Germany

Internet

https://siemens.com/cert/advisories

https://siemens.com/industrialsecurity