TRANSCRIPT
Industrie 4.0 – Lessons Learned from the Digital Supply Chain
siemens.com/industrialsecurity
© Siemens AG 2017
Manuel Ifland, CISSP – Siemens AG
Cyber Security for Industry 4.0 International Conference
21 - 22 November 2017
Digitalization Impacts the Entire Value Chain and Every Siemens Sector
- Process Automation
- Building Automation
- Factory Automation
- Energy Automation
- Mobility Systems
- Urban Infrastructures
Cyber Security Impacts the Entire Value Chain and Every Siemens Sector
- Process Automation
- Building Automation
- Factory Automation
- Energy Automation
- Mobility Systems
- Urban Infrastructures
Our Customers Have Essential Requirements – Throughout the Manufacturing Industry
- Security
- Speed
- Flexibility
- Quality
- Efficiency
The Lessons We Learned …
Lesson One
If we can't help ourselves,
how are we meant to help
others?
Siemens Amberg Plant: The Industry 4.0 Factory
Siemens Amberg Plant: Fast! Flexible! Efficient! Quality!
- 60,000+ customers worldwide each year
- 24 hour lead time for new orders
- 75% OEE plus 20% buffer for overcapacity
- ~1 million SIMATIC products produced per month
- 1200+ Teamcenter-managed products shipped
- ~11 dpm (defects per million) means near-perfect quality, every time
Siemens Amberg Plant: Implementation and Operation of Industrial Security

From challenges …
- Highly sensitive IT-controlled processes
- Fully networked automation environment
- Comprehensive data flow and database
- Protection against industrial espionage, manipulation and hacker activities

… to solutions
- Implementation of Defense in Depth with S7-1500 and SCALANCE S using TIA Portal
- Protection Level 3 (1) in selected areas
- Monitoring of security-relevant events
- Monthly status report on plant and system security
- Regular security training

1) based on the definition of IEC 62443
Lesson Two
“Security by Design” is
what we need!
Security by Design Cares for the Entire Product and System Life Cycle
- Enable an organization to adequately address security
- Design, implement and select security building blocks
- Integrate security in solutions and services
- Measure and assure an adequate security level
- Operate securely, detect and handle security threats and incidents
Lesson Three
Don’t forget your third-
party components in the
digital supply chain.
Development Lifecycle and Third-Party Component (TPC) Management Life Cycle Should Go Hand in Hand

Development lifecycle phases: Requirements → Design → Develop → Support → …

TPC management steps running alongside them:
- Maintain a list of TPCs
- Assess security risks from TPCs
- Mitigate or accept security risks from selected TPCs
- Monitor for changes in the risk profiles of TPCs
- Verify the Bill of Materials (BOM)
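The five TPC steps above, carried through as one small tool. This is an added example, not code from the deck or from the SAFECode paper; the component names, versions, advisory identifiers (ADV-0001 and so on) and artifact bytes are all constructed, and the "fixed_in" version-range model is a simplification of a real advisory feed.

```python
"""Third-party component (TPC) tracking alongside the development lifecycle.

Added example, not code from the Siemens deck or the SAFECode paper. Component
names, versions, advisory IDs and artifact bytes are constructed stand-ins.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    sha256: str  # digest of the artifact the build is expected to consume


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # hypothetical identifier, not a real advisory
    component: str
    fixed_in: str  # first version that is no longer affected


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Step 1: maintain the list of TPCs. The BOM records a pinned version and the
# digest of the artifact that was actually reviewed (bytes are constructed).
ARTIFACTS: Dict[str, bytes] = {
    "libfoo": b"libfoo 1.2.3 (constructed artifact)",
    "netstack": b"netstack 2.0.1 (constructed artifact)",
    "tlslib": b"tlslib 3.1.0 (constructed artifact)",
}
BOM: List[Component] = [
    Component("libfoo", "1.2.3", digest(ARTIFACTS["libfoo"])),
    Component("netstack", "2.0.1", digest(ARTIFACTS["netstack"])),
    Component("tlslib", "3.1.0", digest(ARTIFACTS["tlslib"])),
]

# Constructed advisory feed at two points in time.
ADVISORIES_T0 = [
    Advisory("ADV-0001", "netstack", "2.1.0"),
    Advisory("ADV-0002", "tlslib", "3.0.5"),  # our 3.1.0 is already past the fix
]
ADVISORIES_T1 = ADVISORIES_T0 + [Advisory("ADV-0003", "libfoo", "1.3.0")]

# Step 3: formally accepted risks, each with the recorded justification.
ACCEPTED: Dict[str, str] = {
    "ADV-0001": "affected netstack service is compiled out of our build",
}


def is_affected(c: Component, a: Advisory) -> bool:
    return c.name == a.component and parse_version(c.version) < parse_version(a.fixed_in)


def assess(bom: List[Component], advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Step 2: advisory IDs that apply to each BOM entry, keyed by name@version."""
    out: Dict[str, List[str]] = {}
    for c in bom:
        hits = sorted(a.advisory_id for a in advisories if is_affected(c, a))
        if hits:
            out[f"{c.name}@{c.version}"] = hits
    return out


def unhandled(findings: Dict[str, List[str]], accepted: Dict[str, str]) -> Dict[str, List[str]]:
    """Step 3: findings that are neither mitigated (version no longer affected) nor accepted."""
    out: Dict[str, List[str]] = {}
    for key, ids in findings.items():
        rest = [i for i in ids if i not in accepted]
        if rest:
            out[key] = rest
    return out


def new_risks(previous: Dict[str, List[str]], current: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Step 4: advisories that appeared since the previous assessment run."""
    out: Dict[str, List[str]] = {}
    for key, ids in current.items():
        fresh = [i for i in ids if i not in previous.get(key, [])]
        if fresh:
            out[key] = fresh
    return out


def verify_bom(bom: List[Component], shipped: Dict[str, bytes]) -> List[str]:
    """Step 5: names whose shipped artifact is missing or does not hash to the BOM digest."""
    return [c.name for c in bom
            if shipped.get(c.name) is None or digest(shipped[c.name]) != c.sha256]


if __name__ == "__main__":
    t0, t1 = assess(BOM, ADVISORIES_T0), assess(BOM, ADVISORIES_T1)
    print("unhandled at T0:", unhandled(t0, ACCEPTED))
    print("new since T0:", new_risks(t0, t1))
    tampered = dict(ARTIFACTS, netstack=b"netstack 2.0.1 (rebuilt elsewhere)")
    print("BOM mismatches:", verify_bom(BOM, tampered))
```

The point of the last step is that a BOM listing name and version alone cannot tell you whether the binary that shipped is the one that was assessed; pinning a digest and re-hashing at release time catches a swapped or rebuilt artifact that still reports the same version.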
Siemens Published Some Best Practices via SAFECode
https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf
Lesson Four
Don’t forget your
suppliers in the digital
supply chain.
IACS: Automation Solution and Control System

[Figure: stakeholder model of an Industrial Automation and Control System (IACS). The IACS consists of the Automation Solution (Control Functions, Safety Functions and Complementary Functions) plus Operational and Maintenance policies and procedures. The Control System, a combination of Host Devices, Embedded Devices, Network Components and Applications, is the base for the Automation Solution.
Roles:
- HW/SW Supplier: develops HW/SW components (independent of the IACS environment)
- Product Supplier: develops the Control System (independent of the IACS environment)
- System Integrator: designs and deploys the Automation Solution (IACS environment / project specific)
- Asset Owner: operates the IACS (IACS environment / project specific)]
IACS: Each Stakeholder Can Create Vulnerabilities
Example: User Identification and Authentication

[Figure: the same IACS stakeholder model (HW/SW Supplier develops HW/SW components; Product Supplier develops the Control System of Host Devices, Embedded Devices, Network Components and Applications; System Integrator designs and deploys the Automation Solution with its Control, Safety and Complementary Functions; Asset Owner operates it under Operational and Maintenance policies and procedures), annotated "can create weaknesses" at every stakeholder. Example weaknesses in user identification and authentication:
- Hard-coded passwords
- Elevation of privileges
- Unprotected interfaces / hidden functions
- Default passwords not changed
- Temporary accounts not deleted
- Non-confidential passwords
- Passwords not renewed
- Invalid accounts not deleted]
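Several of the weaknesses listed on the slide can be found mechanically. The following is an added example, not code from the deck: an account audit of the kind an asset owner would run against a user inventory (default password still set, password not renewed, temporary account past its expiry, inactive account not deleted), plus a scan for credentials hard-coded into a configuration file of the kind a supplier or integrator ships. The account records, the default-credential list, the configuration snippet and the 90-day and 180-day thresholds are all constructed assumptions, and the unsalted SHA-256 stands in for whatever hash the real system stores.

```python
"""Audit for identification and authentication weaknesses.

Added example, not from the Siemens deck. Accounts, vendor defaults, the config
snippet and the policy thresholds are constructed; SHA-256 stands in for the
device's real credential store format.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed policy values
MAX_IDLE = timedelta(days=180)
AUDIT_DATE = date(2017, 11, 21)         # fixed so the run is reproducible

# Constructed vendor defaults that must be changed at commissioning.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("service", "service1234")}


def pw_hash(password: str) -> str:
    # Only used to match known defaults; a real store would use a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


DEFAULT_HASHES = {(u, pw_hash(p)) for u, p in DEFAULT_CREDENTIALS}


@dataclass
class Account:
    user: str
    password_hash: str
    created: date
    password_changed: date
    last_login: Optional[date]
    temporary_until: Optional[date] = None  # set for commissioning accounts


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Asset-owner side: return the weaknesses found per account."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        issues = []
        if (a.user, a.password_hash) in DEFAULT_HASHES:
            issues.append("default password not changed")
        if today - a.password_changed > MAX_PASSWORD_AGE:
            issues.append("password not renewed")
        if a.temporary_until is not None and today > a.temporary_until:
            issues.append("temporary account not deleted")
        if today - (a.last_login or a.created) > MAX_IDLE:
            issues.append("invalid (inactive) account not deleted")
        if issues:
            findings[a.user] = issues
    return findings


# Supplier/integrator side: credential literals in source or configuration.
SECRET_PATTERN = re.compile(r'(?i)\b(password|passwd|pwd|secret)\s*[:=]\s*["\']?([^\s"\']+)')


def find_hardcoded_secrets(text: str) -> List[str]:
    """Return 'line: key' for each literal credential; templated values are skipped."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_PATTERN.search(line)
        if m and not m.group(2).startswith("${"):
            hits.append(f"{n}: {m.group(1)}")
    return hits


# Constructed inventory: one clean account and three with problems.
ACCOUNTS = [
    Account("admin", pw_hash("admin"), date(2017, 1, 10), date(2017, 10, 1), date(2017, 11, 20)),
    Account("commissioning", pw_hash("Commission!2017"), date(2017, 8, 1), date(2017, 9, 1),
            date(2017, 9, 15), temporary_until=date(2017, 9, 30)),
    Account("jsmith", pw_hash("Winter2016"), date(2016, 5, 3), date(2017, 2, 20), date(2017, 3, 1)),
    Account("operator", pw_hash("correct horse battery"), date(2016, 5, 3), date(2017, 10, 15),
            date(2017, 11, 20)),
]

CONFIG_SNIPPET = """\
# constructed HMI connection file
host = 192.0.2.10
user = operator
password = "Summer2017"
secret = ${VAULT_SECRET}
"""

if __name__ == "__main__":
    for user, issues in audit_accounts(ACCOUNTS, AUDIT_DATE).items():
        print(user, "->", "; ".join(issues))
    print("hard-coded secrets:", find_hardcoded_secrets(CONFIG_SNIPPET))
```

The two halves are deliberately kept apart: the config scan belongs in the supplier's or integrator's build pipeline, before anything ships, while the account audit has to run repeatedly on the asset owner's side, because the weaknesses it finds appear only after commissioning.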
Lesson Five
A Holistic Security
Concept takes security to
the next level.
“Holistic Security Concept” Takes Security to the Next Level - A Holistic Approach for IT and OT

HSC answers key questions for security in business:
- “What in my business do I need to protect?” Identification of the critical business assets is a core component of the concept.
- “Which level of security do I need?” The security level drives the requirements, in alignment with IEC 62443, to protect against attacks.
- “How do I protect the specific assets?” Standards-based security solutions are applied to protect and monitor critical assets.

HSC addresses 5 levers, including the IT infrastructure:
- Handle Incidents
- Improve Process
- Security Features
- Enhance Awareness
- IT Infrastructure
Lesson Six
Enhanced Defense in
Depth should be based
on IEC 62443.
IEC 62443 Addresses All Stakeholders for a Holistic Protection Concept

[Figure: stakeholders of an Industrial Automation and Control System (IACS), with the Automation Solution (Control Functions, Safety Functions, Complementary Functions) at its core, and the parts of IEC 62443 that apply to each:
- Product Supplier (off site): develops products; parts 4-1, 4-2
- System Integrator (off site): designs and deploys the Automation Solution; parts 2-4, 3-2, 3-3
- Asset Owner (on site / site specific): operates and maintains, owns the operational policies and procedures; parts 2-1, 2-3, 3-3
- Service Provider (on site / site specific): maintenance policies and procedures; part 2-4]
Current Structure of IEC / ISA-62443
Main Documents to Be Published

General (definitions, metrics):
- 1-1 Terminology, concepts and models
- 1-2 Master glossary of terms and abbreviations
- 1-3 System security compliance metrics

Policies and procedures (requirements placed on the security organization and processes of the plant owner and suppliers):
- 2-1 Requirements for an IACS security management system (Ed. 2.0, profile of ISO 27001 / 27002)
- 2-3 Patch management in the IACS environment
- 2-4 Requirements for IACS solution suppliers

System (requirements to achieve a secure system):
- 3-1 Security technologies for IACS
- 3-2 Security risk assessment and system design
- 3-3 System security requirements and security levels (functional requirements)

Component (requirements to secure system components):
- 4-1 Product development requirements (processes)
- 4-2 Technical security requirements for IACS products (functional requirements)
Contact
Speaker:
Manuel Ifland, CISSP
Siemens AG
Siemens ProductCERT
Otto-Hahn-Ring 6
81739 Munich
Germany
Internet
https://siemens.com/cert/advisories
https://siemens.com/industrialsecurity