PROFIsafe and IT security - Peter Brown of Siemens A&D

What is PROFIsafe and how does it work? Pete Brown, Siemens I CS

Upload: the-profibus-group

Post on 14-Jan-2015

TRANSCRIPT

Page 1: PROFIsafe and IT security - Peter Brown of Siemens A&D

What is PROFIsafe and how does it work?

Pete Brown, Siemens I CS

Page 2: What do we mean by "Safety"?

"The condition of being safe; freedom from danger, risk, or injury."

In the UK (and Europe) this can cover many areas and industries, for example:
- Supply of Machinery (Safety) Regulations
- Electromagnetic Compatibility Regulations
- Electrical Equipment (Safety) Regulations
- Pressure Equipment Regulations
- Simple Pressure Vessels (Safety) Regulations
- Equipment and Protective Systems Intended for Use in Potentially Explosive Atmospheres Regulations
- Lifts Regulations
- Medical Devices Regulations
- Gas Appliances (Safety) Regulations

Important: it is essential to have some form of risk assessment / risk analysis, e.g. HAZAN / HAZID / HAZOP / RA to ISO 12100.

Page 3: PROFIsafe – The Vision

Coexistence of standard and failsafe communication on one network.

[Diagram: one Profibus DP segment carries both standard and failsafe (F) traffic. Nodes shown: Standard-Host/PLC, F-Host/F-PLC, Engineering Tool, PG/ES with secure access (e.g. firewall) over TCP/IP, Repeater, DP/PA link, Standard-I/O, F-I/O, F-Sensor, F-Actuator, F-Field-Device, and an F-Gateway to another safety bus; master-slave assignment between hosts and devices. F = Failsafe.]

Page 4: PROFIsafe – ISO/OSI Model

[Diagram: OSI layers 1, 2 and 7 of Standard I/O, Standard Control, Safety Input, Safety Control and Safety Output; at the safety nodes a Safety Layer sits above layer 7.]

"Black Channel": ASICs, links, cables, etc. Not safety relevant.

"PROFIsafe": the safety-critical communication functions: addressing, watchdog timers, sequencing, signature, etc.

Safety relevant, but not part of PROFIsafe: safety I/O / safety control systems.

Non safety-critical functions, e.g. diagnostics.

All safety measures live in the PROFIsafe layer above the standard stack, so the transport underneath (the black channel) needs no safety rating of its own and may be any standard PROFIBUS or PROFINET path.

Page 5: PROFIsafe – Add-on Strategy

Each failsafe component is an add-on to its standard counterpart:

Standard engineering tool (STEP 7)  +  Failsafe engineering tool (Distributed Safety)
Standard CPU                        +  Failsafe application program / F-hardware
Standard PROFIBUS DP                +  PROFIsafe
Standard remote I/O                 +  Failsafe I/O modules

Page 6: PROFIsafe – Program

Coexistence of standard program and safety-related program on one CPU.

Changes to the standard program have no effect on the integrity of the safety-related program section.

[Diagram: standard program, safety program, standard program and back-up areas within one CPU.]

Page 7: PROFIsafe – Coded Processing

Time redundancy and diversity replace complete redundancy.

[Diagram: coded processing on one CPU. Operation: the operators (AND, OR) applied to operands A, B give output C. Diverse operation, executed afterwards on the same CPU (time redundancy): the diverse operators applied to the complemented operands /A, /B give the diverse output D. Coding comparison: D must equal /C; stop by D ≠ /C.]
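The following is an added example, not code from the slides or from Siemens, of the coded-processing idea above: the same safety logic is evaluated twice in time on one CPU, once normally and once on complemented operands with the dual operators, and processing stops if the diverse result is not the exact complement of the normal one. The 8-bit word width, the operator set and the sample E-stop/guard logic are assumptions made for the example.

```python
"""Coded processing on one CPU: a simplified model written for this page.

The safety logic runs twice in time on the same CPU. The normal path uses
the original operands and operators; the diverse path uses the complemented
operands with the dual operators (AND <-> OR, De Morgan). The diverse result
must be the exact bitwise complement of the normal result; any mismatch
stops processing (safe state) instead of trusting either value.
"""

WORD_MASK = 0xFF          # 8-bit process words (assumption for the example)


def complement(x):
    """Bitwise complement within the word width (/x in the slide)."""
    return x ^ WORD_MASK


# Normal operators and the diverse (dual) operator used for each one.
NORMAL = {
    "AND": lambda a, b: a & b,
    "OR": lambda a, b: a | b,
    "NOT": lambda a: complement(a),
}
DUAL = {"AND": "OR", "OR": "AND", "NOT": "NOT"}


def evaluate(expr, inputs, ops):
    """Evaluate a nested ("OP", arg, ...) expression; strings name inputs."""
    if isinstance(expr, str):
        return inputs[expr]
    op, *args = expr
    return ops[op](*(evaluate(a, inputs, ops) for a in args)) & WORD_MASK


def normal_path(expr, inputs):
    return evaluate(expr, inputs, NORMAL)


def diverse_path(expr, inputs):
    """Same logic on /A, /B with the dual operators; must yield /C."""
    inverted = {name: complement(v) for name, v in inputs.items()}
    dual_ops = {op: NORMAL[DUAL[op]] for op in NORMAL}
    return evaluate(expr, inverted, dual_ops)


def coded_process(expr, inputs, fault=None):
    """Return ("RUN", output) when both paths agree, else ("STOP", None).

    fault="normal" or "diverse" flips one bit in that path's result to stand
    in for a hardware or processing fault (constructed for the example).
    """
    c = normal_path(expr, inputs)
    d = diverse_path(expr, inputs)
    if fault == "normal":
        c ^= 0x01
    elif fault == "diverse":
        d ^= 0x01
    if d != complement(c):        # the coding comparison: stop by D != /C
        return ("STOP", None)
    return ("RUN", c)


# Constructed example: run is permitted when the E-stop is not pressed and
# either the guard is closed or a keyed maintenance bypass is active.
SAFETY_LOGIC = ("AND", ("NOT", "estop_pressed"),
                ("OR", "guard_closed", ("AND", "bypass", "key")))
SAMPLE_INPUTS = {"estop_pressed": 0x00, "guard_closed": 0x00,
                 "bypass": 0xFF, "key": 0xFF}

if __name__ == "__main__":
    print(coded_process(SAFETY_LOGIC, SAMPLE_INPUTS))                  # ('RUN', 255)
    print(coded_process(SAFETY_LOGIC, SAMPLE_INPUTS, fault="normal"))  # ('STOP', None)
```

The comparison catches a fault in either path because the two paths share no operand values and no operator implementation: a stuck bit or a wrong operator result breaks the complement relation in exactly one of them.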

Page 8: PROFIsafe – Introduction

[Diagram: standard data and fail-safe data share one standard bus protocol (PROFIBUS or PROFINET); the PROFIsafe layer at each end treats the bus as a "black channel".]

Safety-oriented communication via PROFIsafe:
- First communication standard in accordance with safety standard IEC 61508
- PROFIsafe supports safe communication for the open standards PROFIBUS and PROFINET
- PROFIsafe counters possible faults such as address errors, delay and data loss with:
  - serial numbering of PROFIsafe telegrams
  - time monitoring
  - authenticity monitoring via unique addresses
  - optimized CRC checking
- PROFIsafe supports standard and failsafe communication over one medium

Page 9: PROFIsafe – Introduction: Possible Errors and Detection Mechanisms

Failure types addressed:
- Repetition
- Deletion
- Insertion
- Resequencing
- Data corruption
- Delay
- Masquerade (a standard message mimics a failsafe message)
- Revolving memory failure within switches

Remedies (detection mechanisms):
- Consecutive number
- Time-out with receipt
- Codename for sender and receiver
- Data consistency check
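The following is an added example, not the PROFIsafe specification and not Siemens code, of how the four remedies listed on pages 8 and 9 divide the failure types between them and why each detection ends in the fail-safe state. The telegram layout, the use of CRC-32 with the codename folded into the CRC seed, the 24-bit counter width (the V2 mode width from page 11), the watchdog time and the F-addresses are all assumptions made for the example; the real protocol differs in these details.

```python
"""Simplified PROFIsafe-style safety layer over a black channel.

Illustrative model written for this page, not the PROFIsafe specification
(the real telegram layout, CRC polynomials and state machine differ). It
shows how the four remedies from the slide divide the work:
  consecutive number        -> repetition, deletion, resequencing
  time-out with receipt     -> delay
  codename (F-address)      -> masquerade / insertion by the wrong partner
  data consistency (CRC)    -> data corruption
and that every detected fault latches the receiver in the fail-safe state.
"""
import struct
import zlib

COUNTER_BITS = 24                  # V2 mode counter width; V1 mode used 8 bits
COUNTER_MOD = 1 << COUNTER_BITS

F_ADDR = 0x0101                    # codename of this connection (constructed)
OTHER_ADDR = 0x0202                # codename of some other connection


def f_crc(codename, counter, data):
    """Data consistency check: CRC-32 over codename, counter and payload.

    Folding the codename into the CRC means a telegram from another partner,
    or a standard message mimicking a safety telegram, fails the check even
    when its payload and counter look plausible.
    """
    header = struct.pack(">HI", codename, counter)
    return zlib.crc32(data, zlib.crc32(header)) & 0xFFFFFFFF


def build_telegram(codename, counter, data):
    """Sender side: attach the consecutive number and the CRC."""
    counter %= COUNTER_MOD
    data = bytes(data)
    return {"counter": counter, "data": data, "crc": f_crc(codename, counter, data)}


class FReceiver:
    """Receiver side of one safety connection, identified by its codename."""

    def __init__(self, codename, watchdog_ms):
        self.codename = codename
        self.watchdog_ms = watchdog_ms
        self.expected = 1              # counter value 0 is skipped in this model
        self.last_rx_ms = 0
        self.failsafe = False

    def _trip(self, reason):
        self.failsafe = True           # outputs go to the safe state and stay there
        return reason

    def receive(self, tgm, now_ms):
        """Return "OK", or the detected failure type after entering fail-safe."""
        if self.failsafe:
            return "failsafe"
        # Time-out with receipt: silence longer than the watchdog time is a delay.
        if now_ms - self.last_rx_ms > self.watchdog_ms:
            return self._trip("delay")
        # Data consistency check, bound to the codename.
        if tgm["crc"] != f_crc(self.codename, tgm["counter"], tgm["data"]):
            return self._trip("corruption_or_masquerade")
        # Consecutive number.
        c = tgm["counter"]
        if c == self.expected:
            self.expected = (self.expected + 1) % COUNTER_MOD or 1
            self.last_rx_ms = now_ms
            return "OK"
        if c == (self.expected - 1) % COUNTER_MOD:
            return self._trip("repetition")      # the previous telegram again
        if (c - self.expected) % COUNTER_MOD < COUNTER_MOD // 2:
            return self._trip("deletion")        # counter jumped ahead: telegram(s) lost
        return self._trip("resequencing")        # an older telegram arrived late


def demo():
    """Drive a fresh receiver through each fault class; returns {case: verdict}."""
    def tgm(n, data=b"\x01", addr=F_ADDR):
        return build_telegram(addr, n, data)

    def after(n_ok):                 # receiver that has accepted telegrams 1..n_ok
        rx = FReceiver(F_ADDR, watchdog_ms=100)
        for n in range(1, n_ok + 1):
            rx.receive(tgm(n), 10 * n)
        return rx

    results = {}
    rx = after(0)
    results["normal"] = [rx.receive(tgm(n), 10 * n) for n in (1, 2, 3)]
    results["repetition"] = after(2).receive(tgm(2), 30)
    results["deletion"] = after(1).receive(tgm(3), 20)
    results["resequencing"] = after(3).receive(tgm(1), 40)
    corrupted = tgm(1)
    corrupted["data"] = b"\x00"                   # payload altered on the wire
    results["corruption"] = after(0).receive(corrupted, 10)
    results["masquerade"] = after(0).receive(tgm(1, addr=OTHER_ADDR), 10)
    rx = after(1)
    results["delay"] = rx.receive(tgm(2), 300)    # 290 ms since last receipt
    results["latched"] = rx.receive(tgm(2), 310)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13s} -> {verdict}")
```

Two design points carry over to the real protocol even though the details here are simplified: the integrity check is keyed to the partner's address, so a well-formed standard telegram cannot pass as a safety telegram, and the receiver never "repairs" a bad sequence; it only distinguishes the failure type for diagnostics and goes to the safe state.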

Page 10: PROFIsafe – Introduction: Which protocol must be supported?

[Diagram: an F-Host acting as PROFINET IO-Controller (IO-C) reaches F-DI/F-DO devices over a PROFINET switch, through a PROFINET-PROFIBUS link to PROFIBUS devices, and through a modular device with a local bus; the PROFIsafe telegram is encapsulated unchanged at each stage.]

F-DI: fail-safe digital input
F-DO: fail-safe digital output
IO-C: PROFINET IO-Controller

Page 11: PROFIsafe – Introduction: Which protocol version applies when?

PROFIsafe V2 slave used in      | Protocol with 8-bit counter | Protocol with 24-bit counter
                                | (= PROFIsafe V1 mode)       | (= PROFIsafe V2 mode)
PROFIBUS network only           | mandatory                   | mandatory
PROFINET network only           | -                           | mandatory
PROFIBUS / PROFINET network     | mandatory                   | mandatory

Goal: 100% compatibility. A PROFIsafe slave which supports the V2 mode must be able to replace an older version of this PROFIsafe slave which only supports the V1 mode without the need for any adaptation.

Page 12: PROFIsafe – Introduction: Which protocol version applies when?

[Diagram: PROFINET – PROFIsafe V2: IO-Devices V2 and, behind a proxy, DP slaves V2 only. PROFIBUS – PROFIsafe V1 or V2: a DP master with DP slaves V1 and DP slaves V2. V1 = PROFIsafe profile V1, V2 = PROFIsafe profile V2.]

Page 13: Security for Industrial Automation – Considering the PROFINET Security Guideline

Page 14: Industrial IT Security

Peter Brown / IT Security for Industrial Automation

DCS/SCADA* (*DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition)

A potential attack on the DCS/SCADA is met by measures at three levels:

Plant Security
- Physical Security: physical access to facilities and equipment
- Policies & Procedures: security management processes; operational guidelines; business continuity management & disaster recovery

Network Security
- Security Zones & DMZ: secure architecture based on network segmentation
- Firewalls and VPN: implementation of firewalls as the only access point to a security cell

System Integrity
- System Hardening: adapting the system to be secure by default
- User Account Management: access control based on user rights and privileges
- Patch Management: regular implementation of patches and updates
- Malware Detection and Prevention: anti-virus and whitelisting

Page 15: Security – What is IT Security? (Cyber/Network)

Protection of computers and networks from intrusion and disruption.

- With so many systems relying on networks this is critical
- The internet allows global connectivity and all its advantages
- These advantages lead to vulnerability

Page 16: Why do I need IT Security?

- Intrusion can be malicious or accidental
- Governments are concerned by terrorist acts
- Business is concerned by industrial espionage and theft
- Ex-employees may have a grudge
- Current employees can be careless
- Computer viruses can attack PLCs
- Network intrusions are on the increase – the damage can be catastrophic

Page 17: How do I implement IT Security?

- CPNI recommendations
- Risk analysis and policies
- Industrial grade equipment
- PROFINET / PROFINET Security Guideline
- (ICS-CERT recommendations)

Industrial Security Homepage: http://www.industry.siemens.com/topics/global/en/industrial-security

Page 18: PROFINET Security Concept

The PROFINET Security Concept, from the PROFINET Security Guideline:
- Network architecture – security zones
- Trust concept – within zones
- Perimeter defence – firewall/VPN
- Provision of confidentiality and integrity
- Transparent integration of firewalls

www.AllThingsPROFINET.com

Page 19: Security Zones

- Communication is based on trust within a zone
- Trusted networks should be able to talk with each other
- Perimeter defence

Local security measures, e.g. locked Ethernet ports, networking equipment in cabinets.

[Diagram: a trusted network behind a firewall.]

Page 20: How to secure the Network… Using Industrial Firewalls

- Monitor incoming and outgoing data packets on the basis of predefined rules
- Only authorized connections are accepted
- Help to keep unwanted traffic out (e.g. office broadcasts)
- Rugged industrial design
- "Industrial-like" administration
- Built-in VPN capabilities

Page 21: Linking Security Zones

- Data traffic control between networks using security modules
- Encrypted data transmission between security modules
- Firewalls help to keep unwanted office traffic out as well

[Diagram: two trusted networks, each behind its own firewall, linked by a VPN across the corporate network/backbone.]

Page 22: Secure Automation Cells (Zones)

[Diagram: complete plant security built from secure automation cells, each behind its own firewall, with the plant connected to the Internet.]

Page 23: Connecting to the Outside World

When connecting to the outside world, think about security against:
- Wrong address allocations
- Unauthorized access
- Spying
- Manipulation

Industrial applications have different requirements in:
- Network architectures
- Performance and functions

PROFINET leverages effective and certified security standards (VPN), e.g. IPsec.

Page 24: Methods for Network Security

Security issues and vulnerabilities need to be addressed. There are many methods; how can we address these vulnerabilities using these techniques?

- Firewall: protects against unauthorized access
- VLAN (Virtual Local Area Network): a logical network that operates on the basis of a physical network
- DMZ (De-Militarized Zone): exchange data with external partners via safe areas
- VPN (Virtual Private Network): a secure tunnel between authenticated users

Page 25: Industrial Security – Everyone?

Roles involved: Management, Operators, OEM / System integrators, Component suppliers.

Requirements that operators of industrial automation systems must meet:
- Security guidelines and processes
- Risk management in terms of security
- Information and document management, etc.

System-side requirements in terms of:
- Access protection, user control
- Data integrity and confidentiality
- Controlled data flow, etc.

Requirements that components of an automation system must meet in terms of:
- Product development processes
- Product functionalities

Plant-level measures:
- Measures and processes that prevent unauthorized access of persons to the surrounding area of the plant
- Physical access protection for critical automation components (e.g. locked control cabinets)

Page 26: Industrial Security for Controllers / HMIs

- Logon control – central, plant-wide user administration.
- Deactivation of services – most network services are deactivated in our products in their basic configuration.
- Deactivation of hardware interfaces – the unused interfaces of HMI / controller / device can be deactivated via the configuration.
- Robust communication – one of the system properties of our PROFINET devices is their robustness against large volumes of network traffic or faulty network packets.
- Encryption of the user program – application code for the PLC / controller can be encrypted.
- Copy protection – encryption protection can be supplemented with copy protection that prevents duplication of application code.

Page 27: Example of a "Cell" (Machine?)

[Diagram only.]

Page 28: Passwords!

Various passwords are set by default:
- HMI: web server; default password = "100".
- HMI: user "Administrator"; default password = "administrator".
- Switches: user "Administrator"; default password = "administrator".

Defaults like these are the first thing tried against a reachable device; change them as part of commissioning.

Page 29: Continuous Network / Security Monitoring

Monitoring of PROFINET / networks for:
- Detection of changes
- Load monitoring
- Security monitoring
- Event forwarding

[Diagram: an Industrial Service Station collecting from BANY agents, one with an integrated TAP and one with an external TAP, on an MRP ring.]
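The following is an added example, not the BANY agent, the Industrial Service Station or any other product's code, of three of the monitoring functions listed above: detection of changes (a snapshot of the cell's devices compared against an engineering baseline), load monitoring (frame rates checked against a tolerance band) and event forwarding (one JSON line per finding). The device names, MAC and IP addresses, firmware versions, frame rates and severities are all constructed for the example.

```python
"""Change detection and load monitoring for one PROFINET cell.

Example written for this page; it is not the BANY agent, the Industrial
Service Station or any other product. A monitor holds a baseline of the
devices that belong in the cell and compares each new inventory snapshot
against it; deviations become events that can be forwarded (here as JSON
lines) to a central log or SIEM. Baseline and snapshot are constructed.
"""
import json

# Constructed baseline: what the engineering data says belongs in the cell.
# MAC addresses are locally administered (02:...) and made up.
BASELINE = {
    "plc-cell1":    {"mac": "02:00:10:00:00:01", "ip": "192.168.10.10", "role": "io-controller", "fw": "V2.8"},
    "et200-drive":  {"mac": "02:00:10:00:00:02", "ip": "192.168.10.20", "role": "io-device", "fw": "V1.1"},
    "et200-safety": {"mac": "02:00:10:00:00:03", "ip": "192.168.10.21", "role": "io-device", "fw": "V1.1"},
}

# Constructed snapshot taken later: one firmware changed, one unknown host appeared.
SAMPLE_SNAPSHOT = {
    "plc-cell1":    {"mac": "02:00:10:00:00:01", "ip": "192.168.10.10", "role": "io-controller", "fw": "V2.8"},
    "et200-drive":  {"mac": "02:00:10:00:00:02", "ip": "192.168.10.20", "role": "io-device", "fw": "V1.2"},
    "et200-safety": {"mac": "02:00:10:00:00:03", "ip": "192.168.10.21", "role": "io-device", "fw": "V1.1"},
    "unknown-1":    {"mac": "02:00:99:aa:bb:cc", "ip": "192.168.10.99", "role": "unknown", "fw": "?"},
}

# Expected cyclic frame rate per device (frames/s) and the tolerated deviation.
LOAD_BASELINE = {"plc-cell1": 2000, "et200-drive": 1000, "et200-safety": 1000}
LOAD_TOLERANCE = 0.25

# A changed MAC/IP/role can mean a swapped or spoofed device; firmware drift
# is still worth a ticket but less urgent.
ATTRIBUTE_SEVERITY = {"mac": "high", "ip": "high", "role": "high", "fw": "medium"}


def compare_inventory(baseline, snapshot):
    """Detection of changes: new, missing and altered devices versus the baseline."""
    events = []
    for name in sorted(snapshot.keys() - baseline.keys()):
        events.append({"event": "new_device", "device": name, "severity": "high",
                       "detail": snapshot[name]})
    for name in sorted(baseline.keys() - snapshot.keys()):
        events.append({"event": "device_missing", "device": name, "severity": "medium"})
    for name in sorted(baseline.keys() & snapshot.keys()):
        for attr, old in baseline[name].items():
            new = snapshot[name].get(attr)
            if new != old:
                events.append({"event": "attribute_changed", "device": name, "attribute": attr,
                               "old": old, "new": new,
                               "severity": ATTRIBUTE_SEVERITY.get(attr, "low")})
    return events


def check_load(load_baseline, measured_fps, tolerance=LOAD_TOLERANCE):
    """Load monitoring: flag devices whose frame rate left the tolerance band.

    A sudden rise can be a broadcast storm or a scan; a drop or a missing
    device (0 frames/s) can be a failing link or a device taken off the ring.
    """
    events = []
    for name, expected in load_baseline.items():
        seen = measured_fps.get(name, 0)
        if abs(seen - expected) > tolerance * expected:
            events.append({"event": "load_deviation", "device": name, "severity": "medium",
                           "expected_fps": expected, "measured_fps": seen})
    return events


def forward(events, cell="cell1"):
    """Event forwarding: one JSON line per event, ready for syslog or a SIEM."""
    return [json.dumps({"cell": cell, **e}, sort_keys=True) for e in events]


if __name__ == "__main__":
    measured = {"plc-cell1": 2000, "et200-drive": 1000, "et200-safety": 3100}
    findings = compare_inventory(BASELINE, SAMPLE_SNAPSHOT) + check_load(LOAD_BASELINE, measured)
    for line in forward(findings):
        print(line)
```

In practice the snapshot would come from the agent's view of the cell (for instance from device identification traffic seen at the TAP) and the baseline from the engineering project, so that an unexpected host on the cell network or a device whose identity changed is raised as an event rather than discovered during the next incident.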

Page 30: Industrial IT Security – Security Services

DCS/SCADA* (*DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition)

The same three levels as on page 14 (Plant Security, Network Security, System Integrity), offered as Security Services.

Any Questions?

Page 31: Questions?