Comprehensive Cyber Security Features in SIPROTEC & SICAM. SIPROTEC Dag 11. Mei 2017

Transcription

1 Comprehensive Cyber Security Features in SIPROTEC & SICAM SIPROTEC Dag 11. Mei 2017 siemens.tld/keyword

2 Changes to Substation Automation and Protection over Time Evolving Threat Landscape (tomorrow today...) 1 st generation: Standard cabling Mimic board Ancient past 2 nd generation: Point-to-point connections since Recent past Security through Simplicity: the analog times Minimal connectivity in substation control and protection HMI Clear point-to-point connections Fault recorder Protection RTU Parallel wiring Bay Substation controller Other bays Serial connection Bay Secured buildings Owned communication networks Parallel wiring Parallel wiring Page 2

3 Changes to Substation Automation and Protection over Time Evolving Threat Landscape (tomorrow today...) 1 st generation: Standard cabling Mimic board Ancient past 2 nd generation: Point-to-point connections since Recent past 3 rd Generation: Digital Substations HMI Fault recorder Protection RTU Parallel wiring Bay Substation controller Other bays Serial connection Bay Parallel wiring Parallel wiring Page 3

4 Connectivity with Responsibility Cyber Security must be considered holistically Security Availability, Integrity, Confidentiality & Data Protection GENERATION TRANSMISSION DISTRIBUTION CONSUMPTION RAIL & MICROGRIDS Technological impact Remote control Seamless interfacing between the IT world and the Process world Usage of public infrastructure Increasing adoption of IT infrastructure Developments Renewable energy resources, Pro-/ Consumer markets, Network optimization GRID AND ENTERPRISE IT COMMUNI- CATION & AUTOMATION FIELD DEVICES SENSORS AND PROTECTION PRIMARY EQUIPMENT AUTOMATION GRID CONTROL PROTECTION SMART TRANSMISSION SENSORS HMI BIG DATA ANALYTICS, IT INTEGRATION EMS DMS ADMS Microgrids SMART DISTRIBUTION GRID APPLICATION POWER QUALITY Virtual Power Plants Demand Response Meter Data Mgmt. ecar Operation Center COMMUNICATION SMART METERS RAIL & MICROGRIDS SERVICE & SMART GRID SECURITY Page 4

5 Vulnerabilities in Digital Substations Potential Threats and Attackers Control Center Level Attackers: Remote access Station Level Nation states (spy agencies) Criminal organizations Attacks over Internet Attacks over Internet Malware Script kiddies Insiders / service providers Substation automation Unauthorized access Unauthorized access Malware Protection Field Level Malware Unauthorized access Unauthorized access Page 5

6 Cyber attacks against critical infrastructure State of IT-Security in the Energy Infrastructure Threats: Increase in software vulnerabilities Cloud Computing Hardware vulnerabilities Cyber attacks on industrial control systems More than 439 million Windows-malware variants Security Incidents in US, 2015: Yearly report on all critical infrastructure sectors Energy sector reported the second highest number of incidents Similar report from Australia Source: Page 6 Source:

7 Energy Concerns under Attack Example: Ukraine Page 7

8 Digital Substations are vulnerable to Cyber Attacks Threat Scenarios Substation automation threatened by DoS* Substation automation threatened by unauthorized access, malware Distribution automation threatened by insecure communication Protection threatened by malware, unsecured engineering changes Page 8

9 Field level Protection Technology Cyber Security Risks Unauthorized access: Risks with protection relays without adequate security features: Unauthorized access easily possible without password protection, in order to alter settings anonymously Endangered Operational Security Without device-side validation compromised firmware can be downloaded into device, that could harm primary topology Neglecting operational security for deployed devices / SW endangers system vulnerability Unsecured communication between device and configuration software cannot hinder sniffing / alteration of settings Settings SW PATCHES Einstell. SW Fehler! Increased chances for attackers to utilize vulnerabilities over remote access for attacks (no network segregation in device) Page 9

10 Field Level Protection Technology Deny unauthorized Access with SIPROTEC 5 Risks with protection relays without secured access control: Without password control it is easily possible to access the relays anonymously Unencrypted / weakly encrypted password handling enables sniffing Simple passwords and eternally valid passwords acquire feet over time Access Control in SIPROTEC 5 Connection password as per NERC-CIP and BDEW White Paper complexity requirements Transfer of connection password from DIGSI5 to device over secured SSL/TLS connection Secured storage of password hash in device Centralized management of password complexity, lifetime and access control for thousands of SIPROTEC 5 devices with Ruggedcom CrossBow Confirmation codes for safety-critical operations with the device All access attempts are logged securely in device and protected from being manipulated + Page 10

11 Field Level Protection Technology Avoid unsecured communication with SIPROTEC 5 Risks with protection relays without secured communication during engineering/operation: Unsecured communication between device and configuration software enables the sniffing and overwriting of protection settings Unencrypted / weakly encrypted password handling enables sniffing Danger of having relays configured using disallowed tools Secured Communication in SIPROTEC 5 Protection against sniffing and manipulation of settings / passwords: SSL/TLS encryption of the communication between DIGSI 5 and the SIPROTEC 5 device Cryptographic, two-way authentication between DIGSI 5 und SIPROTEC 5 means: Protection against usage of disallowed tools Protection against usage of SIPROTEC 5 like relays that have not been manufactured by Siemens Page 11

12 Field Level Protection Technology Avoid Endangered Operational Security with SIPROTEC 5 Negligence of operational security for already deployed devices / SW increases cyber risks: Manipulated firmware can be loaded into device due to missing device-side validation Malware on PC can influence device behavior 3 rd Party patches not compatible with products Unsecured internet connectivity increases the risks Unclear vulnerability / incident handling process High Operational Security with SIPROTEC 5 Protection against usage of manipulated logic in device thanks to cryptographically signed firmware: Validation of firmware signature prior to acceptance Validation of firmware signature at reboot DIGSI 5 is compatible with Application Whitelisting Monthly validation of DIGSI 5 compatibility with the latest 3 rd party patches (e.g. Microsoft, Adobe, etc.) and antivirus patterns Separation of process communication from management communication in device thanks to modular communication units DIGSI 5 compatible for remote/vpn connectivity Page 12 Transparent vulnerability handling over Siemens ProductCERT

13 Protection Technology High Future Readiness with SIPROTEC 5 Continuous Verification during Development Threat and risk analysis Product hardening Secure development process Ready for PKI : integrated Crypto-Chip Secure storage of cryptographic key material Cryptographic computations Physically protected against data theft Ready for future PKI* based applications *PKI: Public Key Infrastructure Page 13 Modularity for Tomorow Out-of-Band networks for today s and future applications Distribution of communication load on the device

14 Protection Technology Comprehensive Cyber Security with SIPROTEC 5 SECURED COMMUNICATION SECURED WITH SSL/TLS CLIENT/SERVER AUTHENTICATION OPERATIONAL SECURITY SIGNED FIRMWARE UPDATE APP. WHITELISTING COMPATIBILITY ACCESS CONTROL COMPLEX CONNECTION PASSWORD CENTRAL PASSWORD MANAGEMENT PRODUCTCERT 3RD PARTY PATCH MANAGEMENT VULNERABILITY HANDLING FUTURE READINESS READY FOR PKI MODULARITY FOR TOMORROW Page 14

15 Thank you for your attention! Chaitanya Bisale Product Lifecycle Manager Cyber Security & Substation Automation EM DG PRO LM SC Humboldtstr Nuremberg Phone: +49 (911) Mobile: +49 (172) siemens.com/gridsecurity Page 15