Industrial Security Getting Started

Size: px

Start display at page:

Download "Industrial Security Getting Started"

Judith Palmer
5 years ago
Views:

1 Industrial Security Getting Started Unrestricted Siemens A/S siemens.com/industrial-security

2 Agenda 09:00 - Getting started. The Framework 10:00 - Coffee break 10:15 - Patch Management, Asset and Network Management, Network design and Secure Cells 11:15 - Coffee break 11:30 - Hardening, Authentication and User Management, security Services, 12:30 - Lunch break and dialogue with the specialists

3 Countermeasures Hardening

4 Hardening Windows based systems SCADA Controllers and I/O Network Components One size doesn't fits all Page 4

5 Hardening Network components - examples How? User Management Use Radius Use VLAN Disable DCP and SNMP write Broadcast limitation Disable unused ports Enable SNMP V3 Page 5

6 Hardening Network components - examples How? Keep it simple Physical locks Page 6

7 Hardening Network components FR 7 Resource availability SRs und REs SL 1 SL 2 SL 3 SL 4 SR 7.1 Denial of service protection SR 7.1 RE 1 Manage communication loads SR 7.1 RE 2 Limit DoS effects to other systems or networks Page 7

8 Securing robustness Loop Detection and broadcast limitation Production network Broadcast limitation A remote loop is detected when LD frames are received at the sender port Remote loop A local loop is detected when LD frames are received at a different port from the correct sender port Local loop Loop detection configured at sender ports Page 8

9 Hardening of SCALANCE Checklist for hardening of SCALANCE products Page 9 More info:

10 Hardening Bulk Engineering Demo

11 Hardening Controllers and How? User Management Password Know how Protection Encryption Data Management Page 11

12 Authentication and use administration FR 3 System integrity SRs und REs SL 1 SL 2 SL 3 SL 4 SR 3.1 Communication integrity SR 3.1 RE 1 Cryptographic integrity protection Page 12

13 SCADA Controller communication via OPC And standard setup SCADA Controller Page 13

14 SCADA Controller communication Via imbedded Firewall 3. Part SCADA Via Security CP-Cards or Controller: Controller S7-1500, ET 200SP CPU PLCSIM Adv. S7 400 via CP OPC-UA Page 14

15 SCADA Controller communication Via OPC UA Access possible Write access possible SCADA, OPC UA server Controller, OPC UA client Page 15

16 OPC UA Well structured Whitepaper Page 16 More info:

17 Controller/Controller communication Via Open User communication Controller Encrypted Open User communication: S ET 200SP CPU Controller Page 17

18 Open User Communication Demo

19 Knowhow protection Page 19

20 Authentication anduser Management Integrated Security engineering

21 Authentication and use administration FR 1 Identification and authentication control SRs und REs SL 1 SL 2 SL 3 SL 4 SR 1.1 Human user identification and authentication SR 1.1 RE 1 Unique identification and authentication SR 1.1 RE 2 Multifactor authentication for untrusted networks SR 1.1 RE 3 Multifactor authentication for all networks Page 21

22 Passwords Page 22

User Management and Access Control UMAC and Option UMC Cooperation UMAC: User Management and Access Control Built-in functionality in TIA Portal Allows personalized access to TIA Portal projects

23 User Management and Access Control UMAC and Option UMC Cooperation UMAC: User Management and Access Control Built-in functionality in TIA Portal Allows personalized access to TIA Portal projects Define project users, roles and assign them UMAC TIA Portal V15 UMAC TIA Portal V15 UMC: User Management Component Extends UMAC by optional use Manages users/groups outside TIA Portal projects Import of needed UMC users/groups into TIA Portal projects Assigning project roles to them Authenticates UMC users logins afterwards Option UMAC TIA Portal V15 UMC Windows AD UMAC TIA Portal V15 Page 23

24 User Management and Access Control UMAC What is it aiming for? Security: Protection of industrial machines/plants Personalized Access instead of Password Access Unauthorized Access is prevented (Password) User Name Password Efficiency: Centralized management Of Users in a project or even for multiple projects Of Roles summarizing Function Rights of products Assignment of Users/Groups to Role/s Substitutes product-local solutions Everyone is allowed to do all Product Product Only qualified people are allowed Product Product Function Function Function Function x x x x Role x x x x x x x Role Role Role Page 24

25 Authentication and use administration in TIA-portal User/Group Engineering Users Windows Active Directory User groups UMC Domain 1 n UMC R-Server UMC R-Server UMC Server User Authentication Login Win PC Win PC Win PC User Password ********** OK Page 25

26 Hardening Windows based system How? User Management Use Anti Virus Use Whitelisting And Windows firewall Page 26

27 Whitelisting Protection by blocking unknown applications How does whitelisting work? Execution of application approved Plant system with whitelisting application control Attempt to execute application/ software Comparison with whitelist Execution of application denied Page 27

28 Protection by antivirus or whitelisting Comparison: antivirus and whitelisting Not dependent on signatures Protection possible without virus signatures Regular software updates Internet connection required for updates Commissioning and setup Amount of effort for initial commissioning Maintenance outlay Outlay after modifications to machines Maximum service life of operating system Usability after end-of-life Antivirus No Yes Low None No Whitelisting Yes No Medium Medium Yes Necessary to upgrade operating system when support ends Yes No Required system resources System utilization on target system Medium Low Page 28

compatibility with the latest versions of the

29 Antivirus and Whitelisting Working with partners McAfee Total Protection Trend Micro Office Scan Symantec Endpoint Protection Before new software versions are released, their compatibility with the latest versions of the following virus scanners are whitelistning sw. are tested! Page 29

30 Virus scanners and Whitelisting In a SIMATIC environment Page 30 More info:

31 Logging, Monitoring anddetection of attacks

32 Authentication and use administration FR 2 Use control SRs und REs SL 1 SL 2 SL 3 SL 4 SR 2.8 Auditable events SR 2.8 RE 1 Centrally managed, system-wide audit trail Page 32

33 Logging How and why? Administrator check for Syslog messages Troubleshooting / monitoring Administrator Networked Devices Syslog Message send to Syslog Server Syslog Server Syslog Server sends Alerts to Administrator Page 33

34 Logging Sending Syslog messages with a SIMATIC S7 CPU Page 34 More info:

35 Authentication and use administration FR 2 Use control SRs und Res SL 1 SL 2 SL 3 SL 4 SR 2.11 Timestamps SR 2.11 RE 1 Internal time synchronization SR 2.11 RE 2 Protection of time source integrity Page 35

00110101001110010011010010110110101001010100111000101110110010101001001001001

36 What time is it? Network Time Protocol (NTP) NTP client & server NTP Server on the Internet or via GPS Prerequisites for Syslog and also Certificate based communication.. Page 36

37 Network Time Protocol (NTP) Client and Server LOGO! CRM2020 Support Network Time Protocol (NTP), Time-of-day synchronization The time of the LOGO! 8 basic unit can be set by transferring the received time from LOGO! CMR by UTC-Time of an accessible NTP-Server Time of the GPS-Signal or the cellular network providers Page 37 More info:?????????

38 It s asystem Asset and Network Management +

39 Asset and Network Management + Even more. SINEC NMS Control SINEC NMS Operation Page 39 More info:

40 Asset and Network Management + Architecture of SINEMA Server Network Monitoring SINEMA Server SINEMA Server SINEMA Server SINEMA Server SINEMA Server Page 40 More info:

41 Asset and Network Management + Architecture of SINEC NMS Network Monitoring Operation Operation CONTROL Policy based network configuration Operation Operation Firmware management Device backup management Operation Role-based access control / UMC Page 41 More info:

42 Asset and Network Management + SINEC NMS..based on an ISO framework! OT IT Fulfillment of current security guidelines according to IEC Page 42

43 SINEC NMS Provides Visibility SINEC NMS Discovery Asset Inventory All devices Vendor Firmware Versions Owner Online View (updated regularly) Base for Security Page 43

44 Visibility Example Page 44

45 SINEC NMS Provides Policy-based Security Configuration Policies are defined by skilled personnel Security configuration according to policies Password Management Scheduled Backups Firmware Updates Automatic Rollout is scheduled For specific devices or areas At a given time (in sync with maintenance windows) Configuration is applied automagically Intelligent Optimized based on Topology Information Page 45

46 Security Configuration Example Page 46

47 SINEC NMS Provides Security Reporting Functionality Syslog Protocol Reporting System (e.g. SIEM, Security KPIs) OPC UA, JSON, CSV, Device Syslog Configuration Apply Available Info in SINEC NMS Events SINEC NMS Reports Inventory, Trend Charts, Performance Generate SINEC NMS Validation Availability, Bandwidth utilization, Security configuration more than 20 validation criteria Page 47

48 Asset and Network Management + SINEC NMS Centralized user management Centralized system management Role based access control Event notifications ( ) OPC UA interface Integration into HMI Page 48

49 Asset and Network Management + SINEC NMS Topology detection and monitoring PROFINET diagnosis Redundancy diagnosis PLC monitoring (S7-300,S7-400) General network device diagnostic Page 49

50 Asset and Network Management + SINEC NMS Firmware management and roll out Config backup/edit/compare/restore Port parameter configuration WLAN access point configuration General device configuration Page 50

51 Asset and Network Management + SINEC NMS Device inventory Page 51

52 Asset and Network Management + SINEC NMS Monitoring port statistics Global availability reporting Page 52

53 Asset and Network Management + SINEC NMS Device hardening Device credential management Validation reports Enable devices for radius Based on IEC Page 53

54 Countermeasures Security Services

55 Assess Security following a risk-based approach Assess Security covers a holistic analysis of threats and vulnerabilities, the identification of risk and recommendations Industrial Security Assessment IEC Assessment ISO Assessment Risk and Vulnerability Assessment* Page 55

56 The IEC Assessment Enable you making informed decisions Processes Technology We evaluate the maturity of organizational processes and work instructions towards cyber security risk mitigation IEC We evaluate your installed base and system architecture to find gaps regarding the IEC standard IEC Deliverables IEC62443 compliance report Recommendations for risk mitigation controls Roadmap (standardized) of how to implement cyber security Page 56

57 The IEC Assessment The Report Page 57

Advanced solutions Detection Prevention NGFW Next

security services and zones DPI Deep Packet

protocols specific commands (e.g. S7, 61850, Modbus.

58 Advanced solutions Detection Prevention NGFW Next Generation Firewall Application level detection and protection (e.g. Malware monitoring) Scalable management for multiple security services and zones DPI Deep Packet Inspection IDS + Deep Packet Inspection for protocols specific commands (e.g. S7, 61850, Modbus... IDS Intrusion Detection Statistical and behavioral algorithms Non-intrusive, non- signature based Page 58

59 Recap Hardening of all products are crucial Authentication and user management is a cornerstone iniec62443 We can offer Solutions, Consulting, Assessments and Services

60 And now the Quiz Kahoot.it Play

61 Lunch and Thank you for your Attention

Contact information Name Phone email Per Krogh Christiansen +4540426239 per.

kristiansen@siemens.com Morten Kromann +45 2037 3508 morten.kromann@siemens.

62 Contact information Name Phone Per Krogh Christiansen Jesper Kristiansen Morten Kromann Lars Peter Hansen Page 62 11/29/2017

63 Security information Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial security concept. Siemens products and solutions only form one element of such a concept. The customer is responsible for preventing unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the Internet where necessary and with appropriate security measures (e.g., use of firewalls and network segmentation) in place. Additionally, Siemens' guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly recommends applying product updates as soon as they are available, and always using the latest product version. Using versions that are obsolete or are no longer supported can increase the risk of cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed at Page 63

Protecting productivity with Industrial Security Services

Protecting productivity with Industrial Security Services Identify vulnerabilities and threats at an early stage. Take proactive measures. Achieve optimal long-term plant protection. usa.siemens.com/industrialsecurityservices