IEC A cybersecurity standard approaching the Rail IoT

Size: px

Start display at page:

Download "IEC A cybersecurity standard approaching the Rail IoT"

Christine French
6 years ago
Views:

1 IEC A cybersecurity standard approaching the Rail IoT siemens.com/communications-for-transportation

Today s Siemens company structure focusing on several businesses Siemens AG Power and Gas (PG) Energy Management (EM) Building Technologies (BT) Mobility (MO) Digital Factory (DF) Process Industries

2 Today s Siemens company structure focusing on several businesses Siemens AG Power and Gas (PG) Energy Management (EM) Building Technologies (BT) Mobility (MO) Digital Factory (DF) Process Industries and Drives (PD) Financial Services (SFS) Healthineers Siemens Gamesa Renewable Energy Rolling stock for urban and intercity rail transport Locomotives Rail automation for passenger and freight transport Regional and highspeed trains and components Digital service and maintenance AFC Network Control Power supply solutions Distributed Control System (hardware and software) and Plant Engineering Software Systems and solutions for Fiber, Mining and Cement Water solutions Offshore & Onshore production solutions Motors, converters, control units, gears Industrial communication & Identification 2

3 The Internet of things brave new world without any drawbacks? Cyber threats targeting office and industrial control systems increase and become more specialized and complex Information technologies are used in industrial automation: Horizontal and vertical integration, open standards, PC-based systems Industry 4.0 calls for the next level of connectivity (IT and OT). Production processes need a higher level of protection Cost pressure and production availability necessitate prioritized and balanced security investment Lack of expertise & resources generate need of trusted partners 51 % of companies in Germany suffered a security incident in the last two years* 51 billions loss in revenue yearly due to cyber incidents* 62% of the companies face a significant lack of qualified resources** In the next 5 years 1.5 millions posts for security experts worldwide will remain vacant, since there will not be no suitable applicants** 3 There is a significant need to identify gaps, protect assets, early detect security risks, respond to incidents and recover rapidly * Source Bitkom Research 2015 ** Source (ISC)² Center for Cyber Safety and Education's Global Information Security Workforce Study 2015

A recent incident case: Darkness in Ukraine something you don t want enter your communication network Table of events: December 2015: Hackers are attacking 3 different utility companies throughout

workstations: hackers took control of the HMI software and disable mouse and keyboard so operators cannot interfere Raiders start a DDoS attack to the call center and format all harddisks Result: 30

4 A recent incident case: Darkness in Ukraine something you don t want enter your communication network Table of events: December 2015: Hackers are attacking 3 different utility companies throughout Ukraine Workstations and SCADA systems were influenced by external sources outside normal parameters At the substations: hackers are switching of circuit breakers to interrupt the power grid In the workstations: hackers took control of the HMI software and disable mouse and keyboard so operators cannot interfere Raiders start a DDoS attack to the call center and format all harddisks Result: 30 substations were switched off, people were left without electricity for 1 to 6 hours The big lesson here is that someone actually brought down a power system through cyber means. That is an historic event, it ha never occurred before.. - Robert M. Lee, Cyber Warfare Operation Officer for the US Air Force The need for a common approach regarding a cyber security standard is given in order to prevent such incidents in industry & critical infrastructure 4

5 Buying a piece of Firewall is not enough! The 3 cornerstones of a security solution Manage Security Comprehensive security through monitoring and proactive protection: Monitor to detect indicators of compromise Manage to keep security up-to-date React fast upon security relevant threats Asset Owner Assess Security Evaluation of the current security status of an ICS environment Asset Owner Implement Security Risk mitigation through implementation of security measures for reactive protection System Integrator Product Supplier Cybersecurity involves the three major stakeholders asset owner, system integrator and product supplier in a continuous cycle of assess, implement and manage 5

6 IEC a holistic approach addressing IT and OT security The standard IEC is dedicated to the security of industrial automation and control systems (IACS). It involves the three major stakeholders in the protection of plants against cyber attacks: Asset Owner, System Integrator, Product Supplier. 1 Risk analysis A key concept of IEC is that security requires a set of coordinated measures. This approach is commonly described as defense-in-depth. 4 Validation & Improvement 2 Policies, Organizational measures The development of a security strategy should be risk-based. Risk management cycles of all stakeholders are linked. IEC will be considered with all relevant security laws e.g. German IT-law for critical infrastructure 3 Technical measures IEC establishes itself as a holistic international security framework where operator, system integrator and product supplier share a common sense about cybersecurity 6

7 Current structure of IEC / ISA Main documents to be published IEC / ISA General Policies and procedures System Component 1-1 Terminology, concepts and models 1-2 Master glossary of terms and abbreviations 2-1 Requirements for an IACS security management system Ed.2.0 Profile of ISO / Security technologies for IACS 3-2 Security risk assessment and system design 4-1 Product development requirements 4-2 Technical security requirements for IACS products 1-3 System security compliance metrics 1-5 Protection Levels 2-3 Patch management in the IACS environment 2-4 Requirements for IACS solution suppliers 3-3 System security requirements and security levels Definitions Metrics Requirements placed on security organization and processes of the plant owner and suppliers Requirements to achieve a secure system Requirements to secure system components Functional requirements Processes 7

IEC 62443 addresses all stakeholders for a holistic protection concept On site / site specific Industrial Automation and Control System (IACS) Parts of IEC 62443 Asset Owner Service Provider operates

8 IEC addresses all stakeholders for a holistic protection concept On site / site specific Industrial Automation and Control System (IACS) Parts of IEC Asset Owner Service Provider operates and maintains Operational policies and procedures Maintenance policies and procedures System Integrator designs and deploys Control functions Automation solution Safety functions Complementary functions Off site Product Supplier develops products 8

9 Assess Security in the context of IEC With a risk-based approach Assess Security entails the comprehensive analysis of threats and vulnerabilities, the identification of risks and the recommendation of security measures. 9

IEC 62443 assessment based on security functionalities and processes Based Security on IEC 62443-2-4 process and ISO 27001 Maturity Level 1-4 Security assessment result Security functionalities Based

10 IEC assessment based on security functionalities and processes Based Security on IEC process and ISO Maturity Level 1-4 Security assessment result Security functionalities Based on IEC Security Level 1-4 ML 4 ML 3 ML 2 Process controlled, continuously improved SL 4 SL 3 SL 2 Intentional violation with extended resources ML 1 Process poorly controlled and reactive SL 1 Casual or coincidental violation 10

Implement Security in the context of IEC 62443 To minimize the risk Implement Security

11 Implement Security in the context of IEC To minimize the risk Implement Security means the implementation of protective measures to raise the security level of the system 11

Training & Policy DMZ Firewalls & VPN Systemhardening

12 Implementation of possible security measures acc. IEC Customer facility Implementation elements Training & Policy DMZ Firewalls & VPN Systemhardening Usermanagement Patch Management Virusscan & Whitelisting 12

Manage Security in the context of IEC 62443 For comprehensive, continuous protection

13 Manage Security in the context of IEC For comprehensive, continuous protection Manage Security means the continuous monitoring and updating of implemented measures 13

14 The Siemens PD offer for Cybersecurity regarding IEC Security integrated Firewalls Intrusion Detection RADIUS Client Port security x User Authentification & Management VPN IPSec Check point security Network Monitoring Firewalls Network Remote The development process of products above are certified by TUV based on IEC

Siemens is your trusted partner for Industrial Communication Networks We understand Digitalization We understand your Industry We understand

15 Siemens is your trusted partner for Industrial Communication Networks We understand Digitalization We understand your Industry We understand Industrial Communication We understand Security We have a proven track record Let us help you build a reliable communication base to drive Digitalization! 15

16 Security information Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial security concept. Siemens products and solutions constitute one element of such a concept. Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks. Such systems, machines and components should only be connected to an enterprise network or the internet if and to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls and/or network segmentation) are in place. For additional information on industrial security measures that may be implemented, please visit Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used. Use of product versions that are no longer supported, and failure to apply the latest updates may increase customer s exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under industrialsecurity. 16

17 Thank you for your attention! Siemens PD PA S&V CI VSD Vertical Sales Development Transportation Gleiwitzer Str Nuremberg, Germany Mobile: siemens.com 17

Plant Security Services Protecting productivity in the digital era October

Plant Security Services Protecting productivity in the digital era October2017 Restricted www.siemens.com/plant-security-services Internet of (hacked) Things Page 2 Use case - No OT cybersecurity company