Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Transcription

1 - Protecting productivity Industrial Security in Pharmaanlagen siemens.com/industrialsecurity

2 Security Trends Globally we are seeing more network connections than ever before Trends Impacting Security Cloud Computing approaches Increased use of Mobile Devices Wireless Technology Reduced Personnel Requirements Smart Grid The worldwide and remote access to remote plants, remote machines and mobile applications The Internet of Things Source: World Economic Forum, 50 Global Risks Page

3 The corporate security chain is only as strong as its weakest link Security Can Fail at Any of these Points Employee Smartphone Laptops PC workstations Network infrastructure Mobile storage devices Tablet PC Computer center Policies and guidelines Printer Production systems Page

4 Cyber vulnerabilities can affect your plant at many level The Need to Act Because of Cyber Security Vulnerabilities Loss of intellectual property, recipes, Sabotage of production plant Plant downtime e.g. caused by virus and malware Manipulation of data or of application software Unauthorized use of system functions Regulations and standards for industrial security require Controls Regulations: FDA, NERC CIP, CFATS, CPNI, KRITIS Standards: ISA 99, IEC Page

5 IEC 63443, Defense-in-Depth The Siemens Approach Page

6 IACS, automation solution, control system Industrial Automation and Control System (IACS) Asset Owner Service Provider operates and maintains Operational policies and procedures Maintenance policies and procedures System Integrator designs and deploys Basic Process Control System (BPCS) Automation solution Safety Instrumented System (SIS) Complementary Hardware and Software IACS environment / project specific is the base for Product Supplier develops control systems develops components Embedded devices Control System as a combination of components Network components Host devices Applications Independent of IACS environment Page

7 Various parts of IEC / ISA are addressing Defense in Depth IACS environment / project specific AO SP SI PS Independent of IACS environment Page

8 Each stakeholder can create vulnerabilities Example User Identification and Authentication Asset Owner Service Provider System Integrator IACS environment / project specific operates and maintains can create weaknesses designs and deploys can create weaknesses Industrial Automation and Control System (IACS) Operational policies and procedures Maintenance policies and procedures Basic Process Control System (BPCS) + Automation solution Safety Instrumented System (SIS) is the base for Complementary Hardware and Software Invalid accounts not deleted / deactivated Non confidential passwords Passwords not renewed Temporary accounts not deleted Default passwords not changed Product Supplier Independent of IACS environment develops control systems can create weaknesses develops components Embedded devices Control System as a combination of components Network components Example: User Identification and Authentication Host devices Applications Elevation of privileges Hard coded passwords Page

9 IACS, automation solution, control system Industrial Automation and Control System (IACS) Asset Owner Service Provider operates and maintains Operational policies and procedures Maintenance policies and procedures System Integrator designs and deploys Basic Process Control System (BPCS) Automation solution Safety Instrumented System (SIS) Complementary Hardware and Software IACS environment / project specific Siemens is product and solution supplier is the base for Product Supplier develops control systems develops components Embedded devices Control System as a combination of components Network components Host devices Applications Independent of IACS environment Page

10 IEC 63443, Defense-in-Depth The Siemens Approach Page

11 The Defense in Depth Concept Plant security Physical access protection Processes and guidelines Security service protecting production plants Security threats demand action Network security Cell protection, DMZ and remote maintenance Firewall and VPN System integrity System hardening Authentication and use administration Patch management Detection of attacks Integrated access protection in automation Security solutions in an industrial context must take account of all protection levels Page

12 The Siemens solution for plant security Plant Security Network security System integrity Page

13 Security Management Security Management Process Risk analysis with definition of mitigation measures 1 Risk analysis Setting up of policies and coordination of organizational measures Coordination of technical measures Regular / event-based repetition of the risk analysis 4 Validation & improvement 3 Technical measures 2 Policies, Organizational measures Security Management is essential for a well thought-out security concept Page

14 Siemens Plant Security Services Complete service portfolio aligned with Risk Management methodology Step 1: Assess Information about the security status and development of a security roadmap Step 2: Implement Planning, development and implementation of a holistic cyber security program Step 3: Manage Continuous security through detection and proactive protection Vulnerability analysis Gap analysis Threat analysis Risk analysis Cyber security training Development of security strategies and procedures Implementation of security technology Continuous operations Detection and resolution of incidents Fast adaptation to changing threats Page

15 Siemens Cyber Security Operations Center Continuous & proactive protection for your ICS environment Analysts proactively monitor vulnerability and cyber threat activity globally, to deliver real-time communication alerts and advisories When global threat intelligence indicates an elevated risk, A Cyber Security Operations Center defines and delivers the appropriate proactive defensive measures If an incident is detected on your ICS environment, the Cyber Security Operations Center will coordinate the incident response consisting of investigation, forensic analysis, and remediation Subscribed Customer Subscribed Customer Cyber Security Operations Center (CSOC) Patch & Vulnerability management support; mitigation analysis Monitoring Next-Generation Firewall Management Quarterly Firewall Rule Review On-demand Incident Handling Remediation support by a security engineer tailored to severity of incident, impact on your environment, and your business needs Subscribed Customer Plants Page

16 The Siemens solution for network security Plant security Network Security System integrity Page

17 Network Security Essential Network Security use cases Demilitarized zone (DMZ) Network services for secure and unsecure network Prevent direct connections A security module controls the access Unsecure zone DMZ zone Secure zone Remote access Remote programming, and monitoring Access via internet and mobile networks Encryption and secured access via VPN Secure redundancy Higher reliability and availability of secure connection Security modules in synchronized standby mode MRP ring (CU or fiber optic) Cell protection System is divided into separated cells All communication into the cells is controlled Communication is secured by firewall mechanisms Page

18 Security Integrated Overview Siemens products with Security Integrated provide security features such as integrated firewall, VPN communication, access protection, protection against manipulation. Page

19 Introduction 3 Application Examples 20 Page

20 Overview: Application Examples Network Security Adapted measures for production Network Access Control Interface to IT networks: Secure architecture with DMZ (SCALANCE S623) Secure Remote Access via Internet Local network access (port security) via device and user authentication (SCALANCE S) Redundancy Protection of redundant network topologies and secure redundant connection of underlying networks or rings with S627-2M Cell Protection Risk mitigation through network segmentation Extension of the cell protection concept with Security PC- and S7-CPs (CP1628, CP343-1 Adv., CP443-1 Adv., CP1543-1) Use of secure communication protocols (e.g. https) prevent espionage and manipulation Products with firewall or VPN functionality Page

21 Protection and segmenting through firewalls with SCALANCE S Task Parts of the system, which represent a logical unit and sometimes even come from different suppliers, should have only as many connections to one another as are absolutely necessary. Solution SCALANCE S is placed before an automation cell, thereby segmenting the network and reducing communication through firewall rules on the permitted connections. Page

22 Construction of a demilitarized zone (DMZ) e.g. for data server access with SCALANCE S623 Task Network users (e.g. MES servers) should be reachable from the secure and nonsecure network without creating a direct connection between the networks. Solution A DMZ can be established on the yellow port with the SCALANCE S623, in which the aforementioned server can be placed. Page

23 The Siemens solution for network security Plant security Network security System integrity Page

24 SIMATIC S7-1200, S and the TIA Portal Security Highlights The SIMATIC S V4, S and the TIA Portal provide several security features: Increased Know-How Protection in STEP 7 Protection of intellectual property and effective investment: Password protection against unauthorized opening of program blocks in STEP 7 and thus protection against unauthorized copying of e.g. developed algorithms Password protection against unauthorized evaluation of the program blocks with external programs from the STEP 7 project from the data of the memory card from program libraries Increased Copy Protection Protection against unauthorized reproduction of executable programs: Binding of single blocks to the serial number of the memory card or PLC Protection against unauthorized copying of program blocks with STEP 7 Protection against duplicating the project saved on the memory card Page

25 SIMATIC S7-1200, S and the TIA Portal Security Highlights The SIMATIC S V4, S and the TIA Portal provide several security features: Increased Access Protection (Authentication) Extensive protection against unauthorized project changes: New degree of Protection Level 4 for PLC, complete lockdown (also HMI connections need password) * Configurable levels of authorization (1-3 with own password) For accessing over PLC and Communication Module interfaces General blocking of project parameter changes via the built-in display Expanded Access Protection Extensive protection against unauthorized project changes: Via Security CP by means of integrated firewall and VPN communication Increased Protection against Manipulation Protection of communication against unauthorized manipulation for high plant availability: Improved protection against manipulated communication by means of digital checksums when accessing controllers Protection against network attacks such as intrude of faked / recorded network communication (replay attacks) Protected password transfer for authentication Detection of manipulated firmware updates by means of digital checksums * Optimally supported by SIMATIC HMI products and SIMATIC NET OPC Server Page

26 SIMATIC S7-300, S7-400 and the TIA Portal Security Highlights For SIMATIC S7-300 and S7-400 the TIA Portal provides several security features to protect your investment against unauthorized reading and copying: Download STEP7 Program block Upload Increased Know-how Protection for Programs Prevents reading, content copying and unnoticed changes of program blocks Protects program blocks in the engineering project and in the controller Program block protection in projects and libraries S7-Controller Program block Programmable Copy Protection Know-how protected programs can be expanded by copy protection Comparison with a given serial number of a memory card or CPU Page

27 SIMATIC PCS 7 Security you trust Potential Attack DCS/ SCADA* Customer Requirement Protection against: Loss of Control Plant Downtime Product Quality Environmental Impact Our Solution SIMATIC PCS 7 Reducing Your Risk Defense-in-Depth Strategy Segmentation / Security Cells Secure Access Points User Authentication Secure Communication Patch Management System Hardening Virus Scanner Whitelisting *DCS: Distributed Control System SCADA: Supervisory Control and Data Acquisition Page

28 Siemens Vertical Expertise: Pharmaceutical Pharmaceutical Environment Product Quality Reduced Time-to-Market Production Flexibility Different Equipment Suppliers Meeting Regulations (FDA) Industrial Security provides Increased Plant Availability Secure User Access Secure Plant Communications Industrial Security to keep your plant running securely Page

29 Thank you for your attention! Dr. Pierre Kobes Product and Solution Security Officer PD TI AT siemens.com/industrialsecurity Page