Plant Security Services Protecting productivity in the digital era October2017 Restricted www.siemens.com/plant-security-services
Internet of (hacked) Things Page 2
Use case - No OT cybersecurity company standard - Legal compliance - Existing OT cybersecurity company standard Page 3
Defense in Depth The Siemens security concept for Industrial Security The Siemens security concept Siemens products and systems offer integrated security Defense in Depth Know how and copy protection Authentication and user management Firewall and System VPN (Virtual hardening Private Network) Siemens Plant Security Services Page 4
Plant Security Services Portfolio aligned with Risk Management methodology Assess Security Evaluation of the current security status of an ICS environment Manage Security Comprehensive security through monitoring and proactive protection: Monitor to detect indicators of compromise Manage to keep security up-to-date React fast upon security relevant threats Implement Security Risk mitigation through implementation of security measures for reactive protection Page 5
Success Stories Pohjolan Voima (PVO) IEC 62443 assessment to patch cyber security gaps Challenge Solution Existing system does not meet modern cyber security standards No regular updates of routines in the old systems when new systems have been deployed Avoidance of intentional and unintentional malfunctions caused by security threats Protection against phishing of valuable information and espionage Deploy the assessment to identify security gaps and measures for risk mitigation based on IEC 62443 Investigation of the system s technological cyber security properties (e.g. user and access management, operation logs, level of back-up procedures, data encryption) Analysis of cyber security processes and instructions, such as the ability to react to threats Profile Pohjolan Voima was established in 1943 and produces electricity and heat to its shareholders with hydropower and thermal power. Customer benefit Different perspective than in-house assessments through an external expert Compliance with security requirements set for the business Achieving the desired higher maturity level of Industrial Security Page 6
Assess Security following a risk-based approach Assess Security covers a holistic analysis of threats and vulnerabilities, the identification of risk and recommendations of security measures to close the identified gaps Page 7
Patch & Vulnerability Management Managing vulnerabilities and critical updates in Microsoft products? = X Customer s challenge In 90% of attacks in 2014, old vulnerabilities that already had patches available were leveraged some of which were more than decade old 1 Patches contribute toward stable system operation and/or eliminate known security vulnerabilities. Regular and prompt installation of patches represents a vital element of a comprehensive security concept Patching with an incompatible patch can cause unplanned downtimes Common approach Customer has to release the Microsoft patches manually on a WSUS, based on Siemens SIMATIC PCS 7 compatibility excel sheet or No patching is performed at all or No WSUS server is used, but patches are downloaded directly by the endpoints Other customer specific solutions (e.g. usage of 3rd party software) are possible Weak points of common approach Possibility of system disruption due to missing consideration of compatibility Possibility of security incident due to obsolete patch status Possibility of failures due to manual work Need to manual check for updated excel sheet on Siemens Website Labor intensive process (monthly occurring) Goal Support customers by testing SIMATIC PCS 7 with Microsoft security and critical patches when new patches are released in order to check the compatibility of the PCS 7 software with these patch classifications 2 and providing metadata about approved patches at the customer site 1) Source CNN Money 2) Only "Security Patches" and "Critical Patches" are necessary to ensure that SIMATIC PCS 7 operation is secure and stable Page 8
Security Information Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial security concept. Siemens products and solutions only form one element of such a concept. Customer is responsible to prevent unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place. Additionally, Siemens guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit http://www.siemens.com/industrialsecurity. Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly recommends to apply product updates as soon as available and to always use the latest product versions. Use of product versions that are no longer supported, and failure to apply latest updates may increase customer s exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under http://www.siemens.com/ industrialsecurity. Page 9
Thank you for your attention! Siemens AG Digital Factory DF CS DS Postbox 3240 91050 Erlangen GERMANY siemens.com/plant-security-services Page 10