Protecting productivity: Industrial Security in pharmaceutical plants
siemens.com/industrialsecurity
Security Trends
Globally we are seeing more network connections than ever before.
Trends impacting security:
- Cloud computing approaches
- Increased use of mobile devices
- Wireless technology
- Reduced personnel requirements
- Smart grid
- Worldwide and remote access to remote plants, remote machines and mobile applications
- The Internet of Things
Source: World Economic Forum, 50 Global Risks
Page 2 2016-03-10
The corporate security chain is only as strong as its weakest link
Security can fail at any of these points:
- Employee
- Smartphone
- Laptops
- PC workstations
- Network infrastructure
- Mobile storage devices
- Tablet PC
- Computer center
- Policies and guidelines
- Printer
- Production systems
Cyber vulnerabilities can affect your plant at many levels
The need to act because of cyber security vulnerabilities:
- Loss of intellectual property, recipes
- Sabotage of production plant
- Plant downtime, e.g. caused by viruses and malware
- Manipulation of data or of application software
- Unauthorized use of system functions
Regulations and standards for industrial security require controls:
- Regulations: FDA, NERC CIP, CFATS, CPNI, KRITIS
- Standards: ISA 99, IEC 62443
IEC 62443, Defense-in-Depth: The Siemens Approach
IACS, automation solution, control system
IACS environment / project specific:
- Asset Owner (operates and maintains the Industrial Automation and Control System, IACS): operational policies and procedures
- Service Provider: maintenance policies and procedures
  (IEC 62443 parts 2-1, 2-4, 2-3)
- System Integrator (designs and deploys): the automation solution = Basic Process Control System (BPCS) + Safety Instrumented System (SIS) + complementary hardware and software (parts 2-4, 3-3, 3-2)
Independent of IACS environment:
- Product Supplier: develops control systems (a control system as a combination of components) and components (embedded devices, network components, host devices, applications) (parts 3-3, 4-2, 4-1)
The product supplier's control systems and components are the base for the automation solution.
Various parts of IEC / ISA-62443 address Defense in Depth
- IACS environment / project specific: Asset Owner (AO), Service Provider (SP), System Integrator (SI)
- Independent of IACS environment: Product Supplier (PS)
Each stakeholder can create vulnerabilities. Example: user identification and authentication
IACS environment / project specific:
- Asset Owner and Service Provider (operate and maintain the IACS: operational and maintenance policies and procedures) and System Integrator (designs and deploys the automation solution: BPCS + SIS + complementary hardware and software) can create weaknesses such as:
  - Invalid accounts not deleted / deactivated
  - Non-confidential passwords
  - Passwords not renewed
  - Temporary accounts not deleted
  - Default passwords not changed
Independent of IACS environment:
- Product Supplier (develops control systems and components: embedded devices, network components, host devices, applications) can create weaknesses such as:
  - Elevation of privileges
  - Hard-coded passwords
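The account-management weaknesses listed for the operating side can be checked mechanically against a user-account export. The following audit is an added example, not Siemens code; the account records, the 90-day password age limit and the list of vendor default passwords are constructed here for illustration.

```python
"""Audit a user-account export for the weaknesses the slide lists.
Added example, not Siemens code; records, the 90-day limit and the default
password list are constructed. "Non-confidential passwords" is not detectable
from an export and is left to policy and training."""
import hashlib
from datetime import date, timedelta

PASSWORD_MAX_AGE_DAYS = 90  # assumed policy value

def _h(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

# constructed: digests of passwords documented as factory defaults (assumed list)
DEFAULT_PASSWORD_HASHES = {_h(p) for p in ("admin", "password", "12345678")}

# constructed sample export: one dict per account, password kept only as a digest
ACCOUNTS = [
    {"user": "operator1", "active": True, "employed": True, "temporary": False,
     "expires": None, "pw_changed": date(2016, 1, 15), "pw_hash": _h("Xk9!rq2m")},
    {"user": "contractor7", "active": True, "employed": False, "temporary": True,
     "expires": date(2015, 12, 31), "pw_changed": date(2015, 6, 1), "pw_hash": _h("Tmp#2015")},
    {"user": "service", "active": True, "employed": True, "temporary": False,
     "expires": None, "pw_changed": date(2014, 3, 3), "pw_hash": _h("admin")},
]

def audit_accounts(accounts, today, max_age_days=PASSWORD_MAX_AGE_DAYS,
                   default_hashes=DEFAULT_PASSWORD_HASHES):
    """Return {user: [finding, ...]} for every account with at least one weakness."""
    findings = {}
    for acct in accounts:
        issues = []
        # "Invalid accounts not deleted / deactivated": owner has left, account still active
        if acct["active"] and not acct["employed"]:
            issues.append("invalid account still active")
        # "Temporary accounts not deleted": expiry date passed, account still present
        if acct["temporary"] and acct["expires"] and acct["expires"] < today:
            issues.append("temporary account past expiry")
        # "Passwords not renewed": last change older than the policy maximum
        if today - acct["pw_changed"] > timedelta(days=max_age_days):
            issues.append("password older than %d days" % max_age_days)
        # "Default passwords not changed": digest matches a documented factory default
        if acct["pw_hash"] in default_hashes:
            issues.append("default password in use")
        if issues:
            findings[acct["user"]] = issues
    return findings

def audit_sample():
    """Run the audit over the constructed export as of the slide's date."""
    return audit_accounts(ACCOUNTS, date(2016, 3, 10))
```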
IACS, automation solution, control system: Siemens is product and solution supplier
- IACS environment / project specific: Asset Owner (operates and maintains; operational policies and procedures) and Service Provider (maintenance policies and procedures) (parts 2-1, 2-4, 2-3); System Integrator (designs and deploys) the automation solution: Basic Process Control System (BPCS) + Safety Instrumented System (SIS) + complementary hardware and software (parts 2-4, 3-3, 3-2)
- Independent of IACS environment: Product Supplier develops control systems (a control system as a combination of components) and components (embedded devices, network components, host devices, applications) (parts 3-3, 4-2, 4-1); these are the base for the automation solution
Siemens' role in this model covers the product supplier side and the automation solution.
IEC 62443, Defense-in-Depth: The Siemens Approach
The Defense in Depth concept
Security threats demand action. Security solutions in an industrial context must take account of all protection levels:
- Plant security: physical access protection; processes and guidelines; security services protecting production plants
- Network security: cell protection, DMZ and remote maintenance; firewall and VPN
- System integrity: system hardening; authentication and user administration; patch management; detection of attacks; integrated access protection in automation
The Siemens solution for plant security
(Plant security | Network security | System integrity)
Security Management
Security management process:
1. Risk analysis: risk analysis with definition of mitigation measures
2. Policies, organizational measures: setting up of policies and coordination of organizational measures
3. Technical measures: coordination of technical measures
4. Validation & improvement: regular / event-based repetition of the risk analysis
Security management is essential for a well thought-out security concept.
Siemens Plant Security Services
Complete service portfolio aligned with risk management methodology:
- Step 1: Assess. Information about the security status and development of a security roadmap: vulnerability analysis, gap analysis, threat analysis, risk analysis
- Step 2: Implement. Planning, development and implementation of a holistic cyber security program: cyber security training, development of security strategies and procedures, implementation of security technology
- Step 3: Manage. Continuous security through detection and proactive protection: continuous operations, detection and resolution of incidents, fast adaptation to changing threats
Siemens Cyber Security Operations Center (CSOC)
Continuous & proactive protection for your ICS environment:
- Analysts proactively monitor vulnerability and cyber threat activity globally to deliver real-time communication, alerts and advisories.
- When global threat intelligence indicates an elevated risk, the Cyber Security Operations Center defines and delivers the appropriate proactive defensive measures.
- If an incident is detected in your ICS environment, the Cyber Security Operations Center coordinates the incident response, consisting of investigation, forensic analysis and remediation.
Services delivered by the CSOC to subscribed customers and their plants:
- Patch & vulnerability management support; mitigation analysis
- Monitoring
- Next-generation firewall management
- Quarterly firewall rule review
- On-demand incident handling: remediation support by a security engineer, tailored to the severity of the incident, the impact on your environment and your business needs
The Siemens solution for network security
(Plant security | Network security | System integrity)
Network Security
Essential network security use cases:
- Demilitarized zone (DMZ): network services for the secure and the unsecure network; prevents direct connections; a security module controls the access (unsecure zone / DMZ zone / secure zone)
- Remote access: remote programming and monitoring; access via internet and mobile networks; encryption and secured access via VPN
- Secure redundancy: higher reliability and availability of the secure connection; security modules in synchronized standby mode; MRP ring (copper or fiber optic)
- Cell protection: the system is divided into separated cells; all communication into the cells is controlled; communication is secured by firewall mechanisms
Security Integrated: Overview
Siemens products with Security Integrated provide security features such as an integrated firewall, VPN communication, access protection and protection against manipulation.
Agenda
- Introduction (page 3)
- Application Examples (page 20)
Overview: Application Examples
Network security: adapted measures for production
- Network Access Control: interface to IT networks: secure architecture with DMZ (SCALANCE S623); secure remote access via Internet; local network access (port security) via device and user authentication (SCALANCE S)
- Redundancy: protection of redundant network topologies and secure redundant connection of underlying networks or rings with S627-2M
- Cell Protection: risk mitigation through network segmentation; extension of the cell protection concept with Security PC and S7 CPs (CP1628, CP343-1 Adv., CP443-1 Adv., CP1543-1); use of secure communication protocols (e.g. HTTPS) prevents espionage and manipulation
- Products with firewall or VPN functionality
Protection and segmenting through firewalls with SCALANCE S
Task: Parts of the system which represent a logical unit, and sometimes even come from different suppliers, should have only as many connections to one another as are absolutely necessary.
Solution: SCALANCE S is placed in front of an automation cell, thereby segmenting the network and restricting communication, through firewall rules, to the permitted connections.
Construction of a demilitarized zone (DMZ), e.g. for data server access, with SCALANCE S623
Task: Network users (e.g. MES servers) should be reachable from the secure and the nonsecure network without creating a direct connection between the networks.
Solution: A DMZ can be established on the yellow port of the SCALANCE S623, in which the aforementioned server can be placed.
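The DMZ and cell-protection use cases above reduce to two checkable invariants on the security module's rule set: no rule links the unsecure and the secure network directly, and every connection into a cell is an explicitly listed exception. The model below is an added example, not SCALANCE S configuration; the zones, host addresses and rules are constructed for illustration.

```python
"""Model the zone policy of the DMZ and cell-protection examples and check the
two invariants the slides state: no direct connection between the unsecure and
the secure network, and only explicitly permitted connections into a cell.
Added example, not SCALANCE S configuration; zones, hosts and rules are
constructed for illustration."""
from collections import namedtuple

Rule = namedtuple("Rule", "src_zone dst_zone dst_port")

# constructed: which zone each address belongs to
ZONES = {
    "10.0.0.5": "unsecure",     # office client on the IT network
    "172.16.1.10": "dmz",       # MES / data server on the DMZ (yellow) port
    "192.168.1.20": "secure",   # PLC inside the automation cell
}

# constructed policy: default deny, only the listed connections are permitted
POLICY = [
    Rule("unsecure", "dmz", 443),   # office reads MES data over HTTPS
    Rule("secure", "dmz", 443),     # cell reports production data to MES
]

def permitted(policy, src_ip, dst_ip, port, zones=ZONES):
    """Return True if the policy allows a connection src_ip -> dst_ip:port."""
    src, dst = zones[src_ip], zones[dst_ip]
    if src == dst:
        return True    # traffic inside one zone does not pass the security module
    return any(r == Rule(src, dst, port) for r in policy)

def direct_crossings(policy):
    """Rules that bypass the DMZ by linking the unsecure and secure zones directly."""
    return [r for r in policy if {r.src_zone, r.dst_zone} == {"unsecure", "secure"}]

def cell_inbound(policy, cell="secure"):
    """Every connection allowed into the cell; each one must be justified."""
    return [r for r in policy if r.dst_zone == cell]

def check_policy(policy):
    """Summary of both invariants: (no direct crossing, number of inbound cell rules)."""
    return (not direct_crossings(policy), len(cell_inbound(policy)))
```

Running check_policy over a proposed rule set before it is deployed turns the slide's design principle into a review step: a False first element means the DMZ has been bypassed, and the second element is the list of cell entries that need a documented reason.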
The Siemens solution for network security
(Plant security | Network security | System integrity)
SIMATIC S7-1200, S7-1500 and the TIA Portal: Security Highlights
The SIMATIC S7-1200 V4, S7-1500 and the TIA Portal provide several security features:
Increased know-how protection in STEP 7 (protection of intellectual property and effective investment):
- Password protection against unauthorized opening of program blocks in STEP 7, and thus protection against unauthorized copying of e.g. developed algorithms
- Password protection against unauthorized evaluation of the program blocks with external programs: from the STEP 7 project, from the data of the memory card, from program libraries
Increased copy protection (protection against unauthorized reproduction of executable programs):
- Binding of single blocks to the serial number of the memory card or PLC
- Protection against unauthorized copying of program blocks with STEP 7
- Protection against duplicating the project saved on the memory card
SIMATIC S7-1200, S7-1500 and the TIA Portal: Security Highlights (continued)
The SIMATIC S7-1200 V4, S7-1500 and the TIA Portal provide several security features:
Increased access protection (authentication): extensive protection against unauthorized project changes:
- New protection level 4 for the PLC: complete lockdown (HMI connections also need a password) *
- Configurable levels of authorization (1-3, each with its own password) for access over PLC and communication module interfaces
- General blocking of project parameter changes via the built-in display
Expanded access protection: extensive protection against unauthorized project changes via the Security CP1543-1 by means of its integrated firewall and VPN communication
Increased protection against manipulation: protection of communication against unauthorized manipulation, for high plant availability:
- Improved protection against manipulated communication by means of digital checksums when accessing controllers
- Protection against network attacks such as the intrusion of faked or recorded network communication (replay attacks)
- Protected password transfer for authentication
- Detection of manipulated firmware updates by means of digital checksums
* Optimally supported by SIMATIC HMI products and SIMATIC NET OPC Server
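The last group of features rests on one principle: a request is accepted only if a keyed checksum binds it to a challenge the controller issued once, so a recorded exchange cannot be replayed and the password itself never travels on the wire. The sketch below is an added example of that principle only; it is not the SIMATIC S7 protocol and makes no claim about how the controller implements it. The shared secret, the message layout and the command names are constructed.

```python
"""Why a recorded authentication exchange cannot be replayed when the response is
bound to a fresh controller-issued challenge and a keyed checksum.
Added example of the principle only, not the SIMATIC S7 protocol; the shared
secret, the message layout and the command names are constructed."""
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"   # assumed: derived from the configured password

class Controller:
    """Issues one-time challenges and verifies responses bound to them."""
    def __init__(self, secret):
        self.secret = secret
        self.open_challenges = set()     # outstanding challenges, each usable once

    def challenge(self):
        nonce = os.urandom(16)
        self.open_challenges.add(nonce)
        return nonce

    def verify(self, nonce, command, tag):
        if nonce not in self.open_challenges:
            return False                 # unknown or already consumed: replay or forgery
        self.open_challenges.discard(nonce)  # consume first, so a retry needs a new challenge
        expected = hmac.new(self.secret, nonce + command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def client_response(secret, nonce, command):
    """Engineering station: keyed checksum over challenge and command, no password on the wire."""
    return hmac.new(secret, nonce + command, hashlib.sha256).digest()

def run_scenario():
    """Return (legitimate accepted, replay rejected, tampered rejected) as booleans."""
    plc = Controller(SECRET)
    nonce = plc.challenge()
    cmd = b"DOWNLOAD_BLOCK"
    tag = client_response(SECRET, nonce, cmd)
    first = plc.verify(nonce, cmd, tag)                 # legitimate session
    replayed = plc.verify(nonce, cmd, tag)              # the same recorded message sent again
    tampered = plc.verify(plc.challenge(), b"DELETE_BLOCK", tag)  # recorded tag, altered command
    return first, replayed, tampered
```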
SIMATIC S7-300, S7-400 and the TIA Portal: Security Highlights
For SIMATIC S7-300 and S7-400 the TIA Portal provides several security features to protect your investment against unauthorized reading and copying (covering the program block in the STEP 7 project and in the S7 controller, on download and upload):
Increased know-how protection for programs:
- Prevents reading, content copying and unnoticed changes of program blocks
- Protects program blocks in the engineering project and in the controller
- Program block protection in projects and libraries
Programmable copy protection:
- Know-how protected programs can be extended by copy protection
- Comparison with a given serial number of a memory card or CPU
SIMATIC PCS 7: Security you trust
Potential attack on DCS / SCADA*; customer requirement: protection against loss of control, plant downtime, loss of product quality, environmental impact.
Our solution: SIMATIC PCS 7, reducing your risk with a Defense-in-Depth strategy:
- Segmentation / security cells
- Secure access points
- User authentication
- Secure communication
- Patch management
- System hardening
- Virus scanner
- Whitelisting
* DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition
Siemens vertical expertise: Pharmaceutical
Pharmaceutical environment: product quality, reduced time-to-market, production flexibility, different equipment suppliers, meeting regulations (FDA)
Industrial Security provides: increased plant availability, secure user access, secure plant communications
Industrial Security to keep your plant running securely.
Thank you for your attention!
Dr. Pierre Kobes, Product and Solution Security Officer, PD TI AT
E-Mail: pierre.kobes@siemens.com
siemens.com/industrialsecurity