Mobility and Logistics, Traffic Solutions

Security Principles for Stratos

Part no.

THIS DOCUMENT IS ELECTRONICALLY APPROVED AND HELD IN THE SIEMENS DOCUMENT CONTROL TOOL. All PAPER COPIES ARE DEEMED UNCONTROLLED COPIES

Prepared By: Patrick Lismore (Division/BU: Mobility and Logistics, Traffic Solutions; Department: Engineering)
Checked and Released: Martin Gilham (Division/BU: Mobility and Logistics, Traffic Solutions; Department: Engineering)
Function: Engineering Manager
Date:

COPYRIGHT STATEMENT

The information contained herein is the property of Siemens plc. and is supplied without liability for errors or omissions. No part may be reproduced or used except as authorised by contract or other written permission. The copyright and the foregoing restriction on reproduction and use extend to all media in which the information may be embodied.

Copyright Siemens plc 2016 All Rights Reserved

Security classification: Unrestricted
CONTENTS:

1 Introduction
  1.1 Purpose
  1.2 Scope
  1.3 Document Specific Abbreviations and Definitions
2 Security Principles
  2.1 Stratos Functional Overview
  2.2 Cloud-based System Security
  2.3 Security Requirements
  2.4 Confidentiality
  2.5 Integrity
  2.6 Security Assessments
  2.7 Operational Security Plan

TABLES:

Table 1 - Issue History
Table 2 - Abbreviations and Definitions

CHANGE HISTORY:

Version   Date         Change            Author
A         March 2016   Initial Release   Martin Gilham
1         May 2016     First Release     Patrick Lismore

Table 1 - Issue History
1 Introduction

1.1 Purpose

The purpose of this document is to provide an overview of security principles associated with Stratos.

1.2 Scope

The scope of the document is to include details of security associated with all Siemens Hosted Traffic Management Services.

1.3 Document Specific Abbreviations and Definitions

See the TS Engineering Glossary, [see section 1.5 References]

Abbreviation   Explanation
AWS            Amazon Web Services, the Amazon cloud platform
CERT           Computer Emergency Response Team
DoS            Denial of Service
FOI            Freedom Of Information
I              Industry
MO             Mobility
TS             Traffic Solutions
IaaS           Infrastructure as a Service
SaaS           Software as a Service
SLA            Service Level Agreement
SOA            Service Oriented Architecture
SQL            Structured Query Language
UTC            Urban Traffic Control
VPC            Virtual Private Cloud

Table 2 - Abbreviations and Definitions
Siemens Mobility, Traffic Solutions

2 Security Principles

2.1 Stratos Functional Overview

The Siemens Stratos solution delivers secure, resilient, scalable, accessible and real-time traffic information, management and control of complex urban traffic environments by providing functionality ranging from basic monitoring to strategic control.

The Siemens Stratos solution is a cloud-based solution hosted within a Virtual Private Cloud (VPC) in the Amazon cloud. Siemens Stratos uses both Linux and Windows operating systems within its VPC to fulfil various system functions. These operating systems and network subnets are fully managed by Siemens in accordance with Siemens internal Information Security Policies. Changes to the VPC environment go through a Change Control Board, and both the network and operating systems adhere to Siemens mandatory Information Security Framework policies that are based on the ISO27001 standard.

The VPC also adheres to the 14 Cloud Security Principles (which can be found in https://aws.amazon.com/compliance / https://aws.amazon.com/security) within Amazon's shared-responsibility model. Where Siemens is responsible for security within the cloud, we apply guidance from the Cloud Security Principles. Amazon is responsible for the security of the cloud.

At the network level within the VPC, security controls are provided by Amazon as detailed below:

- Security groups that restrict the ingress and egress network traffic at the VPC perimeter and also within the VPC between hosts and subnets.
- Each server instance within the VPC has its own Security Group controlling what ports are accessible, in addition to firewalls that define its allowed protocols and ports. Everything else is denied by default. This gives Siemens full control over network traffic within the VPC.
- Siemens also makes use of access control lists (ACLs) provided by Amazon's VPC. This further helps restrict and lock down network routes within the VPC to authorised devices and users.
The diagram below shows Amazon's shared-responsibility model; on the left it highlights the standards and guidance used by Siemens to govern and secure the Stratos solution within Amazon's cloud.
2.2 Cloud-based System Security

The Siemens Stratos solution is hosted within Amazon's AWS Secure Cloud Data Centre in Dublin, Ireland. Physical security at the data centre site includes perimeter fencing with manned security access gates monitored 24 hours a day, seven days a week, 365 days a year. Electric locks and access-card readers also control all areas, and biometric fingerprint access and photographic ID are required for employees to enter the Data Centre. All racks are kept locked unless being accessed by authorised parties. CCTV covers all major access and common areas. Aisles are monitored by IP-based cameras with motion detection and off-site recording and are controlled by card and PIN. Amazon AWS Data Centres adhere to ISO27001 and also the Cloud Security Principles.

The Siemens Stratos solution is accessed by remote operators using a secure web link to the Stratos tenant. User login and rights management are administered by the Siemens Support department. Anti-virus and anti-malware software is installed on all servers managed by Siemens as part of mandatory Information Security policy compliance.

The Siemens Stratos cloud-based system runs a combination of fully patched Windows Server 2012 R2 and Linux servers, which are hardened based on mandatory policy requirements set by the Siemens Information Security CERT (SiemensCERT) group. Each server managed and controlled by Siemens must follow the mandatory measure plans to ensure servers are patched and hardened against vulnerabilities. Audits are performed independently within Siemens by a central audit division to ensure ongoing compliance.

2.3 Security Requirements

Confidentiality, integrity and availability are key tenets and areas of focus for Siemens Information Security policies. Each Siemens Information Security policy is created with these three areas of focus in mind.
Siemens Information Security policies are built on top of the ISO27001 standard. They state mandatory actions for Siemens employees at all levels with regard to securing information, handling information, and securing IT systems managed and maintained by Siemens. This includes on-site IT systems and cloud-based systems.

The Siemens Stratos cloud solution has been assessed, classified and audited by Siemens to follow mandatory corporate policies based on ISO27001 and technical implementations to secure and harden IT systems and protect the data that resides in them and passes through them.

2.4 Confidentiality

Siemens follows industry best practices for addressing the secrecy and privacy of information. Siemens uses several methods to prevent the disclosure of information or data to unauthorised individuals and systems.

All users connecting to Siemens Stratos use user names and strong passwords to access the service. The roll-out of 2-factor authentication is planned for end users in 2016. All Siemens support staff, as well as engineers that support Stratos, use multi-factor authentication by default.

Within Siemens Stratos, role-based access control restricts system access to authorised users. Siemens restricts access to live production systems to a small, limited team of trusted individuals within the Siemens Traffic support team, for the purpose of assisting customers.
Each remote user is able to access the Siemens Stratos cloud-based system using unique login details (username and password). Confidentiality is a key requirement, not only to ensure security of the system but also to enable traceability of changes within the system.

2.5 Integrity

Various measures are in place within the Siemens Stratos solution to protect the integrity of information and prevent unauthorised alteration or revision of data. Cloud Security Principles 1 and 2 provide clear guidance on protecting data at rest and in transit.

Much of the data transiting through the Siemens Stratos cloud solution is encrypted from server to server, although not all network routes are encrypted within the virtual private cloud. Connection to the virtual private cloud is over a secure VPN connection from Siemens. The Stratos code base is held securely under version control and regularly audited with each release.

Ensuring that Stratos adheres to the Cloud Security Principles means the data is protected in transit via encryption of network traffic and secure endpoints. In addition, checksums and cryptographic measures are in place throughout the system.

2.6 Security Assessments

Siemens regularly completes a Threat and Risk assessment on all products and solutions at Siemens Traffic UK. This is a mandatory action; the output from that exercise is a risk register of all the potential threats and risks that need mitigation. Having the risk register allows Siemens Traffic to plan and mitigate the highest-priority items first and track the completion of all items on the list.

As part of each software release, a security review is undertaken on new components and features to ensure new risk is not introduced to the system. An internal penetration test is also performed as part of each software release; this is embedded within the Siemens software development life cycle.
Siemens Traffic gets approval from Amazon AWS prior to performing simulated cyber attacks against the VPC solutions.

2.7 Operational Security Plan

Siemens works under the guidance of the Siemens Operational Security policy. This ISEC policy defines the rules related to the management of IT operation, including change management, capacity management, protection from malware, backup, logging and monitoring of information security events, software installation on operational IT systems, and technical vulnerability management through patching and updating.

Through this policy, Siemens has a patch management process for the Stratos system. The operations team works closely with SiemensCERT and Siemens ProductCERT to ensure any newly disclosed vulnerability that may affect any components used in Stratos is patched in a timely manner. The operations team ensures anti-virus, anti-malware and IDS are updated and monitored regularly and that any triggered intrusion detection alerts are investigated.

The Siemens Stratos VPC is reviewed constantly as part of Siemens internal processes and policy. Siemens also has an Incident Handling Policy and process that clearly defines guidance, roles and responsibilities for handling any incidents in a professional and timely manner.