SIMATIC PCS 7 Process Control System: Support and Remote Dialup (Commissioning Manual)


SIMATIC PCS 7 Process Control System
Support and Remote Dialup
Commissioning Manual, 11/2016, A5E39249952-AA

1 Security information
2 Preface
3 Support and Remote Dialup
4 Dialup
5 Practical information

Legal information

Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are graded according to the degree of danger.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION indicates that minor personal injury can result if proper precautions are not taken.
NOTICE indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products
Note the following:
WARNING: Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG, Division Process Industries and Drives, Postfach 48 48, 90026 NÜRNBERG, GERMANY
A5E39249952-AA, P 02/2017. Subject to change. Copyright © Siemens AG 2016. All rights reserved.

Table of contents

1 Security information ... 5
2 Preface ... 7
2.1 Structure and organization of the document ... 7
2.2 Special Notes ... 7
3 Support and Remote Dialup ... 9
3.1 Definitions ... 9
3.2 Concept ... 10
4 Dialup ... 13
4.1 Local dialup ... 13
4.2 Remote dialup ... 14
4.2.1 Network medium ... 14
4.2.2 Support device ... 15
4.2.3 Control System Network Access ... 15
4.3 Choice of technology ... 15
5 Practical information ... 21
5.1 General information ... 21
5.2 Siemens Remote Service (SRS) ... 21


1 Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks.

In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial security concept. Siemens products and solutions only form one element of such a concept.

The customer is responsible for preventing unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the Internet if and to the extent necessary, and with appropriate security measures (e.g. use of firewalls and network segmentation) in place. Additionally, Siemens guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit: http://www.siemens.com/industrialsecurity

Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly recommends applying product updates as soon as they are available and always using the latest product versions. Use of product versions that are no longer supported, and failure to apply the latest updates, may increase the customer's exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed at: http://www.siemens.com/industrialsecurity


2 Preface

2.1 Structure and organization of the document

The Security Concept PCS 7 & WinCC has several parts:

The basic document provides a central overview of and path through the Security Concept PCS 7 & WinCC. This document describes the basic principles and security strategies of the security concept in systematized form. All additional detail documents assume the reader has read the basic document.

The detail documents (this is one such detail document) explain the individual principles, solutions and configurations recommended there in detailed form, and each focuses on a particular detailed issue. The detail documents are supplemented, updated and published independently of one another to ensure that they are always up-to-date.

PCS 7 Compendium F: Compendium F describes in detail how the solutions can be implemented in the PCS 7 environment. You can find this documentation on the Internet at: https://support.industry.siemens.com/tf/ww/en/posts/69921/

2.2 Special Notes

Objective of the Security Concept PCS 7 & WinCC
The main priority of automation is to maintain control over production and process. Measures intended to prevent the spread of a security threat must not impair this aim.

The Security Concept PCS 7 & WinCC is intended to provide support in creating a plant in which only authenticated users can perform authorized (permitted) operations, using the operating options assigned to them, on authenticated devices. These operations should only be performed via defined and planned access routes to ensure safe production or coordination of a job without danger to humans, the environment, the product, the goods to be coordinated and the business of the enterprise.

The Security Concept PCS 7 & WinCC therefore recommends the use of the latest available security mechanisms. To achieve the highest possible level of security, scaled, system-specific configurations should never contradict the basic principles of this security concept.

The Security Concept PCS 7 & WinCC is intended to facilitate the cooperation between network administrators of company networks (IT administrators) and automation networks (automation engineers), so as to exploit the advantages provided by the networking of process control technology and the data processing of other production levels without increasing security risks at either end.

Required Knowledge
This documentation is aimed at anyone who is involved in configuring, commissioning and operating automated systems based on SIMATIC. It is assumed that readers have appropriate management knowledge of office IT.

Validity
The Security Concept PCS 7 & WinCC incrementally replaces the previous documents and recommendations "Security Concept PCS 7" and "Security Concept WinCC", and is valid as of WinCC V6.2 and PCS 7 V7.0.

3 Support and Remote Dialup

This detailed report focuses exclusively on remote maintenance, remote support and remote administration of a system. A description of remote control of a system is not included in this detailed report. However, information on remote control is provided in the detailed report "Management of Communication within and between Security Cells".

3.1 Definitions

Virtual Private Network (VPN)
An extension of a private network which encompasses encapsulated, encrypted and authenticated connections over shared or public networks. Private networks can establish remote access and routing connections over the Internet using VPN connections.

Point-to-Point Tunneling Protocol (PPTP)
A network technology that supports multi-protocol VPNs (Virtual Private Networks). This provides remote users with secure access to internal company networks over the Internet or other networks by connecting via an Internet Service Provider (ISP) or by establishing a direct connection over the Internet. PPTP encapsulates IP (Internet Protocol) data, IPX (Internetwork Packet Exchange) data and NetBEUI (NetBIOS Extended User Interface) data in IP packets. Such encapsulation is also referred to as tunneling. This means that users can remotely run applications that are dependent on specific network protocols.

Layer 2 Tunneling Protocol (L2TP)
An industry-standard Internet tunneling protocol that provides encapsulation to send PPP (Point-to-Point Protocol) frames over packet-oriented media. On IP networks, L2TP traffic is transmitted in the form of UDP (User Datagram Protocol) messages. On Microsoft operating systems, L2TP is used in conjunction with IPsec (Internet Protocol Security) as the VPN (Virtual Private Network) technology to provide VPN connections via RAS (Remote Access) or router-to-router. L2TP is described in RFC 2661.

Source: Microsoft

3.2 Concept

Description of the concept
Owing to the increase in networking, as systems are connected to company networks and the Internet and distances increase between support employees and systems (e.g. an onshore support employee while the system requiring support is located on a ship), support and remote dialup is growing in significance.

However, support and remote dialup is associated with additional dangers. On the one hand, exceptions for support and remote dial-up have to be defined on the access point firewalls, which creates additional points of attack. On the other hand, support staff may thereby inadvertently introduce malicious software (malware) to the plant, including viruses, Trojans, etc.

To minimize this risk, it is recommended to implement a "defense in depth" strategy for support and remote dial-up, just like the overall security concept for PCS 7 & WinCC. This means that there is no direct dialup to the endpoint for maintenance; instead, dialup is achieved with a combination of multiple technologies and security mechanisms over a central access point, to ensure the highest possible security for the entire system.

The VPN server described in the following is part of the back-end firewall and is therefore the responsibility of the system administrator. It is published to the WAN (intranet/office network) via the front-end firewall. The external VPN solution preferred by Siemens for PCS 7 systems, the Siemens Remote Service (SRS), may be used as an alternative to an internal VPN solution. The Siemens Remote Service is based on the platform technology "Common Remote Service Platform (crsp)" (for more details, see section 5, Practical information (Page 21)).

This configuration ensures that the front firewall has absolutely no routing information for the Process Control Network (PCN) or information on the network structure in the Manufacturing Control System (MCS) level. Hence, even if the front firewall is bypassed by an attacker, there is no access to the system.

A Microsoft Internet Security and Acceleration Server (MS ISA Server) is shown as the firewall in the following diagrams. Its successor, the Microsoft Threat Management Gateway (MS TMG) introduced in 2010, can also be used, or the Automation Firewall 2 offered by Siemens. Further information on the configuration of an ISA Server/TMG as a firewall is provided in the detailed report "Managing the MS ISA Server / MS TMG as an Access Point".

Demo System
The following figure shows an example system with front-end and back-end firewall as well as all devices described in the section AUTOHOTSPOT, for example the support / dial-up stations of support staff.

Figure 3-1 Demo system with front and back firewall


4 Dialup

In principle, there are two different dialup options:
- local dialup, when the support employee is on site
- remote dialup over the intranet/office network, the Internet or the telephone network

4.1 Local dialup

Support station belonging to the system
The support station is a stationary support PC that is either physically located on the system as an ES in the Process Control Network (PCN), and is therefore part of the system, or physically located as a remote ES in a perimeter network / Manufacturing Operating Network (MON) of the Manufacturing Execution Systems (MES), and is therefore a trusted, remote system PC. In both cases, security is ensured by correctly implementing the Security Concept PCS 7 & WinCC basic document. As project files and backup copies are frequently changed on engineering stations, in contrast to process control computers, external data media (USB sticks, CDs, etc.) must also be scanned for viruses and malware before being inserted into engineering stations.

Mobile Support PC / PG (Support Laptop)
If the support employee brings his/her own support PC onto site, he/she should only be allowed to connect to the network at the access points specifically provided for this purpose, the so-called support ports. This can be done, for example, with modern devices from the SCALANCE X 300 and 400 ranges. Individual ports can be configured so that connected computers can only participate in network communication if they present a valid certificate for each connection, which the SCALANCE device verifies against a RADIUS server, which in turn grants access. This ensures that only support employees who have been issued an applicable certificate can participate in network communication.

The support employee then creates a VPN connection to the back firewall. As the support employee is on site and system personnel are supervising constantly, a PPTP dialup with a standard support user account is sufficient. In this case, a user account is queried (in conjunction with the MS Remote Access Server (RAS)) via a user authentication server (e.g. the MS Internet Authentication Server (IAS) / RADIUS server), and this account can be used by all support employees for dialup on site. Each time the support job is completed, the system administrator must change the password for the standard support user.

Using the quarantine functionality of MS ISA Server / MS TMG on the back-end firewall, the support PC is now checked to ensure that the virus scanner is up to date, the local firewall is activated, etc. Depending on the desired security requirements, the content and type of the verification can be defined by the operator. Only after checking has completed successfully can the support employee access the system PCN or a specific engineering station. When access to the Control System Network (CSN) is required as well, quarantine scripts should be written so that the additional network cards of an engineering station that are in contact with the CSN (for example, CP 1623) are deactivated at the beginning and only reactivated after successful verification.

4.2 Remote dialup

4.2.1 Network medium

Direct connection between devices
Direct connections are initialized between two devices, e.g. two ISDN routers or two Siemens Teleservice devices. A point-to-point connection over which data can be exchanged is always established between the two devices. It is usually possible to configure the devices so that they only allow or accept connections to or from defined call numbers or devices. In addition, they can frequently be set up so that the dialup has to be manually confirmed before the connection is established. It is therefore possible to ensure, via a telephone conversation, that the connection is in fact being established by the support employee. For the above reasons, use of a PPTP-VPN connection is sufficient in this scenario.

Internet
If dialup is via the Internet, the maximum possible security must be guaranteed, as in principle every user on the Internet can attempt to establish a dialup connection to the VPN server. The VPN server is part of the back firewall and therefore the responsibility of the system administrator, and it is published over the front firewall to the WAN (Internet/intranet/office network). In this scenario, the front firewall accepts VPN connections by proxy and then forwards them to the back firewall. This configuration ensures that the front firewall has absolutely no routing information for the PCN or information on the network structure within the MCS level.

A unique user with a strong password must be created for each support employee so that access is traceable. Users should only be enabled temporarily and following consultation by telephone. A particularly secure tunnel protocol, such as L2TP-IPsec VPN, must be used for communication to guarantee the integrity and confidentiality of the data through a high level of security and encryption depth.
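The account handling described above, one individually named account per support employee that is enabled only for a bounded window after the telephone consultation (section 4.2.1), and a password change of the shared standard support user after every on-site job (section 4.1), can be scripted on the domain side. The following PowerShell is an added example and is not Siemens code or part of this manual; it assumes the ActiveDirectory module on a domain-joined administration workstation, and the account name "pcs7-support" and the group name "PCS7-Support" are placeholders to be replaced by the operator's own names.

```powershell
# Added example (not Siemens code). Assumes the ActiveDirectory module on a
# domain-joined admin workstation; account and group names are placeholders.
Import-Module ActiveDirectory

# Per-employee account for Internet dialup (section 4.2.1): enabled only for a
# bounded window, after the telephone consultation, with the job reference recorded.
function Enable-SupportAccountTemporarily {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 4,                                  # placeholder window length
        [Parameter(Mandatory)][string]$JobReference       # reference of the telephone consultation
    )
    $until = (Get-Date).AddHours($Hours)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $until
    Enable-ADAccount -Identity $SamAccountName
    Write-Output ("Enabled {0} until {1} (job {2})" -f $SamAccountName, $until, $JobReference)
}

# Explicit disable once the job is reported complete, instead of waiting for expiry.
function Disable-SupportAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Disable-ADAccount -Identity $SamAccountName
    Clear-ADAccountExpiration -Identity $SamAccountName
}

# Password from the OS CSPRNG, rejection-sampled so every character is equally likely.
function New-RandomPassword {
    param([int]$Length = 20)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*+-=?@'
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes above this to avoid modulo bias
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return $sb.ToString()
}

# Rotate the standard on-site support user after every job (section 4.1).
# The new value is returned as a SecureString for hand-over via the operator's
# password safe; it is deliberately never written to a log.
function Reset-StandardSupportPassword {
    param([string]$SamAccountName = 'pcs7-support')   # placeholder name of the standard support user
    $secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    return $secure
}

# Audit: members of the support group that are enabled but carry no expiration date,
# i.e. accounts that are not "enabled temporarily" as the concept requires.
function Get-UnboundedSupportAccounts {
    param([string]$GroupName = 'PCS7-Support')       # placeholder group of support users
    Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, AccountExpirationDate |
        Where-Object { $_.Enabled -and -not $_.AccountExpirationDate } |
        Select-Object SamAccountName, Name
}
```

Typical use is Enable-SupportAccountTemporarily immediately after the phone call, Disable-SupportAccount (or the automatic expiry) when the job closes, Reset-StandardSupportPassword after each on-site session, and Get-UnboundedSupportAccounts as a periodic check that no support account has been left permanently enabled.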

4.2.2 Support device

Defined support PC

If the support employee is an internal company employee who has to access the system regularly or, for example, the software manufacturer who has a maintenance contract with the system operator, it is recommended that a system support PC is made available to the support service provider for the support employee. The system operator installs this support PC as per the internal company security policies, configures it for support dialup (IPsec, certificates, user), installs the required programs and deploys the PC to the support service provider.

After successful VPN dial-up (either through the Internet or a direct connection), the support PC is in a quarantine network and is checked by the quarantine functionality of the MS ISA Server / MS TMG (back firewall). A simple check is sufficient to determine that the settings have not been changed and that they still conform to the internal company security policies. After the check has completed successfully, the support PC is granted access to the PCN and can provide support on the PCN.

Organizational measures (e.g. contractual conditions) must be implemented to ensure that the support employee is informed that the support PC may only be used for this defined task.

Any PC

If the support employee works with his/her own PC, i.e. a device that is completely unknown to the system operator and which the system operator cannot configure, stricter security requirements must be applied to access. After successful VPN dial-up (either via the Internet or a direct connection), the PC is in a quarantine network and is checked by the quarantine functionality of the MS ISA Server / MS TMG (back firewall). A detailed test should be performed, including a complete virus scan, installation of any missing security updates, activation of the local firewall, etc.

Once the PC has passed this test, remote access is granted to it via an engineering station located either directly in the plant or in the perimeter network set up for this purpose.

4.2.3 Control System Network access

Support access to the CSN may only be provided via a remote connection to an engineering station that is connected to the CSN. Either Remote Desktop or NetMeeting (in future, Windows Live Meeting) should be used, for the reasons mentioned above.

4.3 Choice of technology

The following decision trees are designed to help choose the remote dialup technology to suit the requirements and the situation.
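The admission logic of sections 4.2.2 and 4.2.3, written out as an added example (not Siemens code, and not the ISA Server / TMG quarantine implementation): a defined support PC only has to prove its deployed configuration is unchanged and then reaches the PCN directly, whereas an unknown PC must pass the detailed test and is then routed through an engineering station. The posture field names and the baseline fingerprint are assumptions of this example.

```python
"""Quarantine admission model for support PCs (added example, not Siemens code)."""
from dataclasses import dataclass, field
from enum import Enum


class DeviceClass(Enum):
    DEFINED_SUPPORT_PC = "defined"   # operator-built PC handed to the support provider
    ANY_PC = "any"                   # support employee's own, unknown PC


@dataclass
class Posture:
    """Result reported by the back-firewall quarantine check (constructed fields)."""
    config_fingerprint: str = ""           # hash of the operator-deployed configuration
    local_firewall_enabled: bool = False
    missing_updates: list = field(default_factory=list)
    av_scan_clean: bool = False


# Assumed value: fingerprint recorded when the operator deployed the support PC.
BASELINE_FINGERPRINT = "sha256:placeholder-of-deployed-config"


def admit(device: DeviceClass, posture: Posture) -> str:
    """Return the access decision taken after a successful VPN dial-up."""
    if device is DeviceClass.DEFINED_SUPPORT_PC:
        # Simple check: the deployed settings must still match the baseline.
        if posture.config_fingerprint == BASELINE_FINGERPRINT:
            return "grant:PCN"
        return "deny:quarantine"
    # Any PC: detailed test; no direct PCN access even when the test passes.
    if posture.missing_updates:
        return "deny:quarantine"       # updates are installed first, then re-checked
    if not (posture.local_firewall_enabled and posture.av_scan_clean):
        return "deny:quarantine"
    return "grant:engineering-station"


def csn_session_allowed(via_engineering_station: bool, tool: str) -> bool:
    """Section 4.2.3: CSN support only through an ES, using Remote Desktop or NetMeeting."""
    return via_engineering_station and tool in {"Remote Desktop", "NetMeeting"}
```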

Figure 4-1 Support access to the Process Control Network

Figure 4-2 Support access to the entire system

Figure 4-3 Non-administrative remote access to third-party programs

Figure 4-4 Administrative remote access to system programs

Figure 4-5 Administrative remote access to the entire system

5 Practical information

5.1 General information

If remote administration and support tools are used, it must be ensured that the programs are enabled in the local firewall of the computer to be serviced.

NetMeeting

Information on NetMeeting is available here: http://support.microsoft.com/kb/878451/en (German: http://support.microsoft.com/kb/878451/de)

Remote support

The help wizard account (installed during a remote support session) is the primary account used to set up a remote support session. This account is created automatically when you initiate a remote support session and has limited access to the computer. The help wizard account is managed by the Remote Desktop Help Session Manager service and is deleted automatically once remote support is no longer required or has been completed. You can find additional information on remote support here: http://go.microsoft.com/fwlink/?LinkId=38569

Remote Desktop Protocol

Please also refer to the section "Remote Service and Remote Operation" in the PCS 7 Readme (online).

VNC

Please also refer to the section "Remote Service and Remote Operation" in the PCS 7 Readme (online).

5.2 Siemens Remote Service (SRS)

SRS can be used as an alternative to an internal VPN solution or a direct connection between devices. SRS can be used for all the scenarios described in the previous chapters that require the use of any (non-specific) support PC. SRS is an external, central VPN solution. Only an SRS router is installed on the system, which functions in the same way as the ISDN router in the aforementioned scenarios, or the existing infrastructure is used to create a site-to-site coupling with the Siemens DMZ. A secure channel between the dialup support PC and the SRS router on the system is created via a central server center (DMZ).

The advantage for the customer is that responsibility for administration, maintenance and service is handed over: securing the channel, the type of encryption, checking the dialup support PC and defining which users are permitted to dial up are the responsibility of the SRS provider and are contractually agreed between the customer and the SRS provider. Furthermore, SRS also decides which tools may be used for plant support and, since all tools are provided via the terminal server in the SRS server center, it ensures that these tools are up to date and reliable. All tools recommended by PCS 7 & WinCC for remote access are supported by SRS.

For further information about cRSP, contact your sales partners and visit https://support.industry.siemens.com/cs/ww/en/sc/2281. The SRS solution is described in detail in a separate manual.