Innovation Days Industrial Communication

Transcription

1 Innovation Days Industrial Communication Industrial Security siemens.com/industrial-security

2 London 1903 Royal Institution s lecture theatre Verdenspremiere på den trådløse telegraf Source: Page 2

3 Verdens første hackerandgreb Scientific hooliganism John Nevil Maskelyne The gentleman hacker Guglielmo Marconi Page 3

4 Cyber Security Hvorfor bekymre sig? Der er en meget høj trussel fra cyberspionage mod danske virksomheder. Flere statsstøttede t t tt hackergrupper er gået målrettet efter danske virksomheder i de seneste år. Oftere forekommer det, at svagheder hd i udstyr og software skyldes manglende kvalitet i producentens eller leverandørens processer. Source: Page 4

5 Den nye tendens Ransomware Page 5

6 En hurtig stigning Page 6

7 Industrial Cyber Security incidents in US Hvad siger ICS-CERT 2014 Number of incidents Percentage of incidents Page 7 Source:

8 Industrial Cyber Security incidents in US Hvad siger ICS-CERT 2015 Page 8 Source:

9 Er jeg ikke bare en nål i en høstak? Der er stadig SIMATIC devices der er eksponeret! lt Og Det er meget let # # %!&! # Page 9

10 Protecting Productivity Page 10

11 Industrial Security protecting Productivity Page 11

12 The Defense in Depth Concept Page 12

13 Løsninger på alle niveauer Page 13

14 Hvordan holder man sig opdateret? Abonner på Siemens RSS Feed: Eller på ICS-CERT: Page 14

15 Pareto-princippet 20% 80% Invest 20% 80% Security Page 15

16 Plant Security Physical access control Guidelines Norms and standards Security Services Page 16

17 Vi kan tilbyde services Security Assessment Workshops Page 17

18 Vi kender standarderne Page 18

19 IEC Security functions Based on IEC Security Level 1-4 Protection Level (PL) Security process Based on IEC and ISO27001 Maturity Level 1-4 Level Maturity PL 1 PL 2 PL 3 PL Security Level Page 19

20 Protection Levels cover security functionalities and processes Assessment of security functionalities Assessment of security processes SL 1 Capability to protect against casual or coincidental violation ML 1 Initial - Process unpredictable, poorly controlled and reactive. SL 2 Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation ML 2 Managed - Process characterized, reactive SL 3 Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation ML 3 Defined - Process characterized, proactive deployment SL 4 Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation ML 4 Optimized - Process measured, controlled and continuously improved Protection Levels Ma aturity Level Security Level Page 20 PL 1 PL 2 PL 3 PL 4 Protection against casual or coincidental violation Protection against intentional violation using simple means with low resources, generic skills and low motivation Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

21 IEC 62443, security measures Secure Physical Access Organize Security Secure Solution Design Secure Operations Secure Lifecycle management PL 4 Revolving doors with card reader and PIN; Video Surveillance and/or IRIS Scanner at door Dual approval for critical actions Firewalls with Fail Close (e.g. Next Generation Firewall). Monitoring of all device activities Online security functionality verification + Automated backup / recovery PL 3 Revolving doors with card reader No , No WWW, etc. in Secure Cell 2 PCs (Secure Cell/outside) + Persons responsible for security within own organization Physical network segmentation or equivalent (e.g. SCALANCE ) Monitoring of all human interactions Remote access with crsp or equivalent Backup verification PL 2 Doors with card reader Continuous monitoring (e.g. SIEM) Remote access restriction (e.g. need to connect principle) + Mandatory security education PL 1 Locked building/doors with keys Awareness training (e.g. Operator Awareness Training) Mandatory rules on USB sticks (e.g. Whitelisting) Network segmentation Firewall protection (e.g. SCALANCE S) Security logging on all systems Backup / recovery system Page 21

22 Network Security Firewalls Virtual Private Networks VPN Segmentering Demilitarized zone DMZ Hardening Authentication Cell Protection Page 22

23 Network Security Jump Station og DMZ Opdeling i separate celler Secure zone DMZ zone Jump Station Unsecure zone Al kommunikation via Remote Desktop og Jump Station Backup og Restore via Jump Station Kun trådløs adgang fra Secure Zone til Jump Station Samme konfiguration i alle Firewalls (global firewall rules) Page 23

24 Network Security Cell protection Opdeling separate celler Al kommunikation ind og ud af cellern er kontroleret En decentrale Firewall struktur Page 24

25 Security Integrated Overview Page 25

26 Network Security Hvordan beskytter man gamle sårbare systemer? Access protection SCADA Ingen ændring i det eksisterende system også med Layer-2 protokoller Ghost Mode Adopterer IP-adresse og ændre MACadressen automatisk Samme konfiguration i alle Firewalls (global firewall rules) Secure zones Gamelt sårbart åb system Page 26

27 Network Security Anvend Hardning! Brug Password Anvend VLAN Disable DCP write Enable Management Access List Broadcarst limitation Disable ubrugte porte Enable SNMP V3 Page 27

28 System integrity Password protection Know-how og Copy protection Access protection Virus scanner og Whitelisting Sikker kommunikation VPN og OPC-UA Deactivation of services og hardware interfaces Windows security patch management* Page 28 *

29 Vi har sikre produkter Page 29

30 Siemens is the leading vendor of Achilles level 2 certified products Certified CPUs LOGO! S7-300 PN/DP S7-400 PN/DP S and 1505S S S7-400 HF CPU V6.0 S H Certified CPs CP343-1 Advanced CP443-1 & Advanced CP CP CP1628 Certified DP ET 200 PN/DP CPUs ET 200SP PN CPUs Certified Firewalls SCALANCE S602, S612, S623, S627-2M + Protection against DoS attacks + Defined behavior in case of attack Improved Availability International Standard Page 30

31 SCADA Controller kommunikation via OPC Et standard setup SCADA Controller Page 31

32 SCADA Controller kommunikation via OPC Implementer et VPN og Firewall koncept SCADA Via Security CP-Cards or external Firewall/VPN getaway for: Controller - S7 300 and S and ET 200SP CPU - SCALANCE S (for all Controllers) Page 32

33 SCADA Controller kommunikation via OPC Implementer et OPC-UA koncept 3. Part SCADA Via Security CP-Cards or Controller: Controller -S7-1500, 1500S, 1500T - ET 200SP CPU - PLCSIM Adv. - S7 400 via CP OPC-UA Page 33

34 OPC-UA Interoperability with openness and standardization Management -level Operator-level ERP MES Interoperability standards Controller-level SCADA Interoperability 3 rd party devices PLC HMI Field-level Interoperability openness Sensors Actuators Perfect interoperatbility on all levels of communication by openness and standards Page 34

35 OPC-UA OPC UA og PROFINET den perfekte kombination OPC UA s styrke PROFINET s styrke Leverandør uafhængig Cloud deterministisk i ti Direkte forbindelse til alle niveauer Autentificering og kryptering OPC UA interfa ace Controllerlevel Operatorlevel Managementlevel PROFINET Real-Time egenskaber Enkelt C2C-kommunikation Passer perfekt til data & management niveauet Passer perfekt til controller- &Fi Field niveauet Field- level Page 35

36 OPC-UA og TIA-Portal Read and write PLC-data easy, standardized and symbolic Easy setup Value 1 Activate the OPC UA server in the PLC properties Access possible Write access possible Individual access Level of access via OPC UA can be controlled individually for each variable 2 Confirm that you have purchased the correct license Inheritance of access rights Based upon the well known Step7 mechanisms Make PLC-variables Different ways to access accessible through Access individual variables as 3 checkboxes in the editor well as access whole structures and arrays as one object 4 Symbolic access via OPC UA OPC UA client Performance Access whole structures and arrays to achieve optimal performance Page 36

37 CP OPC UA Additional Openness for SIMATIC S7-400 Feature/ Function Benefit OPC UA Server/Client directly in the Price sensitive, standardized SIMATIC S7-400 station connection to HMI, SCADA, MES/ERP or 3 rd Party PLC As OPC UA Client Configuration via function blocks compliant to PLCOpen standard Use of the standardized OPC UA elementary security functions like authentication, authorization, encryption and signing of data Configuration in STEP7 Classic V5.5 5 as well as and STEP7 Professional V14 (TIA Portal) For use with CPU V5.3 / H-CPU V6.0 and H-CPU V8 Flexible but standardized Interface for communication to any OPC UA Server Protection of the system from unauthorized access Expansion of existing ST7 plants without Migration to TIA-Portal Investment protection Use of redundant H-system supported Page 37 Delivery release: 04/2016

38 Passwords et konkret eksempel Et Password skal være komplekst: Hvor stærkt er mit Password: numeric all space&charsetlen=77&kps= Page 38

39 Passwords Udgangspunketet er stadig ofte Admin/Admin Single Sign on Brute Force Prevention RADIUS Randomize Page 39

40 Slide 39 SBA1 Sarah Bay-Andersen; SBA2 Sarah Bay-Andersen;

41 Kan man anvende RADIUS og AD? Århus SCALANCE S615 Server SCALANCE S623 SINEMA Remote Connect Windows Active Directory RADIUS SIMATIC CPU Page 40

42 Den store løsning Siemens Ruggedcom CrossBow Wow! Det er en elegant løsning NERC-CIP og IEC kompatibel Page 41

43 endnu flere koncepter og informationer Defense-in-Depth Solution User Authentication Network Segmentation Demilitarized Zones Firewalls VPN Tunnels Virus Scanning Patch Management Application Whitelisting Super gode links All-round protection with Industrial Security Page 42

44 Opsummering Fokus er kritisk tag det alvorligt Stil krav til autentificering og brug af passwords Anvend Jump Stations og brug certificerede produkter Segmentér netværk og isolér sårbare systemer Implementer centrale Security Access Management løsninger Page 43

45 Mange tak for jeres opmærksomhed Kontakt info Navn Telefon Morten Kromann Per Krog Christiansen Lars Peter Hansen Page 44