siemens.com/energy/remoteservices Remote Services Security Concept Answers for energy.
Introduction

Remote services

Reasons and objectives

Remote services will become increasingly important in the future as companies try to offset rising cost pressures and as the availability of plants and turbo machinery becomes more and more crucial. Through remote monitoring and diagnosis, many developing faults can be detected at an early stage. This means that maintenance can be performed as needed, rather than at fixed intervals.

Due to the massive use of microelectronics in today's products and the conversion from mechanical/electromechanical product features to software-based functionality, product support and services are changing significantly. Increasingly, traditional types of service will be replaced by IT-based services and services that rely on expert knowledge. Furthermore, as products become more interconnected with IT solutions and communication technology advances, the need for new, more effective remote service offerings is increasing.

As services evolve in this direction, security issues and data privacy become even more important. Both are absolutely crucial in remote services.
General operational concept

Purpose of this document

This security concept describes the measures we at Siemens follow to protect customer data, application programs, and IT systems when we perform remote services. Our security concept is divided into two main parts.

The first is the general operational section, where we explain the basic concept of the Siemens Turbomachinery Application Remote Monitoring System (STA-RMS) platform and especially the Connectivity Layer using common Remote Service Platform (crsp), our service processes, and the technical capabilities of our products. This part is designed for users, technical managers, and all those who want to obtain a general overall understanding of how the Siemens STA-RMS platform works.

The second part, the technical concept, is primarily for IT specialists and data security experts who need more detail about the technical and organizational security measures we take to achieve a high level of security and ensure data privacy. It explains how a connection to the Siemens STA-RMS platform via crsp is established, what our security infrastructure looks like, and the measures we take to prevent malicious attacks.

Service and maintenance of technical equipment

Given the growing complexity of modern products and solutions, Siemens has responded to this challenge by providing additional support in order to optimally service our customers. It is often faster and more efficient to determine the causes of equipment issues via remote diagnosis and, where possible, address the issue remotely. Even in cases where remote repair is not possible, the information obtained via remote diagnosis can support the Siemens service engineer on-site. In addition, our remote services help us to increasingly act in a preventive manner, rather than waiting to react in case of an emergency.

Our concept for remote monitoring and diagnostics is based on the ongoing collection of the operational data of our turbo machinery or plant equipment. Additionally, a software program independently monitors certain important parameters within the data collector of the equipment at the customer's site. If values exceed or fall below the defined limits, our STA-RMS platform is designed to automatically send a message to our 24-hour global helpdesk at the responsible Product Competence Center. The incoming message is analyzed and, if necessary, forwarded to the customer for their information. Remote repair can then be initiated in consultation with the customer. Where necessary, Siemens technicians travel to the site to address the issue indicated in the message. This is all done within the scope of the specific service agreement, whether it's one of our LTP (Long-Term Programs) agreements or a dedicated Remote Diagnostic Service agreement.

Whether on-site or remote, when accessing data sets containing sensitive data, our data privacy protection programs are designed in compliance with applicable regulations and guidelines.

New perspective on a changing energy system: the power matrix

Our energy system is in a state of radical change. As the share of distributed power generation grows, so does the system's complexity. Consumers are increasingly becoming power producers themselves and feed their surplus into the grid. The linear energy conversion chain has turned into a multifaceted system with countless new actors.

Features of online support:

Remote access to customer equipment for online support (for example, troubleshooting or user questions regarding operation) is done through remote desktop management tools. They provide a display of the customer's monitor at the 24-hour global helpdesk, and enable remote access by the Siemens service engineer. For this, the customer is to explicitly grant access for each individual session.
The customer can track the course of the online support and, if necessary, terminate the access provided to the 24-hour global helpdesk at any time.

Proactive and value-added service activities

As part of our remote diagnostic services, the customer's device proactively sends predefined data and events to our STA-RMS platform. This enables our 24-hour global helpdesk at the responsible Product Competence Center to analyze the customer's equipment. This can include technical data such as oil pressure, oil temperature, vibration levels, statistical data (for instance, number of starts, etc.), or equipment reliability data. In addition, remote monitoring and diagnostics of selected equipment parameters enable us to offer our customers new attractive services designed to further optimize product utilization and life cycle costs.
Customer requirements for safety and security are fundamental for Siemens

As the first step, the customer's requirements for safety and security of their equipment must be communicated to Siemens and then carefully evaluated. For example, based on the customer's business, technical infrastructure, specific security issues, and applicable regulations, there may be a need to implement additional security measures that are beyond the standard scope of a product. By clarifying and addressing these at the outset, Siemens can establish a level of trust with the customer. This is critical as the customer must grant Siemens certain access rights to their equipment. The following non-exhaustive list sets forth some typical customer requirements.

Comprehensive logging

The customer and/or specific regulations may require comprehensive and comprehensible logging of session data.

Audit trail

Industry-specific requirements and/or applicable regulations may require that remote service sessions are recorded, so that the session is traceable in the case of future audits.

Online supervision

The customer may want to observe a remote session in real time. In particular, when critical parts of the equipment are being serviced, customers may want to supervise actions and be able to stop the session at any time.

Selective access: comprehensive administration of user rights and data access

Customers may want to have a detailed level of gradation of user rights and access to systems and data. For highly critical components, personalized access rights with strong authentication may be required.

Protection of data privacy

Before connecting remotely to a customer's equipment, there must be clarification on how data privacy protection issues are to be addressed. In addition, certain industry standards and/or applicable regulations require specific measures to ensure data privacy.

Using a standard solution

A growing number of manufacturers offer remote services for their products in various configurations.
This can result in an increasing number and variety of remote connections between the customer and the product manufacturers (OEMs), which may increase administrative effort for the customer. The added administrative complexity can also increase the possibility of security gaps. Siemens strives to avoid this situation by building on a certified, standards-compliant solution for Siemens products.
Organizational security concept

The organizational structure is as significant as the technical part of the security concept. For us at Siemens it is very important to provide the highest quality to our customers. Therefore, we take care that customers are included in every step of the implementation and all operation processes. All processes are designed to offer a high level of traceability.

This section provides detailed information on the following topics:
- Implementation process
- User management
- Establishing a connection
- Work permit for remote service
- Access control
- Remote access logging
- Organizational measures
- Maintenance and further development of the Connectivity Layer (crsp)

Implementation process

Based on the contract requirements, the connections to the plants are planned and then verified with the customer. The implementation starts after the customer has agreed to the suggested implementation plan in accordance with the contract. Relevant systems, users, and other necessary information are reviewed by the customer in advance. After the finalization of the implementation the customer receives detailed documentation of his plant's connection to the STA-RMS platform.

User management

Siemens requires that users of the STA-RMS platform are authorized for access, and that they are trained in Remote Service. The certification process is intended to provide them with sufficient knowledge of applicable policies and procedures for the access and use of the information.
[Figure: STA-RMS platform overview. Levels shown: Remote Services (Remote Support, Remote Diagnostic Services, Performance Maintenance, Condition Based Monitoring (CBM) & New Remote Services); Diagnostic & Decision Level; Condition Monitoring & Analysis Level; Connectivity Level using crsp (connectivity and security, all protocols through the crsp VPN tunnel); STA-RMS Onsite Connector at site.]

Data Collectors for different control systems and solutions for all Siemens Energy Service products are available.
The user certification is valid for one year, and after that period the users are not allowed to connect with the STA-RMS platform until successful recertification.

Establishing the connection

To authorize remote access for a Siemens service engineer, additional security mechanisms can be put into place, such as authentication servers using one-time passwords.

Work permit for remote service

In addition to the general policy, which says that a customer must grant the permission to the Siemens service engineer to connect to the unit for every session, a customer can unlock/lock his systems via the STA-RMS Connectivity Layer (crsp), so that no physical activity is needed. This is possible via the Access Management Service (AMS) of the STA-RMS platform where customers can also supervise the access.

Access control

For every service activity, the service contract can ensure that the customer grants access to his plant to the STA-RMS platform, and retains control of who is permitted access to the equipment. Access is only granted to identify or correct errors. After a set period of time, during which no action has occurred, the Siemens remote session on the customer equipment automatically ends.

Remote access logging

Siemens records access to the customer equipment and applies a time stamp. In addition, the Siemens service engineer who accesses the equipment is assigned a unique user identification, which is also recorded in this log. As a result, we can inform the customer within an appropriate period of time which service engineer had access to data, when, and what communication activities were performed on each piece of equipment. We typically retain these log reports for two years, but can retain them for a longer period if it is a customer contract requirement.

Maintenance and further development of the STA-RMS platform

Maintenance and development tasks are based on dedicated processes.
Suggested changes are discussed and assigned by a Change Control Board (CCB)/Change Advisory Board (CAB). After the realization of the changes, they are tested for failures or incompatibilities in a release environment to protect productive environments. After the approval at the end of the tests, the changes are implemented in the productive environment. This process is mandatory for all changes concerning the STA-RMS platform.

Organizational measures

Our Siemens service engineers understand the need for data privacy and IT security, and are trained to have knowledge of the applicable requirements.
Technical security concept

Security infrastructure of the STA-RMS platform

This section provides more detailed technical information on the following topics:
- Authentication and authorization of customer personnel, Siemens service personnel, and authorized service partners
- Privacy along the transmission route
- The crsp DMZ: this is the Demilitarized Zone between the Siemens intranet and the Internet or public lines
- Security measures for accessing the customer network
- Protocols and services supported

Authentication and authorization of Siemens service personnel

The central access portal of the Connectivity Layer (crsp) within the STA-RMS platform is located within the Siemens intranet, in a separate network segment, and requires a valid crsp user ID and password to access it. A strong authentication method, such as PKI (Public Key Infrastructure) using a smart card, is also available.

A multi-level service domain concept defines which users are permitted to access which equipment. This means that Siemens service engineers can only access customer equipment for which they have been authorized. Furthermore, only the Siemens Connectivity Layer (crsp) access functions for which the engineer is explicitly authorized are released for viewing by that engineer. Other equipment in the customer's network not maintained by Siemens is not configured for access by Siemens engineers.

[Figure: Architectural overview of our security infrastructure. Labels shown: Siemens Intranet, Access Portal (AP), Siemens Service Technician, Remote Service Center, Business Partner Network, Service Partner, Business Partner Access Portal (BP), STA-RMS Platform, databases (DB), DMZ crsp with Access Server (AS) and Data Server (DS), DMZ Business Partner with Access Management Service (AMS) and Terminal Server (BTS), Internet VPN, dial lines (ISDN/POTS), Optional Extension, Communication Link, Service Router, Access Gateway, Network.]
Authentication and authorization of Siemens service partners and customer personnel

Comprehensive services for our customers sometimes require the involvement of service and engineering partners. To provide the same level of security in those cases, our Access Management Service (AMS), an optional add-on to our STA-RMS platform security infrastructure, is available. The access portal for AMS users is located in the crsp DMZ and is accessible through the Internet. The users and their rights are stored on the same server, in a separate network segment, as the Siemens intranet users.

The authentication of the AMS is realized with user ID, password, and mobile PIN. When the customer needs access to the AMS, he/she enters his/her username and his/her password followed by a mobile PIN that has just been sent to the mobile phone number stored in his/her user profile. The PIN has to be entered within three minutes, or the authentication process has to start from the beginning.

This type of access via the AMS may also be useful for customer personnel who are not on site, but who want to monitor certain critical service activities online. In that case, the authorization for the customer personnel can be configured in a way that certain remote service activities can be executed only if approved/confirmed by this individual. This form of secure access may also be useful for customer maintenance personnel working from home who want to perform certain remote service activities via the Internet.

Privacy along the transmission route

We use state-of-the-art encryption to protect our customer's data from unauthorized access during transmission.

Demilitarized Zone DMZ

To protect the customer and the Siemens intranet from problems and attacks, we have secured the Connectivity Layer, which is based on Linux servers, in a Demilitarized Zone (DMZ). Connections by the Siemens service engineer to the customer equipment, and vice versa, are not put through directly.
They terminate in the Connectivity Layer, using a reverse proxy function. This means that a connection established from the Siemens intranet is terminated in the access server. This server then establishes the connection to the customer's equipment and mirrors the communication coming from the customer back to the Siemens intranet. This is configured to prevent any possibility of communication between the Siemens intranet and the customer's network over any protocols that have not been specifically authorized. Mirroring occurs only for predefined protocols and only after successful authorization at the Connectivity Layer.
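One way to implement the AMS login flow described above (user ID and password, then a mobile PIN that must be entered within three minutes or the login starts over). This is an added example, not Siemens code; the PIN length, the attempt limit, the user store and the `send_sms` callback are assumptions that the page does not specify.

```python
import hashlib
import hmac
import secrets
import time

PIN_VALIDITY_SECONDS = 180  # from the page: the PIN must be entered within three minutes
PIN_DIGITS = 6              # assumption: the page does not state a PIN length
MAX_ATTEMPTS = 3            # assumption: the page does not state an attempt limit


def hash_password(password, salt):
    """Derive a password verifier; only this value and the salt are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password, phone):
    """Build one record of the (hypothetical) AMS user profile store."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": hash_password(password, salt), "phone": phone}


class PinChallenge:
    """Second login step: a PIN sent to the phone number in the user profile."""

    def __init__(self, user_id, now):
        self.user_id = user_id
        self.issued_at = now
        self.attempts = 0
        self.closed = False
        self.pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"

    def verify(self, candidate, now=None):
        """Return 'ok', 'retry', or 'restart' (login starts from the beginning)."""
        now = time.time() if now is None else now
        if self.closed or now - self.issued_at > PIN_VALIDITY_SECONDS:
            self.closed = True
            return "restart"
        self.attempts += 1
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(candidate.encode(), self.pin.encode()):
            self.closed = True  # a PIN is accepted once only
            return "ok"
        if self.attempts >= MAX_ATTEMPTS:
            self.closed = True  # too many wrong guesses: a fresh PIN is needed
            return "restart"
        return "retry"


def start_login(users, user_id, password, send_sms, now=None):
    """First login step. Returns a PinChallenge, or None if the password step fails."""
    now = time.time() if now is None else now
    user = users.get(user_id)
    # Hash even for unknown users so response time does not reveal valid IDs.
    salt = user["salt"] if user else bytes(16)
    expected = user["verifier"] if user else b""
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    if user is None or not password_ok:
        return None
    challenge = PinChallenge(user_id, now)
    send_sms(user["phone"], challenge.pin)  # the PIN leaves only via SMS
    return challenge


if __name__ == "__main__":
    outbox = []  # stands in for the SMS gateway (constructed)
    users = {"operator1": make_user("constructed-password", "+00 0000 0000")}
    login = start_login(users, "operator1", "constructed-password",
                        lambda phone, pin: outbox.append(pin), now=0)
    print(login.verify(outbox[0], now=179))  # inside the three-minute window
    print(login.verify(outbox[0], now=180))  # the same PIN a second time
```
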
Furthermore, all data streams coming from and to the customer or the Siemens intranet are led through firewalls featuring the latest detection methods. This architecture is designed to prevent:
- Unauthorized access (for instance, by hackers)
- Fraudulent use of secure passwords, access data, etc.
- Transmission of viruses or similar harmful programs from one network to the other

In addition, we do not store any critical data in the DMZ including, in particular, customer access data.

Within the scope of our proactive remote services, data is periodically sent by the monitored equipment. This communication is also established only after successful authorization of the equipment that is requesting the connection. Data sent through the VPN tunnels to the DMZ is then securely transferred onto the STA-RMS platform.

Securing the transmission route

Encrypted connections to the STA-RMS platform or AMS

The connections from the customer's equipment to the STA-RMS platform are HTTPS secured. All connections end in the browser window in which the STA-RMS platform or the AMS is opened. This is designed to prevent either the data sent by the customer equipment via the Internet or the data sent from the STA-RMS platform from being read by invaders.

Virtual Private Network (VPN) with Internet Protocol Security (IPSec) via the Internet:

We recommend establishing a broadband, secure connection via the Internet. This can offer the following advantages: a high level of security, optimum data transfer quality and availability, and access to all STA-RMS platform-based services. A Virtual Private Network (VPN) is used for this, secured with IPSec between the Siemens DMZ and the customer's network portal. IPSec is designed to protect data against tampering and being read by others (optional).

Siemens uses the established standard IP Security with pre-shared secrets for encrypted and authenticated data transmission. Pre-shared secrets comprise at least twelve randomly selected characters.
The Internet Security Association and Key Management Protocol (ISAKMP) is used to exchange encryption key information. An Authentication Header (AH) is used for data integrity, with the MD5 or SHA1 hash method. Encrypted Secure Payload (ESP) provides for the confidentiality of data by 3DES encryption. The Diffie-Hellman key, with a 1024, or 1536-bit key length, can be used as symmetrical session keys.

Siemens can assist and provide customers with the prerequisites (for instance, VPN router) to use the Siemens STA-RMS platform. The VPN endpoint on the Siemens side is currently a Cisco router that is configured according to the customer's infrastructure needs and security requirements.

Virtual Private Network (VPN) with SSL via the Internet:

In addition to the VPN via IPSec, the STA-RMS platform offers connections using SSL (Secure Socket Layer) to the Siemens DMZ. To achieve this, a Siemens SSL client has to be installed in the customer equipment/data collector. The client encrypts the data with certificates and sends it to the Siemens DMZ. This so-called SSL tunnel, which is based on SSL V3, provides communication privacy over the Internet to prevent eavesdropping, tampering, or message forgery between the client and the server.

Virtual Private Network via dial-up connections

This functionality is no longer supported by Siemens. Customers who do have a dial-up infrastructure can contact their local Siemens representative for further information.

Technical security measures for the transmission route

We offer the following technical measures to provide added security:

Secure password transmission with CHAP

To transfer passwords, we use the Challenge Handshake Protocol (CHAP), which provides encrypted password transmission. The CHAP password, as well as passwords for Telnet and configuration mode access, are randomly generated from upper- and lower-case alphanumeric characters as well as special characters. The passwords are ten characters in length.

Enhanced control capabilities through debugging (optional)

Customers who want to receive service router SNMP or syslog messages on their router, or who want to see the current service router configuration, should contact their local Siemens representative.

Security measures within the customer network

Access to the customer network

In light of the security issues involved, external access to the customer network requires specific measures. The key security features depend on the specific concept and configuration of the service router (customer access gateway) chosen.
Access enabled by customer

One general security measure that can be implemented is to block any external access when not explicitly authorized or initiated by a component within the customer network. This security measure is supported by the STA-RMS platform, but has some limitations, especially in cases where no on-site personnel are available. However, if this option is chosen, the Connectivity Layer of the STA-RMS platform supports various mechanisms such as single log-in passwords or defined-service timeslots. All security measures such as authentication, authorization, and logging described under "Authentication and authorization of Siemens service personnel" and "Authentication and authorization of Siemens service partners and customer personnel" are available without such limitations.

Customer-supplied access (COA)

If a customer already has an existing remote access solution in place, this system can, in most cases, be configured to work securely with the Siemens STA-RMS platform's infrastructure. To clarify the required configuration and measures, customers should contact their local Siemens service representative.

Service VPN router/Siemens-supplied access (SOA)

The preferred solution due to cost, performance, and security benefits is our specified VPN-router solution with broadband Internet access, for example, DSL. This solution supports high-performance remote service solutions with lower communication costs and enables value-added remote services to be added in the future. Specific customer demands for additional security measures for certain applications, network segments, etc., or requested on-site firewall features, can be provided based on this access solution.

System access

When remote access to a customer's equipment is released (either manually by the user/administrator or automatically, based on system configuration), Siemens recommends that the service engineer is authenticated at the equipment before being able to work on the equipment.

Protocols

Depending on the capabilities of the software on a customer's equipment, the following can be used to service the equipment: the HTTP or preferably HTTPS protocol, or Telnet, PuTTY, NetOp, pcAnywhere, WinVNC, TeraTermPro, Timbuktu, NetMeeting, Tarantella; Citrix/MS Terminal Server; SNMP; X.11 service tools/protocols; and others (if customers need other protocols, they are welcome to contact their local Siemens representative for further information).
Data transmission from the customer's equipment to the STA-RMS platform

For our diagnostic services, only mandatory technical data is sent from the customer's equipment to the STA-RMS platform automatically (based on the customer's equipment configuration). Depending on the capabilities of the software, the following services are used:
- ftp/sftp (file transfer protocol, secure file transfer protocol)
- scp (secure copy)
- or optionally, other services of a system management tool.
Data transmission from STA-RMS platform to the customer's equipment (optional)

Depending on the customer's needs and product capabilities, an STA-RMS platform-based software update service is available if requested. In this case, data could be sent manually or automatically from the STA-RMS platform to the customer's equipment in accordance with the customer's preferences as set out in the contract. This includes, for example, anti-virus patterns and Microsoft hotfixes. The update service includes the delivery of the software packages and could include installation. For further information about available services for your specific equipment, please contact your local Siemens representative.

Features of Siemens equipment to protect against malicious attacks

STA-RMS platform protection

The servers of the Connectivity Layer are Linux servers. Infection by worms, viruses, Trojan horses, or other viruses has not been reported as of the date of this publication. Nevertheless, we use state-of-the-art virus protection programs to protect the STA-RMS platform.

Customer equipment

Threats from the STA-RMS platform

The reverse proxy function and the firewalls described in the section on the Demilitarized Zone (DMZ) are intended to prevent a virus infection on the customer's equipment from affecting the STA-RMS platform, and to prevent the distribution of viruses in the direction of the customer's equipment.

Threats stemming from Internet connection

Equipment connected to the corresponding STA-RMS platform via the Internet is, as with any connection via the Internet, exposed to a certain level of threat. As discussed above, Siemens' security infrastructure contains anti-virus protection solutions. However, if the customer uses their Internet connection for other purposes, we recommend that they take appropriate precautions to protect their equipment.

Threats from e-mail traffic

Certain types of customer equipment can send e-mails (without attachments) to the corresponding STA-RMS platform and in this direction only.
E-mails sent from customer equipment to the STA-RMS platform are forwarded to the appropriate Siemens mail server and then sent to the recipient. The Siemens mail server scans e-mails for viruses and reacts in accordance with the Siemens established guidelines to protect the Siemens intranet. Since no e-mails are sent to the customer equipment, infection of the customer equipment in this manner is unlikely.

Infection of serviced equipment through contact with infected customer equipment

Infection of the STA-RMS platform through contact with infected customer equipment is unlikely as there is no direct IP routing between them. Furthermore, all data streams coming from and to the customer or the Siemens intranet are led through firewalls featuring up-to-date anti-virus detection methods.
The following provides information about how a connection to a customer can be realized via the STA-RMS Connectivity Layer using crsp. An access router for the crsp can be placed anywhere in the customer's network as long as a routable connection between the systems and the crsp router is possible.

VPN Situation 1

In this case, the Internet link is directly terminated by the crsp access router. There is no additional gateway in the customer's network.

[Figure: VPN Situation 1. Labels shown: Siemens crsp, SOA, Internet, Site, Internet Gateway (Internet Access = Siemens crsp Router), Server System, crsp Tunnel Endpoint.]

VPN Situation 2

In this case, the crsp access router bypasses the entire firewall of the customer. This solution should only be chosen if the customer's firewall is neither capable of forwarding IPSec traffic to a device in the customer's LAN nor of owning a DMZ interface. This is an easy but not a recommended solution since the customer's firewall is bypassed.

[Figure: VPN Situation 2. Labels shown: Siemens crsp, SOA, Internet, Internet Gateway, Firewall, Site, Server System, Siemens crsp Router, crsp Tunnel Endpoint.]
VPN Situation 3

In this case, the Internet link is terminated by the customer's equipment, but the IPSec tunnel is still terminated by the Siemens router. The Siemens router is placed within the customer's DMZ beyond the firewall. SSH (TCP port 22), ISAKMP (UDP port 500/4500), ESP (IP protocol number 50), and AH (IP protocol number 51) are required to be forwarded to the crsp access router (WAN address).

[Figure: VPN Situation 3. Labels shown: Siemens crsp, SOA, Internet, Internet Gateway, Firewall, Site, DMZ, Server System, Siemens crsp Router, crsp Tunnel Endpoint.]

VPN Situation 4

In this case, the Internet link is established by the customer's equipment; the IPSec tunnel, however, is terminated by the Siemens router. The router is placed within a DMZ of the customer's firewall, but the LAN interface is directly connected to the customer's network. SSH (TCP port 22), ISAKMP (UDP port 500/4500), ESP (IP protocol number 50), and AH (IP protocol number 51) are required to be forwarded to the crsp access router (WAN address).

[Figure: VPN Situation 4. Labels shown: Siemens crsp, SOA, Internet, Site, Internet Gateway, Firewall, Server System, DMZ, Siemens crsp Router, crsp Tunnel Endpoint.]
VPN Situation 5

In this case, the Internet link is terminated by the customer's equipment, but the customer's equipment is not capable of terminating IPSec tunnels. Furthermore, the equipment does not feature a DMZ where the router can be placed. The Siemens router is placed within the network. SSH (TCP port 22), ISAKMP (UDP port 500/4500), ESP (IP protocol number 50), and AH (IP protocol number 51) are required to be forwarded to the crsp access router (WAN address).

[Figure: VPN Situation 5. Labels shown: Siemens crsp, SOA, Internet, Internet Gateway, Firewall, Site, Server System, Siemens crsp Router, crsp Tunnel Endpoint.]

VPN Situation 6

In this case, the Internet link and the IPSec tunnel are terminated by the customer's equipment. All necessary parameters will be verified between the contact persons.

[Figure: VPN Situation 6. Labels shown: Siemens crsp, COA, Internet, Internet Gateway, Site, router or firewall at which the tunnel will be terminated, crsp Tunnel Endpoint, Server System.]
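A check of a customer firewall's forwarding rules against the forwards listed for VPN Situations 3 to 5, reporting both required forwards that are missing and extra forwards that expose the crsp access router beyond what the text calls for. This is an added example, not part of the Siemens document; the rule syntax and the address 192.0.2.10 (standing in for the router's WAN address) are constructed for illustration.

```python
import ipaddress

# Forwards required toward the crsp access router (WAN address), as listed for
# VPN Situations 3 to 5. Key: (IP protocol number, destination port or None).
REQUIRED = {
    (6, 22): "SSH (TCP port 22)",
    (17, 500): "ISAKMP (UDP port 500)",
    (17, 4500): "ISAKMP (UDP port 4500)",
    (50, None): "ESP (IP protocol number 50)",
    (51, None): "AH (IP protocol number 51)",
}
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "esp": 50, "ah": 51}


def parse_rule(line):
    """Parse 'forward <proto> [port] -> <ip>' (hypothetical rule syntax)."""
    left, arrow, dest = line.partition("->")
    fields = left.split()
    if not arrow or len(fields) not in (2, 3) or fields[0] != "forward":
        raise ValueError(f"unparseable rule: {line!r}")
    name = fields[1].lower()
    proto = PROTO_NUMBERS.get(name)
    if proto is None:  # protocol given by number, e.g. '50'
        if not name.isdigit() or int(name) > 255:
            raise ValueError(f"unknown protocol in rule: {line!r}")
        proto = int(name)
    has_ports = proto in (6, 17)
    if has_ports != (len(fields) == 3):
        raise ValueError(f"port missing or not applicable: {line!r}")
    port = None
    if has_ports:
        if not fields[2].isdigit() or not 1 <= int(fields[2]) <= 65535:
            raise ValueError(f"bad port in rule: {line!r}")
        port = int(fields[2])
    return proto, port, ipaddress.ip_address(dest.strip())


def audit_forwards(rule_text, router_wan):
    """Compare the forwards aimed at router_wan with the required set."""
    router = ipaddress.ip_address(router_wan)
    seen, unexpected = set(), []
    for raw in rule_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        proto, port, dest = parse_rule(line)
        if dest != router:
            continue  # forwards to other hosts are outside this check
        if (proto, port) in REQUIRED:
            seen.add((proto, port))
        else:
            unexpected.append(line)  # exposes the router beyond the listed set
    missing = [label for key, label in REQUIRED.items() if key not in seen]
    return {"missing": missing, "unexpected": unexpected,
            "ok": not missing and not unexpected}


# Constructed sample: AH is not forwarded and RDP is forwarded needlessly.
SAMPLE_RULES = """\
# constructed firewall export
forward tcp 22 -> 192.0.2.10
forward udp 500 -> 192.0.2.10
forward udp 4500 -> 192.0.2.10
forward 50 -> 192.0.2.10
forward tcp 3389 -> 192.0.2.10
forward tcp 443 -> 192.0.2.20
"""

if __name__ == "__main__":
    report = audit_forwards(SAMPLE_RULES, "192.0.2.10")
    for label in report["missing"]:
        print("missing forward:", label)
    for rule in report["unexpected"]:
        print("unexpected forward:", rule)
```
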
VPN Situation 7

In this case, the Internet link is terminated by the customer's equipment, but the tunnel is terminated directly on the customer equipment with a crsp SSL client. TCP Port 443 from internal to external must be opened in the customer firewall.

[Figure: VPN Situation 7. Labels shown: Siemens crsp, SSL-VPN Client, Site, Internet, Internet Gateway, Firewall, Server System, crsp Tunnel Endpoint.]

Contacts

For more details please contact
How the STA-RMS platform answers possible customer questions

How can I prevent unauthorized access to my plant?
The AMS provides the possibility to lock all equipment to prevent access. The customer can unlock the access for his/her equipment individually in case remote service is needed. The routers Siemens delivers are configured so that no other data transfer is allowed other than transfer from and to the STA-RMS platform.

How is the crsp always available if I need remote support?
The crsp is highly redundant due to three data centers. The operation is designed for 24 hours/365 days.

Could I use the crsp also for my own staff?
It is also possible to include customer staff, as well as business partners, into the crsp. Access for non-Siemens personnel can be granted by the customer via the AMS.

How do I keep the overview about what is happening in my plant?
The crsp offers comprehensive logging mechanisms, which can be accessed via the AMS. Additionally, an SMS or an e-mail can be sent if someone is trying to access a system of your site via the crsp. E-mails can also be sent when the user is finished with the session, which can include a description of the work done.

Is it possible to supervise remote experts while they are working?
Depending on the application used for the remote service, it is possible to supervise the remote experts. Which applications are allowed for remote service is a part of the planning and is included in the documentation of the crsp connection.

Do I have to buy hardware to use the crsp or could I use my corporate firewall?
Siemens provides various connection methods, which also include the possibility to use a corporate firewall of a customer (if the customer equipment is capable of terminating the IPSec tunnel), as well as a software-based connection method.

Is it possible to use my authentication server additional to the strong authentication method provided by the crsp?
Yes, customers have the possibility to use their authentication server on the customer site in addition. What are the major advantages of the crsp compared to point-to-point connections? The crsp can be accessed worldwide without specific software, this provides wide flexibility. Additional to this, the heightened security level in the crsp-dmz, the user management based on different roles, and the given log level can not be reached by point-topoint connections. Are there any certifications available for the crsp? Yes, the operation of the crsp is designed to be ISO certifiable. I have many IPSec tunnel connections to my plant. Could I detach them with the crsp? Yes, that is possible if all the other parties migrate to the crsp. 19
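VPN Situation 7 requires TCP port 443 to be opened from internal to external, and the FAQ states that Siemens-delivered routers allow no transfer other than to and from the platform. The following added example (not part of the Siemens paper) applies the same restriction to a customer-owned firewall by probing an egress rule list to confirm that only the client-to-endpoint flow is permitted. The rule syntax, the first-match/default-deny evaluation and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addresses, not values from the paper.
CLIENT = "10.20.0.10"           # internal host running the SSL-VPN client
ENDPOINT = "198.51.100.20"      # assumed address of the remote tunnel endpoint
OTHER_INTERNAL = "10.20.0.77"   # any other internal host
OTHER_EXTERNAL = "203.0.113.5"  # any unrelated Internet host

# (name, protocol, source, destination, destination port, expected verdict)
PROBES = [
    ("client -> endpoint tcp/443 (tunnel)", "tcp", CLIENT, ENDPOINT, 443, "allow"),
    ("client -> unrelated host tcp/443", "tcp", CLIENT, OTHER_EXTERNAL, 443, "deny"),
    ("client -> endpoint tcp/80", "tcp", CLIENT, ENDPOINT, 80, "deny"),
    ("other internal host -> endpoint tcp/443", "tcp", OTHER_INTERNAL, ENDPOINT, 443, "deny"),
]


@dataclass(frozen=True)
class Rule:
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: range


def _net(token):
    """Turn 'any', a host address or a CIDR prefix into a network object."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rule(line):
    """Parse 'action proto src dst port' (hypothetical syntax; port is N, N-M or any)."""
    action, proto, src, dst, port = line.split()
    if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
        raise ValueError(f"unsupported rule: {line!r}")
    if port == "any":
        ports = range(0, 65536)
    else:
        low, _, high = port.partition("-")
        ports = range(int(low), int(high or low) + 1)
    return Rule(line.strip(), action, proto, _net(src), _net(dst), ports)


def decide(rules, proto, src, dst, dport):
    """First matching rule wins; no match falls through to an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (rule.proto in ("any", proto) and src_ip in rule.src
                and dst_ip in rule.dst and dport in rule.ports):
            return rule.action, rule.text
    return "deny", "(implicit default deny)"


def audit(rule_lines):
    """Return (probe name, actual verdict, deciding rule) for every failed probe."""
    rules = [parse_rule(line) for line in rule_lines
             if line.strip() and not line.lstrip().startswith("#")]
    findings = []
    for name, proto, src, dst, dport, expected in PROBES:
        action, matched = decide(rules, proto, src, dst, dport)
        if action != expected:
            findings.append((name, action, matched))
    return findings


# Constructed rule sets: the literal reading of "open TCP 443 outbound"
# next to a version scoped to the client host and the tunnel endpoint.
BROAD_RULES = ["allow tcp any any 443"]
SCOPED_RULES = [
    "# SSL-VPN client to tunnel endpoint only",
    f"allow tcp {CLIENT} {ENDPOINT} 443",
    "deny any any any any",
]

if __name__ == "__main__":
    for label, ruleset in (("broad", BROAD_RULES), ("scoped", SCOPED_RULES)):
        results = audit(ruleset)
        print(f"{label}: {len(results)} finding(s)")
        for name, action, matched in results:
            print(f"  {name}: got {action} via '{matched}'")
```

The probes are samples, so a clean result shows the tested flows behave as intended rather than proving the whole rule set minimal.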
Published by and copyright 2013:
Siemens AG Energy Sector Freyeslebenstrasse Erlangen, Germany
Siemens AG Energy Sector Service Division Oil & Gas and Industrial Applications Wolfgang-Reuter-Platz Duisburg, Germany
Siemens Energy Inc Alafaya Trail Orlando, FL , USA

For more information, contact our Support Center. Phone: Fax: (Charges depending on provider) [email protected] siemens.com/energy

Energy Service Division Oil & Gas and Industrial Applications Services
Order No. E50001-G510-A219-X-7600 Dispo 34806, c4bs 7447 bdk , P WS 1212
Printed in Germany
Printed on paper treated with chlorine-free bleach.

All rights reserved. Trademarks mentioned in this document are the property of Siemens AG, its affiliates, or their respective owners. Subject to change without prior notice. The information in this document contains general descriptions of the technical options available, which may not apply in all cases. The required technical options should therefore be specified in the contract.
