IT Security in Process Automation - Top Ten

Transcription

1 IT Security for Process Control Field Devices, Services and Maintenance INTERKAMA Forum, April 13 th, 2005 Slide 1

2 IT Security in Process Automation Content Why is this important? Security Measures in /for devices: Field Devices Panel Devices Inventory Control / Remote Services Web enabled asset management What is needed The Risk Model Harmonized Standards Slide 2

3 IT Security in Process Automation Why is Information Security important? New technologies new risks (wireless, IT, WEB ) Openness of the communication, e.g. Ethernet Access to company networks from outside (outsourcing / remote clients ) Know how protection Internal attacks : disgruntled employees (FBI Study) External attacks Vandalism, Terror, DNS / viruses / worms, backdoors / masquerade / corruption Legal Requests e.g. pharmaceutical and food industry: 21 CFR part 11 Slide 3

4 IT Security in Process Automation Why is Information Security important? There was always the necessity to protect company assets against all kind of threats: misuse, theft, tampering, unauthorized changes, vandalism.. With the use of more IT and more open communication technologies Information Security is coming more important to guarantee dependable plant operation. Slide 4

5 IT Security in Process Automation Process automation architecture P View Ethernet Field Controller Slide 5 FieldCare W@M ControlCare Application Designer

6 IT Security in Process Automation Process automation architecture P View Ethernet Field Controller Device level Slide 6 FieldCare W@M ControlCare Application Designer

7 IT Security in Process Automation Access Control Devices Access based on Roll Concept Operator Maintenance Expert. Password Read: all (but service ) Write, if allowed Key locking Slide 7 Experience: Default passwords Or device is left open

8 IT Security in Process Automation Process automation architecture P View Ethernet Field Controller Slide 8 FieldCare W@M ControlCare Application Designer Panel devices

9 IT Security in Process Automation Panel Devices - FDA 21 CFR part 11: (among many other requests) Electronically stored data: reliable, addressable, and of high integrity Part 11 Slide 9

10 IT Security in Process Automation Panel devices - FDA Electronic signature conform with FDA 21 CFR part 11 ID- / password combination assignable to a unique individual. Preset password length for user and administrator. Default password must be changed Password must be changed after 30, 60 or 90 days. Audit Trail for successful or unsuccessful login attempts Slide 10 Rear panel is protected against manipulation via light barrier

11 IT Security in Process Automation Process automation architecture P View Ethernet Field Controller Remote Access via Fieldgate Slide 11 FieldCare W@M ControlCare Application Designer

12 IT Security in Process Automation Inventory Control and Remote Service Fieldgate with enclosure consumer site producer site Workstation e-business server ethernet LAN LAN Firewall Firewall Internet Workstation Firewall remote setup with ToF-Tool via Fieldgate HARTclient LAN 1 of 4 tanks for chemicals monitored with Micropilot M Slide 12 Endress+Hauser

13 IT Security in Process Automation Remote Access with Fieldgate Technology Fieldgate + GSM Telephone Ethernet LAN (Intranet) TCP/IP WAN (Internet) Field Nivotester FTC625 Office world Security Aspects Access control by password; transfer encrypted User defined access rights No parameterizations from the WEB if HW locked Slide 13 Hardware switch (no read/write); unlocking at the device only Point-to-point via GSM or phone line Call-back mechanism

14 IT Security in Process Automation Fieldgate Portal Server Workstation Workstation LAN Firewall Workstation Login to portal (https) Internet Firewall VPN Fieldgate Portal VPI Agent Software runs in the background on a workstation or a server uses standard http-port of proxy-servers establishes VPN connection to the portal knows only the configured Fieldgates in the LAN relays requests to the portal to the appropriate Fieldgate Firewall Workstation Workstation LAN Server Ethernet Fieldgate Ethernet Fieldgate Slide 14

15 IT Security in Process Automation Process automation architecture Plant Asset Management P View Ethernet Field Controller Slide 15 FieldCare W@M ControlCare Application Designer

16 The Service Portal System concept Web Application Server Portal) Wide Area Network (WAN) / Internet W@M Portal via Internet Access FieldCare Plant Asset Management Installed Base Assistant (IBA-C) W@M connectivity via Internet Access Management Plant Asset Management Local Area Network (LAN) FieldCare Local Maintenance and Configuration Supervisory Control Visualization, Monitoring and Control Plant Access Points JA Salusbury Field Remote I/O, Drives, Field devices Slide 16

17 IT Security in Process Automation Security Aspects Data protection against loss redundant memory system Backup / kept safe at a secure place daily within the scope of a disaster recovery backup mirrored on an identical memory system in the emergency computer Data protection against unauthorized access Authentication by user name and password client separation Data encryption (SSL / HTTPS) Multi-level firewall concept Regular security audits Availability twenty-four-seven Slide 17 maintenance dates per year are scheduled

18 IT Security in Process Automation The Risk Model Is what we are doing sufficient? Risk = Threat x Vulnerability Countermeasures x Value International harmonized and accepted standards are needed: Activities are numerous: ISA, IEC, NAMUR, DKE Common methods to evaluate security measures, IT office == IT industrial (needs own set of rules), Bundling the know how, Slide 18

19 IT Security in Process Automation Besten Dank für Ihre Aufmerksamkeit Slide 19