Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Transcription

1 Security for Industrial Considering the PROFINET Security Guideline Automation

2 Industrial IT Security 2 Plant Security Physical Security Physical access to facilities and equipment Policies & Procedures Security management processes Operational Guidelines Business Continuity Management & Disaster Recovery DCS/ SCADA* Network Security Security Zones & DMZ Secure architecture based on network segmentation Firewalls and VPN Implementation of Firewalls as the only access point to a security cell Potential Attack *DCS: Distributed Control System SCADA: Supervisory Control and Data Acquisition System Integrity System Hardening Adapting system to be secure by default User Account Management Access control based on user rights and privileges Patch Management Regular implementation of patches and updates Malware Detection and Prevention Anti Virus and Whitelisting

3 What is IT Security? (Cyber/Network) 3 Protection of computers and networks from intrusion and disruption Security With so many systems relying on networks this is critical The internet allows global connectivity and all its advantages These advantaged lead to vulnerability

4 Why do I need IT Security? 4 Intrusion can be malicious or accidental Governments are concerned by terrorist acts Business is concerned by industrial espionage and theft Ex employees may have a grudge Current employees can be careless Computer viruses can attack PLCs Network intrusions are on the increase The damage can be catastrophic

5 How do I implement IT Security? 5 CPNI recommendations Risk analysis and policies Industrial grade equipment PROFINET / PROFINET Security Guideline (ICS CERT recommendations) Industrial Security Homepage:

6 PROFINET Security Concept 6 The PROFINET Security Concept From the PROFINET Security Guideline Network Architecture Security Zones Trust Concept within Zones Perimeter Defence Firewall/VPN Provision of Confidentiality and Integrity Transparent Integration of Firewalls

7 Security Zones 7 Security Zone Communication based on trust within zone Trusted networks should be able to talk with each other Perimeter defense Local Security Measures E.g. Locked Ethernet ports, Networking equipment in cabinets Firewall Trusted Network

8 How to secure the Network 8 Using Industrial Firewalls Monitor incoming and outgoing data packets on the basis of predefined rules Only authorized connections are accepted Help to keep unwanted traffic out (e.g. Office Broadcasts) Rugged industrial design Industrial like administration Built-in VPN capabilities

9 Linking Security Zones 9 Data traffic control between network using security modules Encrypted data transmission between security modules Firewalls help to keep unwanted office traffic out as well Corporate Network/Backbone VPN Firewall Firewall ed Network Trusted Netw

10 Secure Automation Cells (Zones) 10 Complete plant security Internet Secure automation cells

11 Connecting to the Outside World 11 When connecting to the outside world, think about Security against Wrong address allocations Unauthorized access Spying Manipulation Different requirements in industrial applications in Networks architectures Performance and functions PROFINET leverages effective and certified security standards (VPN) e.g. IPSec

12 Methods for Network Security 12 Security issues and vulnerabilities need to be addressed There are many methods How can we address these vulnerabilities using these techniques: Firewall Protect against unauthorized access VLAN (Virtual Local Area Network) Logical network that operates on the basis of a physical network DMZ (De-Militarized Zone) Exchange data with external partners via safe areas VPN (Virtual Private Network) Secure tunnel between authenticated users

13 DMZ 13

14 Industrial Security Everyone? 14 Management Operators OEM / System integrators Measures and processes that prevent unauthorized access of persons to the surrounding area of the plant Physical access protection for critical automation components (e.g. locked control cabinets) Requirements that operators of industrial automation systems must meet: Security guidelines and processes, Risk management in terms of security Information and document mgmt. etc. System-side requirements in terms of. Access protection, user control Data integrity and confidentiality Controlled data flow, etc. Component suppliers Requirements that components of an automation system must meet in terms of Product development processes Product functionalities

15 Industrial Security for Controllers / HMIs 15 Logon Control Central, plant-wide user administration. Deactivation of services Most network services deactivated in our products in their basic configuration. Deactivation of hardware interfaces The unused interfaces of HMI / Controller / Device can be deactivated via the configuration. Robust Communication One of the system properties of our PROFINET devices is their robustness against large volumes of network traffic or faulty network packets. Encryption of the user program Application code for the PLC / controller can be encrypted. Copy protection Encryption protection can be supplemented with copy protection that prevents duplication of application code.

16 Example of a Cell (Machine?) 16

17 Passwords! 17 Various Passwords are set by default: HMI: web server; default password = 100. HMI: user Administrator ; default password = administrator. Switches : user Administrator ; default password = administrator.

18 Secure Remote Access 18

19 Integrate the Office 19

20 Continuous Network / Security Monitoring 20 Monitoring of PROFINET / Networks for: Detection of changes Load monitoring Security monitoring Event-forwarding Industrial Service Station BANY Agent (integrated TAP) MRP TAP BANY Agent (external TAP)

21 Industrial IT Security 21 Security Services DCS/ SCADA* *DCS: Distributed Control System SCADA: Supervisory Control and Data Acquisition Plant Security Physical Security Physical access to facilities and equipment Policies & procedures Security management processes Operational Guidelines Business Continuity Management & Disaster Recovery Network Security Security cells & DMZ Secure architecture based on network segmentation Firewalls and VPN Implementation of Firewalls as the only access point to a security cell System Integrity System hardening Adapting system to be secure by default User Account Management Access control based on user rights and privileges Patch Management Regular implementation of patches and updates Malware detection and prevention Anti Virus and Whitelisting Any Questions?

22 PI Corporate Design 22 Colors PI Green PI Grey PI Blue PI Red PI Yellow Black 44/166/123 82/87/101 0/100/ /0/26 255/221/13 51/51/51 80% 80% 80% 80% 80% 80% 86/184/ /121/132 51/131/ /51/72 255/228/61 92/92/92 60% 60% 60% 60% 60% 60% 128/202/ /154/ /162/ /102/ /235/ /133/133 40% 40% 40% 40% 40% 40% 171/219/ /188/ /193/ /153/ /241/ /173/173 20% 20% 20% 20% 20% 20% 213/237/ /221/ /224/ /204/ /248/ /214/214