Support and Remote Dialup SIMATIC. Process Control System PCS 7. Support and Remote Dialup. Preface 1. Support and Remote Dialup.

Transcription

1 Preface 1 2 SIMATIC Process Control System PCS 7 Dialup 3 Practical information 4 Commissioning Manual 12/2011 A5E

2 Legal information Legal information Warning notice system This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger. DANGER indicates that death or severe personal injury will result if proper precautions are not taken. WARNING indicates that death or severe personal injury may result if proper precautions are not taken. CAUTION with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken. CAUTION without a safety alert symbol, indicates that property damage can result if proper precautions are not taken. NOTICE indicates that an unintended result or situation can occur if the relevant information is not taken into account. If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage. Qualified Personnel The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems. Proper use of Siemens products Note the following: WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed. Trademarks All names identified by are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner. Disclaimer of Liability We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions. Siemens AG Industry Sector Postfach NÜRNBERG GERMANY A5E P 11/2011 Copyright Siemens AG Technical data subject to change

3 Table of contents 1 Preface Structure and organization of the document Special Notes Definitions Concept Dialup Local dialup Remote dialup Network medium Support device Control System Network Access Choice of technology Practical information General information Siemens Remote Service (SRS)...22 Commissioning Manual, 12/2011, A5E

4 Table of contents 4 Commissioning Manual, 12/2011, A5E

5 Preface Structure and organization of the document The Security Concept PCS 7 & WinCC has several parts: The basic document provides a central overview and path through Security Concept PCS 7 & WinCC. It systematically describes the basic principles and security strategies of the security concept. All additional detail documents assume the reader has read the basic document. The detail documents (this is one such detail document) explain the individual principles, solutions and configuration recommended there in detailed form, and each focuses on a particular detailed issue. The detail documents are supplemented, updated and published independently of one another to ensure that they are always up-to-date. Commissioning Manual, 12/2011, A5E

6 Preface 1.2 Special Notes 1.2 Special Notes Objective of the Security Concept PCS 7 & WinCC The main priority of automation is to maintain control over production and process. Even measures which aim to prevent the spread of a security threat must not affect control over production and process. Security Concept PCS 7 & WinCC is intended to ensure that only authenticated users can perform authorized (permitted) operations via operating permissions (assigned to them) for authenticated devices. These operations should only be performed via defined and planned access routes to ensure safe production or coordination of a job without danger to humans, the environment, product, goods to be coordinated and the business of the enterprise. Security Concept PCS 7 & WinCC, therefore, recommends the use of the latest available security mechanisms. To achieve the highest possible level of security, scaled, systemspecific configurations should never contradict the basic principles of this security concept. Security Concept PCS 7 & WinCC is intended to facilitate the cooperation between network administrators of company networks (IT administrators) and automation networks (automation engineers) to exploit the advantages provided by the networking of process control technology and the data processing of other production levels, without increasing security risks at either end. Required Knowledge This documentation is aimed at anyone who is involved in configuring, commissioning and operating automated systems based on SIMATIC. It is assumed that readers have appropriate management knowledge of office IT. Validity Security Concept PCS 7 & WinCC incrementally replaces the following previous documents and recommendations: "Security Concept PCS 7" and "Security Concept WinCC", and is valid as of WinCC V6.2 and PCS 7 V Commissioning Manual, 12/2011, A5E

7 2 This detailed report focuses exclusively on remote maintenance, remote support and remote administration of a system. A description of remote control of a system is not included in this detailed report. However, information on remote control is provided in the detailed report Management of Communication within and between Security Cells. 2.1 Definitions Virtual Private Network (VPN) Source: Microsoft Help & Support Center Windows Server 2003 An extension of a private network which encompasses encapsulated, encrypted and authenticated connections over shared or public networks. Private networks can establish remote access and routing connections over the Internet using VPN connections. Point-to-Point Tunneling Protocol (PPTP) Source: Microsoft Help & Support Center Windows Server 2003 A network technology that supports multi-protocol VPNs (Virtual Private Networks). This provides remote users with secure access to internal company networks over the Internet or other networks by connecting via an Internet Service Provider (ISP) or by establishing a direct connection over the Internet. PPTP encapsulates IP (Internet Protocol) data, IPX (Internetwork Packet Exchange) data and NetBEUI (NetBIOS Extended User Interface) data in IP packets. Such encapsulation is also referred to as tunneling. This means that users can remotely run applications that are dependent on specific network protocols. Layer 2 Tunneling Protocol (L2TP) Source: Microsoft Help & Support Center Windows Server 2003 An industry-standard Internet tunneling protocol that provides encapsulation to send PPP (Point-to-Point Protocol) frames for packet-oriented media. On IP networks, L2TP traffic is transmitted in the form of UDP (User Datagram Protocol) messages. On Microsoft operating systems, L2TP is used in conjunction with IPsec (Internet Protocol Security) as the VPN (Virtual Private Network) technology to provide VPN connections via RAS (Remote Access) or router-to-router. L2TP is described in RFC Commissioning Manual, 12/2011, A5E

8 2.2 Concept 2.2 Concept Concept Owing to the increase in networking and as systems are connected to company networks and the Internet and distances increase between support employees and systems (e.g. onshore support employee; system requiring support is located on a ship), support and remote dialup is growing in significance. However, support and remote dialup is associated with additional dangers. Exceptions have to be defined at the access point firewalls, creating additional weak points for hackers, and support employees can unintentionally infect the system with malware such as viruses and Trojans etc.. To minimize this risk, a Defense in Depth strategy is recommended for support and remote dialup, as for the entire Security Concept PCS 7 & WinCC. This means that there is no direct dialup to the endpoint for maintenance, but dialup is achieved with a combination of multiple technologies and security mechanisms over a central access point to ensure the highest possible security for the entire system. The VPN server described below is part of the back firewall and therefore the responsibility of the system administrator, and is published over the front firewall to the WAN (intranet/office network). The external VPN solution preferred by Siemens for PCS 7 systems, the Siemens Remote Service (SRS), may be used as an alternative to an internal VPN solution. The Siemens Remote Service is based on a platform technology. Common Remote Service Platform (CRSP) (for more information, see Chapter Practical information (Page 21)). This configuration ensures that the front firewall has absolutely no routing information for the Process Control Network (PCN) or information on the network structure in the Manufacturing Control System (MCS) level. Hence, even if the front firewall is bypassed by an attacker, there is no access to the system. A Microsoft Internet Security and Acceleration Server (MS ISA Server) is shown as the firewall in the following diagrams. The successor Microsoft Thread Management Gateway (MS TMG) that came out in 2010 may also be used. Further information on the configuration of an ISA Server/TMG as a firewall is provided in the detailed report Managing the MS ISA Server/MS TMG as an Access Point. 8 Commissioning Manual, 12/2011, A5E

9 2.2 Concept Demo System The following diagram shows a demo system with front and back firewalls and all the devices described in Chapter Auto-Hotspot, e.g. the support and dialup stations of the support employee. Enterprise Control Network Domain Controll Firewall Support Station WAN Intranet Router ISDN Historian Web Client SIMATIC IT SQL- SIMATIC IT Server Server Manufacturing Operations System Firewall ISA Server Front-Firewall Virusscan Server Perimeter Network Support Station Domain Controller Domain Controller Terminal Server WSUS Server Router ISDN Firewall ISA Server Back-Firewall WinCC Client OS Client Process Control Network SCALANCE X based redundant Ring Domain Controller Domain Controller WinCC Server WinCC Server OS Server OS Server Control System Network SCALANCE X based redundant Ring Engineering Station Maintenance Server S7-400H S7-400 S7-400 S7-400FH Figure 2-1 Demo system with front and back firewall Commissioning Manual, 12/2011, A5E

10 2.2 Concept 10 Commissioning Manual, 12/2011, A5E

11 Dialup 3 In principle, there are two different dialup options: local dialup, when the support employee is on site remote dialup over the intranet/office network, Internet or telephone network Commissioning Manual, 12/2011, A5E

12 Dialup 3.1 Local dialup 3.1 Local dialup Support station belonging to the system The support station is a stationary support PC that is either physically located on the system as an ES in the Process Control Network (PCN) and is therefore part of the system or physically located as a remote ES in a perimeter network / Manufacturing Operating Network (MON) of the Manufacturing Execution Systems (MES) and therefore a trusted, remote system PC. In both cases, security is ensured by correctly implementing the Security Concept PCS 7 & WinCC basic document. As project files and backup copies are frequently changed on engineering stations in contrast to process control computers, external data media (USB sticks, CDs etc.) must also be scanned for viruses and malware before being inserted into engineering stations. Mobile Support PC / PG (Support Laptop) If the support employee brings his/her own support PC onto site, he/she should only be allowed to connect to the network at the access points specifically provided so-called support ports. This can be done, for example, with modern devices from the SCALANCE X 300 and 400 ranges. Individual ports can be configured so that connected computers can only participate in network communication if they have a valid certificate for each connection, which the SCALANCE device can verify on a RADIUS server, which in turn grants access. This ensures that only support employees who have been granted an applicable certificate can participate in network communication. The support employee then creates a VPN connection to the back firewall. As the support employee is on site and system personnel are supervising constantly, a PPTP dialup with a standard support user account is sufficient. In this case, a user account is queried (in conjunction with the MS Remote Access Server (RAS)) via a user authentication server (e.g. the MS Internet Authentication Server (IAS) / RADIUS server) and this can be used by all support employees for dialup on site. Each time the support job is completed, the system administrator must change the password for the standard support user. The update status of the virus scanner and the activated local firewall etc. are then checked on the support PC using the quarantine functionality of the ISA Server\TMG in the back firewall. The content and the nature of checking can be defined by the system operator depending on the specific security requirements. Only after checking has completed successfully can the support employee access the system PCN or a specific engineering station. If access to the Control System Network (CSN) is also required, the quarantine scripts must be designed such that the additional network cards of an engineering station (e.g. CP1613) in contact with the CSN are initially deactivated and only reactivated after checking has completed successfully. 12 Commissioning Manual, 12/2011, A5E

13 Dialup 3.2 Remote dialup 3.2 Remote dialup Network medium Direct connection between devices Direct connections are initialized between two devices, e.g. two ISDN routers or two Siemens Teleservice devices. A Point-to-Point connection over which data can be exchanged is always established between the two devices. It is usually possible to configure the devices so that they only allow or accept connections to or from defined call numbers or devices. In addition, they can frequently be set up so that the dialup has to be manually confirmed before the connection is established. It is therefore possible to ensure that the connection is in fact established by the support employee via a telephone conversation. For the above reasons, use of a PPTP-VPN connection is sufficient in this scenario. Internet If dialup is via the Internet, maximum possible security must be guaranteed, as in principle every user on the Internet can attempt to establish a dialup connection to the VPN server. The VPN server is part of the back firewall and therefore the responsibility of the system administrator and is published over the front firewall to the WAN (Internet/intranet/office network). In this scenario, the front firewall accepts VPN connections by proxy and then forwards them to the back firewall. This configuration ensures that the front firewall has absolutely no routing information for the PCN or information on the network structure within the MCS level. A unique user with a strong password must be created for each support employee for access to be transparent. Users should only be enabled temporarily and following consultation by telephone. A particularly secure tunnel protocol, such as L2TP-IPsec VPN, must be used for communication to guarantee the integrity and confidentiality of the data via a high level of security and encryption depth. Commissioning Manual, 12/2011, A5E

14 Dialup 3.2 Remote dialup Support device Defined Support PC If the support employee is an internal company employee who has to access the system regularly or, for example, the software manufacturer who has a maintenance contract with the system operator, it is recommended that a system support PC is made available to the support service provider for the support employee. The system operator installs this support PC as per the internal company security policies, configures it for support dialup (IPsec, certificates, user), installs the required programs and deploys the PC to the support service provider. Once VPN dialup has been successful (either via the Internet or a direct connection), the support PC is in a quarantine network and is checked using the quarantine functionality of the ISA Server\TMG (back firewall). A simple check is sufficient to determine that the settings have not been changed and that they still conform to internal company security policies. After checking has completed successfully, the support PC is granted access to the PCN and can provide support on the PCN. Organizational measures (e.g. contractual conditions) must be implemented to ensure that the support employee is informed that the support PC may only be used for this defined task. Any (non-specific) PC If the support employee works with his/her own PC, i.e. a device that is completely unknown to the system operator and which the system operator cannot configure, greater security requirements must be applied to access. Once VPN dialup has been successful (either via the Internet or a direct connection), the support PC is in a quarantine network and is checked using the quarantine functionality of the ISA Server\TMG (back firewall). A comprehensive check must be carried out, including a full virus scan, installation of missing security updates, activation of the local firewall etc. If the PC passes the check successfully, it is granted remote access, either to an engineering station located on the system itself or to an engineering station installed in the perimeter network for this purpose. It is recommended that Remote Desktop, NetMeeting (in future, Windows Live Meeting) or a terminal server is used for the remote connection. The terminal server in the perimeter network can provide the support employee with the applications he/she requires. Remote Desktop is part of the Windows operating system and is therefore constantly updated via standard security updates. In addition, Remote Desktop comes with its own encryption in the form of the Remote Desktop Protocol (RDP) and permits the querying of user certificates for authentication. Remote access can be limited to so-called keyboard-video-mouse information, thereby preventing direct access to data. NetMeeting is also included in the Windows operating system and offers the same advantages. NetMeeting has certificatebased encryption (comparable to HTTPS), whereby the user can integrate his/her own certificates with individually defined encryption strength. One advantage of NetMeeting is that the system operator can follow the activity of the support employee on his/her monitor and intervene if necessary. 14 Commissioning Manual, 12/2011, A5E

15 Dialup 3.2 Remote dialup Control System Network Access Support access to the CSN may only be provided via a remote connection to an engineering station that is connected to the CSN. Either Remote Desktop or NetMeeting (in future, Windows Live Meeting) should be used for the reasons mentioned above. Commissioning Manual, 12/2011, A5E

16 Dialup 3.3 Choice of technology 3.3 Choice of technology The following decision trees are designed to help choose remote dialup technology to suit requirements and the situation. Support access to the Process Control Network Figure 3-1 Support access to the Process Control Network 16 Commissioning Manual, 12/2011, A5E

17 Dialup 3.3 Choice of technology Support access to the entire system Figure 3-2 Support access to the entire system Commissioning Manual, 12/2011, A5E

18 Dialup 3.3 Choice of technology Non-administrative remote access to third-party programs Figure 3-3 Non-administrative remote access to third-party programs 18 Commissioning Manual, 12/2011, A5E

19 Dialup 3.3 Choice of technology Administrative remote access to system programs Figure 3-4 Administrative remote access to system programs Commissioning Manual, 12/2011, A5E

20 Dialup 3.3 Choice of technology Administrative remote access to the entire system Figure 3-5 Administrative remote access to the entire system 20 Commissioning Manual, 12/2011, A5E

21 Practical information General information If remote administration and support tools are used, it must be ensured that the programs are activated in the local firewall of the computer to be serviced. NetMeeting Information on NetMeeting is available here: Remote support The help wizard account (installed during a remote support session) is the primary account used to set up a remote support session. This account is created automatically when you initiate a remote support session and has limited access to the computer. The help wizard account is managed by the service session manager for Remote Desktop help and is automatically deleted if remote support is no longer required/has been completed. More information on remote support is available here: Commissioning Manual, 12/2011, A5E

22 Practical information 4.2 Siemens Remote Service (SRS) 4.2 Siemens Remote Service (SRS) SRS can be used as an alternative to an internal VPN solution or a direct connection between devices. SRS can be used for all the scenarios described in the previous chapters that require use of any (non-specific) support PC. SRS is an external, central VPN solution. Only an SRS router is installed on the system, which functions in the same way as an ISDN router in the aforementioned scenarios, or the existing infrastructure is used to create a site-to-site coupling with the Siemens DMZ. A secure channel between the dialup support PC and the SRS router is created on the system via a central server center (DMZ). The advantage for the customer is that he/she relinquishes responsibility for administration, maintenance and service. I.e. securing the channel, the type of encryption, checking the dialup support PC and defining which users are permitted to dial up falls under the responsibility of the SRS provider and is contractually agreed between the customer and the SRS provider. In addition, SRS also manages which tools may be used for system support and ensures that all tools are available in the SRS server center via the terminal server, and that the tools are up-to-date and secure. All tools recommended by PCS 7 & WinCC for remote access are supported by SRS. For more information on CRSP, please contact your sales partners and visit The SRS solution is described in detail in a separate manual. 22 Commissioning Manual, 12/2011, A5E