Security 4.0 - Security by Separation



Similar documents
Embedded Java & Secure Element for high security in IoT systems

WIND RIVER SECURE ANDROID CAPABILITY

Embedded Virtualization & Cyber Security for Industrial Automation HyperSecured PC-based Control and Operation

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

PikeOS: Multi-Core RTOS for IMA. Dr. Sergey Tverdyshev SYSGO AG , Moscow

Comprehensive Security for Internet-of-Things Devices With ARM TrustZone

Flight Processor Virtualization

Secure Containers. Jan Imagination Technologies HGI Dec, 2014 p1

APPENDIX B1 - FUNCTIONALITY AND INTEGRATION REQUIREMENTS RESPONSE FORM FOR A COUNTY HOSTED SOLUTION

Introduction to Cyber Security / Information Security

Outline. Security. Security of network. Security

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Trusted computing applied in Open Power Linux

Sierraware Overview. Simply Secure

EndUser Protection. Peter Skondro. Sophos

A M D DA S 1. 0 For the Manageability, Virtualization and Security of Embedded Solutions

Designing a Windows Server 2008 Network Infrastructure

Network Security Solution. Arktos Lam

Solving the Desktop Dilemma

White Paper How Noah Mobile uses Microsoft Azure Core Services

Guidance End User Devices Security Guidance: Apple OS X 10.9

Module 1: Overview of Network Infrastructure Design This module describes the key components of network infrastructure design.

SonicWALL PCI 1.1 Implementation Guide

Security in SCADA solutions

Embedded Trusted Computing on ARM-based systems

Recommended Wireless Local Area Network Architecture

Securing Cloud Computing by GED-i

Patterns for Secure Boot and Secure Storage in Computer Systems

RuggedCom Solutions for

Linux Technologies QUARTER 1 DESKTOP APPLICATIONS - ESSENTIALS QUARTER 2 NETWORKING AND OPERATING SYSTEMS ESSENTIALS. Module 1 - Office Applications

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

Introduction p. 2. Introduction to Information Security p. 1. Introduction

BYOD: End-to-End Security

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

SierraVMI Sizing Guide

iphone in Business Security Overview

End User Devices Security Guidance: Apple OS X 10.10

Proven LANDesk Solutions

Developing Network Security Strategies

Security Considerations in Cloud Deployments Matthew Garrett

Weak Spots in Enterprise Mobility Management Dennis Schröder

ios Security Decoded Dave Test Classroom and Lab Computing Penn State ITS Feedback -

MOBILITY & INTERCONNECTIVITY. Features SECURITY OF INFORMATION TECHNOLOGIES

NETWORK SECURITY HACKS *

PCI Requirements Coverage Summary Table

DS Series Solutions Integrated Solutions for Secure, Centralized Data Center Management

SVN5800 Secure Access Gateway

ISOLATING UNTRUSTED SOFTWARE ON SECURE SYSTEMS HYPERVISOR CASE STUDY

PMDP is simple to set up, start using, and maintain

Technical Brief Distributed Trusted Computing

GlobalProtect Overview

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Mitigating Information Security Risks of Virtualization Technologies

PCI Requirements Coverage Summary Table

Athena Mobile Device Management from Symantec

Microsoft Technologies

BlackBerry 10.3 Work and Personal Corporate

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

H MICRO CASE STUDY. Device API + IPC mechanism. Electrical and Functional characterization of HMicro s ECG patch

BM482E Introduction to Computer Security

Challenges in Industrial IT-Security Dr. Rolf Reinema, Head of Technology Field IT-Security, Siemens AG Siemens AG All rights reserved

Building A Secure Microsoft Exchange Continuity Appliance

Developing reliable Multi-Core Embedded-Systems with NI Linux Real-Time

In-Depth Look at Capabilities: Samsung KNOX and Android for Work

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Ensuring the security of your mobile business intelligence

GroupWise SMTP Infrastructure Design:

Internet of things (IOT) applications covering industrial domain. Dev Bhattacharya

Managed Security Services for Data

Linux Embedded devices with PicoDebian Martin Noha

Who s Endian?

Securing Oracle E-Business Suite in the Cloud

Java Environment for Parallel Realtime Development Platform Independent Software Development for Multicore Systems

Ensuring the security of your mobile business intelligence

What is Really Needed to Secure the Internet of Things?

PFP Technology White Paper

Cloud Orchestration. Mario Cho. Open Frontier Lab.

Best Practices on monitoring Solaris Global/Local Zones using IBM Tivoli Monitoring

Securely Connect, Network, Access, and Visualize Your Data

Symantec Mobile Management for Configuration Manager 7.2

Analysis of advanced issues in mobile security in android operating system

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Security A Big Question for Big Data

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

Basics of Internet Security

AWS Security. Security is Job Zero! CJ Moses Deputy Chief Information Security Officer. AWS Gov Cloud Summit II

Network Defense Tools

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

Transcription:

Security 4.0 - Security by Separation Making Industrial Control Systems More Secure Author(s): Date: Version Mehmet Özer 19.05.2015 v1.0 SYSGO AG 1

Agenda Security Challenges IoT Architecture for Industrial Automation Industrial Automation Security Separation Kernel Separation Kernel Security Concept Linux Security Security Add-On Secure Boot Policy Management Security Certification Common Criteria EAL-X Summary SYSGO AG 2

Information Flow Industrial Control System (ICS) http://upload.wikimedia.org/wikipedia/commons/ 9/9c/Cylinders_with_Hall_sensors.png http://www.automationworld.com/sites/default/file s/styles/lightbox/public/field/image/1307np_vipa. png?itok=9qyz4-vt http://www.markbourgeois.com/portfolio/moeller usa_net/products/automation/media/plchmi_plc.png magazine.qualys.fr http://static1.1.sqspcdn.com/static/f/614694/139 35925/1314910419277/8GRTD100+PNG.png?t oken=hfpg%2bh6himyy%2bj3gjkhtx4qredq %3D SYSGO AG 3

ICS Security Challenges Handled Risks Office - Devices Confidentiality of Data!!! Confidentiality!! Integrity! Availability ICS - Devices Preserve Safety, Real-Time Execution and availability:!!! Availability!! Integrity! Confidentiality Security Means - Commercial Solutions - Broadly used Updates / Patches / - Update Server - Remote Access - Availability for OS or architecture - Update policy - Do I loose my safety certification? - Is Remote Access a Backdoor? Maintenance - Regularly - 24/7 operation - Availability requires high up-time Product Life-Cycle - 2-4 years - Up to Date Hardware and Software - 10 up to 30 years - Handle Obsolescence SYSGO AG 4

Security State of the by Separation art Network Security Firewall Authentication Cryptography Monitoring Intrusion detection Perimeter Protection Custom Application Custom Application OS-Kernel Hardware SYSGO AG 5

Security by Separation Communication & Security Data Base Control Application System Part. Health Mon. CBIT MILS: Safety and Security HW Obsolescence Linux Linux Soft-PLC Native GPL Isolation Separation Platform Real-Time Hypervisor Hardware Security by separation and controlled information flow SYSGO AG 6

Attack Scenario - SW Level SIL 0 SIL 2 SIL 3 APP APP APP Soft-SPS PikeOS Real-Time Linux or Android BT WIFI USB PikeOS - Microkernel HW Platform Device 1 Device 2 Core 0 Core 1 SYSGO AG 7

Linux Security Network Security ensured by Linux Networking Security Networking Communication Security Updates for Linux Firewall, Cryptography VPN IPSec, SSL, WPA, RADIUS Web Server/Brow ser Wifi... Secure Data... Embedded Linux Real-Time Inter-Process and Partition Communication Separation Kernel Hardware Platform SYSGO AG 8

Secure Boot Attack Scenario Hacking User or Kernel is complicated by Antivirus-SW Replace boot-loader, boot-image, Application image What am I trying to protect? Against unauthorized modification of Firmware and OS image My system from reverse engineering/cloning How Do I Protect my System My SoC provides a Mode to execute Secure-Boot-Code Validate every instance of Software loaded on my System Root of Trust to Validate in Chain of Trust SYSGO AG 9

PikeOS Use-Case - Security Policy Manager Kaspersky Security System for PikeOS Application independent from security means Separate Functionality and Security No limitation by application means Update Application and Security means in dependently System wide security Security Monitor evaluates Application behavior System state and Enforces Security Policy Security Server Security Configuration Security Context Takes Access Decision Linux PikeOS POSIX PikeOS Native (System Part.) libkss libkss libkss Security Server Security Monitor PikeOS Microkernel SYSGO AG 11

PikeOS - Security Certification CSPN evaluation criteria of French Authority French Information Security Agency (ANSSI) Certification de Sécurité de Premier Niveau" (CSPN) Comparable to Common Criteria EAL4+ Common Criteria and IEC 15408 PikeOS Security Target based on EURO-MILS PP Targeting EAL5+/EAL6 Ongoing Certification at BSI: BSI-DSZ-CC-0923 SYSGO AG 12

SYSGO IoT Security Solution - Summary SYSGO Security Concept Secure Boot SYSGO AG 13

Thank you for your attention! More information on www.sysgo.com SYSGO AG 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information