Innovation Days Industrial Communication




Innovation Days Industrial Communication: Industrial Security (siemens.com/industrial-security)

London, 1903, the Royal Institution's lecture theatre: the world premiere of the wireless telegraph. Source: https://www.newscientist.com/article/mg21228440-700-dot-dash-diss-the-gentleman-hackers-1903-lulz/#.vrprl-e2wn8 Page 2

The world's first hacker attack: "scientific hooliganism". John Nevil Maskelyne, the gentleman hacker, versus Guglielmo Marconi. Page 3

Cyber Security: why worry? There is a very high threat of cyber espionage against Danish companies. Several state-sponsored hacker groups have deliberately targeted Danish companies in recent years. Increasingly, weaknesses in equipment and software are due to a lack of quality in the manufacturer's or supplier's processes. Source: https://fe-ddis.dk/sitecollectiondocuments/fe/efterretningsmaessigerisikovurderinger/risikovurdering2015.pdf Page 4

The new trend: ransomware. Page 5

A rapid increase. Page 6

Industrial cyber security incidents in the US: what does ICS-CERT say? 2014 (chart: number of incidents and percentage of incidents). Page 7 Source: https://ics-cert.us-cert.gov/sites/default/files/monitors/ics-cert_monitor_sep2014-feb2015.pdf

Industrial cyber security incidents in the US: what does ICS-CERT say? 2015. Page 8 Source: https://ics-cert.us-cert.gov/sites/default/files/monitors/ics-cert_monitor_sep2014-feb2015.pdf

Am I not just a needle in a haystack? There are still SIMATIC devices that are exposed! And they are very easy to find! Page 9

Protecting Productivity Page 10

https://youtu.be/4jzsfeumhkw Industrial Security: protecting productivity. Page 11

The Defense in Depth Concept Page 12

Solutions at all levels. Page 13

How do you stay up to date? Subscribe to the Siemens RSS feed: www.siemens.com/industrial-security or to ICS-CERT: www.ics-cert.us-cert.gov/ics-cert-feeds Page 14

The Pareto principle: 20% / 80% (invest 20%, 80% security). Page 15

Plant Security: physical access control, guidelines, norms and standards, Security Services. Page 16

We can offer services: Security Assessment, Workshops. Page 17

We know the standards. Page 18

IEC 62443. Security functions, based on IEC 62443-3-3: Security Level 1-4. Security process, based on IEC 62443-2-4 and ISO 27001: Maturity Level 1-4. The two together give the Protection Level (PL): the slide shows a grid of Maturity Level (1-4) against Security Level (1-4) with PL 1 to PL 4. Page 19

Protection Levels cover security functionalities and processes.
Assessment of security functionalities:
- SL 1: Capability to protect against casual or coincidental violation
- SL 2: Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation
- SL 3: Capability to protect against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
- SL 4: Capability to protect against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation
Assessment of security processes:
- ML 1: Initial - process unpredictable, poorly controlled and reactive
- ML 2: Managed - process characterized, reactive
- ML 3: Defined - process characterized, proactive deployment
- ML 4: Optimized - process measured, controlled and continuously improved
Protection Levels (grid of Maturity Level 1-4 against Security Level 1-4):
- PL 1: Protection against casual or coincidental violation
- PL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
- PL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
- PL 4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation
Page 20

IEC 62443 security measures by Protection Level. The slide's columns are Secure Physical Access, Organize Security, Secure Solution Design, Secure Operations and Secure Lifecycle Management; the measures are listed here per level, lowest first:
- PL 1: Locked building/doors with keys; Awareness training (e.g. Operator Awareness Training); Mandatory rules on USB sticks (e.g. whitelisting); Network segmentation; Firewall protection (e.g. SCALANCE S); Security logging on all systems; Backup / recovery system
- PL 2: Doors with card reader; + Mandatory security education; Continuous monitoring (e.g. SIEM); Remote access restriction (e.g. need-to-connect principle)
- PL 3: Revolving doors with card reader; No e-mail, no WWW, etc. in the Secure Cell; 2 PCs (Secure Cell/outside); + Persons responsible for security within own organization; Physical network segmentation or equivalent (e.g. SCALANCE); Monitoring of all human interactions; Remote access with cRSP or equivalent; Backup verification
- PL 4: Revolving doors with card reader and PIN; Video surveillance and/or iris scanner at door; Dual approval for critical actions; Firewalls with fail close (e.g. Next Generation Firewall); Monitoring of all device activities; Online security functionality verification; + Automated backup / recovery
Page 21

Network Security: firewalls; virtual private networks (VPN); segmentation; demilitarized zone (DMZ); hardening; authentication; cell protection. Page 22

Network Security: Jump Station and DMZ. Division into separate cells: Secure zone, DMZ zone (Jump Station), Unsecure zone. All communication via Remote Desktop and the Jump Station. Backup and restore via the Jump Station. Wireless access only from the Secure Zone to the Jump Station. Same configuration in all firewalls (global firewall rules). Page 23

Network Security: cell protection. Division into separate cells. All communication into and out of the cells is controlled. A decentralized firewall structure. Page 24
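The zone model of the Jump Station/DMZ slide and the cell-protection slide, as an added Python example (not Siemens code and not a SCALANCE configuration): the zone names, the global rule list and the sample flows are constructed from the slide text, and the policy is evaluated with first match wins and default deny.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str             # zone name: "secure", "dmz", "jump", "unsecure", "cell-a", ...
    dst: str
    service: str         # "rdp", "backup", "s7", ...
    wireless: bool = False

# Constructed global rule set: the same list is deployed to every firewall
# ("global firewall rules"); anything not listed is denied.
GLOBAL_RULES = [
    ("secure", "jump", "rdp"),      # operators open Remote Desktop on the Jump Station
    ("jump", "unsecure", "rdp"),    # and continue from there into the unsecure zone
    ("secure", "jump", "backup"),   # backup and restore only via the Jump Station
    ("jump", "dmz", "backup"),
    ("cell-a", "cell-b", "s7"),     # one explicitly permitted cell-to-cell exchange
]

def evaluate(flow: Flow, rules=GLOBAL_RULES) -> str:
    """Verdict ('allow: ...' or 'deny: ...') for one flow under the slides' zone model."""
    # Wireless access is only allowed from the Secure Zone to the Jump Station.
    if flow.wireless and (flow.src, flow.dst) != ("secure", "jump"):
        return "deny: wireless only from secure zone to jump station"
    # Cell protection: traffic that stays inside one cell is not filtered.
    if flow.src == flow.dst:
        return "allow: intra-cell"
    # Secure and unsecure zones never talk directly; everything hops via the Jump Station.
    if {flow.src, flow.dst} == {"secure", "unsecure"}:
        return "deny: secure/unsecure only via jump station"
    if (flow.src, flow.dst, flow.service) in rules:
        return "allow: global rule"
    return "deny: no matching rule"     # default deny

def divergent_firewalls(firewalls: dict) -> list:
    """Names of firewalls whose rule set differs from the global one (configuration drift)."""
    return sorted(name for name, rules in firewalls.items() if set(rules) != set(GLOBAL_RULES))

if __name__ == "__main__":
    # Constructed sample flows.
    for f in (Flow("secure", "jump", "rdp", wireless=True), Flow("secure", "unsecure", "rdp"),
              Flow("secure", "dmz", "backup"), Flow("cell-a", "cell-c", "s7")):
        print(f, "->", evaluate(f))
    print("drift:", divergent_firewalls({"fw-dmz": GLOBAL_RULES, "fw-cell-a": GLOBAL_RULES[:-1]}))
```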

Security Integrated Overview Page 25

Network Security: how do you protect old, vulnerable systems? Access protection for SCADA: no change to the existing system, also with Layer-2 protocols. Ghost Mode: adopts the IP address and changes the MAC address automatically. Same configuration in all firewalls (global firewall rules). Secure zones around the old, vulnerable system. Page 26

Network Security: apply hardening! Use passwords; use VLANs; disable DCP write; enable the Management Access List; broadcast limitation; disable unused ports; enable SNMPv3. Page 27

System integrity: password protection; know-how and copy protection; access protection; virus scanner and whitelisting; secure communication (VPN and OPC UA); deactivation of services and hardware interfaces; Windows security patch management*. Page 28 * https://support.industry.siemens.com/cs/document/18752994?dti=0&lc=en-ww

We have secure products. Page 29

Siemens is the leading vendor of Achilles Level 2 certified products.
Certified CPUs: LOGO!, S7-300 PN/DP, S7-400 PN/DP, S7-1500 and 1505S, S7-1200, S7-400 HF CPU V6.0, S7-410-5H.
Certified CPs: CP343-1 Advanced, CP443-1 & Advanced, CP1243-1, CP1543-1, CP1628.
Certified DP: ET 200 PN/DP CPUs, ET 200SP PN CPUs.
Certified firewalls: SCALANCE S602, S612, S623, S627-2M.
Benefits: protection against DoS attacks; defined behavior in case of attack; improved availability; international standard. Page 30

SCADA-controller communication via OPC: a standard setup (SCADA, Controller). Page 31

SCADA-controller communication via OPC: implement a VPN and firewall concept. Via Security CP cards or an external firewall/VPN gateway for: S7-300 and 400; S7-1200 and 1500; ET 200SP CPU; SCALANCE S (for all controllers). Page 32

SCADA-controller communication via OPC: implement an OPC UA concept (3rd-party SCADA). Via Security CP cards or the controller itself: S7-1500, 1500S, 1500T; ET 200SP CPU; PLCSIM Advanced; S7-400 via CP 443-1 OPC UA. Page 33

OPC UA: interoperability with openness and standardization. Management level (ERP), operator level (MES, SCADA), controller level (PLC, HMI), field level (sensors, actuators): interoperability standards, interoperability with 3rd-party devices, openness. Perfect interoperability on all levels of communication through openness and standards. Page 34

OPC UA: OPC UA and PROFINET, the perfect combination. OPC UA's strengths: vendor-independent; cloud; direct connection to all levels; authentication and encryption; fits the data and management level perfectly (OPC UA interface at controller, operator and management level). PROFINET's strengths: deterministic; real-time properties; simple C2C communication; fits the controller and field level perfectly. Page 35

OPC UA and TIA Portal: read and write PLC data easily, standardized and symbolically. Easy setup:
1. Activate the OPC UA server in the PLC properties.
2. Confirm that you have purchased the correct license.
3. Make PLC variables accessible through checkboxes in the editor.
4. Symbolic access via an OPC UA client.
Individual access: the level of access via OPC UA (access possible, write access possible) can be controlled individually for each variable. Inheritance of access rights: based upon the well-known STEP 7 mechanisms. Different ways to access: access individual variables as well as whole structures and arrays as one object. Performance: access whole structures and arrays to achieve optimal performance. Page 36

CP 443-1 OPC UA: additional openness for SIMATIC S7-400 (feature / benefit):
- OPC UA server/client directly in the SIMATIC S7-400 station: price-sensitive, standardized connection to HMI, SCADA, MES/ERP or 3rd-party PLC.
- As OPC UA client, configuration via function blocks compliant with the PLCopen standard: flexible but standardized interface for communication to any OPC UA server.
- Use of the standardized OPC UA elementary security functions such as authentication, authorization, encryption and signing of data: protection of the system from unauthorized access.
- Configuration in STEP 7 Classic V5.5 as well as STEP 7 Professional V14 (TIA Portal): expansion of existing S7 plants without migration to TIA Portal.
- For use with CPU V5.3 / H-CPU V6.0 and H-CPU V8; use of a redundant H-system supported: investment protection.
Delivery release: 04/2016. Page 37

Passwords, a concrete example. A password must be complex: https://www.youtube.com/watch?v=knk5qlgerwo How strong is my password: http://calc.opensecurityresearch.com/?pwlen=3&kpsselect=9250000&charselect=lalpha numeric all space&charsetlen=77&kps=9250000 Page 38

Passwords: the starting point is still often Admin/Admin. Single sign-on; brute-force prevention; RADIUS; randomize. Page 39
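The two password slides (keyspace versus guessing rate, and brute-force prevention for the Admin/Admin starting point) worked through in Python as an added example, not from the deck: the 77-character set and 9,250,000 guesses per second are the parameters in the slide's calculator link; the lockout thresholds and the sample guesses are constructed.

```python
import time

# Values from the calculator link on the slide: 77-character set
# (lower-case letters, digits, symbols, space) at 9,250,000 guesses per second.
KPS = 9_250_000
CHARSET_LEN = 77
DEFAULT_CREDENTIALS = {("admin", "admin")}   # the Admin/Admin starting point named on the slide

def brute_force_seconds(length: int, charset_len: int = CHARSET_LEN, kps: int = KPS) -> float:
    """Worst-case time to try every password of this length (keyspace / rate)."""
    return charset_len ** length / kps

def describe(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"

def is_default_credential(user: str, password: str) -> bool:
    """True when a login still uses a factory default that must be changed."""
    return (user.lower(), password.lower()) in DEFAULT_CREDENTIALS

class LoginGuard:
    """Brute-force prevention: lock an account after max_failures wrong guesses
    (constructed policy values; a fake clock can be injected for testing)."""
    def __init__(self, max_failures: int = 5, lock_seconds: int = 300, clock=time.monotonic):
        self.max_failures, self.lock_seconds, self.clock = max_failures, lock_seconds, clock
        self.state: dict = {}          # user -> (failure_count, locked_until)

    def attempt(self, user: str, password: str, correct: str) -> str:
        count, locked_until = self.state.get(user, (0, 0.0))
        if self.clock() < locked_until:
            return "locked"            # a correct guess is rejected too while locked
        if password == correct:
            self.state.pop(user, None)
            return "ok"
        count += 1
        if count >= self.max_failures:
            locked_until, count = self.clock() + self.lock_seconds, 0
        self.state[user] = (count, locked_until)
        return "locked" if locked_until > self.clock() else "failed"

def simulate(attempts, correct, max_failures=3, lock_seconds=300):
    """Replay (time_offset, password) guesses on a virtual clock; return the verdicts."""
    now = [0.0]
    guard = LoginGuard(max_failures, lock_seconds, clock=lambda: now[0])
    verdicts = []
    for t, pw in attempts:
        now[0] = float(t)
        verdicts.append(guard.attempt("admin", pw, correct))
    return verdicts

if __name__ == "__main__":
    print(describe(brute_force_seconds(3)), "|", describe(brute_force_seconds(12)))
```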


Can RADIUS and AD be used? (Diagram: Århus, SCALANCE S615, Server, SCALANCE S623, SINEMA Remote Connect, Windows Active Directory, RADIUS, SIMATIC CPU.) Page 40

The big solution: Siemens RUGGEDCOM CROSSBOW. Wow! That is an elegant solution. NERC CIP and IEC 62443 compatible. Page 41

Even more concepts and information. Defense-in-depth solution: user authentication; network segmentation; demilitarized zones; firewalls; VPN tunnels; virus scanning; patch management; application whitelisting. Great links: All-round protection with Industrial Security https://support.industry.siemens.com/cs/document/92605897/all-round-protection-with-industrial-security-systemintegrity?dti=0&lc=en-ww Page 42

Summary: focus is critical, take it seriously. Set requirements for authentication and the use of passwords. Use Jump Stations and use certified products. Segment networks and isolate vulnerable systems. Implement central Security Access Management solutions. Page 43

Many thanks for your attention. Contact info (name, telephone, e-mail): Morten Kromann, +45 2037 3508, morten.kromann@siemens.com; Per Krog Christiansen, +45 4042 6239, per.christiansen@siemens.com; Lars Peter Hansen, +45 2129 9650, lars-peter.hansen@siemens.com. Page 44