Innovation Days Industrial Communication Industrial Security siemens.com/industrial-security
London 1903 Royal Institution s lecture theatre Verdenspremiere på den trådløse telegraf Source: https://www.newscientist.com/article/mg21228440-700-dot-dash-diss-the-gentleman-hackers-1903-lulz/#.vrprl-e2wn8 Page 2
Verdens første hackerandgreb Scientific hooliganism John Nevil Maskelyne The gentleman hacker Guglielmo Marconi Page 3
Cyber Security Hvorfor bekymre sig? Der er en meget høj trussel fra cyberspionage mod danske virksomheder. Flere statsstøttede t t tt hackergrupper er gået målrettet efter danske virksomheder i de seneste år. Oftere forekommer det, at svagheder hd i udstyr og software skyldes manglende kvalitet i producentens eller leverandørens processer. Source: https://fe-ddis.dk/sitecollectiondocuments/fe/efterretningsmaessigerisikovurderinger/risikovurdering2015.pdf Page 4
Den nye tendens Ransomware Page 5
En hurtig stigning Page 6
Industrial Cyber Security incidents in US Hvad siger ICS-CERT 2014 Number of incidents Percentage of incidents Page 7 Source: https://ics-cert.us-cert.gov/sites/default/files/monitors/ics-cert_monitor_sep2014-feb2015.pdf
Industrial Cyber Security incidents in US Hvad siger ICS-CERT 2015 Page 8 Source: https://ics-cert.us-cert.gov/sites/default/files/monitors/ics-cert_monitor_sep2014-feb2015.pdf
Er jeg ikke bare en nål i en høstak? Der er stadig SIMATIC devices der er eksponeret! lt Og Det er meget let at finde!!# @&?*!&+!# @&?*!&+! # %!# @&?*!&+! # %!&! # Page 9
Protecting Productivity Page 10
https://youtu.be/4jzsfeumhkw Industrial Security protecting Productivity Page 11
The Defense in Depth Concept Page 12
Løsninger på alle niveauer Page 13
Hvordan holder man sig opdateret? Abonner på Siemens RSS Feed: www.siemens.com/industrial-security Eller på ICS-CERT: www.ics-cert.us-cert.gov/ics-cert-feeds Page 14
Pareto-princippet 20% 80% Invest 20% 80% Security Page 15
Plant Security Physical access control Guidelines Norms and standards Security Services Page 16
Vi kan tilbyde services Security Assessment Workshops Page 17
Vi kender standarderne Page 18
IEC 62443 Security functions Based on IEC 62443-3-3 Security Level 1-4 Protection Level (PL) Security process Based on IEC 62443-2-4 and ISO27001 Maturity Level 1-4 Level Maturity 4 3 2 1 PL 1 PL 2 PL 3 PL 4 1 2 3 4 Security Level Page 19
Protection Levels cover security functionalities and processes Assessment of security functionalities Assessment of security processes SL 1 Capability to protect against casual or coincidental violation ML 1 Initial - Process unpredictable, poorly controlled and reactive. SL 2 Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation ML 2 Managed - Process characterized, reactive SL 3 Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation ML 3 Defined - Process characterized, proactive deployment SL 4 Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation ML 4 Optimized - Process measured, controlled and continuously improved Protection Levels Ma aturity Level 4 3 2 1 1 2 3 4 Security Level Page 20 PL 1 PL 2 PL 3 PL 4 Protection against casual or coincidental violation Protection against intentional violation using simple means with low resources, generic skills and low motivation Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
IEC 62443, security measures Secure Physical Access Organize Security Secure Solution Design Secure Operations Secure Lifecycle management PL 4 Revolving doors with card reader and PIN; Video Surveillance and/or IRIS Scanner at door Dual approval for critical actions Firewalls with Fail Close (e.g. Next Generation Firewall). Monitoring of all device activities Online security functionality verification + Automated backup / recovery PL 3 Revolving doors with card reader No Email, No WWW, etc. in Secure Cell 2 PCs (Secure Cell/outside) + Persons responsible for security within own organization Physical network segmentation or equivalent (e.g. SCALANCE ) Monitoring of all human interactions Remote access with crsp or equivalent Backup verification PL 2 Doors with card reader Continuous monitoring (e.g. SIEM) Remote access restriction (e.g. need to connect principle) + Mandatory security education PL 1 Locked building/doors with keys Awareness training (e.g. Operator Awareness Training) Mandatory rules on USB sticks (e.g. Whitelisting) Network segmentation Firewall protection (e.g. SCALANCE S) Security logging on all systems Backup / recovery system Page 21
Network Security Firewalls Virtual Private Networks VPN Segmentering Demilitarized zone DMZ Hardening Authentication Cell Protection Page 22
Network Security Jump Station og DMZ Opdeling i separate celler Secure zone DMZ zone Jump Station Unsecure zone Al kommunikation via Remote Desktop og Jump Station Backup og Restore via Jump Station Kun trådløs adgang fra Secure Zone til Jump Station Samme konfiguration i alle Firewalls (global firewall rules) Page 23
Network Security Cell protection Opdeling separate celler Al kommunikation ind og ud af cellern er kontroleret En decentrale Firewall struktur Page 24
Security Integrated Overview Page 25
Network Security Hvordan beskytter man gamle sårbare systemer? Access protection SCADA Ingen ændring i det eksisterende system også med Layer-2 protokoller Ghost Mode Adopterer IP-adresse og ændre MACadressen automatisk Samme konfiguration i alle Firewalls (global firewall rules) Secure zones Gamelt sårbart åb system Page 26
Network Security Anvend Hardning! Brug Password Anvend VLAN Disable DCP write Enable Management Access List Broadcarst limitation Disable ubrugte porte Enable SNMP V3 Page 27
System integrity Password protection Know-how og Copy protection Access protection Virus scanner og Whitelisting Sikker kommunikation VPN og OPC-UA Deactivation of services og hardware interfaces Windows security patch management* Page 28 * https://support.industry.siemens.com/cs/document/18752994?dti=0&lc=en-ww
Vi har sikre produkter Page 29
Siemens is the leading vendor of Achilles level 2 certified products Certified CPUs LOGO! S7-300 PN/DP S7-400 PN/DP S7-1500 and 1505S S7-1200 S7-400 HF CPU V6.0 S7-410-5H Certified CPs CP343-1 Advanced CP443-1 & Advanced CP1243-1 CP1543-1 CP1628 Certified DP ET 200 PN/DP CPUs ET 200SP PN CPUs Certified Firewalls SCALANCE S602, S612, S623, S627-2M + Protection against DoS attacks + Defined behavior in case of attack Improved Availability International Standard Page 30
SCADA Controller kommunikation via OPC Et standard setup SCADA Controller Page 31
SCADA Controller kommunikation via OPC Implementer et VPN og Firewall koncept SCADA Via Security CP-Cards or external Firewall/VPN getaway for: Controller - S7 300 and 400 - S7 1200 and 1500 - ET 200SP CPU - SCALANCE S (for all Controllers) Page 32
SCADA Controller kommunikation via OPC Implementer et OPC-UA koncept 3. Part SCADA Via Security CP-Cards or Controller: Controller -S7-1500, 1500S, 1500T - ET 200SP CPU - PLCSIM Adv. - S7 400 via CP 443-1 OPC-UA Page 33
OPC-UA Interoperability with openness and standardization Management -level Operator-level ERP MES Interoperability standards Controller-level SCADA Interoperability 3 rd party devices PLC HMI Field-level Interoperability openness Sensors Actuators Perfect interoperatbility on all levels of communication by openness and standards Page 34
OPC-UA OPC UA og PROFINET den perfekte kombination OPC UA s styrke PROFINET s styrke Leverandør uafhængig Cloud deterministisk i ti Direkte forbindelse til alle niveauer Autentificering og kryptering OPC UA interfa ace Controllerlevel Operatorlevel Managementlevel PROFINET Real-Time egenskaber Enkelt C2C-kommunikation Passer perfekt til data & management niveauet Passer perfekt til controller- &Fi Field niveauet Field- level Page 35
OPC-UA og TIA-Portal Read and write PLC-data easy, standardized and symbolic Easy setup Value 1 Activate the OPC UA server in the PLC properties Access possible Write access possible Individual access Level of access via OPC UA can be controlled individually for each variable 2 Confirm that you have purchased the correct license Inheritance of access rights Based upon the well known Step7 mechanisms Make PLC-variables Different ways to access accessible through Access individual variables as 3 checkboxes in the editor well as access whole structures and arrays as one object 4 Symbolic access via OPC UA OPC UA client Performance Access whole structures and arrays to achieve optimal performance Page 36
CP 443-1 OPC UA Additional Openness for SIMATIC S7-400 Feature/ Function Benefit OPC UA Server/Client directly in the Price sensitive, standardized SIMATIC S7-400 station connection to HMI, SCADA, MES/ERP or 3 rd Party PLC As OPC UA Client Configuration via function blocks compliant to PLCOpen standard Use of the standardized OPC UA elementary security functions like authentication, authorization, encryption and signing of data Configuration in STEP7 Classic V5.5 5 as well as and STEP7 Professional V14 (TIA Portal) For use with CPU V5.3 / H-CPU V6.0 and H-CPU V8 Flexible but standardized Interface for communication to any OPC UA Server Protection of the system from unauthorized access Expansion of existing ST7 plants without Migration to TIA-Portal Investment protection Use of redundant H-system supported Page 37 Delivery release: 04/2016
Passwords et konkret eksempel Et Password skal være komplekst: https://www.youtube.com/watch?v=knk5qlgerwo Hvor stærkt er mit Password: http://calc.opensecurityresearch.com/?pwlen=3&kpsselect=9250000&charselect=lalpha numeric all space&charsetlen=77&kps=9250000 Page 38
Passwords Udgangspunketet er stadig ofte Admin/Admin Single Sign on Brute Force Prevention RADIUS Randomize Page 39
Slide 39 SBA1 Sarah Bay-Andersen; 20-03-2015 SBA2 Sarah Bay-Andersen; 20-03-2015
Kan man anvende RADIUS og AD? Århus SCALANCE S615 Server SCALANCE S623 SINEMA Remote Connect Windows Active Directory RADIUS SIMATIC CPU Page 40
Den store løsning Siemens Ruggedcom CrossBow Wow! Det er en elegant løsning NERC-CIP og IEC 62443 kompatibel Page 41
endnu flere koncepter og informationer Defense-in-Depth Solution User Authentication Network Segmentation Demilitarized Zones Firewalls VPN Tunnels Virus Scanning Patch Management Application Whitelisting Super gode links All-round protection with Industrial Security https://support.industry.siemens.com/cs/document/92605897/all-round-protection-with-industrial-security-systemintegrity?dti=0&lc=en-ww Page 42
Opsummering Fokus er kritisk tag det alvorligt Stil krav til autentificering og brug af passwords Anvend Jump Stations og brug certificerede produkter Segmentér netværk og isolér sårbare systemer Implementer centrale Security Access Management løsninger Page 43
Mange tak for jeres opmærksomhed Kontakt info Navn Telefon email Morten Kromann +45 2037 3508 morten.kromann@siemens.com Per Krog Christiansen +45 4042 6239 per.christiansen@siemens.com Lars Peter Hansen +45 2129 9650 lars-peter.hansen@siemens.com Page 44