Security for Industrial Automation: Considering the PROFINET Security Guideline


Slide 1: Security for Industrial Automation. Considering the PROFINET Security Guideline

Slide 2: Industrial IT Security

Plant Security
- Physical Security: physical access to facilities and equipment
- Policies & Procedures: security management processes, Operational Guidelines, Business Continuity Management & Disaster Recovery

Network Security (DCS/SCADA*)
- Security Zones & DMZ: secure architecture based on network segmentation
- Firewalls and VPN: implementation of firewalls as the only access point to a security cell

System Integrity
- System Hardening: adapting the system to be secure by default
- User Account Management: access control based on user rights and privileges
- Patch Management: regular implementation of patches and updates
- Malware Detection and Prevention: anti-virus and whitelisting

(Diagram label: Potential Attack.) *DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition

Slide 3: What is IT Security? (Cyber/Network Security)
- Protection of computers and networks from intrusion and disruption
- With so many systems relying on networks, this is critical
- The internet allows global connectivity and all its advantages
- These advantages lead to vulnerability

Slide 4: Why do I need IT Security?
- Intrusion can be malicious or accidental
- Governments are concerned by terrorist acts
- Business is concerned by industrial espionage and theft
- Ex-employees may have a grudge
- Current employees can be careless
- Computer viruses can attack PLCs
- Network intrusions are on the increase
- The damage can be catastrophic

Slide 5: How do I implement IT Security?
- CPNI recommendations
- Risk analysis and policies
- Industrial-grade equipment
- PROFINET / PROFINET Security Guideline (ICS-CERT recommendations)
- Industrial Security Homepage: http://www.industry.siemens.com/topics/global/en/industrial-security

Slide 6: PROFINET Security Concept
The PROFINET Security Concept, from the PROFINET Security Guideline:
- Network Architecture
- Security Zones
- Trust Concept within Zones
- Perimeter Defence: Firewall/VPN
- Provision of Confidentiality and Integrity
- Transparent Integration of Firewalls
www.allthingsprofinet.com

Slide 7: Security Zones
- Security Zone: communication based on trust within the zone
- Trusted networks should be able to talk with each other
- Perimeter defense
- Local Security Measures, e.g. locked Ethernet ports, networking equipment in cabinets
(Diagram labels: Firewall, Trusted Network.)

Slide 8: How to secure the Network
Using Industrial Firewalls:
- Monitor incoming and outgoing data packets on the basis of predefined rules
- Only authorized connections are accepted
- Help to keep unwanted traffic out (e.g. office broadcasts)
- Rugged industrial design
- Industrial-style administration
- Built-in VPN capabilities

Slide 9: Linking Security Zones
- Data traffic control between networks using security modules
- Encrypted data transmission between security modules
- Firewalls help to keep unwanted office traffic out as well
(Diagram labels: Corporate Network/Backbone, VPN, Firewall, Firewalled Network, Trusted Network.)

Slide 10: Secure Automation Cells (Zones)
- Complete plant security
(Diagram labels: Internet, Secure automation cells.)

Slide 11: Connecting to the Outside World
When connecting to the outside world, think about security against:
- Wrong address allocations
- Unauthorized access
- Spying
- Manipulation
Different requirements in industrial applications in:
- Network architectures
- Performance and functions
PROFINET leverages effective and certified security standards (VPN), e.g. IPsec.

Slide 12: Methods for Network Security
Security issues and vulnerabilities need to be addressed, and there are many methods. How can we address these vulnerabilities using these techniques?
- Firewall: protect against unauthorized access
- VLAN (Virtual Local Area Network): logical network that operates on the basis of a physical network
- DMZ (De-Militarized Zone): exchange data with external partners via safe areas
- VPN (Virtual Private Network): secure tunnel between authenticated users
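The zone model of slides 7 to 9 and the firewall rules of slide 12 can be made concrete with a small policy evaluator. The following Python is an added example written for this page, not code from PI, Siemens or the PROFINET Security Guideline. The zone subnets, the two allow rules and the port numbers are constructed assumptions; the point it demonstrates is the guideline's logic: traffic inside a zone is trusted and never reaches the firewall, broadcasts (the "office broadcasts" of slide 8) are never forwarded across a zone boundary, and anything crossing a boundary must match an explicit, directional allow rule or it is dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone layout (assumption, not taken from the guideline): one office
# network and two automation cells, each on its own subnet behind a cell firewall.
ZONES = {
    "office": ip_network("10.0.0.0/16"),
    "cell_a": ip_network("192.168.10.0/24"),
    "cell_b": ip_network("192.168.20.0/24"),
}
LIMITED_BROADCAST = ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Allow list for traffic that crosses a zone boundary; anything not listed is
# dropped (default deny). Rules are directional: office -> cell_a is not
# cell_a -> office. Ports are constructed for the example (4840 = OPC UA,
# 102 = ISO-on-TCP).
ALLOW: List[Rule] = [
    Rule("office", "cell_a", "tcp", 4840),   # engineering station into cell A
    Rule("cell_a", "cell_b", "tcp", 102),    # controller-to-controller between cells
]


def zone_of(addr: str) -> Optional[str]:
    """Map an address to the zone whose subnet contains it, or None."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_broadcast(addr: str) -> bool:
    """True for the limited broadcast or any zone's directed broadcast address."""
    ip = ip_address(addr)
    return ip == LIMITED_BROADCAST or any(ip == net.broadcast_address for net in ZONES.values())


def decide(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet at a zone perimeter."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    # Trust within a zone: members talk directly, the perimeter firewall is not involved.
    if src_zone is not None and src_zone == dst_zone:
        return "accept", f"intra-zone traffic inside {src_zone}"
    # Broadcasts from another zone (e.g. office name-service chatter) stop here.
    if is_broadcast(pkt.dst):
        return "drop", "broadcast is not forwarded across a zone boundary"
    # Addresses outside every known zone are not trusted at all.
    if src_zone is None or dst_zone is None:
        return "drop", "source or destination is outside any defined zone"
    # Cross-zone traffic needs an explicit allow rule in this direction.
    for rule in ALLOW:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (
            src_zone, dst_zone, pkt.proto, pkt.dport
        ):
            return "accept", f"matched allow rule {src_zone}->{dst_zone} {pkt.proto}/{pkt.dport}"
    return "drop", f"default deny for {src_zone}->{dst_zone} {pkt.proto}/{pkt.dport}"


if __name__ == "__main__":
    # Constructed sample traffic to show each branch of the policy.
    samples = [
        Packet("10.0.1.5", "192.168.10.20", "tcp", 4840),     # allowed engineering access
        Packet("10.0.1.5", "192.168.10.20", "tcp", 102),      # not allowed from office
        Packet("10.0.1.5", "192.168.10.255", "udp", 137),     # office broadcast into the cell
        Packet("192.168.10.5", "192.168.10.20", "udp", 34964),  # inside the cell
        Packet("192.168.20.5", "192.168.10.20", "tcp", 102),  # wrong direction for the rule
        Packet("203.0.113.9", "192.168.10.20", "tcp", 4840),  # unknown source zone
    ]
    for p in samples:
        action, why = decide(p)
        print(f"{p.src:>14} -> {p.dst:<16} {p.proto}/{p.dport:<5} {action:6} ({why})")
```

Running the block prints one decision per sample packet. The evaluator is stateless and ignores return traffic on purpose: a real industrial firewall would track connections, but the zone, broadcast and default-deny decisions shown here are the ones the guideline asks for regardless of product.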

Slide 13: DMZ (diagram only)

Slide 14: Industrial Security: Everyone?
- Management: measures and processes that prevent unauthorized access of persons to the surrounding area of the plant; physical access protection for critical automation components (e.g. locked control cabinets)
- Operators: requirements that operators of industrial automation systems must meet: security guidelines and processes, risk management in terms of security, information and document management, etc.
- OEM / System integrators: system-side requirements in terms of access protection, user control, data integrity and confidentiality, controlled data flow, etc.
- Component suppliers: requirements that components of an automation system must meet in terms of product development processes and product functionalities

Slide 15: Industrial Security for Controllers / HMIs
- Logon control: central, plant-wide user administration.
- Deactivation of services: most network services are deactivated in our products in their basic configuration.
- Deactivation of hardware interfaces: the unused interfaces of an HMI / controller / device can be deactivated via the configuration.
- Robust communication: one of the system properties of our PROFINET devices is their robustness against large volumes of network traffic or faulty network packets.
- Encryption of the user program: application code for the PLC / controller can be encrypted.
- Copy protection: encryption can be supplemented with copy protection that prevents duplication of application code.

Slide 16: Example of a Cell (Machine?) (diagram only)

Slide 17: Passwords!
Various passwords are set by default:
- HMI web server: default password = 100
- HMI user "Administrator": default password = administrator
- Switches, user "Administrator": default password = administrator

Slide 18: Secure Remote Access (diagram only)

Slide 19: Integrate the Office (diagram only)

Slide 20: Continuous Network / Security Monitoring
Monitoring of PROFINET networks for:
- Detection of changes
- Load monitoring
- Security monitoring
- Event forwarding
(Diagram labels: Industrial Service Station, BANY Agent (integrated TAP), MRP, TAP, BANY Agent (external TAP).)
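Three of the four monitoring functions on this slide (change detection, load monitoring, event forwarding) reduce to comparing what is seen on the cell network against a commissioning baseline and shipping the deviations to a collector. The Python below is an added example for this page, not code from PI, Siemens or the BANY agent shown in the diagram. The device list, MAC and IP values, the utilisation samples and the 60 % load threshold are all constructed; the detection logic also covers the "wrong address allocations" risk from slide 11 by flagging two devices on one IP.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Device:
    name: str   # PROFINET device name
    ip: str
    mac: str


# Constructed commissioning baseline for one automation cell (assumption, not
# real plant data): the set of devices that is allowed to exist in the cell.
BASELINE: List[Device] = [
    Device("plc-cell-a", "192.168.10.1", "00:1b:1b:aa:00:01"),
    Device("io-device-1", "192.168.10.11", "00:1b:1b:aa:00:11"),
    Device("io-device-2", "192.168.10.12", "00:1b:1b:aa:00:12"),
    Device("hmi-cell-a", "192.168.10.50", "00:1b:1b:aa:00:50"),
]

LOAD_WARN_PCT = 60.0   # constructed threshold for average link utilisation


def detect_changes(baseline: Iterable[Device], current: Iterable[Device]) -> List[str]:
    """Compare a fresh inventory with the baseline; one event string per deviation.

    Devices are keyed by MAC address: a PROFINET name or IP can legitimately be
    re-assigned, but an unknown MAC means hardware that was not commissioned.
    """
    base = {d.mac: d for d in baseline}
    now = {d.mac: d for d in current}
    events: List[str] = []
    for mac, dev in now.items():
        known = base.get(mac)
        if known is None:
            events.append(f"NEW_DEVICE mac={mac} ip={dev.ip} name={dev.name}")
        elif (known.ip, known.name) != (dev.ip, dev.name):
            events.append(f"CHANGED mac={mac} was ip={known.ip} name={known.name} "
                          f"now ip={dev.ip} name={dev.name}")
    for mac, dev in base.items():
        if mac not in now:
            events.append(f"MISSING mac={mac} ip={dev.ip} name={dev.name}")
    # Wrong address allocation: two devices answering on the same IP address.
    by_ip: Dict[str, List[str]] = {}
    for dev in now.values():
        by_ip.setdefault(dev.ip, []).append(dev.mac)
    for ip, macs in by_ip.items():
        if len(macs) > 1:
            events.append(f"DUPLICATE_IP ip={ip} macs={','.join(sorted(macs))}")
    return sorted(events)


def detect_overload(samples: Dict[str, List[float]], threshold: float = LOAD_WARN_PCT) -> List[str]:
    """Load monitoring: flag links whose average utilisation (percent per
    sampling interval) over the window exceeds the threshold."""
    events: List[str] = []
    for link, values in sorted(samples.items()):
        if not values:
            continue
        avg = sum(values) / len(values)
        if avg > threshold:
            events.append(f"HIGH_LOAD link={link} avg={avg:.1f}% threshold={threshold:.0f}%")
    return events


def to_syslog(events: Iterable[str], hostname: str = "service-station") -> List[str]:
    """Event forwarding: wrap each event in a minimal syslog-style line.
    PRI 132 = facility local0 (16*8) + severity warning (4)."""
    return [f"<132>{hostname} pn-monitor: {event}" for event in events]


if __name__ == "__main__":
    # Constructed snapshot: io-device-2 gone, HMI re-addressed, an unknown
    # device present and colliding with the PLC's IP address.
    snapshot = [
        Device("plc-cell-a", "192.168.10.1", "00:1b:1b:aa:00:01"),
        Device("io-device-1", "192.168.10.11", "00:1b:1b:aa:00:11"),
        Device("hmi-cell-a", "192.168.10.51", "00:1b:1b:aa:00:50"),
        Device("laptop", "192.168.10.1", "00:1b:1b:ff:00:99"),
    ]
    load = {"sw1-port1": [12.0, 18.0, 25.0], "sw1-port2": [71.0, 83.0, 90.0]}
    for line in to_syslog(detect_changes(BASELINE, snapshot) + detect_overload(load)):
        print(line)
```

In practice the `current` inventory would come from the monitoring agent's view of the cell (device names, IPs and MACs it sees on the TAP) and the output lines would be sent to a central collector rather than printed; the comparison logic is the same.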

Slide 21: Industrial IT Security
Closing overview (the structure of slide 2 with Security Services added). DCS/SCADA* Security Services:

Plant Security
- Physical Security: physical access to facilities and equipment
- Policies & procedures: security management processes, Operational Guidelines, Business Continuity Management & Disaster Recovery

Network Security
- Security cells & DMZ: secure architecture based on network segmentation
- Firewalls and VPN: implementation of firewalls as the only access point to a security cell

System Integrity
- System hardening: adapting the system to be secure by default
- User Account Management: access control based on user rights and privileges
- Patch Management: regular implementation of patches and updates
- Malware detection and prevention: anti-virus and whitelisting

*DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition

Any Questions?
