Industrial Security: Real Dangers from the Virtual World
Helping to increase your resistance to attack
siemens.com/industrialsecurity

Agenda
1. The age of cyberattacks
2. The concept of Defense-in-Depth
3. The Siemens approach
4. Awareness is key
5. Outlook: in future cybersecurity will be regulated

Part 1: The age of cyberattacks
Security trends: globally we are seeing more network connections than ever before
Trends impacting security:
- Cloud computing approaches
- Increased use of mobile devices
- Wireless technology
- Reduced personnel requirements
- Smart grid
- Worldwide remote access to remote plants, remote machines and mobile applications
- The Internet of Things
Source: World Economic Forum, 50 Global Risks

The corporate security chain is only as strong as its weakest link
Security can fail at any of these points: employees, smartphones, laptops, PC workstations, network infrastructure, mobile storage devices, tablet PCs, the computer center, policies and guidelines, printers, production systems.

Why has industrial security become so important?
Main trends impacting the vulnerability of automation plants:
- Horizontal and vertical integration at all network levels
- Connection of automation networks with IT networks and the Internet for remote maintenance
- Increased use of open standards and PC-based systems
Possible threats that have increased because of these trends:
- Access by unauthorized persons
- Espionage and manipulation of data
- Damage and data loss caused by malware
Several security incidents have revealed the vulnerability of automation plants.

Cyber vulnerabilities can affect your plant at many levels
The need to act because of cyber security vulnerabilities:
- Loss of intellectual property and recipes
- Sabotage of the production plant
- Plant downtime, e.g. caused by viruses and malware
- Manipulation of data or of application software
- Unauthorized use of system functions
- Regulations and standards for industrial security require conformance: regulations such as FDA, NERC CIP, CFATS, CPNI and KRITIS; standards such as ISA 99 and IEC 62443
Threat analysis: roughly every three years a new development (timeline 2001 to 2014; the slide's chart is reconstructed here as text)
Phase 1, the age of computer worms: CodeRed, Slammer, Blaster. Hacking for fun by hobbyists; keywords of the period: worms, backdoors, viruses, anti-virus, hackers, BlackHat, responsible disclosure.
Phase 2, cybercrime and financial interests: Zeus, SpyEye, Rustock. Hacking for money by organized criminals; keywords: botnets, adware, credit card fraud, phishing, banker trojans, SPAM, website hacking.
Phase 3, politics and critical infrastructure: Aurora, Nitro, Stuxnet, the RSA breach, DigiNotar, SCADA, APT and targeted attacks, the Sony hack (?). Hacking for political and economic gains by hacktivists (Anonymous) and state-sponsored actors.
Phase 4, cyberwarfare preparation: development and spreading of cyberwarfare capabilities by multiple state and non-state actors; an underground exploit market; systematic remote exploration and reconnaissance of critical infrastructures and vendors; increasing sophistication, focus and brutality/impact of cyber methods; possibly the introduction of malicious, sleeping functionality in critical products (?).
The chart's curves (not reproduced) showed the number of published exploits, the number of published vulnerabilities and the number of new malware signatures over the period.

Top 10 threats (the slide's list was a figure and is not reproduced here)

Part 2: The concept of Defense-in-Depth
IACS, automation solution, control system
Industrial Automation and Control System (IACS): the roles
- Asset owner: operates the IACS and is responsible for the operational and maintenance policies and procedures.
- System integrator: designs and deploys the automation solution, which is IACS-environment and project specific: the Basic Process Control System (BPCS) plus the Safety Instrumented System (SIS).
- Product supplier: develops the control system, a combination of embedded devices, network components, host devices and applications, independent of the IACS environment.
The control system products are the base for the automation solution; the automation solution together with the operational and maintenance policies and procedures forms the IACS.

Current structure of IEC / ISA-62443: main documents to be published (status as of the presentation; abbreviations as on the slide: DC draft for comment, ID initial draft, CDV committee draft for vote, TR technical report, IS international standard; DTS, not expanded on the slide, is a draft technical specification)
General (definitions, metrics):
- 1-1 Terminology, concepts and models (2009)
- 1-2 Master glossary of terms and abbreviations
- 1-3 System security compliance metrics (draft for comment of 10/12 rejected)
Policies and procedures (requirements placed on the security organization and processes of the plant owner and suppliers):
- 2-1 Requirements for an IACS security management system (IS 2009; Ed. 2.0 planned as a profile of ISO 27001 / 27002)
- 2-3 Patch management in the IACS environment (TR 4Q14)
- 2-4 Requirements for IACS solution suppliers (DTS 1Q14)
System (requirements to achieve a secure system):
- 3-1 Security technologies for IACS (TR 2009)
- 3-2 Security risk assessment and system design (DC 2Q13)
- 3-3 System security requirements and security levels (IS 08/2013)
Component (requirements to secure system components: functional requirements and processes / procedures):
- 4-1 Product development requirements (ID 4Q13)
- 4-2 Technical security requirements for IACS products (ID 4Q13, IS planned 4Q14)

Various parts of IEC / ISA-62443 address Defense in Depth
- Asset owner: operational and maintenance policies and procedures: parts 2-1 and 2-4
- System integrator: policies and procedures: part 2-4; security capabilities of the automation solution: parts 3-2 and 3-3
- Product supplier: security capabilities of the products: parts 3-3 and 4-2; development process: part 4-1
Defense in Depth involves all stakeholders: asset owner, system integrator and product supplier.

The same IACS model with the parts of IEC 62443 assigned to each role: the asset owner's operation of the IACS is covered by 2-1 and 2-4; the system integrator's design and deployment of the automation solution (BPCS and SIS) by 2-4, 3-2 and 3-3; the product supplier's development of embedded devices, network components, host devices and applications by 4-1, 3-3 and 4-2.

Each stakeholder can create vulnerabilities (example: user identification and authentication)
- Asset owner (operates the IACS; operational and maintenance policies and procedures): invalid accounts not deleted; passwords not kept confidential; passwords not renewed.
- System integrator (designs and deploys the automation solution, BPCS and SIS): temporary accounts not deleted; default passwords not changed.
- Product supplier (develops embedded devices, network components, host devices and applications): elevation of privileges; hard-coded passwords.
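The account weaknesses listed above are the kind of thing an asset owner can check mechanically against an account inventory. The audit script below is an added example written for this page, not Siemens code; the inventory, the 90-day password age limit and the list of default passwords are all constructed assumptions.

```python
"""Audit a constructed account inventory for the weaknesses named on the slide."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy value for this example; a real plant takes it from its
# security management process (risk analysis -> policies).
MAX_PASSWORD_AGE = timedelta(days=90)

# Known vendor default passwords are stored as SHA-256 digests so the audit
# script itself does not carry them in clear. The three values are constructed.
DEFAULT_PASSWORD_DIGESTS = {
    hashlib.sha256(p.encode()).hexdigest() for p in ("admin", "12345678", "password")
}


@dataclass
class Account:
    name: str
    password: str               # clear text only because this inventory is constructed
    temporary: bool             # commissioning / vendor account
    expires: Optional[date]     # intended end of life for temporary accounts
    owner_active: bool          # False once the person has left the organisation
    last_password_change: date
    enabled: bool = True


def audit(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account name, weakness) pairs for every enabled account that
    matches one of the stakeholder weaknesses from the slide."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                                    # disabled accounts are out of scope
        if a.temporary and a.expires is not None and a.expires < today:
            findings.append((a.name, "temporary account not deleted"))
        if not a.owner_active:
            findings.append((a.name, "invalid account not deleted"))
        if hashlib.sha256(a.password.encode()).hexdigest() in DEFAULT_PASSWORD_DIGESTS:
            findings.append((a.name, "default password not changed"))
        if today - a.last_password_change > MAX_PASSWORD_AGE:
            findings.append((a.name, "password not renewed"))
    return findings


# Constructed sample inventory (not real accounts).
TODAY = date(2014, 6, 1)
SAMPLE = [
    Account("commissioning", "Tq7!pLm2#v", True, date(2014, 3, 31), True, date(2014, 3, 15)),
    Account("jdoe", "Wz4$kR9n@b", False, None, False, date(2014, 5, 1)),
    Account("operator", "admin", False, None, True, date(2013, 1, 10)),
    Account("maint", "Hs8&cF3y!q", False, None, True, date(2014, 5, 20)),
    Account("vendor", "admin", True, date(2013, 12, 1), True, date(2013, 11, 1), enabled=False),
]

if __name__ == "__main__":
    for name, weakness in audit(SAMPLE, TODAY):
        print(f"{name}: {weakness}")
```

Running the script lists the expired commissioning account, the account of a person who has left, and the shared "operator" account that still carries a default password nobody has renewed; the disabled vendor account is skipped. Passwords that are not kept confidential cannot be detected from an inventory alone and remain a matter of policy and awareness.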
Part 3: The Siemens approach

In this model Siemens is both a product supplier (embedded devices, network components, host devices and applications, independent of the IACS environment) and a solution supplier (the automation solution with complementary hardware and software, specific to the IACS environment and project), while the asset owner operates the IACS with its operational and maintenance policies and procedures.

The Defense in Depth concept
Plant security:
- Physical prevention of access to critical areas
- Establishing a security management process
Network security:
- Controlled interfaces between office and plant network, e.g. via firewalls
- Further segmentation of the plant network
System integrity:
- Antivirus and whitelisting software
- System hardening
- Maintenance and update processes
- User authentication for plant or machine operators
- Integrated access protection mechanisms in automation components
Security solutions in an industrial context must take account of all protection layers.
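The network-security layer above (a controlled interface between office and plant network, further segmentation of the plant network) amounts to a zone and conduit model with default deny. The following is an added example, not a Siemens reference design and not code from the page: it models zones by address range, lists the conduits the firewalls allow, and evaluates constructed flows against a segmented layout and, for contrast, against a flat network. Zone names, address ranges and the conduit list are assumptions; TCP port 102 is the ISO-on-TCP port used for S7 communication.

```python
"""Zone / conduit check for a segmented plant network (added example)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

Conduit = Tuple[str, str, str, int]   # (source zone, destination zone, protocol, dest port)

# Constructed zone layout: an office network, a DMZ and two production cells.
# Address ranges are assumptions, not a Siemens reference design.
SEGMENTED_ZONES: Dict[str, List] = {
    "office": [ip_network("10.1.0.0/16")],
    "dmz":    [ip_network("10.2.0.0/24")],
    "cell_a": [ip_network("192.168.10.0/24")],
    "cell_b": [ip_network("192.168.20.0/24")],
}

# Conduits the firewalls between zones allow. Anything not listed is denied.
# TCP port 102 carries S7 / ISO-on-TCP communication to the controllers.
SEGMENTED_CONDUITS: Set[Conduit] = {
    ("office", "dmz", "tcp", 443),   # engineering and reporting reach only the DMZ
    ("dmz", "cell_a", "tcp", 102),   # controller access only from the DMZ jump host
    ("dmz", "cell_b", "tcp", 102),
}

# The weak configuration beside it: one flat network with no interior firewalls.
FLAT_ZONES: Dict[str, List] = {"plant": [ip_network("0.0.0.0/0")]}
FLAT_CONDUITS: Set[Conduit] = set()


def zone_of(ip: str, zones: Dict[str, List]) -> Optional[str]:
    """Name of the zone whose address ranges contain ip, or None if unknown."""
    addr = ip_address(ip)
    for name, nets in zones.items():
        if any(addr in net for net in nets):
            return name
    return None


def is_permitted(src_ip: str, dst_ip: str, proto: str, dport: int,
                 zones: Dict[str, List], conduits: Set[Conduit]) -> bool:
    """Default deny: a flow crosses a zone boundary only through a listed conduit.
    Traffic that stays inside one zone is not filtered by the zone firewalls."""
    src, dst = zone_of(src_ip, zones), zone_of(dst_ip, zones)
    if src is None or dst is None:
        return False                       # unknown hosts never get a conduit
    if src == dst:
        return True
    return (src, dst, proto, dport) in conduits


# Constructed flows, as they might appear in a firewall log.
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.2.0.10", "tcp", 443),        # office PC -> DMZ server
    ("10.1.5.20", "192.168.10.5", "tcp", 102),     # office PC -> PLC directly
    ("10.2.0.10", "192.168.10.5", "tcp", 102),     # DMZ jump host -> PLC
    ("192.168.10.5", "192.168.20.5", "tcp", 102),  # cell A -> cell B
    ("192.168.10.7", "192.168.10.5", "tcp", 102),  # HMI -> PLC inside cell A
    ("203.0.113.9", "192.168.10.5", "tcp", 102),   # unknown external host -> PLC
]


def evaluate(flows, zones, conduits) -> List[bool]:
    """Permit decision for each flow under the given zone layout."""
    return [is_permitted(*flow, zones, conduits) for flow in flows]


if __name__ == "__main__":
    seg = evaluate(SAMPLE_FLOWS, SEGMENTED_ZONES, SEGMENTED_CONDUITS)
    flat = evaluate(SAMPLE_FLOWS, FLAT_ZONES, FLAT_CONDUITS)
    for flow, s, f in zip(SAMPLE_FLOWS, seg, flat):
        print(f"{flow[0]:>14} -> {flow[1]:<14} {flow[2]}/{flow[3]:<4} "
              f"segmented={'allow' if s else 'deny':5}  flat={'allow' if f else 'deny'}")
```

In the flat layout every flow, including the office PC and the unknown external host talking S7 to the controller, is allowed; the segmented layout admits only the office-to-DMZ and DMZ-to-cell conduits plus traffic inside a cell. Cell-to-cell traffic is denied unless a conduit is added for it, which is exactly the decision the risk analysis of IEC 62443-3-2 is meant to force.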
The Siemens approach to industrial security is based on five key points:
1. Implementation of security management
2. The interfaces are subject to regulations and are monitored accordingly
3. PC-based systems must be protected
4. The control level must be protected
5. Communication must be monitored and can be segmented

The Siemens solution
- Industrial Security Services: managed services and consulting
- Security management: processes and policies
- Products and systems: secure PCs, controllers and networks; integral security in PCs and controllers; security products for networking and communication
The Siemens solution reduces your risk with a well thought-out security concept.

Step-by-step approach for long-term protection of your industrial control system (ICS)
Step 1: Assess. Information about the security status and development of a security roadmap: vulnerability analysis, gap analysis, threat analysis, risk analysis.
Step 2: Implement. Planning, development and implementation of a holistic cyber security program: cyber security training, development of security strategies and procedures, implementation of security technology.
Step 3: Continuous security services. Continuous security through detection and proactive protection: global threat intelligence, detection and resolution of incidents, fast adaptation to changing threats.

The Siemens solution for plant security addresses the first key point, implementation of security management.

Security management process
1. Risk analysis, with definition of mitigation measures
2. Policies and organizational measures: setting up of policies and coordination of organizational measures
3. Technical measures: coordination of technical measures
4. Validation and improvement: regular or event-based repetition of the risk analysis
Security management is essential for a well thought-out security concept.

The Siemens solution for network security and system integrity addresses the remaining key points: monitored interfaces, protected PC-based systems, a protected control level, and communication that is monitored and can be segmented.

Security Integrated is an essential component of a Defense in Depth concept
- Plant security: access blocked for unauthorized persons; physical prevention of access to critical components.
- Network security: controlled interfaces with SCALANCE firewalls; further segmentation with Advanced CPs.
- System integrity: know-how protection, copy protection, protection against manipulation, access protection; expanded access protection with the CP 1543-1.
Siemens products with Security Integrated provide security features such as an integrated firewall, VPN communication, access protection and protection against manipulation.
SIMATIC S7-1500 and the TIA Portal: security highlights (1)
The SIMATIC S7-1500 and the TIA Portal provide several security features.
Increased know-how protection in STEP 7 (protection of intellectual property and of the investment in it):
- Password protection against unauthorized opening of program blocks in STEP 7, and thus against unauthorized copying of e.g. developed algorithms.
- Password protection against unauthorized evaluation of program blocks with external programs, whether taken from the STEP 7 project, from the data on the memory card or from program libraries.
Increased copy protection (protection against unauthorized reproduction of executable programs):
- Binding of individual blocks to the serial number of the memory card or of the PLC.
- Protection against unauthorized copying of program blocks with STEP 7.
- Protection against duplicating the project saved on the memory card.

SIMATIC S7-1500 and the TIA Portal: security highlights (2)
Increased access protection (authentication), extensive protection against unauthorized project changes:
- New protection level 4 for the PLC: complete lockdown (HMI connections also need a password).*
- Configurable levels of authorization (1 to 3, each with its own password) for access via the PLC and communication module interfaces.
- General blocking of project parameter changes via the built-in display.
Expanded access protection: via the security CP 1543-1, by means of an integrated firewall and VPN communication.
Increased protection against manipulation (protection of communication against unauthorized manipulation, for high plant availability):
- Improved protection against manipulated communication by means of digital checksums when accessing controllers.
- Protection against network attacks such as injection of faked or recorded network communication (replay attacks).
- Protected password transfer for authentication.
- Detection of manipulated firmware updates by means of digital checksums.
* Optimally supported by SIMATIC HMI products and the SIMATIC NET OPC Server
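The slide relies on "digital checksums" for protection against manipulated and replayed communication. The caveat a practitioner should keep in mind: an unkeyed checksum detects transmission errors only, because a deliberate attacker simply recomputes it. Protection against manipulation needs a keyed MAC (or a signature), and protection against replay additionally needs freshness, here a monotonically increasing counter covered by the MAC. The following added example is generic, not the S7-1500 or PROFINET protocol and not Siemens code; it shows both variants side by side. The shared session key, the frame layout and the payload strings are constructed assumptions.

```python
"""Replay and manipulation: unkeyed checksum versus keyed MAC with a counter (added example)."""
import hashlib
import hmac
import os
import struct
import zlib
from typing import Dict

# --- Weak variant: integrity "protected" by an unkeyed CRC-32 -----------------
# Anyone on the network can recompute the CRC, so a changed frame, or a recorded
# frame played back later, is accepted as genuine.

def plain_frame(payload: bytes) -> bytes:
    return payload + struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF)


def plain_accept(frame: bytes) -> bool:
    payload, crc = frame[:-4], frame[-4:]
    return struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF) == crc


# --- Hardened variant: HMAC-SHA256 over (counter || payload) ------------------
# Assumption: both sides already share a session key established out of band;
# how that key (or a password) is transported is a separate concern.

HDR = struct.Struct(">Q")     # 64-bit monotonically increasing frame counter
TAG_LEN = 32                  # SHA-256 output length


class AuthSender:
    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def frame(self, payload: bytes) -> bytes:
        self._counter += 1
        header = HDR.pack(self._counter)
        tag = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class AuthReceiver:
    def __init__(self, key: bytes):
        self._key = key
        self._last = 0        # highest counter accepted so far

    def accept(self, frame: bytes) -> bool:
        if len(frame) < HDR.size + TAG_LEN:
            return False
        header, payload, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False      # manipulated payload, or forged without the key
        (counter,) = HDR.unpack(header)
        if counter <= self._last:
            return False      # recorded frame played back again
        self._last = counter
        return True


def demo() -> Dict[str, Dict[str, bool]]:
    """Run the same attacks against both variants; report what each one accepts."""
    write_cmd = b"WRITE DB1.DBW0 = 1"     # constructed payload, not a real S7 telegram
    tampered = b"WRITE DB1.DBW0 = 0"      # same length, one byte changed

    captured = plain_frame(write_cmd)
    plain = {
        "genuine": plain_accept(captured),
        "replay": plain_accept(captured),               # same bytes sent a second time
        "forged": plain_accept(plain_frame(tampered)),  # attacker recomputes the CRC
    }

    key = os.urandom(32)
    tx, rx = AuthSender(key), AuthReceiver(key)
    captured = tx.frame(write_cmd)
    auth = {
        "genuine": rx.accept(captured),
        "replay": rx.accept(captured),
        # attacker swaps the payload but cannot produce a matching tag
        "manipulated": rx.accept(captured[:HDR.size] + tampered + captured[-TAG_LEN:]),
        # attacker without the session key signs with a key of its own
        "forged": rx.accept(AuthSender(os.urandom(32)).frame(tampered)),
        # the next legitimate frame (counter 2) still goes through
        "next_genuine": rx.accept(tx.frame(b"READ DB1.DBW0")),
    }
    return {"plain_checksum": plain, "authenticated": auth}


if __name__ == "__main__":
    for variant, results in demo().items():
        print(variant, results)
```

The strictly increasing counter rejects any frame that arrives out of order, which is acceptable on a connection-oriented channel; for datagram transports a sliding anti-replay window of the kind IPsec uses is the usual compromise. The key point for the slide is that "checksum" only buys manipulation and replay resistance when it is keyed and covers a freshness value.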
Part 4: Awareness is key

Security awareness is a basic element
Industrial security must be addressed at different levels: organization, technical security, processes, security awareness, standardization and regulations.

The 10 top tips for information security
1. Classify information correctly, e.g. as confidential, and protect it accordingly.
2. Make information accessible only to those who really need it.
3. Do not pass on personal passwords, access codes or your PIN/PKI credentials, not even to a stand-in.
4. Store or send confidential information only in encrypted form. Encrypt your communication with external parties.
5. Use secure disposal channels for confidential information, e.g. dedicated containers or shredders.
6. When travelling, carry only the information and devices you really need.
7. Protect information from unwanted eyes and unwelcome listeners, in the office and in public.
8. Always be careful and alert when dealing with the Internet and e-mail.
9. Always keep your PC and antivirus software up to date.
10. Notify your InfoSec Advisor immediately if you are unsure or suspect a threat.
Part 5: Outlook: in future cybersecurity will be regulated

Security will be regulated

Assessment of cybersecurity requires a holistic approach
Cybersecurity protection of an IACS has two sides: the asset owner who operates the automation solution must have the appropriate operational and maintenance policies and procedures to operate it securely, and the automation solution itself must fulfil the security functionality required by the target protection level of the plant it controls.
Security levels (SL):
- SL 1: protection against casual or coincidental violation
- SL 2: protection against intentional violation using simple means, with low resources, generic skills and low motivation
- SL 3: protection against intentional violation using sophisticated means, with moderate resources, IACS-specific skills and moderate motivation
- SL 4: protection against intentional violation using sophisticated means, with extended resources, IACS-specific skills and high motivation

Thank you for your attention!
Dr. Pierre Kobes, Product and Solution Security Officer, PD TI ATS TM 2
E-mail: pierre.kobes@siemens.com
siemens.com/industrialsecurity
Support & service for Industrial Security
Information about Industrial Security: WWW: http://www.siemens.de/industrialsecurity; e-mail: industrialsecurity.i@siemens.com
Contact in Marketing Promotion Industrial Security: Oliver Narr, oliver.narr@siemens.com, phone +49 (911) 895-2442
Contact for Industrial Security Services: Stefan Woronka, stefan.woronka@siemens.com, phone +49 (721) 595-4500
SIMATIC System Presales Support Factory Automation: simatic.industry@siemens.com, phone +49 (911) 895-4646
Contact in Security Product Management Factory Automation: Dirk Gebert, dirk.gebert@siemens.com, phone +49 (911) 895-2253
Contact for Motion Control: Sven Härtel, sven.haertel@siemens.com, phone +49 (9131) 98-3059
SIMATIC System Presales Support Process Automation: pcs7.industry@siemens.com, phone +49 (721) 595-7117
Contact in Security Product Management Process Automation: Jean-Luc Gummersbach, gummersbach.jean-luc@siemens.com, phone +49 (721) 595-8637
SIMATIC NET support for Network Security: presales.ci.industry@siemens.com, phone +49 (911) 895-2905
Customer Support: WWW: http://support.automation.siemens.com; phone +49 (911) 895-7222
Any questions about network security?
Contact in Security Product Management Network Security: Franz Köbinger, franz.koebinger@siemens.com, phone +49 (911) 895-4912
Contact in Business Development Network Security: Maximilian Korff, maximilian.korff@siemens.com, phone +49 (911) 895-2839
Contact in Marketing Promotion Network Security: Christine Gaida, christine.gaida@siemens.com, phone +49 (911) 895-2111
Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens strongly recommends that you regularly check for product updates.
For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. a cell protection concept) and to integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.
To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.