Industrial Security for Process Automation
SPACe 2012 Siemens Process Automation Conference

Why is Industrial Security so important?
- Industrial security is all about protecting automation systems and critical automation assets
- Recent events have demonstrated the vulnerability of industrial control systems to cyber threats
- Compliance with governmental regulations and international standards (CFATS, NERC CIP, ISA 99)
- A security incident can result in:
  - Performance degradation
  - Loss of system availability
  - Capturing, modification or loss of data
  - Loss of control
  - Loss of life
  - Environmental impact
  - Damage to company image

Control Systems Vulnerabilities
- Industrial control systems have changed from proprietary to open systems, based on standard (off-the-shelf) technology, components and protocols
  - Control systems are now vulnerable to the same cyber threats that affect IT systems
- Increased connectivity and enterprise integration using plant, corporate and even public networks
  - "We are not connected to the internet" is no longer valid: most DCS systems are connected to their business systems, and they are connected to the internet
- Demand for 24/7 remote access for engineering, operations or service
  - Means more insecure connections to control systems at all levels
- Control systems are gaining interest and detailed information is publicly available
  - Open source information about industrial control systems, their operations, and security vulnerabilities is publicly available

Security strategies
- Great Wall
  - Unconquerable wall
  - Single layer of protection
  - No more checkpoints behind the wall
- No single security measure is good enough to prevent intrusions!
- Defense in Depth
  - Multiple layers of protection
  - Each layer supports the other layers
  - For every transition between two layers an attacker must spend time and effort

Defense in Depth strategy: creating multiple layers of protection
Layers between the potential threat and the DCS:
- Physical security: physical access to facilities and equipment
- Policies & procedures: security management processes, operational guidelines, business continuity management & disaster recovery
- Security cells & DMZ: secure architecture based on network segmentation
- Firewalls and VPN: implementation of firewalls as the only access point to a security cell
- System hardening: adapting the system from default to secure
- User account management: administration of operator and user rights (role-based access control)
- Patch management
- Malware detection and prevention: anti-virus and whitelisting
Defense in Depth because you should not rely on just one measure

Physical Security
- Ignoring the risk of physical security could undo all other security measures
- Restrict physical and unauthorized access to:
  - Facilities and buildings
  - Control and equipment rooms
  - Cabinets
  - Devices, PCs (USB, CD/DVD)
  - Switches, cables and wiring
  - LAN ports, WiFi, controller, IO system, PS, etc.

Policies, Procedures and Training: most critical part of an effective security strategy
- Management buy-in
- Defined responsibilities
- Control system specific:
  - Remote access & service laptops
  - Portable media
  - Patch management strategy
  - Malware protection
  - Mitigation and disaster recovery plan
  - Change management & documentation
  - Maintenance of security measures (e.g. FW rules)
- Regular auditing of implemented measures
- Raise security awareness of personnel
- Provide training on policies and procedures

Security Cells and DMZ: key to a secure system architecture
- Limits the effect of a security threat to the local cell
- Internal network structure will not be visible from outside
- Access to the security cell only via clearly defined access points
[Figure: ERP, MES, DMZ, DCS]

Firewalls and VPN: secure access to the security cell
- New PCS 7 Add On: Automation Firewall 200 and 1000
  - Based on Microsoft Forefront Threat Management Gateway (TMG) 2010
  - For comprehensive threat management, secure web and remote access
  - Tested and validated in a PCS 7 & WinCC environment
  - Configuration Wizard for easy setup
- Supports the following configurations:
  - Front-/back-firewall
  - 3-homed firewall
  - Access point firewall
- Features:
  - Stateful inspection packet filtering
  - Application layer firewall
  - VPN gateway
  - URL filtering and web proxy (secure web publishing)
  - Anti-virus scanning and IDS

System Hardening
- Commercially available PCs contain a lot of software that is not used by the process control system
- Many viruses are written against common software like Internet Explorer, Media Player, ActiveX, JavaScript, ...
- Adapt an out-of-the-box system from default to secure:
  - Disable or lock down USB, CD/DVD, unused communication ports
  - Remove and disable unnecessary applications, protocols and services, e.g. e-mail, games, Autorun, screensaver, Messenger, ...
  - Apply latest MS patches
  - SSC Siemens Security Console (DCOM, FW, limiting file registry, sharing, and database access)
  - BIOS password; limit desktop and system access
- IP-hardened equipment ensures that critical automation components do not fail when subjected to communication stress

Role-Based Access Control and User Management
- Role-based access control based on the least privilege principle:
  - Grant users and computers the minimum set of access rights that are required to perform their function
- Account/access management features provided by SIMATIC Logon:
  - Central management of users, passwords, and permissions (via domains or workgroups)
  - Clear assignment of roles and rights (can be based on workstation or plant area)
  - Leverage Windows user management (password expiration, validity, account lockout)
  - Single sign-on: common login/password between applications
[Figure: Windows users and/or groups are assigned to a role; Roles, Windows Users, SIMATIC Logon]

Preventing a wide range of attacks: Patch Management
- 90% of all successful cyber security attacks are based on vulnerabilities for which patches have already been released
- Only 2% of all equipment is completely patched (source: Secunia)
- PCS 7/WinCC support for MS security patches:
  - New MS security patches are tested for compatibility with latest/supported versions of PCS 7
  - Test results published via newsletter and FAQ: http://support.automation.siemens.com/ww/view/en/18490004
  - Patch deployment via a centralized patch server located in a perimeter network (DMZ) and Windows Server Update Services (WSUS)
  - Setup of patch groups and procedures for updating online (redundant system)

Malware detection and prevention: Virus Scanner & Whitelisting
- The following virus scanners are approved:
  - Trend Micro Office Scan
  - Symantec Endpoint Protection
  - McAfee VirusScan Enterprise
- To avoid a negative impact on performance or response time of the system, follow the recommended setup guidelines for PCS 7/WinCC based control systems
- Whitelisting to stop unauthorized applications and malware:
  - Whitelisting software creates or holds a list of programs and applications that are allowed to be executed on a PC
  - Software that is not part of the whitelist will not be executed
- Benefits:
  - No pattern updates required
  - Less maintenance
  - Effective protection against zero-day exploits
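
The whitelisting decision described on this slide, as an added example (not Siemens code and not taken from any whitelisting product): it assumes the list is keyed on the SHA-256 of file content, and the file names and contents are constructed. It also shows the operational consequence that a patched binary is blocked until the list is refreshed, which ties whitelisting to the patch procedure.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash file content in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_allowlist(paths):
    """Record the content hash of every approved program (assumed SHA-256 keyed list)."""
    return {sha256_file(path) for path in paths}

def may_execute(path, allowlist):
    """Default deny: only content whose hash is on the list may run."""
    return sha256_file(path) in allowlist

def demo():
    """Run the three cases on constructed files and return the decisions."""
    with tempfile.TemporaryDirectory() as workdir:
        def write(name, data):
            path = os.path.join(workdir, name)
            with open(path, "wb") as handle:
                handle.write(data)
            return path

        hmi = write("hmi_runtime.exe", b"constructed approved binary v1")
        unknown = write("usb_tool.exe", b"constructed unknown program")
        allowlist = build_allowlist([hmi])

        decisions = {
            "approved": may_execute(hmi, allowlist),
            "unknown": may_execute(unknown, allowlist),
        }
        # Same file name, different content: a patch or a tampered binary.
        write("hmi_runtime.exe", b"constructed approved binary v1 + patch")
        decisions["changed"] = may_execute(hmi, allowlist)
        return decisions

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(case, "-> run" if allowed else "-> blocked")
```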

Summary: Defense in Depth Example
1. Segmentation in security cells and DMZ
2. Cell access via front & back FW only
3. All ports and media drives disabled
4. PC hardening
5. Latest MS patches
6. Role-based access control and user account management with least privilege principle
7. Anti-virus & whitelisting
8. Remote access via secure communication, dedicated access points and defined support user accounts
9. and 10. Policies and procedures!
[Figure: example network with Office PCs, OS Clients and OS Servers; Enterprise Control Network; Perimeter Network (DMZ); Process Control Network (DCS); IT Firewall, Front Firewall, Back Firewall; WAN; Engineering Station; WSUS or WWW; Quarantine PC; WSUS; AV Server; Whitelisting Console]
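
A check for points 1 and 2 of this summary, as an added example (not part of the original slides and not a Siemens tool): it audits a firewall allow list against the three-network model and reports every rule that reaches across zones without passing through the DMZ. The subnets, rule names and ports are constructed for illustration.

```python
import ipaddress
from itertools import product

# Constructed address plan (assumption): one subnet per network on the slide.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),  # Enterprise Control Network
    "dmz": ipaddress.ip_network("10.20.0.0/24"),         # Perimeter Network (DMZ)
    "dcs": ipaddress.ip_network("10.30.0.0/24"),         # Process Control Network
}
# Only these zone transitions are permitted; every path to the DCS crosses the DMZ.
ALLOWED = {("enterprise", "dmz"), ("dmz", "enterprise"), ("dmz", "dcs"), ("dcs", "dmz")}

# Constructed allow rules: (name, source CIDR, destination CIDR, destination port).
RULES = [
    ("wsus-upstream", "10.20.0.10/32", "10.10.5.20/32", 8530),
    ("dcs-patch-pull", "10.30.0.0/24", "10.20.0.10/32", 8530),
    ("erp-direct", "10.10.7.0/24", "10.30.0.15/32", 135),
    ("vendor-rdp", "0.0.0.0/0", "10.30.0.0/24", 3389),
]

def zones_of(cidr):
    """Return every zone a CIDR reaches into, plus 'external' if it extends beyond them."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("external")
    return hit

def audit(rules):
    """List (rule, source zone, destination zone) for each transition that bypasses the DMZ."""
    findings = []
    for name, src, dst, _port in rules:
        for s, d in product(zones_of(src), zones_of(dst)):
            if s != d and (s, d) not in ALLOWED:
                findings.append((name, s, d))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(RULES):
        print("bypasses DMZ: %s (%s -> %s)" % finding)
```

An over-broad source such as 0.0.0.0/0 is expanded into every zone it covers, so a single "any" rule is reported once per forbidden transition it opens.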

Siemens Industrial Security Services
- Assess and Optimize
  - Security assessment
  - Vulnerability analysis
  - Detailed security and risk assessment
- Train and Consult
  - Security awareness training
  - Customer-specific security workshops
  - Consulting on industrial security concepts
- Design and Implement
  - Security cells and firewall package
  - Antivirus & whitelisting package
  - Patch management/WSUS package
  - Domain controller and user management package
- Operate and Maintain
  - MS patch, AV pattern and SW update services
  - System back-up and recovery services
Industrial Security Services covering all phases of the plant lifecycle

Services Example: Security Assessment Workshop
- Interview-based assessment covering all aspects of industrial security, from organizational measures to product-specific technical implementation

Services Example: Security Assessment Workshop
- The report provides the current risk level, the identified vulnerabilities and the completeness of the implemented security measures
- Documentation also includes prioritized recommendations on how to improve and enhance the security level of the plant
- Baseline for decisions on next steps

Industrial Security Summary
- Industrial security is not only a topic of technical implementation, but starts from security awareness across all layers of management and employees
- Industrial security is an ongoing task and must be ensured through all lifecycle phases
- Siemens provides products, systems and solutions as well as professional services to ensure overall industrial security for customers

Thank you for your attention!

Contact India:
Kamal Kumar
I CS VS ERM
Mumbai, India
Phone: +91-22-39677106, +91-9920656464
E-mail: kamal.shewaramani@siemens.com

Contact Germany:
I CS VS CMR BD
Erlangen, Germany
Phone: +49 (9131) 734025
E-mail: jens.kautler@siemens.com