Unrestricted © Siemens AG 2018
Drivers of Digitalization: Security, Speed, Flexibility, Quality, Efficiency
11/29/2017 Page 2
IEC 62443: The all-encompassing Industrial Security Standard
Lars Peter Hansen, siemens.com
The Cyber Threat
Why worry?
Source: https://fe-ddis.dk/SiteCollectionDocuments/FE/EfterretningsmaessigeRisikovurderinger/Risikovurdering2015.pdf
Denmark continues to face a very high cyber threat, particularly from foreign states. Some states persistently attempt to conduct cyber espionage against Danish authorities and companies, and they make it increasingly difficult to detect their activities.
The threat is therefore directed particularly at research-intensive companies, in sectors including high technology, energy and the pharmaceutical industry.
Caught between regulation, requirements, and standards
The all-encompassing Industrial Security Standard
Provides greater clarity by clearly defining the roles and responsibilities
What does IEC 62443 provide us with?
IEC 62443 addresses the Defense in Depth concept
• Cell protection, DMZ and remote maintenance
• Firewall and VPN
• Physical access protection
• Processes and guidelines
• Security service protecting production plants
• System hardening
• Authentication and user administration
• Patch management
• Detection of attacks
IEC 62443 focuses on the interfaces between all stakeholders: Asset Owners, Integrators and Manufacturers
IEC 62443 provides generic network blueprints
• How to connect IT with OT
• How to develop a segmentation concept for the
IEC 62443 defines a complete Cyber Security Management System
It is a risk-based approach that covers the setup of:
• a security organization and security processes
• security countermeasures and their implementation
The IEC 62443 Structure
The standard is organized in four groups (General, Policies and procedures, System, Component); the slide's second axis distinguishes functional requirements from processes / procedures.
General (definitions, metrics):
• 1-1 Terminology, concepts and models
• 1-2 Master glossary of terms and abbreviations
• 1-3 System security compliance metrics
Policies and procedures (requirements to the security organization and processes of the plant owner and suppliers):
• 2-1 Establishing an IACS security program
• 2-2 Operating an IACS security program
• 2-3 Patch management in the IACS environment
• 2-4 Certification of IACS supplier security policies
System (requirements to a secure system):
• 3-1 Security technologies for IACS
• 3-2 Security assurance levels for zones and conduits
• 3-3 System security requirements and security assurance levels
Component (requirements to secure system components):
• 4-1 Product development requirements
• 4-2 Technical security requirements for IACS products
Phases in product and IACS life cycles
[Figure: two parallel life cycles with the applicable IEC 62443 parts; only the labels are recoverable.]
• Product life cycle (Product Supplier): Specification, Design, Commercialization / maintenance, Phase Out.
• IACS life cycle (System Integrator, Asset Owner, Asset Owner / Service provider): Specification, Integration / Commissioning, Operation / Maintenance, Decommissioning.
• Artefacts along the phases: automation solution, project application, configuration and user management, security measures and settings, operational policies and procedures, decommissioning policies and procedures.
• Security targets: control systems, host devices, network components, applications, embedded devices.
• IEC 62443 parts referenced on the figure: 2-1, 2-3, 2-4, 3-2, 3-3, 4-1, 4-2.
Protection Levels
Cover security functionalities and processes
Security Levels (security functionalities):
• SL 1: Capability to protect against casual or coincidental violation
• SL 2: Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation
• SL 3: Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
• SL 4: Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
Maturity Levels (security processes):
• ML 1: Initial - Process unpredictable, poorly controlled and reactive
• ML 2: Managed - Process characterized, reactive
• ML 3: Defined - Process characterized, proactive deployment
• ML 4: Optimized - Process measured, controlled and continuously improved
Protection Levels (plotted on a matrix of Security Level 1-4 against Maturity Level 1-4):
• PL 1: Protection against casual or coincidental violation
• PL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
• PL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
• PL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
IEC 62443 Security measures
It is concrete …
The slide maps example measures to PL 1 to PL 4 across five areas (Organize Security, Secure Solution Design, Secure Operations, Secure Lifecycle management, Secure Physical Access), marking each step up with a "+".
Secure Physical Access:
• PL 1: Locked building/doors with keys
• PL 2: Doors with card reader
• PL 3: Revolving doors with card reader
• PL 4: Revolving doors with card reader and PIN; video surveillance and/or iris scanner at door
Further example measures from the slide (their PL column is not recoverable from the extracted text):
• Awareness training (e.g. Operator Awareness training); mandatory security education
• Persons responsible for security within own organization
• Network segmentation (e.g. VLAN); physical network segmentation or equivalent (e.g. SCALANCE S)
• Firewalls with fail close (e.g. Next Generation Firewall)
• Remote access restriction (e.g. need-to-connect principle); remote access with cRSP or equivalent
• No Email, no WWW, etc. in secure cell; 2 PCs (secure cell / outside)
• Mandatory rules on USB sticks (e.g. whitelisting)
• Security logging on all systems; continuous monitoring (e.g. SIEM); monitoring of all human interactions; monitoring of all device activities
• Dual approval for critical actions
• Online security functionality verification
• Backup / recovery system; automated backup / recovery; backup verification
Consequences
Some randomly selected points:
• Use of VLAN is mandatory
• Network hardening is mandatory
• Managed switches are mandatory
• Capability to backup …
• Unique identification and authentication
• A distributed firewall concept has to be implemented
• Inventory and network management are mandatory
• Capability to automate the backup …
Even more …
IEC 62443-3-2: Generic Blueprint
IEC 62443-3-2: Zones and Conduits
[Figure: zones Enterprise Network, Plant, Control #1 and Control #2, connected by conduits; the zones carry protection levels PL1, PL2 and PL3, and each side of a conduit is classified trusted/untrusted.]
IEC 62443-3-3
Defines security requirements for industrial control systems: 7 Foundational Requirements
• FR 1 – Identification and authentication control
• FR 2 – Use control
• FR 3 – System integrity
• FR 4 – Data confidentiality
• FR 5 – Restricted data flow
• FR 6 – Timely response to events
• FR 7 – Resource availability
System Requirement Overview (Part 1)
FR 1 – Identification and authentication control
The slide tabulates the SRs and REs against SL 1, SL 2, SL 3 and SL 4 (the tick marks showing which level each applies to did not survive extraction):
• SR 1.1 – Human user identification and authentication
• SR 1.1 RE 1 – Unique identification and authentication
• SR 1.1 RE 2 – Multifactor authentication for untrusted networks
• SR 1.1 RE 3 – Multifactor authentication for all networks
• SR 1.2 – Software process and device identification and authentication
• SR 1.2 RE 1 – Unique identification and authentication
• SR 1.3 – Account management
• SR 1.3 RE 1 – Unified account management
• SR 1.4 – Identifier management
• SR 1.5 – Authenticator management
• SR 1.5 RE 1 – Hardware security for software process identity credentials
• SR 1.6 – Wireless access management
• SR 1.6 RE 1 – Unique identification and authentication
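The following is an added example, not code from the Siemens deck and not a tool from the standard. It ties the Zones and Conduits slide, the Protection Levels matrix and the FR 1 requirement table together: given a zone's target SL it derives which of the FR 1 SRs and REs listed above apply and reports the gaps against the controls the zone already has. The SR/RE names are those on the slide; the SL at which each requirement first applies is not on the slide, and the values in `FR1_REQUIREMENTS` are an assumption recalled from IEC 62443-3-3 that must be verified against the standard. Reading the PL matrix as its diagonal (PL n requires both SL n and ML n) in `protection_level` is likewise an assumption, and the zones in `ZONES` are constructed sample data.

```python
"""FR 1 requirement derivation for a zone's target security level.

Added example; not Siemens code and not a tool from the IEC standard. The
SR/RE identifiers and titles are those listed on the slide. The SL at which
each requirement first applies is NOT on the slide: the numbers below are
an assumption recalled from the FR 1 allocation in IEC 62443-3-3 and must
be verified against the standard text before use.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# ASSUMPTION: minimum target SL at which each FR 1 requirement applies.
FR1_REQUIREMENTS = {
    "SR 1.1":      ("Human user identification and authentication", 1),
    "SR 1.1 RE 1": ("Unique identification and authentication", 2),
    "SR 1.1 RE 2": ("Multifactor authentication for untrusted networks", 3),
    "SR 1.1 RE 3": ("Multifactor authentication for all networks", 4),
    "SR 1.2":      ("Software process and device identification and authentication", 2),
    "SR 1.2 RE 1": ("Unique identification and authentication", 3),
    "SR 1.3":      ("Account management", 1),
    "SR 1.3 RE 1": ("Unified account management", 3),
    "SR 1.4":      ("Identifier management", 1),
    "SR 1.5":      ("Authenticator management", 1),
    "SR 1.5 RE 1": ("Hardware security for software process identity credentials", 3),
    "SR 1.6":      ("Wireless access management", 1),
    "SR 1.6 RE 1": ("Unique identification and authentication", 2),
}


def required_for(target_sl: int) -> list[str]:
    """All FR 1 SR/RE identifiers that apply at the given target SL (1..4)."""
    if not 1 <= target_sl <= 4:
        raise ValueError("target SL must be 1..4")
    return [rid for rid, (_, min_sl) in FR1_REQUIREMENTS.items() if min_sl <= target_sl]


def protection_level(sl: int, ml: int) -> int:
    """Read the PL matrix on the slide as its diagonal: PL n needs both SL n
    and ML n, so the achieved PL is the lower of the two (assumption)."""
    return min(sl, ml)


@dataclass
class Zone:
    """A zone from the 3-2 blueprint with its target SL and the FR 1
    requirements already implemented (constructed sample data)."""
    name: str
    target_sl: int
    implemented: set[str] = field(default_factory=set)

    def gaps(self) -> list[str]:
        """Requirements the zone must still meet, with their titles."""
        return [f"{rid}: {FR1_REQUIREMENTS[rid][0]}"
                for rid in required_for(self.target_sl)
                if rid not in self.implemented]


# Constructed zones mirroring the slide's names; their target SLs and
# implemented controls are invented for this example.
ZONES = [
    Zone("Zone Enterprise Network", 1, {"SR 1.1", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6"}),
    Zone("Zone Control #1", 2, {"SR 1.1", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6"}),
]


def gap_report(zones: list[Zone] = ZONES) -> dict[str, list[str]]:
    """Map each zone name to its open FR 1 requirements."""
    return {z.name: z.gaps() for z in zones}


if __name__ == "__main__":
    for name, gaps in gap_report().items():
        print(name, "->", gaps or "no FR 1 gaps")
```

Raising a zone from SL 1 to SL 2 is what makes SR 1.2 (device and software-process authentication) and the unique-identification REs appear in the gap list; the same table-driven lookup extends to the other six FRs once their rows are added.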
What can we offer?
We are certified!
Product Development, Process Control System (PCS 7) and Substation design
Solutions and Services aligned with your needs and budget
Comprehensive, Modular and Scalable Portfolio
Outsource? or Insource?
Solutions and Services aligned with your needs and budget
Comprehensive, Modular and Scalable Portfolio
Intel Security inside
• IEC 62443 Assessment
• ISO 27001 Assessment
• SIMATIC PCS 7 & WinCC Assessment
• Risk & Vulnerability Assessment
• Security Awareness Training
• Security Policy Consulting
• Network Security Consulting
• Perimeter Firewall Installation
• Clean Slate Validation
• Anti Virus Installation
• Whitelisting Installation
• System BackUp
• Windows Patch Installation
• Industrial Security Monitoring
• Remote Incident Handling
• Perimeter Firewall Management
• Perimeter Firewall Review
• Anti Virus Management
• Whitelisting Management
• Patch & Vulnerability Management
Industrial Security
Network Security
• Firewalls
• Virtual Private Networks (VPN)
• Segmentation
• Demilitarized zone (DMZ)
• Hardening
• Authentication
• Cell Protection
Industrial security appliances – SCALANCE S
Variants: SC632-2C, SC636-2C, S615, SC642-2C, SC646-2C
SINEMA Remote Connect
The secure access solution
• Central administration of users and VPN connections
• Encrypted connections based on OpenVPN
• Logging of access
• Local access management via DI or SMS
• Simple integration
• Special IT knowledge is not required
SINEMA RC example of a configuration: remote service for series machine builders
SINEMA Remote Connect: remote access to identical machines
• Generates devices with routing / NAT information in SINEMA RC
• Select a device via the extremely simple telephone-book function in the SINEMA RC Client with one mouse click
• Logging of access, 2-factor authentication, and the user has to agree to the terms and conditions (AGB's)
• Use of Windows, iOS and Android clients
• Well-structured whitepaper
SINEMA Remote Connect
Well-structured whitepaper: https://support.industry.siemens.com/cs/document/109746841
Network Security
How do you protect old, vulnerable systems? Ghost Mode (a firewall placed in front of the old, vulnerable system; the slide shows a SCADA system)
• Access protection
• No change in the existing system
• Also with layer 2 protocols
• Adopts the IP address and changes the MAC address automatically
• Same configuration in all firewalls (global firewall rules)
Network Security
Use Hardening!
• Use Password
• Use VLAN
• Disable DCP write
• Enable Management Access List
• Broadcast limitation
• Disable unused ports
• Enable SNMP V3
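The seven hardening items above are easy to state and easy to leave half done across a plant full of switches, so the following added example (not Siemens code, and not the configuration format of any SCALANCE device) turns them into an audit. The switch is modelled as a plain dictionary whose keys (`default_password_in_use`, `dcp_write_enabled`, `management_acl`, and so on) are an assumption made for this example; `SAMPLE_SWITCH` is a constructed factory-default device, `audit` lists which of the seven items it fails, and `harden` returns a corrected copy so the weak and the hardened settings can be compared side by side.

```python
"""Hardening audit for a managed industrial switch.

Added example, not Siemens code and not a SCALANCE configuration format:
the device is a plain dictionary whose keys are an assumption made for this
example. The seven checks are the hardening items from the slide.
"""
import copy

# Constructed configuration of a switch still at factory defaults.
SAMPLE_SWITCH = {
    "hostname": "cell1-sw01",
    "default_password_in_use": True,   # "Use Password": default admin credentials still active
    "vlans": [1],                      # "Use VLAN": only the default VLAN exists
    "dcp_write_enabled": True,         # "Disable DCP write": name/IP can be set over PROFINET DCP
    "management_acl": [],              # "Enable Management Access List": empty = reachable from anywhere
    "broadcast_limit_pct": None,       # "Broadcast limitation": no storm limit configured
    "ports": {                         # "Disable unused ports": P3/P4 are unpatched but enabled
        "P1": {"connected": True,  "enabled": True},
        "P2": {"connected": True,  "enabled": True},
        "P3": {"connected": False, "enabled": True},
        "P4": {"connected": False, "enabled": True},
    },
    "snmp": {"enabled": True, "version": "v2c"},   # "Enable SNMP V3": v2c sends community strings in clear
}


def audit(cfg: dict) -> list[str]:
    """Return one finding per failed hardening item, in the slide's order."""
    findings = []
    if cfg["default_password_in_use"]:
        findings.append("password: default credentials still active")
    if set(cfg["vlans"]) <= {1}:
        findings.append("vlan: only the default VLAN 1 is configured")
    if cfg["dcp_write_enabled"]:
        findings.append("dcp: DCP write (set name/IP) is enabled")
    if not cfg["management_acl"]:
        findings.append("acl: management access list is empty")
    if cfg["broadcast_limit_pct"] is None:
        findings.append("broadcast: no broadcast limitation configured")
    idle_up = sorted(p for p, s in cfg["ports"].items() if s["enabled"] and not s["connected"])
    if idle_up:
        findings.append("ports: unused ports still enabled: " + ", ".join(idle_up))
    if cfg["snmp"]["enabled"] and cfg["snmp"]["version"] != "v3":
        findings.append("snmp: " + cfg["snmp"]["version"] + " in use, v3 not enabled")
    return findings


def harden(cfg: dict, mgmt_hosts: list[str], cell_vlan: int = 10,
           broadcast_limit_pct: int = 10) -> dict:
    """Return a hardened deep copy applying each slide item; cfg is left untouched."""
    h = copy.deepcopy(cfg)
    h["default_password_in_use"] = False       # individual admin password set out of band
    if cell_vlan not in h["vlans"]:
        h["vlans"].append(cell_vlan)            # move cell traffic off the default VLAN
    h["dcp_write_enabled"] = False
    h["management_acl"] = list(mgmt_hosts)      # only the engineering station may manage
    h["broadcast_limit_pct"] = broadcast_limit_pct
    for state in h["ports"].values():
        if not state["connected"]:
            state["enabled"] = False            # shut every unpatched port
    h["snmp"]["version"] = "v3"                 # authenticated, encrypted monitoring
    return h


if __name__ == "__main__":
    for line in audit(SAMPLE_SWITCH):
        print("FAIL", line)
    print("after harden():", audit(harden(SAMPLE_SWITCH, ["192.0.2.10"])) or "clean")
```

Because `harden` works on a copy, the same audit run before and after gives the evidence an assessor wants: the original shows seven findings, the hardened copy none.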
Industrial Security
System integrity
• Password protection
• Know-how and copy protection
• Access protection
• Virus scanner, whitelisting
• Secure communication: VPN and OPC UA
• Deactivation of services and hardware interfaces
• Windows security patch management*
* https://support.industry.siemens.com/cs/document/18752994?dti=0&lc=en-WW
Industrial Security
We have certified products…
Industrial Security
We have certified products… The Dairy situation
SCADA – Controller communication via OPC
A standard setup: SCADA talking directly to the controller
SCADA – Controller communication via OPC
Implement a VPN and firewall concept between SCADA and controller, via Security CP cards or an external firewall/VPN gateway, for:
- S7-300 and 400
- S7-1200 and 1500
- ET 200SP CPU
- SCALANCE S (for all controllers)
SCADA – Controller communication via OPC
Implement an OPC UA concept (controller to third-party SCADA), via Security CP cards or the controller itself:
- S7-1500, 1500S, 1500T
- ET 200SP CPU
- PLCSIM Adv.
- S7-400 via CP 443-1 OPC UA
SCADA – Controller communication via OPC
Simple, standardized and symbolic read and write access to controller data: read access possible, write access possible (roles on the slide: SCADA / Controller, OPC UA server / OPC UA client)
Asset and Network Management +
Overview
It's a system: secure the plant, availability, centralized monitoring and management
Asset and Network Management +
SINEMA Server V14
• Firmware update
• Config. backup / restore
• Password management
• SNMP management
• Connection to MindSphere
• NAT V2 support
SINEMA Server
Communication to all devices
Works with:
• All IP-based devices
• Also third-party devices
• And PROFIBUS slaves via S7-300 or S7-400 CPUs
Protocols shown on the slide: SNMP, PROFINET, DCP, LLDP, SIMATIC
SINEMA Server
Local or distributed architecture (SINEMA Server feeding SCADA)
• Local architecture: from 50 to 500 nodes
• Distributed architecture: up to 50,000 nodes
SINEMA Server – SCADA integration
Overall diagnostic information from SINEMA Server to SCADA via OPC UA
SINEMA Server – SCADA integration
Access to views and reports via URLs (https://)
Good2Know!
How do you stay up to date?
• Subscribe to the Siemens RSS feed: www.industry.siemens.com/topics/global/en/industrial-security/news-alerts/Pages/overview.aspx
• Or to ICS-CERT: www.ics-cert.us-cert.gov/ICS-CERT-Feeds
Security Vulnerability Information based on MindSphere
[Figure: data flow of the SVM* app]
• Input: csv file upload with the component list to be monitored, via API
• MindSphere backend: algorithm for data comparison against the SVM service DB (27.000+ components, 33.000+ vulnerabilities), fed by web surveillance and more than 100 various sources
• Output: app UI with dashboards, charts and security bulletins
* SVM: Security Vulnerability Monitoring from SIEMENS CERT
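The comparison step in the middle of that flow is the part worth seeing in code. The following is an added example, not Siemens or SVM code: a component list in the assumed csv shape (`vendor,product,version,location`) is matched against a small constructed stand-in for the vulnerability database, using normalised vendor/product names and numeric version ranges (inclusive first affected version, exclusive fixed version), and yields one bulletin per affected component. All advisory identifiers, products and versions are placeholders invented for this example.

```python
"""Matching a component inventory against a vulnerability database.

Added example; not Siemens or SVM code. It shows the comparison step the
diagram describes: an uploaded csv component list is compared with a
vulnerability database and yields bulletins per affected component. The
csv columns, the advisory record shape and all data are constructed.
"""
from __future__ import annotations
import csv
import io
from dataclasses import dataclass

# Constructed upload in the assumed csv shape (vendor, product, version, location).
INVENTORY_CSV = """vendor,product,version,location
ExampleVendor,ExampleHMI,2.3.1,Zone Control #1
examplevendor,ExampleHMI,2.4.0,Zone Control #2
OtherVendor,ExampleSwitchOS,5.1,Zone Plant
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder ids, not real advisories
    vendor: str
    product: str
    first_affected: str   # inclusive lower bound of affected versions
    fixed_in: str | None  # exclusive upper bound; None = no fix published yet
    severity: str


# Constructed stand-in for the service DB.
VULN_DB = [
    Advisory("EXAMPLE-0001", "ExampleVendor", "ExampleHMI", "2.0.0", "2.4.0", "high"),
    Advisory("EXAMPLE-0002", "ExampleVendor", "ExampleHMI", "2.4.0", None, "medium"),
    Advisory("EXAMPLE-0003", "OtherVendor", "ExampleSwitchOS", "4.0", "5.0", "critical"),
]


def parse_version(text: str, width: int = 4) -> tuple[int, ...]:
    """Dotted numeric version -> zero-padded tuple, so "2.4" equals "2.4.0"."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when first_affected <= version < fixed_in (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(adv.first_affected):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)


def _key(vendor: str, product: str) -> tuple[str, str]:
    # Normalise names so that case and stray whitespace do not hide a match.
    return vendor.strip().lower(), product.strip().lower()


def match_inventory(csv_text: str, db: list[Advisory]) -> list[dict]:
    """Return one bulletin dict per (component row, matching advisory)."""
    by_component: dict[tuple[str, str], list[Advisory]] = {}
    for adv in db:
        by_component.setdefault(_key(adv.vendor, adv.product), []).append(adv)

    bulletins = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for adv in by_component.get(_key(row["vendor"], row["product"]), []):
            if is_affected(row["version"], adv):
                bulletins.append({
                    "location": row["location"],
                    "product": row["product"],
                    "version": row["version"],
                    "advisory_id": adv.advisory_id,
                    "severity": adv.severity,
                    "fixed_in": adv.fixed_in,
                })
    return bulletins


if __name__ == "__main__":
    for b in match_inventory(INVENTORY_CSV, VULN_DB):
        print(b["location"], b["product"], b["version"], "->", b["advisory_id"],
              b["severity"], "fixed in", b["fixed_in"] or "(no fix yet)")
```

The switch at version 5.1 produces no bulletin because the advisory's fixed version 5.0 is an exclusive upper bound; the HMI at 2.4.0 drops off the first advisory for the same reason and picks up the second, which has no fix yet, so the bulletin carries `fixed_in` of `None` as the signal that only a compensating control (segmentation, whitelisting) is available.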
App UI with dashboards, charts and security bulletins
Get certified!
Global training and certification program
Siemens Industrial Networks Education Program
Our current Training Offer
http://www.siemens.com/industrial-networks-education
We can offer you
• Security Products and Solutions
• Security Services
• Security Assessments
• Managed Security
• Industrial SIEM (Security information and event management)
• Cloud-based Security Management
• Training
• Physical Security
Products, Services and technology
What can we offer?
Market-leading portfolio for over 25 years 1)
1) ARC: Global market research study »Industrial Ethernet Switches«, 2015
Siemens portfolio: Wired, Wireless, Remote, Software, Security
Industrial Ethernet
New switches: more features, lower prices, also focus on IP65/67
The extremely flexible switch
SCALANCE XM-400
What problem do we solve?
+ Up to 24 Gigabit ports enable high data rates for ring structures and uplinks
+ Pay as you grow … expand the number of ports or upgrade to Layer 3
+ Reduce cabling by supplying up to 16 powered devices with Power-over-Ethernet+
+ Diagnostics per smartphone or tablet in the existing WLAN using NFC (Near Field Communication)
+ Choose the FO connectors flexibly according to the customer's preference (SC, ST/BFOC or SFP)
+ Preventive maintenance: built-in reflectometer to scan the copper cables and monitor the optical connection and its performance over time
The brand new X200 switch family
SCALANCE XC-200, XP-200, XB-200 and XF-200
What problem do we solve?
The brand new XR300 switch family
SCALANCE XR-300 WG
What problem do we solve?
+ Optimally priced ruggedized switch
Topologies
• New redundancy concepts
• An IEC 62443 related blueprint
• Network segmentation, hardening
L2 Redundancy
Media Redundancy Protocol (MRP)
L2 Redundancy
Media Redundancy with Planned Duplication of frames (MRPD)
Brand new Industrial WLAN products - SCALANCE W
Robust and compact
What problem do we solve?
+ Space-saving mounting options: flat and book-shelf style, optional adapters for DIN rail / 90° mounting
+ Cost-efficient cabling thanks to Power-over-Ethernet
+ IEEE 802.11n compliant, up to 300 Mbit/s data rate
+ Robust housing for mounting outside a cabinet: protection class IP65 while compact
Industrial wireless LAN – SCALANCE W
Simple and fast exchange of defective devices
Industrial wireless LAN – SCALANCE W
How do you check a connection?
• The integrated Signal Recorder is really cool…
Industrial wireless LAN – SCALANCE W
How do you check for disturbance?
• The integrated Spectrum Analyzer is super cool …
Industrial wireless LAN – SCALANCE W
Frequency, HW and bumpless redundancy based on PRP
[Figure: IO controller and IO device each attached through an RNA switch to two parallel networks, Network A / VLAN A and Network B / VLAN B.]
Office-grade Access Point
SCALANCE W1750D-2IA RJ45 based on IEEE 802.11ac
What problem do we solve?
+ Investment protection through state-of-the-art technology
+ Reduced costs for cabling thanks to Power-over-Ethernet
+ Very high data rates, up to 1733 Mbps, for high-density applications
+ No dedicated controller necessary thanks to the integrated virtual controller for up to 64 access points
We have a unique offer: expertise in industrial networks
Thank you for your attention
Contact info
Name, phone, email:
• Morten Kromann, +45 2037 3508, [email protected]
• Per Krog Christiansen, +45 4042 6239, [email protected]
• Lars Peter Hansen, +45 2129 9650, [email protected]